| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
In commit 4e1cc5f6dda22e9 the create_temp_filename() function was
reviewed and hardened, which in the end renamed this function to
create_temp_file() in commit 495e3cec5d156.
With these changes it became more evident that OpenVPN needs a directory
where it can create temporary files. The create_temp_file() will create
such files f.ex. if --client-connect or --plugin which makes use of
the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY hook, such as openvpn-auth-pam.so.
When this happens, OpenVPN will normally create these files in the directory
OpenVPN was started. In many cases, this will fail due to restricted access.
By using --tmp-dir and pointing it to a directory writeable to the user
running OpenVPN, it works again.
This patch makes OpenVPN use a more suitable temproary directory by default,
instead of the current working directory. On non-Windows platforms this
default value is set to '/tmp', but can be modified at compile-time by
running ./configure --with-tmp-dir-path=<TEMP DIR PATH>. On Windows, it
will use GetTempPath() to find temporary paths recommended by the OS. If
this fails, it will fallback to the old behaviour, using the directory
where OpenVPN was started.
In any cases, this default value can be overridden in the configuration
file by using the --tmp-dir option, as before.
To check what the default is at runime, you can see this easily by doing
this:
$ ./openvpn --verb 4 --dev tun | grep tmp_dir
Signed-off-by: David Sommerseth <davids@redhat.com>
Tested-by: Jan Just Keijser <janjust@nikhef.nl>
Acked-by: Gert Doering <gert@greenie.muc.de>
|
|
As agreed in last thursday's IRC meeting [1], I've added a comment to the
code explaining "--rdns-internal". It's really very much an internal
option, so it does not need to go to the man page.
[1] http://thread.gmane.org/gmane.network.openvpn.devel/4573
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
|
|
Signed-off-by: chantra <chantra@debuntu.org>
Acked-By: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
|
|
instead of "key" in client mode, and allows the client to run
without the need to load the actual private key. When the SSL
protocol needs to perform an RSA sign operation, the data to
be signed will be sent to the management interface via a
notification as follows:
>RSA_SIGN:[BASE64_DATA]
The management interface client should then sign BASE64_DATA
using the private key and return the signature as follows:
rsa-sig
[BASE64_SIG_LINE]
.
.
.
END
This capability is intended to allow the use of arbitrary
cryptographic service providers with OpenVPN via the
management interface.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6708 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Peter Korsgaard <jacmet@sunsite.dk> reported an issue [1] when compiling
with --disable-crypto activated. He suggested a patch, which only
partly solved the issue. SVN r6568 / commit 3cf9dd88fd84108 added a
new feature which further made it impossible to compile without crypto.
This patch fixes both issues, based on Peter Korsgaard's patch.
[1] <http://sourceforge.net/mailarchive/forum.php?thread_name=87fwx08bod.fsf%40macbook.be.48ers.dk&forum_name=openvpn-devel>
Signed-off-by: James Yonan <james@openvpn.net>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
This allows using other X509 certificate fields for the certificate
authentication. To use altSubjectName, use
--x509-username-field ext:altSubjectName
This feature requires OpenVPN to be built with --enable-x509-alt-username
This patch is slightly modified, to honour --enable-x509-alt-username
compile time configuration. Two #ifdef's are added.
Signed-off-by: Markus Koetter <koetter@rrzn-hiwi.uni-hannover.de>
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
|
|
After some discussion [1] regarding an extension of this feature,
James Yonan wanted this extension to be an opt-in feature. However,
as it does not make sense to opt-in on a extension of a feature which
was discussed, this patch makes the base feature an opt-in instead.
The base feature comes from commit 2e8337de248ef0b5b48cbb2964 (beta2.2)
and commit 935c62be9c0c8a256112 (feat_misc).
[1] http://thread.gmane.org/gmane.network.openvpn.devel/4266
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: James Yonan <james@openvpn.net>
(cherry picked from commit 024972e2ced84c6e5cabc43620ab510e5693d1d4)
|
|
Conflicts:
acinclude.m4
config-win32.h
configure.ac
misc.c
thread.c
thread.h
- These conflicts was mainly due to feat_misc getting old
and mostly caused by the pthread clean-up patches in
feat_misc
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
The GNU C compiler gave warnings about some functions not being used.
These functions where only used if certian #ifdef sections was enabled.
This patch encapsulates these function declarations with matching #ifdef's
to make it more clear when these functions are needed.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Peter Stuge <peter@stuge.se>
|
|
Conflicts:
options.c
- Disagreements about a new included file (forward.h)
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
Peter Korsgaard <jacmet@sunsite.dk> reported an issue [1] when compiling
with --disable-crypto activated. He suggested a patch, which only
partly solved the issue. SVN r6568 / commit 3cf9dd88fd84108 added a
new feature which further made it impossible to compile without crypto.
This patch fixes both issues, based on Peter Korsgaard's patch.
[1] <http://sourceforge.net/mailarchive/forum.php?thread_name=87fwx08bod.fsf%40macbook.be.48ers.dk&forum_name=openvpn-devel>
Signed-off-by: James Yonan <james@openvpn.net>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
This code was not activated at all, and hard coded as disabled in syshead.h
with this code snippet:
/*
* Pthread support is currently experimental (and quite unfinished).
*/
#if 1 /* JYFIXME -- if defined, disable pthread */
#undef USE_PTHREAD
#endif
So no matter if --enable-pthread when running ./configure or not, this feature
was never enabled in reality. Further, by removing the blocker code above made
OpenVPN uncompilable in the current state.
As the threading part needs to be completely rewritten and pthreading will not be
supported in OpenVPN 2.x, removing this code seems most reasonable.
In addition, a lot of mutex locking code was also removed, as they were practically
NOP functions, due to pthreading being forcefully disabled
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: James Yonan <james@openvpn.net>
|
|
|
|
The file containing CONFIGURE_DEFINES variable, configure.h, is not present if
openvpn is built using the Python + Visual C -based buildsystem. This causes the
build to fail. This patch adds a check to see if variable exists before trying
to use it.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: Peter Stuge <peter@stuge.se>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
Conflicts:
Makefile.am
openvpn.8
options.c
socket.c
ssl.c
- feat_misc is missing a lot of bugfix2.1 changes
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
This patch adds support for SOCKS plain text (username/password)
authentication as described in RFC 1929. It adds an optional third
parameter to the socks-proxy option, which is a file containing the
login credentials.
I've been using this patch for two weeks now and it does not seem to
cause any problem. The only modifications are in the SOCKS handshake
handling and the options parser.
Signed-Off-By: Pierre Bourdon <delroth@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
For my company, we use a PKI (linked to a LDAP) with OpenVPN. We can't use "CN" to be
username (few people can have the same "CN"). In our case, we only use the UID.
With my patch, you can choose another field to be username with a new option called
--x509-username-field, the default value is "CN".
Signed-off-by: Emilien Mantel <emilien.mantel@businessdecision.com>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
This is to satisfy those wanting to build openvpn for embedded devices
where every bytes matters.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
|
|
Alon Bar-Lev indicated commit f27bf509315a48b0070294c3993a718df0c2626c
was missing proper dependency checking. This patch corrects this and
fixes an issue when creating configure.h via make distcheck.
This is an enhanced version of the one sent to the openvpn-devel mailing
list April 13, 2010 [1], after having received some feedback from Gert
Doering, cleaning up configure_log.awk further.
[1] <http://thread.gmane.org/gmane.network.openvpn.devel/3410/focus=3491>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
|
|
This patch will create ./configure.h which will contain two new #define
strings. CONFIGURE_DEFINES will contain all USE, ENABLED, DISABLED and
DEPRECATED defines from ./config.h. CONFIGURE_CALL will contain the
complete ./configure line which was used when configuring the package
for building.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: James Yonan <james@openvpn.net>
|
|
It should be nice to enhance tls-verify check possibilities against peer
cert during a pending TLS connection like :
- OCSP verification
- check any X509 extensions of the peer certificate
- delta CRL verification
- ...
This patch add a new "tls-export-cert" option which allow to get peer
certificate in PEM format and to store it in an openvpn temporary file.
Peer certificate is stored before tls-script execution and deleted after.
The name of the related temporary file is available under tls-verify
script by an environment variable "peer_cert".
The patch was made from OpenVPN svn Beta21 branches.
Here is a very simple exemple of Tls-verify script which provide OCSP
support to OpenVPN (with tls-export-cert option) without any OpenVPN
"core" modification :
X509=$2
openssl ocsp \
-issuer /etc/openvpn/ssl.crt/RootCA.pem \
-CAfile /etc/openvpn/ssl.capath/OpenVPNServeur-cafile.pem \
-cert $peer_cert \
-url http://your-ocsp-url
if [ $? -ne 0 ]
then
echo "error : OCSP check failed for ${X509}" | logger -t
"tls-verify"
exit 1
fi
This has been discussed here:
<http://thread.gmane.org/gmane.network.openvpn.devel/2492>
<http://thread.gmane.org/gmane.network.openvpn.devel/3150>
<http://thread.gmane.org/gmane.network.openvpn.devel/3217>
This patch has been modified by David Sommerseth, by fixing a few issues
which came up to during the code review process. The man page has been
updated and tmp_file in ssl.c is checked for not being NULL before calling
delete_file().
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
|
|
Addedd configure option (--disable-eurephia) to disable the code which the
eurephia plug-in depends on.
It was chosen to use --disable-eurephia, as this patch is not much intrusive. It
just enables a SHA1 fingerprint environment variable for each certificate being
used for the connection.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
The warnings reported where:
--------------------------------------------------------
misc.c:158: warning: ignoring return value of ‘nice’, declared with attribute warn_unused_result
options.c:4033: warning: format not a string literal and no format arguments
options.c:4043: warning: format not a string literal and no format arguments
options.c:4053: warning: format not a string literal and no format arguments
push.c:182: warning: format not a string literal and no format arguments
push.c:199: warning: format not a string literal and no format arguments
push.c:235: warning: format not a string literal and no format arguments
status.c:171: warning: ignoring return value of ‘ftruncate’, declared with attribute warn_unused_result
--------------------------------------------------------
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Peter Stuge <peter@stuge.se>
|
|
This is a fix for trac ticket #20,
<https://community.openvpn.net/openvpn/ticket/20>
which was started in the sf.net bug tracker:
<http://sourceforge.net/tracker/?func=detail&aid=2078470&group_id=48978&atid=454719>
The implemented solution is to give a warning for each of the different script hooks
available. The last configured script will override any earlier configured scripts,
to ensure that the command line can override the configuration file.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: James Yonan <james@openvpn.net>
|
|
I am running a multihomed host where 'local <extip>' must be specified
for proper operation. Unfortunately, this implies 'lport 1194' or
another static port.
This causes problems with stateful firewalls which register the host/port
pairs in the internal connection tracking table. On ungraceful reconnects,
the new TCP connection will have same the host/port pairs but unexpected
sequence numbers. The new connection will be assumed as invalid hence and
be dropped.
It would be nice when local port can be configured to be bound to a
random port number. After reading code,
| else if (streq (p[0], "lport") && p[1])
| ...
| port = atoi (p[1]);
|- if (!legal_ipv4_port (port))
|+ if (port != 0 && !legal_ipv4_port (port))
| {
in options.c seems to be the only required change.
This has been discussed here:
<http://thread.gmane.org/gmane.network.openvpn.user/28622>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
|
|
Version 2.1.3a
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6424 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
rendered as base64.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6412 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
of existing --register-dns commands.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6352 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Fixed some issues on Windows with --log, subprocess creation
for command execution, and stdout/stderr redirection.
Version 2.1.1m.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6304 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
core dump if http-proxy-fallback-disable command was issued in
response to ">PROXY:NEED_NOW management" interface notification.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6284 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
For my company, we use a PKI (linked to a LDAP) with OpenVPN. We can't use "CN" to be
username (few people can have the same "CN"). In our case, we only use the UID.
With my patch, you can choose another field to be username with a new option called
--x509-username-field, the default value is "CN".
Signed-off-by: Emilien Mantel <emilien.mantel@businessdecision.com>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
Version 2.1.1i
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5668 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
easier for OpenVPN client UIs to start a pre-existing client config file with
proxy options, or to adaptively fall back to a proxy connection if a direct
connection fails.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5652 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Improved the ability of http-auth "auto" flag to dynamically detect
the auth method required by the proxy.
Added http-auth "auto-nct" flag to reject weak proxy auth methods.
Added HTTP proxy digest authentication method.
Removed extraneous openvpn_sleep calls from proxy.c.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5628 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5599 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
This is to satisfy those wanting to build openvpn for embedded devices
where every bytes matters.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
|
|
Alon Bar-Lev indicated commit f27bf509315a48b0070294c3993a718df0c2626c
was missing proper dependency checking. This patch corrects this and
fixes an issue when creating configure.h via make distcheck.
This is an enhanced version of the one sent to the openvpn-devel mailing
list April 13, 2010 [1], after having received some feedback from Gert
Doering, cleaning up configure_log.awk further.
[1] <http://thread.gmane.org/gmane.network.openvpn.devel/3410/focus=3491>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
|
|
This patch will create ./configure.h which will contain two new #define
strings. CONFIGURE_DEFINES will contain all USE, ENABLED, DISABLED and
DEPRECATED defines from ./config.h. CONFIGURE_CALL will contain the
complete ./configure line which was used when configuring the package
for building.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: James Yonan <james@openvpn.net>
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5467 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
It should be nice to enhance tls-verify check possibilities against peer
cert during a pending TLS connection like :
- OCSP verification
- check any X509 extensions of the peer certificate
- delta CRL verification
- ...
This patch add a new "tls-export-cert" option which allow to get peer
certificate in PEM format and to store it in an openvpn temporary file.
Peer certificate is stored before tls-script execution and deleted after.
The name of the related temporary file is available under tls-verify
script by an environment variable "peer_cert".
The patch was made from OpenVPN svn Beta21 branches.
Here is a very simple exemple of Tls-verify script which provide OCSP
support to OpenVPN (with tls-export-cert option) without any OpenVPN
"core" modification :
X509=$2
openssl ocsp \
-issuer /etc/openvpn/ssl.crt/RootCA.pem \
-CAfile /etc/openvpn/ssl.capath/OpenVPNServeur-cafile.pem \
-cert $peer_cert \
-url http://your-ocsp-url
if [ $? -ne 0 ]
then
echo "error : OCSP check failed for ${X509}" | logger -t
"tls-verify"
exit 1
fi
This has been discussed here:
<http://thread.gmane.org/gmane.network.openvpn.devel/2492>
<http://thread.gmane.org/gmane.network.openvpn.devel/3150>
<http://thread.gmane.org/gmane.network.openvpn.devel/3217>
This patch has been modified by David Sommerseth, by fixing a few issues
which came up to during the code review process. The man page has been
updated and tmp_file in ssl.c is checked for not being NULL before calling
delete_file().
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
|
|
I am running a multihomed host where 'local <extip>' must be specified
for proper operation. Unfortunately, this implies 'lport 1194' or
another static port.
This causes problems with stateful firewalls which register the host/port
pairs in the internal connection tracking table. On ungraceful reconnects,
the new TCP connection will have same the host/port pairs but unexpected
sequence numbers. The new connection will be assumed as invalid hence and
be dropped.
It would be nice when local port can be configured to be bound to a
random port number. After reading code,
| else if (streq (p[0], "lport") && p[1])
| ...
| port = atoi (p[1]);
|- if (!legal_ipv4_port (port))
|+ if (port != 0 && !legal_ipv4_port (port))
| {
in options.c seems to be the only required change.
This has been discussed here:
<http://thread.gmane.org/gmane.network.openvpn.user/28622>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
|
|
* Updated ChangeLog.
* Note in man page that clients connecting to a --multihome server
should always use the --nobind option.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5266 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
or "dhcp-renew" options were combined with "route-gateway dhcp".
The problem is that the IP Helper functions for DHCP release and
renew are blocking, and so calling them from a single-threaded
client stops tunnel traffic forwarding, and hence breaks
"route-gateway dhcp" which requires an active tunnel. The fix is
to call the IP Helper functions for DHCP release and renew from
another process.
Version 2.1_rc21b.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5164 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
that cannot directly be used as a config file. The directive
will simply cause OpenVPN to exit with an error if a generic
config file is used.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5077 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
redirect-gateway option by itself, without any extra parameters,
would cause the option to be ignored.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5011 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
servers to connect to in a round-robin fashion, spend no more than
n seconds waiting for a response before trying the next server.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5010 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
to clients, including routes. Previously, all pushed options needed
to fit within a 1024 byte options string.
Remember that to make use of this feature to allow many routes to
be pushed to clients, the client config file must specify the
max-routes option, and the number of pushed routes cannot exceed
this limit. Also, both server and client must include this commit.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4991 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
file or pulled from a server) can now be configured via the new
"max-routes" directive.
Previously, the limit was set to 100 and fixed by a compile-time
constant. Now the limit is dynamic and can be modified by the
"max-routes" directive. If max-routes is not specified, the default
limit is 100.
Note that this change does not address the maximum size of the
pushed options string sent from server to client, which is still
controlled by the TLS_CHANNEL_BUF_SIZE compile-time constant.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4967 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
(Sebastien Raveau).
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4932 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4843 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4477 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
set correctly when the 'local' option is specifed.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4476 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
client will examine the routing table and determine whether (a) the
OpenVPN server is reachable via a locally connected interface, or (b)
traffic to the server must be forwarded through the default router.
Only add a special bypass route for the OpenVPN server if (b) is true.
If (a) is true, behave as if the 'local' flag is specified, and do not
add a bypass route.
The new 'autolocal' flag depends on the non-portable test_local_addr()
function in route.c, which is currently only implemented for Windows.
The 'autolocal' flag will act as a no-op on platforms that have not
yet defined a test_local_addr() function.
Increased TLS_CHANNEL_BUF_SIZE to 2048 from 1024 (this will allow for
more option content to be pushed from server to client).
Raised D_MULTI_DROPPED debug level to 4 from 3.
Version 2.1_rc16b.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4446 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
to be pushed to the client in such a way that they don't accidently
obscure critical local addresses such as the DHCP server address and
DNS server addresses.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4436 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
that result in the termination of the daemon will be written
to stderr.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4131 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
with unix domain sockets.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4128 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
from stdin, when "stdin" is given as the config
file name.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4127 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
In management interface, added new ">CLIENT:ESTABLISHED" notification.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3763 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
to inhibit the pushing of the route-gateway parameter to
clients.
Miscellaneous man page edits, fixed some formatting issues.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3550 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
flag on the server as well as pushes it to connecting clients.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3513 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
server-only option and should therefore generate an
error when used on the client.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3506 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
with options that are incompatible with those of the server
will be disconnected.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3505 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
number generator) parameters. In previous OpenVPN
versions, the PRNG was hardcoded to use the SHA1
hash. Now any OpenSSL hash may be used. This is
part of an effort to remove hardcoded references to
a specific cipher or cryptographic hash algorithm.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3503 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
backward compatibility with system() call semantics used in OpenVPN
2.1_rc8 and earlier. To preserve backward compatibility use:
script-security 3 system
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3495 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3477 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
config file syntax checking to allow directives for future OpenVPN
versions to be ignored.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3476 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
it from being combined with --server directive.
Now, for example, we can configure thusly:
server 10.8.0.0 255.255.255.0 nopool
ifconfig-pool 10.8.0.2 10.8.0.99 255.255.255.0
to have ifconfig-pool manage only a subset
of the VPN subnet.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3471 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
--status-version 3.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3468 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
and username strings to include any printable character including
space, but excluding control characters such as tab, newline, and
carriage-return.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3467 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
except tabs are used as delimiters instead of commas.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3466 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
connections by clients that do not specify a username/password, when a
user-defined authentication script/module is in place (via
--auth-user-pass-verify, --management-client-auth, or a plugin module).
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3461 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Telethra to OpenVPN Technologies.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3409 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
domain socket, for example:
management /tmp/openvpn unix
Also added management-client-user and management-client-group
directives to control which processes are allowed to connect
to the socket.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3396 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
was incorrectly expecting the lladdr parameter to be an IP address
when it is actually a MAC address (HoverHell).
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3339 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
from server (rather than only IP address) for --ifconfig, --route, and
--route-gateway. OpenVPN versions 2.1_rc7 and earlier allowed DNS names
for these options to be pulled and translated to IP addresses by default.
Now --allow-pull-fqdn will be explicitly required on the client to enable
DNS-name-to-IP-address translation of pulled options.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3307 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Fixed separate compile errors in options.c and ntlm.c that occur
on strict C compilers (such as old versions of gcc) that require
that C variable declarations occur at the start of a {} block,
not in the middle.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3219 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
DHCP proxy mode: Configure server mode for ethernet
bridging using a DHCP-proxy, where clients talk to the
OpenVPN server-side DHCP server to receive their IP address
allocation and DNS server addresses.
Added "--route-gateway dhcp", to enable the extraction
of the gateway address from a DHCP negotiation with the
OpenVPN server-side LAN.
Modified client.conf and server.conf to reflect new option
modes.
Incremented version to 2.1_rc9a.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3164 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
by client from server. Fixes --iproute vulnerability.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3126 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
* All external programs and scripts are now called by execve() on unix and
CreateProcess on Windows.
* The system() function is no longer used.
* Argument lists for external programs and scripts are now built by the new
argv_printf function which natively outputs to string arrays (i.e.
char *argv[] lists), never truncates its output, and eliminates the security
issues inherent in formatting and parsing command lines, and dealing with
argument quoting.
* The --script-security directive has been added to offer policy controls on
OpenVPN's execution of external programs and scripts.
Also added a new plugin example (openvpn/plugin/examples/log.c) that logs
information to stdout for every plugin method called by OpenVPN.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3122 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
used in the config file parser.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3078 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3048 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2995 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
http://svn.openvpn.net/projects/openvpn/test/conn
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2993 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Added client authentication and packet filtering capability
to management interface.
Extended packet filtering capability to work on both --dev tun
and --dev tap tunnels.
Updated valgrind-suppress file.
Made "Linux ip addr del failed" error nonfatal.
Amplified --client-cert-not-required warning.
Added #pragma pack to proto.h.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2991 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Support asynchronous authentication by plugins by allowing
OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY to return
OPENVPN_PLUGIN_FUNC_DEFERRED. See comments in
openvpn-plugin.h for documentation. Enabled by ENABLE_DEF_AUTH.
Added a simple packet filter functionality that can be driven by
a plugin. See comments in openvpn-plugin.h for documentation.
Enabled by ENABLE_PF.
See openvpn/plugin/defer/simple.c for examples of ENABLE_DEF_AUTH
and ENABLE_PF.
"TLS Error: local/remote TLS keys are out of sync" is no longer a
fatal error for TCP-based sessions, since the error can arise
normally in the course of deferred authentication. In a related
change, allow packet-id sequence to begin at some number n > 0 for
TCP sessions, rather than strictly requiring sequence to begin
at 1.
Added a test to configure.ac for LoadLibrary function on Windows.
Modified "make dist" function to include all files from
install-win32 so that ./domake-win can be run from a
tarball-expanded directory.
setenv and setenv-safe directives may now omit a value argument
which defaults to "".
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2978 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2959 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2664 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
passwords when management session disconnects (Alon Bar-Lev).
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2652 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
by allowing openvpn --mktun to be used with --user and --group
to set the UID/GID of the tun device node. Also added --iproute
option to allow an alternative command to be executed in place
of the default iproute2 command (Alon Bar-Lev).
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2639 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
from https://www.opensc-project.org/pkcs11-helper (Alon Bar-Lev).
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2418 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
quoted strings using single quotes ('') (Alon Bar-Lev).
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2414 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
interface disconnects (Alon Bar-Lev).
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2413 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Added new settings to settings.in to better control
build process.
Removed some unneeded JYFIXMEs from source code.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@1874 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@1749 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
of 5 seconds to deal with an apparent routing table race
condition on Vista.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@1747 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
when ./configure --enable-strict is used.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@1040 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
parameter to --inactive directive.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@1036 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
for the tap interface on non-Windows platforms (Roy Marples).
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@1012 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
for --route (Roy Marples).
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@1011 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
it into QCA (Qt Cryptographic Architecture), so that KDE 4 will finally be
able to use smartcards.
The changes allows the following features:
1. Thread safe, is activated if USE_PTHREAD.
2. Slot event - Will allow us in the future to disconnect VPN when smartcard
is removed. In order to support this OpenVPN must support threading... At
least SIGUSR1 from a different thread. Threading should be supported in both
Windows and Linux. -- currently disabled.
When I talk about threading support it is just support in configuration script
and that the method that SIGUSR1 self can be called from a different thread.
I already handle the monitor threads.
3. Certificate enumeration - Will allow us to finally have one configuration
file for all users! When you add the plugin GUI stuff you talked about, we will
be able to display a list of available certificates for the user to select.
-- currently disabled.
4. Data object manipulation - Will allow us to store tls-auth on the smartcard
as well. -- currently disabled.
5. Many other minor improvements.
Alon Bar-Lev
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@990 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
malicious or compromised server could potentially receive
"setenv" configuration directives from the server which could
cause arbitrary code execution on the client via a LD_PRELOAD
attack. A successful attack appears to require that (a) the
client has agreed to allow the server to push configuration
directives to it by including "pull" or the macro "client" in
its configuration file, (b) the client configuration file uses
a scripting directive such as "up" or "down", (c) the client
succesfully authenticates the server, (d) the server is
malicious or has been compromised and is under the control of
the attacker, and (e) the attacker has at least some level of
pre-existing control over files on the client (this might be
accomplished by having the server respond to a client web request
with a specially crafted file).
The fix is to disallow "setenv" to be pushed to clients from
the server, and to add a new directive "setenv-safe" which is
pushable from the server, but which appends "OPENVPN_" to the
name of each remotely set environmental variable.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@983 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
https://svn.openvpn.net/projects/openvpn/contrib/alon/BETA21 21
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@894 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
server to share the same port number.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@893 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
by writing IP addr and port to a file.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@885 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
management GUI app rather than be connected to as a server.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@884 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
--ip-win32 adaptive and --route-method adaptive.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@859 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
which tries IP helper API first, then falls back to
route.exe.
Made --route-method adaptive the default.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@858 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
--ip-win32 netsh (or --ip-win32 adaptive when in netsh
mode) can now set DNS/WINS addresses on the TAP-Win32
adapter.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@857 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@855 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
proxy settings (currently Windows only).
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@850 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Windows-only at this point. Proxy settings
are taken from IE.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@846 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
--secret and --tls-auth. For example:
<secret>
[ascii key data]
</secret>
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@844 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
on TCP client connection attempts (doesn't work on all
OSes). This patch also makes OpenVPN signalable during
TCP connection attempts.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@823 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
To use new adaptive mode, set explicitly.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@805 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@798 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
--remote-cert-tls from Alon's branch:
svn merge -r 793:796 $SO/contrib/alon/BETA21/openvpn .
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@797 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
connect-retry-max option from
/contrib/alon/BETA21@783.
Added uninit_management_callback call to
init_instance_handle_signals so that
signals thrown during initialization can
bring us back to a management hold.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@786 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Allow plugin and push directives to have multiple
parameters specified instead of only 1 quoted
parameter.
Allow plugin and push directives to have multi-line
parameter lists, such as:
<plugin>
my-plugin.so
parm1
parm2
</plugin>
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@785 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@784 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@768 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@767 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Merged with https://svn.openvpn.net/projects/openvpn/contrib/alon/BETA21@752
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@753 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Security fixes from 2.0.3
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@740 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
* Added code to make sure that the local PATH environmental
variable points to the Windows system32 directory.
* Added new --ip-win32 adaptive mode which tries 'dynamic'
and then fails over to 'netsh' if the DHCP negotiation fails.
* Made --ip-win32 adaptive the default.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@739 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@689 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
https://svn.openvpn.net/projects/openvpn/contrib/alon/BETA21/openvpn@645
Pre-2.1_beta5
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@648 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Added --bind option for TCP client connections (Ewan Bhamrah Harley).
Pre-2.1-beta3
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@623 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Merged --multihome patch + aggregated sockflags.
Pre-2.1_beta3
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@622 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
svn merge -r 616:617 $SO/patches/2.0.x-r599-capath/openvpn
Pre-2.1_beta3
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@621 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
used at the same time as --pkcs12, the CA certificate is loaded
from the file specified by --ca regardless if the pkcs12 file
contains a CA cert or not (Mathias Sundman).
Pre-2.1-beta3
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@612 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
pre-2.1_beta3
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@607 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Pre-2.1_beta3
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@604 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@601 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@588 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@581 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
It includes the --topology feature, and
TAP-Win32 driver changes to allow
non-admin access.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@580 e7ae566f-a301-0410-adde-c780ea21d3b5
|
