| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
The GNU C compiler warned about a potential issue with an if()
expression missing an extra set of parentheses.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Peter Stuge <peter@stuge.se>
|
|
These code paths was practically not needed with no locking mechanisms
enabled and was just bloating the source code.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: James Yonan <james@openvpn.net>
|
|
This code was not activated at all, and hard coded as disabled in syshead.h
with this code snippet:
/*
* Pthread support is currently experimental (and quite unfinished).
*/
#if 1 /* JYFIXME -- if defined, disable pthread */
#undef USE_PTHREAD
#endif
So no matter if --enable-pthread when running ./configure or not, this feature
was never enabled in reality. Further, by removing the blocker code above made
OpenVPN uncompilable in the current state.
As the threading part needs to be completely rewritten and pthreading will not be
supported in OpenVPN 2.x, removing this code seems most reasonable.
In addition, a lot of mutex locking code was also removed, as they were practically
NOP functions, due to pthreading being forcefully disabled
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: James Yonan <james@openvpn.net>
|
|
This comes in addition to commit 935c62be9c0c8a256112d after some
additional review comments.
Signed-off-by: Emilien Mantel <emilien.mantel@businessdecision.com>
Acked-by: Peter Stuge <peter@stuge.se>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
For my company, we use a PKI (linked to a LDAP) with OpenVPN. We can't use "CN" to be
username (few people can have the same "CN"). In our case, we only use the UID.
With my patch, you can choose another field to be username with a new option called
--x509-username-field, the default value is "CN".
Signed-off-by: Emilien Mantel <emilien.mantel@businessdecision.com>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
This patch fixes two bugs introduced in
commit 339f2a4d4b487afa53fa99d72c35b16f31e417d3
Author: David Sommerseth <dazo@users.sourceforge.net>
Date: Thu Apr 29 23:35:45 2010 +0200
David's patch replaced openvpn_execve() with openvpn_run_script() in two places,
but didn't adjust the return value handling. openvpn_run_script() returns true
or false, while openvpn_execve() returns the program's exit code.
Without the fix, the --tls-verify script and the --auth-user-pass-verify
script fail to run. (I noticed the latter, but haven't actually tested the
former.)
The return value handling is fine for the other places where
openvpn_run_script() is used, because those places previously used
openvpn_execve_check() (notice the "_check" suffix).
Signed-off-by: Fabian Knittel <fabian.knittel@avona.com>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
The main task of this patch is to avoid reporting the SCRIPT_SECURITY_WARNING
over and over again, in addition to not show this warning when it should not
be a problem. This general warning should now only appear once, and only when
--script-security is not set, 0 or 1. In all other cases this warning should
not appear.
In addition, this warning will come close to the script-hook which most probably
will fail. It will also give a little bit more concrete hint on which script-hook
which failed. If --script-security is 2 or 3, only the execve failure itself will
be shown. This message will on the other hand be shown repeatedly.
This is a new rewritten version which simplifies the implementaion of the new
openvpn_run_script() function. It was considered to remove it completely, but
due to code clearity and easy of use it was decided to make this function a static
inline function instead. Anyhow, this function will enforce openvpn_execve_check()
to be called with the S_SCRIPT flag.
Patch ACKed on the developers meeting 2009-04-29.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: James Yonan <james@openvpn.net>
|
|
It should be nice to enhance tls-verify check possibilities against peer
cert during a pending TLS connection like :
- OCSP verification
- check any X509 extensions of the peer certificate
- delta CRL verification
- ...
This patch add a new "tls-export-cert" option which allow to get peer
certificate in PEM format and to store it in an openvpn temporary file.
Peer certificate is stored before tls-script execution and deleted after.
The name of the related temporary file is available under tls-verify
script by an environment variable "peer_cert".
The patch was made from OpenVPN svn Beta21 branches.
Here is a very simple exemple of Tls-verify script which provide OCSP
support to OpenVPN (with tls-export-cert option) without any OpenVPN
"core" modification :
X509=$2
openssl ocsp \
-issuer /etc/openvpn/ssl.crt/RootCA.pem \
-CAfile /etc/openvpn/ssl.capath/OpenVPNServeur-cafile.pem \
-cert $peer_cert \
-url http://your-ocsp-url
if [ $? -ne 0 ]
then
echo "error : OCSP check failed for ${X509}" | logger -t
"tls-verify"
exit 1
fi
This has been discussed here:
<http://thread.gmane.org/gmane.network.openvpn.devel/2492>
<http://thread.gmane.org/gmane.network.openvpn.devel/3150>
<http://thread.gmane.org/gmane.network.openvpn.devel/3217>
This patch has been modified by David Sommerseth, by fixing a few issues
which came up to during the code review process. The man page has been
updated and tmp_file in ssl.c is checked for not being NULL before calling
delete_file().
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
|
|
to the client when a bad password is given for mid-session reauth.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5369 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
make it a hard failure, rather than just a warning.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5159 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
renegotiations -- this is similer to how the common name is also
locked.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5105 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
renegotiations -- this is similer to how the common name is also
locked.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5098 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
when an AUTH_FAILED message is returned to the client. This
string can be set by the server-side managment interface and read
by the client-side management interface.
For more info, see management/management-notes.txt, and look for
references to "client-reason-text".
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5012 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
to clients, including routes. Previously, all pushed options needed
to fit within a 1024 byte options string.
Remember that to make use of this feature to allow many routes to
be pushed to clients, the client config file must specify the
max-routes option, and the number of pushed routes cannot exceed
this limit. Also, both server and client must include this commit.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4991 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4477 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
functionality (Alon Bar-Lev).
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4475 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
compilers.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3903 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
with options that are incompatible with those of the server
will be disconnected.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3505 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
and username strings to include any printable character including
space, but excluding control characters such as tab, newline, and
carriage-return.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3467 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
connections by clients that do not specify a username/password, when a
user-defined authentication script/module is in place (via
--auth-user-pass-verify, --management-client-auth, or a plugin module).
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3461 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
X509_{cert_depth}_{name}={value}
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3459 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
deferred authentication.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3457 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Telethra to OpenVPN Technologies.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3409 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
deferred authentication features in 2.1_rc8.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3316 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
arguments since all scripts were called by system().
The security hardening changes made to 2.1_rc9 no longer
use system(), but rather use the safer execve or CreateProcess
system calls. The security hardening also introduced a
backward incompatibility with 2.1_rc8 and earlier in that
script parameters were no longer shell-expanded, so
for example:
client-connect "docc CLIENT-CONNECT"
would fail to work because execve would try to execute
a script called "docc CLIENT-CONNECT" instead of "docc"
with "CLIENT-CONNECT" as the first argument.
This patch fixes the issue, bringing the script argument
semantics back to pre 2.1_rc9 behavior in order to preserve
backward compatibility while still using execve or CreateProcess
to execute the script/executable.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3311 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
the new implementation of extract_x509_field_ssl depends on.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3220 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
* All external programs and scripts are now called by execve() on unix and
CreateProcess on Windows.
* The system() function is no longer used.
* Argument lists for external programs and scripts are now built by the new
argv_printf function which natively outputs to string arrays (i.e.
char *argv[] lists), never truncates its output, and eliminates the security
issues inherent in formatting and parsing command lines, and dealing with
argument quoting.
* The --script-security directive has been added to offer policy controls on
OpenVPN's execution of external programs and scripts.
Also added a new plugin example (openvpn/plugin/examples/log.c) that logs
information to stdout for every plugin method called by OpenVPN.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3122 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
success/error, and any truncation of output due to an insufficiently
large output buffer will be cause for error.
In verify_callback, read X509 Subject Name without truncation.
In verify_callback, rather than silently truncating Common Name at
64 bytes, throw an error if Common Name is larger than 64 bytes.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3084 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
before calling user-defined scripts, to preclude the chance of a leading
dash being interpreted as an option prefix.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3083 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3066 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3048 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2995 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Added client authentication and packet filtering capability
to management interface.
Extended packet filtering capability to work on both --dev tun
and --dev tap tunnels.
Updated valgrind-suppress file.
Made "Linux ip addr del failed" error nonfatal.
Amplified --client-cert-not-required warning.
Added #pragma pack to proto.h.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2991 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
would fail on the first field of the subject name, such as
the common name in:
/CN=foo/emailAddress=foo@bar.com
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2980 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Support asynchronous authentication by plugins by allowing
OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY to return
OPENVPN_PLUGIN_FUNC_DEFERRED. See comments in
openvpn-plugin.h for documentation. Enabled by ENABLE_DEF_AUTH.
Added a simple packet filter functionality that can be driven by
a plugin. See comments in openvpn-plugin.h for documentation.
Enabled by ENABLE_PF.
See openvpn/plugin/defer/simple.c for examples of ENABLE_DEF_AUTH
and ENABLE_PF.
"TLS Error: local/remote TLS keys are out of sync" is no longer a
fatal error for TCP-based sessions, since the error can arise
normally in the course of deferred authentication. In a related
change, allow packet-id sequence to begin at some number n > 0 for
TCP sessions, rather than strictly requiring sequence to begin
at 1.
Added a test to configure.ac for LoadLibrary function on Windows.
Modified "make dist" function to include all files from
install-win32 so that ./domake-win can be run from a
tarball-expanded directory.
setenv and setenv-safe directives may now omit a value argument
which defaults to "".
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2978 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY plugin handler.
See documentation in openvpn-plugin.h and example
usage in plugin/defer/simple.c.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2969 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2959 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
in early versions of OpenSSL 0.9.6. Now we will fall
back to the old function extract_x509_field for OpenSSL
0.9.6.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2749 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
to allow forward slash characters ("/") in the X509 common name
(Pavel Shramov).
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2638 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
first being checked against NULL.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2635 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
from https://www.opensc-project.org/pkcs11-helper (Alon Bar-Lev).
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2418 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
with some argument ARG, then -ARG will be appended to the
username string that is sent to the server.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2259 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Implemented AUTO_USERID using
MD5(MAC address(primary network adapter)).
Currently implemented for Linux and Windows.
Basically if ENABLE_AUTO_USERID is defined,
the --auth-user-pass option will not prompt
for username/password, but will rather generate
a unique username and blank password.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@1459 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
back in r893 which causes TLS soft resets
(1 per hour by default) in TCP server mode to force
a blockage of tunnel packets and later time-out and
restart the connection.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@1076 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
-r 1046:1053 https://svn.openvpn.net/projects/openvpn/contrib/alon/BETA21
1. Modified ssl.c to not FATAL and return to init.c so auth-retry will work.
2. Modifed pkcs11-helper.c to fix some problem with multiple providers.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@1070 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
it into QCA (Qt Cryptographic Architecture), so that KDE 4 will finally be
able to use smartcards.
The changes allows the following features:
1. Thread safe, is activated if USE_PTHREAD.
2. Slot event - Will allow us in the future to disconnect VPN when smartcard
is removed. In order to support this OpenVPN must support threading... At
least SIGUSR1 from a different thread. Threading should be supported in both
Windows and Linux. -- currently disabled.
When I talk about threading support it is just support in configuration script
and that the method that SIGUSR1 self can be called from a different thread.
I already handle the monitor threads.
3. Certificate enumeration - Will allow us to finally have one configuration
file for all users! When you add the plugin GUI stuff you talked about, we will
be able to display a list of available certificates for the user to select.
-- currently disabled.
4. Data object manipulation - Will allow us to store tls-auth on the smartcard
as well. -- currently disabled.
5. Many other minor improvements.
Alon Bar-Lev
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@990 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
server to share the same port number.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@893 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@862 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@855 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
--remote-cert-tls from Alon's branch:
svn merge -r 793:796 $SO/contrib/alon/BETA21/openvpn .
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@797 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@784 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Merged with https://svn.openvpn.net/projects/openvpn/contrib/alon/BETA21@752
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@753 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
* Added code to make sure that the local PATH environmental
variable points to the Windows system32 directory.
* Added new --ip-win32 adaptive mode which tries 'dynamic'
and then fails over to 'netsh' if the DHCP negotiation fails.
* Made --ip-win32 adaptive the default.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@739 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@717 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
in the management interface (Rolf Fokkens).
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@701 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@689 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
https://svn.openvpn.net/projects/openvpn/contrib/alon/BETA21/openvpn@645
Pre-2.1_beta5
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@648 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
--capath fix in ssl.c
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@641 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Merged --multihome patch + aggregated sockflags.
Pre-2.1_beta3
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@622 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
svn merge -r 616:617 $SO/patches/2.0.x-r599-capath/openvpn
Pre-2.1_beta3
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@621 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
used at the same time as --pkcs12, the CA certificate is loaded
from the file specified by --ca regardless if the pkcs12 file
contains a CA cert or not (Mathias Sundman).
Pre-2.1-beta3
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@612 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Pre-2.1_beta3
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@604 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@581 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
It includes the --topology feature, and
TAP-Win32 driver changes to allow
non-admin access.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@580 e7ae566f-a301-0410-adde-c780ea21d3b5
|
