aboutsummaryrefslogtreecommitdiff
path: root/ssl.c (follow)
AgeCommit message (Collapse)AuthorFilesLines
2011-01-06Fix compiler warning when compiling against OpenSSL 1.0.0David Sommerseth1-1/+1
The declaration of SSL_get_current_cipher() has changed to be return a const value. And this makes compilers a little bit grumpy. gcc: ssl.c: In function ‘print_details’: ssl.c:1918: warning: assignment discards qualifiers from pointer target type Visual C: ssl.c (1918): warning C4019: '=' : different 'const' qualifiers Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit 7bd3cea4c2f2aa8ed1bf548a3233ae2c3619d47d)
2010-12-17Make the --x509-username-field feature an opt-in featureDavid Sommerseth1-0/+4
After some discussion [1] regarding an extension of this feature, James Yonan wanted this extension to be an opt-in feature. However, as it does not make sense to opt-in on a extension of a feature which was discussed, this patch makes the base feature an opt-in instead. The base feature comes from commit 2e8337de248ef0b5b48cbb2964 (beta2.2) and commit 935c62be9c0c8a256112 (feat_misc). [1] http://thread.gmane.org/gmane.network.openvpn.devel/4266 Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: James Yonan <james@openvpn.net> (cherry picked from commit 024972e2ced84c6e5cabc43620ab510e5693d1d4)
2010-11-18Merge branch 'feat_misc' into beta2.2David Sommerseth1-5/+0
Conflicts: acinclude.m4 config-win32.h configure.ac misc.c thread.c thread.h - These conflicts was mainly due to feat_misc getting old and mostly caused by the pthread clean-up patches in feat_misc Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-11-18Merge branch 'bugfix2.1' into beta2.2David Sommerseth1-2/+2
2010-11-18Fixed potential misinterpretation of boolean logicDavid Sommerseth1-1/+1
The GNU C compiler warned about a potential issue with an if() expression missing an extra set of parentheses. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Peter Stuge <peter@stuge.se>
2010-11-18Merge branch 'svn-BETA21' into bugfix2.1David Sommerseth1-2/+2
2010-11-16In verify_callback, the subject var should be freed by OPENSSL_free,James Yonan1-2/+2
not free, since it is allocated by OpenSSL. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6655 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-11-14Clean-up: Remove more dead and inactive code pathsDavid Sommerseth1-4/+0
These code paths was practically not needed with no locking mechanisms enabled and was just bloating the source code. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
2010-11-14Clean-up: Remove pthread and mutex locking codeDavid Sommerseth1-1/+0
This code was not activated at all, and hard coded as disabled in syshead.h with this code snippet: /* * Pthread support is currently experimental (and quite unfinished). */ #if 1 /* JYFIXME -- if defined, disable pthread */ #undef USE_PTHREAD #endif So no matter if --enable-pthread when running ./configure or not, this feature was never enabled in reality. Further, by removing the blocker code above made OpenVPN uncompilable in the current state. As the threading part needs to be completely rewritten and pthreading will not be supported in OpenVPN 2.x, removing this code seems most reasonable. In addition, a lot of mutex locking code was also removed, as they were practically NOP functions, due to pthreading being forcefully disabled Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
2010-11-13Merge branch 'svn-BETA21' into beta2.2David Sommerseth1-0/+27
Conflicts: version.m4 - Reset version.m4 to a more neutral version number Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-11-13Merge branch 'svn-BETA21' into bugfix2.1David Sommerseth1-0/+27
2010-10-24Implement challenge/response authentication support in client mode,James Yonan1-0/+27
where credentials are entered from stdin. This capability is compiled when ENABLE_CLIENT_CR is defined in syshead.h (enabled by default). Challenge/response support was previously implemented for creds that are queried via the management interface. In this case, the challenge message will be returned as a custom client-reason-text string (see management-notes.txt for more info) on auth failure. Also, see the comments in misc.c above get_auth_challenge() for info on the OpenVPN challenge/response protocol. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6568 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-10-21Fixed compiler warning in ssl.cDavid Sommerseth1-2/+2
James Yonan noticed a couple of compiler warnings when compiling with --enable-strict configured. This patch was sent directly to him for review and got accepted. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
2010-10-21Solved hidden merge conflict between feat_misc and bugfix2.1David Sommerseth1-1/+1
The OCSP patch (commit a3982181e284f8c5c8f, feat_misc) introduced a new function which was calling create_temp_filename(). When merging in bugfix2.1 into allmerged, create_temp_filename() got renamed to create_temp_file() in commit 5d30273a8741d2c141. This patch only changes create_temp_filename() to create_temp_file() in the new function introduced by commit a3982181e284f8c5c8f. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> (cherry picked from commit 926d1662e4d9e14b50eddec993b2f4e0209c0646)
2010-10-21Fixed static defined length check to use sizeof()Emilien Mantel1-1/+1
This comes in addition to commit 935c62be9c0c8a256112d after some additional review comments. Signed-off-by: Emilien Mantel <emilien.mantel@businessdecision.com> Acked-by: Peter Stuge <peter@stuge.se> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-10-21Choose a different field in X509 to be usernameEmilien Mantel1-12/+17
For my company, we use a PKI (linked to a LDAP) with OpenVPN. We can't use "CN" to be username (few people can have the same "CN"). In our case, we only use the UID. With my patch, you can choose another field to be username with a new option called --x509-username-field, the default value is "CN". Signed-off-by: Emilien Mantel <emilien.mantel@businessdecision.com> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-10-21ssl.c: fix use of openvpn_run_script()'s return valueFabian Knittel1-13/+5
This patch fixes two bugs introduced in commit 339f2a4d4b487afa53fa99d72c35b16f31e417d3 Author: David Sommerseth <dazo@users.sourceforge.net> Date: Thu Apr 29 23:35:45 2010 +0200 David's patch replaced openvpn_execve() with openvpn_run_script() in two places, but didn't adjust the return value handling. openvpn_run_script() returns true or false, while openvpn_execve() returns the program's exit code. Without the fix, the --tls-verify script and the --auth-user-pass-verify script fail to run. (I noticed the latter, but haven't actually tested the former.) The return value handling is fine for the other places where openvpn_run_script() is used, because those places previously used openvpn_execve_check() (notice the "_check" suffix). Signed-off-by: Fabian Knittel <fabian.knittel@avona.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
2010-10-21Revamped the script-security warning logging (version 2)David Sommerseth1-2/+2
The main task of this patch is to avoid reporting the SCRIPT_SECURITY_WARNING over and over again, in addition to not show this warning when it should not be a problem. This general warning should now only appear once, and only when --script-security is not set, 0 or 1. In all other cases this warning should not appear. In addition, this warning will come close to the script-hook which most probably will fail. It will also give a little bit more concrete hint on which script-hook which failed. If --script-security is 2 or 3, only the execve failure itself will be shown. This message will on the other hand be shown repeatedly. This is a new rewritten version which simplifies the implementaion of the new openvpn_run_script() function. It was considered to remove it completely, but due to code clearity and easy of use it was decided to make this function a static inline function instead. Anyhow, this function will enforce openvpn_execve_check() to be called with the S_SCRIPT flag. Patch ACKed on the developers meeting 2009-04-29. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
2010-10-21enhance tls-verify possibilityMathieu GIANNECCHINI1-0/+61
It should be nice to enhance tls-verify check possibilities against peer cert during a pending TLS connection like : - OCSP verification - check any X509 extensions of the peer certificate - delta CRL verification - ... This patch add a new "tls-export-cert" option which allow to get peer certificate in PEM format and to store it in an openvpn temporary file. Peer certificate is stored before tls-script execution and deleted after. The name of the related temporary file is available under tls-verify script by an environment variable "peer_cert". The patch was made from OpenVPN svn Beta21 branches. Here is a very simple exemple of Tls-verify script which provide OCSP support to OpenVPN (with tls-export-cert option) without any OpenVPN "core" modification : X509=$2 openssl ocsp \ -issuer /etc/openvpn/ssl.crt/RootCA.pem \ -CAfile /etc/openvpn/ssl.capath/OpenVPNServeur-cafile.pem \ -cert $peer_cert \ -url http://your-ocsp-url if [ $? -ne 0 ] then echo "error : OCSP check failed for ${X509}" | logger -t "tls-verify" exit 1 fi This has been discussed here: <http://thread.gmane.org/gmane.network.openvpn.devel/2492> <http://thread.gmane.org/gmane.network.openvpn.devel/3150> <http://thread.gmane.org/gmane.network.openvpn.devel/3217> This patch has been modified by David Sommerseth, by fixing a few issues which came up to during the code review process. The man page has been updated and tmp_file in ssl.c is checked for not being NULL before calling delete_file(). Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
2010-10-21Reworked the eurephia patch for inclusion to the openvpn-testing treeDavid Sommerseth1-0/+14
Addedd configure option (--disable-eurephia) to disable the code which the eurephia plug-in depends on. It was chosen to use --disable-eurephia, as this patch is not much intrusive. It just enables a SHA1 fingerprint environment variable for each certificate being used for the connection. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-10-21Fixes openssl-1.0.0 compilation warningchantra1-3/+3
When compiling against OpenSSL v1.0.0, the following compiler warnings appears. ssl.c: In function ‘verify_callback’: ssl.c:944: warning: passing argument 1 of ‘sk_num’ from incompatible pointer type /usr/include/openssl/stack.h:79: note: expected ‘const struct _STACK *’ but argument is of type ‘struct stack_st_X509_REVOKED *’ ssl.c:947: warning: passing argument 1 of ‘sk_value’ from incompatible pointer type /usr/include/openssl/stack.h:80: note: expected ‘const struct _STACK *’ but argument is of type ‘struct stack_st_X509_REVOKED *’ ssl.c: In function ‘init_ssl’: ssl.c:1565: warning: passing argument 1 of ‘sk_num’ from incompatible pointer type /usr/include/openssl/stack.h:79: note: expected ‘const struct _STACK *’ but argument is of type ‘struct stack_st_X509 *’ ssl.c: In function ‘print_details’: ssl.c:1766: warning: assignment discards qualifiers from pointer target type Trac ticket #5 https://community.openvpn.net/openvpn/ticket/5 Signed-off-by: chantra <chantra@debuntu.org> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-10-21Fix certificate serial number exportDavide Brini1-3/+24
contrib/OCSP_check/OCSP_check.sh: New barebone script to demonstrate how to use $tls_serial_{n} to perform simple OCSP queries using OpenSSL command line "openssl ocsp". Minimal sanity checks to fail if user tries to use it without customizing. openvpn.8: Added some notes about $tls_serial_{n} format and usage to the existing description. ssl.c: correctly manage and export serial numbers of any size (as parsed by OpenSSL) into the environment. Set to empty string in case of errors, as 0 and negative numbers are all possible (although illegal) certificate serial numbers. Use an OpenSSL BIO object to do the job. Conforms to coding style guidelines. See the discussion at http://article.gmane.org/gmane.network.openvpn.devel/3588 for more details. Signed-off-by: Davide Brini <dave_br@gmx.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
2010-10-21Fixed potential NULL pointer issueDavid Sommerseth1-1/+1
If create_temp_file() returns NULL, this strlen() check would cause a SEGV. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
2010-10-21Renamed all calls to create_temp_filename()David Sommerseth1-15/+21
All places where create_temp_filename() was called are now calling create_temp_file(). Extra checks on the result of create_temp_file() is added in addition. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
2010-10-21Make use of counter_type instead of int when counting bytes and network packetsDavid Sommerseth1-1/+2
This is in response to a reported Debian bug, where the connection counter overflows. <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=576827> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
2010-08-29Allow PKCS12 file content to be included inline in configuration file,James Yonan1-10/+32
rendered as base64. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6412 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-07-27Fixed an issue where application payload transmissions on theJames Yonan1-0/+22
TLS control channel (such as AUTH_FAILED) that occur during or immediately after a TLS renegotiation might be dropped. Version 2.1.1n git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6350 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-06-26Fixed static defined length check to use sizeof()Emilien Mantel1-1/+1
This comes in addition to commit 935c62be9c0c8a256112d after some additional review comments. Signed-off-by: Emilien Mantel <emilien.mantel@businessdecision.com> Acked-by: Peter Stuge <peter@stuge.se> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-06-17Choose a different field in X509 to be usernameEmilien Mantel1-12/+17
For my company, we use a PKI (linked to a LDAP) with OpenVPN. We can't use "CN" to be username (few people can have the same "CN"). In our case, we only use the UID. With my patch, you can choose another field to be username with a new option called --x509-username-field, the default value is "CN". Signed-off-by: Emilien Mantel <emilien.mantel@businessdecision.com> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-06-01Implemented a key/value auth channel from client to server.James Yonan1-2/+122
Version 2.1.1i git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5668 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-05-04ssl.c: fix use of openvpn_run_script()'s return valueFabian Knittel1-13/+5
This patch fixes two bugs introduced in commit 339f2a4d4b487afa53fa99d72c35b16f31e417d3 Author: David Sommerseth <dazo@users.sourceforge.net> Date: Thu Apr 29 23:35:45 2010 +0200 David's patch replaced openvpn_execve() with openvpn_run_script() in two places, but didn't adjust the return value handling. openvpn_run_script() returns true or false, while openvpn_execve() returns the program's exit code. Without the fix, the --tls-verify script and the --auth-user-pass-verify script fail to run. (I noticed the latter, but haven't actually tested the former.) The return value handling is fine for the other places where openvpn_run_script() is used, because those places previously used openvpn_execve_check() (notice the "_check" suffix). Signed-off-by: Fabian Knittel <fabian.knittel@avona.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
2010-04-29Revamped the script-security warning logging (version 2)David Sommerseth1-2/+2
The main task of this patch is to avoid reporting the SCRIPT_SECURITY_WARNING over and over again, in addition to not show this warning when it should not be a problem. This general warning should now only appear once, and only when --script-security is not set, 0 or 1. In all other cases this warning should not appear. In addition, this warning will come close to the script-hook which most probably will fail. It will also give a little bit more concrete hint on which script-hook which failed. If --script-security is 2 or 3, only the execve failure itself will be shown. This message will on the other hand be shown repeatedly. This is a new rewritten version which simplifies the implementaion of the new openvpn_run_script() function. It was considered to remove it completely, but due to code clearity and easy of use it was decided to make this function a static inline function instead. Anyhow, this function will enforce openvpn_execve_check() to be called with the S_SCRIPT flag. Patch ACKed on the developers meeting 2009-04-29. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
2010-04-28Updated copyright date to 2010.James Yonan1-1/+1
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5599 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-03-12Modified ">PASSWORD:Verification Failed" management interfaceJames Yonan1-1/+1
notification to include a client reason string: >PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING'] git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5468 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-03-06Fixed an issue where if reneg-sec was set to 0 on the client,James Yonan1-2/+5
so that the server-side value would take precedence, the auth_deferred_expire_window function would incorrectly return a window period of 0 seconds. In this case, the correct window period should be the handshake window period. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5464 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-03-02enhance tls-verify possibilityMathieu GIANNECCHINI1-0/+61
It should be nice to enhance tls-verify check possibilities against peer cert during a pending TLS connection like : - OCSP verification - check any X509 extensions of the peer certificate - delta CRL verification - ... This patch add a new "tls-export-cert" option which allow to get peer certificate in PEM format and to store it in an openvpn temporary file. Peer certificate is stored before tls-script execution and deleted after. The name of the related temporary file is available under tls-verify script by an environment variable "peer_cert". The patch was made from OpenVPN svn Beta21 branches. Here is a very simple exemple of Tls-verify script which provide OCSP support to OpenVPN (with tls-export-cert option) without any OpenVPN "core" modification : X509=$2 openssl ocsp \ -issuer /etc/openvpn/ssl.crt/RootCA.pem \ -CAfile /etc/openvpn/ssl.capath/OpenVPNServeur-cafile.pem \ -cert $peer_cert \ -url http://your-ocsp-url if [ $? -ne 0 ] then echo "error : OCSP check failed for ${X509}" | logger -t "tls-verify" exit 1 fi This has been discussed here: <http://thread.gmane.org/gmane.network.openvpn.devel/2492> <http://thread.gmane.org/gmane.network.openvpn.devel/3150> <http://thread.gmane.org/gmane.network.openvpn.devel/3217> This patch has been modified by David Sommerseth, by fixing a few issues which came up to during the code review process. The man page has been updated and tmp_file in ssl.c is checked for not being NULL before calling delete_file(). Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
2010-01-16Fixed an issue where AUTH_FAILED was not being properly deliveredjames1-0/+4
to the client when a bad password is given for mid-session reauth. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5369 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-11-13Increase MAX_CERT_DEPTH to 16 (from 8), and when exceeded,james1-1/+4
make it a hard failure, rather than just a warning. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5159 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-10-25On server, lock client-provided certs against mid-session TLSjames1-3/+134
renegotiations -- this is similer to how the common name is also locked. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5105 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-10-24On server, lock session username against changes in mid-session TLSjames1-2/+29
renegotiations -- this is similer to how the common name is also locked. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5098 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-09-29Added the ability for the server to provide a custom reason stringjames1-1/+18
when an AUTH_FAILED message is returned to the client. This string can be set by the server-side managment interface and read by the client-side management interface. For more info, see management/management-notes.txt, and look for references to "client-reason-text". git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5012 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-09-27Eliminated the limitation on the number of options that can be pushedjames1-3/+3
to clients, including routes. Previously, all pushed options needed to fit within a 1024 byte options string. Remember that to make use of this feature to allow many routes to be pushed to clients, the client config file must specify the max-routes option, and the number of pushed routes cannot exceed this limit. Also, both server and client must include this commit. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4991 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-05-30Update copyright to 2009.james1-1/+1
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4477 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-05-30Fixed issue of symbol conflicts interfering with Windows CryptoAPIjames1-4/+4
functionality (Alon Bar-Lev). git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4475 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-01-27Fixed issue involving an #ifdef in a macro reference that breaks early gccjames1-2/+5
compilers. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3903 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-11-18Added server-side --opt-verify option: clients that connectjames1-0/+5
with options that are incompatible with those of the server will be disconnected. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3505 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-10-31Added --no-name-remapping option to allow Common Name, X509 Subject,james1-3/+12
and username strings to include any printable character including space, but excluding control characters such as tab, newline, and carriage-return. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3467 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-10-28Added server-side --auth-user-pass-optional directive, to allowjames1-9/+12
connections by clients that do not specify a username/password, when a user-defined authentication script/module is in place (via --auth-user-pass-verify, --management-client-auth, or a plugin module). git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3461 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-10-28Save X509 Subject fields to environment, using the naming convention:james1-0/+54
X509_{cert_depth}_{name}={value} git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3459 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-10-27Fixed informational message in ssl.c to properly indicatejames1-1/+5
deferred authentication. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3457 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-10-06Copyright notice changed to reflect change in name ofjames1-1/+1
Telethra to OpenVPN Technologies. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3409 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-09-08Fixed bug in intra-session TLS key rollover that was introduced withjames1-18/+39
deferred authentication features in 2.1_rc8. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3316 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-09-062.1_rc8 and earlier did implicit shell expansion on scriptjames1-2/+2
arguments since all scripts were called by system(). The security hardening changes made to 2.1_rc9 no longer use system(), but rather use the safer execve or CreateProcess system calls. The security hardening also introduced a backward incompatibility with 2.1_rc8 and earlier in that script parameters were no longer shell-expanded, so for example: client-connect "docc CLIENT-CONNECT" would fail to work because execve would try to execute a script called "docc CLIENT-CONNECT" instead of "docc" with "CLIENT-CONNECT" as the first argument. This patch fixes the issue, bringing the script argument semantics back to pre 2.1_rc9 behavior in order to preserve backward compatibility while still using execve or CreateProcess to execute the script/executable. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3311 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-08-10Workaround bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8, whichjames1-2/+2
the new implementation of extract_x509_field_ssl depends on. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3220 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-07-26Completely revamped the system for calling external programs and scripts:james1-21/+19
* All external programs and scripts are now called by execve() on unix and CreateProcess on Windows. * The system() function is no longer used. * Argument lists for external programs and scripts are now built by the new argv_printf function which natively outputs to string arrays (i.e. char *argv[] lists), never truncates its output, and eliminates the security issues inherent in formatting and parsing command lines, and dealing with argument quoting. * The --script-security directive has been added to offer policy controls on OpenVPN's execution of external programs and scripts. Also added a new plugin example (openvpn/plugin/examples/log.c) that logs information to stdout for every plugin method called by OpenVPN. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3122 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-07-19Modified extract_x509_field_ssl to return a status value indicatingjames1-37/+41
success/error, and any truncation of output due to an insufficiently large output buffer will be cause for error. In verify_callback, read X509 Subject Name without truncation. In verify_callback, rather than silently truncating Common Name at 64 bytes, throw an error if Common Name is larger than 64 bytes. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3084 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-07-19Replace leading dash ('-') characters in an X509 name with underbars ('_')james1-0/+3
before calling user-defined scripts, to preclude the chance of a leading dash being interpreted as an option prefix. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3083 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-07-17Removed old version of extract_x509_field.james1-40/+0
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3066 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-07-14Copyright change OpenVPN Solutions LLC -> Telethra, Inc.james1-1/+1
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3048 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-06-11Updated copyright notice to 2008.james1-1/+1
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2995 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-06-11Updated version to 2.1_rc7e.james1-20/+154
Added client authentication and packet filtering capability to management interface. Extended packet filtering capability to work on both --dev tun and --dev tap tunnels. Updated valgrind-suppress file. Made "Linux ip addr del failed" error nonfatal. Amplified --client-cert-not-required warning. Added #pragma pack to proto.h. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2991 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-06-04Fixed an issue in extract_x509_field_ssl where the extractionjames1-1/+1
would fail on the first field of the subject name, such as the common name in: /CN=foo/emailAddress=foo@bar.com git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2980 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-06-04Incremented version to 2.1_rc7d.james1-32/+70
Support asynchronous authentication by plugins by allowing OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY to return OPENVPN_PLUGIN_FUNC_DEFERRED. See comments in openvpn-plugin.h for documentation. Enabled by ENABLE_DEF_AUTH. Added a simple packet filter functionality that can be driven by a plugin. See comments in openvpn-plugin.h for documentation. Enabled by ENABLE_PF. See openvpn/plugin/defer/simple.c for examples of ENABLE_DEF_AUTH and ENABLE_PF. "TLS Error: local/remote TLS keys are out of sync" is no longer a fatal error for TCP-based sessions, since the error can arise normally in the course of deferred authentication. In a related change, allow packet-id sequence to begin at some number n > 0 for TCP sessions, rather than strictly requiring sequence to begin at 1. Added a test to configure.ac for LoadLibrary function on Windows. Modified "make dist" function to include all files from install-win32 so that ./domake-win can be run from a tarball-expanded directory. setenv and setenv-safe directives may now omit a value argument which defaults to "". git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2978 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-05-24Support asynchronous/deferred authentication injames1-44/+157
OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY plugin handler. See documentation in openvpn-plugin.h and example usage in plugin/defer/simple.c. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2969 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-05-12Moved branch into official BETA21 position.james1-8/+2
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2959 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-02-17The new function extract_x509_field_ssl tends to breakjames1-1/+11
in early versions of OpenSSL 0.9.6. Now we will fall back to the old function extract_x509_field for OpenSSL 0.9.6. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2749 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-01-21Rewrote extract_x509_field and modified COMMON_NAME_CHAR_CLASSjames1-1/+47
to allow forward slash characters ("/") in the X509 common name (Pavel Shramov). git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2638 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-01-21Simple fix where options->ca_file was used withoutjames1-1/+1
first being checked against NULL. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2635 e7ae566f-a301-0410-adde-c780ea21d3b5
2007-10-22Use pkcs11-helper as external library, can be downloadedjames1-3/+5
from https://www.opensc-project.org/pkcs11-helper (Alon Bar-Lev). git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2418 e7ae566f-a301-0410-adde-c780ea21d3b5
2007-08-17AUTO_USERID feature -- if the auth-user-pass option is usedjames1-1/+1
with some argument ARG, then -ARG will be appended to the username string that is sent to the server. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2259 e7ae566f-a301-0410-adde-c780ea21d3b5
2006-11-13New try at AUTO_USERID.james1-1/+7
Implemented AUTO_USERID using MD5(MAC address(primary network adapter)). Currently implemented for Linux and Windows. Basically if ENABLE_AUTO_USERID is defined, the --auth-user-pass option will not prompt for username/password, but will rather generate a unique username and blank password. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@1459 e7ae566f-a301-0410-adde-c780ea21d3b5
2006-06-30Fixed bug introduced with the --port-share directivejames1-1/+1
back in r893 which causes TLS soft resets (1 per hour by default) in TCP server mode to force a blockage of tunnel packets and later time-out and restart the connection. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@1076 e7ae566f-a301-0410-adde-c780ea21d3b5
2006-06-29pkcs11 changes:james1-5/+8
-r 1046:1053 https://svn.openvpn.net/projects/openvpn/contrib/alon/BETA21 1. Modified ssl.c to not FATAL and return to init.c so auth-retry will work. 2. Modifed pkcs11-helper.c to fix some problem with multiple providers. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@1070 e7ae566f-a301-0410-adde-c780ea21d3b5
2006-04-05I've recently worked on a better version of pkcs11-helper. I've also mergedjames1-1/+1
it into QCA (Qt Cryptographic Architecture), so that KDE 4 will finally be able to use smartcards. The changes allows the following features: 1. Thread safe, is activated if USE_PTHREAD. 2. Slot event - Will allow us in the future to disconnect VPN when smartcard is removed. In order to support this OpenVPN must support threading... At least SIGUSR1 from a different thread. Threading should be supported in both Windows and Linux. -- currently disabled. When I talk about threading support it is just support in configuration script and that the method that SIGUSR1 self can be called from a different thread. I already handle the monitor threads. 3. Certificate enumeration - Will allow us to finally have one configuration file for all users! When you add the plugin GUI stuff you talked about, we will be able to display a list of available certificates for the user to select. -- currently disabled. 4. Data object manipulation - Will allow us to store tls-auth on the smartcard as well. -- currently disabled. 5. Many other minor improvements. Alon Bar-Lev git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@990 e7ae566f-a301-0410-adde-c780ea21d3b5
2006-02-16Added --port-share option for allowing OpenVPN and HTTPSjames1-2/+4
server to share the same port number. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@893 e7ae566f-a301-0410-adde-c780ea21d3b5
2005-12-28Added OPENVPN_PLUGIN_TLS_FINAL plugin callback.james1-1/+11
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@862 e7ae566f-a301-0410-adde-c780ea21d3b5
2005-12-14svn merge -r 845:854 $SO/trunk/openvpn .james1-2/+2
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@855 e7ae566f-a301-0410-adde-c780ea21d3b5
2005-11-12Merged --remote-cert-ku, --remote-cert-eku, andjames1-0/+117
--remote-cert-tls from Alon's branch: svn merge -r 793:796 $SO/contrib/alon/BETA21/openvpn . git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@797 e7ae566f-a301-0410-adde-c780ea21d3b5
2005-11-08Added ENABLE_INLINE_FILES feature.james1-22/+242
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@784 e7ae566f-a301-0410-adde-c780ea21d3b5
2005-11-01More PKCS#11 changes.james1-1/+1
Merged with https://svn.openvpn.net/projects/openvpn/contrib/alon/BETA21@752 git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@753 e7ae566f-a301-0410-adde-c780ea21d3b5
2005-10-31Windows reliability changes:james1-2/+0
* Added code to make sure that the local PATH environmental variable points to the Windows system32 directory. * Added new --ip-win32 adaptive mode which tries 'dynamic' and then fails over to 'netsh' if the DHCP negotiation fails. * Made --ip-win32 adaptive the default. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@739 e7ae566f-a301-0410-adde-c780ea21d3b5
2005-10-24Removed #warn from ssl.cjames1-1/+0
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@717 e7ae566f-a301-0410-adde-c780ea21d3b5
2005-10-20Added actual remote address used to the ">STATE" alertjames1-0/+2
in the management interface (Rolf Fokkens). git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@701 e7ae566f-a301-0410-adde-c780ea21d3b5
2005-10-20Merged with Alon's r688.james1-2/+2
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@689 e7ae566f-a301-0410-adde-c780ea21d3b5
2005-10-17Brought up-to-date with Alon's PKCS11 patch atjames1-10/+1
https://svn.openvpn.net/projects/openvpn/contrib/alon/BETA21/openvpn@645 Pre-2.1_beta5 git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@648 e7ae566f-a301-0410-adde-c780ea21d3b5
2005-10-16VERSION 2.1_beta4 (re-released)james1-1/+1
--capath fix in ssl.c git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@641 e7ae566f-a301-0410-adde-c780ea21d3b5
2005-10-15svn merge -r 618:619 $SO/patches/openvpn-2-0_rc16-mh/openvpnjames1-39/+53
Merged --multihome patch + aggregated sockflags. Pre-2.1_beta3 git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@622 e7ae566f-a301-0410-adde-c780ea21d3b5
2005-10-15Merged --capath patch (Thomas Noel).james1-4/+24
svn merge -r 616:617 $SO/patches/2.0.x-r599-capath/openvpn Pre-2.1_beta3 git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@621 e7ae566f-a301-0410-adde-c780ea21d3b5
2005-10-15Enable the use of --ca together with --pkcs12. If --ca isjames1-8/+13
used at the same time as --pkcs12, the CA certificate is loaded from the file specified by --ca regardless if the pkcs12 file contains a CA cert or not (Mathias Sundman). Pre-2.1-beta3 git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@612 e7ae566f-a301-0410-adde-c780ea21d3b5
2005-10-13Merged PKCS#11 patch.james1-0/+21
Pre-2.1_beta3 git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@604 e7ae566f-a301-0410-adde-c780ea21d3b5
2005-09-26version 2.1_beta1james1-2/+2
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@581 e7ae566f-a301-0410-adde-c780ea21d3b5
2005-09-26This is the start of the BETA21 branch.james1-0/+4099
It includes the --topology feature, and TAP-Win32 driver changes to allow non-admin access. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@580 e7ae566f-a301-0410-adde-c780ea21d3b5