Gert Doering [Tue, 25 Dec 2012 12:41:50 +0000 (13:41 +0100)]
Fix client crash on double PUSH_REPLY.
Introduce an extra bool variable c2.pulled_options_md5_init_done to
keep track of md5_init state of pulled_options_state - avoid accessing
uninitialized state when a second PUSH_REPLY comes in (which only happens
under very particular circumstances).
Bug tracked down by Arne Schwabe <arne@rfc2549.rrg>.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: 20121225124856.GT22465@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/7216 Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit 1978db4b9657f0db134f1deaeb1e8400bf6a033e)
Gert Doering [Sun, 16 Dec 2012 21:15:20 +0000 (22:15 +0100)]
Fix option inconsistency warnings about "proto" and "tun-ipv6"
"tun-ipv6" is only sent in option string if running in point-to-point
mode (= not --server and not --client or --pull), because in those
scenarios it's usually pushed by the server, and the client does not
yet have it when comparing options -> needless warning.
Completely ignore "proto" values when comparing option strings - this
is in preparation for removing proto from the option string in a future
release, and to avoid warnings when 2.3 talks to this future release.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1355692520-24362-1-git-send-email-gert@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/7194 Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit 3b860cf27b9374f6ebe67ff21011661f8ec391c6)
David Sommerseth [Fri, 16 Nov 2012 11:02:06 +0000 (12:02 +0100)]
Avoid recursion in virtual_output_callback_func()
This solves a SEGV situation when using the management API while OpenVPN
is closing down.
The situation happens when the management socket has closed and OpenVPN
tries to write an error about this to the management socket. What happens
is that
virtual_output_callback_func() is called, which then calls
-> man_output_list_push_finalize()
-> man_output_standalone()
-> man_write() <-- this does the socket write
-> man_io_error()
-> x_msg()
-> virtual_output_print()
-> virtual_output_callback_func() (recursion start)
virtual_output_callback_func() do have a mechanism to avoid recursion,
but that did not keep the recurse counter when
man_output_list_push_finalize()
is called.
This patch just reorganise the recursion block to also keep the counter
while
calling the other functions from virtual_output_callback_func()
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1353063726-25113-1-git-send-email-dazo@users.sourceforge.net
URL: http://article.gmane.org/gmane.network.openvpn.devel/7130
(cherry picked from commit b2b66179f6dcc37de9582d5c3044f0357dda3df3)
David Sommerseth [Thu, 29 Nov 2012 13:16:12 +0000 (14:16 +0100)]
The get_default_gateway() function uses warn() instead of msg()
A report on #openvpn pointed out that in his setup three warnings
appeard on the console when starting up.
$ sudo /usr/local/etc/rc.d/openvpn restart
Stopping openvpn.
Waiting for PIDS: 33031.
Starting openvpn.
openvpn: writing to routing socket: No such process
openvpn: writing to routing socket: No such process
openvpn: writing to routing socket: No such process
$
This setup is on FreeBSD using jails with strict access to the
routing table.
After looking at the code path, this error was found in the BSD
sections for get_default_gateway(). But it was using the warn()
call instead of msg(M_WARN|M_ERRNO, ...) which causes these
warnings to go to stderr instead of the log file.
The warning string is also slightly modified to better explain
what fails.
Reported-by: Thomas Steen Rasmussen <thomas@gibfest.dk> Tested-by: Thomas Steen Rasmussen <thomas@gibfest.dk> Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1354194972-5388-1-git-send-email-dazo@users.sourceforge.net
URL: http://article.gmane.org/gmane.network.openvpn.devel/7149
(cherry picked from commit b3f19cc4bec6978a128f5af3ab22d8cfa954b064)
Arne Schwabe [Mon, 26 Nov 2012 14:33:09 +0000 (15:33 +0100)]
Properly require --key even if defined(MANAGMENT_EXTERNAL_KEY)
When specifying --tls-client --cert ... without a --key (or --pkcs11)
option, OpenVPN should complain:
"You must define private key file (--key)...". Ensure that this
works even when compiling with MANAGMENT_EXTERNAL_KEY.
Also fix the other instance where this logic is broken
Orginal-Patch-by: Found by Joachim Schipper <joachim.schipper@fox-it.com> Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1353940389-31075-1-git-send-email-arne@rfc2549.org
URL: http://article.gmane.org/gmane.network.openvpn.devel/7143 Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit feca0900dd00577779ab02f2e52b41eb3dab935f)
Arne Schwabe [Mon, 19 Nov 2012 18:12:17 +0000 (19:12 +0100)]
Error message if max-routes used incorrectly
the route/route-ipv6/redirect-gateway options allocate the route structe
with max_routes number of routes. A max-routes after any of this commands
has no effect. This can be problematic
(http://code.google.com/p/ics-openvpn/issues/detail?id=101)
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1353348737-21920-1-git-send-email-arne@rfc2549.org
URL: http://article.gmane.org/gmane.network.openvpn.devel/7131 Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit f83ccec6525179968b68696acb6ccf22182fc6de)
In commit dc7be6d078ba106f9b0de12f3e879c3561c3c537 the string_alloc() call
in pf_init_context() was modified to use the gc_arena object for memory
allocation. What was not taken into consideration was that
pf_destroy_context() was also freeing memory allocated by string_alloc(),
and when pf_init_context() is calling gc_free() a double-free situation
showed up.
Lets remove the explict free, and let gc_free take care of all the memory
handling.
Reported-by: cuzz@163.com Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1352196216-11560-1-git-send-email-dazo@users.sourceforge.net
URL: http://article.gmane.org/gmane.network.openvpn.devel/7124
(cherry picked from commit 1f300fe94f1bd521966bb05dea40edc1fae82b84)
David Sommerseth [Thu, 25 Oct 2012 12:22:30 +0000 (14:22 +0200)]
Remove the support for using system() when executing external programs or scripts
This patch removes the support for the system() call, and enforces the
usage of execve() on the *nix platform and CreateProcessW() on Windows.
This is to enhance the overall security when calling external scripts.
Using system() is prone to shell expansions, which may lead to security
breaches. Which is also why the execve() approach has been the default
since commit a82813527551f0e79c6d6ed5a9c1162e3c171bcf which
re-introduced the system() in Nov. 2008.
After having asked on the mailing list and checked around on the IRC
channels, the genereal consensus is that very few uses system() these
days.
The only annoyance I've been made aware of is that this will now
require adding a full path to the script interpreter together with the
script, and not just put in the script name alone. But to just use the
script name in Windows, you had to configure --script-security with the
'system' flag earlier too. So my conclusion is that it's better to add
a full path to the script interpreter in Windows and raise the overal
security with OpenVPN, than to continue to have a possible potentially
risky OpenVPN configuration just to make life "easier" for Windows
script users.
Removal of the system() call, also solves a nasty bug related to the
usage of putenv() on the *nix platforms.
For more information please see:
http://thread.gmane.org/gmane.network.openvpn.devel/7090
https://community.openvpn.net/openvpn/ticket/228
Trac-ticket: 228 Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1351539352-17371-1-git-send-email-dazo@users.sourceforge.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7114
(cherry picked from commit 0563473601abfbf2142bfa0ca5b863c5aa7953a2)
Heiko Hund [Mon, 29 Oct 2012 13:16:37 +0000 (14:16 +0100)]
Support UTF-8 --client-config-dir
If a common name (or user name, when used in conjunction with
--username-as-common-name) contains UTF-8 encoded characters their
octets get replaced by underscores. This becomes problematic when
user "Müller" and "Möller" need to have a CCD file and both would
receive options from the file "M__ller". The situation is even
worse for non-latin alphabets, where CCD file names consist of
underscores entirely.
This patch removes that limitation and also allows the file names
to contain any punctuation characters besided the resevered ones.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1351516597-11128-1-git-send-email-heiko.hund@sophos.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/7110 Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit 9885f57e3ac8d2e32ba20ca84f6bdd0a1a995eac)
Adriaan de Jong [Wed, 17 Oct 2012 09:39:25 +0000 (11:39 +0200)]
Fixed a bug where PolarSSL gave an error when using an inline file tag.
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1350466765-23301-1-git-send-email-dejong@fox-it.com Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit 2ebbe4c0b4f0f0b15b4c32180e906a545446c376)
Kenneth Rose [Mon, 1 Oct 2012 18:47:02 +0000 (14:47 -0400)]
Fix v3 plugins to support returning values back to OpenVPN.
There's a small implementation issue with the V3 plugin API
implementation. V3 plugins cannot return data back to OpenVPN using
openvpn_plugin_args_func_return since
openvpn_plugin_args_func_return.return_list is always NULL.
This patch makes the behaviour identical to the V2 API (return_list is
again a proper out parameter).
Signed-off-by: Kenneth Rose <ken+openvpn@surfeasy.com> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: CAAUdgR8VZjaO0-thFPVoQkbZ1DNG3rx+gtYYLqyfocp3yns==w@mail.gmail.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/7083 Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit e92255f58bcfaec157c3ef59e01c40cbd04b1d43)
With this option, users can basically undo the changes of the UTF-8
support commit 5e86fd93779482b90a191f929edebe414cd78a4f. It's here for
short term compatibility and should be removed again as soon as possible.
When OpenSSL is used, the subject strings will be in the proprietary
format again. Generally username, X.509 CN, and X.509 subject will again
be subject to '_' replacemant, unless the "no-remapping" flag is
also specified. That flag ensures compatibility with setups using the
--no-name-remapping option, that has been removed in 2.3.
[v2: More comments related to compat_flags() added by DS plus using
COMPAT_FLAG_QUERY expclit]
[v3: Improved the man page entry for --compat-names, after suggestions
from Bernhard R. Link]
Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1347377664-15462-1-git-send-email-dazo@users.sourceforge.net
URL: http://article.gmane.org/gmane.network.openvpn.devel/7053
Fix reconnect issues when --push and UDP is used on the server
When the server is configured with UDP and --push statements, reconnecting
often fails by the client never receiving PUSH_REPLY. The client sends
PUSH_REQUEST and the server logs these requests but does not send them.
This bug got introduced in commit ff65da3a230b658b2c1d52dc1a48612e80a2eb42
which tries to avoid sending duplicated PUSH messages if the client/server
connection is slow.
This patch keeps this behaviour, but instead of a session wide PUSH_REPLY
block it sets an expiry time for the PUSH_REPLY block. The expiry time
is set to 30 seconds.
Signed-off-by: David Sommerseth <davids@redhat.com> Cc: James Yonan <james@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: James Yonan <james@openvpn.net>
Message-Id: 1347154246-20143-1-git-send-email-dazo@users.sourceforge.net
URL: http://article.gmane.org/gmane.network.openvpn.devel/7044
Gert Doering [Tue, 11 Sep 2012 11:56:55 +0000 (13:56 +0200)]
make "ipv6 ifconfig" on linux compatible with busybox ifconfig
We used to call "ifconfig tun0 inet6 add...". The "inet6" part is
optional,
and not understood by busybox. So now we call "ifconfig tun0 add ...",
which works on all supported Linux variants.
Tested on Gentoo, RHEL5+, Debian Lenny & up.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1347364615-26878-1-git-send-email-gert@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/7052 Signed-off-by: David Sommerseth <davids@redhat.com>
Arne Schwabe [Mon, 10 Sep 2012 14:39:33 +0000 (16:39 +0200)]
Add checks for external-key-managements
Commit 4806cc102655f1a829d656f6deb83e5953c5eab2 fixed only part of the
problem. Since it removed the filename either the magic filename has to be
resurrected or all checks against priv_key_file need to take to check for
MF_EXTERNAL_KEY as well. This patch implements the extra checks
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1347287973-12398-1-git-send-email-arne@rfc2549.org
URL: http://article.gmane.org/gmane.network.openvpn.devel/7046 Signed-off-by: David Sommerseth <davids@redhat.com>
Arne Schwabe [Tue, 7 Aug 2012 10:03:57 +0000 (12:03 +0200)]
Merge getaddr_multi and getaddr6 into one function
the getaddr6 and getaddr_mutli functions are duplicates of each other.
Since we always require getaddrinfo to be present both function are merge
into one openvpn_getaddrinfo.
This functions also returns a standard struct addrinfo* so our resolve
interface is closer to the standard unix interface. The getaddr function
is a wrapper which provides backward compatibility for IPv4 addresses.
Ipv6 calls and calls to getaddr_multi are replaced with the new interface.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1344333837-22076-1-git-send-email-arne@rfc2549.org
URL: http://article.gmane.org/gmane.network.openvpn.devel/6959 Signed-off-by: David Sommerseth <davids@redhat.com>
[DS: Applied proper indenting on the changes wherever needed]
Gert Doering [Thu, 16 Aug 2012 18:09:09 +0000 (20:09 +0200)]
Keep pre-existing tun/tap devices around on *BSD
This amends commit 62c613d46dc49 to check whether a named tun/tap
device ("--dev tunX" instead of "--dev tun") exists before OpenVPN
started - if yes, keep around at program end. If no, destroy.
Also has a spelling fix, and changes clear_tuntap() to be "static"
(only ever called from within tun.c).
Tested on FreeBSD 7.4, FreeBSD 9.0, NetBSD 5.1, OpenBSD 4.9
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Eric Crist <ecrist@secure-computing.net> Signed-off-by: David Sommerseth <davids@redhat.com>
Gert Doering [Thu, 16 Aug 2012 18:31:22 +0000 (20:31 +0200)]
Put actual OpenVPN command line on top of corresponding log file.
This is useful if a test fails, and the tester wants to run the very
same OpenVPN call with the very same arguments interactively to
pinpoint and fix the problem.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1345141883-9889-2-git-send-email-gert@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/6984 Signed-off-by: David Sommerseth <davids@redhat.com>
Gert Doering [Thu, 16 Aug 2012 18:31:23 +0000 (20:31 +0200)]
Reduce --version string detail about IPv6 to just "[IPv6]".
For 2.3 release, we do not need to have more details, as there is no
separate patch set anymore, and both IPv6 transport and IPv6 payload
(PF_INET6) have been fully integrated.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1345141883-9889-3-git-send-email-gert@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/6985 Signed-off-by: David Sommerseth <davids@redhat.com>
Arne Schwabe [Thu, 23 Aug 2012 21:21:00 +0000 (23:21 +0200)]
Document the inlining of files in openvpn and document key-direction
This patch documents the usage of inline files in OpenVPN. Hackish ways of
inline files are deliberately left out. For tls-auth and
secret the key-direction option is right way of specifying the direction
and not by using two tls-auth/secret lines where the first sets the
direction and has a dummy file name and the second sets the inline file
data but does not reset the direction parameter.
Also pkcs12 [[INLINE]] base64encoded_data works but is a quirk of how the
config parser works
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1345756860-2044-1-git-send-email-arne@rfc2549.org
URL: http://article.gmane.org/gmane.network.openvpn.devel/7006 Signed-off-by: David Sommerseth <davids@redhat.com>
Commit af1bf85a introducing the --management-query-proxy option
broke the initialization of HTTP proxy options by not assigning
the allocated object to the options element in the function
init_http_proxy_options_once().
Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: 1343639122-8658-1-git-send-email-heiko.hund@sophos.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6913 Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Make openvpn query for proxy information through the
management interface. This allows GUIs to provide (automatically
detected) proxy information on a per connection basis.
This new option supersedes the undocumented --http-proxy-fallback
option and puts the responsibilty for HTTP proxy fallback handling
to the GUI caring for such.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Reviewed-by: James Yonan <james@openvpn.net>
Message-Id: 1342009010-9735-1-git-send-email-heiko.hund@sophos.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6841 Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Arne Schwabe [Thu, 5 Jul 2012 09:17:15 +0000 (11:17 +0200)]
Fix compiling with --disable-management
Some of the MANAGEMENT_QUERY_REMOTE were actually needed. Put #ifdef
ENABLE_MANAGMENT in their place
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1341479835-12963-1-git-send-email-arne@rfc2549.org Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Gert Doering [Sat, 30 Jun 2012 20:50:43 +0000 (22:50 +0200)]
Repair "tap server" mode brokenness caused by <stdbool.h> fallout
Operator/Cast precedence wrong: casting mac[0] to (bool) first - giving
"1" for "any mac address that does not start with 00:" - and only then
bit-anding with "1" - thus always returning "true". Which, in turn,
leads to "reject all incoming packets with 'bad source address'".
OpenVPN bug #216.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Fabian Knittel <fabian.knittel@lettink.de>
Message-Id: 1341089443-2287-1-git-send-email-gert@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/6817 Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Arne Schwabe [Mon, 18 Jun 2012 18:39:04 +0000 (20:39 +0200)]
Only use tmpdir if tmp_dir is really used.
This fixes starting openvpn compiled as client only version of systems
that have no /tmp (Android). --tmp-dir could only be set if P2MP_SERVER
has been enabled too.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1340044749-10694-2-git-send-email-arne@rfc2549.org
URL: http://article.gmane.org/gmane.network.openvpn.devel/6741 Signed-off-by: David Sommerseth <davids@redhat.com>
Gert Doering [Sun, 10 Jun 2012 15:41:30 +0000 (17:41 +0200)]
Add missing pieces to IPv6 route gateway handling.
OpenVPN on Linux (iproute2+ifconfig), FreeBSD and MacOS X (Darwin)
normally points routes directly towards the "tun" interface, obviating
the need for a gateway. For "tap" interfaces, now add gateway spec to
linux route command, and replace "-iface <dev>" with gateway spec (both
together do not work) on FreeBSD and MacOS X.
Also adapt "route delete" appropriately, otherwise route will not be found.
All other platforms already use the gateway address for tun and tap,
because there's no way to install a route "towards an interface" there.
Remove warning about missing IPv6 route gateway handling.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1339342891-28443-5-git-send-email-gert@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/6712 Signed-off-by: David Sommerseth <davids@redhat.com>
Gert Doering [Sun, 10 Jun 2012 15:41:27 +0000 (17:41 +0200)]
cleanup and redefine metric handling for IPv6 routes
"no metric set" is now stored as "-1"
"metric 0" means "on-link route" (what the BSDs do)
properly initialize metric value to "0" for on-link IPv6 net on BSDs
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1339342891-28443-2-git-send-email-gert@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/6710 Signed-off-by: David Sommerseth <davids@redhat.com>
This is not the a problem when building using the latest Mac OS X SDK.
I've did a quick search and it seems to be a more common issue on some
(old) Darwin platforms.
[ Additional review note from Gert Doering:
IPV6_PKTINFO is part of the "extended socket API" defined in RFC2292.
That RFC used IPV6_PKTINFO both for receiving the destination IPv6 address
in UDP packets, and for setting the source address for outgoing packets.
RFC2292 was updated by RFC3542, which renamed the "receive" function to
IPV6_RECVPKTINFO, leaving the "sending" function as IPV6_PKTINFO - and,
subsequently, in FreeBSD they have different "setsockopt()" opcodes.
So, on a system that has *both*, we need to use IPV6_RECVPKTINFO for
receving (turning it on with setsockopt) to make --multihome work, and
IPV6_PKTINFO for sending (which we don't actually do).
On a system that only has IPV6_PKTINFO, because it's API only implements
2292 (MacOS up until 10.6), use IPV6_PKTINFO for setsockopt().
Now, the interesting question is whether a 10.5-compiled openvpn.exe
will behave correctly under 10.7 if --multihome is active...
]
Signed-off-by: Frank de Brabander <debrabander@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: eb2837a3-ce55-4f52-b2fe-f822efc661f7@l14g2000vbe.googlegroups.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/5591 Signed-off-by: David Sommerseth <davids@redhat.com>
Gert Doering [Thu, 7 Jun 2012 15:38:17 +0000 (17:38 +0200)]
Implement search for "first free" tun/tap device on Solaris
Without this patch, Solaris will do "--dev tun3" just fine, but "--dev tun"
will either use "tun0" if that is available, or fail. With the patch, the
first available device is searched if "--dev tun" or "--dev tap" (without
a number) is specified.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 20120607174638.GW1059@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/6705 Signed-off-by: David Sommerseth <davids@redhat.com>
Heiko Hund [Sun, 5 Feb 2012 12:47:09 +0000 (13:47 +0100)]
remove the --auto-proxy option from openvpn
During discussion on FOSDEM 2012 it was decided that proxy auto detection
is best done in the GUI as it's highly platform specific and shouldn't be
handled in openvpn itself for every supported platform in openvpn itself.
This removes --auto-proxy from openvpn.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1328446029-30523-1-git-send-email-heiko.hund@sophos.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/5333 Signed-off-by: David Sommerseth <davids@redhat.com>
Gert Doering [Fri, 1 Jun 2012 15:13:09 +0000 (18:13 +0300)]
t_client.sh iproute2 script fixes
Test for existance of "iproute2" with "-n" (Alon)
Work around "ip -6 route show" behaviour on FC14 where some parts of
the IPv6 route cache would be displayed, which has no relevance to
OpenVPN but breaks before/after comparison.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 20120601151507.GE400@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/6637 Signed-off-by: David Sommerseth <davids@redhat.com>
Gert Doering [Sun, 27 May 2012 20:19:11 +0000 (23:19 +0300)]
repair t_client.sh test after build system revolution
- run t_client.sh at "make check" time
- in t_client.sh, read t_client.rc from source *or* build dir (as before)
- @IP@ evaluates to "" now (not "ip") if iproute2 not found - adapt script
- introduce $SETUP_TIME_WAIT to delay "waiting for openvpn startup" longer
than the default delay of 10 seconds - this is needed for test servers
with a high network RTT
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 20120527202737.GV1161@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/6616 Signed-off-by: David Sommerseth <davids@redhat.com>
Some filesystems don't like ':', which is a path 'make dist' would use
In commit 7a845401043dbd9c the version.m4 was modified to remove the
alpha1 tag. But then Alon Bar-Lev noticed that NTFS wasn't happy about
the ':' character. So let's rather just skip the complete 'git:'
prefix and use just 'master' instead.
Reported-by: Alon Bar-Lev <alon.barlev@gmail.com> Signed-off-by: David Sommerseth <davids@redhat.com>
To avoid confusion between check_file_access() and check_cmd_access() in
the future, remove unneeded arguments from check_cmd_access()
As a command will always be a file, it should always check for CHKACC_FILE
and nothing else. And as the commands always will need X_OK, check only
for that.
One change from earlier behaviour is that R_OK is not checked for. The
reason is that only scripts require R_OK to work. However, a system might
be installed with binaries with only X_OK set. If a script is missing
R_OK, then the execution will fail due to lacking permissions.
Clarified the docs and help screen about what a 'cmd' is
This also changes the descriptions of several options to note that they accept
a "command"; change the description of --client-connect and --client-disconnect
indicate that the temporary file's path is passed as the last argument to the
command, not the first argument; and Adds a description of --route-pre-down to
the descriptions of the other --route options.
[DS: This patch is based on parts of the options.c.diff and the complete
openvpn.8.diff patch sent to the mailing list - where these docs changes
are merged together into this patch]
Signed-off-by: Jonathan K. Bullard <jkbullard@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: CAEsd45RkyJw6yUk1Jwkip70HkCjKYoU+V=do3N7SH7JOaHBZdw@mail.gmail.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6194 Signed-off-by: David Sommerseth <davids@redhat.com>
The current implementation of check_file_access() does not consider that
some options take scripts and executables as input. When some of these
commands are given arguments in the OpenVPN configuration,
check_file_access() would take those arguments as a part of the file name
to the command. Thus the file check would fail.
This patch improves that by introducing a check_cmd_access() function which
first splits out the arguments to the command before checking if the file
with the command is available.
[DS: This patch is splitted out from the options.c.diff patch sent to the
mailing list - where only the function changes is included here]
Signed-off-by: Jonathan K. Bullard <jkbullard@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: CAEsd45RkyJw6yUk1Jwkip70HkCjKYoU+V=do3N7SH7JOaHBZdw@mail.gmail.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6194 Signed-off-by: David Sommerseth <davids@redhat.com>
Adriaan de Jong [Mon, 2 Apr 2012 07:28:06 +0000 (09:28 +0200)]
Removed stray "Fox-IT hardening" string.
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1333351687-3732-5-git-send-email-dejong@fox-it.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6212 Signed-off-by: David Sommerseth <davids@redhat.com>