the new format. When a data packet arrives, the server identifies peer
by peer-id. If peer's ip/port has changed, server assumes that
client has floated, verifies HMAC and updates ip/port in internal structs.
- This allows the connection to be immediatly restored, instead of requiring
+ This allows the connection to be immediately restored, instead of requiring
a TLS handshake before the server accepts packets from the new client
ip/port.
of a field get _$N appended to it's field name, starting at N=1. For the
example above, that would result in e.g. X509_0_OU=one, X509_0_OU_1=two.
Note that this breaks setups that rely on the fact that OpenVPN would
- previously (incorrectly) only export the last occurence of a field.
+ previously (incorrectly) only export the last occurrence of a field.
- ``proto udp`` and ``proto tcp`` now use both IPv4 and IPv6. The new
options ``proto udp4`` and ``proto tcp4`` use IPv4 only.
- CVE-2017-7521: Fix post-authentication remote-triggerable memory leaks
A client could cause a server to leak a few bytes each time it connects to the
- server. That can eventuall cause the server to run out of memory, and thereby
+ server. That can eventually cause the server to run out of memory, and thereby
causing the server process to terminate. Discovered and reported to the
OpenVPN security team by Guido Vranken. (OpenSSL builds only.)
--enable-strict-options enable strict options check between peers (debugging
option) [default=no]
--enable-selinux enable SELinux support [default=no]
- --enable-systemd enable systemd suppport [default=no]
+ --enable-systemd enable systemd support [default=no]
ENVIRONMENT for ./configure:
4.) do "ifconfig tun0 inet6 unplumb" or "ifconfig tun0 destroy" for
Solaris, *BSD, ... at program termination time, to clean up leftovers
- (unless tunnel persistance is desired).
+ (unless tunnel persistence is desired).
For Solaris, only the "ipv6 tun0" is affected, for the *BSDs all tun0
stay around.
4b.) verify this - on FreeBSD, tun0 is auto-destroyed if created by
opening /dev/tun (and lingers if created by "ifconfig tun0 create")
- -> use for persistant tunnels on not-linux?
+ -> use for persistent tunnels on not-linux?
* 2012-06-10 tun interface behaviour is documented in "man tun(4)"
downstream.
- Still done by flags, seems clean enough.
- o implement comparison for mapped addesses: server in dual stack
+ o implement comparison for mapped addresses: server in dual stack
listening IPv6 must permit incoming streams from allowed IPv4 peer,
currently you need to pass eg: --remote ffff::1.2.3.4
- OpenVPN will compare all address of a remote
AC_ARG_ENABLE(
[systemd],
- [AS_HELP_STRING([--enable-systemd], [enable systemd suppport @<:@default=no@:>@])],
+ [AS_HELP_STRING([--enable-systemd], [enable systemd support @<:@default=no@:>@])],
,
[enable_systemd="no"]
)
# From a security perspective, I think it makes
# sense to remove this, and have users who need
- # it explictly enable in their --up scripts or
+ # it explicitly enable in their --up scripts or
# firewall setups.
#echo 1 > /proc/sys/net/ipv4/ip_forward
# - removed sourcing "network"
# - removed network checking. it seemed not to work with SuSE.
# - added sourcing "rc.status", comments and "rc_reset" command
-# - removed "succes; echo" and "failure; echo" lines
+# - removed "success; echo" and "failure; echo" lines
# - added "rc_status" lines at the end of each section
# - changed "service" to "/etc/init.d/" in "In addition to start/stop"
# section above.
# From a security perspective, I think it makes
# sense to remove this, and have users who need
- # it explictly enable in their --up scripts or
+ # it explicitly enable in their --up scripts or
# firewall setups.
#echo 1 > /proc/sys/net/ipv4/ip_forward
[DerivedAAABindingKey] [DerivedAAABindingKey]
[AuthenticateBindingKeys]
Client -------> Server
- [Confidental channel]
+ [Confidential channel]
TLS Message flow for a full handshake
If the
.B ipv6only
-keyword is present OpenVPN will bind only to IPv6 (as oposed
+keyword is present OpenVPN will bind only to IPv6 (as opposed
to IPv6 and IPv4) when a IPv6 socket is opened.
.\"*********************************************************
is parsed on the command line even though
the daemonization point occurs later. If one of the
.B \-\-log
-options is present, it will supercede syslog
+options is present, it will supersede syslog
redirection.
The optional
already exists it will be truncated.
This option takes effect
immediately when it is parsed in the command line
-and will supercede syslog output if
+and will supersede syslog output if
.B \-\-daemon
or
.B \-\-inetd
DEFAULT_DIR is replaced by the default plug\-in directory,
which is configured at the build time of OpenVPN. CWD is the
current directory where OpenVPN was started or the directory
-OpenVPN have swithed into via the
+OpenVPN have switched into via the
.B \-\-cd
option before the
.B \-\-plugin
IV_LZ4=1 \-\- if the client supports LZ4 compressions.
-IV_PROTO=2 \-\- if the client supports peer\-id floating mechansim
+IV_PROTO=2 \-\- if the client supports peer\-id floating mechanism
IV_NCP=2 \-\- negotiable ciphers, client supports
.B \-\-cipher
.B \-\-tls\-cipher
and
.B \-\-tls\-ciphersuites
-are expert features, which \- if used correcly \- can improve the security of
+are expert features, which \- if used correctly \- can improve the security of
your VPN connection. But it is also easy to unwittingly use them to carefully
align a gun with your foot, or just break your connection. Use with care!
Newer clients (2.4.7+) will fall back to the original password method
after a failed auth. Older clients will keep using the token value
-and react acording to
+and react according to
.B \-\-auth-retry
.
.\"*********************************************************
# to PKG_CHECK_MODULES(), but does not set variables or print errors.
#
# Please remember that m4 expands AC_REQUIRE([PKG_PROG_PKG_CONFIG])
-# only at the first occurence in configure.ac, so if the first place
+# only at the first occurrence in configure.ac, so if the first place
# it's called might be skipped (such as if it is within an "if", you
# have to call PKG_CHECK_EXISTS manually
# --------------------------------------------------------------
key client.key
# Verify server certificate by checking that the
-# certicate has the correct key usage set.
+# certificate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
private_key = $dir/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
-x509_extensions = basic_exts # The extentions to add to the cert
+x509_extensions = basic_exts # The extensions to add to the cert
# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA
# is designed for will. In return, we get the Issuer attached to CRLs.
default_keyfile = privkey.pem
default_md = sha256
distinguished_name = cn_only
-x509_extensions = easyrsa_ca # The extentions to add to the self signed cert
+x509_extensions = easyrsa_ca # The extensions to add to the self signed cert
# A placeholder to handle the $EXTRA_EXTS feature:
#%EXTRA_EXTS% # Do NOT remove or change this line as $EXTRA_EXTS support requires it
unsigned long long res = (unsigned long long)m1 * (unsigned long long)m2 + (unsigned long long)extra;
if (unlikely(m1 > limit) || unlikely(m2 > limit) || unlikely(extra > limit) || unlikely(res > (unsigned long long)limit))
{
- msg(M_FATAL, "attemped allocation of excessively large array");
+ msg(M_FATAL, "attempted allocation of excessively large array");
}
return (size_t) res;
}
*/
struct _query_user {
char *prompt; /**< Prompt to present to the user */
- size_t prompt_len; /**< Lenght of the prompt string */
+ size_t prompt_len; /**< Length of the prompt string */
char *response; /**< The user's response */
- size_t response_len; /**< Lenght the of the user reposone */
+ size_t response_len; /**< Length the of the user response */
bool echo; /**< True: The user should see what is being typed, otherwise mask it */
};
* @param prompt Prompt to display to the user
* @param prompt_len Length of the prompt string
* @param resp String containing the user response
- * @param resp_len Lenght of the response string
+ * @param resp_len Length of the response string
* @param echo Should the user input be echoed to the user? If False, input will be masked
*
*/
* @param authname The name of the HMAC digest to use
* @param keysize The length of the cipher key to use, in bytes. Only valid
* for ciphers that support variable length keys.
- * @param tls_mode Specifies wether we are running in TLS mode, which allows
+ * @param tls_mode Specifies whether we are running in TLS mode, which allows
* more ciphers than static key mode.
* @param warn Print warnings when null cipher / auth is used.
*/
* Initialises the given HMAC context, using the given digest
* and key.
*
- * @param ctx HMAC context to intialise
+ * @param ctx HMAC context to initialise
* @param key The key to use for the HMAC
* @param key_len The key length to use
* @param kt Static message digest parameters
if (flags & (FRAG_SEQ_ID_MASK | FRAG_ID_MASK))
{
- FRAG_ERR("spurrious FRAG_WHOLE flags");
+ FRAG_ERR("spurious FRAG_WHOLE flags");
}
}
else if (frag_type == FRAG_YES_NOTLAST || frag_type == FRAG_YES_LAST)
{
if (!options->dev && options->dev_node)
{
- char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementaions may modify its arguments */
+ char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementations may modify its arguments */
options->dev = basename(dev_node);
}
}
"options --mktun and --rmtun are not available on your operating "
"system. Please check 'man tun' (or 'tap'), whether your system "
"supports using 'ifconfig %s create' / 'destroy' to create/remove "
- "persistant tunnel interfaces.", options->dev );
+ "persistent tunnel interfaces.", options->dev );
#endif
}
return false;
}
c->persist.restart_sleep_seconds = 0;
- /* do managment hold on context restart, i.e. second, third, fourth, etc. initialization */
+ /* do management hold on context restart, i.e. second, third, fourth, etc. initialization */
if (do_hold(sec))
{
sec = 0;
/* packets with peer-id (P_DATA_V2) need 3 extra bytes in frame (on client)
* and need link_mtu+3 bytes on socket reception (on server).
*
- * accomodate receive path in f->extra_link, which has the side effect of
+ * accommodate receive path in f->extra_link, which has the side effect of
* also increasing send buffers (BUF_SIZE() macro), which need to be
* allocated big enough before receiving peer-id option from server.
*
msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
}
- /* If a script is used, print appropiate warnings */
+ /* If a script is used, print appropriate warnings */
if (o->user_script_used)
{
if (script_security() >= SSEC_SCRIPTS)
}
/*
- * Close packet-id persistance file
+ * Close packet-id persistence file
*/
static void
do_close_packet_id(struct context *c)
}
/*
- * Handle ifconfig-pool persistance object.
+ * Handle ifconfig-pool persistence object.
*/
static void
do_open_ifconfig_pool_persist(struct context *c)
do_init_traffic_shaper(c);
}
- /* do one-time inits, and possibily become a daemon here */
+ /* do one-time inits, and possibly become a daemon here */
do_init_first_time(c);
#ifdef ENABLE_PLUGIN
do_close_plugins(c);
#endif
- /* close packet-id persistance file */
+ /* close packet-id persistence file */
do_close_packet_id(c);
/* close --status file */
* before the final header (TCP, UDP, ...), so we'd need to walk that
* chain (see RFC 2460 and RFC 6564 for details).
*
- * In practice, "most typically used" extention headers (AH, routing,
+ * In practice, "most typically used" extension headers (AH, routing,
* fragment, mobility) are very unlikely to be seen inside an OpenVPN
* tun, so for now, we only handle the case of "single next header = TCP"
*/
" user/pass via environment, if method='via-file', pass\n"
" user/pass via temporary file.\n"
"--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n"
- " to each client, replacing the password. Usefull when\n"
+ " to each client, replacing the password. Useful when\n"
" OTP based two-factor auth mechanisms are in use and\n"
" --reneg-* options are enabled. Optionally a lifetime in seconds\n"
" for generated tokens can be set.\n"
"--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
" path. Set for each provider.\n"
"--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n"
- " 0 : Try to determind automatically (default).\n"
+ " 0 : Try to determine automatically (default).\n"
" 1 : Use Sign.\n"
" 2 : Use SignRecover.\n"
" 4 : Use Decrypt.\n"
/* Set default --tmp-dir */
#ifdef _WIN32
- /* On Windows, find temp dir via enviroment variables */
+ /* On Windows, find temp dir via environment variables */
o->tmp_dir = win_get_tempdir();
#else
/* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */
*/
#ifndef ENABLE_SMALL /** Expect people using the stripped down version to know what they do */
-#define CHKACC_FILE (1<<0) /** Check for a file/directory precense */
-#define CHKACC_DIRPATH (1<<1) /** Check for directory precense where a file should reside */
+#define CHKACC_FILE (1<<0) /** Check for a file/directory presence */
+#define CHKACC_DIRPATH (1<<1) /** Check for directory presence where a file should reside */
#define CHKACC_FILEXSTWR (1<<2) /** If file exists, is it writable? */
#define CHKACC_INLINE (1<<3) /** File is present if it's an inline file */
#define CHKACC_ACPTSTDIN (1<<4) /** If filename is stdin, it's allowed and "exists" */
/* Is the directory path leading to the given file accessible? */
if (type & CHKACC_DIRPATH)
{
- char *fullpath = string_alloc(file, NULL); /* POSIX dirname() implementaion may modify its arguments */
+ char *fullpath = string_alloc(file, NULL); /* POSIX dirname() implementation may modify its arguments */
char *dirpath = dirname(fullpath);
if (platform_access(dirpath, mode|X_OK) != 0)
msg(M_NOPREFIX | M_OPTERR | M_ERRNO, "%s fails with '%s'", opt, file);
}
- /* Return true if an error occured */
+ /* Return true if an error occurred */
return (errcode != 0 ? true : false);
}
* @param p Packet ID state.
* @param buf Buffer to write the packet ID too
* @param long_form If true, also update and write time_t to buf
- * @param prepend If true, prepend to buffer, otherwise apppend.
+ * @param prepend If true, prepend to buffer, otherwise append.
*
* @return true if successful, false otherwise.
*/
{
/* clear host bit parts of route
* (needed if routes are specified improperly, or if we need to
- * explicitely setup/clear the "connected" network routes on some OSes)
+ * explicitly setup/clear the "connected" network routes on some OSes)
*/
int byte = 15;
int bits_to_clear = 128 - r6->netbits;
/*
* Run execve() inside a fork(). Designed to replicate the semantics of system() but
* in a safer way that doesn't require the invocation of a shell or the risks
- * assocated with formatting and parsing a command line.
+ * associated with formatting and parsing a command line.
*/
int
openvpn_execve(const struct argv *a, const struct env_set *es, const unsigned int flags)
/*
* Run execve() inside a fork(), duping stdout. Designed to replicate the semantics of popen() but
* in a safer way that doesn't require the invocation of a shell or the risks
- * assocated with formatting and parsing a command line.
+ * associated with formatting and parsing a command line.
*/
int
openvpn_popen(const struct argv *a, const struct env_set *es)
}
/*
- * SOCKET INITALIZATION CODE.
+ * SOCKET INITIALIZATION CODE.
* Create a TCP/UDP socket
*/
* by now just ignore it
*
* For --remote entries with multiple addresses this
- * only return the actual endpoint we have sucessfully connected to
+ * only return the actual endpoint we have successfully connected to
*/
if (lsa->actual.dest.addr.sa.sa_family != AF_INET)
{
* for PF_INET6 routes over PF_INET6 endpoints
*
* For --remote entries with multiple addresses this
- * only return the actual endpoint we have sucessfully connected to
+ * only return the actual endpoint we have successfully connected to
*/
if (lsa->actual.dest.addr.sa.sa_family != AF_INET6)
{
*
* IPv6 and IPv4 protocols are comptabile but OpenVPN
* has always sent UDPv4, TCPv4 over the wire. Keep these
- * strings for backward compatbility
+ * strings for backward compatibility
*/
const char *
proto_remote(int proto, bool remote)
#if ENABLE_IP_PKTINFO
-/* make the buffer large enough to handle ancilliary socket data for
+/* make the buffer large enough to handle ancillary socket data for
* both IPv4 and IPv6 destination addresses, plus padding (see RFC 2292)
*/
#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
if (ret >= 0 && io->addr_defined)
{
/* TODO(jjo): streamline this mess */
- /* in this func we dont have relevant info about the PF_ of this
+ /* in this func we don't have relevant info about the PF_ of this
* endpoint, as link_socket_actual will be zero for the 1st received packet
*
* Test for inets PF_ possible sizes
#endif
};
-/* IP addresses which are persistant across SIGUSR1s */
+/* IP addresses which are persistent across SIGUSR1s */
struct link_socket_addr
{
struct addrinfo *bind_local;
/* support for P_DATA_V2 */
buf_printf(&out, "IV_PROTO=2\n");
- /* support for Negotiable Crypto Paramters */
+ /* support for Negotiable Crypto Parameters */
if (session->opt->ncp_enabled
&& (session->opt->mode == MODE_SERVER || session->opt->pull))
{
*
* The tracked attributes are stored in ll_head.
*
- * @param ll_head The x509_track to store tracked atttributes in
+ * @param ll_head The x509_track to store tracked attributes in
* @param name Name of the attribute to track
* @param msglevel Message level for errors
* @param gc Garbage collection arena for temp data
#if defined(TARGET_OPENBSD) || defined(TARGET_NETBSD) \
|| defined(TARGET_DARWIN)
- /* and, hooray, we explicitely need to add a route... */
+ /* and, hooray, we explicitly need to add a route... */
add_route_connected_v6_net(tt, es);
#endif
#elif defined(TARGET_AIX)
ASSERT(0);
}
-#endif /* !PENDANTIC */
+#endif /* !PEDANTIC */
#ifdef ENABLE_FEATURE_TUN_PERSIST
/* the current way OpenVPN handles tun devices on NetBSD leads to
* lingering tunX interfaces after close -> for a full cleanup, they
- * need to be explicitely destroyed
+ * need to be explicitly destroyed
*/
void
close_tun(struct tuntap *tt)
{
fd = utun_open_helper(ctlInfo, utunnum);
/* Break if the fd is valid,
- * or if early initalization failed (-2) */
+ * or if early initialization failed (-2) */
if (fd !=-1)
{
break;
*/
/*
- * Win32-specific OpenVPN code, targetted at the mingw
+ * Win32-specific OpenVPN code, targeted at the mingw
* development environment.
*/
#define WIN_NET_PATH_SUFFIX "\\system32\\net.exe"
/*
- * Win32-specific OpenVPN code, targetted at the mingw
+ * Win32-specific OpenVPN code, targeted at the mingw
* development environment.
*/
/**
* Initializes execution session
*
- * @param session Pointer to an unitialized execution session
+ * @param session Pointer to an uninitialized execution session
*
* @param hInstall Installer handle
*
method supported by PAM (such as LDAP, RADIUS, or Linux Shadow
passwords) to be used with OpenVPN. While PAM supports
username/password authentication, this can be combined with X509
-certificates to provide two indepedent levels of authentication.
+certificates to provide two independent levels of authentication.
This module uses a split privilege execution model which will
function even if you drop openvpn daemon privileges using the user,
static-challenge
Use of --static challenege is required to pass a pin (represented by "OTP" in
-parameter substituion) or a second password.
+parameter substitution) or a second password.
Run OpenVPN with --verb 7 or higher to get debugging output from
this plugin, including the list of queries presented by the
#define _PLUGIN_AUTH_PAM_UTILS__H
/**
- * Read 'tosearch', replace all occurences of 'searchfor' with 'replacewith' and return
+ * Read 'tosearch', replace all occurrences of 'searchfor' with 'replacewith' and return
* a pointer to the NEW string. Does not modify the input strings. Will not enter an
* infinite loop with clever 'searchfor' and 'replacewith' strings.
*
* @param searchfor needle to search for in the haystack
* @param replacewith when a match is found, replace needle with this string
*
- * @return Retuns NULL when any parameter is NULL or the worst-case result is to large ( >= SIZE_MAX).
+ * @return Returns NULL when any parameter is NULL or the worst-case result is to large ( >= SIZE_MAX).
* Otherwise it returns a pointer to a new buffer containing the modified input
*/
char *
* @param name Environment variable to look up
* @param envp Environment variable table with all key/value pairs
*
- * @return Returns a pointer to the value of the enviroment variable if found, otherwise NULL is returned.
+ * @return Returns a pointer to the value of the environment variable if found, otherwise NULL is returned.
*/
const char *
get_env(const char *name, const char *envp[]);
* property that is being retrieved. This is one of the standard
* registry data types. This parameter is optional and can be NULL.
*
- * @param ppData A pointer to pointer to data that receives the device propery. The
+ * @param ppData A pointer to pointer to data that receives the device property. The
* data must be released with free() after use.
*
* @return ERROR_SUCCESS on success; Win32 error code otherwise
if [ -z "$SUMMARY_OK" ] ; then SUMMARY_OK=" none"; fi
if [ -z "$SUMMARY_FAIL" ] ; then SUMMARY_FAIL=" none"; fi
-echo "Test sets succeded:$SUMMARY_OK."
+echo "Test sets succeeded:$SUMMARY_OK."
echo "Test sets failed:$SUMMARY_FAIL."
# remove trap handler
ctx->gc = gc_new();
- /* Sligthly longer buffers to be able to test too-long data */
+ /* Slightly longer buffers to be able to test too-long data */
ctx->metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN+16, &ctx->gc);
ctx->unwrapped_metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN+16,
&ctx->gc);
projects / thirdparty / openvpn.git / commitdiff
