James Yonan [Sun, 24 Apr 2011 00:59:28 +0000 (00:59 +0000)]
Added 'dir' flag to "crl-verify" (see man page for info).
Don't call SSL_CTX_set_client_CA_list or SSL_CTX_set_client_CA_list
if not running in server mode (these functions are only useful for
TLS/SSL servers).
Modified openvpn_snprintf to return false on overflow, and true
otherwise.
When AUTH_FAILED,... is received, log the full string.
James Yonan [Tue, 19 Apr 2011 10:28:06 +0000 (10:28 +0000)]
Revert r7092 and r7151, i.e. remove --enable-osxipconfig
configure option. ipconfig on Mac has certain behavior that makes
it unsuitable for use by OpenVPN to configure tun/tap interface.
James Yonan [Tue, 12 Apr 2011 05:14:34 +0000 (05:14 +0000)]
For Mac OSX, when DARWIN_USE_IPCONFIG is defined, retry ipconfig
command on failure once every second for up to 15 seconds. This
is necessary to work around an issue observed on OSX 10.5 where
the ipconfig command sometimes fails if executed immediately after
the tun device open.
James Yonan [Sat, 2 Apr 2011 08:21:28 +0000 (08:21 +0000)]
Fixed bug that incorrectly placed stricter TCP packet replay rules on
UDP sessions when the client daemon was running in UDP/TCP adaptive
mode, and transitioned from TCP to UDP.
The bug would cause a single dropped packet in UDP mode to trigger a
barrage of packet replay errors followed by a disconnect and
reconnect.
James Yonan [Sun, 27 Mar 2011 09:20:13 +0000 (09:20 +0000)]
Added ./configure --enable-osxipconfig option for Mac OS X which will
enable the use of ipconfig (instead of ifconfig) for configuring the
IP address and netmask of the tun/tap adapter.
James Yonan [Sat, 26 Mar 2011 21:16:40 +0000 (21:16 +0000)]
Added "auth-token" client directive, which is intended to be
pushed by server, and that is used to offer a temporary session
token to clients that can be used in place of a password on
subsequent credential challenges.
This accomplishes the security benefit of preventing caching
of the real password while offering most of the advantages
of password caching, i.e. not forcing the user to re-enter
credentials for every TLS renegotiation or network hiccup.
auth-token does two things:
1. if password caching is enabled, the token replaces the
previous password, and
2. if the management interface is active, the token is output
to it:
>PASSWORD:Auth-Token:<token>
Also made a minor change to HALT/RESTART processing when password
caching is enabled. When client receives a HALT or RESTART message,
and if the message text contains a flags block (i.e. [FFF]:message),
if flag 'P' (preserve auth) is present in flags, don't purge the Auth
password. Otherwise do purge the Auth password.
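The HALT/RESTART flags-block rule described above, written out as an added C illustration (not OpenVPN's own code). It assumes the caller passes only the text that follows the HALT or RESTART keyword, and that a block is exactly `[FFF]:` at the start of that text.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added illustration, not OpenVPN's code: a HALT/RESTART message may
 * carry a leading flags block, "[FFF]:message".  Returns true when such
 * a block is present; *flags/*nflags then delimit FFF and *text points
 * at the message after the ':'.  Without a block (or with a malformed
 * one) *text is the whole message and *nflags is 0. */
bool split_halt_message(const char *msg, const char **flags, size_t *nflags,
                        const char **text)
{
    *flags = msg;
    *nflags = 0;
    *text = msg;
    if (msg[0] != '[')
        return false;
    const char *close = strchr(msg, ']');
    if (close == NULL || close[1] != ':')
        return false;           /* no "]:" terminator: treat as plain text */
    *flags = msg + 1;
    *nflags = (size_t)(close - msg - 1);
    *text = close + 2;
    return true;
}

/* Is the single-character flag f present in the block? */
static bool halt_flag_set(const char *flags, size_t nflags, char f)
{
    return memchr(flags, f, nflags) != NULL;
}

/* Purge the cached Auth password unless the server asked to preserve it
 * with flag 'P'.  No flags block at all means "purge". */
bool halt_should_purge_auth(const char *msg)
{
    const char *flags, *text;
    size_t nflags;
    if (!split_halt_message(msg, &flags, &nflags, &text))
        return true;
    return !halt_flag_set(flags, nflags, 'P');
}

/* The human-readable part, with any flags block stripped. */
const char *halt_message_text(const char *msg)
{
    const char *flags, *text;
    size_t nflags;
    split_halt_message(msg, &flags, &nflags, &text);
    return text;
}
```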
James Yonan [Fri, 18 Mar 2011 04:51:59 +0000 (04:51 +0000)]
Fixed issue where a client might receive multiple push replies from
a server if it sent multiple push requests due to the server being
slow to respond. This could cause the client to process pushed
options twice, leading to duplicate pushed routes, among other issues.
The fix, implemented server-side, is to reply only once to a push
request even if multiple requests are received.
James Yonan [Thu, 10 Mar 2011 00:04:39 +0000 (00:04 +0000)]
Added --enable-lzo-stub configure option to build an OpenVPN client without LZO, but that has limited interoperability with LZO-enabled servers.
Modified "push-peer-info" option to push IV_LZO_STUB=1 to server when
client was built with --enable-lzo-stub configure option. This tells
the server that the client lacks LZO capabilities, so the server
should turn off LZO compression for this client via "lzo no".
Added "setenv PUSH_PEER_INFO" option having the same effect as
"push-peer-info".
Gert Doering [Sun, 24 Apr 2011 15:15:56 +0000 (17:15 +0200)]
rebased to 2.2RC2 (beta 2.2 branch)
removed mutex locking stuff (no more threading in 2.2)
fixed rebase/merge artifacts in mroute.c
add current ChangeLog.IPv6 and TODO.IPv6 to commit
tag as ipv6-20110424-2
Gert Doering [Sun, 16 Jan 2011 17:24:37 +0000 (18:24 +0100)]
Implement "ipv6 ifconfig" for TAP interfaces on Solaris
Solaris close_tun(): add explicit "unplumb'ing" of IPv6 tun/tap
interfaces, otherwise they would linger around after OpenVPN exits.
Gert Doering [Thu, 2 Sep 2010 19:20:30 +0000 (21:20 +0200)]
2.2-beta3 has a signed TAP driver with the IPv6 code, but it's not
version 9.7 as anticipated (that's 2.1.3) but 9.8 - change test to
require 9.8, and change message to point to 2.2-beta3 and up.
Gert Doering [Tue, 10 Aug 2010 10:39:28 +0000 (12:39 +0200)]
renamed t_client.sh to t_client.sh.in
build t_client.sh by configure at run-time, with proper paths to
ip/ifconfig/netstat binaries, and (most important) with proper #!SHELL
extend configure.ac to find "netstat" binary and to chmod +x "t_client.sh"
Gert Doering [Sun, 8 Aug 2010 19:24:30 +0000 (21:24 +0200)]
full "VPN client connect" test framework for OpenVPN
run from "make check" if "t_client.rc" is found in workdir or srcdir
(copy t_client.rc-sample, fill in specifics for your test server)
Gert Doering [Sun, 28 Feb 2010 21:57:28 +0000 (22:57 +0100)]
- Win32 IPv6 ifconfig support, using "netsh" calls
- initialize tuntap->ipv6 in init.c::do_init_tun(), to make sure it's
setup "early enough", no matter what ifconfig_order() wants
- change call convention for open_tun(): drop "ipv6" flag, because it's
incompatible with windows/openbsd calling sequence (ifconfig first,
open_tun later) - also affects open_tun_generic() and tuncfg().
- drop ipv6_support() helper function - has no useful purpose anymore
- introduce add_route_connected_v6_net() helper for Win32, Darwin, Netbsd
(cleanup code)
- fix NetBSD tunnel setup - destroy/recreate before ifconfig'ing, to make
sure no leftover configuration lingers on tunnel from previous call
(NetBSD tunnels are always persistent unless explicitly destroyed)
- DARWIN (MacOS X) gets its own #ifdef section for open_tun()/close_tun()
now, because close_tun() needs to cleanup IPv6 ifconfig
Gert Doering [Sun, 28 Feb 2010 21:50:41 +0000 (22:50 +0100)]
add IPv6 route add / route delete code for windows (using "netsh")
- somewhat preliminary, as the next-hop setting requirements of tun/tap
driver are not decided yet, and "route add" might need to be adapted
JuanJo Ciarlante [Sun, 21 Feb 2010 17:46:59 +0000 (18:46 +0100)]
* make ipv6_payload compile under windowze
- create inet_ntop() and inet_pton() wrap-implementations using
WSAAddressToString() and WSAStringToAddress() functions
- add relevant win32-only headers to syshead.h
NOTE: syshead.h changes are already included in ipv6_transport
Gert Doering [Tue, 16 Feb 2010 14:40:31 +0000 (15:40 +0100)]
add some TODOs to TODO.IPv6
--version: change printing of IPv6 payload patch version to [...] style
fix "make check" regression in tun.c (unnecessary change reverted)
Gert Doering [Thu, 14 Jan 2010 14:21:05 +0000 (15:21 +0100)]
NetBSD fixes - on 4.0 and up, use multi-af mode. On earlier systems that
do not have TUNSIFHEAD (and do not have IPv6 capable tunnels), fall back
to old IPv4-only code without address-family prepending.
(cherry picked from commit 2a57c58b185deb11b0a62c584489fff59258146c)
Gert Doering [Tue, 16 Feb 2010 14:40:31 +0000 (15:40 +0100)]
add some TODOs to TODO.IPv6
--version: change printing of IPv6 payload patch version to [...] style
fix "make check" regression in tun.c (unnecessary change reverted)
Gert Doering [Thu, 14 Jan 2010 14:53:40 +0000 (15:53 +0100)]
new feature: "ifconfig-ipv6-push" (from ccd/ config)
affects options.h, options.c, multi.c
benefit: static IPv6 address assignment from radiusplugin (etc)
rewritten get_ipv6_addr() to handle IPv6 addresses with and without "/bits"
affects route.c and mainly options.c
benefit: ifconfig-ipv6, ifconfig-ipv6-pool can now accept
configurations with networks != /64 (the rest of the implementation
is not yet completely there, but this is important preparation work to
be able to add /bits to "push 'ifconfig-ipv6 ...'" later on without
breaking clients)
do not try to add/delete IPv6 routes if no IPv6 on tunnel
affects: route.c
benefit: avoid error messages, and make IPv6 troubleshooting easier
flag as "config error" if --ifconfig-ipv6-pool used without --ifconfig-ipv6
flag as "config error" if --ifconfig-ipv6-pool used without --server
print warning if --ifconfig-ipv6 is used without --tun-ipv6
changes documented in more detail in ChangeLog.IPv6
Gert Doering [Thu, 14 Jan 2010 14:21:05 +0000 (15:21 +0100)]
NetBSD fixes - on 4.0 and up, use multi-af mode. On earlier systems that
do not have TUNSIFHEAD (and do not have IPv6 capable tunnels), fall back
to old IPv4-only code without address-family prepending.
(cherry picked from commit 2a57c58b185deb11b0a62c584489fff59258146c)
Robert Fischer [Sun, 17 Apr 2011 21:25:34 +0000 (23:25 +0200)]
Update man page with info about --connect-timeout
Signed-off-by: Robert Fischer <ml-openvpn@trispace.org>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Robert Fischer [Sun, 17 Apr 2011 21:03:49 +0000 (23:03 +0200)]
Update man page with info about --capath
Signed-off-by: Robert Fischer <ml-openvpn@trispace.org>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth [Thu, 21 Apr 2011 19:03:25 +0000 (21:03 +0200)]
Add a simple comment noting that openvpn_snprintf() is duplicated
Commit df5a4380c3931520d5fae2b18f0fc2e67a883aae copies this function
from buffer.c to service-win32/openvpnserv.c. Any changes on either
places should be done in both implementations.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth [Thu, 21 Apr 2011 18:32:26 +0000 (20:32 +0200)]
Improve the mysprintf() issue in openvpnserv.c
A quick and dirty compile fix was introduced in commit 77d244050964525417,
and was accepted under the condition that it would be a temporary fix.
As the usage of _snprintf() is really not ideal on Windows, this patch
uses the same well tested openvpn_snprintf() function from buffer.c.
There was a longer discussion of several possibilities to re-use that code,
but in the end it seemed easier to just copy-paste this function to
openvpnserv.c for now.
The reason for this conclusion was that the function is really simple,
well defined and will most likely not be changed much in the future.
A comment is also added in openvpnserv.c where this function
has its origins.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: James Yonan <james@openvpn.net>
Gisle Vanem [Sat, 9 Apr 2011 12:56:52 +0000 (12:56 +0000)]
Avoid re-defining uint32_t when using mingw compiler
Since MingW for quite a long time (since 3.2 in 2008?) has defined
'uint32_t' etc. in its <stdint.h>, we need to guard against defining
them again. Ideally we should figure out in what version of MingW
this happened. But for now:
Signed-off-by: Gisle Vanem <gvanem@broadpark.no>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
The win/config_ti.py build script assumes to find ../tapinstall/7600/sources.in
which does not exist in the devcon.exe source code directory. This makes
config_ti.py look for ../tapinstall/7600/sources instead.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth [Thu, 14 Apr 2011 14:21:16 +0000 (16:21 +0200)]
Change the default --tmp-dir path to a more suitable path
In commit 4e1cc5f6dda22e9 the create_temp_filename() function was
reviewed and hardened, which in the end renamed this function to
create_temp_file() in commit 495e3cec5d156.
With these changes it became more evident that OpenVPN needs a directory
where it can create temporary files. The create_temp_file() will create
such files f.ex. if --client-connect or --plugin which makes use of
the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY hook, such as openvpn-auth-pam.so.
When this happens, OpenVPN will normally create these files in the directory
OpenVPN was started. In many cases, this will fail due to restricted access.
By using --tmp-dir and pointing it to a directory writeable to the user
running OpenVPN, it works again.
This patch makes OpenVPN use a more suitable temporary directory by default,
instead of the current working directory. On non-Windows platforms this
default value is set to '/tmp', but can be modified at compile-time by
running ./configure --with-tmp-dir-path=<TEMP DIR PATH>. On Windows, it
will use GetTempPath() to find temporary paths recommended by the OS. If
this fails, it will fallback to the old behaviour, using the directory
where OpenVPN was started.
In any cases, this default value can be overridden in the configuration
file by using the --tmp-dir option, as before.
To check what the default is at runtime, you can see this easily by doing
this:
$ ./openvpn --verb 4 --dev tun | grep tmp_dir
Signed-off-by: David Sommerseth <davids@redhat.com>
Tested-by: Jan Just Keijser <janjust@nikhef.nl>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Sat, 9 Apr 2011 16:16:21 +0000 (18:16 +0200)]
Add more detailed explanation regarding the function of "--rdns-internal"
As agreed in last thursday's IRC meeting [1], I've added a comment to the
code explaining "--rdns-internal". It's really very much an internal
option, so it does not need to go to the man page.
This commit introduced a bug, which made the verify_callback()
function getting called even if --client-cert-not-required was
enabled in the config.
The reason for this was that an 'else' statement was lacking a
couple of curly braces. The offending commit in reality moved
the setup of the verify_callback() function out of the 'else'
statement.
Report-URL: https://community.openvpn.net/openvpn/ticket/108
Report-URL: https://forums.openvpn.net/topic7751.html
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Jan Just Keijser <janjust@nikhef.nl>
* fix --multihome for ipv6: IPV6_RECVPKTINFO
- setsockopt IPV6_RECVPKTINFO (not IPV6_PKTINFO!)
- do check for setsockopt() failures
- append %<iface> in INFO msg
JuanJo Ciarlante [Tue, 20 Oct 2009 20:38:50 +0000 (22:38 +0200)]
* no new functionality, just small cleanups:
- cmdline options help: add tcp6/udp6 missing messages
- win32: expand usage of proto_is_udp(), proto_is_tcp()
- replace some memset(&obj, 0, sizeof obj) by openvpn's CLEAR(obj)