git.ipfire.org Git - thirdparty/openvpn.git/log

13 years ago: Do some file/directory tests before really starting openvpn
David Sommerseth [Thu, 16 Jun 2011 15:27:06 +0000 (17:27 +0200)] 
Do some file/directory tests before really starting openvpn

OpenVPN can handle over 30 different files and directories, and it is easy
to misconfigure some of them.  In many situations OpenVPN will even start
running, even with a wrong file path or without the proper permissions, and
then it will complain much later on.  In some cases the error being seen at
this late point might even be difficult to relate to a configuration option.

This patch tries to catch as many of these files as soon as possible, kind of
to "smoke-test" the files and directories to avoid the most likely errors.

Trac-ticket: 73
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>

13 years ago: log error message and exit for "win32, tun mode, tap driver version 9.8"
Gert Doering [Wed, 23 Nov 2011 10:11:54 +0000 (11:11 +0100)] 
log error message and exit for "win32, tun mode, tap driver version 9.8"

(driver is known-buggy for small IPv4 packets in tun mode)

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: bump tap driver version from 9.8 to 9.9
Gert Doering [Wed, 23 Nov 2011 10:07:09 +0000 (11:07 +0100)] 
bump tap driver version from 9.8 to 9.9

(bugfixed tapdrvr.c regarding small IPv4 packets)

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Make '--win-sys env' default
David Sommerseth [Fri, 18 Nov 2011 12:21:43 +0000 (13:21 +0100)] 
Make '--win-sys env' default

Without this patch, the default path used by OpenVPN is hard coded
to C:\WINDOWS.  As users might install Windows in a different directory,
this approach will cause OpenVPN to malfunction in some configurations.

OpenVPN has supported using the system path by adding --win-sys env.
This patch removes the hard coded approach and uses the --win-sys env
approach by default instead.

Trac-ticket: 66
URL: http://thread.gmane.org/gmane.network.openvpn.user/32508
Signed-off-by: David Sommerseth <davids@redhat.com>
Tested-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>

13 years ago: Fix FreeBSD/OpenBSD/NetBSD compiler warnings in get_default_gateway()
David Sommerseth [Mon, 21 Nov 2011 11:49:33 +0000 (12:49 +0100)] 
Fix FreeBSD/OpenBSD/NetBSD compiler warnings in get_default_gateway()

On these platforms (including DragonFly), get_default_gateway() would in some
cases return false.  As get_default_gateway() is defined as a void function, and
none of the callers expect a return value -> just return without any value.

Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>

13 years ago: Fixed a regression causing VS2008/Python build failure
Samuli Seppänen [Wed, 9 Nov 2011 09:49:36 +0000 (11:49 +0200)] 
Fixed a regression causing VS2008/Python build failure

Patch "Added options to switch between OpenSSL and PolarSSL and PKCS11" caused a
regression when building OpenVPN with Visual Studio 2008/Python build system.
The underlying cause was a wrong path to lzo2.lib.

Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: Adriaan de Jong <dejong@fox-it.com>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Fixed a typo when initialising cryptoapi certs
Adriaan de Jong [Mon, 31 Oct 2011 15:29:21 +0000 (16:29 +0100)] 
Fixed a typo when initialising cryptoapi certs

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: Heiko Hund <heiko.hund@sophos.com>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Minor cleanup to enable warning-free Windows build:
Adriaan de Jong [Mon, 31 Oct 2011 15:29:20 +0000 (16:29 +0100)] 
Minor cleanup to enable warning-free Windows build:

- Changed int32_t to size_t
- Removed some unused variables
- Added missing include files
- changed ordering to ensure variable declarations are before asserts

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Tested-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Moved from strsep to strtok, for Windows compatibility
Adriaan de Jong [Mon, 31 Oct 2011 15:29:19 +0000 (16:29 +0100)] 
Moved from strsep to strtok, for Windows compatibility

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Added options to switch between OpenSSL and PolarSSL and PKCS11...
Adriaan de Jong [Mon, 31 Oct 2011 15:29:18 +0000 (16:29 +0100)] 
Added options to switch between OpenSSL and PolarSSL and PKCS11...

at compile time. Also included the option to enable/disable PKCS11.

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: Samuli Seppänen <samuli@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Reordered functions to ensure warning-free Windows build
Adriaan de Jong [Mon, 31 Oct 2011 15:29:17 +0000 (16:29 +0100)] 
Reordered functions to ensure warning-free Windows build

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: Samuli Seppänen <samuli@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Moved CryptoAPI header include to the ssl_openssl.c
Adriaan de Jong [Mon, 31 Oct 2011 15:29:15 +0000 (16:29 +0100)] 
Moved CryptoAPI header include to the ssl_openssl.c

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Moved prng_uninit out of crypto_uninit_lib
Adriaan de Jong [Mon, 31 Oct 2011 15:29:14 +0000 (16:29 +0100)] 
Moved prng_uninit out of crypto_uninit_lib

Since prng_uninit is SSL-library agnostic, but crypto_uninit_lib isn't,
the function was moved up a level.

Also removed one unused variable (j) in tls1_P_hash().

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: add missing break between "case IPv4" and "case IPv6", leading to the
Gert Doering [Thu, 10 Nov 2011 19:15:44 +0000 (20:15 +0100)] 
add missing break between "case IPv4" and "case IPv6", leading to the
minimum-size for IPv6 being applied to IPv4 packets, subsequently
leading to drop of small-sized IPv4 packets.

Bug found & fixed by Christian Niessner.

Signed-off-by: Christian Niessner <bug-report@secadm.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Fix PolarSSL and --pkcs12 option issues
David Sommerseth [Mon, 24 Oct 2011 06:53:35 +0000 (08:53 +0200)] 
Fix PolarSSL and --pkcs12 option issues

PolarSSL does not support PKCS#12 certificate/key bundles, but had a
typo where #ifdef USE_POLARSSL was used, and it should have been #ifndef
instead.

Also added a few extra exclusions of PKCS#12 messages where appropriate,
to avoid confusing users.

Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Adriaan de Jong <dejong@fox-it.com>

13 years ago: Fixed missing comma in plugin.h
Adriaan de Jong [Mon, 31 Oct 2011 15:29:16 +0000 (16:29 +0100)] 
Fixed missing comma in plugin.h

Fixed a bug where the wrong value was being passed to plugin_call_ssl, due to a missing comma.

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Further removal of des_old.h based calls
Adriaan de Jong [Mon, 24 Oct 2011 14:11:14 +0000 (16:11 +0200)] 
Further removal of des_old.h based calls

Replaced des_set_key_unchecked and des_ecb_encrypt functions in cipher_des_encrypt_ecb

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Removed obsolete des_cblock and des_keyschedule
Adriaan de Jong [Mon, 24 Oct 2011 11:11:32 +0000 (13:11 +0200)] 
Removed obsolete des_cblock and des_keyschedule

This is to allow building on NetBSD which does not install <des_old.h> anymore

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Got rid of a few magic numbers in ntlm.c
Adriaan de Jong [Mon, 24 Oct 2011 08:46:00 +0000 (10:46 +0200)] 
Got rid of a few magic numbers in ntlm.c

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Fixed disabling crypto and SSL
Adriaan de Jong [Mon, 24 Oct 2011 08:46:01 +0000 (10:46 +0200)] 
Fixed disabling crypto and SSL

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Added missing #ifdef to allow --disable-management to work again
Adriaan de Jong [Mon, 24 Oct 2011 09:39:05 +0000 (11:39 +0200)] 
Added missing #ifdef to allow --disable-management to work again

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Moved to PolarSSL 1.0.0:
Adriaan de Jong [Sun, 16 Oct 2011 13:56:31 +0000 (15:56 +0200)] 
Moved to PolarSSL 1.0.0:

 - Reversed des_key_check_weak output check, as the library changed this
 - Changed POLARSSL_MODE_CFB to POLARSSL_MODE_CFB128
 - Changed the bio write function to accept const input

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Made SSL_CIPHER const in print_details, to fix warning
Adriaan de Jong [Sun, 16 Oct 2011 13:13:36 +0000 (15:13 +0200)] 
Made SSL_CIPHER const in print_details, to fix warning

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Fixed a typo: print the subject instead of the serial for verification errors
Adriaan de Jong [Thu, 29 Sep 2011 17:58:16 +0000 (19:58 +0200)] 
Fixed a typo: print the subject instead of the serial for verification errors

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Removed a stray Fox-IT tag
Adriaan de Jong [Thu, 1 Sep 2011 18:44:56 +0000 (20:44 +0200)] 
Removed a stray Fox-IT tag

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Unified verification function return values:
Adriaan de Jong [Wed, 3 Aug 2011 19:25:57 +0000 (21:25 +0200)] 
Unified verification function return values:

 - Now return either SUCCESS or FAILURE.
 - SUCCESS is defined as 0.

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Fixed a bug in the return value of ssl_verify when pre_verify failed
Adriaan de Jong [Wed, 3 Aug 2011 18:43:08 +0000 (20:43 +0200)] 
Fixed a bug in the return value of ssl_verify when pre_verify failed

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Moved gc_new and gc_free to begin and end of function
Adriaan de Jong [Wed, 3 Aug 2011 18:16:01 +0000 (20:16 +0200)] 
Moved gc_new and gc_free to begin and end of function

As a safety measure against future modifications

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Added back checks for ks->authenticated in verify_user_pass
Adriaan de Jong [Thu, 28 Jul 2011 17:53:44 +0000 (19:53 +0200)] 
Added back checks for ks->authenticated in verify_user_pass

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Moved HMAC prints back to main crypto module
Adriaan de Jong [Thu, 14 Jul 2011 19:35:45 +0000 (21:35 +0200)] 
Moved HMAC prints back to main crypto module

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Moved print messages back to generic crypto.c from cipher backends
Adriaan de Jong [Thu, 14 Jul 2011 19:19:12 +0000 (21:19 +0200)] 
Moved print messages back to generic crypto.c from cipher backends

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Fixed an unintentional change in the options calculated key size.
Adriaan de Jong [Thu, 14 Jul 2011 18:50:29 +0000 (20:50 +0200)] 
Fixed an unintentional change in the options calculated key size.

It is now in bits again.

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Further improvements to plugin support:
Adriaan de Jong [Thu, 7 Jul 2011 08:05:32 +0000 (10:05 +0200)] 
Further improvements to plugin support:

 - Renamed struct entries to explicitly show them as disabled
 - Added a warning if USE_SSL is enabled, but neither ssl_verify_openssl.h nor ssl_verify_polarssl.h is included
 - If neither of those files is included, disable ssl support for a plugin including openvpn-plugin.h

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Fixes for the plugin system:
Adriaan de Jong [Thu, 7 Jul 2011 07:21:03 +0000 (09:21 +0200)] 
Fixes for the plugin system:

 - Removed the dependency on an SSL library for USE_SSL when creating non-SSL plugins
 - Fixed example plugin code to include USE_SSL when needed

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Hardening: periodically reset the PRNG's nonce value
Adriaan de Jong [Tue, 5 Jul 2011 11:50:48 +0000 (13:50 +0200)] 
Hardening: periodically reset the PRNG's nonce value

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Disabled X.509 track and username selection for PolarSSL
Adriaan de Jong [Tue, 5 Jul 2011 11:09:13 +0000 (13:09 +0200)] 
Disabled X.509 track and username selection for PolarSSL

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Added SSL library to title string
Adriaan de Jong [Tue, 5 Jul 2011 10:46:33 +0000 (12:46 +0200)] 
Added SSL library to title string

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Added an extra define to allow building without PKCS#11
Adriaan de Jong [Tue, 5 Jul 2011 10:02:12 +0000 (12:02 +0200)] 
Added an extra define to allow building without PKCS#11

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Refactored (and disabled for PolarSSL) support for writing external cert files in...
Adriaan de Jong [Tue, 5 Jul 2011 09:48:38 +0000 (11:48 +0200)] 
Refactored (and disabled for PolarSSL) support for writing external cert files in scripts

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Removed stray X509_free from ssl.c
Adriaan de Jong [Tue, 5 Jul 2011 09:41:14 +0000 (11:41 +0200)] 
Removed stray X509_free from ssl.c

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Removed support for management external keys in PolarSSL
Adriaan de Jong [Tue, 5 Jul 2011 08:32:09 +0000 (10:32 +0200)] 
Removed support for management external keys in PolarSSL

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Disable CryptoAPI when not using OpenSSL, and document that fact.
Adriaan de Jong [Tue, 5 Jul 2011 08:16:46 +0000 (10:16 +0200)] 
Disable CryptoAPI when not using OpenSSL, and document that fact.

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Added warning that --capath is not available with PolarSSL
Adriaan de Jong [Tue, 5 Jul 2011 08:05:32 +0000 (10:05 +0200)] 
Added warning that --capath is not available with PolarSSL

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Added a warning that the PolarSSL library does not support pkcs12 files.
Adriaan de Jong [Tue, 5 Jul 2011 08:02:40 +0000 (10:02 +0200)] 
Added a warning that the PolarSSL library does not support pkcs12 files.

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Fixed a compilation warning for size_t key sizes
Adriaan de Jong [Tue, 5 Jul 2011 07:56:53 +0000 (09:56 +0200)] 
Fixed a compilation warning for size_t key sizes

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Updated ssl_polarssl.c to work with 0.99-pre5
Adriaan de Jong [Sat, 2 Jul 2011 12:28:56 +0000 (14:28 +0200)] 
Updated ssl_polarssl.c to work with 0.99-pre5

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Changed PolarSSL crypto backend to support v0.99-pre5
Adriaan de Jong [Sat, 2 Jul 2011 12:28:17 +0000 (14:28 +0200)] 
Changed PolarSSL crypto backend to support v0.99-pre5

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Added SHA_DIGEST_SIZE definition
Adriaan de Jong [Sat, 2 Jul 2011 09:00:49 +0000 (11:00 +0200)] 
Added SHA_DIGEST_SIZE definition

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Fixed a bug in the hash generation in ssl_verify_openssl.c
Adriaan de Jong [Fri, 1 Jul 2011 15:31:44 +0000 (17:31 +0200)] 
Fixed a bug in the hash generation in ssl_verify_openssl.c

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Fixed a missing include in ssl_backend.h
Adriaan de Jong [Fri, 1 Jul 2011 15:20:18 +0000 (17:20 +0200)] 
Fixed a missing include in ssl_backend.h

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Added PolarSSL support:
Adriaan de Jong [Fri, 1 Jul 2011 12:15:11 +0000 (14:15 +0200)] 
Added PolarSSL support:

 - Crypto library
 - SSL library
 - PKCS#11 support

For missing features, please see README.polarssl

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Refactored X509 track feature to be contained within the openssl backend
Adriaan de Jong [Fri, 1 Jul 2011 12:40:30 +0000 (14:40 +0200)] 
Refactored X509 track feature to be contained within the openssl backend

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Final cleanup before PolarSSL addition:
Adriaan de Jong [Fri, 1 Jul 2011 12:39:13 +0000 (14:39 +0200)] 
Final cleanup before PolarSSL addition:

 - Remove stray X509 entries
 - Remove unnecessary USE_OPENSSL ifdefs
 - Normalised x509_get_sha1_hash to look similar to x509_get_* functions

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Modified base64 code in preparation for PolarSSL merge
Adriaan de Jong [Thu, 30 Jun 2011 14:34:11 +0000 (16:34 +0200)] 
Modified base64 code in preparation for PolarSSL merge

 - Renamed base64_decode and base64_encode to openvpn_*
 - Changed the contributor's name to UTF-8

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Separated OpenSSL-specific parts of the PKCS#11 driver
Adriaan de Jong [Thu, 30 Jun 2011 14:28:56 +0000 (16:28 +0200)] 
Separated OpenSSL-specific parts of the PKCS#11 driver

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Refactored: renamed X509 functions from verify_*
Adriaan de Jong [Thu, 30 Jun 2011 13:44:24 +0000 (15:44 +0200)] 
Refactored: renamed X509 functions from verify_*

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Refactored: made M_SSL dependent on USE_OPENSSL
Adriaan de Jong [Wed, 29 Jun 2011 12:53:41 +0000 (14:53 +0200)] 
Refactored: made M_SSL dependent on USE_OPENSSL

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Cleaned up ssl.h
Adriaan de Jong [Thu, 30 Jun 2011 13:11:47 +0000 (15:11 +0200)] 
Cleaned up ssl.h

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Refactored: Moved verify_cert to ssl_verify
Adriaan de Jong [Thu, 30 Jun 2011 13:07:21 +0000 (15:07 +0200)] 
Refactored: Moved verify_cert to ssl_verify

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Minor cleanup in verify_cert:
Adriaan de Jong [Thu, 30 Jun 2011 13:03:33 +0000 (15:03 +0200)] 
Minor cleanup in verify_cert:

 - Removed envname variable
 - Removed debug code
 - Changed ERR_clear_error to tls_clear_error
 - Changed verify_get_subject to match verify_get_serial more closely

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Refactored CRL checks
Adriaan de Jong [Thu, 30 Jun 2011 12:55:53 +0000 (14:55 +0200)] 
Refactored CRL checks

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Refactored tls-verify script code
Adriaan de Jong [Thu, 30 Jun 2011 12:38:38 +0000 (14:38 +0200)] 
Refactored tls-verify script code

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Refactored tls-verify-plugin code
Adriaan de Jong [Thu, 30 Jun 2011 12:15:40 +0000 (14:15 +0200)] 
Refactored tls-verify-plugin code

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Refactored tls-remote checking
Adriaan de Jong [Wed, 29 Jun 2011 12:28:44 +0000 (14:28 +0200)] 
Refactored tls-remote checking

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Refactored EKU verification
Adriaan de Jong [Wed, 29 Jun 2011 12:24:15 +0000 (14:24 +0200)] 
Refactored EKU verification

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Refactored key usage verification code
Adriaan de Jong [Wed, 29 Jun 2011 12:20:43 +0000 (14:20 +0200)] 
Refactored key usage verification code

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Refactored: Netscape certificate type verification
Adriaan de Jong [Thu, 30 Jun 2011 11:51:16 +0000 (13:51 +0200)] 
Refactored: Netscape certificate type verification

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Refactored: separated environment setup during verification
Adriaan de Jong [Thu, 30 Jun 2011 11:43:46 +0000 (13:43 +0200)] 
Refactored: separated environment setup during verification

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Refactored: removed global x509_username_field
Adriaan de Jong [Thu, 30 Jun 2011 10:37:33 +0000 (12:37 +0200)] 
Refactored: removed global x509_username_field

Moved to tls_options.

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Added function to verify and extract the username
Adriaan de Jong [Thu, 30 Jun 2011 09:43:38 +0000 (11:43 +0200)] 
Added function to verify and extract the username

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Added function to extract and verify the subject from a certificate
Adriaan de Jong [Wed, 29 Jun 2011 11:29:33 +0000 (13:29 +0200)] 
Added function to extract and verify the subject from a certificate

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Refactored: split verify_callback into two parts
Adriaan de Jong [Thu, 30 Jun 2011 09:19:07 +0000 (11:19 +0200)] 
Refactored: split verify_callback into two parts

 - One part is the actual callback, and is OpenSSL-specific
 - One part, verify_cert(), is called by the callback to process the actual
   verification

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Add some extra comments
Adriaan de Jong [Wed, 29 Jun 2011 10:40:12 +0000 (12:40 +0200)] 
Add some extra comments

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Refactored username and password authentication code
Adriaan de Jong [Thu, 30 Jun 2011 08:48:18 +0000 (10:48 +0200)] 
Refactored username and password authentication code

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Refactored common name locking functions
Adriaan de Jong [Tue, 28 Jun 2011 14:22:40 +0000 (16:22 +0200)] 
Refactored common name locking functions

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Refactored certificate hash lock checks
Adriaan de Jong [Thu, 30 Jun 2011 08:10:28 +0000 (10:10 +0200)] 
Refactored certificate hash lock checks

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Refactored client_config_dir_exclusive function
Adriaan de Jong [Tue, 28 Jun 2011 13:41:32 +0000 (15:41 +0200)] 
Refactored client_config_dir_exclusive function

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Migrated data structures needed by verification functions to ssl_common.h
Adriaan de Jong [Thu, 30 Jun 2011 08:04:56 +0000 (10:04 +0200)] 
Migrated data structures needed by verification functions to ssl_common.h

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Refactored Doxygen for tls_multi functions
Adriaan de Jong [Thu, 30 Jun 2011 07:58:48 +0000 (09:58 +0200)] 
Refactored Doxygen for tls_multi functions

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Refactored: moved write_empty_string function back
Adriaan de Jong [Tue, 28 Jun 2011 09:03:45 +0000 (11:03 +0200)] 
Refactored: moved write_empty_string function back

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Refactored: removed ks and ks_lame macro for clarity
Adriaan de Jong [Tue, 28 Jun 2011 08:41:22 +0000 (10:41 +0200)] 
Refactored: removed ks and ks_lame macro for clarity

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Refactored: Moved BIO debug functions to OpenSSL backend
Adriaan de Jong [Tue, 28 Jun 2011 08:08:08 +0000 (10:08 +0200)] 
Refactored: Moved BIO debug functions to OpenSSL backend

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Refactored key_state write functions
Adriaan de Jong [Tue, 28 Jun 2011 08:02:47 +0000 (10:02 +0200)] 
Refactored key_state write functions

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Refactored key_state read code (including bio_read())
Adriaan de Jong [Tue, 28 Jun 2011 07:47:52 +0000 (09:47 +0200)] 
Refactored key_state read code (including bio_read())

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Refactored print_details
Adriaan de Jong [Thu, 30 Jun 2011 07:43:14 +0000 (09:43 +0200)] 
Refactored print_details

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <davids@redhat.com>

13 years ago: Refactored key_state free code
Adriaan de Jong [Mon, 27 Jun 2011 15:51:23 +0000 (17:51 +0200)] 
Refactored key_state free code

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <davids@redhat.com>
13 years ago  Refactored initialisation of key_states
Adriaan de Jong [Mon, 27 Jun 2011 15:44:40 +0000 (17:44 +0200)] 
Refactored initialisation of key_states

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
13 years ago  Refactored tls_options, key_state, and key_source data structures
Adriaan de Jong [Thu, 30 Jun 2011 07:33:41 +0000 (09:33 +0200)] 
Refactored tls_options, key_state, and key_source data structures

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
13 years ago  Refactored cipher restriction code
Adriaan de Jong [Wed, 29 Jun 2011 16:32:44 +0000 (18:32 +0200)] 
Refactored cipher restriction code

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
13 years ago  Refactored CA and extra certs code
Adriaan de Jong [Wed, 29 Jun 2011 16:28:02 +0000 (18:28 +0200)] 
Refactored CA and extra certs code

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
13 years ago  Refactored external key loading from management
Adriaan de Jong [Thu, 30 Jun 2011 06:57:52 +0000 (08:57 +0200)] 
Refactored external key loading from management

Fixed a bug in external key loading, where if no certificate file was
specified, the program would still try to use an external private key.

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
13 years ago  Refactored private key loading code
Adriaan de Jong [Mon, 27 Jun 2011 12:39:23 +0000 (14:39 +0200)] 
Refactored private key loading code

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
13 years ago  Refactored load certificate functions
Adriaan de Jong [Wed, 29 Jun 2011 15:59:55 +0000 (17:59 +0200)] 
Refactored load certificate functions

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
13 years ago  Refactored windows cert loading
Adriaan de Jong [Mon, 27 Jun 2011 12:13:16 +0000 (14:13 +0200)] 
Refactored windows cert loading

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <davids@redhat.com>
13 years ago  Refactored PKCS#11 loading
Adriaan de Jong [Mon, 27 Jun 2011 12:01:22 +0000 (14:01 +0200)] 
Refactored PKCS#11 loading

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <davids@redhat.com>
13 years ago  Refactored PKCS#12 key loading
Adriaan de Jong [Wed, 29 Jun 2011 14:51:16 +0000 (16:51 +0200)] 
Refactored PKCS#12 key loading

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
13 years ago  Refactored root TLS option settings
Adriaan de Jong [Wed, 29 Jun 2011 14:30:38 +0000 (16:30 +0200)] 
Refactored root TLS option settings

 - Started merge of new feature (x509_altnames), will continue in a
future patch

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <davids@redhat.com>
13 years ago  Refactored DH parameter loading
Adriaan de Jong [Mon, 27 Jun 2011 11:03:07 +0000 (13:03 +0200)] 
Refactored DH parameter loading

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <davids@redhat.com>
13 years ago  Refactored new external key code
Adriaan de Jong [Wed, 29 Jun 2011 13:45:44 +0000 (15:45 +0200)] 
Refactored new external key code

 - To make patch application easier in the future

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
13 years ago  Refactored root SSL context initialisation
Adriaan de Jong [Wed, 29 Jun 2011 13:30:34 +0000 (15:30 +0200)] 
Refactored root SSL context initialisation

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>