Adriaan de Jong [Mon, 2 Apr 2012 07:28:05 +0000 (09:28 +0200)]
Removed support for PolarSSL < 1.1
PolarSSL 1.0 and earlier use only the Havege RNG. Havege is based on timing
certain operations, using the RDTSC instruction. Although this is fine on
bare metal PCs, the RDTSC instruction is virtualised on some virtual
machine implementations. This can result in issues on those virtual
machines. PolarSSL fixes this potential issue by also using platform
entropy.
To ensure that OpenVPN is always built against a decent RNG, PolarSSL <1.1
is therefore no longer supported.
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1333351687-3732-4-git-send-email-dejong@fox-it.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6211 Signed-off-by: David Sommerseth <davids@redhat.com>
Adriaan de Jong [Mon, 2 Apr 2012 07:28:02 +0000 (09:28 +0200)]
Added support for new PolarSSL 1.1 RNG
This patch, while retaining PolarSSL 1.0 support, introduces the PolarSSL 1.1 DRBG.
This RNG adds a number of features, including support for personalisation strings
and multiple entropy sources.
Personalisation strings have been implemented, based on PID, program name, place
within memory, and a hash of the user's certificate.
The entropy sources used are the platform default ones. Which ones these are
depends on how PolarSSL was built, but usually this includes:
- /dev/urandom or the Windows CryptoAPI RNG
- the HAVEGE RNG
- the output of PolarSSL's hardclock() call (usually RDTSC)
Finally, this patch moves to only one instance of the RNG per OpenVPN instance,
instead of one per keystate
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Signed-off-by: Eelse-jan Stutvoet <stutvoet@fox-it.com> Acked-by: James Yonan <james@openvpn.net>
Message-Id: 1333351687-3732-1-git-send-email-dejong@fox-it.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6210 Signed-off-by: David Sommerseth <davids@redhat.com>
Program received signal SIGSEGV, Segmentation fault.
packet_id_debug_print (msglevel=1174405255, p=0xa36bd0718,
pin=0x3de5feec1b0,
message=0xa330dde80 "PID_TEST", value=0) at
../../../src/openvpn/packet_id.c:504
504 for (i = 0; i < sl->x_size; ++i)
David Sommerseth [Fri, 27 Apr 2012 10:10:25 +0000 (12:10 +0200)]
Clean-up: Presume that Linux is always IPv6 capable at build time
These days it is highly unlikely that OpenVPN will be built in a non-IPv6
capable Linux environment. So remove compile-time related macros identifying
that.
This also solves an issue which was introduced in commit 51bd56f46f55177cf0f8b
where HAVE_TUN_PI is no longer detected. The tun_pi struct is defined in
linux/if_tun.h, which will be checked for later on. As this struct has history
in linux/if_tun.h all back to the beginning of the kernel git tree (2.6.12-rc2,
April 2005), it is considered not needed to check for this struct explicit.
[ v2: Commit 7c0a2b5f2b4409 modifies some of the checks this patch touches. This
patch just adopts to those changes ]
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Alon Bar-Lev <alon.barlev@gmail.com>
Message-Id: 1335521425-23391-1-git-send-email-davids@redhat.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6351
cleanup: add .gitattributes to control eol style explicitly
Having the text auto detection is a risk, as the detection may detect
text files that are not text and vise versa.
Having global setting will create confusion and differentiate between
users. So this patch also move this to local repository.
Having git to check out files differently in different OS is also
a not correct, as checkouts may be used in shares or in *NIX emulation
environments, so it have no effect.
Another issue is packaging, if we change out the tree differently
in several OSes, we may have different package content, which is
something that should be avoided.
Currently any editor of MS supports LF end of lines, so there is no
need to convert source files while checking out.
The visual studio files should be stored as CRLF as they are generated
by visual studio every save, in a way that CRLF are added.
I handled only the files that may be touch by MS users.
Adriaan de Jong [Tue, 14 Feb 2012 10:11:26 +0000 (11:11 +0100)]
Migrated x509_get_sha1_hash to use the garbage collector
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Adriaan de Jong [Tue, 14 Feb 2012 10:11:25 +0000 (11:11 +0100)]
Migrated x509_get_serial to use the garbage collector
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Adriaan de Jong [Tue, 14 Feb 2012 10:11:24 +0000 (11:11 +0100)]
Migrated x509_get_subject to use of the garbage collector
This also cleans up a messy call in pkcs11.c to _openssl_get_subject, as discussed at FOSDEM.
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Igor Novgorodov [Tue, 28 Feb 2012 11:16:01 +0000 (15:16 +0400)]
Remove calls to OpenSSL when building with --disable-ssl
Move OpenSSL calls out from the generic crypto layer and into the
OpenSSL specific layer. Also don't load all algortihms if SSL
isn't enabled.
Error strings will also not be loaded into memory if ENABLE_SMALL
is configured.
Signed-off-by: Igor Novgorodov <igor@novg.net> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Alon Bar-Lev [Wed, 29 Feb 2012 20:12:09 +0000 (22:12 +0200)]
build: proper lzo detection and usage
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Alon Bar-Lev [Wed, 29 Feb 2012 20:12:04 +0000 (22:12 +0200)]
build: autoconf: minor cleanups
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Alon Bar-Lev [Wed, 29 Feb 2012 20:12:02 +0000 (22:12 +0200)]
build: libdl usage
1. properly detect.
2. Link only required components.
3. No way we don't have LoadLibrary on Windows.
4. ENABLE_PLUGIN should be controlled in autoconf.
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Alon Bar-Lev [Wed, 29 Feb 2012 20:11:56 +0000 (22:11 +0200)]
build: autotools: first pass of trivial autotools changes
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Alon Bar-Lev [Wed, 29 Feb 2012 20:11:49 +0000 (22:11 +0200)]
Remove tap-win32
Introduce tap-windows.h which is modified tap-win32/common.h.
Except of function rename, it is the same without the tap_id.
This file should be provided as part of tap-win32 MSI.
For now we hold a copy.
Alon Bar-Lev [Wed, 29 Feb 2012 20:11:45 +0000 (22:11 +0200)]
build: plugins: properly use CC, CFLAGS and LDFLAGS
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Alon Bar-Lev [Wed, 29 Feb 2012 20:11:40 +0000 (22:11 +0200)]
fixup: init.c: add missing conditional for ENABLE_CLIENT_CR
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Alon Bar-Lev [Wed, 29 Feb 2012 20:11:37 +0000 (22:11 +0200)]
cleanup: crypto_openssl.c: remove support for pre-openssl-0.9.6
autoconf rejecting this anyway:
----
AC_MSG_CHECKING([that OpenSSL Library is at least version 0.9.6])
<snip>
AC_MSG_ERROR([OpenSSL crypto Library is too old.])
----
Alon Bar-Lev [Wed, 29 Feb 2012 20:11:35 +0000 (22:11 +0200)]
cleanup: win32.c: wrong printf format
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Heiko Hund [Wed, 17 Aug 2011 15:53:01 +0000 (15:53 +0000)]
remove wrapper code for Windows CryptoAPI function
The CryptoAPI function CryptAcquireCertificatePrivateKey() was previously
unsupported in MinGW. With recent w32api headers it's now defined, mostly.
Since the code used to load the CryptoAPI DLL is prone to a DLL hijacking
attack [1], it's now a good time to get rid of wrapper completely.
Just a few macros left that may still be undefined on some
systems using the original MinGW headers.
[1] http://isc.sans.edu/diary.html?storyid=9445
Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: James Yonan <james@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/4979 Signed-off-by: David Sommerseth <davids@redhat.com>
David Sommerseth [Mon, 20 Feb 2012 09:31:54 +0000 (10:31 +0100)]
Revamp check_file_access() checks in stdin scenarios
It was discovered that --management also can take stdin as argument
instead of a file. Enabled this by revamping the check_file_access()
flags by adding CHKACC_ACPTSTDIN. Setting this flag will then consider
filenames as 'stdin' as always present.
The other place where 'stdin' was accepted is also modified to use this
flag instead.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Sat, 18 Feb 2012 19:44:12 +0000 (20:44 +0100)]
define access mode flag X_OK as 0 on Windows
The _access and _waccess functions in Windows don't know about
X_OK (1). If you pass an uneven mode flag the C runtime's default
invalid parameter handler ends execution of openvpn.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
David Sommerseth [Fri, 17 Feb 2012 11:09:51 +0000 (12:09 +0100)]
Makefile.am referenced a now non-existing config-win32.h
This file was moved to win/config.h.in and is the template used
by the Python build tools in win/. This happened in
commit 4b312378e9e7084a0699ca6d4b895bdadb7540db
For all other autotools based environments, ./configure will take
care of creating the proper config.h
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Thu, 16 Feb 2012 17:30:40 +0000 (18:30 +0100)]
use the underscore version of stat on Windows
MSVC does not know wstat(). Instead _wstat() must be used here.
Unfortunately _wstat() takes a 'struct _stat'. A type 'stat_t' is
introduced to handle this situation in a portable way.
[v2: Use openvpn_stat_t instead of stat_t (David Sommerseth)]
Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
The cipher_kt_mode uses bool as return type, this should be int. On
some platforms like OS X, any returned value larger than one will
be converted to 1.
Signed-off-by: Frank de Brabander <brabander@fox-it.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Signed-off-by: David Sommerseth <davids@redhat.com>
David Sommerseth [Tue, 14 Feb 2012 10:45:27 +0000 (11:45 +0100)]
Connection entry {tun,link}_mtu_defined not set correctly
Commit 76809cae0eae07817160b423d3f9551df1a1d68e enabled setting MTU
variables inside <connection> blocks. But in that process, the
tun_mtu_defined and link_mtu_defined was not set as it should.
By moving this out of the options_postprocess_mutate_invariant()
function and into options_postprocess_mutate_ce(), these
{tun,link}_mtu_defined variables are set correctly in each
connection entry.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
The following options may now be used in a connection block:
fragment
mssfix
tun-mtu
tun-mtu-extra
link-mtu
mtu_discover_type
explicit-exit-notification
In order to support stuff like
<connection>
remote host
proto udp
fragment
explicit-exit-notification 3
</connection>
<connection>
remote host
proto tcp
</connection>
Signed-off-by: Jan Just Keijser <janjust@nikhef.nl> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
projects / thirdparty / openvpn.git / log
