David Sommerseth [Sun, 24 Jul 2011 23:44:27 +0000 (01:44 +0200)]
Merge remote branch SVN 2.1 into the git tree
Hopefully the last SVN merge we need to do, as these merges are getting
more and more difficult. Most of the files had minor changes, but due to
the CRLF unification patch (commit 6b2883a637fe73492) we got an increased
number of conflicts. In addition inclusion of IPv6 support makes the
creates a lot of merge issues in route.c and socket.c
This merge also reverts commit 7c18c6353904f8c6e7 which merged
add_bypass_address() into add_host_route_if_nonlocal(). However the SVN
tree began to use add_bypass_address() another place, where at first glance
it did not be appropriate to use add_host_route_if_nonlocal().
This merge has gone through a 'make check' without any errors, but have
not been tested more thoroughly yet.
Signed-off-by: David Sommerseth <davids@redhat.com> Reviewed-by: Gert Doering <gert@greenie.muc.de> Reviewed-by: James Yonan <james@openvpn.net> Reviewed-by: Adriaan de Jong <dejong@fox-it.com>
Samuli Seppänen [Thu, 30 Jun 2011 07:59:10 +0000 (10:59 +0300)]
Fixes to easy-rsa/2.0
As support for OpenSSL 1.0.0 requires a modified openssl.cnf file, it was
decided to rename openssl.cnf to openssl-1.0.0.cnf for clarity and better
support of different OpenSSL versions. The old openssl.cnf was renamed as
openssl-0.9.8.cnf.
This patch makes sure that all openssl*.cnf files are copied when running 'make
install' in easy-rsa and makes the whichopensslcnf script aware of them as well.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Samuli Seppänen [Wed, 29 Jun 2011 08:24:07 +0000 (11:24 +0300)]
Updated "easy-rsa" for OpenSSL 1.0.0
This patch fixes remaining issues with Trac ticket #125. It does the following:
- Update easy-rsa/2.0/README
- Rename easy-rsa/2.0/openssl.cnf as openssl-0.9.8.cnf
- Add easy-rsa/2.0/openssl-1.0.0.cnf
- Updated vars.bat.sample to use openssl-1.0.0.cnf
- Updated win/openvpn.nsi to use openssl-1.0.0.cnf
- Add a few undefined variables to vars and vars.bat.sample:
required by OpenSSL 1.0.0 (at least on Windows)
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Tested-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Remove support for Linux 2.2 configuration fallback
When configuring OpenVPN nowadays, the TUN/TAP configuration can
sometimes jump into the Linux 2.2 fallback code paths, which will
also fails. The reason it jumps into fallback mode is that the
tun/tap device already exists or that /dev/net/tun does not exist.
This can be very confusing, as /dev/tunX which the fallback mode tries
to use, does not exist on Linux 2.4 and newer.
Considering that the last Linux 2.2 update was released 25-Feb-2004
and the first Linux 2.4 release came 04-Jan-2001, there are no
reasonable reasons to help users to stay on outdated kernels.
I consider this extra code path just waste of bytes ... so lets make
the world simpler.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Robert Fischer [Thu, 21 Apr 2011 20:55:52 +0000 (22:55 +0200)]
Documented --x509-username-field option
Also fixed a typo in the --help screen.
Signed-off-by: Robert Fischer <ml-openvpn@trispace.org> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Robert Fischer [Thu, 21 Apr 2011 19:36:10 +0000 (21:36 +0200)]
Added info about --show-proxy-settings
Signed-off-by: Robert Fischer <ml-openvpn@trispace.org> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
James Yonan [Sun, 12 Jun 2011 01:14:36 +0000 (01:14 +0000)]
Added redirect-gateway block-local flag, with support for
Linux, Mac OS X, and Linux. This flag (which is pushable
from server) blocks client access to local LAN while VPN
session is active.
Added standalone --show-gateway option to show info about
default gateway.
Extensively refactored get_default_gateway function in
route.c to ease implementation of block-local.
Removed "Experimental" disclaimer from redirect-gateway
man page.
James Yonan [Fri, 3 Jun 2011 21:21:20 +0000 (21:21 +0000)]
Added support for static challenge/response protocol.
This includes the new "static-challenge" directive.
See management/management-notes.txt for details on both
static and dynamic challenge/response protocols.
All client-side challenge/response code is #ifdefed on
ENABLE_CLIENT_CR and can be removed from the build
by commenting out the definition of ENABLE_CLIENT_CR
in syshead.h.
David Sommerseth [Thu, 26 May 2011 08:16:59 +0000 (10:16 +0200)]
Don't define ENABLE_PUSH_PEER_INFO if SSL is not available
The push_peer_info feature depends on the SSL infrastructure and openvpn
will fail to build if ./configure --disable-crypto --disable-ssl is
used. The solution is to not define ENABLE_PUSH_PEER_INFO if we don't
have crypto/ssl.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Sun, 22 May 2011 17:02:39 +0000 (19:02 +0200)]
Windows IPv6 cleanup - properly remove IPv6 routes and interface config
after tunnel shutdown. Needs to make delete_route_ipv6() visible from
tun.c (route.c, route.h) and to properly zero-out host bits from IPv6
"network" at interface route clearing. Further, add IPv6 routes with
"store=active" to make sure nothing lingers after a system crash while
OpenVPN was running.
While at it, small Solaris cleanup - use CLEAR() to zero-out "ifr" struct.
Tested on Windows XP SP3 and Win7 by Gert Doering and Tony Lim.
David Sommerseth [Fri, 29 Apr 2011 11:28:06 +0000 (13:28 +0200)]
Fix const declarations in plug-in v3 structs
Microsoft Visual Studio complains about const char const **ptr declarations
and expects them to be be const char ** const ptr. The latter is what was the
intention, that neither the pointer nor the value(s) it points at can be changed.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
smos [Tue, 10 May 2011 08:01:48 +0000 (10:01 +0200)]
Change the netsh.exe command from "add" to "set".
This prevents the netsh.exe command from exiting with a status 1
when the address already exists. By adding store=active the address
will not survive a reboot and be assigned temporarily.
Tested on Windows 7 and Windows XP SP 2.
Signed-off-by: smos <seth.mos@dds.nl> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: Gert Doering <gert@greenie.muc.de>
Fix 2.2.0 build failure when management interface disabled
I just upgraded to 2.2.0, and my build fails with:
ps.c: In function 'port_share_open':
ps.c:778:7: error: 'management' undeclared (first use in this function)
ps.c:778:7: note: each undeclared identifier is reported only once for
each function it appears in
make[5]: *** [ps.o] Error 1
[Comment by David Sommerseth:
This happens only when building with --enable-small, --disable-management
and --disable-pkcs11
Also changed MANAGEMENT_ENABLED to ENABLE_MANAGEMENT from the original
patch.
]
Mailing-list: http://thread.gmane.org/gmane.network.openvpn.devel/4639 Signed-off-by: Matthew L. Creech <mlcreech@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <davids@redhat.com>
Simon Matter [Tue, 8 Mar 2011 07:27:00 +0000 (07:27 +0000)]
Fix issues with some older GCC compilers
Some older GCC compilers don't like that variables are declared
in the middle of the code, and expect them on the top in the
block/scope.
Trac-ticket: 99 Signed-off-by: Simon Matter <simon.matter@invoca.ch> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
James Yonan [Sun, 24 Apr 2011 00:59:28 +0000 (00:59 +0000)]
Added 'dir' flag to "crl-verify" (see man page for info).
Don't call SSL_CTX_set_client_CA_list or SSL_CTX_set_client_CA_list
if not running in server mode (these functions are only useful for
TLS/SSL servers).
Modified openvpn_snprintf to return false on overflow, and true
otherwise.
When AUTH_FAILED,... is received, log the full string.
James Yonan [Tue, 19 Apr 2011 10:28:06 +0000 (10:28 +0000)]
Revert r7092 and r7151, i.e. remove --enable-osxipconfig
configure option. ipconfig on Mac has certain behavior that makes
it unsuitable for use by OpenVPN to configure tun/tap interface.
James Yonan [Tue, 12 Apr 2011 05:14:34 +0000 (05:14 +0000)]
For Mac OSX, when DARWIN_USE_IPCONFIG is defined, retry ipconfig
command on failure once every second for up to 15 seconds. This
is necessary to work around an issue observed on OSX 10.5 where
the ipconfig command sometimes fails if executed immediately after
the tun device open.
James Yonan [Sat, 2 Apr 2011 08:21:28 +0000 (08:21 +0000)]
Fixed bug that incorrectly placed stricter TCP packet replay rules on
UDP sessions when the client daemon was running in UDP/TCP adaptive
mode, and transitioned from TCP to UDP.
The bug would cause a single dropped packet in UDP mode to trigger a
barrage of packet replay errors followed by a disconnect and
reconnect.
James Yonan [Sun, 27 Mar 2011 09:20:13 +0000 (09:20 +0000)]
Added ./configure --enable-osxipconfig option for Mac OS X which will
enable the use of ipconfig (instead of ifconfig) for configuring the
IP address and netmask of the tun/tap adapter.
James Yonan [Sat, 26 Mar 2011 21:16:40 +0000 (21:16 +0000)]
Added "auth-token" client directive, which is intended to be
pushed by server, and that is used to offer a temporary session
token to clients that can be used in place of a password on
subsequent credential challenges.
This accomplishes the security benefit of preventing caching
of the real password while offering most of the advantages
of password caching, i.e. not forcing the user to re-enter
credentials for every TLS renegotiation or network hiccup.
auth-token does two things:
1. if password caching is enabled, the token replaces the
previous password, and
2. if the management interface is active, the token is output
to it:
>PASSWORD:Auth-Token:<token>
Also made a minor change to HALT/RESTART processing when password
caching is enabled. When client receives a HALT or RESTART message,
and if the message text contains a flags block (i.e. [FFF]:message),
if flag 'P' (preserve auth) is present in flags, don't purge the Auth
password. Otherwise do purge the Auth password.
James Yonan [Fri, 18 Mar 2011 04:51:59 +0000 (04:51 +0000)]
Fixed issue where a client might receive multiple push replies from
a server if it sent multiple push requests due to the server being
slow to respond. This could cause the client to process pushed
options twice, leading to duplicate pushed routes, among other issues.
The fix, implemented server-side, is to reply only once to a push
request even if multiple requests are received.
James Yonan [Thu, 10 Mar 2011 00:04:39 +0000 (00:04 +0000)]
Added --enable-lzo-stub configure option to build an OpenVPN client without LZO, but that has limited interoperability with LZO-enabled servers.
Modified "push-peer-info" option to push IV_LZO_STUB=1 to server when
client was built with --enable-lzo-stub configure option. This tells
the server that the client lacks LZO capabilities, so the server
should turn off LZO compression for this client via "lzo no".
Added "setenv PUSH_PEER_INFO" option having the same effect as
"push-peer-info".
Gert Doering [Sun, 24 Apr 2011 15:15:56 +0000 (17:15 +0200)]
rebased to 2.2RC2 (beta 2.2 branch)
removed mutex locking stuff (no more threading in 2.2)
fixed rebase/merge artifacts in mroute.c
add current ChangeLog.IPv6 and TODO.IPv6 to commit
tag as ipv6-20110424-2
Gert Doering [Sun, 16 Jan 2011 17:24:37 +0000 (18:24 +0100)]
Implement "ipv6 ifconfig" for TAP interfaces on Solaris
Solaris close_tun(): add explicit "unplumb'ing" of IPv6 tun/tap
interfaces, otherwise they would linger around after OpenVPN exits.
Gert Doering [Thu, 2 Sep 2010 19:20:30 +0000 (21:20 +0200)]
2.2-beta3 has a signed TAP driver with the IPv6 code, but it's not
version 9.7 as anticipated (that's 2.1.3) but 9.8 - change test to
require 9.8, and change message to point to 2.2-beta3 and up.
Gert Doering [Tue, 10 Aug 2010 10:39:28 +0000 (12:39 +0200)]
renamed t_client.sh to t_client.sh.in
build t_client.sh by configure at run-time, with proper paths to
ip/ifconfig/netstat binaries, and (most important) with proper #!SHELL
extend configure.ac to find "netstat" binary and to chmod +x "t_client.sh"
Gert Doering [Sun, 8 Aug 2010 19:24:30 +0000 (21:24 +0200)]
full "VPN client connect" test framework for OpenVPN
run from "make check" if "t_client.rc" is found in workdir or srcdir
(copy t_client.rc-sample, fill in specifics for your test server)
Gert Doering [Sun, 28 Feb 2010 21:57:28 +0000 (22:57 +0100)]
- Win32 IPv6 ifconfig support, using "netsh" calls
- initialize tuntap->ipv6 in init.c::do_init_tun(), to make sure it's
setup "early enough", no matter what ifconfig_order() wants
- change call convention for open_tun(): drop "ipv6" flag, because it's
incompatible with windows/openbsd calling sequence (ifconfig first,
open_tun later) - also affects open_tun_generic() and tuncfg().
- drop ipv6_support() helper function - has no useful purpose anymore
- introduce add_route_connected_v6_net() helper for Win32, Darwin, Netbsd
(cleanup code)
- fix NetBSD tunnel setup - destroy/recreate before ifconfig'ing, to make
sure no leftover configuration lingers on tunnel from previous call
(NetBSD tunnels are always persistent unless explicitely destroyed)
- DARWIN (MacOS X) gets its own #ifdef section for open_tun()/close_tun()
now, because close_tun() needs to cleanup IPv6 ifconfig
Gert Doering [Sun, 28 Feb 2010 21:50:41 +0000 (22:50 +0100)]
add IPv6 route add / route delete code for windows (using "netsh")
- somewhat preliminary, as the next-hop setting requirements of tun/tap
driver are not decided yet, and "route add" might need to be adapted
JuanJo Ciarlante [Sun, 21 Feb 2010 17:46:59 +0000 (18:46 +0100)]
* make ipv6_payload compile under windowze
- create inet_ntop() and inet_pton() wrap-implementations using
WSAAddressToString() and WSAStringToAddress() functions
- add relevant win32-only headers to syshead.h
NOTE: syshead.h changes are already included in ipv6_transport
Gert Doering [Tue, 16 Feb 2010 14:40:31 +0000 (15:40 +0100)]
add some TODOs to TODO.IPv6
--version: change printing of IPv6 payload patch version to [...] style
fix "make check" regression in tun.c (unnecessary change reverted)
Gert Doering [Thu, 14 Jan 2010 14:21:05 +0000 (15:21 +0100)]
NetBSD fixes - on 4.0 and up, use multi-af mode. On earlier systems that
do not have TUNSIFHEAD (and do not have IPv6 capable tunnels), fall back
to old IPv4-only code without address-family prepending.
(cherry picked from commit 2a57c58b185deb11b0a62c584489fff59258146c)
Gert Doering [Tue, 16 Feb 2010 14:40:31 +0000 (15:40 +0100)]
add some TODOs to TODO.IPv6
--version: change printing of IPv6 payload patch version to [...] style
fix "make check" regression in tun.c (unnecessary change reverted)
Gert Doering [Thu, 14 Jan 2010 14:53:40 +0000 (15:53 +0100)]
new feature: "ifconfig-ipv6-push" (from ccd/ config)
affects options.h, options.c, multi.c
benefit: static IPv6 address assignment from radiusplugin (etc)
rewritten get_ipv6_addr() to handle IPv6 addresses with and without "/bits"
affects route.c and mainly options.c
benefit: ifconfig-ipv6, ifconfig-ipv6-pool can now be accept
configurations with networks != /64 (the rest of the implementation
is not yet completely there, but this is imporant preparation work to
be able to add /bits to "push 'ifconfig-ipv6 ...'" later on without
breaking clients
do not try to add/delete IPv6 routes if no IPv6 on tunnel
affects: route.c
benefit: avoid error messages, and make IPv6 troubleshooting easier
flag as "config error" if --ifconfig-ipv6-pool used without --ifconfig-ipv6
flag as "config error" if --ifconfig-ipv6-pool used without --server
print warning if --ifconfig-ipv6 is used without --tun-ipv6
changes documented in more detail in ChangeLog.IPv6
Gert Doering [Thu, 14 Jan 2010 14:21:05 +0000 (15:21 +0100)]
NetBSD fixes - on 4.0 and up, use multi-af mode. On earlier systems that
do not have TUNSIFHEAD (and do not have IPv6 capable tunnels), fall back
to old IPv4-only code without address-family prepending.
(cherry picked from commit 2a57c58b185deb11b0a62c584489fff59258146c)
James Yonan [Sun, 24 Apr 2011 00:59:28 +0000 (00:59 +0000)]
Added 'dir' flag to "crl-verify" (see man page for info).
Don't call SSL_CTX_set_client_CA_list or SSL_CTX_set_client_CA_list
if not running in server mode (these functions are only useful for
TLS/SSL servers).
Modified openvpn_snprintf to return false on overflow, and true
otherwise.
When AUTH_FAILED,... is received, log the full string.
Robert Fischer [Sun, 17 Apr 2011 21:25:34 +0000 (23:25 +0200)]
Update man page with info about --connect-timeout
Signed-off-by: Robert Fischer <ml-openvpn@trispace.org> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Robert Fischer [Sun, 17 Apr 2011 21:03:49 +0000 (23:03 +0200)]
Update man page with info about --capath
Signed-off-by: Robert Fischer <ml-openvpn@trispace.org> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth [Thu, 21 Apr 2011 19:03:25 +0000 (21:03 +0200)]
Add a simple comment regarding openvpn_snprintf() is duplicated
Commit df5a4380c3931520d5fae2b18f0fc2e67a883aae copies this function
from buffer.c to service-win32/openvpnserv.c. Any changes on either
places should be done in both implementations.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth [Thu, 21 Apr 2011 18:32:26 +0000 (20:32 +0200)]
Improve the mysprintf() issue in openvpnserv.c
A quick and dirty compile fix was introduced in commit 77d244050964525417,
and was accepted under the condition that it would be a temporary fix.
As the usage of _snprintf() is realy not ideal on Windows, this patch
uses the same well tested openvpn_snprintf() function from buffer.c.
It was a longer discussion of several possibilities to re-use that code,
but in the end it seemed easier to just copy-paste this function to
openvpnserv.c for now.
The reason for this conclusion was that the function is really simple,
well defined and will most likely not be changed much in the future.
It is also added a comment in openvpnserv.c where this function
has its origins.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
James Yonan [Tue, 19 Apr 2011 10:28:06 +0000 (10:28 +0000)]
Revert r7092 and r7151, i.e. remove --enable-osxipconfig
configure option. ipconfig on Mac has certain behavior that makes
it unsuitable for use by OpenVPN to configure tun/tap interface.
Gisle Vanem [Sat, 9 Apr 2011 12:56:52 +0000 (12:56 +0000)]
Avoid re-defining uint32_t when using mingw compiler
Since MingW for quite a long time (since 3.2 in 2008?) has defined
'uint32_t' etc. in it's <stdint.h>, we need to guard against defining
them again. Ideally we should figure out in what version of MingW
this happened. But for now:
Signed-off-by: Gisle Vanem <gvanem@broadpark.no> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
The win/config_ti.py build script assumes to find ../tapinstall/7600/sources.in
which does not exists in devcon.exe source code directory. This makes
config_ti.py look for ../tapinstall/7600/sources instead.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth [Thu, 14 Apr 2011 14:21:16 +0000 (16:21 +0200)]
Change the default --tmp-dir path to a more suitable path
In commit 4e1cc5f6dda22e9 the create_temp_filename() function was
reviewed and hardened, which in the end renamed this function to
create_temp_file() in commit 495e3cec5d156.
With these changes it became more evident that OpenVPN needs a directory
where it can create temporary files. The create_temp_file() will create
such files f.ex. if --client-connect or --plugin which makes use of
the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY hook, such as openvpn-auth-pam.so.
When this happens, OpenVPN will normally create these files in the directory
OpenVPN was started. In many cases, this will fail due to restricted access.
By using --tmp-dir and pointing it to a directory writeable to the user
running OpenVPN, it works again.
This patch makes OpenVPN use a more suitable temproary directory by default,
instead of the current working directory. On non-Windows platforms this
default value is set to '/tmp', but can be modified at compile-time by
running ./configure --with-tmp-dir-path=<TEMP DIR PATH>. On Windows, it
will use GetTempPath() to find temporary paths recommended by the OS. If
this fails, it will fallback to the old behaviour, using the directory
where OpenVPN was started.
In any cases, this default value can be overridden in the configuration
file by using the --tmp-dir option, as before.
To check what the default is at runime, you can see this easily by doing
this:
$ ./openvpn --verb 4 --dev tun | grep tmp_dir
Signed-off-by: David Sommerseth <davids@redhat.com> Tested-by: Jan Just Keijser <janjust@nikhef.nl> Acked-by: Gert Doering <gert@greenie.muc.de>
projects / thirdparty / openvpn.git / log
