james [Sun, 24 May 2009 09:13:58 +0000 (09:13 +0000)]
Added new 'autolocal' redirect-gateway flag. When enabled, the OpenVPN
client will examine the routing table and determine whether (a) the
OpenVPN server is reachable via a locally connected interface, or (b)
traffic to the server must be forwarded through the default router.
Only add a special bypass route for the OpenVPN server if (b) is true.
If (a) is true, behave as if the 'local' flag is specified, and do not
add a bypass route.
The new 'autolocal' flag depends on the non-portable test_local_addr()
function in route.c, which is currently only implemented for Windows.
The 'autolocal' flag will act as a no-op on platforms that have not
yet defined a test_local_addr() function.
Increased TLS_CHANNEL_BUF_SIZE to 2048 from 1024 (this will allow for
more option content to be pushed from server to client).
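The 'autolocal' decision described in the entry above, modelled as an added Python example (not OpenVPN's own code): a longest-prefix route lookup stands in for the Windows-only test_local_addr(), and a routing table is constructed inline. The route format ('server/32 via gateway') and the flag names are assumptions made for the illustration; the no-op behaviour on platforms without test_local_addr() is modelled by the local_test_available parameter.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass
class Route:
    network: IPv4Net
    gateway: Optional[IPv4Addr]   # None = directly connected (on-link) route
    interface: str


def lookup_route(routes: List[Route], addr: IPv4Addr) -> Optional[Route]:
    """Longest-prefix match, the same rule the kernel applies when forwarding."""
    best = None
    for r in routes:
        if addr in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


def addr_is_local(routes: List[Route], addr: IPv4Addr) -> bool:
    """Stand-in for test_local_addr(): True when the best route to addr has no
    gateway, i.e. the host is reachable via a locally connected interface."""
    r = lookup_route(routes, addr)
    return r is not None and r.gateway is None


def default_gateway(routes: List[Route]) -> Optional[IPv4Addr]:
    for r in routes:
        if r.network.prefixlen == 0:
            return r.gateway
    return None


def redirect_gateway_bypass(routes: List[Route], server_ip: str, flags: Set[str],
                            local_test_available: bool = True) -> Optional[str]:
    """Decide whether redirect-gateway must add a host route for the VPN server
    via the pre-VPN default router.  Returns 'server/32 via gw' or None.
    flags may contain 'local' and/or 'autolocal'."""
    server = IPv4Addr(server_ip)
    if "local" in flags:
        need_bypass = False                      # operator says server is on-link
    elif "autolocal" in flags and local_test_available:
        need_bypass = not addr_is_local(routes, server)   # case (b) only
    else:
        # plain redirect-gateway, or autolocal where test_local_addr() is
        # not implemented: flag is a no-op, so the bypass route is always added
        need_bypass = True
    if not need_bypass:
        return None
    gw = default_gateway(routes)
    if gw is None:
        raise RuntimeError("no default route; cannot build a bypass route")
    return f"{server}/32 via {gw}"


# constructed routing table: a host on 192.168.1.0/24 whose router is 192.168.1.1
ROUTES = [
    Route(IPv4Net("0.0.0.0/0"), IPv4Addr("192.168.1.1"), "eth0"),
    Route(IPv4Net("192.168.1.0/24"), None, "eth0"),
    Route(IPv4Net("127.0.0.0/8"), None, "lo"),
]

if __name__ == "__main__":
    print(redirect_gateway_bypass(ROUTES, "203.0.113.10", {"autolocal"}))  # via router -> bypass
    print(redirect_gateway_bypass(ROUTES, "192.168.1.5", {"autolocal"}))   # on-link -> None
```

Without the flag a bypass route is added even for an on-link server; with 'autolocal' the route is added only when the server's best route goes through a gateway, which is exactly the case where redirecting the default route would otherwise swallow the tunnel's own transport traffic.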
james [Sat, 23 May 2009 10:30:10 +0000 (10:30 +0000)]
Added "redirect-private" option which allows private subnets
to be pushed to the client in such a way that they don't accidentally
obscure critical local addresses such as the DHCP server address and
DNS server addresses.
james [Thu, 21 May 2009 10:15:26 +0000 (10:15 +0000)]
Fixed race condition in management interface recv code on
Windows, where sending a set of several commands to the
management interface in quick succession might cause the
latter commands in the set to be ignored.
Increased management interface input command buffer size
from 256 to 1024 bytes.
james [Wed, 13 May 2009 13:36:23 +0000 (13:36 +0000)]
Updated Windows build scripts to package openssl-0.9.8k,
and to use the Server 2008 WDK (6001.18002).
In cryptoapi.c, renamed CryptAcquireCertificatePrivateKey to
OpenVPNCryptAcquireCertificatePrivateKey to work around
a symbol conflict in MinGW-5.1.4.exe.
james [Tue, 18 Nov 2008 01:25:05 +0000 (01:25 +0000)]
Added --prng option to control PRNG (pseudo-random
number generator) parameters. In previous OpenVPN
versions, the PRNG was hardcoded to use the SHA1
hash. Now any OpenSSL hash may be used. This is
part of an effort to remove hardcoded references to
a specific cipher or cryptographic hash algorithm.
james [Mon, 17 Nov 2008 04:28:07 +0000 (04:28 +0000)]
* Added additional method parameter to --script-security to preserve
backward compatibility with system() call semantics used in OpenVPN
2.1_rc8 and earlier. To preserve backward compatibility use:
james [Tue, 4 Nov 2008 21:42:56 +0000 (21:42 +0000)]
Added config file option "setenv FORWARD_COMPATIBLE 1" to relax
config file syntax checking to allow directives for future OpenVPN
versions to be ignored.
james [Fri, 31 Oct 2008 07:04:51 +0000 (07:04 +0000)]
Added --no-name-remapping option to allow Common Name, X509 Subject,
and username strings to include any printable character including
space, but excluding control characters such as tab, newline, and
carriage-return.
james [Tue, 28 Oct 2008 20:01:05 +0000 (20:01 +0000)]
Added server-side --auth-user-pass-optional directive, to allow
connections by clients that do not specify a username/password, when a
user-defined authentication script/module is in place (via
--auth-user-pass-verify, --management-client-auth, or a plugin module).
james [Tue, 28 Oct 2008 05:42:02 +0000 (05:42 +0000)]
Change to pkitool/openssl.cnf so that calling scripts can
set the KEY_NAME environmental variable to set the "name"
X509 subject field in generated certificates.
james [Fri, 24 Oct 2008 06:04:34 +0000 (06:04 +0000)]
Added optional files SAMPCONF_CONF2 (second sample configuration
file) and SAMPCONF_DH (Diffie-Hellman parameters) to Windows
build system, and may be defined in settings.in.
james [Fri, 17 Oct 2008 08:15:22 +0000 (08:15 +0000)]
Modified Windows domake-win build system to write all openvpn.nsi
input files to gen, so that gen can be disconnected from
the rest of the source tree and makensis openvpn.nsi will
still function correctly.
Added additional SAMPCONF_(CA|CRT|KEY) macros to settings.in
(commented out by default).
james [Fri, 19 Sep 2008 20:12:43 +0000 (20:12 +0000)]
Fixed --lladdr bug introduced in 2.1-rc9 where input validation code
was incorrectly expecting the lladdr parameter to be an IP address
when it is actually a MAC address (HoverHell).
james [Sat, 6 Sep 2008 09:42:17 +0000 (09:42 +0000)]
2.1_rc8 and earlier did implicit shell expansion on script
arguments since all scripts were called by system().
The security hardening changes made to 2.1_rc9 no longer
use system(), but rather use the safer execve or CreateProcess
system calls. The security hardening also introduced a
backward incompatibility with 2.1_rc8 and earlier in that
script parameters were no longer shell-expanded, so
for example:
client-connect "docc CLIENT-CONNECT"
would fail to work because execve would try to execute
a script called "docc CLIENT-CONNECT" instead of "docc"
with "CLIENT-CONNECT" as the first argument.
This patch fixes the issue, bringing the script argument
semantics back to pre 2.1_rc9 behavior in order to preserve
backward compatibility while still using execve or CreateProcess
to execute the script/executable.
james [Thu, 4 Sep 2008 20:35:09 +0000 (20:35 +0000)]
Added --allow-pull-fqdn option which allows the client to pull DNS names
from server (rather than only IP address) for --ifconfig, --route, and
--route-gateway. OpenVPN versions 2.1_rc7 and earlier allowed DNS names
for these options to be pulled and translated to IP addresses by default.
Now --allow-pull-fqdn will be explicitly required on the client to enable
DNS-name-to-IP-address translation of pulled options.
james [Sun, 10 Aug 2008 19:29:00 +0000 (19:29 +0000)]
Fixed build issue with ./configure --disable-socks --disable-http.
Fixed separate compile errors in options.c and ntlm.c that occur
on strict C compilers (such as old versions of gcc) that require
that C variable declarations occur at the start of a {} block,
not in the middle.
james [Sun, 10 Aug 2008 18:49:28 +0000 (18:49 +0000)]
Updated openvpn/t_cltsrv.sh (used by "make check") to conform to new
--script-security rules. Also adds retrying if the addresses are in
use (Matthias Andree).
james [Tue, 5 Aug 2008 07:52:06 +0000 (07:52 +0000)]
Workaround for MinGW autoconf issue where HAVE_SETSOCKOPT,
HAVE_GETSOCKOPT, and HAVE_POLL are undefined even though
the underlying functions are present.
james [Tue, 5 Aug 2008 04:44:31 +0000 (04:44 +0000)]
Added additional warnings to flag common gotchas:
* Warn when ethernet bridging that the IP address of the
bridge adapter is probably not the same address that
the LAN adapter was set to previously.
* When running as a server, warn if the LAN network address is
the all-popular 192.168.[0|1].x, since this condition commonly
leads to subnet conflicts down the road.
* Primarily on the client, check for subnet conflicts between
the local LAN and the VPN subnet.
Added a 'netmask' parameter to get_default_gateway, to return
the netmask of the adapter containing the default gateway.
Only implemented on Windows so far. Other platforms will
return 255.255.255.0. Currently the netmask information is
only used to warn about subnet conflicts.
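The subnet-conflict checks listed in the entry above, as an added Python example rather than OpenVPN's code. It derives the LAN network from the default gateway and a netmask (defaulting to 255.255.255.0, the value the entry says non-Windows platforms return), flags the 192.168.0.x / 192.168.1.x ranges in server mode, and reports overlap between the LAN and the VPN subnet. The sample networks are constructed for the illustration.

```python
import ipaddress
from typing import List

IPv4Net = ipaddress.IPv4Network

# the "all-popular" home-router ranges the server-mode warning is about
POPULAR_LAN_RANGES = (IPv4Net("192.168.0.0/24"), IPv4Net("192.168.1.0/24"))


def lan_network_from_gateway(gateway: str, netmask: str = "255.255.255.0") -> IPv4Net:
    """Network of the adapter holding the default gateway.  The netmask is only
    known on Windows; elsewhere the caller gets 255.255.255.0 (per the entry above)."""
    return IPv4Net(f"{gateway}/{netmask}", strict=False)


def subnet_warnings(lan: IPv4Net, vpn: IPv4Net, server_mode: bool) -> List[str]:
    """Return the warnings OpenVPN would print for this LAN / VPN-subnet pair."""
    warnings = []
    if server_mode and any(lan.overlaps(p) for p in POPULAR_LAN_RANGES):
        warnings.append(
            f"server LAN {lan} is in the common 192.168.[0|1].x range; "
            "remote clients on the same range will hit subnet conflicts")
    if lan.overlaps(vpn):
        # primarily a client-side problem: routes pushed for the VPN subnet
        # would shadow (or be shadowed by) the local LAN route
        warnings.append(f"local LAN {lan} conflicts with VPN subnet {vpn}")
    return warnings


def check_host(gateway: str, vpn_subnet: str, server_mode: bool,
               netmask: str = "255.255.255.0") -> List[str]:
    """Convenience wrapper mirroring the inputs OpenVPN actually has at hand."""
    return subnet_warnings(lan_network_from_gateway(gateway, netmask),
                           IPv4Net(vpn_subnet), server_mode)


if __name__ == "__main__":
    # constructed cases: a home client behind 192.168.1.1, a server on the same range
    for w in check_host("192.168.1.1", "192.168.1.0/24", server_mode=False):
        print("WARNING:", w)
    for w in check_host("192.168.1.1", "10.8.0.0/24", server_mode=True):
        print("WARNING:", w)
```

Because the non-Windows netmask is a fixed /24 guess, a LAN that is really a /16 can escape the overlap check there; the warning is a heuristic, not a guarantee, which is why the entry restricts its use to diagnostics.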
james [Sat, 2 Aug 2008 08:02:53 +0000 (08:02 +0000)]
Added "--server-bridge" (without parameters) to enable
DHCP proxy mode: Configure server mode for ethernet
bridging using a DHCP-proxy, where clients talk to the
OpenVPN server-side DHCP server to receive their IP address
allocation and DNS server addresses.
Added "--route-gateway dhcp", to enable the extraction
of the gateway address from a DHCP negotiation with the
OpenVPN server-side LAN.
Modified client.conf and server.conf to reflect new option
modes.
james [Thu, 31 Jul 2008 22:03:38 +0000 (22:03 +0000)]
In Windows build, package a statically linked openssl.exe to work around
observed instabilities in the dynamic build since the migration to
OpenSSL 0.9.8h.
james [Sun, 27 Jul 2008 18:20:52 +0000 (18:20 +0000)]
Added additional warnings for:
* --tls-remote -- some people misunderstand the semantics
* --script-security -- warn if script-security will allow user-defined
scripts to be called, and also warn separately if passwords may be
passed to scripts via the environment
james [Sat, 26 Jul 2008 07:27:03 +0000 (07:27 +0000)]
Completely revamped the system for calling external programs and scripts:
* All external programs and scripts are now called by execve() on unix and
CreateProcess on Windows.
* The system() function is no longer used.
* Argument lists for external programs and scripts are now built by the new
argv_printf function which natively outputs to string arrays (i.e.
char *argv[] lists), never truncates its output, and eliminates the security
issues inherent in formatting and parsing command lines, and dealing with
argument quoting.
* The --script-security directive has been added to offer policy controls on
OpenVPN's execution of external programs and scripts.
Also added a new plugin example (openvpn/plugin/examples/log.c) that logs
information to stdout for every plugin method called by OpenVPN.
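The argument-handling change described in the 26 Jul 2008 entry and the compatibility fix in the 6 Sep 2008 entry ('docc CLIENT-CONNECT' must become argv ["docc", "CLIENT-CONNECT"]), as one added Python example that is not OpenVPN's code. The operator's configured command string is split once, runtime values are appended as whole elements, and the result is executed without a shell. Shell-style quoting via shlex.split is an assumption; the stand-in "script" that echoes its argv as JSON is constructed for the demonstration.

```python
import json
import shlex
import subprocess
import sys
from typing import List


def build_argv(command_spec: str, runtime_args: List[str]) -> List[str]:
    """Pre-2.1_rc9 semantics, without system(): the operator-written command
    string is word-split (so "docc CLIENT-CONNECT" yields argv[0]="docc"), and
    runtime values are appended as-is.  Only the trusted config string is ever
    parsed; certificate fields, addresses etc. are never re-interpreted."""
    argv = shlex.split(command_spec)   # assumption: shell-style quoting for the config string
    if not argv:
        raise ValueError("empty command")
    return argv + list(runtime_args)


def run_script(command_spec: str, runtime_args: List[str]) -> str:
    """Execute via execve()-style list invocation: no /bin/sh in between, so a
    runtime argument containing spaces, quotes or ';' stays one argv element."""
    argv = build_argv(command_spec, runtime_args)
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return proc.stdout


# Constructed stand-in for a user script: prints the argv it received as JSON.
ECHO_ARGV = (f"{shlex.quote(sys.executable)} "
             "-c 'import sys, json; print(json.dumps(sys.argv[1:]))'")


def received_args(runtime_args: List[str]) -> List[str]:
    """What the child actually saw, for verifying the argv boundaries."""
    return json.loads(run_script(ECHO_ARGV, runtime_args))


if __name__ == "__main__":
    # the rc9 bug in one line: [command_spec] + runtime_args would try to exec
    # a program literally named "docc CLIENT-CONNECT"
    print(build_argv("docc CLIENT-CONNECT", ["/tmp/ccd-file"]))
    # an X509 subject with spaces and commas survives as a single argument
    print(received_args(["CLIENT-CONNECT", "C=US, O=Example Corp, CN=alice"]))
```

The property worth checking after any change here is the second print: a value with spaces or shell metacharacters must arrive in the child as exactly one element, which is what dropping system() buys and what the compatibility fix had to preserve.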
james [Wed, 23 Jul 2008 19:51:27 +0000 (19:51 +0000)]
Added argv_x functions to buffer.[ch] to be used to safely build
up argv strings for execve without the possibility of truncation
or misinterpretation of mid-argument spacing.
james [Sat, 19 Jul 2008 03:33:27 +0000 (03:33 +0000)]
Modified extract_x509_field_ssl to return a status value indicating
success/error, and any truncation of output due to an insufficiently
large output buffer will be cause for error.
In verify_callback, read X509 Subject Name without truncation.
In verify_callback, rather than silently truncating Common Name at
64 bytes, throw an error if Common Name is larger than 64 bytes.
james [Sat, 19 Jul 2008 00:29:31 +0000 (00:29 +0000)]
Replace leading dash ('-') characters in an X509 name with underbars ('_')
before calling user-defined scripts, to preclude the chance of a leading
dash being interpreted as an option prefix.
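The three certificate-name rules from the entries above (the --no-name-remapping rule of 31 Oct 2008: any printable character including space, but no tab/newline/CR; the 64-byte Common Name limit that now errors instead of truncating; and the leading-dash replacement before scripts are called), as one added Python example that is not OpenVPN's code. The flattened 'C=US, O=..., CN=...' subject string it parses is a constructed stand-in for the real X509_NAME structure, and treating DEL (0x7f) as a control character is an assumption.

```python
MAX_CN_BYTES = 64


class X509NameError(ValueError):
    """Raised instead of silently truncating or remapping."""


def reject_control_chars(value: str) -> str:
    """--no-name-remapping check: printable characters (space included) pass,
    control characters such as tab, newline and carriage-return are an error."""
    for ch in value:
        code = ord(ch)
        if code < 0x20 or code == 0x7F:   # 0x7F (DEL) included by assumption
            raise X509NameError(f"control character {code:#04x} in X509 name")
    return value


def extract_common_name(subject: str) -> str:
    """Pull the CN out of a flattened subject string (constructed format).
    A CN longer than 64 bytes is an error, not a truncated value: a silently
    shortened name could collide with a different, legitimately shorter CN."""
    for part in subject.split(","):
        key, sep, val = part.strip().partition("=")
        if sep and key == "CN":
            cn = val
            break
    else:
        raise X509NameError("no CN in subject")
    if len(cn.encode("utf-8")) > MAX_CN_BYTES:
        raise X509NameError(f"Common Name exceeds {MAX_CN_BYTES} bytes")
    return cn


def script_safe_name(name: str) -> str:
    """Replace each leading '-' with '_' so the value can never be parsed as an
    option flag when it lands in a script's argv."""
    stripped = name.lstrip("-")
    return "_" * (len(name) - len(stripped)) + stripped


def name_for_script(subject: str) -> str:
    """The full pipeline a defender wants before an X509 name reaches a script."""
    return script_safe_name(reject_control_chars(extract_common_name(subject)))


if __name__ == "__main__":
    print(name_for_script("C=US, O=Example Corp, CN=alice smith"))   # alice smith
    print(name_for_script("C=US, O=Example Corp, CN=--verbose"))     # __verbose
```

The pipeline order matters: length and control-character checks reject the certificate outright, while the dash replacement is a last-line rewrite for values that are otherwise acceptable but would be ambiguous on a command line.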