Samuli Seppänen [Fri, 11 Feb 2011 14:16:14 +0000 (16:16 +0200)]
Added configure.h and version.m4 variable parsing to win/config.py
Python-based buildsystem uses win/config.py to obtain global build parameters
from various sources. Added parsing of the (fake) configure.h and version.m4 to
it so that other Python build files can use them.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Samuli Seppänen [Fri, 11 Feb 2011 14:14:28 +0000 (16:14 +0200)]
Added command-line switch to win/build_all.py to skip TAP driver building
Modified win/build_all.py so that by giving -n or --notap switch the TAP driver
is not built. This is useful if using prebuilt TAP drivers, or when WinDDK is
not installed.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Samuli Seppänen [Fri, 11 Feb 2011 14:06:05 +0000 (16:06 +0200)]
Added comments and made small modifications to win/msvc.mak.in
The win/msvc.mak.in file is used as basis for msvc.mak file which drives
openvpn.exe building. This change separates output file from LINK32_FLAGS and
adds helpful comments to the win/msvc.mak.in file.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Samuli Seppänen [Fri, 11 Feb 2011 14:03:31 +0000 (16:03 +0200)]
Added support for viewing config-win32.h paramters to win/show.py
The win/show.py tools is used to view build parameters interactively. This
changes it so that it displays parameters parsed from config-win32.h in addition
to those from win/settings.in.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Samuli Seppänen [Fri, 11 Feb 2011 13:53:19 +0000 (15:53 +0200)]
Added helper functionality to win/wb.py
This change adds several helper functions to win/wb.py:
- config-win32.h parser (to read build configuration options)
- helper function to cd to service-win32 for openvpnserv.exe building
- code to dynamically generate TAP-driver -related variables from version.m4,
required by tap-win32/tapdrv.c
- configure.h generator to allow viewing build options using openvpn --version
- creation of temporary version.m4-based file to allow importing it's variables
to the NSI installer script (win/openvpn.nsi)
- helper function to rename files (used in win/make_dist.py)
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Samuli Seppänen [Fri, 11 Feb 2011 13:28:13 +0000 (15:28 +0200)]
Moved TAP-driver version info to version.m4. Cleaned up win/settings.in.
Previously parts of TAP-driver version information were stored in
win/settings.in. This patch moves all of it to version.m4. This patch also
cleans up and adds comments to win/settings.in
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7bd3cea4c2f2aa8ed1bf548a3233ae2c3619d47d)
David Sommerseth [Wed, 15 Dec 2010 09:53:04 +0000 (10:53 +0100)]
Make the --x509-username-field feature an opt-in feature
After some discussion [1] regarding an extension of this feature,
James Yonan wanted this extension to be an opt-in feature. However,
as it does not make sense to opt-in on a extension of a feature which
was discussed, this patch makes the base feature an opt-in instead.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: James Yonan <james@openvpn.net>
(cherry picked from commit 024972e2ced84c6e5cabc43620ab510e5693d1d4)
Matthias Andree [Sat, 4 Dec 2010 02:51:11 +0000 (03:51 +0100)]
Change variadic macros to C99 style.
The macros used GCC's pre-C99 syntax, which could not be compiled with
Microsoft Visual Studio 2008.
Note this breaks compatibility with GCC versions before 3.0, which is
deemed safe in a discussion on IRC with David Sommerseth and Samuli
Seppänen on #openvpn-devel (RHEL 3 uses GCC 3.2 already).
Compiled tested on VS2008 by Samuli, on Cygwin GCC 3.4 and GCC 4.3 by myself.
Signed-off-by: Matthias Andree <matthias.andree@gmx.de> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
(cherry picked from commit 9469168e3abb09bd78297208a917ee4d9c025041)
Samuli Seppänen [Thu, 25 Nov 2010 19:48:34 +0000 (21:48 +0200)]
Fixed an issue causing a build failure with MS Visual Studio 2008.
The new SOCKS auth code in socks.c contained a call to sprintf instead of
openvpn_sprintf. This caused build to fail if MS Visual Studio 2008 C compiler
was used. This change fixes that issue.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth [Thu, 18 Nov 2010 21:17:58 +0000 (22:17 +0100)]
Merge branch 'feat_misc' into beta2.2
Conflicts:
acinclude.m4
config-win32.h
configure.ac
misc.c
thread.c
thread.h
- These conflicts was mainly due to feat_misc getting old
and mostly caused by the pthread clean-up patches in
feat_misc
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Samuli Seppänen [Thu, 18 Nov 2010 16:00:54 +0000 (18:00 +0200)]
Added command-line option parser and an unsigned build option to build_all.py
Modified win/build_all.py so that it parses command-line options using getopt.
Added option "-u / --unsigned" which allows forcing unsigned builds and a "-h /
--help" option. By default a signed build is generated, provided that the Python
SignTool module is installed. If not, the build is interrupted.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: Peter Stuge <peter@stuge.se> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth [Mon, 15 Nov 2010 08:00:12 +0000 (09:00 +0100)]
Merged add_bypass_address() and add_host_route_if_nonlocal()
The add_host_route_if_nonlocal() function is too simple to really
benefit from calling add_bypass_address() when this function is the
only caller to this function.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Peter Stuge <peter@stuge.se>
David Sommerseth [Mon, 15 Nov 2010 07:58:36 +0000 (08:58 +0100)]
Removed functions not being used anywhere
The GNU C compiler gave warnings about these functions in the patch
not being used anywhere. Doing a git grep on the code turned out
there were no callers to these functions. Taking these functions out,
as there is not good reason why to carry dead code.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Peter Stuge <peter@stuge.se>
David Sommerseth [Mon, 15 Nov 2010 07:48:57 +0000 (08:48 +0100)]
Fix compiler warnings about not used dummy() functions
It has been reported that the Microsoft Visual C compiler complains if
a .c file do not contain any compilable code, which can happen if the
code has been #ifdef'ed out. To avoid this, these #ifdef sections have
a #else section which adds a static dummy() function which does nothing.
On the other hand, the GNU C compiler complains about unused functions when
it discovers this situation.
This patch tries to only add these dummy() functions if the Microsoft Visual C
compiler is detected, via the _MSC_VER macro.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Peter Stuge <peter@stuge.se>
David Sommerseth [Mon, 15 Nov 2010 20:44:59 +0000 (21:44 +0100)]
Use stricter snprintf() formatting in socks_username_password_auth() (v3)
commit fc1fa9ffc7e3356458ec3 added a new function which needs to have a
stricter string formatting. This was detected due to a compiler warning.
This patch makes sure that the length of username and password is not longer
than 255 bytes. It also adds extra checks to avoid NULL pointer issues with
strlen() on these two parameters.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
James Yonan [Sun, 14 Nov 2010 22:38:47 +0000 (23:38 +0100)]
Fixed compiling issues when using --disable-crypto
Peter Korsgaard <jacmet@sunsite.dk> reported an issue [1] when compiling
with --disable-crypto activated. He suggested a patch, which only
partly solved the issue. SVN r6568 / commit 3cf9dd88fd84108 added a
new feature which further made it impossible to compile without crypto.
This patch fixes both issues, based on Peter Korsgaard's patch.
Signed-off-by: James Yonan <james@openvpn.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Jesse Young [Mon, 1 Nov 2010 16:33:26 +0000 (11:33 -0500)]
Remove hardcoded path to resolvconf
Signed-off-by: Jesse Young <jesse.young@gmail.com> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth [Sat, 28 Aug 2010 18:14:36 +0000 (20:14 +0200)]
Clean-up: Remove pthread and mutex locking code
This code was not activated at all, and hard coded as disabled in syshead.h
with this code snippet:
/*
* Pthread support is currently experimental (and quite unfinished).
*/
#if 1 /* JYFIXME -- if defined, disable pthread */
#undef USE_PTHREAD
#endif
So no matter if --enable-pthread when running ./configure or not, this feature
was never enabled in reality. Further, by removing the blocker code above made
OpenVPN uncompilable in the current state.
As the threading part needs to be completely rewritten and pthreading will not be
supported in OpenVPN 2.x, removing this code seems most reasonable.
In addition, a lot of mutex locking code was also removed, as they were practically
NOP functions, due to pthreading being forcefully disabled
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
Samuli Seppänen [Fri, 12 Nov 2010 15:30:07 +0000 (17:30 +0200)]
Added check for variable CONFIGURE_DEFINES into options.c
The file containing CONFIGURE_DEFINES variable, configure.h, is not present if
openvpn is built using the Python + Visual C -based buildsystem. This causes the
build to fail. This patch adds a check to see if variable exists before trying
to use it.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: Peter Stuge <peter@stuge.se> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Gert Doering [Thu, 21 Oct 2010 11:13:21 +0000 (13:13 +0200)]
Improved man page entry for script_type
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: krzee <jeff@doeshosting.com> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Lars Hupel [Thu, 30 Sep 2010 00:27:36 +0000 (01:27 +0100)]
Add HTTP/1.1 Host header
OpenVPN should send a Host: header to comply with the HTTP/1.1
specification.
Full discussion of this patch can be found here:
<http://thread.gmane.org/gmane.network.openvpn.devel/4039>
Signed-off-by: Lars Hupel <hupel@in.tum.de> Acked-by: Peter Stuge <peter@stuge.se> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Trac-ticket: 63
Pierre Bourdon [Sun, 10 Oct 2010 22:56:04 +0000 (00:56 +0200)]
Adding support for SOCKS plain text authentication
This patch adds support for SOCKS plain text (username/password)
authentication as described in RFC 1929. It adds an optional third
parameter to the socks-proxy option, which is a file containing the
login credentials.
I've been using this patch for two weeks now and it does not seem to
cause any problem. The only modifications are in the SOCKS handshake
handling and the options parser.
Signed-Off-By: Pierre Bourdon <delroth@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
James Yonan [Sun, 24 Oct 2010 09:12:47 +0000 (09:12 +0000)]
Implement challenge/response authentication support in client mode,
where credentials are entered from stdin. This capability is
compiled when ENABLE_CLIENT_CR is defined in syshead.h (enabled
by default).
Challenge/response support was previously implemented for creds
that are queried via the management interface. In this case,
the challenge message will be returned as a custom
client-reason-text string (see management-notes.txt for more
info) on auth failure.
Also, see the comments in misc.c above get_auth_challenge()
for info on the OpenVPN challenge/response protocol.
David Sommerseth [Mon, 16 Aug 2010 18:23:49 +0000 (20:23 +0200)]
Fixed compiler warning in ssl.c
James Yonan noticed a couple of compiler warnings when compiling with
--enable-strict configured. This patch was sent directly to him
for review and got accepted.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
David Sommerseth [Thu, 22 Apr 2010 21:29:34 +0000 (23:29 +0200)]
Solved hidden merge conflict between feat_misc and bugfix2.1
The OCSP patch (commit a3982181e284f8c5c8f, feat_misc) introduced
a new function which was calling create_temp_filename(). When merging
in bugfix2.1 into allmerged, create_temp_filename() got renamed to
create_temp_file() in commit 5d30273a8741d2c141.
This patch only changes create_temp_filename() to create_temp_file()
in the new function introduced by commit a3982181e284f8c5c8f.
Emilien Mantel [Thu, 17 Jun 2010 19:38:59 +0000 (21:38 +0200)]
Choose a different field in X509 to be username
For my company, we use a PKI (linked to a LDAP) with OpenVPN. We can't use "CN" to be
username (few people can have the same "CN"). In our case, we only use the UID.
With my patch, you can choose another field to be username with a new option called
--x509-username-field, the default value is "CN".
Signed-off-by: Emilien Mantel <emilien.mantel@businessdecision.com> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
David's patch replaced openvpn_execve() with openvpn_run_script() in two places,
but didn't adjust the return value handling. openvpn_run_script() returns true
or false, while openvpn_execve() returns the program's exit code.
Without the fix, the --tls-verify script and the --auth-user-pass-verify
script fail to run. (I noticed the latter, but haven't actually tested the
former.)
The return value handling is fine for the other places where
openvpn_run_script() is used, because those places previously used
openvpn_execve_check() (notice the "_check" suffix).
Signed-off-by: Fabian Knittel <fabian.knittel@avona.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth [Thu, 29 Apr 2010 21:35:45 +0000 (23:35 +0200)]
Revamped the script-security warning logging (version 2)
The main task of this patch is to avoid reporting the SCRIPT_SECURITY_WARNING
over and over again, in addition to not show this warning when it should not
be a problem. This general warning should now only appear once, and only when
--script-security is not set, 0 or 1. In all other cases this warning should
not appear.
In addition, this warning will come close to the script-hook which most probably
will fail. It will also give a little bit more concrete hint on which script-hook
which failed. If --script-security is 2 or 3, only the execve failure itself will
be shown. This message will on the other hand be shown repeatedly.
This is a new rewritten version which simplifies the implementaion of the new
openvpn_run_script() function. It was considered to remove it completely, but
due to code clearity and easy of use it was decided to make this function a static
inline function instead. Anyhow, this function will enforce openvpn_execve_check()
to be called with the S_SCRIPT flag.
Patch ACKed on the developers meeting 2009-04-29.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
David Sommerseth [Thu, 22 Apr 2010 21:01:31 +0000 (23:01 +0200)]
Fix dependency checking for configure.h (v2)
Alon Bar-Lev indicated commit f27bf509315a48b0070294c3993a718df0c2626c
was missing proper dependency checking. This patch corrects this and
fixes an issue when creating configure.h via make distcheck.
This is an enhanced version of the one sent to the openvpn-devel mailing
list April 13, 2010 [1], after having received some feedback from Gert
Doering, cleaning up configure_log.awk further.
Add comile time information/settings from ./configure to --version
This patch will create ./configure.h which will contain two new #define
strings. CONFIGURE_DEFINES will contain all USE, ENABLED, DISABLED and
DEPRECATED defines from ./config.h. CONFIGURE_CALL will contain the
complete ./configure line which was used when configuring the package
for building.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
Wil Cooley [Tue, 2 Mar 2010 20:54:15 +0000 (21:54 +0100)]
pkitool lacks expected option "--help"
The pkitool script lacks the "--help" parameter to actually display the
usage statement; most people are conditioned to try that before running the
command without options. This patch adds that and "--version" to display
just the program name and version.
Karl O. Pinc [Tue, 2 Mar 2010 20:41:06 +0000 (21:41 +0100)]
Several updates to openvpn.8 (man page updates)
This is a collection of 4 patches sent to the -devel mailing list:
* [PATCH] Frob the openvpn(8) man page tls-verify section to clarify
* [PATCH] More improvments to openvpn(8) --tls-verify
* [PATCH] Yet another tweak of openvpn(8) --tls-verify
* [PATCH] Final frobbing of openvpn(8) --tls-verify
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
It should be nice to enhance tls-verify check possibilities against peer
cert during a pending TLS connection like :
- OCSP verification
- check any X509 extensions of the peer certificate
- delta CRL verification
- ...
This patch add a new "tls-export-cert" option which allow to get peer
certificate in PEM format and to store it in an openvpn temporary file.
Peer certificate is stored before tls-script execution and deleted after.
The name of the related temporary file is available under tls-verify
script by an environment variable "peer_cert".
The patch was made from OpenVPN svn Beta21 branches.
Here is a very simple exemple of Tls-verify script which provide OCSP
support to OpenVPN (with tls-export-cert option) without any OpenVPN
"core" modification :
X509=$2
openssl ocsp \
-issuer /etc/openvpn/ssl.crt/RootCA.pem \
-CAfile /etc/openvpn/ssl.capath/OpenVPNServeur-cafile.pem \
-cert $peer_cert \
-url http://your-ocsp-url
if [ $? -ne 0 ]
then
echo "error : OCSP check failed for ${X509}" | logger -t
"tls-verify"
exit 1
fi
This has been discussed here:
<http://thread.gmane.org/gmane.network.openvpn.devel/2492>
<http://thread.gmane.org/gmane.network.openvpn.devel/3150>
<http://thread.gmane.org/gmane.network.openvpn.devel/3217>
This patch has been modified by David Sommerseth, by fixing a few issues
which came up to during the code review process. The man page has been
updated and tmp_file in ssl.c is checked for not being NULL before calling
delete_file().
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Mon, 15 Feb 2010 22:15:44 +0000 (23:15 +0100)]
Reworked the eurephia patch for inclusion to the openvpn-testing tree
Addedd configure option (--disable-eurephia) to disable the code which the
eurephia plug-in depends on.
It was chosen to use --disable-eurephia, as this patch is not much intrusive. It
just enables a SHA1 fingerprint environment variable for each certificate being
used for the connection.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Gert Doering [Thu, 21 Oct 2010 08:35:29 +0000 (10:35 +0200)]
Fix problem with special case route targets ('remote_host')
The init_route() function will leave &netlist untouched for
get_special_addr() routes ("remote_host" being one of them).
netlist is on stack, contains random garbage, and netlist.len
will not be 0 - thus, random stack data is copied from
netlist.data[] until the route_list is full.
This issue has been reported several places lately:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=600166
http://thread.gmane.org/gmane.network.openvpn.devel/4083
https://forums.openvpn.net/viewtopic.php?f=1&t=7201&p=8168
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth [Fri, 17 Sep 2010 15:10:25 +0000 (17:10 +0200)]
Fixed compiler warnings reported on Ubuntu 10.04
The warnings reported where:
--------------------------------------------------------
misc.c:158: warning: ignoring return value of ‘nice’, declared with attribute warn_unused_result
options.c:4033: warning: format not a string literal and no format arguments
options.c:4043: warning: format not a string literal and no format arguments
options.c:4053: warning: format not a string literal and no format arguments
push.c:182: warning: format not a string literal and no format arguments
push.c:199: warning: format not a string literal and no format arguments
push.c:235: warning: format not a string literal and no format arguments
status.c:171: warning: ignoring return value of ‘ftruncate’, declared with attribute warn_unused_result
--------------------------------------------------------
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Peter Stuge <peter@stuge.se>
Gert Doering [Tue, 10 Aug 2010 10:39:28 +0000 (12:39 +0200)]
Build t_client.sh by configure at run-time.
This is now built using "configure", knows how to find "ip", "ifconfig" and "netstat" (configure
does the work :-) ), *and* has been tested on Solaris (works!).
extend configure.ac to find "netstat" binary and to chmod +x "t_client.sh"
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Gert Doering [Sun, 8 Aug 2010 19:24:30 +0000 (21:24 +0200)]
full "VPN client connect" test framework for OpenVPN
Run from "make check" if "t_client.rc" is found in workdir or srcdir
(copy t_client.rc-sample, fill in specifics for your test server)
How does it work?
- you run "sudo make check" (needs root access to configure tun if!)
- t_client.sh reads t_client.rc from current dir or ${srcdir}
- t_client.rc defines a number of "test suffixes" to run (could be
"1" "2" "3" or "p2m", "p2p", "special" or whatever you like), and
for each suffix, there's config variables to specify
- how to call OpenVPN
- which hosts to ping for IPv4 and IPv6 when OpenVPN is up
(and actually before starting OpenVPN - to make the test more
meaningful, I have decided that the test hosts must not ping
before the tests starts)
- which addresses must show up in the output of "ifconfig" after
OpenVPN has started
- all variables except OPENVPN_CONF_<x> are optional
(this should all be fairly obvious from looking at t_client.rc-sample)
- the script wants to connect to a well-defined OpenVPN server that
will assign well-known IPv4 (and IPv6) addresses, have well-defined
pingable addresse, etc. - so you need to setup the test server before
the script is useful for you. (Whether you use certificates or
username/password is up to you, you could even mix and match - run
one test with certs, and one with user/pass against different target
ports... :-) )
[we *could* run a "reference server" somewhere and ship a sample
t_client.rc + cert so that users could use this right away, but I
do not currently have the resources to run such a public server]
- whatever the script does is logged to a newly created directory
below the current directory (openvpn output, ifconfig+route before
starting OpenVPN, while running it, after ending it)
- important: at least on NetBSD and OpenBSD, the script will print
one failure, because the tun0 interface created is not destroyed
after openvpn ends. For OpenBSD, I have changed close_tun() to
do so ("ifconfig tun0 destroy"), for NetBSD I have not yet changed
anything - but I strongly believe that the output of "ifconfig+route"
should be reverted to exactly how it looked like before OpenVPN
was started, so I consider this a bug in the NetBSD-specific bits
of OpenVPN (and will look into this).
- the test framework has been tested on Linux, NetBSD and OpenBSD.
It *should* work fine on FreeBSD and Solaris.
It works on MacOS X (but the output looks funny, because /bin/sh
does not implement "echo -e" - need to add configure trickery)
It will *not* work on Windows yet - I haven't looked into what's
needed to make it work (background processes and signals in mingw
bash?), maybe it's as easy as adding the necessary "ipconfig" and
"netsh" commands to print interface + routing config...
- I have only tested "connect via IPv4 transport, use IPv4+IPv6 payload",
but the framework is generic enough that "connect via IPv6 transport"
should work just fine (just setup OPENVPN_CONF_x accordingly in the
t_client.rc).
- this is neither finished nor pretty, but it helps me a *lot* in
quickly testing whether I broke anything when fiddling system-dependent
code (tun.c, route.c) across multiple build hosts - so I hope this
is going to be fairly useful to Samuli and the buildbot :-)
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
When compiling against OpenSSL v1.0.0, the following compiler warnings
appears.
ssl.c: In function ‘verify_callback’:
ssl.c:944: warning: passing argument 1 of ‘sk_num’ from incompatible
pointer type
/usr/include/openssl/stack.h:79: note: expected ‘const struct _STACK *’
but argument is of type ‘struct stack_st_X509_REVOKED *’
ssl.c:947: warning: passing argument 1 of ‘sk_value’ from incompatible
pointer type
/usr/include/openssl/stack.h:80: note: expected ‘const struct _STACK *’
but argument is of type ‘struct stack_st_X509_REVOKED *’
ssl.c: In function ‘init_ssl’:
ssl.c:1565: warning: passing argument 1 of ‘sk_num’ from incompatible
pointer type
/usr/include/openssl/stack.h:79: note: expected ‘const struct _STACK *’
but argument is of type ‘struct stack_st_X509 *’
ssl.c: In function ‘print_details’:
ssl.c:1766: warning: assignment discards qualifiers from pointer target type
Gert Doering [Fri, 9 Jul 2010 08:24:46 +0000 (10:24 +0200)]
Fix compile problems on NetBSD and OpenBSD
Configure will not find <net/if.h> due to missing <sys/types.h> in the test program,
and thus, tun.c will fail to compile with missing symbol IFF_MULTICAST.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: krzee <jeff@doeshosting.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This is a fix for trac ticket #20,
<https://community.openvpn.net/openvpn/ticket/20>
which was started in the sf.net bug tracker:
<http://sourceforge.net/tracker/?func=detail&aid=2078470&group_id=48978&atid=454719>
The implemented solution is to give a warning for each of the different script hooks
available. The last configured script will override any earlier configured scripts,
to ensure that the command line can override the configuration file.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
Davide Brini [Sun, 2 May 2010 09:07:38 +0000 (11:07 +0200)]
Exclude ping and control packets from activity
Problem: using --ping and --inactive together partially defeats the
point of using --inactive as periodic ping packets are counted as
activity. Here is the original discussion:
It turns out that "activity" is detected and recorded in two places
in the code, both in forward.c: in process_outgoing_tun() for received
packets, after they've been decrypted and sent to the TUN device; and
in process_outgoing_link(), after they've been encrypted and written
to the network socket.
In the first case we can be sure that packets that get so far are
really due to user activity, whereas in the second case there can be
non-user packets (like OpenVPN's internal ping packets, and TLS control
packets), and those should not be counted as activity as they are not
coming from the user.
So a need arises to detect those control packets and not count them as
activity for the purposes of --inactive. Unfortunately, at that stage
packets are already compressed and encrypted, so it's not possible to
look into them to see what they are. However, there seems to be a
convention in the code that packets whose buffer length in the context_2
structure is 0 should be ignored for certain purposes. TLS control
packets follow that convention already, so this patch makes a small
change in the code that generates the ping packets to set their buffer
length to 0 as well.
Finally, the call to register_activity() in process_outgoing_link() is
made conditional to the buffer length being > 0.
According to my tests, now --inactive behaves correctly according to
the configured parameters (time or time+bytes) even when --ping is
being used.
forward.c:
Call register_activity() in process_outgoing_link() only if the
packet is not a ping or TLS control packet.
openvpn.8:
Updated the description of --inactive to describe the new semantics.
ping.c:
Set c->c2.buf.len = 0 after the ping packet has been generated and
encrypted.
Test routine is described here:
<https://community.openvpn.net/openvpn/wiki/PingInactivePatch?version=6>
Signed-off-by: Davide Brini <dave_br@gmx.com> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
When the client sends PUSH_REQUESTS, it waits until the server sends PUSH_REPLY.
If the server do not have anything to push to the client nothing happens. The
client will then regularly send new PUSH_REQUESTS until it gets an answer, which
results in not completing the connection negotiation.
This patch makes the server send an empty PUSH_REPLY when it has nothing to more
to push to the client.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
chantra [Fri, 11 Jun 2010 14:23:03 +0000 (16:23 +0200)]
Handle non standard subnets in PF grammar
Allow subnets for like 192.168.100.8/28 to be understood. A warning
will be logged when subnet is incorrect and is being corrected to what
is assumed to be correct.
Signed-off-by: chantra <chantra@debuntu.org> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth [Sun, 16 May 2010 17:42:40 +0000 (19:42 +0200)]
OCSP_check.sh: new check logic
contrib/OCSP_check/OCSP_check.sh:
I discovered that, quite surprisingly, the exit status of "openssl ocsp"
is 0 even if the certificate status is "revoked". This means that the
logic of the script needs to be rewritten so that it parses the output
returned by the query and explicitly looks for a
"0x<serial number>: good"
line, and exit if either the command has a non-zero exit status, or the
above line is not found.
Doing that portably without bashisms requires some juggling around, so
perhaps the code is slightly less clean now, but it does have many
comments.
Signed-off-by: Davide Brini <dave_br@gmx.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth [Mon, 26 Apr 2010 07:50:30 +0000 (09:50 +0200)]
Avoid repetition of "this config may cache passwords in memory" (v2)
For OpenVPN clients with long living connections, this message is repeated
everytime the connection is renegotiated. This patch removes this behaviour
and will only show this warning once.
Patch ACKed on the developers meeting 2009-04-29.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
contrib/OCSP_check/OCSP_check.sh:
New barebone script to demonstrate how to use $tls_serial_{n}
to perform simple OCSP queries using OpenSSL command line
"openssl ocsp". Minimal sanity checks to fail if user tries to
use it without customizing.
openvpn.8:
Added some notes about $tls_serial_{n} format and usage to the
existing description.
ssl.c:
correctly manage and export serial numbers of any size (as
parsed by OpenSSL) into the environment. Set to empty string
in case of errors, as 0 and negative numbers are all possible
(although illegal) certificate serial numbers. Use an OpenSSL
BIO object to do the job. Conforms to coding style guidelines.
In commit a9c9a89e96dc1e4e843e05ecadc4349b81606b06 the
client.{up,down} scripts where overhauled and bashism was removed.
During that process, a #! change was missing.
Signed-off-by: Davide Brini <dave_br@gmx.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
- No more bashisms (AFAICT). Should work with any POSIX-compatible shell
(which means "almost all reasonably recent shells"), though I've only tested
with bash and dash.
- Unnecessary calls to external tools (sed) removed
- Manages multiple DNS and DOMAIN options. Each DNS option becomes a
"nameserver" line in the new resolv.conf (up to a maximum of 3). If there's a
single DOMAIN option, it becomes a "domain" line in resolv.conf; otherwise,
all the domains are listed in a "search" line in resolv.conf (eg "search
foo.com example.net").
- Client.up renames the existing resolv.conf and creates a brand new one;
client.down restores it from the saved copy when the VPN terminates (the usual
rules about running as root apply). This is how Gentoo does that; the old
scripts instead added/removed some lines at the beginning of the file, which
looks a less clean approach to me. The rename approach also dramatically
simplifies and shortens client.down, as you'll see.
- Uses resolvconf if it's available (detected by the presence of
/sbin/resolvconf) rather than writing to resolv.conf directly. Not sure
whether this is a Linux-only thing or other systems use it though.
Script has been smoke tested on Fedora 12 with OpenVPN 2.1.1 without
the resolvconf package , and in addition Debian Lenny with
OpenVPN 2.1_rc11 according to the patch.
Signed-off-by: Davide Brini <dave_br@gmx.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth [Fri, 16 Apr 2010 20:09:48 +0000 (22:09 +0200)]
Renamed all calls to create_temp_filename()
All places where create_temp_filename() was called are now calling
create_temp_file(). Extra checks on the result of create_temp_file()
is added in addition.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Fri, 16 Apr 2010 20:02:36 +0000 (22:02 +0200)]
Harden create_temp_filename() (version 2)
By hardening the create_temp_filename() function to check if the generated
filename exists and to create the temp file with only S_IRUSR|S_IWUSR bit
files set before calling the script, it should become even more difficult to
exploit such a scenario.
After a discussion on the mailing list, Fabian Knittel provided an enhanced
version of the inital patch which is added to this patch.
This patch also renames create_temp_filename() to create_temp_file(), as this
patch also creates the temporary file. The function returns the filename of the
created file, or NULL on error.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: Fabian Knittel <fabian.knittel@avona.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Jan Brinkmann [Sun, 28 Feb 2010 22:29:29 +0000 (23:29 +0100)]
The man page needs dash escaping in UTF-8 environments
There was a debian bugreport which was filed in 2005 . It was patched but
it seems that nobody forwarded the patch to the openvpn project itself.
The problem is quite simple:
The dashes for options (the double dashes) are not escaped. This causes
trouble in relationship with utf-8 .
Since the bugreport was closed it was patched within the debian/ubuntu
packages itself. I've attached the patch to get it atleast reviewed by the
openvpn project itself.
See <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=296133> for details.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Tested-by: Jan Just Keijser <janjust@nikhef.nl> Tested-by: Pavel Shramov <shramov@mexmat.net> Tested-by: Samuli Seppänen <samuli@openvpn.net>
Daniel Johnson [Tue, 30 Mar 2010 13:54:44 +0000 (15:54 +0200)]
When I began testing OpenVPN v2.1_rc9 I was having trouble authenticating to the MS Active Directory through auth-pam and Samba. I used the following line in my configs (without the linebreak of course):
Finally I turned on more verbose logging and found that the plugin did
not recognize "USERNAME" as something to replace, because it expected
the string to be surrounded by whitespace. I wrote the following patch
to correct this. I hope you find it useful,
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
After having disucssed this patch on IRC (#openvpn-discussions)
March 4, 2010, it was decided to accept this patch when not modifying
TARGET_* defines through out the code. Further, in a mail comment
Alon Bar-Lev had some other comments of what would be needed to be done.
Mail reference:
<http://thread.gmane.org/gmane.network.openvpn.devel/3176>
This patch has been tested by bootstrapping the code on a RHEL4.6 box.
with the following autotools packages installed:
autoconf-2.59-5
automake-1.9.2-3
libtool-1.5.6-4.EL4.2
It builds cleanly and 'make check' passes.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net> Acked-by: Alon Bar-Lev <alon.barlev@gmail.com>
Jan Brinkmann [Sun, 28 Feb 2010 22:29:29 +0000 (23:29 +0100)]
The man page needs dash escaping in UTF-8 environments
There was a debian bugreport which was filed in 2005 . It was patched but
it seems that nobody forwarded the patch to the openvpn project itself.
The problem is quite simple:
The dashes for options (the double dashes) are not escaped. This causes
trouble in relationship with utf-8 .
Since the bugreport was closed it was patched within the debian/ubuntu
packages itself. I've attached the patch to get it atleast reviewed by the
openvpn project itself.
See <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=296133> for details.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Tested-by: Jan Just Keijser <janjust@nikhef.nl> Tested-by: Pavel Shramov <shramov@mexmat.net> Tested-by: Samuli Seppänen <samuli@openvpn.net>
Dan Nelson [Sun, 28 Feb 2010 21:09:18 +0000 (22:09 +0100)]
bash->bourne script cleanup
Many of the scripts in the openvpn source have their shell set to
/bin/bash, but only two use bash features. The attached patch (against
openvpn-2.1_rc9) sets the shell on the rest of the scripts to /bin/sh for
better portability. The only scripts that actually require bash are
contrib/pull-resolv-conf/client.{up,down} ; they use the ${!var} variable
indirection feature.
projects / thirdparty / openvpn.git / log
