james [Fri, 24 Oct 2008 06:04:34 +0000 (06:04 +0000)]
Added optional files SAMPCONF_CONF2 (second sample configuration
file) and SAMPCONF_DH (Diffie-Hellman parameters) to the Windows
build system; they may be defined in settings.in.
james [Fri, 17 Oct 2008 08:15:22 +0000 (08:15 +0000)]
Modified Windows domake-win build system to write all openvpn.nsi
input files to gen, so that gen can be disconnected from
the rest of the source tree and makensis openvpn.nsi will
still function correctly.
Added additional SAMPCONF_(CA|CRT|KEY) macros to settings.in
(commented out by default).
james [Fri, 19 Sep 2008 20:12:43 +0000 (20:12 +0000)]
Fixed --lladdr bug introduced in 2.1-rc9 where input validation code
was incorrectly expecting the lladdr parameter to be an IP address
when it is actually a MAC address (HoverHell).
james [Sat, 6 Sep 2008 09:42:17 +0000 (09:42 +0000)]
2.1_rc8 and earlier did implicit shell expansion on script
arguments since all scripts were called by system().
The security hardening changes made to 2.1_rc9 no longer
use system(), but rather use the safer execve or CreateProcess
system calls. The security hardening also introduced a
backward incompatibility with 2.1_rc8 and earlier in that
script parameters were no longer shell-expanded, so
for example:
client-connect "docc CLIENT-CONNECT"
would fail to work because execve would try to execute
a script called "docc CLIENT-CONNECT" instead of "docc"
with "CLIENT-CONNECT" as the first argument.
This patch fixes the issue, bringing the script argument
semantics back to pre 2.1_rc9 behavior in order to preserve
backward compatibility while still using execve or CreateProcess
to execute the script/executable.
james [Thu, 4 Sep 2008 20:35:09 +0000 (20:35 +0000)]
Added --allow-pull-fqdn option which allows client to pull DNS names
from server (rather than only IP address) for --ifconfig, --route, and
--route-gateway. OpenVPN versions 2.1_rc7 and earlier allowed DNS names
for these options to be pulled and translated to IP addresses by default.
Now --allow-pull-fqdn will be explicitly required on the client to enable
DNS-name-to-IP-address translation of pulled options.
james [Sun, 10 Aug 2008 19:29:00 +0000 (19:29 +0000)]
Fixed build issue with ./configure --disable-socks --disable-http.
Fixed separate compile errors in options.c and ntlm.c that occur
on strict C compilers (such as old versions of gcc) that require
that C variable declarations occur at the start of a {} block,
not in the middle.
james [Sun, 10 Aug 2008 18:49:28 +0000 (18:49 +0000)]
Updated openvpn/t_cltsrv.sh (used by "make check") to conform to new
--script-security rules. Also adds retrying if the addresses are in
use (Matthias Andree).
james [Tue, 5 Aug 2008 07:52:06 +0000 (07:52 +0000)]
Workaround for MinGW autoconf issue where HAVE_SETSOCKOPT,
HAVE_GETSOCKOPT, and HAVE_POLL are undefined even though
the underlying functions are present.
james [Tue, 5 Aug 2008 04:44:31 +0000 (04:44 +0000)]
Added additional warnings to flag common gotchas:
* Warn when ethernet bridging that the IP address of the
bridge adapter is probably not the same address that
the LAN adapter was set to previously.
* When running as a server, warn if the LAN network address is
the all-popular 192.168.[0|1].x, since this condition commonly
leads to subnet conflicts down the road.
* Primarily on the client, check for subnet conflicts between
the local LAN and the VPN subnet.
Added a 'netmask' parameter to get_default_gateway, to return
the netmask of the adapter containing the default gateway.
Only implemented on Windows so far. Other platforms will
return 255.255.255.0. Currently the netmask information is
only used to warn about subnet conflicts.
james [Sat, 2 Aug 2008 08:02:53 +0000 (08:02 +0000)]
Added "--server-bridge" (without parameters) to enable
DHCP proxy mode: Configure server mode for ethernet
bridging using a DHCP-proxy, where clients talk to the
OpenVPN server-side DHCP server to receive their IP address
allocation and DNS server addresses.
Added "--route-gateway dhcp", to enable the extraction
of the gateway address from a DHCP negotiation with the
OpenVPN server-side LAN.
Modified client.conf and server.conf to reflect new option
modes.
james [Thu, 31 Jul 2008 22:03:38 +0000 (22:03 +0000)]
In Windows build, package a statically linked openssl.exe to work around
observed instabilities in the dynamic build since the migration to
OpenSSL 0.9.8h.
james [Sun, 27 Jul 2008 18:20:52 +0000 (18:20 +0000)]
Added additional warnings for:
* --tls-remote -- some people misunderstand the semantics
* --script-security -- warn if script-security will allow user-defined
scripts to be called, and also warn separately if passwords may be
passed to scripts via the environment
james [Sat, 26 Jul 2008 07:27:03 +0000 (07:27 +0000)]
Completely revamped the system for calling external programs and scripts:
* All external programs and scripts are now called by execve() on unix and
CreateProcess on Windows.
* The system() function is no longer used.
* Argument lists for external programs and scripts are now built by the new
argv_printf function which natively outputs to string arrays (i.e.
char *argv[] lists), never truncates its output, and eliminates the security
issues inherent in formatting and parsing command lines, and dealing with
argument quoting.
* The --script-security directive has been added to offer policy controls on
OpenVPN's execution of external programs and scripts.
Also added a new plugin example (openvpn/plugin/examples/log.c) that logs
information to stdout for every plugin method called by OpenVPN.
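As an added illustration of the execve-based script calling described in the two entries above (the 2.1_rc9 script-argument fix and the argv_printf revamp), and not OpenVPN's own code: a splitter that turns a configured command string such as "docc CLIENT-CONNECT" into an argv[] with no shell involved, appends runtime values as single arguments, and hands the result to execve(). The names split_argv, append_arg and run_argv are chosen here, and the sample command line is constructed.

```c
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_ARGS 16
extern char **environ;
/* Split a configured command string such as "docc CLIENT-CONNECT" on whitespace
 * into a NULL-terminated argv[] (argv[0] "docc", argv[1] "CLIENT-CONNECT"), with
 * no shell involved. Returns argc, or -1 on overflow (never silent truncation). */
int split_argv(const char *cmd, char *buf, size_t buflen, char *argv[], int max)
{
    int argc = 0;
    size_t n = strlen(cmd);
    if (n >= buflen) return -1;
    memcpy(buf, cmd, n + 1);                  /* private copy we can cut up */
    for (char *p = strtok(buf, " \t"); p; p = strtok(NULL, " \t")) {
        if (argc >= max - 1) return -1;       /* keep room for the NULL */
        argv[argc++] = p;
    }
    argv[argc] = NULL;
    return argc;
}

/* Append one runtime value (e.g. a client common name) as a single argv element.
 * It is never re-parsed, so spaces or ';' inside it stay literal. */
int append_arg(char *argv[], int argc, int max, char *arg)
{
    if (argc < 0 || argc >= max - 1) return -1;
    argv[argc++] = arg;
    argv[argc] = NULL;
    return argc;
}

/* fork() and execve() the argv (argv[0] must be a path); returns exit status or -1. */
int run_argv(char *argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execve(argv[0], argv, environ); _exit(127); }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
int main(void)
{
    char buf[256], *argv[MAX_ARGS];   /* constructed sample command line */
    int argc = split_argv("/bin/echo CLIENT-CONNECT", buf, sizeof buf, argv, MAX_ARGS);
    argc = append_arg(argv, argc, MAX_ARGS, "O=Example Inc; CN=alice");
    return (argc > 0 && run_argv(argv) == 0) ? 0 : 1;   /* echo prints both args */
}
```

Because the runtime value is appended as its own element and never re-parsed, a shell would have seen the ';' and the space, but execve() passes it through as one literal argument.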
james [Wed, 23 Jul 2008 19:51:27 +0000 (19:51 +0000)]
Added argv_x functions to buffer.[ch] to be used to safely build
up argv strings for execve without the possibility of truncation
or misinterpretation of mid-argument spacing.
james [Sat, 19 Jul 2008 03:33:27 +0000 (03:33 +0000)]
Modified extract_x509_field_ssl to return a status value indicating
success/error, and any truncation of output due to an insufficiently
large output buffer will be cause for error.
In verify_callback, read X509 Subject Name without truncation.
In verify_callback, rather than silently truncating Common Name at
64 bytes, throw an error if Common Name is larger than 64 bytes.
james [Sat, 19 Jul 2008 00:29:31 +0000 (00:29 +0000)]
Replace leading dash ('-') characters in an X509 name with underbars ('_')
before calling user-defined scripts, to preclude the chance of a leading
dash being interpreted as an option prefix.
james [Thu, 17 Jul 2008 23:31:16 +0000 (23:31 +0000)]
Previously, OpenVPN might log a client's auth-user-pass
password if the verbosity was set to a high debug level
such as 7 or higher. Normally this would only be used by
developers. Now, even at high debug levels, the password
will not be output.
james [Thu, 17 Jul 2008 20:57:42 +0000 (20:57 +0000)]
Call prng_init after fork in background process
created by port_share_open, so as to ensure
a newly seeded PRNG sequence. This is strictly
defensive programming since port_share_proxy
currently does not use the PRNG.
james [Thu, 17 Jul 2008 18:56:09 +0000 (18:56 +0000)]
Support wraparound of reliable.[ch] packet IDs. In
practice, wraparound of the packet ID sequence is
extremely unlikely since the sequence is restarted
for each mid-session TLS renegotiation. But we will
support it for completeness.
james [Wed, 16 Jul 2008 22:37:09 +0000 (22:37 +0000)]
In the Windows version of tun_finalize, on errors that would
return -1, set buf->len to 0 rather than -1. While downstream
code is set up to consider the buffer invalidated if its length
is <= 0, this change makes the code cleaner and safer.
james [Wed, 4 Jun 2008 07:23:20 +0000 (07:23 +0000)]
Fixed unbounded memory growth bug in
environmental variable code that could
have caused long-running OpenVPN sessions
with many TLS renegotiations to incrementally
increase memory usage over time.
james [Wed, 4 Jun 2008 05:16:44 +0000 (05:16 +0000)]
Incremented version to 2.1_rc7d.
Support asynchronous authentication by plugins by allowing
OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY to return
OPENVPN_PLUGIN_FUNC_DEFERRED. See comments in
openvpn-plugin.h for documentation. Enabled by ENABLE_DEF_AUTH.
Added a simple packet filter functionality that can be driven by
a plugin. See comments in openvpn-plugin.h for documentation.
Enabled by ENABLE_PF.
See openvpn/plugin/defer/simple.c for examples of ENABLE_DEF_AUTH
and ENABLE_PF.
"TLS Error: local/remote TLS keys are out of sync" is no longer a
fatal error for TCP-based sessions, since the error can arise
normally in the course of deferred authentication. In a related
change, allow packet-id sequence to begin at some number n > 0 for
TCP sessions, rather than strictly requiring sequence to begin
at 1.
Added a test to configure.ac for LoadLibrary function on Windows.
Modified "make dist" function to include all files from
install-win32 so that ./domake-win can be run from a
tarball-expanded directory.
setenv and setenv-safe directives may now omit a value argument
which defaults to "".
james [Sun, 25 May 2008 22:31:25 +0000 (22:31 +0000)]
Fixed a bug in plugin.c that caused openvpn_plugin_client_destructor_v1
to not be called for the top-level "generic" client template.
Added additional documentation to openvpn-plugin.h that more clearly
illustrates the full sequence and ordering of plugin callbacks
(plugin/defer/simple.c was extended to provide the raw data for this
documentation).
james [Sun, 17 Feb 2008 08:21:28 +0000 (08:21 +0000)]
The new function extract_x509_field_ssl tends to break
in early versions of OpenSSL 0.9.6. Now we will fall
back to the old function extract_x509_field for OpenSSL
0.9.6.
james [Fri, 1 Feb 2008 19:44:53 +0000 (19:44 +0000)]
Changes to Windows build system: added GENOUT_PREBUILT mode
to allow building an OpenVPN installer with a reduced set
of prerequisites. See comments in domake-win for more info.
james [Fri, 1 Feb 2008 10:13:59 +0000 (10:13 +0000)]
Changes to Windows build system to make it easier to do
partial builds, where only a subset of OpenVPN installer
components are built. See ./domake-win comments.