git.ipfire.org Git - thirdparty/openvpn.git/log
14 years ago Change all CRLF linefeeds to LF linefeeds
Samuli Seppänen [Thu, 14 Apr 2011 14:18:47 +0000 (17:18 +0300)] 
Change all CRLF linefeeds to LF linefeeds

Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
14 years ago Add man page entry for --redirect-private
Samuli Seppänen [Tue, 29 Mar 2011 11:19:00 +0000 (11:19 +0000)] 
Add man page entry for --redirect-private

Trac-ticket: 107
Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Fix the --client-cert-not-required feature
David Sommerseth [Wed, 30 Mar 2011 12:14:21 +0000 (14:14 +0200)] 
Fix the --client-cert-not-required feature

Commit 2e8337de248ef0b5b48cbb2964da0d5c3f28b15b introduced a new
feature for using other SSL certificate fields for authentication
than the CN field.

This commit introduced a bug, which made the verify_callback()
function get called even if --client-cert-not-required was
enabled in the config.

The reason for this was that an 'else' statement was lacking a
couple of curly braces.  The offending commit in reality moved
the setup of the verify_callback() function out of the 'else'
statement.

Report-URL: https://community.openvpn.net/openvpn/ticket/108
Report-URL: https://forums.openvpn.net/topic7751.html
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Jan Just Keijser <janjust@nikhef.nl>
14 years ago Clarify --tmp-dir option
chantra [Fri, 25 Mar 2011 09:24:30 +0000 (10:24 +0100)] 
Clarify --tmp-dir option

Signed-off-by: chantra <chantra@debuntu.org>
Acked-By: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
14 years ago Use a version-less version identifier on the master branch
David Sommerseth [Fri, 25 Mar 2011 08:45:11 +0000 (09:45 +0100)] 
Use a version-less version identifier on the master branch

Signed-off-by: David Sommerseth <davids@redhat.com>
14 years ago common_name passing in auth_pam plugin
Joe Patterson [Mon, 21 Mar 2011 22:02:59 +0000 (18:02 -0400)] 
common_name passing in auth_pam plugin

Added the ability to have "COMMONNAME" replaced with certificate common
name in pam conversation.

Signed-off-by: Joe Patterson <j.m.patterson@gmail.com>
Acked-By: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
14 years ago Fixed typo in plugin.h
Stefan Hellermann [Mon, 28 Feb 2011 15:53:26 +0000 (16:53 +0100)] 
Fixed typo in plugin.h

An additional ';' had sneaked in commit 4c4b8cedfa98e8892a53.  Let's
kick it out again.

Signed-off-by: Stefan Hellermann <stefan@the2masters.de>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
14 years ago plugin.h: update prototype of plugin_call dummy in !ENABLE_PLUGIN case
Stefan Hellermann [Sun, 27 Feb 2011 21:15:44 +0000 (22:15 +0100)] 
plugin.h: update prototype of plugin_call dummy in !ENABLE_PLUGIN case

Commit 2db5a0ac3e053857d97e468de53e70a605f54561 adds two arguments to
plugin_call(...), but missed the !ENABLE_PLUGIN case. With
!ENABLE_PLUGIN, plugin_call(...) is only a dummy, so add these two
parameters there too.

Signed-off-by: Stefan Hellermann <stefan@the2masters.de>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
14 years ago Separate the general plug-in version constant and v3 plug-in structs version
David Sommerseth [Thu, 6 Jan 2011 22:24:52 +0000 (23:24 +0100)] 
Separate the general plug-in version constant and v3 plug-in structs version

After a review of the second round of the v3 plug-in implementation, it
was decided to use a separate constant defining the version of the structs
used for argument and return value passing, instead of OPENVPN_PLUGIN_VERSION.

To not make it too complex, this patch uses a shared version constant for all
the v3 structures.  It is not expected that these structures will change too
much and too often.

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: James Yonan <james@openvpn.net>
14 years ago Added a simple plug-in demonstrating the v3 plug-in API.
David Sommerseth [Fri, 10 Dec 2010 00:20:43 +0000 (01:20 +0100)] 
Added a simple plug-in demonstrating the v3 plug-in API.

To build the plug-in, do ./build log_v3 in the plugin/examples directory.

This plug-in can be tested by running an OpenVPN server like this:

 # ./openvpn --plugin plugin/examples/log_v3.so --dev tun \
             --server 192.168.240.0 255.255.255.0 --ca sample-keys/ca.crt \
             --cert sample-keys/server.crt --key sample-keys/server.key \
             --dh sample-keys/dh1024.pem

The client can be started like this:

 # ./openvpn --client --remote localhost --ca sample-keys/ca.crt \
             --cert sample-keys/client.crt --key sample-keys/client.key \
             --dev tun --nobind --auth-user-pass

This plug-in will only log arguments and environment variables it receives
during all the different plug-in phases OpenVPN currently supports.  It will
also parse the X509 certificate information given during the TLS_VERIFY phase.

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: James Yonan <james@openvpn.net>
14 years ago Extend the v3 plug-in API to send over X509 certificates
David Sommerseth [Fri, 10 Dec 2010 00:16:09 +0000 (01:16 +0100)] 
Extend the v3 plug-in API to send over X509 certificates

The certificates sent to the plug-in API will only happen during the
OPENVPN_PLUGIN_TLS_VERIFY phase and will contain a pointer to the OpenSSL
X509 certificate data.

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: James Yonan <james@openvpn.net>
14 years ago Implement the core v3 plug-in function calls.
David Sommerseth [Thu, 9 Dec 2010 23:15:27 +0000 (00:15 +0100)] 
Implement the core v3 plug-in function calls.

Let OpenVPN call the openvpn_plugin_open_v3() and
openvpn_plugin_func_v3() plug-in functions if they exist in the plug-in.

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: James Yonan <james@openvpn.net>
14 years ago Define the new openvpn_plugin_{open,func}_v3() API
David Sommerseth [Thu, 9 Dec 2010 23:09:20 +0000 (00:09 +0100)] 
Define the new openvpn_plugin_{open,func}_v3() API

This just implements the basic API changes needed for the newer and more
flexible plug-in API.

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: James Yonan <james@openvpn.net>
14 years ago Provide 'dev_type' environment variable to plug-ins and script hooks
David Sommerseth [Mon, 29 Nov 2010 22:57:44 +0000 (23:57 +0100)] 
Provide 'dev_type' environment variable to plug-ins and script hooks

Normally OpenVPN is configured with --dev {tun,tap}, but it is also possible
to use --dev myvpn instead.  In these situations, OpenVPN will request
--dev-type as well to be able to set up a tun or tap device properly.

The 'dev' environment variable will contain the value provided by --dev.  In
those cases where the plug-in/script needs to behave differently when using a tun
device versus using a tap device, there are no possibilities for it to know what
kind of device --dev myvpn would be.

This patch adds a 'dev_type' environment variable which contains a string of the
device type, either automatically discovered based on the --dev name, or set using
the --dev-type option.

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: James Yonan <james@openvpn.net>
14 years ago Misc fixes to r6708.
James Yonan [Mon, 13 Dec 2010 09:27:08 +0000 (09:27 +0000)] 
Misc fixes to r6708.

Fixed issue where "signal SIGTERM" entered from the management
interface might get subsequently downgraded to a SIGUSR1.

git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6716 e7ae566f-a301-0410-adde-c780ea21d3b5

14 years ago Added "management-external-key" option. This option can be used
James Yonan [Thu, 9 Dec 2010 11:21:04 +0000 (11:21 +0000)] 
Added "management-external-key" option.  This option can be used
instead of "key" in client mode, and allows the client to run
without the need to load the actual private key.  When the SSL
protocol needs to perform an RSA sign operation, the data to
be signed will be sent to the management interface via a
notification as follows:

  >RSA_SIGN:[BASE64_DATA]

The management interface client should then sign BASE64_DATA
using the private key and return the signature as follows:

  rsa-sig
  [BASE64_SIG_LINE]
  .
  .
  .
  END

This capability is intended to allow the use of arbitrary
cryptographic service providers with OpenVPN via the
management interface.

git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6708 e7ae566f-a301-0410-adde-c780ea21d3b5

14 years ago Fixed compiling issues when using --disable-crypto
James Yonan [Sun, 14 Nov 2010 22:38:47 +0000 (23:38 +0100)] 
Fixed compiling issues when using --disable-crypto

Peter Korsgaard <jacmet@sunsite.dk> reported an issue [1] when compiling
with --disable-crypto activated.  He suggested a patch, which only
partly solved the issue.  SVN r6568 / commit 3cf9dd88fd84108 added a
new feature which further made it impossible to compile without crypto.

This patch fixes both issues, based on Peter Korsgaard's patch.

[1] <http://sourceforge.net/mailarchive/forum.php?thread_name=87fwx08bod.fsf%40macbook.be.48ers.dk&forum_name=openvpn-devel>

Signed-off-by: James Yonan <james@openvpn.net>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Add extv3 X509 field support to --x509-username-field
Markus Koetter [Fri, 10 Dec 2010 19:30:09 +0000 (20:30 +0100)] 
Add extv3 X509 field support to --x509-username-field

This allows using other X509 certificate fields for the certificate
authentication.  To use altSubjectName, use
--x509-username-field ext:altSubjectName

This feature requires OpenVPN to be built with --enable-x509-alt-username

This patch is slightly modified, to honour --enable-x509-alt-username
compile time configuration.  Two #ifdef's are added.

Signed-off-by: Markus Koetter <koetter@rrzn-hiwi.uni-hannover.de>
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
14 years ago Preparing for the v2.2-RC2 release v2.2-RC2
David Sommerseth [Thu, 24 Mar 2011 21:01:20 +0000 (22:01 +0100)] 
Preparing for the v2.2-RC2 release

Signed-off-by: David Sommerseth <davids@redhat.com>
14 years ago Windows cross-compile cleanup
Alon Bar-Lev [Fri, 4 Mar 2011 21:14:33 +0000 (23:14 +0200)] 
Windows cross-compile cleanup

It should be sufficient to just try to see if socklen_t is defined.
Next, on all platforms it would be int in all other platforms.
And, there is no need to check for the type in monolithic environment
like Windows, as it will be always the same.

Currently it fails cross compile windows in mingw-w64 compiler, as
winsock.h is as follows:
   """
     /* define WINSOCK_API_LINKAGE and WSAAPI for less
      * diff output between winsock.h and winsock2.h, but
      * remember to undefine them at the end of file */
   """
And the macro uses these macros which are internal winsock macros and
should not be used anyway.

Also, when did the autodefs.h go mandatory? Why is it in
tap-win32/common.h while no constant is actually used?

The use of WSA_IO_INCOMPLETE without including winsock2.h is invalid!
Look at http://msdn.microsoft.com/en-us/library/aa921087.aspx

Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
14 years ago Clarified --client-config-dir section on the man-page.
Samuli Seppänen [Thu, 24 Mar 2011 19:17:10 +0000 (21:17 +0200)] 
Clarified --client-config-dir section on the man-page.

Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
14 years ago Clarify default value for the --inactive option.
David Sommerseth [Thu, 24 Mar 2011 13:51:48 +0000 (14:51 +0100)] 
Clarify default value for the --inactive option.

It is not clear in the manual that this feature is disabled
by default.

Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
14 years ago Open log files as text files on Windows
David Sommerseth [Mon, 13 Dec 2010 11:49:00 +0000 (12:49 +0100)] 
Open log files as text files on Windows

By giving the "t" flag to _fdopen() on Windows, the file will be
opened in a "translate mode", where it will take care of converting
\n to \r\n, and also look for the CTRL-Z mark when opening the log
file in append mode.

Reference:
<http://msdn.microsoft.com/en-us/library/dye30d82%28VS.80%29.aspx>

Thanks to Alon Bar-Lev for pointing out this solution.

Reported-by: Thomas Reifferscheid
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
14 years ago Fixes to Makefile.am
Samuli Seppänen [Wed, 23 Mar 2011 12:14:32 +0000 (14:14 +0200)] 
Fixes to Makefile.am

Removed reference to config-win32.h, which has been removed. Added
management-notes.txt to dist_doc_DATA.

Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
14 years ago Updated INSTALL-win32.txt
Samuli Seppänen [Tue, 15 Mar 2011 14:38:07 +0000 (16:38 +0200)] 
Updated INSTALL-win32.txt

Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <davids@redhat.com>
14 years ago Replaced config-win32.h with win/config.h.in
Samuli Seppänen [Tue, 15 Mar 2011 14:37:41 +0000 (16:37 +0200)] 
Replaced config-win32.h with win/config.h.in

The original config-win32.h - a static header file - has been superseded by both
"domake-win" script and the new Python-based buildsystem. Transformed it into a
template file, win/config.h.in, which obtains the most commonly used build
parameters from win/settings.in.

Added support code to win/config.py and win/wb.py to preprocess win/config.h.in
and copy it to config.h, from where source and header files can find it.

Removed all references to config-win32.h. Also removed obsolete
PACKAGE_BUGREPORT and USE_PTHREAD variables from the win/config.h.in file.

Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
14 years ago Fixes to win/openvpn.nsi
Samuli Seppänen [Tue, 15 Mar 2011 14:36:41 +0000 (16:36 +0200)] 
Fixes to win/openvpn.nsi

Added support for generating installer with unsigned TAP drivers. Fixed Windows
Vista/7 Start menu shortcut uninstall failure.

Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
14 years ago Added support for prebuilt TAP-drivers. Automated embedding manifests.
Samuli Seppänen [Tue, 8 Mar 2011 14:07:49 +0000 (16:07 +0200)] 
Added support for prebuilt TAP-drivers. Automated embedding manifests.

Removed win/make_dist.py's dependency on TAP-driver and tapinstall.exe building.
Also added manifest embedding commands to win/make_dist.py. To avoid duplicate
code moved the "build_vc" method from win/build.py to win/wb.py and renamed it
"run_in_vs_shell".

Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
14 years ago Implement IPv6 in TUN mode for Windows TAP driver.
Gert Doering [Sun, 7 Mar 2010 18:28:55 +0000 (19:28 +0100)] 
Implement IPv6 in TUN mode for Windows TAP driver.

* install-win32/settings.in: bump version to 9.7, TAP_RELDATE to "07/03/2010".

* tap-win32/proto.h: add data types and definitions needed for IPv6

* tap-win32/types.h: add m_UserToTap_IPv6 ethernet header for IPv6 packets

* tap-win32/tapdrvr.c: implement support for IPv6 in TUN mode:
     - IPv6 packets User->OS need correct ether type
     - IPv6 packets OS->User get correctly forwarded
     - IPv6 neighbour discovery packets for "fe80::8" (magic address
       installed as route-nexthop by OpenVPN.exe) get answered locally
(cherry picked from commit 175e17a5abd5969f6803a9cc9587b7959e1100ae)

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Fix line continuation in chkconfig init script description.
Ville Skyttä [Mon, 28 Feb 2011 21:28:54 +0000 (23:28 +0200)] 
Fix line continuation in chkconfig init script description.

See the chkconfig(8) man page for details.

Signed-off-by: Ville Skyttä <ville.skytta@iki.fi>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
14 years ago Fix packaging of config-win32.h and service-win32/msvc.mak v2.2-RC
David Sommerseth [Mon, 28 Feb 2011 13:57:49 +0000 (14:57 +0100)] 
Fix packaging of config-win32.h and service-win32/msvc.mak

The config-win32.h and service-win32/msvc.mak were not included
into the final source balls when using 'make dist', which is
crucial for Windows building.

Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Samuli Seppänen <samuli@openvpn.net>
14 years ago Preparing for the OpenVPN 2.2-RC release
David Sommerseth [Mon, 28 Feb 2011 10:36:13 +0000 (11:36 +0100)] 
Preparing for the OpenVPN 2.2-RC release

Signed-off-by: David Sommerseth <davids@redhat.com>
14 years ago Temporary snprintf-related fix to service-win32/openvpnserv.c
Samuli Seppänen [Fri, 18 Feb 2011 09:39:27 +0000 (11:39 +0200)] 
Temporary snprintf-related fix to service-win32/openvpnserv.c

This is intended just as a TEMPORARY solution to get the 2.2-RC released.
The intention is to get this fixed with a better solution for the final 2.2
release.  This patch has also been discussed here:

http://thread.gmane.org/gmane.network.openvpn.devel/4325/

The only reason for this patch to be accepted in its current shape, is
that it will be fixed before the final 2.2 release.

Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
14 years ago Changes to buildsystem patchset
Samuli Seppänen [Sat, 19 Feb 2011 08:15:12 +0000 (10:15 +0200)] 
Changes to buildsystem patchset

Implemented changes to the buildsystem patchset suggested by jamesyonan in IRC
meeting on 17th Feb 2010:

1) Remove variables added to version.m4 and use win/settings.in instead
2) Add ENABLE_<FEATURE> configuration to win/settings.in instead of parsing
   config-win32.h for them

This patch applies on top of the previous 13 patches.

Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Added first version of NSI installer script to win/openvpn.nsi
Samuli Seppänen [Fri, 11 Feb 2011 14:32:35 +0000 (16:32 +0200)] 
Added first version of NSI installer script to win/openvpn.nsi

This win/openvpn.nsi file is a heavily cleaned-up version of the
install-win32/openvpn.nsi file. The key differences:

- paths have been adapted to new buildsystem's requirements
- obsolete XGUI support has been removed
- unused Windows version detection has been removed
- variables specific to new build system (win/settings.in, version.m4) are
  imported
- a few new installer options have been introduced:
  - install lzo2.dll
  - install msvcr90.dll (a requirement from VS2008 builds)

Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Copied install-win32/setpath.nsi to win/setpath.nsi
Samuli Seppänen [Fri, 11 Feb 2011 14:31:18 +0000 (16:31 +0200)] 
Copied install-win32/setpath.nsi to win/setpath.nsi

Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Several modifications to win/make_dist.py to allow building the NSI installer
Samuli Seppänen [Fri, 11 Feb 2011 14:25:40 +0000 (16:25 +0200)] 
Several modifications to win/make_dist.py to allow building the NSI installer

Added copying of all remaining openvpn dependencies to dist directory so that
the NSI installer script (win/openvpn.nsi) can find and use them more easily.
This includes openvpn.exe, openvpnserv.exe, libpkcs11-helper-1.dll, openssl.exe,
and example files. The associated, external DDL/manifest files are copied also,
so that embedding them with mt.exe is easier. This is a temporary solution until
nmake makefiles are modified to automate this process, except for a few of the
library dependencies (lzo2.dll and libpkcs11-helper-1.dll).

Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Added comments to win/build_ddk.py
Samuli Seppänen [Fri, 11 Feb 2011 14:22:51 +0000 (16:22 +0200)] 
Added comments to win/build_ddk.py

Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Added openvpnserv.exe building to win/build.py
Samuli Seppänen [Fri, 11 Feb 2011 14:20:43 +0000 (16:20 +0200)] 
Added openvpnserv.exe building to win/build.py

Made win/build.py call nmake in service-win32 directory to build openvpnserv.exe
after main build (openvpn.exe) has finished.

Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Added configure.h and version.m4 variable parsing to win/config.py
Samuli Seppänen [Fri, 11 Feb 2011 14:16:14 +0000 (16:16 +0200)] 
Added configure.h and version.m4 variable parsing to win/config.py

Python-based buildsystem uses win/config.py to obtain global build parameters
from various sources. Added parsing of the (fake) configure.h and version.m4 to
it so that other Python build files can use them.

Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Added command-line switch to win/build_all.py to skip TAP driver building
Samuli Seppänen [Fri, 11 Feb 2011 14:14:28 +0000 (16:14 +0200)] 
Added command-line switch to win/build_all.py to skip TAP driver building

Modified win/build_all.py so that by giving -n or --notap switch the TAP driver
is not built. This is useful if using prebuilt TAP drivers, or when WinDDK is
not installed.

Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Added comments and made small modifications to win/msvc.mak.in
Samuli Seppänen [Fri, 11 Feb 2011 14:06:05 +0000 (16:06 +0200)] 
Added comments and made small modifications to win/msvc.mak.in

The win/msvc.mak.in file is used as basis for msvc.mak file which drives
openvpn.exe building. This change separates output file from LINK32_FLAGS and
adds helpful comments to the win/msvc.mak.in file.

Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Added support for viewing config-win32.h parameters to win/show.py
Samuli Seppänen [Fri, 11 Feb 2011 14:03:31 +0000 (16:03 +0200)] 
Added support for viewing config-win32.h parameters to win/show.py

The win/show.py tool is used to view build parameters interactively. This
changes it so that it displays parameters parsed from config-win32.h in addition
to those from win/settings.in.

Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Added helper functionality to win/wb.py
Samuli Seppänen [Fri, 11 Feb 2011 13:53:19 +0000 (15:53 +0200)] 
Added helper functionality to win/wb.py

This change adds several helper functions to win/wb.py:

- config-win32.h parser (to read build configuration options)
- helper function to cd to service-win32 for openvpnserv.exe building
- code to dynamically generate TAP-driver -related variables from version.m4,
  required by tap-win32/tapdrv.c
- configure.h generator to allow viewing build options using openvpn --version
- creation of temporary version.m4-based file to allow importing it's variables
  to the NSI installer script (win/openvpn.nsi)
- helper function to rename files (used in win/make_dist.py)

Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Moved TAP-driver version info to version.m4. Cleaned up win/settings.in.
Samuli Seppänen [Fri, 11 Feb 2011 13:28:13 +0000 (15:28 +0200)] 
Moved TAP-driver version info to version.m4. Cleaned up win/settings.in.

Previously parts of TAP-driver version information were stored in
win/settings.in. This patch moves all of it to version.m4. This patch also
cleans up and adds comments to win/settings.in

Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Added a nmake makefile for openvpnserv.exe building
Samuli Seppänen [Fri, 11 Feb 2011 13:15:51 +0000 (15:15 +0200)] 
Added a nmake makefile for openvpnserv.exe building

This change adds a nmake makefile (service-win32/msvc.mak) which allows building
openvpnserv.exe using the new Python-based buildsystem.

Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Added ENABLE_PASSWORD_SAVE to config-win32.h
Samuli Seppänen [Fri, 11 Feb 2011 13:11:51 +0000 (15:11 +0200)] 
Added ENABLE_PASSWORD_SAVE to config-win32.h

This change adds ENABLE_PASSWORD_SAVE to config-win32.h. This option is also
defined in win/settings.in, but it does not have any effect there.

Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Fix compiler warning when compiling against OpenSSL 1.0.0
David Sommerseth [Thu, 6 Jan 2011 18:31:34 +0000 (19:31 +0100)] 
Fix compiler warning when compiling against OpenSSL 1.0.0

The declaration of SSL_get_current_cipher() has changed to
return a const value.  And this makes compilers a little bit grumpy.

gcc:
  ssl.c: In function ‘print_details’:
  ssl.c:1918: warning: assignment discards qualifiers from pointer target type

Visual C:
  ssl.c (1918): warning C4019: '=' : different 'const' qualifiers

Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7bd3cea4c2f2aa8ed1bf548a3233ae2c3619d47d)

14 years ago Minor addition of logging info before and after
James Yonan [Fri, 10 Dec 2010 21:17:36 +0000 (21:17 +0000)] 
Minor addition of logging info before and after
execution of Windows net commands.

Version 2.1.3d

git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6712 e7ae566f-a301-0410-adde-c780ea21d3b5

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
(cherry picked from commit 7621741b480f93411928c66735d2ee9c7f69de3b)

14 years ago Make the --x509-username-field feature an opt-in feature
David Sommerseth [Wed, 15 Dec 2010 09:53:04 +0000 (10:53 +0100)] 
Make the --x509-username-field feature an opt-in feature

After some discussion [1] regarding an extension of this feature,
James Yonan wanted this extension to be an opt-in feature.  However,
as it does not make sense to opt-in on an extension of a feature which
was discussed, this patch makes the base feature an opt-in instead.

The base feature comes from commit 2e8337de248ef0b5b48cbb2964 (beta2.2)
and commit 935c62be9c0c8a256112 (feat_misc).

[1] http://thread.gmane.org/gmane.network.openvpn.devel/4266

Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: James Yonan <james@openvpn.net>
(cherry picked from commit 024972e2ced84c6e5cabc43620ab510e5693d1d4)

14 years ago Change variadic macros to C99 style.
Matthias Andree [Sat, 4 Dec 2010 02:51:11 +0000 (03:51 +0100)] 
Change variadic macros to C99 style.

The macros used GCC's pre-C99 syntax, which could not be compiled with
Microsoft Visual Studio 2008.

Note this breaks compatibility with GCC versions before 3.0, which is
deemed safe in a discussion on IRC with David Sommerseth and Samuli
Seppänen on #openvpn-devel (RHEL 3 uses GCC 3.2 already).

Compile tested on VS2008 by Samuli, on Cygwin GCC 3.4 and GCC 4.3 by myself.

Signed-off-by: Matthias Andree <matthias.andree@gmx.de>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
(cherry picked from commit 9469168e3abb09bd78297208a917ee4d9c025041)

14 years ago Prepared v2.2-beta5 for release v2.2-beta5
David Sommerseth [Thu, 25 Nov 2010 20:45:26 +0000 (21:45 +0100)] 
Prepared v2.2-beta5 for release

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Merge branch 'feat_misc' into beta2.2
David Sommerseth [Thu, 25 Nov 2010 20:28:10 +0000 (21:28 +0100)] 
Merge branch 'feat_misc' into beta2.2

14 years ago Fixed an issue causing a build failure with MS Visual Studio 2008.
Samuli Seppänen [Thu, 25 Nov 2010 19:48:34 +0000 (21:48 +0200)] 
Fixed an issue causing a build failure with MS Visual Studio 2008.

The new SOCKS auth code in socks.c contained a call to sprintf instead of
openvpn_sprintf. This caused build to fail if MS Visual Studio 2008 C compiler
was used. This change fixes that issue.

Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Prepared for v2.2-beta4 for release v2.2-beta4
David Sommerseth [Sun, 21 Nov 2010 15:04:54 +0000 (16:04 +0100)] 
Prepared for v2.2-beta4 for release

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Updated ChangeLog with info about last merges
David Sommerseth [Thu, 18 Nov 2010 21:33:47 +0000 (22:33 +0100)] 
Updated ChangeLog with info about last merges

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Merge branch 'feat_misc' into beta2.2
David Sommerseth [Thu, 18 Nov 2010 21:17:58 +0000 (22:17 +0100)] 
Merge branch 'feat_misc' into beta2.2

Conflicts:
acinclude.m4
config-win32.h
configure.ac
misc.c
thread.c
thread.h
        - These conflicts were mainly due to feat_misc getting old
          and mostly caused by the pthread clean-up patches in
          feat_misc

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Merge branch 'bugfix2.1' into beta2.2
David Sommerseth [Thu, 18 Nov 2010 18:10:08 +0000 (19:10 +0100)] 
Merge branch 'bugfix2.1' into beta2.2

14 years ago Added command-line option parser and an unsigned build option to build_all.py
Samuli Seppänen [Thu, 18 Nov 2010 16:00:54 +0000 (18:00 +0200)] 
Added command-line option parser and an unsigned build option to build_all.py

Modified win/build_all.py so that it parses command-line options using getopt.
Added option "-u / --unsigned" which allows forcing unsigned builds and a "-h /
--help" option. By default a signed build is generated, provided that the Python
SignTool module is installed. If not, the build is interrupted.

Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: Peter Stuge <peter@stuge.se>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Merged add_bypass_address() and add_host_route_if_nonlocal()
David Sommerseth [Mon, 15 Nov 2010 08:00:12 +0000 (09:00 +0100)] 
Merged add_bypass_address() and add_host_route_if_nonlocal()

The add_host_route_if_nonlocal() function is too simple to really
benefit from calling add_bypass_address() when this function is the
only caller to this function.

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Peter Stuge <peter@stuge.se>
14 years ago Removed functions not being used anywhere
David Sommerseth [Mon, 15 Nov 2010 07:58:36 +0000 (08:58 +0100)] 
Removed functions not being used anywhere

The GNU C compiler gave warnings about these functions in the patch
not being used anywhere.  Doing a git grep on the code turned out
there were no callers to these functions.  Taking these functions out,
as there is no good reason to carry dead code.

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Peter Stuge <peter@stuge.se>
14 years ago Only add some functions when really needed
David Sommerseth [Mon, 15 Nov 2010 07:56:18 +0000 (08:56 +0100)] 
Only add some functions when really needed

The GNU C compiler gave warnings about some functions not being used.
These functions were only used if certain #ifdef sections were enabled.

This patch encapsulates these function declarations with matching #ifdef's
to make it more clear when these functions are needed.

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Peter Stuge <peter@stuge.se>
14 years ago Fixed potential misinterpretation of boolean logic
David Sommerseth [Mon, 15 Nov 2010 07:53:40 +0000 (08:53 +0100)] 
Fixed potential misinterpretation of boolean logic

The GNU C compiler warned about a potential issue with an if()
expression missing an extra set of parentheses.

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Peter Stuge <peter@stuge.se>
14 years ago Fix compiler warnings about not used dummy() functions
David Sommerseth [Mon, 15 Nov 2010 07:48:57 +0000 (08:48 +0100)] 
Fix compiler warnings about not used dummy() functions

It has been reported that the Microsoft Visual C compiler complains if
a .c file does not contain any compilable code, which can happen if the
code has been #ifdef'ed out.  To avoid this, these #ifdef sections have
a #else section which adds a static dummy() function which does nothing.

On the other hand, the GNU C compiler complains about unused functions when
it discovers this situation.

This patch tries to only add these dummy() functions if the Microsoft Visual C
compiler is detected, via the _MSC_VER macro.

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Peter Stuge <peter@stuge.se>
14 years ago Use stricter snprintf() formatting in socks_username_password_auth() (v3)
David Sommerseth [Mon, 15 Nov 2010 20:44:59 +0000 (21:44 +0100)] 
Use stricter snprintf() formatting in socks_username_password_auth() (v3)

commit fc1fa9ffc7e3356458ec3 added a new function which needs to have a
stricter string formatting.  This was detected due to a compiler warning.

This patch makes sure that the length of username and password is not longer
than 255 bytes.  It also adds extra checks to avoid NULL pointer issues with
strlen() on these two parameters.

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
14 years ago Merge branch 'svn-BETA21' into bugfix2.1
David Sommerseth [Thu, 18 Nov 2010 17:47:06 +0000 (18:47 +0100)] 
Merge branch 'svn-BETA21' into bugfix2.1

14 years ago Fixes to prevent compile breakage when --disable-crypto is used.
James Yonan [Tue, 16 Nov 2010 09:10:39 +0000 (09:10 +0000)] 
Fixes to prevent compile breakage when --disable-crypto is used.

git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6656 e7ae566f-a301-0410-adde-c780ea21d3b5

14 years ago In verify_callback, the subject var should be freed by OPENSSL_free,
James Yonan [Tue, 16 Nov 2010 08:36:18 +0000 (08:36 +0000)] 
In verify_callback, the subject var should be freed by OPENSSL_free,
not free, since it is allocated by OpenSSL.

git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6655 e7ae566f-a301-0410-adde-c780ea21d3b5

14 years ago Merge branch 'bugfix2.1' into beta2.2
David Sommerseth [Sun, 14 Nov 2010 22:48:49 +0000 (23:48 +0100)] 
Merge branch 'bugfix2.1' into beta2.2

Conflicts:
options.c
- Disagreements about a new included file (forward.h)

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Fixed compiling issues when using --disable-crypto
James Yonan [Sun, 14 Nov 2010 22:38:47 +0000 (23:38 +0100)] 
Fixed compiling issues when using --disable-crypto

Peter Korsgaard <jacmet@sunsite.dk> reported an issue [1] when compiling
with --disable-crypto activated.  He suggested a patch, which only
partly solved the issue.  SVN r6568 / commit 3cf9dd88fd84108 added a
new feature which further made it impossible to compile without crypto.

This patch fixes both issues, based on Peter Korsgaard's patch.

[1] <http://sourceforge.net/mailarchive/forum.php?thread_name=87fwx08bod.fsf%40macbook.be.48ers.dk&forum_name=openvpn-devel>

Signed-off-by: James Yonan <james@openvpn.net>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Remove hardcoded path to resolvconf
Jesse Young [Mon, 1 Nov 2010 16:33:26 +0000 (11:33 -0500)] 
Remove hardcoded path to resolvconf

Signed-off-by: Jesse Young <jesse.young@gmail.com>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Clean-up: Removing useless code - hash related functions
David Sommerseth [Sat, 28 Aug 2010 18:52:19 +0000 (20:52 +0200)] 
Clean-up: Removing useless code - hash related functions

Removed even more functions which were practically empty and took away
some function arguments which were not used.

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: James Yonan <james@openvpn.net>
14 years ago Clean-up: Remove more dead and inactive code paths
David Sommerseth [Sat, 28 Aug 2010 18:44:07 +0000 (20:44 +0200)] 
Clean-up: Remove more dead and inactive code paths

These code paths were practically not needed with no locking mechanisms
enabled and were just bloating the source code.

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: James Yonan <james@openvpn.net>
14 years ago Clean-up: Remove pthread and mutex locking code
David Sommerseth [Sat, 28 Aug 2010 18:14:36 +0000 (20:14 +0200)] 
Clean-up: Remove pthread and mutex locking code

This code was not activated at all, and hard coded as disabled in syshead.h
with this code snippet:

   /*
    * Pthread support is currently experimental (and quite unfinished).
    */
   #if 1 /* JYFIXME -- if defined, disable pthread */
   #undef USE_PTHREAD
   #endif

So no matter whether --enable-pthread was used when running ./configure or not, this
feature was never enabled in reality.  Further, removing the blocker code above made
OpenVPN uncompilable in the current state.

As the threading part needs to be completely rewritten and pthreading will not be
supported in OpenVPN 2.x, removing this code seems most reasonable.

In addition, a lot of mutex locking code was also removed, as they were practically
NOP functions, due to pthreading being forcefully disabled.

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: James Yonan <james@openvpn.net>
14 years ago Merge branch 'feat_misc' into beta2.2
David Sommerseth [Sun, 14 Nov 2010 11:42:38 +0000 (12:42 +0100)] 
Merge branch 'feat_misc' into beta2.2

14 years ago Added check for variable CONFIGURE_DEFINES into options.c
Samuli Seppänen [Fri, 12 Nov 2010 15:30:07 +0000 (17:30 +0200)] 
Added check for variable CONFIGURE_DEFINES into options.c

The file containing the CONFIGURE_DEFINES variable, configure.h, is not present if
openvpn is built using the Python + Visual C -based buildsystem. This causes the
build to fail. This patch adds a check to see if the variable exists before trying
to use it.

Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: Peter Stuge <peter@stuge.se>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Merge branch 'feat_misc' into beta2.2
David Sommerseth [Fri, 12 Nov 2010 23:55:02 +0000 (00:55 +0100)] 
Merge branch 'feat_misc' into beta2.2

Conflicts:
Makefile.am
openvpn.8
options.c
socket.c
ssl.c
- feat_misc is missing a lot of bugfix2.1 changes

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Merge branch 'bugfix2.1' into beta2.2
David Sommerseth [Fri, 12 Nov 2010 23:49:05 +0000 (00:49 +0100)] 
Merge branch 'bugfix2.1' into beta2.2

14 years ago Merge branch 'svn-BETA21' into beta2.2
David Sommerseth [Fri, 12 Nov 2010 23:48:28 +0000 (00:48 +0100)] 
Merge branch 'svn-BETA21' into beta2.2

Conflicts:
version.m4
- Reset version.m4 to a more neutral version number

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Merge branch 'svn-BETA21' into bugfix2.1
David Sommerseth [Fri, 12 Nov 2010 23:46:13 +0000 (00:46 +0100)] 
Merge branch 'svn-BETA21' into bugfix2.1

14 years ago Clarified --explicit-exit-notify man page entry
David Sommerseth [Fri, 12 Nov 2010 22:10:32 +0000 (23:10 +0100)] 
Clarified --explicit-exit-notify man page entry

Reformulated parts of this entry to clarify that OpenVPN
will not attempt notifying the server unless this option is used.

This misunderstanding was reported anonymously to the old SF.net
tracker.

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Trac-ticket: 40

14 years ago Improved man page entry for script_type
Gert Doering [Thu, 21 Oct 2010 11:13:21 +0000 (13:13 +0200)] 
Improved man page entry for script_type

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: krzee <jeff@doeshosting.com>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Add HTTP/1.1 Host header
Lars Hupel [Thu, 30 Sep 2010 00:27:36 +0000 (01:27 +0100)] 
Add HTTP/1.1 Host header

OpenVPN should send a Host: header to comply with the HTTP/1.1
specification.

Full discussion of this patch can be found here:
<http://thread.gmane.org/gmane.network.openvpn.devel/4039>

Signed-off-by: Lars Hupel <hupel@in.tum.de>
Acked-by: Peter Stuge <peter@stuge.se>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Trac-ticket: 63

14 years ago Make "topology subnet" work on Solaris (ifconfig + route metric changes by Kazuyoshi...
Gert Doering [Sat, 30 Oct 2010 19:03:16 +0000 (21:03 +0200)] 
Make "topology subnet" work on Solaris (ifconfig + route metric changes by Kazuyoshi Aizawa, adding of local "connected subnet" route by me)

Tested on OpenSolaris/i386, no impact for other TARGETs.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Kazuyoshi Aizawa <admin2@whiteboard.ne.jp>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Integrate support for TAP mode on Solaris, written by Kazuyoshi Aizawa <admin2@whiteb...
Gert Doering [Fri, 29 Oct 2010 15:41:53 +0000 (17:41 +0200)] 
Integrate support for TAP mode on Solaris, written by Kazuyoshi Aizawa <admin2@whiteboard.ne.jp>.

See also http://www.whiteboard.ne.jp/~admin2/tuntap/

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Kazuyoshi Aizawa <admin2@whiteboard.ne.jp>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Adding support for SOCKS plain text authentication
Pierre Bourdon [Sun, 10 Oct 2010 22:56:04 +0000 (00:56 +0200)] 
Adding support for SOCKS plain text authentication

This patch adds support for SOCKS plain text (username/password)
authentication as described in RFC 1929. It adds an optional third
parameter to the socks-proxy option, which is a file containing the
login credentials.

I've been using this patch for two weeks now and it does not seem to
cause any problem. The only modifications are in the SOCKS handshake
handling and the options parser.

Signed-Off-By: Pierre Bourdon <delroth@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Version 2.1.3b
James Yonan [Thu, 28 Oct 2010 05:01:24 +0000 (05:01 +0000)] 
Version 2.1.3b

git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6585 e7ae566f-a301-0410-adde-c780ea21d3b5

14 years ago Make base64.h have the same conditional compilation expression as
James Yonan [Sun, 24 Oct 2010 09:17:24 +0000 (09:17 +0000)] 
Make base64.h have the same conditional compilation expression as
base64.c.

git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6569 e7ae566f-a301-0410-adde-c780ea21d3b5

14 years ago Implement challenge/response authentication support in client mode,
James Yonan [Sun, 24 Oct 2010 09:12:47 +0000 (09:12 +0000)] 
Implement challenge/response authentication support in client mode,
where credentials are entered from stdin.  This capability is
compiled when ENABLE_CLIENT_CR is defined in syshead.h (enabled
by default).

Challenge/response support was previously implemented for creds
that are queried via the management interface.  In this case,
the challenge message will be returned as a custom
client-reason-text string (see management-notes.txt for more
info) on auth failure.

Also, see the comments in misc.c above get_auth_challenge()
for info on the OpenVPN challenge/response protocol.

git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6568 e7ae566f-a301-0410-adde-c780ea21d3b5

14 years ago Fixed initialization bug in route_list_add_default_gateway
James Yonan [Sat, 23 Oct 2010 22:32:00 +0000 (22:32 +0000)] 
Fixed initialization bug in route_list_add_default_gateway
(Gert Doering).

git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6566 e7ae566f-a301-0410-adde-c780ea21d3b5

14 years ago Preparing for v2.2-beta3
David Sommerseth [Sat, 21 Aug 2010 21:46:30 +0000 (23:46 +0200)] 
Preparing for v2.2-beta3

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Fixed compiler warning in ssl.c
David Sommerseth [Mon, 16 Aug 2010 18:23:49 +0000 (20:23 +0200)] 
Fixed compiler warning in ssl.c

James Yonan noticed a couple of compiler warnings when compiling with
--enable-strict configured.  This patch was sent directly to him
for review and got accepted.

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: James Yonan <james@openvpn.net>
14 years ago Solved hidden merge conflict between feat_misc and bugfix2.1
David Sommerseth [Thu, 22 Apr 2010 21:29:34 +0000 (23:29 +0200)] 
Solved hidden merge conflict between feat_misc and bugfix2.1

The OCSP patch (commit a3982181e284f8c5c8f, feat_misc) introduced
a new function which was calling create_temp_filename().  When merging
bugfix2.1 into allmerged, create_temp_filename() got renamed to
create_temp_file() in commit 5d30273a8741d2c141.

This patch only changes create_temp_filename() to create_temp_file()
in the new function introduced by commit a3982181e284f8c5c8f.

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
(cherry picked from commit 926d1662e4d9e14b50eddec993b2f4e0209c0646)

14 years ago Fixed static defined length check to use sizeof()
Emilien Mantel [Sat, 26 Jun 2010 11:56:48 +0000 (13:56 +0200)] 
Fixed static defined length check to use sizeof()

This comes in addition to commit 935c62be9c0c8a256112d after some
additional review comments.

Signed-off-by: Emilien Mantel <emilien.mantel@businessdecision.com>
Acked-by: Peter Stuge <peter@stuge.se>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Choose a different field in X509 to be username
Emilien Mantel [Thu, 17 Jun 2010 19:38:59 +0000 (21:38 +0200)] 
Choose a different field in X509 to be username

For my company, we use a PKI (linked to an LDAP) with OpenVPN. We can't use "CN" as the
username (a few people can have the same "CN"). In our case, we only use the UID.

With my patch, you can choose another field to be the username with a new option called
--x509-username-field, the default value is "CN".

Signed-off-by: Emilien Mantel <emilien.mantel@businessdecision.com>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago ssl.c: fix use of openvpn_run_script()'s return value
Fabian Knittel [Tue, 4 May 2010 14:21:47 +0000 (16:21 +0200)] 
ssl.c: fix use of openvpn_run_script()'s return value

This patch fixes two bugs introduced in

    commit 339f2a4d4b487afa53fa99d72c35b16f31e417d3
    Author: David Sommerseth <dazo@users.sourceforge.net>
    Date:   Thu Apr 29 23:35:45 2010 +0200

David's patch replaced openvpn_execve() with openvpn_run_script() in two places,
but didn't adjust the return value handling.  openvpn_run_script() returns true
or false, while openvpn_execve() returns the program's exit code.

Without the fix, the --tls-verify script and the --auth-user-pass-verify
script fail to run.  (I noticed the latter, but haven't actually tested the
former.)

The return value handling is fine for the other places where
openvpn_run_script() is used, because those places previously used
openvpn_execve_check() (notice the "_check" suffix).

Signed-off-by: Fabian Knittel <fabian.knittel@avona.com>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
14 years ago Revamped the script-security warning logging (version 2)
David Sommerseth [Thu, 29 Apr 2010 21:35:45 +0000 (23:35 +0200)] 
Revamped the script-security warning logging (version 2)

The main task of this patch is to avoid reporting the SCRIPT_SECURITY_WARNING
over and over again, in addition to not showing this warning when it should not
be a problem.  This general warning should now only appear once, and only when
--script-security is not set, 0 or 1.  In all other cases this warning should
not appear.

In addition, this warning will come close to the script-hook which most probably
will fail.  It will also give a little bit more concrete hint on which script-hook
failed.  If --script-security is 2 or 3, only the execve failure itself will
be shown.  This message will on the other hand be shown repeatedly.

This is a new rewritten version which simplifies the implementation of the new
openvpn_run_script() function.  It was considered to remove it completely, but
due to code clarity and ease of use it was decided to make this function a static
inline function instead.  Anyhow, this function will enforce openvpn_execve_check()
to be called with the S_SCRIPT flag.

Patch ACKed on the developers meeting 2009-04-29.

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: James Yonan <james@openvpn.net>
14 years ago Don't add compile time information if --enable-small is used
David Sommerseth [Thu, 22 Apr 2010 21:05:00 +0000 (23:05 +0200)] 
Don't add compile time information if --enable-small is used

This is to satisfy those wanting to build openvpn for embedded devices
where every byte matters.

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
14 years ago Make use of automake CLEANFILES variable instead of clean-local rule
David Sommerseth [Tue, 13 Apr 2010 13:12:27 +0000 (15:12 +0200)] 
Make use of automake CLEANFILES variable instead of clean-local rule

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
14 years ago Fix dependency checking for configure.h (v2)
David Sommerseth [Thu, 22 Apr 2010 21:01:31 +0000 (23:01 +0200)] 
Fix dependency checking for configure.h (v2)

Alon Bar-Lev indicated commit f27bf509315a48b0070294c3993a718df0c2626c
was missing proper dependency checking.  This patch corrects this and
fixes an issue when creating configure.h via make distcheck.

This is an enhanced version of the one sent to the openvpn-devel mailing
list April 13, 2010 [1], after having received some feedback from Gert
Doering, cleaning up configure_log.awk further.

[1] <http://thread.gmane.org/gmane.network.openvpn.devel/3410/focus=3491>

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Gert Doering <gert@greenie.muc.de>