Make openvpn query for proxy information through the
management interface. This allows GUIs to provide (automatically
detected) proxy information on a per connection basis.
This new option supersedes the undocumented --http-proxy-fallback
option and puts the responsibilty for HTTP proxy fallback handling
to the GUI caring for such.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Reviewed-by: James Yonan <james@openvpn.net>
Message-Id: 1342009010-9735-1-git-send-email-heiko.hund@sophos.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6841 Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Arne Schwabe [Thu, 5 Jul 2012 09:17:15 +0000 (11:17 +0200)]
Fix compiling with --disable-management
Some of the MANAGEMENT_QUERY_REMOTE were actually needed. Put #ifdef
ENABLE_MANAGMENT in their place
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1341479835-12963-1-git-send-email-arne@rfc2549.org Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Gert Doering [Sat, 30 Jun 2012 20:50:43 +0000 (22:50 +0200)]
Repair "tap server" mode brokenness caused by <stdbool.h> fallout
Operator/Cast precedence wrong: casting mac[0] to (bool) first - giving
"1" for "any mac address that does not start with 00:" - and only then
bit-anding with "1" - thus always returning "true". Which, in turn,
leads to "reject all incoming packets with 'bad source address'".
OpenVPN bug #216.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Fabian Knittel <fabian.knittel@lettink.de>
Message-Id: 1341089443-2287-1-git-send-email-gert@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/6817 Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Arne Schwabe [Mon, 18 Jun 2012 18:39:04 +0000 (20:39 +0200)]
Only use tmpdir if tmp_dir is really used.
This fixes starting openvpn compiled as client only version of systems
that have no /tmp (Android). --tmp-dir could only be set if P2MP_SERVER
has been enabled too.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1340044749-10694-2-git-send-email-arne@rfc2549.org
URL: http://article.gmane.org/gmane.network.openvpn.devel/6741 Signed-off-by: David Sommerseth <davids@redhat.com>
Gert Doering [Sun, 10 Jun 2012 15:41:30 +0000 (17:41 +0200)]
Add missing pieces to IPv6 route gateway handling.
OpenVPN on Linux (iproute2+ifconfig), FreeBSD and MacOS X (Darwin)
normally points routes directly towards the "tun" interface, obviating
the need for a gateway. For "tap" interfaces, now add gateway spec to
linux route command, and replace "-iface <dev>" with gateway spec (both
together do not work) on FreeBSD and MacOS X.
Also adapt "route delete" appropriately, otherwise route will not be found.
All other platforms already use the gateway address for tun and tap,
because there's no way to install a route "towards an interface" there.
Remove warning about missing IPv6 route gateway handling.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1339342891-28443-5-git-send-email-gert@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/6712 Signed-off-by: David Sommerseth <davids@redhat.com>
Gert Doering [Sun, 10 Jun 2012 15:41:27 +0000 (17:41 +0200)]
cleanup and redefine metric handling for IPv6 routes
"no metric set" is now stored as "-1"
"metric 0" means "on-link route" (what the BSDs do)
properly initialize metric value to "0" for on-link IPv6 net on BSDs
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1339342891-28443-2-git-send-email-gert@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/6710 Signed-off-by: David Sommerseth <davids@redhat.com>
This is not the a problem when building using the latest Mac OS X SDK.
I've did a quick search and it seems to be a more common issue on some
(old) Darwin platforms.
[ Additional review note from Gert Doering:
IPV6_PKTINFO is part of the "extended socket API" defined in RFC2292.
That RFC used IPV6_PKTINFO both for receiving the destination IPv6 address
in UDP packets, and for setting the source address for outgoing packets.
RFC2292 was updated by RFC3542, which renamed the "receive" function to
IPV6_RECVPKTINFO, leaving the "sending" function as IPV6_PKTINFO - and,
subsequently, in FreeBSD they have different "setsockopt()" opcodes.
So, on a system that has *both*, we need to use IPV6_RECVPKTINFO for
receving (turning it on with setsockopt) to make --multihome work, and
IPV6_PKTINFO for sending (which we don't actually do).
On a system that only has IPV6_PKTINFO, because it's API only implements
2292 (MacOS up until 10.6), use IPV6_PKTINFO for setsockopt().
Now, the interesting question is whether a 10.5-compiled openvpn.exe
will behave correctly under 10.7 if --multihome is active...
]
Signed-off-by: Frank de Brabander <debrabander@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: eb2837a3-ce55-4f52-b2fe-f822efc661f7@l14g2000vbe.googlegroups.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/5591 Signed-off-by: David Sommerseth <davids@redhat.com>
Gert Doering [Thu, 7 Jun 2012 15:38:17 +0000 (17:38 +0200)]
Implement search for "first free" tun/tap device on Solaris
Without this patch, Solaris will do "--dev tun3" just fine, but "--dev tun"
will either use "tun0" if that is available, or fail. With the patch, the
first available device is searched if "--dev tun" or "--dev tap" (without
a number) is specified.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 20120607174638.GW1059@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/6705 Signed-off-by: David Sommerseth <davids@redhat.com>
Heiko Hund [Sun, 5 Feb 2012 12:47:09 +0000 (13:47 +0100)]
remove the --auto-proxy option from openvpn
During discussion on FOSDEM 2012 it was decided that proxy auto detection
is best done in the GUI as it's highly platform specific and shouldn't be
handled in openvpn itself for every supported platform in openvpn itself.
This removes --auto-proxy from openvpn.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1328446029-30523-1-git-send-email-heiko.hund@sophos.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/5333 Signed-off-by: David Sommerseth <davids@redhat.com>
Gert Doering [Fri, 1 Jun 2012 15:13:09 +0000 (18:13 +0300)]
t_client.sh iproute2 script fixes
Test for existance of "iproute2" with "-n" (Alon)
Work around "ip -6 route show" behaviour on FC14 where some parts of
the IPv6 route cache would be displayed, which has no relevance to
OpenVPN but breaks before/after comparison.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 20120601151507.GE400@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/6637 Signed-off-by: David Sommerseth <davids@redhat.com>
Gert Doering [Sun, 27 May 2012 20:19:11 +0000 (23:19 +0300)]
repair t_client.sh test after build system revolution
- run t_client.sh at "make check" time
- in t_client.sh, read t_client.rc from source *or* build dir (as before)
- @IP@ evaluates to "" now (not "ip") if iproute2 not found - adapt script
- introduce $SETUP_TIME_WAIT to delay "waiting for openvpn startup" longer
than the default delay of 10 seconds - this is needed for test servers
with a high network RTT
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 20120527202737.GV1161@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/6616 Signed-off-by: David Sommerseth <davids@redhat.com>
Some filesystems don't like ':', which is a path 'make dist' would use
In commit 7a845401043dbd9c the version.m4 was modified to remove the
alpha1 tag. But then Alon Bar-Lev noticed that NTFS wasn't happy about
the ':' character. So let's rather just skip the complete 'git:'
prefix and use just 'master' instead.
Reported-by: Alon Bar-Lev <alon.barlev@gmail.com> Signed-off-by: David Sommerseth <davids@redhat.com>
To avoid confusion between check_file_access() and check_cmd_access() in
the future, remove unneeded arguments from check_cmd_access()
As a command will always be a file, it should always check for CHKACC_FILE
and nothing else. And as the commands always will need X_OK, check only
for that.
One change from earlier behaviour is that R_OK is not checked for. The
reason is that only scripts require R_OK to work. However, a system might
be installed with binaries with only X_OK set. If a script is missing
R_OK, then the execution will fail due to lacking permissions.
Clarified the docs and help screen about what a 'cmd' is
This also changes the descriptions of several options to note that they accept
a "command"; change the description of --client-connect and --client-disconnect
indicate that the temporary file's path is passed as the last argument to the
command, not the first argument; and Adds a description of --route-pre-down to
the descriptions of the other --route options.
[DS: This patch is based on parts of the options.c.diff and the complete
openvpn.8.diff patch sent to the mailing list - where these docs changes
are merged together into this patch]
Signed-off-by: Jonathan K. Bullard <jkbullard@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: CAEsd45RkyJw6yUk1Jwkip70HkCjKYoU+V=do3N7SH7JOaHBZdw@mail.gmail.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6194 Signed-off-by: David Sommerseth <davids@redhat.com>
The current implementation of check_file_access() does not consider that
some options take scripts and executables as input. When some of these
commands are given arguments in the OpenVPN configuration,
check_file_access() would take those arguments as a part of the file name
to the command. Thus the file check would fail.
This patch improves that by introducing a check_cmd_access() function which
first splits out the arguments to the command before checking if the file
with the command is available.
[DS: This patch is splitted out from the options.c.diff patch sent to the
mailing list - where only the function changes is included here]
Signed-off-by: Jonathan K. Bullard <jkbullard@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: CAEsd45RkyJw6yUk1Jwkip70HkCjKYoU+V=do3N7SH7JOaHBZdw@mail.gmail.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6194 Signed-off-by: David Sommerseth <davids@redhat.com>
Adriaan de Jong [Mon, 2 Apr 2012 07:28:06 +0000 (09:28 +0200)]
Removed stray "Fox-IT hardening" string.
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1333351687-3732-5-git-send-email-dejong@fox-it.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6212 Signed-off-by: David Sommerseth <davids@redhat.com>
Adriaan de Jong [Mon, 2 Apr 2012 07:28:07 +0000 (09:28 +0200)]
Updated README.polarssl with build system changes.
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1333351687-3732-6-git-send-email-dejong@fox-it.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6209 Signed-off-by: David Sommerseth <davids@redhat.com>
Adriaan de Jong [Mon, 2 Apr 2012 07:28:05 +0000 (09:28 +0200)]
Removed support for PolarSSL < 1.1
PolarSSL 1.0 and earlier use only the Havege RNG. Havege is based on timing
certain operations, using the RDTSC instruction. Although this is fine on
bare metal PCs, the RDTSC instruction is virtualised on some virtual
machine implementations. This can result in issues on those virtual
machines. PolarSSL fixes this potential issue by also using platform
entropy.
To ensure that OpenVPN is always built against a decent RNG, PolarSSL <1.1
is therefore no longer supported.
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1333351687-3732-4-git-send-email-dejong@fox-it.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6211 Signed-off-by: David Sommerseth <davids@redhat.com>
Adriaan de Jong [Mon, 2 Apr 2012 07:28:02 +0000 (09:28 +0200)]
Added support for new PolarSSL 1.1 RNG
This patch, while retaining PolarSSL 1.0 support, introduces the PolarSSL 1.1 DRBG.
This RNG adds a number of features, including support for personalisation strings
and multiple entropy sources.
Personalisation strings have been implemented, based on PID, program name, place
within memory, and a hash of the user's certificate.
The entropy sources used are the platform default ones. Which ones these are
depends on how PolarSSL was built, but usually this includes:
- /dev/urandom or the Windows CryptoAPI RNG
- the HAVEGE RNG
- the output of PolarSSL's hardclock() call (usually RDTSC)
Finally, this patch moves to only one instance of the RNG per OpenVPN instance,
instead of one per keystate
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Signed-off-by: Eelse-jan Stutvoet <stutvoet@fox-it.com> Acked-by: James Yonan <james@openvpn.net>
Message-Id: 1333351687-3732-1-git-send-email-dejong@fox-it.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6210 Signed-off-by: David Sommerseth <davids@redhat.com>
Program received signal SIGSEGV, Segmentation fault.
packet_id_debug_print (msglevel=1174405255, p=0xa36bd0718,
pin=0x3de5feec1b0,
message=0xa330dde80 "PID_TEST", value=0) at
../../../src/openvpn/packet_id.c:504
504 for (i = 0; i < sl->x_size; ++i)
David Sommerseth [Fri, 27 Apr 2012 10:10:25 +0000 (12:10 +0200)]
Clean-up: Presume that Linux is always IPv6 capable at build time
These days it is highly unlikely that OpenVPN will be built in a non-IPv6
capable Linux environment. So remove compile-time related macros identifying
that.
This also solves an issue which was introduced in commit 51bd56f46f55177cf0f8b
where HAVE_TUN_PI is no longer detected. The tun_pi struct is defined in
linux/if_tun.h, which will be checked for later on. As this struct has history
in linux/if_tun.h all back to the beginning of the kernel git tree (2.6.12-rc2,
April 2005), it is considered not needed to check for this struct explicit.
[ v2: Commit 7c0a2b5f2b4409 modifies some of the checks this patch touches. This
patch just adopts to those changes ]
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Alon Bar-Lev <alon.barlev@gmail.com>
Message-Id: 1335521425-23391-1-git-send-email-davids@redhat.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6351
cleanup: add .gitattributes to control eol style explicitly
Having the text auto detection is a risk, as the detection may detect
text files that are not text and vise versa.
Having global setting will create confusion and differentiate between
users. So this patch also move this to local repository.
Having git to check out files differently in different OS is also
a not correct, as checkouts may be used in shares or in *NIX emulation
environments, so it have no effect.
Another issue is packaging, if we change out the tree differently
in several OSes, we may have different package content, which is
something that should be avoided.
Currently any editor of MS supports LF end of lines, so there is no
need to convert source files while checking out.
The visual studio files should be stored as CRLF as they are generated
by visual studio every save, in a way that CRLF are added.
I handled only the files that may be touch by MS users.
Adriaan de Jong [Tue, 14 Feb 2012 10:11:26 +0000 (11:11 +0100)]
Migrated x509_get_sha1_hash to use the garbage collector
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Adriaan de Jong [Tue, 14 Feb 2012 10:11:25 +0000 (11:11 +0100)]
Migrated x509_get_serial to use the garbage collector
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Adriaan de Jong [Tue, 14 Feb 2012 10:11:24 +0000 (11:11 +0100)]
Migrated x509_get_subject to use of the garbage collector
This also cleans up a messy call in pkcs11.c to _openssl_get_subject, as discussed at FOSDEM.
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Igor Novgorodov [Tue, 28 Feb 2012 11:16:01 +0000 (15:16 +0400)]
Remove calls to OpenSSL when building with --disable-ssl
Move OpenSSL calls out from the generic crypto layer and into the
OpenSSL specific layer. Also don't load all algortihms if SSL
isn't enabled.
Error strings will also not be loaded into memory if ENABLE_SMALL
is configured.
Signed-off-by: Igor Novgorodov <igor@novg.net> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
projects / thirdparty / openvpn.git / log
