Adriaan de Jong [Mon, 27 Jun 2011 07:44:47 +0000 (09:44 +0200)]
Refactored tls_show_available_ciphers
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
Adriaan de Jong [Mon, 27 Jun 2011 07:22:08 +0000 (09:22 +0200)]
Refactored TLS_PRF to new hmac and md primitives
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
Adriaan de Jong [Thu, 23 Jun 2011 15:31:19 +0000 (17:31 +0200)]
Refactored cipher key types
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
Adriaan de Jong [Thu, 23 Jun 2011 10:45:29 +0000 (12:45 +0200)]
Refactored DES key manipulation functions
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
This patch adds a stale-routes-check option that takes 2 parameters: a ageing
time (in seconds) and a check interval (in seconds). The latter defaults to the
former if it's not present. Internally, a new "check" is added in
multi_process_per_second_timers_dowork(). This check deletes stale routes and
it is inspired to the function multi_reap_range().
We're running a very large connectivity infrastructure based on openVPN (more
than 4000 different clients connected per day per server), so we can throughly
check this patch (or, of course, any variant of it).
Signed-off-by: Davide Guerri <d.guerri@caspur.it> Reviewed-by: David Sommerseth <davids@redhat.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <davids@redhat.com>
Gert Doering [Fri, 16 Sep 2011 17:51:09 +0000 (19:51 +0200)]
Platform cleanup for NetBSD
make TAP devices work (need to go via multiplex device /dev/tap)
cleanup TUN devices at program end ("ifconfig tunX destroy")
correctly setup TUN devices for "topology subnet"
don't try to put TAP devices into TUNSIFHEAD mode (get rid of error message)
Tested on NetBSD 5.1_STABLE / Sparc64
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
- use __APPLE_USE_RFC_3542 for macosx build environment >= 1070
- define SOL_IP from IPPROTO_IP if it's missing
In Linux man 7 ip says:
"Using SOL_IP socket options level isn't portable, BSD-based
stacks use IPPROTO_IP level."
Signed-off-by: JuanJo Ciarlante <jjo+ml@google.com> Tested-by: Eric F Crist <ecrist@secure-computing.net> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
David Sommerseth [Mon, 19 Sep 2011 14:43:04 +0000 (16:43 +0200)]
Fixed compile issues on FreeBSD and Solaris
In commit 7fb0e07ec3f7c5f6514523085dbe struct route changed and
this change was not fixed in all places in tun.c, which caused
a compilation error. A few whitespace fixes is added as well.
OSX needs to be fixed as well, but this will be done in a separate patch.
Tested-by: Eric F Crist <ecrist@secure-computing.net> (FreeBSD) Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <davids@redhat.com>
James Yonan [Fri, 2 Sep 2011 23:49:45 +0000 (23:49 +0000)]
Fixed management interface bug where >FATAL notifications were
not being output properly because the management interface
socket was being closed before the >FATAL notification could
be transmitted.
Heiko Hund [Wed, 31 Aug 2011 14:38:08 +0000 (14:38 +0000)]
lowercase include header name in syshead.h
Cross compiling for Windows is broken since commit 739fa9881f12e67dc8b9cadc7230e59e7fe42423 added the mixed
case header name "NtDDNdis.h" to the file. While this header
exists in a MinGW build environment it's lowercase there.
Windows doesn't mind the case of a file name, but Linux does.
So, lowercasing the filename will make openvpn build in both
worlds.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
JuanJo Ciarlante [Thu, 26 May 2011 17:01:42 +0000 (19:01 +0200)]
USE_PF_INET6 by default for v2.3
- put all #ifdef'd code in place, kill the cpp symbol,
- thus in v2.3 it's not actually possible to --disable-ipv6 :)
RATIONALE:
#1 some wacky compilers choke on #ifdef'd constructions for
concatenated strings, and given that:
#2 v2.3 has already transport ipv6 by default
=> doesn't justify putting effort on #1 to keep USE_PF_INET6
ifdef wraps.
Signed-off-by: JuanJo Ciarlante <jjo+ml@google.com> Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Gert Doering [Sat, 28 May 2011 20:50:40 +0000 (22:50 +0200)]
Replace 32-bit-based add_in6_addr() implementation by an 8-bit based one
Windows has no 32-bit accessor to the union inside "struct in6_addr",
and the 8-bit accessor is the only common denominator across BSD, Solaris,
Linux and Windows...
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Samuli Seppänen <samuli@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
David Sommerseth [Thu, 26 May 2011 13:23:03 +0000 (16:23 +0300)]
Fix Microsoft Visual Studio incompatibility in plugin.c
MS Visual Studio don't like to have struct members named in the
variable declaration. Without this fix, Visual Studio is not able
to compile the new v3 plug-in API.
Signed-off-by: David Sommerseth <davids@redhat.com> Tested-by: Samuli Seppänen <samuli@openvpn.net> Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Samuli Seppänen [Thu, 11 Aug 2011 16:00:57 +0000 (19:00 +0300)]
Merged TODO.IPv6 with TODO.ipv6 and README.IPv6 with README.ipv6
Prior to this patch were two sets of IPv6 README/TODO files: one from payload
and one from transport patchset. Unfortunately Git on Windows gets very confused
of these files, as they only differ in case. This patch merges these sets into
one.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Heiko Hund [Thu, 18 Aug 2011 12:17:50 +0000 (12:17 +0000)]
add .gitignore to official repository
This .gitignore make the output of git status a lot more readable. It was
made from the dynamically generated files that showed after using both
build system.
Signed-off-by: Samuli Seppänen <samuli@openvpn.ne> Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-By: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
James Yonan [Fri, 19 Aug 2011 03:15:25 +0000 (03:15 +0000)]
"status" management interface command (version >= 2) will now
include the username for each connected user. This should
generally be backward compatible with existing management
interface clients since the new username field is added
to the CLIENT_LIST header as well.
James Yonan [Fri, 19 Aug 2011 03:10:08 +0000 (03:10 +0000)]
CC_PRINT character class now allows any 8-bit character value >= 32.
This is done to allow UTF-8 and restrict the use of control characters
in usernames, passwords, common names, etc.
James Yonan [Fri, 19 Aug 2011 03:07:27 +0000 (03:07 +0000)]
Fixed issue where redirect-gateway block-local code was not
correctly calculating the two halves of the subnet if the
gateway was in the upper half (Gert Doering).
David Sommerseth [Sun, 24 Jul 2011 23:44:27 +0000 (01:44 +0200)]
Merge remote branch SVN 2.1 into the git tree
Hopefully the last SVN merge we need to do, as these merges are getting
more and more difficult. Most of the files had minor changes, but due to
the CRLF unification patch (commit 6b2883a637fe73492) we got an increased
number of conflicts. In addition inclusion of IPv6 support makes the
creates a lot of merge issues in route.c and socket.c
This merge also reverts commit 7c18c6353904f8c6e7 which merged
add_bypass_address() into add_host_route_if_nonlocal(). However the SVN
tree began to use add_bypass_address() another place, where at first glance
it did not be appropriate to use add_host_route_if_nonlocal().
This merge has gone through a 'make check' without any errors, but have
not been tested more thoroughly yet.
Signed-off-by: David Sommerseth <davids@redhat.com> Reviewed-by: Gert Doering <gert@greenie.muc.de> Reviewed-by: James Yonan <james@openvpn.net> Reviewed-by: Adriaan de Jong <dejong@fox-it.com>
David Sommerseth [Thu, 28 Jul 2011 21:58:50 +0000 (23:58 +0200)]
Moved doxygen-specific files to a separate directory
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth [Thu, 28 Jul 2011 21:56:24 +0000 (23:56 +0200)]
Added main/control docs
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth [Thu, 28 Jul 2011 21:27:58 +0000 (23:27 +0200)]
Added data channel fragmentation docs
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth [Thu, 28 Jul 2011 21:25:07 +0000 (23:25 +0200)]
Added memory management documentation
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth [Thu, 28 Jul 2011 21:22:51 +0000 (23:22 +0200)]
Added reliability layer documentation
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth [Thu, 28 Jul 2011 21:17:51 +0000 (23:17 +0200)]
Added compression docs
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth [Thu, 28 Jul 2011 21:08:17 +0000 (23:08 +0200)]
Added control channel crypto docs
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth [Thu, 28 Jul 2011 21:05:07 +0000 (23:05 +0200)]
Doxygen: Added data channel crypto docs
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Adriaan de Jong [Tue, 21 Jun 2011 08:05:04 +0000 (10:05 +0200)]
Added Doxygen doxyfile
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Samuli Seppänen [Thu, 30 Jun 2011 07:59:10 +0000 (10:59 +0300)]
Fixes to easy-rsa/2.0
As support for OpenSSL 1.0.0 requires a modified openssl.cnf file, it was
decided to rename openssl.cnf to openssl-1.0.0.cnf for clarity and better
support of different OpenSSL versions. The old openssl.cnf was renamed as
openssl-0.9.8.cnf.
This patch makes sure that all openssl*.cnf files are copied when running 'make
install' in easy-rsa and makes the whichopensslcnf script aware of them as well.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Samuli Seppänen [Wed, 29 Jun 2011 08:24:07 +0000 (11:24 +0300)]
Updated "easy-rsa" for OpenSSL 1.0.0
This patch fixes remaining issues with Trac ticket #125. It does the following:
- Update easy-rsa/2.0/README
- Rename easy-rsa/2.0/openssl.cnf as openssl-0.9.8.cnf
- Add easy-rsa/2.0/openssl-1.0.0.cnf
- Updated vars.bat.sample to use openssl-1.0.0.cnf
- Updated win/openvpn.nsi to use openssl-1.0.0.cnf
- Add a few undefined variables to vars and vars.bat.sample:
required by OpenSSL 1.0.0 (at least on Windows)
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Tested-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Remove support for Linux 2.2 configuration fallback
When configuring OpenVPN nowadays, the TUN/TAP configuration can
sometimes jump into the Linux 2.2 fallback code paths, which will
also fails. The reason it jumps into fallback mode is that the
tun/tap device already exists or that /dev/net/tun does not exist.
This can be very confusing, as /dev/tunX which the fallback mode tries
to use, does not exist on Linux 2.4 and newer.
Considering that the last Linux 2.2 update was released 25-Feb-2004
and the first Linux 2.4 release came 04-Jan-2001, there are no
reasonable reasons to help users to stay on outdated kernels.
I consider this extra code path just waste of bytes ... so lets make
the world simpler.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Robert Fischer [Thu, 21 Apr 2011 20:55:52 +0000 (22:55 +0200)]
Documented --x509-username-field option
Also fixed a typo in the --help screen.
Signed-off-by: Robert Fischer <ml-openvpn@trispace.org> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Robert Fischer [Thu, 21 Apr 2011 19:36:10 +0000 (21:36 +0200)]
Added info about --show-proxy-settings
Signed-off-by: Robert Fischer <ml-openvpn@trispace.org> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
James Yonan [Sun, 12 Jun 2011 01:14:36 +0000 (01:14 +0000)]
Added redirect-gateway block-local flag, with support for
Linux, Mac OS X, and Linux. This flag (which is pushable
from server) blocks client access to local LAN while VPN
session is active.
Added standalone --show-gateway option to show info about
default gateway.
Extensively refactored get_default_gateway function in
route.c to ease implementation of block-local.
Removed "Experimental" disclaimer from redirect-gateway
man page.
James Yonan [Fri, 3 Jun 2011 21:21:20 +0000 (21:21 +0000)]
Added support for static challenge/response protocol.
This includes the new "static-challenge" directive.
See management/management-notes.txt for details on both
static and dynamic challenge/response protocols.
All client-side challenge/response code is #ifdefed on
ENABLE_CLIENT_CR and can be removed from the build
by commenting out the definition of ENABLE_CLIENT_CR
in syshead.h.
David Sommerseth [Thu, 26 May 2011 08:16:59 +0000 (10:16 +0200)]
Don't define ENABLE_PUSH_PEER_INFO if SSL is not available
The push_peer_info feature depends on the SSL infrastructure and openvpn
will fail to build if ./configure --disable-crypto --disable-ssl is
used. The solution is to not define ENABLE_PUSH_PEER_INFO if we don't
have crypto/ssl.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Sun, 22 May 2011 17:02:39 +0000 (19:02 +0200)]
Windows IPv6 cleanup - properly remove IPv6 routes and interface config
after tunnel shutdown. Needs to make delete_route_ipv6() visible from
tun.c (route.c, route.h) and to properly zero-out host bits from IPv6
"network" at interface route clearing. Further, add IPv6 routes with
"store=active" to make sure nothing lingers after a system crash while
OpenVPN was running.
While at it, small Solaris cleanup - use CLEAR() to zero-out "ifr" struct.
Tested on Windows XP SP3 and Win7 by Gert Doering and Tony Lim.
David Sommerseth [Fri, 29 Apr 2011 11:28:06 +0000 (13:28 +0200)]
Fix const declarations in plug-in v3 structs
Microsoft Visual Studio complains about const char const **ptr declarations
and expects them to be be const char ** const ptr. The latter is what was the
intention, that neither the pointer nor the value(s) it points at can be changed.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
smos [Tue, 10 May 2011 08:01:48 +0000 (10:01 +0200)]
Change the netsh.exe command from "add" to "set".
This prevents the netsh.exe command from exiting with a status 1
when the address already exists. By adding store=active the address
will not survive a reboot and be assigned temporarily.
Tested on Windows 7 and Windows XP SP 2.
Signed-off-by: smos <seth.mos@dds.nl> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: Gert Doering <gert@greenie.muc.de>
Fix 2.2.0 build failure when management interface disabled
I just upgraded to 2.2.0, and my build fails with:
ps.c: In function 'port_share_open':
ps.c:778:7: error: 'management' undeclared (first use in this function)
ps.c:778:7: note: each undeclared identifier is reported only once for
each function it appears in
make[5]: *** [ps.o] Error 1
[Comment by David Sommerseth:
This happens only when building with --enable-small, --disable-management
and --disable-pkcs11
Also changed MANAGEMENT_ENABLED to ENABLE_MANAGEMENT from the original
patch.
]
Mailing-list: http://thread.gmane.org/gmane.network.openvpn.devel/4639 Signed-off-by: Matthew L. Creech <mlcreech@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <davids@redhat.com>
Simon Matter [Tue, 8 Mar 2011 07:27:00 +0000 (07:27 +0000)]
Fix issues with some older GCC compilers
Some older GCC compilers don't like that variables are declared
in the middle of the code, and expect them on the top in the
block/scope.
Trac-ticket: 99 Signed-off-by: Simon Matter <simon.matter@invoca.ch> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
James Yonan [Sun, 24 Apr 2011 00:59:28 +0000 (00:59 +0000)]
Added 'dir' flag to "crl-verify" (see man page for info).
Don't call SSL_CTX_set_client_CA_list or SSL_CTX_set_client_CA_list
if not running in server mode (these functions are only useful for
TLS/SSL servers).
Modified openvpn_snprintf to return false on overflow, and true
otherwise.
When AUTH_FAILED,... is received, log the full string.
James Yonan [Tue, 19 Apr 2011 10:28:06 +0000 (10:28 +0000)]
Revert r7092 and r7151, i.e. remove --enable-osxipconfig
configure option. ipconfig on Mac has certain behavior that makes
it unsuitable for use by OpenVPN to configure tun/tap interface.
James Yonan [Tue, 12 Apr 2011 05:14:34 +0000 (05:14 +0000)]
For Mac OSX, when DARWIN_USE_IPCONFIG is defined, retry ipconfig
command on failure once every second for up to 15 seconds. This
is necessary to work around an issue observed on OSX 10.5 where
the ipconfig command sometimes fails if executed immediately after
the tun device open.
projects / thirdparty / openvpn.git / log
