james [Sun, 27 Jul 2008 18:20:52 +0000 (18:20 +0000)]
Added additional warnings for:
* --tls-remote -- some people misunderstand the semantics
* --script-security -- warn if script-security will allow user-defined
  scripts to be called, and also warn separately if passwords may be
  passed to scripts via the environment
james [Sat, 26 Jul 2008 07:27:03 +0000 (07:27 +0000)]
Completely revamped the system for calling external programs and scripts:
* All external programs and scripts are now called by execve() on unix and
  CreateProcess on Windows.
* The system() function is no longer used.
* Argument lists for external programs and scripts are now built by the new
  argv_printf function which natively outputs to string arrays (i.e.
  char *argv[] lists), never truncates its output, and eliminates the security
  issues inherent in formatting and parsing command lines, and dealing with
  argument quoting.
* The --script-security directive has been added to offer policy controls on
  OpenVPN's execution of external programs and scripts.
Also added a new plugin example (openvpn/plugin/examples/log.c) that logs
information to stdout for every plugin method called by OpenVPN.
james [Wed, 23 Jul 2008 19:51:27 +0000 (19:51 +0000)]
Added argv_x functions to buffer.[ch] to be used to safely build
up argv strings for execve without the possibility of truncation
or misinterpretation of mid-argument spacing.
james [Sat, 19 Jul 2008 03:33:27 +0000 (03:33 +0000)]
Modified extract_x509_field_ssl to return a status value indicating
success/error, and any truncation of output due to an insufficiently
large output buffer will be cause for error.
In verify_callback, read X509 Subject Name without truncation.
In verify_callback, rather than silently truncating Common Name at
64 bytes, throw an error if Common Name is larger than 64 bytes.
james [Sat, 19 Jul 2008 00:29:31 +0000 (00:29 +0000)]
Replace leading dash ('-') characters in an X509 name with underbars ('_')
before calling user-defined scripts, to preclude the chance of a leading
dash being interpreted as an option prefix.
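
Added example, not part of the commit log or of OpenVPN's source: the two defenses described in the entries above (building an execve()-style argv array in which each value stays one argument regardless of embedded spaces, and replacing leading dashes before a value reaches a script), written in C. The names argv_build and fix_leading_dash, the script path and the sample subject are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static char *dup_str(const char *s)   /* heap copy sized to the value: no truncation */
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    return d ? memcpy(d, s, n) : NULL;
}

/* Hypothetical helper, not OpenVPN's argv_printf: each space-separated token of
 * fmt becomes one argv element; "%s" takes the next argument whole, unsplit. */
char **argv_build(int *argc_out, const char *fmt, ...)
{
    size_t cap = 1;                                /* upper bound on token count */
    for (const char *p = fmt; *p; p++) if (*p == ' ') cap++;
    char **argv = calloc(cap + 1, sizeof *argv);   /* +1: NULL terminator */
    char *copy = dup_str(fmt);
    if (!argv || !copy) { free(argv); free(copy); return NULL; }
    va_list ap;
    va_start(ap, fmt);
    int n = 0;
    for (char *tok = strtok(copy, " "); tok; tok = strtok(NULL, " ")) {
        const char *src = strcmp(tok, "%s") == 0 ? va_arg(ap, const char *) : tok;
        if (!(argv[n] = dup_str(src))) break;      /* out of memory: stop early */
        n++;
    }
    va_end(ap); free(copy);
    *argc_out = n;
    return argv;
}

/* Replace leading '-' with '_' so a script cannot read the value as an option. */
char *fix_leading_dash(char *s)
{
    for (char *p = s; *p == '-'; p++) *p = '_';
    return s;
}

int main(void)
{
    char subject[] = "--config /tmp/x CN=client";  /* constructed sample value */
    int argc = 0;
    char **argv = argv_build(&argc, "/path/to/verify.sh %s %s", "0", fix_leading_dash(subject));
    for (int i = 0; argv && i < argc; i++) printf("argv[%d] = [%s]\n", i, argv[i]);
    return 0;   /* a real caller would pass argv to execve(argv[0], argv, envp) */
}
```

The subject, spaces included, arrives as the single element argv[2], with its leading dashes replaced; a command line formatted for system() would have split it into three words.
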
james [Thu, 17 Jul 2008 23:31:16 +0000 (23:31 +0000)]
Previously, OpenVPN might log a client's auth-user-pass
password if the verbosity was set to a high debug level
such as 7 or higher. Normally this would only be used by
developers. Now, even at high debug levels, the password
will not be output.
james [Thu, 17 Jul 2008 20:57:42 +0000 (20:57 +0000)]
Call prng_init after fork in background process
created by port_share_open, so as to ensure
a newly seeded PRNG sequence. This is strictly
defensive programming since port_share_proxy
currently does not use the PRNG.
james [Thu, 17 Jul 2008 18:56:09 +0000 (18:56 +0000)]
Support wraparound of reliable.[ch] packet IDs. In
practice, wraparound of the packet ID sequence is
extremely unlikely since the sequence is restarted
for each mid-session TLS renegotiation. But we will
support it for completeness.
james [Wed, 16 Jul 2008 22:37:09 +0000 (22:37 +0000)]
In the Windows version of tun_finalize, on errors that would
return -1, set buf->len to 0 rather than -1. While downstream
code is set up to consider the buffer invalidated if its length
is <= 0, this change makes the code cleaner and safer.
james [Wed, 4 Jun 2008 07:23:20 +0000 (07:23 +0000)]
Fixed unbounded memory growth bug in
environmental variable code that could
have caused long-running OpenVPN sessions
with many TLS renegotiations to incrementally
increase memory usage over time.
james [Wed, 4 Jun 2008 05:16:44 +0000 (05:16 +0000)]
Incremented version to 2.1_rc7d.
Support asynchronous authentication by plugins by allowing
OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY to return
OPENVPN_PLUGIN_FUNC_DEFERRED. See comments in
openvpn-plugin.h for documentation. Enabled by ENABLE_DEF_AUTH.
Added a simple packet filter functionality that can be driven by
a plugin. See comments in openvpn-plugin.h for documentation.
Enabled by ENABLE_PF.
See openvpn/plugin/defer/simple.c for examples of ENABLE_DEF_AUTH
and ENABLE_PF.
"TLS Error: local/remote TLS keys are out of sync" is no longer a
fatal error for TCP-based sessions, since the error can arise
normally in the course of deferred authentication. In a related
change, allow packet-id sequence to begin at some number n > 0 for
TCP sessions, rather than strictly requiring sequence to begin
at 1.
Added a test to configure.ac for LoadLibrary function on Windows.
Modified "make dist" function to include all files from
install-win32 so that ./domake-win can be run from a
tarball-expanded directory.
setenv and setenv-safe directives may now omit a value argument
which defaults to "".
james [Sun, 25 May 2008 22:31:25 +0000 (22:31 +0000)]
Fixed a bug in plugin.c that caused openvpn_plugin_client_destructor_v1
to not be called for the top-level "generic" client template.
Added additional documentation to openvpn-plugin.h that more clearly
illustrates the full sequence and ordering of plugin callbacks
(plugin/defer/simple.c was extended to provide the raw data for this
documentation).
james [Sun, 17 Feb 2008 08:21:28 +0000 (08:21 +0000)]
The new function extract_x509_field_ssl tends to break
in early versions of OpenSSL 0.9.6. Now we will fall
back to the old function extract_x509_field for OpenSSL
0.9.6.
james [Fri, 1 Feb 2008 19:44:53 +0000 (19:44 +0000)]
Changes to Windows build system: added GENOUT_PREBUILT mode
to allow building an OpenVPN installer with a reduced set
of prerequisites. See comments in domake-win for more info.
james [Fri, 1 Feb 2008 10:13:59 +0000 (10:13 +0000)]
Changes to Windows build system to make it easier to do
partial builds, where only a subset of OpenVPN installer
components are built. See ./domake-win comments.
james [Mon, 21 Jan 2008 19:34:13 +0000 (19:34 +0000)]
Allow OpenVPN to run completely unprivileged under Linux
by allowing openvpn --mktun to be used with --user and --group
to set the UID/GID of the tun device node. Also added --iproute
option to allow an alternative command to be executed in place
of the default iproute2 command (Alon Bar-Lev).
james [Mon, 21 Jan 2008 19:00:43 +0000 (19:00 +0000)]
Added PLUGIN_LIBDIR preprocessor string to prepend a default plugin
directory to the dlopen search list when the user specifies the basename
of the plugin only (Marius Tomaschewski).
james [Fri, 17 Aug 2007 08:22:42 +0000 (08:22 +0000)]
AUTO_USERID feature -- if the auth-user-pass option is used
with some argument ARG, then -ARG will be appended to the
username string that is sent to the server.
james [Sun, 22 Apr 2007 08:21:16 +0000 (08:21 +0000)]
Version is now specified in version.m4 for both
unix and windows versions.
Reworked the Windows build scripting system, with
settings (other than version #) specified in settings.in.
Moved the native scripting grammar as defined by trans.pl
away from NSIS and to something more generic.
james [Sat, 21 Apr 2007 18:28:59 +0000 (18:28 +0000)]
The easy-rsa directory installed by the windows installer comes with the
old easy-rsa 1.0 files. (even current openvpn-2.1_rc2-install.exe)
This bug is not that critical, but it is annoying that easy-rsa still
creates server certificates without extended key usage per default
(openssl.cnf), making the windows user wonder about error messages if
the recommended "remote-cert-tls" option is used. (In this case simply
copying the openssl.cnf from the 2.0 directory did the job, for regular
usage the path to opensc in the newly added pkcs11 section should be
changed).
And if possible please add the following three files to the "Windows"
directory of easy-rsa. They allow to build password protected versions
of the keys (I just copied the files and removed the "-nodes" parameter).
Except for build-key-server-pass.bat I think that they are vital for
security (e.g. the key files are in an unencrypted directory and
physical access is possible). -- Daniel Zauft
james [Sat, 21 Apr 2007 17:59:40 +0000 (17:59 +0000)]
Clean up configure on FreeBSD for recent autotool versions that
require that all .h files have to be compiled.
Also, FreeBSD install does not support GNU long options which the
Makefile in easy-rsa/2.0 uses (not checked the others as we don't
install those on Gentoo) -- Roy Marples