Arne Schwabe [Fri, 31 May 2013 12:59:35 +0000 (14:59 +0200)]
Add reporting of UI version to basic push-peer-info set.
If a GUIs sets IV_OPENVPN_GUI_VERSION the version will be pushed to the
server.
Usage convention for IV_OPENVPN_GUI_VERSION is "<gui_id><space><version>",
for example "de.blinkt.openvpn 0.5.47" for the ICS Android version.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: James Yonan <james@openvpn.net>
Message-Id: <1370005175-14871-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7646 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 25 Oct 2013 08:02:23 +0000 (10:02 +0200)]
Implement custom HTTP header for http-proxy, and always send user-agent:
There are some patched OpenVPN versions out there without source code
(e.g. NDMVPN) that support adding custom http header.
This patch adds custom header to OpenVPN and supports the syntax that the
"in the wild" variants use.
Patch v3 also prints all custom headers with other http options in --verb 5
Patch v4 does clean up the add_proxy_header function Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1382688143-17247-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7946
Josh Cepek [Thu, 14 Nov 2013 18:02:59 +0000 (12:02 -0600)]
Require a 1.2.x PolarSSL version
Upstream policy on PolarSSL API compatibility does not guarantee
stability between point-releases. For OpenVPN, we must verify a 1.2.x
version with the current codebase.
Steffan Karger [Tue, 22 Oct 2013 12:45:17 +0000 (14:45 +0200)]
Require polarssl >= 1.2.10 for polarssl-builds, which fixes CVE-2013-5915.
PolarSSL 1.2.9 fixes a possible timing attack in PolarSSL's RSA-CRT
implementation. See CVE-2013-5915 for details. This commit bumps the
minimum polarssl version required by configure.ac to 1.2.10, because 1.2.9
also introduced a memory leak, which is fixed in 1.2.10.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1382445917-2974-1-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7925 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Tue, 15 Oct 2013 09:23:42 +0000 (11:23 +0200)]
Support non-ASCII TAP adapter names on Windows
Currently the TAP adapter name is fetched as an OEM string, which
is problematic if it contains non-ASCII characters and is to used
with netsh. The logfile also contains these non UTF-8 characters.
This patch fetches the name from the registry as UCS-2 and converts
it right into UTF-8 before it's used.
Josh Cepek [Wed, 21 Aug 2013 21:20:30 +0000 (16:20 -0500)]
Correct error text when no Windows TAP device is present
Starting with the 2.3-series, the TAP-Windows driver/utilities and
OpenVPN are separately installed components. The error message given to
users without available TAP devices uses the pre-2.3 path that does not
exist. The path should be listed under the TAP-Windows program group
that the tap-windows project installer uses.
Resolves bug #320
Signed-off-by: Josh Cepek <josh.cepek@usa.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Message-Id: <kv4ece$s8s$1@ger.gmane.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7825 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Always load intermediate certificates from a PKCS#12 file
Load intermediate certificates from a PKCS#12 file and place them in the
extra certs chain, when trusted CA certs are loaded from an external PEM
file with the --ca option, and the CA certs in PKCS#12 are not to be trusted.
Required when client PKCS#12 file is provided by a different CA
than the server CA, the PKCS#12 file contains intermediate certificates
required for client auth, but the server CA is not in the PKCS#12 file.
When --ca is set, the PKCS#12 provided CA certs are not trusted. Without
this patch, they were ignored completely - with this patch, they're loaded
in the extra certs chain which makes them available for chain verification
but still does not make them trusted if --ca is set. Unless when, of
course, a trusted root is found from the --ca file.
Acked-by: James Yonan <james@openvpn.net> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <alpine.DEB.2.02.1306201400320.10116@jazz.he.fi>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7721
James Yonan [Sun, 28 Jul 2013 22:05:35 +0000 (16:05 -0600)]
MSVC fixes
Fixes to allow compilation with Microsoft Visual Studio 2008
* Fixed several instances of declarations after statements.
* In socket.c, fixed issue where uninitialized value (err)
is being passed to to gai_strerror.
* ssl.c is trying to access multi_output_peer_info_env
function in multi.c, causing an undefined symbol warning
at compile time. ssl.c is strictly a client of multi.c
(but not the other way around), therefore ssl.c does not
include multi.h and should not depend on multi.h API. To
fix, moved validate_peer_info_line and multi_output_peer_info_env
from multi.c to misc.c.
* MSVC doesn't support %z as a printf format specifier for size_t
* MSVC doesn't support a const variable being used to dimension
an array.
* Explicitly cast the third parameter to setsockopt to
const void * Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1375049135-21444-1-git-send-email-james@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7777
James Yonan [Tue, 11 Jun 2013 06:25:05 +0000 (00:25 -0600)]
Added "setenv opt" directive prefix. If present, and if the
directive that follows is recognized, it will be processed
as if the "setenv opt" prefix was absent. If present and if
the directive that follows is not recognized, the directive
will be ignored rather than cause a fatal error.
For example, suppose you are distributing a client
configuration file and want to set the minimum TLS version
that the client requires from the server to 1.2.
By using the following directive,
setenv opt tls-version-min 1.2 or-highest
only newer clients that understand the tls-version-min directive
would process it, while older clients would ignore it.
James Yonan [Tue, 11 Jun 2013 04:59:30 +0000 (22:59 -0600)]
TLS version negotiation
Updated the TLS negotiation logic to adaptively try to connect using
the highest TLS version supported by both client and server.
Previously, OpenVPN (when linked with OpenSSL) would always connect
using TLS 1.0.
Also added tls-version-min directive to force a higher TLS version
than 1.0:
tls-version-min <version> ['or-highest'] -- sets the minimum
TLS version we will accept from the peer. Examples for version
include "1.0" (default), "1.1", or "1.2". If 'or-highest' is
specified and version is not recognized, we will only accept
the highest TLS version supported by the local SSL implementation.
Examples:
tls-version-min 1.1 -- fail the connection unless peer can
connect at TLS 1.1 or higher.
tls-version-min 1.2 or-highest -- require that the peer
connect at TLS 1.2 or higher, however if the local SSL
implementation doesn't support TLS 1.2 (as it wouldn't
if linked with an older version of OpenSSL), reduce the
minimum required version to the highest version supported
by the local SSL implementation (such as TLS 1.0). This
is intended to allow client configurations to target higher
TLS versions that are supported on the server, even if some
older clients don't support these versions yet.
[
This is a merged patch from on the following commits
on git://github.com/jamesyonan/openvpn.git
plugin: Extend the plug-in v3 API to identify the SSL implementation used
OpenVPN would segfault unexpectedly if it would be compiled against
PolarSSL
and the plug-in would expect OpenSSL, or vice-versa. This segfault would
not appear before the plug-in would try to access functions which would
be available if the plug-in and OpenVPN uses the same SSL implementation.
This patch adds a member to the plug-in initialisation function, which
identifies the SSL implementation.
The log_v3 plug-in is updated accordingly + a simple fix to make it
buildable again using the ./build script.
A minor documentation error in the openvpn-plugin.h was also
corrected, where it mentioned OPENVPN_PLUGIN_VERSION instead of
OPENVPN_PLUGINv3_STRUCTVER.
v2 - add const ovpnSSLAPI ssl_api at the end of
struct openvpn_plugin_args_open_in and not in the "middle"
v3 - fix bug in plug-in init, as the SSLAPI was located wrong in the
args struct sent to the openvpn_plugin_open_v3() function.
v4 - Ensure SSLAPI got a sane/known value if SSL is disabled or unknown
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1372879030-10576-1-git-send-email-dazo@users.sourceforge.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7754 Signed-off-by: Gert Doering <gert@greenie.muc.de>
This "feature" has been enabled since OpenVPN 2.2 without any reports that
this has been causing issues. All it does is to add an extra environment
variable 'tls_digest_{n}' with the certificate SHA1 fingerprint/digest
hash.
Lets just simplify things by removing the possibility to disable this
environment variable.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1370600123-6029-1-git-send-email-dazo@users.sourceforge.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7660 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 21 Jun 2013 10:48:28 +0000 (12:48 +0200)]
Add support of utun devices under Mac OS X
Mac OS X 10.7+ natively supports tun devices (called utun). The "standard"
utun.ko driver is sometimes problematic (e.g. VmWare Fusion 5 and tun.ko
do not work together).
When OpenVPN is compiled with utun support it will if no dev-node is given
first try to use utun and if that is not available will try the
traditional tun devices
v2: Fixed tap support, get device name via ioctl, add manage
v3.1: Fix compiling without if/utun.h, fix manage errors
v4/v5: Don't try open to dynamically open utun0 -255 when early utun
initialization fails, fix fallback to tun, give fatal error message when
utun fails but no tun fallback should be done
v6: add commit message change log, replace strstr with strncmp, move
v7: Throw error if a user does the strange combination of --dev tun
--dev-type tap and --dev-node utun
A lot good input on earlier patches by Jonathan K. Bullard
<jkbullard@gmail.com>
Parts of the patches are inspired from Peter Sagerson's
<psagers@ignorare.net> utun patch Signed-off-by: Arne Schwabe <arne@rfc2549.org> Tested-by: Jonathan K. Bullard <jkbullard@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1371811708-8528-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7739 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 30 May 2013 21:02:17 +0000 (23:02 +0200)]
Move checking of script file access into set_user_script
At the moment script are only checked if P2MP_SERVER is defined. For
CLIENT_ONLY openvpn script were never checked. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1369947737-26081-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7635
Arne Schwabe [Thu, 30 May 2013 20:26:43 +0000 (22:26 +0200)]
Move settings of user script into set_user_script function
This also fixes commit 567bfc06d051b60e9cdca1f5bb468631b899682a if not all
script options are available by setting options->user_script_used Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1369945603-17169-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7634
Arne Schwabe [Thu, 30 May 2013 13:27:08 +0000 (15:27 +0200)]
Only print script warnings when a script is used. Remove stray mention of script-security system.
Acked-by: Jan Just Keijser <janjust@nikhef.nl>
Message-Id: <1369920428-11350-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7625
Gert Doering [Thu, 30 May 2013 11:31:24 +0000 (13:31 +0200)]
Fix problem with UDP tunneling due to mishandled pktinfo structures.
In link_socket_write_udp_posix_sendmsg(), pktinfo structures for ipv4 and
ipv6 are going out of scope before actually calling sendmsg(), so depending
on compiler optimization, garbage is passed to sendmsg() - fix by using
"union openvpn_pktinfo" and having that in scope all the time.
Problem reported and patch provided by "danta" in trac#297
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
URL: https://community.openvpn.net/openvpn/ticket/297
Message-ID: <20130530184427.GP20843@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7629
Gert Doering [Sun, 5 May 2013 12:36:13 +0000 (14:36 +0200)]
Make push-peer-info visible in "normal" per-instance environment.
Without this patch, peer-info pushed by clients in the TLS handshake
is only visible on the management interface, and only if
--management-client-auth is enabled.
With this patch, received records are sanitized and put into the normal
"multi instance" environment, where it can be evaluated by --client-connect
or --auth-user-pass-verify scripts and plugins, etc. Only records matching
a fairly strict "name=value" format are accepted, and only names starting
with IV_ or UV_ are exported, to avoid clients sending funny stuff and
playing havoc with script/plugin environments on the server. In the
"value" part, spaces, non-printable characters and shell metacharacters
are replaced by '_'.
The change is somewhat invasive as reception of the peer_info string was
only done when username+password are expected from the client, but the
data is always there (if the client sends no username/password, it will
send 0-length strings, so always extracting 3 strings is safe). Also,
the sanitation function validate_peer_info_line() and the opts->peer_info
field were only compiled in #ifdef MANGEMENT_DEF_AUTH...
Patch v3: do not call the old man_output_peer_info_env() anymore, unless
a management env-filter has been set (= ensure IV_ and UV_ stuff is sent
at most *once*, and exactly the way OpenVPN AS expects it). Add
substituting of "bad" characters in the environment values.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1367757373-31637-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7582
James Yonan [Mon, 20 May 2013 10:13:21 +0000 (12:13 +0200)]
Always push basic set of peer info values to server.
On the client, allow certain peer info fields to be pushed even if
push-peer-info isn't specified in the config.
This is needed to allow the compression handshake to work correctly
(i.e. where the client indicates its support for LZO and/or Snappy).
Fields that have privacy implications such as Mac Address and UV_*
environment variables will not be pushed to the server as before unless
push-peer-info is specified by client config.
v1: equivalent to OpenVPN SVN r8225 (2.1.21c)
v2: distinguish 3 levels of peer-info detail
--push-peer-info specified --> send all we have
--pull specified --> send basic set, as per r8225
default --> send nothing (do not leak from server)
v3: undo extra whitespace changes in v1 and v2
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1369044801-7594-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7604
Gert Doering [Fri, 19 Apr 2013 17:41:08 +0000 (19:41 +0200)]
Fix usage of 'compression ...' from global config.
The new compression framework introduced by SVN r8206 only works for
a P2MP server if the compression settings are re-installed for each
client via management interface, ccd/ file or client-connect script,
but the "global" settings get lost due to (needlessly) clearing the
c2.comp_context in the per-client instance. Fixed. (also trac#273)
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1366393268-27392-6-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7529
James Yonan [Tue, 18 Sep 2012 06:33:34 +0000 (08:33 +0200)]
Added support for the Snappy compression algorithm
Added support for the Snappy compression algorithm which has shown to
have considerably better compression speed than LZO at a comparable
compression ratio.
To enable Snappy add:
compress snappy
to both client and server config files.
Alternatively, enable compression framing on the client:
compress
and have the server selectively push "compress snappy" to the client.
This change also extends the client capability handshake to include
IV_SNAPPY so the server can be aware that a connecting client supports
Snappy.
Note that the Snappy implementation also includes an improved framing
approach where the first byte of the compressed payload is replaced by
the compression control byte (the first payload byte is moved to the end
of the packet). This solves off-by-one alignment issues, which improves
performance on ARM.
By default, the configure script will try to build with Snappy support.
To disable, use the --disable-snappy option.
The --enable-lzo-stub configure directive is now --enable-comp-stub
(because it's not actually "lzo" but "compression-enabled packet framing")
Add compression overhead to extra buffer unconditionally, as long
as USE_COMP is defined.
OpenVPN SVN r8206 (2.1.21a) and r8212 (2.1.21b)
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1366393268-27392-3-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7531 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Josh Cepek [Thu, 16 May 2013 14:09:23 +0000 (09:09 -0500)]
Fix Windows script execution when called from script hooks
Console applications under Windows, such as batch scripts, require the
CREATE_NO_WINDOW process flag when run without an actual console window
present. This change allows such scripts to execute and impact the hook
status by way of their return code.
Gert Doering [Fri, 3 May 2013 19:13:24 +0000 (21:13 +0200)]
Fix NULL-pointer crash in route_list_add_vpn_gateway().
Add ASSERT() check to route_list_add_vpn_gateway() to ensure that *rl
is valid (and if not, crash with a somewhat more meaningful message than
"segmentation violation"). For the actual bugfix, change init code to
always allocate a "struct route_list" for IPv4, even if no --route options
have been seen in the config.
Arne Schwabe [Fri, 26 Apr 2013 19:59:32 +0000 (21:59 +0200)]
Emulate persist-tun on Android
On Android changing the configuration of tun is not possible. So instead
of reconfiguring the tun device, open a new tun device and close the old
one if needed.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1367006372-14815-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7558
Arne Schwabe [Tue, 30 Apr 2013 19:29:11 +0000 (21:29 +0200)]
Android platform specific changes.
On Android 4.0 (TARGET_ANDROID) the real opening of the tun is handled by
the (Java) application controlling OpenVPN. Instead of calling
ifconfig/route call the management to do the work. When running openvpn as
root openvpn should be compiled as TARGET_LINUX
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1367350151-23089-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7570 Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Fri, 19 Apr 2013 11:21:54 +0000 (13:21 +0200)]
Improve the git revision tracking
This removes the single 'git revision' line from the --version screen and
moves this information on the top, together with the OpenVPN version.
In addition this patch adds two git flags after the git committish. If
there exists changed but unstaged files when the build was done, a '+' is
appended after the committish. If there exists staged files (files which
have been added with 'git add') a '*' will be appended. These flags are
not exclusive.
This also simplifies the config-version.h generation by not using
sed parsing a template. It's just two lines which are generated, so
no need to complicate things more than needed.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1366375212-14886-1-git-send-email-dazo@users.sourceforge.net
URL: http://article.gmane.org/gmane.network.openvpn.devel/7522
Gert Doering [Wed, 10 Apr 2013 18:55:37 +0000 (20:55 +0200)]
Print "Virtual IPv6 Address" on management interface queries [v4]
Add extra column to management queries for "status 2" or "status 3"
after "Virtual Address", empty if no IPv6 address assigned to this
client (or IPv6 not active at all).
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20130411150918.GW569@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7503
Arne Schwabe [Fri, 31 Aug 2012 14:19:13 +0000 (16:19 +0200)]
Add the client id (CID) to the output of the status command
This add adds CID which is needed by a few other management commands to
the status output. This will change the output of status in the same way
commit ca18a638aa7cf316611f893127ba44131e57083c did.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1346422753-19520-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7021 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Tue, 26 Mar 2013 16:09:35 +0000 (17:09 +0100)]
Fix directly connected routes for "topology subnet" on Solaris.
This basically brings back the previously-working metric setting for
directly connected routes (add a "0" to the "route add" command) on
Solaris/OpenSolaris. It was working in f0eac1a59790, and got broken
by the route.c/route.h refactoring in 576dc96ca1ef1 - the patch
un-does that change to the TARGET_SOLARIS code, plus adds some more
descriptive comments.
Gert Doering [Sat, 23 Mar 2013 09:28:48 +0000 (10:28 +0100)]
Add MIN() compatibility macro
commit 3b23b18dddb8f8f4a introduced usage of MIN(), and not all platforms
have the macro in "readily usable" system header files, most notably it's
missing on OpenSolaris and Android. Add macro if not defined yet.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20130323112234.GM17727@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7450
Steffan Karger [Fri, 22 Mar 2013 08:54:24 +0000 (09:54 +0100)]
Switch to IANA names for TLS ciphers.
Added translation table and functions to translate between TLS OpenSSL
and IANA (IETF) cipher suite names. The previously used OpenSSL names
are still accepted, but a deprecation warning is issued.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1363942465-3251-6-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7439 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Added translate_cipher name to crypto_openssl.c and crypto_polarssl.c
to translate between OpenVPN(/OpenSSL) and PolarSSL data channel
cipher algorithm names. OpenSSL does not require any translating,
PolarSSL does for a small number of algorithms. This improves on
config file compatibility between the OpenSSL and PolarSSL builds.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1363942465-3251-5-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7435 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Fri, 22 Mar 2013 08:54:22 +0000 (09:54 +0100)]
Improve verify_callback messages
Print the *flags argument, which - for PolarSSL-1.2 - contains the reasons
that the certificate failed (pre-)verification.
Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1363942465-3251-4-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7437 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Instead of logging the fact that an error occured, log the error code and
description (when available in the PolarSSL build).
Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1363942465-3251-3-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7440 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Fri, 22 Mar 2013 08:54:20 +0000 (09:54 +0100)]
PolarSSL-1.2 support
Add support for PolarSSL-1.2, which has changed the API in several places.
This is a minimal port, new features have not been enabled. Only PolarSSL
1.2.5 and newer are accepted, as earlier versions contain unresolved
(security) issues.
Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com> Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Adriaan de Jong <dejong@fox-it.com>
Message-Id: <1363942465-3251-2-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7436 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Josh Cepek [Wed, 20 Mar 2013 18:22:25 +0000 (13:22 -0500)]
(updated) [PATCH] Warn when using verb levels >=7 without debug
On 3/20/2013 11:42, Arne Schwabe wrote:
> ACK. But I would change "debug verb" to "debug verbosity" and I think
> there should be no comma before "but"
This text change makes sense: I've adjusted it to read "NOTE: debug
verbosity..." and saved another byte removing the comma.
Updated patch attached.
--
Josh
>From d41a0237220f2fea6647a508a2ab07263e0f160b Mon Sep 17 00:00:00 2001
From: Josh Cepek <josh.cepek@usa.net>
Date: Tue, 19 Mar 2013 22:52:12 -0500
Subject: [PATCH] Warn when using verb levels >=7 without debug
This patch adds a log warning when using --verb levels at 7 or higher
when running on builds lacking debug support. Since official builds are
now built with enable_debug=no, this warning will help developers
identify why expected debug messages may not be present in log output.
The test and message output code is omitted when built with
enable_debug=yes or enable_small=yes.
Signed-off-by: Josh Cepek <josh.cepek@usa.net> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <kicup2$gfv$1@ger.gmane.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7425 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Josh Cepek [Thu, 21 Feb 2013 15:50:38 +0000 (09:50 -0600)]
Fix parameter listing in non-debug builds at verb 4
When built with enable_debug=no, the parameter output expected at --verb
4 is not printed due to use of #ifdef ENABLE_DEBUG in the responsible
code sections. This appears to be a mistake when looking at the
configure help text for enable_small and enable_debug.
This change keys the relevant code off of enable_small instead,
including the parameter listing when enale_small=no (the
configure-script default.) Most of this code is in options.c, with some
callers present in plugin.c/h and route.c/h. No function code is
changed, just the #ifdef values to use the small feature instead of
debug.
This means builds no longer need enable_debug=yes in order to get the
expected log output at verb 4.
Signed-off-by: Josh Cepek <josh.cepek@usa.net> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <437RBuq1U8032S07.1361465626@web07.cms.usa.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7361 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Mon, 11 Mar 2013 20:03:20 +0000 (21:03 +0100)]
Repair "tcp server queue overflow" brokenness, more <stdbool.h> fallout.
Return value of mbuf_len() wrong - it's returning a length value, not
a yes/no value - so when the queue length approached 65 (full!), it
still only returned "1", leading to MBUF overflow later on. Change
from "bool" to "unsigned int", misbehaviour gone...
This fixes OpenVPN trac ticket #263.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Peter Caprioli <petercap@kth.se>
Message-Id: <20130312100706.GN953@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7396 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Fri, 22 Feb 2013 09:44:21 +0000 (10:44 +0100)]
make --tls-remote compatible with pre 2.3 configs
In openvpn 2.3.0 the semantics of the --tls-remote option changed.
That broke more configurations than anticipated. To not break
configurations that use --tls-remote with a legacy OpenSSL style DN
anymore, it is now detected when such a DN is configured. When
necessary the --compat-names option is then automatically enabled.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: 1361526263-1740-3-git-send-email-heiko.hund@sophos.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/7366 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Fix corner case in NTLM authentication (trac #172)
The problem is located in the file proxy.c within
"establish_http_proxy_passthru": To keep buffers small long
base64-encoded NTLM-Strings are truncated.
But the truncating is done on a wrong place: base 64 strings can be
cut every 4 chars. the buffer is 128 bytes - including the terminating
\0, so the usable data is only 127 bytes. And decoding a 127 char
base64 string fails... this is why the ntlm authentication fails in
certain cases (long strings)...
Christian Hesse [Tue, 8 Jan 2013 08:39:12 +0000 (09:39 +0100)]
fix build with automake 1.13(.1)
AM_CONFIG_HEADER has been deprecated for some time, finally it is removed
on automake 1.13. The attached patch replaces it with AC_CONFIG_HEADERS and
fixes build process with latest automake.
Heiko Hund [Mon, 4 Feb 2013 11:39:25 +0000 (11:39 +0000)]
Ignore UTF-8 byte order mark
Currently openvpn exits when reading configuration from a file
that has an UTF-8 byte order mark (EF BB BF) at its start.
While it is useless to put a BOM into UTF-8 encoded files, the
Unicode standard [1] permits it (on page 36):
"Use of a BOM is neither required nor recommended for UTF-8,
but may be encountered in contexts where UTF-8 data is converted
from other encoding forms that use a BOM or where the BOM is
used as a UTF-8 signature."
Notepad.exe, the default text editor on Windows, always puts the BOM
into UTF-8 encoded files when saving them. Others may do as well.
Just ignoring the UTF-8 BOM will make config files with UTF-8 BOM
readable.
Samuli Seppänen [Fri, 25 Jan 2013 09:59:34 +0000 (11:59 +0200)]
Cleaned up and updated INSTALL
- Changed "Supported platforms" to reflect current support status of the
mentioned operatingsystems
- Removed mentions of the obsolete Python and domake-win buildsystems
- Added mention of official Debian/RPM packages
- Added links to the Wiki
- Added mention of the new openvpn-build cross-compile environment
- Added PolarSSL to and removed pthreads from the "Optional" section
- Added mention of t_client.sh test framework
- Removed some very old (pre-2005) nuggets of (obsolete) information
- Other minor cleanups
- Some reorganization
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1359107974-1481-1-git-send-email-samuli@openvpn.net
URL: http://article.gmane.org/gmane.network.openvpn.devel/7303 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Matthias Andree [Sat, 12 Jan 2013 12:41:17 +0000 (13:41 +0100)]
Enable TCP_NODELAY configuration on FreeBSD.
The missing #include <netinet/tcp.h> causes a defined(TCP_NODELAY) to
fail. I have added the patch to the FreeBSD ports OpenVPN 2.2.2 and
2.3.0, and confirmed (with strings ... | grep) that the TCP_NODELAY code
is now part of the executable on amd64, and results in this log output:
Sat Jan 12 13:39:18 2013 Listening for incoming TCP connection on [undef]
Sat Jan 12 13:39:18 2013 Socket flags: TCP_NODELAY=1 succeeded
Obtained from: https://community.openvpn.net/openvpn/ticket/158
Credits to: M. Nottebrock
Signed-off-by: Matthias Andree <matthias.andree@gmx.de> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1357994477-29981-1-git-send-email-matthias.andree@gmx.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/7230 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sun, 3 Feb 2013 11:12:31 +0000 (12:12 +0100)]
Remove dead code path and putenv functionality
The construct_name_value function call will always fail so this code path
is never used. Since we now always have a valid environment in
static_context->c2.es it is better to have a ASSERT(es) than to call this
code patch.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1359889951-3369-1-git-send-email-arne@rfc2549.org
URL: http://article.gmane.org/gmane.network.openvpn.devel/7323 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Fri, 25 Jan 2013 11:39:14 +0000 (12:39 +0100)]
Update README.IPv6 to match what is in 2.3.0
IPv6 is no longer provided by external patches - all has been
integrated. Document that fact, point at the new configuration options,
and at potential caveats.
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1359113954-25768-1-git-send-email-gert@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/7305 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Fri, 1 Feb 2013 14:19:14 +0000 (15:19 +0100)]
close more file descriptors on exec
Don't inherit the --status and --ifconfig-pool-persist, and on Linux
the epoll(7), file descriptors to scripts and other processes that
may be forked by plugins.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1359728354-9405-1-git-send-email-heiko.hund@sophos.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/7312 Signed-off-by: David Sommerseth <davids@redhat.com>
Gert Doering [Tue, 25 Dec 2012 12:41:50 +0000 (13:41 +0100)]
Fix client crash on double PUSH_REPLY.
Introduce an extra bool variable c2.pulled_options_md5_init_done to
keep track of md5_init state of pulled_options_state - avoid accessing
uninitialized state when a second PUSH_REPLY comes in (which only happens
under very particular circumstances).
Bug tracked down by Arne Schwabe <arne@rfc2549.rrg>.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: 20121225124856.GT22465@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/7216 Signed-off-by: David Sommerseth <davids@redhat.com>
Gert Doering [Sun, 16 Dec 2012 21:15:20 +0000 (22:15 +0100)]
Fix option inconsistency warnings about "proto" and "tun-ipv6"
"tun-ipv6" is only sent in option string if running in point-to-point
mode (= not --server and not --client or --pull), because in those
scenarios it's usually pushed by the server, and the client does not
yet have it when comparing options -> needless warning.
Completely ignore "proto" values when comparing option strings - this
is in preparation for removing proto from the option string in a future
release, and to avoid warnings when 2.3 talks to this future release.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1355692520-24362-1-git-send-email-gert@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/7194 Signed-off-by: David Sommerseth <davids@redhat.com>
David Sommerseth [Thu, 29 Nov 2012 13:16:12 +0000 (14:16 +0100)]
The get_default_gateway() function uses warn() instead of msg()
A report on #openvpn pointed out that in his setup three warnings
appeard on the console when starting up.
$ sudo /usr/local/etc/rc.d/openvpn restart
Stopping openvpn.
Waiting for PIDS: 33031.
Starting openvpn.
openvpn: writing to routing socket: No such process
openvpn: writing to routing socket: No such process
openvpn: writing to routing socket: No such process
$
This setup is on FreeBSD using jails with strict access to the
routing table.
After looking at the code path, this error was found in the BSD
sections for get_default_gateway(). But it was using the warn()
call instead of msg(M_WARN|M_ERRNO, ...) which causes these
warnings to go to stderr instead of the log file.
The warning string is also slightly modified to better explain
what fails.
Reported-by: Thomas Steen Rasmussen <thomas@gibfest.dk> Tested-by: Thomas Steen Rasmussen <thomas@gibfest.dk> Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1354194972-5388-1-git-send-email-dazo@users.sourceforge.net
URL: http://article.gmane.org/gmane.network.openvpn.devel/7149
David Sommerseth [Fri, 16 Nov 2012 11:02:06 +0000 (12:02 +0100)]
Avoid recursion in virtual_output_callback_func()
This solves a SEGV situation when using the management API while OpenVPN
is closing down.
The situation happens when the management socket has closed and OpenVPN
tries to write an error about this to the management socket. What happens
is that
virtual_output_callback_func() is called, which then calls
-> man_output_list_push_finalize()
-> man_output_standalone()
-> man_write() <-- this does the socket write
-> man_io_error()
-> x_msg()
-> virtual_output_print()
-> virtual_output_callback_func() (recursion start)
virtual_output_callback_func() do have a mechanism to avoid recursion,
but that did not keep the recurse counter when
man_output_list_push_finalize()
is called.
This patch just reorganise the recursion block to also keep the counter
while
calling the other functions from virtual_output_callback_func()
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1353063726-25113-1-git-send-email-dazo@users.sourceforge.net
URL: http://article.gmane.org/gmane.network.openvpn.devel/7130
Arne Schwabe [Mon, 26 Nov 2012 14:33:09 +0000 (15:33 +0100)]
Properly require --key even if defined(MANAGMENT_EXTERNAL_KEY)
When specifying --tls-client --cert ... without a --key (or --pkcs11)
option, OpenVPN should complain:
"You must define private key file (--key)...". Ensure that this
works even when compiling with MANAGMENT_EXTERNAL_KEY.
Also fix the other instance where this logic is broken
Orginal-Patch-by: Found by Joachim Schipper <joachim.schipper@fox-it.com> Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1353940389-31075-1-git-send-email-arne@rfc2549.org
URL: http://article.gmane.org/gmane.network.openvpn.devel/7143 Signed-off-by: David Sommerseth <davids@redhat.com>
Arne Schwabe [Mon, 19 Nov 2012 18:12:17 +0000 (19:12 +0100)]
Error message if max-routes used incorrectly
the route/route-ipv6/redirect-gateway options allocate the route structe
with max_routes number of routes. A max-routes after any of this commands
has no effect. This can be problematic
(http://code.google.com/p/ics-openvpn/issues/detail?id=101)
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1353348737-21920-1-git-send-email-arne@rfc2549.org
URL: http://article.gmane.org/gmane.network.openvpn.devel/7131 Signed-off-by: David Sommerseth <davids@redhat.com>
In commit dc7be6d078ba106f9b0de12f3e879c3561c3c537 the string_alloc() call
in pf_init_context() was modified to use the gc_arena object for memory
allocation. What was not taken into consideration was that
pf_destroy_context() was also freeing memory allocated by string_alloc(),
and when pf_init_context() is calling gc_free() a double-free situation
showed up.
Lets remove the explict free, and let gc_free take care of all the memory
handling.
Reported-by: cuzz@163.com Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1352196216-11560-1-git-send-email-dazo@users.sourceforge.net
URL: http://article.gmane.org/gmane.network.openvpn.devel/7124
David Sommerseth [Thu, 25 Oct 2012 12:22:30 +0000 (14:22 +0200)]
Remove the support for using system() when executing external programs or scripts
This patch removes the support for the system() call, and enforces the
usage of execve() on the *nix platform and CreateProcessW() on Windows.
This is to enhance the overall security when calling external scripts.
Using system() is prone to shell expansions, which may lead to security
breaches. Which is also why the execve() approach has been the default
since commit a82813527551f0e79c6d6ed5a9c1162e3c171bcf which
re-introduced the system() in Nov. 2008.
After having asked on the mailing list and checked around on the IRC
channels, the genereal consensus is that very few uses system() these
days.
The only annoyance I've been made aware of is that this will now
require adding a full path to the script interpreter together with the
script, and not just put in the script name alone. But to just use the
script name in Windows, you had to configure --script-security with the
'system' flag earlier too. So my conclusion is that it's better to add
a full path to the script interpreter in Windows and raise the overal
security with OpenVPN, than to continue to have a possible potentially
risky OpenVPN configuration just to make life "easier" for Windows
script users.
Removal of the system() call, also solves a nasty bug related to the
usage of putenv() on the *nix platforms.
For more information please see:
http://thread.gmane.org/gmane.network.openvpn.devel/7090
https://community.openvpn.net/openvpn/ticket/228
Trac-ticket: 228 Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1351539352-17371-1-git-send-email-dazo@users.sourceforge.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7114
Heiko Hund [Mon, 29 Oct 2012 13:16:37 +0000 (14:16 +0100)]
Support UTF-8 --client-config-dir
If a common name (or user name, when used in conjunction with
--username-as-common-name) contains UTF-8 encoded characters their
octets get replaced by underscores. This becomes problematic when
user "Müller" and "Möller" need to have a CCD file and both would
receive options from the file "M__ller". The situation is even
worse for non-latin alphabets, where CCD file names consist of
underscores entirely.
This patch removes that limitation and also allows the file names
to contain any punctuation characters besided the resevered ones.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1351516597-11128-1-git-send-email-heiko.hund@sophos.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/7110 Signed-off-by: David Sommerseth <davids@redhat.com>
projects / thirdparty / openvpn.git / log
