Steffan Karger [Tue, 15 Aug 2017 08:04:33 +0000 (10:04 +0200)]
Fix bounds check in read_key()
The bounds check in read_key() was performed after using the value, instead
of before. If 'key-method 1' is used, this allowed an attacker to send a
malformed packet to trigger a stack buffer overflow.
Fix this by moving the input validation to before the writes.
Note that 'key-method 1' has been replaced by 'key method 2' as the default
in OpenVPN 2.0 (released on 2005-04-17), and explicitly deprecated in 2.4
and marked for removal in 2.5. This should limit the amount of users
impacted by this issue.
CVE: 2017-12166 Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <80690690-67ac-3320-1891-9fecedc6a1fa@fox-it.com>
URL: https://www.mail-archive.com/search?l=mid&q=80690690-67ac-3320-1891-9fecedc6a1fa@fox-it.com Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit fce34375295151f548a26c2d0eb30141e427c81a)
Guido Vranken [Fri, 19 May 2017 12:04:25 +0000 (14:04 +0200)]
Prevent two kinds of stack buffer OOB reads and a crash for invalid input data
Pre-authentication remote crash/information disclosure for clients
If clients use a HTTP proxy with NTLM authentication (i.e.
"--http-proxy <server> <port> [<authfile>|'auto'|'auto-nct'] ntlm2"),
a man-in-the-middle attacker between the client and the proxy can
cause the client to crash or disclose at most 96 bytes of stack
memory. The disclosed stack memory is likely to contain the proxy
password.
If the proxy password is not reused, this is unlikely to compromise
the security of the OpenVPN tunnel itself. Clients who do not use
the --http-proxy option with ntlm2 authentication are not affected.
CVE: 2017-7520 Signed-off-by: Guido Vranken <guidovranken@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=C62DZaxN32WNtQ@mail.gmail.com>
URL: https://www.mail-archive.com/search?l=mid&q=CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=C62DZaxN32WNtQ@mail.gmail.com Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7718c8984f04b507c1885f363970e2124e3c6c77)
(cherry picked from commit f38a4a105979b87ebebe9be1c3d323116d3fb924)
Gert Doering [Sun, 18 Jun 2017 19:41:04 +0000 (21:41 +0200)]
Fix potential 1-byte overread in TCP option parsing.
A malformed TCP header could lead to a one-byte overread when
searching for the MSS option (but as far as we know, with no
adverse consequences).
Change outer loop to always ensure there's one extra byte available
in the buffer examined.
Technically, this would cause OpenVPN to ignore the only single-byte
TCP option available, 'NOP', if it ends up being the very last
option in the buffer - so what, it's a NOP anyway, and all we
are interested is MSS, which needs 4 bytes.
(https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml)
Found and reported by Guido Vranken <guidovranken@gmail.com>.
Trac: #745
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20170618194104.25179-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14874.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 22046a88342878cf43a9a553c83470eeaf97f000)
(cherry picked from commit 4d343fbe9166e14187775567db00c0a91017df83)
Guido Vranken [Fri, 16 Jun 2017 00:58:56 +0000 (02:58 +0200)]
Fix a null-pointer dereference in establish_http_proxy_passthru()
Prevents that the client crashes if the peer does not specify
the 'realm' and/or 'nonce' values. These pointers are
dereferenced in DigestCalcHA1() and DigestCalcResponse();
hence, if not set, a null-pointer dereference would occur.
Signed-off-by: Guido Vranken <guidovranken@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1497574736-2092-1-git-send-email-gv@guidovranken.nl>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14844.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 14865773ad64d861128bc80ad44c37bdc307c996)
(cherry picked from commit 479b6d13d8c230c11b6315665bf00998a1424eef)
Steffan Karger [Thu, 11 May 2017 21:13:41 +0000 (23:13 +0200)]
Drop packets instead of assert out if packet id rolls over (CVE-2017-7479)
Previously, if a mode was selected where packet ids are not allowed to roll
over, but renegotiation does not succeed for some reason (e.g. no password
entered in time, certificate expired or a malicious peer that refuses the
renegotiaion on purpose) we would continue to use the old keys. Until the
packet ID would roll over and we would ASSERT() out.
Given that this can be triggered on purpose by an authenticated peer, this
is a fix for an authenticated remote DoS vulnerability. An attack is
rather inefficient though; a peer would need to get us to send 2^32
packets (min-size packet is IP+UDP+OPCODE+PID+TAG (no payload), results in
(20+8+1+4+16)*2^32 bytes, or approx. 196 GB).
This is a fix for finding 5.2 from the OSTIF / Quarkslab audit.
This patch was cherry-picked from b727643c (release/2.3).
CVE: 2017-7479 Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1494537221-12050-3-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14645.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Thu, 11 May 2017 21:13:40 +0000 (23:13 +0200)]
cleanup: merge packet_id_alloc_outgoing() into packet_id_write()
The functions packet_id_alloc_outgoing() and packet_id_write() were
always called in tandem. Instead of forcing the caller to allocate a
packet_id_net to do so, merge the two functions. This simplifies the API
and reduces the chance on mistakes in the future.
This patch was cherry-picked from 5d747770 (release/2.3), with the unit
tests removed because release/2.2 does not have unit tests.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1494537221-12050-2-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14644.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Jens Wagner [Tue, 7 Jan 2014 21:07:54 +0000 (22:07 +0100)]
Fix spurious ignoring of pushed config options (trac#349).
The function incoming_push_message(...) in push.c uses a local variable
option_types_found, that gets passed to do_up(...).
If the server push got split into several parts, only the last part
(PUSH_MSG_REPLY) option_types_found is used for do_up (initilized as 0
locally), the previous ones (PUSH_MSG_CONTINUATION) are ignored.
So e.g. a ping config, pushed by the server in the first push, followed
by a lot of "push route" configs, causing a second push message, will
have the do_up() called, but without e.g. the OPT_P_TIMER flag, so those
options will be silently ignored.
The patch resolves that, by introducing "push_option_types_found" in
"c->options" and using that as storage.
Fix trac bug #349.
Acked-by: Gert Doering <gert@greenie.muc.de>
URL: https://community.openvpn.net/openvpn/ticket/349 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 1aac9a0b7a4046822a0134cd8693a828f2e16576)
Fix corner case in NTLM authentication (trac #172)
The problem is located in the file proxy.c within
"establish_http_proxy_passthru": To keep buffers small long
base64-encoded NTLM-Strings are truncated.
But the truncating is done on a wrong place: base 64 strings can be
cut every 4 chars. the buffer is 128 bytes - including the terminating
\0, so the usable data is only 127 bytes. And decoding a 127 char
base64 string fails... this is why the ntlm authentication fails in
certain cases (long strings)...
Gert Doering [Tue, 25 Dec 2012 12:41:50 +0000 (13:41 +0100)]
Fix client crash on double PUSH_REPLY.
Introduce an extra bool variable c2.pulled_options_md5_init_done to
keep track of md5_init state of pulled_options_state - avoid accessing
uninitialized state when a second PUSH_REPLY comes in (which only happens
under very particular circumstances).
Bug tracked down by Arne Schwabe <arne@rfc2549.rrg>.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: 20121225124856.GT22465@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/7216 Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit 1978db4b9657f0db134f1deaeb1e8400bf6a033e)
Matthias Andree [Sat, 12 Jan 2013 12:41:17 +0000 (13:41 +0100)]
Enable TCP_NODELAY configuration on FreeBSD.
The missing #include <netinet/tcp.h> causes a defined(TCP_NODELAY) to
fail. I have added the patch to the FreeBSD ports OpenVPN 2.2.2 and
2.3.0, and confirmed (with strings ... | grep) that the TCP_NODELAY code
is now part of the executable on amd64, and results in this log output:
Sat Jan 12 13:39:18 2013 Listening for incoming TCP connection on [undef]
Sat Jan 12 13:39:18 2013 Socket flags: TCP_NODELAY=1 succeeded
Obtained from: https://community.openvpn.net/openvpn/ticket/158
Credits to: M. Nottebrock
Signed-off-by: Matthias Andree <matthias.andree@gmx.de> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1357994477-29981-1-git-send-email-matthias.andree@gmx.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/7230 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3e86f688757529f8b33f9e6b49e31ba8d8564c5e)
Steffan Karger [Thu, 20 Nov 2014 12:43:05 +0000 (13:43 +0100)]
Drop too-short control channel packets instead of asserting out.
This fixes a denial-of-service vulnerability where an authenticated client
could stop the server by triggering a server-side ASSERT().
OpenVPN would previously ASSERT() that control channel packets have a
payload of at least 4 bytes. An authenticated client could trigger this
assert by sending a too-short control channel packet to the server.
Thanks to Dragana Damjanovic for reporting the issue.
David Sommerseth [Tue, 13 Dec 2011 17:08:24 +0000 (18:08 +0100)]
Only warn about non-tackled IPv6 packets once
When using OpenVPN 2.2 on clients and server with Windows based
clients, it will try to push IPv6 packets through the tunnel. This
causes the server log to be filled up with log entries like this:
Wed Jun 29 22:12:51 2011 username/1.2.3.4:56990 Need IPv6 code in mroute_extract_addr_from_packet
This patch modifies this message to state that IPv6 packets are not
tackled in tun mode, and prints it only once.
Trac: 147 Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Wed, 23 Nov 2011 10:11:54 +0000 (11:11 +0100)]
log error message and exit for "win32, tun mode, tap driver version 9.8"
(driver is known-buggy for small IPv4 packets in tun mode)
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry-picked from commit 03ab4ead8295e005f72dbffcffdaa74487d9668c)
Gert Doering [Wed, 23 Nov 2011 10:07:09 +0000 (11:07 +0100)]
bump tap driver version from 9.8 to 9.9
(bugfixed tapdrvr.c regarding small IPv4 packets)
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit 1523d1101222340b7ef305020ed7eba0dd1676cf)
Gert Doering [Thu, 10 Nov 2011 19:15:44 +0000 (20:15 +0100)]
add missing break between "case IPv4" and "case IPv6", leading to the
minimum-size for IPv6 being applied to IPv4 packets, subsequently
leading to drop of small-sized IPv4 packets.
Bug found & fixed by Christian Niessner.
Signed-off-by: Christian Niessner <bug-report@secadm.de> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit 10b99726a30bb7252cb01806f5f276be7873e84e)
Samuli Seppänen [Thu, 30 Jun 2011 07:59:10 +0000 (10:59 +0300)]
Fixes to easy-rsa/2.0
As support for OpenSSL 1.0.0 requires a modified openssl.cnf file, it was
decided to rename openssl.cnf to openssl-1.0.0.cnf for clarity and better
support of different OpenSSL versions. The old openssl.cnf was renamed as
openssl-0.9.8.cnf.
This patch makes sure that all openssl*.cnf files are copied when running 'make
install' in easy-rsa and makes the whichopensslcnf script aware of them as well.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Samuli Seppänen [Wed, 29 Jun 2011 08:24:07 +0000 (11:24 +0300)]
Updated "easy-rsa" for OpenSSL 1.0.0
This patch fixes remaining issues with Trac ticket #125. It does the following:
- Update easy-rsa/2.0/README
- Rename easy-rsa/2.0/openssl.cnf as openssl-0.9.8.cnf
- Add easy-rsa/2.0/openssl-1.0.0.cnf
- Updated vars.bat.sample to use openssl-1.0.0.cnf
- Updated win/openvpn.nsi to use openssl-1.0.0.cnf
- Add a few undefined variables to vars and vars.bat.sample:
required by OpenSSL 1.0.0 (at least on Windows)
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Tested-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
David Sommerseth [Wed, 15 Jun 2011 10:00:57 +0000 (12:00 +0200)]
Remove support for Linux 2.2 configuration fallback
When configuring OpenVPN nowadays, the TUN/TAP configuration can
sometimes jump into the Linux 2.2 fallback code paths, which will
also fails. The reason it jumps into fallback mode is that the
tun/tap device already exists or that /dev/net/tun does not exist.
This can be very confusing, as /dev/tunX which the fallback mode tries
to use, does not exist on Linux 2.4 and newer.
Considering that the last Linux 2.2 update was released 25-Feb-2004
and the first Linux 2.4 release came 04-Jan-2001, there are no
reasonable reasons to help users to stay on outdated kernels.
I consider this extra code path just waste of bytes ... so lets make
the world simpler.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ce637abdafdc19547fc97192033a4d1703ecaf23)
Robert Fischer [Thu, 21 Apr 2011 20:55:52 +0000 (22:55 +0200)]
Documented --x509-username-field option
Also fixed a typo in the --help screen.
Signed-off-by: Robert Fischer <ml-openvpn@trispace.org> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit ca8af756c52ab7a4aecb857f60d6124e58458f0a)
Robert Fischer [Thu, 21 Apr 2011 19:36:10 +0000 (21:36 +0200)]
Added info about --show-proxy-settings
Signed-off-by: Robert Fischer <ml-openvpn@trispace.org> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit 54d40afdfa56f38030d7b440cb379abf9c9ddabc)
David Sommerseth [Tue, 31 May 2011 14:59:30 +0000 (16:59 +0200)]
Fix compiling issues with pkcs11 when --disable-management is configured
pkcs11.c seems to miss some header files which gets implicitly added when
the management interface is enabled.
Signed-off-by: David Sommerseth <davids@redhat.com> Tested-by: Mr Dash Four <mr.dash.four@googlemail.com>
(cherry picked from commit efcdf594f81a6af34b72285c12bacbce35c14b2d)
David Sommerseth [Thu, 26 May 2011 08:16:59 +0000 (10:16 +0200)]
Don't define ENABLE_PUSH_PEER_INFO if SSL is not available
The push_peer_info feature depends on the SSL infrastructure and openvpn
will fail to build if ./configure --disable-crypto --disable-ssl is
used. The solution is to not define ENABLE_PUSH_PEER_INFO if we don't
have crypto/ssl.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 21fc2edfc49bcc903d5cfb74c1ba2f41ac8771f0)
Fix 2.2.0 build failure when management interface disabled
I just upgraded to 2.2.0, and my build fails with:
ps.c: In function 'port_share_open':
ps.c:778:7: error: 'management' undeclared (first use in this function)
ps.c:778:7: note: each undeclared identifier is reported only once for
each function it appears in
make[5]: *** [ps.o] Error 1
[Comment by David Sommerseth:
This happens only when building with --enable-small, --disable-management
and --disable-pkcs11
Also changed MANAGEMENT_ENABLED to ENABLE_MANAGEMENT from the original
patch.
]
Mailing-list: http://thread.gmane.org/gmane.network.openvpn.devel/4639 Signed-off-by: Matthew L. Creech <mlcreech@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit ca0ed8458a355aea46d26c209984caaf533784ec)
Simon Matter [Tue, 8 Mar 2011 07:27:00 +0000 (07:27 +0000)]
Fix issues with some older GCC compilers
Some older GCC compilers don't like that variables are declared
in the middle of the code, and expect them on the top in the
block/scope.
Trac-ticket: 99 Signed-off-by: Simon Matter <simon.matter@invoca.ch> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit aa52ca828fc075e010c326e91d2171484a514fde)
Robert Fischer [Sun, 17 Apr 2011 21:25:34 +0000 (23:25 +0200)]
Update man page with info about --connect-timeout
Signed-off-by: Robert Fischer <ml-openvpn@trispace.org> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
(cherry picked from commit 285252d1a189c331becde940d948d7ca1fe778fd)
Robert Fischer [Sun, 17 Apr 2011 21:03:49 +0000 (23:03 +0200)]
Update man page with info about --capath
Signed-off-by: Robert Fischer <ml-openvpn@trispace.org> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
(cherry picked from commit b63ecceb8b9bc3215866ae622bbd013d029d0b69)
David Sommerseth [Thu, 21 Apr 2011 19:03:25 +0000 (21:03 +0200)]
Add a simple comment regarding openvpn_snprintf() is duplicated
Commit df5a4380c3931520d5fae2b18f0fc2e67a883aae copies this function
from buffer.c to service-win32/openvpnserv.c. Any changes on either
places should be done in both implementations.
David Sommerseth [Thu, 21 Apr 2011 18:32:26 +0000 (20:32 +0200)]
Improve the mysprintf() issue in openvpnserv.c
A quick and dirty compile fix was introduced in commit 77d244050964525417,
and was accepted under the condition that it would be a temporary fix.
As the usage of _snprintf() is realy not ideal on Windows, this patch
uses the same well tested openvpn_snprintf() function from buffer.c.
It was a longer discussion of several possibilities to re-use that code,
but in the end it seemed easier to just copy-paste this function to
openvpnserv.c for now.
The reason for this conclusion was that the function is really simple,
well defined and will most likely not be changed much in the future.
It is also added a comment in openvpnserv.c where this function
has its origins.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
(cherry picked from commit df5a4380c3931520d5fae2b18f0fc2e67a883aae)
Gisle Vanem [Sat, 9 Apr 2011 12:56:52 +0000 (12:56 +0000)]
Avoid re-defining uint32_t when using mingw compiler
Since MingW for quite a long time (since 3.2 in 2008?) has defined
'uint32_t' etc. in it's <stdint.h>, we need to guard against defining
them again. Ideally we should figure out in what version of MingW
this happened. But for now:
Signed-off-by: Gisle Vanem <gvanem@broadpark.no> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
(cherry picked from commit 6a8270c29120473570ec6da4003226f36a4b71eb)
The win/config_ti.py build script assumes to find ../tapinstall/7600/sources.in
which does not exists in devcon.exe source code directory. This makes
config_ti.py look for ../tapinstall/7600/sources instead.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
(cherry picked from commit a18752d4febdaa91f87efcc487ac865d6587c527)
David Sommerseth [Thu, 14 Apr 2011 14:21:16 +0000 (16:21 +0200)]
Change the default --tmp-dir path to a more suitable path
In commit 4e1cc5f6dda22e9 the create_temp_filename() function was
reviewed and hardened, which in the end renamed this function to
create_temp_file() in commit 495e3cec5d156.
With these changes it became more evident that OpenVPN needs a directory
where it can create temporary files. The create_temp_file() will create
such files f.ex. if --client-connect or --plugin which makes use of
the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY hook, such as openvpn-auth-pam.so.
When this happens, OpenVPN will normally create these files in the directory
OpenVPN was started. In many cases, this will fail due to restricted access.
By using --tmp-dir and pointing it to a directory writeable to the user
running OpenVPN, it works again.
This patch makes OpenVPN use a more suitable temproary directory by default,
instead of the current working directory. On non-Windows platforms this
default value is set to '/tmp', but can be modified at compile-time by
running ./configure --with-tmp-dir-path=<TEMP DIR PATH>. On Windows, it
will use GetTempPath() to find temporary paths recommended by the OS. If
this fails, it will fallback to the old behaviour, using the directory
where OpenVPN was started.
In any cases, this default value can be overridden in the configuration
file by using the --tmp-dir option, as before.
To check what the default is at runime, you can see this easily by doing
this:
$ ./openvpn --verb 4 --dev tun | grep tmp_dir
Signed-off-by: David Sommerseth <davids@redhat.com> Tested-by: Jan Just Keijser <janjust@nikhef.nl> Acked-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ca4c6d618d743ec4a3b6f7ef8003d891603ec1a6)
Gert Doering [Sat, 9 Apr 2011 16:16:21 +0000 (18:16 +0200)]
Add more detailed explanation regarding the function of "--rdns-internal"
As agreed in last thursday's IRC meeting [1], I've added a comment to the
code explaining "--rdns-internal". It's really very much an internal
option, so it does not need to go to the man page.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit cdb3a5c0864e0fe8d0b814de1f024fd624dd3b1c)
This commit introduced a bug, which made the verify_callback()
function getting called even if --client-cert-not-required was
enabled in the config.
The reason for this was that an 'else' statement was lacking a
couple of curly braces. The offending commit in reality moved
the setup of the verify_callback() function out of the 'else'
statement.
Report-URL: https://community.openvpn.net/openvpn/ticket/108
Report-URL: https://forums.openvpn.net/topic7751.html Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Jan Just Keijser <janjust@nikhef.nl>
(cherry picked from commit 008a18e772bf1854f9a2102bef4b3d5b0a08a66b)
Alon Bar-Lev [Fri, 4 Mar 2011 21:14:33 +0000 (23:14 +0200)]
Windows cross-compile cleanup
It should be sufficient to just try to see if socklen_t is defined.
Next, on all platforms it would be int in all other platforms.
And, there is no need to check for the type in monolitic environment
like Windows, as it will be always the same.
Currently it fails cross compile windows in mingw-w64 compiler, as
winsock.h is as follows:
"""
/* define WINSOCK_API_LINKAGE and WSAAPI for less
* diff output between winsock.h and winsock2.h, but
* remember to undefine them at the end of file */
"""
And the macro uses these macros which are internal winsock macros and
should not be used anyway.
Also, when did the autodefs.h went mandatory? Why is it in
tap-win32/common.h while no constant is actually used?
The use of WSA_IO_INCOMPLETE without including winsock2.h is invalid!
Look at http://msdn.microsoft.com/en-us/library/aa921087.aspx
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
David Sommerseth [Mon, 13 Dec 2010 11:49:00 +0000 (12:49 +0100)]
Open log files as text files on Windows
By giving the "t" flag to _fdopen() on Windows, the file will be
opened in a "translate mode", where it will take care of converting
\n to \r\n, and also look for the CTRL-Z mark when opening the log
file in append mode.
Samuli Seppänen [Tue, 15 Mar 2011 14:37:41 +0000 (16:37 +0200)]
Replaced config-win32.h with win/config.h.in
The original config-win32.h - a static header file - has been superceded by both
"domake-win" script and the new Python-based buildsystem. Transformed it into a
template file, win/config.h.in, which obtains the most commonly used build
parameters from win/settings.in.
Added support code to win/config.py and win/wb.py to preprocess win/config.h.in
and copy it to config.h, from where source and header files can find it.
Removed all references to config-win32.h. Also removed obsolete
PACKAGE_BUGREPORT and USE_PTHREAD variables from the win/config.h.in file.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
Samuli Seppänen [Tue, 8 Mar 2011 14:07:49 +0000 (16:07 +0200)]
Added support for prebuilt TAP-drivers. Automated embedding manifests.
Removed win/make_dist.py's dependency on TAP-driver and tapinstall.exe building.
Also added manifest embedding commands to win/make_dist.py. To avoid duplicate
code moved the "build_vc" method from win/build.py to win/wb.py and renamed it
"run_in_vs_shell".
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
Gert Doering [Sun, 7 Mar 2010 18:28:55 +0000 (19:28 +0100)]
Implement IPv6 in TUN mode for Windows TAP driver.
* install-win32/settings.in: bump version to 9.7, TAP_RELDATE to "07/03/2010".
* tap-win32/proto.h: add data types and definitions needed for IPv6
* tap-win32/types.h: add m_UserToTap_IPv6 ethernet header for IPv6 packets
* tap-win32/tapdrvr.c: implement support for IPv6 in TUN mode:
- IPv6 packets User->OS need correct ether type
- IPv6 packets OS->User get correctly forwarded
- IPv6 neighbour discovery packets for "fe80::8" (magic address
installed as route-nexthop by OpenVPN.exe) get answered locally
(cherry picked from commit 175e17a5abd5969f6803a9cc9587b7959e1100ae)
Signed-off-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth [Mon, 28 Feb 2011 13:57:49 +0000 (14:57 +0100)]
Fix packaging of config-win32.h and service-win32/msvc.mak
The config-win32.h and service-win32/msvc.mak was not included
into the final source balls when using 'make dist', which is
crucial for Windows building.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Samuli Seppänen <samuli@openvpn.net>
Samuli Seppänen [Fri, 18 Feb 2011 09:39:27 +0000 (11:39 +0200)]
Temporary snprintf-related fix to service-win32/openvpnserv.c
This is intended just as a TEMPORARY solution to get the 2.2-RC released.
The intesion is to get this fixed with a better solution for the final 2.2
release. This patch has also been discussed here:
Samuli Seppänen [Sat, 19 Feb 2011 08:15:12 +0000 (10:15 +0200)]
Changes to buildsystem patchset
Implemented changes to the buildsystem patchset suggested by jamesyonan in IRC
meeting on 17th Feb 2010:
1) Remove variables added to version.m4 and use win/settings.in instead
2) Add ENABLE_<FEATURE> configuration to win/settings.in instead of parsing
config-win32.h for them
This patch applies on top of the previous 13 patches.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Samuli Seppänen [Fri, 11 Feb 2011 14:32:35 +0000 (16:32 +0200)]
Added first version of NSI installer script to win/openvpn.nsi
This win/openvpn.nsi file is a heavily cleaned-up version of the
install-win32/openvpn.nsi file. The key differences:
- paths have been adapted to new buildsystem's requirements
- obsolete XGUI support has been removed
- unused Windows version detection has been removed
- variables specific to new build system (win/settings.in, version.m4) are
imported
- a few new installer options have been introduced:
- install lzo2.dll
- install msvcr90.dll (a requirement from VS2008 builds)
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Samuli Seppänen [Fri, 11 Feb 2011 14:25:40 +0000 (16:25 +0200)]
Several modifications to win/make_dist.py to allow building the NSI installer
Added copying of all remaining openvpn dependencies to dist directory so that
the NSI installer script (win/openvpn.nsi) can find and use them more easily.
This includes openvpn.exe, openvpnserv.exe, libpkcs11-helper-1.dll, openssl.exe,
and example files. The associated, external DDL/manifest files are copied also,
so that embedding them with mt.exe is easier. This is a temporary solution until
nmake makefiles are modified to automate this process, except for a few of the
library dependencies (lzo2.dll and libpkcs11-helper-1.dll).
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Samuli Seppänen [Fri, 11 Feb 2011 14:16:14 +0000 (16:16 +0200)]
Added configure.h and version.m4 variable parsing to win/config.py
Python-based buildsystem uses win/config.py to obtain global build parameters
from various sources. Added parsing of the (fake) configure.h and version.m4 to
it so that other Python build files can use them.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Samuli Seppänen [Fri, 11 Feb 2011 14:14:28 +0000 (16:14 +0200)]
Added command-line switch to win/build_all.py to skip TAP driver building
Modified win/build_all.py so that by giving -n or --notap switch the TAP driver
is not built. This is useful if using prebuilt TAP drivers, or when WinDDK is
not installed.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Samuli Seppänen [Fri, 11 Feb 2011 14:06:05 +0000 (16:06 +0200)]
Added comments and made small modifications to win/msvc.mak.in
The win/msvc.mak.in file is used as basis for msvc.mak file which drives
openvpn.exe building. This change separates output file from LINK32_FLAGS and
adds helpful comments to the win/msvc.mak.in file.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Samuli Seppänen [Fri, 11 Feb 2011 14:03:31 +0000 (16:03 +0200)]
Added support for viewing config-win32.h paramters to win/show.py
The win/show.py tools is used to view build parameters interactively. This
changes it so that it displays parameters parsed from config-win32.h in addition
to those from win/settings.in.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Samuli Seppänen [Fri, 11 Feb 2011 13:53:19 +0000 (15:53 +0200)]
Added helper functionality to win/wb.py
This change adds several helper functions to win/wb.py:
- config-win32.h parser (to read build configuration options)
- helper function to cd to service-win32 for openvpnserv.exe building
- code to dynamically generate TAP-driver -related variables from version.m4,
required by tap-win32/tapdrv.c
- configure.h generator to allow viewing build options using openvpn --version
- creation of temporary version.m4-based file to allow importing it's variables
to the NSI installer script (win/openvpn.nsi)
- helper function to rename files (used in win/make_dist.py)
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Samuli Seppänen [Fri, 11 Feb 2011 13:28:13 +0000 (15:28 +0200)]
Moved TAP-driver version info to version.m4. Cleaned up win/settings.in.
Previously parts of TAP-driver version information were stored in
win/settings.in. This patch moves all of it to version.m4. This patch also
cleans up and adds comments to win/settings.in
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7bd3cea4c2f2aa8ed1bf548a3233ae2c3619d47d)
David Sommerseth [Wed, 15 Dec 2010 09:53:04 +0000 (10:53 +0100)]
Make the --x509-username-field feature an opt-in feature
After some discussion [1] regarding an extension of this feature,
James Yonan wanted this extension to be an opt-in feature. However,
as it does not make sense to opt-in on a extension of a feature which
was discussed, this patch makes the base feature an opt-in instead.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: James Yonan <james@openvpn.net>
(cherry picked from commit 024972e2ced84c6e5cabc43620ab510e5693d1d4)
Matthias Andree [Sat, 4 Dec 2010 02:51:11 +0000 (03:51 +0100)]
Change variadic macros to C99 style.
The macros used GCC's pre-C99 syntax, which could not be compiled with
Microsoft Visual Studio 2008.
Note this breaks compatibility with GCC versions before 3.0, which is
deemed safe in a discussion on IRC with David Sommerseth and Samuli
Seppänen on #openvpn-devel (RHEL 3 uses GCC 3.2 already).
Compiled tested on VS2008 by Samuli, on Cygwin GCC 3.4 and GCC 4.3 by myself.
Signed-off-by: Matthias Andree <matthias.andree@gmx.de> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
(cherry picked from commit 9469168e3abb09bd78297208a917ee4d9c025041)
Samuli Seppänen [Thu, 25 Nov 2010 19:48:34 +0000 (21:48 +0200)]
Fixed an issue causing a build failure with MS Visual Studio 2008.
The new SOCKS auth code in socks.c contained a call to sprintf instead of
openvpn_sprintf. This caused build to fail if MS Visual Studio 2008 C compiler
was used. This change fixes that issue.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth [Thu, 18 Nov 2010 21:17:58 +0000 (22:17 +0100)]
Merge branch 'feat_misc' into beta2.2
Conflicts:
acinclude.m4
config-win32.h
configure.ac
misc.c
thread.c
thread.h
- These conflicts was mainly due to feat_misc getting old
and mostly caused by the pthread clean-up patches in
feat_misc
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Samuli Seppänen [Thu, 18 Nov 2010 16:00:54 +0000 (18:00 +0200)]
Added command-line option parser and an unsigned build option to build_all.py
Modified win/build_all.py so that it parses command-line options using getopt.
Added option "-u / --unsigned" which allows forcing unsigned builds and a "-h /
--help" option. By default a signed build is generated, provided that the Python
SignTool module is installed. If not, the build is interrupted.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: Peter Stuge <peter@stuge.se> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth [Mon, 15 Nov 2010 08:00:12 +0000 (09:00 +0100)]
Merged add_bypass_address() and add_host_route_if_nonlocal()
The add_host_route_if_nonlocal() function is too simple to really
benefit from calling add_bypass_address() when this function is the
only caller to this function.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Peter Stuge <peter@stuge.se>
David Sommerseth [Mon, 15 Nov 2010 07:58:36 +0000 (08:58 +0100)]
Removed functions not being used anywhere
The GNU C compiler gave warnings about these functions in the patch
not being used anywhere. Doing a git grep on the code turned out
there were no callers to these functions. Taking these functions out,
as there is not good reason why to carry dead code.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Peter Stuge <peter@stuge.se>
projects / thirdparty / openvpn.git / log
