James Yonan [Tue, 12 Apr 2011 05:14:34 +0000 (05:14 +0000)]
For Mac OSX, when DARWIN_USE_IPCONFIG is defined, retry ipconfig
command on failure once every second for up to 15 seconds. This
is necessary to work around an issue observed on OSX 10.5 where
the ipconfig command sometimes fails if executed immediately after
the tun device open.
James Yonan [Sat, 2 Apr 2011 08:21:28 +0000 (08:21 +0000)]
Fixed bug that incorrectly placed stricter TCP packet replay rules on
UDP sessions when the client daemon was running in UDP/TCP adaptive
mode, and transitioned from TCP to UDP.
The bug would cause a single dropped packet in UDP mode to trigger a
barrage of packet replay errors followed by a disconnect and
reconnect.
This commit introduced a bug, which made the verify_callback()
function getting called even if --client-cert-not-required was
enabled in the config.
The reason for this was that an 'else' statement was lacking a
couple of curly braces. The offending commit in reality moved
the setup of the verify_callback() function out of the 'else'
statement.
Report-URL: https://community.openvpn.net/openvpn/ticket/108
Report-URL: https://forums.openvpn.net/topic7751.html Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Jan Just Keijser <janjust@nikhef.nl>
James Yonan [Sun, 27 Mar 2011 09:20:13 +0000 (09:20 +0000)]
Added ./configure --enable-osxipconfig option for Mac OS X which will
enable the use of ipconfig (instead of ifconfig) for configuring the
IP address and netmask of the tun/tap adapter.
James Yonan [Sat, 26 Mar 2011 21:16:40 +0000 (21:16 +0000)]
Added "auth-token" client directive, which is intended to be
pushed by server, and that is used to offer a temporary session
token to clients that can be used in place of a password on
subsequent credential challenges.
This accomplishes the security benefit of preventing caching
of the real password while offering most of the advantages
of password caching, i.e. not forcing the user to re-enter
credentials for every TLS renegotiation or network hiccup.
auth-token does two things:
1. if password caching is enabled, the token replaces the
previous password, and
2. if the management interface is active, the token is output
to it:
>PASSWORD:Auth-Token:<token>
Also made a minor change to HALT/RESTART processing when password
caching is enabled. When client receives a HALT or RESTART message,
and if the message text contains a flags block (i.e. [FFF]:message),
if flag 'P' (preserve auth) is present in flags, don't purge the Auth
password. Otherwise do purge the Auth password.
* fix --multihome for ipv6: IPV6_RECVPKTINFO
- setsockopt IPV6_RECVPKTINFO (not IPV6_PKTINFO!)
- do check for setsockopt() failures
- append %<iface> in INFO msg
JuanJo Ciarlante [Tue, 20 Oct 2009 20:38:50 +0000 (22:38 +0200)]
* no new funcionality, just small cleanups:
- cmdline options help: add tcp6/udp6 missing messages
- win32: expand usage of proto_is_udp(), proto_is_tcp()
- replace some memset(&obj, 0, sizeof obj) by openvpn's CLEAR(obj)
* created getaddr6(), use it from resolve_remote()
next: merge ipv{4,6} signal logic into one inside resolve_remote()
* passes {loopback,remote}{udp,tcp}{4,6} tests
Joe Patterson [Mon, 21 Mar 2011 22:02:59 +0000 (18:02 -0400)]
common_name passing in auth_pam plugin
Added the ability to have "COMMONNAME" replaced with certificate common
name in pam conversation.
Signed-off-by: Joe Patterson <j.m.patterson@gmail.com> Acked-By: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
A additional ';' had sneaked in commit 4c4b8cedfa98e8892a53. Lets
kick it out again.
Signed-off-by: Stefan Hellermann <stefan@the2masters.de> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
plugin.h: update prototype of plugin_call dummy in !ENABLE_PLUGIN case
Commit 2db5a0ac3e053857d97e468de53e70a605f54561 adds two arguments to
plugin_call(...), but missed the !ENABLE_PLUGIN case. With
!ENABLE_PLUGIN, plugin_call(...) is only a dummy, so add these two
parameters there too.
Signed-off-by: Stefan Hellermann <stefan@the2masters.de> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Separate the general plug-in version constant and v3 plug-in structs version
After a review of the second round of the the v3 plug-in implementation, it
was decided to use a separate constant defining the version of the structs
used for argument and return value passing, instead of OPENVPN_PLUGIN_VERSION.
To not make it too complex, this patch uses a shared version constant for all
the v3 structures. It is not expected that these strucutures will change too
much and too often.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
This plug-in will only log arguments and environment variables it receives
during all the different plug-in phases OpenVPN currently supports. It will
also parse the X509 certificate information given during the TLS_VERIFY phase.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
David Sommerseth [Fri, 10 Dec 2010 00:16:09 +0000 (01:16 +0100)]
Extend the v3 plug-in API to send over X509 certificates
The certificates sent to the plug-in API will only happen during the
OPENVPN_PLUGIN_TLS_VERIFY phase and will contain a pointer to the OpenSSL
X509 certificate data.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
David Sommerseth [Mon, 29 Nov 2010 22:57:44 +0000 (23:57 +0100)]
Provide 'dev_type' environment variable to plug-ins and script hooks
Normally OpenVPN is configured with --dev {tun,tap}, but it is also possible
to use --dev myvpn instead. In these situations, OpenVPN will request
--dev-type as well to be able to set up a tun or tap device properly.
The 'dev' environment variable will contain the value provided by --dev. In
those cases where the plug-in/script need to behave differently when using a tun
device versus using a tap device, there are no possibilities for it to know what
kind of device --dev myvpn would be.
This patch adds a 'dev_type' environment variable which contains a string of the
device type, either automatically discovered based on the --dev name, or set using
the --dev-type option.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
James Yonan [Thu, 9 Dec 2010 11:21:04 +0000 (11:21 +0000)]
Added "management-external-key" option. This option can be used
instead of "key" in client mode, and allows the client to run
without the need to load the actual private key. When the SSL
protocol needs to perform an RSA sign operation, the data to
be signed will be sent to the management interface via a
notification as follows:
>RSA_SIGN:[BASE64_DATA]
The management interface client should then sign BASE64_DATA
using the private key and return the signature as follows:
rsa-sig
[BASE64_SIG_LINE]
.
.
.
END
This capability is intended to allow the use of arbitrary
cryptographic service providers with OpenVPN via the
management interface.
James Yonan [Sun, 14 Nov 2010 22:38:47 +0000 (23:38 +0100)]
Fixed compiling issues when using --disable-crypto
Peter Korsgaard <jacmet@sunsite.dk> reported an issue [1] when compiling
with --disable-crypto activated. He suggested a patch, which only
partly solved the issue. SVN r6568 / commit 3cf9dd88fd84108 added a
new feature which further made it impossible to compile without crypto.
This patch fixes both issues, based on Peter Korsgaard's patch.
Signed-off-by: James Yonan <james@openvpn.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Markus Koetter [Fri, 10 Dec 2010 19:30:09 +0000 (20:30 +0100)]
Add extv3 X509 field support to --x509-username-field
This allows using other X509 certificate fields for the certificate
authentication. To use altSubjectName, use
--x509-username-field ext:altSubjectName
This feature requires OpenVPN to be built with --enable-x509-alt-username
This patch is slightly modified, to honour --enable-x509-alt-username
compile time configuration. Two #ifdef's are added.
Signed-off-by: Markus Koetter <koetter@rrzn-hiwi.uni-hannover.de> Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Alon Bar-Lev [Fri, 4 Mar 2011 21:14:33 +0000 (23:14 +0200)]
Windows cross-compile cleanup
It should be sufficient to just try to see if socklen_t is defined.
Next, on all platforms it would be int in all other platforms.
And, there is no need to check for the type in monolitic environment
like Windows, as it will be always the same.
Currently it fails cross compile windows in mingw-w64 compiler, as
winsock.h is as follows:
"""
/* define WINSOCK_API_LINKAGE and WSAAPI for less
* diff output between winsock.h and winsock2.h, but
* remember to undefine them at the end of file */
"""
And the macro uses these macros which are internal winsock macros and
should not be used anyway.
Also, when did the autodefs.h went mandatory? Why is it in
tap-win32/common.h while no constant is actually used?
The use of WSA_IO_INCOMPLETE without including winsock2.h is invalid!
Look at http://msdn.microsoft.com/en-us/library/aa921087.aspx
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
David Sommerseth [Mon, 13 Dec 2010 11:49:00 +0000 (12:49 +0100)]
Open log files as text files on Windows
By giving the "t" flag to _fdopen() on Windows, the file will be
opened in a "translate mode", where it will take care of converting
\n to \r\n, and also look for the CTRL-Z mark when opening the log
file in append mode.
Samuli Seppänen [Tue, 15 Mar 2011 14:37:41 +0000 (16:37 +0200)]
Replaced config-win32.h with win/config.h.in
The original config-win32.h - a static header file - has been superceded by both
"domake-win" script and the new Python-based buildsystem. Transformed it into a
template file, win/config.h.in, which obtains the most commonly used build
parameters from win/settings.in.
Added support code to win/config.py and win/wb.py to preprocess win/config.h.in
and copy it to config.h, from where source and header files can find it.
Removed all references to config-win32.h. Also removed obsolete
PACKAGE_BUGREPORT and USE_PTHREAD variables from the win/config.h.in file.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
Samuli Seppänen [Tue, 8 Mar 2011 14:07:49 +0000 (16:07 +0200)]
Added support for prebuilt TAP-drivers. Automated embedding manifests.
Removed win/make_dist.py's dependency on TAP-driver and tapinstall.exe building.
Also added manifest embedding commands to win/make_dist.py. To avoid duplicate
code moved the "build_vc" method from win/build.py to win/wb.py and renamed it
"run_in_vs_shell".
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
James Yonan [Fri, 18 Mar 2011 04:51:59 +0000 (04:51 +0000)]
Fixed issue where a client might receive multiple push replies from
a server if it sent multiple push requests due to the server being
slow to respond. This could cause the client to process pushed
options twice, leading to duplicate pushed routes, among other issues.
The fix, implemented server-side, is to reply only once to a push
request even if multiple requests are received.
Gert Doering [Sun, 7 Mar 2010 18:28:55 +0000 (19:28 +0100)]
Implement IPv6 in TUN mode for Windows TAP driver.
* install-win32/settings.in: bump version to 9.7, TAP_RELDATE to "07/03/2010".
* tap-win32/proto.h: add data types and definitions needed for IPv6
* tap-win32/types.h: add m_UserToTap_IPv6 ethernet header for IPv6 packets
* tap-win32/tapdrvr.c: implement support for IPv6 in TUN mode:
- IPv6 packets User->OS need correct ether type
- IPv6 packets OS->User get correctly forwarded
- IPv6 neighbour discovery packets for "fe80::8" (magic address
installed as route-nexthop by OpenVPN.exe) get answered locally
(cherry picked from commit 175e17a5abd5969f6803a9cc9587b7959e1100ae)
Signed-off-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth [Mon, 28 Feb 2011 13:57:49 +0000 (14:57 +0100)]
Fix packaging of config-win32.h and service-win32/msvc.mak
The config-win32.h and service-win32/msvc.mak was not included
into the final source balls when using 'make dist', which is
crucial for Windows building.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Samuli Seppänen <samuli@openvpn.net>
Samuli Seppänen [Fri, 18 Feb 2011 09:39:27 +0000 (11:39 +0200)]
Temporary snprintf-related fix to service-win32/openvpnserv.c
This is intended just as a TEMPORARY solution to get the 2.2-RC released.
The intesion is to get this fixed with a better solution for the final 2.2
release. This patch has also been discussed here:
Samuli Seppänen [Sat, 19 Feb 2011 08:15:12 +0000 (10:15 +0200)]
Changes to buildsystem patchset
Implemented changes to the buildsystem patchset suggested by jamesyonan in IRC
meeting on 17th Feb 2010:
1) Remove variables added to version.m4 and use win/settings.in instead
2) Add ENABLE_<FEATURE> configuration to win/settings.in instead of parsing
config-win32.h for them
This patch applies on top of the previous 13 patches.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Samuli Seppänen [Fri, 11 Feb 2011 14:32:35 +0000 (16:32 +0200)]
Added first version of NSI installer script to win/openvpn.nsi
This win/openvpn.nsi file is a heavily cleaned-up version of the
install-win32/openvpn.nsi file. The key differences:
- paths have been adapted to new buildsystem's requirements
- obsolete XGUI support has been removed
- unused Windows version detection has been removed
- variables specific to new build system (win/settings.in, version.m4) are
imported
- a few new installer options have been introduced:
- install lzo2.dll
- install msvcr90.dll (a requirement from VS2008 builds)
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Samuli Seppänen [Fri, 11 Feb 2011 14:25:40 +0000 (16:25 +0200)]
Several modifications to win/make_dist.py to allow building the NSI installer
Added copying of all remaining openvpn dependencies to dist directory so that
the NSI installer script (win/openvpn.nsi) can find and use them more easily.
This includes openvpn.exe, openvpnserv.exe, libpkcs11-helper-1.dll, openssl.exe,
and example files. The associated, external DDL/manifest files are copied also,
so that embedding them with mt.exe is easier. This is a temporary solution until
nmake makefiles are modified to automate this process, except for a few of the
library dependencies (lzo2.dll and libpkcs11-helper-1.dll).
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Samuli Seppänen [Fri, 11 Feb 2011 14:16:14 +0000 (16:16 +0200)]
Added configure.h and version.m4 variable parsing to win/config.py
Python-based buildsystem uses win/config.py to obtain global build parameters
from various sources. Added parsing of the (fake) configure.h and version.m4 to
it so that other Python build files can use them.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Samuli Seppänen [Fri, 11 Feb 2011 14:14:28 +0000 (16:14 +0200)]
Added command-line switch to win/build_all.py to skip TAP driver building
Modified win/build_all.py so that by giving -n or --notap switch the TAP driver
is not built. This is useful if using prebuilt TAP drivers, or when WinDDK is
not installed.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Samuli Seppänen [Fri, 11 Feb 2011 14:06:05 +0000 (16:06 +0200)]
Added comments and made small modifications to win/msvc.mak.in
The win/msvc.mak.in file is used as basis for msvc.mak file which drives
openvpn.exe building. This change separates output file from LINK32_FLAGS and
adds helpful comments to the win/msvc.mak.in file.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Samuli Seppänen [Fri, 11 Feb 2011 14:03:31 +0000 (16:03 +0200)]
Added support for viewing config-win32.h paramters to win/show.py
The win/show.py tools is used to view build parameters interactively. This
changes it so that it displays parameters parsed from config-win32.h in addition
to those from win/settings.in.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Samuli Seppänen [Fri, 11 Feb 2011 13:53:19 +0000 (15:53 +0200)]
Added helper functionality to win/wb.py
This change adds several helper functions to win/wb.py:
- config-win32.h parser (to read build configuration options)
- helper function to cd to service-win32 for openvpnserv.exe building
- code to dynamically generate TAP-driver -related variables from version.m4,
required by tap-win32/tapdrv.c
- configure.h generator to allow viewing build options using openvpn --version
- creation of temporary version.m4-based file to allow importing it's variables
to the NSI installer script (win/openvpn.nsi)
- helper function to rename files (used in win/make_dist.py)
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Samuli Seppänen [Fri, 11 Feb 2011 13:28:13 +0000 (15:28 +0200)]
Moved TAP-driver version info to version.m4. Cleaned up win/settings.in.
Previously parts of TAP-driver version information were stored in
win/settings.in. This patch moves all of it to version.m4. This patch also
cleans up and adds comments to win/settings.in
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
projects / thirdparty / openvpn.git / log
