summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Tagged security fix in 2.1-rc9 as CVE-2008-3459.james2008-08-101-0/+1
| | | | git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3218 e7ae566f-a301-0410-adde-c780ea21d3b5
* Updated openvpn/t_cltsrv.sh (used by "make check") to conform to newjames2008-08-102-14/+44
| | | | | | | | --script-security rules. Also adds retrying if the addresses are in use (Matthias Andree). git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3217 e7ae566f-a301-0410-adde-c780ea21d3b5
* Reverted r3181, accomplish the same thing via a special casejames2008-08-053-21/+16
| | | | | | | | | | for Windows stdcall functions in configure.ac (Alon Bar-Lev). Minor fix to cryptoapi.c to not compile itself unless USE_CRYPTO and USE_SSL flags are enabled (Alon Bar-Lev). git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3183 e7ae566f-a301-0410-adde-c780ea21d3b5
* Workaround for MinGW autoconf issue where HAVE_SETSOCKOPT,james2008-08-051-0/+12
| | | | | | | | HAVE_GETSOCKOPT, and HAVE_POLL are undefined even though the underlying functions are present. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3181 e7ae566f-a301-0410-adde-c780ea21d3b5
* Added additional warnings to flag common gotchas:james2008-08-055-27/+133
| | | | | | | | | | | | | | | | | | | | | | * Warn when ethernet bridging that the IP address of the bridge adapter is probably not the same address that the LAN adapter was set to previously. * When running as a server, warn if the LAN network address is the all-popular 192.168.[0|1].x, since this condition commonly leads to subnet conflicts down the road. * Primarily on the client, check for subnet conflicts between the local LAN and the VPN subnet. Added a 'netmask' parameter to get_default_gateway, to return the netmask of the adapter containing the default gateway. Only implemented on Windows so far. Other platforms will return 255.255.255.0. Currently the netmask information is only used to warn about subnet conflicts. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3179 e7ae566f-a301-0410-adde-c780ea21d3b5
* Fixed minor issue with --redirect-gateway bypass-dhcp or bypass-dnsjames2008-08-041-1/+1
| | | | | | | | on Windows. If the bypass IP address is 0.0.0.0 or 255.255.255.255, ignore it. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3177 e7ae566f-a301-0410-adde-c780ea21d3b5
* Added "--server-bridge" (without parameters) to enablejames2008-08-0214-34/+427
| | | | | | | | | | | | | | | | | | | DHCP proxy mode: Configure server mode for ethernet bridging using a DHCP-proxy, where clients talk to the OpenVPN server-side DHCP server to receive their IP address allocation and DNS server addresses. Added "--route-gateway dhcp", to enable the extraction of the gateway address from a DHCP negotiation with the OpenVPN server-side LAN. Modified client.conf and server.conf to reflect new option modes. Incremented version to 2.1_rc9a. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3164 e7ae566f-a301-0410-adde-c780ea21d3b5
* Version 2.1_rc9v2.1_rc9james2008-08-011-2/+2
| | | | git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3155 e7ae566f-a301-0410-adde-c780ea21d3b5
* In Windows build, package a statically linked openssl.exe to work aroundjames2008-07-314-13/+6
| | | | | | | | observed instabilities in the dynamic build since the migration to OpenSSL 0.9.8h. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3149 e7ae566f-a301-0410-adde-c780ea21d3b5
* Updated ChangeLog and version number.james2008-07-312-1/+22
| | | | git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3147 e7ae566f-a301-0410-adde-c780ea21d3b5
* Added additional warnings for:james2008-07-271-0/+7
| | | | | | | | | | | * --tls-remote -- some people misunderstand the semantics * --script-security -- warn if script-security will allow user-defined scripts to be called, and also warn separately if passwords may be passed to scripts via the environment git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3129 e7ae566f-a301-0410-adde-c780ea21d3b5
* Added additional defensive programming to buffer.[ch] functions.james2008-07-272-26/+118
| | | | git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3128 e7ae566f-a301-0410-adde-c780ea21d3b5
* Added a warning message when passwords are cached in memory.james2008-07-271-0/+4
| | | | git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3127 e7ae566f-a301-0410-adde-c780ea21d3b5
* Perform additional input validation on options pulledjames2008-07-267-64/+230
| | | | | | | by client from server. Fixes --iproute vulnerability. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3126 e7ae566f-a301-0410-adde-c780ea21d3b5
* Fixed compiler warnings in Windows build (MinGW).james2008-07-266-5/+8
| | | | git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3125 e7ae566f-a301-0410-adde-c780ea21d3b5
* Completely revamped the system for calling external programs and scripts:james2008-07-2623-420/+1098
| | | | | | | | | | | | | | | | | | | | | | * All external programs and scripts are now called by execve() on unix and CreateProcess on Windows. * The system() function is no longer used. * Argument lists for external programs and scripts are now built by the new argv_printf function which natively outputs to string arrays (i.e. char *argv[] lists), never truncates its output, and eliminates the security issues inherent in formatting and parsing command lines, and dealing with argument quoting. * The --script-security directive has been added to offer policy controls on OpenVPN's execution of external programs and scripts. Also added a new plugin example (openvpn/plugin/examples/log.c) that logs information to stdout for every plugin method called by OpenVPN. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3122 e7ae566f-a301-0410-adde-c780ea21d3b5
* Added argv_x functions to buffer.[ch] to be used to safely buildjames2008-07-233-0/+265
| | | | | | | | up argv strings for execve without the possibility of truncation or misinterpretation of mid-argument spacing. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3107 e7ae566f-a301-0410-adde-c780ea21d3b5
* buf_printf will now return false on errors, such as truncationjames2008-07-192-3/+8
| | | | | | | due to overflow. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3085 e7ae566f-a301-0410-adde-c780ea21d3b5
* Modified extract_x509_field_ssl to return a status value indicatingjames2008-07-191-37/+41
| | | | | | | | | | | | | success/error, and any truncation of output due to an insufficiently large output buffer will be cause for error. In verify_callback, read X509 Subject Name without truncation. In verify_callback, rather than silently truncating Common Name at 64 bytes, throw an error if Common Name is larger than 64 bytes. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3084 e7ae566f-a301-0410-adde-c780ea21d3b5
* Replace leading dash ('-') characters in an X509 name with underbars ('_')james2008-07-193-0/+19
| | | | | | | | before calling user-defined scripts, to preclude the chance of a leading dash being interpreted as an option prefix. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3083 e7ae566f-a301-0410-adde-c780ea21d3b5
* Added a warning when plugins are specified withoutjames2008-07-183-1/+28
| | | | | | | an absolute pathname. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3082 e7ae566f-a301-0410-adde-c780ea21d3b5
* Reverted some recent buffer.[ch] changes, including r3058 (except forjames2008-07-183-64/+21
| | | | | | | | | | likely() and unlikely() macro additions to syshead.h) and r3061. I would like to give more thought to the bigger issue of fortifying buffer.[ch] through the use of additional defensive programming techniques. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3081 e7ae566f-a301-0410-adde-c780ea21d3b5
* Fixed format string issue in read_inline_file,james2008-07-181-1/+1
| | | | | | | used in the config file parser. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3078 e7ae566f-a301-0410-adde-c780ea21d3b5
* status_printf function will now set error flag onjames2008-07-182-7/+24
| | | | | | | | | | output truncation or failure of write() to write the expected number of bytes. Raised STATUS_PRINTF_MAXLEN to 512 (from 256). git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3077 e7ae566f-a301-0410-adde-c780ea21d3b5
* gen_path will no longer silently truncate the generatedjames2008-07-182-1/+15
| | | | | | | filename at 256 bytes. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3076 e7ae566f-a301-0410-adde-c780ea21d3b5
* Fixed code inclusion bug that was erroneously testingjames2008-07-182-6/+9
| | | | | | | | | defined(P2MP_SERVER) rather than P2MP_SERVER. Fixed compile issues when USE_CRYPTO is undefined. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3075 e7ae566f-a301-0410-adde-c780ea21d3b5
* Modified create_temp_filename to create unpredictablejames2008-07-181-5/+12
| | | | | | | filenames. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3074 e7ae566f-a301-0410-adde-c780ea21d3b5
* Previously, OpenVPN might log a client's auth-user-passjames2008-07-173-2/+19
| | | | | | | | | | password if the verbosity was set to a high debug level such as 7 or higher. Normally this would only be used by developers. Now, even at high debug levels, the password will not be output. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3073 e7ae566f-a301-0410-adde-c780ea21d3b5
* gen_path now rejects filenames that match Windowsjames2008-07-173-1/+72
| | | | | | | device names such as CON, NUL, LPT1, etc. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3072 e7ae566f-a301-0410-adde-c780ea21d3b5
* Call prng_init after fork in background processjames2008-07-171-0/+4
| | | | | | | | | | created by port_share_open, so as to ensure a newly seeded PRNG sequence. This is strictly defensive programming since port_share_proxy currently does not use the PRNG. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3070 e7ae566f-a301-0410-adde-c780ea21d3b5
* Added warning when using chroot without specifying user and group.james2008-07-171-0/+3
| | | | git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3069 e7ae566f-a301-0410-adde-c780ea21d3b5
* Check for multiplication overflow on ALLOC_ARRAY* functions.james2008-07-172-4/+16
| | | | git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3068 e7ae566f-a301-0410-adde-c780ea21d3b5
* Removed old version of extract_x509_field.james2008-07-171-40/+0
| | | | git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3066 e7ae566f-a301-0410-adde-c780ea21d3b5
* Support wraparound of reliable.[ch] packet IDs. Injames2008-07-171-12/+44
| | | | | | | | | | practice, wraparound of the packet ID sequence is extremely unlikely since the sequence is restarted for each mid-session TLS renegotiation. But we will support it for completeness. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3065 e7ae566f-a301-0410-adde-c780ea21d3b5
* Fixed a potential information leak in the new NTLM phase 3 code,james2008-07-172-8/+21
| | | | | | | | | | | as well as a failure of the code to check the return value from base64_decode. Fixed compiler warnings in the new NTLM phase 3 code about implicit casting between signed and unsigned char *. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3064 e7ae566f-a301-0410-adde-c780ea21d3b5
* Fixed issue in read_key_file, where the return value ofjames2008-07-171-1/+3
| | | | | | | read() wasn't being checked for errors. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3063 e7ae566f-a301-0410-adde-c780ea21d3b5
* Added SOCKET_SND_RCV_BUF_MAX constant (set to 1000000) to limit thejames2008-07-162-5/+16
| | | | | | | maximum size passed to setsockopt SNDBUF/RCVBUF. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3062 e7ae566f-a301-0410-adde-c780ea21d3b5
* In the Windows version of tun_finalize, on errors that wouldjames2008-07-161-1/+6
| | | | | | | | | return -1, set buf->len to 0 rather than -1. While downstream code is set up to consider the buffer invalidated if its length is <= 0, this change makes the code cleaner and safer. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3061 e7ae566f-a301-0410-adde-c780ea21d3b5
* Used unlikely() macro to tell compiler that msg() willjames2008-07-161-1/+1
| | | | | | | usually be silent. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3060 e7ae566f-a301-0410-adde-c780ea21d3b5
* Added likely() and unlikely() branch prediction hint macrosjames2008-07-164-21/+68
| | | | | | | | | | | | | to syshead.h Introduced BUF_MAX constant to limit struct buffer offset and length values. BUF_MAX has been set to 2^20. Use likely() and unlikely() macros in buffer.h code to allow the compiler to generate more efficient code. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3058 e7ae566f-a301-0410-adde-c780ea21d3b5
* Copyright change OpenVPN Solutions LLC -> Telethra, Inc.james2008-07-14153-159/+159
| | | | git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3048 e7ae566f-a301-0410-adde-c780ea21d3b5
* Version 2.1_rc8v2.1_rc8james2008-06-132-5/+13
| | | | | | | | | On Windows, use -leay32 and -lssl32 to link with OpenSSL. On Windows, bundle pkcs11-helper-1.06-beta1. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2997 e7ae566f-a301-0410-adde-c780ea21d3b5
* Updated copyright notice to 2008.james2008-06-11150-152/+152
| | | | git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2995 e7ae566f-a301-0410-adde-c780ea21d3b5
* Updated version & changelog.james2008-06-114-4/+77
| | | | | | | | | | Updated build-pkcs11-helper.sh to build from OpenSSL 0.9.8h. Added pkcs11-related fixes to easy-rsa/2.0/vars. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2994 e7ae566f-a301-0410-adde-c780ea21d3b5
* Merged connection profiles fromjames2008-06-1123-582/+1076
| | | | | | | http://svn.openvpn.net/projects/openvpn/test/conn git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2993 e7ae566f-a301-0410-adde-c780ea21d3b5
* Updated version to 2.1_rc7e.james2008-06-1130-569/+2495
| | | | | | | | | | | | | | | | | | | Added client authentication and packet filtering capability to management interface. Extended packet filtering capability to work on both --dev tun and --dev tap tunnels. Updated valgrind-suppress file. Made "Linux ip addr del failed" error nonfatal. Amplified --client-cert-not-required warning. Added #pragma pack to proto.h. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2991 e7ae566f-a301-0410-adde-c780ea21d3b5
* Added support for building and linking withjames2008-06-046-6/+91
| | | | | | | openssl-0.9.8h on Windows. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2982 e7ae566f-a301-0410-adde-c780ea21d3b5
* Fixed unbounded memory growth bug injames2008-06-043-2/+18
| | | | | | | | | | environmental variable code that could have caused long-running OpenVPN sessions with many TLS renegotiations to incrementally increase memory usage over time. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2981 e7ae566f-a301-0410-adde-c780ea21d3b5
* Fixed an issue in extract_x509_field_ssl where the extractionjames2008-06-041-1/+1
| | | | | | | | | | would fail on the first field of the subject name, such as the common name in: /CN=foo/emailAddress=foo@bar.com git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2980 e7ae566f-a301-0410-adde-c780ea21d3b5
* In auth-pam authentication module, even when in debug mode,james2008-06-041-2/+8
| | | | | | | never output passwords to stderr. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2979 e7ae566f-a301-0410-adde-c780ea21d3b5
generated by cgit (git 2.34.1) at 2024-06-06 22:51:27 +0000