| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
| |
read /proc/net/route
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1442309019-7586-5-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10111
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
| |
short connection losses)
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1442309019-7586-7-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10106
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
| |
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1442309019-7586-6-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10112
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
| |
Routing loops are avoided using the VPNService API
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1442309019-7586-4-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10113
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
| |
This not done via android_control since calling management from management
leads to an infinitive loop
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1442309019-7586-2-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10110
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
| |
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1442309019-7586-8-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10108
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- introduce get_default_gateway_ipv6() and add stub functions with the
implementation plan to the 4 major code blocks here (Windows,
Linux/Android, *BSD and Solaris, "others")
- add &rgi6 to print_default_gateway(), and teach it to print v4, v6
or both, depending on the calling environment
- unlike IPv4 (today), get_default_gateway_ipv6() is passed the actual
target IPv6 address of the server we're looking for, so we can handle
more complicated routing setups ("default to eth0, vpn server to ppp0")
correctly
- consequently, --show-gateway has an optional parameter now, the
IPv6 address to look up (for debugging)
- document --show-gateway and the extra option in openvpn.8
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1441985627-14822-5-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10087
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
| |
route_gateway_address -> route_ipv6_gateway_address
route_gateway_info -> route_ipv6_gateway_info
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1441985627-14822-4-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10088
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
adjust "struct route_ipv6_list" (and all users) to reflect changes
to "struct route_list" done in commit 7fb0e07e, namely:
- new member "rl6->iflags" (RL_* flags)
- new member "rl6->spec_flags" (RTSA_* flags)
- new member "rl6->remote_host_ipv6" (--remote address we're talking to)
- "rl6->routes_added"
--> "rl6->iflags & RL_ROUTES_ADDED"
- "rl6->did_redirect_default_gateway"
--> "rl6->iflags & RL_DID_REDIRECT_DEFAULT_GATEWAY"
- "rl6->did_local"
--> "rl6->iflags & RL_DID_LOCAL"
- "rl6->remote_endpoint_defined"
--> "rl6->spec_flags & RTSA_REMOTE_ENDPOINT"
- "rl6->default_metric_defined"
--> "rl6->spec_flags & RTSA_DEFAULT_METRIC"
deviating from IPv4 route_list, there is no "route_special_addr spec"
sub-struct, because it's not considered useful (rl->spec.flags becomes
rl6->spec_flags, the IPv6 equivalent of everything else in rl->spec just
lives inside struct route_ipv6_list)
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1441985627-14822-3-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10084
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
adjust "struct route_ipv6" (and all users) to reflect changes
to "struct route_ipv4" done in commit 7fb0e07e, namely:
- new member "r6->flags"
- "r6->defined" becomes "r6->flags & RT_DEFINED"
- "r6->metric_defined" becomes "r6->flags & RT_METRIC_DEFINED"
- route addition status is stored in "r6->flags & RT_ADDED"
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1441985627-14822-2-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10083
|
|
|
|
|
|
|
|
|
|
|
| |
preresolve
Closes ticket #591
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1438859835-3977-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10005
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit b131c7b974d9d4d3f0 introduced a check to create a meaningful
warning if we try to read a password after daemon()izing (by checking
whether stdin or stderr is connected to a tty). For some reason this
breaks on Windows builds if run under GUI control - but since Windows
doesn't have this particular daemon() issue anyway, just #ifndef WIN32
the offending code.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1438692796-14663-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10000
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Sebastian Krahmer from the SuSE security team reported that the buffer
overflow check in openvpn_decrypt() was too strict according to the
cipher update function contract:
"The amount of data written depends on the block alignment of the
encrypted data: as a result the amount of data written may be anything
from zero bytes to (inl + cipher_block_size - 1) so outl should contain
sufficient room."
This stems from the way CBC mode works, which caches input and 'flushes'
it block-wise to the output buffer. We do allocate enough space for this
extra block in the output buffer for CBC mode, but not for CFB/OFB modes.
This patch:
* updates the overflow check to also verify that the extra block required
according to the function contract is available.
* uses buf_inc_len() to double-check for overflows during en/decryption.
* also reserves the extra block for non-CBC cipher modes.
In practice, I could not find a way in which this would fail. The plaintext
is never longer than the ciphertext, and the implementations of CBC/OFB/CBC
for AES and BF in both OpenSSL and PolarSSL/mbed TLS do not use the buffer
beyond the plaintext length when decrypting. However, some funky OpenSSL
engine I did not check *might* use the buffer space required by the
function contract. So we should still make sure we have enough room
anyway.
v2 - always ASSERT() on buf_inc_len(). It is a double-check so should
really not fail, but if it fails there has been a buffer overflow.
At that point the best thing we can do is assert out. (The primary
check *is* handled gracefully, and just drops the packet.)
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1438165826-32762-1-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9974
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
| |
Was broken in commit 9de35d4, missing backslash in include/Makefile.am
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1438030010-953-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9967
|
|
|
|
|
|
|
|
|
|
| |
Was broken in commit 9de35d4.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1438027198-23305-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9964
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Also updated the log_v3 sample-plugin to demonstrate how this
works.
$ openvpn --plugin log_v3.so --dev tun
Fri Jul 10 15:17:28 2015 OpenVPN 2.3_git
[git:dev/plugin-version/f05d8623a29078bf+].....
...more.openvpn.logging...
log_v3: OpenVPN 2.3_git (Major: 2, Minor: 3, Patch:
git:dev/plugin-version/f05d8623a29078bf+)
...more.openvpn.logging...
$
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1436534548-21507-3-git-send-email-openvpn.list@topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9904
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
| |
This is to provide more fine grained information to plug-ins
about the OpenVPN environment when OpenVPN was built.
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1436534548-21507-2-git-send-email-openvpn.list@topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9905
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
buffer limit
The check does only for strlen(line) space and buf_printf will only use at
most space -1 and not print the final character ('\n') in this corner.
Since a missing \n only breaks certificates at the start and end marker,
missing line breaks otherwise do not trigger this error.
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1438011191-19389-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9956
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
I was wrong to assume that adding the const qualifier to the pointer-to-
fixed-size-array contruction used in options_hash_changed_or_zero() was
allowed. GCC actually warns about this, but I was using clang and clang
seems to be fine with the contruction. To make GCC happy too, reintroduce
the md5_digest wrapped struct, and use that when passing around the digest.
This reverts the "struct md5_digest" parts of 827de237860813d2859a, but
keeps the rest.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1437910039-30101-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9949
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The "plugin" option has one required argument, and an optional one.
This fixes a regression in 3d6a4cd
(https://community.openvpn.net/openvpn/ticket/557).
Signed-off-by: Daniel Hahler <git@thequod.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20150721100836.GV382@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9932
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commits da9b292733e929a2900dc32d37f0424c3d588366 and
315f6fbc7f657a7f1127628bd714f468709d5185 broke the use case where we are
asking password from the management client. The password is always asked
before daemonization. With this fix we avoid this and ask it via management
interface in the same spot as before the mentioned commits. Tested on Linux.
v2: This patch was first submitted by Christian Pellegrin (from Google),
and reworked by Steffan Karger (from the OpenVPN team) to also work for
setups with --management-query-passwords but without --auth-user-pass.
Signed-off-by: Steffan Karger <steffan@karger.me>
Signed-off-by: Christian Pellegrin <chripell@google.com>
Tested-by: Christian Pellegrin <chripell@google.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <55A6C46C.5080601@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9927
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
| |
Trac #574, #576
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1436857794-29419-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9923
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This resolves --askpass treating stdin as a file during the file access
check. In turn, this leads to openvpn failing to start if this option is
set to stdin.
By default, --askpass reads the certificate's password from stdin rather
than a file. Without passing the CHKACC_ACPTSTDIN flag to
check_file_access(), stdin is marked as being a nonexistent file.
Trac #248
Signed-off-by: James Geboski <jgeboski@gmail.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <55A41225.2020705@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9918
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
passwords.
With the --daemon / SSL init reordering in da9b292733, we fail if we
daemonize first and then try to ask for a private key passphrase (or,
for that matter, username+password if --auth-nocache is set) - but
no meaningful error message was printed, instead depending on operating
system and library versions, either we looped around "ssl init failed"
or died with an unspecified "fatal error".
So: check if get_user_pass_cr() is called in a context that needs
"from_stdin", but both stdin and stderr are not connected to a tty
device (which getpass() needs). In that case, print a meaningful
error message pointing to --askpass, and die.
Trac #574 and #576
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1436814607-16707-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9916
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The init sequence was changed to daemonize before the crypto init to fix
issues on FreeBSD some commits ago. This introduced a regression where
we would no longer query for passwords before daemonizing, as described
in trac #574 and #576.
This commit restores the correct order, and adds a bit of const
correctness since we're touching this now code anyway.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1436477759-5884-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9901
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
| |
Because even VS2013 is incapable of doing C99.
Signed-off-by: Steffan Karger <steffan@karger.me>
Tested-by: Fish Wang <fish.thss@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <CAA1AbxKrPXnc1+PPH4dQV1OksY_0t3ewqRnqVrjhZL+i2Pbkmw@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9859
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of limiting the control channel TCP/UDP packet payload size at
'100 bytes + real control channel overhead' (~140 bytes ethernet payload),
increase the max TCP/UDP payload size to '1250 bytes - calculated overhead'
(~1210 bytes ethernet payload).
Note that this patch does *not* yield an optimal solution, but it is a
simple and rather safe change that will improve connection setup times
significantly.
v2: use the mininum value of --link-mtu and 1250 to give the user a way to
reduce control packet size if really needed.
trac #545
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1435693496-10931-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9841
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
(2.3 reports as warning only, 2.4 reports as M_FATAL)
trac #568
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1435581995-11820-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9830
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a linux tun interface is closed (e.g. on disconnect)
an optional ipv6 addr that was previously set is deleted now.
Without this patch a later reconnect could fail with
'Linux ip -6 addr add failed: external program exited with error status: 2'
and openvpn would exit.
This is mainly relevant for persistant tun devices (staying around
after openvpn exits) but can also happen at reconnect.
If addresses are *supposed* to stay around on openvpn exit, run
openvpn with --ifconfig-noexec and configure IPv4/IPv6 addresses
manually before openvpn starts (or using an --up script).
Trac #141
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1435248080-12670-1-git-send-email-Holger.Kummert@Sophos.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9810
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Throw an error if an option has extra parameters; previously they
were silently ignored (see also trac #557)
This feature was discussed on the openvpn-devel mailing list
(http://thread.gmane.org/gmane.network.openvpn.devel/9599).
The (modified) message "Unrecognized option or missing or extra
parameter(s)" is used except for a few options:
* The --help option: An extra parameter for --help generates a
specific error message after showing the syntax message. This
is done to help a user who tries "--help tls-cipher" or similar,
hoping to get more information about the "tls-cipher" option.
* The --dhcp-option option: It has its own similar message, into
which " or extra" has been inserted.
* Ten options such as --up that accept a command (instead of a
path) already detect extra parameters and generate specific
error messages that mention double-quoting commands which
contain embedded spaces.
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <CAEsd45RvRfmqetu-EoFjSdyBk5F9X1K5muPGu-+_+30TMNOU_A@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9783
URL: https://community.openvpn.net/openvpn/ticket/557
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since we split daemonizing from changing directory in commit da9b292
(f025de005d719201a69ad0313d545a1ddd244752 in release/2.3), we can
now simply write the pid file immediately after daemonizing.
This not only fixes the bug reported in trac #563, but also further
simplifies the code.
trac #563
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1434665325-3225-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9793
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For "topology subnet", we only pretend to have a subnet and keep
using the tun if in point-to-point mode - but for that to fully
work, the "remote" address needs to be different from the "local"
address. So just arbitrarily construct one from the on-link
subnet - base+1, if "that is not us", base+2, otherwise.
Fix trac #481
See also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194745
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Tested-By: Anton Sayetsky <vsasjason@gmail.com>
Lazy-ACK-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1430071438-31675-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9606
|
|
|
|
|
|
|
|
|
|
| |
Trac: #395
Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1433231982-24945-1-git-send-email-samuli@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9777
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A non-working nameserver in /etc/resolv.conf could lead to endless
loops inside openvpn_getaddrinfo(), because many systems will only
pick up changes to resolv.conf if res_init() is called again.
To reproduce, run openvpn with --resolv-retry infinite (2.3) or
--resolv-retry "a high number" (master) on a BSD system. Linux
glibc seems to stat() resolv.conf on calls to getaddrinfo() and
pick up changes automatically.
Trac #523
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1433080749-6892-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9763
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When specifying redirect-private option and not specifying route-gateway
or ifconfig options, OpenVPN fails to add the route to the remote host
with the following message:
NOTE: unable to redirect default gateway -- VPN gateway parameter
(--route-gateway or --ifconfig) is missing
In redirect_default_route_to_vpn() the check for remote endpoint happens
even though it is not used by redirect-private - make check conditional
on RG_REROUTE_GW (= --redirect-gateway).
Trac #261
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20150531120327.GE382@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9761
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Windows has no EAI_SYSTEM (introduced by 5f6c01ea6172ed), but everyone
has EAI_AGAIN - which also fits ("a temporary failure in name resolution").
Trac #276
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1433178914-7842-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9768
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Inspired by libguestfs' configure.ac hack - test automake version,
and if 1.12 or newer, use m4 magic to pass "serial_tests" option
to AM_INIT_AUTOMAKE().
https://www.redhat.com/archives/libguestfs/2013-February/msg00102.html
Trac #427
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: <1433185487-9724-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9769
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A signal (except SIGUSR1) received while waiting for getaddrinfo() is
considered fatal, so openvpn_getaddrinfo() is destroying the returned
information with freeaddrinfo(), but still signalled "success" (0)
to the caller - so if the caller accessed *res before checking
*signal_received, it would access just-free()ed memory, which on some
platforms still worked and on others caused a crash.
Also, ensure that *ai is also NULLed in the caller now.
Trac #276
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1433104918-9523-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9764
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Release pCertName, if SecCertificateCopyValues() fails.
Found via cppcheck.
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Cc: Vasily Kulikov <segoon@openwall.com>
Acked-by: Vasily Kulikov <segoon@openwall.com>
Message-Id: <1429540256-4906-1-git-send-email-yegorslists@googlemail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9600
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
| |
This reverts commit fc03ca9d13e35c40bdf1c3c676db2adf48c60223,
because it breaks "autoreconf -vif" on autoconf versions older
than 1.12 - like, CentOS 6, Debian 7, ...
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Our "make check" testsuite creates quite a bit of output which is
intended to help pinpointing the exact reason for failure - hidden by
default by automake 1.12 and up, which default to "parallel-tests" which
has no benefit for us. So, just set the automake option to revert to
the old behaviour.
See also: https://www.gnu.org/software/automake/manual/html_node/Serial-Test-Harness.html
Trac #427
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Message-ID: <20150524193011.GK382@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9738
Acked-by: David Sommerseth <openvpn.list@topphemmelig.net>
|
|
|
|
|
|
|
|
|
|
|
| |
point out that this is for "data channel" packets
trac #463
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1432674063-15916-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9746
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
But keep the chdir to / at the place where deamon() was before, to preserve
the current behaviour wrt relative paths in the config.
This should fix the issue reported in trac #480, without changing the
behaviour visible to the end user.
Note that by moving the daemon() call to an earlier stage of the init
process, we no longer have to call platform_mlockall() again, or do a
pkcs11_forkFixup().
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1430144937-4149-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9609
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The internal machinery wants TLS for this to work, so just add this
to the (long) list of options not allowed unless either --tls-client
or --tls-server is active. For added sanity, add an ASSERT() call
to the place where this combination caused a NULL ptr reference, and
document the restriction.
Fix trac #373
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1432472554-24666-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9736
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Prevent confusion as described in trac #422 by better explaining the
behaviour of --capath, and providing pointers to relevant openssl man
pages.
Attached are patches for the master and release/2.3 branches. The only
difference is that in the master patch, a line referencing the
requirement for OpenSSL 0.9.7 is removed, since master already requires
OpenSSL >= 0.9.8.
-Steffan
Content-Type: text/x-patch;
name="2.3-Clarify-capath-option-in-manpage.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename="2.3-Clarify-capath-option-in-manpage.patch"
>From 3626088e146dbf959d7ec73f4e7cc5ab24c1ad57 Mon Sep 17 00:00:00 2001
From: Steffan Karger <steffan@karger.me>
Date: Sun, 24 May 2015 11:18:34 +0200
Subject: [PATCH] Clarify --capath option in manpage
Prevent confusion as described in trac #422 by better explaining the
behaviour of --capath, and providing pointers to relevant openssl man
pages.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <55619DC4.2020108@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9732
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 4880739c17b502d00a removed DNS randomization, and the dual-stack
patches for 2.4 completely changed the getaddrinfo() result handling again,
but neither fact ever made it into the man page.
Trac #411
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1432454172-1318-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9730
|
|
|
|
|
|
|
|
| |
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <CAEsd45SHoEtahdVT95a+N-zmjRG4nH3QPxBZoGpnh1pykjSU4A@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9723
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, the code tried to find res_init(), and on some systems
got it wrong in configure, silently not-using res_init(), leading
to unexpected failures to re-init the resolver.
We know that all supported OSes (except Windows) have res_init(), so
change the call to "#ifndef WIN32", and adjust configure.ac to just
find the library to link (if any). With that, failures to find
res_init() are no longer "hidden" but clearly visible at link time.
AC_SEARCH_LIBS() bits inspired by CUPS' cups_network.m4 (GPLv2)
Fix (part of) trac #523
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lazy-ACK-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1430162841-5840-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9614
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes trac #225 ('--auth-user-pass FILE' and '--auth-nocache' problem).
This patch is based on the changes suggested by ye_olde_iron in the trac
ticket. Also added a note to the manpage to inform people to use
absolute paths when combining --auth-user-pass file and --auth-nocache.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1432386145-15045-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9717
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
"make check" self-test was broken after commit db950be85d37 due to
do_ifconfig_setenv() not checking whether tt->did_ifconfig_setup
was set (which isn't, for "dev null" type setups)
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <1432404098-29401-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9718
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|