summaryrefslogtreecommitdiffstats
path: root/src/openvpn/options.c
Commit message (Collapse)AuthorAgeFilesLines
* Fix commit c67acea173dc9ee37220f5b9ff14ede081181992Arne Schwabe2015-10-151-1/+1
| | | | | | | | | | | Move things to the proper place, ensure that line_ptr is actually properly initialized for *every* line read, not just for the first one Acked-by: Lev Stipakov <lstipakov@gmail.com> Message-Id: 1444827956-2169-1-git-send-email-arne@rfc2549.org URL: http://article.gmane.org/gmane.network.openvpn.devel/10271 Signed-off-by: David Sommerseth <davids@redhat.com>
* Remove support for snappy compression.Gert Doering2015-10-111-10/+0
| | | | | | | | | | | | | | | | | LZ4 is using less CPU at similar performance, and it is easier to build and support for binary installs (as it does not require C++ and a C++ runtime). Since it was never supported in any formally released OpenVPN version, just drop it again. This leaves in the compression opcode for Snappy for documentation purposes. trac #617 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1444494889-28925-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/10251
* Fix "White space before end tags can break the config parser"janjust2015-10-111-1/+4
| | | | | | | | | | trac #569 Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1444493569-24026-1-git-send-email-janjust@nikhef.nl> URL: http://article.gmane.org/gmane.network.openvpn.devel/10249 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Added support for TLS Keying Material Exporters [RFC-5705]Daniel Kubec2015-10-101-0/+27
| | | | | | | | | | | | | Keying Material Exporter [RFC-5705] allow additional keying material to be derived from existing TLS channel. This exported keying material can then be used for a variety of purposes. [DS: Updated man page to document both upper and lower length boundaries] Signed-off-by: Daniel Kubec <niel@rtfm.cz> Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Steffan Karger <steffan.karger@fox-it.com Acked-by: David Sommerseth <davids@redhat.com>
* Replace strdup() calls for string_alloc() callsSteffan Karger2015-10-041-1/+1
| | | | | | | | | | | | As reported by Bill Parker in trac #600, strdup() return values are not always correctly checked for failed allocations. This patch adds missing checks by using string_alloc(), which performs the required checks. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <561130FC.8090008@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/10176 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Implement '--redirect-gateway ipv6'Gert Doering2015-09-201-0/+7
| | | | | | | | | | | | | | | | | | | Add "ipv6" and "!ipv4" sub-options to "--redirect-gateway" option. This is done in the same way as in the OpenVPN 3 code base, so "--redirect-gateway ipv6" will redirect both IPv4 and IPv6 - if you want v6-only, use "--redirect-gateway ipv6 !ipv4". The actual implementation is much simpler than for IPv4 - we just add a few extra routes to the route_ipv6_option_list and leave it to init_route_ipv6_list() to figure out whether there is an overlap with IPv6 transport, and if yes, insert a host route to the VPN server via the current IPv6 default gateway. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1441985627-14822-8-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/10086
* Remove #ifdefs for client nat support.Arne Schwabe2015-09-151-17/+1
| | | | | | | | | The client-nat feature was always unconditionally enabled Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1442309019-7586-3-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/10109 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Create basic infrastructure for IPv6 default gateway handling / redirection.Gert Doering2015-09-151-2/+7
| | | | | | | | | | | | | | | | | | | | | | | | | - introduce get_default_gateway_ipv6() and add stub functions with the implementation plan to the 4 major code blocks here (Windows, Linux/Android, *BSD and Solaris, "others") - add &rgi6 to print_default_gateway(), and teach it to print v4, v6 or both, depending on the calling environment - unlike IPv4 (today), get_default_gateway_ipv6() is passed the actual target IPv6 address of the server we're looking for, so we can handle more complicated routing setups ("default to eth0, vpn server to ppp0") correctly - consequently, --show-gateway has an optional parameter now, the IPv6 address to look up (for debugging) - document --show-gateway and the extra option in openvpn.8 Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1441985627-14822-5-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/10087 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Show extra-certs in current parameters, fix clang warning and logic error in ↵Arne Schwabe2015-08-081-1/+2
| | | | | | | | | | | preresolve Closes ticket #591 Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1438859835-3977-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/10005 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix commit e473b7c if an inline file happens to have a line break exactly at ↵Arne Schwabe2015-07-271-1/+1
| | | | | | | | | | | | | | | buffer limit The check does only for strlen(line) space and buf_printf will only use at most space -1 and not print the final character ('\n') in this corner. Since a missing \n only breaks certificates at the start and end marker, missing line breaks otherwise do not trigger this error. Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <1438011191-19389-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/9956 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* options: fix option check for "plugin"Daniel Hahler2015-07-221-1/+1
| | | | | | | | | | | | | The "plugin" option has one required argument, and an optional one. This fixes a regression in 3d6a4cd (https://community.openvpn.net/openvpn/ticket/557). Signed-off-by: Daniel Hahler <git@thequod.de> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20150721100836.GV382@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/9932 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix --askpass not allowing for password input via stdinJames Geboski2015-07-131-2/+2
| | | | | | | | | | | | | | | | | | This resolves --askpass treating stdin as a file during the file access check. In turn, this leads to openvpn failing to start if this option is set to stdin. By default, --askpass reads the certificate's password from stdin rather than a file. Without passing the CHKACC_ACPTSTDIN flag to check_file_access(), stdin is marked as being a nonexistent file. Trac #248 Signed-off-by: James Geboski <jgeboski@gmail.com> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <55A41225.2020705@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/9918 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Report missing end-tags of inline files as errorsArne Schwabe2015-06-301-1/+8
| | | | | | | | | | | | (2.3 reports as warning only, 2.4 reports as M_FATAL) trac #568 Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1435581995-11820-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/9830 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fail if options have extra parameters [v2]Jonathan K. Bullard2015-06-211-267/+276
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Throw an error if an option has extra parameters; previously they were silently ignored (see also trac #557) This feature was discussed on the openvpn-devel mailing list (http://thread.gmane.org/gmane.network.openvpn.devel/9599). The (modified) message "Unrecognized option or missing or extra parameter(s)" is used except for a few options: * The --help option: An extra parameter for --help generates a specific error message after showing the syntax message. This is done to help a user who tries "--help tls-cipher" or similar, hoping to get more information about the "tls-cipher" option. * The --dhcp-option option: It has its own similar message, into which " or extra" has been inserted. * Ten options such as --up that accept a command (instead of a path) already detect extra parameters and generate specific error messages that mention double-quoting commands which contain embedded spaces. Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <CAEsd45RvRfmqetu-EoFjSdyBk5F9X1K5muPGu-+_+30TMNOU_A@mail.gmail.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/9783 URL: https://community.openvpn.net/openvpn/ticket/557 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Disallow usage of --server-poll-timeout in --secret key mode.Gert Doering2015-05-241-0/+3
| | | | | | | | | | | | | | | The internal machinery wants TLS for this to work, so just add this to the (long) list of options not allowed unless either --tls-client or --tls-server is active. For added sanity, add an ASSERT() call to the place where this combination caused a NULL ptr reference, and document the restriction. Fix trac #373 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <1432472554-24666-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/9736
* Fix null pointer dereference in options.cJonathan K. Bullard2015-05-231-1/+1
| | | | | | | | Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <CAEsd45SHoEtahdVT95a+N-zmjRG4nH3QPxBZoGpnh1pykjSU4A@mail.gmail.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/9723 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Remove size limit for files inlined in configSteffan Karger2015-05-021-1/+10
| | | | | | | | | | | | | | | | As described in trac #484, the current inline file size limit of 10000 bytes is becoming an issue for some users. Since RSA keys and signature sizes are increasing, we need to adjust our limits. As #484 reports, 10000 can be too small for PKCS#12 files with 4K RSA keys. Instead of postponing this issue by increasing the static limit, dynamically increase the buffer size while reading. This keeps the memory usage limited but does allow for larger inlined files. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1430122342-11742-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/9607 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Print helpful error message on --mktun/--rmtun if not available.Gert Doering2015-04-281-2/+0
| | | | | | | | | | | | | | | OpenVPN only supports --mktun/--rmtun to create/destroy persistant tunnels on Linux. On BSD OSes, "ifconfig tun0 create" can do the same job, so we do not actually need to support it - but the previous error message ("unknown option") wasn't helpful. So always accept the option now, and on non-supported systems, direct user to manpage. Trac #85 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Message-Id: <1430219063-12291-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/9617
* Mac OS X Keychain management clientVasily Kulikov2015-04-131-1/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds support for using certificates stored in the Mac OSX Keychain to authenticate with the OpenVPN server. This works with certificates stored on the computer as well as certificates on hardware tokens that support Apple's tokend interface. The patch is based on the Windows Crypto API certificate functionality that currently exists in OpenVPN. This patch version implements management client which handles RSA-SIGN command for RSA offloading. Also it handles new 'NEED-CERTIFICATE' request to pass a certificate from the keychain to OpenVPN. OpenVPN itself gets new 'NEED-CERTIFICATE" command which is called when --management-external-cert is used. It is implemented as a multiline command very similar to an existing 'RSA-SIGN' command. The patch is against commit 3341a98c2852d1d0c1eafdc70a3bdb218ec29049. v4: - added '--management-external-cert' argument - keychain-mcd now parses NEED-CERTIFICATE argument if 'auto' is passed as cmdline's identity template - fixed typo in help output option name - added '--management-external-cert' info in openvpn(8) manpage - added 'certificate' command documentation into doc/management-notes.txt v3: - used new 'NEED-CERTIFICATE' command for certificate data request instead of 'NEED-OK' - improved option checking - improved invalid certificate selection string handling - added man page for keychain-mcd - handle INFO, FATAL commands from openvpn and show them to user * ACK from Arne Schwabe for OpenVPN part * ACK from James based on Arne's testing v2 (http://sourceforge.net/p/openvpn/mailman/message/33225603/): - used management interface to communicate with OpenVPN process v1 (http://sourceforge.net/p/openvpn/mailman/message/33125844/): - used RSA_METHOD to extend openvpn itself Signed-off-by: Vasily Kulikov <segoon@openwall.com> -- Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <20150225160718.GA6306@cachalot> URL: http://article.gmane.org/gmane.network.openvpn.devel/9486 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix incorrect use of get_ipv6_addr() for iroute options.Gert Doering2015-03-081-1/+1
| | | | | | | | | get_ipv6_addr() returns "bool/false", not "int < 0" to signal error. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <1425819401-18465-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/9532
* Fix mssfix default value in connection_list contextLev Stipakov2015-03-071-1/+1
| | | | | | | | | | | | | | | | | | | Due to this bug, mssfix hasn't been assigned to fragment value and used default value (1450) instead. As a consequence, TCP packets get fragmented, which causes performance penalty. Since dual stack patch (commit 23d61c56b9fd218c39ad151b01b7e2d6690e6093) OpenVPN uses options->connection_list, even for single remote. This fix assigns mssfix value to fragment value for connection_entry inside connection_list instead of connection_entry inside options struct (which does not work for connection_list case). Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1425587636-23338-1-git-send-email-lstipakov@gmail.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/9507 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Add option to disable Diffie Hellman key exchange by setting '--dh none'Steffan Karger2015-01-041-4/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | As requested on the mailing list and in trac ticket #410, add an option to disable 'traditional' Diffie Hellman key exchange. People want to be able to create ecdh-only configurations. This patch also disables RSA key exchange by default for OpenSSL builds, to prevent that people who set "--dh none" but have an OpenSSL version that doesn't support ECDH end up with a less secure connection. Note that users that specify their own --tls-cipher override these defaults and thus can still use whatever OpenSSL supports (and might thus end up with less secure connections). PolarSSL does not allow to easily disable RSA key exchange during runtime, but its default compile options do not include RSA key exchange based cipher suites. Finally update the manpage to reflect the new behaviour, and while touching it change the text to motivate users towards a more secure configuration. v2 - disable RSA key exchange by default Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1420141569-11773-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/9376 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Remove ENABLE_SSL define (and --disable-ssl configure option)Steffan Karger2014-12-311-55/+9
| | | | | | | | | | | | | | | | | | | Remove the --disable-ssl configure option and accompanying ENABLE_SSL defines in the master/2.4 branch, to reduce the code and testing complexity a bit. This does not remove to runtime option to run without SSL, just the compile time option to not include any SSL-related code. During the community meeting in November 2014 there were no objections amongst he developers present. Also, this has been announced on the -users and -devel mailing lists two weeks ago, without any response whatsoever. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <54A4248A.1090501@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/9371 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Set tls-version-max to 1.1 if cryptoapicert is usedSteffan Karger2014-12-281-0/+18
| | | | | | | | | | | | | | | | | | | OpenVPN's current cryptoapicert implementation does not support TLS 1.2 (and newer). Fixing this requires a rewrite of our cryptoapi code to use Microsofts' "Cryptography API: Next Generation", and several hacks to work around that API. As long as we don't fix that, make openvpn automatically cap the TLS version to 1.1 when using cryptoapi (and tell the user we're doing so). This enables the user to use cryptoapi + TLS version negotiation (upto TLS 1.1) without having to change his configuration. This patch has been tested on Windows 8.1 for both the master and release/2.3 branches. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1419762313-31233-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/9361 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Make 'provider' option to --show-pkcs11-ids optional where p11-kit is presentDavid Woodhouse2014-12-271-2/+29
| | | | | | | | | | Trac: 490 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <1418905506.21260.6.camel@infradead.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/9355 Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit a91a06cb291414c9e657377e44f7a57343ae7f5a)
* pkcs11: Load p11-kit-proxy.so module by defaultDavid Woodhouse2014-12-271-0/+9
| | | | | | | | | | | | | | | If the user specifies --pkcs11-id or --pkcs-id-management but neglects to explicitly provide a --pkcs11-provider argument, and if the system has p11-kit installed, then load the p11-kit proxy module so that the system-configured tokens are available. Trac: 490 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <1418303015.31745.78.camel@infradead.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/9342 Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit 6f1d3cf062d5c33cbad4d521d157d43d53ffc7d1)
* sockets: Remove the limitation of --tcp-nodelay to be server-onlyDavid Sommerseth2014-12-091-1/+3
| | | | | | | | | | | | | | | | | | The assert(0) happening if trying to use --tcp-nodelay in a client config is really not helpful at all. When this assert(0) was removed, another warning appeared that this could only be used in server configs. That itself is also quite silly, as clients can choose to use --socket-flags TCP_NODELAY in the client config instead. This behaviour does not help the user in any way. This patch removes the server-only restriction and rather provides a more helpful warning when using --tcp-nodelay on the client side. Trac: 489 Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: 1418118764-17846-1-git-send-email-openvpn.list@topphemmelig.net URL: http://article.gmane.org/gmane.network.openvpn.devel/9334
* Peer-id patch v7Lev Stipakov2014-11-271-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Added new packet format P_DATA_V2, which includes peer-id. If server supports, client sends all data packets in the new format. When data packet arrives, server identifies peer by peer-id. If peer's ip/port has changed, server assumes that client has floated, verifies HMAC and updates ip/port in internal structs. Changes in v7: A few nitpicks. Changes in v6: Fixed: Make sure float won't happen if hmac check failed (regression). Fixed: Access outside of bounds of array, which has caused memory corruption and crash. Various review fixes. Changes in v5: Protection agains replay attack by commiting float changes only after existing packet processing flow has completed. If peer floats to an address which is already taken by another active session, drop float packet, otherwise disconnect existing session. Changes in v4: Handles correctly float to an address which is used by another peer. This also has fixed crash on assert in multi_client_disconnect. Changes in v3: Bugfix: If float happens after TLS renegotiation and there are no data packets between reneg and float, server will not recognize floated client. Acked-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1416755831-21250-1-git-send-email-lstipakov@gmail.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/9270 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Add --tls-version-maxSteffan Karger2014-11-141-3/+19
| | | | | | | | | | | | | | | Because using TLS 1.2 breaks certain setups, a user might want to enforce a maximum TLS version to use. This patch adds that option. This patch removes a number of #ifdefs from ssl_polarssl.c, because the polarssl versions we currently support (polar 1.2 for openvpn 2.3, and polar 1.3 for openvpn-master) have all versions unconditionally enabled. Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <544EC052.3080809@fox-it.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/9210 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix clang warning in options.cSteffan Karger2014-09-151-2/+2
| | | | | | | | | | | | | | | fixed warning: expression which evaluates to zero treated as a null pointer constant of type 'struct addrinfo *' Seems to be innocent, but clang is correct that this is strange. init_tun() expects two pointers, but options_string() tried to feed it two uint32_t values. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Message-Id: <1408568426-19601-2-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/9004 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Always enable http-proxy and socks-proxyArne Schwabe2014-07-181-36/+4
| | | | | | | | Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1404735142-31420-2-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8840 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Do not upcase x509-username-field for mixed-case arguments.Andris Kalnozols2014-07-101-4/+22
| | | | | | | | | | | | | | I revisited options.c to refine its brute-force upcasing behavior. Now, the upcasing is done only if the option argument is all lowercase. Mixed-case arguments and those with the "ext:" prefix are left unchanged. This preserves the original intent of the "helpful" upcasing feature for backwards compatibility while limiting its scope in a straightforward way. Signed-off-by: Andris Kalnozols <andris@hpl.hp.com> Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <53B1BDD8.8020705@karger.me> Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Move #include "ssl_verify.h" from ssl.h to the source files that need it.Steffan Karger2014-06-011-0/+1
| | | | | | | | Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1401645536-27849-4-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8749 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fixed some compile issues with show_library_versions()James Yonan2014-05-201-6/+9
| | | | | | | | | | | | | | | | | | | * Refactored show_library_versions to work around the fact that some compilers (such as MSVC 2008) can't handle #ifdefs inside of macro references. * Declare show_library_versions() in options.h because it's referenced by other files such as openvpn.c. * Declare get_ssl_library_version() as returning const char *, to avoid loss of const qualifier in ssl_openssl.c. Signed-off-by: James Yonan <james@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1399589436-8730-7-git-send-email-james@openvpn.net> URL: http://article.gmane.org/gmane.network.openvpn.devel/8711 Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit a91a2d6ad7b139ec78d61c8616b8447847e9ecc6)
* Conditionalize calls to print_default_gateway on !ENABLE_SMALLGert Doering2014-04-301-1/+1
| | | | | | | | | | | | | Calls to print_default_gateway() depended on #ifdef ENABLE_DEBUG, but the actual function wasn't compiled in #ifdef ENABLE_SMALL, so the combination "configure --enable-small --enable-debug" didn't work. Fix. Fix trac #397 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <1398805779-29376-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8670
* Add support for elliptic curve diffie-hellmann key exchange (ECDH)Steffan Karger2014-04-251-0/+11
| | | | | | | | | | | | | | | | | | | | | | | | This patch is based on Jan Just Keijser's patch from Feb 7, 2012. When OpenSSL 1.0.2+ or PolarSSL is used, lets the crypto library do the heavy lifting. For OpenSSL builds, if a user specifies a curve using --ecdh-curve, it first tries to override automatic selection using that curve. For older OpenSSL, tries the following things (in order of preference): * When supplied, use the ecdh curve specified by the user. * Try to extract the curve from the private key, use the same curve. * Fall back on secp384r1 curve. Note that although a curve lookup might succeed, OpenSSL 1.0.0 and older do *not* support TLSv1.1 or TLSv1.2, which means no that no EC-crypto can be used. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <53597BEA.6080408@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8625 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Add SSL library version reporting.Gert Doering2014-04-181-0/+18
| | | | | | | | | | | | Print the version of the SSL and LZO library (if any) used. SSL library version is also sent as IV_SSL=<version> to the server if --push-peer-info is enabled. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <20140416152456.GI16637@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8537
* Bump minimum OpenSSL version to 0.9.8Steffan Karger2014-03-231-9/+0
| | | | | | | | | | | | | OpenSSL 0.9.7 and older are considered obsolete (see http://www.openssl.org/news/news.html). This patch updates configure.ac to require OpenSSL 0.9.8 or newer, and removes a number of #ifdefs that are now no longer needed. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1395582781-27966-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8392 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Don't show the connection profile store in options->ce if there is a ↵Arne Schwabe2014-03-231-2/+5
| | | | | | | | | | | | | connection_list defined. Entries in options->ce are never used and overwritten by the first usable connection profile on initialisation. Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395407925-25518-8-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8377 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Introduce an option to resolve dns names in advance for --remote, --local ↵Arne Schwabe2014-03-231-0/+12
| | | | | | | | | | | | | | | and --http-proxy Also introduce x_gc_addspeical function that allows to add objects with a custom free function to the gc. Some additional addrinfo cleanup Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395576786-17507-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8386 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Implement an easy parsable log output that allows access to flags of the log ↵Arne Schwabe2014-03-221-0/+8
| | | | | | | | | | message Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395407925-25518-5-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8374 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix warning for max-routes: do not quit when parsing an old configuration. ↵Arne Schwabe2014-03-171-2/+4
| | | | | | | | | | Format the message to be more like the other deprecated options Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395060345-30870-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8354 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Introduce safety check for http proxy optionsArne Schwabe2014-03-171-0/+2
| | | | | | | | Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395061013-1802-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8353 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* grow route lists dynamicallyHeiko Hund2014-02-231-25/+8
| | | | | | | | | | | | | This removes the need for the --max-routes option. Instead of allocating a fixed size array for the route(-option)s they are managed in linked lists instead. Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1392746395-19246-1-git-send-email-heiko.hund@sophos.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/8295 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* remove some 'unused variable' warningsGert Doering2014-01-111-0/+2
| | | | | | | | Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1389371142-26705-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8197
* Fix spurious ignoring of pushed config options (trac#349).Jens Wagner2014-01-071-0/+1
| | | | | | | | | | | | | | | | | | | | | | | The function incoming_push_message(...) in push.c uses a local variable option_types_found, that gets passed to do_up(...). If the server push got split into several parts, only the last part (PUSH_MSG_REPLY) option_types_found is used for do_up (initilized as 0 locally), the previous ones (PUSH_MSG_CONTINUATION) are ignored. So e.g. a ping config, pushed by the server in the first push, followed by a lot of "push route" configs, causing a second push message, will have the do_up() called, but without e.g. the OPT_P_TIMER flag, so those options will be silently ignored. The patch resolves that, by introducing "push_option_types_found" in "c->options" and using that as storage. Fix trac bug #349. Acked-by: Gert Doering <gert@greenie.muc.de> URL: https://community.openvpn.net/openvpn/ticket/349 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Implement LZ4 compression.Gert Doering2014-01-061-0/+10
| | | | | | | | | | | | | | | | | | Implement LZ4 compression, similar to the existing snappy / push-peer-info model: a LZ4 capable client will send IV_LZ4=1 to the server, and the algorithm is selected by pushing "compress lz4" back. LZ4 does not compress as well as LZO or Snappy, but needs far less CPU and is much faster, thus better suited for mobile devices. See https://code.google.com/p/lz4/ for more details. LZ4 include and library path can be specified by specifying LZ4_LIBS=... and LZ4_CFLAGS=... on the configure command line. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1388613479-22377-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8153
* Add warning for using connection block variables after connection blocksArne Schwabe2013-12-171-7/+23
| | | | | | | | | | | | | | | In 2.3 some options that were allowed only in global config before have been moved to connection blocks. This changes the behaviour if the variables were defined after connection block. This patch adds a warning to catch these mistakes. Also let warnings errors show [CONNECTION-OPTIONS] instead of [CMD-LINE] for connection blocks Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1387275767-10303-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8117 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix file checks when --chroot is being usedDavid Sommerseth2013-12-161-21/+61
| | | | | | | | | | | | | | | | | | | | | | | | | Commit 0f2bc0dd92f43c9 started to introduce some file sanity checking before OpenVPN started to avoid harder to explain issues due to missing files or directories later on. But that commit did not consider --chroot at all. Which would basically cause OpenVPN to complain on non-missing files, because it would not consider that the files where inside a chroot. This patch is based on the thoughts in a patch by Josh Cepek [1], but trying to simplify it at bit. [1] <http://thread.gmane.org/gmane.network.openvpn.devel/7873>, (Message-ID: l142b7$15v$1@ger.gmane.org) [v2 - Simplify the changes in check_cmd_access(), let the chroot tackling happen only in check_file_access_chroot() only] Trac-ticket: 330 Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <1385382778-4723-1-git-send-email-dazo@users.sourceforge.net> URL: http://article.gmane.org/gmane.network.openvpn.devel/8060 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Implement listing on IPv4/IPv6 dual socket on all platformArne Schwabe2013-11-291-0/+4
| | | | | | | | | | With this patch OpenVPN will listen on Ipv4 as well as IPv6 when an IPv6 socket is used. Using bind ipv6only will disable this behavior Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1385382680-5912-7-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8052 Signed-off-by: Gert Doering <gert@greenie.muc.de>
generated by cgit (git 2.34.1) at 2024-04-26 06:29:50 +0000