summaryrefslogtreecommitdiffstats
path: root/src/openvpn/ssl.c
Commit message (Collapse)AuthorAgeFilesLines
* Increase control channel packet size for faster handshakesSteffan Karger2015-07-011-2/+3
| | | | | | | | | | | | | | | | | | | | | | Instead of limiting the control channel TCP/UDP packet payload size at '100 bytes + real control channel overhead' (~140 bytes ethernet payload), increase the max TCP/UDP payload size to '1250 bytes - calculated overhead' (~1210 bytes ethernet payload). Note that this patch does *not* yield an optimal solution, but it is a simple and rather safe change that will improve connection setup times significantly. v2: use the mininum value of --link-mtu and 1250 to give the user a way to reduce control packet size if really needed. trac #545 Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1435693496-10931-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/9841 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Re-read auth-user-pass file on (re)connect if requiredSteffan Karger2015-05-231-2/+2
| | | | | | | | | | | | | | Fixes trac #225 ('--auth-user-pass FILE' and '--auth-nocache' problem). This patch is based on the changes suggested by ye_olde_iron in the trac ticket. Also added a note to the manpage to inform people to use absolute paths when combining --auth-user-pass file and --auth-nocache. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1432386145-15045-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/9717 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Mac OS X Keychain management clientVasily Kulikov2015-04-131-4/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds support for using certificates stored in the Mac OSX Keychain to authenticate with the OpenVPN server. This works with certificates stored on the computer as well as certificates on hardware tokens that support Apple's tokend interface. The patch is based on the Windows Crypto API certificate functionality that currently exists in OpenVPN. This patch version implements management client which handles RSA-SIGN command for RSA offloading. Also it handles new 'NEED-CERTIFICATE' request to pass a certificate from the keychain to OpenVPN. OpenVPN itself gets new 'NEED-CERTIFICATE" command which is called when --management-external-cert is used. It is implemented as a multiline command very similar to an existing 'RSA-SIGN' command. The patch is against commit 3341a98c2852d1d0c1eafdc70a3bdb218ec29049. v4: - added '--management-external-cert' argument - keychain-mcd now parses NEED-CERTIFICATE argument if 'auto' is passed as cmdline's identity template - fixed typo in help output option name - added '--management-external-cert' info in openvpn(8) manpage - added 'certificate' command documentation into doc/management-notes.txt v3: - used new 'NEED-CERTIFICATE' command for certificate data request instead of 'NEED-OK' - improved option checking - improved invalid certificate selection string handling - added man page for keychain-mcd - handle INFO, FATAL commands from openvpn and show them to user * ACK from Arne Schwabe for OpenVPN part * ACK from James based on Arne's testing v2 (http://sourceforge.net/p/openvpn/mailman/message/33225603/): - used management interface to communicate with OpenVPN process v1 (http://sourceforge.net/p/openvpn/mailman/message/33125844/): - used RSA_METHOD to extend openvpn itself Signed-off-by: Vasily Kulikov <segoon@openwall.com> -- Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <20150225160718.GA6306@cachalot> URL: http://article.gmane.org/gmane.network.openvpn.devel/9486 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* New approach to handle peer-id related changes to link-mtu.Gert Doering2015-02-151-4/+6
| | | | | | | | | | | | | | | | | | | | | | Instead of statically increasing link-mtu by +3, keep the old value for OCC compatibility with old servers/clients, and only increase link-mtu if peer-id option is enabled (right now: is pushed by server). If link-mtu has been set in the config, keep configured value, and log warning (because the extra overhead has to decrease tun-mtu). Reserve extra +3 bytes in frame->extra_link. v2: use frame->extra_link, not frame->extra_buffer (receive path on server) introduce frame_add_to_link_mtu() to manipulate frame->link_mtu value rework comments to make more clear what is happening This reverts commit f95010ad247a8998e0c39e394236251fca316849. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1423390725-13438-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/9450
* Account for peer-id in frame size calculationSteffan Karger2015-01-231-6/+4
| | | | | | | | | | | | | | | Data channel packet using P_DATA_V2 will use three bytes extra for the peer-id. This needs to be accounted for, otherwise OpenVPN will throw TCP/UDP packet too large on write to [AF_INET]10.1.1.1:1194 warnings. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Lev Stipakov <lstipakov@gmail.com> Message-Id: <1422042761-10014-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/9418 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Add option to disable Diffie Hellman key exchange by setting '--dh none'Steffan Karger2015-01-041-1/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | As requested on the mailing list and in trac ticket #410, add an option to disable 'traditional' Diffie Hellman key exchange. People want to be able to create ecdh-only configurations. This patch also disables RSA key exchange by default for OpenSSL builds, to prevent that people who set "--dh none" but have an OpenSSL version that doesn't support ECDH end up with a less secure connection. Note that users that specify their own --tls-cipher override these defaults and thus can still use whatever OpenSSL supports (and might thus end up with less secure connections). PolarSSL does not allow to easily disable RSA key exchange during runtime, but its default compile options do not include RSA key exchange based cipher suites. Finally update the manpage to reflect the new behaviour, and while touching it change the text to motivate users towards a more secure configuration. v2 - disable RSA key exchange by default Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1420141569-11773-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/9376 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Remove ENABLE_SSL define (and --disable-ssl configure option)Steffan Karger2014-12-311-2/+2
| | | | | | | | | | | | | | | | | | | Remove the --disable-ssl configure option and accompanying ENABLE_SSL defines in the master/2.4 branch, to reduce the code and testing complexity a bit. This does not remove to runtime option to run without SSL, just the compile time option to not include any SSL-related code. During the community meeting in November 2014 there were no objections amongst he developers present. Also, this has been announced on the -users and -devel mailing lists two weeks ago, without any response whatsoever. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <54A4248A.1090501@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/9371 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Drop too-short control channel packets instead of asserting out.Steffan Karger2014-11-281-1/+5
| | | | | | | | | | | | | | | | | | This fixes a denial-of-service vulnerability where an authenticated client could stop the server by triggering a server-side ASSERT(). OpenVPN would previously ASSERT() that control channel packets have a payload of at least 4 bytes. An authenticated client could trigger this assert by sending a too-short control channel packet to the server. Thanks to Dragana Damjanovic for reporting the issue. This bug has been assigned CVE-2014-8104. Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1CED409804E2164C8104F9E623B08B9018803B0FE7@FOXDFT02.FOX.local> Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Peer-id patch v7Lev Stipakov2014-11-271-7/+67
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Added new packet format P_DATA_V2, which includes peer-id. If server supports, client sends all data packets in the new format. When data packet arrives, server identifies peer by peer-id. If peer's ip/port has changed, server assumes that client has floated, verifies HMAC and updates ip/port in internal structs. Changes in v7: A few nitpicks. Changes in v6: Fixed: Make sure float won't happen if hmac check failed (regression). Fixed: Access outside of bounds of array, which has caused memory corruption and crash. Various review fixes. Changes in v5: Protection agains replay attack by commiting float changes only after existing packet processing flow has completed. If peer floats to an address which is already taken by another active session, drop float packet, otherwise disconnect existing session. Changes in v4: Handles correctly float to an address which is used by another peer. This also has fixed crash on assert in multi_client_disconnect. Changes in v3: Bugfix: If float happens after TLS renegotiation and there are no data packets between reneg and float, server will not recognize floated client. Acked-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1416755831-21250-1-git-send-email-lstipakov@gmail.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/9270 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Add --tls-version-maxSteffan Karger2014-11-141-1/+1
| | | | | | | | | | | | | | | Because using TLS 1.2 breaks certain setups, a user might want to enforce a maximum TLS version to use. This patch adds that option. This patch removes a number of #ifdefs from ssl_polarssl.c, because the polarssl versions we currently support (polar 1.2 for openvpn 2.3, and polar 1.3 for openvpn-master) have all versions unconditionally enabled. Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <544EC052.3080809@fox-it.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/9210 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* cleanup: remove #if 0'ed function initiate_untrusted_session() from ssl.c.Steffan Karger2014-07-031-16/+0
| | | | | | | | | | Has been inside the #if 0 since 'git tree epoch' (sept-2005) and was not referenced, from either code, nor dead code nor comment. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1404336688-15036-1-git-send-email-steffan@karger.me> Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Remove dependency on manage.h from ssl_verify.hSteffan Karger2014-06-011-1/+20
| | | | | | | | | | | verify_user_pass_enabled() is a function on a tls_session, and belongs in ssl.c. Moving the function removes the dependency on manage.h. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1401645536-27849-5-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8754 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix ssl.c, ssl_verify_* includesSteffan Karger2014-06-011-4/+0
| | | | | | | | | | | | | * ssl.c: remove three unneeded includes * ssl_verify_polarssl.h: remove two unneeded includes * ssl_verify_openssl.c: add missing ssl_verify_openssl.h and error.h includes, and reorder includes. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1401645536-27849-3-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8753 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Add support for elliptic curve diffie-hellmann key exchange (ECDH)Steffan Karger2014-04-251-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | This patch is based on Jan Just Keijser's patch from Feb 7, 2012. When OpenSSL 1.0.2+ or PolarSSL is used, lets the crypto library do the heavy lifting. For OpenSSL builds, if a user specifies a curve using --ecdh-curve, it first tries to override automatic selection using that curve. For older OpenSSL, tries the following things (in order of preference): * When supplied, use the ecdh curve specified by the user. * Try to extract the curve from the private key, use the same curve. * Fall back on secp384r1 curve. Note that although a curve lookup might succeed, OpenSSL 1.0.0 and older do *not* support TLSv1.1 or TLSv1.2, which means no that no EC-crypto can be used. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <53597BEA.6080408@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8625 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Add SSL library version reporting.Gert Doering2014-04-181-0/+1
| | | | | | | | | | | | Print the version of the SSL and LZO library (if any) used. SSL library version is also sent as IV_SSL=<version> to the server if --push-peer-info is enabled. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <20140416152456.GI16637@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8537
* Add openssl-specific common cipher list names to ssl.c.Steffan Karger2014-03-231-0/+13
| | | | | | | | | | | This adds a number of commonly used cipher list names to ssl.c, which makes OpenVPN not give a "translation not found" warning when using these. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1393684575-28112-2-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8316 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* remove some 'unused variable' warningsGert Doering2014-01-111-2/+1
| | | | | | | | Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1389371142-26705-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8197
* Reduce IV_OPENVPN_GUI_VERSION= to IV_GUI_VER=Gert Doering2014-01-091-2/+2
| | | | | | | | | | Use shorter variable name to signal the same thing (see f3a2cd255a3bc73) to save space in the buffer used by the collective IV_ info sent to server. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1389296891-1487-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8183
* Make tls_ctx_restrict_ciphers accept NULL as char *cipher_list.Steffan Karger2014-01-051-4/+1
| | | | | | | | | | | | | | | | This adds some ifs to check for NULL in tls_ctx_restrict_ciphers() to prepare for disabling export ciphers by default in OpenVPN 2.4+. Also let tls_ctx_restrict_ciphers always be called, also when *cipher_list is NULL. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <52C8922E.3030607@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8173 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Refactor tls_ctx_use_external_private_key()Joachim Schipper2013-11-231-7/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | OpenSSL's tls_ctx_load_cert_file() had a parameter in which a copy of the context's certificate chain was stored on return, used by tls_ctx_use_external_private_key() only and free()d immediately thereafter. PolarSSL also supported this output parameter, but returned a pointer to the context's certificate chain (rather than to a copy of the certificate, as OpenSSL does) - which meant that we would have to #ifdef the free(). PolarSSL cannot make a copy of a certificate chain, and OpenSSL cannot store a pointer to (instead of a copy of) the cert. So remove the output parameter from tls_ctx_load_cert_file() and incorporate the needed functionality directly into tls_ctx_use_external_private_key() (which is straightforward for both OpenSSL and PolarSSL, as long as you don't try to support both at once.) Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1379587649-25506-2-git-send-email-steffan.karger@fox-it.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/7888 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Remove duplicate cipher entries from TLS translation table.Max Muster2013-11-201-4/+0
| | | | | | | | | Patch from trac#304 - the translation table OpenSSL<->IANA contained duplicates for four IANA names, causing translation backwards to fail. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-By: Steffan Karger <steffan.karger@fox-it.com> URL: https://community.openvpn.net/openvpn/ticket/304
* Add reporting of UI version to basic push-peer-info set.Arne Schwabe2013-11-151-7/+9
| | | | | | | | | | | | | | | If a GUIs sets IV_OPENVPN_GUI_VERSION the version will be pushed to the server. Usage convention for IV_OPENVPN_GUI_VERSION is "<gui_id><space><version>", for example "de.blinkt.openvpn 0.5.47" for the ICS Android version. Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: James Yonan <james@openvpn.net> Message-Id: <1370005175-14871-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/7646 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* MSVC fixesJames Yonan2013-08-161-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fixes to allow compilation with Microsoft Visual Studio 2008 * Fixed several instances of declarations after statements. * In socket.c, fixed issue where uninitialized value (err) is being passed to to gai_strerror. * ssl.c is trying to access multi_output_peer_info_env function in multi.c, causing an undefined symbol warning at compile time. ssl.c is strictly a client of multi.c (but not the other way around), therefore ssl.c does not include multi.h and should not depend on multi.h API. To fix, moved validate_peer_info_line and multi_output_peer_info_env from multi.c to misc.c. * MSVC doesn't support %z as a printf format specifier for size_t * MSVC doesn't support a const variable being used to dimension an array. * Explicitly cast the third parameter to setsockopt to const void * Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1375049135-21444-1-git-send-email-james@openvpn.net> URL: http://article.gmane.org/gmane.network.openvpn.devel/7777 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* TLS version negotiationJames Yonan2013-07-111-0/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Updated the TLS negotiation logic to adaptively try to connect using the highest TLS version supported by both client and server. Previously, OpenVPN (when linked with OpenSSL) would always connect using TLS 1.0. Also added tls-version-min directive to force a higher TLS version than 1.0: tls-version-min <version> ['or-highest'] -- sets the minimum TLS version we will accept from the peer. Examples for version include "1.0" (default), "1.1", or "1.2". If 'or-highest' is specified and version is not recognized, we will only accept the highest TLS version supported by the local SSL implementation. Examples: tls-version-min 1.1 -- fail the connection unless peer can connect at TLS 1.1 or higher. tls-version-min 1.2 or-highest -- require that the peer connect at TLS 1.2 or higher, however if the local SSL implementation doesn't support TLS 1.2 (as it wouldn't if linked with an older version of OpenSSL), reduce the minimum required version to the highest version supported by the local SSL implementation (such as TLS 1.0). This is intended to allow client configurations to target higher TLS versions that are supported on the server, even if some older clients don't support these versions yet. [ This is a merged patch from on the following commits on git://github.com/jamesyonan/openvpn.git 03a5599202bdc3ba07983dc4efdae387fb8fb436 d23005413b0e0f28a3c48a6342f494763d5c9b40 ] Signed-off-by: James Yonan <james@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> URL: http://thread.gmane.org/gmane.network.openvpn.devel/7743 URL: http://thread.gmane.org/gmane.network.openvpn.devel/7744 Message-Id: 51C77F12.1090802@openvpn.net Signed-off-by: David Sommerseth <davids@redhat.com>
* Remove the --disable-eurephia configure optionDavid Sommerseth2013-07-031-4/+1
| | | | | | | | | | | | | | | | This "feature" has been enabled since OpenVPN 2.2 without any reports that this has been causing issues. All it does is to add an extra environment variable 'tls_digest_{n}' with the certificate SHA1 fingerprint/digest hash. Lets just simplify things by removing the possibility to disable this environment variable. Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1370600123-6029-1-git-send-email-dazo@users.sourceforge.net> URL: http://article.gmane.org/gmane.network.openvpn.devel/7660 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* PATCHv3 Remove unused variables or put them to the defines they are being ↵Arne Schwabe2013-06-201-4/+0
| | | | | | | | | | used in Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1366059999-31731-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/7511 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix another #ifdef/#if P2MP_SERVERArne Schwabe2013-06-011-1/+1
| | | | | | | | Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1370013992-18592-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/7647 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix #ifdefs for P2MP_SERVERArne Schwabe2013-05-311-1/+1
| | | | | | | | | | | (Fix check introduced by commit a8be73799be1639, testing with #ifdef instead of #if - P2MP_SERVER is always defined, and can be "0" or "1") Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1369949680-9499-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/7637 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Make push-peer-info visible in "normal" per-instance environment.Gert Doering2013-05-271-13/+22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Without this patch, peer-info pushed by clients in the TLS handshake is only visible on the management interface, and only if --management-client-auth is enabled. With this patch, received records are sanitized and put into the normal "multi instance" environment, where it can be evaluated by --client-connect or --auth-user-pass-verify scripts and plugins, etc. Only records matching a fairly strict "name=value" format are accepted, and only names starting with IV_ or UV_ are exported, to avoid clients sending funny stuff and playing havoc with script/plugin environments on the server. In the "value" part, spaces, non-printable characters and shell metacharacters are replaced by '_'. The change is somewhat invasive as reception of the peer_info string was only done when username+password are expected from the client, but the data is always there (if the client sends no username/password, it will send 0-length strings, so always extracting 3 strings is safe). Also, the sanitation function validate_peer_info_line() and the opts->peer_info field were only compiled in #ifdef MANGEMENT_DEF_AUTH... Patch v3: do not call the old man_output_peer_info_env() anymore, unless a management env-filter has been set (= ensure IV_ and UV_ stuff is sent at most *once*, and exactly the way OpenVPN AS expects it). Add substituting of "bad" characters in the environment values. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1367757373-31637-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/7582
* Always push basic set of peer info values to server.James Yonan2013-05-271-15/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | On the client, allow certain peer info fields to be pushed even if push-peer-info isn't specified in the config. This is needed to allow the compression handshake to work correctly (i.e. where the client indicates its support for LZO and/or Snappy). Fields that have privacy implications such as Mac Address and UV_* environment variables will not be pushed to the server as before unless push-peer-info is specified by client config. v1: equivalent to OpenVPN SVN r8225 (2.1.21c) v2: distinguish 3 levels of peer-info detail --push-peer-info specified --> send all we have --pull specified --> send basic set, as per r8225 default --> send nothing (do not leak from server) v3: undo extra whitespace changes in v1 and v2 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1369044801-7594-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/7604
* Added support for the Snappy compression algorithmJames Yonan2013-05-191-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Added support for the Snappy compression algorithm which has shown to have considerably better compression speed than LZO at a comparable compression ratio. To enable Snappy add: compress snappy to both client and server config files. Alternatively, enable compression framing on the client: compress and have the server selectively push "compress snappy" to the client. This change also extends the client capability handshake to include IV_SNAPPY so the server can be aware that a connecting client supports Snappy. Note that the Snappy implementation also includes an improved framing approach where the first byte of the compressed payload is replaced by the compression control byte (the first payload byte is moved to the end of the packet). This solves off-by-one alignment issues, which improves performance on ARM. By default, the configure script will try to build with Snappy support. To disable, use the --disable-snappy option. The --enable-lzo-stub configure directive is now --enable-comp-stub (because it's not actually "lzo" but "compression-enabled packet framing") Add compression overhead to extra buffer unconditionally, as long as USE_COMP is defined. OpenVPN SVN r8206 (2.1.21a) and r8212 (2.1.21b) Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1366393268-27392-3-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/7531 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Android platform specific changes.Arne Schwabe2013-05-011-0/+2
| | | | | | | | | | | | | On Android 4.0 (TARGET_ANDROID) the real opening of the tun is handled by the (Java) application controlling OpenVPN. Instead of calling ifconfig/route call the management to do the work. When running openvpn as root openvpn should be compiled as TARGET_LINUX Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1367350151-23089-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/7570 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Switch to IANA names for TLS ciphers.Steffan Karger2013-03-221-0/+147
| | | | | | | | | | | | | Added translation table and functions to translate between TLS OpenSSL and IANA (IETF) cipher suite names. The previously used OpenSSL names are still accepted, but a deprecation warning is issued. Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1363942465-3251-6-git-send-email-steffan.karger@fox-it.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/7439 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Removed stray "Fox-IT hardening" string.Adriaan de Jong2012-04-281-1/+1
| | | | | | | | Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com> Message-Id: 1333351687-3732-5-git-send-email-dejong@fox-it.com URL: http://article.gmane.org/gmane.network.openvpn.devel/6212 Signed-off-by: David Sommerseth <davids@redhat.com>
* Added support for new PolarSSL 1.1 RNGAdriaan de Jong2012-04-271-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch, while retaining PolarSSL 1.0 support, introduces the PolarSSL 1.1 DRBG. This RNG adds a number of features, including support for personalisation strings and multiple entropy sources. Personalisation strings have been implemented, based on PID, program name, place within memory, and a hash of the user's certificate. The entropy sources used are the platform default ones. Which ones these are depends on how PolarSSL was built, but usually this includes: - /dev/urandom or the Windows CryptoAPI RNG - the HAVEGE RNG - the output of PolarSSL's hardclock() call (usually RDTSC) Finally, this patch moves to only one instance of the RNG per OpenVPN instance, instead of one per keystate Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Signed-off-by: Eelse-jan Stutvoet <stutvoet@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Message-Id: 1333351687-3732-1-git-send-email-dejong@fox-it.com URL: http://article.gmane.org/gmane.network.openvpn.devel/6210 Signed-off-by: David Sommerseth <davids@redhat.com> Notes: This patch was ACKed by James Yonan in an IRC meeting March 29, 2012 under the condition that PolarSSL 1.0 and havege support is removed later on. Currently, the meeting minutes have not been made public. (David Sommerseth, Fri Apr 27 21:31:03 UTC 2012)
* build: move out config.h include from sysheadAlon Bar-Lev2012-03-221-0/+6
| | | | | | | | | | | Yet another step in reducing the syshead.h content. Conditional compilation of sources needs to be based on a minimum program prefix (config.h only). Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
* build: proper crypto detection and usageAlon Bar-Lev2012-03-221-3/+3
| | | | | | Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Signed-off-by: David Sommerseth <davids@redhat.com>
* build: properly process lzo-stubAlon Bar-Lev2012-03-221-1/+1
| | | | | | Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: Samuli Seppänen <samuli@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
* build: proper pkcs11-helper detection and usageAlon Bar-Lev2012-03-221-1/+1
| | | | | | Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: Samuli Seppänen <samuli@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
* build: standard directory layoutAlon Bar-Lev2012-03-221-0/+3373
Suitable for mature project. root - administrative stuff doc - documents src - sources tests - tests distro - distro specific files sample - samples SIDE EFFECT: many changes to rpm spec. Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Signed-off-by: David Sommerseth <davids@redhat.com>
generated by cgit (git 2.34.1) at 2024-05-27 11:51:44 +0000