summaryrefslogtreecommitdiffstats
path: root/src/openvpn/ssl_verify.c
Commit message (Collapse)AuthorAgeFilesLines
* Allow for CN/username of 64 characters (fixes off-by-one)Steffan Karger2015-03-061-3/+3
| | | | | | | | | | | | | | | This is an alternative patch to fix the issue reported in trac #515 by Jorge Peixoto. Instead of increasing the TLS_USERNAME_LEN define, do +1 at the relevant places in the code. Also see Jorge's original patch and the discussion on the maillinglist: http://thread.gmane.org/gmane.network.openvpn.devel/9438 Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <54F8CC9B.9040104@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/9508 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Disallow lameduck's float to an address taken by another clientLev Stipakov2015-01-221-1/+1
| | | | | | | | | | | | | | | Existing check didn't take into account the case when floated client is lame duck (CN for lame duck is NULL), which allowed lame duck to float to an address taken by another client. As a fix we use cert_hash_compare function which, besides fixing mentioned case, also allows lame duck to float to an address already taken by the same client. Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <1420658798-29943-1-git-send-email-lstipakov@gmail.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/9386 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Remove ENABLE_SSL define (and --disable-ssl configure option)Steffan Karger2014-12-311-2/+2
| | | | | | | | | | | | | | | | | | | Remove the --disable-ssl configure option and accompanying ENABLE_SSL defines in the master/2.4 branch, to reduce the code and testing complexity a bit. This does not remove to runtime option to run without SSL, just the compile time option to not include any SSL-related code. During the community meeting in November 2014 there were no objections amongst he developers present. Also, this has been announced on the -users and -devel mailing lists two weeks ago, without any response whatsoever. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <54A4248A.1090501@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/9371 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Make serial env exporting consistent amongst OpenSSL and PolarSSL builds.Steffan Karger2014-04-271-0/+5
| | | | | | | | | | | | | | | This changes the representation of the tls_serial_{n} environment variable from hex to decimal for PolarSSL builds, to match OpenSSL build behaviour. Because hex representation for serials makes sense too, and to ease transition for PolarSSL users, added tls_serial_hex_{n} that exports the serial in hex represenation for both crypto library backends. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1398588561-18964-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8649 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Upgrade to PolarSSL 1.3Steffan Karger2014-04-211-3/+3
| | | | | | | | | | | | | | | This removes support for PolarSSL 1.2. The mimimum version of PolarSSL required is now 1.3.3. The upgrade brings OpenVPN-with-PolarSSL: * Support for EC-crypto in TLS (but not yet for external pkcs11/management keys) * Support for AES-NI (if PolarSSL is compiled with AES-NI support) Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Message-Id: <53528943.3090205@fox-it.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/8555 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Bump minimum OpenSSL version to 0.9.8Steffan Karger2014-03-231-4/+0
| | | | | | | | | | | | | OpenSSL 0.9.7 and older are considered obsolete (see http://www.openssl.org/news/news.html). This patch updates configure.ac to require OpenSSL 0.9.8 or newer, and removes a number of #ifdefs that are now no longer needed. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1395582781-27966-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8392 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Remove the --disable-eurephia configure optionDavid Sommerseth2013-07-031-2/+0
| | | | | | | | | | | | | | | | This "feature" has been enabled since OpenVPN 2.2 without any reports that this has been causing issues. All it does is to add an extra environment variable 'tls_digest_{n}' with the certificate SHA1 fingerprint/digest hash. Lets just simplify things by removing the possibility to disable this environment variable. Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1370600123-6029-1-git-send-email-dazo@users.sourceforge.net> URL: http://article.gmane.org/gmane.network.openvpn.devel/7660 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* PATCHv3 Remove unused variables or put them to the defines they are being ↵Arne Schwabe2013-06-201-0/+2
| | | | | | | | | | used in Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1366059999-31731-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/7511 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* add new option for X.509 name verificationHeiko Hund2013-03-071-5/+10
| | | | | | | | | | | | | | Add the option --verify-x509-name to provide the functionality of the now deprecated --tls-remote. The new option accepts RFC 2253 subject DNs only and compares RDN or RDN prefix only if configured explicitly. Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: 1362670601-18660-1-git-send-email-heiko.hund@sophos.com URL: http://article.gmane.org/gmane.network.openvpn.devel/7376 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Add --compat-names optionHeiko Hund2012-09-121-9/+45
| | | | | | | | | | | | | | | | | | | | | | | | With this option, users can basically undo the changes of the UTF-8 support commit 5e86fd93779482b90a191f929edebe414cd78a4f. It's here for short term compatibility and should be removed again as soon as possible. When OpenSSL is used, the subject strings will be in the proprietary format again. Generally username, X.509 CN, and X.509 subject will again be subject to '_' replacemant, unless the "no-remapping" flag is also specified. That flag ensures compatibility with setups using the --no-name-remapping option, that has been removed in 2.3. [v2: More comments related to compat_flags() added by DS plus using COMPAT_FLAG_QUERY expclit] [v3: Improved the man page entry for --compat-names, after suggestions from Bernhard R. Link] Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com> Message-Id: 1347377664-15462-1-git-send-email-dazo@users.sourceforge.net URL: http://article.gmane.org/gmane.network.openvpn.devel/7053
* cleanup: gc usageAlon Bar-Lev2012-04-021-23/+30
| | | | | | | | | | | | | | | | Cleanup of "Use the garbage collector when retrieving x509 fields" patch series. Discussed at [1]. There should be an effort to produce common function prologue and epilogue, so that cleanups will be done at single point. [1] http://comments.gmane.org/gmane.network.openvpn.devel/5401 Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Signed-off-by: David Sommerseth <davids@redhat.com>
* Migrated x509_get_sha1_hash to use the garbage collectorAdriaan de Jong2012-03-301-5/+2
| | | | | | | Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
* Migrated x509_get_serial to use the garbage collectorAdriaan de Jong2012-03-301-14/+14
| | | | | | | Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
* Migrated x509_get_subject to use of the garbage collectorAdriaan de Jong2012-03-301-3/+4
| | | | | | | | | This also cleans up a messy call in pkcs11.c to _openssl_get_subject, as discussed at FOSDEM. Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
* build: move wrappers into platform moduleAlon Bar-Lev2012-03-241-4/+4
| | | | | | | | | + Some fixups within the platform.c functions. - need to check environment set on Windows. Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <davids@redhat.com>
* build: move out config.h include from sysheadAlon Bar-Lev2012-03-221-0/+6
| | | | | | | | | | | Yet another step in reducing the syshead.h content. Conditional compilation of sources needs to be based on a minimum program prefix (config.h only). Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
* build: proper crypto detection and usageAlon Bar-Lev2012-03-221-11/+11
| | | | | | Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Signed-off-by: David Sommerseth <davids@redhat.com>
* build: standard directory layoutAlon Bar-Lev2012-03-221-0/+1218
Suitable for mature project. root - administrative stuff doc - documents src - sources tests - tests distro - distro specific files sample - samples SIDE EFFECT: many changes to rpm spec. Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Signed-off-by: David Sommerseth <davids@redhat.com>
generated by cgit (git 2.34.1) at 2024-05-26 19:51:22 +0000