summaryrefslogtreecommitdiffstats
path: root/src/openvpn
Commit message (Collapse)AuthorAgeFilesLines
...
* Fix is_ipv6 in case of tap interface.Dmitrij Tejblum2014-04-291-1/+1
| | | | | | | | | | | | | While checking a packet on a TAP interface, is_ipv_X() in proto.c insist that the ethertype must be OPENVPN_ETH_P_IPV4, even if the protocol is IPv6. So the protocol never match, and, thus, mssfix doesn't work for IPv6 on TAP interface. Fix that. Signed-off-by: Dmitrij Tejblum <dt@yandex.ru> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1391873629-14388-1-git-send-email-dt@yandex.ru> URL: http://article.gmane.org/gmane.network.openvpn.devel/8259 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Make serial env exporting consistent amongst OpenSSL and PolarSSL builds.Steffan Karger2014-04-274-2/+70
| | | | | | | | | | | | | | | This changes the representation of the tls_serial_{n} environment variable from hex to decimal for PolarSSL builds, to match OpenSSL build behaviour. Because hex representation for serials makes sense too, and to ease transition for PolarSSL users, added tls_serial_hex_{n} that exports the serial in hex represenation for both crypto library backends. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1398588561-18964-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8649 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Change signedness of hash in x509_get_sha1_hash(), fixes compiler warning.Steffan Karger2014-04-271-1/+1
| | | | | | | | | | | hash was cast from char * to unsigned char * at the return of the function. This patch removes the implicit cast by declaring hash as unsigned char * . Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1398585348-7969-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8647 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Repair --multihome on FreeBSD for IPv4 sockets.Gert Doering2014-04-251-2/+6
| | | | | | | | | | | | | | | | The code in link_socket_write_udp_posix_sendmsg() for the IP_RECVDESTADDR case was sending a too-large control message (sizeof openvpn_pktinfo, which is a union for IPv4+IPv6) instead of just openvpn_in4_pktinfo, leading to sendmsg() refusing to send the packet. Use RFC 2292 macros for alignment + size calculation. Fix trac#327 Signed-off-by: Gert Doering <gert@greenie.muc.de> Lazy-Ack-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1390164697-1590-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8250
* Add support for elliptic curve diffie-hellmann key exchange (ECDH)Steffan Karger2014-04-257-1/+180
| | | | | | | | | | | | | | | | | | | | | | | | This patch is based on Jan Just Keijser's patch from Feb 7, 2012. When OpenSSL 1.0.2+ or PolarSSL is used, lets the crypto library do the heavy lifting. For OpenSSL builds, if a user specifies a curve using --ecdh-curve, it first tries to override automatic selection using that curve. For older OpenSSL, tries the following things (in order of preference): * When supplied, use the ecdh curve specified by the user. * Try to extract the curve from the private key, use the same curve. * Fall back on secp384r1 curve. Note that although a curve lookup might succeed, OpenSSL 1.0.0 and older do *not* support TLSv1.1 or TLSv1.2, which means no that no EC-crypto can be used. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <53597BEA.6080408@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8625 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Improve error reporting during key/cert loading with PolarSSL.Steffan Karger2014-04-211-4/+14
| | | | | | | | Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Message-Id: <53528943.3090205@fox-it.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/8555 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Upgrade to PolarSSL 1.3Steffan Karger2014-04-219-193/+165
| | | | | | | | | | | | | | | This removes support for PolarSSL 1.2. The mimimum version of PolarSSL required is now 1.3.3. The upgrade brings OpenVPN-with-PolarSSL: * Support for EC-crypto in TLS (but not yet for external pkcs11/management keys) * Support for AES-NI (if PolarSSL is compiled with AES-NI support) Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Message-Id: <53528943.3090205@fox-it.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/8555 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Add SSL library version reporting.Gert Doering2014-04-186-0/+42
| | | | | | | | | | | | Print the version of the SSL and LZO library (if any) used. SSL library version is also sent as IV_SSL=<version> to the server if --push-peer-info is enabled. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <20140416152456.GI16637@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8537
* IPv6 address/route delete fix for Win8Gert Doering2014-04-132-2/+12
| | | | | | | | | | | | | Use "store=active" for IPv6 address and route deletion - seems to be required on Windows 8 and up, and not doing it will break OpenVPN reconnection (old addresses are not properly deleted, thus address can not be configured on connect). Reported-by: Cedric <cedric+openvpn@bgtn.net> Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Cedric Tabary <cedric+openvpn@bgtn.net> Message-Id: <20140413170648.GU16637@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8499
* Fix SOCKSv5 method selectionYawning Angel2014-04-131-3/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | So, RFC 1928 doesn't say anything about the METHODS field in the Method Selection message being ordered in terms of preference or anything, and the server is free to pick any of the METHODS offered by the client. Always sending a Method Selection message with NO AUTHENTICATION REQUIRED and USERNAME/PASSWORD set is broken on two fronts: * If the OpenVPN client can't handle the server picking USERNAME/PASSWORD due to the credentials being missing, it shouldn't offer it to the server. * If the OpenVPN client has credentials, then it should always attempt to authenticate. This is a security product. "You can misconfigure it and it will work" is not acceptable. Setting a username/password when the SOCKS server doesn't require/support that as an option is the user not configuring it correctly, and should be treated as such. Also verify that the SOCKS server returned the auth that was requested. URL: https://github.com/OpenVPN/openvpn/pull/14 Fix trac #377, trac #148 Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <20140413130102.GR16637@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8488 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Work around Solaris getaddrinfo() returing ai_protocol=0Arne Schwabe2014-04-101-5/+2
| | | | | | | | | | | | | | | | Create_socket() and sub-functions assume that the ai_protocol value returned by getaddrinfo() is IPPROTO_UDP or IPPROTO_TCP. On Solaris, it is "0", because Solaris's socket() call will then "select the right protocol" - but it breaks our code. So remove ASSERT()s on ai_protocol, and also accept properly set ai_socktype (SOCK_DGRAM/SOCK_STREAM) values if ai_protocol is not set. Signed-off-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <20140407201711.GN16637@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8428
* fix route struct nameHeiko Hund2014-04-011-1/+1
| | | | | | | | | | This slipped in with commit d0085293. Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1396346803-31772-1-git-send-email-heiko.hund@sophos.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/8421 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix crash when using --inetd.Gert Doering2014-03-302-6/+7
| | | | | | | | | | | | | | | | | | Change "local" argument to socket_do_listen() to avoid calling "local->ai_addr" in the caller for the "do_listen == FALSE" case, in which case it could be NULL. Also, ensure "ai" is always initialized in socket_listen_accept() for the "!remote_dynamic" case - otherwise it will sometimes(!) crash in addrlist_match() later on. Get rid of spurious operator precedence warning concerning GETADDR_CACHE_MASK. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1396181376-32022-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8412
* Fix assert when using port-shareArne Schwabe2014-03-261-1/+1
| | | | | | | | Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395407925-25518-12-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8369 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Clean up of socket code.Arne Schwabe2014-03-263-103/+95
| | | | | | | | | | | Let socket_create take struct addrinfo as argument and use the entries of addrinfo to create the socket. Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395407925-25518-11-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8370 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Disable unsupported TLS cipher modes by default, cleans --show-tls output.Steffan Karger2014-03-231-2/+2
| | | | | | | | | | | | This explicitly disables a number of tls ciphers that OpenVPN has currently no support for. OpenSSL will automatically detect this during negotiation, but --show-tls would erroneously show a number of unsupported ciphers. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1393684575-28112-3-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8318 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Add openssl-specific common cipher list names to ssl.c.Steffan Karger2014-03-231-0/+13
| | | | | | | | | | | This adds a number of commonly used cipher list names to ssl.c, which makes OpenVPN not give a "translation not found" warning when using these. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1393684575-28112-2-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8316 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Bump minimum OpenSSL version to 0.9.8Steffan Karger2014-03-236-52/+0
| | | | | | | | | | | | | OpenSSL 0.9.7 and older are considered obsolete (see http://www.openssl.org/news/news.html). This patch updates configure.ac to require OpenSSL 0.9.8 or newer, and removes a number of #ifdefs that are now no longer needed. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1395582781-27966-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8392 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Add gateway and device to android control messagesArne Schwabe2014-03-231-3/+6
| | | | | | | | Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395407925-25518-9-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8368 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Don't show the connection profile store in options->ce if there is a ↵Arne Schwabe2014-03-231-2/+5
| | | | | | | | | | | | | connection_list defined. Entries in options->ce are never used and overwritten by the first usable connection profile on initialisation. Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395407925-25518-8-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8377 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix for server selecting address familyArne Schwabe2014-03-231-12/+12
| | | | | | | | Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395407925-25518-7-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8371 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Introduce an option to resolve dns names in advance for --remote, --local ↵Arne Schwabe2014-03-2310-139/+415
| | | | | | | | | | | | | | | and --http-proxy Also introduce x_gc_addspeical function that allows to add objects with a custom free function to the gc. Some additional addrinfo cleanup Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395576786-17507-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8386 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Adjusted autotools files to build more cleanly on newer autoconf/automake ↵David Sommerseth2014-03-231-1/+1
| | | | | | | | | | versions Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <1389803764-5879-1-git-send-email-davids@redhat.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/8239 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Implement an easy parsable log output that allows access to flags of the log ↵Arne Schwabe2014-03-224-1/+38
| | | | | | | | | | message Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395407925-25518-5-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8374 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Workaround broken Android 4.4 VpnService API for persist-tun modeArne Schwabe2014-03-224-13/+68
| | | | | | | | | | | | | | | | In Android 4.4 it is not possible to open a new tun device and then close the old tun device without breaking the whole VPNService stack until the device is rebooted. Add new management method to ask the UI what method should be taken to ensure the optimal solution for the situation. Then do open-before-close or close-before-open inside open_tun() as requested. Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395407925-25518-4-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8373 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Move the initialization of the environment to the top so c2.es is initializedArne Schwabe2014-03-211-4/+4
| | | | | | | | Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395407925-25518-3-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8372 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix connecting to localhost on AndroidArne Schwabe2014-03-212-3/+35
| | | | | | | | | | Do not protect the link socket when connecting to localhost. Also only call the protect function on valid socket Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395407925-25518-2-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8375 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Set SSL_OP_NO_TICKET flag in SSL context for OpenSSL builds, to disable TLS ↵James Yonan2014-03-171-1/+1
| | | | | | | | | | | | | | | | | | | | | stateless session resumption. OpenVPN doesn't want or need SSL session renegotiation or resumption, as it handles renegotiation on its own. For this reason, OpenVPN always disables the SSL session cache: SSL_CTX_set_session_cache_mode (ctx, SSL_SESS_CACHE_OFF) However, even with the above code, stateless session resumption is still possible unless explicitly disabled with the SSL_OP_NO_TICKET flag. This patch does this. Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <1395017376-24554-1-git-send-email-james@openvpn.net> URL: http://article.gmane.org/gmane.network.openvpn.devel/8346 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix warning for max-routes: do not quit when parsing an old configuration. ↵Arne Schwabe2014-03-171-2/+4
| | | | | | | | | | Format the message to be more like the other deprecated options Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395060345-30870-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8354 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Introduce safety check for http proxy optionsArne Schwabe2014-03-171-0/+2
| | | | | | | | Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395061013-1802-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8353 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* grow route lists dynamicallyHeiko Hund2014-02-236-184/+130
| | | | | | | | | | | | | This removes the need for the --max-routes option. Instead of allocating a fixed size array for the route(-option)s they are managed in linked lists instead. Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1392746395-19246-1-git-send-email-heiko.hund@sophos.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/8295 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* convert struct signal_info elementHeiko Hund2014-01-171-1/+1
| | | | | | | | | | | This one place was forgotten when the elements type was changed from bool to int in the dual stack patch 23d61c56. Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1389972638-8006-2-git-send-email-heiko.hund@sophos.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/8243 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* make sure sa_family_t is definedHeiko Hund2014-01-171-0/+7
| | | | | | | | | | | On Windows there's no sa_family_t. This patch defines it in syshead.h is configure did not find it in the system headers. Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1389972638-8006-1-git-send-email-heiko.hund@sophos.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/8242 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Replace copied structure elements with including <net/route.h>Gert Doering2014-01-161-93/+2
| | | | | | | | | | | | | | | | | | | | | | The code for FreeBSD, Dragonfly, OpenBSD and NetBSD contained copies of structures from <net/route.h> (struct rt_msghdr in particular). OpenBSD changed some structure elements, making OpenVPN incompatible, depending on the specific OpenBSD version. Clean up: remove copied definitions, replace by including <net/route.h> directly - this could not be done originally due to a conflict with "struct route" in OpenVPN and <net/route.h>, cleaned up by the previous commit. Tested on FreeBSD 9.1-RELEASE, NetBSD 5.1, OpenBSD 4.9 (route.c compiles with no warnings, and "openvpn --show-gateway" works, which is the only part of the code that uses the structures in question). Fix trac #340 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1389650074-18455-2-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8230
* Rename 'struct route' to 'struct route_ipv4'Gert Doering2014-01-163-26/+26
| | | | | | | | | | | | To fix trac #340, we need to rename our "struct route" to avoid a collision with "struct route" from <net/route.h> on *BSD. No functional changes. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1389650074-18455-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8231
* Fix compiler warnings in ssl_polarssl.cSteffan Karger2014-01-121-5/+8
| | | | | | | | | | | | | * Made some type casts explicit. * Changed type of sha256_hash to unsigned char[], because polar expects that. * Added missing error.h include. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1389555572-6210-4-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8225 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Remove unused variables from ssl_verify_polarssl.c's x509_get_serial()Steffan Karger2014-01-121-2/+0
| | | | | | | | Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1389555572-6210-3-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8222 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix compiler warning for unused result of write()Steffan Karger2014-01-121-1/+2
| | | | | | | | | | Issue a warning instead of ignoring a failed write() completely. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1389555572-6210-2-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8223 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Cleanup ir6->netbits handling.Gert Doering2014-01-113-59/+18
| | | | | | | | | | | | | | | | | Get rid of all "if (ir6->netbits>=0)" checks, as those are always true (unlike ir->netbits for IPv4, we don't do the special case for "if it's a host, put -1 in there" for IPv6). Merge mroute_helper_{add,del}_iroute and mroute_helper_{add,del}_iroute6 into unified mroute_helper_{add,del}_iroute46() function as they did the same thing anyway, just with slightly different parameters. Make Arne happy. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1389371142-26705-2-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8198
* remove some 'unused variable' warningsGert Doering2014-01-113-3/+3
| | | | | | | | Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1389371142-26705-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8197
* Reduce IV_OPENVPN_GUI_VERSION= to IV_GUI_VER=Gert Doering2014-01-091-2/+2
| | | | | | | | | | Use shorter variable name to signal the same thing (see f3a2cd255a3bc73) to save space in the buffer used by the collective IV_ info sent to server. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1389296891-1487-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8183
* Make code and documentation for --remote-random-hostname consistent.Gert Doering2014-01-091-18/+9
| | | | | | | | | | | | | | Documentation examples, description and code were disagreeing on what this option actually does. Now they will all agree that it will *prepend* a random-byte string to the hostname name before resolving to work around DNS caching (needs a "*" wildcard record in the zone). Fix trac #143 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1384698620-27946-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/7999
* Fix spurious ignoring of pushed config options (trac#349).Jens Wagner2014-01-073-1/+5
| | | | | | | | | | | | | | | | | | | | | | | The function incoming_push_message(...) in push.c uses a local variable option_types_found, that gets passed to do_up(...). If the server push got split into several parts, only the last part (PUSH_MSG_REPLY) option_types_found is used for do_up (initilized as 0 locally), the previous ones (PUSH_MSG_CONTINUATION) are ignored. So e.g. a ping config, pushed by the server in the first push, followed by a lot of "push route" configs, causing a second push message, will have the do_up() called, but without e.g. the OPT_P_TIMER flag, so those options will be silently ignored. The patch resolves that, by introducing "push_option_types_found" in "c->options" and using that as storage. Fix trac bug #349. Acked-by: Gert Doering <gert@greenie.muc.de> URL: https://community.openvpn.net/openvpn/ticket/349 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Provide LZ4 sources in src/compat/ and use if no system lz4 library found.Gert Doering2014-01-061-0/+4
| | | | | | | | | | | Bundle lz4.c and lz4.h from http://code.google.com/p/lz4/ (r109) as src/compat/compat-lz4.[ch], and use that (via #define NEED_COMPAT_LZ4) if autoconf cannot find lz4.h or -llz4 in the system. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1388613479-22377-2-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8154
* Implement LZ4 compression.Gert Doering2014-01-068-4/+269
| | | | | | | | | | | | | | | | | | Implement LZ4 compression, similar to the existing snappy / push-peer-info model: a LZ4 capable client will send IV_LZ4=1 to the server, and the algorithm is selected by pushing "compress lz4" back. LZ4 does not compress as well as LZO or Snappy, but needs far less CPU and is much faster, thus better suited for mobile devices. See https://code.google.com/p/lz4/ for more details. LZ4 include and library path can be specified by specifying LZ4_LIBS=... and LZ4_CFLAGS=... on the configure command line. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1388613479-22377-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8153
* Disable export ciphers by default for OpenSSL builds.Steffan Karger2014-01-051-1/+3
| | | | | | | | | | | | | | | Export ciphers are deliberately weak ciphers, and not fully supported by OpenVPN since ephemeral RSA support has been removed a few commits ago. This commit removes them from the default cipher list to avoid confusion. PolarSSL does not support export ciphers, so no action required there. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1388607026-12297-7-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8146 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Make tls_ctx_restrict_ciphers accept NULL as char *cipher_list.Steffan Karger2014-01-054-12/+24
| | | | | | | | | | | | | | | | This adds some ifs to check for NULL in tls_ctx_restrict_ciphers() to prepare for disabling export ciphers by default in OpenVPN 2.4+. Also let tls_ctx_restrict_ciphers always be called, also when *cipher_list is NULL. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <52C8922E.3030607@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8173 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Remove OpenSSL tmp_rsa_callback. Removes support for ephemeral RSA in TLS.Steffan Karger2014-01-031-18/+0
| | | | | | | | | | | | | | | | | | | | | This code would not really generate ephemeral keys every time it is called, but a single key that would be reused during process lifetime and returned each time the function was called; probably not what users would expect. TLS allowes ephemeral keys to be used only when no other key exchange, such as (ephemeral) Diffie-Hellman, is performed. The end result is that it was only used by a number of (weak) export ciphers, which could give users a false sense of security. So, instead of fixing a weak cipher mode, we'll just remove support for it completely. Plenty of better alternatives are available in TLS. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1388607026-12297-5-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8152 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* If --tls-cipher is supplied, make --show-tls parse the list.Steffan Karger2014-01-034-9/+20
| | | | | | | | | | | | This allows to check the available TLS ciphers for a specific configuration by supplying both --tls-cipher and --show-tls options. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1388607026-12297-4-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8150 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Update TLSv1 error messages to SSLv23 to reflect changes from commit 4b67f98Steffan Karger2014-01-031-2/+2
| | | | | | | | | | | | Commit 4b67f98 changed call to TLSv1_{client,server}_method() to SSLv23_{client,server}_method(), this commit updates the corresponding error messages to match the changes in the code. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1388607026-12297-3-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8147 Signed-off-by: Gert Doering <gert@greenie.muc.de>
generated by cgit (git 2.34.1) at 2025-09-27 17:31:34 +0000