| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
| |
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1406667866-14226-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8953
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
| |
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1404735142-31420-2-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8840
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The IPv4 routing code needs an IPv4 address to point a route to, and
in --topology subnet mode, the *server* did not have one set by default.
So we now just default --route-gateway to the next address right after
the server address - the specific address doesn't matter, as the correct
next-hop will not be resolved by the host OS but by the OpenVPN daemon.
All that is needed is "it's in the subnet routed to the tun interface".
Using the server address itself would work on unix, but doesn't work with
the Windows TAP driver (as it does not spoof ARP responses for itself).
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1405254527-23833-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8904
|
|
|
|
|
|
|
|
|
|
|
| |
This restores support for pre-0.9.8f OpenSSL versions, which do not include
stateless session resumption, and the accompanying SSL_OP_NO_TICKET flag.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <53C251E2.7050605@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8902
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As requested in trac ticket #83, the daemon should not exit if opening the
CRL file during a connection attempt fails; OpenVPN should merely deny the
connection.
CRL files need to be periodically updated. When users update their CRL in
place and a connection attempt takes place simultaneously, the CRL file
might temporarily not be available, or not be in a consistent state.
Previously, that would result in the daemon exiting. With this patch, that
results in one (or possibly a few) failed connection attempts, but service
will restore automatically as soon as the CRL is again available in a valid
state.
Note that on startup OpenVPN still checks the existence and accessibility
of the CRL file, and will refuse to start on error.
While I was touching the code, I improved error reporting for the PolarSSL
code a bit. The polar code opens and parses the CRL in a single call, so
on error retrieve details from polarssl and report those to the user.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <53BED57C.7070300@fox-it.com>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
I revisited options.c to refine its brute-force upcasing behavior. Now, the
upcasing is done only if the option argument is all lowercase. Mixed-case
arguments and those with the "ext:" prefix are left unchanged. This
preserves the original intent of the "helpful" upcasing feature for
backwards compatibility while limiting its scope in a straightforward way.
Signed-off-by: Andris Kalnozols <andris@hpl.hp.com>
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <53B1BDD8.8020705@karger.me>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
| |
it is unconditionally enabled and OpenVPN does not compile if disabled
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1404735142-31420-4-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8841
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
All cipher suite names supplied through --tls-cipher are translated by
OpenVPN to IANA names, to get OpenSSL and PolarSSL configuration files
compatible. OpenSSL however supports cipher suite group names, like
'DEFAULT', 'HIGH', or 'ECDH'. To make OpenVPN not complain about these,
entries translating these to themselves were added to the translation
table. However, to make OpenVPN not still complain, the deprecated-name
check has to be reversed from 'if this is a deprecated name then complain'
to 'if this is not a iana name, then complain'. Which this commit does.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1404424065-24787-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8824
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Also remove the bulky warning from init_key_type() and add the information
to the --show-ciphers output.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <53BAEF65.2070509@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8852
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
OpenSSL has added AEAD-CBC mode ciphers like AES-128-CBC-HMAC-SHA1, which
have mode EVP_CIPH_CBC_MODE, but require a different API (the AEAD API).
So, add extra checks to filter out those AEAD-mode ciphers.
Adding these made the crypto library agnostic function cfb_ofb_mode()
superfuous, so removed that on the go.
Also update all cipher mode checks to use the new cipher_kt_mode_*()
functions for consistency.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1402244175-31462-3-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8779
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Makes OFB/CFB compile time configurable, and fixes output of --show-ciphers
to also show OFB/CFB ciphers along the way (becasue crypto.h was not
included from crypto_openssl.c).
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1402244175-31462-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8781
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
AIX only has TAP interfaces, so always use gateway address as next hop,
not interface name.
AIX route works much more reliable if passed netbits than netmask - do so
(introducing a new helper function netmask_to_netbits2())
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1402409073-54067216-4-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8785
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
AIX is special... ifconfig only works if it can add the data to
the ODM right away, so setup a local enviromnment set that has
"ODMDIR=/etc/objrepos" in it (hard-coded, nobody changes that).
Only --dev tap or --dev tapNN are supported right now. AIX has no
tun driver (so tun mode would need to dynamically add/remove ethernet
headers to/from AIX).
Signed-off-by: Gert Doering <gd@medat.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1402409073-54067216-3-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8788
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
| |
Has been inside the #if 0 since 'git tree epoch' (sept-2005) and was not
referenced, from either code, nor dead code nor comment.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1404336688-15036-1-git-send-email-steffan@karger.me>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Hi All,
OpenVPN 2.3.4 will currently throw a warning of "NOTE: setsockopt
TCP_NODELAY=1 failed (No kernel support) when attempting to use the
TCP_NODELAY socket option on Mac OS X/Darwin. Kernel support is there,
however the required header file where TCP_NODELAY is defined is not being
included. This patch simply alters syshead.h to include <netinet/tcp.h> on
Darwin platforms.
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <A1005665-126D-45D5-A6F2-75ED0EAE30FE@sparklabs.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8809
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The return value of x509_get_numeric_string() was interpreted incorrectly
by ssl_verify_polarssl.c's x509_verify_cert_eku(). This patch enables the
usage of oid represenation in --remote-cert-eku options.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Message-Id: <1398415277-6880-1-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8627
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
--ccd-exclusive
OpenVPN will do some simple sanity checking at startup to ensure
the expected files and directories is in place. However, with
--client-config-dir and --ccd-exclusive, things are slightly different.
In both cases it is perfectly fine that files does not exists, and we
cannot know any file names beforehand due to these filenames being based
upon the certificate's CN field.
The problem arises when OpenVPN cannot open files inside a directory
because the directory permissions are too restrictive, have wrong
ownership (triggered by the usage of --user/--group) or other security
mechanisms the OS uses.
When a client connects, the test_file() function is used to check if a
client config file has been prepared. And if not, it continues without
trying to read it. So, if the privileges of the running OpenVPN process
is not allowed to open and read an existing file, OpenVPN will treat this
as a non-existing file without saying anything. This is clearly wrong.
So this patch adds an warning message in the OpenVPN log if it could
not open the file due to lack of permissions.
This will work fine on all *nix based OSes. Windows however reports
'no such file or directory' (errno=2/-ENOENT) even on privilege access
errors when the directory this file resides is too restrictive. But there
is no easy way to work around that. However, I believe that the initial
sanity checking at startup will catch that one, as it will check if the
directories it needs exists.
This patch has only gone through simple basic testing, with both too few
privileges and with proper privileges to the CCD directory. With wrong
privileges, the following error can be found if CN=Test client
Fri May 2 00:00:10 2014 us=281993 127.0.0.1:41017 Could not access file
'/etc/clients/Test client': Permission denied (errno=13)
[v2 - use openvpn_errno() instead of errno, for better platform support]
Trac: #277
Trac-URL: https://community.openvpn.net/openvpn/ticket/277
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1398990504-4239-1-git-send-email-dazo@users.sourceforge.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8688
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
IPv6 has the concept of "link local" addresses, fe80::<host id>, which
normally are present on every link, and are used for stuff like DHCPv6,
neighbor discovery, etc.
OpenVPN point-to-multipoint mode currently does neither configure them on
tun interfaces, nor are they handled in a meaningful way if a client OS
always has them (like Windows or Solaris) - so the log fills with many
lines of "MULTI: bad source address from client [fe80::...]", serving
no useful purpose.
This patch just recognizes IPv6 LL packets and silently drops them.
Further patches can build on this and add full link-local support, which
would require address learning (as the addresse are based on host IDs, not
assigned by the server).
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1402080235-24409-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8773
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
cipher_ctx_final() only returns an outlen in CBC mode. If CFB or OFB
are used the assertion outlen == iv_len is always false.
There's no CBC mode defined for the GOST 28147-89 block cipher. Hence
this patch is needed for it to work. It's needed for other ciphers like
BF-CFB as well, though.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <538A00AA.7090007@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8748
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
| |
Wrap ssl_verify.h in "#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)" to
make it empty for --disable-ssl builds.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1401737019-15702-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8763
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
| |
Variable 'proxy' was set but never read, so remove it.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1401645536-27849-6-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8750
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
| |
verify_user_pass_enabled() is a function on a tls_session, and belongs in
ssl.c. Moving the function removes the dependency on manage.h.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1401645536-27849-5-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8754
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
| |
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1401645536-27849-4-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8749
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* ssl.c: remove three unneeded includes
* ssl_verify_polarssl.h: remove two unneeded includes
* ssl_verify_openssl.c: add missing ssl_verify_openssl.h and error.h
includes, and reorder includes.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1401645536-27849-3-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8753
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
| |
For symmetry with ssl_verify_openssl.c and release/2.3 branch.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1401645536-27849-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8752
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
| |
Between the origin patch submission (2011) and now the cipher abstraction
layer has been added. This patch slipped through without proper adjustment.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <53863C41.1020408@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8745
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This was 3 times mostly the same code, with the 4 traditional BSDs
only differing in a single line, while MacOS X had more refined code
to do not only gateway determination, but also netmask, interface name
and MAC address.
The MacOS X code works perfectly well on the other BSDs *if* one macro
is #ifdef'ed to use "(uint32_t)" on MacOS X and "(long)" on all other
BSDs, 32 and 64 bit variants. API change by OSX when going to 64bit.
Tested on FreeBSD 8.3/i386, FreeBSD 9.1/amd64, NetbSD 5.1/amd64,
OpenBSD 4.9/i386, OpenBSD 5.4/amd64 (= all affected platforms except
DragonFly BSD).
See also trac#42 and trac#340.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lazy-Ack-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1389706398-26922-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8233
|
|
|
|
|
|
|
|
|
| |
Since we now require OpenSSL 0.9.8, we don't need these anymore.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1401045501-12343-4-git-send-email-steffan@karger.me>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
| |
Both EVPCipherInit_ov() and EVPCipherUpdate_ov() wrapped OpenSSL functions
without any changes, so lets just use the functions directly.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1401045501-12343-3-git-send-email-steffan@karger.me>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
| |
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1401045501-12343-2-git-send-email-steffan@karger.me>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Sets SSL_MODE_RELEASE_BUFFERS if available, to keep openSSL memory
usage as low as possible.
For more info, see
http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html
https://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html
See also trac #157
Signed-off-by: Cristian Rodriguez <crrodriguez@opensuse.org>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <5381FEFF.1040609@karger.me>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Refactored show_library_versions to work around the fact
that some compilers (such as MSVC 2008) can't handle #ifdefs
inside of macro references.
* Declare show_library_versions() in options.h because it's
referenced by other files such as openvpn.c.
* Declare get_ssl_library_version() as returning const char *,
to avoid loss of const qualifier in ssl_openssl.c.
Signed-off-by: James Yonan <james@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1399589436-8730-7-git-send-email-james@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8711
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a91a2d6ad7b139ec78d61c8616b8447847e9ecc6)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Calls to print_default_gateway() depended on #ifdef ENABLE_DEBUG, but
the actual function wasn't compiled in #ifdef ENABLE_SMALL, so the
combination "configure --enable-small --enable-debug" didn't work. Fix.
Fix trac #397
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1398805779-29376-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8670
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
While checking a packet on a TAP interface, is_ipv_X() in proto.c
insist that the ethertype must be OPENVPN_ETH_P_IPV4, even if
the protocol is IPv6. So the protocol never match, and, thus,
mssfix doesn't work for IPv6 on TAP interface. Fix that.
Signed-off-by: Dmitrij Tejblum <dt@yandex.ru>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1391873629-14388-1-git-send-email-dt@yandex.ru>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8259
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Flags like {OPEN,POLAR}SSL_CFLAGS were used by the core build, but not by
the plugins. However, all plugins include openvpn-plugin.h, which need
crypto/ssl headers.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1398080238-19662-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8576
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This changes the representation of the tls_serial_{n} environment variable
from hex to decimal for PolarSSL builds, to match OpenSSL build behaviour.
Because hex representation for serials makes sense too, and to ease
transition for PolarSSL users, added tls_serial_hex_{n} that exports the
serial in hex represenation for both crypto library backends.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1398588561-18964-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8649
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
| |
hash was cast from char * to unsigned char * at the return of the function.
This patch removes the implicit cast by declaring hash as unsigned char * .
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1398585348-7969-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8647
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The code in link_socket_write_udp_posix_sendmsg() for the IP_RECVDESTADDR
case was sending a too-large control message (sizeof openvpn_pktinfo,
which is a union for IPv4+IPv6) instead of just openvpn_in4_pktinfo,
leading to sendmsg() refusing to send the packet.
Use RFC 2292 macros for alignment + size calculation.
Fix trac#327
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lazy-Ack-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1390164697-1590-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8250
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch is based on Jan Just Keijser's patch from Feb 7, 2012.
When OpenSSL 1.0.2+ or PolarSSL is used, lets the crypto library do the
heavy lifting. For OpenSSL builds, if a user specifies a curve using
--ecdh-curve, it first tries to override automatic selection using that
curve.
For older OpenSSL, tries the following things (in order of preference):
* When supplied, use the ecdh curve specified by the user.
* Try to extract the curve from the private key, use the same curve.
* Fall back on secp384r1 curve.
Note that although a curve lookup might succeed, OpenSSL 1.0.0 and older do
*not* support TLSv1.1 or TLSv1.2, which means no that no EC-crypto can be
used.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <53597BEA.6080408@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8625
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
| |
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Message-Id: <53528943.3090205@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8555
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This removes support for PolarSSL 1.2. The mimimum version of PolarSSL
required is now 1.3.3. The upgrade brings OpenVPN-with-PolarSSL:
* Support for EC-crypto in TLS (but not yet for external
pkcs11/management keys)
* Support for AES-NI (if PolarSSL is compiled with AES-NI support)
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Message-Id: <53528943.3090205@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8555
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Print the version of the SSL and LZO library (if any) used.
SSL library version is also sent as IV_SSL=<version> to the server if
--push-peer-info is enabled.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20140416152456.GI16637@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8537
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use "store=active" for IPv6 address and route deletion - seems to be
required on Windows 8 and up, and not doing it will break OpenVPN
reconnection (old addresses are not properly deleted, thus address can
not be configured on connect).
Reported-by: Cedric <cedric+openvpn@bgtn.net>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Cedric Tabary <cedric+openvpn@bgtn.net>
Message-Id: <20140413170648.GU16637@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8499
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
So, RFC 1928 doesn't say anything about the METHODS field in the Method
Selection message being ordered in terms of preference or anything, and
the server is free to pick any of the METHODS offered by the client.
Always sending a Method Selection message with NO AUTHENTICATION REQUIRED
and USERNAME/PASSWORD set is broken on two fronts:
* If the OpenVPN client can't handle the server picking USERNAME/PASSWORD
due to the credentials being missing, it shouldn't offer it to the
server.
* If the OpenVPN client has credentials, then it should always attempt to
authenticate. This is a security product. "You can misconfigure it and
it will work" is not acceptable. Setting a username/password when the
SOCKS server doesn't require/support that as an option is the user not
configuring it correctly, and should be treated as such.
Also verify that the SOCKS server returned the auth that was requested.
URL: https://github.com/OpenVPN/openvpn/pull/14
Fix trac #377, trac #148
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20140413130102.GR16637@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8488
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Create_socket() and sub-functions assume that the ai_protocol value
returned by getaddrinfo() is IPPROTO_UDP or IPPROTO_TCP. On Solaris,
it is "0", because Solaris's socket() call will then "select the right
protocol" - but it breaks our code. So remove ASSERT()s on ai_protocol,
and also accept properly set ai_socktype (SOCK_DGRAM/SOCK_STREAM) values
if ai_protocol is not set.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20140407201711.GN16637@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8428
|
|
|
|
|
|
|
|
|
|
| |
This slipped in with commit d0085293.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1396346803-31772-1-git-send-email-heiko.hund@sophos.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8421
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change "local" argument to socket_do_listen() to avoid calling
"local->ai_addr" in the caller for the "do_listen == FALSE" case,
in which case it could be NULL.
Also, ensure "ai" is always initialized in socket_listen_accept() for
the "!remote_dynamic" case - otherwise it will sometimes(!) crash in
addrlist_match() later on.
Get rid of spurious operator precedence warning concerning
GETADDR_CACHE_MASK.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1396181376-32022-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8412
|
|
|
|
|
|
|
|
| |
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1395407925-25518-12-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8369
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
| |
Let socket_create take struct addrinfo as argument and use the entries of
addrinfo to create the socket.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1395407925-25518-11-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8370
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This explicitly disables a number of tls ciphers that OpenVPN has currently
no support for. OpenSSL will automatically detect this during negotiation,
but --show-tls would erroneously show a number of unsupported ciphers.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1393684575-28112-3-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8318
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|