summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* Fix --disable-ssl builds, were broken by cleanup in 63dc03d.Steffan Karger2014-06-021-1/+4
| | | | | | | | | | | Wrap ssl_verify.h in "#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)" to make it empty for --disable-ssl builds. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1401737019-15702-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8763 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Remove unused variable 'proxy' from socket_restart_pause()Steffan Karger2014-06-011-10/+0
| | | | | | | | | | Variable 'proxy' was set but never read, so remove it. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1401645536-27849-6-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8750 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Remove dependency on manage.h from ssl_verify.hSteffan Karger2014-06-012-21/+20
| | | | | | | | | | | verify_user_pass_enabled() is a function on a tls_session, and belongs in ssl.c. Moving the function removes the dependency on manage.h. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1401645536-27849-5-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8754 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Move #include "ssl_verify.h" from ssl.h to the source files that need it.Steffan Karger2014-06-017-2/+6
| | | | | | | | Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1401645536-27849-4-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8749 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix ssl.c, ssl_verify_* includesSteffan Karger2014-06-013-7/+5
| | | | | | | | | | | | | * ssl.c: remove three unneeded includes * ssl_verify_polarssl.h: remove two unneeded includes * ssl_verify_openssl.c: add missing ssl_verify_openssl.h and error.h includes, and reorder includes. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1401645536-27849-3-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8753 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Use generic openvpn_x509_cert_t in ssl_verify_polarssl.cSteffan Karger2014-06-011-2/+2
| | | | | | | | | | For symmetry with ssl_verify_openssl.c and release/2.3 branch. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1401645536-27849-2-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8752 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix merge error in a6c573d, the ssl ctx is now abstracted.Steffan Karger2014-05-281-1/+1
| | | | | | | | | | | Between the origin patch submission (2011) and now the cipher abstraction layer has been added. This patch slipped through without proper adjustment. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <53863C41.1020408@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8745 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Merge get_default_gateway() implementation for all 4+1 BSD variants.Gert Doering2014-05-261-225/+21
| | | | | | | | | | | | | | | | | | | | | | This was 3 times mostly the same code, with the 4 traditional BSDs only differing in a single line, while MacOS X had more refined code to do not only gateway determination, but also netmask, interface name and MAC address. The MacOS X code works perfectly well on the other BSDs *if* one macro is #ifdef'ed to use "(uint32_t)" on MacOS X and "(long)" on all other BSDs, 32 and 64 bit variants. API change by OSX when going to 64bit. Tested on FreeBSD 8.3/i386, FreeBSD 9.1/amd64, NetbSD 5.1/amd64, OpenBSD 4.9/i386, OpenBSD 5.4/amd64 (= all affected platforms except DragonFly BSD). See also trac#42 and trac#340. Signed-off-by: Gert Doering <gert@greenie.muc.de> Lazy-Ack-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1389706398-26922-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8233
* Remove unneeded defines (were needed for pre-0.9.7 OpenSSL).Steffan Karger2014-05-261-8/+0
| | | | | | | | | Since we now require OpenSSL 0.9.8, we don't need these anymore. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1401045501-12343-4-git-send-email-steffan@karger.me> Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Remove unneeded wrapper functions in crypto_openssl.cSteffan Karger2014-05-261-16/+4
| | | | | | | | | | Both EVPCipherInit_ov() and EVPCipherUpdate_ov() wrapped OpenSSL functions without any changes, so lets just use the functions directly. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1401045501-12343-3-git-send-email-steffan@karger.me> Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Remove function without effect (cipher_ok() always returned true).Steffan Karger2014-05-261-8/+2
| | | | | | | Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1401045501-12343-2-git-send-email-steffan@karger.me> Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Use SSL_MODE_RELEASE_BUFFERS if availableCristian Rodriguez2014-05-251-0/+3
| | | | | | | | | | | | | | | | Sets SSL_MODE_RELEASE_BUFFERS if available, to keep openSSL memory usage as low as possible. For more info, see http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html https://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html See also trac #157 Signed-off-by: Cristian Rodriguez <crrodriguez@opensuse.org> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <5381FEFF.1040609@karger.me> Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fixed some compile issues with show_library_versions()James Yonan2014-05-205-9/+14
| | | | | | | | | | | | | | | | | | | * Refactored show_library_versions to work around the fact that some compilers (such as MSVC 2008) can't handle #ifdefs inside of macro references. * Declare show_library_versions() in options.h because it's referenced by other files such as openvpn.c. * Declare get_ssl_library_version() as returning const char *, to avoid loss of const qualifier in ssl_openssl.c. Signed-off-by: James Yonan <james@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1399589436-8730-7-git-send-email-james@openvpn.net> URL: http://article.gmane.org/gmane.network.openvpn.devel/8711 Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit a91a2d6ad7b139ec78d61c8616b8447847e9ecc6)
* Conditionalize calls to print_default_gateway on !ENABLE_SMALLGert Doering2014-04-302-2/+2
| | | | | | | | | | | | | Calls to print_default_gateway() depended on #ifdef ENABLE_DEBUG, but the actual function wasn't compiled in #ifdef ENABLE_SMALL, so the combination "configure --enable-small --enable-debug" didn't work. Fix. Fix trac #397 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <1398805779-29376-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8670
* Fix is_ipv6 in case of tap interface.Dmitrij Tejblum2014-04-291-1/+1
| | | | | | | | | | | | | While checking a packet on a TAP interface, is_ipv_X() in proto.c insist that the ethertype must be OPENVPN_ETH_P_IPV4, even if the protocol is IPv6. So the protocol never match, and, thus, mssfix doesn't work for IPv6 on TAP interface. Fix that. Signed-off-by: Dmitrij Tejblum <dt@yandex.ru> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1391873629-14388-1-git-send-email-dt@yandex.ru> URL: http://article.gmane.org/gmane.network.openvpn.devel/8259 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix build system to accept non-system crypto library locations for plugins.Steffan Karger2014-04-272-3/+5
| | | | | | | | | | | | Flags like {OPEN,POLAR}SSL_CFLAGS were used by the core build, but not by the plugins. However, all plugins include openvpn-plugin.h, which need crypto/ssl headers. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1398080238-19662-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8576 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Make serial env exporting consistent amongst OpenSSL and PolarSSL builds.Steffan Karger2014-04-274-2/+70
| | | | | | | | | | | | | | | This changes the representation of the tls_serial_{n} environment variable from hex to decimal for PolarSSL builds, to match OpenSSL build behaviour. Because hex representation for serials makes sense too, and to ease transition for PolarSSL users, added tls_serial_hex_{n} that exports the serial in hex represenation for both crypto library backends. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1398588561-18964-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8649 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Change signedness of hash in x509_get_sha1_hash(), fixes compiler warning.Steffan Karger2014-04-271-1/+1
| | | | | | | | | | | hash was cast from char * to unsigned char * at the return of the function. This patch removes the implicit cast by declaring hash as unsigned char * . Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1398585348-7969-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8647 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Repair --multihome on FreeBSD for IPv4 sockets.Gert Doering2014-04-251-2/+6
| | | | | | | | | | | | | | | | The code in link_socket_write_udp_posix_sendmsg() for the IP_RECVDESTADDR case was sending a too-large control message (sizeof openvpn_pktinfo, which is a union for IPv4+IPv6) instead of just openvpn_in4_pktinfo, leading to sendmsg() refusing to send the packet. Use RFC 2292 macros for alignment + size calculation. Fix trac#327 Signed-off-by: Gert Doering <gert@greenie.muc.de> Lazy-Ack-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1390164697-1590-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8250
* Add support for elliptic curve diffie-hellmann key exchange (ECDH)Steffan Karger2014-04-257-1/+180
| | | | | | | | | | | | | | | | | | | | | | | | This patch is based on Jan Just Keijser's patch from Feb 7, 2012. When OpenSSL 1.0.2+ or PolarSSL is used, lets the crypto library do the heavy lifting. For OpenSSL builds, if a user specifies a curve using --ecdh-curve, it first tries to override automatic selection using that curve. For older OpenSSL, tries the following things (in order of preference): * When supplied, use the ecdh curve specified by the user. * Try to extract the curve from the private key, use the same curve. * Fall back on secp384r1 curve. Note that although a curve lookup might succeed, OpenSSL 1.0.0 and older do *not* support TLSv1.1 or TLSv1.2, which means no that no EC-crypto can be used. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <53597BEA.6080408@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8625 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Improve error reporting during key/cert loading with PolarSSL.Steffan Karger2014-04-211-4/+14
| | | | | | | | Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Message-Id: <53528943.3090205@fox-it.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/8555 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Upgrade to PolarSSL 1.3Steffan Karger2014-04-219-193/+165
| | | | | | | | | | | | | | | This removes support for PolarSSL 1.2. The mimimum version of PolarSSL required is now 1.3.3. The upgrade brings OpenVPN-with-PolarSSL: * Support for EC-crypto in TLS (but not yet for external pkcs11/management keys) * Support for AES-NI (if PolarSSL is compiled with AES-NI support) Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Message-Id: <53528943.3090205@fox-it.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/8555 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Add SSL library version reporting.Gert Doering2014-04-186-0/+42
| | | | | | | | | | | | Print the version of the SSL and LZO library (if any) used. SSL library version is also sent as IV_SSL=<version> to the server if --push-peer-info is enabled. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <20140416152456.GI16637@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8537
* IPv6 address/route delete fix for Win8Gert Doering2014-04-132-2/+12
| | | | | | | | | | | | | Use "store=active" for IPv6 address and route deletion - seems to be required on Windows 8 and up, and not doing it will break OpenVPN reconnection (old addresses are not properly deleted, thus address can not be configured on connect). Reported-by: Cedric <cedric+openvpn@bgtn.net> Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Cedric Tabary <cedric+openvpn@bgtn.net> Message-Id: <20140413170648.GU16637@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8499
* Fix SOCKSv5 method selectionYawning Angel2014-04-131-3/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | So, RFC 1928 doesn't say anything about the METHODS field in the Method Selection message being ordered in terms of preference or anything, and the server is free to pick any of the METHODS offered by the client. Always sending a Method Selection message with NO AUTHENTICATION REQUIRED and USERNAME/PASSWORD set is broken on two fronts: * If the OpenVPN client can't handle the server picking USERNAME/PASSWORD due to the credentials being missing, it shouldn't offer it to the server. * If the OpenVPN client has credentials, then it should always attempt to authenticate. This is a security product. "You can misconfigure it and it will work" is not acceptable. Setting a username/password when the SOCKS server doesn't require/support that as an option is the user not configuring it correctly, and should be treated as such. Also verify that the SOCKS server returned the auth that was requested. URL: https://github.com/OpenVPN/openvpn/pull/14 Fix trac #377, trac #148 Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <20140413130102.GR16637@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8488 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Work around Solaris getaddrinfo() returing ai_protocol=0Arne Schwabe2014-04-101-5/+2
| | | | | | | | | | | | | | | | Create_socket() and sub-functions assume that the ai_protocol value returned by getaddrinfo() is IPPROTO_UDP or IPPROTO_TCP. On Solaris, it is "0", because Solaris's socket() call will then "select the right protocol" - but it breaks our code. So remove ASSERT()s on ai_protocol, and also accept properly set ai_socktype (SOCK_DGRAM/SOCK_STREAM) values if ai_protocol is not set. Signed-off-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <20140407201711.GN16637@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8428
* fix route struct nameHeiko Hund2014-04-011-1/+1
| | | | | | | | | | This slipped in with commit d0085293. Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1396346803-31772-1-git-send-email-heiko.hund@sophos.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/8421 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix crash when using --inetd.Gert Doering2014-03-302-6/+7
| | | | | | | | | | | | | | | | | | Change "local" argument to socket_do_listen() to avoid calling "local->ai_addr" in the caller for the "do_listen == FALSE" case, in which case it could be NULL. Also, ensure "ai" is always initialized in socket_listen_accept() for the "!remote_dynamic" case - otherwise it will sometimes(!) crash in addrlist_match() later on. Get rid of spurious operator precedence warning concerning GETADDR_CACHE_MASK. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1396181376-32022-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8412
* Fix assert when using port-shareArne Schwabe2014-03-261-1/+1
| | | | | | | | Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395407925-25518-12-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8369 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Clean up of socket code.Arne Schwabe2014-03-263-103/+95
| | | | | | | | | | | Let socket_create take struct addrinfo as argument and use the entries of addrinfo to create the socket. Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395407925-25518-11-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8370 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Disable unsupported TLS cipher modes by default, cleans --show-tls output.Steffan Karger2014-03-231-2/+2
| | | | | | | | | | | | This explicitly disables a number of tls ciphers that OpenVPN has currently no support for. OpenSSL will automatically detect this during negotiation, but --show-tls would erroneously show a number of unsupported ciphers. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1393684575-28112-3-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8318 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Add openssl-specific common cipher list names to ssl.c.Steffan Karger2014-03-231-0/+13
| | | | | | | | | | | This adds a number of commonly used cipher list names to ssl.c, which makes OpenVPN not give a "translation not found" warning when using these. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1393684575-28112-2-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8316 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Bump minimum OpenSSL version to 0.9.8Steffan Karger2014-03-236-52/+0
| | | | | | | | | | | | | OpenSSL 0.9.7 and older are considered obsolete (see http://www.openssl.org/news/news.html). This patch updates configure.ac to require OpenSSL 0.9.8 or newer, and removes a number of #ifdefs that are now no longer needed. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1395582781-27966-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8392 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Add gateway and device to android control messagesArne Schwabe2014-03-231-3/+6
| | | | | | | | Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395407925-25518-9-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8368 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Don't show the connection profile store in options->ce if there is a ↵Arne Schwabe2014-03-231-2/+5
| | | | | | | | | | | | | connection_list defined. Entries in options->ce are never used and overwritten by the first usable connection profile on initialisation. Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395407925-25518-8-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8377 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix for server selecting address familyArne Schwabe2014-03-231-12/+12
| | | | | | | | Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395407925-25518-7-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8371 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Introduce an option to resolve dns names in advance for --remote, --local ↵Arne Schwabe2014-03-2310-139/+415
| | | | | | | | | | | | | | | and --http-proxy Also introduce x_gc_addspeical function that allows to add objects with a custom free function to the gc. Some additional addrinfo cleanup Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395576786-17507-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8386 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Adjusted autotools files to build more cleanly on newer autoconf/automake ↵David Sommerseth2014-03-231-1/+1
| | | | | | | | | | versions Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <1389803764-5879-1-git-send-email-davids@redhat.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/8239 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Implement an easy parsable log output that allows access to flags of the log ↵Arne Schwabe2014-03-224-1/+38
| | | | | | | | | | message Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395407925-25518-5-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8374 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Workaround broken Android 4.4 VpnService API for persist-tun modeArne Schwabe2014-03-224-13/+68
| | | | | | | | | | | | | | | | In Android 4.4 it is not possible to open a new tun device and then close the old tun device without breaking the whole VPNService stack until the device is rebooted. Add new management method to ask the UI what method should be taken to ensure the optimal solution for the situation. Then do open-before-close or close-before-open inside open_tun() as requested. Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395407925-25518-4-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8373 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Move the initialization of the environment to the top so c2.es is initializedArne Schwabe2014-03-211-4/+4
| | | | | | | | Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395407925-25518-3-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8372 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix connecting to localhost on AndroidArne Schwabe2014-03-212-3/+35
| | | | | | | | | | Do not protect the link socket when connecting to localhost. Also only call the protect function on valid socket Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395407925-25518-2-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8375 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Set SSL_OP_NO_TICKET flag in SSL context for OpenSSL builds, to disable TLS ↵James Yonan2014-03-171-1/+1
| | | | | | | | | | | | | | | | | | | | | stateless session resumption. OpenVPN doesn't want or need SSL session renegotiation or resumption, as it handles renegotiation on its own. For this reason, OpenVPN always disables the SSL session cache: SSL_CTX_set_session_cache_mode (ctx, SSL_SESS_CACHE_OFF) However, even with the above code, stateless session resumption is still possible unless explicitly disabled with the SSL_OP_NO_TICKET flag. This patch does this. Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <1395017376-24554-1-git-send-email-james@openvpn.net> URL: http://article.gmane.org/gmane.network.openvpn.devel/8346 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix warning for max-routes: do not quit when parsing an old configuration. ↵Arne Schwabe2014-03-171-2/+4
| | | | | | | | | | Format the message to be more like the other deprecated options Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395060345-30870-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8354 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Introduce safety check for http proxy optionsArne Schwabe2014-03-171-0/+2
| | | | | | | | Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395061013-1802-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8353 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* grow route lists dynamicallyHeiko Hund2014-02-236-184/+130
| | | | | | | | | | | | | This removes the need for the --max-routes option. Instead of allocating a fixed size array for the route(-option)s they are managed in linked lists instead. Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1392746395-19246-1-git-send-email-heiko.hund@sophos.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/8295 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* convert struct signal_info elementHeiko Hund2014-01-171-1/+1
| | | | | | | | | | | This one place was forgotten when the elements type was changed from bool to int in the dual stack patch 23d61c56. Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1389972638-8006-2-git-send-email-heiko.hund@sophos.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/8243 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* make sure sa_family_t is definedHeiko Hund2014-01-171-0/+7
| | | | | | | | | | | On Windows there's no sa_family_t. This patch defines it in syshead.h is configure did not find it in the system headers. Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1389972638-8006-1-git-send-email-heiko.hund@sophos.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/8242 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Replace copied structure elements with including <net/route.h>Gert Doering2014-01-161-93/+2
| | | | | | | | | | | | | | | | | | | | | | The code for FreeBSD, Dragonfly, OpenBSD and NetBSD contained copies of structures from <net/route.h> (struct rt_msghdr in particular). OpenBSD changed some structure elements, making OpenVPN incompatible, depending on the specific OpenBSD version. Clean up: remove copied definitions, replace by including <net/route.h> directly - this could not be done originally due to a conflict with "struct route" in OpenVPN and <net/route.h>, cleaned up by the previous commit. Tested on FreeBSD 9.1-RELEASE, NetBSD 5.1, OpenBSD 4.9 (route.c compiles with no warnings, and "openvpn --show-gateway" works, which is the only part of the code that uses the structures in question). Fix trac #340 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1389650074-18455-2-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8230
* Rename 'struct route' to 'struct route_ipv4'Gert Doering2014-01-163-26/+26
| | | | | | | | | | | | To fix trac #340, we need to rename our "struct route" to avoid a collision with "struct route" from <net/route.h> on *BSD. No functional changes. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1389650074-18455-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8231
generated by cgit (git 2.34.1) at 2025-09-26 19:23:39 +0000