| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Updated the TLS negotiation logic to adaptively try to connect using
the highest TLS version supported by both client and server.
Previously, OpenVPN (when linked with OpenSSL) would always connect
using TLS 1.0.
Also added tls-version-min directive to force a higher TLS version
than 1.0:
tls-version-min <version> ['or-highest'] -- sets the minimum
TLS version we will accept from the peer. Examples for version
include "1.0" (default), "1.1", or "1.2". If 'or-highest' is
specified and version is not recognized, we will only accept
the highest TLS version supported by the local SSL implementation.
Examples:
tls-version-min 1.1 -- fail the connection unless peer can
connect at TLS 1.1 or higher.
tls-version-min 1.2 or-highest -- require that the peer
connect at TLS 1.2 or higher, however if the local SSL
implementation doesn't support TLS 1.2 (as it wouldn't
if linked with an older version of OpenSSL), reduce the
minimum required version to the highest version supported
by the local SSL implementation (such as TLS 1.0). This
is intended to allow client configurations to target higher
TLS versions that are supported on the server, even if some
older clients don't support these versions yet.
[
This is a merged patch from on the following commits
on git://github.com/jamesyonan/openvpn.git
03a5599202bdc3ba07983dc4efdae387fb8fb436
d23005413b0e0f28a3c48a6342f494763d5c9b40
]
Signed-off-by: James Yonan <james@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
URL: http://thread.gmane.org/gmane.network.openvpn.devel/7743
URL: http://thread.gmane.org/gmane.network.openvpn.devel/7744
Message-Id: 51C77F12.1090802@openvpn.net
Signed-off-by: David Sommerseth <davids@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
OpenVPN would segfault unexpectedly if it would be compiled against
PolarSSL
and the plug-in would expect OpenSSL, or vice-versa. This segfault would
not appear before the plug-in would try to access functions which would
be available if the plug-in and OpenVPN uses the same SSL implementation.
This patch adds a member to the plug-in initialisation function, which
identifies the SSL implementation.
The log_v3 plug-in is updated accordingly + a simple fix to make it
buildable again using the ./build script.
A minor documentation error in the openvpn-plugin.h was also
corrected, where it mentioned OPENVPN_PLUGIN_VERSION instead of
OPENVPN_PLUGINv3_STRUCTVER.
v2 - add const ovpnSSLAPI ssl_api at the end of
struct openvpn_plugin_args_open_in and not in the "middle"
v3 - fix bug in plug-in init, as the SSLAPI was located wrong in the
args struct sent to the openvpn_plugin_open_v3() function.
v4 - Ensure SSLAPI got a sane/known value if SSL is disabled or unknown
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1372879030-10576-1-git-send-email-dazo@users.sourceforge.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7754
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This "feature" has been enabled since OpenVPN 2.2 without any reports that
this has been causing issues. All it does is to add an extra environment
variable 'tls_digest_{n}' with the certificate SHA1 fingerprint/digest
hash.
Lets just simplify things by removing the possibility to disable this
environment variable.
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1370600123-6029-1-git-send-email-dazo@users.sourceforge.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7660
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Mac OS X 10.7+ natively supports tun devices (called utun). The "standard"
utun.ko driver is sometimes problematic (e.g. VmWare Fusion 5 and tun.ko
do not work together).
When OpenVPN is compiled with utun support it will if no dev-node is given
first try to use utun and if that is not available will try the
traditional tun devices
v2: Fixed tap support, get device name via ioctl, add manage
v3.1: Fix compiling without if/utun.h, fix manage errors
v4/v5: Don't try open to dynamically open utun0 -255 when early utun
initialization fails, fix fallback to tun, give fatal error message when
utun fails but no tun fallback should be done
v6: add commit message change log, replace strstr with strncmp, move
v7: Throw error if a user does the strange combination of --dev tun
--dev-type tap and --dev-node utun
A lot good input on earlier patches by Jonathan K. Bullard
<jkbullard@gmail.com>
Parts of the patches are inspired from Peter Sagerson's
<psagers@ignorare.net> utun patch
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Tested-by: Jonathan K. Bullard <jkbullard@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1371811708-8528-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7739
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
|
|
| |
used in
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1366059999-31731-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7511
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
| |
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1368873781-29552-1-git-send-email-gert@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/7598
Signed-off-by: David Sommerseth <davids@redhat.com>
|
| |
|
|
|
|
|
|
| |
Signed-off-by: Tamas TEVESZ <ice@extreme.hu>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: alpine.GSO.2.03.1306080732510.23277@extreme.hu
URL: http://article.gmane.org/gmane.network.openvpn.devel/7667
Signed-off-by: David Sommerseth <davids@redhat.com>
|
| |
|
|
|
|
|
|
| |
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 51B1DBEF.1090705@fox-it.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/7664
Signed-off-by: David Sommerseth <davids@redhat.com>
|
| |
|
|
|
|
|
|
| |
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1370013992-18592-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7647
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
|
|
| |
At the moment script are only checked if P2MP_SERVER is defined. For
CLIENT_ONLY openvpn script were never checked.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1369947737-26081-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7635
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
|
|
| |
This also fixes commit 567bfc06d051b60e9cdca1f5bb468631b899682a if not all
script options are available by setting options->user_script_used
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1369945603-17169-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7634
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
(Fix check introduced by commit a8be73799be1639, testing with #ifdef
instead of #if - P2MP_SERVER is always defined, and can be "0" or "1")
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1369949680-9499-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7637
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
|
|
| |
Very simple fix.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <0LzcMG-1ULZ4T0Fuc-014gq9@mail.gmx.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7628
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
|
|
| |
script-security system.
Acked-by: Jan Just Keijser <janjust@nikhef.nl>
Message-Id: <1369920428-11350-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7625
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In link_socket_write_udp_posix_sendmsg(), pktinfo structures for ipv4 and
ipv6 are going out of scope before actually calling sendmsg(), so depending
on compiler optimization, garbage is passed to sendmsg() - fix by using
"union openvpn_pktinfo" and having that in scope all the time.
Problem reported and patch provided by "danta" in trac#297
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
URL: https://community.openvpn.net/openvpn/ticket/297
Message-ID: <20130530184427.GP20843@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7629
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Without this patch, peer-info pushed by clients in the TLS handshake
is only visible on the management interface, and only if
--management-client-auth is enabled.
With this patch, received records are sanitized and put into the normal
"multi instance" environment, where it can be evaluated by --client-connect
or --auth-user-pass-verify scripts and plugins, etc. Only records matching
a fairly strict "name=value" format are accepted, and only names starting
with IV_ or UV_ are exported, to avoid clients sending funny stuff and
playing havoc with script/plugin environments on the server. In the
"value" part, spaces, non-printable characters and shell metacharacters
are replaced by '_'.
The change is somewhat invasive as reception of the peer_info string was
only done when username+password are expected from the client, but the
data is always there (if the client sends no username/password, it will
send 0-length strings, so always extracting 3 strings is safe). Also,
the sanitation function validate_peer_info_line() and the opts->peer_info
field were only compiled in #ifdef MANGEMENT_DEF_AUTH...
Patch v3: do not call the old man_output_peer_info_env() anymore, unless
a management env-filter has been set (= ensure IV_ and UV_ stuff is sent
at most *once*, and exactly the way OpenVPN AS expects it). Add
substituting of "bad" characters in the environment values.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1367757373-31637-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7582
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
On the client, allow certain peer info fields to be pushed even if
push-peer-info isn't specified in the config.
This is needed to allow the compression handshake to work correctly
(i.e. where the client indicates its support for LZO and/or Snappy).
Fields that have privacy implications such as Mac Address and UV_*
environment variables will not be pushed to the server as before unless
push-peer-info is specified by client config.
v1: equivalent to OpenVPN SVN r8225 (2.1.21c)
v2: distinguish 3 levels of peer-info detail
--push-peer-info specified --> send all we have
--pull specified --> send basic set, as per r8225
default --> send nothing (do not leak from server)
v3: undo extra whitespace changes in v1 and v2
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1369044801-7594-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7604
|
| |
|
|
|
|
|
|
| |
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <519F5ED0.4070109@nikhef.nl>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7605
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The new compression framework introduced by SVN r8206 only works for
a P2MP server if the compression settings are re-installed for each
client via management interface, ccd/ file or client-connect script,
but the "global" settings get lost due to (needlessly) clearing the
c2.comp_context in the per-client instance. Fixed. (also trac#273)
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1366393268-27392-6-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7529
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Added support for the Snappy compression algorithm which has shown to
have considerably better compression speed than LZO at a comparable
compression ratio.
To enable Snappy add:
compress snappy
to both client and server config files.
Alternatively, enable compression framing on the client:
compress
and have the server selectively push "compress snappy" to the client.
This change also extends the client capability handshake to include
IV_SNAPPY so the server can be aware that a connecting client supports
Snappy.
Note that the Snappy implementation also includes an improved framing
approach where the first byte of the compressed payload is replaced by
the compression control byte (the first payload byte is moved to the end
of the packet). This solves off-by-one alignment issues, which improves
performance on ARM.
By default, the configure script will try to build with Snappy support.
To disable, use the --disable-snappy option.
The --enable-lzo-stub configure directive is now --enable-comp-stub
(because it's not actually "lzo" but "compression-enabled packet framing")
Add compression overhead to extra buffer unconditionally, as long
as USE_COMP is defined.
OpenVPN SVN r8206 (2.1.21a) and r8212 (2.1.21b)
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1366393268-27392-3-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7531
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Console applications under Windows, such as batch scripts, require the
CREATE_NO_WINDOW process flag when run without an actual console window
present. This change allows such scripts to execute and impact the hook
status by way of their return code.
Fixes bug #240.
Signed-off-by: Josh Cepek <josh.cepek@usa.net>
Acked-by: Heiko Hund <heiko.hund@sophos.com>
Message-Id: <kn2pao$5sv$1@ger.gmane.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7594
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add ASSERT() check to route_list_add_vpn_gateway() to ensure that *rl
is valid (and if not, crash with a somewhat more meaningful message than
"segmentation violation"). For the actual bugfix, change init code to
always allocate a "struct route_list" for IPv4, even if no --route options
have been seen in the config.
Fix trac#281 and trac#258.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Josh Cepek <josh.cepek@usa.net>
Message-Id: <1367608404-2257-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7581
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Reverts commit 15ca5c297b556fbb, instead change ssl_openssl.c to use
"constrain_int()", which already exists in "integer.h".
Using this instead of min_int() ensures that the result is always bounded
to 0...256 even in the case of a potential MAX_INT overflow.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1367826941-22412-1-git-send-email-gert@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/7586
Signed-off-by: David Sommerseth <davids@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
This fixes an issue where a segfault happens in pf_cn_test() if no
packet filtering rules have been parsed. See the trac ticket for
more details.
Trac: 163
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: David Sommerseth <davids@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This fix adds support for using tcp6 as a proto in server or non-P2MP
modes, resolving a failed ASSERT in such cases.
Fixes the crash in trac#288.
Signed-off-by: Josh Cepek <josh.cepek@usa.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <klul5d$8ta$1@ger.gmane.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7578
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
On Android changing the configuration of tun is not possible. So instead
of reconfiguring the tun device, open a new tun device and close the old
one if needed.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1367006372-14815-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7558
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
On Android 4.0 (TARGET_ANDROID) the real opening of the tun is handled by
the (Java) application controlling OpenVPN. Instead of calling
ifconfig/route call the management to do the work. When running openvpn as
root openvpn should be compiled as TARGET_LINUX
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1367350151-23089-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7570
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Used for communicating with the Java side on Android to send
to-be-protected socket fd, and to receive tun fd.
For now under #ifdef ANDROID
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1367006045-13576-2-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7557
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
|
|
| |
opening tun
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1367159559-22947-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7564
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This removes the single 'git revision' line from the --version screen and
moves this information on the top, together with the OpenVPN version.
In addition this patch adds two git flags after the git committish. If
there exists changed but unstaged files when the build was done, a '+' is
appended after the committish. If there exists staged files (files which
have been added with 'git add') a '*' will be appended. These flags are
not exclusive.
This also simplifies the config-version.h generation by not using
sed parsing a template. It's just two lines which are generated, so
no need to complicate things more than needed.
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1366375212-14886-1-git-send-email-dazo@users.sourceforge.net
URL: http://article.gmane.org/gmane.network.openvpn.devel/7522
|
| |
|
|
|
|
|
|
| |
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <516BCEA2.6000608@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7509
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
Add extra column to management queries for "status 2" or "status 3"
after "Virtual Address", empty if no IPv6 address assigned to this
client (or IPv6 not active at all).
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20130411150918.GW569@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7503
|
| |
|
|
|
|
|
|
|
|
|
|
| |
print an empty string.
Also use %lu instead of %u for printing unsigned long int
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1365687278-3921-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7498
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This add adds CID which is needed by a few other management commands to
the status output. This will change the output of status in the same way
commit ca18a638aa7cf316611f893127ba44131e57083c did.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1346422753-19520-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7021
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
| |
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1CED409804E2164C8104F9E623B08B9013BC28A538@FOXDFT02.FOX.local>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7480
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This basically brings back the previously-working metric setting for
directly connected routes (add a "0" to the "route add" command) on
Solaris/OpenSolaris. It was working in f0eac1a59790, and got broken
by the route.c/route.h refactoring in 576dc96ca1ef1 - the patch
un-does that change to the TARGET_SOLARIS code, plus adds some more
descriptive comments.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Josh Cepek <josh.cepek@usa.net>
Message-Id: <1364314175-20758-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7460
|
| |
|
|
|
|
|
|
|
|
|
| |
commit 3b23b18dddb8f8f4a introduced usage of MIN(), and not all platforms
have the macro in "readily usable" system header files, most notably it's
missing on OpenSolaris and Android. Add macro if not defined yet.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20130323112234.GM17727@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7450
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Notes:
This issue has been assigned to CVE-2013-2061
URL: http://www.openwall.com/lists/oss-security/2013/05/06/6
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2061
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Added translation table and functions to translate between TLS OpenSSL
and IANA (IETF) cipher suite names. The previously used OpenSSL names
are still accepted, but a deprecation warning is issued.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1363942465-3251-6-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7439
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Added translate_cipher name to crypto_openssl.c and crypto_polarssl.c
to translate between OpenVPN(/OpenSSL) and PolarSSL data channel
cipher algorithm names. OpenSSL does not require any translating,
PolarSSL does for a small number of algorithms. This improves on
config file compatibility between the OpenSSL and PolarSSL builds.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1363942465-3251-5-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7435
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Print the *flags argument, which - for PolarSSL-1.2 - contains the reasons
that the certificate failed (pre-)verification.
Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com>
Acked-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1363942465-3251-4-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7437
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Instead of logging the fact that an error occured, log the error code and
description (when available in the PolarSSL build).
Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com>
Acked-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1363942465-3251-3-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7440
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for PolarSSL-1.2, which has changed the API in several places.
This is a minimal port, new features have not been enabled. Only PolarSSL
1.2.5 and newer are accepted, as earlier versions contain unresolved
(security) issues.
Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com>
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Adriaan de Jong <dejong@fox-it.com>
Message-Id: <1363942465-3251-2-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7436
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
On 3/20/2013 11:42, Arne Schwabe wrote:
> ACK. But I would change "debug verb" to "debug verbosity" and I think
> there should be no comma before "but"
This text change makes sense: I've adjusted it to read "NOTE: debug
verbosity..." and saved another byte removing the comma.
Updated patch attached.
--
Josh
>From d41a0237220f2fea6647a508a2ab07263e0f160b Mon Sep 17 00:00:00 2001
From: Josh Cepek <josh.cepek@usa.net>
Date: Tue, 19 Mar 2013 22:52:12 -0500
Subject: [PATCH] Warn when using verb levels >=7 without debug
This patch adds a log warning when using --verb levels at 7 or higher
when running on builds lacking debug support. Since official builds are
now built with enable_debug=no, this warning will help developers
identify why expected debug messages may not be present in log output.
The test and message output code is omitted when built with
enable_debug=yes or enable_small=yes.
Signed-off-by: Josh Cepek <josh.cepek@usa.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <kicup2$gfv$1@ger.gmane.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7425
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When built with enable_debug=no, the parameter output expected at --verb
4 is not printed due to use of #ifdef ENABLE_DEBUG in the responsible
code sections. This appears to be a mistake when looking at the
configure help text for enable_small and enable_debug.
This change keys the relevant code off of enable_small instead,
including the parameter listing when enale_small=no (the
configure-script default.) Most of this code is in options.c, with some
callers present in plugin.c/h and route.c/h. No function code is
changed, just the #ifdef values to use the small feature instead of
debug.
This means builds no longer need enable_debug=yes in order to get the
expected log output at verb 4.
Signed-off-by: Josh Cepek <josh.cepek@usa.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <437RBuq1U8032S07.1361465626@web07.cms.usa.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7361
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
|
|
| |
(Leftover check from the early days where --server-ipv6 also only
accepted /64 - nowadays we handle smaller pools just fine)
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20130120185030.GR22465@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7269
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Return value of mbuf_len() wrong - it's returning a length value, not
a yes/no value - so when the queue length approached 65 (full!), it
still only returned "1", leading to MBUF overflow later on. Change
from "bool" to "unsigned int", misbehaviour gone...
This fixes OpenVPN trac ticket #263.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Peter Caprioli <petercap@kth.se>
Message-Id: <20130312100706.GN953@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7396
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
| |
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1363032651-23934-4-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7388
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
| |
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1363032651-23934-3-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7389
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
|
|
| |
The function name xor is also a reserved keyword in C++
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1363032651-23934-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7390
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
