summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* PATCHv3 Remove unused variables or put them to the defines they are being ↵Arne Schwabe2013-06-208-19/+2
| | | | | | | | | | used in Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1366059999-31731-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/7511 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Improve documentation and help text for --route-ipv6.Gert Doering2013-06-111-1/+1
| | | | | | | | Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com> Message-Id: 1368873781-29552-1-git-send-email-gert@greenie.muc.de URL: http://article.gmane.org/gmane.network.openvpn.devel/7598 Signed-off-by: David Sommerseth <davids@redhat.com>
* Add support for client-cert-not-required for PolarSSL.Tamas TEVESZ2013-06-111-2/+14
| | | | | | | | Signed-off-by: Tamas TEVESZ <ice@extreme.hu> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: alpine.GSO.2.03.1306080732510.23277@extreme.hu URL: http://article.gmane.org/gmane.network.openvpn.devel/7667 Signed-off-by: David Sommerseth <davids@redhat.com>
* Do not pass struct tls_session* as void* in key_state_ssl_init().Steffan Karger2013-06-073-3/+7
| | | | | | | | Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com> Message-Id: 51B1DBEF.1090705@fox-it.com URL: http://article.gmane.org/gmane.network.openvpn.devel/7664 Signed-off-by: David Sommerseth <davids@redhat.com>
* Fix another #ifdef/#if P2MP_SERVERArne Schwabe2013-06-011-1/+1
| | | | | | | | Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1370013992-18592-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/7647 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Move checking of script file access into set_user_scriptArne Schwabe2013-05-311-22/+11
| | | | | | | | | | At the moment script are only checked if P2MP_SERVER is defined. For CLIENT_ONLY openvpn script were never checked. Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1369947737-26081-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/7635 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Move settings of user script into set_user_script functionArne Schwabe2013-05-313-30/+37
| | | | | | | | | | This also fixes commit 567bfc06d051b60e9cdca1f5bb468631b899682a if not all script options are available by setting options->user_script_used Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1369945603-17169-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/7634 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix #ifdefs for P2MP_SERVERArne Schwabe2013-05-312-2/+2
| | | | | | | | | | | (Fix check introduced by commit a8be73799be1639, testing with #ifdef instead of #if - P2MP_SERVER is always defined, and can be "0" or "1") Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1369949680-9499-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/7637 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Provide more accurate warning messageDavide Brini2013-05-301-1/+1
| | | | | | | | | | Very simple fix. Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <0LzcMG-1ULZ4T0Fuc-014gq9@mail.gmx.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/7628 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Only print script warnings when a script is used. Remove stray mention of ↵Arne Schwabe2013-05-302-7/+14
| | | | | | | | | | script-security system. Acked-by: Jan Just Keijser <janjust@nikhef.nl> Message-Id: <1369920428-11350-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/7625 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix problem with UDP tunneling due to mishandled pktinfo structures.Gert Doering2013-05-301-6/+5
| | | | | | | | | | | | | | | | In link_socket_write_udp_posix_sendmsg(), pktinfo structures for ipv4 and ipv6 are going out of scope before actually calling sendmsg(), so depending on compiler optimization, garbage is passed to sendmsg() - fix by using "union openvpn_pktinfo" and having that in scope all the time. Problem reported and patch provided by "danta" in trac#297 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> URL: https://community.openvpn.net/openvpn/ticket/297 Message-ID: <20130530184427.GP20843@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/7629
* Make push-peer-info visible in "normal" per-instance environment.Gert Doering2013-05-275-44/+84
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Without this patch, peer-info pushed by clients in the TLS handshake is only visible on the management interface, and only if --management-client-auth is enabled. With this patch, received records are sanitized and put into the normal "multi instance" environment, where it can be evaluated by --client-connect or --auth-user-pass-verify scripts and plugins, etc. Only records matching a fairly strict "name=value" format are accepted, and only names starting with IV_ or UV_ are exported, to avoid clients sending funny stuff and playing havoc with script/plugin environments on the server. In the "value" part, spaces, non-printable characters and shell metacharacters are replaced by '_'. The change is somewhat invasive as reception of the peer_info string was only done when username+password are expected from the client, but the data is always there (if the client sends no username/password, it will send 0-length strings, so always extracting 3 strings is safe). Also, the sanitation function validate_peer_info_line() and the opts->peer_info field were only compiled in #ifdef MANGEMENT_DEF_AUTH... Patch v3: do not call the old man_output_peer_info_env() anymore, unless a management env-filter has been set (= ensure IV_ and UV_ stuff is sent at most *once*, and exactly the way OpenVPN AS expects it). Add substituting of "bad" characters in the environment values. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1367757373-31637-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/7582
* Always push basic set of peer info values to server.James Yonan2013-05-273-17/+23
| | | | | | | | | | | | | | | | | | | | | | | | | | | On the client, allow certain peer info fields to be pushed even if push-peer-info isn't specified in the config. This is needed to allow the compression handshake to work correctly (i.e. where the client indicates its support for LZO and/or Snappy). Fields that have privacy implications such as Mac Address and UV_* environment variables will not be pushed to the server as before unless push-peer-info is specified by client config. v1: equivalent to OpenVPN SVN r8225 (2.1.21c) v2: distinguish 3 levels of peer-info detail --push-peer-info specified --> send all we have --pull specified --> send basic set, as per r8225 default --> send nothing (do not leak from server) v3: undo extra whitespace changes in v1 and v2 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1369044801-7594-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/7604
* make 'explicit-exit-notify' pullable againJan Just Keijser2013-05-241-2/+1
| | | | | | | | Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <519F5ED0.4070109@nikhef.nl> URL: http://article.gmane.org/gmane.network.openvpn.devel/7605 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix usage of 'compression ...' from global config.Gert Doering2013-05-191-4/+0
| | | | | | | | | | | | | The new compression framework introduced by SVN r8206 only works for a P2MP server if the compression settings are re-installed for each client via management interface, ccd/ file or client-connect script, but the "global" settings get lost due to (needlessly) clearing the c2.comp_context in the per-client instance. Fixed. (also trac#273) Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1366393268-27392-6-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/7529
* Added support for the Snappy compression algorithmJames Yonan2013-05-1917-393/+898
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Added support for the Snappy compression algorithm which has shown to have considerably better compression speed than LZO at a comparable compression ratio. To enable Snappy add: compress snappy to both client and server config files. Alternatively, enable compression framing on the client: compress and have the server selectively push "compress snappy" to the client. This change also extends the client capability handshake to include IV_SNAPPY so the server can be aware that a connecting client supports Snappy. Note that the Snappy implementation also includes an improved framing approach where the first byte of the compressed payload is replaced by the compression control byte (the first payload byte is moved to the end of the packet). This solves off-by-one alignment issues, which improves performance on ARM. By default, the configure script will try to build with Snappy support. To disable, use the --disable-snappy option. The --enable-lzo-stub configure directive is now --enable-comp-stub (because it's not actually "lzo" but "compression-enabled packet framing") Add compression overhead to extra buffer unconditionally, as long as USE_COMP is defined. OpenVPN SVN r8206 (2.1.21a) and r8212 (2.1.21b) Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1366393268-27392-3-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/7531 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix Windows script execution when called from script hooksJosh Cepek2013-05-191-1/+4
| | | | | | | | | | | | | | | Console applications under Windows, such as batch scripts, require the CREATE_NO_WINDOW process flag when run without an actual console window present. This change allows such scripts to execute and impact the hook status by way of their return code. Fixes bug #240. Signed-off-by: Josh Cepek <josh.cepek@usa.net> Acked-by: Heiko Hund <heiko.hund@sophos.com> Message-Id: <kn2pao$5sv$1@ger.gmane.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/7594 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix NULL-pointer crash in route_list_add_vpn_gateway().Gert Doering2013-05-182-3/+5
| | | | | | | | | | | | | | | Add ASSERT() check to route_list_add_vpn_gateway() to ensure that *rl is valid (and if not, crash with a somewhat more meaningful message than "segmentation violation"). For the actual bugfix, change init code to always allocate a "struct route_list" for IPv4, even if no --route options have been seen in the config. Fix trac#281 and trac#258. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Josh Cepek <josh.cepek@usa.net> Message-Id: <1367608404-2257-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/7581
* Use constrain_int() instead of MIN()+syshead.c compat definition - v2.Gert Doering2013-05-072-8/+1
| | | | | | | | | | | | | | Reverts commit 15ca5c297b556fbb, instead change ssl_openssl.c to use "constrain_int()", which already exists in "integer.h". Using this instead of min_int() ensures that the result is always bounded to 0...256 even in the case of a potential MAX_INT overflow. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com> Message-Id: 1367826941-22412-1-git-send-email-gert@greenie.muc.de URL: http://article.gmane.org/gmane.network.openvpn.devel/7586 Signed-off-by: David Sommerseth <davids@redhat.com>
* Fix segfault when enabling pf plug-inssvimik2013-05-061-1/+1
| | | | | | | | | | This fixes an issue where a segfault happens in pf_cn_test() if no packet filtering rules have been parsed. See the trac ticket for more details. Trac: 163 Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: David Sommerseth <davids@redhat.com>
* Fix proto tcp6 for server & non-P2MP modesJosh Cepek2013-05-031-0/+4
| | | | | | | | | | | | | This fix adds support for using tcp6 as a proto in server or non-P2MP modes, resolving a failed ASSERT in such cases. Fixes the crash in trac#288. Signed-off-by: Josh Cepek <josh.cepek@usa.net> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <klul5d$8ta$1@ger.gmane.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/7578 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Emulate persist-tun on AndroidArne Schwabe2013-05-011-1/+17
| | | | | | | | | | | | On Android changing the configuration of tun is not possible. So instead of reconfiguring the tun device, open a new tun device and close the old one if needed. Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1367006372-14815-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/7558 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Android platform specific changes.Arne Schwabe2013-05-019-5/+144
| | | | | | | | | | | | | On Android 4.0 (TARGET_ANDROID) the real opening of the tun is handled by the (Java) application controlling OpenVPN. Instead of calling ifconfig/route call the management to do the work. When running openvpn as root openvpn should be compiled as TARGET_LINUX Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1367350151-23089-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/7570 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Add ability to send/receive file descriptors via management interfaceArne Schwabe2013-05-012-0/+91
| | | | | | | | | | | | | Used for communicating with the Java side on Android to send to-be-protected socket fd, and to receive tun fd. For now under #ifdef ANDROID Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1367006045-13576-2-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/7557 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Allow routes to be set before opening tun, similar to ifconfig before ↵Arne Schwabe2013-05-012-2/+20
| | | | | | | | | | opening tun Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1367159559-22947-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/7564 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Improve the git revision trackingDavid Sommerseth2013-04-191-3/+3
| | | | | | | | | | | | | | | | | | | | This removes the single 'git revision' line from the --version screen and moves this information on the top, together with the OpenVPN version. In addition this patch adds two git flags after the git committish. If there exists changed but unstaged files when the build was done, a '+' is appended after the committish. If there exists staged files (files which have been added with 'git add') a '*' will be appended. These flags are not exclusive. This also simplifies the config-version.h generation by not using sed parsing a template. It's just two lines which are generated, so no need to complicate things more than needed. Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: 1366375212-14886-1-git-send-email-dazo@users.sourceforge.net URL: http://article.gmane.org/gmane.network.openvpn.devel/7522
* Fixed usage of stale define USE_SSL to ENABLE_SSLSteffan Karger2013-04-151-2/+4
| | | | | | | | Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <516BCEA2.6000608@fox-it.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/7509 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Print "Virtual IPv6 Address" on management interface queries [v4]Gert Doering2013-04-122-3/+6
| | | | | | | | | | | Add extra column to management queries for "status 2" or "status 3" after "Virtual Address", empty if no IPv6 address assigned to this client (or IPv6 not active at all). Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <20130411150918.GW569@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/7503
* Print client id only if compiled with man agent support. OtherwiseArne Schwabe2013-04-111-2/+11
| | | | | | | | | | | | print an empty string. Also use %lu instead of %u for printing unsigned long int Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1365687278-3921-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/7498 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Add the client id (CID) to the output of the status commandArne Schwabe2013-04-111-4/+5
| | | | | | | | | | | | This add adds CID which is needed by a few other management commands to the status output. This will change the output of status in the same way commit ca18a638aa7cf316611f893127ba44131e57083c did. Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1346422753-19520-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/7021 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fixed tls-cipher translation bug in openssl-buildSteffan Karger2013-04-051-2/+5
| | | | | | | | Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1CED409804E2164C8104F9E623B08B9013BC28A538@FOXDFT02.FOX.local> URL: http://article.gmane.org/gmane.network.openvpn.devel/7480 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix directly connected routes for "topology subnet" on Solaris.Gert Doering2013-03-271-6/+9
| | | | | | | | | | | | | | This basically brings back the previously-working metric setting for directly connected routes (add a "0" to the "route add" command) on Solaris/OpenSolaris. It was working in f0eac1a59790, and got broken by the route.c/route.h refactoring in 576dc96ca1ef1 - the patch un-does that change to the TARGET_SOLARIS code, plus adds some more descriptive comments. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Josh Cepek <josh.cepek@usa.net> Message-Id: <1364314175-20758-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/7460
* Add MIN() compatibility macroGert Doering2013-03-231-0/+7
| | | | | | | | | | | commit 3b23b18dddb8f8f4a introduced usage of MIN(), and not all platforms have the macro in "readily usable" system header files, most notably it's missing on OpenSolaris and Android. Add macro if not defined yet. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <20130323112234.GM17727@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/7450
* Use constant time memcmp when comparing HMACs in openvpn_decrypt.Steffan Karger2013-03-222-1/+27
| | | | | | | | | | | | Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: Gert Doering <gert@greenie.muc.de> Notes: This issue has been assigned to CVE-2013-2061 URL: http://www.openwall.com/lists/oss-security/2013/05/06/6 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2061
* Switch to IANA names for TLS ciphers.Steffan Karger2013-03-224-4/+251
| | | | | | | | | | | | | Added translation table and functions to translate between TLS OpenSSL and IANA (IETF) cipher suite names. The previously used OpenSSL names are still accepted, but a deprecation warning is issued. Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1363942465-3251-6-git-send-email-steffan.karger@fox-it.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/7439 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Config compatibility patch. Added translate_cipher_name.Steffan Karger2013-03-224-3/+75
| | | | | | | | | | | | | | | Added translate_cipher name to crypto_openssl.c and crypto_polarssl.c to translate between OpenVPN(/OpenSSL) and PolarSSL data channel cipher algorithm names. OpenSSL does not require any translating, PolarSSL does for a small number of algorithms. This improves on config file compatibility between the OpenSSL and PolarSSL builds. Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1363942465-3251-5-git-send-email-steffan.karger@fox-it.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/7435 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Improve verify_callback messagesSteffan Karger2013-03-221-3/+3
| | | | | | | | | | | | Print the *flags argument, which - for PolarSSL-1.2 - contains the reasons that the certificate failed (pre-)verification. Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1363942465-3251-4-git-send-email-steffan.karger@fox-it.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/7437 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Improve PolarSSL key_state_read_{cipher, plain}text messagesSteffan Karger2013-03-221-2/+6
| | | | | | | | | | | | Instead of logging the fact that an error occured, log the error code and description (when available in the PolarSSL build). Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1363942465-3251-3-git-send-email-steffan.karger@fox-it.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/7440 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* PolarSSL-1.2 supportSteffan Karger2013-03-226-56/+29
| | | | | | | | | | | | | | Add support for PolarSSL-1.2, which has changed the API in several places. This is a minimal port, new features have not been enabled. Only PolarSSL 1.2.5 and newer are accepted, as earlier versions contain unresolved (security) issues. Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com> Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Message-Id: <1363942465-3251-2-git-send-email-steffan.karger@fox-it.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/7436 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* (updated) [PATCH] Warn when using verb levels >=7 without debugJosh Cepek2013-03-201-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | On 3/20/2013 11:42, Arne Schwabe wrote: > ACK. But I would change "debug verb" to "debug verbosity" and I think > there should be no comma before "but" This text change makes sense: I've adjusted it to read "NOTE: debug verbosity..." and saved another byte removing the comma. Updated patch attached. -- Josh >From d41a0237220f2fea6647a508a2ab07263e0f160b Mon Sep 17 00:00:00 2001 From: Josh Cepek <josh.cepek@usa.net> Date: Tue, 19 Mar 2013 22:52:12 -0500 Subject: [PATCH] Warn when using verb levels >=7 without debug This patch adds a log warning when using --verb levels at 7 or higher when running on builds lacking debug support. Since official builds are now built with enable_debug=no, this warning will help developers identify why expected debug messages may not be present in log output. The test and message output code is omitted when built with enable_debug=yes or enable_small=yes. Signed-off-by: Josh Cepek <josh.cepek@usa.net> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <kicup2$gfv$1@ger.gmane.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/7425 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix parameter listing in non-debug builds at verb 4Josh Cepek2013-03-145-11/+11
| | | | | | | | | | | | | | | | | | | | | | | When built with enable_debug=no, the parameter output expected at --verb 4 is not printed due to use of #ifdef ENABLE_DEBUG in the responsible code sections. This appears to be a mistake when looking at the configure help text for enable_small and enable_debug. This change keys the relevant code off of enable_small instead, including the parameter listing when enale_small=no (the configure-script default.) Most of this code is in options.c, with some callers present in plugin.c/h and route.c/h. No function code is changed, just the #ifdef values to use the small feature instead of debug. This means builds no longer need enable_debug=yes in order to get the expected log output at verb 4. Signed-off-by: Josh Cepek <josh.cepek@usa.net> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <437RBuq1U8032S07.1361465626@web07.cms.usa.net> URL: http://article.gmane.org/gmane.network.openvpn.devel/7361 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Permit pool size of /64.../112 for ifconfig-ipv6-poolGert Doering2013-03-141-2/+2
| | | | | | | | | | (Leftover check from the early days where --server-ipv6 also only accepted /64 - nowadays we handle smaller pools just fine) Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <20130120185030.GR22465@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/7269
* Repair "tcp server queue overflow" brokenness, more <stdbool.h> fallout.Gert Doering2013-03-121-1/+1
| | | | | | | | | | | | | | | | Return value of mbuf_len() wrong - it's returning a length value, not a yes/no value - so when the queue length approached 65 (full!), it still only returned "1", leading to MBUF overflow later on. Change from "bool" to "unsigned int", misbehaviour gone... This fixes OpenVPN trac ticket #263. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Peter Caprioli <petercap@kth.se> Message-Id: <20130312100706.GN953@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/7396 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Remove unused function no_tap_ifconfigArne Schwabe2013-03-121-10/+0
| | | | | | | | Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1363032651-23934-4-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/7388 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Move static prototype definition from header into c fileArne Schwabe2013-03-122-2/+2
| | | | | | | | Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1363032651-23934-3-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/7389 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Remove unused function xorArne Schwabe2013-03-121-10/+0
| | | | | | | | | | The function name xor is also a reserved keyword in C++ Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1363032651-23934-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/7390 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* add new option for X.509 name verificationHeiko Hund2013-03-076-23/+105
| | | | | | | | | | | | | | Add the option --verify-x509-name to provide the functionality of the now deprecated --tls-remote. The new option accepts RFC 2253 subject DNs only and compares RDN or RDN prefix only if configured explicitly. Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: 1362670601-18660-1-git-send-email-heiko.hund@sophos.com URL: http://article.gmane.org/gmane.network.openvpn.devel/7376 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* make --tls-remote compatible with pre 2.3 configsHeiko Hund2013-03-071-0/+6
| | | | | | | | | | | | | | In openvpn 2.3.0 the semantics of the --tls-remote option changed. That broke more configurations than anticipated. To not break configurations that use --tls-remote with a legacy OpenSSL style DN anymore, it is now detected when such a DN is configured. When necessary the --compat-names option is then automatically enabled. Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: 1361526263-1740-3-git-send-email-heiko.hund@sophos.com URL: http://article.gmane.org/gmane.network.openvpn.devel/7366 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* reintroduce --no-name-remapping optionHeiko Hund2013-03-071-7/+14
| | | | | | | | | | | The option is just an alias for --compat-names no-remapping and is introduced so pre-2.3 server configurations don't break. Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: 1361526263-1740-2-git-send-email-heiko.hund@sophos.com URL: http://article.gmane.org/gmane.network.openvpn.devel/7364 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix corner case in NTLM authentication (trac #172)Christian Niessner2013-03-071-2/+2
| | | | | | | | | | | | | | | | | The problem is located in the file proxy.c within "establish_http_proxy_passthru": To keep buffers small long base64-encoded NTLM-Strings are truncated. But the truncating is done on a wrong place: base 64 strings can be cut every 4 chars. the buffer is 128 bytes - including the terminating \0, so the usable data is only 127 bytes. And decoding a 127 char base64 string fails... this is why the ntlm authentication fails in certain cases (long strings)... Acked-by: Joerg Willmann <joe@clnt.de> URL: https://community.openvpn.net/openvpn/ticket/172 Signed-off-by: Gert Doering <gert@greenie.muc.de>
generated by cgit (git 2.34.1) at 2024-06-29 23:00:05 +0000