| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
OpenVPN's current cryptoapicert implementation does not support TLS 1.2
(and newer). Fixing this requires a rewrite of our cryptoapi code to use
Microsofts' "Cryptography API: Next Generation", and several hacks to work
around that API. As long as we don't fix that, make openvpn automatically
cap the TLS version to 1.1 when using cryptoapi (and tell the user we're
doing so). This enables the user to use cryptoapi + TLS version
negotiation (upto TLS 1.1) without having to change his configuration.
This patch has been tested on Windows 8.1 for both the master and
release/2.3 branches.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1419762313-31233-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9361
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
| |
Trac: 490
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1418905506.21260.6.camel@infradead.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9355
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a91a06cb291414c9e657377e44f7a57343ae7f5a)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the user specifies --pkcs11-id or --pkcs-id-management but neglects
to explicitly provide a --pkcs11-provider argument, and if the system
has p11-kit installed, then load the p11-kit proxy module so that the
system-configured tokens are available.
Trac: 490
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1418303015.31745.78.camel@infradead.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9342
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6f1d3cf062d5c33cbad4d521d157d43d53ffc7d1)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The coding style was somewhat chaotic. Cleaning it up using the astyle
tool. The style parameters are coherent to what was agreed upon at the
Munich Hackathon 2014 [1].
astyle --style=allman --indent=spaces=4 -c
Also included a "Local variables" section which some editors may pick
up automatically.
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1418078751-3614-1-git-send-email-openvpn.list@topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9331
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The assert(0) happening if trying to use --tcp-nodelay in a client
config is really not helpful at all. When this assert(0) was removed,
another warning appeared that this could only be used in server
configs. That itself is also quite silly, as clients can choose to
use --socket-flags TCP_NODELAY in the client config instead. This
behaviour does not help the user in any way.
This patch removes the server-only restriction and rather provides
a more helpful warning when using --tcp-nodelay on the client side.
Trac: 489
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: 1418118764-17846-1-git-send-email-openvpn.list@topphemmelig.net
URL: http://article.gmane.org/gmane.network.openvpn.devel/9334
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Removed a few compiler warnings:
down-root.c:164:4: warning: implicit declaration of function 'warn'
[-Wimplicit-function-declaration]
down-root.c:239:5: warning: implicit declaration of function 'err'
[-Wimplicit-function-declaration]
down-root.c:461:7: warning: unused variable 'i' [-Wunused-variable]
down-root.c:460:15: warning: unused variable 'p' [-Wunused-variable]
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: 1418074541-24987-1-git-send-email-openvpn.list@topphemmelig.net
URL: http://article.gmane.org/gmane.network.openvpn.devel/9327
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For every float event we generate prefix, which allocates 256 + 64
bytes. That memory is reclaimed when client disconnects, so long lasting
and constantly floating sessions drain memory.
As a fix use preallocated buffer inside multi_instance for storing
multi_prefix.
Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: 1418057325-13265-1-git-send-email-lstipakov@gmail.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/9321
Signed-off-by: David Sommerseth <davids@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds peer-id to the status output which might help analyze floating
logs. This will change the output of status in the same way commit
662ce6acc065bddf6490b3494725b8b3987b7def did.
Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: 1418058362-13480-1-git-send-email-lstipakov@gmail.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/9322
Signed-off-by: David Sommerseth <davids@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is not a full update, but just updates some data channel-related docs
I came across. Other pages probably need a bit of attention too.
Stuff that was changed:
* Explain data channel crypto format in crypto.h
* Add P_DATA_V1 and P_DATA_V2 packet format spec
* Remove '2.1' from title
* Update some OpenSSL-specific text
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1417978095-19427-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9318
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
| |
In older version OpenVPN would hash a --tls-auth file
if it does not conform to the expected format
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1417871704-30273-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9306
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
| |
If down-root fails it will now use warn() to provide some more information
about what went wrong, by retrieving the error message via errno.
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1416262460-9158-1-git-send-email-openvpn.list@topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9247
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The system() call is prone to shell expansions and provides far more
environments variables to the executable run than what is usually
preferred. By moving over to exevce() shell expansions are far more
difficult to achieve and only the OpenVPN provided environment
variables are available.
This is a response to the patch submitted to openvpn-devel ML:
http://article.gmane.org/gmane.network.openvpn.devel/7919
v2 - Pulling it up again, fixing a few whitespace and spelling issues
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1416148262-20978-1-git-send-email-openvpn.list@topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9238
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
... by not incorrectly hinting to the compiler the function argument of
cipher_kt_mode_{cbc,ofb_cfb}() is nonnull, since that no longer is the
case.
Verified the fix on Debian Wheezy, one of the platforms the reporter in
trac #473 mentions with a compiler that would optimize out the required
checks.
Also add a testcase for --cipher none to t_lpback, to prevent further
regressions.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1417552920-31770-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9300
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes a denial-of-service vulnerability where an authenticated client
could stop the server by triggering a server-side ASSERT().
OpenVPN would previously ASSERT() that control channel packets have a
payload of at least 4 bytes. An authenticated client could trigger this
assert by sending a too-short control channel packet to the server.
Thanks to Dragana Damjanovic for reporting the issue.
This bug has been assigned CVE-2014-8104.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1CED409804E2164C8104F9E623B08B9018803B0FE7@FOXDFT02.FOX.local>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Added new packet format P_DATA_V2, which includes peer-id. If server
supports, client sends all data packets in the new format. When data
packet arrives, server identifies peer by peer-id. If peer's ip/port has
changed, server assumes that client has floated, verifies HMAC and
updates ip/port in internal structs.
Changes in v7:
A few nitpicks.
Changes in v6:
Fixed: Make sure float won't happen if hmac check failed (regression).
Fixed: Access outside of bounds of array, which has caused memory
corruption and crash.
Various review fixes.
Changes in v5:
Protection agains replay attack by commiting float changes only after
existing packet processing flow has completed.
If peer floats to an address which is already taken by another active
session, drop float packet, otherwise disconnect existing session.
Changes in v4:
Handles correctly float to an address which is used by another peer.
This also has fixed crash on assert in multi_client_disconnect.
Changes in v3:
Bugfix: If float happens after TLS renegotiation and there are no
data packets between reneg and float, server will not recognize floated
client.
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1416755831-21250-1-git-send-email-lstipakov@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9270
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
| |
Found via cppcheck and compile-tested.
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1416745303-23641-1-git-send-email-yegorslists@googlemail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9266
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
| |
Found via cppcheck and compile-tested.
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1416687215-26904-1-git-send-email-yegorslists@googlemail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9263
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add missing #define for IPV6_V6ONLY sockopt.
Fix last remaining fallout of dual-stack patch set in connect() call
for "not CONNECT_NONBLOCK" case.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1416257903-24629-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9246
|
|
|
|
|
|
|
|
|
|
| |
Just add a few valid casts that shut up mingw gcc.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1416068708-6871-2-git-send-email-heiko.hund@sophos.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9229
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The local member in struct link_socket_address went away a while ago.
Fixing the code to compile again under Windows. While there, also
fix the code to deal with struct link_socket_info.af == AF_UNSPEC
(The breakage this fixes was introduced by the dual-stack socket
rework, most likely commit 6c5db192c30ff0c6b89e2e0aefec00329de39302)
Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1416068708-6871-1-git-send-email-heiko.hund@sophos.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9228
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Because using TLS 1.2 breaks certain setups, a user might want to enforce
a maximum TLS version to use. This patch adds that option.
This patch removes a number of #ifdefs from ssl_polarssl.c, because the
polarssl versions we currently support (polar 1.2 for openvpn 2.3, and
polar 1.3 for openvpn-master) have all versions unconditionally enabled.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <544EC052.3080809@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9210
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some commits ago, the cipher mode checks were cleaned up to
remove code duplication (and fix the issue in #471), but broke
'--cipher none' (reported in #473). This commit fixes that.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <545DED2C.5070002@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9217
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
| |
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1414230851-5350-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9195
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6e469f46e94b2bd0fc1509f2bfbda4d6b5374b14)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Between versions 1.2 and 1.3, polarssl changed the errors
returned by the X509 parsing functions, which broke the OpenVPN
implementation for password protected private keys in polarssl
builds. This patch fixes that by checking for the new errors in
OpenVPN.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <5432E951.6020405@fox-it.com>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Modification to address bug where OpenVPN enters state where it is
unresponsive and cannot be terminated. Log output is continuous spew
of "code=995" errors.
Revised fix for code=995 sped bug.
Adding new tap adapters while connected:
https://community.openvpn.net/openvpn/ticket/430
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1413961660-19251-2-git-send-email-samuli@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9165
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1413961660-19251-3-git-send-email-samuli@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9167
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
On a long-running, busy server using either a plug-in which hooks into
OPENVPN_PLUGIN_CLIENT_CONNECT or a configuration using --client-connect
a lot of unused files will be lingering and potentially filling up
the file system with temporary files if the plug-in or --client-connect
script fails.
This patch ensures that these files are always removed in the end,
regardless if the plug-in or script succeeds or fails.
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 20141012195919.GU3738@type
URL: http://thread.gmane.org/gmane.network.openvpn.devel/9104/focus=9118
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For each recognized extension in a certificate, extract_x509_extension()
would issue an "ASN1 ERROR: can not handle field type" debug message at
verb 2. Reduce that to verb 9 (D_TLS_ERRORS -> D_TLS_DEBUG) and alter the
message text accordingly.
Signed-off-by: Andris Kalnozols <andris@hpl.hp.com>
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <53E6A61C.7010106@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8981
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
Currently, when compiling with --enable-iproute2 , OpenVPN does not
create a correct route when the user is connected to the Internet
without a gateway (e.g. via ppp). This patch implements the
corresponding FIXME.
Signed-off-by: Philipp Hagemeister <phihag@phihag.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <54259015.2030005@phihag.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9056
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is another systemd implementation clean-up. It was found that
SELinux will block OpenVPN from checking /sys/fs/cgroups. As OpenVPN
only checked /sys/fs/cgroups and /sys/fs/cgroups/systemd to see if
systemd was available or not, it was considered better to query
systemd directly to see whether or not to query for usernames and
passwords via systemd.
This patch has been compile tested on Fedora 19 and Fedora 21 alpha and
function tested on Fedora 19.
v2 - Use PKG_CHECK_MODULES() + check for libsystemd before
libystemd-daemon. systemd >= 209 use a unified library
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1412356567-27125-1-git-send-email-openvpn.list@topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9072
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
| |
No functional changes, just add missing includes and make casts explicit.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1408396155-9017-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8991
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
fixed warning: expression which evaluates to zero treated as a
null pointer constant of type 'struct addrinfo *'
Seems to be innocent, but clang is correct that this is strange.
init_tun() expects two pointers, but options_string() tried to
feed it two uint32_t values.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Message-Id: <1408568426-19601-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9004
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
| |
Does not actually change behaviour, but fixes compiler warnings
and properly initializing is good habit anyway.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Message-Id: <1408568426-19601-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9003
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Every four input characters, openvpn_base64_decode called token_decode,
which in turn called strlen() on the remaining input. This means that
base64 decoding in openvpn had quadratic complexity.
All we really need to know is whether the token is complete, so replace
the check to check just that, and make the complexity linear wrt the
input length.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <5408494D.7050407@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9016
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Do the proper closing of the pipe ends which is not being used,
also in error situations. Moved the closing of the parent side
before the waitpid(), to be consistent with the child side (as
early as possible).
Also improved the error messages with more details.
[v2 - Don't call close() if execve() fails]
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 20140909202408.GK1118@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/9036
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the SYSTEMD_ASK_PASSWORD_PATH executable cannot be found, we
don't consider systemd as running.
[v2 - Don't clean up white-space]
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 20140909202044.GJ1118@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/9035
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 9449e6a9eba30c9ed054f57d630a88c9f087080f introduced the
openvpn_popen() function to support retrieving passwords via systemd.
It was discovered that the child processes openvpn fork()ed would
be lingering around until openvpn stopped. This was due to the lack
of a wait() call.
This patch also cleans up a few minor white-space issues in the same
code segment.
[v2 proper initialisation of status variable]
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1409930731-15263-2-git-send-email-davids@redhat.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/9021
|
|
|
|
|
|
|
|
|
|
|
| |
Gentoo Linux installs this in /usr/bin by default. Also, the user may
have installed it in /usr/local/bin if building from source.
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1404419045-14728-1-git-send-email-floppym@gentoo.org
URL: http://article.gmane.org/gmane.network.openvpn.devel/8825
Signed-off-by: David Sommerseth <davids@redhat.com>
|
|
|
|
|
|
|
|
| |
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1406667866-14226-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8953
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
| |
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1404735142-31420-2-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8840
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The IPv4 routing code needs an IPv4 address to point a route to, and
in --topology subnet mode, the *server* did not have one set by default.
So we now just default --route-gateway to the next address right after
the server address - the specific address doesn't matter, as the correct
next-hop will not be resolved by the host OS but by the OpenVPN daemon.
All that is needed is "it's in the subnet routed to the tun interface".
Using the server address itself would work on unix, but doesn't work with
the Windows TAP driver (as it does not spoof ARP responses for itself).
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1405254527-23833-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8904
|
|
|
|
|
|
|
|
|
|
|
| |
This restores support for pre-0.9.8f OpenSSL versions, which do not include
stateless session resumption, and the accompanying SSL_OP_NO_TICKET flag.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <53C251E2.7050605@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8902
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As requested in trac ticket #83, the daemon should not exit if opening the
CRL file during a connection attempt fails; OpenVPN should merely deny the
connection.
CRL files need to be periodically updated. When users update their CRL in
place and a connection attempt takes place simultaneously, the CRL file
might temporarily not be available, or not be in a consistent state.
Previously, that would result in the daemon exiting. With this patch, that
results in one (or possibly a few) failed connection attempts, but service
will restore automatically as soon as the CRL is again available in a valid
state.
Note that on startup OpenVPN still checks the existence and accessibility
of the CRL file, and will refuse to start on error.
While I was touching the code, I improved error reporting for the PolarSSL
code a bit. The polar code opens and parses the CRL in a single call, so
on error retrieve details from polarssl and report those to the user.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <53BED57C.7070300@fox-it.com>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
I revisited options.c to refine its brute-force upcasing behavior. Now, the
upcasing is done only if the option argument is all lowercase. Mixed-case
arguments and those with the "ext:" prefix are left unchanged. This
preserves the original intent of the "helpful" upcasing feature for
backwards compatibility while limiting its scope in a straightforward way.
Signed-off-by: Andris Kalnozols <andris@hpl.hp.com>
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <53B1BDD8.8020705@karger.me>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
| |
it is unconditionally enabled and OpenVPN does not compile if disabled
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1404735142-31420-4-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8841
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
All cipher suite names supplied through --tls-cipher are translated by
OpenVPN to IANA names, to get OpenSSL and PolarSSL configuration files
compatible. OpenSSL however supports cipher suite group names, like
'DEFAULT', 'HIGH', or 'ECDH'. To make OpenVPN not complain about these,
entries translating these to themselves were added to the translation
table. However, to make OpenVPN not still complain, the deprecated-name
check has to be reversed from 'if this is a deprecated name then complain'
to 'if this is not a iana name, then complain'. Which this commit does.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1404424065-24787-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8824
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Also remove the bulky warning from init_key_type() and add the information
to the --show-ciphers output.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <53BAEF65.2070509@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8852
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
OpenSSL has added AEAD-CBC mode ciphers like AES-128-CBC-HMAC-SHA1, which
have mode EVP_CIPH_CBC_MODE, but require a different API (the AEAD API).
So, add extra checks to filter out those AEAD-mode ciphers.
Adding these made the crypto library agnostic function cfb_ofb_mode()
superfuous, so removed that on the go.
Also update all cipher mode checks to use the new cipher_kt_mode_*()
functions for consistency.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1402244175-31462-3-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8779
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Makes OFB/CFB compile time configurable, and fixes output of --show-ciphers
to also show OFB/CFB ciphers along the way (becasue crypto.h was not
included from crypto_openssl.c).
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1402244175-31462-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8781
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
AIX only has TAP interfaces, so always use gateway address as next hop,
not interface name.
AIX route works much more reliable if passed netbits than netmask - do so
(introducing a new helper function netmask_to_netbits2())
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1402409073-54067216-4-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8785
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
AIX is special... ifconfig only works if it can add the data to
the ODM right away, so setup a local enviromnment set that has
"ODMDIR=/etc/objrepos" in it (hard-coded, nobody changes that).
Only --dev tap or --dev tapNN are supported right now. AIX has no
tun driver (so tun mode would need to dynamically add/remove ethernet
headers to/from AIX).
Signed-off-by: Gert Doering <gd@medat.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1402409073-54067216-3-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8788
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|