| Commit message (Collapse) | Author | Age | Files | Lines |
| |
Has been inside the #if 0 since the 'git tree epoch' (Sept 2005) and was not
referenced from code, dead code or comments.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1404336688-15036-1-git-send-email-steffan@karger.me>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
Hi All,
OpenVPN 2.3.4 will currently throw a warning of "NOTE: setsockopt
TCP_NODELAY=1 failed (No kernel support)" when attempting to use the
TCP_NODELAY socket option on Mac OS X/Darwin. Kernel support is there;
however, the required header file where TCP_NODELAY is defined is not being
included. This patch simply alters syshead.h to include <netinet/tcp.h> on
Darwin platforms.
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <A1005665-126D-45D5-A6F2-75ED0EAE30FE@sparklabs.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8809
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
The return value of x509_get_numeric_string() was interpreted incorrectly
by ssl_verify_polarssl.c's x509_verify_cert_eku(). This patch enables the
usage of the OID representation in --remote-cert-eku options.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Message-Id: <1398415277-6880-1-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8627
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
--ccd-exclusive
OpenVPN will do some simple sanity checking at startup to ensure
the expected files and directories are in place. However, with
--client-config-dir and --ccd-exclusive, things are slightly different.
In both cases it is perfectly fine that files do not exist, and we
cannot know any file names beforehand due to these filenames being based
upon the certificate's CN field.
The problem arises when OpenVPN cannot open files inside a directory
because the directory permissions are too restrictive, have wrong
ownership (triggered by the usage of --user/--group) or other security
mechanisms the OS uses.
When a client connects, the test_file() function is used to check if a
client config file has been prepared. And if not, it continues without
trying to read it. So, if the privileges of the running OpenVPN process
do not allow it to open and read an existing file, OpenVPN will treat this
as a non-existing file without saying anything. This is clearly wrong.
So this patch adds a warning message in the OpenVPN log if it could
not open the file due to lack of permissions.
This will work fine on all *nix based OSes. Windows however reports
'no such file or directory' (errno=2/-ENOENT) even on privilege access
errors when the directory this file resides in is too restrictive. But there
is no easy way to work around that. However, I believe that the initial
sanity checking at startup will catch that one, as it will check if the
directories it needs exist.
This patch has only gone through simple basic testing, with both too few
privileges and with proper privileges to the CCD directory. With wrong
privileges, the following error can be found if CN=Test client:
Fri May 2 00:00:10 2014 us=281993 127.0.0.1:41017 Could not access file
'/etc/clients/Test client': Permission denied (errno=13)
[v2 - use openvpn_errno() instead of errno, for better platform support]
Trac: #277
Trac-URL: https://community.openvpn.net/openvpn/ticket/277
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1398990504-4239-1-git-send-email-dazo@users.sourceforge.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8688
Signed-off-by: Gert Doering <gert@greenie.muc.de>
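The ENOENT-versus-EACCES distinction the message above draws, as an added stand-alone example (not OpenVPN's test_file() and not code from this commit): a probe that treats a missing client-config file as the normal case but reports a permission failure in the same shape as the log line quoted above. The CCD directory, the "Test client" file and the pushed option inside it are constructed for the demo; the Windows errno=2 behaviour described above is noted in a comment but not reproduced here.

```python
import errno
import os
import tempfile

# Outcomes of a client-config-dir lookup. Only ABSENT may silently fall
# through to the default configuration; DENIED must be logged.
ABSENT, DENIED, PRESENT = "absent", "denied", "present"


def describe_open_error(err: OSError, path: str) -> str:
    """Format the warning in the same shape as the log line quoted above."""
    return f"Could not access file '{path}': {err.strerror} (errno={err.errno})"


def probe_client_config(path: str):
    """Return (outcome, warning_or_None) for a per-client config file.

    ENOENT is the expected no-file case; EACCES/EPERM (and anything else)
    is a misconfiguration and is reported instead of being treated as
    "no file". Note: on Windows a too-restrictive directory yields
    errno=2 (ENOENT) even for permission problems, as the commit message
    says, so this probe cannot tell the two apart there."""
    try:
        fd = os.open(path, os.O_RDONLY)
    except OSError as err:
        if err.errno == errno.ENOENT:
            return ABSENT, None
        return DENIED, describe_open_error(err, path)
    os.close(fd)
    return PRESENT, None


def demo():
    """Exercise the probe against constructed files in a temporary CCD dir."""
    with tempfile.TemporaryDirectory() as ccd:
        present = os.path.join(ccd, "Test client")   # constructed CN
        with open(present, "w") as f:
            f.write("ifconfig-push 10.8.0.2 255.255.255.0\n")  # constructed
        results = {
            "present": probe_client_config(present)[0],
            "absent": probe_client_config(os.path.join(ccd, "nobody"))[0],
            # A synthetic EACCES shows the message shape without needing
            # an unprivileged user (chmod 000 is bypassed when running as root).
            "denied_message": describe_open_error(
                OSError(errno.EACCES, os.strerror(errno.EACCES)), present),
        }
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The key design choice is that only errno ENOENT maps to the silent path; every other failure produces a warning, so a wrongly owned or over-restricted CCD directory becomes visible in the log instead of turning into an "absent" client config.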
| |
IPv6 has the concept of "link local" addresses, fe80::<host id>, which
normally are present on every link, and are used for stuff like DHCPv6,
neighbor discovery, etc.
OpenVPN point-to-multipoint mode currently neither configures them on
tun interfaces, nor handles them in a meaningful way if a client OS
always has them (like Windows or Solaris), so the log fills with many
lines of "MULTI: bad source address from client [fe80::...]", serving
no useful purpose.
This patch just recognizes IPv6 LL packets and silently drops them.
Further patches can build on this and add full link-local support, which
would require address learning (as the addresses are based on host IDs, not
assigned by the server).
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1402080235-24409-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8773
| |
cipher_ctx_final() only returns an outlen in CBC mode. If CFB or OFB
are used the assertion outlen == iv_len is always false.
There's no CBC mode defined for the GOST 28147-89 block cipher. Hence
this patch is needed for it to work. It's needed for other ciphers like
BF-CFB as well, though.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <538A00AA.7090007@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8748
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
Wrap ssl_verify.h in "#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)" to
make it empty for --disable-ssl builds.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1401737019-15702-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8763
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
Variable 'proxy' was set but never read, so remove it.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1401645536-27849-6-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8750
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
verify_user_pass_enabled() is a function on a tls_session, and belongs in
ssl.c. Moving the function removes the dependency on manage.h.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1401645536-27849-5-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8754
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1401645536-27849-4-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8749
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
* ssl.c: remove three unneeded includes
* ssl_verify_polarssl.h: remove two unneeded includes
* ssl_verify_openssl.c: add missing ssl_verify_openssl.h and error.h
includes, and reorder includes.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1401645536-27849-3-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8753
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
For symmetry with ssl_verify_openssl.c and release/2.3 branch.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1401645536-27849-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8752
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
Between the original patch submission (2011) and now the cipher abstraction
layer has been added. This patch slipped through without proper adjustment.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <53863C41.1020408@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8745
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
This was 3 times mostly the same code, with the 4 traditional BSDs
only differing in a single line, while MacOS X had more refined code
to do not only gateway determination, but also netmask, interface name
and MAC address.
The MacOS X code works perfectly well on the other BSDs *if* one macro
is #ifdef'ed to use "(uint32_t)" on MacOS X and "(long)" on all other
BSDs, 32 and 64 bit variants. API change by OSX when going to 64bit.
Tested on FreeBSD 8.3/i386, FreeBSD 9.1/amd64, NetBSD 5.1/amd64,
OpenBSD 4.9/i386, OpenBSD 5.4/amd64 (= all affected platforms except
DragonFly BSD).
See also trac#42 and trac#340.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lazy-Ack-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1389706398-26922-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8233
| |
Since we now require OpenSSL 0.9.8, we don't need these anymore.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1401045501-12343-4-git-send-email-steffan@karger.me>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
Both EVPCipherInit_ov() and EVPCipherUpdate_ov() wrapped OpenSSL functions
without any changes, so let's just use the functions directly.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1401045501-12343-3-git-send-email-steffan@karger.me>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1401045501-12343-2-git-send-email-steffan@karger.me>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
Sets SSL_MODE_RELEASE_BUFFERS if available, to keep OpenSSL memory
usage as low as possible.
For more info, see
http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html
https://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html
See also trac #157
Signed-off-by: Cristian Rodriguez <crrodriguez@opensuse.org>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <5381FEFF.1040609@karger.me>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
* Refactored show_library_versions to work around the fact
that some compilers (such as MSVC 2008) can't handle #ifdefs
inside of macro references.
* Declare show_library_versions() in options.h because it's
referenced by other files such as openvpn.c.
* Declare get_ssl_library_version() as returning const char *,
to avoid loss of const qualifier in ssl_openssl.c.
Signed-off-by: James Yonan <james@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1399589436-8730-7-git-send-email-james@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8711
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a91a2d6ad7b139ec78d61c8616b8447847e9ecc6)
| |
Calls to print_default_gateway() depended on #ifdef ENABLE_DEBUG, but
the actual function wasn't compiled in #ifdef ENABLE_SMALL, so the
combination "configure --enable-small --enable-debug" didn't work. Fix.
Fix trac #397
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1398805779-29376-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8670
| |
While checking a packet on a TAP interface, is_ipv_X() in proto.c
insists that the ethertype must be OPENVPN_ETH_P_IPV4, even if
the protocol is IPv6. So the protocol never matches, and, thus,
mssfix doesn't work for IPv6 on TAP interfaces. Fix that.
Signed-off-by: Dmitrij Tejblum <dt@yandex.ru>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1391873629-14388-1-git-send-email-dt@yandex.ru>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8259
Signed-off-by: Gert Doering <gert@greenie.muc.de>
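Two of the commit messages on this page deal with classifying packets by IP version: the link-local drop in point-to-multipoint tun mode (fe80::/10 source addresses) and the TAP ethertype check just above, where IPv6 must be matched against OPENVPN_ETH_P_IPV6 rather than OPENVPN_ETH_P_IPV4. The following is an added, self-contained example that is not OpenVPN's proto.c or mroute code: a small parser that applies both checks to constructed frames and packets. The ethertype constant names are OpenVPN's; everything else (function names, the sample addresses and MACs) is assumed for the demo.

```python
import ipaddress
import struct

# Ethertype values as named in OpenVPN's proto.h (IEEE-assigned numbers).
OPENVPN_ETH_P_IPV4 = 0x0800
OPENVPN_ETH_P_IPV6 = 0x86DD

ETH_HDR_LEN = 14
IPV4_HDR_MIN = 20
IPV6_HDR_LEN = 40


def ethertype_of(frame: bytes):
    """Ethertype of a TAP (Ethernet II) frame, or None if the frame is truncated."""
    if len(frame) < ETH_HDR_LEN:
        return None
    return struct.unpack("!H", frame[12:14])[0]


def ip_version_of_tap_frame(frame: bytes):
    """Return 4 or 6 for a TAP frame, else None.

    Each IP version is matched against its own ethertype; insisting on
    OPENVPN_ETH_P_IPV4 for both (the bug described above) makes IPv6 never match."""
    ethertype = ethertype_of(frame)
    payload = frame[ETH_HDR_LEN:]
    if (ethertype == OPENVPN_ETH_P_IPV4 and len(payload) >= IPV4_HDR_MIN
            and payload[0] >> 4 == 4):
        return 4
    if (ethertype == OPENVPN_ETH_P_IPV6 and len(payload) >= IPV6_HDR_LEN
            and payload[0] >> 4 == 6):
        return 6
    return None


def ipv6_source(packet: bytes):
    """Source address of a raw IPv6 packet (tun mode: no Ethernet header)."""
    if len(packet) < IPV6_HDR_LEN or packet[0] >> 4 != 6:
        return None
    return ipaddress.IPv6Address(packet[8:24])


def is_link_local_source(packet: bytes) -> bool:
    """True when the source is in fe80::/10. The server has not learned these
    addresses, so such packets are dropped without a 'bad source address' log line."""
    src = ipv6_source(packet)
    return src is not None and src.is_link_local


def filter_client_packets(packets):
    """Split tun-mode IPv6 packets into (forwarded, silently_dropped)."""
    forwarded, dropped = [], []
    for pkt in packets:
        (dropped if is_link_local_source(pkt) else forwarded).append(pkt)
    return forwarded, dropped


# --- constructed sample data (not captured traffic) -------------------------

def build_ipv6(src: str, dst: str, payload: bytes = b"") -> bytes:
    """Minimal IPv6 header: version 6, next header 59 (none), hop limit 64."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), 59, 64)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)


def build_ipv4(src: str, dst: str) -> bytes:
    """Minimal IPv4 header: IHL 5, no options, checksum left zero."""
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, IPV4_HDR_MIN, 0, 0, 64, 59, 0)
    return hdr + ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed


def build_tap_frame(ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame with placeholder locally administered MAC addresses."""
    dst_mac = b"\x02\x00\x00\x00\x00\x01"
    src_mac = b"\x02\x00\x00\x00\x00\x02"
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    ll = build_ipv6("fe80::1", "ff02::1")             # link-local source
    gl = build_ipv6("2001:db8::10", "2001:db8::1")    # documentation prefix
    kept, dropped = filter_client_packets([ll, gl])
    print(f"forwarded={len(kept)} dropped_link_local={len(dropped)}")
    print("TAP IPv6 frame ->", ip_version_of_tap_frame(build_tap_frame(OPENVPN_ETH_P_IPV6, gl)))
    print("TAP IPv4 frame ->", ip_version_of_tap_frame(
        build_tap_frame(OPENVPN_ETH_P_IPV4, build_ipv4("10.8.0.2", "10.8.0.1"))))
```

Both checks are deliberately strict about length before touching header bytes, which is the part that matters when the input is whatever a client chooses to send; a frame whose ethertype and IP version disagree is classified as neither rather than trusted on one of the two fields.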
| |
Flags like {OPEN,POLAR}SSL_CFLAGS were used by the core build, but not by
the plugins. However, all plugins include openvpn-plugin.h, which needs
crypto/ssl headers.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1398080238-19662-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8576
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
This changes the representation of the tls_serial_{n} environment variable
from hex to decimal for PolarSSL builds, to match OpenSSL build behaviour.
Because hex representation for serials makes sense too, and to ease
transition for PolarSSL users, this patch adds tls_serial_hex_{n}, which
exports the serial in hex representation for both crypto library backends.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1398588561-18964-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8649
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
hash was cast from char * to unsigned char * at the return of the function.
This patch removes the implicit cast by declaring hash as unsigned char * .
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1398585348-7969-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8647
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
The code in link_socket_write_udp_posix_sendmsg() for the IP_RECVDESTADDR
case was sending a too-large control message (sizeof openvpn_pktinfo,
which is a union for IPv4+IPv6) instead of just openvpn_in4_pktinfo,
leading to sendmsg() refusing to send the packet.
Use RFC 2292 macros for alignment + size calculation.
Fix trac#327
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lazy-Ack-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1390164697-1590-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8250
| |
This patch is based on Jan Just Keijser's patch from Feb 7, 2012.
When OpenSSL 1.0.2+ or PolarSSL is used, this patch lets the crypto library
do the heavy lifting. For OpenSSL builds, if a user specifies a curve using
--ecdh-curve, it first tries to override automatic selection using that
curve.
For older OpenSSL, it tries the following things (in order of preference):
* When supplied, use the ecdh curve specified by the user.
* Try to extract the curve from the private key, use the same curve.
* Fall back on secp384r1 curve.
Note that although a curve lookup might succeed, OpenSSL 1.0.0 and older do
*not* support TLSv1.1 or TLSv1.2, which means that no EC-crypto can be
used.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <53597BEA.6080408@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8625
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Message-Id: <53528943.3090205@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8555
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
This removes support for PolarSSL 1.2. The minimum version of PolarSSL
required is now 1.3.3. The upgrade brings OpenVPN-with-PolarSSL:
* Support for EC-crypto in TLS (but not yet for external
pkcs11/management keys)
* Support for AES-NI (if PolarSSL is compiled with AES-NI support)
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Message-Id: <53528943.3090205@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8555
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
Print the version of the SSL and LZO library (if any) used.
SSL library version is also sent as IV_SSL=<version> to the server if
--push-peer-info is enabled.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20140416152456.GI16637@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8537
| |
Use "store=active" for IPv6 address and route deletion - seems to be
required on Windows 8 and up, and not doing it will break OpenVPN
reconnection (old addresses are not properly deleted, thus address can
not be configured on connect).
Reported-by: Cedric <cedric+openvpn@bgtn.net>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Cedric Tabary <cedric+openvpn@bgtn.net>
Message-Id: <20140413170648.GU16637@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8499
| |
So, RFC 1928 doesn't say anything about the METHODS field in the Method
Selection message being ordered in terms of preference or anything, and
the server is free to pick any of the METHODS offered by the client.
Always sending a Method Selection message with NO AUTHENTICATION REQUIRED
and USERNAME/PASSWORD set is broken on two fronts:
* If the OpenVPN client can't handle the server picking USERNAME/PASSWORD
due to the credentials being missing, it shouldn't offer it to the
server.
* If the OpenVPN client has credentials, then it should always attempt to
authenticate. This is a security product. "You can misconfigure it and
it will work" is not acceptable. Setting a username/password when the
SOCKS server doesn't require/support that as an option is the user not
configuring it correctly, and should be treated as such.
Also verify that the SOCKS server returned the auth that was requested.
URL: https://github.com/OpenVPN/openvpn/pull/14
Fix trac #377, trac #148
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20140413130102.GR16637@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8488
Signed-off-by: Gert Doering <gert@greenie.muc.de>
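The two rules argued for above (offer only the methods the client can complete, then verify that the server picked one of them) as an added, stand-alone example; this is not OpenVPN's socks.c and not the code of the pull request referenced above. The message layouts follow RFC 1928 (method selection) and RFC 1929 (username/password sub-negotiation); FakeSocksServer, negotiate() and the other names are assumptions made for the demo, and the server stand-in simply implements the RFC 1928 freedom to pick any offered method.

```python
# SOCKS5 constants from RFC 1928 / RFC 1929.
SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_USER_PASS = 0x02
METHOD_NO_ACCEPTABLE = 0xFF
USERPASS_VERSION = 0x01


class SocksError(Exception):
    """Raised when the negotiation must be aborted instead of continued."""


def method_selection_request(username=None, password=None) -> bytes:
    """Client greeting: VER, NMETHODS, METHODS.

    With credentials configured, USERNAME/PASSWORD is the only method
    offered: a server that does not want it is then a misconfiguration
    that fails loudly, never a silent downgrade to no authentication."""
    if username is not None and password is not None:
        methods = [METHOD_USER_PASS]
    else:
        methods = [METHOD_NO_AUTH]
    return bytes([SOCKS_VERSION, len(methods), *methods])


def check_method_reply(reply: bytes, request: bytes) -> int:
    """Validate the server's VER, METHOD reply against what we offered."""
    if len(reply) != 2:
        raise SocksError("method selection reply must be exactly 2 bytes")
    version, chosen = reply[0], reply[1]
    if version != SOCKS_VERSION:
        raise SocksError(f"unexpected SOCKS version {version}")
    if chosen == METHOD_NO_ACCEPTABLE:
        raise SocksError("server accepted none of the offered methods")
    offered = request[2:2 + request[1]]
    if chosen not in offered:
        raise SocksError(f"server chose method 0x{chosen:02x}, which was not offered")
    return chosen


def userpass_request(username: str, password: str) -> bytes:
    """RFC 1929 sub-negotiation request: VER, ULEN, UNAME, PLEN, PASSWD."""
    u, p = username.encode(), password.encode()
    if not (1 <= len(u) <= 255 and 1 <= len(p) <= 255):
        raise SocksError("username and password must each be 1..255 bytes")
    return bytes([USERPASS_VERSION, len(u)]) + u + bytes([len(p)]) + p


class FakeSocksServer:
    """Constructed stand-in for a SOCKS server: answers with the first entry
    of its own preference list that the client offered."""

    def __init__(self, preference):
        self.preference = list(preference)

    def select(self, request: bytes) -> bytes:
        offered = request[2:2 + request[1]]
        for method in self.preference:
            if method in offered:
                return bytes([SOCKS_VERSION, method])
        return bytes([SOCKS_VERSION, METHOD_NO_ACCEPTABLE])


def negotiate(server, username=None, password=None) -> int:
    """Run the method selection exchange and return the agreed method."""
    request = method_selection_request(username, password)
    return check_method_reply(server.select(request), request)


if __name__ == "__main__":
    prefers_noauth = FakeSocksServer([METHOD_NO_AUTH, METHOD_USER_PASS])
    print("no credentials:", negotiate(prefers_noauth))                   # 0
    print("with credentials:", negotiate(prefers_noauth, "user", "pw"))   # 2
    try:
        negotiate(FakeSocksServer([METHOD_NO_AUTH]), "user", "pw")
    except SocksError as err:
        print("misconfiguration surfaced:", err)
```

The interesting case is the second one: the old behaviour of offering both methods would let a server that prefers NO AUTHENTICATION bypass configured credentials without any indication; offering only USERNAME/PASSWORD turns that into an explicit failure, and check_method_reply() also rejects a server that answers with a method the client never put on the wire.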
| |
create_socket() and sub-functions assume that the ai_protocol value
returned by getaddrinfo() is IPPROTO_UDP or IPPROTO_TCP. On Solaris,
it is "0", because Solaris's socket() call will then "select the right
protocol" - but it breaks our code. So remove ASSERT()s on ai_protocol,
and also accept properly set ai_socktype (SOCK_DGRAM/SOCK_STREAM) values
if ai_protocol is not set.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20140407201711.GN16637@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8428
| |
This slipped in with commit d0085293.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1396346803-31772-1-git-send-email-heiko.hund@sophos.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8421
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
Change "local" argument to socket_do_listen() to avoid calling
"local->ai_addr" in the caller for the "do_listen == FALSE" case,
in which case it could be NULL.
Also, ensure "ai" is always initialized in socket_listen_accept() for
the "!remote_dynamic" case - otherwise it will sometimes(!) crash in
addrlist_match() later on.
Get rid of spurious operator precedence warning concerning
GETADDR_CACHE_MASK.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1396181376-32022-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8412
| |
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1395407925-25518-12-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8369
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
Let socket_create take struct addrinfo as argument and use the entries of
addrinfo to create the socket.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1395407925-25518-11-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8370
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
This explicitly disables a number of TLS ciphers that OpenVPN currently has
no support for. OpenSSL will automatically detect this during negotiation,
but --show-tls would erroneously show a number of unsupported ciphers.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1393684575-28112-3-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8318
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
This adds a number of commonly used cipher list names to ssl.c, which makes
OpenVPN not give a "translation not found" warning when using these.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1393684575-28112-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8316
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
OpenSSL 0.9.7 and older are considered obsolete (see
http://www.openssl.org/news/news.html). This patch updates configure.ac to
require OpenSSL 0.9.8 or newer, and removes a number of #ifdefs that are
now no longer needed.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1395582781-27966-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8392
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1395407925-25518-9-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8368
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
connection_list defined.
Entries in options->ce are never used and overwritten by the first usable
connection profile on initialisation.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1395407925-25518-8-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8377
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1395407925-25518-7-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8371
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
and --http-proxy
Also introduce the x_gc_addspecial function, which allows adding objects with
a custom free function to the gc.
Some additional addrinfo cleanup.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1395576786-17507-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8386
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
versions
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1389803764-5879-1-git-send-email-davids@redhat.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8239
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
message
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1395407925-25518-5-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8374
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
In Android 4.4 it is not possible to open a new tun device and then close
the old tun device without breaking the whole VPNService stack until the
device is rebooted.
Add new management method to ask the UI what method should be taken to
ensure the optimal solution for the situation. Then do open-before-close
or close-before-open inside open_tun() as requested.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1395407925-25518-4-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8373
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1395407925-25518-3-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8372
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
Do not protect the link socket when connecting to localhost. Also only
call the protect function on a valid socket.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1395407925-25518-2-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8375
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
stateless session resumption.
OpenVPN doesn't want or need SSL session renegotiation or
resumption, as it handles renegotiation on its own.
For this reason, OpenVPN always disables the SSL session cache:
SSL_CTX_set_session_cache_mode (ctx, SSL_SESS_CACHE_OFF)
However, even with the above code, stateless session resumption
is still possible unless explicitly disabled with the
SSL_OP_NO_TICKET flag. This patch does this.
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1395017376-24554-1-git-send-email-james@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8346
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| |
Format the message to be more like the other deprecated options
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1395060345-30870-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8354
Signed-off-by: Gert Doering <gert@greenie.muc.de>