summaryrefslogtreecommitdiffstats
path: root/ssl.c
Commit message (Collapse)AuthorAgeFilesLines
* Updated copyright date to 2010.James Yonan2010-04-281-1/+1
| | | | git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5599 e7ae566f-a301-0410-adde-c780ea21d3b5
* Modified ">PASSWORD:Verification Failed" management interfaceJames Yonan2010-03-121-1/+1
| | | | | | | | | notification to include a client reason string: >PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING'] git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5468 e7ae566f-a301-0410-adde-c780ea21d3b5
* Fixed an issue where if reneg-sec was set to 0 on the client,James Yonan2010-03-061-2/+5
| | | | | | | | | | | so that the server-side value would take precedence, the auth_deferred_expire_window function would incorrectly return a window period of 0 seconds. In this case, the correct window period should be the handshake window period. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5464 e7ae566f-a301-0410-adde-c780ea21d3b5
* Fixed an issue where AUTH_FAILED was not being properly deliveredjames2010-01-161-0/+4
| | | | | | | to the client when a bad password is given for mid-session reauth. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5369 e7ae566f-a301-0410-adde-c780ea21d3b5
* Increase MAX_CERT_DEPTH to 16 (from 8), and when exceeded,james2009-11-131-1/+4
| | | | | | | make it a hard failure, rather than just a warning. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5159 e7ae566f-a301-0410-adde-c780ea21d3b5
* On server, lock client-provided certs against mid-session TLSjames2009-10-251-3/+134
| | | | | | | | renegotiations -- this is similer to how the common name is also locked. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5105 e7ae566f-a301-0410-adde-c780ea21d3b5
* On server, lock session username against changes in mid-session TLSjames2009-10-241-2/+29
| | | | | | | | renegotiations -- this is similer to how the common name is also locked. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5098 e7ae566f-a301-0410-adde-c780ea21d3b5
* Added the ability for the server to provide a custom reason stringjames2009-09-291-1/+18
| | | | | | | | | | | | when an AUTH_FAILED message is returned to the client. This string can be set by the server-side managment interface and read by the client-side management interface. For more info, see management/management-notes.txt, and look for references to "client-reason-text". git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5012 e7ae566f-a301-0410-adde-c780ea21d3b5
* Eliminated the limitation on the number of options that can be pushedjames2009-09-271-3/+3
| | | | | | | | | | | | | to clients, including routes. Previously, all pushed options needed to fit within a 1024 byte options string. Remember that to make use of this feature to allow many routes to be pushed to clients, the client config file must specify the max-routes option, and the number of pushed routes cannot exceed this limit. Also, both server and client must include this commit. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4991 e7ae566f-a301-0410-adde-c780ea21d3b5
* Update copyright to 2009.james2009-05-301-1/+1
| | | | git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4477 e7ae566f-a301-0410-adde-c780ea21d3b5
* Fixed issue of symbol conflicts interfering with Windows CryptoAPIjames2009-05-301-4/+4
| | | | | | | functionality (Alon Bar-Lev). git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4475 e7ae566f-a301-0410-adde-c780ea21d3b5
* Fixed issue involving an #ifdef in a macro reference that breaks early gccjames2009-01-271-2/+5
| | | | | | | compilers. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3903 e7ae566f-a301-0410-adde-c780ea21d3b5
* Added server-side --opt-verify option: clients that connectjames2008-11-181-0/+5
| | | | | | | | with options that are incompatible with those of the server will be disconnected. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3505 e7ae566f-a301-0410-adde-c780ea21d3b5
* Added --no-name-remapping option to allow Common Name, X509 Subject,james2008-10-311-3/+12
| | | | | | | | | and username strings to include any printable character including space, but excluding control characters such as tab, newline, and carriage-return. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3467 e7ae566f-a301-0410-adde-c780ea21d3b5
* Added server-side --auth-user-pass-optional directive, to allowjames2008-10-281-9/+12
| | | | | | | | | connections by clients that do not specify a username/password, when a user-defined authentication script/module is in place (via --auth-user-pass-verify, --management-client-auth, or a plugin module). git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3461 e7ae566f-a301-0410-adde-c780ea21d3b5
* Save X509 Subject fields to environment, using the naming convention:james2008-10-281-0/+54
| | | | | | | X509_{cert_depth}_{name}={value} git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3459 e7ae566f-a301-0410-adde-c780ea21d3b5
* Fixed informational message in ssl.c to properly indicatejames2008-10-271-1/+5
| | | | | | | deferred authentication. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3457 e7ae566f-a301-0410-adde-c780ea21d3b5
* Copyright notice changed to reflect change in name ofjames2008-10-061-1/+1
| | | | | | | Telethra to OpenVPN Technologies. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3409 e7ae566f-a301-0410-adde-c780ea21d3b5
* Fixed bug in intra-session TLS key rollover that was introduced withjames2008-09-081-18/+39
| | | | | | | deferred authentication features in 2.1_rc8. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3316 e7ae566f-a301-0410-adde-c780ea21d3b5
* 2.1_rc8 and earlier did implicit shell expansion on scriptjames2008-09-061-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | arguments since all scripts were called by system(). The security hardening changes made to 2.1_rc9 no longer use system(), but rather use the safer execve or CreateProcess system calls. The security hardening also introduced a backward incompatibility with 2.1_rc8 and earlier in that script parameters were no longer shell-expanded, so for example: client-connect "docc CLIENT-CONNECT" would fail to work because execve would try to execute a script called "docc CLIENT-CONNECT" instead of "docc" with "CLIENT-CONNECT" as the first argument. This patch fixes the issue, bringing the script argument semantics back to pre 2.1_rc9 behavior in order to preserve backward compatibility while still using execve or CreateProcess to execute the script/executable. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3311 e7ae566f-a301-0410-adde-c780ea21d3b5
* Workaround bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8, whichjames2008-08-101-2/+2
| | | | | | | the new implementation of extract_x509_field_ssl depends on. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3220 e7ae566f-a301-0410-adde-c780ea21d3b5
* Completely revamped the system for calling external programs and scripts:james2008-07-261-21/+19
| | | | | | | | | | | | | | | | | | | | | | * All external programs and scripts are now called by execve() on unix and CreateProcess on Windows. * The system() function is no longer used. * Argument lists for external programs and scripts are now built by the new argv_printf function which natively outputs to string arrays (i.e. char *argv[] lists), never truncates its output, and eliminates the security issues inherent in formatting and parsing command lines, and dealing with argument quoting. * The --script-security directive has been added to offer policy controls on OpenVPN's execution of external programs and scripts. Also added a new plugin example (openvpn/plugin/examples/log.c) that logs information to stdout for every plugin method called by OpenVPN. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3122 e7ae566f-a301-0410-adde-c780ea21d3b5
* Modified extract_x509_field_ssl to return a status value indicatingjames2008-07-191-37/+41
| | | | | | | | | | | | | success/error, and any truncation of output due to an insufficiently large output buffer will be cause for error. In verify_callback, read X509 Subject Name without truncation. In verify_callback, rather than silently truncating Common Name at 64 bytes, throw an error if Common Name is larger than 64 bytes. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3084 e7ae566f-a301-0410-adde-c780ea21d3b5
* Replace leading dash ('-') characters in an X509 name with underbars ('_')james2008-07-191-0/+3
| | | | | | | | before calling user-defined scripts, to preclude the chance of a leading dash being interpreted as an option prefix. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3083 e7ae566f-a301-0410-adde-c780ea21d3b5
* Removed old version of extract_x509_field.james2008-07-171-40/+0
| | | | git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3066 e7ae566f-a301-0410-adde-c780ea21d3b5
* Copyright change OpenVPN Solutions LLC -> Telethra, Inc.james2008-07-141-1/+1
| | | | git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3048 e7ae566f-a301-0410-adde-c780ea21d3b5
* Updated copyright notice to 2008.james2008-06-111-1/+1
| | | | git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2995 e7ae566f-a301-0410-adde-c780ea21d3b5
* Updated version to 2.1_rc7e.james2008-06-111-20/+154
| | | | | | | | | | | | | | | | | | | Added client authentication and packet filtering capability to management interface. Extended packet filtering capability to work on both --dev tun and --dev tap tunnels. Updated valgrind-suppress file. Made "Linux ip addr del failed" error nonfatal. Amplified --client-cert-not-required warning. Added #pragma pack to proto.h. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2991 e7ae566f-a301-0410-adde-c780ea21d3b5
* Fixed an issue in extract_x509_field_ssl where the extractionjames2008-06-041-1/+1
| | | | | | | | | | would fail on the first field of the subject name, such as the common name in: /CN=foo/emailAddress=foo@bar.com git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2980 e7ae566f-a301-0410-adde-c780ea21d3b5
* Incremented version to 2.1_rc7d.james2008-06-041-32/+70
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Support asynchronous authentication by plugins by allowing OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY to return OPENVPN_PLUGIN_FUNC_DEFERRED. See comments in openvpn-plugin.h for documentation. Enabled by ENABLE_DEF_AUTH. Added a simple packet filter functionality that can be driven by a plugin. See comments in openvpn-plugin.h for documentation. Enabled by ENABLE_PF. See openvpn/plugin/defer/simple.c for examples of ENABLE_DEF_AUTH and ENABLE_PF. "TLS Error: local/remote TLS keys are out of sync" is no longer a fatal error for TCP-based sessions, since the error can arise normally in the course of deferred authentication. In a related change, allow packet-id sequence to begin at some number n > 0 for TCP sessions, rather than strictly requiring sequence to begin at 1. Added a test to configure.ac for LoadLibrary function on Windows. Modified "make dist" function to include all files from install-win32 so that ./domake-win can be run from a tarball-expanded directory. setenv and setenv-safe directives may now omit a value argument which defaults to "". git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2978 e7ae566f-a301-0410-adde-c780ea21d3b5
* Support asynchronous/deferred authentication injames2008-05-241-44/+157
| | | | | | | | | | OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY plugin handler. See documentation in openvpn-plugin.h and example usage in plugin/defer/simple.c. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2969 e7ae566f-a301-0410-adde-c780ea21d3b5
* Moved branch into official BETA21 position.james2008-05-121-8/+2
| | | | git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2959 e7ae566f-a301-0410-adde-c780ea21d3b5
* The new function extract_x509_field_ssl tends to breakjames2008-02-171-1/+11
| | | | | | | | | in early versions of OpenSSL 0.9.6. Now we will fall back to the old function extract_x509_field for OpenSSL 0.9.6. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2749 e7ae566f-a301-0410-adde-c780ea21d3b5
* Rewrote extract_x509_field and modified COMMON_NAME_CHAR_CLASSjames2008-01-211-1/+47
| | | | | | | | to allow forward slash characters ("/") in the X509 common name (Pavel Shramov). git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2638 e7ae566f-a301-0410-adde-c780ea21d3b5
* Simple fix where options->ca_file was used withoutjames2008-01-211-1/+1
| | | | | | | first being checked against NULL. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2635 e7ae566f-a301-0410-adde-c780ea21d3b5
* Use pkcs11-helper as external library, can be downloadedjames2007-10-221-3/+5
| | | | | | | from https://www.opensc-project.org/pkcs11-helper (Alon Bar-Lev). git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2418 e7ae566f-a301-0410-adde-c780ea21d3b5
* AUTO_USERID feature -- if the auth-user-pass option is usedjames2007-08-171-1/+1
| | | | | | | | with some argument ARG, then -ARG will be appended to the username string that is sent to the server. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2259 e7ae566f-a301-0410-adde-c780ea21d3b5
* New try at AUTO_USERID.james2006-11-131-1/+7
| | | | | | | | | | | | | | Implemented AUTO_USERID using MD5(MAC address(primary network adapter)). Currently implemented for Linux and Windows. Basically if ENABLE_AUTO_USERID is defined, the --auth-user-pass option will not prompt for username/password, but will rather generate a unique username and blank password. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@1459 e7ae566f-a301-0410-adde-c780ea21d3b5
* Fixed bug introduced with the --port-share directivejames2006-06-301-1/+1
| | | | | | | | | | back in r893 which causes TLS soft resets (1 per hour by default) in TCP server mode to force a blockage of tunnel packets and later time-out and restart the connection. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@1076 e7ae566f-a301-0410-adde-c780ea21d3b5
* pkcs11 changes:james2006-06-291-5/+8
| | | | | | | | | | -r 1046:1053 https://svn.openvpn.net/projects/openvpn/contrib/alon/BETA21 1. Modified ssl.c to not FATAL and return to init.c so auth-retry will work. 2. Modifed pkcs11-helper.c to fix some problem with multiple providers. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@1070 e7ae566f-a301-0410-adde-c780ea21d3b5
* I've recently worked on a better version of pkcs11-helper. I've also mergedjames2006-04-051-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | it into QCA (Qt Cryptographic Architecture), so that KDE 4 will finally be able to use smartcards. The changes allows the following features: 1. Thread safe, is activated if USE_PTHREAD. 2. Slot event - Will allow us in the future to disconnect VPN when smartcard is removed. In order to support this OpenVPN must support threading... At least SIGUSR1 from a different thread. Threading should be supported in both Windows and Linux. -- currently disabled. When I talk about threading support it is just support in configuration script and that the method that SIGUSR1 self can be called from a different thread. I already handle the monitor threads. 3. Certificate enumeration - Will allow us to finally have one configuration file for all users! When you add the plugin GUI stuff you talked about, we will be able to display a list of available certificates for the user to select. -- currently disabled. 4. Data object manipulation - Will allow us to store tls-auth on the smartcard as well. -- currently disabled. 5. Many other minor improvements. Alon Bar-Lev git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@990 e7ae566f-a301-0410-adde-c780ea21d3b5
* Added --port-share option for allowing OpenVPN and HTTPSjames2006-02-161-2/+4
| | | | | | | server to share the same port number. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@893 e7ae566f-a301-0410-adde-c780ea21d3b5
* Added OPENVPN_PLUGIN_TLS_FINAL plugin callback.james2005-12-281-1/+11
| | | | git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@862 e7ae566f-a301-0410-adde-c780ea21d3b5
* svn merge -r 845:854 $SO/trunk/openvpn .james2005-12-141-2/+2
| | | | git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@855 e7ae566f-a301-0410-adde-c780ea21d3b5
* Merged --remote-cert-ku, --remote-cert-eku, andjames2005-11-121-0/+117
| | | | | | | | --remote-cert-tls from Alon's branch: svn merge -r 793:796 $SO/contrib/alon/BETA21/openvpn . git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@797 e7ae566f-a301-0410-adde-c780ea21d3b5
* Added ENABLE_INLINE_FILES feature.james2005-11-081-22/+242
| | | | git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@784 e7ae566f-a301-0410-adde-c780ea21d3b5
* More PKCS#11 changes.james2005-11-011-1/+1
| | | | | | | Merged with https://svn.openvpn.net/projects/openvpn/contrib/alon/BETA21@752 git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@753 e7ae566f-a301-0410-adde-c780ea21d3b5
* Windows reliability changes:james2005-10-311-2/+0
| | | | | | | | | | | * Added code to make sure that the local PATH environmental variable points to the Windows system32 directory. * Added new --ip-win32 adaptive mode which tries 'dynamic' and then fails over to 'netsh' if the DHCP negotiation fails. * Made --ip-win32 adaptive the default. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@739 e7ae566f-a301-0410-adde-c780ea21d3b5
* Removed #warn from ssl.cjames2005-10-241-1/+0
| | | | git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@717 e7ae566f-a301-0410-adde-c780ea21d3b5
* Added actual remote address used to the ">STATE" alertjames2005-10-201-0/+2
| | | | | | | in the management interface (Rolf Fokkens). git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@701 e7ae566f-a301-0410-adde-c780ea21d3b5