From ae1884c0cbf42c21e54922c150cde44c43200340 Mon Sep 17 00:00:00 2001 From: James Yonan Date: Mon, 13 Dec 2010 09:27:08 +0000 Subject: Misc fixes to r6708. Fixed issue where "signal SIGTERM" entered from the management interface might get subsequently downgraded to a SIGUSR1. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6716 e7ae566f-a301-0410-adde-c780ea21d3b5 --- init.c | 1 - 1 file changed, 1 deletion(-) (limited to 'init.c') diff --git a/init.c b/init.c index a46fbde..0de2fcc 100644 --- a/init.c +++ b/init.c @@ -1163,7 +1163,6 @@ initialization_sequence_completed (struct context *c, const unsigned int flags) management_post_tunnel_open (management, tun_local); } #endif - } /* -- cgit From 9356bae859938c30808aa0d2ee764bdcbb5dbe0d Mon Sep 17 00:00:00 2001 From: James Yonan Date: Wed, 5 Jan 2011 00:50:11 +0000 Subject: Added --x509-track option. Version 2.1.3e git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6780 e7ae566f-a301-0410-adde-c780ea21d3b5 --- init.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'init.c') diff --git a/init.c b/init.c index 0de2fcc..e694a70 100644 --- a/init.c +++ b/init.c @@ -2049,6 +2049,10 @@ do_init_crypto_tls (struct context *c, const unsigned int flags) to.client_config_dir_exclusive = options->client_config_dir; #endif +#ifdef ENABLE_X509_TRACK + to.x509_track = options->x509_track; +#endif + /* TLS handshake authentication (--tls-auth) */ if (options->tls_auth_file) { -- cgit From 15be3202b279abc431597db5d11e826eaf1c1bb6 Mon Sep 17 00:00:00 2001 
From: James Yonan Date: Mon, 10 Jan 2011 19:13:02 +0000 Subject: * added --management-up-down option to allow management interface to be notified of tunnel up/down events. * pulled --ip-win32 options will be suppressed on the client if --route-nopull option is specified. Version 2.1.3f git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6813 e7ae566f-a301-0410-adde-c780ea21d3b5 --- init.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) (limited to 'init.c') diff --git a/init.c b/init.c index e694a70..7f072ae 100644 --- a/init.c +++ b/init.c @@ -1177,7 +1177,14 @@ do_route (const struct options *options, struct env_set *es) { if (!options->route_noexec && route_list) - add_routes (route_list, tt, ROUTE_OPTION_FLAGS (options), es); + { + add_routes (route_list, tt, ROUTE_OPTION_FLAGS (options), es); + setenv_int (es, "redirect_gateway", route_list->did_redirect_default_gateway); + } +#ifdef ENABLE_MANAGEMENT + if (management) + management_up_down (management, "UP", es); +#endif if (plugin_defined (plugins, OPENVPN_PLUGIN_ROUTE_UP)) { @@ -1385,7 +1392,10 @@ do_close_tun (struct context *c, bool force) #ifdef ENABLE_MANAGEMENT /* tell management layer we are about to close the TUN/TAP device */ if (management) - management_pre_tunnel_close (management); + { + management_pre_tunnel_close (management); + management_up_down (management, "DOWN", c->c2.es); + } #endif /* delete any routes we added */ @@ -1527,7 +1537,6 @@ pull_permission_mask (const struct context *c) unsigned int flags = OPT_P_UP | OPT_P_ROUTE_EXTRAS - | OPT_P_IPWIN32 | OPT_P_SOCKBUF | OPT_P_SOCKFLAGS | OPT_P_SETENV @@ -1541,7 +1550,7 @@ pull_permission_mask (const struct context *c) | OPT_P_PULL_MODE; if (!c->options.route_nopull) - flags |= OPT_P_ROUTE; + flags |= (OPT_P_ROUTE | OPT_P_IPWIN32); return flags; } -- cgit From 6a8ea97069b8edb4a50744faae3bab8ecd931840 Mon Sep 17 00:00:00 2001 
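Review bot: `redirect_gateway` is exported to `es` only inside the `!options->route_noexec && route_list` branch, so when routes are not executed the variable is simply absent from the environment that the new `management_up_down (management, "UP", es)` call and the ROUTE_UP plugin receive, and consumers cannot tell "no redirect" from "not reported". Either document that absence means 0, or set it on every path, e.g. `setenv_int (es, "redirect_gateway", route_list && !options->route_noexec ? route_list->did_redirect_default_gateway : 0);` — this assumes did_redirect_default_gateway is zero when add_routes has not run, which is not visible here. do_route's body begins outside the hunk, and the matching "DOWN" notification added in the do_close_tun hunk of the same commit reports no such variable at all.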
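Review bot: The move of `OPT_P_IPWIN32` from the unconditional mask into the `!c->options.route_nopull` branch is not explained in the code, and `flags |= (OPT_P_ROUTE | OPT_P_IPWIN32);` reads as if two unrelated permissions were grouped by accident. A comment above the `if` would anchor the intent stated in the commit message: `/* --route-nopull also rejects pushed --ip-win32 options */`. The deletion in the preceding pull_permission_mask hunk is the other half of this change and needs no separate note.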
From: James Yonan Date: Mon, 14 Feb 2011 03:46:37 +0000 Subject: Implemented get_default_gateway_mac_addr for Mac OS X (previously, was only defined for Windows and Linux). This enables OS X to report the MAC address of the default gateway to the server for ID purposes when client-side --push-peer-info option is specified. Also, minor fix to OS X get_default_gateway function: * include net/route.h directly rather than selectively paste stuff from it into route.c git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6925 e7ae566f-a301-0410-adde-c780ea21d3b5 --- init.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) (limited to 'init.c') diff --git a/init.c b/init.c index 7f072ae..70357e1 100644 --- a/init.c +++ b/init.c @@ -600,6 +600,27 @@ init_static (void) return false; #endif +#ifdef TEST_GET_DEFAULT_GATEWAY + { + struct gc_arena gc = gc_new (); + in_addr_t addr; + char macaddr[6]; + + if (get_default_gateway(&addr, NULL)) + msg (M_INFO, "GW %s", print_in_addr_t(addr, 0, &gc)); + else + msg (M_INFO, "GDG ERROR"); + + if (get_default_gateway_mac_addr(macaddr)) + msg (M_INFO, "MAC %s", format_hex_ex (macaddr, 6, 0, 1, ":", &gc)); + else + msg (M_INFO, "GDGMA ERROR"); + + gc_free (&gc); + return false; + } +#endif + #ifdef GEN_PATH_TEST { struct gc_arena gc = gc_new (); -- cgit From 1c5ff7722dbd3e32aa3e5b7d5cb77773f083472d Mon Sep 17 00:00:00 2001 From: James Yonan Date: Sun, 13 Mar 2011 06:59:25 +0000 Subject: Added optional journal directory argument to "port-share" directive, for reporting client IP origins of proxied connections. git-svn-id: http://svn.openvpn.net/projects/branches/BETA21@7031 e7ae566f-a301-0410-adde-c780ea21d3b5 --- init.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'init.c') diff --git a/init.c b/init.c index 70357e1..4214233 100644 --- a/init.c +++ b/init.c 
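Review bot: The MAC buffer size appears twice as the literal `6` (`char macaddr[6];` and `format_hex_ex (macaddr, 6, ...)`), so the two can drift apart if the declaration changes; use `format_hex_ex (macaddr, sizeof macaddr, 0, 1, ":", &gc)` instead. The block is compiled only under `TEST_GET_DEFAULT_GATEWAY`, so the risk is low, but a one-line comment saying it is a self-test that aborts startup via `return false` would help readers, e.g. `/* self-test: print the default gateway and its MAC address, then abort startup */`. init_static continues outside the hunk.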
@@ -520,7 +520,9 @@ init_port_share (struct context *c) if (!port_share && (c->options.port_share_host && c->options.port_share_port)) { port_share = port_share_open (c->options.port_share_host, - c->options.port_share_port); + c->options.port_share_port, + MAX_RW_SIZE_LINK (&c->c2.frame), + c->options.port_share_journal_dir); if (port_share == NULL) msg (M_FATAL, "Fatal error: Port sharing failed"); } -- cgit From 9df9e13f7c20e0c046b71de859e08a07edf0eb4f Mon Sep 17 00:00:00 2001 From: James Yonan Date: Tue, 15 Mar 2011 05:06:23 +0000 Subject: Reduce log verbosity at level 3, with a focus on removing excessive log verbosity generated by port-share activity. Version 2.1.3k git-svn-id: http://svn.openvpn.net/projects/branches/BETA21@7033 e7ae566f-a301-0410-adde-c780ea21d3b5 --- init.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'init.c') diff --git a/init.c b/init.c index 4214233..d0a1baa 100644 --- a/init.c +++ b/init.c @@ -1981,7 +1981,7 @@ do_init_crypto_tls_c1 (struct context *c) } else { - msg (M_INFO, "Re-using SSL/TLS context"); + msg (D_INIT_MEDIUM, "Re-using SSL/TLS context"); } } -- cgit From 0db046f253e86a3dd7583e2f7a13b21e7eba7493 Mon Sep 17 00:00:00 2001 
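Review bot: `c->options.port_share_journal_dir` is handed to `port_share_open` without any check in this hunk, and the only failure reported afterwards is the generic `"Fatal error: Port sharing failed"`. If port_share_open does not itself validate the directory (its body is not in this diff), a missing or unwritable journal directory would surface only when the first proxied connection is recorded; validating it at init time, or at least naming the directory in the fatal message, would make the misconfiguration visible at startup. The new `MAX_RW_SIZE_LINK (&c->c2.frame)` argument also deserves a short comment at the call site saying what it sizes, since that is not apparent here.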
From: James Yonan Date: Sat, 26 Mar 2011 21:16:40 +0000 Subject: Added "auth-token" client directive, which is intended to be pushed by server, and that is used to offer a temporary session token to clients that can be used in place of a password on subsequent credential challenges. This accomplishes the security benefit of preventing caching of the real password while offering most of the advantages of password caching, i.e. not forcing the user to re-enter credentials for every TLS renegotiation or network hiccup. auth-token does two things: 1. if password caching is enabled, the token replaces the previous password, and 2. if the management interface is active, the token is output to it: >PASSWORD:Auth-Token: Also made a minor change to HALT/RESTART processing when password caching is enabled. When client receives a HALT or RESTART message, and if the message text contains a flags block (i.e. [FFF]:message), if flag 'P' (preserve auth) is present in flags, don't purge the Auth password. Otherwise do purge the Auth password. Version 2.1.3o git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7088 e7ae566f-a301-0410-adde-c780ea21d3b5 --- init.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'init.c') diff --git a/init.c b/init.c index d0a1baa..7738f00 100644 --- a/init.c +++ b/init.c @@ -1929,7 +1929,7 @@ do_init_crypto_tls_c1 (struct context *c) msg (M_FATAL, "Error: private key password verification failed"); break; case AR_INTERACT: - ssl_purge_auth (); + ssl_purge_auth (false); case AR_NOINTERACT: c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */ break; -- cgit From ac1310528a248c99e039e7afaf48724ad1b7f10e Mon Sep 17 00:00:00 2001 
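Review bot: `case AR_INTERACT:` still falls into `case AR_NOINTERACT:` with no marker, and the new `ssl_purge_auth (false);` line is the natural place to make that explicit: add `/* fallthrough */` after it. The bare `false` argument is also opaque at the call site; a short comment naming what the flag selects (its meaning is not visible in this diff) would save readers a trip to the definition. The switch belongs to do_init_crypto_tls_c1, whose body starts and ends outside the hunk.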
From: James Yonan Date: Thu, 31 Mar 2011 23:18:06 +0000 Subject: Added more packet ID debug info at debug level 3 for debugging false positive packet replays. Version 2.1.3q. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7109 e7ae566f-a301-0410-adde-c780ea21d3b5 --- init.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'init.c') diff --git a/init.c b/init.c index 7738f00..a1a1a8f 100644 --- a/init.c +++ b/init.c @@ -1833,7 +1833,7 @@ do_init_crypto_static (struct context *c, const unsigned int flags) if (options->replay) { packet_id_init (&c->c2.packet_id, options->replay_window, - options->replay_time); + options->replay_time, "STATIC", 0); c->c2.crypto_options.packet_id = &c->c2.packet_id; c->c2.crypto_options.pid_persist = &c->c1.pid_persist; c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM; -- cgit From 4d453a1792b04f01a8c313157402ce0501ae809c Mon Sep 17 00:00:00 2001 From: James Yonan Date: Sat, 2 Apr 2011 08:21:28 +0000 Subject: Fixed bug that incorrectly placed stricter TCP packet replay rules on UDP sessions when the client daemon was running in UDP/TCP adaptive mode, and transitioned from TCP to UDP. The bug would cause a single dropped packet in UDP mode to trigger a barrage of packet replay errors followed by a disconnect and reconnect. Version 2.1.3r git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7125 e7ae566f-a301-0410-adde-c780ea21d3b5 --- init.c | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) (limited to 'init.c') diff --git a/init.c b/init.c index a1a1a8f..ef09e8e 100644 --- a/init.c +++ b/init.c 
@@ -102,13 +102,6 @@ update_options_ce_post (struct options *options) options->ping_rec_timeout_action = PING_RESTART; } #endif -#ifdef USE_CRYPTO - /* - * Don't use replay window for TCP mode (i.e. require that packets be strictly in sequence). - */ - if (link_socket_proto_connection_oriented (options->ce.proto)) - options->replay_window = options->replay_time = 0; -#endif } #if HTTP_PROXY_FALLBACK @@ -1832,8 +1825,11 @@ do_init_crypto_static (struct context *c, const unsigned int flags) /* Initialize packet ID tracking */ if (options->replay) { - packet_id_init (&c->c2.packet_id, options->replay_window, - options->replay_time, "STATIC", 0); + packet_id_init (&c->c2.packet_id, + link_socket_proto_connection_oriented (options->ce.proto), + options->replay_window, + options->replay_time, + "STATIC", 0); c->c2.crypto_options.packet_id = &c->c2.packet_id; c->c2.crypto_options.pid_persist = &c->c1.pid_persist; c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM; @@ -2034,6 +2030,7 @@ do_init_crypto_tls (struct context *c, const unsigned int flags) to.replay = options->replay; to.replay_window = options->replay_window; to.replay_time = options->replay_time; + to.tcp_mode = link_socket_proto_connection_oriented (options->ce.proto); to.transition_window = options->transition_window; to.handshake_window = options->handshake_window; to.packet_timeout = options->tls_timeout; -- cgit From 7966d75a9d41453a56e41eaae7b0fd64f75f7ec3 Mon Sep 17 00:00:00 2001 From: James Yonan Date: Mon, 25 Apr 2011 04:58:34 +0000 Subject: Added new "extra-certs" and "verify-hash" options (see man page for details). Increase the timeout after SIGUSR1 restart when restart is not due to server_poll_timeout. Version 2.1.3v git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7215 e7ae566f-a301-0410-adde-c780ea21d3b5 --- init.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'init.c') diff --git a/init.c b/init.c index ef09e8e..b1f65a9 100644 --- a/init.c +++ b/init.c 
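Review bot: The rationale deleted along with the code in the first hunk — `Don't use replay window for TCP mode (i.e. require that packets be strictly in sequence)` — is not carried over to the new `packet_id_init` call, so the added `link_socket_proto_connection_oriented (options->ce.proto)` argument and the `to.tcp_mode` assignment in the third hunk have no explanation at either site. Add it back where the value is now computed, e.g. `/* connection-oriented transports use strict in-sequence packet-ID checks instead of the replay window */` above the call. Both values are captured when the crypto state is initialised; if a UDP/TCP adaptive client can switch transport without passing through this initialisation again, the captured mode would go stale, which is worth confirming given that the commit exists precisely because the previous approach leaked TCP rules into UDP sessions. do_init_crypto_static and do_init_crypto_tls both extend beyond their hunks.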
@@ -1706,8 +1706,10 @@ socket_restart_pause (struct context *c) if (auth_retry_get () == AR_NOINTERACT) sec = 10; +#if 0 /* not really needed because of c->persist.restart_sleep_seconds */ if (c->options.server_poll_timeout && sec > 1) sec = 1; +#endif #endif if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec) @@ -2057,6 +2059,7 @@ do_init_crypto_tls (struct context *c, const unsigned int flags) to.ns_cert_type = options->ns_cert_type; memmove (to.remote_cert_ku, options->remote_cert_ku, sizeof (to.remote_cert_ku)); to.remote_cert_eku = options->remote_cert_eku; + to.verify_hash = options->verify_hash; to.es = c->c2.es; #ifdef ENABLE_DEBUG -- cgit From e4359af463463097dd80e679836905bcd8ad7a13 Mon Sep 17 00:00:00 2001 From: James Yonan Date: Mon, 25 Apr 2011 06:21:57 +0000 Subject: Fixed compile issues on Windows. Version 2.1.3w git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7219 e7ae566f-a301-0410-adde-c780ea21d3b5 --- init.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'init.c') diff --git a/init.c b/init.c index b1f65a9..e5ca358 100644 --- a/init.c +++ b/init.c @@ -2056,6 +2056,7 @@ do_init_crypto_tls (struct context *c, const unsigned int flags) to.verify_command = options->tls_verify; to.verify_x509name = options->tls_remote; to.crl_file = options->crl_file; + to.ssl_flags = options->ssl_flags; to.ns_cert_type = options->ns_cert_type; memmove (to.remote_cert_ku, options->remote_cert_ku, sizeof (to.remote_cert_ku)); to.remote_cert_eku = options->remote_cert_eku; @@ -2076,7 +2077,6 @@ do_init_crypto_tls (struct context *c, const unsigned int flags) to.auth_user_pass_verify_script = options->auth_user_pass_verify_script; to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file; to.tmp_dir = options->tmp_dir; - to.ssl_flags = options->ssl_flags; if (options->ccd_exclusive) to.client_config_dir_exclusive = options->client_config_dir; #endif -- cgit
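Review bot: Wrapping the `server_poll_timeout` clamp in `#if 0` keeps dead code in the function; delete the two lines and keep the reason as a comment instead: `/* server_poll_timeout no longer shortens the pause; c->persist.restart_sleep_seconds handles it */`. The `#endif` immediately after the new `#endif` closes an outer conditional whose `#if` is outside the hunk, so the nesting should be re-checked when the block is removed. socket_restart_pause's body continues past the hunk.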