- When the number of retries per remote exceeds a limit
(hard coded to 5), double the restart pause interval
for each additional retry per remote.
- Trigger a SIGHUP to reset the retry count when the pause
interval exceeds 1024 times the base value of restart pause.
(removed in v2 of the patch)
The base value of restart pause is set using --connect-retry
(5 seconds by default).
v2 changes (based on suggestions from Arne Schwabe <arne@rfc2549.org>)
- Do not throw SIGHUP.
- Add an optional argument to "--connect-retry n [m]" where 'm'
specifies the max value of restart pause interval (default
300 sec).
E.g., "--connect-retry 5 1800" will cause the restart pause to
scale up starting at 5 until it exceeds 1800 seconds at which
point it gets capped at 1800.
- If n == m no slow down will occur.
- While at it, fix typos and clarify the description of connect-retry-max
in the man page and Changes.rst
v3 changes (on further feedback from arne@rfc2549.org):
- Limiting the base value of retry wait interval to 16 bits moved
to options.c
- Apply backoff only in the udp and tcp-client modes. Backing off on
tcp-server could be exploited by a client in p2p-mode to maliciously
slow it down (thanks to Arne Schwabe for pointing this out.
- Fix typo in Changes.rst: "third argument" -> "second argument"
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1467732770-19110-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/12050
Signed-off-by: Gert Doering <gert@greenie.muc.de>
multi_release_io_lock() and the calls to this function are not providing
anything at all. Lets remove it and make the overall code less suprising.
Signed-off-by: David Sommerseth <dazo@privateinternetaccess.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1467889519-8193-1-git-send-email-openvpn@sf.lists.topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/12058
These options were probably introduced long before we had multiple
remote/connection entries. For all other connection entries, OpenVPN will
go on with the next connection if it fails. For proxies, if it fails in
some ways it works the same, for other failures it completely stops.
Removing the *-proxy-retry and defaulting to retry makes the behavior more
predictiable. Stopping after one try (regardless of reason) can be achieved
with --max-connect-retry 1
V2: Add reason for removing, remove from manpage, give a hint at
--max-connet-retry
V3: Collapse the two ifs in options.c to one block
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1466771230-5266-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11988
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- The process id is returned as a message formatted in the same manner
as error messages from the service to the client: i.e., a three-line
message with error number formatted as 0x%08x on line 1, followed by
the PID in format 0x%08x on line 2 and a description that reads as
"Process ID" on line 3. Error number is set to zero to indicate
this is an informational message.
This provides a way for service clients to check the status of openvpn
and terminate it without needing management interface or exit event.
Useful when the interactive service is used from a launch script, or
to force-terminate openvpn from the GUI if/when needed.
v2 changes: format of the message changed as described above.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1466736656-27501-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11984
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Allow --management-external-cert as an alternative to --cert
- Also make sure --cert and --management-external-cert are not
both specified, and clarify in the man page that the latter
must be used with --management-external-key.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1466132093-1178-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11929
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The inline directive http-proxy-user-pass can be used to
specify proxy credentials in config, e.g.:
http-proxy proxy.tld 3128 auto-nct
<http-proxy-user-pass>
foo
bar
</http-proxy-user-pass>
This usage is already supported by OpenVPN 3.
Signed-off-by: James Yonan <james@openvpn.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1456993146-63968-9-git-send-email-james@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11283
Signed-off-by: Gert Doering <gert@greenie.muc.de>
For targets with space constraints, one might want to compile mbed TLS
without MBEDTLS_DEBUG_C defined, to save some tens of kilobytes. Make
sure OpenVPN still compiles if that is the case.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1465934403-22226-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11922
Signed-off-by: Gert Doering <gert@greenie.muc.de>
With this change all timeouts before the first packet from the OpenVPN
server are unified into the server-poll-timeout option.
The default of 120s has been chosen to be a safe value is larger as it is
larger the sums of the old small timeouts.
V3: fix some whitespace/typos problems
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1465656195-12722-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11899
Signed-off-by: Gert Doering <gert@greenie.muc.de>
There's quite a bit of our code that fails compilation with
"gcc -pedantic -ansi" and should not be changed - like, LZ4 using
"long long" variables which C90 does not have. Be pragmatic.
trac #616
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1465477232-25826-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11882
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Take upstream release from https://github.com/Cyan4973/lz4/releases,
copy lz4-r131/lib/lz4.c to src/compat/compat-lz4.c
copy lz4-r131/lib/lz4.h to src/compat/compat-lz4.h
change #include line in compat-lz4.c to use "compat-lz4.h" not "lz4.h"
add "config.h" block and wrap in #ifdef NEED_COMPAT_LZ4 / #endif
No other changes to upstream code.
This commit is quite huge, but this is because we bundled a fairly old
version and upstream refactored quite a lot of code, changed // comments
to /* */ style, etc - to review, compare compat-lz4.* files to upstream.
v2: add missing #ifdef NEED_COMPAT_LZ4 wrapping
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1465473089-20754-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11879
Signed-off-by: Gert Doering <gert@greenie.muc.de>
multi_top_init() is always called with alloc_buffers=true, so just remove
the argument and alloc unconditionally.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1465388443-15484-3-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11851
Signed-off-by: Gert Doering <gert@greenie.muc.de>
"Be conservative in what you send, be liberal in what you accept"
When receiving packets, the real limitation of how much data we can accept
is the size of our internal buffers, not the maximum size we expect
incoming packets to have.
I ran into this while working on cipher negotiation, which will need
separate bookkeeping for the required internal buffer size, and the
link/tun MTU. Basing this code on the buffer size instead of c2->frame
makes that easier. A nice side-effect of this change is that it
simplifies the code.
This should also reduce the impact of using asymmetric tun/link MTU's,
such as in trac ticket #647.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1465388443-15484-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11850
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This allows exit notification to complete and finally trigger SIGTERM.
The current practice of allowing a restart in this state clears
the exit notification timer data and thus loses the SIGTERM.
Trac #687
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1465274660-11009-2-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11814
Signed-off-by: Gert Doering <gert@greenie.muc.de>
v2 changes:
- Add the flag "ignore" and have "reject" trigger a restart.
- Unlimited number of filters: yes, going against the consensus,
but the code looks simpler and cleaner this way.
- New commit message to reflect the changes.
Usage: --pull-filter accept|ignore|reject "option"
Permit a client to selectively accept, ignore or reject options
pushed by the server. May be used multiple times. The filters
are applied in the order specified to each pushed option received.
The filtering stops as soon as a match is found. The action "ignore"
removes the option and continues processing the next option, while
"reject" flags an error and restarts the connection with SIGUSR1.
Prefix matching is used so that all options starting with the
specified "option" string are filtered.
Example:
pull-filter accept "route 192.168."
pull-filter ignore "route "
pull-filter accept "ifconfig 10.9.0."
pull-filter reject "ifconfig "
will ignore all pushed routes except those starting with "192.168."
and reject the assigned ip unless its in the "10.9.0.0/24"
range. A match of the reject filter will trigger a restart. SIGUSR1
restart is used instead of SIGHUP so as to try the next remote
for reconnection.
Note the space at the end of "route " to not reject "route-gateway",
for example. All options not matched by any filter are accepted.
Acknowledges shameless imitation of --push-remove.
Inspired by Trac #682.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1465162884-32520-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11808
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Remove and recreate WFP filters during restart even when
tun/tap is not re-opened. This is needed for resolving the remote.
Patch same as for v2.3 except for passing 'msg_channel'.
See also: http://article.gmane.org/gmane.network.openvpn.user/36990
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1465055833-13681-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11788
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This was missed by commit 6a33a34dee
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1465070945-5426-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11789
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Continuing to fix breakage caused by commit 40cb4cfc5d.
It seems it was a conflict in vendor/Makefile.am's distdir target,
confusing autotools so it wouldn't actually parse that directory
properly. The result was that 'make distcheck' would fail and
tarballs created would just ship with an empty vendor/ directory.
Also remove the 'foreign' AUTOMAKE_OPTIONS flag, as we don't use
that many places at all. Things work well without this flag.
The comment had to be moved to a single line, otherwise the
white spaces between the end of the variable assignment and the
hash character got added to the variable.
[v3 - Further improve white space issues, now 'make clean'
should work too]
[v2 - Fix white space issues in path variables]
Signed-off-by: David Sommerseth <dazo@privateinternetaccess.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1464976163-6162-1-git-send-email-openvpn@sf.lists.topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11778
Commit 40cb4cfc5d added infrastructure to write unit tests using
cmocka. This was implemented using a git submodule to fetch an
up-to-date cmocka test framework.
The issue which appeared was that 'make check' stopped working if
the cmocka submodule was not initialized and updated. As we do not
want this to be a hard depenency, this patch makes running these
unit tests conditional. If cmocka has not been initialized, skip
them or if it has been initialized all unit tests will be run.
[v2 - Also check if cmake is available, as cmocka depends on that
to be built ]
Signed-off-by: David Sommerseth <dazo@privateinternetaccess.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1464703645-26640-1-git-send-email-openvpn@sf.lists.topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11758
When no DOMAIN is received from push/pull, do not add either domain or
search to the resolv.conf. Fix typo in comment resolv.con[f]. Only add
new line when using domain or search.
URL: https://github.com/OpenVPN/openvpn/pull/34
Acked-by: Steffan Karger <steffan@karger.me>
Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <1463736310-17846-1-git-send-email-samuli@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11682
Signed-off-by: David Sommerseth <dazo@privateinternetaccess.com>
No functional changes.
Utility functions of auth-pam are split into a dedicated file. This allows
the test programs to easily test these functions without adding
dependencies.
Add a minimal test for searchandreplace as a proof of concept.
[ Modified during commit: Enhanced documentation of functions in utils.h
to comply with doxygen standards ]
Signed-off-by: Jens Neuhalfen <jens@neuhalfen.name>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20160525175756.56186-3-openvpn-devel@neuhalfen.name>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11724
Signed-off-by: David Sommerseth <dazo@privateinternetaccess.com>
cmocka [1,2] is a testing framework for C. Adding unit test
capabilities to the openvpn repository will greatly ease the
task of writing correct code.
cmocka source code is added as git submodule in ./vendor. A
submodule approach has been chosen over a classical library
dependency because libcmocka is not available, or only
available in very old versions (e.g. on Ubuntu).
cmocka is build during 'make check' and installed in vendor/dist/.
[1] https://cmocka.org/
[2] https://lwn.net/Articles/558106/
Signed-off-by: Jens Neuhalfen <jens@neuhalfen.name>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20160525175756.56186-2-openvpn-devel@neuhalfen.name>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11725
Signed-off-by: David Sommerseth <dazo@privateinternetaccess.com>
Currently realloc failure in UpdateWaitHandles() is handled by
triggering exit_event and waiting for all active worker threads
to terminate. However, at this point the wait handles array
will contain an invalid value (handle of the latest thread that
is terminated), causing a cycle of WAIT_FAILED <-> continue and
trashing of the eventlog.
Fix:
- Update the wait handles again after removing the last thread:
this should not fail as no extra memory is needed. Do not set
the exit event; existing connections are not terminated.
- In case of WAIT_FAILED, break out of the while loop and exit
instead of continue. This usually happens when one or more
handles are invalid, which is hard to recover from.
Other changes:
- Use minimal initial allocation size so that the realloc code path
gets exercised (2 or more connections will cause realloc).
- Use a temp variable to check the return value of realloc().
- Initialize handles array pointer to NULL.
v2 changes:
- Increased initial allocation to 10 (warn: now 10 or more connections
needed to exercise the realloc code path).
- Moved up the declaration of "LPHANDLE tmp" to please stone-age MSVC.
Tested using a dummy realloc that returns NULL.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1463942372-26958-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11708
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Correctly handle CIDR masks when pushing clients addressing from an IPv6
pool. This change ignores the incorrectly used `bits` argument to the
--ifconfig-ipv6-pool option.
The code to save any provided CIDR mask after the pool IP is left in;
this may someday become useful when we move to allow IPv6 pools without
relying on an IPv4 pool assignment.
Signed-off-by: Josh Cepek <josh.cepek@usa.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <53F1DA95.7020701@usa.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8990
Signed-off-by: Gert Doering <gert@greenie.muc.de>
With this option, the server can remove individual options from the
set pushed to a client (call from --client-config-dir file, or from
--client-connect script or plugin). Options are removed at parse
time, so it is possible to do stuff like:
push-remove route-ipv6
push "route-ipv6 fd00::/8"
to first remove all IPv6 route options set so far, then add something
specific (what "push-reset" does to all the options).
Arguments to push-remove are strncmp()'ed to option string, so partial
matches like
push-remove "route-ipv6 2001:"
are possible ("remove all IPv6 routes starting with 2001:").
Implementation of remove_iroutes_from_push_route_list() had to be changed
slightly to stop it from re-enabling all disabled options again.
v2: documentation (Changes.rst, doc/openvpn.8)
remove surplus gc_arena
implement filtering of "ifconfig-ipv6"
v3: correct quoting in commit message
only handle a single argument per push-remove statement - if multiple
options are to be removed, just use multiple push-remove statements
Trac #29, #614
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1463393584-8318-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11665
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The call to the service returns promptly after delegating the job to
a thread, before the task is completed. In the thread, "net stop dnscache",
"net start dnscache", "ipconfig /flushdns" and "ipconfig /register-dns"
are executed in that order.
Parallel execution of these commands is prevented by a lock that is
common to all connections started by the service.
Note: "net stop .." is used instead of "sc stop.." as the latter can
return before the service has fully stopped (in STOP_PENDING state),
causing the subsequent start to fail.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1457671646-4322-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11354
Signed-off-by: Gert Doering <gert@greenie.muc.de>
During windows power events such as sleep or suspend, the TUN/TAP
I/O aborts and openvpn signals SIGHUP so as to automatically reconnect
on resume (since commit ea66a2b5cdb2..). During the SIGHUP processing
operations such as address and route deletion are expected to fail. Such
failures should be treated as non-fatal to allow for this automatic
recovery logic to work. Currently, when the address deletion is handled
by netsh, errors are treated as M_FATAL. This patch changes the error
level to M_WARN.
Resolves Trac #71 (comments 37 to 43)
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1463185884-4355-2-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11656
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Fixed port-share bug that can cause segfault when the number
of concurrent connections is large.
The issue is that the port-share code calls openvpn_connect()
which in turn calls select(). When there are a high number
of concurrent port-share connections, the fd passed to select
can potentially exceed FD_SETSIZE, causing undefined behavior.
The fix is to use poll() (if available) instead of select().
Signed-off-by: James Yonan <james@openvpn.net>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <CAA1Abx+2E2FZN-y6P=mkKpSuZ7bOV5m6rUMTx3V7UP2qPMjZPg@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11626
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Integration tests run by t_client.sh use sudo to run openvpn as root.
If the t_client.sh script is configured to use sudo then the user
must enter the password quickly because t_client assumes a startup
failure if openvpn does not start quick enough.
If the user is not quick enough, then the tests fails.
This change will refresh the sudo timestamp at the start of the script.
Tested on MacOS X & Ubuntu Precise
Signed-off-by: Jens Neuhalfen <jens@neuhalfen.name>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <280154CA-9468-429B-BCAC-DB632C0AFB32@neuhalfen.name>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11622
Signed-off-by: Gert Doering <gert@greenie.muc.de>
-lmbedx509 needs to be before -lmbedcrypto, otherwise you end up with
unresolved symbols mbedtls_pk_load_file and mbedtls_pk_parse_subpubkey
on systems with static mbedtls libraries and a linker that only does
one left-to-right resolving pass through these.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20160505115050.GA81579@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11605
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Instead of just printing the contents of the flags variable, try to
convert it to a human-readable error string and print that instead.
This will for example print "The certificate is signed with an
unacceptable key (eg bad curve, RSA too short).", instead of
"flags=10000".
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1462306478-21059-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11594
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Implement a long standing todo in the code, now that we use mbed TLS 2.x,
which provides an interface for the check.
v2: bail out immediately on failure.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1462438933-14902-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11599
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When for some reason the dependencies of the compiled mbed TLS libaries
(libmbedtls, libmbedcrypto and libmbedx509) are not correct, the configure
script will fail to link against libmbedcrypto and/or libmbedx509. This
is reported to happen after using 'make install' to install mbedtls.
This patch makes sure the configure tests link to all three. The build
process itself already did.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1462126986-2686-1-git-send-email-steffan@karger.me>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
t_client.rc is a config file used in integration tests (t_client.sh).
It is a local (developer/machine) specific file not intended to be
verisonized.
A template file can be found at ./tests/t_client.rc-sample
Signed-off-by: Jens Neuhalfen <jens@neuhalfen.name>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <80711231-C760-410A-B8A5-F2B1D46C22CE@neuhalfen.name>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The patch looks huge, but it's just file renames, and required changes in
includes / Makefiles. Use 'git diff -C' or a tool like gitk to easily
review this patch.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1460918143-408-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11459
Signed-off-by: Gert Doering <gert@greenie.muc.de>
PolarSSL / mbed TLS 1.3 is going end-of-life by 2016-12-31, so let's move
the master branch on to the 2.x series.
This patch purges all references to polarssl, except for file names and
some comments referring to 1.2 and earlier, which were never released as
'mbed TLS'. A separate patch for the file names follows, so the real
changes are easier to spot without git-fu.
This patch intends to not change any behaviour.
The vast majority of this patch is just renaming functions and structs.
There are some small changes in the implementation:
* In ssl_polarssl.c: the debug callback prototype changed, so our
implementation changed a bit too.
* in ssl_polarssl.c: the old polarssl ssl_context is now split into a
mbedtls_ssl_config and mbedtls_ssl_context. The intention is that
mbedtls_ssl_config is shared among connections, and mbedtls_ssl_context
contains the per-connection state. That doesn't work for us, because
we use per-connection verify callback data, while the verify callback
is registered on mbed_tls_config. Therefore we still need to init a
mbed_tls_config struct for each connection.
* in ssl_polarssl.c: the mbed bio handling changed, so our
implementation changed a bit too.
* in ssl_polarssl.c and ssl_verify_polarssl.c: the mbedtls x509 parse
functions now fail if we don't provide a NUL-terminated string, so use
strlen()+1 as the length argument to include the terminating NUL.
I tested this patch to work with:
* 'make check' (with 2.0.0 and 2.2.1, other tests just with 2.2.1)
* static key mode
* TLS mode with PEM key file
* TLS mode with password protected PEM key file
* TLS mode with management-external-key
* TLS mode with PKCS#11
* TLS mode with inline ca/key/cert/dh
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1460918143-408-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11458
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This patch is a variant of the patch to implement x509-track for
PolarSSL that was sent to openvpn-devel@ by James Yonan
(<1456993146-63968-7-git-send-email-james@openvpn.net>). It still uses
some of the original code from James, but proposes a different
implementation.
This patch does the following things differently:
* Do not introduce NID_* defines that need to be maintained. Instead,
just use the short name of the attribute for identification. This
has the advantage that we automatically support everything that
PolarSSL supports, it is less code and we do not have maintain the
list. But the disadvantage is that this approach will not error out
when an unknown attribute name is supplied. PolarSSL (at least 1.3,
I didn't check 2.x) does not provide the functions required to do
that. Instead of erroring out, this implementation will just
silently ignore the unknown --x509-track attribute name.
* Remove the ENABLE_X509_TRACK define completely - it depended just on
ENABLE_CRYPTO anyway.
* Move the --x509-track option parsing out of ENABLE_MANAGEMENT, since
it does not depend on management functionality.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <CAA1AbxL1w8e_o-GjS2jETZWxYdMbS2iKABPc6OZBA8bOVycjtA@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11350
Signed-off-by: Gert Doering <gert@greenie.muc.de>
509_get_sha1_hash() is supposed to return the certificate fingerprint,
which is the hash of the entire certificate - including the signature -
and not just the 'to be signed' data (cert->tbs in polarssl).
This changes externally visible behavior for polarssl builds: it will
change the value of the tls_digest_N values exported to the environment
for scripts.
v2 Steffan Karger: added commit message and Changes.rst entry.
Code unchanged from v1 by James.
Signed-off-by: James Yonan <james@openvpn.net>
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <CAA1AbxL=QYUy6N+jKgxVVuftmF=75mSEz3rYUbisT245UfB5Dg@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11396
Signed-off-by: Gert Doering <gert@greenie.muc.de>
