OpenSSL 1.1 does not allow us to directly access the internal of
any data type, including EVP_PKEY. We have to use the defined
functions to do so.
Compatibility with OpenSSL 1.0 is kept by defining the corresponding
functions when they are not found in the library.
Signed-off-by: Emmanuel Deloget <logout@free.fr>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20170612134330.20971-3-logout@free.fr>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14795.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
OpenSSL 1.1 does not allow us to directly access the internal of
any data type, including X509. We have to use the defined
functions to do so.
In x509_verify_ns_cert_type() in particular, this means that we
cannot directly check for the extended flags to find whether the
certificate should be used as a client or as a server certificate.
We need to leverage the X509_check_purpose() API yet this API is
far stricter than the currently implemented check. So far, I have
not been able to find a situation where this stricter test fails
(although I must admit that I haven't tested that very well).
We double-check the certificate purpose using "direct access" to the
internal of the certificate object (of course, this is not a real
direct access, but we still fetch ASN1 strings within the X509 object
and we check the internal value of these strings). This allow us to
warn the user if there is a discrepancy between the X509_check_purpose()
return value and our internal, less strict check.
We use these changes to make peer_cert a non-const parameter to
x509_verify_ns_cert_type(). The underlying library waits for a
non-const pointer, and forcing it to be a const pointer does not make
much sense (please note that this has an effect on the mbedtls part
too).
Compatibility with OpenSSL 1.0 is kept by defining the corresponding
functions when they are not found in the library.
Signed-off-by: Emmanuel Deloget <logout@free.fr>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20170612134330.20971-2-logout@free.fr>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14792.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The COPYRIGHT.GPL file was slightly out-of-sync with the last GPLv2
license from Free Software Foundation, Inc.
The changes are primarily a new address, which required touching almost
all the project files.
Except of that, it is just minor adjustments to formatting, removal of
form-feed characters and referencing "GNU Lesser General Public License"
instead of "GNU Library General Public License".
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20170329093648.10156-1-davids@openvpn.net>
URL: https://www.mail-archive.com/search?l=mid&q=20170329093648.10156-1-davids@openvpn.net
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commit 039a89c331 changed the OpenSSL check slightly, but that
broke ./configure on systems which do not install the openssl.pc
pkg-config support file. This is typically an issue on most of the BSD
platforms, where the OpenSSL package from the base repository does not
provide that file.
We should anyway in this case have a better check of OpenSSL version
available. So in the case pkg-config fails, it will run an additional
test looking for the OpenSSL version number in the opensslv.h header
file and check against that version number.
I did consider to rip out the pkg-config test all together, but decided
to let it stay. If pkg-config works, it provides much more details to
the ./configure script than just the version number check - such as
include and library paths if those are outside the default system paths.
If the user adds OPENSSL_CFLAGS or OPENSSL_LIBS to the ./configure
script, the pkg-config will not be run. But this patch ensures that the
OpenSSL version is also checked in this situation.
This patch have been tested on Scientic Linux 7.3 (RHEL clone) and
FreeBSD 10.3-RELEASE-p11.
v5 - Remove the right OPENSSL_LIBS and preserve the old one
- In PKG_CHECK_MODULES(), check for openssl instead of libssl
+ libcrypto
- Fix tab/space issues once again
v4 - Move the CFLAGS/LDFLAGS declarations before the manual
version test; otherwise we're still testing the system install
version
v3 - Remove not needed and duplicated OPENSSL_LIBS assignment
- Fix tab/space issues in modified lines
v2 - Don't use try to simplify the version matching, use the full
OPENSSL_VERSION_NUMBER
- Fixed typo (OpneSSL -> OpenSSL)
- Improve a few comments
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20170424143910.20118-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14503.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
As RHEL 5 has reached EOL, we no longer need to support OpenSSL v0.9.8.
This also makes it possible to remove a few workaronds which was
needed earlier, as well as some left overs from v0.9.6.
This also makes ./configure really stop running unless a new enough
OpenSSL library is found.
Compile tested on RHEL7.3 and RHEL6.7 (mock chroot build), both shipping
openssl-1.0.1e.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20170411173133.18060-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14441.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
OpenSSL 1.1 does not allow us to directly access the internal of
any data type, including RSA_METHOD. We have to use the defined
functions to do so.
Compatibility with OpenSSL 1.0 is kept by defining the corresponding
functions when they are not found in the library.
Signed-off-by: Emmanuel Deloget <logout@free.fr>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <79d89580db6fd92c059dabc4f5f4d83b72bb9d3d.1487859361.git.logout@free.fr>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14175.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Older versions of autoconf generate an empty "else fi" block for empty
fields in an AC_CHECK_FUNCS() macro. This breaks on e.g. RHEL6.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1487846138-22231-1-git-send-email-steffan.karger@fox-it.com>
URL: http://www.mail-archive.com/search?l=mid&q=1487846138-22231-1-git-send-email-steffan.karger@fox-it.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
OpenSSL 1.1 does not allow us to directly access the internal of
any data type, including X509_OBJECT. We have to use the defined
functions to do so.
Compatibility with OpenSSL 1.0 is kept by defining the corresponding
functions when they are not found in the library.
Signed-off-by: Emmanuel Deloget <logout@free.fr>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <c849c9778d2b2faa4eb4d31367b37d993da5eb85.1487368114.git.logout@free.fr>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14080.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
OpenSSL 1.1 does not allow us to directly access the internal of
any data type, including X509_STORE. We have to use the defined functions
to do so.
Compatibility with OpenSSL 1.0 is kept by defining the corresponding
functions when they are not found in the library.
Signed-off-by: Emmanuel Deloget <logout@free.fr>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <8e6d66e3a9a40abb3d7c99c48ba59bad1037d0ef.1487368114.git.logout@free.fr>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14076.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
OpenSSL 1.1 does not allow us to directly access the internal of
any data type, including SSL_CTX. We have to use the defined functions
to do so.
Compatibility with OpenSSL 1.0 is kept by defining the corresponding
functions when they are not found in the library.
Signed-off-by: Emmanuel Deloget <logout@free.fr>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <a77187a66affdba318ef70e0e218b69cdad509d1.1487368114.git.logout@free.fr>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14088.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The plugin path handling cleanup (4590c383) introduced GNUism and broke
builds on system not using GNU Make (like *BSD).
Revert back to let configure generate the header file. Instead let make
add an extra CFLAG that defines PLUGIN_LIBDIR.
Signed-off-by: Christian Hesse <mail@eworm.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20170127084927.21040-1-list@eworm.de>
URL: http://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13966.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
Drop --with-plugindir, instead use an environment variable PLUGINDIR
to specify the plugin directory.
This puts a define into include/openvpn-plugin.h.in which has the plugin
directory.
The configure script does not know about the final plugin path. Thus we
have to make Make generate the final header file for us.
As the path is always available remove the compile time condition (and
dead code) from src/openvpn/plugin.c.
v2: The configure script can not evaluate the final $libdir path. So
use make to create a header file on the containing the final path.
v3: Fix whitespace errors and gitignore location.
v4: No extra header file, generate src/openvpn/plugin.h on the fly.
Remove condition and dead code.
v5: Move the define to include/openvpn-plugin.h.in and let make generate
the final header file.
Signed-off-by: Christian Hesse <mail@eworm.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20170125201947.17197-1-list@eworm.de>
URL: http://www.mail-archive.com/search?l=mid&q=20170125201947.17197-1-list@eworm.de
Signed-off-by: David Sommerseth <davids@openvpn.net>
Different unit instances create and destroy the same RuntimeDirectory.
This leads to running instances where the status file (and possibly
more runtime data) is no longer accessible.
So do not handle this in unit files but provide a tmpfiles.d
configuration and let systemd-tmpfiles do the work.
Nobody will (unintentionally) delete the directories and its content.
As /run is volatile we do not have to care about cleanup.
Signed-off-by: Christian Hesse <mail@eworm.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20170124143947.27385-2-list@eworm.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13939.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
If systemd is enabled we install unit files to $libdir/systemd/system
(or the path specified by SYSTEMD_UNIT_DIR).
The unit files are generated on the fly with matching $sbindir.
Signed-off-by: Christian Hesse <mail@eworm.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20170124143947.27385-1-list@eworm.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13940.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
- Also make tests that require --wrap option to be
conditional on this support
[ DS: Removed AC_DEFINE([HAVE_LD_WRAP_SUPPORT],...) at commit time
as we now see no real use for such a #define in config.h ]
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1484772172-19758-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13897.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
AC_ARG_ENABLE() was used wrong, which led enable_async_push to
always be set, regardless if --enable-async-push or --disable-async-push
was used.
Also spotted the exact same patch when writing this commit message as
GitHub PR#70.
Trac: #786
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <1481062251-18349-1-git-send-email-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13411.html
commit 35be7e0d5 removed most references to compat-stdbool.h but
overlooked configure and "make dist"
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <1479628060-32673-1-git-send-email-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13135.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Fixes builds that use MBEDTLS_CFLAGS and friends to tell the build where
the header files and libraries are. Also alphabetically orders some of
the listed files in relates Makefile.am files.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1479152603-5103-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13050.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
misc.c is too crowded with different things to perform any
sane unit testing due to its dependencies. So, in order to re-write
the #ifdef'ed tests for the argv_* family of functions into unit
tests I moved them into a dedicated file.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: <1477672963-5724-2-git-send-email-heiko.hund@sophos.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12811.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The "Don't dereference type-punned pointers" patch introduced an anonymous
union, which older compilers do not support (or refuse to support when
-std=c99 is defined). Add a configure check, and some wrapper defines to
repair builds on those compilers.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1479060203-4472-1-git-send-email-steffan@karger.me>
URL: http://www.mail-archive.com/search?l=mid&q=1479060203-4472-1-git-send-email-steffan@karger.me
Signed-off-by: Gert Doering <gert@greenie.muc.de>
commit 8cac9b98d5 introduced using in_port_t which is not
available on (all?) mingw build environments.
Add configure check, falling back to uint16_t.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20161113155535.68355-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13021.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
In systemd after version 216, systemd-ask-password will support --echo
which
will avoid masking the user input. As OpenVPN uses this mechanism
collecting
usernames when systemd is available, this will avoid the input of
usernames to
be masked.
This patch also adds the --icon argument, which is aimed at graphical
inputs.
For example when OpenVPN is started at system boot-time using a graphical
boot
interface such as Plymouth.
[v2 - Avoid pkg.m4 hacks and use pkgconfig/autoconf methods to flag
if systemd is recent enough for --echo support]
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: 1470926035-434-1-git-send-email-davids@openvpn.net
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12405.html
This provides exactly the same systemd functionality which existed
before the query user infrastructure got implemented.
[v5 - Ensure NULL termination fix in d09fbf958f is included ]
[v4 - change disapproved &= syntax ]
[v3 - Remove QUERY_USER_EXEC_ALTERNATIVE macro, simplify
alternatives definition directly in console.h. For
now only depend on ENABLE_SYSTEMD]
[v2 - Removed the QUERY_USER_FOREACH macro]
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: 1470999445-4288-1-git-send-email-davids@openvpn.net
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12424.html
Solaris' header files to not make necessary macros (like CMSG_SPACE)
available unless told "this is the API level we want" - thus, do so.
This fixes --multihome on OpenSolaris 11 (at least).
(v2: same patch as in 6eaa70e80a, reverted in e25d03a4cc, and now
with correct description)
trac #750
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20161010073931.54469-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12634.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Solaris' header files to not make necessary macros (like CMSG_SPACE)
available unless told "this is the API level we want" - thus, do so.
This fixes --multihome on OpenSolaris 11 (at least).
trac #750
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20161010073931.54469-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12634.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
On OS X openssl/x509.h is not in the standard include path and the
files still try to include since the includes only depend on on
ENABLE_CRYPTO_OPENSSL.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1474111006-16401-1-git-send-email-arne@rfc2549.org>
URL: http://www.mail-archive.com/search?l=mid&q=1474111006-16401-1-git-send-email-arne@rfc2549.org
Signed-off-by: Gert Doering <gert@greenie.muc.de>
NetBSD has introduced IP_PKTINFO and struct in_pktinfo, but does not
have the "ipi_spec_dst" structure element, causing compilation errors.
Introduce a check for that (AC_CHECK_MEMBER) in configure.ac, and
change all "#ifdef HAVE_IN_PKTINFO" to also check "HAVE_IPI_SPEC_DST".
Patch inspired by NetBSD pkgsrc patch set.
(Note: with that patch, OpenVPN --multihome is still broken for IPv4
on NetBSD 7.0.1 / amd64, but that's a different issue)
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20160916190242.44897-1-gert@greenie.muc.de>
URL: http://www.mail-archive.com/search?l=mid&q=20160916190242.44897-1-gert@greenie.muc.de
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Previously, we would use the compiler's default C version, which defaults
to gnu89 for GCC < 5, gnu11 for GCC > 5, and c11 for clang, but might even
differ per distro.
One of the reasons to accept the gnu89 default of GCC < 4.9, was that MSVC
didn't support c99. But in MSVC 2015, MS finanally fixed that.
Having to support c89 in the codebase occasionally forces us to write less
readable code, for example by forcing all declaration to be at the starting
of a block (which includes 'for loop initial declarations').
Let's be clear about what standard we obey, and stop punishing ourselves
with c89/gnu89. Let's switch the master branch to c99.
v2: don't try to detect pedantic mode based on __STRICT_ANSI__, since that
will be defined when using -std=c99.
v3: only set -std=c99 if there is no -std= already present in CFLAGS
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: 1472760870-11769-1-git-send-email-steffan@karger.me
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg00194.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
There's quite a bit of our code that fails compilation with
"gcc -pedantic -ansi" and should not be changed - like, LZ4 using
"long long" variables which C90 does not have. Be pragmatic.
trac #616
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1465477232-25826-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11882
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commit 40cb4cfc5d added infrastructure to write unit tests using
cmocka. This was implemented using a git submodule to fetch an
up-to-date cmocka test framework.
The issue which appeared was that 'make check' stopped working if
the cmocka submodule was not initialized and updated. As we do not
want this to be a hard depenency, this patch makes running these
unit tests conditional. If cmocka has not been initialized, skip
them or if it has been initialized all unit tests will be run.
[v2 - Also check if cmake is available, as cmocka depends on that
to be built ]
Signed-off-by: David Sommerseth <dazo@privateinternetaccess.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1464703645-26640-1-git-send-email-openvpn@sf.lists.topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11758
No functional changes.
Utility functions of auth-pam are split into a dedicated file. This allows
the test programs to easily test these functions without adding
dependencies.
Add a minimal test for searchandreplace as a proof of concept.
[ Modified during commit: Enhanced documentation of functions in utils.h
to comply with doxygen standards ]
Signed-off-by: Jens Neuhalfen <jens@neuhalfen.name>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20160525175756.56186-3-openvpn-devel@neuhalfen.name>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11724
Signed-off-by: David Sommerseth <dazo@privateinternetaccess.com>
cmocka [1,2] is a testing framework for C. Adding unit test
capabilities to the openvpn repository will greatly ease the
task of writing correct code.
cmocka source code is added as git submodule in ./vendor. A
submodule approach has been chosen over a classical library
dependency because libcmocka is not available, or only
available in very old versions (e.g. on Ubuntu).
cmocka is build during 'make check' and installed in vendor/dist/.
[1] https://cmocka.org/
[2] https://lwn.net/Articles/558106/
Signed-off-by: Jens Neuhalfen <jens@neuhalfen.name>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20160525175756.56186-2-openvpn-devel@neuhalfen.name>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11725
Signed-off-by: David Sommerseth <dazo@privateinternetaccess.com>
-lmbedx509 needs to be before -lmbedcrypto, otherwise you end up with
unresolved symbols mbedtls_pk_load_file and mbedtls_pk_parse_subpubkey
on systems with static mbedtls libraries and a linker that only does
one left-to-right resolving pass through these.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20160505115050.GA81579@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11605
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When for some reason the dependencies of the compiled mbed TLS libaries
(libmbedtls, libmbedcrypto and libmbedx509) are not correct, the configure
script will fail to link against libmbedcrypto and/or libmbedx509. This
is reported to happen after using 'make install' to install mbedtls.
This patch makes sure the configure tests link to all three. The build
process itself already did.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1462126986-2686-1-git-send-email-steffan@karger.me>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
PolarSSL / mbed TLS 1.3 is going end-of-life by 2016-12-31, so let's move
the master branch on to the 2.x series.
This patch purges all references to polarssl, except for file names and
some comments referring to 1.2 and earlier, which were never released as
'mbed TLS'. A separate patch for the file names follows, so the real
changes are easier to spot without git-fu.
This patch intends to not change any behaviour.
The vast majority of this patch is just renaming functions and structs.
There are some small changes in the implementation:
* In ssl_polarssl.c: the debug callback prototype changed, so our
implementation changed a bit too.
* in ssl_polarssl.c: the old polarssl ssl_context is now split into a
mbedtls_ssl_config and mbedtls_ssl_context. The intention is that
mbedtls_ssl_config is shared among connections, and mbedtls_ssl_context
contains the per-connection state. That doesn't work for us, because
we use per-connection verify callback data, while the verify callback
is registered on mbed_tls_config. Therefore we still need to init a
mbed_tls_config struct for each connection.
* in ssl_polarssl.c: the mbed bio handling changed, so our
implementation changed a bit too.
* in ssl_polarssl.c and ssl_verify_polarssl.c: the mbedtls x509 parse
functions now fail if we don't provide a NUL-terminated string, so use
strlen()+1 as the length argument to include the terminating NUL.
I tested this patch to work with:
* 'make check' (with 2.0.0 and 2.2.1, other tests just with 2.2.1)
* static key mode
* TLS mode with PEM key file
* TLS mode with password protected PEM key file
* TLS mode with management-external-key
* TLS mode with PKCS#11
* TLS mode with inline ca/key/cert/dh
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1460918143-408-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11458
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Add Authenticated Encryption with Additional Data (AEAD) support for
ciphers, which removes the need for a separate HMAC step. The MAC is
integrated into the cipher and the MAC tag is prepended to the payload.
This patch is inspired by the patch originally submitted by Kenny Root
on the openvpn-devel mailinglist, but does a number things differently:
* Don't support XTS (makes no sense for VPN)
* Don't support CCM (needs extra code to make it actually work)
* Don't force the user to specify "auth none" (that would break
tls-auth)
* Add support for PolarSSL (and change internal API for this)
* Update openvpn frame size ('link mtu') calculation for AEAD modes
* Use the HMAC key as an implicit part of the IV to save 8 bytes per
data channel network packet.
* Also authenticate the opcode/peer-id as AD in P_DATA_V2 packets.
By using the negotiated HMAC key as an implicit part of the IV for
AEAD-mode ciphers in TLS mode, we can save (at least) 8 bytes on each
packet sent. This is particularly interesting for connections which
transfer many small packets, such as remote desktop or voip connections.
The current AEAD-mode ciphers (for now GCM) are based on CTR-mode cipher
operation, which requires the IV to be unique (but does not require
unpredictability).
IV uniqueness is guaranteed by using a combination of at least 64-bits
of the HMAC key (unique per TLS session), and a 32-bit packet counter.
The last 32-bit word of the 128-bit cipher block is not part of the IV,
but is used as a block counter.
AEAD cipher mode is not available for static key mode, since IV
uniqueness is harder the guarantee over sessions, and I believe
supporting AEAD in static key mode too is not worth the extra
complexity. Modern setups should simply use TLS mode.
OpenSSL 1.0.1-1.0.1c will not work with AEAD mode, because those
versions have an unnecessary check that fails to update the cipher if
the tag was not already set. 1.0.1d, which fixes that, was released in
February 2013. People should have updated, and distros should have
backported the fix by now.
Changes in v2:
* Remove extra code that was just for making OpenSSL 1.0.1-1.0.1c work
in AEAD mode.
* Do not make AEAD support configurable in ./configure.
* Get rid of '12' magic constant in openvpn_encrypt_aead().
* Update manpage to explain that --auth is ignored for the data channel
when using an AEAD cipher.
* Move setting the IV in AEAD cipher modes to the IV generation code.
This is a more natural place and now we can pull iv[] into the IV
generation scope.
* Read packet ID directly from packet buffer instead of from iv buffer,
to remove the need for an extra buffer.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <CAA1AbxL_S4umZr5Nd0VTvUvXEHjoWmji18GqM6FgmWqntOKqaA@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11162
Signed-off-by: Gert Doering <gert@greenie.muc.de>
A missing , in the previous configure.ac patch caused the autodetection to
fail. While fixing that, I noticed I can simplify the check by using the
documented ${ac_cv_search_function} cache variable instead of the nested
AC_SEARCH_LIBS.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1453150181-21453-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11010
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This reworks the crypto library configuration, to make it both simpler to
understand and more usable:
* Only check for OpenSSL when building against OpenSSL (and similar for
PolarSSL/mbed TLS).
* Bail out early if a problem with the library is detected.
* Set CRYPTO_{LIBS,FLAGS} immediately after the crypto library checks,
removing the need for an extra switch-case later on.
* We no longer support building openvpn with crypto but without ssl, so
we can also simplify the logic in configure.ac accordingly.
As a 'side effect' (this actually triggered me), this fixes a bug that
would cause a user-specified OPENSSL_{CRYPTO,SSL}_LIBS to be overwritten
by AC_CHECK_LIB if there are openssl headers available in the PATH.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1452436639-16838-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10978
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Also send it with peer-info as IV_PLAT_VER.
Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1451422957-23951-1-git-send-email-lstipakov@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10904
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This options is enabled in virtually all distributions and gives no real
security benefit.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1448808959-10565-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10661
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Libraries should be specified from left-to-right as most-dependent to
least-dependent. Thus, -lssl comes first, then -lcrypto.
(This does not fail when pkg-config finds your libraries for you, since
we tell it '-lssl needs -lcrypto' and we then end up with
"-lcrypto -lssl -lcrypto", which is not pretty but does work.)
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1448750881-10767-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10649
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Since commit 67a67e39, we use API calls that were introduced in polarssl
1.3.8. Update the configure check to reflect that.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1448274384-22953-1-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10563
Signed-off-by: Gert Doering <gert@greenie.muc.de>
v3:
* better comments
* better variable naming
* include sys/inotify.h if HAVE_SYS_INOTIFY_H is defined
v2:
More careful inotify_watchers handling
* Ensure that same multi_instance is added only once
* Ensure that multi_instance is always removed
v1:
This feature speeds up connection establishment in cases when async
authentication result is not ready when first push request arrives. At
the moment server sends push reply only when it receives next push
request, which comes 5 seconds later.
Implementation overview.
Add new configure option ENABLE_ASYNC_PUSH, which can be enabled if
system supports inotify.
Add inotify descriptor to an event loop. Add inotify watch for a
authentication control file. Store mapping between watch descriptor and
multi_instance in a dictionary. When file is closed, inotify fires an
event and we continue with connection establishment - call client-
connect etc and send push reply.
Inotify watch descriptor got automatically deleted after file is closed
or when file is removed. We catch that event and remove it from the
dictionary.
Feature is easily tested with sample "defer" plugin and following settings:
auth-user-pass-optional
setenv test_deferred_auth 3
plugin simple.so
Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
Add doxygen comment
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: <1444493065-13506-1-git-send-email-lstipakov@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10248
Signed-off-by: David Sommerseth <davids@redhat.com>
LZ4 is using less CPU at similar performance, and it is easier to
build and support for binary installs (as it does not require C++
and a C++ runtime). Since it was never supported in any formally
released OpenVPN version, just drop it again.
This leaves in the compression opcode for Snappy for documentation
purposes.
trac #617
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1444494889-28925-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10251
To get access to that functionality, bump Windows API level for MinGW
compilation from NTDDI_WINXP/_WIN32_WINNT_WINXP to ..._VISTA, and
shuffle around WIN32 includes a bit in syshead.h
MinGW 32 seems to be broken regarding MIB_TCP_STATE enum, so add typedef
for that - surrounding #ifdefs found by googling do not work yet -> TODO!
Extend add_route_ipv6() and delete_route_ipv6() to handle routes not on
the tap adapter but on ifindex-addressed interfaces ("interface=nn"),
and while at it, fix deletion of IPv6 routes with gateway address.
NOTE: this breaks Windows XP compatibility as GetBestRoute2() is not
available there, so even when not using IPv6, the binary will not run.
(Lightly) tested on Win7/64.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lazy-ACK-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1441985627-14822-11-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10085
More recent MinGW versions have these functions (if compiling at
_VISTA level or higher), but the normal AC_CHECK_FUNCS() check does
not find them because the necessary header file is not #include'd and
the libws2_32 not linked - and our compat functions are incompatible
with the definitions in <ws2tcpip.h>, so compilation fails.
Fix with a custom AC_LINK_IFELSE()/AC_LANG_PROGRAM() construct.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Tested-by: Heiko Hund <heiko.hund@sophos.com>
Tested-by: Samuli Seppänen <samuli@openvpn.net>
Lazy-ACK-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1442953884-54602-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10165
This is to provide more fine grained information to plug-ins
about the OpenVPN environment when OpenVPN was built.
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1436534548-21507-2-git-send-email-openvpn.list@topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9905
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Previously, the code tried to find res_init(), and on some systems
got it wrong in configure, silently not-using res_init(), leading
to unexpected failures to re-init the resolver.
We know that all supported OSes (except Windows) have res_init(), so
change the call to "#ifndef WIN32", and adjust configure.ac to just
find the library to link (if any). With that, failures to find
res_init() are no longer "hidden" but clearly visible at link time.
AC_SEARCH_LIBS() bits inspired by CUPS' cups_network.m4 (GPLv2)
Fix (part of) trac #523
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lazy-ACK-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1430162841-5840-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9614
Fixes compilation error on linux with musl libc because of
conflicting ethhdr declarations in <netinet/if_ether.h> and
<linux/if_ether.h> which is included from <linux/if_tun.h>
Signed-off-by: Felix Janda <felix.janda@posteo.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20150516134604.GA2302@euler>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9690
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Remove the --disable-ssl configure option and accompanying ENABLE_SSL
defines in the master/2.4 branch, to reduce the code and testing
complexity a bit.
This does not remove to runtime option to run without SSL, just the compile
time option to not include any SSL-related code.
During the community meeting in November 2014 there were no objections
amongst he developers present. Also, this has been announced on the -users
and -devel mailing lists two weeks ago, without any response whatsoever.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <54A4248A.1090501@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9371
Signed-off-by: Gert Doering <gert@greenie.muc.de>
If the user specifies --pkcs11-id or --pkcs-id-management but neglects
to explicitly provide a --pkcs11-provider argument, and if the system
has p11-kit installed, then load the p11-kit proxy module so that the
system-configured tokens are available.
Trac: 490
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1418303015.31745.78.camel@infradead.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9342
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6f1d3cf062)
enable_crypto_ofb_cfb is "yes" by default, so the --help screen
should show --disable-ofb-cfb and not --enable-ofb-cfb.
enable_small and enable_password_save are both "no" by default, so
the --help screen should state "default: no". Now it says "yes" as
default, but is really disabled in the reality.
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1416852578-7581-1-git-send-email-openvpn.list@topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9278
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This is another systemd implementation clean-up. It was found that
SELinux will block OpenVPN from checking /sys/fs/cgroups. As OpenVPN
only checked /sys/fs/cgroups and /sys/fs/cgroups/systemd to see if
systemd was available or not, it was considered better to query
systemd directly to see whether or not to query for usernames and
passwords via systemd.
This patch has been compile tested on Fedora 19 and Fedora 21 alpha and
function tested on Fedora 19.
v2 - Use PKG_CHECK_MODULES() + check for libsystemd before
libystemd-daemon. systemd >= 209 use a unified library
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1412356567-27125-1-git-send-email-openvpn.list@topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9072
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This restores support for pre-0.9.8f OpenSSL versions, which do not include
stateless session resumption, and the accompanying SSL_OP_NO_TICKET flag.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <53C251E2.7050605@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8902
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Makes OFB/CFB compile time configurable, and fixes output of --show-ciphers
to also show OFB/CFB ciphers along the way (becasue crypto.h was not
included from crypto_openssl.c).
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1402244175-31462-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8781
Signed-off-by: Gert Doering <gert@greenie.muc.de>
force "have_tap_header=yes", as configure won't like AIX headers otherwise
(no tun related headers, just <net/if_tap.h>).
force ROUTE to be "/usr/sbin/route" - not executable by non-root users, so
configure testing for executables will not find it
force "ac_cv_header_net_if_h=no", because AIX' <net/if.h> pulls in AIX'
<net/route.h>, which #defines ROUTE_H, disabling our "route.h"... (and
we don't need <net/if.h> on AIX anyway)
Signed-off-by: Gert Doering <gd@medat.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1402409073-54067216-2-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8787
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Only check for SSL_OP_NO_TICKET if building with --enable-ssl and using
openssl. This fixes cross-compiling polarssl builds for Windows (where
pkg-config would find the system openssl library, but the cross compiler
would not have openssl for the target platform).
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1403461119-21440-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8795
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Useful for example during development or automated builds, to make the
build error out if new warnings are introduced.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1401359947-31144-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8747
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This removes support for PolarSSL 1.2. The mimimum version of PolarSSL
required is now 1.3.3. The upgrade brings OpenVPN-with-PolarSSL:
* Support for EC-crypto in TLS (but not yet for external
pkcs11/management keys)
* Support for AES-NI (if PolarSSL is compiled with AES-NI support)
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Message-Id: <53528943.3090205@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8555
Signed-off-by: Gert Doering <gert@greenie.muc.de>
AC_EGREP_CPP uses CPPFLAGS, not CFLAGS. Make sure the macro can find
OpenSSL by temporarily adding OPENSSL_CRYPTO_FLAGS to CPPFLAGS.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Heiko Hund <heiko.hund@sophos.com>
Message-Id: <5339EFFC.6090908@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8419
Signed-off-by: Gert Doering <gert@greenie.muc.de>
SSL_OP_NO_TICKET tells OpenSSL to disable "stateless session resumption".
This is something we do not want nor need, but could potentially be used
for a future attack. OpenVPN 2.4 requires the flag to be set and will fail
configure if the flag is not present.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <CAA1AbxJh17KYmVU1BVa5kp4iJsUJT+xnXp0rVU_3g3c5hPnqDQ@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8389
Signed-off-by: Gert Doering <gert@greenie.muc.de>
OpenSSL 0.9.7 and older are considered obsolete (see
http://www.openssl.org/news/news.html). This patch updates configure.ac to
require OpenSSL 0.9.8 or newer, and removes a number of #ifdefs that are
now no longer needed.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1395582781-27966-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8392
Signed-off-by: Gert Doering <gert@greenie.muc.de>
On Windows there's no sa_family_t. This patch defines it in
syshead.h is configure did not find it in the system headers.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1389972638-8006-1-git-send-email-heiko.hund@sophos.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8242
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Bundle lz4.c and lz4.h from http://code.google.com/p/lz4/ (r109) as
src/compat/compat-lz4.[ch], and use that (via #define NEED_COMPAT_LZ4)
if autoconf cannot find lz4.h or -llz4 in the system.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1388613479-22377-2-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8154
Implement LZ4 compression, similar to the existing snappy / push-peer-info
model: a LZ4 capable client will send IV_LZ4=1 to the server, and the
algorithm is selected by pushing "compress lz4" back.
LZ4 does not compress as well as LZO or Snappy, but needs far less CPU
and is much faster, thus better suited for mobile devices. See
https://code.google.com/p/lz4/ for more details.
LZ4 include and library path can be specified by specifying LZ4_LIBS=...
and LZ4_CFLAGS=... on the configure command line.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1388613479-22377-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8153
Upstream policy on PolarSSL API compatibility does not guarantee
stability between point-releases. For OpenVPN, we must verify a 1.2.x
version with the current codebase.
This fixes bug#343.
Signed-off-by: Josh Cepek <josh.cepek@usa.net>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <5284F32D.3000206@usa.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7968
Signed-off-by: Gert Doering <gert@greenie.muc.de>
PolarSSL 1.2.9 fixes a possible timing attack in PolarSSL's RSA-CRT
implementation. See CVE-2013-5915 for details. This commit bumps the
minimum polarssl version required by configure.ac to 1.2.10, because 1.2.9
also introduced a memory leak, which is fixed in 1.2.10.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1382445917-2974-1-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7925
Signed-off-by: Gert Doering <gert@greenie.muc.de>
In config.h, it would state:
/* Enable systemd support */
#define ENABLE_PLUGIN 1
instead of
/* Enable plug-in support */
#define ENABLE_PLUGIN 1
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1370600130-6075-1-git-send-email-dazo@users.sourceforge.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7658
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This "feature" has been enabled since OpenVPN 2.2 without any reports that
this has been causing issues. All it does is to add an extra environment
variable 'tls_digest_{n}' with the certificate SHA1 fingerprint/digest
hash.
Lets just simplify things by removing the possibility to disable this
environment variable.
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1370600123-6029-1-git-send-email-dazo@users.sourceforge.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7660
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Mac OS X 10.7+ natively supports tun devices (called utun). The "standard"
utun.ko driver is sometimes problematic (e.g. VmWare Fusion 5 and tun.ko
do not work together).
When OpenVPN is compiled with utun support it will if no dev-node is given
first try to use utun and if that is not available will try the
traditional tun devices
v2: Fixed tap support, get device name via ioctl, add manage
v3.1: Fix compiling without if/utun.h, fix manage errors
v4/v5: Don't try open to dynamically open utun0 -255 when early utun
initialization fails, fix fallback to tun, give fatal error message when
utun fails but no tun fallback should be done
v6: add commit message change log, replace strstr with strncmp, move
v7: Throw error if a user does the strange combination of --dev tun
--dev-type tap and --dev-node utun
A lot good input on earlier patches by Jonathan K. Bullard
<jkbullard@gmail.com>
Parts of the patches are inspired from Peter Sagerson's
<psagers@ignorare.net> utun patch
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Tested-by: Jonathan K. Bullard <jkbullard@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1371811708-8528-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7739
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Added support for the Snappy compression algorithm which has shown to
have considerably better compression speed than LZO at a comparable
compression ratio.
To enable Snappy add:
compress snappy
to both client and server config files.
Alternatively, enable compression framing on the client:
compress
and have the server selectively push "compress snappy" to the client.
This change also extends the client capability handshake to include
IV_SNAPPY so the server can be aware that a connecting client supports
Snappy.
Note that the Snappy implementation also includes an improved framing
approach where the first byte of the compressed payload is replaced by
the compression control byte (the first payload byte is moved to the end
of the packet). This solves off-by-one alignment issues, which improves
performance on ARM.
By default, the configure script will try to build with Snappy support.
To disable, use the --disable-snappy option.
The --enable-lzo-stub configure directive is now --enable-comp-stub
(because it's not actually "lzo" but "compression-enabled packet framing")
Add compression overhead to extra buffer unconditionally, as long
as USE_COMP is defined.
OpenVPN SVN r8206 (2.1.21a) and r8212 (2.1.21b)
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1366393268-27392-3-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7531
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When polarssl is compiled without pkcs11 support, or a required
pkcs11-helper library is missing, configure will now issue an error.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1363942465-3251-7-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7441
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Add support for PolarSSL-1.2, which has changed the API in several places.
This is a minimal port, new features have not been enabled. Only PolarSSL
1.2.5 and newer are accepted, as earlier versions contain unresolved
(security) issues.
Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com>
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Adriaan de Jong <dejong@fox-it.com>
Message-Id: <1363942465-3251-2-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7436
Signed-off-by: Gert Doering <gert@greenie.muc.de>
AM_CONFIG_HEADER has been deprecated for some time, finally it is removed
on automake 1.13. The attached patch replaces it with AC_CONFIG_HEADERS and
fixes build process with latest automake.
Acked-by: Matthias Andree <matthias.andree@gmx.de>
Message-Id: 20130108093912.7ae7c6f8@leda
URL: http://article.gmane.org/gmane.network.openvpn.devel/7222
Signed-off-by: Gert Doering <gert@greenie.muc.de>
These days it is highly unlikely that OpenVPN will be built in a non-IPv6
capable Linux environment. So remove compile-time related macros identifying
that.
This also solves an issue which was introduced in commit 51bd56f46f
where HAVE_TUN_PI is no longer detected. The tun_pi struct is defined in
linux/if_tun.h, which will be checked for later on. As this struct has history
in linux/if_tun.h all back to the beginning of the kernel git tree (2.6.12-rc2,
April 2005), it is considered not needed to check for this struct explicit.
[ v2: Commit 7c0a2b5f2b modifies some of the checks this patch touches. This
patch just adopts to those changes ]
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Alon Bar-Lev <alon.barlev@gmail.com>
Message-Id: 1335521425-23391-1-git-send-email-davids@redhat.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6351
This is required to build an Android binary.
Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: Alon Bar-Lev <alon.barlev@gmail.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
Do not rely on system symbol throught sources
but on autoconf detection.
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
Use limits.h for maximum value.
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <davids@redhat.com>
Windows and solaris has something in common, in both
the tap header is external. So make the Windows tap-windows.h
search common to all platform.
Display an error if we cannot find tap header.
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
tap-windows.h is provided by the tap project
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Acked-by: Samuli Seppänen <samuli@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
Remove all references to gettimeofday() from main project.
SIDE EFFECT: mingw will use its own internal gettimeofday().
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
compat should not use any of the main project headers or conventions,
it should be a standalone library that provides missing library
functions.
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Acked-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Acked-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
1. properly detect.
2. Link only required components.
3. No way we don't have LoadLibrary on Windows.
4. ENABLE_PLUGIN should be controlled in autoconf.
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Acked-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Acked-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
Introduce tap-windows.h which is modified tap-win32/common.h.
Except of function rename, it is the same without the tap_id.
This file should be provided as part of tap-win32 MSI.
For now we hold a copy.
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Acked-by: Samuli Seppänen <samuli@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
This patch makes openvpn read unicode from the console and convert the input
to UTF-8. And then display UTF-8 output to the console correctly.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
When trying to compile OpenVPN on RHEL5/CentOS5, it would fail
due to missing declaration of SO_MARK. SO_MARK is a feature which
first arrived in 2.6.26, and was never backported to RHEL5's 2.6.18
kernel base.
This patch adds a check at configure time, to see if SO_MARK is
available or not.
Signed-off-by: David Sommerseth <davids@redhat.com>
Visual Studio does not enable certiain standard Unix functions,
such as access(). By defining _CRT_NONSTDC_NO_WARNINGS and
_CRT_SECURE_NO_WARNINGS, these functions are enabled.
This patch also adds a ./configure check for access() as well,
in case this needs to be implemented on other platforms lacking
this feature. Which is why HAVE_ACCESS is defined in win/config.h.in
Thanks to Alon Bar-Lev for helping solving this.
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Alon Bar-Lev <alon.barlev@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
URL: http://thread.gmane.org/gmane.network.openvpn.devel/5179/focus=5200
This kicks out the openvpn_basename() function from misc.[ch] and puts
glibc equivalents into compat.[ch]. This is to provide the same
functionality on platforms not having a native basename() function
available.
In addition this patch adds dirname() which commit 0f2bc0dd92
depends. Without dirname(), openvpn won't build in Visual Studio.
v2: Move all functions from compat.h to compat.c
v3: Use glibc versions of basename() and dirname() instead
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Alon Bar-Lev <alon.barlev@gmail.com>
URL: http://thread.gmane.org/gmane.network.openvpn.devel/5178/focus=5215
Systemd requires console query to be forwarded using its own
tool.
Signed-off-by: Frederic Crozat <fcrozat@suse.com>
Acked-by: David Sommerseth <davids@redhat.com>
URL: http://thread.gmane.org/gmane.network.openvpn.devel/5073/focus=5277
Signed-off-by: David Sommerseth <davids@redhat.com>
- Crypto library
- SSL library
- PKCS#11 support
For missing features, please see README.polarssl
Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <davids@redhat.com>