Age | Commit message (Collapse) | Author |
|
Change-Id: Ic377958d303b1dcfa9d877d3a63ecf39bdff7aef
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240315170054.2368254-1-frank@lichtenheld.com>
URL: https://sourceforge.net/p/openvpn/mailman/message/58749316/
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b25c6d7e861d446b7a2e03cbcfb892d554c1ef73)
|
|
Previously, when using a third argument to --http-proxy other
than auto/auto-nct, order did matter between --http-proxy and
--http-proxy-user-pass. Always prefer --http-proxy-user-pass
when given.
Change-Id: I6f402db2fb73f1206fbc1139c47d2bf4378376fa
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240122092122.8591-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28099.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a634cc5eccd55f1d14197da7376bb819bdf72cb6)
|
|
With NTLMv2 the target information buffer can be rather large
even with normal domain setups.
In my test setup it was 152 bytes starting at offset 71.
Overall the base64 encode phase 2 response was 300 byte long.
The linked documentation has 98 bytes at offset 60. 128 byte
is clearly too low.
While here improve the error messaging, so that if the buffer
is too small at least one can determine that in the log.
Change-Id: Iefa4930cb1e8c4135056a17ceb4283fc13cc75c8
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240117094952.25938-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28052.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Completely replaced by the CMake build system now.
v2:
- rebase on top of my dist fixes
Change-Id: I807cffa40f18faa1adec4e15e84c032877a2b92e
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20230926095118.29924-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/search?l=mid&q=20230926095118.29924-1-frank@lichtenheld.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
On Linux those functions actually take void pointer,
so no behavior change there. On Windows, we avoid
warnings about unsigned char vs char.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230203191440.136050-6-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26144.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7acd93a6bef2dd9b660571c29b5f41c8ca351161)
|
|
Manually excluded ovpn_dco_win.h because it is an
imported file. ovpn_dco_linux.h is already excluded
because it still says 2021.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230110160531.81010-1-frank@lichtenheld.com>
URL: https://patchwork.openvpn.net/project/openvpn2/patch/20230110160531.81010-1-frank@lichtenheld.com/
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ccf9d57249acb9bc9a450aec3e613bda631415f5)
|
|
Signals are ordered as SIGUSR2, SIGUSR1, SIGHUP, SIGTERM, SIGINT
in increasing priority. Lower priority signals are not allowed to
overwrite higher ones.
This should fix Trac #311, #639 -- SIGTER/SIGINT lost during dns
resolution (except for the Windows-specific bug handled in previous commit).
On sending SIGTERM during dns resolution, it still takes several seconds
to terminate as the signal will get processed only after getaddrinfo times
out twice (in phase1 and phase2 inits).
Github: fixes OpenVPN/openvpn#205
Trac: #311, #639
Note: one has to still wait for address resolution to time out as
getaddrinfo() is no interruptible. But a single ctrl-C (and some
patience) is enough.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230101215109.1521549-4-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25871.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3a7257925791a086c1ac88362a8eb422be518b14)
|
|
- Do not directly update signal_received: always use register_signal()
throw_signal() or signal_reset().
To facilitate this, register_signal() now takes c->sig as an argument
instead of the context c itself, and sig_info struct is passed-in to
functions that need to set a signal.
- openvpn_getaddrinfo() is updated in a following commit as it
could benefit from some logic changes that we may or may not want
to do.
No functional changes.
TODO:
(i) update signal handling in openvpn_getaddrinfo
(ii) enforce signal priority
(iii) fix signal handling on Windows
for 2.7?
(iv) replace system-V signal with POSIX sigaction
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230101215109.1521549-2-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25874.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 05715485b45816e18b52ffb9b47ca22a55abb334)
|
|
NTLMv1 is ancient and not considered secure anymore and we are not
aware of any users or software still requiring this feature.
Additionally it currently depends on our "doing single DES using
3DES" workaround for OpenSSL (cipher_des_encrypt_ecb). So removing
NTLMv1 will also allow us to remove that workaround.
Reported-By: Trial of Bits (TOB-OVPN-7)
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221215190143.2107896-9-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25731.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e005b8d1fda1ad1e26fe0dbe7e09184a1f19b553)
|
|
Update performed by means of: dev-tools/update-copyright.sh
Cc: David Sommerseth <davids@openvpn.net>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20220125142456.18176-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23650.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
- Update the update-copyright script to include more contributors as well
as correcting a few typos
- Correct a copyright address in the source code to now used address
(dazo)
- Update copyright year to 2021
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210609213231.22576-1-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/search?l=mid&q=20210609213231.22576-1-openvpn@sf.lists.topphemmelig.net
URL: https://sourceforge.net/p/openvpn/mailman/message/37299719/
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
We (and OpenSSL) already use calling free on null pointers in a number
of places and also C99 standards says free(NULL) does nothing.
The if (x) free(x) calls more often make code harder to read, instead
of easier, remove these NULL checks in favour of directly calling
free(x).
The OpenSSL *_free methods are also safe to call with NULL and
pkcs11h_certificate_freeCertificateIdList is also safe to be called with
NULL.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20201023113431.26691-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21216.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Signed-off-by: Mykola Baibuz <mykola.baibuz@gmail.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20191014112145.251-1-mykola.baibuz@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18937.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
There are an amazing number of brackets that were either
totally missing, or have snuck up on the "for(...){"
line. Further, uncrustify wants "|" in multi-line
logical expressions now at the beginning of the new
line, and "PRIi64" now gets surrounding spaces.
Added "sp_after_semi_for_empty=Add" to uncrustify.conf
to leave a few for() statements alone that look better
the way they are.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20181130135641.11533-3-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17970.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
|
|
The autumn of 2017, OpenVPN Technologies, Inc changed name to just
OpenVPN Inc. Otherwise, extend the copyright to cover 2018 as well.
With the exception of the company name change, all changes have been
performed by the dev-tools/update-copyright.sh script.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20180131140314.11103-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16418.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
The HTTP proxy credentials are stored in a static variable that is
possibly initialized before each connection attempt.
However, the variable is never "released" therefore get_user_pass()
refuses to overwrite its content and leaves it as it is.
Consequently, if the user config contains multiple connection profiles
with different http-proxy, each having its own credentials, only the
first user/pass couple is loaded and the others are all ignored.
This leads to connection failures because the proper credentials are
not associated with the right proxy server.
The root of the misbehaviour seems to be located in the fact that,
despite the argument force passed to get_user_pass_http() being true,
no action is taken to release the static object containing the
credentials.
Fix the misbehaviour by releasing the http-proxy credential object
when the reload is "forced".
Trac: #836
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Steffan Karger <steffan@karger.me>
Tested-by: David Sommerseth <davids@openvpn.net>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20171204044907.32261-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16007.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
|
|
Functions used only in the file where they are
defined and not exported in any header, should
always defined as static in order to make the scope
clear to the compiler and the developers.
Add the static attribute where missing.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20170811090744.31750-4-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15202.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
|
|
The COPYRIGHT.GPL file was slightly out-of-sync with the last GPLv2
license from Free Software Foundation, Inc.
The changes are primarily a new address, which required touching almost
all the project files.
Except of that, it is just minor adjustments to formatting, removal of
form-feed characters and referencing "GNU Lesser General Public License"
instead of "GNU Library General Public License".
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20170329093648.10156-1-davids@openvpn.net>
URL: https://www.mail-archive.com/search?l=mid&q=20170329093648.10156-1-davids@openvpn.net
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Prevents that the client crashes if the peer does not specify
the 'realm' and/or 'nonce' values. These pointers are
dereferenced in DigestCalcHA1() and DigestCalcResponse();
hence, if not set, a null-pointer dereference would occur.
Signed-off-by: Guido Vranken <guidovranken@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1497574736-2092-1-git-send-email-gv@guidovranken.nl>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14844.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
get_proxy_authenticate() is called with a "gc" parameter which MUST
be NULL, otherwise string_alloc() will allocate memory in the gc_arena
while the caller expects the result to be durable and will do explicit
free() when no longer needed. Remove gc parameter, call string_alloc()
with "NULL" so this is clearly visible.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20170609205029.11002-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14768.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Signed-off-by: Guido Vranken <guidovranken@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <CAO5O-EL11jDxO+c1Gu0FvunqwUTW2uxjy910+A-s63Nr5O3NWw@mail.gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14758.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
We want { and } aligned, which means also adding a newline between each
for() and {, while() and {, etc.
Also, we agreed to always use braces with conditionals. The previous
uncrustify config added these for if()s, now also add these for while()
and for().
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1484403020-6857-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13875.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
|
|
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <1482350454-27280-2-git-send-email-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13653.html
|
|
This is the first commit of the big reformatting task. This
is performed by running the ./dev-tools/reformat-all.sh script.
This is based upon the v3 reformat-all.sh/uncrustify.conf version
which is now applied to git master.
Signed-off-by: David Sommerseth <davids@openvpn.net>
|
|
These options were probably introduced long before we had multiple
remote/connection entries. For all other connection entries, OpenVPN will
go on with the next connection if it fails. For proxies, if it fails in
some ways it works the same, for other failures it completely stops.
Removing the *-proxy-retry and defaulting to retry makes the behavior more
predictiable. Stopping after one try (regardless of reason) can be achieved
with --max-connect-retry 1
V2: Add reason for removing, remove from manpage, give a hint at
--max-connet-retry
V3: Collapse the two ifs in options.c to one block
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1466771230-5266-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11988
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
The inline directive http-proxy-user-pass can be used to
specify proxy credentials in config, e.g.:
http-proxy proxy.tld 3128 auto-nct
<http-proxy-user-pass>
foo
bar
</http-proxy-user-pass>
This usage is already supported by OpenVPN 3.
Signed-off-by: James Yonan <james@openvpn.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1456993146-63968-9-git-send-email-james@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11283
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
server-poll-timeout to 120s
With this change all timeouts before the first packet from the OpenVPN
server are unified into the server-poll-timeout option.
The default of 120s has been chosen to be a safe value is larger as it is
larger the sums of the old small timeouts.
V3: fix some whitespace/typos problems
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1465656195-12722-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11899
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
On many platforms (not Windows, for once), FD_SET() can write outside the
given fd_set if an fd >= FD_SETSIZE is given. To make sure we don't do
that, add an ASSERT() to error out with a clear error message when this
does happen.
This patch was inspired by remarks about FD_SET() from Sebastian Krahmer
of the SuSE Security Team.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1456996968-29472-1-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11285
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1404735142-31420-2-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8840
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
resolve the port together with the hostname.
This delays error reporting from config parsing to resolving of host
addresses. But it allows statements like
remote openvpn.example.org openvpn
port https
management localhost ntp
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1385064495-25877-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8018
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
d0cb816cf8be68359617b61a55799f6330901f6a introduced add_proxy_headers(),
passing "port" as "const char *" - but it should be an "int". As port
is not yet actually used inside add_proxy_headers(), it's just a warning.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1384526517-6020-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7973
|
|
There are some patched OpenVPN versions out there without source code
(e.g. NDMVPN) that support adding custom http header.
This patch adds custom header to OpenVPN and supports the syntax that the
"in the wild" variants use.
Patch v3 also prints all custom headers with other http options in --verb 5
Patch v4 does clean up the add_proxy_header function
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1382688143-17247-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7946
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
used in
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1366059999-31731-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7511
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
The problem is located in the file proxy.c within
"establish_http_proxy_passthru": To keep buffers small long
base64-encoded NTLM-Strings are truncated.
But the truncating is done on a wrong place: base 64 strings can be
cut every 4 chars. the buffer is 128 bytes - including the terminating
\0, so the usable data is only 127 bytes. And decoding a 127 char
base64 string fails... this is why the ntlm authentication fails in
certain cases (long strings)...
Acked-by: Joerg Willmann <joe@clnt.de>
URL: https://community.openvpn.net/openvpn/ticket/172
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Commit af1bf85a introducing the --management-query-proxy option
broke the initialization of HTTP proxy options by not assigning
the allocated object to the options element in the function
init_http_proxy_options_once().
Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: 1343639122-8658-1-git-send-email-heiko.hund@sophos.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6913
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
Make openvpn query for proxy information through the
management interface. This allows GUIs to provide (automatically
detected) proxy information on a per connection basis.
This new option supersedes the undocumented --http-proxy-fallback
option and puts the responsibilty for HTTP proxy fallback handling
to the GUI caring for such.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
Reviewed-by: James Yonan <james@openvpn.net>
Message-Id: 1342009010-9735-1-git-send-email-heiko.hund@sophos.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6841
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
WSAGetLastError() is just a wrapper for GetLastError(). So, there's
no need to differentiate between socket related and other errors.
This patch removes all special handling of socket errors in favor
of simplifying the codebase somewhat.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1342542316-32563-1-git-send-email-heiko.hund@sophos.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6876
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
During discussion on FOSDEM 2012 it was decided that proxy auto detection
is best done in the GUI as it's highly platform specific and shouldn't be
handled in openvpn itself for every supported platform in openvpn itself.
This removes --auto-proxy from openvpn.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1328446029-30523-1-git-send-email-heiko.hund@sophos.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/5333
Signed-off-by: David Sommerseth <davids@redhat.com>
|
|
Yet another step in reducing the syshead.h content.
Conditional compilation of sources needs to be based on
a minimum program prefix (config.h only).
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
|
|
Suitable for mature project.
root - administrative stuff
doc - documents
src - sources
tests - tests
distro - distro specific files
sample - samples
SIDE EFFECT: many changes to rpm spec.
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Acked-by: Adriaan de Jong <dejong@fox-it.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
|