Commits on May 19, 2014
  1. Merge tag 'v2.3.4' of https://github.com/OpenVPN/openvpn into release-v2.3.4

    hazenme committed May 19, 2014
    
    OpenVPN 2.3.4
    
    2014.04.30 -- Version 2.3.4
    Arne Schwabe (1):
          Fix man page and OCSP script: tls_serial_{n} is decimal
    
    Dmitrij Tejblum (1):
          Fix is_ipv6 in case of tap interface.
    
    Gert Doering (7):
          IPv6 address/route delete fix for Win8
          Add SSL library version reporting.
          Minor t_client.sh cleanups
          Repair --multihome on FreeBSD for IPv4 sockets.
          Rewrite manpage section about --multihome
          More IPv6-related updates to the openvpn man page.
          Conditionalize calls to print_default_gateway on !ENABLE_SMALL
    
    James Yonan (2):
          Use native strtoull() with MSVC 2013.
          When tls-version-min is unspecified, revert to original versioning approach.
    
    Steffan Karger (4):
          Change signedness of hash in x509_get_sha1_hash(), fixes compiler warning.
          Fix OCSP_check.sh to also use decimal for stdout verification.
          Fix build system to accept non-system crypto library locations for plugins.
          Make serial env exporting consistent amongst OpenSSL and PolarSSL builds.
    
    Yawning Angel (1):
          Fix SOCKSv5 method selection
    
    kangsterizer (1):
          Fix typo in sample build script to use LDFLAGS
Commits on Apr 30, 2014
  1. Preparing for release v2.3.4 (ChangeLog, version.m4)

    cron2 committed Apr 30, 2014
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
  2. Make serial env exporting consistent amongst OpenSSL and PolarSSL builds.

    syzzer authored and cron2 committed Apr 28, 2014
    
    This changes the representation of the tls_serial_{n} environment variable
    from hex to decimal for PolarSSL builds, to match OpenSSL build behaviour.
    
    Because hex representation for serials makes sense too, and to ease
    transition for PolarSSL users, added tls_serial_hex_{n} that exports the
    serial in hex representation for both crypto library backends.
    
    Signed-off-by: Steffan Karger <steffan@karger.me>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <535EB49E.5090809@karger.me>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8664
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
  3. When tls-version-min is unspecified, revert to original versioning approach.

    jamesyonan authored and cron2 committed Apr 28, 2014
    
    For OpenSSL, this means to use TLSv1_(client|server)_method rather
    than SSLv23_(client|server)_method combined with SSL_OP_NO_x flags
    for specific TLS versions to disable.
    
    For PolarSSL, this means to implicitly control the TLS version via allowed
    ciphersuites.
    
    Point out off-by-default-now setting in the openvpn(8) man page.
    
    This patch is only included in the release/2.3 branch, because it's a
    stopgap measure.  2.4 will have it on-by-default, when the remaining
    handshake problems are fully debugged and solved.
    
    Signed-off-by: James Yonan <james@openvpn.net>
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Signed-off-by: Steffan Karger <steffan@karger.me>
    Acked-by: James Yonan <james@openvpn.net>
    Message-Id: <535EC5FE.6060302@karger.me>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8665
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
  4. Conditionalize calls to print_default_gateway on !ENABLE_SMALL

    cron2 committed Apr 29, 2014
    Calls to print_default_gateway() depended on #ifdef ENABLE_DEBUG, but
    the actual function wasn't compiled in #ifdef ENABLE_SMALL, so the
    combination "configure --enable-small --enable-debug" didn't work. Fix.
    
    Fix trac #397
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Steffan Karger <steffan.karger@fox-it.com>
    Message-Id: <1398805779-29376-1-git-send-email-gert@greenie.muc.de>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8670
    (cherry picked from commit c29e08a2f33234fb705a8323c0d9e1e07b0773fd)
Commits on Apr 29, 2014
  1. Fix is_ipv6 in case of tap interface.

    tejblum authored and cron2 committed Feb 8, 2014
    While checking a packet on a TAP interface, is_ipv_X() in proto.c
    insists that the ethertype must be OPENVPN_ETH_P_IPV4, even if
    the protocol is IPv6. So the protocol never matches and, thus,
    mssfix doesn't work for IPv6 on TAP interface. Fix that.
    
    Signed-off-by: Dmitrij Tejblum <dt@yandex.ru>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <1391873629-14388-1-git-send-email-dt@yandex.ru>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8259
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    (cherry picked from commit db037c20086587a609ef33127c15de080270f2cb)
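The commit above describes a classification bug, not a memory-safety one, but its effect matters operationally: a frame that is never recognised as IPv6 never gets its TCP MSS clamped, so IPv6 TCP sessions over a TAP tunnel can silently hit path-MTU problems. The following is an added illustration, not OpenVPN's proto.c: it shows the old check (the IPv6 path demanding the IPv4 EtherType) next to the corrected one, on constructed sample frames. The EtherType values are the public IANA constants; that OpenVPN's OPENVPN_ETH_P_IPV4/IPV6 carry the same values is an assumption stated in the comments.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Public EtherType values (IANA). OpenVPN's proto.h names these
 * OPENVPN_ETH_P_IPV4 / OPENVPN_ETH_P_IPV6 (assumed to hold the same values). */
#define ETH_P_IPV4   0x0800
#define ETH_P_IPV6   0x86DD
#define ETH_HDR_LEN  14      /* dst MAC (6) + src MAC (6) + EtherType (2) */

enum ip_version { IP_NONE = 0, IP_V4 = 4, IP_V6 = 6 };

/* EtherType is transmitted big-endian at offset 12 of the frame. */
static uint16_t eth_type(const uint8_t *frame)
{
    return (uint16_t)((frame[12] << 8) | frame[13]);
}

/* Behaviour the commit fixes: the IPv6 test also demanded EtherType 0x0800,
 * so no IPv6 frame on a TAP interface could ever match. */
enum ip_version classify_tap_frame_buggy(const uint8_t *frame, size_t len)
{
    if (len < (size_t)ETH_HDR_LEN + 1)
        return IP_NONE;
    if (eth_type(frame) != ETH_P_IPV4)      /* wrong EtherType for IPv6 */
        return IP_NONE;
    uint8_t ver = frame[ETH_HDR_LEN] >> 4;  /* IP version nibble */
    if (ver == 4)
        return IP_V4;
    if (ver == 6)
        return IP_V6;                       /* unreachable: rejected above */
    return IP_NONE;
}

/* Fixed behaviour: each protocol is matched against its own EtherType,
 * and the version nibble in the IP header has to agree with it. */
enum ip_version classify_tap_frame(const uint8_t *frame, size_t len)
{
    if (len < (size_t)ETH_HDR_LEN + 1)
        return IP_NONE;
    uint16_t type = eth_type(frame);
    uint8_t ver = frame[ETH_HDR_LEN] >> 4;
    if (type == ETH_P_IPV4 && ver == 4)
        return IP_V4;
    if (type == ETH_P_IPV6 && ver == 6)
        return IP_V6;
    return IP_NONE;                         /* unknown or inconsistent frame */
}

/* Constructed sample frames: Ethernet header plus the first byte of the
 * IP header (version nibble 4 or 6). MAC addresses are arbitrary. */
const uint8_t SAMPLE_V4[15]       = {0,1,2,3,4,5, 6,7,8,9,10,11, 0x08,0x00, 0x45};
const uint8_t SAMPLE_V6[15]       = {0,1,2,3,4,5, 6,7,8,9,10,11, 0x86,0xDD, 0x60};
const uint8_t SAMPLE_MISMATCH[15] = {0,1,2,3,4,5, 6,7,8,9,10,11, 0x86,0xDD, 0x45};

int main(void)
{
    printf("v4 frame: buggy=%d fixed=%d\n",
           classify_tap_frame_buggy(SAMPLE_V4, sizeof SAMPLE_V4),
           classify_tap_frame(SAMPLE_V4, sizeof SAMPLE_V4));
    printf("v6 frame: buggy=%d fixed=%d\n",
           classify_tap_frame_buggy(SAMPLE_V6, sizeof SAMPLE_V6),
           classify_tap_frame(SAMPLE_V6, sizeof SAMPLE_V6));
    return 0;
}
```

The mismatched frame (IPv6 EtherType carrying a version-4 header) is rejected by the corrected function; checking both fields is what keeps a later MSS rewrite from operating on a header that is not where the EtherType says it is.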
Commits on Apr 27, 2014
  1. Fix build system to accept non-system crypto library locations for plugins.

    syzzer authored and cron2 committed Apr 21, 2014
    
    Flags like {OPEN,POLAR}SSL_CFLAGS were used by the core build, but not by
    the plugins. However, all plugins include openvpn-plugin.h, which needs
    crypto/ssl headers.
    
    Signed-off-by: Steffan Karger <steffan@karger.me>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <1398080238-19662-1-git-send-email-steffan@karger.me>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8576
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    (cherry picked from commit ea31bc680fc83946b2cc8d0c93544a1ab2a01d63)
  2. More IPv6-related updates to the openvpn man page.

    cron2 committed Apr 26, 2014
    Point to correct kernel version for --multihome and IPv4-mapped
    addresses (3.15, Tore Anderson).
    
    Remove old reference to http://www.greenie.net/ from the IPv6 section,
    as the code and documentation in here is more current than on that site.
    Some more additions and clarifications.
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Tore Anderson <tore@fud.no>
    Message-Id: <1398511854-3609-1-git-send-email-gert@greenie.muc.de>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8642
    (cherry picked from commit 2a97e69e71d4afb9c32268890e13db19cb73196b)
  3. Fix OCSP_check.sh to also use decimal for stdout verification.

    syzzer authored and cron2 committed Apr 27, 2014
    This is an extra fix needed on top of 959d607, which already changes the
    serial parameter to correctly use decimal representation.
    
    Signed-off-by: Steffan Karger <steffan@karger.me>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <1398588561-18964-2-git-send-email-steffan@karger.me>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8650
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    (cherry picked from commit 6ea78cbef6367590567156a20106c620fec224c9)
  4. Change signedness of hash in x509_get_sha1_hash(), fixes compiler warning.

    syzzer authored and cron2 committed Apr 27, 2014
    
    hash was cast from char * to unsigned char * at the return of the function.
    This patch removes the implicit cast by declaring hash as unsigned char * .
    
    Signed-off-by: Steffan Karger <steffan@karger.me>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <1398585348-7969-1-git-send-email-steffan@karger.me>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8647
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    (cherry picked from commit d4309c21d9cde43c777985e373242afa78afefa1)
Commits on Apr 25, 2014
  1. Rewrite manpage section about --multihome

    cron2 committed Apr 25, 2014
    Part of the information was confusing, part was outdated, and part was
    just not making sense.  Pointed out in trac#348.
    
    Also add note about Linux IPv4-mapped issues as per trac#306.
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <1398453555-19706-1-git-send-email-gert@greenie.muc.de>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8635
    (cherry picked from commit abe18c69a61b42e5ac68b77f66198fc15be99e31)
  2. Repair --multihome on FreeBSD for IPv4 sockets.

    cron2 committed Jan 19, 2014
    The code in link_socket_write_udp_posix_sendmsg() for the IP_RECVDESTADDR
    case was sending a too-large control message (sizeof openvpn_pktinfo,
    which is a union for IPv4+IPv6) instead of just openvpn_in4_pktinfo,
    leading to sendmsg() refusing to send the packet.
    
    Use RFC 2292 macros for alignment + size calculation.
    
    Fix trac#327
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Lazy-Ack-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <1390164697-1590-1-git-send-email-gert@greenie.muc.de>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8250
    (cherry picked from commit 661d914c8732a208580b1eab167255c85da162c9)
  3. Fix man page and OCSP script: tls_serial_{n} is decimal

    schwabe authored and cron2 committed Mar 28, 2014
    Commit 7d5e26c fixed extracting serial but did not change the format,
    which always has been decimal. This patch fixes the manpage and
    OCSP.sh script to conform with the implementation.
    Acked-by: James Yonan <james@openvpn.net>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <1396001222-5033-1-git-send-email-arne@rfc2549.org>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8409
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    (cherry picked from commit 959d60789b6f0bd74296600f58f626cfa9738f78)
  4. openvpn: Fix paths for Android

    hazenme committed Apr 25, 2014
    Fixes location of /dev/tun and /system/xbin/iptables /system/bin/ip and /system/bin/route
  5. openvpn: Fix build

    hazenme committed Apr 25, 2014
Commits on Apr 21, 2014
  1. Minor t_client.sh cleanups

    cron2 committed Apr 20, 2014
    - remove built tests/t_client.sh script on "make clean"
    - ignore Linux iproute2 "ssthresh <n>" output that sometimes shows up
      in "ip -6 route show" and breaks before/after comparison
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <1398019261-30180-1-git-send-email-gert@greenie.muc.de>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8557
    (cherry picked from commit 1e3a1786a80e4afac37133ce5d6a1dcff779a4ce)
  2. Use native strtoull() with MSVC 2013.

    jamesyonan authored and cron2 committed Apr 21, 2014
    MSVC 2013 C library now defines strtoull() function,
    so use the native implementation when available.
    
    Signed-off-by: James Yonan <james@openvpn.net>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <1398064204-26476-3-git-send-email-james@openvpn.net>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8561
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    (cherry picked from commit 6b8e2f4a8143a7260a06b6999dcb21c4c72fc620)
Commits on Apr 18, 2014
  1. Add SSL library version reporting.

    cron2 committed Apr 13, 2014
    Print the version of the SSL and LZO library (if any) used.
    
    SSL library version is also sent as IV_SSL=<version> to the server if
    --push-peer-info is enabled.
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Steffan Karger <steffan.karger@fox-it.com>
    Message-Id: <20140416152456.GI16637@greenie.muc.de>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8537
    (cherry picked from commit 1ec984b154aa3247ef58c9d44e7e477880b632b1)
Commits on Apr 13, 2014
  1. IPv6 address/route delete fix for Win8

    cron2 committed Apr 13, 2014
    Use "store=active" for IPv6 address and route deletion - seems to be
    required on Windows 8 and up, and not doing it will break OpenVPN
    reconnection (old addresses are not properly deleted, thus address can
    not be configured on connect).
    
    Reported-by: Cedric <cedric+openvpn@bgtn.net>
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Cedric Tabary <cedric+openvpn@bgtn.net>
    Message-Id: <20140413170648.GU16637@greenie.muc.de>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8499
    (cherry picked from commit 4b4fac9184fcea1eab4f4223309211780cee188a)
  2. Fix SOCKSv5 method selection

    Yawning Angel authored and cron2 committed Mar 10, 2014
    So, RFC 1928 doesn't say anything about the METHODS field in the Method
    Selection message being ordered in terms of preference or anything, and
    the server is free to pick any of the METHODS offered by the client.
    
    Always sending a Method Selection message with NO AUTHENTICATION REQUIRED
    and USERNAME/PASSWORD set is broken on two fronts:
    
     * If the OpenVPN client can't handle the server picking USERNAME/PASSWORD
       due to the credentials being missing, it shouldn't offer it to the
       server.
    
     * If the OpenVPN client has credentials, then it should always attempt to
       authenticate.  This is a security product.  "You can misconfigure it and
       it will work" is not acceptable.  Setting a username/password when the
       SOCKS server doesn't require/support that as an option is the user not
       configuring it correctly, and should be treated as such.
    
    Also verify that the SOCKS server returned the auth that was requested.
    
    URL: OpenVPN/openvpn#14
    Fix trac #377, trac #148
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <20140413130102.GR16637@greenie.muc.de>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8488
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    (cherry picked from commit 2903eba5dfe35c981329a833845e24de3882161a)
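The Method Selection exchange the commit message reasons about, as an added example that is not OpenVPN's socks.c: a legacy request builder that always offers both methods, the corrected builder that offers only the one method the client can complete, a constructed server side that (as RFC 1928 permits) picks whichever offered method it prefers, and the reply check that the commit adds. All function names are hypothetical; the method numbers are the RFC 1928/1929 values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Method identifiers from RFC 1928 section 3 (0x02 is defined by RFC 1929). */
#define SOCKS5_VERSION       0x05
#define SOCKS_NO_AUTH        0x00   /* NO AUTHENTICATION REQUIRED */
#define SOCKS_USER_PASS      0x02   /* USERNAME/PASSWORD */
#define SOCKS_NO_ACCEPTABLE  0xFF

/* Pre-fix behaviour described in the commit: both methods are always offered,
 * whether or not credentials are configured. Message is VER|NMETHODS|METHODS. */
size_t socks5_build_request_legacy(uint8_t out[4])
{
    out[0] = SOCKS5_VERSION;
    out[1] = 2;                 /* NMETHODS */
    out[2] = SOCKS_NO_AUTH;
    out[3] = SOCKS_USER_PASS;
    return 4;
}

/* Fixed behaviour: offer exactly the one method the client can complete.
 * With credentials configured the client insists on authenticating, so
 * NO AUTH is not offered; without them USERNAME/PASSWORD is not offered. */
size_t socks5_build_request(bool have_credentials, uint8_t out[4])
{
    out[0] = SOCKS5_VERSION;
    out[1] = 1;
    out[2] = have_credentials ? SOCKS_USER_PASS : SOCKS_NO_AUTH;
    return 3;
}

/* Constructed server side: RFC 1928 lets the server pick any offered method,
 * so this one returns its preferred method if offered, else 0xFF. */
void socks5_server_select(const uint8_t *req, size_t len, uint8_t preferred, uint8_t reply[2])
{
    reply[0] = SOCKS5_VERSION;
    reply[1] = SOCKS_NO_ACCEPTABLE;
    if (len < 2 || req[0] != SOCKS5_VERSION || len < (size_t)2 + req[1])
        return;
    for (size_t i = 0; i < req[1]; i++) {
        if (req[2 + i] == preferred) {
            reply[1] = preferred;
            return;
        }
    }
}

/* Client-side check the commit adds: the server must have selected the method
 * that was actually requested. Returns 0 on success, -1 otherwise. */
int socks5_check_reply(bool have_credentials, const uint8_t *reply, size_t len)
{
    if (len < 2 || reply[0] != SOCKS5_VERSION)
        return -1;
    uint8_t expected = have_credentials ? SOCKS_USER_PASS : SOCKS_NO_AUTH;
    return reply[1] == expected ? 0 : -1;
}

/* Full method-selection exchange with the fixed client. */
int socks5_exchange(bool have_credentials, uint8_t server_preferred)
{
    uint8_t req[4], reply[2];
    size_t n = socks5_build_request(have_credentials, req);
    socks5_server_select(req, n, server_preferred, reply);
    return socks5_check_reply(have_credentials, reply, sizeof reply);
}

/* Same exchange with the legacy client, which accepted whatever came back.
 * Returns the method the server chose, so the caller can see the client being
 * committed to USERNAME/PASSWORD without holding any credentials. */
uint8_t socks5_exchange_legacy(uint8_t server_preferred)
{
    uint8_t req[4], reply[2];
    size_t n = socks5_build_request_legacy(req);
    socks5_server_select(req, n, server_preferred, reply);
    return reply[1];
}

int main(void)
{
    printf("fixed client, creds, server wants user/pass: %d\n",
           socks5_exchange(true, SOCKS_USER_PASS));
    printf("fixed client, no creds, server wants user/pass: %d\n",
           socks5_exchange(false, SOCKS_USER_PASS));
    printf("legacy client, no creds, server wants user/pass: method 0x%02x\n",
           socks5_exchange_legacy(SOCKS_USER_PASS));
    return 0;
}
```

Two of the exchanges fail on purpose. A client without credentials facing a server that insists on USERNAME/PASSWORD now gets a clean 0xFF rejection instead of being committed to a sub-negotiation it cannot finish, and a client with credentials whose server answers NO AUTH fails the reply check, which is the commit's point that silently skipping authentication when the user configured it is a misconfiguration rather than a success.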
  3. Fix typo in sample build script to use LDFLAGS

    kangsterizer authored and cron2 committed Apr 13, 2014
    Came in as github pull request #15
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-By: Arne Schwabe <arne@rfc2549.org>
    (cherry picked from commit a95358af543b9106f4ef481e4556d1d03459d058)
Commits on Apr 8, 2014
  1. Preparing for v2.3.3 (ChangeLog, version.m4)

    cron2 committed Apr 8, 2014
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commits on Mar 23, 2014
  1. Add openssl-specific common cipher list names to ssl.c.

    syzzer authored and cron2 committed Mar 1, 2014
    This adds a number of commonly used cipher list names to ssl.c, which makes
    OpenVPN not give a "translation not found" warning when using these.
    
    Signed-off-by: Steffan Karger <steffan@karger.me>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <1393684575-28112-2-git-send-email-steffan@karger.me>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8316
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    (cherry picked from commit 0146fd00c3bd70a470290be7be27ee75db2db63b)
  2. Workaround missing SSL_OP_NO_TICKET in earlier OpenSSL versions

    cron2 committed Mar 23, 2014
    058e889 introduced using SSL_OP_NO_TICKET, leading to build failures on
    systems that could build 2.3.2 fine.  Inside the 2.3 release train, we
    do not want to change requirements, so for those build environments, ignore
    missing SSL_OP_NO_TICKET.  2.4 will require more recent OpenSSL, though.
    
    Acked-by: Steffan Karger <steffan.karger@fox-it.com>
    Message-Id: <20140322183508.GZ16637@greenie.muc.de>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8384
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commits on Mar 17, 2014
  1. Set SSL_OP_NO_TICKET flag in SSL context for OpenSSL builds, to disable TLS stateless session resumption.

    jamesyonan authored and cron2 committed Mar 17, 2014
    
    OpenVPN doesn't want or need SSL session renegotiation or
    resumption, as it handles renegotiation on its own.
    
    For this reason, OpenVPN always disables the SSL session cache:
    
    SSL_CTX_set_session_cache_mode (ctx, SSL_SESS_CACHE_OFF)
    
    However, even with the above code, stateless session resumption
    is still possible unless explicitly disabled with the
    SSL_OP_NO_TICKET flag.  This patch does this.
    
    Acked-by: Steffan Karger <steffan.karger@fox-it.com>
    Message-Id: <1395017376-24554-1-git-send-email-james@openvpn.net>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8346
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    (cherry picked from commit 25f4d4b49bff342fd9dd54cd22f14c9de49e9f8b)
  2. Introduce safety check for http proxy options

    schwabe authored and cron2 committed Mar 17, 2014
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <1395061013-1802-1-git-send-email-arne@rfc2549.org>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8353
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    (cherry picked from commit 087b510365d9aad8f656a8fb0cc07d51511be9d0)
Commits on Jan 23, 2014
  1. Fix "." in description of utun.

    Thomas Veerman authored and cron2 committed Jan 23, 2014
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    (cherry picked from commit 66ff10ef5197b6c70429a15e572aeb2d4073b470)
Commits on Jan 16, 2014
  1. Replace copied structure elements with including <net/route.h>

    cron2 committed Jan 13, 2014
    The code for FreeBSD, Dragonfly, OpenBSD and NetBSD contained copies
    of structures from <net/route.h> (struct rt_msghdr in particular).
    
    OpenBSD changed some structure elements, making OpenVPN incompatible,
    depending on the specific OpenBSD version.  Clean up: remove copied
    definitions, replace by including <net/route.h> directly - this could
    not be done originally due to a conflict with "struct route" in OpenVPN
    and <net/route.h>, cleaned up by the previous commit.
    
    Tested on FreeBSD 9.1-RELEASE, NetBSD 5.1, OpenBSD 4.9 (route.c compiles
    with no warnings, and "openvpn --show-gateway" works, which is the only
    part of the code that uses the structures in question).
    
    Fix trac #340
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <1389650074-18455-2-git-send-email-gert@greenie.muc.de>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8230
    (cherry picked from commit 615fb9ef36310f85fd6171301128a12740444455)
  2. Rename 'struct route' to 'struct route_ipv4'

    cron2 committed Jan 13, 2014
    To fix trac #340, we need to rename our "struct route" to avoid a
    collision with "struct route" from <net/route.h> on *BSD.
    
    No functional changes.
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <1389650074-18455-1-git-send-email-gert@greenie.muc.de>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8231
    (cherry picked from commit b57e005b8f232760081875937a53e8e7d235faa6)
Commits on Jan 12, 2014
  1. Document issue with --chroot, /dev/urandom and PolarSSL.

    cron2 committed Jan 11, 2014
    See trac#218
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Steffan Karger <steffan.karger@fox-it.com>
    Message-Id: <1389441036-12538-1-git-send-email-gert@greenie.muc.de>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8213
    (cherry picked from commit b238a1f2d4b2cdcfc844689b33fd3ac43ed31c1c)
Commits on Jan 9, 2014
  1. Reduce IV_OPENVPN_GUI_VERSION= to IV_GUI_VER=

    cron2 committed Jan 9, 2014
    Use shorter variable name to signal the same thing (see f3a2cd255a3bc73)
    to save space in the buffer used by the collective IV_ info sent to server.
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <1389296891-1487-1-git-send-email-gert@greenie.muc.de>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8183
    (cherry picked from commit 7efaca734b8d633441ec3d7def2a2768864dedcf)
  2. Make code and documentation for --remote-random-hostname consistent.

    cron2 committed Nov 17, 2013
    Documentation examples, description and code were disagreeing on what
    this option actually does.  Now they will all agree that it will
    *prepend* a random-byte string to the hostname name before resolving
    to work around DNS caching (needs a "*" wildcard record in the zone).
    
    Fix trac #143
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <1384698620-27946-1-git-send-email-gert@greenie.muc.de>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/7999
    (cherry picked from commit 7de8f3f322c1a1c13022a0243267624930dac5c9)