Commit 4d0c7788 authored by Alberto Gonzalez Iniesta

Merge tag 'upstream/2.3.5'

Upstream version 2.3.5
parents 52a3e3b0 63862ed1
OpenVPN Change Log
Copyright (C) 2002-2012 OpenVPN Technologies, Inc. <sales@openvpn.net>
Copyright (C) 2002-2014 OpenVPN Technologies, Inc. <sales@openvpn.net>
2014.10.24 -- Version 2.3.5
Andris Kalnozols (2):
Fix some typos in the man page.
Do not upcase x509-username-field for mixed-case arguments.
Arne Schwabe (1):
Fix server routes not working in topology subnet with --server [v3]
David Sommerseth (4):
Improve error reporting on file access to --client-config-dir and --ccd-exclusive
Don't let openvpn_popen() keep zombies around
Add systemd unit file for OpenVPN
systemd: Use systemd functions to consider systemd availability
Gert Doering (3):
Drop incoming fe80:: packets silently now.
Fix t_lpback.sh platform-dependent failures
Call init script helpers with explicit path (./)
Heiko Hund (1):
refine assertion to allow other modes than CBC
Hubert Kario (2):
ocsp_check - signature verification and cert staus results are separate
ocsp_check - double check if ocsp didn't report any errors in execution
James Bekkema (1):
Fix socket-flag/TCP_NODELAY on Mac OS X
James Yonan (6):
Fixed several instances of declarations after statements.
In socket.c, fixed issue where uninitialized value (err) is being passed to to gai_strerror.
Explicitly cast the third parameter of setsockopt to const void * to avoid warning.
MSVC 2008 doesn't support dimensioning an array with a const var nor using %z as a printf format specifier.
Define PATH_SEPARATOR for MSVC builds.
Fixed some compile issues with show_library_versions()
Jann Horn (1):
Remove quadratic complexity from openvpn_base64_decode()
Mike Gilbert (1):
Add configure check for the path to systemd-ask-password
Philipp Hagemeister (2):
Add topology in sample server configuration file
Implement on-link route adding for iproute2
Samuel Thibault (1):
Ensure that client-connect files are always deleted
Steffan Karger (13):
Remove function without effect (cipher_ok() always returned true).
Remove unneeded wrapper functions in crypto_openssl.c
Fix bug that incorrectly refuses oid representation eku's in polar builds
Update README.polarssl
Rename ALLOW_NON_CBC_CIPHERS to ENABLE_OFB_CFB_MODE, and add to configure.
Add proper check for crypto modes (CBC or OFB/CFB)
Improve --show-ciphers to show if a cipher can be used in static key mode
Extend t_lpback tests to test all ciphers reported by --show-ciphers
Don't exit daemon if opening or parsing the CRL fails.
Fix typo in cipher_kt_mode_{cbc, ofb_cfb}() doxygen.
Fix regression with password protected private keys (polarssl)
ssl_polarssl.c: fix includes and make casts explicit
Remove unused variables from ssl_verify_openssl.c extract_x509_extension()
TDivine (1):
Fix "code=995" bug with windows NDIS6 tap driver.
2014.04.30 -- Version 2.3.4
Arne Schwabe (1):
......
......@@ -335,6 +335,7 @@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@
OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@
OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@
OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@
OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
......@@ -363,6 +364,7 @@ SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SOCKETS_LIBS = @SOCKETS_LIBS@
STRIP = @STRIP@
SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@
TAP_CFLAGS = @TAP_CFLAGS@
TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@
TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@
......@@ -403,6 +405,8 @@ infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
libexecdir = @libexecdir@
libsystemd_CFLAGS = @libsystemd_CFLAGS@
libsystemd_LIBS = @libsystemd_LIBS@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
......
......@@ -7,7 +7,7 @@ To Build and Install,
make
make install
This version depends on at least PolarSSL v1.1.
This version depends on PolarSSL 1.2 (and requires at least 1.2.10).
*************************************************************************
......@@ -17,12 +17,10 @@ in the PolarSSL version of OpenVPN:
* PKCS#12 file support
* --capath support - Loading certificate authorities from a directory
* Windows CryptoAPI support
* Management external key support
* X.509 alternative username fields (must be "CN")
Plugin/Script features:
* X.509 Serial number is in hex, not decimal as with OpenSSL
* X.509 subject line has a different format than the OpenSSL subject line
* X.509 certificate export does not work
* X.509 certificate tracking
......@@ -253,6 +253,7 @@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@
OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@
OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@
OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@
OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
......@@ -281,6 +282,7 @@ SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SOCKETS_LIBS = @SOCKETS_LIBS@
STRIP = @STRIP@
SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@
TAP_CFLAGS = @TAP_CFLAGS@
TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@
TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@
......@@ -321,6 +323,8 @@ infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
libexecdir = @libexecdir@
libsystemd_CFLAGS = @libsystemd_CFLAGS@
libsystemd_LIBS = @libsystemd_LIBS@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
......
......@@ -254,6 +254,7 @@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@
OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@
OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@
OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@
OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
......@@ -282,6 +283,7 @@ SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SOCKETS_LIBS = @SOCKETS_LIBS@
STRIP = @STRIP@
SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@
TAP_CFLAGS = @TAP_CFLAGS@
TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@
TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@
......@@ -322,6 +324,8 @@ infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
libexecdir = @libexecdir@
libsystemd_CFLAGS = @libsystemd_CFLAGS@
libsystemd_LIBS = @libsystemd_LIBS@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
......
......@@ -197,6 +197,7 @@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@
OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@
OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@
OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@
OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
......@@ -225,6 +226,7 @@ SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SOCKETS_LIBS = @SOCKETS_LIBS@
STRIP = @STRIP@
SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@
TAP_CFLAGS = @TAP_CFLAGS@
TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@
TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@
......@@ -265,6 +267,8 @@ infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
libexecdir = @libexecdir@
libsystemd_CFLAGS = @libsystemd_CFLAGS@
libsystemd_LIBS = @libsystemd_LIBS@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
......
......@@ -76,6 +76,9 @@
#define HAVE_OPENSSL_ENGINE 1
#define PATH_SEPARATOR '\\'
#define PATH_SEPARATOR_STR "\\"
#ifndef __cplusplus
#define inline __inline
#endif
......
......@@ -60,6 +60,9 @@
/* Enable multi-homed UDP server capability */
#undef ENABLE_MULTIHOME
/* Enable OFB and CFB cipher modes */
#undef ENABLE_OFB_CFB_MODE
/* Allow --askpass and --auth-user-pass passwords to be read from a file */
#undef ENABLE_PASSWORD_SAVE
......@@ -90,7 +93,7 @@
/* Enable strict options check between peers */
#undef ENABLE_STRICT_OPTIONS_CHECK
/* Enable systemd support */
/* Enable systemd integration */
#undef ENABLE_SYSTEMD
/* Enable --x509-username-field feature */
......@@ -394,6 +397,9 @@
/* Define to 1 if you have the `res_init' function. */
#undef HAVE_RES_INIT
/* Define to 1 if you have the `sd_booted' function. */
#undef HAVE_SD_BOOTED
/* Define to 1 if you have the `select' function. */
#undef HAVE_SELECT
......@@ -472,6 +478,9 @@
/* Define to 1 if you have the `system' function. */
#undef HAVE_SYSTEM
/* Define to 1 if you have the <systemd/sd-daemon.h> header file. */
#undef HAVE_SYSTEMD_SD_DAEMON_H
/* Define to 1 if you have the <sys/epoll.h> header file. */
#undef HAVE_SYS_EPOLL_H
......@@ -629,6 +638,9 @@
/* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS
/* Path to systemd-ask-password tool */
#undef SYSTEMD_ASK_PASSWORD_PATH
/* The tap-windows id */
#undef TAP_WIN_COMPONENT_ID
......
......@@ -60,6 +60,13 @@ AC_ARG_ENABLE(
[enable_crypto="yes"]
)
AC_ARG_ENABLE(
[ofb-cfb],
[AS_HELP_STRING([--enable-ofb-cfb], [enable support for OFB and CFB cipher modes @<:@default=yes@:>@])],
,
[enable_crypto_ofb_cfb="yes"]
)
AC_ARG_ENABLE(
[ssl],
[AS_HELP_STRING([--disable-ssl], [disable SSL support for TLS-based key exchange @<:@default=yes@:>@])],
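Review bot: The help string for the new ofb-cfb switch advertises --enable-ofb-cfb while stating default=yes, so ./configure --help lists the form that changes nothing. The --disable-ssl entry directly below uses the disable form for a default-on feature. Suggest AS_HELP_STRING([--disable-ofb-cfb], [disable support for OFB and CFB cipher modes @<:@default=yes@:>@]) so that the way to turn these modes off is the one that is documented.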
......@@ -350,15 +357,18 @@ AC_ARG_VAR([IPROUTE], [full path to ip utility])
AC_ARG_VAR([NETSTAT], [path to netstat utility]) # tests
AC_ARG_VAR([MAN2HTML], [path to man2html utility])
AC_ARG_VAR([GIT], [path to git utility])
AC_ARG_VAR([SYSTEMD_ASK_PASSWORD], [path to systemd-ask-password utility])
AC_PATH_PROGS([IFCONFIG], [ifconfig],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
AC_PATH_PROGS([ROUTE], [route],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
AC_PATH_PROGS([IPROUTE], [ip],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
AC_PATH_PROGS([SYSTEMD_ASK_PASSWORD], [systemd-ask-password],, [$PATH:/usr/local/bin:/usr/bin:/bin])
AC_CHECK_PROGS([NETSTAT], [netstat], [netstat], [$PATH:/usr/local/sbin:/usr/sbin:/sbin:/etc]) # tests
AC_CHECK_PROGS([MAN2HTML], [man2html])
AC_CHECK_PROGS([GIT], [git]) # optional
AC_DEFINE_UNQUOTED([IFCONFIG_PATH], ["$IFCONFIG"], [Path to ifconfig tool])
AC_DEFINE_UNQUOTED([IPROUTE_PATH], ["$IPROUTE"], [Path to iproute tool])
AC_DEFINE_UNQUOTED([ROUTE_PATH], ["$ROUTE"], [Path to route tool])
AC_DEFINE_UNQUOTED([SYSTEMD_ASK_PASSWORD_PATH], ["$SYSTEMD_ASK_PASSWORD"], [Path to systemd-ask-password tool])
#
# Libtool
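Review bot: AC_PATH_PROGS([SYSTEMD_ASK_PASSWORD], ...) is called with an empty value-if-not-found argument and the AC_DEFINE_UNQUOTED that follows is unconditional, so on a build host without the tool SYSTEMD_ASK_PASSWORD_PATH is compiled in as an empty string. Since this path names the program that will be run to ask for passwords, configure should stop with AC_MSG_ERROR when systemd support is requested and the tool was not found, or the C side should test for an empty path before executing it. The search list also starts with the builder's $PATH, so the absolute path baked into the binary depends on the build environment; packagers should pin it through the SYSTEMD_ASK_PASSWORD variable declared by AC_ARG_VAR.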
......@@ -890,6 +900,31 @@ if test "${have_lzo}" = "yes"; then
CFLAGS="${saved_CFLAGS}"
fi
dnl
dnl Check for systemd
dnl
if test "$enable_systemd" = "yes" ; then
PKG_CHECK_MODULES([libsystemd], [systemd libsystemd],
[],
[PKG_CHECK_MODULES([libsystemd], [libsystemd-daemon])]
)
AC_CHECK_HEADERS(systemd/sd-daemon.h,
,
[
AC_MSG_ERROR([systemd development headers not found.])
])
saved_LIBS="${LIBS}"
LIBS="${LIBS} ${libsystemd_LIBS}"
AC_CHECK_FUNCS([sd_booted], [], [AC_MSG_ERROR([systemd library is missing sd_booted()])])
OPTIONAL_SYSTEMD_LIBS="${libsystemd_LIBS}"
AC_DEFINE(ENABLE_SYSTEMD, 1, [Enable systemd integration])
LIBS="${saved_LIBS}"
fi
AC_MSG_CHECKING([git checkout])
GIT_CHECKOUT="no"
if test -n "${GIT}" -a -d "${srcdir}/.git"; then
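Review bot: In the systemd check only LIBS is saved and extended with ${libsystemd_LIBS}; ${libsystemd_CFLAGS} returned by PKG_CHECK_MODULES is never added to CFLAGS or CPPFLAGS before AC_CHECK_HEADERS(systemd/sd-daemon.h), and no CFLAGS counterpart is exported next to OPTIONAL_SYSTEMD_LIBS. With headers installed outside the default include path the header test fails even though pkg-config found the module. Suggest saving CFLAGS, appending ${libsystemd_CFLAGS} for the header and sd_booted checks, restoring it afterwards, and substituting a CFLAGS variable for the compile step.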
......@@ -930,7 +965,6 @@ test "${enable_def_auth}" = "yes" && AC_DEFINE([ENABLE_DEF_AUTH], [1], [Enable d
test "${enable_pf}" = "yes" && AC_DEFINE([ENABLE_PF], [1], [Enable internal packet filter])
test "${enable_strict_options}" = "yes" && AC_DEFINE([ENABLE_STRICT_OPTIONS_CHECK], [1], [Enable strict options check between peers])
test "${enable_password_save}" = "yes" && AC_DEFINE([ENABLE_PASSWORD_SAVE], [1], [Allow --askpass and --auth-user-pass passwords to be read from a file])
test "${enable_systemd}" = "yes" && AC_DEFINE([ENABLE_SYSTEMD], [1], [Enable systemd support])
case "${with_crypto_library}" in
openssl)
......@@ -962,6 +996,7 @@ fi
if test "${enable_crypto}" = "yes"; then
test "${have_crypto_crypto}" != "yes" && AC_MSG_ERROR([${with_crypto_library} crypto is required but missing])
test "${enable_crypto_ofb_cfb}" = "yes" && AC_DEFINE([ENABLE_OFB_CFB_MODE], [1], [Enable OFB and CFB cipher modes])
OPTIONAL_CRYPTO_CFLAGS="${OPTIONAL_CRYPTO_CFLAGS} ${CRYPTO_CRYPTO_CFLAGS}"
OPTIONAL_CRYPTO_LIBS="${OPTIONAL_CRYPTO_LIBS} ${CRYPTO_CRYPTO_LIBS}"
AC_DEFINE([ENABLE_CRYPTO], [1], [Enable crypto library])
......@@ -1054,6 +1089,7 @@ AC_SUBST([OPTIONAL_CRYPTO_CFLAGS])
AC_SUBST([OPTIONAL_CRYPTO_LIBS])
AC_SUBST([OPTIONAL_LZO_CFLAGS])
AC_SUBST([OPTIONAL_LZO_LIBS])
AC_SUBST([OPTIONAL_SYSTEMD_LIBS])
AC_SUBST([OPTIONAL_PKCS11_HELPER_CFLAGS])
AC_SUBST([OPTIONAL_PKCS11_HELPER_LIBS])
......
......@@ -97,12 +97,19 @@ if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then
"$nonce" \
-CAfile "$verify" \
-url "$ocsp_url" \
-serial "${serial}" 2>/dev/null)
-serial "${serial}" 2>&1)
if [ $? -eq 0 ]; then
# check that it's good
# check if ocsp didn't report any errors
if echo "$status" | grep -Eq "(error|fail)"; then
exit 1
fi
# check that the reported status of certificate is ok
if echo "$status" | grep -Fq "^${serial}: good"; then
exit 0
# check if signature on the OCSP response verified correctly
if echo "$status" | grep -Fq "^Response verify OK"; then
exit 0
fi
fi
fi
fi
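Review bot: Both success checks pass a pattern that starts with ^ to grep -F (grep -Fq "^${serial}: good" and grep -Fq "^Response verify OK"). With -F the caret is a literal character, not a line anchor, so neither pattern can match a line that begins with the serial number or with "Response verify OK", and the exit 0 inside these tests is not reachable. That fails closed, but it rejects every certificate at the checked depth. Use grep -Eq for the anchored patterns, or drop the ^ and keep -F. Separately, now that stderr is merged into $status with 2>&1, the (error|fail) filter is case-sensitive; consider grep -Eqi so that capitalised error messages are caught as well.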
......
......@@ -254,6 +254,7 @@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@
OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@
OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@
OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@
OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
......@@ -282,6 +283,7 @@ SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SOCKETS_LIBS = @SOCKETS_LIBS@
STRIP = @STRIP@
SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@
TAP_CFLAGS = @TAP_CFLAGS@
TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@
TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@
......@@ -322,6 +324,8 @@ infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
libexecdir = @libexecdir@
libsystemd_CFLAGS = @libsystemd_CFLAGS@
libsystemd_LIBS = @libsystemd_LIBS@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
......
......@@ -197,6 +197,7 @@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@
OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@
OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@
OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@
OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
......@@ -225,6 +226,7 @@ SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SOCKETS_LIBS = @SOCKETS_LIBS@
STRIP = @STRIP@
SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@
TAP_CFLAGS = @TAP_CFLAGS@
TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@
TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@
......@@ -265,6 +267,8 @@ infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
libexecdir = @libexecdir@
libsystemd_CFLAGS = @libsystemd_CFLAGS@
libsystemd_LIBS = @libsystemd_LIBS@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
......
......@@ -148,7 +148,7 @@ case "$1" in
for c in `/bin/ls *.conf 2>/dev/null`; do
bn=${c%%.conf}
if [ -f "$bn.sh" ]; then
. $bn.sh
. ./$bn.sh
fi
rm -f $piddir/$bn.pid
$openvpn --daemon --writepid $piddir/$bn.pid --config $c --cd $work
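Review bot: The sourced path in . ./$bn.sh is still unquoted, while the -f test one line above quotes "$bn.sh", so a configuration name containing whitespace or glob characters passes the test and then sources a different set of words. Suggest . "./$bn.sh". The explicit ./ itself is the right change, because a name without a slash given to the dot command is looked up through PATH rather than in the working directory. The same quoting applies to the second occurrence later in this file.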
......
......@@ -161,7 +161,7 @@ case "$1" in
for c in `/bin/ls *.conf 2>/dev/null`; do
bn=${c%%.conf}
if [ -f "$bn.sh" ]; then
. $bn.sh
. ./$bn.sh
fi
rm -f $piddir/$bn.pid
$openvpn --daemon --writepid $piddir/$bn.pid --config $c --cd $work
......
......@@ -13,7 +13,7 @@
Summary: OpenVPN is a robust and highly flexible VPN daemon by James Yonan.
Name: openvpn
Version: 2.3.4
Version: 2.3.5
Release: 1
URL: http://openvpn.net/
Source0: http://prdownloads.sourceforge.net/openvpn/%{name}-%{version}.tar.gz
......
......@@ -231,6 +231,7 @@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@
OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@
OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@
OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@
OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
......@@ -259,6 +260,7 @@ SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SOCKETS_LIBS = @SOCKETS_LIBS@
STRIP = @STRIP@
SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@
TAP_CFLAGS = @TAP_CFLAGS@
TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@
TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@
......@@ -299,6 +301,8 @@ infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
libexecdir = @libexecdir@
libsystemd_CFLAGS = @libsystemd_CFLAGS@
libsystemd_LIBS = @libsystemd_LIBS@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
......
......@@ -1606,7 +1606,7 @@ and
in server mode configurations.
The server timeout is set twice the value of the second argument.
This ensures that a timeout is dectected on client side
This ensures that a timeout is detected on client side
before the server side drops the connection.
For example,
......@@ -2459,7 +2459,7 @@ Normally, adaptive compression is enabled with
.B \-\-comp-lzo.
Adaptive compression tries to optimize the case where you have
compression enabled, but you are sending predominantly uncompressible
compression enabled, but you are sending predominantly incompressible
(or pre-compressed) packets over the tunnel, such as an FTP or rsync transfer
of a large, compressed file. With adaptive compression,
OpenVPN will periodically sample the compression process to measure its
......@@ -2660,7 +2660,7 @@ on sufficiently fast hardware. SSL/TLS authentication must
be used in this mode.
.\"*********************************************************
.TP
.B \-\-server network netmask
.B \-\-server network netmask ['nopool']
A helper directive designed to simplify the configuration
of OpenVPN's server mode. This directive will set up an
OpenVPN server which will allocate addresses to clients
......@@ -2695,6 +2695,9 @@ expands as follows:
if !nopool:
ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0
push "route-gateway 10.8.0.1"
if route-gateway unset:
route-gateway 10.8.0.2
.in -4
.ft
.fi
......@@ -3498,7 +3501,7 @@ like this:
.B
/C=US/L=Somewhere/CN=John Doe/emailAddress=john@example.com
.IP
In addition the old behavivour was to remap any character other than
In addition the old behaviour was to remap any character other than
alphanumeric, underscore ('_'), dash ('-'), dot ('.'), and slash ('/') to
underscore ('_'). The X.509 Subject string as returned by the
.B tls_id
......@@ -4354,7 +4357,7 @@ A different mode can be specified for each provider.
Mode is encoded as hex number, and can be a mask one of the following:
.B 0
(default) \-\- Try to determind automatically.
(default) \-\- Try to determine automatically.
.br
.B 1
\-\- Use sign.
......@@ -4745,12 +4748,44 @@ the tls-verify script returns. The file name used for the certificate
is available via the peer_cert environment variable.
.\"*********************************************************
.TP
.B \-\-x509-username-field fieldname
Field in x509 certificate subject to be used as username (default=CN).
.B Fieldname
will be uppercased before matching. When this option is used, the
.B \-\-verify-x509-username
option will match against the chosen fieldname instead of the CN.
.B \-\-x509-username-field [ext:\]fieldname
Field in the X.509 certificate subject to be used as the username (default=CN).
Typically, this option is specified with
.B fieldname
as either of the following:
.B \-\-x509-username-field
emailAddress
.br
.B \-\-x509-username-field ext:\fRsubjectAltName
The first example uses the value of the "emailAddress" attribute in the
certificate's Subject field as the username. The second example uses
the
.B ext:
prefix to signify that the X.509 extension
.B fieldname
"subjectAltName" be searched for an rfc822Name (email) field to be used
as the username. In cases where there are multiple email addresses
in
.B ext:fieldname\fR,
the last occurrence is chosen.
When this option is used, the
.B \-\-verify-x509-name
option will match against the chosen
.B fieldname
instead of the Common Name.
.B Please note:
This option has a feature which will convert an all-lowercase
.B fieldname
to uppercase characters, e.g., ou -> OU. A mixed-case
.B fieldname
or one having the
.B ext:
prefix will be left as-is. This automatic upcasing feature
is deprecated and will be removed in a future release.
.\"*********************************************************
.TP
.B \-\-tls-remote name (DEPRECATED)
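Review bot: In the new synopsis line .B \-\-x509-username-field [ext:\]fieldname the backslash before ] looks unintended; write [ext:]fieldname. The rewritten paragraph also refers to --verify-x509-name where the earlier wording said --verify-x509-username, so please confirm that the option name now matches the one the program accepts. Since the selected field becomes the username, the sentence saying that the last rfc822Name is chosen when subjectAltName holds several addresses deserves one more line stating that the issuing CA must control the contents of that extension.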
......
......@@ -243,6 +243,7 @@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@
OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@
OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@
OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@
OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
......@@ -271,6 +272,7 @@ SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SOCKETS_LIBS = @SOCKETS_LIBS@
STRIP = @STRIP@
SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@
TAP_CFLAGS = @TAP_CFLAGS@
TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@
TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@
......@@ -311,6 +313,8 @@ infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
libexecdir = @libexecdir@
libsystemd_CFLAGS = @libsystemd_CFLAGS@
libsystemd_LIBS = @libsystemd_LIBS@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
......
......@@ -224,6 +224,7 @@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@
OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@
OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@
OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@
OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
......@@ -252,6 +253,7 @@ SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SOCKETS_LIBS = @SOCKETS_LIBS@
STRIP = @STRIP@
SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@
TAP_CFLAGS = @TAP_CFLAGS@
TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@
TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@
......@@ -292,6 +294,8 @@ infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
libexecdir = @libexecdir@
libsystemd_CFLAGS = @libsystemd_CFLAGS@
libsystemd_LIBS = @libsystemd_LIBS@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
......
......@@ -83,9 +83,16 @@ key server.key # This file should be kept secret
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
# 2048 bit keys.
dh dh1024.pem
# Network topology
# Should be subnet (addressing via IP)
# unless Windows clients v2.0.9 and lower have to
# be supported (then net30, i.e. a /30 per client)
# Defaults to net30 (not recommended)
;topology subnet
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
......
......@@ -254,6 +254,7 @@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@
OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@
OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@
OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@
OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
......@@ -282,6 +283,7 @@ SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SOCKETS_LIBS = @SOCKETS_LIBS@
STRIP = @STRIP@
SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@
TAP_CFLAGS = @TAP_CFLAGS@
TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@
TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@
......@@ -322,6 +324,8 @@ infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
libexecdir = @libexecdir@
libsystemd_CFLAGS = @libsystemd_CFLAGS@
libsystemd_LIBS = @libsystemd_LIBS@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
......
......@@ -246,6 +246,7 @@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@
OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@
OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@
OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@
OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
......@@ -274,6 +275,7 @@ SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SOCKETS_LIBS = @SOCKETS_LIBS@
STRIP = @STRIP@
SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@
TAP_CFLAGS = @TAP_CFLAGS@
TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@
TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@
......@@ -314,6 +316,8 @@ infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
libexecdir = @libexecdir@
libsystemd_CFLAGS = @libsystemd_CFLAGS@
libsystemd_LIBS = @libsystemd_LIBS@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
......
......@@ -119,6 +119,7 @@ openvpn_LDADD = \
$(OPTIONAL_PKCS11_HELPER_LIBS) \
$(OPTIONAL_CRYPTO_LIBS) \
$(OPTIONAL_SELINUX_LIBS) \
$(OPTIONAL_SYSTEMD_LIBS) \
$(OPTIONAL_DL_LIBS)
if WIN32
openvpn_SOURCES += openvpn_win32_resources.rc
......
......@@ -181,7 +181,7 @@ openvpn_DEPENDENCIES = $(top_builddir)/src/compat/libcompat.la \
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
$(am__DEPENDENCIES_1)
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
AM_V_lt = $(am__v_lt_@AM_V@)
am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
am__v_lt_0 = --silent
......@@ -316,6 +316,7 @@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@
OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@
OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@
OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@
OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
......@@ -344,6 +345,7 @@ SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SOCKETS_LIBS = @SOCKETS_LIBS@
STRIP = @STRIP@
SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@
TAP_CFLAGS = @TAP_CFLAGS@
TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@
TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@
......@@ -384,6 +386,8 @@ infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
libexecdir = @libexecdir@
libsystemd_CFLAGS = @libsystemd_CFLAGS@
libsystemd_LIBS = @libsystemd_LIBS@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
......@@ -451,7 +455,8 @@ openvpn_SOURCES = base64.c base64.h basic.h buffer.c buffer.h \
openvpn_LDADD = $(top_builddir)/src/compat/libcompat.la \
$(SOCKETS_LIBS) $(OPTIONAL_LZO_LIBS) \
$(OPTIONAL_PKCS11_HELPER_LIBS) $(OPTIONAL_CRYPTO_LIBS) \
$(OPTIONAL_SELINUX_LIBS) $(OPTIONAL_DL_LIBS) $(am__append_3)
$(OPTIONAL_SELINUX_LIBS) $(OPTIONAL_SYSTEMD_LIBS) \
$(OPTIONAL_DL_LIBS) $(am__append_3)
all: all-am
.SUFFIXES:
......
......@@ -110,7 +110,7 @@ token_decode(const char *token)
int i;
unsigned int val = 0;
int marker = 0;
if (strlen(token) < 4)
if (!token[0] || !token[1] || !token[2] || !token[3])
return DECODE_ERROR;
for (i = 0; i < 4; i++) {
val *= 64;
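Review bot: The replacement test !token[0] || !token[1] || !token[2] || !token[3] in token_decode() depends on left-to-right short-circuit evaluation to avoid reading past the terminating NUL, and nothing in the code says why strlen(token) < 4 was dropped. Add a one-line comment that strlen() walks the whole remaining string on every call, which is the cost the ChangeLog entry "Remove quadratic complexity from openvpn_base64_decode()" refers to, so the check is not reverted later as a readability cleanup.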
......