Commit Graph

23 Commits

Author SHA1 Message Date
james
673f583f76 The maximum number of "route" directives (specified in the config
file or pulled from a server) can now be configured via the new
"max-routes" directive.

Previously, the limit was set to 100 and fixed by a compile-time
constant.  Now the limit is dynamic and can be modified by the
"max-routes" directive.  If max-routes is not specified, the default
limit is 100.

Note that this change does not address the maximum size of the
pushed options string sent from server to client, which is still
controlled by the TLS_CHANNEL_BUF_SIZE compile-time constant.


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4967 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-09-17 23:43:37 +00:00
james
d7fa38f2a9 Update copyright to 2009.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4477 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-05-30 21:38:49 +00:00
james
a828135275 * Added additional method parameter to --script-security to preserve
backward compatibility with system() call semantics used in OpenVPN
  2.1_rc8 and earlier.  To preserve backward compatibility use:

    script-security 3 system


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3495 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-11-17 04:28:07 +00:00
james
367ed084db Copyright notice changed to reflect change in name of
Telethra to OpenVPN Technologies.


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3409 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-10-06 07:33:45 +00:00
james
b8fb090c16 2.1_rc8 and earlier did implicit shell expansion on script
arguments since all scripts were called by system().
The security hardening changes made to 2.1_rc9 no longer
use system(), but rather use the safer execve or CreateProcess
system calls.  The security hardening also introduced a
backward incompatibility with 2.1_rc8 and earlier in that
script parameters were no longer shell-expanded, so
for example:

  client-connect "docc CLIENT-CONNECT"

would fail to work because execve would try to execute
a script called "docc CLIENT-CONNECT" instead of "docc"
with "CLIENT-CONNECT" as the first argument.

This patch fixes the issue, bringing the script argument
semantics back to pre 2.1_rc9 behavior in order to preserve
backward compatibility while still using execve or CreateProcess
to execute the script/executable.


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3311 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-09-06 09:42:17 +00:00
james
b551bec9bc Added additional defensive programming to buffer.[ch] functions.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3128 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-07-27 05:31:09 +00:00
james
5a2e9a2587 Completely revamped the system for calling external programs and scripts:
* All external programs and scripts are now called by execve() on unix and
  CreateProcess on Windows.

* The system() function is no longer used.

* Argument lists for external programs and scripts are now built by the new
  argv_printf function which natively outputs to string arrays (i.e.
  char *argv[] lists), never truncates its output, and eliminates the security
  issues inherent in formatting and parsing command lines, and dealing with
  argument quoting.

* The --script-security directive has been added to offer policy controls on
  OpenVPN's execution of external programs and scripts.

Also added a new plugin example (openvpn/plugin/examples/log.c) that logs
information to stdout for every plugin method called by OpenVPN.


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3122 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-07-26 07:27:03 +00:00
james
26bb4c740b Added argv_x functions to buffer.[ch] to be used to safely build
up argv strings for execve without the possibility of truncation
or misinterpretation of mid-argument spacing.


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3107 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-07-23 19:51:27 +00:00
james
bda8d38b0c buf_printf will now return false on errors, such as truncation
due to overflow.


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3085 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-07-19 03:39:59 +00:00
james
7621883663 Replace leading dash ('-') characters in an X509 name with underbars ('_')
before calling user-defined scripts, to preclude the chance of a leading
dash being interpreted as an option prefix.


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3083 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-07-19 00:29:31 +00:00
james
cc1d3998d2 Reverted some recent buffer.[ch] changes, including r3058 (except for
likely() and unlikely() macro additions to syshead.h) and r3061.

I would like to give more thought to the bigger issue of fortifying
buffer.[ch] through the use of additional defensive programming techniques.


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3081 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-07-18 20:46:06 +00:00
james
8e986316d9 Check for multiplication overflow on ALLOC_ARRAY* functions.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3068 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-07-17 20:10:18 +00:00
james
5d89a3629c Added likely() and unlikely() branch prediction hint macros
to syshead.h

Introduced BUF_MAX constant to limit struct buffer offset and length
values.  BUF_MAX has been set to 2^20.

Use likely() and unlikely() macros in buffer.h code to allow the
compiler to generate more efficient code.


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3058 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-07-16 20:36:54 +00:00
james
1c0cc4ad89 Copyright change OpenVPN Solutions LLC -> Telethra, Inc.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3048 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-07-14 18:59:09 +00:00
james
eca86913db Updated copyright notice to 2008.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2995 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-06-11 21:59:26 +00:00
james
4e9a51d78f Merged connection profiles from
http://svn.openvpn.net/projects/openvpn/test/conn


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2993 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-06-11 10:48:50 +00:00
james
90efcacba6 Updated version to 2.1_rc7e.
Added client authentication and packet filtering capability
to management interface.

Extended packet filtering capability to work on both --dev tun
and --dev tap tunnels.

Updated valgrind-suppress file.

Made "Linux ip addr del failed" error nonfatal.

Amplified --client-cert-not-required warning.

Added #pragma pack to proto.h.


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2991 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-06-11 08:45:09 +00:00
james
47ae8457f9 Incremented version to 2.1_rc7d.
Support asynchronous authentication by plugins by allowing
OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY to return
OPENVPN_PLUGIN_FUNC_DEFERRED.  See comments in
openvpn-plugin.h for documentation.  Enabled by ENABLE_DEF_AUTH.

Added a simple packet filter functionality that can be driven by
a plugin.  See comments in openvpn-plugin.h for documentation.
Enabled by ENABLE_PF.

See openvpn/plugin/defer/simple.c for examples of ENABLE_DEF_AUTH
and ENABLE_PF.

"TLS Error: local/remote TLS keys are out of sync" is no longer a
fatal error for TCP-based sessions, since the error can arise
normally in the course of deferred authentication.  In a related
change, allow packet-id sequence to begin at some number n > 0 for
TCP sessions, rather than strictly requiring sequence to begin
at 1.

Added a test to configure.ac for LoadLibrary function on Windows.

Modified "make dist" function to include all files from
install-win32 so that ./domake-win can be run from a
tarball-expanded directory.

setenv and setenv-safe directives may now omit a value argument
which defaults to "".


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2978 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-06-04 05:16:44 +00:00
james
dcc0b2447e Eliminated gcc 3.3.3 warnings on NetBSD
when ./configure --enable-strict is used.


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@1040 e7ae566f-a301-0410-adde-c780ea21d3b5
2006-06-24 08:04:42 +00:00
james
f214bb2115 Added --auto-proxy directive to auto-detect HTTP or SOCKS
proxy settings (currently Windows only).


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@850 e7ae566f-a301-0410-adde-c780ea21d3b5
2005-12-12 19:46:10 +00:00
james
eadf16a660 Removed annoying 'i' variable from add_option.
Allow plugin and push directives to have multiple
parameters specified instead of only 1 quoted
parameter.

Allow plugin and push directives to have multi-line
parameter lists, such as:

<plugin>
  my-plugin.so
  parm1
  parm2
</plugin>


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@785 e7ae566f-a301-0410-adde-c780ea21d3b5
2005-11-09 07:30:14 +00:00
james
d40f2b204b Added ENABLE_INLINE_FILES feature.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@784 e7ae566f-a301-0410-adde-c780ea21d3b5
2005-11-08 12:50:11 +00:00
james
6fbf66fad3 This is the start of the BETA21 branch.
It includes the --topology feature, and
TAP-Win32 driver changes to allow
non-admin access.



git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@580 e7ae566f-a301-0410-adde-c780ea21d3b5
2005-09-26 05:28:27 +00:00