From e76e04c3f05538de220b6f5669002edabc0e865b Mon Sep 17 00:00:00 2001
From: Arne Schwabe
Date: Thu, 7 Mar 2013 22:28:38 +0100
Subject: Update openvpn src to git version 839a41ac3d4253ad048e93c84f2291fc684c44d4 (include x509-verify-name) (closes issue #144)

--HG--
extra : rebase_source : d93dcf4130eccf3a136850495e382942eb675a8e
---
 openvpn/ChangeLog.IPv6 | 440 --------------------------------------
 openvpn/INSTALL | 159 ++++++--------
 openvpn/INSTALL-win32.txt | 29 +++
 openvpn/README | 35 ++--
 openvpn/configure.ac | 2 +-
 openvpn/doc/openvpn.8 | 117 +++++++++--
 openvpn/src/openvpn/init.c | 7 +-
 openvpn/src/openvpn/options.c | 115 ++++++++--
 openvpn/src/openvpn/options.h | 3 +-
 openvpn/src/openvpn/proxy.c | 4 +-
 openvpn/src/openvpn/ssl_common.h | 3 +-
 openvpn/src/openvpn/ssl_verify.c | 15 +-
 openvpn/src/openvpn/ssl_verify.h | 6 +
 openvpn/src/openvpn/syshead.h | 4 +
 14 files changed, 335 insertions(+), 604 deletions(-)
 delete mode 100644 openvpn/ChangeLog.IPv6

(limited to 'openvpn')

diff --git a/openvpn/ChangeLog.IPv6 b/openvpn/ChangeLog.IPv6
deleted file mode 100644
index 283fe6e6..00000000
--- a/openvpn/ChangeLog.IPv6
+++ /dev/null
@@ -1,440 +0,0 @@ -Do 31. Dez 15:32:40 CET 2009 Gert Doering - - * Basic IPv6 p2mp functionality implemented - - * new options: - - server-ipv6 - - ifconfig-ipv6 - - ifconfig-ipv6-pool - - route-ipv6 - - iroute-ipv6 - - * modules touched: - - init.c: init & setup IPv6 route list & add/delete IPv6 routes - - tun.c: add "ifconfig" and "route" handling for IPv6 - - multi.c: IPv6 ifconfig-pool assignments - put to route-hash table - push to client - - pool.c: extend pools to handle IPv4+IPv6, and also return IPv6 address - IPv6 address saved to file if ifconfig-pool-persist is set - (but ignored on read due to the way pools work) - - mroute.c: handle reading src/dst addresses from IPv6 packets - (so multi.c can check against route-hash table) - handle printing of IPv6 mroute_addr structure - - helper.c: implement "server-ipv6" macro (->ifconfig-ipv6, pool, ...) - - options.c: implement all the new options - add helper functions for IPv6 address handling - - forward.c: tell do_route() about IPv6 routes - - route.c: handle IPv6 route lists + route option lists - extend add_routes() to do IPv4 + IPv6 route lists - extend delete_routes() to do IPv4 + IPv6 route lists - implement add_route_ipv6(), delete_route_ipv6() to call - system-dependend external program to do the work - - push.c: handle pushing of "ifconfig-ipv6" option - - socket.c: helper function to check & print IPv6 address strings - - * known issues: - - operating system support on all but Linux (ifconfig, route) - - route-ipv6 gateway handling - - iroute-ipv6 not implemented - - TAP support: ifconfig, routing (route needs gateway!) - - * release as patch 20091231-1 - -Thu Dec 31 17:02:08 CET 2009 - - * NetBSD port (NetBSD 3.1 on Sparc64) - - * mroute.c, socket.c: make byte/word access to in6_addr more portable - - * tun.c: fix IPv6 ifconfig arguments on NetBSD - - still doesn't work on NetBSD 3.1, "ifconfig tun0 inet6..." 
errors with - - ifconfig: SIOCAIFADDR: Address family not supported by protocol family - - (sys/net/if_tun.c, needs to be revision 1.80 or later, NetBSD PR 32944, - included in NetBSD 4.0 and up) - - -Fri Jan 1 14:07:15 CET 2010 - - * FreeBSD port (FreeBSD 6.3-p12 on i386) - - * tun.c: implement IPv6 ifconfig setting for FreeBSD - - * route.c: fix %s/%s argument to IPv6 route add/delete command for *BSD - - * TEST SUCCESS: FreeBSD 6.3-p12, server-ipv6, route-ipv6, ccd/iroute-ipv6 - - * multi.c: implement setting and deleting of iroute-ipv6 - (multi_add_iroutes(), multi_del_iroutes()) - * mroute.c: add mroute_helper_add_iroute6(), mroute_helper_del_iroute6() - * mroute.h: add prototypes, increase MR_HELPER_NET_LEN to 129 (/0.../128) - * multi.c: zeroize host part of IPv6 iroutes in multi_learn_in6_addr() - * mroute.c: implement mroute_addr_mask_host_bits() for IPv6 - - * TEST SUCCESS: Linux 2.6.30 (Gentoo)/iproute2, server-ipv6, ccd/iroute-ipv6 - - * TEST SUCCESS: Linux 2.6.30 (Gentoo)/ifconfig, client-ipv6 - - * TEST FAIL: NetBSD 5.0, IPv6 client - - "ifconfig tun0 .../64" does not create a "connected" route - - adding routes fails - - --> more work to do here. - - * release as patch 20100101-1 - - * TEST FAIL: - FreeBSD 6.3-p12 server "--topology subnet" - Linux/ifconfig client - - BSD sends ICMP6 neighbor solicitations, which are ignored by Linux - - server tun interface is not in p2p mode, client tun interface *is* - - * TEST SUCCESS: non-ipv6 enabled client -> "--server-ipv6" server - (warnings in the log file, but no malfunctions) - - -Sat Jan 2 19:48:35 CET 2010 - - * tun.c: change "ipv6_support()", do not turn off tt->ipv6 unconditionally - if we don't know about OS IPv6 support - just log warning - - * tun.c: implement "ifconfig inet6" setting for MacOS X / Darwin - - * route.c: split *BSD system dependent part of add/delete_route_ipv6() - into FreeBSD/Dragonfly and NetBSD/Darwin/OpenBSD variants - ("2001:db8::/64" vs. "2001:db8:: --prefixlen 64"). 
- - * tun.c: on MacOS X, NetBSD and OpenBSD, explicitely set on-link route - - * TEST SUCCESS: MacOS X, client-ipv6 with route-ipv6 - - -Sun Jan 3 10:55:31 CET 2010 - - * route.c: NetBSD fails with "-iface tun0", needs gateway address - (assume that the same syntax is needed for OpenBSD) - - * route.h: introduce "remote_endpoint_ipv6" into "struct route_ipv6_list" - - * init.c: pass "ifconfig_ipv6_remote" as gateway to init_route_ipv6_list() - - * route.c: - - init_route_ipv6(): use "remote_endpoint_ipv6" as IPv6 gateway address - if no gateway was specified explicitely - - - init_route_ipv6_list(): fill in "remote_endpoint_ipv6", if parseable - - - get rid of "GATEWAY-LESS ROUTE6" warning - - * route.c, add_route_ipv6() - - explicitely clear host bits of base address, to be able to more - easily set up "connected" /64 routes on NetBSD+Darwin - - - split system-dependent part between Darwin and NetBSD/OpenBSD - (Darwin can use "-iface tun0", NetBSD/OpenBSD get gateway address) - - - change Solaris comments from "known-broken" to "unknown" - - * tun.c: rework NetBSD tunnel initialization and tun_read() / tun_write() - to work the same way OpenBSD and NetBSD do - tunnel is put into - "multi-af" mode, and all packet read/write activity is prepended by - a 32 bit value specifying the address family. 
- - * TEST SUCCESS: NetBSD 5.0/Sparc64: client-ipv6 with route-ipv6 - - * TEST SUCCESS: MacOS X 10.5: client-ipv6 with route-ipv6 - - * (RE-)TEST SUCCESS: Linux/iproute2: server-ipv6 - Linux/ifconfig: client-ipv6 - FreeBSD 6.3: server-ipv6 - - * release as patch 20100103-1 - - * options.c: document all new options in "--help" - - * tun.c: fix typo in Solaris-specific section - - * socket.h, socket.c: change u_int32_t to uint32_t - (Solaris - and all the rest of the code uses "uintNN" anyway) - -Mon Jan 4 17:46:58 CET 2010 - - * socket.c: rework add_in6_addr() to use 32-bit access to struct in6_addr - (Solaris has no 16-bit values in union, but this is more elegant as well) - - * tun.c: fix "ifconfig inet6" command for Solaris - - * tun.c: make sure "tun0 inet6" is unplumbed first, cleanup leftovers - - * route.c: add routes with "metric 0" on solaris, otherwise they just - don't work (someone who understands Solaris might want to fix this). - - * Solaris "sort of" works now - ifconfig works, route add does not give - errors, "netstat -rn" looks right, but packets are discarded unless - the routes are installed with "metric 0". So we just use "metric 0"... - - * CAVEAT: Solaris "ifconfig ... preferred" interferes with source address - selection. So if there are any active IPv6 interfaces configured with - "preferred", packets leaving out the tunnel will use the wrong source - IPv6 address. Not fixable from within OpenVPN. - - * CAVEAT2: Solaris insists on doing DHCPv6 on tun0 interfaces by default, - so DHCPv6 solicitation packets will be seen. Since the server end has - no idea what to do with them, they are a harmless nuisance. Fixable - on the Solaris side via "ndpd.conf" (see ``man ifconfig''). 
- - * release as patch 20100104-1 - -Fri Jan 8 10:00:50 CET 2010 - - * import into git repository - - * options.c: add sanity checks for most typical error cases - (--ifconfig-ipv6-pool configured with no --ifconfig-ipv6, etc) - - * options.c: modify get_ipv6_addr() to be more flexible about netbits - (optional now, default to /64) and to return the address-without-netbits - string now (-> for options that want the IPv6 address in printable - form, but without /nn) - - * options.c: modify --ifconfig-ipv6 to optionally accept /netbits, - you can do now "ifconfig-ipv6 2001:df8::1/64 2001:df8::2" or just - "ifconfig-ipv6 2001:df8::5 2001:df8::7", defaulting to /64 - - * options.h: add necessary structure elements for --ifconfig-ipv6-push - - * options.c: implement "parse options" side of --ifconfig-ipv6-push - -Tue Jan 12 22:42:09 CET 2010 - - * tun.c: in TARGET_NETBSD #ifdef, distinguish between "old" code - (IPv4 only, but unmodified read/write) and "new" code (multi-af, - extra 32 bit AF on read/write of the tun interface) - pre-4.0 - NetBSD systems don't have TUNSIFHEAD, no way to have common code. - - * TEST SUCCESS: NetBSD 5.0/Sparc64: client-ipv6 with route-ipv6 (v4+v6) - - * TEST SUCCESS: NetBSD 3.1/Sparc64: client-ipv6 with route-ipv6 (v4-only) - -Thu Jan 14 15:41:50 CET 2010 - - * multi.c: if "--ifconfig-push" is used together with "--ifconfig-ipv6-pool" - and no "--ifconfig-ipv6-push" is seen, issue warning - the current - implementation of pools has IPv6 tied to IPv4, so if v4 does not use - the pool, it breaks for IPv6. Not a *big* problem (since there is - enough v6, just give those users a static v6 address as well), but needs - to be pointed out clearly. 
- - * release as patch 20100114-1 - -Tue Feb 16 14:43:28 CET 2010 - - * options.c: print "IPv6 payload patch" release date in "--version" - - * tun.c: undo change to init_tun() (moving "bool tun" and call to - "is_tun_p2p()" further up) - it wasn't needed and breaks "make check" - - * git stuff: rebase on David Sommerseth's openvpn-testing git tree - - * release as patch 20100216-1 - -Fri Feb 26 19:59:01 CET 2010 - - * init.c: initialize tuntap->ipv6 in do_init_tun() (to make sure it's - always initialized early-enough, independent of the sequence of - do_ifconfig()/open_tun() [see ifconfig_order() in tun.h]) - - * tun.c, init.c: remove "bool ipv6" argument to tuncfg(), open_tun() - and open_tun_generic() - obsoleted by previous change - - * tun.c: remove ipv6_support() - original purpose was unclear, and all - current platforms (except linux-very-old) fully support IPv6 now :-) - - * tun.c: initial implementation of "netsh" IPv6-ifconfig for Win32 - - * RE-TEST SUCCESS: Linux/i386/ifconfig, client-tun/net30, v4+v6 - -Sun Feb 28 17:05:57 CET 2010 - - * tun.c: NetBSD dependent part: correct destroying/re-creation of tun dev - - * tun.c: move adding of "connected" IPv6 prefix to new helper function, - add_route_connected_v6_net() - - * RE-TEST SUCCESS: NetBSD 5.0/Sparc64, client-tun/net30, v4+v6 - - * RE-TEST SUCCESS: NetBSD 3.1/Sparc64: client-tun/net30, v4-only - - * RE-TEST SUCCESS: Linux/i386/iproute2: server-tun/net30, v4+v6 - - * tun.c: add #ifdef TARGET_DARWIN block for *_tun() functions, to - be able to modify close_tun() for unconfiguring IPv6 - - * tun.c: on close_tun() on MacOS X, need to de-configure "lo0" route for - configured IPv6 address - - * RE-TEST SUCCESS: MacOS X (10.5)/i386: client-tun/net30, v4+v6 - - * route.c: implement ipv6 route adding / deletion via "netsh" for WIN32 - - * TEST FAIL: Windows XP fails, because the tun/tap driver does not - forward IPv6 frames kernel->userland if in "tun" mode - - * options.c: set IPv6 version to 20100228-1 
- - * release as patch 20100228-1 - -Sun Mar 7 19:17:33 CET 2010 - - * options.c: set IPv6 version to 20100307-1 - - * TODO.IPv6: add note about OpenBSD TODO (#16) - - * route.c: set (and remove) "magic next hop" fe80::8 for IPv6 routes on - Win32 - - * install-win32/settings.in: bump TAP driver version from 9.6 to 9.7 - and TAP_RELDATE to "07/03/2010" - - * tap-win32/proto.h: add data types and definitions needed for IPv6 - - * tap-win32/types.h: add m_UserToTap_IPv6 ethernet header for IPv6 packets - - * tap-win32/tapdrvr.c: implement support for IPv6 in TUN mode: - - IPv6 packets User->OS need correct ether type - - IPv6 packets OS->User get correctly forwarded - - IPv6 neighbour discovery packets for "fe80::8" (magic address - installed as route-nexthop by OpenVPN.exe) get answered locally - - * TEST SUCCESS: WindowsXP/32bit: client-tun/net30, v4+v6 - - * tun.c: if IPv6 requested in TUN mode, and TUN/TAP driver version - is older than 9.7, log warning and disable IPv6 (won't work anyway). - - * release as patch 20100307-1 - -Sat Jul 10 14:37:52 CEST 2010 - - * TEST SUCCESS: point-to-point tun mode with --ifconfig-ipv6 between - Solaris10/sparc and Linux (Michal Ludvig) - (using the whiteboard tun driver on Solaris, otherwise "no IPv6") - -Sun Aug 8 12:30:44 CEST 2010 - - * route.c: split NetBSD and OpenBSD parts of add_route_ipv6() and - delete_route_ipv6(), implement OpenBSD variant - (needs "-prefixlen nn" while NetBSD uses "/nn") - - * tun.c: implement IPv6 ifconfig for OpenBSD - - * tun.c: destroy tunX interface at tun_close() on OpenBSD (cleanup) - - * TEST SUCCESS: OpenBSD 4.7: client-tun/net30, v4+v6 - -Thu Sep 2 21:18:32 CEST 2010 - - * tun.c: the TAP binary in 2.2-beta3 has the IPv6 related changes, but - the version number is 9.8 now -> check for 9.8, not 9.7 - -Wed Sep 22 22:20:37 CEST 2010 - - * tun.c: bugfix for Linux/iproute2/"topology subnet". 
Works :-) - - * TEST SUCCESS: Linux/ifconfig: client-tun/net30+subnet, v4+v6 - - * TEST SUCCESS: Linux/iproute2: client-tun/net30+subnet, v4+v6 - - * options.c: tag as 20100922-1 so "allmerged" users can see IPv6 change - -Fri Sep 24 17:57:41 CEST 2010 - - * TEST SUCCESS: Linux/: client-tap, v4+v6, ping6 on connected addr - - * TEST FAIL: Linux/: client-tap, v6, route6 (gateway missing) - -Do 21. Okt 19:36:49 CEST 2010 - - * t_client.sh.in: cherrypick commit f25fe91a40aa3f and 6f1e61b41be52 - (proper exit codes to signal "SKIP" if we do not want to run) - -So 16. Jan 17:25:23 CET 2011 - - * tun.c, route.c: cherrypick 121755c2cb4891f and f0eac1a5979096c67 - (TAP driver and "topology subnet" support for Solaris) - - * tun.c: add IPv6 configuration for TAP interfaces (:1 inet6) - - * tun.c: on close_tun on Solaris, unplumb IPv6 TUN or TAP interfaces - - * TEST SUCCESS: OpenSolaris: client-tun, v4+v6 - TEST SUCCESS: OpenSolaris: client-tap, v4+v6, ping6 on connected addr - TEST FAIL: OpenSolaris: client-tap, v6, route6 (gateway missing) - -So 24. Apr 16:51:45 CEST 2011 - - * rebase to "beta2.2" branch (at 2.2RC2 tag) - - * mroute.c: remove mroute_helper_lock/_unlock() calls for IPv6 - * socket.c: remove locking with L_INET_NTOA mutex - (all the threading stuff got removed by David Sommerseth for 2.2) - - * mroute.c: remove duplicate mroute_helper_add_iroute6() and - mroute_helper_del_iroute6() - "git rebase" artefact - - * ChangeLog.IPv6 and TODO.IPv6: add to commit - - * options.c: tag as 20110424-2 (2.2RC2) - - * TEST SUCCESS: Linux/ifconfig: client-tun/net30+subnet, v4+v6 - - * TEST SUCCESS: Linux/iproute2: client-tun/net30+subnet, v4+v6 - -Thu Apr 28 19:10:01 CEST 2011 - - * rebase to "origin/release/2.2" branch (at v2.2.0 tag) - -Thu May 19 20:51:12 CEST 2011 - - * include Windows "netsh add" -> "netsh set ... 
store=active" patch from - Seth Mos, to fix restart problems on Windows due to persistant addresses - - * TEST SUCCESS: Windows XP SP3: client-tun/net30, v4+v6 - -Sat May 21 17:03:20 CEST 2011 - - * tun.c: Solaris cleanup (use CLEAR() to zero-out "ifr") - - * tun.c: Windows cleanup: remove route and IPv6 address on disconnect - - * route.c, route.h: remove "static" from delete_route_ipv6(), needed - for ipv6-route cleanup on disconnect - - * TEST SUCCESS: Windows XP SP3: client-tun/net30, v4+v6 - - * TEST SUCCESS: Windows 7 Home Premium: client-tun/net30, v4+v6 - -So 22. Mai 14:46:12 CEST 2011 - - * Tony Lim: removing routes fails on windows if certain bits are set - in the "host part" (others are silently ignored) --> - - * route.c: create print_in6_addr_netbits_only() helper, call from - add_route_ipv6() and delete_route_ipv6() to get only network part - of route-to-be-modified - - * route.c: set 'store=active' on adding routes on WIN32 as well (Tony Lim) - - * options.c: bump IPv6 release to 20110522-1 - - * TEST SUCCESS: Linux/iproute2: client-tun/net30+subnet, v4+v6 - - * TEST SUCCESS: Windows XP SP3: client-tun/net30, v4+v6 - - * TEST SUCCESS: Windows 7 Home Premium: client-tun/net30, v4+v6 - - * TEST SUCCESS: OpenBSD 4.7: client-tun/net30, v4+v6 - TEST FAIL: OpenBSD 4.7: client-tun/subnet, v4 - (seems to be due to "topology subnet has just not been implemented yet") diff --git a/openvpn/INSTALL b/openvpn/INSTALL index 4ca72883..ed696673 100644 --- a/openvpn/INSTALL +++ b/openvpn/INSTALL 
@@ -12,36 +12,53 @@ QUICK START: Unix: ./configure && make && make-install - Windows MinGW, using MSYS bash shell: - ./domake-win (see comments in the script for more info) + Cross-compile for Windows on Unix - Windows Visual Studio: - python win\build_all.py + See INSTALL-win32.txt ************************************************************************* To download OpenVPN, go to: - http://openvpn.net/download.html + http://openvpn.net/download.html -For step-by-step installation instructions with real-world -examples see: +OpenVPN releases are also available as Debian/RPM packages: - http://openvpn.net/howto.html + https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos + +To download easy-rsa go to: + + https://github.com/OpenVPN/easy-rsa + +To download tap-windows driver source code go to: + + https://github.com/OpenVPN/tap-windows + +To get the cross-compilation environment go to: + + https://github.com/OpenVPN/openvpn-build + +For step-by-step instructions with real-world examples see: + + http://openvpn.net/howto.html + https://community.openvpn.net/openvpn/wiki For examples see: - http://openvpn.net/examples.html + http://openvpn.net/examples.html + +Also see the man page for more information, usage examples, and information on +firewall configuration. ************************************************************************* SUPPORTED PLATFORMS: - (1) Linux 2.2+ + (1) Linux (kernel 2.6+) (2) Solaris - (3) OpenBSD 3.0+ (Comes with OpenSSL and TUN devices by default) - (4) Mac OS X Darwin - (5) FreeBSD - (6) NetBSD + (3) OpenBSD 5.1+ + (4) Mac OS X Darwin 10.5+ + (5) FreeBSD 7.4+ + (6) NetBSD 5.0+ (7) Windows (WinXP and higher) SUPPORTED PROCESSOR ARCHITECTURES: 
@@ -55,14 +72,15 @@ REQUIRES: TUN/TAP Driver Configuration section below for more info. OPTIONAL (but recommended): - (1) OpenSSL library, necessary for encryption, version 0.9.5 or higher + (1) OpenSSL library, necessary for encryption, version 0.9.8 or higher required, available from http://www.openssl.org/ - (2) LZO real-time compression library, required for link compression, + (2) PolarSSL library, an alternative for encryption, version 1.1 or higher + required, available from https://polarssl.org/ + (3) LZO real-time compression library, required for link compression, available from http://www.oberhumer.com/opensource/lzo/ OpenBSD users can use ports or packages to install lzo, but remember to add CFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib" directives to "configure", since gcc will not find them otherwise. - (3) Pthread library. OPTIONAL (for developers only): (1) Autoconf 2.59 or higher + Automake 1.9 or higher @@ -74,15 +92,18 @@ OPTIONAL (for developers only): CHECK OUT SOURCE FROM SOURCE REPOSITORY: - git clone https://github.com/OpenVPN/openvpn + Clone the repository: + + git clone https://github.com/OpenVPN/openvpn + git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn Check out stable version: - git checkout -b 2.2 remotes/origin/release/2.2 + git checkout -b 2.2 remotes/origin/release/2.2 Check out master (unstable) branch: - git checkout master + git checkout master ************************************************************************* @@ -112,7 +133,7 @@ BUILD A TARBALL FROM SOURCE REPOSITORY CHECKOUT: ************************************************************************* -LOOPBACK TESTS (after BUILD): +TESTS (after BUILD): make check (Run all tests below) 
@@ -126,6 +147,9 @@ Test SSL/TLS negotiations (runs for 2 minutes): ./openvpn --config sample/sample-config-files/loopback-client (In one window) ./openvpn --config sample/sample-config-files/loopback-server (Simultaneously in another window) +For more thorough client-server tests you can configure your own, private test +environment. See tests/t_client.rc-sample for details. + ************************************************************************* OPTIONS for ./configure: @@ -205,7 +229,7 @@ ENVIRONMENT for ./configure: ************************************************************************* -BUILDING ON LINUX 2.4+ FROM RPM +BUILDING ON LINUX 2.6+ FROM RPM You can build a binary RPM directly from the OpenVPN tarball file: @@ -224,7 +248,7 @@ startup or shutdown, based on OpenVPN .conf files in /etc/openvpn. See the comments in openvpn.init for more information. Installing the RPM will also configure the TUN/TAP device node -for linux 2.4. +for linux 2.6. Note that the current openvpn.spec file, which instructs the rpm tool how to build a package, will build OpenVPN with all options enabled, 
@@ -236,56 +260,15 @@ you edit the openvpn.spec file. TUN/TAP Driver Configuration: -* Linux 2.4 or higher (with integrated TUN/TAP driver): - - (1) make device node: mknod /dev/net/tun c 10 200 - (2a) add to /etc/modules.conf: alias char-major-10-200 tun - (2b) load driver: modprobe tun - (3) enable routing: echo 1 > /proc/sys/net/ipv4/ip_forward - - Note that either of steps (2a) or (2b) is sufficient. While (2a) - only needs to be done once per install, (2b) needs to be done once - per reboot. If you install from RPM (see above) and use the - openvpn.init script, these steps are taken care of for you. - -* Linux 2.2 or Solaris: +* Linux 2.6 or higher (with integrated TUN/TAP driver): - You should obtain - version 1.1 of the TUN/TAP driver from - http://vtun.sourceforge.net/tun/ - and follow the installation instructions. + (1) load driver: modprobe tun + (2) enable routing: echo 1 > /proc/sys/net/ipv4/ip_forward - If you use OpenVPN on Linux 2.2 or 2.4 or Solaris, you may be - suffering from a bug which causes connections to hang under heavy load. - The symptoms are very similar to the MTU problems discussed frequently - in the OpenVPN mailing lists. But it turns out that this bug is not caused by - MTU problems. It's a bug in the tun/tap driver. A patch is provided here: + Note that (1) needs to be done once per reboot. If you install from RPM (see + above) and use the openvpn.init script, these steps are taken care of for you. - http://openvpn.net/patch/tun-sb.patch - -* Solaris - - For 64 bit, I used the tun-1.1.tar.gz source and compiled it. - - Of course there is a but :) - In the tun-1-1\solaris\Makefile I changed a line so it compiles with 64 bit - - CFLAGS = $(DEFS) -m64 -O2 -Wall -D_KERNEL -I. - - I just added -m64 and it worked. - - The tun driver works fine as said previously, however we noticed there is a - minor problem when creating multiple tunnels on Solaris. 
- Mr Tycho Fruru changed the code in tun.c file where he locked the tun device - number to -1. This way it is impossible to specify the name of the tun device - but it is still possible to have multiple devices. - The modification will increment automatically meaning starting from tun0 ---> - tunX I know you are not responsible for the tun coding but if you think the - modification can be useful for you feel free to use it. - - http://openvpn.net/solaris/tun.c - -* FreeBSD 4.1.1+: +* FreeBSD: FreeBSD ships with the TUN/TAP driver, and the device nodes for tap0, tap1, tap2, tap3, tun0, tun1, tun2 and tun3 are made by default. 
@@ -303,41 +286,23 @@ TUN/TAP Driver Configuration: * OpenBSD: - OpenBSD ships with tun0 and tun1 installed by default on pre-3.5 systems, - while 3.5 and later have dynamically created tun* devices so you only need + OpenBSD has dynamically created tun* devices so you only need to create an empty /etc/hostname.tun0 (tun1, tun2 and so on) for each tun you plan to use to create the device(s) at boot. -* Mac OS X: - - 2005.02.13: Angelo Laub has developed a GUI for OS X: - - http://rechenknecht.net/OpenVPN-GUI/ - - 2004.10.26: Mattias Nissler has developed a new TUN/TAP driver for - MAC OS X: - - http://www-user.rhrk.uni-kl.de/~nissler/tuntap/ - - Christoph Pfisterer's old TUN driver can be obtained at - http://chrisp.de/en/projects/tunnel.html -- note that it - is no longer being maintained. +* Solaris: -* Solaris9 Sparc/64 + You need a TUN/TAP kernel driver for OpenVPN to work: - The kernel module for solaris - can be generated by adding the -m64 switch to a modern - gcc compiler (I'm using 3.2) The resulting kernel driver - needs to be manually copied to /kernel/drv/sparcv9/ and then a - reconfiguration reboot. (boot -r). + http://www.whiteboard.ne.jp/~admin2/tuntap/ -* Windows XP/2003/Vista +* Windows XP/2003/Vista/7: - See domake-win for building instructions. - See INSTALL-win32.txt for usage info. + OpenVPN on Windows needs a TUN/TAP kernel driver to work. OpenVPN installers + include this driver, so installing it separately is not usually required. + The driver source code is available here: - See the man page for more information, usage examples, and - information on firewall configuration. + https://github.com/OpenVPN/tap-windows ************************************************************************* diff --git a/openvpn/INSTALL-win32.txt b/openvpn/INSTALL-win32.txt index 1ef3869c..7c056858 100644 --- a/openvpn/INSTALL-win32.txt +++ b/openvpn/INSTALL-win32.txt 
@@ -46,3 +46,32 @@ the lower-right corner of the screen. Right click on the system tray icon, and a menu should appear showing the names of your OpenVPN configuration files, and giving you the option to connect. + +BUILDING OPENVPN FOR WINDOWS + +Official OpenVPN Windows releases are cross-compiled on Linux using the +openvpn-build buildsystem: + + https://community.openvpn.net/openvpn/wiki/BuildingUsingGenericBuildsystem + +First setup the build environment as shown in the above article. Then fetch the +openvpn-build repository: + + git clone https://github.com/OpenVPN/openvpn-build.git + +Review the build configuration: + + openvpn-build/generic/build.vars + openvpn-build/windows-nsis/build-complete.vars + +Build (unsigned): + + cd openvpn-build/windows-nsis + ./build-complete + +Build (signed): + + cd openvpn-build/windows-nsis + ./build-complete --sign --sign-pkcs12=\ + --sign-pkcs12-pass= \ + --sign-timestamp="" diff --git a/openvpn/README b/openvpn/README index 2c5e6f6f..349e08af 100644 --- a/openvpn/README +++ b/openvpn/README 
@@ -40,36 +40,33 @@ Other Files & Directories: * configure.ac -- script to rebuild our configure script and makefile. -* openvpn.spec -- RPM Spec file - To build an OpenVPN binary RPM, use the command: - - rpmbuild -tb [tarball] - - When you install the binary RPM, it will automatically - install sample-scripts/openvpn.init (see below) - -* sample-scripts/openvpn.init - - A sample init script for OpenVPN. See the file for - comments and additional information. - -* sample-scripts/verify-cn +* sample/sample-scripts/verify-cn A sample perl script which can be used with OpenVPN's --tls-verify option to provide a customized authentication test on embedded X509 certificate fields. -* sample-keys/ +* sample/sample-keys/ Sample RSA keys and certificates. DON'T USE THESE FILES FOR ANYTHING OTHER THAN TESTING BECAUSE THEY ARE TOTALLY INSECURE. -* sample-config-files/ +* sample/sample-config-files/ A collection of OpenVPN config files and scripts from the HOWTO at http://openvpn.net/howto.html -* easy-rsa/ +************************************************************************* + +Note that easy-rsa and tap-windows are now maintained in their own subprojects. +Their source code is available here: + + https://github.com/OpenVPN/easy-rsa + https://github.com/OpenVPN/tap-windows + +The old cross-compilation environment (domake-win) and the Python-based +buildsystem have been replaced with openvpn-build: + + https://github.com/OpenVPN/openvpn-build - A simple guide to RSA key management, scripts included. - Also see http://openvpn.net/easyrsa.html +See the INSTALL file for usage information. diff --git a/openvpn/configure.ac b/openvpn/configure.ac index 2f780b7a..ddd322c1 100644 --- a/openvpn/configure.ac +++ b/openvpn/configure.ac 
@@ -32,7 +32,7 @@ m4_include(compat.m4) AC_DEFINE([OPENVPN_VERSION_RESOURCE], [PRODUCT_VERSION_RESOURCE], [Version in windows resource format]) AC_CONFIG_AUX_DIR([.]) -AM_CONFIG_HEADER([config.h]) +AC_CONFIG_HEADERS([config.h]) AC_CONFIG_SRCDIR([src/openvpn/syshead.h]) AC_CONFIG_MACRO_DIR([m4]) AM_INIT_AUTOMAKE diff --git a/openvpn/doc/openvpn.8 b/openvpn/doc/openvpn.8 index d66bd665..2f6b32c4 100644 --- a/openvpn/doc/openvpn.8 +++ b/openvpn/doc/openvpn.8 @@ -346,20 +346,27 @@ block: .B connect-retry, .B connect-retry-max, .B connect-timeout, +.B explicit-exit-notify, .B float, +.B fragment, .B http-proxy, .B http-proxy-option, .B http-proxy-retry, .B http-proxy-timeout, +.B link-mtu, .B local, .B lport, +.B mssfix, +.B mtu-disc, .B nobind, .B port, .B proto, .B remote, .B rport, -.B socks-proxy, and -.B socks-proxy-retry. +.B socks-proxy, +.B socks-proxy-retry, +.B tun-mtu and +.B tun-mtu-extra. A defaulting mechanism exists for specifying options to apply to all @@ -3423,7 +3430,7 @@ the authenticated username as the common name, rather than the common name from the client cert. .\"********************************************************* .TP -.B \-\-compat\-names [no\-remapping] +.B \-\-compat\-names [no\-remapping] (DEPRECATED) Until OpenVPN v2.3 the format of the X.509 Subject fields was formatted like this: .IP 
@@ -3454,25 +3461,42 @@ characters in the usernames, X.509 Subject fields and Common Name variables and it complies to the RFC 2253, UTF\-8 String Representation of Distinguished Names. -As a backwards compatibility for the removed \-\-no\-name\-remapping feature in -older OpenVPN versions, the +The .B no\-remapping mode flag can be used with the .B \-\-compat\-names -option. -When this mode flag is used, the Common Name, Subject, and username strings are -allowed to include any printable character including space, but excluding -control characters such as tab, newline, and carriage-return. It ensures -compatibility with the -.B \-\-no\-name\-remapping -option of OpenVPN versions before v2.3. +option to be compatible with the now deprecated \-\-no\-name\-remapping option. +It is only available at the server. When this mode flag is used, the Common Name, +Subject, and username strings are allowed to include any printable character +including space, but excluding control characters such as tab, newline, and +carriage-return. no-remapping is only available on the server side. .B Please note: -This option will not be around for a long time. It is only implemented +This option is immediately deprecated. It is only implemented to make the transition to the new formatting less intrusive. It will be -removed either in OpenVPN v2.4 or v2.5. So please make sure you start -the process to support the new formatting as soon as possible. +removed either in OpenVPN v2.4 or v2.5. So please make sure you use the +.B \-\-verify-x509-name +option instead of +.B \-\-tls-remote +as soon as possible and update your scripts where necessary. +.\"********************************************************* +.TP +.B \-\-no\-name\-remapping (DEPRECATED) +The +.B \-\-no\-name\-remapping +option is an alias for +.B \-\-compat\-names\ no\-remapping. +It ensures compatibility with server configurations using the +.B \-\-no\-name\-remapping +option. + +.B Please note: +This option is now deprecated. 
It will be removed either in OpenVPN v2.4 +or v2.5. So please make sure you support the new X.509 name formatting +described with the +.B \-\-compat\-names +option as soon as possible. .\"********************************************************* .TP .B \-\-port-share host port [dir] @@ -4649,11 +4673,11 @@ is available via the peer_cert environment variable. Field in x509 certificate subject to be used as username (default=CN). .B Fieldname will be uppercased before matching. When this option is used, the ---tls-remote option will match against the chosen fieldname instead -of the CN. +.B \-\-verify-x509-username +option will match against the chosen fieldname instead of the CN. .\"********************************************************* .TP -.B \-\-tls-remote name +.B \-\-tls-remote name (DEPRECATED) Accept connections only from a host with X509 name or common name equal to .B name. 
@@ -4685,6 +4709,59 @@ option to verify the remote host, because works in a .B \-\-chroot environment too. + +.B Please also note: +This option is now deprecated. It will be removed either in OpenVPN v2.4 +or v2.5. So please make sure you support the new X.509 name formatting +described with the +.B \-\-compat-names +option as soon as possible by updating your configurations to use +.B \-\-verify-x509-name +instead. +.\"********************************************************* +.TP +.B \-\-verify-x509-name name type +Accept connections only if a host's X.509 name is equal to +.B name. +The remote host must also pass all other tests of verification. + +Which X.509 name is compared to +.B name +depends on the setting of type. +.B type +can be "subject" to match the complete subject DN (default), +"name" to match a subject RDN or "name-prefix" to match a subject RDN prefix. +Which RDN is verified as name depends on the +.B \-\-x509-username-field +option. But it defaults to the common name (CN), e.g. a certificate with a +subject DN "C=KG, ST=NA, L=Bishkek, CN=Server-1" would be matched by: + +.B \-\-verify-x509-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1' +and +.B \-\-verify-x509-name Server-1 name +or you could use +.B \-\-verify-x509-name Server- name-prefix +if you want a client to only accept connections to "Server-1", "Server-2", etc. + +.B \-\-verify-x509-name +is a useful replacement for the +.B \-\-tls-verify +option to verify the remote host, because +.B \-\-verify-x509-name +works in a +.B \-\-chroot +environment without any dependencies. + +Using a name prefix is a useful alternative to managing +a CRL (Certificate Revocation List) on the client, since it allows the client +to refuse all certificates except for those associated +with designated servers. + +.B NOTE: +Test against a name prefix only when you are using OpenVPN with +a custom CA certificate that is under your control. 
+Never use this option with type "name-prefix" when your client certificates +are signed by a third party, such as a commercial web CA. .\"********************************************************* .TP .B \-\-x509-track attribute @@ -4722,7 +4799,7 @@ a man-in-the-middle attack where an authorized client attempts to connect to another client by impersonating the server. The attack is easily prevented by having clients verify the server certificate using any one of -.B \-\-ns-cert-type, \-\-tls-remote, +.B \-\-ns-cert-type, \-\-verify-x509-name, or .B \-\-tls-verify. .\"********************************************************* @@ -4780,7 +4857,7 @@ a man-in-the-middle attack where an authorized client attempts to connect to another client by impersonating the server. The attack is easily prevented by having clients verify the server certificate using any one of -.B \-\-remote-cert-tls, \-\-tls-remote, +.B \-\-remote-cert-tls, \-\-verify-x509-name, or .B \-\-tls-verify. .\"********************************************************* diff --git a/openvpn/src/openvpn/init.c b/openvpn/src/openvpn/init.c index 28121235..be2ca9df 100644 --- a/openvpn/src/openvpn/init.c +++ b/openvpn/src/openvpn/init.c @@ -2236,7 +2236,8 @@ do_init_crypto_tls (struct context *c, const unsigned int flags) to.verify_command = options->tls_verify; to.verify_export_cert = options->tls_export_cert; - to.verify_x509name = options->tls_remote; + to.verify_x509_type = (options->verify_x509_type & 0xff); + to.verify_x509_name = options->verify_x509_name; to.crl_file = options->crl_file; to.ssl_flags = options->ssl_flags; to.ns_cert_type = options->ns_cert_type; 
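Review bot: `to.verify_x509_type = (options->verify_x509_type & 0xff);` strips the 0x100 marker that ssl_verify.h's TLS_REMOTE_* values carry, but the mask is a bare magic number with no link to the definitions it undoes, so a reader of this line has to open ssl_verify.h to learn why the upper byte is discarded. Name the relationship where the marker is defined and use it here, e.g. `to.verify_x509_type = (options->verify_x509_type & VERIFY_X509_TYPE_MASK); /* TLS_REMOTE_* -> VERIFY_X509_* */` with the mask (a proposed name) defined next to the TLS_REMOTE_* macros. As far as this hunk shows, the masked value is the only thing verify_peer_cert ever sees, so the marker must stay confined to option parsing; a one-line comment saying so would keep future callers from passing the unmasked value. do_init_crypto_tls starts and ends outside the hunk.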
@@ -2498,12 +2499,10 @@ do_option_warnings (struct context *c) warn_on_use_of_common_subnets (); if (o->tls_client && !o->tls_verify - && !o->tls_remote + && o->verify_x509_type == VERIFY_X509_NONE && !(o->ns_cert_type & NS_CERT_CHECK_SERVER) && !o->remote_cert_eku) msg (M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info."); - if (o->tls_remote) - msg (M_WARN, "WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page)."); #endif #endif diff --git a/openvpn/src/openvpn/options.c b/openvpn/src/openvpn/options.c index 64c81cf2..8f0112ad 100644 --- a/openvpn/src/openvpn/options.c +++ b/openvpn/src/openvpn/options.c @@ -614,8 +614,8 @@ static const char usage_message[] = "--tls-export-cert [directory] : Get peer cert in PEM format and store it \n" " in an openvpn temporary file in [directory]. Peer cert is \n" " stored before tls-verify script execution and deleted after.\n" - "--tls-remote x509name: Accept connections only from a host with X509 name\n" - " x509name. The remote host must also pass all other tests\n" + "--verify-x509-name name: Accept connections only from a host with X509 subject\n" + " DN name. The remote host must also pass all other tests\n" " of verification.\n" "--ns-cert-type t: Require that peer certificate was signed with an explicit\n" " nsCertType designation t = 'client' | 'server'.\n" @@ -1599,7 +1599,8 @@ show_settings (const struct options *o) SHOW_STR (cipher_list); SHOW_STR (tls_verify); SHOW_STR (tls_export_cert); - SHOW_STR (tls_remote); + SHOW_INT (verify_x509_type); + SHOW_STR (verify_x509_name); SHOW_STR (crl_file); SHOW_INT (ns_cert_type); { 
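Review bot: The new usage line `"--verify-x509-name name: Accept connections only from a host with X509 subject\n"` documents only the one-argument form, while add_option accepts a second `type` argument (`subject`, `name`, `name-prefix`) that changes what is compared, so `--help` describes a narrower option than the one implemented. Suggest `"--verify-x509-name name [type]: Accept connections only from a host with X509 subject\n"` and a following line such as `" DN name. type is 'subject' (default), 'name' or 'name-prefix'.\n"`. The usage_message string literal continues outside the hunk on both sides.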
@@ -2115,7 +2116,6 @@ options_postprocess_verify_ce (const struct options *options, const struct conne if (options->stale_routes_check_interval) msg (M_USAGE, "--stale-routes-check requires --mode server"); - if (compat_flag (COMPAT_FLAG_QUERY | COMPAT_NO_NAME_REMAPPING)) msg (M_USAGE, "--compat-x509-names no-remapping requires --mode server"); } @@ -2287,7 +2287,7 @@ options_postprocess_verify_ce (const struct options *options, const struct conne MUST_BE_UNDEF (cipher_list); MUST_BE_UNDEF (tls_verify); MUST_BE_UNDEF (tls_export_cert); - MUST_BE_UNDEF (tls_remote); + MUST_BE_UNDEF (verify_x509_name); MUST_BE_UNDEF (tls_timeout); MUST_BE_UNDEF (renegotiate_bytes); MUST_BE_UNDEF (renegotiate_packets); @@ -3746,9 +3746,13 @@ read_config_file (struct options *options, line_num = 0; while (fgets(line, sizeof (line), fp)) { + int offset = 0; CLEAR (p); ++line_num; - if (parse_line (line, p, SIZE (p), file, line_num, msglevel, &options->gc)) + /* Ignore UTF-8 BOM at start of stream */ + if (line_num == 1 && strncmp (line, "\xEF\xBB\xBF", 3) == 0) + offset = 3; + if (parse_line (line + offset, p, SIZE (p), file, line_num, msglevel, &options->gc)) { bypass_doubledash (&p[0]); check_inline_file_via_fp (fp, p, &options->gc); @@ -5474,13 +5478,6 @@ add_option (struct options *options, VERIFY_PERMISSION (OPT_P_GENERAL); options->ssl_flags |= SSLF_AUTH_USER_PASS_OPTIONAL; } - else if (streq (p[0], "compat-names")) - { - VERIFY_PERMISSION (OPT_P_GENERAL); - compat_flag (COMPAT_FLAG_SET | COMPAT_NAMES); - if (p[1] && streq (p[1], "no-remapping")) - compat_flag (COMPAT_FLAG_SET | COMPAT_NO_NAME_REMAPPING); - } else if (streq (p[0], "opt-verify")) { VERIFY_PERMISSION (OPT_P_GENERAL); 
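Review bot: The BOM check `if (line_num == 1 && strncmp (line, "\xEF\xBB\xBF", 3) == 0)` hard-codes the byte sequence and its length as two separate literals that must be kept in agreement, and `memcmp` is the natural call for comparing raw bytes. Consider `static const char utf8_bom[] = "\xEF\xBB\xBF";` at file scope and `if (line_num == 1 && memcmp (line, utf8_bom, sizeof utf8_bom - 1) == 0) offset = (int) (sizeof utf8_bom - 1);` so the length follows the constant. `strncmp` is only safe here because none of the three bytes is NUL and `line` from fgets is always terminated; if it stays, a comment should say so. read_config_file starts and ends outside the hunk.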
@@ -6426,10 +6423,100 @@ add_option (struct options *options, options->tls_export_cert = p[1]; } #endif + else if (streq (p[0], "compat-names")) + { + VERIFY_PERMISSION (OPT_P_GENERAL); + if (options->verify_x509_type != VERIFY_X509_NONE && + options->verify_x509_type != TLS_REMOTE_SUBJECT_DN && + options->verify_x509_type != TLS_REMOTE_SUBJECT_RDN_PREFIX) + { + msg (msglevel, "you cannot use --compat-names with --verify-x509-name"); + goto err; + } + msg (M_WARN, "DEPRECATED OPTION: --compat-names, please update your configuration"); + compat_flag (COMPAT_FLAG_SET | COMPAT_NAMES); +#if P2MP_SERVER + if (p[1] && streq (p[1], "no-remapping")) + compat_flag (COMPAT_FLAG_SET | COMPAT_NO_NAME_REMAPPING); + } + else if (streq (p[0], "no-name-remapping")) + { + VERIFY_PERMISSION (OPT_P_GENERAL); + if (options->verify_x509_type != VERIFY_X509_NONE && + options->verify_x509_type != TLS_REMOTE_SUBJECT_DN && + options->verify_x509_type != TLS_REMOTE_SUBJECT_RDN_PREFIX) + { + msg (msglevel, "you cannot use --no-name-remapping with --verify-x509-name"); + goto err; + } + msg (M_WARN, "DEPRECATED OPTION: --no-name-remapping, please update your configuration"); + compat_flag (COMPAT_FLAG_SET | COMPAT_NAMES); + compat_flag (COMPAT_FLAG_SET | COMPAT_NO_NAME_REMAPPING); +#endif + } else if (streq (p[0], "tls-remote") && p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); - options->tls_remote = p[1]; + + if (options->verify_x509_type != VERIFY_X509_NONE && + options->verify_x509_type != TLS_REMOTE_SUBJECT_DN && + options->verify_x509_type != TLS_REMOTE_SUBJECT_RDN_PREFIX) + { + msg (msglevel, "you cannot use --tls-remote with --verify-x509-name"); + goto err; + } + msg (M_WARN, "DEPRECATED OPTION: --tls-remote, please update your configuration"); + + if (strlen (p[1])) + { + int is_username = (!strchr (p[1], '=') || !strstr (p[1], ", ")); + int type = TLS_REMOTE_SUBJECT_DN; + if (p[1][0] != '/' && is_username) + type = TLS_REMOTE_SUBJECT_RDN_PREFIX; + + /* + * Enable legacy openvpn format 
for DNs that have not been converted + * yet and --x509-username-field (not containing an '=' or ', ') + */ + if (p[1][0] == '/' || is_username) + compat_flag (COMPAT_FLAG_SET | COMPAT_NAMES); + + options->verify_x509_type = type; + options->verify_x509_name = p[1]; + } + } + else if (streq (p[0], "verify-x509-name") && p[1] && strlen (p[1])) + { + int type = VERIFY_X509_SUBJECT_DN; + VERIFY_PERMISSION (OPT_P_GENERAL); + if (options->verify_x509_type == TLS_REMOTE_SUBJECT_DN || + options->verify_x509_type == TLS_REMOTE_SUBJECT_RDN_PREFIX) + { + msg (msglevel, "you cannot use --verify-x509-name with --tls-remote"); + goto err; + } + if (compat_flag (COMPAT_FLAG_QUERY | COMPAT_NAMES)) + { + msg (msglevel, "you cannot use --verify-x509-name with " + "--compat-names or --no-name-remapping"); + goto err; + } + if (p[2]) + { + if (streq (p[2], "subject")) + type = VERIFY_X509_SUBJECT_DN; + else if (streq (p[2], "name")) + type = VERIFY_X509_SUBJECT_RDN; + else if (streq (p[2], "name-prefix")) + type = VERIFY_X509_SUBJECT_RDN_PREFIX; + else + { + msg (msglevel, "unknown X.509 name type: %s", p[2]); + goto err; + } + } + options->verify_x509_type = type; + options->verify_x509_name = p[1]; } else if (streq (p[0], "ns-cert-type") && p[1]) { diff --git a/openvpn/src/openvpn/options.h b/openvpn/src/openvpn/options.h index 909cb38a..e5de2f10 100644 --- a/openvpn/src/openvpn/options.h +++ b/openvpn/src/openvpn/options.h @@ -510,8 +510,9 @@ struct options const char *pkcs12_file; const char *cipher_list; const char *tls_verify; + int verify_x509_type; + const char *verify_x509_name; const char *tls_export_cert; - const char *tls_remote; const char *crl_file; const char *ca_file_inline; diff --git a/openvpn/src/openvpn/proxy.c b/openvpn/src/openvpn/proxy.c index 17748504..b4c917a8 100644 --- a/openvpn/src/openvpn/proxy.c +++ b/openvpn/src/openvpn/proxy.c 
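Review bot: The `#if P2MP_SERVER` opened inside the `compat-names` branch is not closed until after the closing brace of the `no-name-remapping` branch, so the `}` that ends `compat-names` and the entire second `else if` sit inside the conditional block and the brace structure differs between the two build configurations; it compiles, but it is fragile under the next edit. Close the first `#if P2MP_SERVER` right after the `no-remapping` check and wrap the `no-name-remapping` branch in its own `#if P2MP_SERVER`/`#endif` so each branch is self-contained. Note too that in a non-server build `--compat-names no-remapping` is then accepted with the flag silently ignored, as far as this hunk shows, because the mode-server check in options_postprocess_verify_ce only fires once the flag is set. Separately, the `--tls-remote` mapping guesses the type from the argument's shape via `is_username`, so a single-RDN subject such as `CN=host` (contains '=' but no ', ') becomes an RDN prefix rather than a full-DN match, which may not be what existing configurations expect; a comment stating the intended interpretation would help. add_option continues outside the hunk on both sides.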
@@ -499,7 +499,7 @@ establish_http_proxy_passthru (struct http_proxy_info *p, { struct gc_arena gc = gc_new (); char buf[512]; - char buf2[128]; + char buf2[129]; char get[80]; int status; int nparms; @@ -622,7 +622,7 @@ establish_http_proxy_passthru (struct http_proxy_info *p, openvpn_snprintf (get, sizeof get, "%%*s NTLM %%%ds", (int) sizeof (buf2) - 1); nparms = sscanf (buf, get, buf2); - buf2[127] = 0; /* we only need the beginning - ensure it's null terminated. */ + buf2[128] = 0; /* we only need the beginning - ensure it's null terminated. */ /* check for "Proxy-Authenticate: NTLM TlRM..." */ if (nparms == 1) diff --git a/openvpn/src/openvpn/ssl_common.h b/openvpn/src/openvpn/ssl_common.h index cb259a96..c62294f5 100644 --- a/openvpn/src/openvpn/ssl_common.h +++ b/openvpn/src/openvpn/ssl_common.h @@ -245,7 +245,8 @@ struct tls_options /* cert verification parms */ const char *verify_command; const char *verify_export_cert; - const char *verify_x509name; + int verify_x509_type; + const char *verify_x509_name; const char *crl_file; int ns_cert_type; unsigned remote_cert_ku[MAX_PARMS]; diff --git a/openvpn/src/openvpn/ssl_verify.c b/openvpn/src/openvpn/ssl_verify.c index cac46e98..e651a8e0 100644 --- a/openvpn/src/openvpn/ssl_verify.c +++ b/openvpn/src/openvpn/ssl_verify.c 
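Review bot: `buf2[128] = 0;` hard-codes the last index of `buf2` a second time, which is exactly the coupling that produced the off-by-one this change fixes (the `%%%ds` width is already derived from `sizeof buf2`, but the terminator index was not). Write it as `buf2[sizeof buf2 - 1] = 0;` so the declaration is the single source of truth. With the resulting `%128s` conversion sscanf writes at most 128 characters plus a NUL into the 129-byte array, so the explicit terminator is now a safety net rather than a requirement, and the comment could say so. establish_http_proxy_passthru continues outside both hunks.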
@@ -369,16 +369,21 @@ verify_peer_cert(const struct tls_options *opt, openvpn_x509_cert_t *peer_cert, #endif /* OPENSSL_VERSION_NUMBER */ - /* verify X509 name or common name against --tls-remote */ - if (opt->verify_x509name && strlen (opt->verify_x509name) > 0) + /* verify X509 name or username against --verify-x509-[user]name */ + if (opt->verify_x509_type != VERIFY_X509_NONE) { - if (strcmp (opt->verify_x509name, subject) == 0 - || strncmp (opt->verify_x509name, common_name, strlen (opt->verify_x509name)) == 0) + if ( (opt->verify_x509_type == VERIFY_X509_SUBJECT_DN + && strcmp (opt->verify_x509_name, subject) == 0) + || (opt->verify_x509_type == VERIFY_X509_SUBJECT_RDN + && strcmp (opt->verify_x509_name, common_name) == 0) + || (opt->verify_x509_type == VERIFY_X509_SUBJECT_RDN_PREFIX + && strncmp (opt->verify_x509_name, common_name, + strlen (opt->verify_x509_name)) == 0) ) msg (D_HANDSHAKE, "VERIFY X509NAME OK: %s", subject); else { msg (D_HANDSHAKE, "VERIFY X509NAME ERROR: %s, must be %s", - subject, opt->verify_x509name); + subject, opt->verify_x509_name); return FAILURE; /* Reject connection */ } } diff --git a/openvpn/src/openvpn/ssl_verify.h b/openvpn/src/openvpn/ssl_verify.h index 1d201523..e0bcba42 100644 --- a/openvpn/src/openvpn/ssl_verify.h +++ b/openvpn/src/openvpn/ssl_verify.h @@ -62,6 +62,12 @@ struct cert_hash_set { struct cert_hash *ch[MAX_CERT_DEPTH]; /**< Array of certificate hashes */ }; +#define VERIFY_X509_NONE 0 +#define VERIFY_X509_SUBJECT_DN 1 +#define VERIFY_X509_SUBJECT_RDN 2 +#define VERIFY_X509_SUBJECT_RDN_PREFIX 3 +#define TLS_REMOTE_SUBJECT_DN 1 + 0x100 +#define TLS_REMOTE_SUBJECT_RDN_PREFIX 3 + 0x100 #define TLS_AUTHENTICATION_SUCCEEDED 0 #define TLS_AUTHENTICATION_FAILED 1 diff --git a/openvpn/src/openvpn/syshead.h b/openvpn/src/openvpn/syshead.h index 163d2bb2..db02c237 100644 --- a/openvpn/src/openvpn/syshead.h +++ b/openvpn/src/openvpn/syshead.h 
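Review bot: The failure branch logs `subject` against `opt->verify_x509_name` for every type, but for VERIFY_X509_SUBJECT_RDN and VERIFY_X509_SUBJECT_RDN_PREFIX the operand actually compared was `common_name`, so a name-prefix mismatch is reported as the full DN next to a prefix that was never compared with it. Log the value that was tested, e.g. `(opt->verify_x509_type == VERIFY_X509_SUBJECT_DN) ? subject : common_name` in place of `subject` in the error message. The three-way `||` chain would also read better as a `switch (opt->verify_x509_type)` whose `default:` rejects, making the fail-closed handling of an unexpected type value explicit rather than a side effect of no clause matching. verify_peer_cert starts before and continues after the hunk.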
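Review bot: `#define TLS_REMOTE_SUBJECT_DN 1 + 0x100` and `#define TLS_REMOTE_SUBJECT_RDN_PREFIX 3 + 0x100` are unparenthesized expression macros; the `==`/`!=` comparisons in options.c happen to work because `+` binds tighter, but any use under `&`, `*` or a cast will mis-evaluate silently. Parenthesize and derive them from the values they alias so the 0x100 marker has one definition: `#define TLS_REMOTE_SUBJECT_DN (VERIFY_X509_SUBJECT_DN | 0x100)` and `#define TLS_REMOTE_SUBJECT_RDN_PREFIX (VERIFY_X509_SUBJECT_RDN_PREFIX | 0x100)`. A short comment stating that the marker bit is stripped before the value reaches struct tls_options (init.c masks with 0xff) would explain to a reader why verify_peer_cert never tests the TLS_REMOTE_* values.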
@@ -307,6 +307,10 @@ #include #endif +#ifdef HAVE_NETINET_TCP_H +#include +#endif + #ifdef HAVE_NET_IF_TUN_H #include #endif -- cgit v1.2.3