[Openvpn-devel] [PATCH 01/10] Added "remote-override" config directive.

2016-03-03 Thread James Yonan
remote-override -- replace the hostname in all remote directives with alt-remote. Merged from OpenVPN 2.1 Signed-off-by: James Yonan --- doc/openvpn.8 | 5 + src/openvpn/options.c | 8 +++- src/openvpn/options.h | 2 ++ 3 files changed, 14 insertions(+), 1

[Openvpn-devel] [PATCH 02/10] Added PIP_OPT_MASK for process_ip_header fast exit path.

2016-03-03 Thread James Yonan
Define PIP_OPT_MASK to represent all flags of interest to process_ip_header, so that it can have a fast exit path if no flags are set. Merged from OpenVPN 2.1 Signed-off-by: James Yonan --- src/openvpn/forward.c | 8 +--- src/openvpn/forward.h | 4 +++- 2 files changed,

[Openvpn-devel] [PATCH 03/10] tls_serial_{n} value should be distinguishable as hex or decimal.

2016-03-03 Thread James Yonan
To accomplish this, prepend 'x' before hex serial numbers, so they can be distinguished from decimal serial numbers. For example: tls_serial_1 = "x4D:9B:7C:94" is equivalent to: tls_serial_1 = "1302035604" Currently, only PolarSSL generates hex serial numbers while OpenSSL returns decimal

[Openvpn-devel] [PATCH 04/10] Added flags parameter to format_hex_ex.

2016-03-03 Thread James Yonan
We add the flags parameter without changing the signature of the function by repurposing the space_break parameter into space_break_flags where the lower 8 bits are used for the previous space_break parameter and the higher bits are used for flag values. Added new flag FHE_CAPS that formats the

[Openvpn-devel] [PATCH 05/10] Extended x509-track for OpenSSL to report SHA1 fingerprint.

2016-03-03 Thread James Yonan
For example: x509-track "+SHA1" will extract the SHA1 fingerprints for all certs in the peer chain. This patch is ported from OpenVPN 2.1. Signed-off-by: James Yonan --- src/openvpn/ssl_verify_openssl.c | 114 +-- 1 file changed, 74

[Openvpn-devel] [PATCH 06/10] PolarSSL x509_get_sha1_hash now returns correct SHA1 fingerprint.

2016-03-03 Thread James Yonan
Signed-off-by: James Yonan --- src/openvpn/ssl_verify_polarssl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/ssl_verify_polarssl.c b/src/openvpn/ssl_verify_polarssl.c index e87d2e2..9d0d086 100644 --- a/src/openvpn/ssl_verify_polarssl.c +++

[Openvpn-devel] [PATCH 07/10] Implemented x509-track for PolarSSL.

2016-03-03 Thread James Yonan
Signed-off-by: James Yonan --- src/openvpn/ssl_verify_polarssl.c | 166 ++ src/openvpn/syshead.h | 2 +- 2 files changed, 167 insertions(+), 1 deletion(-) diff --git a/src/openvpn/ssl_verify_polarssl.c

[Openvpn-devel] [PATCH 08/10] Added ./configure flag to disable user-defined scripts.

2016-03-03 Thread James Yonan
Added ./configure --disable-scripts build flag to ignore the "script-security" directive in configs. This can be used to prevent configs from raising the script-security level to allow user-defined script execution. At the C level, script support is enabled by: /* Enable user-defined

[Openvpn-devel] [PATCH 09/10] Added directive to specify HTTP proxy credentials in config.

2016-03-03 Thread James Yonan
The inline directive http-proxy-user-pass can be used to specify proxy credentials in config, e.g.: http-proxy proxy.tld 3128 auto-nct foo bar This usage is already supported by OpenVPN 3. Signed-off-by: James Yonan --- src/openvpn/misc.c| 8

[Openvpn-devel] [PATCH 10/10] Bind to local socket before dropping privileges

2016-03-03 Thread James Yonan
Bind the local TCP/UDP socket before UID/GID downgrade, otherwise we cannot bind to ports < 1024. Signed-off-by: James Yonan --- src/openvpn/init.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index

[Openvpn-devel] [PATCH] hardening: add safe FD_SET() wrapper openvpn_fd_set()

2016-03-03 Thread steffan.karger
From: Steffan Karger On many platforms (not Windows, for once), FD_SET() can write outside the given fd_set if an fd >= FD_SETSIZE is given. To make sure we don't do that, add an ASSERT() to error out with a clear error message when this does happen. This patch was

[Openvpn-devel] manpage oddity

2016-03-03 Thread Jan Just Keijser
Hi, the openvpn man page section on environment variables lists local The --local parameter. Set on program initiation and reset on SIGHUP. local_port The local port number, specified by --port or --lport. Set on program initiation and reset on SIGHUP. and

Re: [Openvpn-devel] manpage oddity

2016-03-03 Thread Gert Doering
Hi, On Thu, Mar 03, 2016 at 05:13:01PM +0100, Jan Just Keijser wrote: > and a few others. However, the actual name of these env vars is local_N, > local_port_N etc. I've checked the code and that has been the case > since v2.1 > > Two questions: > - why are we adding the number? per

Re: [Openvpn-devel] Handling bitness (32/64) for OpenVPN Windows installers

2016-03-03 Thread ValdikSS
On 02/17/2016 06:16 PM, Samuli Seppänen wrote: > I don't think there are many (any?) 32-bit Windows operating systems > being bundled with new computers. The reason why Microsoft backpedaled > on dropping 32-bit support in Windows 10 seemed to be their free upgrade > program: they wanted the

[Openvpn-devel] Pushing multiple certificates from server

2016-03-03 Thread ValdikSS
Hello everyone, I'm trying to leisurely move from an old existing 1024 bit CA to a new 4096 bit one without a hassle for clients. From an X.509 perspective it shouldn't be a problem, and I already have the new CA self-signed and cross-signed with the old CA, it should work just fine. While there's no