Selva Nair [Sun, 14 Feb 2016 17:28:01 +0000 (12:28 -0500)]
Send stdout and stderr of OpenVPN started by interactive service to NUL
Currently the service directs stdout/stderr of openvpn process to a pipe.
The
service never reads from it unless the process exits with an error. This
causes
the process to hang when large amount of log is written to stdout.
- Direct stdout/stderr to NUL
- Write the exit code (if nonzero) to the event log
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1455470881-32341-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11161 Signed-off-by: Gert Doering <gert@greenie.muc.de>
ValdikSS [Fri, 15 Jan 2016 23:35:38 +0000 (02:35 +0300)]
Update --block-outside-dns to work on Windows Vista
Windows Vista doesn't support non-equal matching of application name, it
is available only since Windows 7.
This commit splits 2 filtering conditions with non-equal matching to 2
filters each with 1 filtering condition: permit IPv4 (first filter)
and IPv6 (second filter) port 53 traffic from openvpn.exe instead
of blocking all non-openvpn.exe traffic on port 53 for both protocols.
Selva Nair [Sat, 20 Feb 2016 03:13:08 +0000 (22:13 -0500)]
Restrict options/configs for startup through interactive service
Windows only:
- Allow only a set of whitelisted options in the command line options
passed by
interactive service clients unless
(i) user is the local Adminsitrator group
AND/OR
(ii) in a predefined group (see below)
Only the group membership is checked, the client process need not be
running with
any elevated privileges available to those groups.
- Restrict config files to config_dir or it sub directories unless (i)
and/or (ii) above
is true (config_dir is as defined in HKLM\Software\OpenVPN\config_dir)
- The predefined group may be set in the registry
HKLM\Software\OpenVPN\ovpn_admin_group
(default: "OpenVPN Administrators")
- The white-list of options is a simple flat array of option strings
(without leading --)
defined in validate.c
- Further options may be added to the whitelist without breaking the GUI
-- the startup
data is passed from the GUI to the service the same way as before.
Notes to GUI developers:
(i) If the user is an administrator, the service will grant all privileges
even if
the GUI is not running elevated. This is practically equivalent to
'highestAvailable' without the risks of running the GUI elevated.
(ii) If the option checks fail, openvpn is not started, but an error
message
is passed back to the service pipe and written to event log. Currently the
GUI does
not read from the service pipe -- this needs fixing.
v2 changes:
- checked non-unicode build and fixed an error -- in case anyone builds
non-unicode
- added an info message to event log when user auth succeeds
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1455937988-12414-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11225 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Mon, 22 Feb 2016 14:24:06 +0000 (15:24 +0100)]
Clean up get_tls_handhake_key()
This function has *much* more code than required. This commit cleans up
the function:
* Merge the handling of inline and non-inline code.
* Don't double-check key.2, since must_have_n_keys() already does that
(but keep the message about dropped passphrase support in 2.4).
* Remove stale references to 'passphrase' - we no longer support those
This commit should not change any behaviour except for log messages.
v2: Leave message about dropped passphrase support in place - this option
was dropped in 2.4, so it is indeed better to be clear about it.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1456151046-16047-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11238 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Sun, 21 Feb 2016 01:08:11 +0000 (02:08 +0100)]
Minor AEAD patch cleanup
* Remove stale function declaration.
This slipped into the AEAD cipher modes patch, but the function is
now implemented as a static function is ssl.c.
* Add ASSERT() to ensure frame is not NULL.
* Fix "ENCRYPT TO" log message in openvpn_encrypt_aead().
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1456016892-8671-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11233 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Mon, 15 Feb 2016 20:07:11 +0000 (21:07 +0100)]
Add preliminary server-side support for negotiable crypto parameters
Add preliminary support for Negotiable Crypto Parameters 'level 2'
(IV_NCP=2), as proposed by James Yonan on the openvpn-devel mailinglist:
http://comments.gmane.org/gmane.network.openvpn.devel/9385
This patch makes a server push a 'cipher XXX' directive to the client,
if the client advertises "IV_NCP=2", where XXX is the cipher set in the
server config file.
This enables clients that have support for IV_NCP to connect to a
server, even when the client does not have the correct cipher specified
in it's config file.
Since pushing the cipher directive is quite similar to pushing peer-id,
I moved peer-id pushing to the same prepare_push_reply() function I
created for pushing cipher. Adding these directives as regular push
options allows us to use the existing 'push-continuation'
infrastructure. Note that we should not reduce safe_cap in
send_push_reply, because it was never increased to account for peer-id.
This is a preliminary patch, which will be followed by more patches to
add client support, and configurability.
v2:
* Reword doxygen of push_options_fmt()
* No longer push IV_NCP as a server
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <CAA1Abx+gSgFH3=+xO6QN4NDAYwf8jctYhe8VyRxD8e1L=D6LWg@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11170 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Sat, 24 Oct 2015 14:44:09 +0000 (16:44 +0200)]
Add AEAD cipher support (GCM)
Add Authenticated Encryption with Additional Data (AEAD) support for
ciphers, which removes the need for a separate HMAC step. The MAC is
integrated into the cipher and the MAC tag is prepended to the payload.
This patch is inspired by the patch originally submitted by Kenny Root
on the openvpn-devel mailinglist, but does a number things differently:
* Don't support XTS (makes no sense for VPN)
* Don't support CCM (needs extra code to make it actually work)
* Don't force the user to specify "auth none" (that would break
tls-auth)
* Add support for PolarSSL (and change internal API for this)
* Update openvpn frame size ('link mtu') calculation for AEAD modes
* Use the HMAC key as an implicit part of the IV to save 8 bytes per
data channel network packet.
* Also authenticate the opcode/peer-id as AD in P_DATA_V2 packets.
By using the negotiated HMAC key as an implicit part of the IV for
AEAD-mode ciphers in TLS mode, we can save (at least) 8 bytes on each
packet sent. This is particularly interesting for connections which
transfer many small packets, such as remote desktop or voip connections.
The current AEAD-mode ciphers (for now GCM) are based on CTR-mode cipher
operation, which requires the IV to be unique (but does not require
unpredictability).
IV uniqueness is guaranteed by using a combination of at least 64-bits
of the HMAC key (unique per TLS session), and a 32-bit packet counter.
The last 32-bit word of the 128-bit cipher block is not part of the IV,
but is used as a block counter.
AEAD cipher mode is not available for static key mode, since IV
uniqueness is harder the guarantee over sessions, and I believe
supporting AEAD in static key mode too is not worth the extra
complexity. Modern setups should simply use TLS mode.
OpenSSL 1.0.1-1.0.1c will not work with AEAD mode, because those
versions have an unnecessary check that fails to update the cipher if
the tag was not already set. 1.0.1d, which fixes that, was released in
February 2013. People should have updated, and distros should have
backported the fix by now.
Changes in v2:
* Remove extra code that was just for making OpenSSL 1.0.1-1.0.1c work
in AEAD mode.
* Do not make AEAD support configurable in ./configure.
* Get rid of '12' magic constant in openvpn_encrypt_aead().
* Update manpage to explain that --auth is ignored for the data channel
when using an AEAD cipher.
* Move setting the IV in AEAD cipher modes to the IV generation code.
This is a more natural place and now we can pull iv[] into the IV
generation scope.
* Read packet ID directly from packet buffer instead of from iv buffer,
to remove the need for an extra buffer.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <CAA1AbxL_S4umZr5Nd0VTvUvXEHjoWmji18GqM6FgmWqntOKqaA@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11162 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Leonardo Basilio [Wed, 10 Feb 2016 10:19:39 +0000 (11:19 +0100)]
Correctly report TCP connection timeout on windows.
On nonblocking TCP connects, we set status = ETIMEOUT on failure.
On windows, depending on which header files are included, ETIMEOUT
is defined differently, and this leads to incomprehensible error
messages - so, always use WSAETIMEDOUT here.
Trac #651
Signed-off-by: Leonardo Basilio <leobasilio@gmail.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <CACqLfMnBXwSY=MXyc7B1oMKwYE2Z_49G3mpkEPxbSAuG61tgZA@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11085 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Sun, 7 Feb 2016 19:47:14 +0000 (20:47 +0100)]
Change openvpn_encrypt() to append to work buffer only
Preparation for AEAD cipher modes, which also have to authenticate the
opcode and peer-id of packets. To supply that information to
openvpn_encrypt(), I want to simply write those to the work buffer
before calling openvpn_encrypt(). That however requires that
openvpn_encrypt() never prepends something to the work buffer.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1454874438-5081-7-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11074 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Sun, 7 Feb 2016 19:47:12 +0000 (20:47 +0100)]
Move key_ctx_bi into crypto_options
The encrypt and decrypt routines use struct crypto_options as their main
information source. A struct crypto_options would have a pointer to a
struct key_ctx_bi, which had to be updated at the correct moments to keep
them correct. Instead of doing this administration, just put the struct
key_ctx_bi inside crypto_options. Makes the code a little simpler too.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1454874438-5081-5-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11078 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Sun, 7 Feb 2016 19:47:11 +0000 (20:47 +0100)]
Move crypto_options into key_state and stop using context in SSL-mode.
Moving crypto_options into key_state enables us to stop using the global
context for each packet encrypt/decrypt operation. Decoupling the crypto
from the global context removes the need to copy the relevant parts of
crypto_options for each processed packet, but instead enables us to just
pass along a pointer to the related crypto_options.
This paves the way for an efficient GCM cipher mode implementation, but is
probably fruitful too for threading and/or cipher negotiation.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1454874438-5081-4-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11075 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Sun, 7 Feb 2016 19:47:10 +0000 (20:47 +0100)]
Remove reuse of key_type during init of data channel auth and tls-auth
Prepare for using AEAD cipher modes + tls-auth, as tls-auth might want to
use an HMAC, while the data channel uses e.g. GCM tags. This separates
the two initialisations. Also, error out (and give a clear error message)
if a user specifies tls-auth but no valid auth algorithm, which makes no
sense at all.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1454874438-5081-3-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11073 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Tue, 26 Jan 2016 19:11:48 +0000 (20:11 +0100)]
interactive service v3
v1: Heiko Hund
- Message-ID: <2215306.x9ci9DhAZ9@de-gn-40970>
- extend openvpn service to provide "automatic service" and "interactive
service" (which is used by GUI and OpenVPN to run openvpn non-privileged
and still be able to install routes and configure IPv6 addresses)
- add --msg-channel <n> option to openvpn to tell it which pipe to use
to talk to the interactive service (used in tun.c for ifconfig + ARP
flush, and route.c for routing)
- add openvpn-msg.h with message definitions for talking to interactive
service
- routing in openvpn uses message-pipe automatically if --msg-channel <n>
is configured, no other option needed
- today, the integration in route.c and tun.c is windows-only, but could
be adapted to other platforms
v2: Steffan Karger
- Message-ID: <548D9046.5000600@karger.me>
- include "openvpn-msg.h" not "include/openvpn-msg.h"
- add $(top_srcdir)/include to openvpnsrv build for out-of-tree builds
v3: Gert Doering, rebasing and integrating review feedback
- rebased to 417fe4a72c
- r->metric_defined is now r->flags & RT_METRIC_DEFINED (c3ef2d2333fb)
- move "openvpn-msg.h" include inside #ifdef WIN32 (windows-only right now)
- hide "msg_channel" extra option inside tt->tuntap_options, so we do not
need an extra argument to all the add/del_route...() functions
- do_route_ipv6_service(): use r->adapter index (if set) for RGI6 routes
Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Selva Nair <selva.nair@gmail.com> (Service changes) Acked-by: Arne Schwabe <arne@rfc2549.org> (OpenVPN changes)
Message-Id: <1453835508-26119-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11027 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Mon, 18 Jan 2016 20:49:40 +0000 (21:49 +0100)]
configure.ac: fix polarssl autodetection
A missing , in the previous configure.ac patch caused the autodetection to
fail. While fixing that, I noticed I can simplify the check by using the
documented ${ac_cv_search_function} cache variable instead of the nested
AC_SEARCH_LIBS.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1453150181-21453-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11010 Signed-off-by: Gert Doering <gert@greenie.muc.de>
This reworks the crypto library configuration, to make it both simpler to
understand and more usable:
* Only check for OpenSSL when building against OpenSSL (and similar for
PolarSSL/mbed TLS).
* Bail out early if a problem with the library is detected.
* Set CRYPTO_{LIBS,FLAGS} immediately after the crypto library checks,
removing the need for an extra switch-case later on.
* We no longer support building openvpn with crypto but without ssl, so
we can also simplify the logic in configure.ac accordingly.
As a 'side effect' (this actually triggered me), this fixes a bug that
would cause a user-specified OPENSSL_{CRYPTO,SSL}_LIBS to be overwritten
by AC_CHECK_LIB if there are openssl headers available in the PATH.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1452436639-16838-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10978 Signed-off-by: Gert Doering <gert@greenie.muc.de>
ValdikSS [Sat, 9 Jan 2016 15:53:45 +0000 (18:53 +0300)]
Clarify mssfix documentation
Acked-by: Jan Just Keijser <janjust@nikhef.nl>
Message-Id: <1452354825-5096-1-git-send-email-iam@valdikss.org.ru>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10969
Steffan Karger [Wed, 13 Jan 2016 16:09:08 +0000 (17:09 +0100)]
socks.c: fix check on get_user_pass() return value(s)
My compiler rightfully complains that the checks on creds.username and
creds.password always evaluate to true, so remove those checks.
Judging from the code, they were meant to check the returned values by
get_user_pass(). So instead of these non-functioning checks, just check
the return value of get_user_pass().
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1452701348-9577-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10993 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Thu, 7 Jan 2016 20:24:33 +0000 (21:24 +0100)]
polarssl: remove now redundant 128-bit blowfish key override
As of 1.3.0, polarssl/mbedtls now by default uses a 128 bit key for the
blowfish cipher (as opposed to the 32-bit (!) default they had previously).
Since we require polar 1.3+, we no longer need this fixup code.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1452198273-26493-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10956 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Thu, 7 Jan 2016 19:52:44 +0000 (20:52 +0100)]
Update manpage: OpenSSL might also need /dev/urandom inside chroot
As reported in trac ticket #646, OpenSSL might also need /dev/urandom to
be available in the chroot. This depends on OS, OS version and ssl library
configuration. Update the manpage to better explain this.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1452196364-18786-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10954 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Thu, 7 Jan 2016 09:15:16 +0000 (10:15 +0100)]
polarssl: optimize polar_ok() for non-errors
Adding polar_ok() was a good plan for improving error reporting, but also
added two function calls (one to polar_log_func_line() and one to
polar_log_err()) for each function call wrapped with polar_ok().
Especially in the critical path, this is a waste of time.
To avoid this overhead, add a simple static inline wrapper to reduce it to
a single branch.
v2 - use a static inline wrapper to prevent evaluating 'errval' twice in
the macro.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1452158116-17363-1-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10949 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Wed, 6 Jan 2016 20:59:03 +0000 (21:59 +0100)]
polarssl: actually use polarssl debug logging
We had the machinery in place, but did not actually use it because nothing
will be logged untill the debug threshold is increased.
This commit makes --verb 8 result is level 2 polar logging (which is
verbose, and --verb 9 result in level 3 polar logging (which is very
verbose). There are higher levels, but those are extremely verbose.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1452113943-30684-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10945 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sun, 3 Jan 2016 17:27:46 +0000 (18:27 +0100)]
Implement the compression V2 data format for stub and lz4.
Patch V2: Fix minor issues found by Steffan
Patch V3: split wire codes and compression flags
Patch V4: Fix further issues reported by Gert
Patch V5: really fix the issues that should be fixed in v2
Patch V6: fix more minor things
It has been tested against v3 server and again itself. From James Mail:
Compression V2
I have observed that compression in many cases, even when
enabled, often does not produce packet size reduction
because much of the packet data typically generated by web
sessions is already compressed. Further, the single byte that
precedes the packet and indicates whether or not compression
occurred has the unfortunate side effect of misaligning the IP
packet in cases where compression did not occur. To remedy this,
I propose a Compression V2 header that is optimized for the
case where compression does not occur.
a. No compression occurred and first byte of IP/Ethernet packet
is NOT 0x50 (0 bytes of overhead and maintains alignment):
[ uncompressed IP/Ethernet packet ]
b. No compression occurred and first byte of IP/Ethernet packet
is 0x50 (2 bytes of overhead but unlikely since no known
IP packet can begin with 0x50):
Steffan Karger [Sun, 3 Jan 2016 09:47:56 +0000 (10:47 +0100)]
Fix regression in setups without a client certificate
This fixes a null-pointer dereference in tls_ctx_cert_time(), which will
occur on clients that do not use a client certificate (ie that only have
auth-user-pass in the config, but no key and cert). This bug was
introduced by commit 091edd8e on the master branch, and commit dfd940bb
on the release/2.3 branch.
This bug was found by chipitsine and reported in trac ticket #644.
While touching this function, I also made this function conform to the
openvpn coding style.
v2 - fix memory leak in builds using pre-1.0.2 openssl
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1451814476-32574-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10921 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Phillip Smith [Tue, 22 Dec 2015 00:12:26 +0000 (11:12 +1100)]
Use bob.example.com and alice.example.com to improve clarity of documentation
This patch uses generic "bob.example.com" and "alice.example.com"
hostnames to replace the current "may" and "june" examples. Generic
names chosen rather than other names like "server"/"client" or
"head-office"/"remote-office" etc which may create other unintended
or implicit meanings to the reader.
The example.com domain is set aside defined by IANA for use as
documentation examples. Refer to: http://www.iana.org/domains/reserved
Using this well-known domain makes comprehension of documentation easier.
This patch incorporates feedback from Gert Doering and Selva Nair.
Signed-off-by: Phillip Smith <fukawi2@gmail.com> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1450743146-9050-1-git-send-email-fukawi2@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10875 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Sun, 20 Dec 2015 21:27:48 +0000 (22:27 +0100)]
cleanup: get rid of httpdigest.c type warnings
When I compile with --enable-strict, I only want to see warnings that are
relevant. So, change httpdigest.c to make the casts explicit.
This commit should not change behaviour.
v2: as discussed on #openvpn-devel, make colon a const uint8_t *, instead
of uint8_t.
v3: as further discussed on #openvpn-devel, don't use a 'colon' var, but
just add casts.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1450646868-15346-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10871 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Mon, 14 Dec 2015 22:14:45 +0000 (23:14 +0100)]
Disable certificate notBefore/notAfter sanity check on OpenSSL < 1.0.2
The SSL_CTX_get0_certificate() function I used in 091edd8e is available in
OpenSSL 1.0.2+ only. Older versions seem to not have a useful alternative.
The remaining option would then be to create a cache for our parsed
certificate, but that would mean adding more struct members and code for
the select group of people that do use an up-to-date openvpn, but do not
update their openssl. I don't think that's worth it. So just disable the
code for older openssl versions.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1450131285-30182-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10802 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Mon, 14 Dec 2015 20:09:18 +0000 (21:09 +0100)]
Warn user if their certificate has expired
Previously, client certificate expiry warnings would only visible in the
server log, and server certificate expiry warnings in the client log.
Both after a (failed) connection attempt. This patch adds a warning to
log when a users own certificate has expired (or is not yet valid) to ease
problem diagnosis / error reporting.
Note that this is just a warning, since on some systems (notably embedded
devices) there might be no correct time available.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1450123758-31641-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10794 Signed-off-by: Gert Doering <gert@greenie.muc.de>
ValdikSS [Thu, 10 Dec 2015 20:51:55 +0000 (23:51 +0300)]
Add Windows DNS Leak fix using WFP ('block-outside-dns')
This option blocks all out-of-tunnel communication on TCP/UDP port 53
(except for OpenVPN itself), preventing DNS Leaks on Windows 8.1 and 10.
This is the same patch as dd628d2e0d786e4 in release/2.3, except that it
is always compiled (on WIN32) here - we already require compilation for
Vista+ in master (-> 2.4).
Reviewed-by: Selva Nair <selva.nair@gmail.com> Reviewed-by: Lev Stipakov <lstipakov@gmail.com> Reviewed-by: James Yonan <james@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1449780715-4027-1-git-send-email-iam@valdikss.org.ru>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10744
Gert Doering [Wed, 9 Dec 2015 20:03:55 +0000 (21:03 +0100)]
Fix isatty() check for good.
Commit 079e5b9c13 introduced a check to see if we --daemon'ized before
trying to ask for a password (which would then fail with a non-intuitive
error), breaking querying systemd under certain conditions.
Move check from get_user_pass_cr() to get_console_input() and make it
"full featured" by not only checking isatty() for stdin/stderr but also
trying to open /dev/tty in case we still have a controlling tty - which
is what getpass() does under the hood, so if either of this works, we're
fine.
Arne Schwabe [Sun, 29 Nov 2015 14:55:59 +0000 (15:55 +0100)]
Remove --enable-password-save option
This options is enabled in virtually all distributions and gives no real
security benefit. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1448808959-10565-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10661
Selva Nair [Fri, 27 Nov 2015 02:20:53 +0000 (21:20 -0500)]
Unbreak read username password from management
Commit 6e9373c846.. introduced a bug by which auth-user-pass
or need-ok input falls back to read-from-stdin after successfully
reading from management or console. Fix by treating stdin as the last
option for input.
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1448590853-26862-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10630 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Sun, 29 Nov 2015 09:39:24 +0000 (10:39 +0100)]
Support duplicate x509 field values in environment
As reported in trac #387, an x509 DN can contain duplicate fields.
Previously, we would overwrite any previous field value with a new one if
we would process a second same-name field. Now, instead, append _$N,
starting at N=1 to the name for each consequent field to export all fields
to the enviroment.
v2 - make better use of const qualifiers in env_set_get(), and use strcpy()
instead of memcpy() in setenv_str_incr()
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <CAA1AbxLoZpanyqfpJuroMeOj_M=gU5JB+pqZqRxYqaiNP754-g@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10654 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Sat, 28 Nov 2015 22:48:01 +0000 (23:48 +0100)]
Fix openssl builds with custom-built library: specify most-dependent first
Libraries should be specified from left-to-right as most-dependent to
least-dependent. Thus, -lssl comes first, then -lcrypto.
(This does not fail when pkg-config finds your libraries for you, since
we tell it '-lssl needs -lcrypto' and we then end up with
"-lcrypto -lssl -lcrypto", which is not pretty but does work.)
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1448750881-10767-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10649 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Sat, 28 Nov 2015 19:58:37 +0000 (20:58 +0100)]
Un-break compilation on *BSD
Commit 2191c47165 introduced code to handle IP address query on
multihoming hosts for IP_PKTINFO-supporting OSes, but all the BSDs
need the "#elsif IP_RECVDSTADDR" variant... add code equivalent
to what we have in socket.c/print_link_socket_actual_ex()
Tested on FreeBSD 9.3/sparc64
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1448740717-60914-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10648
Heiko Hund [Wed, 25 Nov 2015 12:57:00 +0000 (13:57 +0100)]
extend management interface command "state"
Currently the state command shows only the tun/tap IPv4 address. The
IPv4 address of the remote peer is also displayed. In case you connect
via IPv6 it just shows the first 4 bytes of the address in IPv4 notation.
This patch extends the state command, so it handles IPv6 addresses.
In addition it also displays the local address and the both port numbers
of the connection, e.g.
Steffan Karger [Sat, 28 Nov 2015 10:38:25 +0000 (11:38 +0100)]
Fix rand_bytes return value checking
This patch is in response to an off-list report by Sebastian Krahmer of
the SuSE security team. Sebastian noticed we do not check the return
value of rand_bytes() in prng_bytes(), which we really should.
Failing to check the return value occurs if no prng is used (i.e. in
static key mode, or when explicitly disabled using --prng none).
prng_bytes() is used for generating IVs, session IDs and filenames.
The impact of failing to check the return value seems very limited:
Not generating random file names or session IDs could cause collisions in
(temporary) file names and/or session IDs. These in turn could cause
availability issues, but would not result in a breach in confidentiality
and/or integrity.
Our CBC mode protocol uses a packet id (timestamp + packet counter in
static key mode, or just the packet counter in TLS mode) at the start of
each packet (by default, but can be disabled using --no-iv and
--no-replay). Because the timestamp and packet counter are not
controllable by an attacker, it is not clear how predictable or even
repeating IVs could be used to mount an attack. (Note that the fact that
*I* can't find or come up with an attack is not a very strong argument,
this remains somewhat worrisome.)
CFB and OFB modes are not affected, because they do not rely on the prng
for IVS.
Finally, RAND_bytes() actually failing is quite unlikely, as that would
result in all sorts of other problems we should have heard about.
Of course, we still really should fix this, so this patch adds return
value checking of rand_bytes() inside prng_bytes(). The ASSERT() might be
a bit crude, so a follow-up patch that adds a return value to prng_bytes()
and proper return value checking probably makes sense. But at least this
is a quick and simple fix for the issue at hand.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1448707105-10753-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10636 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Sat, 28 Nov 2015 10:38:24 +0000 (11:38 +0100)]
openssl: properly check return value of RAND_bytes()
This patch is in response to an off-list report by Sebastian Krahmer of
the SuSE security team. Sebastian noticed we do not check the return
value of RAND_bytes() correctly.
The RAND_bytes() man page first says "RAND_bytes() returns 1 on success,
0 otherwise.", but then a bit later "Both functions return -1 if they are
not supported by the current RAND method.". This second case was not
covered by our return value checking.
Note that if RAND_bytes() would return -1, it would *always* return -1 and
fail to generate random.
Also note that if RAND_bytes() would return -1, it would do so too in the
openssl internal ssl funtions. The openssl internal function do check the
return value properly, and connection setup would fail all together. If
that would be at least somewhat common, we would have received a *lot* of
bug reports. In other words, the error affects static key setups only,
and seems highly unlikely to occur in actual setups.
Only builds using OpenSSL as the crypto backend are affected.
This patch:
1. Changes the behaviour of rand_bytes() in openssl builds to match what
the doxygen claims (and polarssl builds already do).
2. Adds error reporting for RAND_bytes() failures.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1448707105-10753-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10637 Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Wed, 11 Nov 2015 13:01:39 +0000 (14:01 +0100)]
Avoid partial authentication state when using --disabled in CCD configs
If an openvpn server is configured with --client-config-dir and a client
configuration file contains 'disabled', it is supposed to tell the client
it is not authorized to use the service.
This patch will ensure that the internal state in this scenario is a
complete CAS_FAILED state, and not CAS_PARTIAL if other authorization
steps passed.
Trac: #521 Tested-by: Eric Crist <ecrist@secure-computing.net> Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1447246899-22769-1-git-send-email-openvpn@sf.lists.topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10486 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Mon, 23 Nov 2015 20:58:55 +0000 (21:58 +0100)]
Fix memory leak in add_option() by simplifying get_ipv6_addr
If get_ipv6_addr() would fail *after* allocating memory for ipv6_local,
add_option() would fail to free that memory.
The fix here is to remove the allocation from get_ipv6_addr(), and create
a separate function for the strip-and-allocate, such that failures are
easier to handle.
v2 - remove free(options->ifconfig_ipv6_local), since that is now handled
by a garbage collector.
Memory leak found by coverity (in 2011!).
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1448312335-25908-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10573 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7e618994f3112ff4b29b9f08d087fb558636a6af)
Gert Doering [Mon, 23 Nov 2015 19:47:42 +0000 (20:47 +0100)]
Fix info.af == AF_UNSPEC case for server with --mtu-disc
Commit 2bed089d31a12c2 introduced "AF_UNSPEC" sockets when we do not know
the actual address family yet - for the "bind local" case, getaddrinfo()
will tell us what to do, but that information never made it into
sock->info.af - so, make it. Otherwise, trying to call --mtu-disc
on an OpenVPN server will cause a M_FATAL error in set_mtu_discovery())
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Christian Pellegrin <chripell@google.com>
Message-ID: <20151121200637.GD24952@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10547
Lev Stipakov [Tue, 17 Nov 2015 09:33:47 +0000 (11:33 +0200)]
Notify clients about server's exit/restart
When server exits / restarts (gets SIGUSR1, SIGTERM, SIGHUP, SIGINT) and
explicit-exit-notify is set, server sends RESTART control channel
command to all clients and reschedules received signal in 2 secs.
When client receives RESTART command, it either reconnects to the same
server or advances to the new one, depends on parameter comes with
RESTART command - behavior is controlled by explicit-exit-notify in the
server config.
v4:
- Rebase on top of master
- Remove #ifdef ENABLE_OCC around
connection_entry->explicit_exit_notification
since it is also used outside of OCC context
- Update usage message
v3:
- Use control channel "RESTART" command instead of new OCC code to
notify clients
- Configure on the server side (by value of explicit-exit-notify) if
client should reconnect to the same server or advance to the next one
- Fix compilation when OCC is disabled (--enable-small)
- Update man page
v2:
- Take into use explicit-exit-notify on the server side
- OCC_SHUTTING_DOWN renamed to OCC_SERVER_EXIT
- Code prettifying
Signed-off-by: Lev Stipakov <lstipakov@gmail.com> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1447752827-16720-1-git-send-email-lstipakov@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10515 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Tue, 17 Nov 2015 02:48:09 +0000 (21:48 -0500)]
Handle ctrl-C and ctrl-break events on Windows
v2 changes
- cleaner, hopefully easier to get a code review :)
- handles both console mode and service mode
-- >8 --
Handle ctrl-C or ctrl-Break sent to the console as a SIGTERM.
Depending on the console mode, windows delivers ctrl-C as a
keyboard input or as a signal. We handle both cases. This allows
graceful termination of openvpn from programs such as nssm.
Works in both console mode and service mode.
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1447728489-14991-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10513 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Sat, 21 Nov 2015 11:41:00 +0000 (12:41 +0100)]
polarssl: don't use deprecated functions anymore
A number of functions were deprecated in polarssl 1.3.11. Stop using
these, and use their alternatives instead.
This enables (and also almost forces) us to move the pkcs11 and external
key logic from the per-connection setup (key_state_ssl_init()) to the
per-instance setup (tls_ctx_use_{pkcs11,external_private_key}()).
Note that tls_ctx_use_external_private_key() is now placed right below
external_pkcs1_sign() and external_key_len(), instead of right above,
because it now needs to be aware of those static functions.
Steffan Karger [Sat, 21 Nov 2015 10:22:04 +0000 (11:22 +0100)]
polarssl: also allocate PKCS#11 certificate object on demand
Commit 444a93ea changed certificate allocation to be postponed until
actual usage to fix --client-cert-not-required / --verify-client-cert
for PolarSSL builds. However, I forgot to allocate when using pkcs11
(because that code does not use the tls_ctx_load_cert_file() function).
And while we're at it, use ALLOC_OBJ_CLEAR() instead of malloc + manual
check.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1448101324-20310-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10543 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Michal Ludvig [Sun, 11 Oct 2015 08:44:20 +0000 (10:44 +0200)]
Support for username-only auth file.
Make OpenVPN read the username from the auth file
parameter of --auth-user-pass and prompt for a
password if it's not in the file.
Rationale: Prior to this change OpenVPN either
required both username and password present in the
auth file or prompted for both on the console.
Unlike passwords usernames usually don't change and
can therefore be "hardcoded" in the config.
Signed-off-by: Michal Ludvig <mludvig@logix.net.nz>
Reviewed and updated to current master.
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1444553060-15946-1-git-send-email-dejong@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10255
Lev Stipakov [Wed, 11 Nov 2015 11:48:07 +0000 (13:48 +0200)]
Use adapter index instead of name for windows IPv6 interface config
Some windows machines get weird issues with netsh when using
adapter name on "netsh.exe interface ipv6 set address" command.
Changed logic to get adapter index and use it instead of adapter
name for netsh set address command.
v2:
* Remove netsh call which uses adapter name. After thoughtful testing
turns out that "adapter name" code branch is never used.
v3:
* Use interface=<idx> syntax.
* Add forward declaration of get_adapter_index_flexible to get
rid of warning.
* NOTE: temp variable is needed because argv_printf() does not
handle combined strings like "interface=%lu" today
Signed-off-by: Olli Mannisto <olmannisto@gmail.com> Signed-off-by: Lev Stipakov <lstipakov@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1447242487-30243-1-git-send-email-lstipakov@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10484 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Thu, 5 Nov 2015 21:03:01 +0000 (22:03 +0100)]
Add macro to ensure we exit on fatal errors
Also prevents false positives in static analysis tools.
(Note that the current x_msg() code does properly exit, this is just a way
to make it trivial to see we will not return from msg() on fatal errors,
even for static analysis tools.)
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1446757381-27863-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10440 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Fri, 6 Nov 2015 07:42:39 +0000 (08:42 +0100)]
Fix (potential) memory leak in init_route_list()
init_route() can allocate memory in netlist, but fail in many more ways
than just fail to allocate. Thus, always check and clean up netlist if
needed, instead of just when init_route() succeeds.
This fix is for master only. The release/2.3 branch cleans up netlist
immediately, and needs a different patch for a similar problem.
Found using coverity.
v2: initialize netlist to NULL
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1446795759-3288-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10443 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Thu, 15 Oct 2015 22:43:15 +0000 (00:43 +0200)]
polarssl: add --verify-client-cert optional support
This adds support for the --verify-client-cert optional option in PolarSSL
builds, as was earlier added for OpenSSL builds by Jan-Just Keijser.
This patch also adds an additional sanity check that this option may only
be used in combination with some other authentication method, and changes
the warning message about this option to be displayed only once on startup,
instead of for each connecting client.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Jan Just Keijser <janjust@nikhef.nl>
Message-Id: <1444948995-18720-3-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10288 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Wed, 4 Nov 2015 18:59:38 +0000 (13:59 -0500)]
Fix termination when windows suspends/sleeps
When TUN/TAP I/O operation is aborted, restart with a SIGHUP instead of
terminate. The abort error from TAP is often triggered by system suspend
which is fully recoverable on resume. Catastrophic events will get caught
later during the restart. This solves the abnormal termination during
suspend/resume.
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1446663578-14471-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10438 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Thu, 15 Oct 2015 22:43:14 +0000 (00:43 +0200)]
polarssl: fix --client-cert-not-required
PolarSSL 1.3 determines whether to use a client key/cert based on the
private key and/or certificate structs being allocated or not. We
previously would always allocate the structs in
tls_ctx_{client,server}_new(), which made polarssl clients without a
client key/cert (can also be mgmt-external-key or pkcs11) fail to connect.
Note that this bug is not present in OpenVPN 2.3, because PolarSSL 1.2
does not contain the 'pk' abtraction layer and therefore behaves slightly
different.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1444948995-18720-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10287 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Wed, 21 Oct 2015 07:13:26 +0000 (10:13 +0300)]
Replace variable length array with malloc
Commit
https://github.com/OpenVPN/openvpn/commit/685e486e8b8f70c25f09590c24762ff73 4f94a51
introduced a variable length array. Although C99 supports that, MSVS 2013
still requires
size of array to be compiler time constant. As a fix, use malloc/free.
v2:
Replace OPENSSL_malloc with gc_malloc
Signed-off-by: Lev Stipakov <lstipakov@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1445411606-13369-1-git-send-email-lstipakov@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10344 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Tue, 20 Oct 2015 22:38:26 +0000 (00:38 +0200)]
Fix memory leak in auth-pam plugin
As it says on the tin. aresp would not be free'd nor returned by
my_conv() on errors. Note that we never reach this code if allocation
of aresp failed.
Found with the Clang static analyzer.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <1445380706-20864-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10338 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Wed, 21 Oct 2015 08:08:06 +0000 (10:08 +0200)]
hardening: add insurance to exit on a failed ASSERT()
The code behind our ASSERT() macro is pretty complex. Although it seems
to be correct, make it trivially clear we will never return from a failed
assert by adding an _exit(1) call. As was suggested by Sebastian Krahmer
of the SuSE security team.
To make sure they that tools like clang static analyzer and coverity
understand that assert_failed() will not return, add an
__attribute__((__noreturn__)) annotation.
v2: use __attribute__ instead of inline to convince static analysers.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1445414886-11052-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10349 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lukasz Kutyla [Sat, 17 Oct 2015 19:15:15 +0000 (21:15 +0200)]
Fix privilege drop if first connection attempt fails
OpenVPN does not drop privileges (UID/GID/chroot) as requested according
to the configuration file and/or passed arguments if the first connection
attempt is not established successfully, this also includes applying
SELinux context.
Signals and restarts are processed after "context.first_time" is set to
"false", which results in omitting entire privilege dropping block in
"do_uid_gid_chroot()" when successful connection is finally made
(everything is initialized correctly and said function is called), since
"context.first_time" is used as block entry condition.
We modify "do_uid_gid_chroot()" in such a way that allows us to drop
privileges even when first connection attempt was unsuccessful.
Lev Stipakov [Sat, 10 Oct 2015 16:04:25 +0000 (19:04 +0300)]
Send push reply right after async auth complete
v3:
* better comments
* better variable naming
* include sys/inotify.h if HAVE_SYS_INOTIFY_H is defined
v2:
More careful inotify_watchers handling
* Ensure that same multi_instance is added only once
* Ensure that multi_instance is always removed
v1:
This feature speeds up connection establishment in cases when async
authentication result is not ready when first push request arrives. At
the moment server sends push reply only when it receives next push
request, which comes 5 seconds later.
Implementation overview.
Add new configure option ENABLE_ASYNC_PUSH, which can be enabled if
system supports inotify.
Add inotify descriptor to an event loop. Add inotify watch for a
authentication control file. Store mapping between watch descriptor and
multi_instance in a dictionary. When file is closed, inotify fires an
event and we continue with connection establishment - call client-
connect etc and send push reply.
Inotify watch descriptor got automatically deleted after file is closed
or when file is removed. We catch that event and remove it from the
dictionary.
Feature is easily tested with sample "defer" plugin and following settings:
Gert Doering [Sat, 10 Oct 2015 16:34:49 +0000 (18:34 +0200)]
Remove support for snappy compression.
LZ4 is using less CPU at similar performance, and it is easier to
build and support for binary installs (as it does not require C++
and a C++ runtime). Since it was never supported in any formally
released OpenVPN version, just drop it again.
This leaves in the compression opcode for Snappy for documentation
purposes.
trac #617
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1444494889-28925-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10251
Socket configuration of MTU discovery was done unconditionally at IP level,
which has no effect for other protocols. This fixes the issue of OpenVPN
sending fragmented tcp6/udp6 packets even when 'mtu-disc yes' option is
passed.
Patch V2 (by Arne Schwabe): Rebase to current master and have
separate #ifdefs for IPv4 an IPv6
Signed-off-by: Julien Muchembled <jm@nexedi.com> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1444470291-2980-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10229 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Mon, 2 Mar 2015 17:58:31 +0000 (19:58 +0200)]
Fast recovery when host is in unreachable network
When client connects to the server which is in unreachable network (for
example hostname got resolved into ipv6 address and client has no ipv6),
throw SIGUSR1 and connect to the next server without waiting 60 seconds
for "TLS key negotiation failed". Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1425319111-21291-1-git-send-email-lstipakov@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9498
Daniel Kubec [Sat, 4 Apr 2015 22:10:37 +0000 (00:10 +0200)]
sample-plugin: TLS Keying Material Exporter [RFC-5705] demonstration plug-in
A simple plug-in with a corresponding HTTP server and client which can authenticate
an HTTP user based on the authentication already done via an established OpenVPN
connection
[DS: Renamed the module at commit time from sso to keyingmaterialexporter to
avoid confusion with other Single-Sign-On solutions. Updated documentation
and commits accordingly. Added --pull to the client config]
Signed-off-by: Daniel Kubec <niel@rtfm.cz> Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: David Sommerseth <davids@redhat.com>
Daniel Kubec [Thu, 12 Mar 2015 14:14:20 +0000 (15:14 +0100)]
Added support for TLS Keying Material Exporters [RFC-5705]
Keying Material Exporter [RFC-5705] allow additional keying material to be
derived from existing TLS channel. This exported keying material can then be
used for a variety of purposes.
[DS: Updated man page to document both upper and lower length boundaries]
Signed-off-by: Daniel Kubec <niel@rtfm.cz> Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Steffan Karger <steffan.karger@fox-it.com Acked-by: David Sommerseth <davids@redhat.com>
projects / thirdparty / openvpn.git / log
