]> git.ipfire.org Git - thirdparty/openvpn.git/log
thirdparty/openvpn.git
8 years agoLimit --reneg-bytes to 64MB when using small block ciphers contains
Steffan Karger [Fri, 28 Oct 2016 12:10:07 +0000 (14:10 +0200)] 
Limit --reneg-bytes to 64MB when using small block ciphers

Following the earlier warning about small block ciphers, now limit the
--reneg-bytes value when using a cipher that susceptible to SWEET32-like
attacks.  The 64 MB value has been selected with the researchers who
published the SWEET32 paper.

Note that this will not change a user-set --reneg-bytes value, to allow a
user to align a gun with his feet^w^w^w^w^w^w override this behaviour if
really needed.

Furthermore, in contrast with the patch for master, this will not limit
--reneg-bytes on the client side.  This allows server administrators to
revert to the old behaviour, or increase --reneg-bytes to something they
believe is workable, without having to change client configs.  (The master
branch provides cipher negotiation as a real solution, so we can be
stricter there.)

v2: obey user-set --reneg-bytes 0 to revert to old behaviour, use more firm
    language in warning message, add URL to man page, and only limit at the
    server side.

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1477656607-7440-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12799.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
9 years agoFix compilation in pedantic mode
Lev Stipakov [Tue, 4 Oct 2016 20:42:16 +0000 (23:42 +0300)] 
Fix compilation in pedantic mode

Replace C++ style comments, which are not allowed in ISO C90 standard,
with C style comments

Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1475613736-1529-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12600.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
9 years agoExclude peer-id from pulled options digest
Lev Stipakov [Tue, 4 Oct 2016 19:53:06 +0000 (22:53 +0300)] 
Exclude peer-id from pulled options digest

v2:
 - Use md5_* methods
 - Move digest update to separate method

Peer-id might change on restart and this should not trigger reopening
tun.

Trac #649
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1475610786-25781-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12598.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
9 years agoFix --multihome for IPv6 on 64bit BSD systems.
Gert Doering [Sun, 9 Oct 2016 10:09:29 +0000 (12:09 +0200)] 
Fix --multihome for IPv6 on 64bit BSD systems.

The old code only worked if "struct openvpn*pktinfo" happened to use
the same structure packing as the CMSG_SPACE() / CMSG_LEN() macros
(which are part of the official API, see RFC 2292).

Get rid of "struct openvpn_*_pktinfo" definitions, replace them by
an opaque buffer sized large enough to fit IPv4 and IPv6 packet info
messages, as defined by CMSG_SPACE(sizeof(struct ...)).

On 32 bit platforms, the net result is the same.  On 64 bit platforms,
the new buffer is bigger than openvpn_pktinfo was, fixing an overflow
with ipi6_ifindex corruption on reception, and EINVAL on sendmsg().

The IPv4 related changes are only side effects of using the new buffer.

Fixes: FreeBSD 10.3/amd64, FreeBSD 9.3/sparc64, OpenBSD 6.0/amd64,
       NetBSD 7.0.1/i386.

Note: --multihome for IPv4 on NetBSD is still broken and non-fixable(!)
       as NetBSD lacks the necessary kernel code for the sendmsg() side.

Verified that "--multihome works as well as before" on FreeBSD 7.4/amd64,
       NetBSD 5.1/amd64, OpenBSD 4.9/i386, Linux/x86_64, Linux/i386,
       OpenSolaris 10 (--multihome needs -D_XPG4_2, see trac #750)

See also: ip(4), ip6(4), recv(2)

Trac #634, #327, #28

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20161009100929.46472-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12626.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3fb246e38fc670c7dfff8ce4521c75c95c766c9e)

9 years agoadd POSTINIT_CMD_suf to t_client.sh and sample config
Gert Doering [Tue, 4 Oct 2016 11:38:54 +0000 (13:38 +0200)] 
add POSTINIT_CMD_suf to t_client.sh and sample config

We have pre-init and cleanup commands, but some test cases might need
or want to run a shell script after openvpn has initialized, but before
executing any tests (ifconfig comparison and ping).

Example: POSTINIT_CMD_4="sleep 5" on MacOS X for tap tests (IPv6 DAD)

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20161004113854.42470-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12594.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit bae1ad7005fd9a1fadeed56370a9ac5422a33fee)

9 years agot_client.sh: Add prepare/cleanup possibilties for each test case
David Sommerseth [Sat, 16 Nov 2013 15:17:54 +0000 (16:17 +0100)] 
t_client.sh: Add prepare/cleanup possibilties for each test case

By adding PREPARE_$NUM and CLEANUP_$NUM variables containing command lines
to execute before and after the test case is run.

Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1384615074-22345-1-git-send-email-dazo@users.sourceforge.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7990
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 8fedf86abaf8fca8d0e9e81f70d7a5888a98b9ee)

9 years agoUpdate cipher-related man page text
Steffan Karger [Sun, 11 Sep 2016 14:51:17 +0000 (16:51 +0200)] 
Update cipher-related man page text

As reported in trac #732, the man page text for --cipher is no longer
accurate.  Update the text to represent current knowledge, about NCP and
SWEET32.

This does not hint at changing the default cipher, because we did not make
a decision on that yet.  If we do change the default cipher, we'll have to
update the text to reflect that.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1473605477-20908-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12440.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
9 years agomake t_client robust against sudoers misconfiguration
Gert Doering [Sun, 2 Oct 2016 13:19:23 +0000 (15:19 +0200)] 
make t_client robust against sudoers misconfiguration

Instead of testing (and priming) sudo with "true", prime with
"kill -0 $$" (just test signalling ourselves).  If this fails,
we won't be able to kill the openvpn process we're going to
start later on -> thus, SKIP on failure.

This helps with misconfigured setups (especially on the buildbots)
that can correctly start openvpn but then not stop it later on -
leaving openvpn processes dangling around, requiring manual
intervention.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20161002131923.36681-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12585.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 8ca29af7c6d4759ce019ec9d0cd3eae4511a6804)

9 years agoAutomatically cache expected IPs for t_client.sh on the first run
Samuli Seppänen [Mon, 3 Oct 2016 10:51:27 +0000 (13:51 +0300)] 
Automatically cache expected IPs for t_client.sh on the first run

Previously one had to manually define correct values for the
EXPECT_IFCONFIG* variables based on what IPv4 and IPv6 addresses
the test VPN server handed out.

This was a tedious process especially with large number of tests,
as the IPs changed for every test client and for every test. With this
patch t_client.sh figures out the correct IP addresses using an
--up script and caches them to a separate file for later use.

Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1475491887-740-1-git-send-email-samuli@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12587.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit df0b00c253e41cce9567be79dbd3faa14c60473b)

9 years agoFix t_client runs on OpenSolaris
Gert Doering [Tue, 20 Sep 2016 09:19:14 +0000 (11:19 +0200)] 
Fix t_client runs on OpenSolaris

"grep -q" is not portable to non-GNU grep.  Replace with ">/dev/null".

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: 20160920091914.37585-1-gert@greenie.muc.de
URL: http://www.mail-archive.com/search?l=mid&q=20160920091914.37585-1-gert@greenie.muc.de
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 38f98fdccd3eb6995b972fabb0ce4e00d3e3cb76)

9 years agoIncorporate the Debian typo fixes where appropriate and make show_opt default message...
Arne Schwabe [Thu, 14 Jul 2016 11:25:19 +0000 (13:25 +0200)] 
Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer

Debian also incorrectly changes that the default for route parameters can
be specified by using "nil" instead of "default. The confusion is probably
coming from show_opt printing "nil" instead of "default". Change show_opt
to show "default (not set)" instead of "nil"

Original author: Alberto Gonzalez Iniesta <agi@inittab.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1468495519-25102-1-git-send-email-arne@rfc2549.org>
URL: http://www.mail-archive.com/search?l=mid&q=1468495519-25102-1-git-send-email-arne@rfc2549.org

Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c42fcbfe708f4c97da063642cf8874f0d4d1a645)

9 years agot_client.sh: Improve detection if the OpenVPN process did start during tests
David Sommerseth [Sat, 17 Sep 2016 11:18:05 +0000 (14:18 +0300)] 
t_client.sh: Improve detection if the OpenVPN process did start during tests

This will check the OpenVPN log file if the process initialized
successfully.

It will check the log file for 30 seconds before aborting the test run.
This also has the advantage of starting the testing quicker if the
initialization goes faster than 10 seconds (which was the old sleep time).

The umask is also set to a more permissive mode to ensure the test
script is capable of reading the OpenVPN PID file, as that will be
created by root.

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1474111085-10678-1-git-send-email-davids@openvpn.net>
URL: http://www.mail-archive.com/search?l=mid&q=1474111085-10678-1-git-send-email-davids@openvpn.net
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3712322ee1219e55640f2f4e5f822799edacd7cc)

9 years agot_client.sh: Add support for Kerberos/ksu
David Sommerseth [Sat, 17 Sep 2016 10:50:33 +0000 (13:50 +0300)] 
t_client.sh: Add support for Kerberos/ksu

If the t_client.rc have PREFER_KSU=1 configured, t_client.sh
will check if you have a valid Kerberos ticket and if so it will
do all execution via ksu instead of sudo.

If PREFER_KSU is not set or a Kerberos ticket is not found, it
will fallback to the configured RUN_SUDO approach.

When using ksu it needs the full path to the program being executed,
so there is also additional code to find the full path of true and kill.

[ v2 - Remove $* from RUN_SUDO for ksu config.  Old cruft which survived
       last review before patch submission.
     - Improve known state declaration of PREFER_KSU ]

[ v3 - Kick out bashism - '&>' redirect ]

This commit also includes commits f0892e6590cb247ef1012b0fe89f80eee2d56cc4
and f40f10ea9607934faeb2b8cd84aefff0e0790189 (via merge conflicts)

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1474109433-4710-1-git-send-email-davids@openvpn.net>
URL: http://www.mail-archive.com/search?l=mid&q=1474109433-4710-1-git-send-email-davids@openvpn.net
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6b25b99fe4b8bdf5cdba4a0fb247df40277d0525)

9 years agoskip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto
Ilya Shipitsin [Sat, 17 Sep 2016 09:33:09 +0000 (14:33 +0500)] 
skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto

Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1474104789-31735-1-git-send-email-chipitsine@gmail.com>
URL: http://www.mail-archive.com/search?l=mid&q=1474104789-31735-1-git-send-email-chipitsine@gmail.com

Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a85ba0e06badf9932e80deb53b68f50611943c6e)

9 years agot_client.sh: Make OpenVPN write PID file to avoid various sudo issues
David Sommerseth [Sat, 17 Sep 2016 09:20:26 +0000 (12:20 +0300)] 
t_client.sh: Make OpenVPN write PID file to avoid various sudo issues

This resolves an issue where $! returns the PID of the sudo process instead
of the PID of OpenVPN and when sudo does not properly propagate signales
down to OpenVPN.

Trac: #738
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1474104026-20615-1-git-send-email-davids@openvpn.net>
URL: http://www.mail-archive.com/search?l=mid&q=1474104026-20615-1-git-send-email-davids@openvpn.net
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e0926ebfe55347843af701216be9598827a1367a)

9 years agocleanup: remove code duplication in msg_test()
Steffan Karger [Thu, 1 Sep 2016 19:13:27 +0000 (21:13 +0200)] 
cleanup: remove code duplication in msg_test()

Use check_debug_level() instead of writing out the exact same check in
msg_test().

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: 1472757207-17900-1-git-send-email-steffan@karger.me
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg00192.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit d7ce876841d1d5b01940251f92780fdbb05b4df0)

9 years agoMake gnu89 support explicit
Steffan Karger [Fri, 16 Sep 2016 15:40:36 +0000 (17:40 +0200)] 
Make gnu89 support explicit

In the release/2.3 branch we support gnu89, basically to keep
pre-2015 MSVC happy.  Old gcc (<5) defaulted to gnu89.  But
gcc 5+ and clang default to gnu11/c11.  This patch makes our
gnu89 support explicit, such these newer compilers will also
point out gnu89 violations to developers.

v2: only set -std=gnu89 if no -std flag is present in $CFLAGS

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: 1474040436-9855-1-git-send-email-steffan@karger.me
URL: http://www.mail-archive.com/search?l=mid&q=1474040436-9855-1-git-send-email-steffan@karger.me
Signed-off-by: David Sommerseth <davids@openvpn.net>
9 years agoDo not abort t_client run if OpenVPN instance does not start.
Gert Doering [Tue, 13 Sep 2016 20:04:58 +0000 (22:04 +0200)] 
Do not abort t_client run if OpenVPN instance does not start.

Basically, an oversight - if one test instance does not start at all
(due to "tap driver not loaded") the whole script would exit, instead
of logging the failing instance and proceeding to the next test run.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: 20160913200458.9906-1-gert@greenie.muc.de
URL: http://www.mail-archive.com/search?l=mid&q=20160913200458.9906-1-gert@greenie.muc.de
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit a7b02f7f660707f765881f35867b4d23d89b390f)

9 years agoUse AES ciphers in our sample configuration files and add a few modern 2.4 examples
Arne Schwabe [Tue, 12 Jul 2016 09:14:08 +0000 (11:14 +0200)] 
Use AES ciphers in our sample configuration files and add a few modern 2.4 examples

Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: 1468314848-11820-1-git-send-email-arne@rfc2549.org
URL: http://www.mail-archive.com/search?l=mid&q=1468314848-11820-1-git-send-email-arne@rfc2549.org
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 6d036ebc221d933c0751107cea9efe4692c9d559)

9 years agoFix unittests for out-of-source builds
Steffan Karger [Mon, 15 Aug 2016 18:02:36 +0000 (20:02 +0200)] 
Fix unittests for out-of-source builds

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Matthias Andree <matthias.andree@gmx.de>
Message-Id: 1471284156-2324-1-git-send-email-steffan@karger.me
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg00027.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit ee4f37c3533667aee87fd39ba131e80f3c1cfde7)

9 years agoPreparing release of v2.3.12 v2.3.12
David Sommerseth [Tue, 23 Aug 2016 13:08:23 +0000 (15:08 +0200)] 
Preparing release of v2.3.12

Signed-off-by: David Sommerseth <davids@openvpn.net>
9 years agoRevert "Drop recursively routed packets"
David Sommerseth [Tue, 23 Aug 2016 14:01:40 +0000 (16:01 +0200)] 
Revert "Drop recursively routed packets"

Need to revert this patch as it breaks TAP interfaces.

This reverts commit 122469f5ad30b563cbefbc753d2a55af4227bb74.

Signed-off-by: David Sommerseth <davids@openvpn.net>
9 years agoDrop recursively routed packets
Lev Stipakov [Mon, 4 Jan 2016 12:43:44 +0000 (14:43 +0200)] 
Drop recursively routed packets

v2: better method naming

On certain OSes (Windows, OS X) when network adapter is
disabled (ethernet cable pulled off, Wi-Fi hardware switch disabled),
operating system starts to use tun as an external interface.
Outgoing packets are routed to tun, UDP encapsulated, given to
routing table and sent to.. tun.

As a consequence, system starts talking to itself on full power,
traffic counters skyrocket and user is not happy.

To prevent that, drop packets which have gateway IP as
destination address.

Tested on Win7/10, OS X.

Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
Trac: 642
Tested-by: ValdikSS <iam@valdikss.org.ru>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1451911424-12970-1-git-send-email-lstipakov@gmail.com>
URL: https://sourceforge.net/p/openvpn/mailman/message/34737757/
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit e9d64bc03742c96a3d7fe2a473c43d40e5ba2001)

9 years agoDiscourage using 64-bit block ciphers
Steffan Karger [Tue, 16 Aug 2016 14:46:01 +0000 (16:46 +0200)] 
Discourage using 64-bit block ciphers

As discussed with the development team, we should start moving away from
ciphers with a small block size.  For OpenVPN in particular this means
moving away from 64-bit block ciphers, towards 128-bit block ciphers.
This patch makes a start with that by moving ciphers with a block
size < 128 bits to the bottom of the --show-ciphers output, and printing
a warning in the connection phase if such a cipher is used.

While touching this function, improve the output of --show-ciphers by
ordering the output alphabetically, and changing the output format
slightly.

[DS: Fixed C89 issues in patch, moving 'int nid' and 'size_t i' declaration
     to begining of function instead of in the for-loops.  This is also
     required to not break building on stricter compiler setups where C99
     must be enabled explicitly ]

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1471358761-8828-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg00030.html
CVE: 2016-6329
Signed-off-by: David Sommerseth <davids@openvpn.net>
9 years agoFix '--cipher none --cipher' crash
Steffan Karger [Tue, 26 Jul 2016 13:57:13 +0000 (15:57 +0200)] 
Fix '--cipher none --cipher' crash

As reported in trac #699, OpenVPN crashes when an "--cipher none" option
is followed by "--cipher" (without arguments).  Fix the crash, and print a
warning to indicate that using --cipher of --auth without an argument is
deprecated.

This is a (partly) backport of the patch I sent for the master branch
yesterday.

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1469541433-1671-1-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/12107
Signed-off-by: Gert Doering <gert@greenie.muc.de>
9 years agoPromptly close the netcmd_semaphore handle after use
Selva Nair [Tue, 14 Jun 2016 02:34:49 +0000 (22:34 -0400)] 
Promptly close the netcmd_semaphore handle after use

If more than one openvpn processes are running and one aborts
without releasing the semaphore, subsequent processes fail to get
a lock for the semaphore. This may be avoided by not keeping open
handles to the semaphore so that Windows can destroy it when no
open handles remain.

See also: http://article.gmane.org/gmane.network.openvpn.devel/11913

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1465871689-13533-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11919
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6aa4c9091300f62fae0bf7a9198de0edd2d8b7c7)

9 years agoRemove NOP function and callers
David Sommerseth [Thu, 7 Jul 2016 11:03:16 +0000 (13:03 +0200)] 
Remove NOP function and callers

multi_release_io_lock() and the calls to this function are not providing
anything at all.  Lets remove it and make the overall code less suprising.

Signed-off-by: David Sommerseth <dazo@privateinternetaccess.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1467889519-8193-1-git-send-email-openvpn@sf.lists.topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/12058
(cherry picked from commit 365506d1704f91f827f6e063dc87b325c40e9f29)

9 years agoMove ASSERT so external-key with OpenSSL works again
Arne Schwabe [Fri, 29 Nov 2013 12:32:40 +0000 (13:32 +0100)] 
Move ASSERT so external-key with OpenSSL works again

Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1385728360-32127-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8069

trac #693

Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 68793f40e1d04409264d21dd24453d959828a306)

9 years agoComplete push-peer-info documentation and allow IV_PLAT_VER for other platforms than...
Arne Schwabe [Tue, 16 Feb 2016 12:04:40 +0000 (13:04 +0100)] 
Complete push-peer-info documentation and allow IV_PLAT_VER for other platforms than Windows if the client UI supplies it.

Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1455624280-3165-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11175

Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 960524a9af899c83dbf2de255e063b7c66536d3e)

9 years agoDon't limit max incoming message size based on c2->frame
Steffan Karger [Wed, 8 Jun 2016 12:20:39 +0000 (14:20 +0200)] 
Don't limit max incoming message size based on c2->frame

"Be conservative in what you send, be liberal in what you accept"

When receiving packets, the real limitation of how much data we can accept
is the size of our internal buffers, not the maximum size we expect
incoming packets to have.

I ran into this while working on cipher negotiation, which will need
separate bookkeeping for the required internal buffer size, and the
link/tun MTU.  Basing this code on the buffer size instead of c2->frame
makes that easier.  A nice side-effect of this change is that it
simplifies the code.

This should also reduce the impact of using asymmetric tun/link MTU's,
such as in trac ticket #647.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1465388443-15484-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11850
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3c1b19e04745177185decd14da82c71458442b82)
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Conflicts:
src/openvpn/socket.c

9 years agoIgnore SIGUSR1/SIGHUP during exit notification
Selva Nair [Tue, 7 Jun 2016 04:44:20 +0000 (00:44 -0400)] 
Ignore SIGUSR1/SIGHUP during exit notification

This allows exit notification to complete and finally trigger SIGTERM.
The current practice of allowing a restart in this state clears
the exit notification timer data and thus loses the SIGTERM.

Trac #687

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1465274660-11009-2-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11814
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 63b3e000c9141f4ca03a374354da26334257bc18)

9 years agoAnother fix related to unit test framework
David Sommerseth [Fri, 3 Jun 2016 16:56:20 +0000 (18:56 +0200)] 
Another fix related to unit test framework

Continuing to fix breakage caused by commit 40cb4cfc5d011102.

It seems it was a conflict in vendor/Makefile.am's distdir target,
confusing autotools so it wouldn't actually parse that directory
properly.  The result was that 'make distcheck' would fail and
tarballs created would just ship with an empty vendor/ directory.

Also remove the 'foreign' AUTOMAKE_OPTIONS flag, as we don't use
that many places at all.  Things work well without this flag.

The comment had to be moved to a single line, otherwise the
white spaces between the end of the variable assignment and the
hash character got added to the variable.

 [v3 - Further improve white space issues, now 'make clean'
       should work too]
 [v2 - Fix white space issues in path variables]

Signed-off-by: David Sommerseth <dazo@privateinternetaccess.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1464976163-6162-1-git-send-email-openvpn@sf.lists.topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11778
(cherry picked from commit 41ab12f06253cadc34fc47da865178de3db0bbdc)

9 years agoMake block-outside-dns work with persist-tun
Selva Nair [Sat, 4 Jun 2016 15:54:08 +0000 (11:54 -0400)] 
Make block-outside-dns work with persist-tun

- Remove and recreate WFP filters during restart even when
  tun/tap is not re-opened. This is needed for resolving the remote.

See also: http://article.gmane.org/gmane.network.openvpn.user/36990

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1465055649-13628-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11787
Signed-off-by: Gert Doering <gert@greenie.muc.de>
9 years agoClarify the fact that build instructions in README are for release tarballs
Samuli Seppänen [Tue, 31 May 2016 06:53:55 +0000 (09:53 +0300)] 
Clarify the fact that build instructions in README are for release tarballs

URL: https://github.com/OpenVPN/openvpn/pull/51
Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: David Sommerseth <dazo@privateinternetaccess.com>
Message-Id: <1464677635-24251-1-git-send-email-samuli@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11746
Signed-off-by: David Sommerseth <dazo@privateinternetaccess.com>
(cherry picked from commit fdc24f1e986c5d8ecdf37c3d0f913f3549087852)

9 years agoPlug memory leak in mbedTLS backend
Ivo Manca [Tue, 31 May 2016 11:42:33 +0000 (13:42 +0200)] 
Plug memory leak in mbedTLS backend

Signed-off-by: Ivo Manca <pinkel@gmail.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1464694953-3681-1-git-send-email-pinkel@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11752
Signed-off-by: David Sommerseth <dazo@privateinternetaccess.com>
9 years agoOnly build and run cmocka unit tests if its submodule is initialized
David Sommerseth [Tue, 31 May 2016 10:28:46 +0000 (12:28 +0200)] 
Only build and run cmocka unit tests if its submodule is initialized

Commit 40cb4cfc5d01110 added infrastructure to write unit tests using
cmocka.  This was implemented using a git submodule to fetch an
up-to-date cmocka test framework.

The issue which appeared was that 'make check' stopped working if
the cmocka submodule was not initialized and updated.  As we do not
want this to be a hard depenency, this patch makes running these
unit tests conditional.  If cmocka has not been initialized, skip
them or if it has been initialized all unit tests will be run.

 [v2 - Also check if cmake is available, as cmocka depends on that
       to be built ]

Signed-off-by: David Sommerseth <dazo@privateinternetaccess.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1464703645-26640-1-git-send-email-openvpn@sf.lists.topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11758
(cherry picked from commit 45f6e7991cfa3bb8a44f981b6cf1e794d617d51e)

9 years agoUpdate contrib/pull-resolv-conf/client.up for no DOMAIN
Jeffrey Cutter [Fri, 20 May 2016 09:25:10 +0000 (12:25 +0300)] 
Update contrib/pull-resolv-conf/client.up for no DOMAIN

When no DOMAIN is received from push/pull, do not add either domain or
search to the resolv.conf. Fix typo in comment resolv.con[f]. Only add
new line when using domain or search.

URL: https://github.com/OpenVPN/openvpn/pull/34
Acked-by: Steffan Karger <steffan@karger.me>
Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <1463736310-17846-1-git-send-email-samuli@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11682
Signed-off-by: David Sommerseth <dazo@privateinternetaccess.com>
(cherry picked from commit 4a506b9ca2d8bbfaa5d49c6fe9a073d8ff3e59d1)

9 years agoAdd link to bug tracker
Leon Klingele [Mon, 30 May 2016 19:54:58 +0000 (22:54 +0300)] 
Add link to bug tracker

URL: https://github.com/OpenVPN/openvpn/pull/25
Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: David Sommerseth <dazo@privateinternetaccess.com>
Message-Id: <1464638098-19187-1-git-send-email-samuli@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11735
Signed-off-by: David Sommerseth <dazo@privateinternetaccess.com>
(cherry picked from commit ac2309b889552f2a0382414ff46b2682c2101674)

9 years agoAdd a test for auth-pam searchandreplace
Jens Neuhalfen [Wed, 25 May 2016 17:57:56 +0000 (19:57 +0200)] 
Add a test for auth-pam searchandreplace

No functional changes.

Utility functions of auth-pam are split into a dedicated file. This allows
the test programs to easily test these functions without adding
dependencies.

Add a minimal test for searchandreplace as a proof of concept.

[ Modified during commit: Enhanced documentation of functions in utils.h
  to comply with doxygen standards ]

Signed-off-by: Jens Neuhalfen <jens@neuhalfen.name>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20160525175756.56186-3-openvpn-devel@neuhalfen.name>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11724
Signed-off-by: David Sommerseth <dazo@privateinternetaccess.com>
(cherry picked from commit 4507bb6cd11799f72f1ede602315a60e03bb449c)

9 years agoAdd unit testing support via cmocka
Jens Neuhalfen [Wed, 25 May 2016 17:57:55 +0000 (19:57 +0200)] 
Add unit testing support via cmocka

cmocka [1,2] is a testing framework for C. Adding unit test
capabilities to the openvpn repository will greatly ease the
task of writing correct code.

cmocka source code is added as git submodule in ./vendor. A
submodule approach has been chosen over a classical library
dependency because libcmocka is not available, or only
available in very old versions (e.g. on Ubuntu).

cmocka is build during 'make check' and installed in vendor/dist/.

[1] https://cmocka.org/
[2] https://lwn.net/Articles/558106/

Signed-off-by: Jens Neuhalfen <jens@neuhalfen.name>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20160525175756.56186-2-openvpn-devel@neuhalfen.name>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11725
Signed-off-by: David Sommerseth <dazo@privateinternetaccess.com>
(cherry picked from commit 40cb4cfc5d011102daec61ab39583cba0eeb3077)

9 years agoUpdate CONTRIBUTING.rst to allow GitHub PRs for code review purposes
Samuli Seppänen [Thu, 19 May 2016 08:51:49 +0000 (11:51 +0300)] 
Update CONTRIBUTING.rst to allow GitHub PRs for code review purposes

Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1463647909-18383-1-git-send-email-samuli@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11679
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 698f0dab76741f4ce8c1a98236786d59eca338ef)

9 years agoPush an IPv6 CIDR mask used by the server, not the pool's size
Josh Cepek [Mon, 18 Aug 2014 10:51:01 +0000 (05:51 -0500)] 
Push an IPv6 CIDR mask used by the server, not the pool's size

Correctly handle CIDR masks when pushing clients addressing from an IPv6
pool. This change ignores the incorrectly used `bits` argument to the
--ifconfig-ipv6-pool option.

The code to save any provided CIDR mask after the pool IP is left in;
this may someday become useful when we move to allow IPv6 pools without
relying on an IPv4 pool assignment.

Signed-off-by: Josh Cepek <josh.cepek@usa.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <53F1DA95.7020701@usa.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8990
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c4ed931a70502a351ff1089aa1bfb8001586f788)

9 years agoMake error non-fatal while deleting address using netsh
Selva Nair [Sat, 14 May 2016 00:31:23 +0000 (20:31 -0400)] 
Make error non-fatal while deleting address using netsh

During windows power events such as sleep or suspend, the TUN/TAP
I/O aborts and openvpn signals SIGHUP so as to automatically reconnect
on resume (since commit ea66a2b5cdb2..). During the SIGHUP processing
operations such as address and route deletion are expected to fail. Such
failures should be treated as non-fatal to allow for this automatic
recovery logic to work. Currently, when the address deletion is handled
by netsh, errors are treated as M_FATAL. This patch changes the error
level to M_WARN.

Resolves Trac #71 (comments 37 to 43)

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1463185884-4355-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11655
Signed-off-by: Gert Doering <gert@greenie.muc.de>
9 years agoAdd CHACHA20-POLY1305 ciphersuite IANA name translations.
Dorian Harmans [Fri, 13 May 2016 16:44:52 +0000 (18:44 +0200)] 
Add CHACHA20-POLY1305 ciphersuite IANA name translations.

Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1463157892-701-1-git-send-email-dorian@woohooyeah.nl>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11651

Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e7ec6a3a11ecee54cb10de789668dd37c3f9fc54)

9 years agoFix polarssl / mbedtls builds
Steffan Karger [Fri, 13 May 2016 06:54:52 +0000 (08:54 +0200)] 
Fix polarssl / mbedtls builds

Commit 8a399cd3 hardened the OpenSSL default cipher list,
but also introduced a change in shared code that causes
polarssl / mbedtls builds to break when no --tls-cipher is
specified.

This fix is backported code from the master branch.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1463122492-701-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11647
Signed-off-by: Gert Doering <gert@greenie.muc.de>
9 years agoPreparing for release v2.3.11 (ChangeLog, version.m4) v2.3.11
Gert Doering [Mon, 9 May 2016 19:12:30 +0000 (21:12 +0200)] 
Preparing for release v2.3.11 (ChangeLog, version.m4)

Signed-off-by: Gert Doering <gert@greenie.muc.de>
9 years agoImprove LZO, PAM and OpenSSL documentation
Samuli Seppänen [Mon, 9 May 2016 18:55:45 +0000 (21:55 +0300)] 
Improve LZO, PAM and OpenSSL documentation

Patch provided by Trac user dogbert2

Trac #590

Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1462820145-24669-1-git-send-email-samuli@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11627
Signed-off-by: Gert Doering <gert@greenie.muc.de>
9 years agoFixed port-share bug with DoS potential
James Yonan [Thu, 3 Mar 2016 07:48:12 +0000 (00:48 -0700)] 
Fixed port-share bug with DoS potential

Fixed port-share bug that can cause segfault when the number
of concurrent connections is large.

The issue is that the port-share code calls openvpn_connect()
which in turn calls select().  When there are a high number
of concurrent port-share connections, the fd passed to select
can potentially exceed FD_SETSIZE, causing undefined behavior.

The fix is to use poll() (if available) instead of select().

Signed-off-by: James Yonan <james@openvpn.net>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <CAA1Abx+2E2FZN-y6P=mkKpSuZ7bOV5m6rUMTx3V7UP2qPMjZPg@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11626
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 007738e9d6030c8989713543e4f7308ff57be30f)

9 years agoFix buffer overflow by user supplied data
Jens Neuhalfen [Tue, 19 Apr 2016 18:42:55 +0000 (20:42 +0200)] 
Fix buffer overflow by user supplied data

Passing very long usernames/passwords for pam authentication could
possibly lead to a stack based buffer overrun in the auth-pam plugin.

Adds a dependency to C99 (includes stdbool.h)

Signed-off-by: Jens Neuhalfen <jens@neuhalfen.name>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <A4F03DE4-3E70-4815-B4B4-CC185E35CF2C@neuhalfen.name>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11477
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7c0ecd1191e66fa242708f93baa4006ba0a73c7a)

9 years agoVarious Changes.rst fixes
Steffan Karger [Mon, 18 Apr 2016 18:25:58 +0000 (20:25 +0200)] 
Various Changes.rst fixes

This fixes some formatting issues, and updates the text for the cipher list
restriction to match the restrictions of 2.3 (rather than those of master
wrt 2.3).

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1461003958-14726-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11467
Signed-off-by: Gert Doering <gert@greenie.muc.de>
9 years agoSupport reading the challenge-response from console
Selva Nair [Sun, 20 Dec 2015 19:12:53 +0000 (14:12 -0500)] 
Support reading the challenge-response from console

Trying to keep the footrpint small, this patch adds to the
convoluted code-flow in get_user_pass_cr(). Cleanup left for later.
-----8<-----

Currently prompting for a response to static-challenge
gets skipped when the username and passowrd are read
from a file. Further, dynamic challenge gets wrongly handled
as if its a username/password request.

The Fix:
- Add yet another flag in get_user_pass_cr() to
  set when prompting of response from console is needed.
- In receive_auth_failed(), the challenge text received
  from server _always_ copied to  the auth_challenge
  buffer: this is needed to trigger prompting from console
  when required.
- Also show the challenge text instead of an opaque
  "Response:" at the prompt.

While at it, also remove the special treatment of authfile ==
"management" in get_user_pass_cr(). The feature implied by that
test does not exist.

Tested:
  - username and optionally password from file, rest from console
  - the above with a static challenge
  - the above with a dynamic challenge
  - all of the above with systemd in place of console
  - all from management with and without static/dynamic
    challenge.

Thanks to Wayne Davison <wayne@opencoder.net> for pointing out the
issue with challenge-response, and an initial patch.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1450638773-11376-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10868
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 9b0f1df2560441ab5ea80f053acd0161de8b6c7a)

9 years agoRestrict default TLS cipher list
Steffan Karger [Sun, 17 Apr 2016 18:23:32 +0000 (20:23 +0200)] 
Restrict default TLS cipher list

In the past years, the internet has been moving forward wrt deprecating
older and less secure ciphers.  Let's follow this example in OpenVPN and
also restrict the default list of negotiable TLS ciphers in 2.3.x.

This disables the following:
 * Export ciphers (these are broken on purpose...)
 * Ciphers in the LOW and MEDIUM security cipher list of OpenSSL
   The LOW suite will be completely removed from OpenSSL in 1.1.0,
   the MEDIUM suite contains ciphers like RC4 and SEED.
 * Ciphers that are not supported by OpenVPN anyway (cleans up the list)

Note that users are able to override this default, using --tls-cipher, if
they for some reason need ciphers that are now disabled by default.

v2: add Changes.rst entry.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1460917412-29741-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11455
Signed-off-by: Gert Doering <gert@greenie.muc.de>
9 years agoMake intent of utun device name validation clear
Jens Neuhalfen [Thu, 14 Apr 2016 17:58:07 +0000 (19:58 +0200)] 
Make intent of utun device name validation clear

Make intend of the validation clear when validating utun parameter in
open_darwin_utun.  The program logic remains unchanged.

Fixes the following compiler warning on Mac OS X:

tun.c:2847:19: warning: logical not is only applied to the left hand side
of this comparison [-Wlogical-not-parentheses]
  if (dev_node && !strcmp ("utun", dev_node)==0)
                  ^                         ~~
tun.c:2847:19: note: add parentheses after the '!' to evaluate the
comparison first
  if (dev_node && !strcmp ("utun", dev_node)==0)
                  ^
                   (                           )
tun.c:2847:19: note: add parentheses around left hand side expression to
silence this warning
  if (dev_node && !strcmp ("utun", dev_node)==0)
                  ^
                  (                         )
tun.c:2849:11: warning: logical not is only applied to the left hand side
of this comparison [-Wlogical-not-parentheses]
      if (!sscanf (dev_node, "utun%d", &utunnum)==1)
          ^                                     ~~
tun.c:2849:11: note: add parentheses after the '!' to evaluate the
comparison first
      if (!sscanf (dev_node, "utun%d", &utunnum)==1)
          ^
           (                                       )
tun.c:2849:11: note: add parentheses around left hand side expression to
silence this warning
      if (!sscanf (dev_node, "utun%d", &utunnum)==1)
          ^
          (                                     )

Signed-off-by: Jens Neuhalfen <jens@neuhalfen.name>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <3365AB24-33FD-4D9D-A57C-BF9240DC3D69@neuhalfen.name>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11440
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6be0f0015d7485f0bf3c14a3a381a6f6496270a5)

9 years agoEnsure input read using systemd-ask-password is null terminated
Selva Nair [Thu, 14 Apr 2016 03:53:33 +0000 (23:53 -0400)] 
Ensure input read using systemd-ask-password is null terminated

Also properly check the return value of read() and leave room
for termination.
Fixes junk data occasionally seen in strings read through systemd.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1460606013-4983-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11437
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit d09fbf958f1c0b15372b3e87d784ae666b91a96b)

9 years agoReplace MSG_TEST() macro for static inline msg_test()
Steffan Karger [Sun, 27 Mar 2016 14:18:16 +0000 (16:18 +0200)] 
Replace MSG_TEST() macro for static inline msg_test()

Using a static inline function instead of a macro has the advantages that
(1) 'flags' is not evaluated twice and (2) coverity will stop complaining
that 'Macro compares unsigned to 0 (NO_EFFECT)' each time we use flags
with loglevel 0 (e.g. M_FATAL or M_WARN).

This has a performance impact when compiler optimizations are fully
disabled ('-O0'), but should otherwise be as fast as using a macro.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1459088296-5046-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11368
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit bbde0a766c69f573746461415c6f5cd289272fff)

9 years agoFix memory leak in argv_extract_cmd_name()
Steffan Karger [Sun, 27 Mar 2016 15:22:10 +0000 (17:22 +0200)] 
Fix memory leak in argv_extract_cmd_name()

Reported by coverity (in 2009!):

1648 static char *
1649 argv_extract_cmd_name (const char *path)
1650 {
     1. Condition path, taking true branch
1651   if (path)
1652     {
1653       char *path_cp = string_alloc(path, NULL); /* POSIX basename()
implementaions may modify its arguments */
1654       const char *bn = basename (path_cp);
     2. Condition bn, taking true branch
1655       if (bn)
1656         {
     3. alloc_fn: Storage is returned from allocation function
string_alloc. [show details]
     4. var_assign: Assigning: ret = storage returned from
string_alloc(bn, NULL).
1657           char *ret = string_alloc (bn, NULL);
     5. noescape: Resource ret is not freed or pointed-to in strrchr.
1658           char *dot = strrchr (ret, '.');
     6. Condition dot, taking false branch
1659           if (dot)
1660             *dot = '\0';
1661           free(path_cp);
     7. Condition ret[0] != 0, taking false branch
1662           if (ret[0] != '\0')
1663             return ret;
     CID 27023 (#2-1 of 2): Resource leak (RESOURCE_LEAK)8.
leaked_storage: Variable ret going out of scope leaks the storage it
points to.
1664         }
1665     }
1666   return NULL;
1667 }

This function is only used by argv_printf_arglist(), and in a very specific
case, so it might be that this leak can not even occur.  But coverity is
clearly right that this is a bug, so let's just fix it.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1459092130-19905-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11369
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit be16d5f6b050248f503455e4a0e8f3aaaa38bdc7)

9 years agohardening: add safe FD_SET() wrapper openvpn_fd_set()
Steffan Karger [Thu, 3 Mar 2016 09:22:48 +0000 (10:22 +0100)] 
hardening: add safe FD_SET() wrapper openvpn_fd_set()

On many platforms (not Windows, for once), FD_SET() can write outside the
given fd_set if an fd >= FD_SETSIZE is given.  To make sure we don't do
that, add an ASSERT() to error out with a clear error message when this
does happen.

This patch was inspired by remarks about FD_SET() from Sebastian Krahmer
of the SuSE Security Team.

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1456996968-29472-1-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11285
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e0b3fd49e2b5bba8cb57419a13cb75b56ac91b94)

9 years agoReport Windows bitness
Lev Stipakov [Sun, 7 Feb 2016 20:21:32 +0000 (22:21 +0200)] 
Report Windows bitness

Trac #599

Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1454876492-6588-1-git-send-email-lstipakov@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11086
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 15f78acfae2f99b74a72b5766559f28c2d1d3cac)

9 years agoFix OCSP_check.sh
Steffan Karger [Thu, 25 Feb 2016 14:10:34 +0000 (15:10 +0100)] 
Fix OCSP_check.sh

As reported in trac #582, the OCSP_check.sh script should use grep -E,
instead of grep -F when it uses ^ in the expression.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1456409434-14784-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11254
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ab0f846de6991345c30f5b69817304183d347e0e)

9 years agoUpdate --block-outside-dns to work on Windows Vista
ValdikSS [Fri, 15 Jan 2016 23:35:38 +0000 (02:35 +0300)] 
Update --block-outside-dns to work on Windows Vista

Windows Vista doesn't support non-equal matching of application name, it
is available only since Windows 7.

This commit splits 2 filtering conditions with non-equal matching to 2
filters each with 1 filtering condition: permit IPv4 (first filter)
and IPv6 (second filter) port 53 traffic from openvpn.exe instead
of blocking all non-openvpn.exe traffic on port 53 for both protocols.

Trac #648

Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <1452900938-3636-1-git-send-email-iam@valdikss.org.ru>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10998

Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 236769150f64087c590c718c76916ee3c8c9d3b5)

9 years agoCorrectly report TCP connection timeout on windows.
Leonardo Basilio [Wed, 10 Feb 2016 10:19:39 +0000 (11:19 +0100)] 
Correctly report TCP connection timeout on windows.

On nonblocking TCP connects, we set status = ETIMEOUT on failure.
On windows, depending on which header files are included, ETIMEOUT
is defined differently, and this leads to incomprehensible error
messages - so, always use WSAETIMEDOUT here.

Trac #651

Signed-off-by: Leonardo Basilio <leobasilio@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <CACqLfMnBXwSY=MXyc7B1oMKwYE2Z_49G3mpkEPxbSAuG61tgZA@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11085
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 5f5229e41d134b659e502bb2597c711aedaf8096)

9 years agoFix undefined signed shift overflow
Michael McConville [Fri, 5 Feb 2016 07:36:03 +0000 (08:36 +0100)] 
Fix undefined signed shift overflow

Originally discussed here:

https://github.com/OpenVPN/openvpn/pull/42

Thanks for your time,
Michael

Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20160202191122.GE1675@thinkpad.swarthmore.edu>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11050

Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit d4d5d9259aeba152d5969fea048267fc97ca7530)

9 years agoClarify --block-outside-dns documentation
ValdikSS [Sat, 16 Jan 2016 14:05:26 +0000 (17:05 +0300)] 
Clarify --block-outside-dns documentation

Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1452953126-6283-1-git-send-email-iam@valdikss.org.ru>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11001

Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit cc4761fcafdeceea1a4b004f91c9fb47ef8b19c1)

9 years agoClarify mssfix documentation
ValdikSS [Sat, 9 Jan 2016 15:53:45 +0000 (18:53 +0300)] 
Clarify mssfix documentation

Acked-by: Jan Just Keijser <janjust@nikhef.nl>
Message-Id: <1452354825-5096-1-git-send-email-iam@valdikss.org.ru>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10969

Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 651591525ee933c69f442d51d2b6064f2893181d)

9 years agoFix build with libressl
Niels Ole Salscheider [Sun, 10 Jan 2016 13:44:35 +0000 (14:44 +0100)] 
Fix build with libressl

Signed-off-by: Niels Ole Salscheider <niels_ole@salscheider-online.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1452433475-16779-1-git-send-email-niels_ole@salscheider-online.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10975
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 9dfc2309c6b4143892137844197f5f84755f6580)

9 years agosocks.c: fix check on get_user_pass() return value(s)
Steffan Karger [Wed, 13 Jan 2016 16:09:08 +0000 (17:09 +0100)] 
socks.c: fix check on get_user_pass() return value(s)

My compiler rightfully complains that the checks on creds.username and
creds.password always evaluate to true, so remove those checks.

Judging from the code, they were meant to check the returned values by
get_user_pass().  So instead of these non-functioning checks, just check
the return value of get_user_pass().

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1452701348-9577-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10993
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 982ab2364a68f2fca0cb9219b31bdabcd5aa4b49)

9 years agoUpdate manpage: OpenSSL might also need /dev/urandom inside chroot
Steffan Karger [Thu, 7 Jan 2016 19:52:44 +0000 (20:52 +0100)] 
Update manpage: OpenSSL might also need /dev/urandom inside chroot

As reported in trac ticket #646, OpenSSL might also need /dev/urandom to
be available in the chroot.  This depends on OS, OS version and ssl library
configuration.  Update the manpage to better explain this.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1452196364-18786-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10954
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 0609eb477bdcd7b23bd8072f69714592323cab2e)

9 years agopolarssl: improve logging
Steffan Karger [Thu, 7 Jan 2016 13:01:30 +0000 (14:01 +0100)] 
polarssl: improve logging

Add the functions polar_log_err(), polar_log_func_line() and a macro
polar_ok(), to easily log human-readable PolarSSL errors from
polarssl-specific code.

This does not provide the full logging interface as msg(), because I
would have to add a lot more of macro-magic to achieve that on the
various supported compilers and platforms, and this suffices too (for
now at least).

Use the new polar_log_err() and polar_ok() functions to provide more
log/debug output for polarssl errors.

This is commit is a combined cherry-pick of commits 6ef5df14d17d362d,
aa416be9, and 3a39bf7d from the master branch, adjusted to the
release/2.3 branch.

v2 - use static inline instead of macro for optimization, and include
     'enable polarssl debug logging'.

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1452171690-26822-1-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10952
Signed-off-by: Gert Doering <gert@greenie.muc.de>
9 years agoopenssl: improve logging
Steffan Karger [Wed, 6 Jan 2016 20:51:04 +0000 (21:51 +0100)] 
openssl: improve logging

This improves OpenSSL logging and removes OpenSSL-specific error
printing code from error.c. The crypto_msg() functions provide
convenience wrappers, specific to OpenSSL. Instead of passing the
magical 'M_SSLERR' flag to msg(), a developer now just calls
crypto_msg() to get OpenSSL errors dumped to log.

This is commit is a combined cherry-pick of commits e795d6ba and
98ea2ec5 from the master branch, adjusted to the release/2.3 branch.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1452113464-28062-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10944
Signed-off-by: Gert Doering <gert@greenie.muc.de>
9 years agoPreparing for release v2.3.10 (ChangeLog, version.m4) v2.3.10
Gert Doering [Mon, 4 Jan 2016 09:27:55 +0000 (10:27 +0100)] 
Preparing for release v2.3.10 (ChangeLog, version.m4)

Signed-off-by: Gert Doering <gert@greenie.muc.de>
9 years agoFix regression in setups without a client certificate
Steffan Karger [Sun, 3 Jan 2016 09:47:56 +0000 (10:47 +0100)] 
Fix regression in setups without a client certificate

This fixes a null-pointer dereference in tls_ctx_cert_time(), which will
occur on clients that do not use a client certificate (ie that only have
auth-user-pass in the config, but no key and cert).  This bug was
introduced by commit 091edd8e on the master branch, and commit dfd940bb
on the release/2.3 branch.

This bug was found by chipitsine and reported in trac ticket #644.

While touching this function, I also made this function conform to the
openvpn coding style.

v2 - fix memory leak in builds using pre-1.0.2 openssl

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1451814476-32574-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10921
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 868d9d01802da9bbbb3a758981f3c7310a905813)

9 years agoRepair IPv6 netsh calls if Win XP is detected
Lev Stipakov [Tue, 29 Dec 2015 20:56:01 +0000 (22:56 +0200)] 
Repair IPv6 netsh calls if Win XP is detected

v2:
* Add compat-versionhelpers.h to compat/Makefile.am so that
  "make dist" will include it into tarball.
* Indentation

v1:
* Use adapter name instead of index when calling netsh.exe on
  WinXP - sadly XP does not support indexes
* Write Windows version to log
* Send it with peer-info as IV_PLAT_VER

Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1451422561-23635-1-git-send-email-lstipakov@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10903
Signed-off-by: Gert Doering <gert@greenie.muc.de>
9 years agoMake certificate expiry warning patch (091edd8e299686) work on OpenSSL 1.0.1 and...
Jan Just Keijser [Sat, 26 Dec 2015 09:15:04 +0000 (10:15 +0100)] 
Make certificate expiry warning patch (091edd8e299686) work on OpenSSL 1.0.1 and earlier.

Integrating feedback from Steffan Karger, tested by Gert Doering on
FreeBSD 7.4 / OpenSSL 0.9.8.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20151226091900.GU24952@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10881
(cherry picked from commit 0e591a2fce325e2b91d429ea18aa6ed383330383)

9 years agoUse bob.example.com and alice.example.com to improve clarity of documentation
Phillip Smith [Tue, 22 Dec 2015 00:12:26 +0000 (11:12 +1100)] 
Use bob.example.com and alice.example.com to improve clarity of documentation

This patch uses generic "bob.example.com" and "alice.example.com"
hostnames to replace the current "may" and "june" examples. Generic
names chosen rather than other names like "server"/"client" or
"head-office"/"remote-office" etc which may create other unintended
or implicit meanings to the reader.

The example.com domain is set aside defined by IANA for use as
documentation examples. Refer to: http://www.iana.org/domains/reserved
Using this well-known domain makes comprehension of documentation easier.
This patch incorporates feedback from Gert Doering and Selva Nair.

Signed-off-by: Phillip Smith <fukawi2@gmail.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1450743146-9050-1-git-send-email-fukawi2@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10875
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 0f7319906a9dff58226821b1686fd80f4e4e3b35)

9 years agocleanup: get rid of httpdigest.c type warnings
Steffan Karger [Sun, 20 Dec 2015 21:27:48 +0000 (22:27 +0100)] 
cleanup: get rid of httpdigest.c type warnings

When I compile with --enable-strict, I only want to see warnings that are
relevant.  So, change httpdigest.c to make the casts explicit.

This commit should not change behaviour.

v2: as discussed on #openvpn-devel, make colon a const uint8_t *, instead
    of uint8_t.
v3: as further discussed on #openvpn-devel, don't use a 'colon' var, but
    just add casts.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1450646868-15346-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10871
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 0385cd4804c133d48857e4b3fbfe93a75ecc68a5)

9 years agoMake assert_failed() print the failed condition
Steffan Karger [Sun, 20 Dec 2015 10:44:09 +0000 (11:44 +0100)] 
Make assert_failed() print the failed condition

Easy change to make logging output more useful.

v2: don't print the failed condition if ENABLE_SMALL is defined.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1450608249-9947-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10862
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 9b36bd40d393620cce83392f4a56392ba391fb7c)

9 years agoWarn user if their certificate has expired
Steffan Karger [Sat, 19 Dec 2015 11:39:29 +0000 (12:39 +0100)] 
Warn user if their certificate has expired

Previously, client certificate expiry warnings would only visible in the
server log, and server certificate expiry warnings in the client log.
Both after a (failed) connection attempt.  This patch adds a warning to
log when a users own certificate has expired (or is not yet valid) to ease
problem diagnosis / error reporting.

Note that this is just a warning, since on some systems (notably embedded
devices) there might be no correct time available.

The SSL_CTX_get0_certificate() function is available in OpenSSL 1.0.2+
only.  Older versions seem to not have a useful alternative, and the
certificate reference we need is hidden in an opaque struct.  The
remaining option would then be to add extra workaround code for the select
group of people that do use an up-to-date openvpn, but do not update their
openssl.  I don't think that's worth it.  So just disable the code for
older openssl versions.

(This is a combination of commits 091edd8e and 644f2cdd from the master
branch, adjusted to apply to the release/2.3 branch cleanly)

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1450525169-12961-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10855
Signed-off-by: Gert Doering <gert@greenie.muc.de>
9 years agoPrepare for v2.3.10 release, list PolarSSL 1.2 to 1.3 upgrade
Gert Doering [Sat, 19 Dec 2015 13:24:28 +0000 (14:24 +0100)] 
Prepare for v2.3.10 release, list PolarSSL 1.2 to 1.3 upgrade

Signed-off-by: Gert Doering <gert@greenie.muc.de>
9 years agoUpgrade OpenVPN 2.3 to PolarSSL 1.3
Steffan Karger [Sat, 19 Dec 2015 11:39:28 +0000 (12:39 +0100)] 
Upgrade OpenVPN 2.3 to PolarSSL 1.3

PolarSSL 1.2 is going end-of-support by 31-12-2015, so we have to move
on.  Newer versions of polarssl/mbedtls are already released (2.0-2.2),
but as previously agreed upon, we will just move release/2.3 to polar
1.3, where master has been for a while now.

This commit removes support for PolarSSL 1.2.  The mimimum required
version of PolarSSL is now 1.3.8.

This commit is a combination of a number of commits related to upgrading
or fixing polarssl 1.3 support from the master branch, adjusted to apply
to the release/2.3 branch:
03df3a99 Upgrade to PolarSSL 1.3
cc1cee74 Update openvpn-plugin.h for PolarSSL 1.3.
4b9eaa1e Fix regression with password protected private keys (polarssl)
d0f26fb5 polarssl: disable 1/n-1 record splitting
444a93ea polarssl: fix --client-cert-not-required
9571010a polarssl: also allocate PKCS#11 certificate object on demand
67a67e39 polarssl: don't use deprecated functions anymore
9d3b7cec polarssl: require >= 1.3.8

This commit was tested using:
 * Regular private key file
 * Password-protected private key file
 * PKCS#11
 * --management-external-key
 * CRL file (with and w/o revoked cert)
 * With and w/o tls-auth
 * RSA and ECDSA key/certs

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1450525169-12961-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10856
Signed-off-by: Gert Doering <gert@greenie.muc.de>
9 years agopolarssl: fix unreachable code
Yegor Yefremov [Sun, 23 Nov 2014 12:21:43 +0000 (13:21 +0100)] 
polarssl: fix unreachable code

Found via cppcheck and compile-tested.

Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1416745303-23641-1-git-send-email-yegorslists@googlemail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9266
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 98c5de769d6bcd4822b2fd81ae4f4b05edff5c0e)

9 years agoRemove unused variables from ssl_verify_polarssl.c's x509_get_serial()
Steffan Karger [Sun, 12 Jan 2014 19:39:31 +0000 (20:39 +0100)] 
Remove unused variables from ssl_verify_polarssl.c's x509_get_serial()

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1389555572-6210-3-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8222
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7a85a6fafacba186ae2fc495d32e159ea9a57e0e)

9 years agoPreparing for release v2.3.9 (ChangeLog, version.m4) v2.3.9
Gert Doering [Tue, 15 Dec 2015 17:01:43 +0000 (18:01 +0100)] 
Preparing for release v2.3.9 (ChangeLog, version.m4)

Signed-off-by: Gert Doering <gert@greenie.muc.de>
9 years agoUpdates to Changes.rst
Samuli Seppänen [Tue, 15 Dec 2015 15:00:26 +0000 (17:00 +0200)] 
Updates to Changes.rst

This patch is for the release/2.3 branch

Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1450191626-24633-1-git-send-email-samuli@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10816
Signed-off-by: Gert Doering <gert@greenie.muc.de>
9 years agoFix VS2013 compilation
Lev Stipakov [Tue, 15 Dec 2015 08:18:22 +0000 (10:18 +0200)] 
Fix VS2013 compilation

Update toolset, define __attribute__.

Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1450167502-13471-1-git-send-email-lstipakov@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10809
Signed-off-by: Gert Doering <gert@greenie.muc.de>
9 years agoMake "block-outside-dns" option platform agnostic
Fish [Mon, 14 Dec 2015 20:41:35 +0000 (12:41 -0800)] 
Make "block-outside-dns" option platform agnostic

Make the "block-outside-dns" option agnostic of Windows versions by
dynamically loading WFP-related functions. Cross-compiled on Linux and
tested on Windows XP/10.

v2: move MinGW definitions to win32_wfp.h and add attribution.

v3: keep #ifdef WIN32 in init.c (do not break non-windows platforms).

v4: Also make MSVC happy.

Tested-by: ValdikSS <iam@valdikss.org.ru>
Tested-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1450125695-36596-1-git-send-email-fish.thss@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10795

Signed-off-by: Gert Doering <gert@greenie.muc.de>
9 years agoPass adapter index to up/down scripts
Lev Stipakov [Sat, 12 Dec 2015 12:34:20 +0000 (14:34 +0200)] 
Pass adapter index to up/down scripts

Trac #637

Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1449923660-27363-1-git-send-email-lstipakov@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10762
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 9dff2c1f106865a72a1d505076751dde170e88dc)

9 years agoAdd Windows DNS Leak fix using WFP ('block-outside-dns')
ValdikSS [Thu, 10 Dec 2015 20:51:35 +0000 (23:51 +0300)] 
Add Windows DNS Leak fix using WFP ('block-outside-dns')

This option blocks all out-of-tunnel communication on TCP/UDP port 53
(except for OpenVPN itself), preventing DNS Leaks on Windows 8.1 and 10.

The 2.3 version of this patch is only active if compiling for Vista+
(_WIN32_WINNT >= 0x0600) as XP does not have the necessary includes
and libraries.

Reviewed-by: Selva Nair <selva.nair@gmail.com>
Reviewed-by: Lev Stipakov <lstipakov@gmail.com>
Reviewed-by: James Yonan <james@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1449780695-3879-1-git-send-email-iam@valdikss.org.ru>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10743

Signed-off-by: Gert Doering <gert@greenie.muc.de>
9 years agoUse adapter index for add/delete_route_ipv6
Lev Stipakov [Fri, 11 Dec 2015 23:10:30 +0000 (01:10 +0200)] 
Use adapter index for add/delete_route_ipv6

Trac #637

Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1449875430-15579-1-git-send-email-lstipakov@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10760

Signed-off-by: Gert Doering <gert@greenie.muc.de>
9 years agoDetect config lines that are too long and give a warning/error
Arne Schwabe [Thu, 10 Dec 2015 12:37:10 +0000 (13:37 +0100)] 
Detect config lines that are too long and give a warning/error

Trac #631

Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1449751030-10703-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10723

Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 4baec3ee10b8d6826d5f076a9832a92a5cfe3676)

9 years agoFix isatty() check for good.
Gert Doering [Wed, 9 Dec 2015 20:03:55 +0000 (21:03 +0100)] 
Fix isatty() check for good.

Commit 079e5b9c13 introduced a check to see if we --daemon'ized before
trying to ask for a password (which would then fail with a non-intuitive
error), breaking querying systemd under certain conditions.

Move check from get_user_pass_cr() to get_console_input() and make it
"full featured" by not only checking isatty() for stdin/stderr but also
trying to open /dev/tty in case we still have a controlling tty - which
is what getpass() does under the hood, so if either of this works, we're
fine.

Trac #618 and #630

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <1449691435-5928-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10709
(cherry picked from commit 015fe7177181fb4944ddf33debcfcd20c62ba55a)

9 years agoAlso remove second instance of enable-password-save in the man page
Arne Schwabe [Sun, 29 Nov 2015 19:38:21 +0000 (20:38 +0100)] 
Also remove second instance of enable-password-save in the man page

Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <1448825901-12294-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10671

Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 80442aeed408f26700ea7570ced2409e7dd3e98b)

9 years agoReflect enable-password-save change in documentation
Arne Schwabe [Sun, 29 Nov 2015 18:52:24 +0000 (19:52 +0100)] 
Reflect enable-password-save change in documentation

Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1448823144-1497-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10665

Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 1e9c1f09cba95ebf72083c746cf847056a61c761)

9 years agoRemove --enable-password-save option
Arne Schwabe [Sun, 29 Nov 2015 14:55:59 +0000 (15:55 +0100)] 
Remove --enable-password-save option

This options is enabled in virtually all distributions and gives no real
security benefit.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1448808959-10565-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10661

Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 9ffd00e7541d83571b9eec087c6b3545ff68441f)

9 years agoput virtual IPv6 addresses into env
Heiko Hund [Wed, 25 Nov 2015 16:46:49 +0000 (17:46 +0100)] 
put virtual IPv6 addresses into env

Add missing environment variables for IPv6 virtual addresses:

  * ifconfig_pool_local_ip6
  * ifconfig_pool_remote_ip6
  * ifconfig_pool_ip6_netbits

Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1448470009-5243-1-git-send-email-heiko.hund@sophos.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10613
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a8f8b9267183c3cfc065f344d61effe6c55c3da6)

9 years agoUnbreak read username password from management
Selva Nair [Fri, 27 Nov 2015 02:20:53 +0000 (21:20 -0500)] 
Unbreak read username password from management

Commit 6e9373c846.. introduced a bug by which auth-user-pass
or need-ok input falls back to read-from-stdin after successfully
reading from management or console. Fix by treating stdin as the last
option for input.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1448590853-26862-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10630
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit cdd69bb7f1c207fb5a9648f36440d7c6e2dcaa76)

9 years agoFix rand_bytes return value checking
Steffan Karger [Sat, 28 Nov 2015 10:38:25 +0000 (11:38 +0100)] 
Fix rand_bytes return value checking

This patch is in response to an off-list report by Sebastian Krahmer of
the SuSE security team.  Sebastian noticed we do not check the return
value of rand_bytes() in prng_bytes(), which we really should.

Failing to check the return value occurs if no prng is used (i.e. in
static key mode, or when explicitly disabled using --prng none).
prng_bytes() is used for generating IVs, session IDs and filenames.

The impact of failing to check the return value seems very limited:

Not generating random file names or session IDs could cause collisions in
(temporary) file names and/or session IDs.  These in turn could cause
availability issues, but would not result in a breach in confidentiality
and/or integrity.

Our CBC mode protocol uses a packet id (timestamp + packet counter in
static key mode, or just the packet counter in TLS mode) at the start of
each packet (by default, but can be disabled using --no-iv and
--no-replay). Because the timestamp and packet counter are not
controllable by an attacker, it is not clear how predictable or even
repeating IVs could be used to mount an attack.  (Note that the fact that
*I* can't find or come up with an attack is not a very strong argument,
this remains somewhat worrisome.)

CFB and OFB modes are not affected, because they do not rely on the prng
for IVS.

Finally, RAND_bytes() actually failing is quite unlikely, as that would
result in all sorts of other problems we should have heard about.

Of course, we still really should fix this, so this patch adds return
value checking of rand_bytes() inside prng_bytes().  The ASSERT() might be
a bit crude, so a follow-up patch that adds a return value to prng_bytes()
and proper return value checking probably makes sense.  But at least this
is a quick and simple fix for the issue at hand.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1448707105-10753-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10636
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 5a73356ae5d0bf94ec81a33c7dcda6a41651ca6c)

9 years agoopenssl: properly check return value of RAND_bytes()
Steffan Karger [Sat, 28 Nov 2015 10:38:24 +0000 (11:38 +0100)] 
openssl: properly check return value of RAND_bytes()

This patch is in response to an off-list report by Sebastian Krahmer of
the SuSE security team.  Sebastian noticed we do not check the return
value of RAND_bytes() correctly.

The RAND_bytes() man page first says "RAND_bytes() returns 1 on success,
0 otherwise.", but then a bit later "Both functions return -1 if they are
not supported by the current RAND method.".  This second case was not
covered by our return value checking.

Note that if RAND_bytes() would return -1, it would *always* return -1 and
fail to generate random.

Also note that if RAND_bytes() would return -1, it would do so too in the
openssl internal ssl funtions.  The openssl internal function do check the
return value properly, and connection setup would fail all together.  If
that would be at least somewhat common, we would have received a *lot* of
bug reports.  In other words, the error affects static key setups only,
and seems highly unlikely to occur in actual setups.

Only builds using OpenSSL as the crypto backend are affected.

This patch:
1. Changes the behaviour of rand_bytes() in openssl builds to match what
   the doxygen claims (and polarssl builds already do).
2. Adds error reporting for RAND_bytes() failures.

Note: crypto_msg() was changed to msg() for 2.3

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1448707105-10753-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10637
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 756602e7da11362f25be04743cd09f798b6f528a)

9 years agoAvoid partial authentication state when using --disabled in CCD configs
David Sommerseth [Wed, 11 Nov 2015 13:01:39 +0000 (14:01 +0100)] 
Avoid partial authentication state when using --disabled in CCD configs

If an openvpn server is configured with --client-config-dir and a client
configuration file contains 'disabled', it is supposed to tell the client
it is not authorized to use the service.

This patch will ensure that the internal state in this scenario is a
complete CAS_FAILED state, and not CAS_PARTIAL if other authorization
steps passed.

Trac: #521
Tested-by: Eric Crist <ecrist@secure-computing.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1447246899-22769-1-git-send-email-openvpn@sf.lists.topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10486
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6c2d790ad8f10029e95aecb0d39377ef06ea8b2a)

9 years agoremove unused gc_arena in FreeBSD close_tun()
Gert Doering [Tue, 24 Nov 2015 13:09:10 +0000 (14:09 +0100)] 
remove unused gc_arena in FreeBSD close_tun()

not used, and a small mem leak on every tunnel close...

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1448370550-23897-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10581
(cherry picked from commit cef57449b98c38deb35e885bd8958fe09f6a2b02)

9 years agoFix memory leak in add_option() by simplifying get_ipv6_addr
Steffan Karger [Mon, 23 Nov 2015 20:58:55 +0000 (21:58 +0100)] 
Fix memory leak in add_option() by simplifying get_ipv6_addr

If get_ipv6_addr() would fail *after* allocating memory for ipv6_local,
add_option() would fail to free that memory.

The fix here is to remove the allocation from get_ipv6_addr(), and create
a separate function for the strip-and-allocate, such that failures are
easier to handle.

v2 - remove free(options->ifconfig_ipv6_local), since that is now handled
     by a garbage collector.

Memory leak found by coverity (in 2011!).

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1448312335-25908-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10573
Signed-off-by: Gert Doering <gert@greenie.muc.de>