Allow learning iroutes with network made up of all 0s (only if netbits < 8)
It is plausible for a user to be willing to add a route for a network
made up of all 0s via a VPN client (i.e. 0.0.0.0/1), therefore such
iroute should be supported.
As of now the option parsing code will accept such iroute, but
the learning routine will (silently) reject it after a sanity check.
Such check prevents routes with network made up of all 0s to be
learnt at all..
Change the sanity check so that it will reject iroutes to network
made up of 0s only when netbits is greater than 7.
The reason for choosing 7 is because anything within 0.0.0.0/8 is not
really routable among networks.
While at it, make the sanity check louder so that it can print the
reason why a route is being rejected.
Trac: #726 Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20171206154356.30764-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16044.html Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit a19c56db9bd42b7b8c4a8f353f7db92781397cec)
reload HTTP proxy credentials when moving to the next connection profile
The HTTP proxy credentials are stored in a static variable that is
possibly initialized before each connection attempt.
However, the variable is never "released" therefore get_user_pass()
refuses to overwrite its content and leaves it as it is.
Consequently, if the user config contains multiple connection profiles
with different http-proxy, each having its own credentials, only the
first user/pass couple is loaded and the others are all ignored.
This leads to connection failures because the proper credentials are
not associated with the right proxy server.
The root of the misbehaviour seems to be located in the fact that,
despite the argument force passed to get_user_pass_http() being true,
no action is taken to release the static object containing the
credentials.
Fix the misbehaviour by releasing the http-proxy credential object
when the reload is "forced".
Trac: #836 Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Steffan Karger <steffan@karger.me> Tested-by: David Sommerseth <davids@openvpn.net> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20171204044907.32261-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16007.html Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 86b58ceb29cf1cc3acf32e2ff370d9a4af68c051)
Simon Rozman [Sun, 3 Dec 2017 21:16:54 +0000 (22:16 +0100)]
openvpnserv: Add support for multi-instances
While openvpn.exe can run multiple concurrent processes, openvpnserv.exe
is usually only one single globally unique running process.
This patch extends openvpnserv.exe to support multiple service instances
in parallel allowing side-by-side OpenVPN installations.
Alternate instances must be installed as `SERVICE_WIN32_OWN_PROCESS`
(Type 0x10) and must use the newly introduced service command line
parameter:
-instance <name> <id>
<name> can be `automatic` or `interactive`.
- The service settings will be loaded from `HKLM\Software\OpenVPN<id>`
registry key.
- The automatic service will use `openvpn<id>_exit_1` exit event.
- The interactive service will accept requests on
`\\.\pipe\openvpn<id>\service` named pipe, and run IPC with
openvpn.exe on `\\.\pipe\openvpn<id>\service_<pid>`.
This patch preserves backward compatibility, by defaulting to
`SERVICE_WIN32_SHARE_PROCESS` and `<empty string>` as service ID.
Steffan Karger [Fri, 24 Nov 2017 13:58:23 +0000 (14:58 +0100)]
Use P_DATA_V2 for server->client packets too
P_DATA_V2 introduced the peer-id. This allows clients to float, but as a
side-effect 32-bit aligns the encrypted data. That alignment improves
performance particularly on cheaper/older CPUs. So although servers don't
actually have a peer-id, still use the V2 packet format (with a zero-id)
for server->client traffic too.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1511531903-19349-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/search?l=mid&q=1511531903-19349-1-git-send-email-steffan.karger@fox-it.com Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3b9cce657b0ba876c56ee6f14664a8a77f5b82d5)
Steffan Karger [Sun, 12 Nov 2017 16:36:36 +0000 (17:36 +0100)]
Add --tls-cert-profile option.
This allows the user to specify what certificate crypto algorithms to
support. The supported profiles are 'preferred', 'legacy' (default) and
'suiteb', as discussed in <84590a17-1c48-9df2-c48e-4160750b2e33@fox-it.com>
(https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14214.
html).
This fully implements the feature for mbed TLS builds, because for mbed it
is both more easy to implement and the most relevant because mbed TLS 2+
is by default somewhat restrictive by requiring 2048-bit+ for RSA keys.
For OpenSSL, this implements an approximation based on security levels, as
discussed at the hackathon in Karlsruhe.
This patch uses 'legacy' as the default profile following discussion on
the openvpn-devel mailing list. This way this patch can be applied to
both the release/2.4 and master branches. I'll send a follow-up patch for
the master branch to change the default to 'preferred' later.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20171112163636.17434-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15848.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit aba758740d26224b7b3957df221def7ab80c5802)
Gert Doering [Sat, 11 Nov 2017 14:22:30 +0000 (15:22 +0100)]
Remove warning on pushed tun-ipv6 option.
tun-ipv6 is a no-op nowadays, and we print a warning to let users know -
which is not helpful for server-pushed tun-ipv6 (which might be the
result of --server-ipv6 automatically pushing this). So, remove the
warning if parsing pushed options.
Also, remove the VERIFY_PERMISSION() call here which has side effects
on the "which class of options got pushed, do we need to act on them
later on?" flag set.
v2: use existing pull_mode flag
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20171111142230.3288-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20171111142230.3288-1-gert@greenie.muc.de Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7a216d9dba558281d4b6a04124912081a79fcb88)
Simon Rozman [Fri, 13 Oct 2017 09:50:08 +0000 (11:50 +0200)]
Uniform swprintf() across MinGW and MSVC compilers
Legacy _snwprintf() and snwprintf() functions replaced with ISO C
swprintf().
Assigning _snwprintf() return value to unused variable was also removed
at one occasion. Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20171013095008.8288-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15633.html
Simon Rozman [Wed, 11 Oct 2017 13:45:30 +0000 (15:45 +0200)]
Document ">PASSWORD:Auth-Token" real-time message
Authentication tokens are security enhancement eliminating client
need to cache passwords, and are indispensable at two factor
authentication methods, such as HOTP or TOTP.
The ">PASSWORD:Auth-Token" message was not mentioned anywhere in
the OpenVPN Management Interface Notes. This patch adds a simple use
case example, while the more detailed feature description remains
explained in the OpenVPN manual. Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20171011134530.6676-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15599.html
Simon Rozman [Thu, 12 Oct 2017 10:34:48 +0000 (12:34 +0200)]
Fix local #include to use quoted form
.h include files from the same folder or addressed relatively to the
same folder should be #included using quoted form in MSVC. The angled
form is reserved for include files from folders specified using /I
path.
Using angled form, MSVC fails to locate local #include file, unless
current folder is added to the include search path: /I . Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20171012103448.7632-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15622.html
time_t is only specified as an integer type per POSIX. To reliably
print it, better cast it to "long long", which is at least 64 bits wide
and can represent values beyond 2038.
Printing as a "long" could cause problems on ILP32 systems using a 64
bits time_t (eg OpenBSD/armv7).
James Bottomley [Sun, 29 Oct 2017 15:34:48 +0000 (15:34 +0000)]
autoconf: Fix engine checks for openssl 1.1
In openssl 1.1, ENGINE_cleanup became a #define instead of a function
(because it's no longer needed as engines are self cleaning). Update
the autoconf.ac script to check for ENGINE_cleanup as a declaration to
avoid falsely undefinig HAVE_OPENSSL_ENGINE in openssl 1.1+
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1509291288.3116.14.camel@HansenPartnership.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15676.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6b5dbf6c8da0ff82fa1dca4eb4665be0a4fe31d3)
Selva Nair [Fri, 20 Oct 2017 17:25:56 +0000 (13:25 -0400)]
Avoid illegal memory access when malformed data is read from the pipe
- If only 1 byte is read from the interactive service client pipe, that
evaluates to zero wide characters and subsequent check for NUL
termination in the data buffer segfaults.
Fix: reject clients that send less than a complete wide character.
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1508520356-18277-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15657.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6f20808c8f37301c43d822f6a22d30b3587abc57)
Simon Rozman [Thu, 12 Oct 2017 08:07:20 +0000 (10:07 +0200)]
Simplify iphlpapi.dll API calls
Dynamically locating API function addresses at run-time using
GetProcAddress() was a leftover from the early days of the interactive
service development. It was required before `NTDDI_VERSION` was raised
from Windows XP to Windows Vista.
After NTDDI_VERSION API level was raised to NTDDI_VISTA, the direct
calling of Vista introduced API functions is possible and much
simpler.
This patch simplifies the code while in the same time it removes
controversial function type definitions that caused interactive service
not to compile on MSVC. Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20171012080720.7764-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15614.html
lz4: Fix broken builds when pkg-config is not present but system library is
In commit f91e4863bc1382 we fixed an issue where LZ4_LIBS could be
overwritten in some situations. But on systems where lz4 is installed on
the system but is lacking pkg-config information, the linker will not know
about the lz4 library when completing the build.
This fixes the issue by explicitly setting LZ4_LIBS to contain -llz4
if pkg-config test was run and failed verifying the installed lz4 version
number. This also ensures that LZ4_LIBS will not be overwritten if it
has been provided on the ./configure command line.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20171002190732.12531-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15549.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e5b279f1b62e75569ee8d988b55e6ee0dc93464e)
Older LZ4 library versions used a version number > 100 and not the
current x.y.z versioning scheme. This results in version 122 being
numberically higher than the check we have liblz4 > 1.7.1. And
since that old version (122) does not have the LZ4_compress_default(),
the building explodes later on.
This patch enhances the version check to also ensure the version
number is lower than 100. In addition the function checking we
had was not triggered if system library was found via pkg-config,
so this have now been reworked to really check if we have at least
two of the most important LZ4 functions - as long as a system
library have been found or been accepted via the LZ4_{CFLAGS,LIBS}
variables.
There are more ways to check for functions in autoconf. I opted
for AC_CHECK_LIB() instead of AC_CHECK_FUNC{,S}() as the latter
ones does not test if a function exists in a specific library. This
have the downside of needing to tests instead of AC_CHECK_FUNCS()
which could test for more functions in one go. We also do not
overwrite the LZ4_LIBS variable on success, as that could change
already set library paths (-L)
Finally, a stupid typo got fixed as well.
Trac: 939 Signed-off-by: David Sommerseth <davids@openvpn.net> Tested-by: Richard Bonhomme <fragmentux@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20171002161812.9376-1-davids@openvpn.net>
URL: https://www.mail-archive.com/search?l=mid&q=20171002161812.9376-1-davids@openvpn.net Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f91e4863bc138213a07a2cf53ad71d8a4532abef)
Commit 3d6a4cded2b20fb81 introduced checking for "too many parameters"
at option processing, and neglected to take "ipv6only" as possible
(and optional) argument to "--bind" into account.
Trac: #938
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20170928031620.22331-1-hashiz@meridiani.jp>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15522.html
We are using a deprecated function, LZ4_compress_limitedOutput(), which
will be removed with time. The correct function to use is
LZ4_compress_default(). Both function takes the same number of
arguments and data types, so the change is minimal.
This patch will also enforce the system LZ4 library to be at least v1.7.1.
If the system library is not found or it is older, it will be build using
the bundled LZ4 library. The version number requirement is based on the
LZ4 version we ship.
The changes in configure.ac for the version check is modelled around the
same approach we use for OpenSSL. Plus it does a few minor reformats and
improvements to comply with more recommend autoconf coding style.
This patch is a result of the discussions in this mail thread:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14135.html
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20170907172004.22534-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15396.html Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 5f6225c32e41a922069964d9d59c2fcd6589f74c)
Steffan Karger [Tue, 15 Aug 2017 08:04:33 +0000 (10:04 +0200)]
Fix bounds check in read_key()
The bounds check in read_key() was performed after using the value, instead
of before. If 'key-method 1' is used, this allowed an attacker to send a
malformed packet to trigger a stack buffer overflow.
Fix this by moving the input validation to before the writes.
Note that 'key-method 1' has been replaced by 'key method 2' as the default
in OpenVPN 2.0 (released on 2005-04-17), and explicitly deprecated in 2.4
and marked for removal in 2.5. This should limit the amount of users
impacted by this issue.
CVE: 2017-12166 Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <80690690-67ac-3320-1891-9fecedc6a1fa@fox-it.com>
URL: https://www.mail-archive.com/search?l=mid&q=80690690-67ac-3320-1891-9fecedc6a1fa@fox-it.com Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 3b1a61e9fb27213c46f76312f4065816bee8ed01)
systemd: Enable systemd's auto-restart feature for server profiles
Systemd supervises services it has started and can act upon unexpected
scenarios. This change will restart OpenVPN after 5 seconds if the OpenVPN
process exits unexpectedly.
The on-failure mode is the recommended mode by upstream systemd.
This change have been tested on a test server for some month, and it
works indeed as intended when provoking the OpenVPN process to stop.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20170906235202.26551-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15370.html Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit a4686e99b047081f0ef6f7945450183088464aa5)
tcp-server: ensure AF family is propagated to child context
Commit 23d61c56 introduced the AF_UNSPEC socket family
to be used when we don't know the actual one until the local
socket binding is performed.
In such case AF_UNSPEC is stored in the `ce.af` member of
the `c->options` object, indicating that the family has to be
determined at runtime.
However, the determined value is never propagated back to the
`options` object, which remains AF_UNSPEC and that is
later used to initialize the TCP children contexts (UDP
children contexts are unaffected).
This unexpected setting can trigger weird behaviours, like
the one reported in ticket #933.
In this case the value AF_UNSPEC in combination with the
changes implemented in 2bed089d are leading to a TCP
server quitting with M_FATAL upon client connection.
Note that the misbehaviour described in #933 can only be
triggered when running a TCP server with mtu-disc set
in the config (no matter the value).
Fix this inconsistency by always propagating the AF
family from the top to the child context when running
in TCP server mode.
As a direct consequence, this patch fixes Trac #933.
Trac: 933 Signed-off-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20170907095530.15972-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15380.html Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 682e7feac3bd57e6ce7e60504cb4da5c894d0e18)
systemd: Ensure systemd shuts down OpenVPN in a proper way
By default, when systemd is stopping OpenVPN it will send the SIGTERM
to all processes within the same process control-group. This can come
as a surprise to plug-ins which may have fork()ed out child processes.
So we tell systemd to only send the SIGTERM signal to the main OpenVPN
process and let OpenVPN take care of the shutdown process on its own.
If the main OpenVPN process does not stop within 90 seconds (unless
changed), it will send SIGKILL to all remaining processes within
the same process control-group.
This issue have been reported in both Debian and Fedora.
Trac: 581
Message-Id: <20170906234705.26202-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15369.html Signed-off-by: David Sommerseth <davids@openvpn.net>
[DS: Applied lazy-ack policy]
(cherry picked from commit 29446a18e1f2b52d20f359253b085e96fe458367)
OpenSSL: Always set SSL_OP_CIPHER_SERVER_PREFERENCE flag
* safe bet to say that server admins are better at updating their configs
than client users are and if client do want to restrict their ciphers,
they should simply evict the ciphers they don't want from their cipher
suite
* mbed TLS and OpenSSL behave more similar with the
SSL_OP_CIPHER_SERVER_PREFERENCE flag
Gert van Dijk [Sun, 27 Aug 2017 16:15:15 +0000 (18:15 +0200)]
Warn that DH config option is only meaningful in a tls-server context
If specified in a tls-client context, don't try to open the file as it's
not used. Worse even, if 'none' was specified to disable explicitly, it
complained that the file 'none' could not be found.
[DS: On-the-fly update - Prefixed the message with 'WARNING: ']
Signed-off-by: Gert van Dijk <gert@gertvandijk.net> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20170827161515.2424-1-gert@gertvandijk.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15332.html Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 47a0a80b7718fe88451c82bdfe838e5a6e3c4248)
!A || (A && B) is equivalent to the simpler !A || B
therefore it is preferable to use the second version as
it is simpler to parse while reading the code.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20170824075547.29844-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15313.html Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 10ae9ed5fe7f09c7edb5af266149a9b5e9bcbaa4)
David Sommerseth [Tue, 22 Aug 2017 11:47:15 +0000 (13:47 +0200)]
docs: Replace all PolarSSL references to mbed TLS
There were references in our documentation to the now deprecated PolarSSL
library, which have changed name upstream to mbed TLS.
In addition, where appropriate, the documentation now considers only
mbed TLS 2.0 and newer. This is in accordance with the requirements
./configure sets.
[DS: On-the-fly change - Updated Makefile.am to use README.mbedtls
instead of README.polarssl. This ensures make dist and buildbots
won't explode]
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20170822114715.14225-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15309.html Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit ed0e79938e801ec656d70cf02bcea4cdd0b79532)
Steffan Karger [Sun, 20 Aug 2017 09:19:04 +0000 (11:19 +0200)]
travis: reorder matrix to speed up build
The OSX and mingw builds are much slower than the other jobs. Our free
travis account can only use 4 build executors in parallel. Run the slow
builds earlier, so that when one or more of these finish, the free build
executors will start building the configure variants in parallel with the
slow ones. (Instead of doing the slow ones last, which results in using
only 1-2 executors during the end stage.)
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <1503220744-5569-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15302.html Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit e0a6afa12ea14685d0497ab27453ccc2b09e6e1f)
Steffan Karger [Wed, 16 Aug 2017 17:04:50 +0000 (19:04 +0200)]
tls-crypt: don't leak memory for incorrect tls-crypt messages
If tls_crypt_unwrap() failed, we would jump to cleanup and forget to free
the buffer. Instead, allocate the buffer through gc, which is free'd in
the cleanup section.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20170816170450.10415-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15282.html Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit fca89379c53fe2c145db96a5bcd32327c4bcfa78)
Steffan Karger [Tue, 8 Aug 2017 15:55:41 +0000 (17:55 +0200)]
Add coverity static analysis to Travis CI config
Enable coverity analysis for the release/2.4 branch.
We can only do a limited number of coverity scans per week with our FOSS
account, but since we only occasionally push commits, that should work out
fine. But this limit is the reason we don't use the standard travis addon,
because that would cause the coverity script to run on all of our matrix
builds. That would cause us to reach our limit faster, and waste travis'
resources.
Since our FOSS coverity account doesn't handle multiple branches very well,
we have to pick one branch to run coverity on. I think it's best to use
the most recent stable branch for that (i.e. for now, release/2.4).
Though for ease of maintenance, it's probably best to apply the patch to
both master and release/2.4.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <1502207741-31750-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15176.html Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 4a05f15c9aafe314ae4d3642813ebf234c09276e)
crypto: create function to initialize encrypt and decrypt key
Instead of always initialize the encrypt and decrypt keys separately,
implement an helper function init_key_ctx_bi() that takes care of
both of them for us.
Reduces code duplication and improves readability.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20170707044704.7239-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15011.html Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 974513ea64020c956b531b1cabd76fdbac6655d8)
David Sommerseth [Tue, 15 Aug 2017 20:53:01 +0000 (22:53 +0200)]
Use consistent version references
A simple clean-up where the version references have been unified
all those places I could find now. The versioning scheme used is:
* OpenVPN 2.x
* v2.x
We want to avoid:
* 2.x (2.4 can be just an ordindary decimal number,
OID reference, a version number or anything else)
* OpenVPN v2.x (OpenVPN indicates we're talking about a version)
In addition, several places where it made sense I tried to ensure
the first version reference uses "OpenVPN 2.x" and the following
references in the same section/paragraph uses "v2.x", to set the
context for the version reference.
In Changes.rst modified paragraphs exceeding 80 chars lines where
reformatted as well.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20170815205301.14542-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15260.html Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 500854c3fc956b274790991e4d6771ad9bf6f641)
David Sommerseth [Tue, 15 Aug 2017 21:54:51 +0000 (23:54 +0200)]
Highlight deprecated features
We have quite a list of deprecated options currently. Ensure this
is highlighted both in documentation and code.
This patch builds on the wiki page [1] enlisting all deprecated features
and their status. There are also some options not listed here, as
there exists patches in release/2.4 which awaits an update for git master.
Steffan Karger [Tue, 15 Aug 2017 15:39:46 +0000 (17:39 +0200)]
Move run_up_down() to init.c
This function is only used in init.c, and is not easy to fit into a
specific category because it both runs scripts and plugin hooks. Making
it static in init.c is probably the best place for this function.
(I think we should find a better place for everything currently in misc.c,
and get rid of it all together. This patch is part of that effort.)
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <1502811586-19578-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15256.html Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 4a9d1d70d5b0ff04dbf26ba7e679733a54c694b6)
When setting the SOCKS proxy through the management interface, the
socks_proxy_port pointer would be set to a value that's no longer valid
by the time it's used by do_preresolve_host.
Signed-off-by: Thomas Veerman <thomas.veerman@wanwire.net> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20170707195941.61773-1-thomas.veerman@wanwire.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15018.html Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit aa9d3a5bdc5a1b395d37fbb8abb3ed6166856a1a)
Following the removal of --no-iv, and as suggested by both recent audits
(and done by OpenVPN-NL for 7 years now), it's time to get rid of the
--no-replay option.
The only valid use case I can imagine is to slightly reduce the per-packet
overhead for setups that do not use any authentication mechanism, but I
do not believe that warrants keeping an option around that generally
reduces security and makes our code more complex.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20170701112208.18803-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15003.html Signed-off-by: David Sommerseth <davids@openvpn.net>
The --keysize option can only be used with already deprecated ciphers,
such as CAST5, RC2 or BF. Deviating from the default keysize is
generally not a good idea (see man page text), and otherwise only
complicates our code.
Since we will also remove the support for weak ciphers (ciphers with
cipher block length less than 128 bits) in OpenVPN 2.6 as well, we
start the deprecation of this option instantly.
[DS: Slightly amended the patch, referencing OpenVPN 2.6 and added
a few more details to Changes.rst and the commit message]
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20170701112951.19119-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15004.html Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit ad178f01444d61e48fca83c4f0bc5d82270cee87)
David Sommerseth [Mon, 14 Aug 2017 13:19:37 +0000 (15:19 +0200)]
sample-plugins: fix ASN1_STRING_to_UTF8 return value checks
As we did in 2d032c7f for the ASN1_STRING_to_UTF8() calls in the core code,
we should also free(buf) if the function returns 0.
[DS: On-the-fly merge conflict fix:
There was a conflict against the OpenSSL 0.9.6b workaround in v2.4.
Since we no longer support anything older than OpenSSL 0.9.8 in
release/2.4, whack that workaround and be more consistent with git
master those two places]
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1501238302-16714-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15161.html Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit c43045ca0590364552fbd060cc65ee1c50a4866a)
Move create_temp_file() out of #ifdef ENABLE_CRYPTO
By using get_random() instead of prng_bytes(), we no longer have to place
create_temp_file() inside #ifdef ENABLE_CRYPTO.
The resulting filename now has 62 bits of entropy (2 * [0-INT_MAX])
instead of the previous 128 bits, but that should be plenty. Assuming an
int is 32 bits, we would need about 2**31 (2147483648) files to have a
(roughly) 0.5 chance of failing in one of the 6 attempts we do.
(This is preparing to move the function out of misc.c, where I'd prefer to
not have to add a #include "crypto.h".)
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20170725210234.5673-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15146.html Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit cd5a74d0d7c6347b31e261e98ca8984819e594df)
If a peer has set --keysize, and NCP negotiates a cipher with a different
key size (e.g. --keysize 128 + AES-256-GCM), that peer will exit with a
"invalid key size" error. To prevent that, always set keysize=0 for NCP'd
ciphers.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1500573357-20496-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15110.html Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 956bb1c32fa40ee184919b3ce569c90643a01b5b)
Functions used only in the file where they are
defined and not exported in any header, should
always defined as static in order to make the scope
clear to the compiler and the developers.
Add the static attribute where missing.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20170811090744.31750-4-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15202.html Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 72bcdfdc19243c1ed6cb8568f62f0c35e8b70f5f)
In the attempt of adhering to the C99 standard as much as possible,
ensure that all the function declarations with no parameter contain
the "void" keyword[1].
OpenSSL: remove unreachable call to SSL_CTX_get0_privatekey()
In tls_ctx_load_ecdh_params() the SSL_CTX_get0_privatekey() function
is invoked only when "OPENSSL_VERSION_NUMBER >= 0x10002000L" and
curve_name is NULL.
However, under the very same conditions the code flow will
lead to an earlier return, thus never reaching the invocation of
SSL_CTX_get0_privatekey().
Restructure the surrounding code in order to make the if/else
block a bit easier to read and get rid of the unreachable
invocation.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20170809074237.31291-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15186.html Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 5b004f99d069fe0238aacbb0b3288872a4d7ae17)
David Sommerseth [Tue, 25 Jul 2017 15:07:23 +0000 (17:07 +0200)]
cleanup: Move init_random_seed() to where it is being used
The init_random_seed() function is only used by the init_static() in
init.c. As this function was pretty basic and it is only being called
once, it was merged into init_static() instead of keeping it as a separate
function.
(I agree that calling functions often makes the code more readable, but
I would rather see that as a part of cleaning up the whole init_static()
function - in fact when moving all "unit tests" in init_static() to cmocka,
it will not be too bad in the end.)
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20170725150723.14919-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15136.html Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit e74e3a4db891b3ace0a96461c597d86e87be06f0)
David Sommerseth [Tue, 25 Jul 2017 13:03:14 +0000 (15:03 +0200)]
contrib: Remove keychain-mcd code
After the security audits performed by Cryptography Engineering the
spring of 2017 [1], there were several concerns about the contrib code
for the macOS keychain support. After more careful review of this
code base, it was considered to be in such a bad shape that it will
need a massive overhaul. There were more issues than what the security
audit revealed.
It was attempted several times to get in touch with the contributor
of this code; with no response at all [2]. There has however
been some discussions with the Tunnelblick project [3]. There is one
person there willing to go through this and improve the situation.
The main Tunnelblick maintainer is also willing to include the improved
code to their project instead of having this as a contrib code in
the upstream OpenVPN project.
So this patch just removes the code which we will no longer
ship as part of OpenVPN - and the Tunnelblick project will take
over the responsibility for this code base on their own. And since
this code base is purely macOS specific, this seems to be a far
better place for this code to reside.
Signed-off-by: David Sommerseth <davids@openvpn.net>
[1]
<http://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineer
Audits#OVPN-04-1:PossibleNULLpointerderefenceincontribkeychain-mcdcert_data
.c>
[2]
<https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14559.
html>
[3] <https://github.com/Tunnelblick/Tunnelblick/pull/369> Acked-by: Jonathan K. Bullard <jkbullard@gmail.com>
Message-Id: <20170725130314.12919-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15130.html Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 59e7e9fce8de6ea90d13baeaede83adc0b594e22)
Arne Schwabe [Sun, 23 Jul 2017 16:45:36 +0000 (18:45 +0200)]
Print ec bit details, refuse management-external-key if key is not RSA
V2: Print also curve details, add missing ifdef
V3: Goto err instead of using M_FATAL, format fixes, use
EC_GROUP_get_curve_name + OBJ_nid2sn instead of ECPKParameters_print, add
compat headers for 1.0.2
V4: Formatting changes and change M_ERR to M_WARN
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <1500828336-30314-1-git-send-email-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15124.html Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit bb23eca847c8edac9c3979b7f35468b74db00459)
Several binary buffers in the ntlm component are stored
as char *, however this generates a lot of warnings, because
hashing functions expect something unsigned.
Convert binary buffers to uint8_t *, while use explicit cast
for buffers that are really carrying a string inside.
This commit removes several warnings from ntlm.c that you can
catch with "-Wall -std=c99".
[DS: Done minor typo-fixes in commit message at commit time]
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20170710043441.24770-2-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15032.html Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit e7e4070cb7b90f4836b65c53360166e11fc3f383)
management: preserve wait_for_push field when asking for user/pass
With the introduction of the wait_for_push field in the auth_user_pass
structure, we have to make sure that such field is not accidentally
erased when the management asks the user for user/pass.
Erasing such field would mess up the logic introduced by
("Ignore auth-nocache for auth-user-pass if auth-token is pushed").
Thanks to David Sommerseth for the preliminary analysis and debugging.
Reported-by: Steven Haigh <netwiz@crc.id.au> Signed-off-by: Antonio Quartulli <a@unstable.cc> Tested-by: Steven Haigh <netwiz@crc.id.au> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20170707140108.31612-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15015.html Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 3322c558fa742cb823fa919f682486973abc4f8e)
- fix typ0 in message: NLSMG -> NLMSG
- use strerror() to print a human readable message
- don't print error message if error is ENETUNREACH: it means no route
found
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20170720082338.1302-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15101.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 20d98427ef37e3b748dbcca2174cd243dcc963dc)
openvpn_sleep() is basically "service the management interface for x
seconds, then return". Therefore, manage.c is a more suitable location
than the random collection of unrelated stuff called misc.c.
(I think we should find a better place for everything currently in misc.c,
and get rid of it all together. This patch is part of that effort.)
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1500566435-29920-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15109.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 45b2af9c7719d9a40c6c2b9d0693e4db0d917a04)
This function was only called in string format functions, which already
copy the contents, so all this ever did was adding redundant malloc() and
free() calls.
Also, this wasn't as thread-safe as it claims: another thread could still
change the string value between the strerror() and buf_printf() calls. So,
instead of a not needed false sense of thread-safeness, just be honest and
use strerror() directly.
(I think we should find a better place for everything currently in misc.c,
and get rid of it all together. In this case, the better place is
/dev/null. This patch is part of that effort.)
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1500550740-24773-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15105.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit fd2a29ab2668fea9c0ac972d5ec69f00232c88b6)
The argument passed to my_strupr() is converted to an upper case
string by means of toupper(). The latter expects a single signed int
as argument, therefore it makes sense to have my_strupr() take a
signed argument too and avoid an explicit and an implicit cast.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20170710043441.24770-3-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15031.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 1cdfc9302aad8570360d278aded5fb9f110ca2b6)
when passing the M_ERRNO flag to msg(), the latter will already
print the errno message (in a form of a string and number) for us,
hence there is no need to explicitly print it a second time.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20170713080527.13299-2-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15057.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e441d861881669c97906652c3278cc9a6c69a417)
David Sommerseth [Wed, 28 Jun 2017 19:15:38 +0000 (21:15 +0200)]
doc: The CRL processing is not a deprecated feature
The note related to the CRL processing was somehow put into
the deprecated section. This is quite confusing.
Since this is a fairly important change, and there have been
a noticable amount of supports questions related to OpenVPN
not starting due to CRL errors, I put this into the
"New features" section labelled as an improvement. Otherwise
I fear this would drown in the list of "User-visible Changes"
later on.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20170628191538.9135-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14985.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f9ebfe1b5a011e55fb87a5026b1897c8ffb8f75e)
Steffan Karger [Tue, 27 Jun 2017 22:20:29 +0000 (00:20 +0200)]
Undo cipher push in client options state if cipher is rejected
Because of the way we re-use the options parser for both config files and
pushed options, we always update the local options state when we accept an
option. This resulted in a pushed cipher being rejected the first time it
was pushed, but being accepted the second time.
This patch is a minimal way to resolve this issue in the master and
release/2.4 branches. I'll send a more invasive patch for master, to
reset the entire options state on reconnects, later.
Trac: #906
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20170627222029.26623-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14984.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3be9a1c1cd75627c30dca05bed28c84ad4dc1d37)
Emmanuel Deloget [Thu, 29 Jun 2017 14:21:19 +0000 (16:21 +0200)]
OpenSSL: remove EVP_CIPHER_CTX_free() from the compat layer
For unknown reason, the writer of the compat layer seemed to think that
this function was only present in OpenSSL 1.1. This is not the case at
all, since it has been introduced in OpenSSL before version 0.9.8.
Thus, there is no need to add this function to the compat layer, and it
can be safely removed.
Emmanuel Deloget [Thu, 29 Jun 2017 14:21:18 +0000 (16:21 +0200)]
OpenSSL: remove EVP_CIPHER_CTX_new() from the compat layer
For unknown reason, the writer of the compat layer seemed to think that
this function was only present in OpenSSL 1.1. This is not the case at
all, since it has been introduced in OpenSSL before version 0.9.8.
Thus, there is no need to add this function to the compat layer, and it
can be safely removed.
Ilya Shipitsin [Sat, 25 Feb 2017 18:00:04 +0000 (23:00 +0500)]
travis-ci: add 3 missing patches from master to release/2.4
travis-ci: add 'make distcheck' to test scenario, V2
in rare cases openvpn is built from tarball, it happens during "installer
build" process. "make distcheck" helps to prevent problems during such builds.
V2: limit "make distcheck" to one build configuration
Inspired by
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13032.html
build options are taken from regular windows installer builds
Steffan Karger [Wed, 21 Jun 2017 21:10:43 +0000 (23:10 +0200)]
Move adjust_power_of_2() to integer.h
misc.c is a mess of incoherent functions, and is therefore included by
virtually all our source files. That makes testing harder than it should
be. As a first step of cleaning up misc.c, move adjust_power_of_2() to
integer.h, which is a more suitable place for a function like this.
This allows us to remove the duplicate implementation from test_argv.c.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20170621211043.6490-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14940.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 9fc0e963c757ffec3cc9fbf797fb7609f409c370)
Arne Schwabe [Mon, 26 Jun 2017 11:13:26 +0000 (13:13 +0200)]
Set tls-cipher restriction before loading certificates
OpenSSL 1.1 does not allow MD5 signed certificates by default anymore.
This can be enabled again by settings tls-cipher "DEFAULT:@SECLEVEL=0" but
only if the cipher list is set before loading the certificates. This patch
changes the order of loading.
Emmanuel Deloget [Mon, 19 Jun 2017 15:35:13 +0000 (17:35 +0200)]
OpenSSL: remove pre-1.1 function from the OpenSSL compat interface
HMAC_CTX_init() has been removed from OpenSSL 1.1. Both this function
and function HMAC_CTX_cleanup() has been replaced by HMAC_CTX_reset().
Commit aba98e9050eb54d72d921e70bcd422cb892b9c6c introduced support for
HMAC_CTX_init() for OpenSSL 1.1+ while other functions were mimicking
the OpenSSL 1.1 interface for earlier version. This is clearly not a
good idea -- a better approach would be to provide the new interface for
pre-1.1 versions in order to have the dependant code use only one
interface version. To implement that, we remove HMAC_CTX_init() from our
compatibility layer and implement HMAC_CTX_reset() in terms of a cleanup
followed by an init (as the regular HMAC_CTX_reset() function does in
OpenSSL 1.1. This change has a consequence on HMAC_CTX_free() which now
need to cleanup() the HMAC context before freeing it.
Gert Doering [Tue, 13 Jun 2017 20:08:32 +0000 (22:08 +0200)]
Fix remotely-triggerable ASSERT() on malformed IPv6 packet.
Correct sanity checks on IPv6 packet length in mss_fixup_ipv6(),
and change the ASSERT() check in mss_fixup_dowork() into a simple
"return" (= the TCP header will simply not be inspected further).
CVE-2017-7508 has been assigned due to the serious nature of the
bug: it can be used to remotely shutdown an openvpn server or
client, if IPv6 and --mssfix are enabled and the IPv6 networks used
inside the VPN are known.
Found by Guido Vranken <guidovranken@gmail.com>.
v2: style changes
CVE: 2017-7508 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20170613200832.15027-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20170613200832.15027-1-gert@greenie.muc.de Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c3f47077a7756de5929094569421a95aa66f2022)
Guido Vranken [Fri, 19 May 2017 12:04:25 +0000 (14:04 +0200)]
Prevent two kinds of stack buffer OOB reads and a crash for invalid input data
Pre-authentication remote crash/information disclosure for clients
If clients use a HTTP proxy with NTLM authentication (i.e.
"--http-proxy <server> <port> [<authfile>|'auto'|'auto-nct'] ntlm2"),
a man-in-the-middle attacker between the client and the proxy can
cause the client to crash or disclose at most 96 bytes of stack
memory. The disclosed stack memory is likely to contain the proxy
password.
If the proxy password is not reused, this is unlikely to compromise
the security of the OpenVPN tunnel itself. Clients who do not use
the --http-proxy option with ntlm2 authentication are not affected.
CVE: 2017-7520 Signed-off-by: Guido Vranken <guidovranken@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=C62DZaxN32WNtQ@mail.gmail.com>
URL: https://www.mail-archive.com/search?l=mid&q=CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=C62DZaxN32WNtQ@mail.gmail.com Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7718c8984f04b507c1885f363970e2124e3c6c77)
Steffan Karger [Mon, 19 Jun 2017 09:28:40 +0000 (11:28 +0200)]
Fix potential double-free in --x509-alt-username (CVE-2017-7521)
We didn't check the return value of ASN1_STRING_to_UTF8() in
extract_x509_extension(). Ignoring such a failure could result in buf
being free'd twice. An error in ASN1_STRING_to_UTF8() can be caused
remotely if the peer can make the local process run out of memory.
The problem can only be triggered for configurations that use the
--x509-alt-username option with an x509 extension (i.e. the option
parameter starts with "ext:").
This issue was discovered, analysed and reported to the OpenVPN team by
Guido Vranken.
Extensive testing by Guido Vranken gives confidence that this function
is very unlikely to fail in real-world usage (using subjectAltName or
issuerAltName extensions) for other reasons than memory exhaustion.
CVE: 2017-7521 Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@openvpn.net> Acked-by: Guido Vranken <guidovranken@gmail.com>
Message-Id: <1497864520-12219-6-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/search?l=mid&q=1497864520-12219-6-git-send-email-steffan.karger@fox-it.com Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit cb4e35ece4a5b70b10ef9013be3bff263d82f32b)
projects / thirdparty / openvpn.git / log
