Gert Doering [Sun, 13 Apr 2014 11:12:02 +0000 (13:12 +0200)]
IPv6 address/route delete fix for Win8
Use "store=active" for IPv6 address and route deletion - seems to be
required on Windows 8 and up, and not doing it will break OpenVPN
reconnection (old addresses are not properly deleted, thus address can
not be configured on connect).
Yawning Angel [Mon, 10 Mar 2014 03:47:58 +0000 (03:47 +0000)]
Fix SOCKSv5 method selection
So, RFC 1928 doesn't say anything about the METHODS field in the Method
Selection message being ordered in terms of preference or anything, and
the server is free to pick any of the METHODS offered by the client.
Always sending a Method Selection message with NO AUTHENTICATION REQUIRED
and USERNAME/PASSWORD set is broken on two fronts:
* If the OpenVPN client can't handle the server picking USERNAME/PASSWORD
due to the credentials being missing, it shouldn't offer it to the
server.
* If the OpenVPN client has credentials, then it should always attempt to
authenticate. This is a security product. "You can misconfigure it and
it will work" is not acceptable. Setting a username/password when the
SOCKS server doesn't require/support that as an option is the user not
configuring it correctly, and should be treated as such.
Also verify that the SOCKS server returned the auth that was requested.
URL: https://github.com/OpenVPN/openvpn/pull/14
Fix trac #377, trac #148 Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20140413130102.GR16637@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8488
Arne Schwabe [Mon, 7 Apr 2014 20:12:05 +0000 (22:12 +0200)]
Work around Solaris getaddrinfo() returing ai_protocol=0
Create_socket() and sub-functions assume that the ai_protocol value
returned by getaddrinfo() is IPPROTO_UDP or IPPROTO_TCP. On Solaris,
it is "0", because Solaris's socket() call will then "select the right
protocol" - but it breaks our code. So remove ASSERT()s on ai_protocol,
and also accept properly set ai_socktype (SOCK_DGRAM/SOCK_STREAM) values
if ai_protocol is not set.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20140407201711.GN16637@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8428
Gert Doering [Sun, 30 Mar 2014 12:09:36 +0000 (14:09 +0200)]
Fix crash when using --inetd.
Change "local" argument to socket_do_listen() to avoid calling
"local->ai_addr" in the caller for the "do_listen == FALSE" case,
in which case it could be NULL.
Also, ensure "ai" is always initialized in socket_listen_accept() for
the "!remote_dynamic" case - otherwise it will sometimes(!) crash in
addrlist_match() later on.
Get rid of spurious operator precedence warning concerning
GETADDR_CACHE_MASK.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1396181376-32022-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8412
Steffan Karger [Sun, 23 Mar 2014 13:07:47 +0000 (14:07 +0100)]
configure.ac: check for SSL_OP_NO_TICKET flag in OpenSSL
SSL_OP_NO_TICKET tells OpenSSL to disable "stateless session resumption".
This is something we do not want nor need, but could potentially be used
for a future attack. OpenVPN 2.4 requires the flag to be set and will fail
configure if the flag is not present. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <CAA1AbxJh17KYmVU1BVa5kp4iJsUJT+xnXp0rVU_3g3c5hPnqDQ@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8389
Steffan Karger [Sat, 1 Mar 2014 14:36:15 +0000 (15:36 +0100)]
Disable unsupported TLS cipher modes by default, cleans --show-tls output.
This explicitly disables a number of tls ciphers that OpenVPN has currently
no support for. OpenSSL will automatically detect this during negotiation,
but --show-tls would erroneously show a number of unsupported ciphers.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1393684575-28112-3-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8318 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Sun, 23 Mar 2014 13:53:01 +0000 (14:53 +0100)]
Bump minimum OpenSSL version to 0.9.8
OpenSSL 0.9.7 and older are considered obsolete (see
http://www.openssl.org/news/news.html). This patch updates configure.ac to
require OpenSSL 0.9.8 or newer, and removes a number of #ifdefs that are
now no longer needed.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1395582781-27966-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8392 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 21 Mar 2014 13:18:36 +0000 (14:18 +0100)]
Workaround broken Android 4.4 VpnService API for persist-tun mode
In Android 4.4 it is not possible to open a new tun device and then close
the old tun device without breaking the whole VPNService stack until the
device is rebooted.
Add new management method to ask the UI what method should be taken to
ensure the optimal solution for the situation. Then do open-before-close
or close-before-open inside open_tun() as requested.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1395407925-25518-4-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8373
Arne Schwabe [Fri, 21 Mar 2014 13:18:34 +0000 (14:18 +0100)]
Fix connecting to localhost on Android
Do not protect the link socket when connecting to localhost. Also only
call the protect function on valid socket Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1395407925-25518-2-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8375
However, even with the above code, stateless session resumption
is still possible unless explicitly disabled with the
SSL_OP_NO_TICKET flag. This patch does this.
Heiko Hund [Tue, 18 Feb 2014 17:59:55 +0000 (18:59 +0100)]
grow route lists dynamically
This removes the need for the --max-routes option. Instead of
allocating a fixed size array for the route(-option)s they are
managed in linked lists instead.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1392746395-19246-1-git-send-email-heiko.hund@sophos.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8295 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Mon, 13 Jan 2014 21:54:34 +0000 (22:54 +0100)]
Replace copied structure elements with including <net/route.h>
The code for FreeBSD, Dragonfly, OpenBSD and NetBSD contained copies
of structures from <net/route.h> (struct rt_msghdr in particular).
OpenBSD changed some structure elements, making OpenVPN incompatible,
depending on the specific OpenBSD version. Clean up: remove copied
definitions, replace by including <net/route.h> directly - this could
not be done originally due to a conflict with "struct route" in OpenVPN
and <net/route.h>, cleaned up by the previous commit.
Tested on FreeBSD 9.1-RELEASE, NetBSD 5.1, OpenBSD 4.9 (route.c compiles
with no warnings, and "openvpn --show-gateway" works, which is the only
part of the code that uses the structures in question).
Fix trac #340
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1389650074-18455-2-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8230
Gert Doering [Fri, 10 Jan 2014 16:25:42 +0000 (17:25 +0100)]
Cleanup ir6->netbits handling.
Get rid of all "if (ir6->netbits>=0)" checks, as those are always true
(unlike ir->netbits for IPv4, we don't do the special case for "if it's
a host, put -1 in there" for IPv6).
Merge mroute_helper_{add,del}_iroute and mroute_helper_{add,del}_iroute6
into unified mroute_helper_{add,del}_iroute46() function as they did the
same thing anyway, just with slightly different parameters.
Make Arne happy.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1389371142-26705-2-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8198
Gert Doering [Sun, 17 Nov 2013 14:30:20 +0000 (15:30 +0100)]
Make code and documentation for --remote-random-hostname consistent.
Documentation examples, description and code were disagreeing on what
this option actually does. Now they will all agree that it will
*prepend* a random-byte string to the hostname name before resolving
to work around DNS caching (needs a "*" wildcard record in the zone).
Fix trac #143
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1384698620-27946-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7999
Jens Wagner [Tue, 7 Jan 2014 21:07:54 +0000 (22:07 +0100)]
Fix spurious ignoring of pushed config options (trac#349).
The function incoming_push_message(...) in push.c uses a local variable
option_types_found, that gets passed to do_up(...).
If the server push got split into several parts, only the last part
(PUSH_MSG_REPLY) option_types_found is used for do_up (initilized as 0
locally), the previous ones (PUSH_MSG_CONTINUATION) are ignored.
So e.g. a ping config, pushed by the server in the first push, followed
by a lot of "push route" configs, causing a second push message, will
have the do_up() called, but without e.g. the OPT_P_TIMER flag, so those
options will be silently ignored.
The patch resolves that, by introducing "push_option_types_found" in
"c->options" and using that as storage.
Fix trac bug #349.
Acked-by: Gert Doering <gert@greenie.muc.de>
URL: https://community.openvpn.net/openvpn/ticket/349 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Wed, 1 Jan 2014 21:57:59 +0000 (22:57 +0100)]
Provide LZ4 sources in src/compat/ and use if no system lz4 library found.
Bundle lz4.c and lz4.h from http://code.google.com/p/lz4/ (r109) as
src/compat/compat-lz4.[ch], and use that (via #define NEED_COMPAT_LZ4)
if autoconf cannot find lz4.h or -llz4 in the system.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1388613479-22377-2-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8154
Gert Doering [Wed, 1 Jan 2014 21:57:58 +0000 (22:57 +0100)]
Implement LZ4 compression.
Implement LZ4 compression, similar to the existing snappy / push-peer-info
model: a LZ4 capable client will send IV_LZ4=1 to the server, and the
algorithm is selected by pushing "compress lz4" back.
LZ4 does not compress as well as LZO or Snappy, but needs far less CPU
and is much faster, thus better suited for mobile devices. See
https://code.google.com/p/lz4/ for more details.
LZ4 include and library path can be specified by specifying LZ4_LIBS=...
and LZ4_CFLAGS=... on the configure command line.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1388613479-22377-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8153
Steffan Karger [Wed, 1 Jan 2014 20:10:26 +0000 (21:10 +0100)]
Disable export ciphers by default for OpenSSL builds.
Export ciphers are deliberately weak ciphers, and not fully supported by
OpenVPN since ephemeral RSA support has been removed a few commits ago.
This commit removes them from the default cipher list to avoid confusion.
PolarSSL does not support export ciphers, so no action required there.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1388607026-12297-7-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8146 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Wed, 1 Jan 2014 20:10:24 +0000 (21:10 +0100)]
Remove OpenSSL tmp_rsa_callback. Removes support for ephemeral RSA in TLS.
This code would not really generate ephemeral keys every time it is called,
but a single key that would be reused during process lifetime and returned
each time the function was called; probably not what users would expect.
TLS allowes ephemeral keys to be used only when no other key exchange, such
as (ephemeral) Diffie-Hellman, is performed. The end result is that it was
only used by a number of (weak) export ciphers, which could give users a
false sense of security.
So, instead of fixing a weak cipher mode, we'll just remove support for it
completely. Plenty of better alternatives are available in TLS.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1388607026-12297-5-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8152 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Wed, 1 Jan 2014 20:10:22 +0000 (21:10 +0100)]
Update TLSv1 error messages to SSLv23 to reflect changes from commit 4b67f98
Commit 4b67f98 changed call to TLSv1_{client,server}_method() to
SSLv23_{client,server}_method(), this commit updates the corresponding
error messages to match the changes in the code.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1388607026-12297-3-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8147 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Wed, 1 Jan 2014 20:10:21 +0000 (21:10 +0100)]
Also update TLSv1_method() calls in support code to SSLv23_method() calls.
Commit 4b67f98 changed calls to TLSv1_{sever,client}_method() to
SSLv23_{client,server}_method() to enable TLS version negotiation. This
commit does the same for two calls of TLSv1_method() from support code.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1388607026-12297-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8148 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 17 Dec 2013 10:22:47 +0000 (11:22 +0100)]
Add warning for using connection block variables after connection blocks
In 2.3 some options that were allowed only in global config before have
been moved to connection blocks. This changes the behaviour if the
variables were defined after connection block. This patch adds a warning
to catch these mistakes.
Also let warnings errors show [CONNECTION-OPTIONS] instead of [CMD-LINE]
for connection blocks Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1387275767-10303-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8117
David Sommerseth [Mon, 25 Nov 2013 12:32:58 +0000 (13:32 +0100)]
Fix file checks when --chroot is being used
Commit 0f2bc0dd92f43c9 started to introduce some file sanity
checking before OpenVPN started to avoid harder to explain issues
due to missing files or directories later on. But that commit
did not consider --chroot at all. Which would basically cause
OpenVPN to complain on non-missing files, because it would not
consider that the files where inside a chroot.
This patch is based on the thoughts in a patch by Josh Cepek [1],
but trying to simplify it at bit.
Gert Doering [Sat, 30 Nov 2013 21:38:28 +0000 (22:38 +0100)]
Fix IPv6_V6ONLY logic.
The "ipv6only" setsockopt logic introduced by 8832c6c4cf was inverted,
fix. Also add a msg() to show what value is set, as that makes strange
v4/v6 connectivity problems much easier to spot.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1385847508-32248-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8079
Arne Schwabe [Mon, 25 Nov 2013 12:31:18 +0000 (13:31 +0100)]
Implement listing on IPv4/IPv6 dual socket on all platform
With this patch OpenVPN will listen on Ipv4 as well as IPv6 when an IPv6
socket is used. Using bind ipv6only will disable this behavior Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1385382680-5912-7-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8052
Arne Schwabe [Mon, 25 Nov 2013 12:31:17 +0000 (13:31 +0100)]
Implement dual stack client support for OpenVPN
This patch contains a number of changes. I did not further spit this since some changes make only sense being changed together.
Always use connection_list, simplifies the reconnection logic.
Change meaning of --connect-retry-max and --connect-retry to be used
all connections. This now allows OpenVPN to quit after n unsuccessful
udp connection attempts
Remove the tcp reconnection logic. Failing a TCP connection will now
cause a USR1 like a UDP connection. Also extend sig->source from bool to
int to specify signal source. This allows a finer grained reconnection
logic if necessary in the future.
Dual-Stack support: if an address resolves to multiple records each
address is tried in sequential order. Then proceed to next connection
entry. Introduce the field current_remote to represent the current
connecting remote. Also change some fields to struct addrinfo* form
openvn_addr to store multiple addresses needed for the dual stack support.
Change meaning from udp and tcp to allow both IPv4 and IPv6. Introducue
new udp4 and tcp4 to force IPv4.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1385382680-5912-6-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8058
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Message-ID: <20131129194258.GL161@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8071
Arne Schwabe [Mon, 25 Nov 2013 12:31:15 +0000 (13:31 +0100)]
change the type of 'remote' to addrinfo*, and rename to 'remote_list'.
Warning: this is work in progress, preparing for the full dual-stack
client patch. With this commit in place, connecting via "--proto udp" or
"--proto tcp-client" to a host that has IPv4+IPv6 in place, on an OS that
will prefer IPv6 to IPv4 will always fail. The remote_list will have IPv6
in it's first entry, while the socket will try to do AF_INET, and that
will not work. This will be fixed by the upcoming change to handle
multiple remote IP addresses (as returned by getaddrinfo()) as multiple
<connection> blocks, with appropriate retry and AF selection logic.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1385382680-5912-4-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8053
Arne Schwabe [Mon, 25 Nov 2013 12:31:14 +0000 (13:31 +0100)]
Remove the ip-remote-hint option.
The ip-remote-hint option overrides the remote hostname of every
remote/connection entry unless management-query-remote is also defined and
the management interfaces overrides the option with remote MOD.
The remote name is even overridden when when management interface issues
remote ACCEPT after being presented with the non overridden remote.
Overriding all remote options can also be done by management-query-remote
and issuing remote MOD or by changing alll remote statements in the
configuration.
Also: remove unused variable newcycle
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1385382680-5912-3-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8057 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 25 Nov 2013 12:31:13 +0000 (13:31 +0100)]
Change proto_remote() function to return a constant string
Instead of using the implicit protocol string that is returned by the
proto/af to names function return a constant string. The strings have
become part of the wire protocl and we do not want them to change if
the printing of proto/af changes.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1385382680-5912-2-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8055
Arne Schwabe [Mon, 25 Nov 2013 12:31:12 +0000 (13:31 +0100)]
Split link_socket_init_phase1 and link_socket_init_phase2 into
smaller more managable/readable functions. No functional changes
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1385382680-5912-1-git-send-email-arne@rfc2549.org> Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Sun, 24 Nov 2013 16:13:04 +0000 (17:13 +0100)]
t_client.sh: ignore fields from "ip -6 route show" output that distort results.
"ip -6 route show" prints stuff like "rtt 38ms rttvar 38ms cwnd 10", which
sometimes changes while an OpenVPN test is running, resulting in spurious
failures in the "ifconfig/route must be restored identically after
OpenVPN ends" test in t_client.sh. Not all fields are there all the time,
so use "sed" to get rid of whatever is printed this time.
Only relevant for "make check" on linux builds with "--enable-iproute2".
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1385309584-23209-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8047
Arne Schwabe [Thu, 21 Nov 2013 20:08:07 +0000 (21:08 +0100)]
Fix two instances of asserting AF_INET
The http-proxy and socks-proxy work fine with IPv6 but assert having IPv4 Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1385064495-25877-6-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8010
Joachim Schipper [Thu, 19 Sep 2013 10:47:28 +0000 (12:47 +0200)]
--management-external-key for PolarSSL
Add --management-external-key support, compatible with the OpenSSL
implementation. Needs the flexibility of ssl_set_own_cert_alt(), which
is new in PolarSSL-1.2.
Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com> Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1379587649-25506-3-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7886 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Joachim Schipper [Thu, 19 Sep 2013 10:47:27 +0000 (12:47 +0200)]
Refactor tls_ctx_use_external_private_key()
OpenSSL's tls_ctx_load_cert_file() had a parameter in which a copy of the
context's certificate chain was stored on return, used by
tls_ctx_use_external_private_key() only and free()d immediately thereafter.
PolarSSL also supported this output parameter, but returned a pointer to
the
context's certificate chain (rather than to a copy of the certificate, as
OpenSSL does) - which meant that we would have to #ifdef the free().
PolarSSL cannot make a copy of a certificate chain, and OpenSSL cannot
store a
pointer to (instead of a copy of) the cert.
So remove the output parameter from tls_ctx_load_cert_file() and
incorporate
the needed functionality directly into tls_ctx_use_external_private_key()
(which is straightforward for both OpenSSL and PolarSSL, as long as you
don't
try to support both at once.)
Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1379587649-25506-2-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7888 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Setting es->gc=NULL causes env_set_add_nolock() / remove_env_item() to
free() allocated and no longer used strings in the es, while an active
gc would leave them for cleanup with gc_free() at client disconnect time.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Conflicts:
src/openvpn/buffer.c Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Message-Id: <20131023162618.GP161@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7939
It looks like it's possible to specify an optional authfile as third
argument of the "socks-proxy" directive. This patch updates the man page to
document that.
If a CA certificate file includes intermediate certificates, and any
of them fail to verify, the current code will file with "Cannot load
CA certificate file". Instead, generate a more specific error message
identifying the specific sub-certificate(s) which did not validate.
Gert Doering [Fri, 15 Nov 2013 14:39:20 +0000 (15:39 +0100)]
Fix argument type warning introduced by http extra proxy header patch.
d0cb816cf8be68359617b61a55799f6330901f6a introduced add_proxy_headers(),
passing "port" as "const char *" - but it should be an "int". As port
is not yet actually used inside add_proxy_headers(), it's just a warning.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1384526517-6020-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7973
Arne Schwabe [Fri, 31 May 2013 12:59:35 +0000 (14:59 +0200)]
Add reporting of UI version to basic push-peer-info set.
If a GUIs sets IV_OPENVPN_GUI_VERSION the version will be pushed to the
server.
Usage convention for IV_OPENVPN_GUI_VERSION is "<gui_id><space><version>",
for example "de.blinkt.openvpn 0.5.47" for the ICS Android version.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: James Yonan <james@openvpn.net>
Message-Id: <1370005175-14871-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7646 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 25 Oct 2013 08:02:23 +0000 (10:02 +0200)]
Implement custom HTTP header for http-proxy, and always send user-agent:
There are some patched OpenVPN versions out there without source code
(e.g. NDMVPN) that support adding custom http header.
This patch adds custom header to OpenVPN and supports the syntax that the
"in the wild" variants use.
Patch v3 also prints all custom headers with other http options in --verb 5
Patch v4 does clean up the add_proxy_header function Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1382688143-17247-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7946
Josh Cepek [Thu, 14 Nov 2013 18:02:59 +0000 (12:02 -0600)]
Require a 1.2.x PolarSSL version
Upstream policy on PolarSSL API compatibility does not guarantee
stability between point-releases. For OpenVPN, we must verify a 1.2.x
version with the current codebase.
Steffan Karger [Tue, 22 Oct 2013 12:45:17 +0000 (14:45 +0200)]
Require polarssl >= 1.2.10 for polarssl-builds, which fixes CVE-2013-5915.
PolarSSL 1.2.9 fixes a possible timing attack in PolarSSL's RSA-CRT
implementation. See CVE-2013-5915 for details. This commit bumps the
minimum polarssl version required by configure.ac to 1.2.10, because 1.2.9
also introduced a memory leak, which is fixed in 1.2.10.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1382445917-2974-1-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7925 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Tue, 15 Oct 2013 09:23:42 +0000 (11:23 +0200)]
Support non-ASCII TAP adapter names on Windows
Currently the TAP adapter name is fetched as an OEM string, which
is problematic if it contains non-ASCII characters and is to used
with netsh. The logfile also contains these non UTF-8 characters.
This patch fetches the name from the registry as UCS-2 and converts
it right into UTF-8 before it's used.
Josh Cepek [Wed, 21 Aug 2013 21:20:30 +0000 (16:20 -0500)]
Correct error text when no Windows TAP device is present
Starting with the 2.3-series, the TAP-Windows driver/utilities and
OpenVPN are separately installed components. The error message given to
users without available TAP devices uses the pre-2.3 path that does not
exist. The path should be listed under the TAP-Windows program group
that the tap-windows project installer uses.
Resolves bug #320
Signed-off-by: Josh Cepek <josh.cepek@usa.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Message-Id: <kv4ece$s8s$1@ger.gmane.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7825 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Always load intermediate certificates from a PKCS#12 file
Load intermediate certificates from a PKCS#12 file and place them in the
extra certs chain, when trusted CA certs are loaded from an external PEM
file with the --ca option, and the CA certs in PKCS#12 are not to be trusted.
Required when client PKCS#12 file is provided by a different CA
than the server CA, the PKCS#12 file contains intermediate certificates
required for client auth, but the server CA is not in the PKCS#12 file.
When --ca is set, the PKCS#12 provided CA certs are not trusted. Without
this patch, they were ignored completely - with this patch, they're loaded
in the extra certs chain which makes them available for chain verification
but still does not make them trusted if --ca is set. Unless when, of
course, a trusted root is found from the --ca file.
Acked-by: James Yonan <james@openvpn.net> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <alpine.DEB.2.02.1306201400320.10116@jazz.he.fi>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7721
James Yonan [Sun, 28 Jul 2013 22:05:35 +0000 (16:05 -0600)]
MSVC fixes
Fixes to allow compilation with Microsoft Visual Studio 2008
* Fixed several instances of declarations after statements.
* In socket.c, fixed issue where uninitialized value (err)
is being passed to to gai_strerror.
* ssl.c is trying to access multi_output_peer_info_env
function in multi.c, causing an undefined symbol warning
at compile time. ssl.c is strictly a client of multi.c
(but not the other way around), therefore ssl.c does not
include multi.h and should not depend on multi.h API. To
fix, moved validate_peer_info_line and multi_output_peer_info_env
from multi.c to misc.c.
* MSVC doesn't support %z as a printf format specifier for size_t
* MSVC doesn't support a const variable being used to dimension
an array.
* Explicitly cast the third parameter to setsockopt to
const void * Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1375049135-21444-1-git-send-email-james@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7777
James Yonan [Tue, 11 Jun 2013 06:25:05 +0000 (00:25 -0600)]
Added "setenv opt" directive prefix. If present, and if the
directive that follows is recognized, it will be processed
as if the "setenv opt" prefix was absent. If present and if
the directive that follows is not recognized, the directive
will be ignored rather than cause a fatal error.
For example, suppose you are distributing a client
configuration file and want to set the minimum TLS version
that the client requires from the server to 1.2.
By using the following directive,
setenv opt tls-version-min 1.2 or-highest
only newer clients that understand the tls-version-min directive
would process it, while older clients would ignore it.
James Yonan [Tue, 11 Jun 2013 04:59:30 +0000 (22:59 -0600)]
TLS version negotiation
Updated the TLS negotiation logic to adaptively try to connect using
the highest TLS version supported by both client and server.
Previously, OpenVPN (when linked with OpenSSL) would always connect
using TLS 1.0.
Also added tls-version-min directive to force a higher TLS version
than 1.0:
tls-version-min <version> ['or-highest'] -- sets the minimum
TLS version we will accept from the peer. Examples for version
include "1.0" (default), "1.1", or "1.2". If 'or-highest' is
specified and version is not recognized, we will only accept
the highest TLS version supported by the local SSL implementation.
Examples:
tls-version-min 1.1 -- fail the connection unless peer can
connect at TLS 1.1 or higher.
tls-version-min 1.2 or-highest -- require that the peer
connect at TLS 1.2 or higher, however if the local SSL
implementation doesn't support TLS 1.2 (as it wouldn't
if linked with an older version of OpenSSL), reduce the
minimum required version to the highest version supported
by the local SSL implementation (such as TLS 1.0). This
is intended to allow client configurations to target higher
TLS versions that are supported on the server, even if some
older clients don't support these versions yet.
[
This is a merged patch from on the following commits
on git://github.com/jamesyonan/openvpn.git
projects / thirdparty / openvpn.git / log
