Steffan Karger [Thu, 11 May 2017 09:00:57 +0000 (11:00 +0200)]
Don't assert out on receiving too-large control packets (CVE-2017-7478)
Commit 358f513c changed the maximum size of accepted control channel
packets. This was needed for crypto negotiation (which is needed for a
nice transition to a new default cipher), but exposed a DoS
vulnerability. The vulnerability was found during the OpenVPN 2.4 code
audit by Quarkslab (commissioned by OSTIF).
To fix the issue, we should not ASSERT() on external input (in this case
the received packet size), but instead gracefully error out and drop the
invalid packet.
CVE: 2017-7478
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1494493257-8125-1-git-send-email-steffan.karger@fox-it.com>
URL: http://www.mail-archive.com/search?l=mid&q=1494493257-8125-1-git-send-email-steffan.karger@fox-it.com
Signed-off-by: David Sommerseth <davids@openvpn.net>
Steffan Karger [Tue, 9 May 2017 19:30:07 +0000 (21:30 +0200)]
Drop packets instead of assert out if packet id rolls over (CVE-2017-7479)
Previously, if a mode was selected where packet ids are not allowed to roll
over, but renegotiation does not succeed for some reason (e.g. no password
entered in time, certificate expired or a malicious peer that refuses the
renegotiation on purpose) we would continue to use the old keys. Until the
packet ID would roll over and we would ASSERT() out.
Given that this can be triggered on purpose by an authenticated peer, this
is a fix for an authenticated remote DoS vulnerability. An attack is
rather inefficient though; a peer would need to get us to send 2^32
packets (min-size packet is IP+UDP+OPCODE+PID+TAG (no payload), results in
(20+8+1+4+16)*2^32 bytes, or approx. 196 GB).
This is a fix for finding 5.2 from the OSTIF / Quarkslab audit.
CVE: 2017-7479
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1494358209-4568-1-git-send-email-steffan.karger@fox-it.com>
URL: http://www.mail-archive.com/search?l=mid&q=1494358209-4568-1-git-send-email-steffan.karger@fox-it.com
Signed-off-by: David Sommerseth <davids@openvpn.net>
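Added example, not part of either commit above and not OpenVPN source: the "drop instead of ASSERT()" pattern that the CVE-2017-7478 and CVE-2017-7479 fixes describe, applied to a received control-packet length and to an outgoing packet-id counter. All demo_* names and the DEMO_CTRL_MAX value are assumptions chosen for the illustration.

```c
/* Added illustration, not OpenVPN source. All demo_* names and
 * DEMO_CTRL_MAX are assumptions made for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEMO_CTRL_MAX 1250u   /* assumed size of the internal control buffer */

struct demo_stats    { unsigned accepted; unsigned dropped; };
struct demo_ctrl_buf { uint8_t data[DEMO_CTRL_MAX]; size_t len; };
struct demo_pid_send { uint32_t id; };   /* last packet id used with this key */

/*
 * Fragile pattern (kept as a comment so the example keeps running):
 *
 *     assert(len <= DEMO_CTRL_MAX);     // len comes from the peer
 *     memcpy(dst->data, pkt, len);
 *
 * One oversized packet then aborts the daemon for every connected client.
 */

/* Hardened pattern: treat the length as untrusted input. An invalid packet
 * is counted and dropped, and the caller carries on with the next one. */
bool demo_ctrl_accept(struct demo_ctrl_buf *dst, const uint8_t *pkt,
                      size_t len, struct demo_stats *st)
{
    if (pkt == NULL || len == 0 || len > sizeof(dst->data)) {
        st->dropped++;
        return false;
    }
    memcpy(dst->data, pkt, len);
    dst->len = len;
    st->accepted++;
    return true;
}

/* Allocate the next outgoing packet id. The id must not wrap while the same
 * key is in use, so exhaustion is reported to the caller instead of being
 * asserted on; the caller drops the packet until new keys are negotiated. */
bool demo_pid_next(struct demo_pid_send *p, uint32_t *out)
{
    if (p->id == UINT32_MAX) {
        return false;            /* id space used up: refuse, do not wrap */
    }
    *out = ++p->id;
    return true;
}

/* Send step built on demo_pid_next(): drop and count when no id is left. */
bool demo_send_one(struct demo_pid_send *p, struct demo_stats *st)
{
    uint32_t id;
    if (!demo_pid_next(p, &id)) {
        st->dropped++;
        return false;
    }
    st->accepted++;
    return true;
}

/* Traffic needed to exhaust the id space with minimum-size packets, using
 * the commit message's figures: (20+8+1+4+16) * 2^32 bytes. */
uint64_t demo_min_rollover_bytes(void)
{
    const uint64_t min_pkt = 20 + 8 + 1 + 4 + 16;  /* IP+UDP+OPCODE+PID+TAG */
    return min_pkt << 32;
}

int main(void)
{
    /* Constructed input: one oversized and one valid control packet. */
    static uint8_t oversized[DEMO_CTRL_MAX + 1];
    static uint8_t valid[64];
    struct demo_ctrl_buf buf;
    struct demo_stats rx = {0, 0}, tx = {0, 0};
    struct demo_pid_send pid = { UINT32_MAX - 1 };  /* one id left */

    demo_ctrl_accept(&buf, oversized, sizeof(oversized), &rx);
    demo_ctrl_accept(&buf, valid, sizeof(valid), &rx);
    demo_send_one(&pid, &tx);   /* uses the last id */
    demo_send_one(&pid, &tx);   /* dropped, process keeps running */

    printf("rx accepted=%u dropped=%u\n", rx.accepted, rx.dropped);
    printf("tx accepted=%u dropped=%u\n", tx.accepted, tx.dropped);
    printf("bytes to exhaust ids: %llu\n",
           (unsigned long long)demo_min_rollover_bytes());
    return 0;
}
```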
Steffan Karger [Wed, 10 May 2017 20:56:15 +0000 (22:56 +0200)]
Introduce and use secure_memzero() to erase secrets
This is a cherry-pick of commit 009521ac (master).
As described in trac #751, and shortly after reported by Zhaomo Yang, of
the University of California, San Diego, we use memset() (often through
the CLEAR() macro) to erase secrets after use. In some cases however, the
compiler might optimize these calls away.
This patch replaces these memset() calls on secrets by calls to a new
secure_memzero() function, that will not be optimized away.
Since we use CLEAR() a LOT of times, I'm not changing that to use
secure_memzero() to prevent performance impact. I did annotate the macro
to point people at secure_memzero().
This patch also replaces some CLEAR() or memset() calls with a zero-
initialization using "= { 0 }" if that has the same effect.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1494449775-22199-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14628.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
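Added example, not part of the commit above and not OpenVPN source: a memset() on a local secret that the compiler may drop as a dead store, next to a wipe it has to keep. demo_secure_memzero() and the other demo_* names are assumptions, and the key derivation and tag are toy stand-ins, not real cryptography.

```c
/* Added illustration, not OpenVPN source; all demo_* names are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wipe that the optimizer must keep. On GCC/Clang the empty asm statement
 * with a "memory" clobber makes the zeroed bytes observable, so the memset()
 * before it is not a dead store. Elsewhere, fall back to volatile writes. */
void demo_secure_memzero(void *data, size_t len)
{
#if defined(__GNUC__) || defined(__clang__)
    memset(data, 0, len);
    __asm__ __volatile__("" : : "r"(data) : "memory");
#else
    volatile unsigned char *p = (volatile unsigned char *)data;
    while (len--) {
        *p++ = 0;
    }
#endif
}

struct demo_key { uint8_t bytes[32]; };

/* Toy key stretch (repeats the passphrase). Stand-in, NOT a real KDF. */
static void demo_derive(struct demo_key *k, const char *pass)
{
    size_t n = strlen(pass);
    for (size_t i = 0; i < sizeof(k->bytes); i++) {
        k->bytes[i] = (uint8_t)(n ? ((uint8_t)pass[i % n] ^ (uint8_t)i) : i);
    }
}

/* Toy keyed checksum (FNV-1a over key, then message). NOT a real MAC. */
static uint32_t demo_tag(const struct demo_key *k, const uint8_t *msg, size_t len)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < sizeof(k->bytes); i++) { h ^= k->bytes[i]; h *= 16777619u; }
    for (size_t i = 0; i < len; i++)              { h ^= msg[i];      h *= 16777619u; }
    return h;
}

/* Weak: `k` is never read after the memset() and goes out of scope, so an
 * optimizing compiler is allowed to delete the call. The key bytes can then
 * stay on the stack after the function returns. */
uint32_t demo_tag_weak(const char *pass, const uint8_t *msg, size_t len)
{
    struct demo_key k;
    demo_derive(&k, pass);
    uint32_t t = demo_tag(&k, msg, len);
    memset(&k, 0, sizeof(k));            /* may be optimized away */
    return t;
}

/* Hardened: same work, wiped with demo_secure_memzero(). The key storage is
 * passed in by the caller only so that the wipe can be observed from outside;
 * the wipe works the same way on a local variable. */
uint32_t demo_tag_wiped(const char *pass, const uint8_t *msg, size_t len,
                        struct demo_key *scratch)
{
    demo_derive(scratch, pass);
    uint32_t t = demo_tag(scratch, msg, len);
    demo_secure_memzero(scratch, sizeof(*scratch));
    return t;
}

/* True if every byte in [p, p+len) is zero. */
bool demo_all_zero(const void *p, size_t len)
{
    const unsigned char *b = (const unsigned char *)p;
    for (size_t i = 0; i < len; i++) {
        if (b[i] != 0) {
            return false;
        }
    }
    return true;
}

int main(void)
{
    const uint8_t msg[] = "constructed message";   /* constructed sample input */
    struct demo_key scratch;
    uint32_t t = demo_tag_wiped("constructed-passphrase", msg, sizeof(msg), &scratch);
    printf("tag=%08x key wiped=%s\n", (unsigned)t,
           demo_all_zero(&scratch, sizeof(scratch)) ? "yes" : "no");
    return 0;
}
```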
Steffan Karger [Tue, 9 May 2017 19:10:36 +0000 (21:10 +0200)]
cleanup: merge packet_id_alloc_outgoing() into packet_id_write()
The functions packet_id_alloc_outgoing() and packet_id_write() were
always called in tandem. Instead of forcing the caller to allocate a
packet_id_net to do so, merge the two functions. This simplifies the API
and reduces the chance of mistakes in the future.
This patch adds unit tests to verify the behaviour of packet_id_write().
Verifying that we assert out correctly required the change to mock_msg.c.
This patch was cherry-picked from a87e1431 (master).
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1494357036-3529-1-git-send-email-steffan.karger@fox-it.com>
URL: http://www.mail-archive.com/search?l=mid&q=1494357036-3529-1-git-send-email-steffan.karger@fox-it.com
Signed-off-by: David Sommerseth <davids@openvpn.net>
David Sommerseth [Mon, 10 Apr 2017 22:28:28 +0000 (00:28 +0200)]
Make --cipher/--auth none more explicit on the risks
The warning provided to --cipher and --auth using the 'none' setting may
not have been too clearly understandable to non-developers or people not
fully understanding encryption and cryptography. This tries to improve
that.
While at it, also break up the long source lines.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20170410222828.23612-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14436.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 7a1b6a0dd706a81897457b0456a951c0b30bbcfb)
David Sommerseth [Fri, 20 Jan 2017 21:04:57 +0000 (22:04 +0100)]
git: Merge .gitignore files into a single file
We already track a lot of files over the whole directory structure
in the main .gitignore file. But a few additional ones had been
added into some of the subdirectories.
This unifies all these files into a master file for the whole project,
making it easier to know where to look at and edit if changes need
to be done.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20170120210457.3383-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13916.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit d14b3c60c7796736e07bc3cddb0ab3a58475793e)
Fix implicit declarations when HAVE_OPENSSL_ENGINE is unset
This fixes a regression in commit 8e95e20913:
on amd64, an implicit declaration of ERR_error_string leads to segfaults
if the returned pointer does not fit in an 'int'.
David Sommerseth [Wed, 21 Dec 2016 20:54:50 +0000 (21:54 +0100)]
docs: Further improve --reneg-bytes and SWEET32 information
There are still some support tickets related to SWEET32 and
our default enforced --reneg-bytes 64 when using weaker ciphers
(less than 128-bits cipher blocks). Try to clarify this even
more.
Also fix a few mistakes, saying less than 128-bits and not 128-bits
and less.
David Sommerseth [Mon, 19 Dec 2016 18:52:12 +0000 (19:52 +0100)]
dev-tools: Added script for updating copyright years in files
Very simple tool which modifies the Copyright lines in all git checked-in
files with an updated year. Lines only listing a single year (2016) will
be modified to list a range instead.
Only the Copyright lines of specific owners will be modified. The
script will need to be slightly updated to cover more owners. See the
UPDATE_COPYRIGHT_LINES line in the script for the currently set owners.
v2 - On-the-fly-commit-update: use vendor/ instead of cmocka and
add @sophos.com to the list of copyright holders to update
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <1482173532-25132-1-git-send-email-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13645.html
(cherry picked from commit da8f11f895bb78174d4412d82a6992c398da495a)
Selva Nair [Wed, 30 Nov 2016 01:48:55 +0000 (20:48 -0500)]
Map restart signals from event loop to SIGTERM during exit-notification wait
Commit 63b3e000c9.. fixed SIGTERM getting lost during exit notification
by ignoring any restart signals triggered during this interval. However,
as reported in Trac 777, this could result in repeated triggering of
restart signals when the event loop cannot continue without restart due
to IO errors or timeout.
Avoid by converting soft SIGUSR1 and SIGHUP signals received during
exit-notify wait period to SIGTERM.
Selva Nair [Wed, 30 Nov 2016 01:53:14 +0000 (20:53 -0500)]
When parsing '--setenv opt xx ..' make sure a third parameter is present
When no parameters are present, set it to "setenv opt" to trigger a
descriptive error message. And, thus get rid of the pesky NULL pointer
dereferencing.
Trac: #779
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1480470794-6349-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13311.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 997795353916ffcb413a2da02dc7f210fd621954)
Steffan Karger [Mon, 28 Nov 2016 16:55:07 +0000 (17:55 +0100)]
Clean up format_hex_ex()
Cherry-pick of commit 29404010 from master, slightly reworked to match the
2.3 codebase (no flags inside space_break here), and pulled in the new
static_assert() fallback we also have in master now.
Fix a potential null-pointer dereference, and make the code a bit more
readable while doing so.
The NULL dereference could not be triggered, because the current code
never called format_hex_ex() with maxoutput == 0 and separator == NULL.
But it's nicer to not depend on that.
Our use of int vs size_t for lengths needs some attention too, but I'm
not pulling that into this patch. Instead I decided to just make the
(previously existing) assumption that INT_MAX <= SIZE_MAX explicit by
adding a static_assert().
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1480352107-19652-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13269.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Sat, 17 Sep 2016 13:20:15 +0000 (16:20 +0300)]
Document the --auth-token option
This isn't an option to be used directly in any configuration files,
but to be used via --client-connect scripts or --plugin making use of
OPENVPN_PLUGIN_CLIENT_CONNECT or OPENVPN_PLUGIN_CLIENT_CONNECT_V2.
[v2 - Added lacking .B styling of options
- Clarified the token life time ]
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1474118415-14666-1-git-send-email-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12506.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f8a367f7c51af5482013fa3d783cade376b047ed)
Currently each instance of openvpn adds WFP filters into an independent
sublayer. As a block in one sublayer can over-ride a permit in another,
this causes all DNS traffic to block when --block-outside-dns is used
in multiple tunnels.
Fix using a common sublayer for adding firewall rules (filters) from all
instances of openvpn and interactive service.
- The sublayer is added in a persistent session so that it could be
accessed from multiple sessions.
- The sublayer is identified by a fixed UUID defined in block_dns.c
- Permit filters for tun/tap interfaces are added with explicitly higher
priority than filters that block all DNS traffic. This is not strictly
necessary as WFP assigns higher priority to specific filters over generic
ones, but it may be safer not to rely on that feature.
- All filters are added in dynamic sessions as before. They get
automatically removed when the process exits. The sublayer will,
however, persist until reboot.
Resolves Trac 718
- While at it also make sure the WFP session is closed on error in
win_wfp_block_dns().
- Also fix the function prototype typedefs in win32_wfp.h for
run-time-resolved fwpm functions
Tested on Windows 7, 10
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1474085439-28766-2-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12466.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Wed, 9 Nov 2016 20:19:32 +0000 (21:19 +0100)]
Repair topology subnet on OpenBSD
Turns out that "topology subnet" never worked totally right on
OpenBSD - the "netmask" parameter to ifconfig is ignored, and one
needs to add a subnet route (and this issue is hidden if an
encompassing route is pushed, like, by using --redirect-gateway).
While at it, apply the hack used for FreeBSD where "an arbitrary
address from the subnet" is used to set the "remote" end of the
tunnel, and point the route to that - so if OpenBSD decides to
change their kernel routing structure the same way, our code still
works (copying from commit 433b3813d8c38b4, trac #425 and commit 60fd44e501f2002, trac #481).
Tested on OpenBSD 6.0 and 4.9
Trac: #710
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20161109201932.80991-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12983.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 7f444dee52321c0f0294e99695150a7f69522715)
Gert Doering [Tue, 8 Nov 2016 12:45:06 +0000 (13:45 +0100)]
Repair topology subnet on FreeBSD 11
We used to add "route for this subnet" by using our own address as
the gateway address, which used to mean "connected to the interface,
no gateway". FreeBSD commit 293159 changed the kernel side of that
assumption so "my address" is now always bound to "lo0" - thus, our
subnet route also ended up pointing to "lo0", breaking connectivity
for all hosts in the subnet except the one we used as "remote".
commit 60fd44e501f200 already introduced a "remote address" we use
for the "ifconfig tunX <us> <remote>" part - extend that to be used
as gateway address for the "tunX subnet" as well, and things will
work more robustly.
Tested on FreeBSD 11.0-RELEASE and 7.4-RELEASE (client and server)
(this particular issue is not present before 11.0, but "adding the
subnet route" never worked right, not even in 7.4 - 11.0 just made
the problem manifest more clearly)
Lev Stipakov [Thu, 3 Nov 2016 21:28:23 +0000 (23:28 +0200)]
Drop recursively routed packets
v4:
- Account for IP header offset in TAP mode
- Correct handle of non-IP protocols in TAP mode
v3: Use better way of figuring out IP proto version which
does not break TAP mode. Add an option to allow recursive
routing, could be useful when packets sent by openvpn itself
are not subject to the routing tables that would move packets
into the tunnel.
v2: better method naming
On certain OSes (Windows, OS X) when network adapter is
disabled (ethernet cable pulled off, Wi-Fi hardware switch disabled),
operating system starts to use tun as an external interface.
Outgoing packets are routed to tun, UDP encapsulated, given to
routing table and sent to.. tun.
As a consequence, system starts talking to itself on full power,
traffic counters skyrocket and user is not happy.
To prevent that, drop packets which have gateway IP as
destination address.
Tested on Win7/10, OS X, Linux.
Trac #642
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1478208503-25929-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12894.html
Steffan Karger [Fri, 28 Oct 2016 12:10:07 +0000 (14:10 +0200)]
Limit --reneg-bytes to 64MB when using small block ciphers
Following the earlier warning about small block ciphers, now limit the
--reneg-bytes value when using a cipher that is susceptible to SWEET32-like
attacks. The 64 MB value has been selected with the researchers who
published the SWEET32 paper.
Note that this will not change a user-set --reneg-bytes value, to allow a
user to align a gun with his feet^w^w^w^w^w^w override this behaviour if
really needed.
Furthermore, in contrast with the patch for master, this will not limit
--reneg-bytes on the client side. This allows server administrators to
revert to the old behaviour, or increase --reneg-bytes to something they
believe is workable, without having to change client configs. (The master
branch provides cipher negotiation as a real solution, so we can be
stricter there.)
v2: obey user-set --reneg-bytes 0 to revert to old behaviour, use more firm
language in warning message, add URL to man page, and only limit at the
server side.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1477656607-7440-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12799.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
Gert Doering [Sun, 9 Oct 2016 10:09:29 +0000 (12:09 +0200)]
Fix --multihome for IPv6 on 64bit BSD systems.
The old code only worked if "struct openvpn_*_pktinfo" happened to use
the same structure packing as the CMSG_SPACE() / CMSG_LEN() macros
(which are part of the official API, see RFC 2292).
Get rid of "struct openvpn_*_pktinfo" definitions, replace them by
an opaque buffer sized large enough to fit IPv4 and IPv6 packet info
messages, as defined by CMSG_SPACE(sizeof(struct ...)).
On 32 bit platforms, the net result is the same. On 64 bit platforms,
the new buffer is bigger than openvpn_pktinfo was, fixing an overflow
with ipi6_ifindex corruption on reception, and EINVAL on sendmsg().
The IPv4 related changes are only side effects of using the new buffer.
Note: --multihome for IPv4 on NetBSD is still broken and non-fixable(!)
as NetBSD lacks the necessary kernel code for the sendmsg() side.
Verified that "--multihome works as well as before" on FreeBSD 7.4/amd64,
NetBSD 5.1/amd64, OpenBSD 4.9/i386, Linux/x86_64, Linux/i386,
OpenSolaris 10 (--multihome needs -D_XPG4_2, see trac #750)
See also: ip(4), ip6(4), recv(2)
Trac #634, #327, #28
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20161009100929.46472-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12626.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3fb246e38fc670c7dfff8ce4521c75c95c766c9e)
Gert Doering [Tue, 4 Oct 2016 11:38:54 +0000 (13:38 +0200)]
add POSTINIT_CMD_suf to t_client.sh and sample config
We have pre-init and cleanup commands, but some test cases might need
or want to run a shell script after openvpn has initialized, but before
executing any tests (ifconfig comparison and ping).
Example: POSTINIT_CMD_4="sleep 5" on MacOS X for tap tests (IPv6 DAD)
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20161004113854.42470-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12594.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit bae1ad7005fd9a1fadeed56370a9ac5422a33fee)
As reported in trac #732, the man page text for --cipher is no longer
accurate. Update the text to represent current knowledge, about NCP and
SWEET32.
This does not hint at changing the default cipher, because we did not make
a decision on that yet. If we do change the default cipher, we'll have to
update the text to reflect that.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1473605477-20908-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12440.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Sun, 2 Oct 2016 13:19:23 +0000 (15:19 +0200)]
make t_client robust against sudoers misconfiguration
Instead of testing (and priming) sudo with "true", prime with
"kill -0 $$" (just test signalling ourselves). If this fails,
we won't be able to kill the openvpn process we're going to
start later on -> thus, SKIP on failure.
This helps with misconfigured setups (especially on the buildbots)
that can correctly start openvpn but then not stop it later on -
leaving openvpn processes dangling around, requiring manual
intervention.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20161002131923.36681-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12585.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 8ca29af7c6d4759ce019ec9d0cd3eae4511a6804)
Samuli Seppänen [Mon, 3 Oct 2016 10:51:27 +0000 (13:51 +0300)]
Automatically cache expected IPs for t_client.sh on the first run
Previously one had to manually define correct values for the
EXPECT_IFCONFIG* variables based on what IPv4 and IPv6 addresses
the test VPN server handed out.
This was a tedious process especially with large number of tests,
as the IPs changed for every test client and for every test. With this
patch t_client.sh figures out the correct IP addresses using an
--up script and caches them to a separate file for later use.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1475491887-740-1-git-send-email-samuli@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12587.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit df0b00c253e41cce9567be79dbd3faa14c60473b)
Arne Schwabe [Thu, 14 Jul 2016 11:25:19 +0000 (13:25 +0200)]
Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer
Debian also incorrectly changes that the default for route parameters can
be specified by using "nil" instead of "default". The confusion is probably
coming from show_opt printing "nil" instead of "default". Change show_opt
to show "default (not set)" instead of "nil"
Original author: Alberto Gonzalez Iniesta <agi@inittab.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1468495519-25102-1-git-send-email-arne@rfc2549.org>
URL: http://www.mail-archive.com/search?l=mid&q=1468495519-25102-1-git-send-email-arne@rfc2549.org
David Sommerseth [Sat, 17 Sep 2016 11:18:05 +0000 (14:18 +0300)]
t_client.sh: Improve detection if the OpenVPN process did start during tests
This will check the OpenVPN log file if the process initialized
successfully.
It will check the log file for 30 seconds before aborting the test run.
This also has the advantage of starting the testing quicker if the
initialization goes faster than 10 seconds (which was the old sleep time).
The umask is also set to a more permissive mode to ensure the test
script is capable of reading the OpenVPN PID file, as that will be
created by root.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1474111085-10678-1-git-send-email-davids@openvpn.net>
URL: http://www.mail-archive.com/search?l=mid&q=1474111085-10678-1-git-send-email-davids@openvpn.net
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3712322ee1219e55640f2f4e5f822799edacd7cc)
David Sommerseth [Sat, 17 Sep 2016 10:50:33 +0000 (13:50 +0300)]
t_client.sh: Add support for Kerberos/ksu
If the t_client.rc has PREFER_KSU=1 configured, t_client.sh
will check if you have a valid Kerberos ticket and if so it will
do all execution via ksu instead of sudo.
If PREFER_KSU is not set or a Kerberos ticket is not found, it
will fall back to the configured RUN_SUDO approach.
When using ksu it needs the full path to the program being executed,
so there is also additional code to find the full path of true and kill.
[ v2 - Remove $* from RUN_SUDO for ksu config. Old cruft which survived
last review before patch submission.
- Improve known state declaration of PREFER_KSU ]
David Sommerseth [Sat, 17 Sep 2016 09:20:26 +0000 (12:20 +0300)]
t_client.sh: Make OpenVPN write PID file to avoid various sudo issues
This resolves an issue where $! returns the PID of the sudo process instead
of the PID of OpenVPN and when sudo does not properly propagate signals
down to OpenVPN.
Trac: #738
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1474104026-20615-1-git-send-email-davids@openvpn.net>
URL: http://www.mail-archive.com/search?l=mid&q=1474104026-20615-1-git-send-email-davids@openvpn.net
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e0926ebfe55347843af701216be9598827a1367a)
In the release/2.3 branch we support gnu89, basically to keep
pre-2015 MSVC happy. Old gcc (<5) defaulted to gnu89. But
gcc 5+ and clang default to gnu11/c11. This patch makes our
gnu89 support explicit, such that these newer compilers will also
point out gnu89 violations to developers.
v2: only set -std=gnu89 if no -std flag is present in $CFLAGS
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: 1474040436-9855-1-git-send-email-steffan@karger.me
URL: http://www.mail-archive.com/search?l=mid&q=1474040436-9855-1-git-send-email-steffan@karger.me
Signed-off-by: David Sommerseth <davids@openvpn.net>
Gert Doering [Tue, 13 Sep 2016 20:04:58 +0000 (22:04 +0200)]
Do not abort t_client run if OpenVPN instance does not start.
Basically, an oversight - if one test instance does not start at all
(due to "tap driver not loaded") the whole script would exit, instead
of logging the failing instance and proceeding to the next test run.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: 20160913200458.9906-1-gert@greenie.muc.de
URL: http://www.mail-archive.com/search?l=mid&q=20160913200458.9906-1-gert@greenie.muc.de
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit a7b02f7f660707f765881f35867b4d23d89b390f)
Lev Stipakov [Mon, 4 Jan 2016 12:43:44 +0000 (14:43 +0200)]
Drop recursively routed packets
v2: better method naming
On certain OSes (Windows, OS X) when network adapter is
disabled (ethernet cable pulled off, Wi-Fi hardware switch disabled),
operating system starts to use tun as an external interface.
Outgoing packets are routed to tun, UDP encapsulated, given to
routing table and sent to.. tun.
As a consequence, system starts talking to itself on full power,
traffic counters skyrocket and user is not happy.
To prevent that, drop packets which have gateway IP as
destination address.
Tested on Win7/10, OS X.
Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
Trac: 642
Tested-by: ValdikSS <iam@valdikss.org.ru>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1451911424-12970-1-git-send-email-lstipakov@gmail.com>
URL: https://sourceforge.net/p/openvpn/mailman/message/34737757/
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit e9d64bc03742c96a3d7fe2a473c43d40e5ba2001)
Steffan Karger [Tue, 16 Aug 2016 14:46:01 +0000 (16:46 +0200)]
Discourage using 64-bit block ciphers
As discussed with the development team, we should start moving away from
ciphers with a small block size. For OpenVPN in particular this means
moving away from 64-bit block ciphers, towards 128-bit block ciphers.
This patch makes a start with that by moving ciphers with a block
size < 128 bits to the bottom of the --show-ciphers output, and printing
a warning in the connection phase if such a cipher is used.
While touching this function, improve the output of --show-ciphers by
ordering the output alphabetically, and changing the output format
slightly.
[DS: Fixed C89 issues in patch, moving 'int nid' and 'size_t i' declaration
to beginning of function instead of in the for-loops. This is also
required to not break building on stricter compiler setups where C99
must be enabled explicitly ]
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1471358761-8828-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg00030.html
CVE: 2016-6329
Signed-off-by: David Sommerseth <davids@openvpn.net>
As reported in trac #699, OpenVPN crashes when an "--cipher none" option
is followed by "--cipher" (without arguments). Fix the crash, and print a
warning to indicate that using --cipher or --auth without an argument is
deprecated.
This is a (partly) backport of the patch I sent for the master branch
yesterday.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1469541433-1671-1-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/12107
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Tue, 14 Jun 2016 02:34:49 +0000 (22:34 -0400)]
Promptly close the netcmd_semaphore handle after use
If more than one openvpn process is running and one aborts
without releasing the semaphore, subsequent processes fail to get
a lock for the semaphore. This may be avoided by not keeping open
handles to the semaphore so that Windows can destroy it when no
open handles remain.
See also: http://article.gmane.org/gmane.network.openvpn.devel/11913
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1465871689-13533-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11919
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6aa4c9091300f62fae0bf7a9198de0edd2d8b7c7)
Steffan Karger [Wed, 8 Jun 2016 12:20:39 +0000 (14:20 +0200)]
Don't limit max incoming message size based on c2->frame
"Be conservative in what you send, be liberal in what you accept"
When receiving packets, the real limitation of how much data we can accept
is the size of our internal buffers, not the maximum size we expect
incoming packets to have.
I ran into this while working on cipher negotiation, which will need
separate bookkeeping for the required internal buffer size, and the
link/tun MTU. Basing this code on the buffer size instead of c2->frame
makes that easier. A nice side-effect of this change is that it
simplifies the code.
This should also reduce the impact of using asymmetric tun/link MTU's,
such as in trac ticket #647.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1465388443-15484-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11850
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3c1b19e04745177185decd14da82c71458442b82)
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Conflicts:
src/openvpn/socket.c
Selva Nair [Tue, 7 Jun 2016 04:44:20 +0000 (00:44 -0400)]
Ignore SIGUSR1/SIGHUP during exit notification
This allows exit notification to complete and finally trigger SIGTERM.
The current practice of allowing a restart in this state clears
the exit notification timer data and thus loses the SIGTERM.
Trac #687
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1465274660-11009-2-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11814
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 63b3e000c9141f4ca03a374354da26334257bc18)
It seems it was a conflict in vendor/Makefile.am's distdir target,
confusing autotools so it wouldn't actually parse that directory
properly. The result was that 'make distcheck' would fail and
tarballs created would just ship with an empty vendor/ directory.
Also remove the 'foreign' AUTOMAKE_OPTIONS flag, as we don't use
that many places at all. Things work well without this flag.
The comment had to be moved to a single line, otherwise the
white spaces between the end of the variable assignment and the
hash character got added to the variable.
[v3 - Further improve white space issues, now 'make clean'
should work too]
[v2 - Fix white space issues in path variables]
Signed-off-by: David Sommerseth <dazo@privateinternetaccess.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1464976163-6162-1-git-send-email-openvpn@sf.lists.topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11778
(cherry picked from commit 41ab12f06253cadc34fc47da865178de3db0bbdc)
David Sommerseth [Tue, 31 May 2016 10:28:46 +0000 (12:28 +0200)]
Only build and run cmocka unit tests if its submodule is initialized
Commit 40cb4cfc5d01110 added infrastructure to write unit tests using
cmocka. This was implemented using a git submodule to fetch an
up-to-date cmocka test framework.
The issue which appeared was that 'make check' stopped working if
the cmocka submodule was not initialized and updated. As we do not
want this to be a hard dependency, this patch makes running these
unit tests conditional. If cmocka has not been initialized, skip
them or if it has been initialized all unit tests will be run.
[v2 - Also check if cmake is available, as cmocka depends on that
to be built ]
Signed-off-by: David Sommerseth <dazo@privateinternetaccess.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1464703645-26640-1-git-send-email-openvpn@sf.lists.topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11758
(cherry picked from commit 45f6e7991cfa3bb8a44f981b6cf1e794d617d51e)
Jeffrey Cutter [Fri, 20 May 2016 09:25:10 +0000 (12:25 +0300)]
Update contrib/pull-resolv-conf/client.up for no DOMAIN
When no DOMAIN is received from push/pull, do not add either domain or
search to the resolv.conf. Fix typo in comment resolv.con[f]. Only add
new line when using domain or search.
Jens Neuhalfen [Wed, 25 May 2016 17:57:56 +0000 (19:57 +0200)]
Add a test for auth-pam searchandreplace
No functional changes.
Utility functions of auth-pam are split into a dedicated file. This allows
the test programs to easily test these functions without adding
dependencies.
Add a minimal test for searchandreplace as a proof of concept.
[ Modified during commit: Enhanced documentation of functions in utils.h
to comply with doxygen standards ]
Jens Neuhalfen [Wed, 25 May 2016 17:57:55 +0000 (19:57 +0200)]
Add unit testing support via cmocka
cmocka [1,2] is a testing framework for C. Adding unit test
capabilities to the openvpn repository will greatly ease the
task of writing correct code.
cmocka source code is added as git submodule in ./vendor. A
submodule approach has been chosen over a classical library
dependency because libcmocka is not available, or only
available in very old versions (e.g. on Ubuntu).
cmocka is built during 'make check' and installed in vendor/dist/.
Josh Cepek [Mon, 18 Aug 2014 10:51:01 +0000 (05:51 -0500)]
Push an IPv6 CIDR mask used by the server, not the pool's size
Correctly handle CIDR masks when pushing clients addressing from an IPv6
pool. This change ignores the incorrectly used `bits` argument to the
--ifconfig-ipv6-pool option.
The code to save any provided CIDR mask after the pool IP is left in;
this may someday become useful when we move to allow IPv6 pools without
relying on an IPv4 pool assignment.
Signed-off-by: Josh Cepek <josh.cepek@usa.net> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <53F1DA95.7020701@usa.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8990 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c4ed931a70502a351ff1089aa1bfb8001586f788)
Selva Nair [Sat, 14 May 2016 00:31:23 +0000 (20:31 -0400)]
Make error non-fatal while deleting address using netsh
During windows power events such as sleep or suspend, the TUN/TAP
I/O aborts and openvpn signals SIGHUP so as to automatically reconnect
on resume (since commit ea66a2b5cdb2..). During the SIGHUP processing
operations such as address and route deletion are expected to fail. Such
failures should be treated as non-fatal to allow for this automatic
recovery logic to work. Currently, when the address deletion is handled
by netsh, errors are treated as M_FATAL. This patch changes the error
level to M_WARN.
Resolves Trac #71 (comments 37 to 43)
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1463185884-4355-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11655 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Fri, 13 May 2016 06:54:52 +0000 (08:54 +0200)]
Fix polarssl / mbedtls builds
Commit 8a399cd3 hardened the OpenSSL default cipher list,
but also introduced a change in shared code that causes
polarssl / mbedtls builds to break when no --tls-cipher is
specified.
This fix is backported code from the master branch.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1463122492-701-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11647 Signed-off-by: Gert Doering <gert@greenie.muc.de>
James Yonan [Thu, 3 Mar 2016 07:48:12 +0000 (00:48 -0700)]
Fixed port-share bug with DoS potential
Fixed port-share bug that can cause segfault when the number
of concurrent connections is large.
The issue is that the port-share code calls openvpn_connect()
which in turn calls select(). When there are a high number
of concurrent port-share connections, the fd passed to select
can potentially exceed FD_SETSIZE, causing undefined behavior.
The fix is to use poll() (if available) instead of select().
Signed-off-by: James Yonan <james@openvpn.net> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <CAA1Abx+2E2FZN-y6P=mkKpSuZ7bOV5m6rUMTx3V7UP2qPMjZPg@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11626 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 007738e9d6030c8989713543e4f7308ff57be30f)
This fixes some formatting issues, and updates the text for the cipher list
restriction to match the restrictions of 2.3 (rather than those of master
wrt 2.3).
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1461003958-14726-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11467 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Sun, 20 Dec 2015 19:12:53 +0000 (14:12 -0500)]
Support reading the challenge-response from console
Trying to keep the footprint small, this patch adds to the
convoluted code-flow in get_user_pass_cr(). Cleanup left for later.
-----8<-----
Currently prompting for a response to static-challenge
gets skipped when the username and password are read
from a file. Further, dynamic challenge gets wrongly handled
as if it's a username/password request.
The Fix:
- Add yet another flag in get_user_pass_cr() to
set when prompting of response from console is needed.
- In receive_auth_failed(), the challenge text received
from server is _always_ copied to the auth_challenge
buffer: this is needed to trigger prompting from console
when required.
- Also show the challenge text instead of an opaque
"Response:" at the prompt.
While at it, also remove the special treatment of authfile ==
"management" in get_user_pass_cr(). The feature implied by that
test does not exist.
Tested:
- username and optionally password from file, rest from console
- the above with a static challenge
- the above with a dynamic challenge
- all of the above with systemd in place of console
- all from management with and without static/dynamic
challenge.
Thanks to Wayne Davison <wayne@opencoder.net> for pointing out the
issue with challenge-response, and an initial patch.
In the past years, the internet has been moving forward wrt deprecating
older and less secure ciphers. Let's follow this example in OpenVPN and
also restrict the default list of negotiable TLS ciphers in 2.3.x.
This disables the following:
* Export ciphers (these are broken on purpose...)
* Ciphers in the LOW and MEDIUM security cipher list of OpenSSL
The LOW suite will be completely removed from OpenSSL in 1.1.0,
the MEDIUM suite contains ciphers like RC4 and SEED.
* Ciphers that are not supported by OpenVPN anyway (cleans up the list)
Note that users are able to override this default, using --tls-cipher, if
they for some reason need ciphers that are now disabled by default.
v2: add Changes.rst entry.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1460917412-29741-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11455 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Make intent of the validation clear when validating utun parameter in
open_darwin_utun. The program logic remains unchanged.
Fixes the following compiler warning on Mac OS X:
tun.c:2847:19: warning: logical not is only applied to the left hand side
of this comparison [-Wlogical-not-parentheses]
if (dev_node && !strcmp ("utun", dev_node)==0)
^ ~~
tun.c:2847:19: note: add parentheses after the '!' to evaluate the
comparison first
if (dev_node && !strcmp ("utun", dev_node)==0)
^
( )
tun.c:2847:19: note: add parentheses around left hand side expression to
silence this warning
if (dev_node && !strcmp ("utun", dev_node)==0)
^
( )
tun.c:2849:11: warning: logical not is only applied to the left hand side
of this comparison [-Wlogical-not-parentheses]
if (!sscanf (dev_node, "utun%d", &utunnum)==1)
^ ~~
tun.c:2849:11: note: add parentheses after the '!' to evaluate the
comparison first
if (!sscanf (dev_node, "utun%d", &utunnum)==1)
^
( )
tun.c:2849:11: note: add parentheses around left hand side expression to
silence this warning
if (!sscanf (dev_node, "utun%d", &utunnum)==1)
^
( )
Signed-off-by: Jens Neuhalfen <jens@neuhalfen.name> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <3365AB24-33FD-4D9D-A57C-BF9240DC3D69@neuhalfen.name>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11440 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6be0f0015d7485f0bf3c14a3a381a6f6496270a5)
Steffan Karger [Sun, 27 Mar 2016 14:18:16 +0000 (16:18 +0200)]
Replace MSG_TEST() macro for static inline msg_test()
Using a static inline function instead of a macro has the advantages that
(1) 'flags' is not evaluated twice and (2) coverity will stop complaining
that 'Macro compares unsigned to 0 (NO_EFFECT)' each time we use flags
with loglevel 0 (e.g. M_FATAL or M_WARN).
This has a performance impact when compiler optimizations are fully
disabled ('-O0'), but should otherwise be as fast as using a macro.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1459088296-5046-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11368 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit bbde0a766c69f573746461415c6f5cd289272fff)
Steffan Karger [Sun, 27 Mar 2016 15:22:10 +0000 (17:22 +0200)]
Fix memory leak in argv_extract_cmd_name()
Reported by coverity (in 2009!):
1648 static char *
1649 argv_extract_cmd_name (const char *path)
1650 {
1. Condition path, taking true branch
1651 if (path)
1652 {
1653 char *path_cp = string_alloc(path, NULL); /* POSIX basename()
implementaions may modify its arguments */
1654 const char *bn = basename (path_cp);
2. Condition bn, taking true branch
1655 if (bn)
1656 {
3. alloc_fn: Storage is returned from allocation function
string_alloc. [show details]
4. var_assign: Assigning: ret = storage returned from
string_alloc(bn, NULL).
1657 char *ret = string_alloc (bn, NULL);
5. noescape: Resource ret is not freed or pointed-to in strrchr.
1658 char *dot = strrchr (ret, '.');
6. Condition dot, taking false branch
1659 if (dot)
1660 *dot = '\0';
1661 free(path_cp);
7. Condition ret[0] != 0, taking false branch
1662 if (ret[0] != '\0')
1663 return ret;
CID 27023 (#2-1 of 2): Resource leak (RESOURCE_LEAK)8.
leaked_storage: Variable ret going out of scope leaks the storage it
points to.
1664 }
1665 }
1666 return NULL;
1667 }
This function is only used by argv_printf_arglist(), and in a very specific
case, so it might be that this leak can not even occur. But coverity is
clearly right that this is a bug, so let's just fix it.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1459092130-19905-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11369 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit be16d5f6b050248f503455e4a0e8f3aaaa38bdc7)
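In the function as Coverity shows it, ret is dropped without free() whenever nothing is left of the name after the extension is cut, which a basename such as .profile produces. The code below is an added illustration, not the commit's patch: a stand-alone rewrite with that path freed, where strdup() stands in for OpenVPN's string_alloc() and the name extract_cmd_name() and the sample paths are made up for the example.

```c
#define _POSIX_C_SOURCE 200809L  /* strdup(), basename() */
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns a heap-allocated command name (basename of path without its
 * last extension), or NULL if there is none. The caller frees the result. */
char *extract_cmd_name(const char *path)
{
    char *path_cp, *ret, *dot;
    const char *bn;

    if (!path)
        return NULL;
    path_cp = strdup(path);     /* POSIX basename() may modify its argument */
    if (!path_cp)
        return NULL;

    bn = basename(path_cp);
    ret = bn ? strdup(bn) : NULL;   /* copy before path_cp is freed */
    free(path_cp);
    if (!ret)
        return NULL;

    dot = strrchr(ret, '.');
    if (dot)
        *dot = '\0';
    if (ret[0] == '\0') {       /* empty name: release it instead of leaking */
        free(ret);
        return NULL;
    }
    return ret;
}

int main(void)
{
    /* Constructed inputs; ".profile" becomes empty once the extension is cut. */
    const char *samples[] = { "/usr/sbin/openvpn.exe", ".profile", "a.tar.gz" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *name = extract_cmd_name(samples[i]);
        printf("%-24s -> %s\n", samples[i], name ? name : "(null)");
        free(name);
    }
    return 0;
}
```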
On many platforms (not Windows, for once), FD_SET() can write outside the
given fd_set if an fd >= FD_SETSIZE is given. To make sure we don't do
that, add an ASSERT() to error out with a clear error message when this
does happen.
This patch was inspired by remarks about FD_SET() from Sebastian Krahmer
of the SuSE Security Team.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1456996968-29472-1-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11285 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e0b3fd49e2b5bba8cb57419a13cb75b56ac91b94)
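The two FD_SETSIZE commits above (the port-share fix that moves from select() to poll(), and the guard around FD_SET()) describe two defences for the same limit. The code below is an added example, not OpenVPN's code: checked_fd_set() and wait_writable_poll() are hypothetical helper names, and the guard returns an error where the commit uses ASSERT().

```c
#define _POSIX_C_SOURCE 200809L  /* poll(), pipe(), fcntl() */
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <sys/select.h>
#include <unistd.h>

/* Guarded FD_SET(): refuse descriptors that do not fit in an fd_set.
 * Returns 0 on success, -1 with errno = EBADF when fd is out of range. */
int checked_fd_set(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EBADF;          /* FD_SET() here could write outside *set */
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* Wait for fd to become writable with poll(). The descriptor is passed as
 * a value in struct pollfd, so its number is not bounded by FD_SETSIZE.
 * Returns 1 if writable, 0 on timeout, -1 on error. */
int wait_writable_poll(int fd, int timeout_ms)
{
    struct pollfd pfd = { .fd = fd, .events = POLLOUT, .revents = 0 };
    int rc;

    do {
        rc = poll(&pfd, 1, timeout_ms);
    } while (rc < 0 && errno == EINTR);

    if (rc <= 0)
        return rc;              /* 0 = timeout, -1 = poll() failed */
    if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
        errno = (pfd.revents & POLLNVAL) ? EBADF : EIO;
        return -1;
    }
    return (pfd.revents & POLLOUT) ? 1 : 0;
}

int main(void)
{
    int p[2], high, fd;
    fd_set set;

    if (pipe(p) != 0)
        return 1;
    FD_ZERO(&set);
    /* Constructed input: ask for a duplicate numbered >= FD_SETSIZE; this
     * fails when RLIMIT_NOFILE is too low, so fall back to the pipe fd. */
    high = fcntl(p[1], F_DUPFD, FD_SETSIZE);
    fd = (high >= 0) ? high : p[1];

    printf("fd=%d checked_fd_set=%d wait_writable_poll=%d\n",
           fd, checked_fd_set(fd, &set), wait_writable_poll(fd, 0));
    return 0;
}
```

When the open-file limit allows a descriptor at or above FD_SETSIZE, the guard rejects it while the poll() path still reports it writable.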
ValdikSS [Fri, 15 Jan 2016 23:35:38 +0000 (02:35 +0300)]
Update --block-outside-dns to work on Windows Vista
Windows Vista doesn't support non-equal matching of application name, it
is available only since Windows 7.
This commit splits 2 filtering conditions with non-equal matching to 2
filters each with 1 filtering condition: permit IPv4 (first filter)
and IPv6 (second filter) port 53 traffic from openvpn.exe instead
of blocking all non-openvpn.exe traffic on port 53 for both protocols.
Leonardo Basilio [Wed, 10 Feb 2016 10:19:39 +0000 (11:19 +0100)]
Correctly report TCP connection timeout on windows.
On nonblocking TCP connects, we set status = ETIMEOUT on failure.
On windows, depending on which header files are included, ETIMEOUT
is defined differently, and this leads to incomprehensible error
messages - so, always use WSAETIMEDOUT here.
Trac #651
Signed-off-by: Leonardo Basilio <leobasilio@gmail.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <CACqLfMnBXwSY=MXyc7B1oMKwYE2Z_49G3mpkEPxbSAuG61tgZA@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11085 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 5f5229e41d134b659e502bb2597c711aedaf8096)
ValdikSS [Sat, 9 Jan 2016 15:53:45 +0000 (18:53 +0300)]
Clarify mssfix documentation
Acked-by: Jan Just Keijser <janjust@nikhef.nl>
Message-Id: <1452354825-5096-1-git-send-email-iam@valdikss.org.ru>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10969
Steffan Karger [Wed, 13 Jan 2016 16:09:08 +0000 (17:09 +0100)]
socks.c: fix check on get_user_pass() return value(s)
My compiler rightfully complains that the checks on creds.username and
creds.password always evaluate to true, so remove those checks.
Judging from the code, they were meant to check the returned values by
get_user_pass(). So instead of these non-functioning checks, just check
the return value of get_user_pass().
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1452701348-9577-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10993 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 982ab2364a68f2fca0cb9219b31bdabcd5aa4b49)
Steffan Karger [Thu, 7 Jan 2016 19:52:44 +0000 (20:52 +0100)]
Update manpage: OpenSSL might also need /dev/urandom inside chroot
As reported in trac ticket #646, OpenSSL might also need /dev/urandom to
be available in the chroot. This depends on OS, OS version and ssl library
configuration. Update the manpage to better explain this.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1452196364-18786-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10954 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 0609eb477bdcd7b23bd8072f69714592323cab2e)
Steffan Karger [Thu, 7 Jan 2016 13:01:30 +0000 (14:01 +0100)]
polarssl: improve logging
Add the functions polar_log_err(), polar_log_func_line() and a macro
polar_ok(), to easily log human-readable PolarSSL errors from
polarssl-specific code.
This does not provide the full logging interface as msg(), because I
would have to add a lot more of macro-magic to achieve that on the
various supported compilers and platforms, and this suffices too (for
now at least).
Use the new polar_log_err() and polar_ok() functions to provide more
log/debug output for polarssl errors.
This commit is a combined cherry-pick of commits 6ef5df14, d17d362d, aa416be9, and 3a39bf7d from the master branch, adjusted to the
release/2.3 branch.
v2 - use static inline instead of macro for optimization, and include
'enable polarssl debug logging'.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1452171690-26822-1-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10952 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Wed, 6 Jan 2016 20:51:04 +0000 (21:51 +0100)]
openssl: improve logging
This improves OpenSSL logging and removes OpenSSL-specific error
printing code from error.c. The crypto_msg() functions provide
convenience wrappers, specific to OpenSSL. Instead of passing the
magical 'M_SSLERR' flag to msg(), a developer now just calls
crypto_msg() to get OpenSSL errors dumped to log.
This commit is a combined cherry-pick of commits e795d6ba and 98ea2ec5 from the master branch, adjusted to the release/2.3 branch.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1452113464-28062-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10944 Signed-off-by: Gert Doering <gert@greenie.muc.de>