However, even with the above code, stateless session resumption
is still possible unless explicitly disabled with the
SSL_OP_NO_TICKET flag. This patch does this.
Gert Doering [Mon, 13 Jan 2014 21:54:34 +0000 (22:54 +0100)]
Replace copied structure elements with including <net/route.h>
The code for FreeBSD, Dragonfly, OpenBSD and NetBSD contained copies
of structures from <net/route.h> (struct rt_msghdr in particular).
OpenBSD changed some structure elements, making OpenVPN incompatible,
depending on the specific OpenBSD version. Clean up: remove copied
definitions, replace by including <net/route.h> directly - this could
not be done originally due to a conflict with "struct route" in OpenVPN
and <net/route.h>, cleaned up by the previous commit.
Tested on FreeBSD 9.1-RELEASE, NetBSD 5.1, OpenBSD 4.9 (route.c compiles
with no warnings, and "openvpn --show-gateway" works, which is the only
part of the code that uses the structures in question).
Fix trac #340
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1389650074-18455-2-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8230
(cherry picked from commit 615fb9ef36310f85fd6171301128a12740444455)
Gert Doering [Sun, 17 Nov 2013 14:30:20 +0000 (15:30 +0100)]
Make code and documentation for --remote-random-hostname consistent.
Documentation examples, description and code were disagreeing on what
this option actually does. Now they will all agree that it will
*prepend* a random-byte string to the hostname name before resolving
to work around DNS caching (needs a "*" wildcard record in the zone).
Fix trac #143
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1384698620-27946-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7999
(cherry picked from commit 7de8f3f322c1a1c13022a0243267624930dac5c9)
Jens Wagner [Tue, 7 Jan 2014 21:07:54 +0000 (22:07 +0100)]
Fix spurious ignoring of pushed config options (trac#349).
The function incoming_push_message(...) in push.c uses a local variable
option_types_found, that gets passed to do_up(...).
If the server push got split into several parts, only the last part
(PUSH_MSG_REPLY) option_types_found is used for do_up (initilized as 0
locally), the previous ones (PUSH_MSG_CONTINUATION) are ignored.
So e.g. a ping config, pushed by the server in the first push, followed
by a lot of "push route" configs, causing a second push message, will
have the do_up() called, but without e.g. the OPT_P_TIMER flag, so those
options will be silently ignored.
The patch resolves that, by introducing "push_option_types_found" in
"c->options" and using that as storage.
Fix trac bug #349.
Acked-by: Gert Doering <gert@greenie.muc.de>
URL: https://community.openvpn.net/openvpn/ticket/349 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 1aac9a0b7a4046822a0134cd8693a828f2e16576)
Steffan Karger [Wed, 1 Jan 2014 20:10:22 +0000 (21:10 +0100)]
Update TLSv1 error messages to SSLv23 to reflect changes from commit 4b67f98
Commit 4b67f98 changed call to TLSv1_{client,server}_method() to
SSLv23_{client,server}_method(), this commit updates the corresponding
error messages to match the changes in the code.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1388607026-12297-3-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8147 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 441be9f4f91a16218d40b401384ead51b5aac0cc)
Steffan Karger [Wed, 1 Jan 2014 20:10:21 +0000 (21:10 +0100)]
Also update TLSv1_method() calls in support code to SSLv23_method() calls.
Commit 4b67f98 changed calls to TLSv1_{sever,client}_method() to
SSLv23_{client,server}_method() to enable TLS version negotiation. This
commit does the same for two calls of TLSv1_method() from support code.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1388607026-12297-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8148 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit dd3e319c1d66c7da51b8555d745a1139e0b322f2)
Steffan Karger [Sun, 15 Dec 2013 18:34:27 +0000 (19:34 +0100)]
Use RSA_generate_key_ex() instead of deprecated, RSA_generate_key()
This patch moves from using the deprecated RSA_generate_key() to the 'new'
RSA_generate_key_ex() to generate ephemeral RSA keys. This patch does
not change OpenVPN's behaviour.
One note on the implementation though; the code generates one ephemeral
RSA key that is used during the entire lifetime of an OpenVPN process.
If OpenSSL requests a new (ephemeral) key, it will keep on returning the
same (usually rather small) key. Not the best solution.
To actually run this code, I had to force usage by selecting the
TLS-RSA-EXPORT-WITH-DES40-CBC-SHA tls-cipher. That generated a 512-bit
ephemeral RSA key, and uses the outdated DES encryption protocol.
Using this mode could lead to a false sense of security. Then again, one
should be using (Ephemeral) Diffie-Hellman anyway, and OpenVPN requires
a tls-server to supply dh parameters. A user would need to deliberately
choose a weak tls-cipher like TLS-RSA-EXPORT-WITH-DES40-CBC-SHA, which
would be aligning a gun with his foot anyway. If one would decide this
implementation is not good enough anymore, I'd suggest to just strip out
support for this completely.
Code has been tested using the TLS-RSA-EXPORT-WITH-DES40-CBC-SHA tls-cipher
which uses this to create ephemeral RSA keys.
Arne Schwabe [Tue, 17 Dec 2013 10:22:47 +0000 (11:22 +0100)]
Add warning for using connection block variables after connection blocks
In 2.3 some options that were allowed only in global config before have
been moved to connection blocks. This changes the behaviour if the
variables were defined after connection block. This patch adds a warning
to catch these mistakes.
Also let warnings errors show [CONNECTION-OPTIONS] instead of [CMD-LINE]
for connection blocks Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1387275767-10303-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8117
David Sommerseth [Mon, 25 Nov 2013 12:32:58 +0000 (13:32 +0100)]
Fix file checks when --chroot is being used
Commit 0f2bc0dd92f43c9 started to introduce some file sanity
checking before OpenVPN started to avoid harder to explain issues
due to missing files or directories later on. But that commit
did not consider --chroot at all. Which would basically cause
OpenVPN to complain on non-missing files, because it would not
consider that the files where inside a chroot.
This patch is based on the thoughts in a patch by Josh Cepek [1],
but trying to simplify it at bit.
Gert Doering [Sun, 24 Nov 2013 16:13:04 +0000 (17:13 +0100)]
t_client.sh: ignore fields from "ip -6 route show" output that distort results.
"ip -6 route show" prints stuff like "rtt 38ms rttvar 38ms cwnd 10", which
sometimes changes while an OpenVPN test is running, resulting in spurious
failures in the "ifconfig/route must be restored identically after
OpenVPN ends" test in t_client.sh. Not all fields are there all the time,
so use "sed" to get rid of whatever is printed this time.
Only relevant for "make check" on linux builds with "--enable-iproute2".
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1385309584-23209-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8047
(cherry picked from commit 8c19087034cb1076874075b9e2896ea3f7be59cf)
Joachim Schipper [Thu, 19 Sep 2013 10:47:28 +0000 (12:47 +0200)]
--management-external-key for PolarSSL
Add --management-external-key support, compatible with the OpenSSL
implementation. Needs the flexibility of ssl_set_own_cert_alt(), which
is new in PolarSSL-1.2.
Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com> Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1379587649-25506-3-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7886 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 38ace48c6820c611e689bc69b0cf5380bf7a8891)
Joachim Schipper [Thu, 19 Sep 2013 10:47:27 +0000 (12:47 +0200)]
Refactor tls_ctx_use_external_private_key()
OpenSSL's tls_ctx_load_cert_file() had a parameter in which a copy of the
context's certificate chain was stored on return, used by
tls_ctx_use_external_private_key() only and free()d immediately thereafter.
PolarSSL also supported this output parameter, but returned a pointer to
the
context's certificate chain (rather than to a copy of the certificate, as
OpenSSL does) - which meant that we would have to #ifdef the free().
PolarSSL cannot make a copy of a certificate chain, and OpenSSL cannot
store a
pointer to (instead of a copy of) the cert.
So remove the output parameter from tls_ctx_load_cert_file() and
incorporate
the needed functionality directly into tls_ctx_use_external_private_key()
(which is straightforward for both OpenSSL and PolarSSL, as long as you
don't
try to support both at once.)
Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1379587649-25506-2-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7888 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c3b2d487bc5089c8c0cf65df8e6cc2232d84b05b)
Setting es->gc=NULL causes env_set_add_nolock() / remove_env_item() to
free() allocated and no longer used strings in the es, while an active
gc would leave them for cleanup with gc_free() at client disconnect time.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Conflicts:
src/openvpn/buffer.c Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Message-Id: <20131023162618.GP161@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7939
(cherry picked from commit 4368147972d61b598bbcd5d2904d891130d5e517)
It looks like it's possible to specify an optional authfile as third
argument of the "socks-proxy" directive. This patch updates the man page to
document that.
If a CA certificate file includes intermediate certificates, and any
of them fail to verify, the current code will file with "Cannot load
CA certificate file". Instead, generate a more specific error message
identifying the specific sub-certificate(s) which did not validate.
Arne Schwabe [Fri, 31 May 2013 12:59:35 +0000 (14:59 +0200)]
Add reporting of UI version to basic push-peer-info set.
If a GUIs sets IV_OPENVPN_GUI_VERSION the version will be pushed to the
server.
Usage convention for IV_OPENVPN_GUI_VERSION is "<gui_id><space><version>",
for example "de.blinkt.openvpn 0.5.47" for the ICS Android version.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: James Yonan <james@openvpn.net>
Message-Id: <1370005175-14871-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7646 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f3a2cd255a3bc73a546a5e2d09fa30a16cce0d7d)
Josh Cepek [Thu, 14 Nov 2013 18:02:59 +0000 (12:02 -0600)]
Require a 1.2.x PolarSSL version
Upstream policy on PolarSSL API compatibility does not guarantee
stability between point-releases. For OpenVPN, we must verify a 1.2.x
version with the current codebase.
Steffan Karger [Tue, 22 Oct 2013 12:45:17 +0000 (14:45 +0200)]
Require polarssl >= 1.2.10 for polarssl-builds, which fixes CVE-2013-5915.
PolarSSL 1.2.9 fixes a possible timing attack in PolarSSL's RSA-CRT
implementation. See CVE-2013-5915 for details. This commit bumps the
minimum polarssl version required by configure.ac to 1.2.10, because 1.2.9
also introduced a memory leak, which is fixed in 1.2.10.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1382445917-2974-1-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7925 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 92d21e3fed33aad966b7b0ca6568e0cda8c7a8b5)
Heiko Hund [Tue, 15 Oct 2013 09:23:42 +0000 (11:23 +0200)]
Support non-ASCII TAP adapter names on Windows
Currently the TAP adapter name is fetched as an OEM string, which
is problematic if it contains non-ASCII characters and is to used
with netsh. The logfile also contains these non UTF-8 characters.
This patch fetches the name from the registry as UCS-2 and converts
it right into UTF-8 before it's used.
Josh Cepek [Wed, 21 Aug 2013 21:20:30 +0000 (16:20 -0500)]
Correct error text when no Windows TAP device is present
Starting with the 2.3-series, the TAP-Windows driver/utilities and
OpenVPN are separately installed components. The error message given to
users without available TAP devices uses the pre-2.3 path that does not
exist. The path should be listed under the TAP-Windows program group
that the tap-windows project installer uses.
Resolves bug #320
Signed-off-by: Josh Cepek <josh.cepek@usa.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Message-Id: <kv4ece$s8s$1@ger.gmane.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7825 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 2d34628af995676c8ecddb953897c334b96a6a6b)
Always load intermediate certificates from a PKCS#12 file
Load intermediate certificates from a PKCS#12 file and place them in the
extra certs chain, when trusted CA certs are loaded from an external PEM
file with the --ca option, and the CA certs in PKCS#12 are not to be trusted.
Required when client PKCS#12 file is provided by a different CA
than the server CA, the PKCS#12 file contains intermediate certificates
required for client auth, but the server CA is not in the PKCS#12 file.
When --ca is set, the PKCS#12 provided CA certs are not trusted. Without
this patch, they were ignored completely - with this patch, they're loaded
in the extra certs chain which makes them available for chain verification
but still does not make them trusted if --ca is set. Unless when, of
course, a trusted root is found from the --ca file.
Acked-by: James Yonan <james@openvpn.net> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <alpine.DEB.2.02.1306201400320.10116@jazz.he.fi>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7721
James Yonan [Tue, 11 Jun 2013 06:25:05 +0000 (00:25 -0600)]
Added "setenv opt" directive prefix. If present, and if the
directive that follows is recognized, it will be processed
as if the "setenv opt" prefix was absent. If present and if
the directive that follows is not recognized, the directive
will be ignored rather than cause a fatal error.
For example, suppose you are distributing a client
configuration file and want to set the minimum TLS version
that the client requires from the server to 1.2.
By using the following directive,
setenv opt tls-version-min 1.2 or-highest
only newer clients that understand the tls-version-min directive
would process it, while older clients would ignore it.
James Yonan [Tue, 11 Jun 2013 04:59:30 +0000 (22:59 -0600)]
TLS version negotiation
Updated the TLS negotiation logic to adaptively try to connect using
the highest TLS version supported by both client and server.
Previously, OpenVPN (when linked with OpenSSL) would always connect
using TLS 1.0.
Also added tls-version-min directive to force a higher TLS version
than 1.0:
tls-version-min <version> ['or-highest'] -- sets the minimum
TLS version we will accept from the peer. Examples for version
include "1.0" (default), "1.1", or "1.2". If 'or-highest' is
specified and version is not recognized, we will only accept
the highest TLS version supported by the local SSL implementation.
Examples:
tls-version-min 1.1 -- fail the connection unless peer can
connect at TLS 1.1 or higher.
tls-version-min 1.2 or-highest -- require that the peer
connect at TLS 1.2 or higher, however if the local SSL
implementation doesn't support TLS 1.2 (as it wouldn't
if linked with an older version of OpenSSL), reduce the
minimum required version to the highest version supported
by the local SSL implementation (such as TLS 1.0). This
is intended to allow client configurations to target higher
TLS versions that are supported on the server, even if some
older clients don't support these versions yet.
[
This is a merged patch from on the following commits
on git://github.com/jamesyonan/openvpn.git
plugin: Extend the plug-in v3 API to identify the SSL implementation used
OpenVPN would segfault unexpectedly if it would be compiled against
PolarSSL
and the plug-in would expect OpenSSL, or vice-versa. This segfault would
not appear before the plug-in would try to access functions which would
be available if the plug-in and OpenVPN uses the same SSL implementation.
This patch adds a member to the plug-in initialisation function, which
identifies the SSL implementation.
The log_v3 plug-in is updated accordingly + a simple fix to make it
buildable again using the ./build script.
A minor documentation error in the openvpn-plugin.h was also
corrected, where it mentioned OPENVPN_PLUGIN_VERSION instead of
OPENVPN_PLUGINv3_STRUCTVER.
v2 - add const ovpnSSLAPI ssl_api at the end of
struct openvpn_plugin_args_open_in and not in the "middle"
v3 - fix bug in plug-in init, as the SSLAPI was located wrong in the
args struct sent to the openvpn_plugin_open_v3() function.
v4 - Ensure SSLAPI got a sane/known value if SSL is disabled or unknown
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1372879030-10576-1-git-send-email-dazo@users.sourceforge.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7754 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 587df08abda3c8f1f85ccdba4d8b82a736c11e2d)
This "feature" has been enabled since OpenVPN 2.2 without any reports that
this has been causing issues. All it does is to add an extra environment
variable 'tls_digest_{n}' with the certificate SHA1 fingerprint/digest
hash.
Lets just simplify things by removing the possibility to disable this
environment variable.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1370600123-6029-1-git-send-email-dazo@users.sourceforge.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7660 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e3d388652f59fd2ddd9c7f470f7ef62ee6b35595)
Arne Schwabe [Fri, 21 Jun 2013 10:48:28 +0000 (12:48 +0200)]
Add support of utun devices under Mac OS X
Mac OS X 10.7+ natively supports tun devices (called utun). The "standard"
utun.ko driver is sometimes problematic (e.g. VmWare Fusion 5 and tun.ko
do not work together).
When OpenVPN is compiled with utun support it will if no dev-node is given
first try to use utun and if that is not available will try the
traditional tun devices
v2: Fixed tap support, get device name via ioctl, add manage
v3.1: Fix compiling without if/utun.h, fix manage errors
v4/v5: Don't try open to dynamically open utun0 -255 when early utun
initialization fails, fix fallback to tun, give fatal error message when
utun fails but no tun fallback should be done
v6: add commit message change log, replace strstr with strncmp, move
v7: Throw error if a user does the strange combination of --dev tun
--dev-type tap and --dev-node utun
A lot good input on earlier patches by Jonathan K. Bullard
<jkbullard@gmail.com>
Parts of the patches are inspired from Peter Sagerson's
<psagers@ignorare.net> utun patch Signed-off-by: Arne Schwabe <arne@rfc2549.org> Tested-by: Jonathan K. Bullard <jkbullard@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1371811708-8528-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7739 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit fbc04bedbcce02fc625357b7475ddbc7164cabbf)
Arne Schwabe [Thu, 30 May 2013 21:02:17 +0000 (23:02 +0200)]
Move checking of script file access into set_user_script
At the moment script are only checked if P2MP_SERVER is defined. For
CLIENT_ONLY openvpn script were never checked. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1369947737-26081-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7635
Arne Schwabe [Thu, 30 May 2013 20:26:43 +0000 (22:26 +0200)]
Move settings of user script into set_user_script function
This also fixes commit 567bfc06d051b60e9cdca1f5bb468631b899682a if not all
script options are available by setting options->user_script_used Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1369945603-17169-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7634
Arne Schwabe [Thu, 30 May 2013 13:27:08 +0000 (15:27 +0200)]
Only print script warnings when a script is used. Remove stray mention of script-security system.
Acked-by: Jan Just Keijser <janjust@nikhef.nl>
Message-Id: <1369920428-11350-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7625
Gert Doering [Thu, 30 May 2013 11:31:24 +0000 (13:31 +0200)]
Fix problem with UDP tunneling due to mishandled pktinfo structures.
In link_socket_write_udp_posix_sendmsg(), pktinfo structures for ipv4 and
ipv6 are going out of scope before actually calling sendmsg(), so depending
on compiler optimization, garbage is passed to sendmsg() - fix by using
"union openvpn_pktinfo" and having that in scope all the time.
Problem reported and patch provided by "danta" in trac#297
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
URL: https://community.openvpn.net/openvpn/ticket/297
Message-ID: <20130530184427.GP20843@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7629
(cherry picked from commit 8c431f960357d776cfd0961192214ad1b0942bfb)
James Yonan [Mon, 20 May 2013 10:13:21 +0000 (12:13 +0200)]
Always push basic set of peer info values to server.
On the client, allow certain peer info fields to be pushed even if
push-peer-info isn't specified in the config.
This is needed to allow the compression handshake to work correctly
(i.e. where the client indicates its support for LZO and/or Snappy).
Fields that have privacy implications such as Mac Address and UV_*
environment variables will not be pushed to the server as before unless
push-peer-info is specified by client config.
v1: equivalent to OpenVPN SVN r8225 (2.1.21c)
v2: distinguish 3 levels of peer-info detail
--push-peer-info specified --> send all we have
--pull specified --> send basic set, as per r8225
default --> send nothing (do not leak from server)
v3: undo extra whitespace changes in v1 and v2
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1369044801-7594-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7604
(cherry picked from commit 598e03f0e7bce434e501a9895819f2af0714d5f6)
Josh Cepek [Thu, 16 May 2013 14:09:23 +0000 (09:09 -0500)]
Fix Windows script execution when called from script hooks
Console applications under Windows, such as batch scripts, require the
CREATE_NO_WINDOW process flag when run without an actual console window
present. This change allows such scripts to execute and impact the hook
status by way of their return code.
Gert Doering [Fri, 3 May 2013 19:13:24 +0000 (21:13 +0200)]
Fix NULL-pointer crash in route_list_add_vpn_gateway().
Add ASSERT() check to route_list_add_vpn_gateway() to ensure that *rl
is valid (and if not, crash with a somewhat more meaningful message than
"segmentation violation"). For the actual bugfix, change init code to
always allocate a "struct route_list" for IPv4, even if no --route options
have been seen in the config.
Fix trac#281 and trac#258.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Josh Cepek <josh.cepek@usa.net>
Message-Id: <1367608404-2257-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7581
(cherry picked from commit eb95f367348f4c2aae301cfa7c3adc8e0f2e711e)
This fixes an issue where a segfault happens in pf_cn_test() if no
packet filtering rules have been parsed. See the trac ticket for
more details.
Trac: 163 Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit 31e5f34f3c6cf3aa6f120d22c415ac74a5ba1639)
Gert Doering [Tue, 26 Mar 2013 16:09:35 +0000 (17:09 +0100)]
Fix directly connected routes for "topology subnet" on Solaris.
This basically brings back the previously-working metric setting for
directly connected routes (add a "0" to the "route add" command) on
Solaris/OpenSolaris. It was working in f0eac1a59790, and got broken
by the route.c/route.h refactoring in 576dc96ca1ef1 - the patch
un-does that change to the TARGET_SOLARIS code, plus adds some more
descriptive comments.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Josh Cepek <josh.cepek@usa.net>
Message-Id: <1364314175-20758-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7460
(cherry picked from commit 792e8956b999b6932d472e4ab592bff160e52888)
Gert Doering [Sat, 23 Mar 2013 09:28:48 +0000 (10:28 +0100)]
Add MIN() compatibility macro
commit 3b23b18dddb8f8f4a introduced usage of MIN(), and not all platforms
have the macro in "readily usable" system header files, most notably it's
missing on OpenSolaris and Android. Add macro if not defined yet.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20130323112234.GM17727@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7450
(cherry picked from commit 15ca5c297b556fbbfdee6152af26ee158222614f)
Steffan Karger [Fri, 22 Mar 2013 08:54:24 +0000 (09:54 +0100)]
Switch to IANA names for TLS ciphers.
Added translation table and functions to translate between TLS OpenSSL
and IANA (IETF) cipher suite names. The previously used OpenSSL names
are still accepted, but a deprecation warning is issued.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1363942465-3251-6-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7439 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3b23b18dddb8f8f4a6ac6959b844b63356b59e87)
Added translate_cipher name to crypto_openssl.c and crypto_polarssl.c
to translate between OpenVPN(/OpenSSL) and PolarSSL data channel
cipher algorithm names. OpenSSL does not require any translating,
PolarSSL does for a small number of algorithms. This improves on
config file compatibility between the OpenSSL and PolarSSL builds.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1363942465-3251-5-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7435 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f499b921344272eec6405955b9bad2f162f7a2f9)
Steffan Karger [Fri, 22 Mar 2013 08:54:22 +0000 (09:54 +0100)]
Improve verify_callback messages
Print the *flags argument, which - for PolarSSL-1.2 - contains the reasons
that the certificate failed (pre-)verification.
Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1363942465-3251-4-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7437 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit d572959d35e8920efb8d95d253ededee5d8a34bd)
Instead of logging the fact that an error occured, log the error code and
description (when available in the PolarSSL build).
Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1363942465-3251-3-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7440 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 0219f115f3a2711d5c51457d6e97d6930916653b)
Steffan Karger [Fri, 22 Mar 2013 08:54:20 +0000 (09:54 +0100)]
PolarSSL-1.2 support
Add support for PolarSSL-1.2, which has changed the API in several places.
This is a minimal port, new features have not been enabled. Only PolarSSL
1.2.5 and newer are accepted, as earlier versions contain unresolved
(security) issues.
Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com> Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Adriaan de Jong <dejong@fox-it.com>
Message-Id: <1363942465-3251-2-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7436 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 4a56d19fc3aa59d0eebd99f102ecaaa3665c5088)
Josh Cepek [Wed, 20 Mar 2013 18:22:25 +0000 (13:22 -0500)]
(updated) [PATCH] Warn when using verb levels >=7 without debug
On 3/20/2013 11:42, Arne Schwabe wrote:
> ACK. But I would change "debug verb" to "debug verbosity" and I think
> there should be no comma before "but"
This text change makes sense: I've adjusted it to read "NOTE: debug
verbosity..." and saved another byte removing the comma.
Updated patch attached.
--
Josh
>From d41a0237220f2fea6647a508a2ab07263e0f160b Mon Sep 17 00:00:00 2001
From: Josh Cepek <josh.cepek@usa.net>
Date: Tue, 19 Mar 2013 22:52:12 -0500
Subject: [PATCH] Warn when using verb levels >=7 without debug
This patch adds a log warning when using --verb levels at 7 or higher
when running on builds lacking debug support. Since official builds are
now built with enable_debug=no, this warning will help developers
identify why expected debug messages may not be present in log output.
The test and message output code is omitted when built with
enable_debug=yes or enable_small=yes.
Signed-off-by: Josh Cepek <josh.cepek@usa.net> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <kicup2$gfv$1@ger.gmane.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7425 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 58fbb8046b203ca23708c1765ee84330d8809266)
Josh Cepek [Thu, 21 Feb 2013 15:50:38 +0000 (09:50 -0600)]
Fix parameter listing in non-debug builds at verb 4
When built with enable_debug=no, the parameter output expected at --verb
4 is not printed due to use of #ifdef ENABLE_DEBUG in the responsible
code sections. This appears to be a mistake when looking at the
configure help text for enable_small and enable_debug.
This change keys the relevant code off of enable_small instead,
including the parameter listing when enale_small=no (the
configure-script default.) Most of this code is in options.c, with some
callers present in plugin.c/h and route.c/h. No function code is
changed, just the #ifdef values to use the small feature instead of
debug.
This means builds no longer need enable_debug=yes in order to get the
expected log output at verb 4.
Signed-off-by: Josh Cepek <josh.cepek@usa.net> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <437RBuq1U8032S07.1361465626@web07.cms.usa.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7361 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6c61d0dd339084175f6911d8b713faaf4967ca03)
Gert Doering [Mon, 11 Mar 2013 20:03:20 +0000 (21:03 +0100)]
Repair "tcp server queue overflow" brokenness, more <stdbool.h> fallout.
Return value of mbuf_len() wrong - it's returning a length value, not
a yes/no value - so when the queue length approached 65 (full!), it
still only returned "1", leading to MBUF overflow later on. Change
from "bool" to "unsigned int", misbehaviour gone...
This fixes OpenVPN trac ticket #263.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Peter Caprioli <petercap@kth.se>
Message-Id: <20130312100706.GN953@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7396 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 0eb398501fab9c016b9b6008682c43873c4a6188)
Heiko Hund [Fri, 22 Feb 2013 09:44:21 +0000 (10:44 +0100)]
make --tls-remote compatible with pre 2.3 configs
In openvpn 2.3.0 the semantics of the --tls-remote option changed.
That broke more configurations than anticipated. To not break
configurations that use --tls-remote with a legacy OpenSSL style DN
anymore, it is now detected when such a DN is configured. When
necessary the --compat-names option is then automatically enabled.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: 1361526263-1740-3-git-send-email-heiko.hund@sophos.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/7366 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ad532bba896875e56488e69ec16212a77787c57b)
Fix corner case in NTLM authentication (trac #172)
The problem is located in the file proxy.c within
"establish_http_proxy_passthru": To keep buffers small long
base64-encoded NTLM-Strings are truncated.
But the truncating is done on a wrong place: base 64 strings can be
cut every 4 chars. the buffer is 128 bytes - including the terminating
\0, so the usable data is only 127 bytes. And decoding a 127 char
base64 string fails... this is why the ntlm authentication fails in
certain cases (long strings)...
Christian Hesse [Tue, 8 Jan 2013 08:39:12 +0000 (09:39 +0100)]
fix build with automake 1.13(.1)
AM_CONFIG_HEADER has been deprecated for some time, finally it is removed
on automake 1.13. The attached patch replaces it with AC_CONFIG_HEADERS and
fixes build process with latest automake.
Heiko Hund [Mon, 4 Feb 2013 11:39:25 +0000 (11:39 +0000)]
Ignore UTF-8 byte order mark
Currently openvpn exits when reading configuration from a file
that has an UTF-8 byte order mark (EF BB BF) at its start.
While it is useless to put a BOM into UTF-8 encoded files, the
Unicode standard [1] permits it (on page 36):
"Use of a BOM is neither required nor recommended for UTF-8,
but may be encountered in contexts where UTF-8 data is converted
from other encoding forms that use a BOM or where the BOM is
used as a UTF-8 signature."
Notepad.exe, the default text editor on Windows, always puts the BOM
into UTF-8 encoded files when saving them. Others may do as well.
Just ignoring the UTF-8 BOM will make config files with UTF-8 BOM
readable.
Samuli Seppänen [Fri, 25 Jan 2013 09:59:34 +0000 (11:59 +0200)]
Cleaned up and updated INSTALL
- Changed "Supported platforms" to reflect current support status of the
mentioned operatingsystems
- Removed mentions of the obsolete Python and domake-win buildsystems
- Added mention of official Debian/RPM packages
- Added links to the Wiki
- Added mention of the new openvpn-build cross-compile environment
- Added PolarSSL to and removed pthreads from the "Optional" section
- Added mention of t_client.sh test framework
- Removed some very old (pre-2005) nuggets of (obsolete) information
- Other minor cleanups
- Some reorganization
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1359107974-1481-1-git-send-email-samuli@openvpn.net
URL: http://article.gmane.org/gmane.network.openvpn.devel/7303 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 607a678d371c56d368319b0a7a1bb147008d5822)
Matthias Andree [Sat, 12 Jan 2013 12:41:17 +0000 (13:41 +0100)]
Enable TCP_NODELAY configuration on FreeBSD.
The missing #include <netinet/tcp.h> causes a defined(TCP_NODELAY) to
fail. I have added the patch to the FreeBSD ports OpenVPN 2.2.2 and
2.3.0, and confirmed (with strings ... | grep) that the TCP_NODELAY code
is now part of the executable on amd64, and results in this log output:
Sat Jan 12 13:39:18 2013 Listening for incoming TCP connection on [undef]
Sat Jan 12 13:39:18 2013 Socket flags: TCP_NODELAY=1 succeeded
Obtained from: https://community.openvpn.net/openvpn/ticket/158
Credits to: M. Nottebrock
Signed-off-by: Matthias Andree <matthias.andree@gmx.de> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1357994477-29981-1-git-send-email-matthias.andree@gmx.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/7230 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3e86f688757529f8b33f9e6b49e31ba8d8564c5e)
Arne Schwabe [Sun, 3 Feb 2013 11:12:31 +0000 (12:12 +0100)]
Remove dead code path and putenv functionality
The construct_name_value function call will always fail so this code path
is never used. Since we now always have a valid environment in
static_context->c2.es it is better to have a ASSERT(es) than to call this
code patch.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1359889951-3369-1-git-send-email-arne@rfc2549.org
URL: http://article.gmane.org/gmane.network.openvpn.devel/7323 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Fri, 25 Jan 2013 11:39:14 +0000 (12:39 +0100)]
Update README.IPv6 to match what is in 2.3.0
IPv6 is no longer provided by external patches - all has been
integrated. Document that fact, point at the new configuration options,
and at potential caveats.
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1359113954-25768-1-git-send-email-gert@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/7305 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c2f4c1918202f4395438663804b0806c93790501)
Heiko Hund [Fri, 1 Feb 2013 14:19:14 +0000 (15:19 +0100)]
close more file descriptors on exec
Don't inherit the --status and --ifconfig-pool-persist, and on Linux
the epoll(7), file descriptors to scripts and other processes that
may be forked by plugins.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1359728354-9405-1-git-send-email-heiko.hund@sophos.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/7312 Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit 09ee4192b1d16bbd7c3c138cc2d46760a11797bf)
Gert Doering [Tue, 25 Dec 2012 12:41:50 +0000 (13:41 +0100)]
Fix client crash on double PUSH_REPLY.
Introduce an extra bool variable c2.pulled_options_md5_init_done to
keep track of md5_init state of pulled_options_state - avoid accessing
uninitialized state when a second PUSH_REPLY comes in (which only happens
under very particular circumstances).
Bug tracked down by Arne Schwabe <arne@rfc2549.rrg>.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: 20121225124856.GT22465@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/7216 Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit 1978db4b9657f0db134f1deaeb1e8400bf6a033e)
Gert Doering [Sun, 16 Dec 2012 21:15:20 +0000 (22:15 +0100)]
Fix option inconsistency warnings about "proto" and "tun-ipv6"
"tun-ipv6" is only sent in option string if running in point-to-point
mode (= not --server and not --client or --pull), because in those
scenarios it's usually pushed by the server, and the client does not
yet have it when comparing options -> needless warning.
Completely ignore "proto" values when comparing option strings - this
is in preparation for removing proto from the option string in a future
release, and to avoid warnings when 2.3 talks to this future release.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1355692520-24362-1-git-send-email-gert@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/7194 Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit 3b860cf27b9374f6ebe67ff21011661f8ec391c6)
projects / thirdparty / openvpn.git / log
