Emilien Mantel [Thu, 17 Jun 2010 19:38:59 +0000 (21:38 +0200)]
Choose a different field in X509 to be username
For my company, we use a PKI (linked to a LDAP) with OpenVPN. We can't use "CN" to be
username (few people can have the same "CN"). In our case, we only use the UID.
With my patch, you can choose another field to be username with a new option called
--x509-username-field, the default value is "CN".
Signed-off-by: Emilien Mantel <emilien.mantel@businessdecision.com> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
David's patch replaced openvpn_execve() with openvpn_run_script() in two places,
but didn't adjust the return value handling. openvpn_run_script() returns true
or false, while openvpn_execve() returns the program's exit code.
Without the fix, the --tls-verify script and the --auth-user-pass-verify
script fail to run. (I noticed the latter, but haven't actually tested the
former.)
The return value handling is fine for the other places where
openvpn_run_script() is used, because those places previously used
openvpn_execve_check() (notice the "_check" suffix).
Signed-off-by: Fabian Knittel <fabian.knittel@avona.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth [Thu, 29 Apr 2010 21:35:45 +0000 (23:35 +0200)]
Revamped the script-security warning logging (version 2)
The main task of this patch is to avoid reporting the SCRIPT_SECURITY_WARNING
over and over again, in addition to not show this warning when it should not
be a problem. This general warning should now only appear once, and only when
--script-security is not set, 0 or 1. In all other cases this warning should
not appear.
In addition, this warning will come close to the script-hook which most probably
will fail. It will also give a little bit more concrete hint on which script-hook
which failed. If --script-security is 2 or 3, only the execve failure itself will
be shown. This message will on the other hand be shown repeatedly.
This is a new rewritten version which simplifies the implementaion of the new
openvpn_run_script() function. It was considered to remove it completely, but
due to code clearity and easy of use it was decided to make this function a static
inline function instead. Anyhow, this function will enforce openvpn_execve_check()
to be called with the S_SCRIPT flag.
Patch ACKed on the developers meeting 2009-04-29.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
David Sommerseth [Thu, 22 Apr 2010 21:01:31 +0000 (23:01 +0200)]
Fix dependency checking for configure.h (v2)
Alon Bar-Lev indicated commit f27bf509315a48b0070294c3993a718df0c2626c
was missing proper dependency checking. This patch corrects this and
fixes an issue when creating configure.h via make distcheck.
This is an enhanced version of the one sent to the openvpn-devel mailing
list April 13, 2010 [1], after having received some feedback from Gert
Doering, cleaning up configure_log.awk further.
Add comile time information/settings from ./configure to --version
This patch will create ./configure.h which will contain two new #define
strings. CONFIGURE_DEFINES will contain all USE, ENABLED, DISABLED and
DEPRECATED defines from ./config.h. CONFIGURE_CALL will contain the
complete ./configure line which was used when configuring the package
for building.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
Wil Cooley [Tue, 2 Mar 2010 20:54:15 +0000 (21:54 +0100)]
pkitool lacks expected option "--help"
The pkitool script lacks the "--help" parameter to actually display the
usage statement; most people are conditioned to try that before running the
command without options. This patch adds that and "--version" to display
just the program name and version.
Karl O. Pinc [Tue, 2 Mar 2010 20:41:06 +0000 (21:41 +0100)]
Several updates to openvpn.8 (man page updates)
This is a collection of 4 patches sent to the -devel mailing list:
* [PATCH] Frob the openvpn(8) man page tls-verify section to clarify
* [PATCH] More improvments to openvpn(8) --tls-verify
* [PATCH] Yet another tweak of openvpn(8) --tls-verify
* [PATCH] Final frobbing of openvpn(8) --tls-verify
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
It should be nice to enhance tls-verify check possibilities against peer
cert during a pending TLS connection like :
- OCSP verification
- check any X509 extensions of the peer certificate
- delta CRL verification
- ...
This patch add a new "tls-export-cert" option which allow to get peer
certificate in PEM format and to store it in an openvpn temporary file.
Peer certificate is stored before tls-script execution and deleted after.
The name of the related temporary file is available under tls-verify
script by an environment variable "peer_cert".
The patch was made from OpenVPN svn Beta21 branches.
Here is a very simple exemple of Tls-verify script which provide OCSP
support to OpenVPN (with tls-export-cert option) without any OpenVPN
"core" modification :
X509=$2
openssl ocsp \
-issuer /etc/openvpn/ssl.crt/RootCA.pem \
-CAfile /etc/openvpn/ssl.capath/OpenVPNServeur-cafile.pem \
-cert $peer_cert \
-url http://your-ocsp-url
if [ $? -ne 0 ]
then
echo "error : OCSP check failed for ${X509}" | logger -t
"tls-verify"
exit 1
fi
This has been discussed here:
<http://thread.gmane.org/gmane.network.openvpn.devel/2492>
<http://thread.gmane.org/gmane.network.openvpn.devel/3150>
<http://thread.gmane.org/gmane.network.openvpn.devel/3217>
This patch has been modified by David Sommerseth, by fixing a few issues
which came up to during the code review process. The man page has been
updated and tmp_file in ssl.c is checked for not being NULL before calling
delete_file().
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Mon, 15 Feb 2010 22:15:44 +0000 (23:15 +0100)]
Reworked the eurephia patch for inclusion to the openvpn-testing tree
Addedd configure option (--disable-eurephia) to disable the code which the
eurephia plug-in depends on.
It was chosen to use --disable-eurephia, as this patch is not much intrusive. It
just enables a SHA1 fingerprint environment variable for each certificate being
used for the connection.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Gert Doering [Thu, 21 Oct 2010 08:35:29 +0000 (10:35 +0200)]
Fix problem with special case route targets ('remote_host')
The init_route() function will leave &netlist untouched for
get_special_addr() routes ("remote_host" being one of them).
netlist is on stack, contains random garbage, and netlist.len
will not be 0 - thus, random stack data is copied from
netlist.data[] until the route_list is full.
This issue has been reported several places lately:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=600166
http://thread.gmane.org/gmane.network.openvpn.devel/4083
https://forums.openvpn.net/viewtopic.php?f=1&t=7201&p=8168
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth [Fri, 17 Sep 2010 15:10:25 +0000 (17:10 +0200)]
Fixed compiler warnings reported on Ubuntu 10.04
The warnings reported where:
--------------------------------------------------------
misc.c:158: warning: ignoring return value of ‘nice’, declared with attribute warn_unused_result
options.c:4033: warning: format not a string literal and no format arguments
options.c:4043: warning: format not a string literal and no format arguments
options.c:4053: warning: format not a string literal and no format arguments
push.c:182: warning: format not a string literal and no format arguments
push.c:199: warning: format not a string literal and no format arguments
push.c:235: warning: format not a string literal and no format arguments
status.c:171: warning: ignoring return value of ‘ftruncate’, declared with attribute warn_unused_result
--------------------------------------------------------
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Peter Stuge <peter@stuge.se>
Gert Doering [Tue, 10 Aug 2010 10:39:28 +0000 (12:39 +0200)]
Build t_client.sh by configure at run-time.
This is now built using "configure", knows how to find "ip", "ifconfig" and "netstat" (configure
does the work :-) ), *and* has been tested on Solaris (works!).
extend configure.ac to find "netstat" binary and to chmod +x "t_client.sh"
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Gert Doering [Sun, 8 Aug 2010 19:24:30 +0000 (21:24 +0200)]
full "VPN client connect" test framework for OpenVPN
Run from "make check" if "t_client.rc" is found in workdir or srcdir
(copy t_client.rc-sample, fill in specifics for your test server)
How does it work?
- you run "sudo make check" (needs root access to configure tun if!)
- t_client.sh reads t_client.rc from current dir or ${srcdir}
- t_client.rc defines a number of "test suffixes" to run (could be
"1" "2" "3" or "p2m", "p2p", "special" or whatever you like), and
for each suffix, there's config variables to specify
- how to call OpenVPN
- which hosts to ping for IPv4 and IPv6 when OpenVPN is up
(and actually before starting OpenVPN - to make the test more
meaningful, I have decided that the test hosts must not ping
before the tests starts)
- which addresses must show up in the output of "ifconfig" after
OpenVPN has started
- all variables except OPENVPN_CONF_<x> are optional
(this should all be fairly obvious from looking at t_client.rc-sample)
- the script wants to connect to a well-defined OpenVPN server that
will assign well-known IPv4 (and IPv6) addresses, have well-defined
pingable addresse, etc. - so you need to setup the test server before
the script is useful for you. (Whether you use certificates or
username/password is up to you, you could even mix and match - run
one test with certs, and one with user/pass against different target
ports... :-) )
[we *could* run a "reference server" somewhere and ship a sample
t_client.rc + cert so that users could use this right away, but I
do not currently have the resources to run such a public server]
- whatever the script does is logged to a newly created directory
below the current directory (openvpn output, ifconfig+route before
starting OpenVPN, while running it, after ending it)
- important: at least on NetBSD and OpenBSD, the script will print
one failure, because the tun0 interface created is not destroyed
after openvpn ends. For OpenBSD, I have changed close_tun() to
do so ("ifconfig tun0 destroy"), for NetBSD I have not yet changed
anything - but I strongly believe that the output of "ifconfig+route"
should be reverted to exactly how it looked like before OpenVPN
was started, so I consider this a bug in the NetBSD-specific bits
of OpenVPN (and will look into this).
- the test framework has been tested on Linux, NetBSD and OpenBSD.
It *should* work fine on FreeBSD and Solaris.
It works on MacOS X (but the output looks funny, because /bin/sh
does not implement "echo -e" - need to add configure trickery)
It will *not* work on Windows yet - I haven't looked into what's
needed to make it work (background processes and signals in mingw
bash?), maybe it's as easy as adding the necessary "ipconfig" and
"netsh" commands to print interface + routing config...
- I have only tested "connect via IPv4 transport, use IPv4+IPv6 payload",
but the framework is generic enough that "connect via IPv6 transport"
should work just fine (just setup OPENVPN_CONF_x accordingly in the
t_client.rc).
- this is neither finished nor pretty, but it helps me a *lot* in
quickly testing whether I broke anything when fiddling system-dependent
code (tun.c, route.c) across multiple build hosts - so I hope this
is going to be fairly useful to Samuli and the buildbot :-)
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
When compiling against OpenSSL v1.0.0, the following compiler warnings
appears.
ssl.c: In function ‘verify_callback’:
ssl.c:944: warning: passing argument 1 of ‘sk_num’ from incompatible
pointer type
/usr/include/openssl/stack.h:79: note: expected ‘const struct _STACK *’
but argument is of type ‘struct stack_st_X509_REVOKED *’
ssl.c:947: warning: passing argument 1 of ‘sk_value’ from incompatible
pointer type
/usr/include/openssl/stack.h:80: note: expected ‘const struct _STACK *’
but argument is of type ‘struct stack_st_X509_REVOKED *’
ssl.c: In function ‘init_ssl’:
ssl.c:1565: warning: passing argument 1 of ‘sk_num’ from incompatible
pointer type
/usr/include/openssl/stack.h:79: note: expected ‘const struct _STACK *’
but argument is of type ‘struct stack_st_X509 *’
ssl.c: In function ‘print_details’:
ssl.c:1766: warning: assignment discards qualifiers from pointer target type
Gert Doering [Fri, 9 Jul 2010 08:24:46 +0000 (10:24 +0200)]
Fix compile problems on NetBSD and OpenBSD
Configure will not find <net/if.h> due to missing <sys/types.h> in the test program,
and thus, tun.c will fail to compile with missing symbol IFF_MULTICAST.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: krzee <jeff@doeshosting.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This is a fix for trac ticket #20,
<https://community.openvpn.net/openvpn/ticket/20>
which was started in the sf.net bug tracker:
<http://sourceforge.net/tracker/?func=detail&aid=2078470&group_id=48978&atid=454719>
The implemented solution is to give a warning for each of the different script hooks
available. The last configured script will override any earlier configured scripts,
to ensure that the command line can override the configuration file.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
Davide Brini [Sun, 2 May 2010 09:07:38 +0000 (11:07 +0200)]
Exclude ping and control packets from activity
Problem: using --ping and --inactive together partially defeats the
point of using --inactive as periodic ping packets are counted as
activity. Here is the original discussion:
It turns out that "activity" is detected and recorded in two places
in the code, both in forward.c: in process_outgoing_tun() for received
packets, after they've been decrypted and sent to the TUN device; and
in process_outgoing_link(), after they've been encrypted and written
to the network socket.
In the first case we can be sure that packets that get so far are
really due to user activity, whereas in the second case there can be
non-user packets (like OpenVPN's internal ping packets, and TLS control
packets), and those should not be counted as activity as they are not
coming from the user.
So a need arises to detect those control packets and not count them as
activity for the purposes of --inactive. Unfortunately, at that stage
packets are already compressed and encrypted, so it's not possible to
look into them to see what they are. However, there seems to be a
convention in the code that packets whose buffer length in the context_2
structure is 0 should be ignored for certain purposes. TLS control
packets follow that convention already, so this patch makes a small
change in the code that generates the ping packets to set their buffer
length to 0 as well.
Finally, the call to register_activity() in process_outgoing_link() is
made conditional to the buffer length being > 0.
According to my tests, now --inactive behaves correctly according to
the configured parameters (time or time+bytes) even when --ping is
being used.
forward.c:
Call register_activity() in process_outgoing_link() only if the
packet is not a ping or TLS control packet.
openvpn.8:
Updated the description of --inactive to describe the new semantics.
ping.c:
Set c->c2.buf.len = 0 after the ping packet has been generated and
encrypted.
Test routine is described here:
<https://community.openvpn.net/openvpn/wiki/PingInactivePatch?version=6>
Signed-off-by: Davide Brini <dave_br@gmx.com> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
When the client sends PUSH_REQUESTS, it waits until the server sends PUSH_REPLY.
If the server do not have anything to push to the client nothing happens. The
client will then regularly send new PUSH_REQUESTS until it gets an answer, which
results in not completing the connection negotiation.
This patch makes the server send an empty PUSH_REPLY when it has nothing to more
to push to the client.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
chantra [Fri, 11 Jun 2010 14:23:03 +0000 (16:23 +0200)]
Handle non standard subnets in PF grammar
Allow subnets for like 192.168.100.8/28 to be understood. A warning
will be logged when subnet is incorrect and is being corrected to what
is assumed to be correct.
Signed-off-by: chantra <chantra@debuntu.org> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth [Sun, 16 May 2010 17:42:40 +0000 (19:42 +0200)]
OCSP_check.sh: new check logic
contrib/OCSP_check/OCSP_check.sh:
I discovered that, quite surprisingly, the exit status of "openssl ocsp"
is 0 even if the certificate status is "revoked". This means that the
logic of the script needs to be rewritten so that it parses the output
returned by the query and explicitly looks for a
"0x<serial number>: good"
line, and exit if either the command has a non-zero exit status, or the
above line is not found.
Doing that portably without bashisms requires some juggling around, so
perhaps the code is slightly less clean now, but it does have many
comments.
Signed-off-by: Davide Brini <dave_br@gmx.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth [Mon, 26 Apr 2010 07:50:30 +0000 (09:50 +0200)]
Avoid repetition of "this config may cache passwords in memory" (v2)
For OpenVPN clients with long living connections, this message is repeated
everytime the connection is renegotiated. This patch removes this behaviour
and will only show this warning once.
Patch ACKed on the developers meeting 2009-04-29.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
contrib/OCSP_check/OCSP_check.sh:
New barebone script to demonstrate how to use $tls_serial_{n}
to perform simple OCSP queries using OpenSSL command line
"openssl ocsp". Minimal sanity checks to fail if user tries to
use it without customizing.
openvpn.8:
Added some notes about $tls_serial_{n} format and usage to the
existing description.
ssl.c:
correctly manage and export serial numbers of any size (as
parsed by OpenSSL) into the environment. Set to empty string
in case of errors, as 0 and negative numbers are all possible
(although illegal) certificate serial numbers. Use an OpenSSL
BIO object to do the job. Conforms to coding style guidelines.
In commit a9c9a89e96dc1e4e843e05ecadc4349b81606b06 the
client.{up,down} scripts where overhauled and bashism was removed.
During that process, a #! change was missing.
Signed-off-by: Davide Brini <dave_br@gmx.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
- No more bashisms (AFAICT). Should work with any POSIX-compatible shell
(which means "almost all reasonably recent shells"), though I've only tested
with bash and dash.
- Unnecessary calls to external tools (sed) removed
- Manages multiple DNS and DOMAIN options. Each DNS option becomes a
"nameserver" line in the new resolv.conf (up to a maximum of 3). If there's a
single DOMAIN option, it becomes a "domain" line in resolv.conf; otherwise,
all the domains are listed in a "search" line in resolv.conf (eg "search
foo.com example.net").
- Client.up renames the existing resolv.conf and creates a brand new one;
client.down restores it from the saved copy when the VPN terminates (the usual
rules about running as root apply). This is how Gentoo does that; the old
scripts instead added/removed some lines at the beginning of the file, which
looks a less clean approach to me. The rename approach also dramatically
simplifies and shortens client.down, as you'll see.
- Uses resolvconf if it's available (detected by the presence of
/sbin/resolvconf) rather than writing to resolv.conf directly. Not sure
whether this is a Linux-only thing or other systems use it though.
Script has been smoke tested on Fedora 12 with OpenVPN 2.1.1 without
the resolvconf package , and in addition Debian Lenny with
OpenVPN 2.1_rc11 according to the patch.
Signed-off-by: Davide Brini <dave_br@gmx.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth [Fri, 16 Apr 2010 20:09:48 +0000 (22:09 +0200)]
Renamed all calls to create_temp_filename()
All places where create_temp_filename() was called are now calling
create_temp_file(). Extra checks on the result of create_temp_file()
is added in addition.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Fri, 16 Apr 2010 20:02:36 +0000 (22:02 +0200)]
Harden create_temp_filename() (version 2)
By hardening the create_temp_filename() function to check if the generated
filename exists and to create the temp file with only S_IRUSR|S_IWUSR bit
files set before calling the script, it should become even more difficult to
exploit such a scenario.
After a discussion on the mailing list, Fabian Knittel provided an enhanced
version of the inital patch which is added to this patch.
This patch also renames create_temp_filename() to create_temp_file(), as this
patch also creates the temporary file. The function returns the filename of the
created file, or NULL on error.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: Fabian Knittel <fabian.knittel@avona.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Jan Brinkmann [Sun, 28 Feb 2010 22:29:29 +0000 (23:29 +0100)]
The man page needs dash escaping in UTF-8 environments
There was a debian bugreport which was filed in 2005 . It was patched but
it seems that nobody forwarded the patch to the openvpn project itself.
The problem is quite simple:
The dashes for options (the double dashes) are not escaped. This causes
trouble in relationship with utf-8 .
Since the bugreport was closed it was patched within the debian/ubuntu
packages itself. I've attached the patch to get it atleast reviewed by the
openvpn project itself.
See <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=296133> for details.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Tested-by: Jan Just Keijser <janjust@nikhef.nl> Tested-by: Pavel Shramov <shramov@mexmat.net> Tested-by: Samuli Seppänen <samuli@openvpn.net>
Daniel Johnson [Tue, 30 Mar 2010 13:54:44 +0000 (15:54 +0200)]
When I began testing OpenVPN v2.1_rc9 I was having trouble authenticating to the MS Active Directory through auth-pam and Samba. I used the following line in my configs (without the linebreak of course):
Finally I turned on more verbose logging and found that the plugin did
not recognize "USERNAME" as something to replace, because it expected
the string to be surrounded by whitespace. I wrote the following patch
to correct this. I hope you find it useful,
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
After having disucssed this patch on IRC (#openvpn-discussions)
March 4, 2010, it was decided to accept this patch when not modifying
TARGET_* defines through out the code. Further, in a mail comment
Alon Bar-Lev had some other comments of what would be needed to be done.
Mail reference:
<http://thread.gmane.org/gmane.network.openvpn.devel/3176>
This patch has been tested by bootstrapping the code on a RHEL4.6 box.
with the following autotools packages installed:
autoconf-2.59-5
automake-1.9.2-3
libtool-1.5.6-4.EL4.2
It builds cleanly and 'make check' passes.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net> Acked-by: Alon Bar-Lev <alon.barlev@gmail.com>
Jan Brinkmann [Sun, 28 Feb 2010 22:29:29 +0000 (23:29 +0100)]
The man page needs dash escaping in UTF-8 environments
There was a debian bugreport which was filed in 2005 . It was patched but
it seems that nobody forwarded the patch to the openvpn project itself.
The problem is quite simple:
The dashes for options (the double dashes) are not escaped. This causes
trouble in relationship with utf-8 .
Since the bugreport was closed it was patched within the debian/ubuntu
packages itself. I've attached the patch to get it atleast reviewed by the
openvpn project itself.
See <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=296133> for details.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Tested-by: Jan Just Keijser <janjust@nikhef.nl> Tested-by: Pavel Shramov <shramov@mexmat.net> Tested-by: Samuli Seppänen <samuli@openvpn.net>
Dan Nelson [Sun, 28 Feb 2010 21:09:18 +0000 (22:09 +0100)]
bash->bourne script cleanup
Many of the scripts in the openvpn source have their shell set to
/bin/bash, but only two use bash features. The attached patch (against
openvpn-2.1_rc9) sets the shell on the rest of the scripts to /bin/sh for
better portability. The only scripts that actually require bash are
contrib/pull-resolv-conf/client.{up,down} ; they use the ${!var} variable
indirection feature.
Enrico Scholz [Sun, 28 Feb 2010 13:40:57 +0000 (14:40 +0100)]
Allow 'lport 0' setup for random port binding
I am running a multihomed host where 'local <extip>' must be specified
for proper operation. Unfortunately, this implies 'lport 1194' or
another static port.
This causes problems with stateful firewalls which register the host/port
pairs in the internal connection tracking table. On ungraceful reconnects,
the new TCP connection will have same the host/port pairs but unexpected
sequence numbers. The new connection will be assumed as invalid hence and
be dropped.
It would be nice when local port can be configured to be bound to a
random port number. After reading code,
| else if (streq (p[0], "lport") && p[1])
| ...
| port = atoi (p[1]);
|- if (!legal_ipv4_port (port))
|+ if (port != 0 && !legal_ipv4_port (port))
| {
in options.c seems to be the only required change.
This has been discussed here:
<http://thread.gmane.org/gmane.network.openvpn.user/28622>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Fri, 19 Feb 2010 16:32:56 +0000 (17:32 +0100)]
verb 5 logging wrongly reports received bytes
With --verb 5, openvpn logs a single letter (rwRW) for each package
received or sent. I recently ran into a problem with the tun device on
Linux where the read from that device returned 0. Unfortunately this was
also logged as "r", which made me assume that openvpn had received
something, while it actually hadn't.
(See https://dev.openwrt.org/ticket/6650 for the bug that made me find out
about this problem with openvpn.)
I'm attaching a patch which prevents openvpn from logging "r" or "R" when
it didn't actually read anything. This is against openvpn 2.1-rc20, but
probably still applies to the most recent version.
This patch was received anonymously via the sf.net bug tracker:
<http://sourceforge.net/tracker/?func=detail&atid=454719&aid=2951003&group_id=48978>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Karl O. Pinc [Thu, 18 Feb 2010 20:30:48 +0000 (21:30 +0100)]
[PATCH] Change verify-cn so cn is no longer hardcoded in openvpn's config file
This patch should be easy to process.
A resubmission of the patch sent to this list on 04/23/2009.
The patch changes the verify-cn script sample
to be used with --tls-verify so that instead of having
to hardcode a cn to verify in the OpenVPN configuration file
the allowed cns may be written into a separate file.
This makes the process of verifying cns a whole
lot more dynamic, to the point where it is useful
in the real world.
One problem with this patch is that it is backwards
incompatible. I did not bother keeping the original
calling interface as A) it's a sample script, and B) the
original's functionality seems useless
and equalivant functionality is easily available
with the new script.
The problem with the original is that there seems
little point in verifying a client's cn when all
the clients share one cn, as would have to be
the case when the cn is hardcoded into the openvpn
config file.
This patch applies against the testing allmiscs branch,
and should apply against any of the other testing
branches as well.
It works for me. I've tested it throughly but not
used it extensively in production.
Regards,
Karl <kop@meme.com>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Eric F Crist <ecrist@secure-computing.net>
James Yonan [Fri, 20 Aug 2010 20:24:42 +0000 (20:24 +0000)]
Attempt to fix issue where domake-win build system was not properly
signing drivers and .exe files.
Added win/tap_span.py for building multiple versions of the TAP driver
and tapinstall binaries using different DDK versions to span from Win2K
to Win7 and beyond.
James Yonan [Sun, 15 Aug 2010 21:53:00 +0000 (21:53 +0000)]
Windows security issue:
Fixed potential local privilege escalation vulnerability in
Windows service. The Windows service did not properly quote the
executable filename passed to CreateService. A local attacker
with write access to the root directory C:\ could create an
executable that would be run with the same privilege level as
the OpenVPN Windows service. However, since non-Administrative
users normally lack write permission on C:\, this vulnerability
is generally not exploitable except on older versions of Windows
(such as Win2K) where the default permissions on C:\ would allow
any user to create files there.
Credit: Scott Laurie, MWR InfoSecurity
James Yonan [Tue, 27 Jul 2010 07:10:01 +0000 (07:10 +0000)]
Fixed an issue where application payload transmissions on the
TLS control channel (such as AUTH_FAILED) that occur during
or immediately after a TLS renegotiation might be dropped.
James Yonan [Sat, 10 Jul 2010 03:04:27 +0000 (03:04 +0000)]
Fixed bug in proxy fallback capability where openvpn.exe could
core dump if http-proxy-fallback-disable command was issued in
response to ">PROXY:NEED_NOW management" interface notification.
James Yonan [Thu, 10 Jun 2010 03:17:21 +0000 (03:17 +0000)]
Fixed issue where bad creds provided by the management interface
for HTTP Proxy Basic Authentication would go into an infinite
retry-fail loop instead of requerying the management interface for
new creds.
James Yonan [Mon, 24 May 2010 22:51:16 +0000 (22:51 +0000)]
Implemented http-proxy-override and http-proxy-fallback directives to make it
easier for OpenVPN client UIs to start a pre-existing client config file with
proxy options, or to adaptively fall back to a proxy connection if a direct
connection fails.
James Yonan [Sat, 6 Mar 2010 15:38:23 +0000 (15:38 +0000)]
Fixed an issue where if reneg-sec was set to 0 on the client,
so that the server-side value would take precedence,
the auth_deferred_expire_window function would incorrectly
return a window period of 0 seconds. In this case, the
correct window period should be the handshake window
period.
James Yonan [Fri, 26 Feb 2010 10:26:45 +0000 (10:26 +0000)]
Fixed an issue in the Management Interface that could cause
a process hang with 100% CPU utilization in --management-client
mode if the management interface client disconnected at the
point where credentials are queried.
james [Tue, 12 Jan 2010 18:26:22 +0000 (18:26 +0000)]
When aborting in a non-graceful way, try to execute do_close_tun in
init.c prior to daemon exit to ensure that the tun/tap interface is
closed and any added routes are deleted.
james [Fri, 11 Dec 2009 23:44:34 +0000 (23:44 +0000)]
Fixed some breakage in openvpn.spec (which is required to build an
RPM distribution) where it was referencing a non-existent
subdirectory in the tarball, causing it to fail (patch from
David Sommerseth).
james [Thu, 10 Dec 2009 23:50:03 +0000 (23:50 +0000)]
Fixed a couple issues in sample plugins auth-pam.c and down-root.c:
1. Fail gracefully rather than segfault if calloc returns NULL.
2. The openvpn_plugin_abort_v1 function can potentially be called
with handle == NULL. Add code to detect this case, and if
so, avoid dereferencing pointers derived from handle.
(Thanks to David Sommerseth for finding this bug).
james [Thu, 19 Nov 2009 16:42:51 +0000 (16:42 +0000)]
Fixed a client-side bug that occurred when the "dhcp-pre-release"
or "dhcp-renew" options were combined with "route-gateway dhcp".
The problem is that the IP Helper functions for DHCP release and
renew are blocking, and so calling them from a single-threaded
client stops tunnel traffic forwarding, and hence breaks
"route-gateway dhcp" which requires an active tunnel. The fix is
to call the IP Helper functions for DHCP release and renew from
another process.
projects / thirdparty / openvpn.git / log
