Steffan Karger [Sat, 28 Nov 2015 10:38:25 +0000 (11:38 +0100)]
Fix rand_bytes return value checking
This patch is in response to an off-list report by Sebastian Krahmer of
the SuSE security team. Sebastian noticed we do not check the return
value of rand_bytes() in prng_bytes(), which we really should.
Failing to check the return value occurs if no prng is used (i.e. in
static key mode, or when explicitly disabled using --prng none).
prng_bytes() is used for generating IVs, session IDs and filenames.
The impact of failing to check the return value seems very limited:
Not generating random file names or session IDs could cause collisions in
(temporary) file names and/or session IDs. These in turn could cause
availability issues, but would not result in a breach in confidentiality
and/or integrity.
Our CBC mode protocol uses a packet id (timestamp + packet counter in
static key mode, or just the packet counter in TLS mode) at the start of
each packet (by default, but can be disabled using --no-iv and
--no-replay). Because the timestamp and packet counter are not
controllable by an attacker, it is not clear how predictable or even
repeating IVs could be used to mount an attack. (Note that the fact that
*I* can't find or come up with an attack is not a very strong argument,
this remains somewhat worrisome.)
CFB and OFB modes are not affected, because they do not rely on the prng
for IVs.
Finally, RAND_bytes() actually failing is quite unlikely, as that would
result in all sorts of other problems we should have heard about.
Of course, we still really should fix this, so this patch adds return
value checking of rand_bytes() inside prng_bytes(). The ASSERT() might be
a bit crude, so a follow-up patch that adds a return value to prng_bytes()
and proper return value checking probably makes sense. But at least this
is a quick and simple fix for the issue at hand.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1448707105-10753-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10636
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Sat, 28 Nov 2015 10:38:24 +0000 (11:38 +0100)]
openssl: properly check return value of RAND_bytes()
This patch is in response to an off-list report by Sebastian Krahmer of
the SuSE security team. Sebastian noticed we do not check the return
value of RAND_bytes() correctly.
The RAND_bytes() man page first says "RAND_bytes() returns 1 on success,
0 otherwise.", but then a bit later "Both functions return -1 if they are
not supported by the current RAND method.". This second case was not
covered by our return value checking.
Note that if RAND_bytes() would return -1, it would *always* return -1 and
fail to generate random.
Also note that if RAND_bytes() would return -1, it would do so too in the
openssl internal ssl functions. The openssl internal functions do check the
return value properly, and connection setup would fail altogether. If
that would be at least somewhat common, we would have received a *lot* of
bug reports. In other words, the error affects static key setups only,
and seems highly unlikely to occur in actual setups.
Only builds using OpenSSL as the crypto backend are affected.
This patch:
1. Changes the behaviour of rand_bytes() in openssl builds to match what
the doxygen claims (and polarssl builds already do).
2. Adds error reporting for RAND_bytes() failures.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1448707105-10753-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10637
Signed-off-by: Gert Doering <gert@greenie.muc.de>
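The failure mode behind the two commit messages above (unchecked rand_bytes() in prng_bytes(), and RAND_bytes() returning -1), as an added example that is not OpenVPN's code. `fake_RAND_bytes()` is a stand-in for OpenSSL's RAND_bytes() so the block builds without libcrypto; `rand_bytes_loose()`, `rand_bytes_strict()`, `make_iv()` and the other helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IV_LEN 16

/* Stand-in for OpenSSL's RAND_bytes() (assumption: lets the example build
 * without libcrypto). It returns whatever fake_rand_result holds, using the
 * values the man page documents: 1 = success, 0 = failure, -1 = not
 * supported by the current RAND method. The buffer is written on success only. */
static int fake_rand_result = 1;

static int fake_RAND_bytes(uint8_t *buf, int num)
{
    if (fake_rand_result == 1)
        memset(buf, 0xA5, (size_t)num); /* constructed filler, not random */
    return fake_rand_result;
}

/* Loose wrapper (hypothetical): hands the raw return value to the caller,
 * so a caller testing "if (!rand_bytes_loose(...))" treats -1 as success. */
static int rand_bytes_loose(uint8_t *out, int len)
{
    return fake_RAND_bytes(out, len);
}

/* Strict wrapper (hypothetical): only the value 1 counts as success. */
static int rand_bytes_strict(uint8_t *out, int len)
{
    return fake_RAND_bytes(out, len) == 1;
}

typedef int (*rand_fn)(uint8_t *out, int len);

/* Fill an IV through the given wrapper, with a truthiness check on its result.
 * Returns 1 if the caller would go on to use the IV, 0 if it would abort. */
static int make_iv(rand_fn rng, uint8_t iv[IV_LEN])
{
    memset(iv, 0, IV_LEN);
    if (!rng(iv, IV_LEN))
        return 0;
    return 1;
}

/* Returns 1 if every IV byte is still zero, i.e. nothing was generated. */
static int iv_untouched(const uint8_t iv[IV_LEN])
{
    for (int i = 0; i < IV_LEN; i++)
        if (iv[i] != 0)
            return 0;
    return 1;
}

/* Returns 1 when the caller would proceed with an IV that was never generated. */
static int uses_ungenerated_iv(rand_fn rng, int rand_result)
{
    uint8_t iv[IV_LEN];

    fake_rand_result = rand_result;
    return make_iv(rng, iv) && iv_untouched(iv);
}

int main(void)
{
    static const int results[] = { 1, 0, -1 };

    for (size_t i = 0; i < sizeof(results) / sizeof(results[0]); i++) {
        printf("RAND_bytes=%2d  loose uses ungenerated IV: %d  strict: %d\n",
               results[i],
               uses_ungenerated_iv(rand_bytes_loose, results[i]),
               uses_ungenerated_iv(rand_bytes_strict, results[i]));
    }
    return 0;
}
```

Only the -1 case separates the two wrappers: the loose one reports success while the IV buffer is still all zeros, which is the predictable, repeating IV the first commit message worries about.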
David Sommerseth [Wed, 11 Nov 2015 13:01:39 +0000 (14:01 +0100)]
Avoid partial authentication state when using --disabled in CCD configs
If an openvpn server is configured with --client-config-dir and a client
configuration file contains 'disabled', it is supposed to tell the client
it is not authorized to use the service.
This patch will ensure that the internal state in this scenario is a
complete CAS_FAILED state, and not CAS_PARTIAL if other authorization
steps passed.
Trac: #521
Tested-by: Eric Crist <ecrist@secure-computing.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1447246899-22769-1-git-send-email-openvpn@sf.lists.topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10486
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Mon, 23 Nov 2015 20:58:55 +0000 (21:58 +0100)]
Fix memory leak in add_option() by simplifying get_ipv6_addr
If get_ipv6_addr() would fail *after* allocating memory for ipv6_local,
add_option() would fail to free that memory.
The fix here is to remove the allocation from get_ipv6_addr(), and create
a separate function for the strip-and-allocate, such that failures are
easier to handle.
v2 - remove free(options->ifconfig_ipv6_local), since that is now handled
by a garbage collector.
Memory leak found by coverity (in 2011!).
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1448312335-25908-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10573
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7e618994f3112ff4b29b9f08d087fb558636a6af)
Gert Doering [Mon, 23 Nov 2015 19:47:42 +0000 (20:47 +0100)]
Fix info.af == AF_UNSPEC case for server with --mtu-disc
Commit 2bed089d31a12c2 introduced "AF_UNSPEC" sockets when we do not know
the actual address family yet - for the "bind local" case, getaddrinfo()
will tell us what to do, but that information never made it into
sock->info.af - so, make it. Otherwise, trying to call --mtu-disc
on an OpenVPN server will cause a M_FATAL error in set_mtu_discovery())
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Christian Pellegrin <chripell@google.com>
Message-ID: <20151121200637.GD24952@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10547
Lev Stipakov [Tue, 17 Nov 2015 09:33:47 +0000 (11:33 +0200)]
Notify clients about server's exit/restart
When server exits / restarts (gets SIGUSR1, SIGTERM, SIGHUP, SIGINT) and
explicit-exit-notify is set, server sends RESTART control channel
command to all clients and reschedules received signal in 2 secs.
When client receives RESTART command, it either reconnects to the same
server or advances to the new one, depending on the parameter that comes
with the RESTART command - behavior is controlled by explicit-exit-notify
in the server config.
v4:
- Rebase on top of master
- Remove #ifdef ENABLE_OCC around
connection_entry->explicit_exit_notification
since it is also used outside of OCC context
- Update usage message
v3:
- Use control channel "RESTART" command instead of new OCC code to
notify clients
- Configure on the server side (by value of explicit-exit-notify) if
client should reconnect to the same server or advance to the next one
- Fix compilation when OCC is disabled (--enable-small)
- Update man page
v2:
- Take into use explicit-exit-notify on the server side
- OCC_SHUTTING_DOWN renamed to OCC_SERVER_EXIT
- Code prettifying
Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1447752827-16720-1-git-send-email-lstipakov@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10515
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Tue, 17 Nov 2015 02:48:09 +0000 (21:48 -0500)]
Handle ctrl-C and ctrl-break events on Windows
v2 changes
- cleaner, hopefully easier to get a code review :)
- handles both console mode and service mode
-- >8 --
Handle ctrl-C or ctrl-Break sent to the console as a SIGTERM.
Depending on the console mode, windows delivers ctrl-C as a
keyboard input or as a signal. We handle both cases. This allows
graceful termination of openvpn from programs such as nssm.
Works in both console mode and service mode.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1447728489-14991-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10513
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Sat, 21 Nov 2015 11:41:00 +0000 (12:41 +0100)]
polarssl: don't use deprecated functions anymore
A number of functions were deprecated in polarssl 1.3.11. Stop using
these, and use their alternatives instead.
This enables (and also almost forces) us to move the pkcs11 and external
key logic from the per-connection setup (key_state_ssl_init()) to the
per-instance setup (tls_ctx_use_{pkcs11,external_private_key}()).
Note that tls_ctx_use_external_private_key() is now placed right below
external_pkcs1_sign() and external_key_len(), instead of right above,
because it now needs to be aware of those static functions.
Steffan Karger [Sat, 21 Nov 2015 10:22:04 +0000 (11:22 +0100)]
polarssl: also allocate PKCS#11 certificate object on demand
Commit 444a93ea changed certificate allocation to be postponed until
actual usage to fix --client-cert-not-required / --verify-client-cert
for PolarSSL builds. However, I forgot to allocate when using pkcs11
(because that code does not use the tls_ctx_load_cert_file() function).
And while we're at it, use ALLOC_OBJ_CLEAR() instead of malloc + manual
check.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1448101324-20310-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10543
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Michal Ludvig [Sun, 11 Oct 2015 08:44:20 +0000 (10:44 +0200)]
Support for username-only auth file.
Make OpenVPN read the username from the auth file
parameter of --auth-user-pass and prompt for a
password if it's not in the file.
Rationale: Prior to this change OpenVPN either
required both username and password present in the
auth file or prompted for both on the console.
Unlike passwords usernames usually don't change and
can therefore be "hardcoded" in the config.
Signed-off-by: Michal Ludvig <mludvig@logix.net.nz>
Reviewed and updated to current master.
Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1444553060-15946-1-git-send-email-dejong@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10255
Lev Stipakov [Wed, 11 Nov 2015 11:48:07 +0000 (13:48 +0200)]
Use adapter index instead of name for windows IPv6 interface config
Some windows machines get weird issues with netsh when using
adapter name on "netsh.exe interface ipv6 set address" command.
Changed logic to get adapter index and use it instead of adapter
name for netsh set address command.
v2:
* Remove netsh call which uses adapter name. After thoughtful testing
turns out that "adapter name" code branch is never used.
v3:
* Use interface=<idx> syntax.
* Add forward declaration of get_adapter_index_flexible to get
rid of warning.
* NOTE: temp variable is needed because argv_printf() does not
handle combined strings like "interface=%lu" today
Signed-off-by: Olli Mannisto <olmannisto@gmail.com>
Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1447242487-30243-1-git-send-email-lstipakov@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10484
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Thu, 5 Nov 2015 21:03:01 +0000 (22:03 +0100)]
Add macro to ensure we exit on fatal errors
Also prevents false positives in static analysis tools.
(Note that the current x_msg() code does properly exit, this is just a way
to make it trivial to see we will not return from msg() on fatal errors,
even for static analysis tools.)
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1446757381-27863-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10440
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Fri, 6 Nov 2015 07:42:39 +0000 (08:42 +0100)]
Fix (potential) memory leak in init_route_list()
init_route() can allocate memory in netlist, but fail in many more ways
than just fail to allocate. Thus, always check and clean up netlist if
needed, instead of just when init_route() succeeds.
This fix is for master only. The release/2.3 branch cleans up netlist
immediately, and needs a different patch for a similar problem.
Found using coverity.
v2: initialize netlist to NULL
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1446795759-3288-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10443
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Thu, 15 Oct 2015 22:43:15 +0000 (00:43 +0200)]
polarssl: add --verify-client-cert optional support
This adds support for the --verify-client-cert optional option in PolarSSL
builds, as was earlier added for OpenSSL builds by Jan-Just Keijser.
This patch also adds an additional sanity check that this option may only
be used in combination with some other authentication method, and changes
the warning message about this option to be displayed only once on startup,
instead of for each connecting client.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Jan Just Keijser <janjust@nikhef.nl>
Message-Id: <1444948995-18720-3-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10288
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Wed, 4 Nov 2015 18:59:38 +0000 (13:59 -0500)]
Fix termination when windows suspends/sleeps
When TUN/TAP I/O operation is aborted, restart with a SIGHUP instead of
terminate. The abort error from TAP is often triggered by system suspend
which is fully recoverable on resume. Catastrophic events will get caught
later during the restart. This solves the abnormal termination during
suspend/resume.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1446663578-14471-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10438
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Thu, 15 Oct 2015 22:43:14 +0000 (00:43 +0200)]
polarssl: fix --client-cert-not-required
PolarSSL 1.3 determines whether to use a client key/cert based on the
private key and/or certificate structs being allocated or not. We
previously would always allocate the structs in
tls_ctx_{client,server}_new(), which made polarssl clients without a
client key/cert (can also be mgmt-external-key or pkcs11) fail to connect.
Note that this bug is not present in OpenVPN 2.3, because PolarSSL 1.2
does not contain the 'pk' abstraction layer and therefore behaves slightly
differently.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1444948995-18720-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10287
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Wed, 21 Oct 2015 07:13:26 +0000 (10:13 +0300)]
Replace variable length array with malloc
Commit https://github.com/OpenVPN/openvpn/commit/685e486e8b8f70c25f09590c24762ff734f94a51
introduced a variable length array. Although C99 supports that, MSVS 2013
still requires size of array to be compiler time constant. As a fix, use
malloc/free.
v2:
Replace OPENSSL_malloc with gc_malloc
Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1445411606-13369-1-git-send-email-lstipakov@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10344
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Tue, 20 Oct 2015 22:38:26 +0000 (00:38 +0200)]
Fix memory leak in auth-pam plugin
As it says on the tin. aresp would not be free'd nor returned by
my_conv() on errors. Note that we never reach this code if allocation
of aresp failed.
Found with the Clang static analyzer.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <1445380706-20864-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10338
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Wed, 21 Oct 2015 08:08:06 +0000 (10:08 +0200)]
hardening: add insurance to exit on a failed ASSERT()
The code behind our ASSERT() macro is pretty complex. Although it seems
to be correct, make it trivially clear we will never return from a failed
assert by adding an _exit(1) call. As was suggested by Sebastian Krahmer
of the SuSE security team.
To make sure that tools like clang static analyzer and coverity
understand that assert_failed() will not return, add an
__attribute__((__noreturn__)) annotation.
v2: use __attribute__ instead of inline to convince static analysers.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1445414886-11052-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10349
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lukasz Kutyla [Sat, 17 Oct 2015 19:15:15 +0000 (21:15 +0200)]
Fix privilege drop if first connection attempt fails
OpenVPN does not drop privileges (UID/GID/chroot) as requested according
to the configuration file and/or passed arguments if the first connection
attempt is not established successfully, this also includes applying
SELinux context.
Signals and restarts are processed after "context.first_time" is set to
"false", which results in omitting entire privilege dropping block in
"do_uid_gid_chroot()" when successful connection is finally made
(everything is initialized correctly and said function is called), since
"context.first_time" is used as block entry condition.
We modify "do_uid_gid_chroot()" in such a way that allows us to drop
privileges even when first connection attempt was unsuccessful.
Lev Stipakov [Sat, 10 Oct 2015 16:04:25 +0000 (19:04 +0300)]
Send push reply right after async auth complete
v3:
* better comments
* better variable naming
* include sys/inotify.h if HAVE_SYS_INOTIFY_H is defined
v2:
More careful inotify_watchers handling
* Ensure that same multi_instance is added only once
* Ensure that multi_instance is always removed
v1:
This feature speeds up connection establishment in cases when async
authentication result is not ready when first push request arrives. At
the moment server sends push reply only when it receives next push
request, which comes 5 seconds later.
Implementation overview.
Add new configure option ENABLE_ASYNC_PUSH, which can be enabled if
system supports inotify.
Add inotify descriptor to an event loop. Add inotify watch for a
authentication control file. Store mapping between watch descriptor and
multi_instance in a dictionary. When file is closed, inotify fires an
event and we continue with connection establishment - call client-
connect etc and send push reply.
Inotify watch descriptor got automatically deleted after file is closed
or when file is removed. We catch that event and remove it from the
dictionary.
Feature is easily tested with sample "defer" plugin and following settings:
Gert Doering [Sat, 10 Oct 2015 16:34:49 +0000 (18:34 +0200)]
Remove support for snappy compression.
LZ4 is using less CPU at similar performance, and it is easier to
build and support for binary installs (as it does not require C++
and a C++ runtime). Since it was never supported in any formally
released OpenVPN version, just drop it again.
This leaves in the compression opcode for Snappy for documentation
purposes.
trac #617
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1444494889-28925-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10251
Socket configuration of MTU discovery was done unconditionally at IP level,
which has no effect for other protocols. This fixes the issue of OpenVPN
sending fragmented tcp6/udp6 packets even when 'mtu-disc yes' option is
passed.
Patch V2 (by Arne Schwabe): Rebase to current master and have
separate #ifdefs for IPv4 and IPv6
Signed-off-by: Julien Muchembled <jm@nexedi.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1444470291-2980-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10229
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Mon, 2 Mar 2015 17:58:31 +0000 (19:58 +0200)]
Fast recovery when host is in unreachable network
When client connects to the server which is in unreachable network (for
example hostname got resolved into ipv6 address and client has no ipv6),
throw SIGUSR1 and connect to the next server without waiting 60 seconds
for "TLS key negotiation failed".
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1425319111-21291-1-git-send-email-lstipakov@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9498
Daniel Kubec [Sat, 4 Apr 2015 22:10:37 +0000 (00:10 +0200)]
sample-plugin: TLS Keying Material Exporter [RFC-5705] demonstration plug-in
A simple plug-in with a corresponding HTTP server and client which can authenticate
an HTTP user based on the authentication already done via an established OpenVPN
connection
[DS: Renamed the module at commit time from sso to keyingmaterialexporter to
avoid confusion with other Single-Sign-On solutions. Updated documentation
and commits accordingly. Added --pull to the client config]
Signed-off-by: Daniel Kubec <niel@rtfm.cz>
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: David Sommerseth <davids@redhat.com>
Daniel Kubec [Thu, 12 Mar 2015 14:14:20 +0000 (15:14 +0100)]
Added support for TLS Keying Material Exporters [RFC-5705]
Keying Material Exporter [RFC-5705] allow additional keying material to be
derived from existing TLS channel. This exported keying material can then be
used for a variety of purposes.
[DS: Updated man page to document both upper and lower length boundaries]
Signed-off-by: Daniel Kubec <niel@rtfm.cz>
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: David Sommerseth <davids@redhat.com>
Steffan Karger [Tue, 6 Oct 2015 18:38:27 +0000 (20:38 +0200)]
openssl: be less verbose about cipher translation errors
Translation errors are usually not a real problem, since we don't maintain
the complete list of ciphers OpenSSL supports. So, be less verbose if we
can not find a translation.
Also, add 'translations' for commonly used negated cipher suites to
suppress messages about those completely.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1444156707-14087-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10198
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Sun, 8 Mar 2015 10:20:04 +0000 (11:20 +0100)]
polarssl: add easy logging for PolarSSL errors
Add the functions polar_log_err(), polar_log_func_line() and a macro
polar_ok(), to easily log human-readable PolarSSL errors from
polarssl-specific code.
This does not provide the full logging interface as msg(), because I
would have to add a lot more of macro-magic to achieve that on the
various supported compilers and platforms, and this suffices too (for
now at least).
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1425810005-11893-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9528
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Fri, 2 Oct 2015 11:46:41 +0000 (14:46 +0300)]
This fixes MSVS 2013 compilation.
* Tools version changed to 12
* Added comp.c/h and compat.c/h to project files
* Workaround for missing __attribute__ support
Also, as a preparation for MSVS2015, ensured that snprintf is not defined
for that VS version.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1443786401-30416-1-git-send-email-lstipakov@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10174
Gert Doering [Fri, 11 Sep 2015 15:33:47 +0000 (17:33 +0200)]
get_default_gateway_ipv6(): Win32 implementation using GetBestRoute2()
To get access to that functionality, bump Windows API level for MinGW
compilation from NTDDI_WINXP/_WIN32_WINNT_WINXP to ..._VISTA, and
shuffle around WIN32 includes a bit in syshead.h
MinGW 32 seems to be broken regarding MIB_TCP_STATE enum, so add typedef
for that - surrounding #ifdefs found by googling do not work yet -> TODO!
Extend add_route_ipv6() and delete_route_ipv6() to handle routes not on
the tap adapter but on ifindex-addressed interfaces ("interface=nn"),
and while at it, fix deletion of IPv6 routes with gateway address.
NOTE: this breaks Windows XP compatibility as GetBestRoute2() is not
available there, so even when not using IPv6, the binary will not run.
(Lightly) tested on Win7/64.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lazy-ACK-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1441985627-14822-11-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10085
Gert Doering [Tue, 22 Sep 2015 20:31:24 +0000 (22:31 +0200)]
Add custom check for inet_pton()/inet_ntop() on MinGW/WIN32
More recent MinGW versions have these functions (if compiling at
_VISTA level or higher), but the normal AC_CHECK_FUNCS() check does
not find them because the necessary header file is not #include'd and
the libws2_32 not linked - and our compat functions are incompatible
with the definitions in <ws2tcpip.h>, so compilation fails.
Fix with a custom AC_LINK_IFELSE()/AC_LANG_PROGRAM() construct.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Tested-by: Heiko Hund <heiko.hund@sophos.com>
Tested-by: Samuli Seppänen <samuli@openvpn.net>
Lazy-ACK-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1442953884-54602-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10165
ms_error_text() may return NULL, and it is unclear (or, at least
undocumented) whether the OpenSSL ERR code (and our code using the ERR
code) can deal with esd->string being NULL. So, just to be sure, check
that ms_error_text() succeeded before passing the result to
ERR_load_strings().
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <561130FC.8090008@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10176
Signed-off-by: Gert Doering <gert@greenie.muc.de>
As reported by Bill Parker in trac #600, strdup() return values are not
always correctly checked for failed allocations. This patch adds missing
checks by using string_alloc(), which performs the required checks.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <561130FC.8090008@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10176
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Thu, 27 Aug 2015 13:00:02 +0000 (15:00 +0200)]
Replace unaligned 16bit access to TCP MSS value with bytewise access
TCP options are not always word-aligned, and accessing a 16bit value
at an odd memory address will cause a "bus error" crash on some
architectures, e.g. Linux/Sparc(64)
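Bytewise access of the kind the commit message above describes, as an added example that is not OpenVPN's code. `clamp_mss()`, `get_be16()`, `put_be16()` and `demo_clamp()` are hypothetical names, the option bytes are constructed, and the example only parses and rewrites the options area (a packet rewriter would also have to adjust the TCP checksum).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCPOPT_EOL     0
#define TCPOPT_NOP     1
#define TCPOPT_MAXSEG  2
#define TCPOLEN_MAXSEG 4

/* Read a big-endian 16-bit value one byte at a time. Unlike a cast to
 * uint16_t * followed by a dereference, this is valid at any address. */
static uint16_t get_be16(const uint8_t *p)
{
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* Write a big-endian 16-bit value one byte at a time. */
static void put_be16(uint8_t *p, uint16_t v)
{
    p[0] = (uint8_t)(v >> 8);
    p[1] = (uint8_t)(v & 0xff);
}

/* Walk a TCP options area and lower the MSS option to maxmss if it is larger.
 * Returns the resulting MSS, 0 if there is no MSS option, -1 if the options
 * are malformed (truncated or with an impossible length byte). */
static int clamp_mss(uint8_t *opts, size_t optlen, uint16_t maxmss)
{
    size_t i = 0;

    while (i < optlen) {
        uint8_t kind = opts[i];

        if (kind == TCPOPT_EOL)
            break;
        if (kind == TCPOPT_NOP) {       /* one-byte option, no length field */
            i++;
            continue;
        }
        if (optlen - i < 2)             /* no room for the length byte */
            return -1;

        size_t len = opts[i + 1];
        if (len < 2 || len > optlen - i)
            return -1;

        if (kind == TCPOPT_MAXSEG) {
            if (len != TCPOLEN_MAXSEG)
                return -1;
            uint16_t mss = get_be16(&opts[i + 2]);
            if (mss > maxmss) {
                put_be16(&opts[i + 2], maxmss);
                mss = maxmss;
            }
            return mss;
        }
        i += len;
    }
    return 0;
}

/* Constructed options: one NOP pushes the MSS option (1460 = 0x05B4) off its
 * natural alignment, as real stacks are free to do. */
static const uint8_t sample_opts[] = {
    TCPOPT_NOP, TCPOPT_MAXSEG, TCPOLEN_MAXSEG, 0x05, 0xB4,
    TCPOPT_NOP, TCPOPT_NOP, TCPOPT_EOL
};

/* Copy the sample to buf+shift (shift 0 or 1) so that the MSS value sits at
 * an odd address in at least one of the two runs, then clamp it. */
static int demo_clamp(size_t shift, uint16_t maxmss)
{
    uint8_t buf[sizeof(sample_opts) + 1];

    shift &= 1;
    memcpy(buf + shift, sample_opts, sizeof(sample_opts));
    return clamp_mss(buf + shift, sizeof(sample_opts), maxmss);
}

int main(void)
{
    printf("shift 0, max 1360 -> %d\n", demo_clamp(0, 1360));
    printf("shift 1, max 1360 -> %d\n", demo_clamp(1, 1360));
    printf("shift 0, max 1500 -> %d\n", demo_clamp(0, 1500));
    return 0;
}
```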
Boris Lytochkin [Sun, 20 Sep 2015 14:05:22 +0000 (17:05 +0300)]
Log serial number of revoked certificate
In most of situations admin of OpenVPN server needs to know which
particular certificate is used by client.
In the case when certificate is OK, environment variable can be used for
that but once it is revoked, no user scripts are invoked so there is
no way to get serial number: only subject is printed in logs.
So we log certificate serial in case it is revoked.
Gert Doering [Fri, 11 Sep 2015 15:33:46 +0000 (17:33 +0200)]
Fix IPv6 host routes to LAN gateway on OpenSolaris
The tun/tap routes need to be set with "metric 0", while this will
prevent routes to LAN gateways from being installed. So, set metric 0
only if no other interface is requested...
(Note: OpenSolaris can not specify host+interface gateways, so we just
use the GW addresses - it seems to still work for fe80:: addresses,
however it is done internally. NUD maybe?)
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1441985627-14822-10-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10092
Gert Doering [Fri, 11 Sep 2015 15:33:45 +0000 (17:33 +0200)]
get_default_gateway_ipv6(): *BSD / MacOS / Solaris PF_ROUTE implementation
As for IPv4, a common implementation for all (supported) BSD families
and Solaris. Supporting the latter requires separate implementations
for IPv4 and IPv6, unfortunately, so it's quite a bit of duplicate
code.
Further, extend add_route_ipv6() and delete_route_ipv6() to handle
link-local gateway addresses that require "gateway + interface" in
scoped notation ("fe80::1%em0").
Tested on FreeBSD 7.4/amd64, 9.3/sparc64, 10.0/amd64, NetBSD 5.1/amd64,
OpenBSD 4.9/i386, MacOS X 10.5/32 and 10.10/64 and OpenSolaris 10.11/i386.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1441985627-14822-9-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10082
Gert Doering [Fri, 11 Sep 2015 15:33:44 +0000 (17:33 +0200)]
Implement '--redirect-gateway ipv6'
Add "ipv6" and "!ipv4" sub-options to "--redirect-gateway" option.
This is done in the same way as in the OpenVPN 3 code base, so
"--redirect-gateway ipv6" will redirect both IPv4 and IPv6 - if you
want v6-only, use "--redirect-gateway ipv6 !ipv4".
The actual implementation is much simpler than for IPv4 - we just
add a few extra routes to the route_ipv6_option_list and leave it to
init_route_ipv6_list() to figure out whether there is an overlap with
IPv6 transport, and if yes, insert a host route to the VPN server
via the current IPv6 default gateway.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1441985627-14822-8-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10086
Gert Doering [Fri, 11 Sep 2015 15:33:43 +0000 (17:33 +0200)]
Implement handling of overlapping IPv6 routes with IPv6 remote VPN server address
- socket.[ch]: add link_socket_current_remote_ipv6() helper to extract
  current address of remote VPN server (if IPv6, NULL otherwise), IPv6
  equivalent to link_socket_current_remote()
- init.c: pass remote VPN server address to init_route_ipv6_list()
  (link_socket_current_remote_ipv6())
- route.h: add route_ipv6_gateway_info to route_ipv6_list, and reorder
  structures so that this actually compiles. Add iface/adapter_index
  to struct route_ipv6 (for non-tun/tap routes).
- route.[ch]: add "const" to *dest argument to get_default_gateway_ipv6()
- route.c: add route_ipv6_match_host() helper to check whether an IPv6
  address is matched by a given "route_ipv6" IPv6 route)
- route.c: init_route_ipv6_list()
  - call get_default_gateway_ipv6()
  - check to-be-installed IPv6 routes against VPN server address (if IPv6)
  - if an overlap is seen, add a host route for the VPN server address
    via the just-discovered gateway to the list of IPv6 routes to be
    installed (rl6->routes_ipv6)
  - warn if overlap is detected but platform code has not been able to
    discover IPv6 default gateway
- route.c: add_route_ipv6() / delete_route_ipv6(): set "device" to
  "external default gateway interface" (r6->iface) instead of TUN/TAP
  device (if set), which nicely enables arbitrary gateway/interface
  combinations for Linux
- ssl.c: add "IV_RGI6=1" to push-peer-info data to let server know we can
  handle pushed IPv6 routes that overlap with server IPv6 address
- tun.c: when adding/removing on-link routes, CLEAR(r6) first to
  ensure new struct route_ipv6 members are cleared
Tested on Linux with iproute2 and /bin/route, on eth and tun routes.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1441985627-14822-7-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10089
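The overlap check described in the commit message above, sketched as an added example (not OpenVPN's code): `struct route6`, `parse_route6()`, `route6_matches_host()` and `needs_host_route()` are hypothetical names, and the routes and server addresses are constructed sample values.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified route entry: network prefix plus prefix length. */
struct route6 { struct in6_addr network; unsigned int netbits; };

/* Parse "addr/bits" into a route6; false on malformed input. */
static bool parse_route6(const char *cidr, struct route6 *r)
{
    char addr[INET6_ADDRSTRLEN];
    const char *slash = strchr(cidr, '/');
    if (!slash || (size_t)(slash - cidr) >= sizeof(addr)) return false;
    memcpy(addr, cidr, (size_t)(slash - cidr));
    addr[slash - cidr] = '\0';
    char *end;
    unsigned long bits = strtoul(slash + 1, &end, 10);
    if (end == slash + 1 || *end != '\0' || bits > 128) return false;
    r->netbits = (unsigned int)bits;
    return inet_pton(AF_INET6, addr, &r->network) == 1;
}

/* True if host lies inside the route's prefix: whole bytes, then leftover bits. */
static bool route6_matches_host(const struct route6 *r, const struct in6_addr *host)
{
    unsigned int full = r->netbits / 8, rest = r->netbits % 8;
    if (r->netbits > 128 || memcmp(r->network.s6_addr, host->s6_addr, full) != 0) return false;
    if (rest == 0) return true;
    unsigned char mask = (unsigned char)(0xff << (8 - rest));
    return ((r->network.s6_addr[full] ^ host->s6_addr[full]) & mask) == 0;
}

/* 1 if any route would capture traffic to the server (a host route via the
 * pre-VPN gateway is then needed), 0 if none does, -1 on a parse error. */
static int needs_host_route(const char *const *cidrs, size_t n, const char *server)
{
    struct in6_addr srv;
    if (inet_pton(AF_INET6, server, &srv) != 1) return -1;
    for (size_t i = 0; i < n; i++) {
        struct route6 r;
        if (!parse_route6(cidrs[i], &r)) return -1;
        if (route6_matches_host(&r, &srv)) return 1;
    }
    return 0;
}

int main(void)
{
    const char *routes[] = { "2000::/3", "2001:db8:1::/48" }; /* constructed */
    printf("%d\n", needs_host_route(routes, 2, "2001:db8:ffff::1"));
    return 0;
}
```

Without the host route, packets addressed to the VPN server itself would follow the overlapping route into the tunnel instead of leaving through the physical interface.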
Gert Doering [Wed, 1 Jul 2015 15:40:39 +0000 (17:40 +0200)]
Make client delay less before sending PUSH_REQUEST
Speed up PUSH_REQUEST handling on the client side by reducing
the amount of dependent 1s-coarse-timers to "just one".
After "TLS is up!", one timer needs to fire to wakeup
"check_connection_established_dowork()", and that one used to
setup another 1s timer before sending PUSH_REQUEST - which is
just dead time where we sit idly... So, fire immediately.
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20150701154039.GG382@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9851
Arne Schwabe [Tue, 15 Sep 2015 09:23:33 +0000 (11:23 +0200)]
Remove #ifdefs for client nat support.
The client-nat feature was always unconditionally enabled.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1442309019-7586-3-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10109
Gert Doering [Fri, 11 Sep 2015 15:33:41 +0000 (17:33 +0200)]
Create basic infrastructure for IPv6 default gateway handling / redirection.
- introduce get_default_gateway_ipv6() and add stub functions with the
implementation plan to the 4 major code blocks here (Windows,
Linux/Android, *BSD and Solaris, "others")
- add &rgi6 to print_default_gateway(), and teach it to print v4, v6
or both, depending on the calling environment
- unlike IPv4 (today), get_default_gateway_ipv6() is passed the actual
target IPv6 address of the server we're looking for, so we can handle
more complicated routing setups ("default to eth0, vpn server to ppp0")
correctly
- consequently, --show-gateway has an optional parameter now, the
IPv6 address to look up (for debugging)
- document --show-gateway and the extra option in openvpn.8
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1441985627-14822-5-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10087
Gert Doering [Fri, 11 Sep 2015 15:33:39 +0000 (17:33 +0200)]
refactor struct route_ipv6_list, bring in line with struct route_list again
adjust "struct route_ipv6_list" (and all users) to reflect changes
to "struct route_list" done in commit 7fb0e07e, namely:
- new member "rl6->iflags" (RL_* flags)
- new member "rl6->spec_flags" (RTSA_* flags)
- new member "rl6->remote_host_ipv6" (--remote address we're talking to)
- "rl6->routes_added"
--> "rl6->iflags & RL_ROUTES_ADDED"
- "rl6->did_redirect_default_gateway"
--> "rl6->iflags & RL_DID_REDIRECT_DEFAULT_GATEWAY"
- "rl6->did_local"
--> "rl6->iflags & RL_DID_LOCAL"
- "rl6->remote_endpoint_defined"
--> "rl6->spec_flags & RTSA_REMOTE_ENDPOINT"
- "rl6->default_metric_defined"
--> "rl6->spec_flags & RTSA_DEFAULT_METRIC"
deviating from IPv4 route_list, there is no "route_special_addr spec"
sub-struct, because it's not considered useful (rl->spec.flags becomes
rl6->spec_flags, the IPv6 equivalent of everything else in rl->spec just
lives inside struct route_ipv6_list)
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1441985627-14822-3-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10084
Gert Doering [Tue, 4 Aug 2015 12:53:16 +0000 (14:53 +0200)]
Un-break --auth-user-pass on windows
Commit b131c7b974d9d4d3f0 introduced a check to create a meaningful
warning if we try to read a password after daemon()izing (by checking
whether stdin or stderr is connected to a tty). For some reason this
breaks on Windows builds if run under GUI control - but since Windows
doesn't have this particular daemon() issue anyway, just #ifndef WIN32
the offending code.
Sebastian Krahmer from the SuSE security team reported that the buffer
overflow check in openvpn_decrypt() was too strict according to the
cipher update function contract:
"The amount of data written depends on the block alignment of the
encrypted data: as a result the amount of data written may be anything
from zero bytes to (inl + cipher_block_size - 1) so outl should contain
sufficient room."
This stems from the way CBC mode works, which caches input and 'flushes'
it block-wise to the output buffer. We do allocate enough space for this
extra block in the output buffer for CBC mode, but not for CFB/OFB modes.
This patch:
* updates the overflow check to also verify that the extra block required
according to the function contract is available.
* uses buf_inc_len() to double-check for overflows during en/decryption.
* also reserves the extra block for non-CBC cipher modes.
In practice, I could not find a way in which this would fail. The plaintext
is never longer than the ciphertext, and the implementations of CBC/OFB/CBC
for AES and BF in both OpenSSL and PolarSSL/mbed TLS do not use the buffer
beyond the plaintext length when decrypting. However, some funky OpenSSL
engine I did not check *might* use the buffer space required by the
function contract. So we should still make sure we have enough room
anyway.
v2 - always ASSERT() on buf_inc_len(). It is a double-check so should
really not fail, but if it fails there has been a buffer overflow.
At that point the best thing we can do is assert out. (The primary
check *is* handled gracefully, and just drops the packet.)
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1438165826-32762-1-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9974 Signed-off-by: Gert Doering <gert@greenie.muc.de>
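The two-level check this commit message describes, as an added example (not OpenVPN's code): `toy_update()` is a stand-in for a cipher update call that caches input and flushes whole blocks, and `struct outbuf`, `update_fits()` and `checked_update()` are hypothetical names. The 16-byte block size and 64-byte buffer are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BLOCK 16 /* assumed block size of the toy cipher */
/* Hypothetical length-tracked output buffer (not OpenVPN's struct buffer). */
struct outbuf { unsigned char data[64]; size_t capacity; size_t len; };
/* Toy cipher context: caches input, flushes whole blocks only. */
struct toy_ctx { unsigned char cache[BLOCK]; size_t cached; };

/* One call may write more bytes than it was given, because of the cache. */
static size_t toy_update(struct toy_ctx *c, unsigned char *out,
                         const unsigned char *in, size_t inl)
{
    size_t written = 0;
    for (size_t i = 0; i < inl; i++) {
        c->cache[c->cached++] = in[i];
        if (c->cached == BLOCK) { /* flush one block (transform omitted) */
            memcpy(out + written, c->cache, BLOCK);
            written += BLOCK;
            c->cached = 0;
        }
    }
    return written;
}

/* Primary check: room for the contract's worst case, inl + BLOCK - 1. */
static bool update_fits(const struct outbuf *b, size_t inl)
{
    size_t room = b->capacity - b->len;
    return inl <= room && (size_t)(BLOCK - 1) <= room - inl;
}

/* Returns bytes written, or -1 if the input was dropped for lack of room. */
static int checked_update(struct toy_ctx *c, struct outbuf *b,
                          const unsigned char *in, size_t inl)
{
    if (!update_fits(b, inl)) return -1; /* graceful: drop the packet */
    size_t n = toy_update(c, b->data + b->len, in, inl);
    if (n > b->capacity - b->len)
        abort(); /* double-check failed: the overflow already happened */
    b->len += n;
    return (int)n;
}

int main(void)
{
    struct toy_ctx c = {0};
    struct outbuf b = { .capacity = 64 };
    unsigned char in[40] = {0}; /* constructed input */
    int first = checked_update(&c, &b, in, 20), second = checked_update(&c, &b, in, 12);
    printf("%d %d %d\n", first, second, checked_update(&c, &b, in, 40));
    return 0;
}
```

The second call writes 16 bytes for 12 bytes of input, which is why the capacity check has to use the contract's upper bound rather than the input length.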
Arne Schwabe [Mon, 27 Jul 2015 15:33:11 +0000 (17:33 +0200)]
Fix commit e473b7c if an inline file happens to have a line break exactly at buffer limit
The check does only for strlen(line) space and buf_printf will only use at
most space -1 and not print the final character ('\n') in this corner.
Since a missing \n only breaks certificates at the start and end marker,
missing line breaks otherwise do not trigger this error.
reintroduce md5_digest wrapper struct to fix gcc warnings
I was wrong to assume that adding the const qualifier to the pointer-to-
fixed-size-array construction used in options_hash_changed_or_zero() was
allowed. GCC actually warns about this, but I was using clang and clang
seems to be fine with the construction. To make GCC happy too, reintroduce
the md5_digest wrapped struct, and use that when passing around the digest.
This reverts the "struct md5_digest" parts of 827de237860813d2859a, but
keeps the rest.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1437910039-30101-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9949 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commits da9b292733e929a2900dc32d37f0424c3d588366 and 315f6fbc7f657a7f1127628bd714f468709d5185 broke the use case where we are
asking password from the management client. The password is always asked
before daemonization. With this fix we avoid this and ask it via management
interface in the same spot as before the mentioned commits. Tested on Linux.
v2: This patch was first submitted by Christian Pellegrin (from Google),
and reworked by Steffan Karger (from the OpenVPN team) to also work for
setups with --management-query-passwords but without --auth-user-pass.
Signed-off-by: Steffan Karger <steffan@karger.me> Signed-off-by: Christian Pellegrin <chripell@google.com> Tested-by: Christian Pellegrin <chripell@google.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <55A6C46C.5080601@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9927 Signed-off-by: Gert Doering <gert@greenie.muc.de>
James Geboski [Tue, 8 Jan 2013 22:52:57 +0000 (17:52 -0500)]
Fix --askpass not allowing for password input via stdin
This resolves --askpass treating stdin as a file during the file access
check. In turn, this leads to openvpn failing to start if this option is
set to stdin.
By default, --askpass reads the certificate's password from stdin rather
than a file. Without passing the CHKACC_ACPTSTDIN flag to
check_file_access(), stdin is marked as being a nonexistent file.
Trac #248
Signed-off-by: James Geboski <jgeboski@gmail.com> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <55A41225.2020705@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9918 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Mon, 13 Jul 2015 19:10:07 +0000 (21:10 +0200)]
Produce a meaningful error message if --daemon gets in the way of asking for passwords.
With the --daemon / SSL init reordering in da9b292733, we fail if we
daemonize first and then try to ask for a private key passphrase (or,
for that matter, username+password if --auth-nocache is set) - but
no meaningful error message was printed, instead depending on operating
system and library versions, either we looped around "ssl init failed"
or died with an unspecified "fatal error".
So: check if get_user_pass_cr() is called in a context that needs
"from_stdin", but both stdin and stderr are not connected to a tty
device (which getpass() needs). In that case, print a meaningful
error message pointing to --askpass, and die.
fix regression: query password before becoming daemon
The init sequence was changed to daemonize before the crypto init to fix
issues on FreeBSD some commits ago. This introduced a regression where
we would no longer query for passwords before daemonizing, as described
in trac #574 and #576.
This commit restores the correct order, and adds a bit of const
correctness since we're touching this code now anyway.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1436477759-5884-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9901 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Steffan Karger <steffan@karger.me> Tested-by: Fish Wang <fish.thss@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <CAA1AbxKrPXnc1+PPH4dQV1OksY_0t3ewqRnqVrjhZL+i2Pbkmw@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9859 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Tue, 30 Jun 2015 19:44:56 +0000 (21:44 +0200)]
Increase control channel packet size for faster handshakes
Instead of limiting the control channel TCP/UDP packet payload size at
'100 bytes + real control channel overhead' (~140 bytes ethernet payload),
increase the max TCP/UDP payload size to '1250 bytes - calculated overhead'
(~1210 bytes ethernet payload).
Note that this patch does *not* yield an optimal solution, but it is a
simple and rather safe change that will improve connection setup times
significantly.
v2: use the minimum value of --link-mtu and 1250 to give the user a way to
reduce control packet size if really needed.
trac #545
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1435693496-10931-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9841 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Holger Kummert [Thu, 25 Jun 2015 16:01:20 +0000 (18:01 +0200)]
Del ipv6 addr on close of linux tun interface
When a linux tun interface is closed (e.g. on disconnect)
an optional ipv6 addr that was previously set is deleted now.
Without this patch a later reconnect could fail with
'Linux ip -6 addr add failed: external program exited with error status: 2'
and openvpn would exit.
This is mainly relevant for persistent tun devices (staying around
after openvpn exits) but can also happen at reconnect.
If addresses are *supposed* to stay around on openvpn exit, run
openvpn with --ifconfig-noexec and configure IPv4/IPv6 addresses
manually before openvpn starts (or using an --up script).
Trac #141
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1435248080-12670-1-git-send-email-Holger.Kummert@Sophos.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9810
Throw an error if an option has extra parameters; previously they
were silently ignored (see also trac #557)
This feature was discussed on the openvpn-devel mailing list
(http://thread.gmane.org/gmane.network.openvpn.devel/9599).
The (modified) message "Unrecognized option or missing or extra
parameter(s)" is used except for a few options:
* The --help option: An extra parameter for --help generates a
specific error message after showing the syntax message. This
is done to help a user who tries "--help tls-cipher" or similar,
hoping to get more information about the "tls-cipher" option.
* The --dhcp-option option: It has its own similar message, into
which " or extra" has been inserted.
* Ten options such as --up that accept a command (instead of a
path) already detect extra parameters and generate specific
error messages that mention double-quoting commands which
contain embedded spaces.
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <CAEsd45RvRfmqetu-EoFjSdyBk5F9X1K5muPGu-+_+30TMNOU_A@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9783
URL: https://community.openvpn.net/openvpn/ticket/557
Steffan Karger [Thu, 18 Jun 2015 22:08:45 +0000 (00:08 +0200)]
write pid file immediately after daemonizing
Since we split daemonizing from changing directory in commit da9b292
(f025de005d719201a69ad0313d545a1ddd244752 in release/2.3), we can
now simply write the pid file immediately after daemonizing.
This not only fixes the bug reported in trac #563, but also further
simplifies the code.
trac #563
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1434665325-3225-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9793 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Sun, 26 Apr 2015 18:03:58 +0000 (20:03 +0200)]
Fix FreeBSD ifconfig for topology subnet tunnels.
For "topology subnet", we only pretend to have a subnet and keep
using the tun if in point-to-point mode - but for that to fully
work, the "remote" address needs to be different from the "local"
address. So just arbitrarily construct one from the on-link
subnet - base+1, if "that is not us", base+2, otherwise.
Fix trac #481
See also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194745
Signed-off-by: Gert Doering <gert@greenie.muc.de> Tested-By: Anton Sayetsky <vsasjason@gmail.com> Lazy-ACK-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1430071438-31675-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9606
Gert Doering [Sun, 31 May 2015 13:59:09 +0000 (15:59 +0200)]
Move res_init() call to inner openvpn_getaddrinfo() loop
A non-working nameserver in /etc/resolv.conf could lead to endless
loops inside openvpn_getaddrinfo(), because many systems will only
pick up changes to resolv.conf if res_init() is called again.
To reproduce, run openvpn with --resolv-retry infinite (2.3) or
--resolv-retry "a high number" (master) on a BSD system. Linux
glibc seems to stat() resolv.conf on calls to getaddrinfo() and
pick up changes automatically.
Trac #523
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1433080749-6892-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9763
Guy Yur [Mon, 1 Jun 2015 19:51:13 +0000 (21:51 +0200)]
Fix --redirect-private in --dev tap mode.
When specifying redirect-private option and not specifying route-gateway
or ifconfig options, OpenVPN fails to add the route to the remote host
with the following message:
NOTE: unable to redirect default gateway -- VPN gateway parameter
(--route-gateway or --ifconfig) is missing
In redirect_default_route_to_vpn() the check for remote endpoint happens
even though it is not used by redirect-private - make check conditional
on RG_REROUTE_GW (= --redirect-gateway).
Trac #261
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20150531120327.GE382@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9761 Signed-off-by: Gert Doering <gert@greenie.muc.de>