Steffan Karger [Tue, 1 Nov 2016 19:06:47 +0000 (20:06 +0100)]
Restore pre-NCP cipher options on SIGUSR1
As reported by debbie10t on the openvpn-devel list (Message-ID:
<326b8ff7-39a6-1974-c0b0-82fd2abdc7b7@gmail.com>), an NCP client will
attempt to reconnect with the previously pushed cipher, instead of the
cipher from the config file, after a sigusr1 restart. This can be a
problem when the server is reconfigured (as debbie10t explainted), or when
roaming to a differently-configured server. Fix this by restoring the
cipher options from the config file after a sigusr1 restart.
This makes the cipher options behaviour different from other pushable
options, because those are also cached until a sighup restart. We might
want to change this behaviour in general, but for now let's just fix the
issue at hand.
v2: also cache and restore keysize, as that parameter is relevant too.
v3: inherit cached cipher options from parent context.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1478027207-28651-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12869.html Signed-off-by: David Sommerseth <davids@openvpn.net>
Steffan Karger [Tue, 8 Nov 2016 20:07:43 +0000 (21:07 +0100)]
Fix missing return value checks in multi_process_float()
Fix the missing return value checks on hash_remove() and hash_add() by
replacing the calls with an single hash_add() call with the replace
parameters set to true so that is can't fail. Then just ASSERT() that
this is indeed the case.
This also replaces the other add/remove combinations with a single
add-replace, because that should be slightly faster (and this is in the
'hot path').
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1478635663-5837-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12968.html Signed-off-by: David Sommerseth <davids@openvpn.net>
Steffan Karger [Tue, 8 Nov 2016 21:28:27 +0000 (22:28 +0100)]
Remove unneeded check for extra_certs_file_inline
As with all the file/file_inline variable, the _inline variable is only
relevant if the file variable is equal to INLINE_FILE_TAG. The
tls_ctx_load_extra_certs() function nicely follows this mantra.
Removing this unneeded check silences a coverity 'dereference after null
check' warning (tls_ctx_load_extra_certs() always dereferences
options->extra_cert_file, and the check implies it might be null). In
reality, this cannot occur, because if options->extra_cert_file_inline is
non-null, so is options->extra_cert_file. Still, coverity is correct this
this check is a bit weird, so let's fix it and make coverity happy.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1478640507-14415-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12978.html Signed-off-by: David Sommerseth <davids@openvpn.net>
Steffan Karger [Fri, 28 Oct 2016 15:54:47 +0000 (17:54 +0200)]
Refactor CRL handling
This patch refactors the CRL handling to rely more on the implementation
of the crypto library. It will insert the CRL at the correct time to keep
it up to date, but all additional verification logic is removed from
ssl_verify_<backend>.c. "Less code of our own, less bugs of our own."
In practice, this means extra checks will be performed on the CRL, such as
checking it validBefore and validAfter fields.
This patch was originally written by Ivo Manca, and then molded by Steffan
before sending to the list. All bugs are Steffan's fault.
Thanks also go to Antonio Quartulli for useful feedback. He'll send
follow-up patches to improve CRL handling performance.
Signed-off-by: Ivo Manca <ivo.manca@fox-it.com> Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1477670087-30063-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12809.html Signed-off-by: David Sommerseth <davids@openvpn.net>
David Sommerseth [Mon, 14 Nov 2016 11:20:08 +0000 (12:20 +0100)]
systemd: Improve the systemd unit files
There are several changes which allows systemd to take care of several
aspects of hardening the execution of OpenVPN.
- Let systemd take care of the process tracking directly, instead
of doing that via PID files
- Make systemd prepare proper runtime directories for the OpenVPN
process.
- Let systemd do the chdir() before starting OpenVPN. This allows
us to avoid using the --cd option when executing openvpn.
- CAP_DAC_OVERRIDE was needed when using --chroot. Otherwise
the root user would not be allowed to access files/directories
not owned by root. This will change in the future, when we
find better ways to avoid calling chroot() in OpenVPN and
rather let systemd prepare a more isolated namespace.
- Client configurations are now started with --nobind and
the OpenVPN client process have lost the CAP_NET_BIND_SERVICE
capability which allows binding to port < 1024.
- Documentation URL now points at the OpenVPN 2.4 man page URL
The majority of these changes have been proposed by Elias Probst
(eliasp) in the GitHub PR #22.
v3 - Add ExecPreStart= to check if OpenVPN configuration contains
'daemon'. That can break the process tracking as we now use
Type=simple (default)
v2 - Change RuntimeDirectory= to a profile specific (client, server)
directory to avoid clashing with older distro unit files
Commit note: As this is not a critical security change, we apply this
without any formal ACKs. It has been thoroghly tested by
several users. See mailing list for details.
Contribution-by: Elias Probst <mail@eliasprobst.eu> Signed-off-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1479122408-6867-1-git-send-email-davids@openvpn.net>
URL: http://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13039.html
Gert Doering [Sun, 13 Nov 2016 19:52:28 +0000 (20:52 +0100)]
Replace WIN32 by _WIN32
With c99, "WIN32" is no longer automatically defined when (cross-)building
for Windows, and proper compilation relies on including <windefs.h>,
before checking the macro. "_WIN32" is the official define that is
guaranteed to be defined by the compiler itself, no includes are needed.
So, mechanically change all occurrances of "WIN32" to "_WIN32".
While at it, get rid of unused WIN32_0_1 #define in syshead.h
See also:
http://nadeausoftware.com/articles/2012/01/c_c_tip_how_use_compiler_predefi
ned_macros_detect_operating_system#WindowsCygwinnonPOSIXandMinGW
Trac #746
v2: rebased to master, merge the console[_builtin].c changes
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20161113195228.74090-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13035.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Mon, 14 Nov 2016 20:06:07 +0000 (21:06 +0100)]
Deprecate key-method 1
Key method 2 has been the default since OpenVPN 2.0, and is both more
functional and secure. Also, key method 1 was only ever supported for
peer-to-peer connections (i.e. not for client-server).
Let's get rid of some legacy and phase out key method 1.
v2: add Changes.rst entry, and update man page
[ DS: Slightly modified patch, rewored the warning message and the
Changes.rst note to encourage not to set --key-method at all ]
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1479153967-6788-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13054.html Signed-off-by: David Sommerseth <davids@openvpn.net>
Steffan Karger [Sun, 13 Nov 2016 14:02:31 +0000 (15:02 +0100)]
Move private file access checks to options_postprocess_filechecks()
This removes the dependency of crypto.c on misc.c, which makes testing
(stuff that needs) crypto.c functionality easier.
Apart from that, testing file access really belongs in
options_postprocess_filechecks(), and moving it there enables us to
perform the same check for other private files too.
v2: change indenting, remove remaining warn_if_group_others_accessible()
calls and move function to options.c.
[ DS: This patch is a slightly modified version of the one sent to the
mailing list. It removes all references to --tls-crypt, so it
can be applied eariler to the tree as it contains a good clean-up
as well ]
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1479045751-22297-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13019.html Signed-off-by: David Sommerseth <davids@openvpn.net>
Steffan Karger [Mon, 14 Nov 2016 19:43:23 +0000 (20:43 +0100)]
Make argv unit tests obey {MBEDTLS, OPENSSL}_{LIBS, CFLAGS}
Fixes builds that use MBEDTLS_CFLAGS and friends to tell the build where
the header files and libraries are. Also alphabetically orders some of
the listed files in relates Makefile.am files.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1479152603-5103-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13050.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Fri, 28 Oct 2016 16:42:37 +0000 (18:42 +0200)]
put argv_* functions into own file, add unit tests
misc.c is too crowded with different things to perform any
sane unit testing due to its dependencies. So, in order to re-write
the #ifdef'ed tests for the argv_* family of functions into unit
tests I moved them into a dedicated file.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: <1477672963-5724-2-git-send-email-heiko.hund@sophos.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12811.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Tue, 8 Nov 2016 20:18:20 +0000 (21:18 +0100)]
Add missing includes in error.h
error.h depends on these, but is apparently never used by files that do
not include them. When implementing the --tls-crypt unit tests, I ran
into this.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1478636302-9678-4-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12972.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Tue, 8 Nov 2016 20:18:18 +0000 (21:18 +0100)]
Refactor static/tls-auth key loading
Remove duplicate code, in preparation for adding --tls-crypt, which
otherwise would have to duplicate this code again.
This should be equivalent to the old code, except for two things:
* The log lines for static key initialization change slightly, from
"Static Encrypt/Decrypt" to "Incoming/Outgoing Static Key Encryption"
* We also 'check and fix highly unlikely key problems' for tls-auth
keys (boils down to a sanity-check for an all-zero key).
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1478636302-9678-2-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12969.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Sun, 13 Nov 2016 19:36:45 +0000 (20:36 +0100)]
Fix compilation on MinGW with -std=c99
commit 9223336a88bc moved the CFLAGS="-std=c99" bit in configure.ac
before the "socklen_t" test, which relies on #ifdef WIN32 to decide
whether to include <ws2tcpip.h> or <sys/socket.h> - which is no longer
defined then, and things explode in interesting ways.
Change to _WIN32, which is the "always defined on all compilers" define
for this.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20161113193645.73523-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13032.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Sun, 13 Nov 2016 18:03:23 +0000 (19:03 +0100)]
Fix builds on compilers without anonymous union support
The "Don't dereference type-punned pointers" patch introduced an anonymous
union, which older compilers do not support (or refuse to support when
-std=c99 is defined). Add a configure check, and some wrapper defines to
repair builds on those compilers.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1479060203-4472-1-git-send-email-steffan@karger.me>
URL: http://www.mail-archive.com/search?l=mid&q=1479060203-4472-1-git-send-email-steffan@karger.me Signed-off-by: Gert Doering <gert@greenie.muc.de>
Currently each instance of openvpn adds WFP filters into an independent
sublayer. As a block in one sublayer can over-ride a permit in another,
this causes all DNS traffic to block when --block-outside-dns is used
in multiple tunnels.
Fix using a common sublayer for adding firewall rules (filters) from all
instances of openvpn and interactive service.
- The sublayer is added in a persistent session so that it could be
accessed from multiple sessions.
- The sublayer is identified by a fixed UUID defined in block_dns.c
shared between openvpn.exe and openvpnserv.exe.
- Permit filters for tun/tap interfaces are added with higher priority
than filters that block all DNS traffic. This is not strictly
necessary as WFP assigns higher priority to specific filters over generic
ones, but it may be safer not to rely on that feature.
- All filters are added in dynamic sessions as before. They get
automatically removed when the process exits. The sublayer will,
however, persist until reboot.
Resolves Trac 718
Tested on Windows 7, 10 with/without interactive service
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1474085439-28766-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12465.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Sun, 13 Nov 2016 13:17:27 +0000 (14:17 +0100)]
Don't deference type-punned pointers
Dereferencing type-punned pointers is undefined behaviour according to the
C standard. We should either obey the standard, or ensure that all
supported compilers deal with dereferencing type-punned pointers as we
want them to. I think just obeying the standard is the easiest solution.
See e.g. http://blog.regehr.org/archives/959.
This commit refactors the offending code to use unions or memcpy() to
comply to strict aliasing rules.
Note that this also slightly changes mroute_addr_mask_host_bits(), to
behave as it was probably intended to: only mask the address part, not
also the port part of IPv6 adresses if MR_WITH_PORT is used (ie ma->len
is sizeof(struct in6_addr)+2).
v2: fix all strict aliasing occurrences, not just those in mroute.h
v3: add missing ntohs() in mroute_addr_print_ex()
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1479043047-25883-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13017.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Fri, 11 Nov 2016 13:30:07 +0000 (14:30 +0100)]
console: Fix compiler warning
Building with -O2, the compiler warned about query_user_SINGLE() being
declared and not used in console.c. This function, defined in console.h,
should have been declared as 'static inline'. This also removes that
warning.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1478871007-25998-1-git-send-email-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13005.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Wed, 9 Nov 2016 20:19:32 +0000 (21:19 +0100)]
Repair topology subnet on OpenBSD
Turns out that "topology subnet" never worked totally right on
OpenBSD - the "netmask" parameter to ifconfig is ignored, and one
needs to add a subnet route (and this issue is hidden if an
encompassing route is pushed, like, by using --redirect-gateway).
While add it, apply the hack used for FreeBSD where "an arbitrary
address from the subnet" is used to set the "remote" end of the
tunnel, and point the route to that - so if OpenBSD decides to
change their kernel routing structure the same way, our code still
works (copying from commit 433b3813d8c38b4, trac #425 and commit 60fd44e501f2002, trac #481).
Tested on OpenBSD 6.0 and 4.9
Trac: #710 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20161109201932.80991-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12983.html Signed-off-by: David Sommerseth <davids@openvpn.net>
Gert Doering [Tue, 8 Nov 2016 12:45:06 +0000 (13:45 +0100)]
Repair topology subnet on FreeBSD 11
We used to add "route for this subnet" by using our own address as
the gateway address, which used to mean "connected to the interface,
no gateway". FreeBSD commit 293159 changed the kernel side of that
assumption so "my address" is now always bound to "lo0" - thus, our
subnet route also ended up pointing to "lo0", breaking connectivity
for all hosts in the subnet except the one we used as "remote".
commit 60fd44e501f200 already introduced a "remote address" we use
for the "ifconfig tunX <us> <remote>" part - extend that to be used
as gateway address for the "tunX subnet" as well, and things will
work more robustly.
Tested on FreeBSD 11.0-RELEASE and 7.4-RELEASE (client and server)
(this particular issue is not present before 11.0, but "adding the
subnet route" never worked right, not even in 7.4 - 11.0 just made
the problem manifest more clearly)
Samuli Seppänen [Wed, 9 Nov 2016 12:42:05 +0000 (14:42 +0200)]
Fix a logic problem in handling of --up scripts in t_client.sh
Previously the $up variable was never reset after being set. This mean that
"--up update_t_client_ips.sh" was appended to all subsequent openvpn
command-lines, even if cached IPs existed.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1478695325-18038-1-git-send-email-samuli@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12979.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Samuli Seppänen [Tue, 8 Nov 2016 14:06:03 +0000 (16:06 +0200)]
Prevent generation of duplicate EXPECT_IFCONFIG entries
Previously, if t_client.rc did not source t_client_ips.rc,
update_t_client_ips.sh would add (the same) EXPECT_IFCONFIG entries to
t_client_ips.rc on every run. This patch makes update_t_client_ips.sh
check if
the entry exists before trying to add it.
v2: prevent partial matches of the EXCEPT_IFCONFIG variable name
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1478613963-28077-1-git-send-email-samuli@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12965.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Tue, 8 Nov 2016 09:44:02 +0000 (10:44 +0100)]
Fix potential division by zero in shaper_reset()
shaper_reset() is only ever called with "bytes_per_second" set to
a non-zero value - so the whole check "is it zero? if not, use
constrain_int() to make sure it is within bounds" is not needed ->
reduce check to just constrain_int() so even if somebody would
call shaper_reset(..., 0) it would not lead to a div-by-zero.
Found by Coverity.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1478598242-23514-1-git-send-email-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12942.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Tue, 8 Nov 2016 08:39:23 +0000 (09:39 +0100)]
check c->c2.link_socket before calling do_init_route_ipv6_list()
There was an asymmetry in checks before calling do_init_route*_list(),
checking c2.link_socket for IPv4 but not for IPv6 - mainly an oversight
from the time when do_init_route_ipv6_list() did not yet look at the
remote address to determine v6-over-v6 overlaps (2.3 code).
c2.link_socket should never be NULL here, so remove the "silently not
call stuff" condition and replace with ASSERT(c2.link_socket) so we
will notice if the assumption is ever wrong.
Tested in client UDP/TCP mode and server UDP/TCP/P2P and --inetd mode.
Found by Coverity.
While at it, remove "fatal" argument to do_init_route*_list(), which
was "false" in all cases (single invocation each), and remove the
error exit code related to it.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1478594363-12752-1-git-send-email-gert@greenie.muc.de>
URL: http://www.mail-archive.com/search?l=mid&q=1478594363-12752-1-git-send-email-gert@greenie.muc.de Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Mon, 7 Nov 2016 21:44:02 +0000 (22:44 +0100)]
clean up *sig_info handling in link_socket_init_phase2()
The code was a mix of "assume that it is not NULL" and "check that
it is not NULL before using" - it cannot be NULL (due to the single
call graph, referencing c->sig with the global context), but for
good measure, add an ASSERT() upon function entry and get rid of
all the individual checks.
Found by Coverity.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1478555042-31299-1-git-send-email-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12931.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Mon, 7 Nov 2016 10:50:52 +0000 (11:50 +0100)]
openvpn version line: remove [IPv6], add [AEAD] if available
Printing [IPv6] is no longer relevant information, as IPv6 support
is always build in. So, "2.4 = has IPv6, always".
[AEAD] is relevant information, as the underlying SSL library might
be too old to have support for it (OpenSSL 0.9.x) and this eases
figuring out why NCP is not upgrading a connection to AES-256-GCM.
Trac #762
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1478515852-17381-1-git-send-email-gert@greenie.muc.de>
URL: http://www.mail-archive.com/search?l=mid&q=1478515852-17381-1-git-send-email-gert@greenie.muc.de Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Thu, 3 Nov 2016 21:28:23 +0000 (23:28 +0200)]
Drop recursively routed packets
v4:
- Account for IP header offset in TAP mode
- Correct handle of non-IP protocols in TAP mode
v3: Use better way of figuring out IP proto version which
does not break TAP mode. Add an option to allow recursive
routing, could be useful when packets sent by openvpn itself
are not subject to the routing tables that would move packets
into the tunnel.
v2: better method naming
On certain OSes (Windows, OS X) when network adapter is
disabled (ethernet cable pulled off, Wi-Fi hardware switch disabled),
operating system starts to use tun as an external interface.
Outgoing packets are routed to tun, UDP encapsulated, given to
routing table and sent to.. tun.
As a consequence, system starts talking to itself on full power,
traffic counters skyrocket and user is not happy.
To prevent that, drop packets which have gateway IP as
destination address.
Tested on Win7/10, OS X, Linux.
Trac #642
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1478208503-25929-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12894.html
David Sommerseth [Mon, 31 Oct 2016 23:07:09 +0000 (00:07 +0100)]
Fix builds with --disable-crypto
When building with --disable-crypto the P2MP_SERVER is not defined,
thus breaking one place where the struct options auth_token_generate
was provided with a default value.
Also remove a lot of compiler warnings from ssl_backend.h due to
various undefined structs when doing the same build type.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1477955229-20164-1-git-send-email-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12857.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Fri, 28 Oct 2016 19:48:44 +0000 (21:48 +0200)]
auth-gen-token: Authenticate generated auth-tokens when client re-authenticates
On a server with --auth-gen-token enabled, the server will have created
a random token and pushed it to the client. When the client needs to
renegotiate the connection or otherwise reconnect, it will at this point
use the auth-token as password.
Here we check if we have a token generated and that it has been pushed
to the client, if so, then we check if the token matches the locally
stored token. If everything matches, we're done and the connection
is still authenticated.
If the auth-token authentication fails, we delete our local copy of
the token and changes the connection to not being authenticated. From
this moment of, the client needs to do a full reconnect providing
the users password again.
This token authentication also considers the token lifetime, if that
have been set via --auth-gen-token. If the token have expired, the
client is rejected and needs to do a full reconnect with a new
authentication using the users password.
v2 - Rename auth_generate_token to auth_token_generate
- Wrap lines exceeding 80 chars
- Improved several comments (rephrasing, grammar)
David Sommerseth [Fri, 28 Oct 2016 19:48:42 +0000 (21:48 +0200)]
auth-gen-token: Generate an auth-token per client
When --auth-gen-token is used a random token key is generated for
each client after a successful user/password authentication. This
token is expected to be returned in the password field on the
following authentications.
The token is 256 bits long and BASE64 encoded before it is stored.
David Sommerseth [Fri, 28 Oct 2016 19:48:40 +0000 (21:48 +0200)]
auth-gen-token: Add --auth-gen-token option
This sets the flag if the OpenVPN server should create authentication
tokens on-the-fly on successful --auth-user-pass-verify or --plugin with
OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY processing.
If an OpenVPN server is running without this option, it should behave
as before. Next patches will implement the auth-token generation and
passing it on to the clients.
The --auth-gen-token can be given an optional integer argument which
defines the lifetime of generated tokens. The lifetime argument
must be given in number of seconds.
v2 - Update Changes.rst
- Improve man page in regards to lifetime argument
- Rename struct member auth_generate_token to auth_token_generate
to have a consistent naming scheme
Steffan Karger [Fri, 28 Oct 2016 11:57:01 +0000 (13:57 +0200)]
Limit --reneg-bytes to 64MB when using small block ciphers
Following the earlier warning about small block ciphers, now limit the
--reneg-bytes value when using a cipher that susceptible to SWEET32-like
attacks. The 64 MB value has been selected with the researchers who
published the SWEET32 paper.
Note that this will not change a user-set --reneg-bytes value, to allow a
user to align a gun with his feet^w^w^w^w^w^w override this behaviour if
really needed.
v2: obey user-set --reneg-bytes 0 to revert to old behaviour, use more firm
language in warning message, and add URL to man page.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1477655821-6711-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12798.html Signed-off-by: David Sommerseth <davids@openvpn.net>
David Sommerseth [Thu, 27 Oct 2016 16:49:41 +0000 (18:49 +0200)]
Remove last rest of INSTALL-win32.txt references
Commit 04341beb1d8e0fad3425bfec5f281fe431895cd6 removed the
INSTALL-win32.txt file. But there were crucial parts left in
Makefile.am which broke building OpenVPN. In addition, removed
other references in INSTALL and README to the same file to be
complete.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1477586981-5047-1-git-send-email-davids@openvpn.net>
URL: http://www.mail-archive.com/search?l=mid&q=1477586981-5047-1-git-send-email-davids@openvpn.net
Samuli Seppänen [Tue, 25 Oct 2016 11:55:39 +0000 (14:55 +0300)]
Remove INSTALL-win32.txt that is now hosted in openvpn-build
The contents of INSTALL-win32.txt mostly just describe how to use
OpenVPN-GUI,
OpenVPN Windows services and openvpn-build. These are only loosely coupled
with
OpenVPN, and may change independently of it. Thus hosting the file in
openvpn-build (which brings all of these components together) makes most
sense.
URL: https://github.com/OpenVPN/openvpn-build/pull/35
URL: https://github.com/OpenVPN/openvpn-build/pull/38 Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1477396539-1293-1-git-send-email-samuli@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12771.html Signed-off-by: David Sommerseth <davids@openvpn.net>
David Sommerseth [Thu, 27 Oct 2016 14:37:39 +0000 (16:37 +0200)]
cleanup: Remove NOP code sections in ssl.c:tls_process()
In tls_process() there is an if (true) {} block, which is completely
unneeded. Even though compilers will optimize this away, it clutters
the code.
Also removed two #if 0 blocks within the same scope which is truly
only used for really low-level debugging. The last of these blocks
even includes some #ifdef nesting, making the code somewhat more
unstructured. It is hard to see any argument why to presever these
blocks s the information they provide won't normally be that useful.
It is aimed at very special corner case debugging.
This patch seems bigger than it really is, due to the needed
re-indenting when removing the if(true) scope.
Steffan Karger [Wed, 19 Oct 2016 19:24:20 +0000 (21:24 +0200)]
Fix use-after-free bug in prepare_push_reply()
This was introduced by commit dfd3513e, which changes the push_cipher
memory allocation from the options gc to a temporary gc. For the
ciphername in the options structure, which has to be available longer,
change this back to using the options gc.
Apologies for not spotting this during patch review.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1476905060-29896-1-git-send-email-steffan@karger.me>
URL: http://www.mail-archive.com/search?l=mid&q=1476905060-29896-1-git-send-email-steffan@karger.me Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Tue, 18 Oct 2016 11:46:04 +0000 (13:46 +0200)]
Update .mailmap to unify and clean up odd names and e-mail addresses
To make the best use of this, have a look at the --use-mailmap option.
In particular git-log and git-shortlog makes use of it. Also search
for mailmap in the git-log man page, for more ways to use this
remapping (format strings to --pretty).
Otherwise, to make use of the mailmap remapping by default do:
Heiko Hund [Fri, 24 Jun 2016 16:01:41 +0000 (18:01 +0200)]
Windows: do_ifconfig() after open_tun()
When you had multiple TAP adapters and IPv6 configured you got an error
message about "you must also specify --dev-node" and openvpn exited.
Very inconvenient especially since this is only due to the fact that
Windows tries to set the adapter address before it is opened; for no
good reason.
This patch changes the order to IFCONFIG_AFTER_TUN_OPEN, moves some
initialization code to init_tun, where it belongs, and removes duplicate
code that is now no longer needed.
v2: do not use "%lu" in argv_printf(), crashes non-iservice usage
Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Heiko Hund <heiko.hund@sophos.com>
Message-Id: <20161009152550.GQ78279@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12631.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 13 Oct 2016 16:54:16 +0000 (18:54 +0200)]
Remove tun-ipv6 Option. Instead assume that IPv6 is always supported.
This option was useful when IPv6 tun support was non standard and was an
internal/user specified flag that tracked the Ipv6 capability of the tun
device.
All supported OS support IPv6. Also tun-ipv6 is pushable by the remote so
not putting tun-ipv6 does not forbid ipv6 addresses.
This commit also clean up a bit of the ipv6 related tun.c. Changes for
most platforms are minimal.
For linux a bit more cleanup is done:
- Remove compatibility defines that were added 2008
- Always use IFF_NO_PI for the linux tun and not only for IPv4 only tun
setups (Android also always IFF_NO_PI works fine with Ipv6).
This commit also remove a non ipv6 fallback for tap driver from OpenVPN
2.2-beta or earlier and only warns.
Patch V2: Integrate Gert's comments
Patch V3: Remove tun_ipv4 option. It only used for MTU discovery and there
it was wrong since it should on the transport protocol if at all
Patch V4: Completely remove support for NetBSD <= 4.0 and remove
NETBSD_MULTI_AF defines
Patch V5: Assume generic OS in tun.c is also IPv6 capable. Add changes to
man page. Fix typos/change message as suggest by David.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1476377656-3150-1-git-send-email-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12695.html Signed-off-by: David Sommerseth <davids@openvpn.net>
Steffan Karger [Wed, 12 Oct 2016 07:32:49 +0000 (09:32 +0200)]
Check --ncp-ciphers list on startup
Currently, if --ncp-ciphers contains an invalid cipher, OpenVPN will only
error out when that cipher is selected by negotiation. That's not very
friendly to the user, so check the list on startup, and give a clear error
message immediately.
This patches changes the cipher_kt_get() to let the caller decide what
action to take if no valid cipher was found. This enables us to print all
invalid ciphers in the list, instead of just the first invalid cipher.
This should fix trac #737.
v2: improve tls_check_ncp_cipher_list() with Selva's review suggestions.
Arne Schwabe [Wed, 12 Oct 2016 10:47:07 +0000 (12:47 +0200)]
Change the hold command to communicate the time that OpenVPN would wait to the UI.
Before the connect-retry change to do exponential backup this was not
necessary since the time was fixed. With the exponential backoff the
UI needs either to implement its own exponential backoff mechanism
or needs a way of knowing the value of OpenVPN internal mechansim.
Patch V2: Fixed typos noticed by Selva
[DS: Fixed a couple of whitespace errors in management_hold() at commit time]
Lev Stipakov [Tue, 11 Oct 2016 08:03:50 +0000 (11:03 +0300)]
Use separate list for per-client push options
v4:
- fix whitespaces, wrap long lines
v3:
- rebase on master
v2:
- Also move ifconfig and ipv6-ifconfig to separate options list
Move client-specific push options (currently peer-id and cipher) to
separate list, which is deallocated after push_reply
has been send. This makes sure that options fit into buf,
not duplicated nor leak memory on renegotiation.
Signed-off-by: Lev Stipakov <lstipakov@gmail.com> Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <1476173030-2171-1-git-send-email-lstipakov@gmail.com>
URL: http://www.mail-archive.com/search?l=mid&q=1476173030-2171-1-git-send-email-lstipakov@gmail.com Signed-off-by: David Sommerseth <davids@openvpn.net>
David Sommerseth [Thu, 11 Aug 2016 14:33:55 +0000 (16:33 +0200)]
systemd: Do not mask usernames when querying for it via systemd-ask-password
In systemd after version 216, systemd-ask-password will support --echo
which
will avoid masking the user input. As OpenVPN uses this mechanism
collecting
usernames when systemd is available, this will avoid the input of
usernames to
be masked.
This patch also adds the --icon argument, which is aimed at graphical
inputs.
For example when OpenVPN is started at system boot-time using a graphical
boot
interface such as Plymouth.
[v2 - Avoid pkg.m4 hacks and use pkgconfig/autoconf methods to flag
if systemd is recent enough for --echo support]
[v3 - Avoid the dynamic list, use a static list of QUERY_USER_NUMSLOTS
- The list of query_user data is now a global variable
- Replaced query_user_init() with query_user_clear()
- Make query_user_add() a void function
- Rebased against master/600dd9a16fc61 ]
[v2 - Removed the QUERY_USER_FOREACH macro
- Avoided using underscore prefix in function names
- Make query_user_init() do M_FATAL and become a void function
instead of returning false in these unlikely situations ]
As reported by Lev Stipakov, starting from 3a5a46cf we add peer-id and
cipher values to context->options->push_list instead of adding those
directly to buf. Since push_list is preserved over sigusr1 restarts,
we add duplicate values for peer-id and cipher.
Fixed by removing the previous values from the list before adding new ones.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <CAA1Abx+1GQKipc1O1D2BXjDgrtDAFTa5GB2GUZKrT+-J-QsuNA@mail.gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12642.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Sun, 9 Oct 2016 10:09:29 +0000 (12:09 +0200)]
Fix --multihome for IPv6 on 64bit BSD systems.
The old code only worked if "struct openvpn*pktinfo" happened to use
the same structure packing as the CMSG_SPACE() / CMSG_LEN() macros
(which are part of the official API, see RFC 2292).
Get rid of "struct openvpn_*_pktinfo" definitions, replace them by
an opaque buffer sized large enough to fit IPv4 and IPv6 packet info
messages, as defined by CMSG_SPACE(sizeof(struct ...)).
On 32 bit platforms, the net result is the same. On 64 bit platforms,
the new buffer is bigger than openvpn_pktinfo was, fixing an overflow
with ipi6_ifindex corruption on reception, and EINVAL on sendmsg().
The IPv4 related changes are only side effects of using the new buffer.
Note: --multihome for IPv4 on NetBSD is still broken and non-fixable(!)
as NetBSD lacks the necessary kernel code for the sendmsg() side.
Verified that "--multihome works as well as before" on FreeBSD 7.4/amd64,
NetBSD 5.1/amd64, OpenBSD 4.9/i386, Linux/x86_64, Linux/i386,
OpenSolaris 10 (--multihome needs -D_XPG4_2, see trac #750)
See also: ip(4), ip6(4), recv(2)
Trac #634, #327, #28
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20161009100929.46472-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12626.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Tue, 4 Oct 2016 11:38:54 +0000 (13:38 +0200)]
add POSTINIT_CMD_suf to t_client.sh and sample config
We have pre-init and cleanup commands, but some test cases might need
or want to run a shell script after openvpn has initialized, but before
executing any tests (ifconfig comparison and ping).
Example: POSTINIT_CMD_4="sleep 5" on MacOS X for tap tests (IPv6 DAD)
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20161004113854.42470-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12594.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
As reported in trac #732, the man page text for --cipher is no longer
accurate. Update the text to represent current knowledge, about NCP and
SWEET32.
This does not hint at changing the default cipher, because we did not make
a decision on that yet. If we do change the default cipher, we'll have to
update the text to reflect that.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1473605431-20842-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12439.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Sun, 2 Oct 2016 13:19:23 +0000 (15:19 +0200)]
make t_client robust against sudoers misconfiguration
Instead of testing (and priming) sudo with "true", prime with
"kill -0 $$" (just test signalling ourselves). If this fails,
we won't be able to kill the openvpn process we're going to
start later on -> thus, SKIP on failure.
This helps with misconfigured setups (especially on the buildbots)
that can correctly start openvpn but then not stop it later on -
leaving openvpn processes dangling around, requiring manual
intervention.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20161002131923.36681-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12585.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Samuli Seppänen [Mon, 3 Oct 2016 10:51:27 +0000 (13:51 +0300)]
Automatically cache expected IPs for t_client.sh on the first run
Previously one had to manually define correct values for the
EXPECT_IFCONFIG* variables based on what IPv4 and IPv6 addresses
the test VPN server handed out.
This was a tedious process especially with large number of tests,
as the IPs changed for every test client and for every test. With this
patch t_client.sh figures out the correct IP addresses using an
--up script and caches them to a separate file for later use.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1475491887-740-1-git-send-email-samuli@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12587.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Make sure options->ciphername and options->authname are always defined
The NCP code does a strcmp(options->ciphername, ...) without first checking
whether options->ciphername is NULL. This could cause a crash when using
"--cipher none". This patch fixes that problem by ensuring that
options->ciphername (and options->authname) are never NULL. Ensuring that
options->ciphername is never null prevents us from having to write null
checks everywhere.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1475055231-1778-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12576.html
enable "--disable-crypto" build configuration for travis
Previously, 'make test' failed for --disable-crypto builds. Since
that is now fixed, we should no longer accept --disable-crypto builds
to fail 'make test' on travis.
Arne Schwabe [Thu, 14 Jul 2016 11:25:19 +0000 (13:25 +0200)]
Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer
Debian also incorrectly changes that the default for route parameters can
be specified by using "nil" instead of "default. The confusion is probably
coming from show_opt printing "nil" instead of "default". Change show_opt
to show "default (not set)" instead of "nil"
Original author: Alberto Gonzalez Iniesta <agi@inittab.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1468495519-25102-1-git-send-email-arne@rfc2549.org>
URL: http://www.mail-archive.com/search?l=mid&q=1468495519-25102-1-git-send-email-arne@rfc2549.org
Lev Stipakov [Sun, 18 Sep 2016 06:51:36 +0000 (09:51 +0300)]
Support for disabled peer-id
v5:
* Few more nickpicks
v4:
* replace magic number with define
* show user a decimal value instead of hex
v3:
* move assert outside of loop
* add max-clients value check to options
v2:
* Add round brackets for clarity
* Rephrase comment
Support for disabled peer-id
When peer-id value is 0xFFFFFF, server should ignore it and treat packet
in a same way as P_DATA_V1. Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1474181496-24846-1-git-send-email-lstipakov@gmail.com>
URL: http://www.mail-archive.com/search?l=mid&q=1474181496-24846-1-git-send-email-lstipakov@gmail.com
Steffan Karger [Thu, 5 May 2016 20:14:07 +0000 (22:14 +0200)]
Add SHA256 fingerprint support
Add SHA256 fingerprint support for both the normal exported fingerprints
(tls_digest_n -> tls_digest_sha256_n), as well as for --x509-track.
Also switch to using the SHA256 fingerprint instead of the SHA1 fingerprint
internally, in cert_hash_remember() / cert_hash_compare(). And instead of
updating an #if 0'd code block that has been disabled since 2009, just
remove that.
This should take care of trac #675.
v2: update openvpn.8 accordingly
[ DS: This commit squashes in the clean-up cert_hash_remember scoping patch,
as it is highly related and tied to this primary patch ]
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: 1462479247-21854-1-git-send-email-steffan@karger.me
Message-Id: 1474055635-7427-1-git-send-email-steffan@karger.me
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg11859.html
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12464.html Signed-off-by: David Sommerseth <davids@openvpn.net>
Arne Schwabe [Sat, 17 Sep 2016 11:16:46 +0000 (13:16 +0200)]
Fix ENABLE_CRYPTO_OPENSSL set to YES even with --disable-crypto set
On OS X openssl/x509.h is not in the standard include path and the
files still try to include since the includes only depend on on
ENABLE_CRYPTO_OPENSSL.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1474111006-16401-1-git-send-email-arne@rfc2549.org>
URL: http://www.mail-archive.com/search?l=mid&q=1474111006-16401-1-git-send-email-arne@rfc2549.org
David Sommerseth [Sat, 17 Sep 2016 11:18:05 +0000 (14:18 +0300)]
t_client.sh: Improve detection if the OpenVPN process did start during tests
This will check the OpenVPN log file if the process initialized
successfully.
It will check the log file for 30 seconds before aborting the test run.
This also has the advantage of starting the testing quicker if the
initialization goes faster than 10 seconds (which was the old sleep time).
The umask is also set to a more permissive mode to ensure the test
script is capable of reading the OpenVPN PID file, as that will be
created by root.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1474111085-10678-1-git-send-email-davids@openvpn.net>
URL: http://www.mail-archive.com/search?l=mid&q=1474111085-10678-1-git-send-email-davids@openvpn.net Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Sat, 17 Sep 2016 10:50:33 +0000 (13:50 +0300)]
t_client.sh: Add support for Kerberos/ksu
If the t_client.rc have PREFER_KSU=1 configured, t_client.sh
will check if you have a valid Kerberos ticket and if so it will
do all execution via ksu instead of sudo.
If PREFER_KSU is not set or a Kerberos ticket is not found, it
will fallback to the configured RUN_SUDO approach.
When using ksu it needs the full path to the program being executed,
so there is also additional code to find the full path of true and kill.
[ v2 - Remove $* from RUN_SUDO for ksu config. Old cruft which survived
last review before patch submission.
- Improve known state declaration of PREFER_KSU ]
[ v3 - Kick out bashism - '&>' redirect ]
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1474109433-4710-1-git-send-email-davids@openvpn.net>
URL: http://www.mail-archive.com/search?l=mid&q=1474109433-4710-1-git-send-email-davids@openvpn.net Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Sat, 17 Sep 2016 09:20:26 +0000 (12:20 +0300)]
t_client.sh: Make OpenVPN write PID file to avoid various sudo issues
This resolves an issue where $! returns the PID of the sudo process instead
of the PID of OpenVPN and when sudo does not properly propagate signales
down to OpenVPN.
Trac: #738 Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1474104026-20615-1-git-send-email-davids@openvpn.net>
URL: http://www.mail-archive.com/search?l=mid&q=1474104026-20615-1-git-send-email-davids@openvpn.net Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Tue, 13 Sep 2016 20:04:58 +0000 (22:04 +0200)]
Do not abort t_client run if OpenVPN instance does not start.
Basically, an oversight - if one test instance does not start at all
(due to "tap driver not loaded") the whole script would exit, instead
of logging the failing instance and proceeding to the next test run.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: 20160913200458.9906-1-gert@greenie.muc.de
URL: http://www.mail-archive.com/search?l=mid&q=20160913200458.9906-1-gert@greenie.muc.de Signed-off-by: David Sommerseth <davids@openvpn.net>
Previously, we would use the compiler's default C version, which defaults
to gnu89 for GCC < 5, gnu11 for GCC > 5, and c11 for clang, but might even
differ per distro.
One of the reasons to accept the gnu89 default of GCC < 4.9, was that MSVC
didn't support c99. But in MSVC 2015, MS finanally fixed that.
Having to support c89 in the codebase occasionally forces us to write less
readable code, for example by forcing all declaration to be at the starting
of a block (which includes 'for loop initial declarations').
Let's be clear about what standard we obey, and stop punishing ourselves
with c89/gnu89. Let's switch the master branch to c99.
v2: don't try to detect pedantic mode based on __STRICT_ANSI__, since that
will be defined when using -std=c99.
v3: only set -std=c99 if there is no -std= already present in CFLAGS
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: 1472760870-11769-1-git-send-email-steffan@karger.me
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg00194.html Signed-off-by: David Sommerseth <davids@openvpn.net>
David Sommerseth [Thu, 25 Aug 2016 20:42:03 +0000 (22:42 +0200)]
Fix client connection instant timeout
Commit b3e975824ea9ebae8dbea5b451c8d02525c83ffe moved the finalizing of
TCP/UDP sockets before the UID/GID where dropped. But this did not
factor that the timeout code had been revamped [1] in the mean time.
This ensures the timout initialization is done before the the socket
finalizing has been completed.
Gert Doering [Mon, 22 Aug 2016 20:24:47 +0000 (22:24 +0200)]
Fix problems with NCP and --inetd.
NCP only works with --pull or --mode server, leading to breakage
in --inetd mode (because that has --tls-server, but not --mode server,
but clients can still ask for PUSH_REQUEST).
Fix by turning off o->ncp_enable unless (pull or mode server), and
double-fix by logging an appropriate message and refusing to change
ciphers if the server has already set up its keys.
v2: wrap long msg() text lines
Trac: 715 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: 1471897487-8354-1-git-send-email-gert@greenie.muc.de
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg00060.html Signed-off-by: David Sommerseth <davids@openvpn.net>
projects / thirdparty / openvpn.git / log
