Steffan Karger [Tue, 2 Dec 2014 20:42:00 +0000 (21:42 +0100)]
Really fix '--cipher none' regression
... by not incorrectly hinting to the compiler the function argument of
cipher_kt_mode_{cbc,ofb_cfb}() is nonnull, since that no longer is the
case.
Verified the fix on Debian Wheezy, one of the platforms the reporter in
trac #473 mentions with a compiler that would optimize out the required
checks.
Also add a testcase for --cipher none to t_lpback, to prevent further
regressions.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1417552920-31770-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9300 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 98156e90e1e83133a6a6a020db8e7333ada6156b)
David Sommerseth [Mon, 24 Nov 2014 18:09:38 +0000 (19:09 +0100)]
autotools: Fix wrong ./configure help screen default values
enable_crypto_ofb_cfb is "yes" by default, so the --help screen
should show --disable-ofb-cfb and not --enable-ofb-cfb.
enable_small and enable_password_save are both "no" by default, so
the --help screen should state "default: no". Now it says "yes" as
default, but is really disabled in the reality.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1416852578-7581-1-git-send-email-openvpn.list@topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9278 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 104360b4f40a4ba29987d9478aed70450fec75a2)
Steffan Karger [Thu, 20 Nov 2014 12:43:05 +0000 (13:43 +0100)]
Drop too-short control channel packets instead of asserting out.
This fixes a denial-of-service vulnerability where an authenticated client
could stop the server by triggering a server-side ASSERT().
OpenVPN would previously ASSERT() that control channel packets have a
payload of at least 4 bytes. An authenticated client could trigger this
assert by sending a too-short control channel packet to the server.
Thanks to Dragana Damjanovic for reporting the issue.
Gert Doering [Sun, 23 Nov 2014 19:17:30 +0000 (20:17 +0100)]
Add client-only support for peer-id.
This is a reduced version of the peer-id patch from Lev Stipakov
implementing only the client side bits - send IV_PROTO=2, accept
"peer-id <n>" as pushed option, support P_DATA_V2 packets.
v2: remove addition of "struct tls_multi;" to options.h, not needed
David Sommerseth [Thu, 13 Nov 2014 14:43:37 +0000 (15:43 +0100)]
systemd: Reworked the systemd unit file to handle server and client configs better
Systemd can delay starting a service if the network isn't fully available
yet. This feature is useful in client configurations, where OpenVPN will
not be started before the client can reach the Internet. It is the network
service manager which tells systemd if the system is "online" or not.
For server configurations, the OpenVPN should be able to be started,
regardless if the system is "online" or not. This is also the old
behaviour of most of the old init.d script and the last systemd unit file.
This patch splits the previous systemd unit file into to two files. One
which is aimed at clients (openvpn-client@.service) and one for server
configurations (openvpn-server@.service). These files will also pick
the configurations from different sub-directories. The unit file for
openvpn-client@ will use /etc/openvpn/client and the server unit file
will use /etc/openvpn/server. This also ensures that config files
are not started in the wrong manner.
The arguments given to the openvpn binary have also shifted order,
to ensure that some of them cannot be overridden by the config file,
such as --daemon and --writepid. For server configurations a
--status file is also added with the status format set to 2. This
can be overridden by the configuration file.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1415889817-28049-1-git-send-email-openvpn.list@topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9222 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3341a98c2852d1d0c1eafdc70a3bdb218ec29049)
Steffan Karger [Wed, 22 Oct 2014 22:14:29 +0000 (00:14 +0200)]
Modernize sample keys and sample configs
I kept most of the certificate properties equal to the old
certs, since some people's test scripts might rely on them (and
it does not require any creativity from my part).
Changes:
* Add script to generate fresh test/sample keys
(but keep sample keys in git for simple testing)
* Switch from 1024 to 4096 bits RSA CA
* Switch from 1024 to 2048 bits client/server RSA keys
* Switch from 1024 to 2048 bits Diffie-Hellman parameters
* Generate EC client and server cert, but sign with RSA CA
(lets us test EC <-> RSA interoperability)
* Remove 3DES cipher from 'sample' config
* Add 'remote-cert-tls server' to client config
* Update config files to deprecate nsCertType in favour of the
keyUsage and extendedKeyUsage extensions.
* Make naming more consistent
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <54721611.4020103@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9271 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Because using TLS 1.2 breaks certain setups, a user might want to enforce
a maximum TLS version to use. This patch adds that option.
This patch removes a number of #ifdefs from ssl_polarssl.c, because the
polarssl versions we currently support (polar 1.2 for openvpn 2.3, and
polar 1.3 for openvpn-master) have all versions unconditionally enabled.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <544EC052.3080809@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9210 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Sat, 8 Nov 2014 10:15:08 +0000 (11:15 +0100)]
Fix assertion error when using --cipher none
Some commits ago, the cipher mode checks were cleaned up to
remove code duplication (and fix the issue in #471), but broke
'--cipher none' (reported in #473). This commit fixes that.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <545DED2C.5070002@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9217 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 4e93e6dc88f4d904a4f2eb90140472a8d8fd68d0)
Steffan Karger [Sat, 25 Oct 2014 09:47:49 +0000 (11:47 +0200)]
ssl_polarssl.c: fix includes and make casts explicit
The master branch already has a commit doing almost the same
(9048d50), but since the API for polarssl 1.2 is different, this
could not be cherry-picked back to the 2.3 branch.
This commit:
* adds a number of missing #includes.
* makes a number of implicit casts explicit, to silence gcc
-Wall and clang warnings that hide real problems.
* changes the type of sha256_hash[] to match what polarssl expects.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1414230469-2670-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9194 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Fix regression with password protected private keys (polarssl)
Between versions 1.2.7 and 1.2.8, polarssl changed the errors
returned by the X509 parsing functions, which broke the OpenVPN
implementation for password protected private keys in polarssl
builds. This patch fixes that by checking for the new errors in
OpenVPN.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <5432E951.6020405@fox-it.com> Signed-off-by: Gert Doering <gert@greenie.muc.de>
TDivine [Wed, 22 Oct 2014 07:07:39 +0000 (10:07 +0300)]
Fix "code=995" bug with windows NDIS6 tap driver.
Modification to address bug where OpenVPN enters state where it is
unresponsive and cannot be terminated. Log output is continuous spew
of "code=995" errors.
Revised fix for code=995 sped bug.
Adding new tap adapters while connected:
https://community.openvpn.net/openvpn/ticket/430
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1413961660-19251-2-git-send-email-samuli@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9165 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1413961660-19251-3-git-send-email-samuli@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9167 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7aa178381241ae015273914065471e0d271ee1c3)
Samuel Thibault [Thu, 9 Oct 2014 21:40:49 +0000 (23:40 +0200)]
Ensure that client-connect files are always deleted
On a long-running, busy server using either a plug-in which hooks into
OPENVPN_PLUGIN_CLIENT_CONNECT or a configuration using --client-connect
a lot of unused files will be lingering and potentially filling up
the file system with temporary files if the plug-in or --client-connect
script fails.
This patch ensures that these files are always removed in the end,
regardless if the plug-in or script succeeds or fails.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 20141012195919.GU3738@type
URL: http://thread.gmane.org/gmane.network.openvpn.devel/9104/focus=9118
(cherry picked from commit 7da9d40243e0743e2d050ceb6ae34e467dd58973)
David Sommerseth [Thu, 16 Oct 2014 15:17:34 +0000 (17:17 +0200)]
systemd: Use systemd functions to consider systemd availability
* OpenVPN 2.3.x backport note
This patch is the result of merging two commits from master, both
ensuring that systemd and the needed utilities are available.
Commit f33ee6bcb12fdc3869b17b7c528a209f16581e2e:
This is another systemd implementation clean-up. It was found that
SELinux will block OpenVPN from checking /sys/fs/cgroups. As OpenVPN
only checked /sys/fs/cgroups and /sys/fs/cgroups/systemd to see if
systemd was available or not, it was considered better to query
systemd directly to see whether or not to query for usernames and
passwords via systemd.
This patch has been compile tested on Fedora 19 and Fedora 21 alpha and
function tested on Fedora 19.
v2 - Use PKG_CHECK_MODULES() + check for libsystemd before
libystemd-daemon. systemd >= 209 use a unified library
It was discovered that the child processes openvpn fork()ed would
be lingering around until openvpn stopped. This was due to the lack
of a wait() call.
This patch also cleans up a few minor white-space issues in the same
code segment.
[v2 proper initialisation of status variable]
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1409930731-15263-2-git-send-email-davids@redhat.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/9021
(cherry picked from commit d886d468849051af525bb8ff1b9080f6c934e3ab)
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
Currently, when compiling with --enable-iproute2 , OpenVPN does not
create a correct route when the user is connected to the Internet
without a gateway (e.g. via ppp). This patch implements the
corresponding FIXME.
Signed-off-by: Philipp Hagemeister <phihag@phihag.de> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <54259015.2030005@phihag.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9056 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit baa195b9884e276c4fd3dc0c9e8a84b89ea71cfb)
ocsp_check - double check if ocsp didn't report any errors in execution
in case the reposnses are too old, ocsp tool can return text like this:
Response verify OK
ca/cert.pem: WARNING: Status times invalid. 139990703290240:error:2707307D:OCSP routines:OCSP_check_validity:status
expired:ocsp_cl.c:358:
good
This Update: Sep 21 12:12:48 2014 GMT
Next Update: Sep 22 12:12:48 2014 GMT
light change in buffering can cause "verify OK" and "ca/cert.pem: good"
to be placed in a way that matching will be valid Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1411727041-11884-2-git-send-email-hkario@redhat.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9055
ocsp_check - signature verification and cert staus results are separate
when openssl returns result of parsing and verification of the
OCSP response, the signature verification is separate from the certificate
status, as such it's necessary to check both of them.
Otherwise results like:
Response Verify Failure 140170966779776:error:27069076:OCSP routines:OCSP_basic_verify:signer
certificate not found:ocsp_vfy.c:85:
ca/cert.pem: good
This Update: Sep 23 12:12:28 2014 GMT
will be accepted as being trustworthy.
Note that "Response verify OK" is printed on stderr, so it can't
be discarded.
Remove quadratic complexity from openvpn_base64_decode()
Every four input characters, openvpn_base64_decode called token_decode,
which in turn called strlen() on the remaining input. This means that
base64 decoding in openvpn had quadratic complexity.
All we really need to know is whether the token is complete, so replace
the check to check just that, and make the complexity linear wrt the
input length.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <5408494D.7050407@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9016 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 25e1ec71dd150e803c0a25308c193fea124c7b7a)
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
On modern systems, topology subnet should always be set, but it's
missing in the configuration file.
Add it with a short explanation.
Signed-off-by: Philipp Hagemeister <phihag@phihag.de> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <53BF9998.5020906@phihag.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8878 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c277757fcf7fb4c2713db154439f937d48cfae61)
Arne Schwabe [Sun, 13 Jul 2014 12:28:47 +0000 (14:28 +0200)]
Fix server routes not working in topology subnet with --server [v3]
The IPv4 routing code needs an IPv4 address to point a route to, and
in --topology subnet mode, the *server* did not have one set by default.
So we now just default --route-gateway to the next address right after
the server address - the specific address doesn't matter, as the correct
next-hop will not be resolved by the host OS but by the OpenVPN daemon.
All that is needed is "it's in the subnet routed to the tun interface".
Using the server address itself would work on unix, but doesn't work with
the Windows TAP driver (as it does not spoof ARP responses for itself).
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1405254527-23833-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8904
(cherry picked from commit 4cc6a2595947a0e2f13b37637899bfc50f8509aa)
Don't exit daemon if opening or parsing the CRL fails.
As requested in trac ticket #83, the daemon should not exit if opening the
CRL file during a connection attempt fails; OpenVPN should merely deny the
connection.
CRL files need to be periodically updated. When users update their CRL in
place and a connection attempt takes place simultaneously, the CRL file
might temporarily not be available, or not be in a consistent state.
Previously, that would result in the daemon exiting. With this patch, that
results in one (or possibly a few) failed connection attempts, but service
will restore automatically as soon as the CRL is again available in a valid
state.
Note that on startup OpenVPN still checks the existence and accessibility
of the CRL file, and will refuse to start on error.
While I was touching the code, I improved error reporting for the PolarSSL
code a bit. The polar code opens and parses the CRL in a single call, so
on error retrieve details from polarssl and report those to the user.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <53BED57C.7070300@fox-it.com> Signed-off-by: Gert Doering <gert@greenie.muc.de>
Andris Kalnozols [Sat, 28 Jun 2014 17:41:02 +0000 (19:41 +0200)]
Do not upcase x509-username-field for mixed-case arguments.
I revisited options.c to refine its brute-force upcasing behavior. Now, the
upcasing is done only if the option argument is all lowercase. Mixed-case
arguments and those with the "ext:" prefix are left unchanged. This
preserves the original intent of the "helpful" upcasing feature for
backwards compatibility while limiting its scope in a straightforward way.
Signed-off-by: Andris Kalnozols <andris@hpl.hp.com> Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <53B1BDD8.8020705@karger.me> Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f4e0ad82b0eaccce965074c1ceec2b7e3853dc0d)
Gert Doering [Tue, 8 Jul 2014 07:20:54 +0000 (09:20 +0200)]
Call init script helpers with explicit path (./)
The provided OpenVPN init scripts scan /etc/openvpn for *.conf and run
an OpenVPN process for each, and if a .sh script with the same base name
exists, this is run before openvpn. Change from running "$name.sh" to
"./$name.sh" - depending on the shell used, the script won't be found
otherwise, and ensuring that the script isn't searched in $PATH is the
right thing anyway.
Reported in trac #423
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Message-Id: <1404804054-32424-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8858
(cherry picked from commit cf31d5f32197159691fa9e3e4afcfc35307702d6)
Gert Doering [Tue, 8 Jul 2014 14:45:58 +0000 (16:45 +0200)]
Fix t_lpback.sh platform-dependent failures
commit e97aa06dc058 introduced "full openvpn cipher testing", but fails
on OpenSSL 0.9.8 with DES-CFB1 (skip), on NetBSD for RC5-* (needs extra
library, libcrypto_rc5.a) and on Solaris for POSIXly "tail" (rewrite).
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1404830758-7927-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8861
(cherry picked from commit bbae238d5084012525a61a0e3ab947c414a555ae)
Steffan Karger [Sun, 8 Jun 2014 16:16:13 +0000 (18:16 +0200)]
Add proper check for crypto modes (CBC or OFB/CFB)
OpenSSL has added AEAD-CBC mode ciphers like AES-128-CBC-HMAC-SHA1, which
have mode EVP_CIPH_CBC_MODE, but require a different API (the AEAD API).
So, add extra checks to filter out those AEAD-mode ciphers.
Adding these made the crypto library agnostic function cfb_ofb_mode()
superfuous, so removed that on the go.
Also update all cipher mode checks to use the new cipher_kt_mode_*()
functions for consistency.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1402244175-31462-3-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8779 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a4b27b6481c7496f2a8705c993edfe150a3541cb)
Steffan Karger [Sun, 8 Jun 2014 16:16:12 +0000 (18:16 +0200)]
Rename ALLOW_NON_CBC_CIPHERS to ENABLE_OFB_CFB_MODE, and add to configure.
Makes OFB/CFB compile time configurable, and fixes output of --show-ciphers
to also show OFB/CFB ciphers along the way (becasue crypto.h was not
included from crypto_openssl.c).
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1402244175-31462-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8781 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c353af2f474f79bfd7b2b67ecc02e91152500209)
Heiko Hund [Thu, 16 Aug 2012 08:38:50 +0000 (10:38 +0200)]
refine assertion to allow other modes than CBC
cipher_ctx_final() only returns an outlen in CBC mode. If CFB or OFB
are used the assertion outlen == iv_len is always false.
There's no CBC mode defined for the GOST 28147-89 block cipher. Hence
this patch is needed for it to work. It's needed for other ciphers like
BF-CFB as well, though.
James Bekkema [Thu, 26 Jun 2014 11:40:39 +0000 (21:40 +1000)]
Fix socket-flag/TCP_NODELAY on Mac OS X
Hi All,
OpenVPN 2.3.4 will currently throw a warning of "NOTE: setsockopt
TCP_NODELAY=1 failed (No kernel support) when attempting to use the
TCP_NODELAY socket option on Mac OS X/Darwin. Kernel support is there,
however the required header file where TCP_NODELAY is defined is not being
included. This patch simply alters syshead.h to include <netinet/tcp.h> on
Darwin platforms.
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <A1005665-126D-45D5-A6F2-75ED0EAE30FE@sparklabs.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8809
Steffan Karger [Tue, 24 Jun 2014 20:03:25 +0000 (22:03 +0200)]
Update README.polarssl
PolarSSL support has been extended and adjusted, but README.polarssl was
not accordingly adjusted. This updates README.polarssl to the current state
of affairs for OpenVPN 2.3.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1403640206-7024-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8804 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Fix bug that incorrectly refuses oid representation eku's in polar builds
The return value of x509_get_numeric_string() was interpreted incorrectly
by ssl_verify_polarssl.c's x509_verify_cert_eku(). This patch enables the
usage of oid represenation in --remote-cert-eku options.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Message-Id: <1398415277-6880-1-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8627 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e238b806f5f3843b80d5b1b2b269679210faa7f6)
Improve error reporting on file access to --client-config-dir and --ccd-exclusive
OpenVPN will do some simple sanity checking at startup to ensure
the expected files and directories is in place. However, with
--client-config-dir and --ccd-exclusive, things are slightly different.
In both cases it is perfectly fine that files does not exists, and we
cannot know any file names beforehand due to these filenames being based
upon the certificate's CN field.
The problem arises when OpenVPN cannot open files inside a directory
because the directory permissions are too restrictive, have wrong
ownership (triggered by the usage of --user/--group) or other security
mechanisms the OS uses.
When a client connects, the test_file() function is used to check if a
client config file has been prepared. And if not, it continues without
trying to read it. So, if the privileges of the running OpenVPN process
is not allowed to open and read an existing file, OpenVPN will treat this
as a non-existing file without saying anything. This is clearly wrong.
So this patch adds an warning message in the OpenVPN log if it could
not open the file due to lack of permissions.
This will work fine on all *nix based OSes. Windows however reports
'no such file or directory' (errno=2/-ENOENT) even on privilege access
errors when the directory this file resides is too restrictive. But there
is no easy way to work around that. However, I believe that the initial
sanity checking at startup will catch that one, as it will check if the
directories it needs exists.
This patch has only gone through simple basic testing, with both too few
privileges and with proper privileges to the CCD directory. With wrong
privileges, the following error can be found if CN=Test client
Fri May 2 00:00:10 2014 us=281993 127.0.0.1:41017 Could not access file
'/etc/clients/Test client': Permission denied (errno=13)
[v2 - use openvpn_errno() instead of errno, for better platform support]
Trac: #277
Trac-URL: https://community.openvpn.net/openvpn/ticket/277 Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1398990504-4239-1-git-send-email-dazo@users.sourceforge.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8688 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 4978dadaed4ecf1b9dd256f57c6a5c895691580b)
Gert Doering [Fri, 6 Jun 2014 18:43:55 +0000 (20:43 +0200)]
Drop incoming fe80:: packets silently now.
IPv6 has the concept of "link local" addresses, fe80::<host id>, which
normally are present on every link, and are used for stuff like DHCPv6,
neighbor discovery, etc.
OpenVPN point-to-multipoint mode currently does neither configure them on
tun interfaces, nor are they handled in a meaningful way if a client OS
always has them (like Windows or Solaris) - so the log fills with many
lines of "MULTI: bad source address from client [fe80::...]", serving
no useful purpose.
This patch just recognizes IPv6 LL packets and silently drops them.
Further patches can build on this and add full link-local support, which
would require address learning (as the addresse are based on host IDs, not
assigned by the server).
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1402080235-24409-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8773
(cherry picked from commit 70f1864188ad00451683cabf51e56b7730250c40)
Make serial env exporting consistent amongst OpenSSL and PolarSSL builds.
This changes the representation of the tls_serial_{n} environment variable
from hex to decimal for PolarSSL builds, to match OpenSSL build behaviour.
Because hex representation for serials makes sense too, and to ease
transition for PolarSSL users, added tls_serial_hex_{n} that exports the
serial in hex represenation for both crypto library backends.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <535EB49E.5090809@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8664 Signed-off-by: Gert Doering <gert@greenie.muc.de>
James Yonan [Mon, 28 Apr 2014 20:52:11 +0000 (22:52 +0200)]
When tls-version-min is unspecified, revert to original versioning approach.
For OpenSSL, this means to use TLSv1_(client|server)_method rather
than SSLv23_(client|server)_method combined with SSL_OP_NO_x flags
for specific TLS versions to disable.
For PolarSSL, this means to implicitly control the TLS version via allowed
ciphersuites.
Point out off-by-default-now setting in the openvpn(8) man page.
This patch is only included in the release/2.3 branch, because it's a
stopgap measure. 2.4 will have it on-by-default, when the remaining
handshake problems are fully debugged and solved.
Signed-off-by: James Yonan <james@openvpn.net> Signed-off-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: James Yonan <james@openvpn.net>
Message-Id: <535EC5FE.6060302@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8665 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Tue, 29 Apr 2014 21:09:39 +0000 (23:09 +0200)]
Conditionalize calls to print_default_gateway on !ENABLE_SMALL
Calls to print_default_gateway() depended on #ifdef ENABLE_DEBUG, but
the actual function wasn't compiled in #ifdef ENABLE_SMALL, so the
combination "configure --enable-small --enable-debug" didn't work. Fix.
Fix trac #397
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1398805779-29376-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8670
(cherry picked from commit c29e08a2f33234fb705a8323c0d9e1e07b0773fd)
Dmitrij Tejblum [Sat, 8 Feb 2014 15:33:49 +0000 (19:33 +0400)]
Fix is_ipv6 in case of tap interface.
While checking a packet on a TAP interface, is_ipv_X() in proto.c
insist that the ethertype must be OPENVPN_ETH_P_IPV4, even if
the protocol is IPv6. So the protocol never match, and, thus,
mssfix doesn't work for IPv6 on TAP interface. Fix that.
Signed-off-by: Dmitrij Tejblum <dt@yandex.ru> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1391873629-14388-1-git-send-email-dt@yandex.ru>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8259 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit db037c20086587a609ef33127c15de080270f2cb)
Fix build system to accept non-system crypto library locations for plugins.
Flags like {OPEN,POLAR}SSL_CFLAGS were used by the core build, but not by
the plugins. However, all plugins include openvpn-plugin.h, which need
crypto/ssl headers.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1398080238-19662-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8576 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ea31bc680fc83946b2cc8d0c93544a1ab2a01d63)
Gert Doering [Sat, 26 Apr 2014 11:30:54 +0000 (13:30 +0200)]
More IPv6-related updates to the openvpn man page.
Point to correct kernel version for --multihome and IPv4-mapped
addresses (3.15, Tore Anderson).
Remove old reference to http://www.greenie.net/ from the IPv6 section,
as the code and documentation in here is more current than on that site.
Some more additions and clarifications.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Tore Anderson <tore@fud.no>
Message-Id: <1398511854-3609-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8642
(cherry picked from commit 2a97e69e71d4afb9c32268890e13db19cb73196b)
Change signedness of hash in x509_get_sha1_hash(), fixes compiler warning.
hash was cast from char * to unsigned char * at the return of the function.
This patch removes the implicit cast by declaring hash as unsigned char * .
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1398585348-7969-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8647 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit d4309c21d9cde43c777985e373242afa78afefa1)
Gert Doering [Sun, 19 Jan 2014 20:51:37 +0000 (21:51 +0100)]
Repair --multihome on FreeBSD for IPv4 sockets.
The code in link_socket_write_udp_posix_sendmsg() for the IP_RECVDESTADDR
case was sending a too-large control message (sizeof openvpn_pktinfo,
which is a union for IPv4+IPv6) instead of just openvpn_in4_pktinfo,
leading to sendmsg() refusing to send the packet.
Use RFC 2292 macros for alignment + size calculation.
Fix trac#327
Signed-off-by: Gert Doering <gert@greenie.muc.de> Lazy-Ack-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1390164697-1590-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8250
(cherry picked from commit 661d914c8732a208580b1eab167255c85da162c9)
Arne Schwabe [Fri, 28 Mar 2014 10:07:01 +0000 (11:07 +0100)]
Fix man page and OSCP script: tls_serial_{n} is decimal
Commit 7d5e26cbb53 fixed extracting serial but did not change the format,
which always has been decimal. This patch fixes the manpage and
OSCP.sh script to conform with the implementation. Acked-by: James Yonan <james@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1396001222-5033-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8409
Gert Doering [Sun, 20 Apr 2014 18:41:01 +0000 (20:41 +0200)]
Minor t_client.sh cleanups
- remove built tests/t_client.sh script on "make clean"
- ignore Linux iproute2 "ssthresh <n>" output that sometimes shows up
in "ip -6 route show" and breaks before/after comparison
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1398019261-30180-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8557
(cherry picked from commit 1e3a1786a80e4afac37133ce5d6a1dcff779a4ce)
Gert Doering [Sun, 13 Apr 2014 11:12:02 +0000 (13:12 +0200)]
IPv6 address/route delete fix for Win8
Use "store=active" for IPv6 address and route deletion - seems to be
required on Windows 8 and up, and not doing it will break OpenVPN
reconnection (old addresses are not properly deleted, thus address can
not be configured on connect).
Reported-by: Cedric <cedric+openvpn@bgtn.net> Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Cedric Tabary <cedric+openvpn@bgtn.net>
Message-Id: <20140413170648.GU16637@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8499
(cherry picked from commit 4b4fac9184fcea1eab4f4223309211780cee188a)
Yawning Angel [Mon, 10 Mar 2014 03:47:58 +0000 (03:47 +0000)]
Fix SOCKSv5 method selection
So, RFC 1928 doesn't say anything about the METHODS field in the Method
Selection message being ordered in terms of preference or anything, and
the server is free to pick any of the METHODS offered by the client.
Always sending a Method Selection message with NO AUTHENTICATION REQUIRED
and USERNAME/PASSWORD set is broken on two fronts:
* If the OpenVPN client can't handle the server picking USERNAME/PASSWORD
due to the credentials being missing, it shouldn't offer it to the
server.
* If the OpenVPN client has credentials, then it should always attempt to
authenticate. This is a security product. "You can misconfigure it and
it will work" is not acceptable. Setting a username/password when the
SOCKS server doesn't require/support that as an option is the user not
configuring it correctly, and should be treated as such.
Also verify that the SOCKS server returned the auth that was requested.
URL: https://github.com/OpenVPN/openvpn/pull/14
Fix trac #377, trac #148 Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20140413130102.GR16637@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8488
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-By: Arne Schwabe <arne@rfc2549.org>
(cherry picked from commit a95358af543b9106f4ef481e4556d1d03459d058)
Gert Doering [Sun, 23 Mar 2014 12:19:08 +0000 (13:19 +0100)]
Workaround missing SSL_OP_NO_TICKET in earlier OpenSSL versions
058e889d introduced using SSL_OP_NO_TICKET, leading to build failures on
systems that could build 2.3.2 fine. Inside the 2.3 release train, we
do not want to change requirements, so for those build environments, ignore
missing SSL_OP_NO_TICKET. 2.4 will require more recent OpenSSL, though.
However, even with the above code, stateless session resumption
is still possible unless explicitly disabled with the
SSL_OP_NO_TICKET flag. This patch does this.
Gert Doering [Mon, 13 Jan 2014 21:54:34 +0000 (22:54 +0100)]
Replace copied structure elements with including <net/route.h>
The code for FreeBSD, Dragonfly, OpenBSD and NetBSD contained copies
of structures from <net/route.h> (struct rt_msghdr in particular).
OpenBSD changed some structure elements, making OpenVPN incompatible,
depending on the specific OpenBSD version. Clean up: remove copied
definitions, replace by including <net/route.h> directly - this could
not be done originally due to a conflict with "struct route" in OpenVPN
and <net/route.h>, cleaned up by the previous commit.
Tested on FreeBSD 9.1-RELEASE, NetBSD 5.1, OpenBSD 4.9 (route.c compiles
with no warnings, and "openvpn --show-gateway" works, which is the only
part of the code that uses the structures in question).
Fix trac #340
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1389650074-18455-2-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8230
(cherry picked from commit 615fb9ef36310f85fd6171301128a12740444455)
Gert Doering [Sun, 17 Nov 2013 14:30:20 +0000 (15:30 +0100)]
Make code and documentation for --remote-random-hostname consistent.
Documentation examples, description and code were disagreeing on what
this option actually does. Now they will all agree that it will
*prepend* a random-byte string to the hostname name before resolving
to work around DNS caching (needs a "*" wildcard record in the zone).
Fix trac #143
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1384698620-27946-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7999
(cherry picked from commit 7de8f3f322c1a1c13022a0243267624930dac5c9)
Jens Wagner [Tue, 7 Jan 2014 21:07:54 +0000 (22:07 +0100)]
Fix spurious ignoring of pushed config options (trac#349).
The function incoming_push_message(...) in push.c uses a local variable
option_types_found, that gets passed to do_up(...).
If the server push got split into several parts, only the last part
(PUSH_MSG_REPLY) option_types_found is used for do_up (initilized as 0
locally), the previous ones (PUSH_MSG_CONTINUATION) are ignored.
So e.g. a ping config, pushed by the server in the first push, followed
by a lot of "push route" configs, causing a second push message, will
have the do_up() called, but without e.g. the OPT_P_TIMER flag, so those
options will be silently ignored.
The patch resolves that, by introducing "push_option_types_found" in
"c->options" and using that as storage.
Fix trac bug #349.
Acked-by: Gert Doering <gert@greenie.muc.de>
URL: https://community.openvpn.net/openvpn/ticket/349 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 1aac9a0b7a4046822a0134cd8693a828f2e16576)
Steffan Karger [Wed, 1 Jan 2014 20:10:22 +0000 (21:10 +0100)]
Update TLSv1 error messages to SSLv23 to reflect changes from commit 4b67f98
Commit 4b67f98 changed call to TLSv1_{client,server}_method() to
SSLv23_{client,server}_method(), this commit updates the corresponding
error messages to match the changes in the code.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1388607026-12297-3-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8147 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 441be9f4f91a16218d40b401384ead51b5aac0cc)
Steffan Karger [Wed, 1 Jan 2014 20:10:21 +0000 (21:10 +0100)]
Also update TLSv1_method() calls in support code to SSLv23_method() calls.
Commit 4b67f98 changed calls to TLSv1_{sever,client}_method() to
SSLv23_{client,server}_method() to enable TLS version negotiation. This
commit does the same for two calls of TLSv1_method() from support code.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1388607026-12297-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8148 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit dd3e319c1d66c7da51b8555d745a1139e0b322f2)
Steffan Karger [Sun, 15 Dec 2013 18:34:27 +0000 (19:34 +0100)]
Use RSA_generate_key_ex() instead of deprecated, RSA_generate_key()
This patch moves from using the deprecated RSA_generate_key() to the 'new'
RSA_generate_key_ex() to generate ephemeral RSA keys. This patch does
not change OpenVPN's behaviour.
One note on the implementation though; the code generates one ephemeral
RSA key that is used during the entire lifetime of an OpenVPN process.
If OpenSSL requests a new (ephemeral) key, it will keep on returning the
same (usually rather small) key. Not the best solution.
To actually run this code, I had to force usage by selecting the
TLS-RSA-EXPORT-WITH-DES40-CBC-SHA tls-cipher. That generated a 512-bit
ephemeral RSA key, and uses the outdated DES encryption protocol.
Using this mode could lead to a false sense of security. Then again, one
should be using (Ephemeral) Diffie-Hellman anyway, and OpenVPN requires
a tls-server to supply dh parameters. A user would need to deliberately
choose a weak tls-cipher like TLS-RSA-EXPORT-WITH-DES40-CBC-SHA, which
would be aligning a gun with his foot anyway. If one would decide this
implementation is not good enough anymore, I'd suggest to just strip out
support for this completely.
Code has been tested using the TLS-RSA-EXPORT-WITH-DES40-CBC-SHA tls-cipher
which uses this to create ephemeral RSA keys.
Arne Schwabe [Tue, 17 Dec 2013 10:22:47 +0000 (11:22 +0100)]
Add warning for using connection block variables after connection blocks
In 2.3 some options that were allowed only in global config before have
been moved to connection blocks. This changes the behaviour if the
variables were defined after connection block. This patch adds a warning
to catch these mistakes.
Also let warnings errors show [CONNECTION-OPTIONS] instead of [CMD-LINE]
for connection blocks Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1387275767-10303-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8117
David Sommerseth [Mon, 25 Nov 2013 12:32:58 +0000 (13:32 +0100)]
Fix file checks when --chroot is being used
Commit 0f2bc0dd92f43c9 started to introduce some file sanity
checking before OpenVPN started to avoid harder to explain issues
due to missing files or directories later on. But that commit
did not consider --chroot at all. Which would basically cause
OpenVPN to complain on non-missing files, because it would not
consider that the files where inside a chroot.
This patch is based on the thoughts in a patch by Josh Cepek [1],
but trying to simplify it at bit.
Gert Doering [Sun, 24 Nov 2013 16:13:04 +0000 (17:13 +0100)]
t_client.sh: ignore fields from "ip -6 route show" output that distort results.
"ip -6 route show" prints stuff like "rtt 38ms rttvar 38ms cwnd 10", which
sometimes changes while an OpenVPN test is running, resulting in spurious
failures in the "ifconfig/route must be restored identically after
OpenVPN ends" test in t_client.sh. Not all fields are there all the time,
so use "sed" to get rid of whatever is printed this time.
Only relevant for "make check" on linux builds with "--enable-iproute2".
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1385309584-23209-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8047
(cherry picked from commit 8c19087034cb1076874075b9e2896ea3f7be59cf)
Joachim Schipper [Thu, 19 Sep 2013 10:47:28 +0000 (12:47 +0200)]
--management-external-key for PolarSSL
Add --management-external-key support, compatible with the OpenSSL
implementation. Needs the flexibility of ssl_set_own_cert_alt(), which
is new in PolarSSL-1.2.
Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com> Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1379587649-25506-3-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7886 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 38ace48c6820c611e689bc69b0cf5380bf7a8891)
Joachim Schipper [Thu, 19 Sep 2013 10:47:27 +0000 (12:47 +0200)]
Refactor tls_ctx_use_external_private_key()
OpenSSL's tls_ctx_load_cert_file() had a parameter in which a copy of the
context's certificate chain was stored on return, used by
tls_ctx_use_external_private_key() only and free()d immediately thereafter.
PolarSSL also supported this output parameter, but returned a pointer to
the
context's certificate chain (rather than to a copy of the certificate, as
OpenSSL does) - which meant that we would have to #ifdef the free().
PolarSSL cannot make a copy of a certificate chain, and OpenSSL cannot
store a
pointer to (instead of a copy of) the cert.
So remove the output parameter from tls_ctx_load_cert_file() and
incorporate
the needed functionality directly into tls_ctx_use_external_private_key()
(which is straightforward for both OpenSSL and PolarSSL, as long as you
don't
try to support both at once.)
Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1379587649-25506-2-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7888 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c3b2d487bc5089c8c0cf65df8e6cc2232d84b05b)
Setting es->gc=NULL causes env_set_add_nolock() / remove_env_item() to
free() allocated and no longer used strings in the es, while an active
gc would leave them for cleanup with gc_free() at client disconnect time.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Conflicts:
src/openvpn/buffer.c Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Message-Id: <20131023162618.GP161@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7939
(cherry picked from commit 4368147972d61b598bbcd5d2904d891130d5e517)
It looks like it's possible to specify an optional authfile as third
argument of the "socks-proxy" directive. This patch updates the man page to
document that.
projects / thirdparty / openvpn.git / log
