In the past years, the internet has been moving forward wrt deprecating
older and less secure ciphers. Let's follow this example in OpenVPN and
also restrict the default list of negotiable TLS ciphers in 2.3.x.
This disables the following:
* Export ciphers (these are broken on purpose...)
* Ciphers in the LOW and MEDIUM security cipher list of OpenSSL
The LOW suite will be completely removed from OpenSSL in 1.1.0,
the MEDIUM suite contains ciphers like RC4 and SEED.
* Ciphers that are not supported by OpenVPN anyway (cleans up the list)
Note that users are able to override this default, using --tls-cipher, if
they for some reason need ciphers that are now disabled by default.
v2: add Changes.rst entry.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1460917412-29741-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11455
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Make intent of the validation clear when validating utun parameter in
open_darwin_utun. The program logic remains unchanged.
Fixes the following compiler warning on Mac OS X:
tun.c:2847:19: warning: logical not is only applied to the left hand side
of this comparison [-Wlogical-not-parentheses]
if (dev_node && !strcmp ("utun", dev_node)==0)
^ ~~
tun.c:2847:19: note: add parentheses after the '!' to evaluate the
comparison first
if (dev_node && !strcmp ("utun", dev_node)==0)
^
( )
tun.c:2847:19: note: add parentheses around left hand side expression to
silence this warning
if (dev_node && !strcmp ("utun", dev_node)==0)
^
( )
tun.c:2849:11: warning: logical not is only applied to the left hand side
of this comparison [-Wlogical-not-parentheses]
if (!sscanf (dev_node, "utun%d", &utunnum)==1)
^ ~~
tun.c:2849:11: note: add parentheses after the '!' to evaluate the
comparison first
if (!sscanf (dev_node, "utun%d", &utunnum)==1)
^
( )
tun.c:2849:11: note: add parentheses around left hand side expression to
silence this warning
if (!sscanf (dev_node, "utun%d", &utunnum)==1)
^
( )
Signed-off-by: Jens Neuhalfen <jens@neuhalfen.name>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <3365AB24-33FD-4D9D-A57C-BF9240DC3D69@neuhalfen.name>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11440
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6be0f0015d7485f0bf3c14a3a381a6f6496270a5)
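The warning above is about operator precedence: `!strcmp("utun", dev_node)==0` parses as `(!strcmp(...)) == 0`, and `!sscanf(...)==1` parses as `(!sscanf(...)) == 1`, which is why the logic was correct but unreadable. The following is an added example (not OpenVPN's tun.c) that writes the two checks with explicit comparisons; the return-value convention (-1 for "any unit", -2 for "not a utun name") is an assumption made for this example, since the real code reports the error through msg() instead.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Added example, not OpenVPN's code.  Same decisions as the original
 *   if (dev_node && !strcmp ("utun", dev_node)==0)   -> dev_node is not exactly "utun"
 *   if (!sscanf (dev_node, "utun%d", &utunnum)==1)   -> sscanf matched nothing
 * but with the comparisons spelled out, so neither reader nor compiler has
 * to reason about where the '!' binds.
 *
 * Return convention (constructed for this example):
 *   -1 : dev_node is NULL or exactly "utun" -> caller may pick any free unit
 *   >=0: explicit unit number parsed from "utunN"
 *   -2 : dev_node is set but is not a valid "utunN" name -> reject */
int parse_utun_dev_node(const char *dev_node)
{
    int utunnum = -1;

    if (dev_node && strcmp("utun", dev_node) != 0)
    {
        /* An explicit device was requested: it must look like "utun<N>". */
        if (sscanf(dev_node, "utun%d", &utunnum) != 1)
        {
            return -2;
        }
        /* %d accepts a sign, so "utun-5" parses; a negative unit is still invalid. */
        if (utunnum < 0)
        {
            return -2;
        }
    }
    return utunnum;
}
```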
Steffan Karger [Sun, 27 Mar 2016 14:18:16 +0000 (16:18 +0200)]
Replace MSG_TEST() macro for static inline msg_test()
Using a static inline function instead of a macro has the advantages that
(1) 'flags' is not evaluated twice and (2) coverity will stop complaining
that 'Macro compares unsigned to 0 (NO_EFFECT)' each time we use flags
with loglevel 0 (e.g. M_FATAL or M_WARN).
This has a performance impact when compiler optimizations are fully
disabled ('-O0'), but should otherwise be as fast as using a macro.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1459088296-5046-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11368
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit bbde0a766c69f573746461415c6f5cd289272fff)
Steffan Karger [Sun, 27 Mar 2016 15:22:10 +0000 (17:22 +0200)]
Fix memory leak in argv_extract_cmd_name()
Reported by coverity (in 2009!):
1648 static char *
1649 argv_extract_cmd_name (const char *path)
1650 {
1. Condition path, taking true branch
1651 if (path)
1652 {
1653 char *path_cp = string_alloc(path, NULL); /* POSIX basename()
implementations may modify its arguments */
1654 const char *bn = basename (path_cp);
2. Condition bn, taking true branch
1655 if (bn)
1656 {
3. alloc_fn: Storage is returned from allocation function
string_alloc. [show details]
4. var_assign: Assigning: ret = storage returned from
string_alloc(bn, NULL).
1657 char *ret = string_alloc (bn, NULL);
5. noescape: Resource ret is not freed or pointed-to in strrchr.
1658 char *dot = strrchr (ret, '.');
6. Condition dot, taking false branch
1659 if (dot)
1660 *dot = '\0';
1661 free(path_cp);
7. Condition ret[0] != 0, taking false branch
1662 if (ret[0] != '\0')
1663 return ret;
CID 27023 (#2-1 of 2): Resource leak (RESOURCE_LEAK)
8. leaked_storage: Variable ret going out of scope leaks the storage it
points to.
1664 }
1665 }
1666 return NULL;
1667 }
This function is only used by argv_printf_arglist(), and in a very specific
case, so it might be that this leak can not even occur. But coverity is
clearly right that this is a bug, so let's just fix it.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1459092130-19905-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11369
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit be16d5f6b050248f503455e4a0e8f3aaaa38bdc7)
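The Coverity trace above shows the leak: on the path where the stripped name is empty (for example a basename like ".hidden"), `ret` is dropped without a free. The following is an added example, not the project's own patch, of a leak-free version of that function; `string_alloc(s, NULL)` is replaced by `strdup()` so it compiles stand-alone, and the function name is changed to make clear it is not OpenVPN's.

```c
#define _POSIX_C_SOURCE 200809L
#include <libgen.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not OpenVPN's code.  Returns a malloc'd copy of the last
 * path component with its extension stripped, or NULL if nothing is left.
 * Every allocation is released on every path; the caller frees the result.
 * (Constructed stand-in for argv_extract_cmd_name(): strdup() replaces
 * string_alloc().) */
char *cmd_name_from_path(const char *path)
{
    if (!path)
        return NULL;

    /* POSIX basename() may modify its argument, so hand it a copy. */
    char *path_cp = strdup(path);
    if (!path_cp)
        return NULL;

    const char *bn = basename(path_cp);
    char *ret = bn ? strdup(bn) : NULL;
    free(path_cp);           /* bn pointed into path_cp; it has been copied now */
    if (!ret)
        return NULL;

    char *dot = strrchr(ret, '.');
    if (dot)
        *dot = '\0';         /* strip the extension */

    if (ret[0] != '\0')
        return ret;

    /* The fix for CID 27023: the original returned NULL here without freeing ret. */
    free(ret);
    return NULL;
}
```

A tool such as Valgrind or ASan run over the ".hidden" input is the quickest way to confirm the difference between this version and the one Coverity traced.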
On many platforms (not Windows, for once), FD_SET() can write outside the
given fd_set if an fd >= FD_SETSIZE is given. To make sure we don't do
that, add an ASSERT() to error out with a clear error message when this
does happen.
This patch was inspired by remarks about FD_SET() from Sebastian Krahmer
of the SuSE Security Team.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1456996968-29472-1-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11285
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e0b3fd49e2b5bba8cb57419a13cb75b56ac91b94)
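`fd_set` is a fixed bitmap of `FD_SETSIZE` bits, and on most non-Windows platforms `FD_SET()` does no bounds check, so a descriptor number at or above the limit writes past the structure. The commit above adds an ASSERT() for that; the following is an added example (not OpenVPN's code) of the same bound applied in wrappers that refuse the descriptor instead of aborting, with a constructed list of descriptor numbers to exercise it.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <sys/select.h>

/* Added example, not OpenVPN's code.  FD_SET()/FD_ISSET() index a bitmap of
 * FD_SETSIZE bits without checking the index, so fd >= FD_SETSIZE corrupts
 * (or reads) memory past the fd_set.  These wrappers enforce the bound and
 * report a refusal so the caller can close or reject the descriptor. */
bool fd_set_checked(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE)
    {
        fprintf(stderr, "refusing FD_SET(%d): outside [0, %d)\n", fd, (int)FD_SETSIZE);
        return false;
    }
    FD_SET(fd, set);
    return true;
}

bool fd_isset_checked(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return false;
    return FD_ISSET(fd, set) != 0;
}

/* Constructed sample: descriptor numbers as they might reach an event loop,
 * the last one exactly at the limit.  Returns how many were accepted into
 * the set and then found present: 3 of the 4. */
int sample_accepted(void)
{
    const int fds[] = { 0, 7, FD_SETSIZE - 1, FD_SETSIZE };
    fd_set set;
    FD_ZERO(&set);
    int accepted = 0;
    for (size_t i = 0; i < sizeof(fds) / sizeof(fds[0]); i++)
    {
        if (fd_set_checked(fds[i], &set) && fd_isset_checked(fds[i], &set))
            accepted++;
    }
    return accepted;
}
```

In a long-running daemon the practical defence is the same one this check implies: keep the number of open descriptors below `FD_SETSIZE` (or use poll()/epoll(), which have no such fixed limit), and treat an out-of-range fd as a bug to be reported rather than silently masked.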
ValdikSS [Fri, 15 Jan 2016 23:35:38 +0000 (02:35 +0300)]
Update --block-outside-dns to work on Windows Vista
Windows Vista doesn't support non-equal matching of application name, it
is available only since Windows 7.
This commit splits 2 filtering conditions with non-equal matching to 2
filters each with 1 filtering condition: permit IPv4 (first filter)
and IPv6 (second filter) port 53 traffic from openvpn.exe instead
of blocking all non-openvpn.exe traffic on port 53 for both protocols.
Leonardo Basilio [Wed, 10 Feb 2016 10:19:39 +0000 (11:19 +0100)]
Correctly report TCP connection timeout on windows.
On nonblocking TCP connects, we set status = ETIMEOUT on failure.
On windows, depending on which header files are included, ETIMEOUT
is defined differently, and this leads to incomprehensible error
messages - so, always use WSAETIMEDOUT here.
Trac #651
Signed-off-by: Leonardo Basilio <leobasilio@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <CACqLfMnBXwSY=MXyc7B1oMKwYE2Z_49G3mpkEPxbSAuG61tgZA@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11085
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 5f5229e41d134b659e502bb2597c711aedaf8096)
ValdikSS [Sat, 9 Jan 2016 15:53:45 +0000 (18:53 +0300)]
Clarify mssfix documentation
Acked-by: Jan Just Keijser <janjust@nikhef.nl>
Message-Id: <1452354825-5096-1-git-send-email-iam@valdikss.org.ru>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10969
Steffan Karger [Wed, 13 Jan 2016 16:09:08 +0000 (17:09 +0100)]
socks.c: fix check on get_user_pass() return value(s)
My compiler rightfully complains that the checks on creds.username and
creds.password always evaluate to true, so remove those checks.
Judging from the code, they were meant to check the returned values by
get_user_pass(). So instead of these non-functioning checks, just check
the return value of get_user_pass().
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1452701348-9577-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10993
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 982ab2364a68f2fca0cb9219b31bdabcd5aa4b49)
Steffan Karger [Thu, 7 Jan 2016 19:52:44 +0000 (20:52 +0100)]
Update manpage: OpenSSL might also need /dev/urandom inside chroot
As reported in trac ticket #646, OpenSSL might also need /dev/urandom to
be available in the chroot. This depends on OS, OS version and ssl library
configuration. Update the manpage to better explain this.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1452196364-18786-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10954
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 0609eb477bdcd7b23bd8072f69714592323cab2e)
Steffan Karger [Thu, 7 Jan 2016 13:01:30 +0000 (14:01 +0100)]
polarssl: improve logging
Add the functions polar_log_err(), polar_log_func_line() and a macro
polar_ok(), to easily log human-readable PolarSSL errors from
polarssl-specific code.
This does not provide the full logging interface as msg(), because I
would have to add a lot more of macro-magic to achieve that on the
various supported compilers and platforms, and this suffices too (for
now at least).
Use the new polar_log_err() and polar_ok() functions to provide more
log/debug output for polarssl errors.
This commit is a combined cherry-pick of commits 6ef5df14, d17d362d,
aa416be9, and 3a39bf7d from the master branch, adjusted to the
release/2.3 branch.
v2 - use static inline instead of macro for optimization, and include
'enable polarssl debug logging'.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1452171690-26822-1-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10952
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Wed, 6 Jan 2016 20:51:04 +0000 (21:51 +0100)]
openssl: improve logging
This improves OpenSSL logging and removes OpenSSL-specific error
printing code from error.c. The crypto_msg() functions provide
convenience wrappers, specific to OpenSSL. Instead of passing the
magical 'M_SSLERR' flag to msg(), a developer now just calls
crypto_msg() to get OpenSSL errors dumped to log.
This commit is a combined cherry-pick of commits e795d6ba and 98ea2ec5 from
the master branch, adjusted to the release/2.3 branch.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1452113464-28062-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10944
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Sun, 3 Jan 2016 09:47:56 +0000 (10:47 +0100)]
Fix regression in setups without a client certificate
This fixes a null-pointer dereference in tls_ctx_cert_time(), which will
occur on clients that do not use a client certificate (ie that only have
auth-user-pass in the config, but no key and cert). This bug was
introduced by commit 091edd8e on the master branch, and commit dfd940bb
on the release/2.3 branch.
This bug was found by chipitsine and reported in trac ticket #644.
While touching this function, I also made this function conform to the
openvpn coding style.
v2 - fix memory leak in builds using pre-1.0.2 openssl
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1451814476-32574-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10921
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 868d9d01802da9bbbb3a758981f3c7310a905813)
Lev Stipakov [Tue, 29 Dec 2015 20:56:01 +0000 (22:56 +0200)]
Repair IPv6 netsh calls if Win XP is detected
v2:
* Add compat-versionhelpers.h to compat/Makefile.am so that
"make dist" will include it into tarball.
* Indentation
v1:
* Use adapter name instead of index when calling netsh.exe on
WinXP - sadly XP does not support indexes
* Write Windows version to log
* Send it with peer-info as IV_PLAT_VER
Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1451422561-23635-1-git-send-email-lstipakov@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10903
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Phillip Smith [Tue, 22 Dec 2015 00:12:26 +0000 (11:12 +1100)]
Use bob.example.com and alice.example.com to improve clarity of documentation
This patch uses generic "bob.example.com" and "alice.example.com"
hostnames to replace the current "may" and "june" examples. Generic
names chosen rather than other names like "server"/"client" or
"head-office"/"remote-office" etc which may create other unintended
or implicit meanings to the reader.
The example.com domain is set aside defined by IANA for use as
documentation examples. Refer to: http://www.iana.org/domains/reserved
Using this well-known domain makes comprehension of documentation easier.
This patch incorporates feedback from Gert Doering and Selva Nair.
Signed-off-by: Phillip Smith <fukawi2@gmail.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1450743146-9050-1-git-send-email-fukawi2@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10875
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 0f7319906a9dff58226821b1686fd80f4e4e3b35)
Steffan Karger [Sun, 20 Dec 2015 21:27:48 +0000 (22:27 +0100)]
cleanup: get rid of httpdigest.c type warnings
When I compile with --enable-strict, I only want to see warnings that are
relevant. So, change httpdigest.c to make the casts explicit.
This commit should not change behaviour.
v2: as discussed on #openvpn-devel, make colon a const uint8_t *, instead
of uint8_t.
v3: as further discussed on #openvpn-devel, don't use a 'colon' var, but
just add casts.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1450646868-15346-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10871
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 0385cd4804c133d48857e4b3fbfe93a75ecc68a5)
Steffan Karger [Sat, 19 Dec 2015 11:39:29 +0000 (12:39 +0100)]
Warn user if their certificate has expired
Previously, client certificate expiry warnings would only be visible in the
server log, and server certificate expiry warnings in the client log.
Both after a (failed) connection attempt. This patch adds a warning to
log when a user's own certificate has expired (or is not yet valid) to ease
problem diagnosis / error reporting.
Note that this is just a warning, since on some systems (notably embedded
devices) there might be no correct time available.
The SSL_CTX_get0_certificate() function is available in OpenSSL 1.0.2+
only. Older versions seem to not have a useful alternative, and the
certificate reference we need is hidden in an opaque struct. The
remaining option would then be to add extra workaround code for the select
group of people that do use an up-to-date openvpn, but do not update their
openssl. I don't think that's worth it. So just disable the code for
older openssl versions.
(This is a combination of commits 091edd8e and 644f2cdd from the master
branch, adjusted to apply to the release/2.3 branch cleanly)
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1450525169-12961-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10855
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Sat, 19 Dec 2015 11:39:28 +0000 (12:39 +0100)]
Upgrade OpenVPN 2.3 to PolarSSL 1.3
PolarSSL 1.2 is going end-of-support by 31-12-2015, so we have to move
on. Newer versions of polarssl/mbedtls are already released (2.0-2.2),
but as previously agreed upon, we will just move release/2.3 to polar
1.3, where master has been for a while now.
This commit removes support for PolarSSL 1.2. The minimum required
version of PolarSSL is now 1.3.8.
This commit is a combination of a number of commits related to upgrading
or fixing polarssl 1.3 support from the master branch, adjusted to apply
to the release/2.3 branch:
03df3a99 Upgrade to PolarSSL 1.3
cc1cee74 Update openvpn-plugin.h for PolarSSL 1.3.
4b9eaa1e Fix regression with password protected private keys (polarssl)
d0f26fb5 polarssl: disable 1/n-1 record splitting
444a93ea polarssl: fix --client-cert-not-required
9571010a polarssl: also allocate PKCS#11 certificate object on demand
67a67e39 polarssl: don't use deprecated functions anymore
9d3b7cec polarssl: require >= 1.3.8
This commit was tested using:
* Regular private key file
* Password-protected private key file
* PKCS#11
* --management-external-key
* CRL file (with and w/o revoked cert)
* With and w/o tls-auth
* RSA and ECDSA key/certs
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1450525169-12961-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10856
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Fish [Mon, 14 Dec 2015 20:41:35 +0000 (12:41 -0800)]
Make "block-outside-dns" option platform agnostic
Make the "block-outside-dns" option agnostic of Windows versions by
dynamically loading WFP-related functions. Cross-compiled on Linux and
tested on Windows XP/10.
v2: move MinGW definitions to win32_wfp.h and add attribution.
v3: keep #ifdef WIN32 in init.c (do not break non-windows platforms).
v4: Also make MSVC happy.
Tested-by: ValdikSS <iam@valdikss.org.ru>
Tested-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1450125695-36596-1-git-send-email-fish.thss@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10795
ValdikSS [Thu, 10 Dec 2015 20:51:35 +0000 (23:51 +0300)]
Add Windows DNS Leak fix using WFP ('block-outside-dns')
This option blocks all out-of-tunnel communication on TCP/UDP port 53
(except for OpenVPN itself), preventing DNS Leaks on Windows 8.1 and 10.
The 2.3 version of this patch is only active if compiling for Vista+
(_WIN32_WINNT >= 0x0600) as XP does not have the necessary includes
and libraries.
Reviewed-by: Selva Nair <selva.nair@gmail.com>
Reviewed-by: Lev Stipakov <lstipakov@gmail.com>
Reviewed-by: James Yonan <james@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1449780695-3879-1-git-send-email-iam@valdikss.org.ru>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10743
Gert Doering [Wed, 9 Dec 2015 20:03:55 +0000 (21:03 +0100)]
Fix isatty() check for good.
Commit 079e5b9c13 introduced a check to see if we --daemon'ized before
trying to ask for a password (which would then fail with a non-intuitive
error), breaking querying systemd under certain conditions.
Move check from get_user_pass_cr() to get_console_input() and make it
"full featured" by not only checking isatty() for stdin/stderr but also
trying to open /dev/tty in case we still have a controlling tty - which
is what getpass() does under the hood, so if either of this works, we're
fine.
Trac #618 and #630
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <1449691435-5928-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10709
(cherry picked from commit 015fe7177181fb4944ddf33debcfcd20c62ba55a)
Arne Schwabe [Sun, 29 Nov 2015 14:55:59 +0000 (15:55 +0100)]
Remove --enable-password-save option
This option is enabled in virtually all distributions and gives no real
security benefit.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1448808959-10565-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10661
Selva Nair [Fri, 27 Nov 2015 02:20:53 +0000 (21:20 -0500)]
Unbreak read username password from management
Commit 6e9373c846.. introduced a bug by which auth-user-pass
or need-ok input falls back to read-from-stdin after successfully
reading from management or console. Fix by treating stdin as the last
option for input.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1448590853-26862-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10630
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit cdd69bb7f1c207fb5a9648f36440d7c6e2dcaa76)
Steffan Karger [Sat, 28 Nov 2015 10:38:25 +0000 (11:38 +0100)]
Fix rand_bytes return value checking
This patch is in response to an off-list report by Sebastian Krahmer of
the SuSE security team. Sebastian noticed we do not check the return
value of rand_bytes() in prng_bytes(), which we really should.
Failing to check the return value occurs if no prng is used (i.e. in
static key mode, or when explicitly disabled using --prng none).
prng_bytes() is used for generating IVs, session IDs and filenames.
The impact of failing to check the return value seems very limited:
Not generating random file names or session IDs could cause collisions in
(temporary) file names and/or session IDs. These in turn could cause
availability issues, but would not result in a breach in confidentiality
and/or integrity.
Our CBC mode protocol uses a packet id (timestamp + packet counter in
static key mode, or just the packet counter in TLS mode) at the start of
each packet (by default, but can be disabled using --no-iv and
--no-replay). Because the timestamp and packet counter are not
controllable by an attacker, it is not clear how predictable or even
repeating IVs could be used to mount an attack. (Note that the fact that
*I* can't find or come up with an attack is not a very strong argument,
this remains somewhat worrisome.)
CFB and OFB modes are not affected, because they do not rely on the prng
for IVS.
Finally, RAND_bytes() actually failing is quite unlikely, as that would
result in all sorts of other problems we should have heard about.
Of course, we still really should fix this, so this patch adds return
value checking of rand_bytes() inside prng_bytes(). The ASSERT() might be
a bit crude, so a follow-up patch that adds a return value to prng_bytes()
and proper return value checking probably makes sense. But at least this
is a quick and simple fix for the issue at hand.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1448707105-10753-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10636
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 5a73356ae5d0bf94ec81a33c7dcda6a41651ca6c)
Steffan Karger [Sat, 28 Nov 2015 10:38:24 +0000 (11:38 +0100)]
openssl: properly check return value of RAND_bytes()
This patch is in response to an off-list report by Sebastian Krahmer of
the SuSE security team. Sebastian noticed we do not check the return
value of RAND_bytes() correctly.
The RAND_bytes() man page first says "RAND_bytes() returns 1 on success,
0 otherwise.", but then a bit later "Both functions return -1 if they are
not supported by the current RAND method.". This second case was not
covered by our return value checking.
Note that if RAND_bytes() would return -1, it would *always* return -1 and
fail to generate random.
Also note that if RAND_bytes() would return -1, it would do so too in the
openssl internal ssl functions. The openssl internal functions do check the
return value properly, and connection setup would fail altogether. If
that would be at least somewhat common, we would have received a *lot* of
bug reports. In other words, the error affects static key setups only,
and seems highly unlikely to occur in actual setups.
Only builds using OpenSSL as the crypto backend are affected.
This patch:
1. Changes the behaviour of rand_bytes() in openssl builds to match what
the doxygen claims (and polarssl builds already do).
2. Adds error reporting for RAND_bytes() failures.
Note: crypto_msg() was changed to msg() for 2.3
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1448707105-10753-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10637
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 756602e7da11362f25be04743cd09f798b6f528a)
David Sommerseth [Wed, 11 Nov 2015 13:01:39 +0000 (14:01 +0100)]
Avoid partial authentication state when using --disabled in CCD configs
If an openvpn server is configured with --client-config-dir and a client
configuration file contains 'disabled', it is supposed to tell the client
it is not authorized to use the service.
This patch will ensure that the internal state in this scenario is a
complete CAS_FAILED state, and not CAS_PARTIAL if other authorization
steps passed.
Trac: #521
Tested-by: Eric Crist <ecrist@secure-computing.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1447246899-22769-1-git-send-email-openvpn@sf.lists.topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10486
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6c2d790ad8f10029e95aecb0d39377ef06ea8b2a)
Steffan Karger [Mon, 23 Nov 2015 20:58:55 +0000 (21:58 +0100)]
Fix memory leak in add_option() by simplifying get_ipv6_addr
If get_ipv6_addr() would fail *after* allocating memory for ipv6_local,
add_option() would fail to free that memory.
The fix here is to remove the allocation from get_ipv6_addr(), and create
a separate function for the strip-and-allocate, such that failures are
easier to handle.
v2 - remove free(options->ifconfig_ipv6_local), since that is now handled
by a garbage collector.
Memory leak found by coverity (in 2011!).
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1448312335-25908-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10573
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Michal Ludvig [Sun, 11 Oct 2015 08:44:20 +0000 (10:44 +0200)]
Support for username-only auth file.
Make OpenVPN read the username from the auth file
parameter of --auth-user-pass and prompt for a
password if it's not in the file.
Rationale: Prior to this change OpenVPN either
required both username and password present in the
auth file or prompted for both on the console.
Unlike passwords usernames usually don't change and
can therefore be "hardcoded" in the config.
Signed-off-by: Michal Ludvig <mludvig@logix.net.nz>
Reviewed and updated to current master.
Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1444553060-15946-1-git-send-email-dejong@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10255
(cherry picked from commit 6e9373c84639382c16d9eb8f1f78f60079bb89df)
Selva Nair [Tue, 17 Nov 2015 02:48:09 +0000 (21:48 -0500)]
Handle ctrl-C and ctrl-break events on Windows
v2 changes
- cleaner, hopefully easier to get a code review :)
- handles both console mode and service mode
-- >8 --
Handle ctrl-C or ctrl-Break sent to the console as a SIGTERM.
Depending on the console mode, windows delivers ctrl-C as a
keyboard input or as a signal. We handle both cases. This allows
graceful termination of openvpn from programs such as nssm.
Works in both console mode and service mode.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1447728489-14991-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10513
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 87f1be66e88303c51520925f169dc5a8aa58a7f2)
Lev Stipakov [Wed, 11 Nov 2015 11:48:07 +0000 (13:48 +0200)]
Use adapter index instead of name for windows IPv6 interface config
Some windows machines get weird issues with netsh when using
adapter name on "netsh.exe interface ipv6 set address" command.
Changed logic to get adapter index and use it instead of adapter
name for netsh set address command.
v2:
* Remove netsh call which uses adapter name. After thoughtful testing
turns out that "adapter name" code branch is never used.
v3:
* Use interface=<idx> syntax.
* Add forward declaration of get_adapter_index_flexible to get
rid of warning.
* NOTE: temp variable is needed because argv_printf() does not
handle combined strings like "interface=%lu" today
Signed-off-by: Olli Mannisto <olmannisto@gmail.com>
Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1447242487-30243-1-git-send-email-lstipakov@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10484
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit efeaf947c9c5c88d77d16ac4917c1350c447c8dc)
Gert Doering [Tue, 10 Nov 2015 21:58:39 +0000 (22:58 +0100)]
Fix possible heap overflow on read accessing getaddrinfo() result.
The code always tried to copy-out a "struct sockaddr_in6" even for IPv4
results, which reads more bytes than getaddrinfo() is guaranteed to
allocate.
Now, look at ai->ai_family and only copy "struct sockaddr" for IPv4.
Also, reformat this block of code to comply to coding style.
This is a specific 2.3 bug as the code in master (to be 2.4) has been
completely rewritten to properly handle dual-stack and multiple responses
from getaddrinfo() proper.
Bug found by Daniel Hirche using "gcc -fsanitize=address". No possible
exploits are known.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1447192719-31381-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10479
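getaddrinfo() allocates each `ai_addr` with exactly `ai_addrlen` bytes, so copying a fixed `sizeof(struct sockaddr_in6)` out of an AF_INET result reads past the allocation, which is the over-read this commit fixes. The following is an added example (not OpenVPN's socket.c) of a copy routine that sizes the copy by `ai_family` and additionally refuses an `ai_addrlen` shorter than that family's structure; the union type and the constructed IPv4 result are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <string.h>
#include <sys/socket.h>

/* Added example, not OpenVPN's code.  Destination large enough for either
 * family (constructed for this example). */
union ai_sockaddr
{
    struct sockaddr sa;
    struct sockaddr_in in4;
    struct sockaddr_in6 in6;
};

/* Copy only as many bytes as the result's family guarantees were allocated.
 * Returns false for unknown families or an ai_addrlen too short to hold the
 * structure the family implies (copying anyway would be the same over-read). */
bool copy_ai_addr(const struct addrinfo *ai, union ai_sockaddr *out)
{
    size_t want;
    switch (ai->ai_family)
    {
        case AF_INET:  want = sizeof(struct sockaddr_in);  break;
        case AF_INET6: want = sizeof(struct sockaddr_in6); break;
        default:       return false;
    }
    if (ai->ai_addr == NULL || ai->ai_addrlen < want)
        return false;
    memset(out, 0, sizeof(*out));
    memcpy(out, ai->ai_addr, want);
    return true;
}

/* Constructed sample: an AF_INET result laid out as getaddrinfo() would
 * return it, with ai_addrlen == sizeof(struct sockaddr_in).  Returns the port
 * read back from the copy (1194), or 0 if the copy was refused. */
int sample_ipv4_port(void)
{
    struct sockaddr_in in4;
    memset(&in4, 0, sizeof(in4));
    in4.sin_family = AF_INET;
    in4.sin_port = htons(1194);
    in4.sin_addr.s_addr = htonl(0xC0000201u);   /* 192.0.2.1, documentation range */

    struct addrinfo ai;
    memset(&ai, 0, sizeof(ai));
    ai.ai_family = AF_INET;
    ai.ai_addrlen = sizeof(in4);
    ai.ai_addr = (struct sockaddr *)&in4;

    union ai_sockaddr dst;
    if (!copy_ai_addr(&ai, &dst))
        return 0;
    return ntohs(dst.in4.sin_port);
}

/* Constructed sample of the inconsistent case: family says AF_INET6 but the
 * length is only that of sockaddr_in.  Returns 1 if the copy was refused. */
int sample_short_ipv6_refused(void)
{
    struct sockaddr_in in4;
    memset(&in4, 0, sizeof(in4));
    in4.sin_family = AF_INET;

    struct addrinfo ai;
    memset(&ai, 0, sizeof(ai));
    ai.ai_family = AF_INET6;
    ai.ai_addrlen = sizeof(in4);
    ai.ai_addr = (struct sockaddr *)&in4;

    union ai_sockaddr dst;
    return copy_ai_addr(&ai, &dst) ? 0 : 1;
}
```

The commit message's own detection hint is the practical one: building with `-fsanitize=address` turns this silent over-read into an immediate report at the memcpy.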
Steffan Karger [Thu, 5 Nov 2015 21:03:01 +0000 (22:03 +0100)]
Add macro to ensure we exit on fatal errors
Also prevents false positives in static analysis tools.
(Note that the current x_msg() code does properly exit, this is just a way
to make it trivial to see we will not return from msg() on fatal errors,
even for static analysis tools.)
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1446757381-27863-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10440
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 9aebc37c45e440bda5f71b717146b5dc330d5277)
Steffan Karger [Sun, 8 Nov 2015 12:04:27 +0000 (13:04 +0100)]
Fix uninitialized variable in plugin_vlog()
Does not seem to be a problem in normal usage, because one of the PLOG_ERR,
PLOG_WARN, PLOG_NOTE or PLOG_DEBUG will be set, and will cause msg_flags
to be initialized. In the worst case, msg_flags might accidentally
end up having M_FATAL set, causing openvpn to exit.
This was previously fixed in the master branch (5ead2ae0), but was not
backported to release/2.3, probably because that commit fixed other parts
of the code too, and those parts are quite different between master and
release/2.3.
Re-discovered by coverity.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1446984267-3323-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10450
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Wed, 4 Nov 2015 18:59:38 +0000 (13:59 -0500)]
Fix termination when windows suspends/sleeps
When TUN/TAP I/O operation is aborted, restart with a SIGHUP instead of
terminate. The abort error from TAP is often triggered by system suspend
which is fully recoverable on resume. Catastrophic events will get caught
later during the restart. This solves the abnormal termination during
suspend/resume.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1446663578-14471-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10438
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ea66a2b5cdb21422139c421b4d3733e1c1c3937e)
Steffan Karger [Thu, 5 Nov 2015 22:17:01 +0000 (23:17 +0100)]
Fix (potential) memory leak in init_route_list()
init_route() can allocate memory in netlist, but fail in many more ways
than just failing to allocate. Thus, always check and clean up netlist if
needed, instead of just when init_route() succeeds.
This fix is for release/2.3 only. The master branch uses a gc to clean
up the netlist, and needs a different patch for a similar problem.
Found using coverity.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1446761821-14013-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10442
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Tue, 20 Oct 2015 22:38:26 +0000 (00:38 +0200)]
Fix memory leak in auth-pam plugin
As it says on the tin. aresp would not be free'd nor returned by
my_conv() on errors. Note that we never reach this code if allocation
of aresp failed.
Found with the Clang static analyzer.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <1445380706-20864-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10338
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit cfc13b38bc6504b9768e4cc43311807d6b074672)
Steffan Karger [Wed, 21 Oct 2015 08:08:06 +0000 (10:08 +0200)]
hardening: add insurance to exit on a failed ASSERT()
The code behind our ASSERT() macro is pretty complex. Although it seems
to be correct, make it trivially clear we will never return from a failed
assert by adding an _exit(1) call. As was suggested by Sebastian Krahmer
of the SuSE security team.
To make sure that tools like clang static analyzer and coverity
understand that assert_failed() will not return, add an
__attribute__((__noreturn__)) annotation.
v2: use __attribute__ instead of inline to convince static analysers.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1445414886-11052-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10349
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e8a9e3203bf00605dae000d31095076ae038491c)
Lukasz Kutyla [Sat, 17 Oct 2015 19:15:15 +0000 (21:15 +0200)]
Fix privilege drop if first connection attempt fails
OpenVPN does not drop privileges (UID/GID/chroot) as requested according
to the configuration file and/or passed arguments if the first connection
attempt is not established successfully; this also includes applying the
SELinux context.
Signals and restarts are processed after "context.first_time" is set to
"false", which results in omitting the entire privilege-dropping block in
"do_uid_gid_chroot()" when a successful connection is finally made
(everything is initialized correctly and said function is called), since
"context.first_time" is used as the block entry condition.
We modify "do_uid_gid_chroot()" in such a way that allows us to drop
privileges even when the first connection attempt was unsuccessful.
Steffan Karger [Tue, 30 Jun 2015 19:44:56 +0000 (21:44 +0200)]
Increase control channel packet size for faster handshakes
Instead of limiting the control channel TCP/UDP packet payload size at
'100 bytes + real control channel overhead' (~140 bytes ethernet payload),
increase the max TCP/UDP payload size to '1250 bytes - calculated overhead'
(~1210 bytes ethernet payload).
Note that this patch does *not* yield an optimal solution, but it is a
simple and rather safe change that will improve connection setup times
significantly.
v2: use the minimum value of --link-mtu and 1250 to give the user a way to
reduce control packet size if really needed.
trac #545
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1435693496-10931-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9841
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit fc91d4b0071178e298052078431fb86f03be84fc)
ms_error_text() may return NULL, and it is unclear (or, at least
undocumented) whether the OpenSSL ERR code (and our code using the ERR
code) can deal with esd->string being NULL. So, just to be sure, check
that ms_error_text() succeeded before passing the result to
ERR_load_strings().
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <561130FC.8090008@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10176
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 5584b738a332d0abc740d9303c275764c2ca13f1)
As reported by Bill Parker in trac #600, strdup() return values are not
always correctly checked for failed allocations. This patch adds missing
checks by using string_alloc(), which performs the required checks.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <561130FC.8090008@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10176
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ddc7692d245017c71adc40ad5cc195617e39fce0)
Gert Doering [Thu, 27 Aug 2015 13:00:02 +0000 (15:00 +0200)]
Replace unaligned 16bit access to TCP MSS value with bytewise access
TCP options are not always word-aligned, and accessing a 16bit value
at an odd memory address will cause a "bus error" crash on some
architectures, e.g. Linux/Sparc(64)
Trac #497
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1440680402-96548-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10056
(cherry picked from commit 2e2a34181962b33d70c34c28dcb1e1977c2fd54e)
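As an added illustration of the bytewise access the commit above describes (example code, not OpenVPN's mssfix implementation): a TCP option walker that reads and rewrites the MSS value one byte at a time, so the access is valid even when the option sits at an odd address. Option kinds follow RFC 793; the sample option bytes and clamp values are constructed.

```c
/* Added example, not OpenVPN's own mssfix code: locate the MSS option in a
 * TCP option list and clamp it, touching the 16-bit value one byte at a
 * time so the access is legal even when it sits at an odd address. */
#include <stddef.h>
#include <stdint.h>

#define TCPOPT_EOL     0
#define TCPOPT_NOP     1
#define TCPOPT_MAXSEG  2
#define TCPOLEN_MAXSEG 4

/* Read a big-endian 16-bit value byte by byte; no alignment assumed. */
static uint16_t get_be16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Write a big-endian 16-bit value byte by byte; no alignment assumed. */
static void put_be16(uint8_t *p, uint16_t v)
{
    p[0] = (uint8_t)(v >> 8);
    p[1] = (uint8_t)(v & 0xff);
}

/* Walk the options (kind, length, data) and clamp MSS to max_mss.
 * Returns the MSS now in the options, or -1 if there is no MSS option
 * or the option list is malformed (bad length, truncated header). */
int tcp_clamp_mss(uint8_t *opts, size_t optlen, uint16_t max_mss)
{
    size_t i = 0;
    while (i < optlen) {
        uint8_t kind = opts[i];
        if (kind == TCPOPT_EOL)
            break;
        if (kind == TCPOPT_NOP) {
            i++;
            continue;
        }
        if (i + 1 >= optlen)
            return -1;                       /* header cut off */
        uint8_t len = opts[i + 1];
        if (len < 2 || i + len > optlen)
            return -1;                       /* length field lies */
        if (kind == TCPOPT_MAXSEG && len == TCPOLEN_MAXSEG) {
            uint16_t mss = get_be16(&opts[i + 2]);
            if (mss > max_mss) {
                mss = max_mss;
                put_be16(&opts[i + 2], mss);
            }
            return mss;
        }
        i += len;
    }
    return -1;
}

/* Constructed sample: one NOP, then MSS 1460 (0x05b4). The NOP puts the
 * MSS value at byte offset 3, an odd address relative to the start. */
int demo_clamp(uint16_t max_mss)
{
    uint8_t opts[] = { TCPOPT_NOP, TCPOPT_MAXSEG, TCPOLEN_MAXSEG, 0x05, 0xb4, TCPOPT_EOL };
    return tcp_clamp_mss(opts, sizeof opts, max_mss);
}

/* Constructed sample with a length byte that overruns the buffer. */
int demo_malformed(void)
{
    uint8_t opts[] = { TCPOPT_MAXSEG, 8, 0x05, 0xb4 };
    return tcp_clamp_mss(opts, sizeof opts, 1300);
}
```

Any in-path clamp that rewrites the MSS must also fix up the TCP checksum, which this example leaves out.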
Boris Lytochkin [Sun, 20 Sep 2015 14:05:22 +0000 (17:05 +0300)]
Log serial number of revoked certificate
In most situations the admin of an OpenVPN server needs to know which
particular certificate is used by a client.
In the case when the certificate is OK, an environment variable can be used for
that, but once it is revoked, no user scripts are invoked so there is
no way to get the serial number: only the subject is printed in logs.
So we log the certificate serial in case it is revoked.
Gert Doering [Tue, 4 Aug 2015 12:53:16 +0000 (14:53 +0200)]
Un-break --auth-user-pass on windows
Commit b131c7b974d9d4d3f0 introduced a check to create a meaningful
warning if we try to read a password after daemon()izing (by checking
whether stdin or stderr is connected to a tty). For some reason this
breaks on Windows builds if run under GUI control - but since Windows
doesn't have this particular daemon() issue anyway, just #ifndef WIN32
the offending code.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1438692796-14663-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10000
(cherry picked from commit 0ffd744332f51878c4df430ab14aca3126bdfc8a)
Sebastian Krahmer from the SuSE security team reported that the buffer
overflow check in openvpn_decrypt() was too strict according to the
cipher update function contract:
"The amount of data written depends on the block alignment of the
encrypted data: as a result the amount of data written may be anything
from zero bytes to (inl + cipher_block_size - 1) so outl should contain
sufficient room."
This stems from the way CBC mode works, which caches input and 'flushes'
it block-wise to the output buffer. We do allocate enough space for this
extra block in the output buffer for CBC mode, but not for CFB/OFB modes.
This patch:
* updates the overflow check to also verify that the extra block required
according to the function contract is available.
* uses buf_inc_len() to double-check for overflows during en/decryption.
* also reserves the extra block for non-CBC cipher modes.
In practice, I could not find a way in which this would fail. The plaintext
is never longer than the ciphertext, and the implementations of CBC/OFB/CBC
for AES and BF in both OpenSSL and PolarSSL/mbed TLS do not use the buffer
beyond the plaintext length when decrypting. However, some funky OpenSSL
engine I did not check *might* use the buffer space required by the
function contract. So we should still make sure we have enough room
anyway.
v2 - always ASSERT() on buf_inc_len(). It is a double-check so should
really not fail, but if it fails there has been a buffer overflow.
At that point the best thing we can do is assert out. (The primary
check *is* handled gracefully, and just drops the packet.)
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1438165826-32762-1-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9974
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit cc377dec820f9e6e7e72981013eb3857aa6ea5ce)
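The output-buffer contract quoted above, worked through as an added example (not OpenVPN's code): a toy model of a block-buffering Update() next to the two checks the commit lists, the graceful primary capacity check and the buf_inc_len() double check. BLOCK_SIZE, the chunk sizes and the buffer capacities are constructed.

```c
/* Added example, not OpenVPN's code: a model of a buffering (CBC-like)
 * cipher Update() and of the two checks the commit describes, a primary
 * capacity check that drops the packet and a buf_inc_len() double check. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define BLOCK_SIZE 16

struct buffer {
    uint8_t *data;
    size_t capacity;
    size_t len;
};

/* Grow len by inc, refusing (returning false) instead of overflowing. */
static bool buf_inc_len(struct buffer *b, size_t inc)
{
    if (inc > b->capacity - b->len)
        return false;
    b->len += inc;
    return true;
}

/* Block modes hold back a partial block between calls, so one Update()
 * of inl bytes emits the whole blocks of (cached + inl): up to inl + 15. */
struct cipher_model { size_t cached; };
static size_t model_update(struct cipher_model *m, size_t inl)
{
    size_t total = m->cached + inl;
    m->cached = total % BLOCK_SIZE;
    return total - m->cached;
}

/* Largest output a single Update(inl) can produce over all cache states.
 * It never exceeds inl + BLOCK_SIZE - 1 and reaches that bound when inl
 * is one byte past a block boundary, which is what the contract allows. */
size_t max_update_output(size_t inl)
{
    size_t worst = 0;
    for (size_t c = 0; c < BLOCK_SIZE; c++) {
        struct cipher_model m = { c };
        size_t out = model_update(&m, inl);
        if (out > worst)
            worst = out;
    }
    return worst;
}

/* Decrypt two constructed chunks (15 then 17 bytes) into out_capacity
 * bytes. Returns 0 on success, 1 if the primary check drops the packet,
 * 2 if only the buf_inc_len() double check caught an overflow (the case
 * that would ASSERT() in OpenVPN). reserve_extra_block selects whether the
 * primary check demands the extra BLOCK_SIZE - 1 bytes of the contract. */
int demo_decrypt(size_t out_capacity, bool reserve_extra_block)
{
    static const size_t chunks[] = { 15, 17 };
    uint8_t storage[64];
    if (out_capacity > sizeof storage)
        return -1;
    struct buffer out = { storage, out_capacity, 0 };
    struct cipher_model m = { 0 };
    for (size_t i = 0; i < 2; i++) {
        size_t need = chunks[i] + (reserve_extra_block ? BLOCK_SIZE - 1 : 0);
        if (out.capacity - out.len < need)
            return 1;
        if (!buf_inc_len(&out, model_update(&m, chunks[i])))
            return 2;
    }
    return 0;
}
```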
Arne Schwabe [Mon, 27 Jul 2015 15:33:11 +0000 (17:33 +0200)]
Fix commit e473b7c if an inline file happens to have a line break exactly at buffer limit
The check only accounts for strlen(line) bytes of space, and buf_printf will only use at
most space - 1 and not print the final character ('\n') in this corner case.
Since a missing \n only breaks certificates at the start and end marker,
missing line breaks otherwise do not trigger this error.
Commits da9b292733e929a2900dc32d37f0424c3d588366 and 315f6fbc7f657a7f1127628bd714f468709d5185 broke the use case where we are
asking password from the management client. The password is always asked
before daemonization. With this fix we avoid this and ask it via management
interface in the same spot as before the mentioned commits. Tested on Linux.
v2: This patch was first submitted by Christian Pellegrin (from Google),
and reworked by Steffan Karger (from the OpenVPN team) to also work for
setups with --management-query-passwords but without --auth-user-pass.
Signed-off-by: Steffan Karger <steffan@karger.me>
Signed-off-by: Christian Pellegrin <chripell@google.com>
Tested-by: Christian Pellegrin <chripell@google.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <55A6C46C.5080601@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9927
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit d4fbe287fc2ddbef05fdfe22adc641859a8a7412)
James Geboski [Tue, 8 Jan 2013 22:52:57 +0000 (17:52 -0500)]
Fix --askpass not allowing for password input via stdin
This resolves --askpass treating stdin as a file during the file access
check. In turn, this leads to openvpn failing to start if this option is
set to stdin.
By default, --askpass reads the certificate's password from stdin rather
than a file. Without passing the CHKACC_ACPTSTDIN flag to
check_file_access(), stdin is marked as being a nonexistent file.
Trac #248
Signed-off-by: James Geboski <jgeboski@gmail.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <55A41225.2020705@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9918
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 4e1e3ba1d8582a1e95dd6f9564e97c99784959a7)
Gert Doering [Mon, 13 Jul 2015 19:10:07 +0000 (21:10 +0200)]
Produce a meaningful error message if --daemon gets in the way of asking for passwords.
With the --daemon / SSL init reordering in da9b292733, we fail if we
daemonize first and then try to ask for a private key passphrase (or,
for that matter, username+password if --auth-nocache is set) - but
no meaningful error message was printed, instead depending on operating
system and library versions, either we looped around "ssl init failed"
or died with an unspecified "fatal error".
So: check if get_user_pass_cr() is called in a context that needs
"from_stdin", but both stdin and stderr are not connected to a tty
device (which getpass() needs). In that case, print a meaningful
error message pointing to --askpass, and die.
Trac #574 and #576
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1436814607-16707-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9916
(cherry picked from commit 079e5b9c13bf81d7afc6f932b5417d2f08f8e64b)
fix regression: query password before becoming daemon
The init sequence was changed to daemonize before the crypto init to fix
issues on FreeBSD some commits ago. This introduced a regression where
we would no longer query for passwords before daemonizing, as described
in trac #574 and #576.
This commit restores the correct order, and adds a bit of const
correctness since we're touching this code now anyway.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1436477759-5884-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9901
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 315f6fbc7f657a7f1127628bd714f468709d5185)
Signed-off-by: Steffan Karger <steffan@karger.me>
Tested-by: Fish Wang <fish.thss@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <CAA1AbxKrPXnc1+PPH4dQV1OksY_0t3ewqRnqVrjhZL+i2Pbkmw@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9859
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 9884e20810bda737c7708ff587e09cc0bb8475c7)
Holger Kummert [Thu, 25 Jun 2015 16:01:20 +0000 (18:01 +0200)]
Del ipv6 addr on close of linux tun interface
When a linux tun interface is closed (e.g. on disconnect)
an optional ipv6 addr that was previously set is deleted now.
Without this patch a later reconnect could fail with
'Linux ip -6 addr add failed: external program exited with error status: 2'
and openvpn would exit.
This is mainly relevant for persistent tun devices (staying around
after openvpn exits) but can also happen at reconnect.
If addresses are *supposed* to stay around on openvpn exit, run
openvpn with --ifconfig-noexec and configure IPv4/IPv6 addresses
manually before openvpn starts (or using an --up script).
Trac #141
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1435248080-12670-1-git-send-email-Holger.Kummert@Sophos.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9810
Steffan Karger [Thu, 18 Jun 2015 22:08:45 +0000 (00:08 +0200)]
write pid file immediately after daemonizing
Since we split daemonizing from changing directory in commit da9b292
(f025de005d719201a69ad0313d545a1ddd244752 in release/2.3), we can
now simply write the pid file immediately after daemonizing.
This not only fixes the bug reported in trac #563, but also further
simplifies the code.
trac #563
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1434665325-3225-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9793
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 659eae7b79e5565bb0c93f6d6d04e2163fea1141)
Gert Doering [Sun, 26 Apr 2015 18:03:58 +0000 (20:03 +0200)]
Fix FreeBSD ifconfig for topology subnet tunnels.
For "topology subnet", we only pretend to have a subnet and keep
using the tun if in point-to-point mode - but for that to fully
work, the "remote" address needs to be different from the "local"
address. So just arbitrarily construct one from the on-link
subnet - base+1, if "that is not us", base+2, otherwise.
Fix trac #481
See also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194745
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Tested-By: Anton Sayetsky <vsasjason@gmail.com>
Lazy-ACK-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1430071438-31675-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9606
(cherry picked from commit 60fd44e501f2002459a49c6c9bc64370ea26ca87)
Gert Doering [Sun, 31 May 2015 13:59:09 +0000 (15:59 +0200)]
Move res_init() call to inner openvpn_getaddrinfo() loop
A non-working nameserver in /etc/resolv.conf could lead to endless
loops inside openvpn_getaddrinfo(), because many systems will only
pick up changes to resolv.conf if res_init() is called again.
To reproduce, run openvpn with --resolv-retry infinite (2.3) or
--resolv-retry "a high number" (master) on a BSD system. Linux
glibc seems to stat() resolv.conf on calls to getaddrinfo() and
pick up changes automatically.
Trac #523
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1433080749-6892-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9763
(cherry picked from commit 288a819af7d3a6fab9e0b69ae8dbaac74b36307b)
Guy Yur [Mon, 1 Jun 2015 19:51:13 +0000 (21:51 +0200)]
Fix --redirect-private in --dev tap mode.
When specifying redirect-private option and not specifying route-gateway
or ifconfig options, OpenVPN fails to add the route to the remote host
with the following message:
NOTE: unable to redirect default gateway -- VPN gateway parameter
(--route-gateway or --ifconfig) is missing
In redirect_default_route_to_vpn() the check for the remote endpoint happens
even though it is not used by redirect-private - make the check conditional
on RG_REROUTE_GW (= --redirect-gateway).
Trac #261
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20150531120327.GE382@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9761
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 1e2b229e5140b784820906feb8446e47c1ecc62e)
Gert Doering [Mon, 1 Jun 2015 19:04:47 +0000 (21:04 +0200)]
Use configure.ac hack to apply serial_test AM option only if supported.
Inspired by libguestfs' configure.ac hack - test automake version,
and if 1.12 or newer, use m4 magic to pass "serial_tests" option
to AM_INIT_AUTOMAKE().
Gert Doering [Sun, 31 May 2015 20:41:58 +0000 (22:41 +0200)]
On signal reception, return EAI_SYSTEM from openvpn_getaddrinfo().
A signal (except SIGUSR1) received while waiting for getaddrinfo() is
considered fatal, so openvpn_getaddrinfo() is destroying the returned
information with freeaddrinfo(), but still signalled "success" (0)
to the caller - so if the caller accessed *res before checking
*signal_received, it would access just-free()ed memory, which on some
platforms still worked and on others caused a crash.
Also, ensure that *ai is also NULLed in the caller now.
Trac #276
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1433104918-9523-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9764
(cherry picked from commit 5f6c01ea6172ed1d8ed04e31f9f6c3f8e4696109)
Gert Doering [Thu, 28 May 2015 09:11:47 +0000 (11:11 +0200)]
Revert "Enforce "serial-tests" behaviour for tests/Makefile"
This reverts commit c196ea922755bb25f9837080d562ef4d3495999f,
because it breaks "autoreconf -vif" on autoconf versions older
than 1.12 - like, CentOS 6, Debian 7, ...
Gert Doering [Wed, 27 May 2015 18:31:38 +0000 (20:31 +0200)]
Enforce "serial-tests" behaviour for tests/Makefile
Our "make check" testsuite creates quite a bit of output which is
intended to help pinpointing the exact reason for failure - hidden by
default by automake 1.12 and up, which default to "parallel-tests" which
has no benefit for us. So, just set the automake option to revert to
the old behaviour.
See also: https://www.gnu.org/software/automake/manual/html_node/Serial-Test-Harness.html
Trac #427
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Message-ID: <20150524193011.GK382@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9738
Acked-by: David Sommerseth <openvpn.list@topphemmelig.net>
(cherry picked from commit fc03ca9d13e35c40bdf1c3c676db2adf48c60223)
But keep the chdir to / at the place where daemon() was before, to preserve
the current behaviour wrt relative paths in the config.
This should fix the issue reported in trac #480, without changing the
behaviour visible to the end user.
Note that by moving the daemon() call to an earlier stage of the init
process, we no longer have to call platform_mlockall() again, or do a
pkcs11_forkFixup().
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1430144937-4149-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9609
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit da9b292733e929a2900dc32d37f0424c3d588366)