It looks like it's possible to specify an optional authfile as third
argument of the "socks-proxy" directive. This patch updates the man page to
document that.
If a CA certificate file includes intermediate certificates, and any
of them fail to verify, the current code will file with "Cannot load
CA certificate file". Instead, generate a more specific error message
identifying the specific sub-certificate(s) which did not validate.
Arne Schwabe [Fri, 31 May 2013 12:59:35 +0000 (14:59 +0200)]
Add reporting of UI version to basic push-peer-info set.
If a GUIs sets IV_OPENVPN_GUI_VERSION the version will be pushed to the
server.
Usage convention for IV_OPENVPN_GUI_VERSION is "<gui_id><space><version>",
for example "de.blinkt.openvpn 0.5.47" for the ICS Android version.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: James Yonan <james@openvpn.net>
Message-Id: <1370005175-14871-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7646 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f3a2cd255a3bc73a546a5e2d09fa30a16cce0d7d)
Josh Cepek [Thu, 14 Nov 2013 18:02:59 +0000 (12:02 -0600)]
Require a 1.2.x PolarSSL version
Upstream policy on PolarSSL API compatibility does not guarantee
stability between point-releases. For OpenVPN, we must verify a 1.2.x
version with the current codebase.
Steffan Karger [Tue, 22 Oct 2013 12:45:17 +0000 (14:45 +0200)]
Require polarssl >= 1.2.10 for polarssl-builds, which fixes CVE-2013-5915.
PolarSSL 1.2.9 fixes a possible timing attack in PolarSSL's RSA-CRT
implementation. See CVE-2013-5915 for details. This commit bumps the
minimum polarssl version required by configure.ac to 1.2.10, because 1.2.9
also introduced a memory leak, which is fixed in 1.2.10.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1382445917-2974-1-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7925 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 92d21e3fed33aad966b7b0ca6568e0cda8c7a8b5)
Heiko Hund [Tue, 15 Oct 2013 09:23:42 +0000 (11:23 +0200)]
Support non-ASCII TAP adapter names on Windows
Currently the TAP adapter name is fetched as an OEM string, which
is problematic if it contains non-ASCII characters and is to used
with netsh. The logfile also contains these non UTF-8 characters.
This patch fetches the name from the registry as UCS-2 and converts
it right into UTF-8 before it's used.
Josh Cepek [Wed, 21 Aug 2013 21:20:30 +0000 (16:20 -0500)]
Correct error text when no Windows TAP device is present
Starting with the 2.3-series, the TAP-Windows driver/utilities and
OpenVPN are separately installed components. The error message given to
users without available TAP devices uses the pre-2.3 path that does not
exist. The path should be listed under the TAP-Windows program group
that the tap-windows project installer uses.
Resolves bug #320
Signed-off-by: Josh Cepek <josh.cepek@usa.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Message-Id: <kv4ece$s8s$1@ger.gmane.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7825 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 2d34628af995676c8ecddb953897c334b96a6a6b)
Always load intermediate certificates from a PKCS#12 file
Load intermediate certificates from a PKCS#12 file and place them in the
extra certs chain, when trusted CA certs are loaded from an external PEM
file with the --ca option, and the CA certs in PKCS#12 are not to be trusted.
Required when client PKCS#12 file is provided by a different CA
than the server CA, the PKCS#12 file contains intermediate certificates
required for client auth, but the server CA is not in the PKCS#12 file.
When --ca is set, the PKCS#12 provided CA certs are not trusted. Without
this patch, they were ignored completely - with this patch, they're loaded
in the extra certs chain which makes them available for chain verification
but still does not make them trusted if --ca is set. Unless when, of
course, a trusted root is found from the --ca file.
Acked-by: James Yonan <james@openvpn.net> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <alpine.DEB.2.02.1306201400320.10116@jazz.he.fi>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7721
James Yonan [Tue, 11 Jun 2013 06:25:05 +0000 (00:25 -0600)]
Added "setenv opt" directive prefix. If present, and if the
directive that follows is recognized, it will be processed
as if the "setenv opt" prefix was absent. If present and if
the directive that follows is not recognized, the directive
will be ignored rather than cause a fatal error.
For example, suppose you are distributing a client
configuration file and want to set the minimum TLS version
that the client requires from the server to 1.2.
By using the following directive,
setenv opt tls-version-min 1.2 or-highest
only newer clients that understand the tls-version-min directive
would process it, while older clients would ignore it.
James Yonan [Tue, 11 Jun 2013 04:59:30 +0000 (22:59 -0600)]
TLS version negotiation
Updated the TLS negotiation logic to adaptively try to connect using
the highest TLS version supported by both client and server.
Previously, OpenVPN (when linked with OpenSSL) would always connect
using TLS 1.0.
Also added tls-version-min directive to force a higher TLS version
than 1.0:
tls-version-min <version> ['or-highest'] -- sets the minimum
TLS version we will accept from the peer. Examples for version
include "1.0" (default), "1.1", or "1.2". If 'or-highest' is
specified and version is not recognized, we will only accept
the highest TLS version supported by the local SSL implementation.
Examples:
tls-version-min 1.1 -- fail the connection unless peer can
connect at TLS 1.1 or higher.
tls-version-min 1.2 or-highest -- require that the peer
connect at TLS 1.2 or higher, however if the local SSL
implementation doesn't support TLS 1.2 (as it wouldn't
if linked with an older version of OpenSSL), reduce the
minimum required version to the highest version supported
by the local SSL implementation (such as TLS 1.0). This
is intended to allow client configurations to target higher
TLS versions that are supported on the server, even if some
older clients don't support these versions yet.
[
This is a merged patch from on the following commits
on git://github.com/jamesyonan/openvpn.git
plugin: Extend the plug-in v3 API to identify the SSL implementation used
OpenVPN would segfault unexpectedly if it would be compiled against
PolarSSL
and the plug-in would expect OpenSSL, or vice-versa. This segfault would
not appear before the plug-in would try to access functions which would
be available if the plug-in and OpenVPN uses the same SSL implementation.
This patch adds a member to the plug-in initialisation function, which
identifies the SSL implementation.
The log_v3 plug-in is updated accordingly + a simple fix to make it
buildable again using the ./build script.
A minor documentation error in the openvpn-plugin.h was also
corrected, where it mentioned OPENVPN_PLUGIN_VERSION instead of
OPENVPN_PLUGINv3_STRUCTVER.
v2 - add const ovpnSSLAPI ssl_api at the end of
struct openvpn_plugin_args_open_in and not in the "middle"
v3 - fix bug in plug-in init, as the SSLAPI was located wrong in the
args struct sent to the openvpn_plugin_open_v3() function.
v4 - Ensure SSLAPI got a sane/known value if SSL is disabled or unknown
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1372879030-10576-1-git-send-email-dazo@users.sourceforge.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7754 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 587df08abda3c8f1f85ccdba4d8b82a736c11e2d)
This "feature" has been enabled since OpenVPN 2.2 without any reports that
this has been causing issues. All it does is to add an extra environment
variable 'tls_digest_{n}' with the certificate SHA1 fingerprint/digest
hash.
Lets just simplify things by removing the possibility to disable this
environment variable.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1370600123-6029-1-git-send-email-dazo@users.sourceforge.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7660 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e3d388652f59fd2ddd9c7f470f7ef62ee6b35595)
Arne Schwabe [Fri, 21 Jun 2013 10:48:28 +0000 (12:48 +0200)]
Add support of utun devices under Mac OS X
Mac OS X 10.7+ natively supports tun devices (called utun). The "standard"
utun.ko driver is sometimes problematic (e.g. VmWare Fusion 5 and tun.ko
do not work together).
When OpenVPN is compiled with utun support it will if no dev-node is given
first try to use utun and if that is not available will try the
traditional tun devices
v2: Fixed tap support, get device name via ioctl, add manage
v3.1: Fix compiling without if/utun.h, fix manage errors
v4/v5: Don't try open to dynamically open utun0 -255 when early utun
initialization fails, fix fallback to tun, give fatal error message when
utun fails but no tun fallback should be done
v6: add commit message change log, replace strstr with strncmp, move
v7: Throw error if a user does the strange combination of --dev tun
--dev-type tap and --dev-node utun
A lot good input on earlier patches by Jonathan K. Bullard
<jkbullard@gmail.com>
Parts of the patches are inspired from Peter Sagerson's
<psagers@ignorare.net> utun patch Signed-off-by: Arne Schwabe <arne@rfc2549.org> Tested-by: Jonathan K. Bullard <jkbullard@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1371811708-8528-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7739 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit fbc04bedbcce02fc625357b7475ddbc7164cabbf)
Arne Schwabe [Thu, 30 May 2013 21:02:17 +0000 (23:02 +0200)]
Move checking of script file access into set_user_script
At the moment script are only checked if P2MP_SERVER is defined. For
CLIENT_ONLY openvpn script were never checked. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1369947737-26081-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7635
Arne Schwabe [Thu, 30 May 2013 20:26:43 +0000 (22:26 +0200)]
Move settings of user script into set_user_script function
This also fixes commit 567bfc06d051b60e9cdca1f5bb468631b899682a if not all
script options are available by setting options->user_script_used Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1369945603-17169-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7634
Arne Schwabe [Thu, 30 May 2013 13:27:08 +0000 (15:27 +0200)]
Only print script warnings when a script is used. Remove stray mention of script-security system.
Acked-by: Jan Just Keijser <janjust@nikhef.nl>
Message-Id: <1369920428-11350-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7625
Gert Doering [Thu, 30 May 2013 11:31:24 +0000 (13:31 +0200)]
Fix problem with UDP tunneling due to mishandled pktinfo structures.
In link_socket_write_udp_posix_sendmsg(), pktinfo structures for ipv4 and
ipv6 are going out of scope before actually calling sendmsg(), so depending
on compiler optimization, garbage is passed to sendmsg() - fix by using
"union openvpn_pktinfo" and having that in scope all the time.
Problem reported and patch provided by "danta" in trac#297
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
URL: https://community.openvpn.net/openvpn/ticket/297
Message-ID: <20130530184427.GP20843@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7629
(cherry picked from commit 8c431f960357d776cfd0961192214ad1b0942bfb)
James Yonan [Mon, 20 May 2013 10:13:21 +0000 (12:13 +0200)]
Always push basic set of peer info values to server.
On the client, allow certain peer info fields to be pushed even if
push-peer-info isn't specified in the config.
This is needed to allow the compression handshake to work correctly
(i.e. where the client indicates its support for LZO and/or Snappy).
Fields that have privacy implications such as Mac Address and UV_*
environment variables will not be pushed to the server as before unless
push-peer-info is specified by client config.
v1: equivalent to OpenVPN SVN r8225 (2.1.21c)
v2: distinguish 3 levels of peer-info detail
--push-peer-info specified --> send all we have
--pull specified --> send basic set, as per r8225
default --> send nothing (do not leak from server)
v3: undo extra whitespace changes in v1 and v2
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1369044801-7594-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7604
(cherry picked from commit 598e03f0e7bce434e501a9895819f2af0714d5f6)
Josh Cepek [Thu, 16 May 2013 14:09:23 +0000 (09:09 -0500)]
Fix Windows script execution when called from script hooks
Console applications under Windows, such as batch scripts, require the
CREATE_NO_WINDOW process flag when run without an actual console window
present. This change allows such scripts to execute and impact the hook
status by way of their return code.
Gert Doering [Fri, 3 May 2013 19:13:24 +0000 (21:13 +0200)]
Fix NULL-pointer crash in route_list_add_vpn_gateway().
Add ASSERT() check to route_list_add_vpn_gateway() to ensure that *rl
is valid (and if not, crash with a somewhat more meaningful message than
"segmentation violation"). For the actual bugfix, change init code to
always allocate a "struct route_list" for IPv4, even if no --route options
have been seen in the config.
Fix trac#281 and trac#258.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Josh Cepek <josh.cepek@usa.net>
Message-Id: <1367608404-2257-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7581
(cherry picked from commit eb95f367348f4c2aae301cfa7c3adc8e0f2e711e)
This fixes an issue where a segfault happens in pf_cn_test() if no
packet filtering rules have been parsed. See the trac ticket for
more details.
Trac: 163 Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit 31e5f34f3c6cf3aa6f120d22c415ac74a5ba1639)
Gert Doering [Tue, 26 Mar 2013 16:09:35 +0000 (17:09 +0100)]
Fix directly connected routes for "topology subnet" on Solaris.
This basically brings back the previously-working metric setting for
directly connected routes (add a "0" to the "route add" command) on
Solaris/OpenSolaris. It was working in f0eac1a59790, and got broken
by the route.c/route.h refactoring in 576dc96ca1ef1 - the patch
un-does that change to the TARGET_SOLARIS code, plus adds some more
descriptive comments.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Josh Cepek <josh.cepek@usa.net>
Message-Id: <1364314175-20758-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7460
(cherry picked from commit 792e8956b999b6932d472e4ab592bff160e52888)
Gert Doering [Sat, 23 Mar 2013 09:28:48 +0000 (10:28 +0100)]
Add MIN() compatibility macro
commit 3b23b18dddb8f8f4a introduced usage of MIN(), and not all platforms
have the macro in "readily usable" system header files, most notably it's
missing on OpenSolaris and Android. Add macro if not defined yet.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20130323112234.GM17727@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7450
(cherry picked from commit 15ca5c297b556fbbfdee6152af26ee158222614f)
Steffan Karger [Fri, 22 Mar 2013 08:54:24 +0000 (09:54 +0100)]
Switch to IANA names for TLS ciphers.
Added translation table and functions to translate between TLS OpenSSL
and IANA (IETF) cipher suite names. The previously used OpenSSL names
are still accepted, but a deprecation warning is issued.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1363942465-3251-6-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7439 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3b23b18dddb8f8f4a6ac6959b844b63356b59e87)
Added translate_cipher name to crypto_openssl.c and crypto_polarssl.c
to translate between OpenVPN(/OpenSSL) and PolarSSL data channel
cipher algorithm names. OpenSSL does not require any translating,
PolarSSL does for a small number of algorithms. This improves on
config file compatibility between the OpenSSL and PolarSSL builds.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1363942465-3251-5-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7435 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f499b921344272eec6405955b9bad2f162f7a2f9)
Steffan Karger [Fri, 22 Mar 2013 08:54:22 +0000 (09:54 +0100)]
Improve verify_callback messages
Print the *flags argument, which - for PolarSSL-1.2 - contains the reasons
that the certificate failed (pre-)verification.
Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1363942465-3251-4-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7437 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit d572959d35e8920efb8d95d253ededee5d8a34bd)
Instead of logging the fact that an error occured, log the error code and
description (when available in the PolarSSL build).
Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1363942465-3251-3-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7440 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 0219f115f3a2711d5c51457d6e97d6930916653b)
Steffan Karger [Fri, 22 Mar 2013 08:54:20 +0000 (09:54 +0100)]
PolarSSL-1.2 support
Add support for PolarSSL-1.2, which has changed the API in several places.
This is a minimal port, new features have not been enabled. Only PolarSSL
1.2.5 and newer are accepted, as earlier versions contain unresolved
(security) issues.
Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com> Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Adriaan de Jong <dejong@fox-it.com>
Message-Id: <1363942465-3251-2-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7436 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 4a56d19fc3aa59d0eebd99f102ecaaa3665c5088)
Josh Cepek [Wed, 20 Mar 2013 18:22:25 +0000 (13:22 -0500)]
(updated) [PATCH] Warn when using verb levels >=7 without debug
On 3/20/2013 11:42, Arne Schwabe wrote:
> ACK. But I would change "debug verb" to "debug verbosity" and I think
> there should be no comma before "but"
This text change makes sense: I've adjusted it to read "NOTE: debug
verbosity..." and saved another byte removing the comma.
Updated patch attached.
--
Josh
>From d41a0237220f2fea6647a508a2ab07263e0f160b Mon Sep 17 00:00:00 2001
From: Josh Cepek <josh.cepek@usa.net>
Date: Tue, 19 Mar 2013 22:52:12 -0500
Subject: [PATCH] Warn when using verb levels >=7 without debug
This patch adds a log warning when using --verb levels at 7 or higher
when running on builds lacking debug support. Since official builds are
now built with enable_debug=no, this warning will help developers
identify why expected debug messages may not be present in log output.
The test and message output code is omitted when built with
enable_debug=yes or enable_small=yes.
Signed-off-by: Josh Cepek <josh.cepek@usa.net> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <kicup2$gfv$1@ger.gmane.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7425 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 58fbb8046b203ca23708c1765ee84330d8809266)
Josh Cepek [Thu, 21 Feb 2013 15:50:38 +0000 (09:50 -0600)]
Fix parameter listing in non-debug builds at verb 4
When built with enable_debug=no, the parameter output expected at --verb
4 is not printed due to use of #ifdef ENABLE_DEBUG in the responsible
code sections. This appears to be a mistake when looking at the
configure help text for enable_small and enable_debug.
This change keys the relevant code off of enable_small instead,
including the parameter listing when enale_small=no (the
configure-script default.) Most of this code is in options.c, with some
callers present in plugin.c/h and route.c/h. No function code is
changed, just the #ifdef values to use the small feature instead of
debug.
This means builds no longer need enable_debug=yes in order to get the
expected log output at verb 4.
Signed-off-by: Josh Cepek <josh.cepek@usa.net> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <437RBuq1U8032S07.1361465626@web07.cms.usa.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7361 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6c61d0dd339084175f6911d8b713faaf4967ca03)
Gert Doering [Mon, 11 Mar 2013 20:03:20 +0000 (21:03 +0100)]
Repair "tcp server queue overflow" brokenness, more <stdbool.h> fallout.
Return value of mbuf_len() wrong - it's returning a length value, not
a yes/no value - so when the queue length approached 65 (full!), it
still only returned "1", leading to MBUF overflow later on. Change
from "bool" to "unsigned int", misbehaviour gone...
This fixes OpenVPN trac ticket #263.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Peter Caprioli <petercap@kth.se>
Message-Id: <20130312100706.GN953@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7396 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 0eb398501fab9c016b9b6008682c43873c4a6188)
Heiko Hund [Fri, 22 Feb 2013 09:44:21 +0000 (10:44 +0100)]
make --tls-remote compatible with pre 2.3 configs
In openvpn 2.3.0 the semantics of the --tls-remote option changed.
That broke more configurations than anticipated. To not break
configurations that use --tls-remote with a legacy OpenSSL style DN
anymore, it is now detected when such a DN is configured. When
necessary the --compat-names option is then automatically enabled.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: 1361526263-1740-3-git-send-email-heiko.hund@sophos.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/7366 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ad532bba896875e56488e69ec16212a77787c57b)
Fix corner case in NTLM authentication (trac #172)
The problem is located in the file proxy.c within
"establish_http_proxy_passthru": To keep buffers small long
base64-encoded NTLM-Strings are truncated.
But the truncating is done on a wrong place: base 64 strings can be
cut every 4 chars. the buffer is 128 bytes - including the terminating
\0, so the usable data is only 127 bytes. And decoding a 127 char
base64 string fails... this is why the ntlm authentication fails in
certain cases (long strings)...
Christian Hesse [Tue, 8 Jan 2013 08:39:12 +0000 (09:39 +0100)]
fix build with automake 1.13(.1)
AM_CONFIG_HEADER has been deprecated for some time, finally it is removed
on automake 1.13. The attached patch replaces it with AC_CONFIG_HEADERS and
fixes build process with latest automake.
Heiko Hund [Mon, 4 Feb 2013 11:39:25 +0000 (11:39 +0000)]
Ignore UTF-8 byte order mark
Currently openvpn exits when reading configuration from a file
that has an UTF-8 byte order mark (EF BB BF) at its start.
While it is useless to put a BOM into UTF-8 encoded files, the
Unicode standard [1] permits it (on page 36):
"Use of a BOM is neither required nor recommended for UTF-8,
but may be encountered in contexts where UTF-8 data is converted
from other encoding forms that use a BOM or where the BOM is
used as a UTF-8 signature."
Notepad.exe, the default text editor on Windows, always puts the BOM
into UTF-8 encoded files when saving them. Others may do as well.
Just ignoring the UTF-8 BOM will make config files with UTF-8 BOM
readable.
Samuli Seppänen [Fri, 25 Jan 2013 09:59:34 +0000 (11:59 +0200)]
Cleaned up and updated INSTALL
- Changed "Supported platforms" to reflect current support status of the
mentioned operatingsystems
- Removed mentions of the obsolete Python and domake-win buildsystems
- Added mention of official Debian/RPM packages
- Added links to the Wiki
- Added mention of the new openvpn-build cross-compile environment
- Added PolarSSL to and removed pthreads from the "Optional" section
- Added mention of t_client.sh test framework
- Removed some very old (pre-2005) nuggets of (obsolete) information
- Other minor cleanups
- Some reorganization
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1359107974-1481-1-git-send-email-samuli@openvpn.net
URL: http://article.gmane.org/gmane.network.openvpn.devel/7303 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 607a678d371c56d368319b0a7a1bb147008d5822)
Matthias Andree [Sat, 12 Jan 2013 12:41:17 +0000 (13:41 +0100)]
Enable TCP_NODELAY configuration on FreeBSD.
The missing #include <netinet/tcp.h> causes a defined(TCP_NODELAY) to
fail. I have added the patch to the FreeBSD ports OpenVPN 2.2.2 and
2.3.0, and confirmed (with strings ... | grep) that the TCP_NODELAY code
is now part of the executable on amd64, and results in this log output:
Sat Jan 12 13:39:18 2013 Listening for incoming TCP connection on [undef]
Sat Jan 12 13:39:18 2013 Socket flags: TCP_NODELAY=1 succeeded
Obtained from: https://community.openvpn.net/openvpn/ticket/158
Credits to: M. Nottebrock
Signed-off-by: Matthias Andree <matthias.andree@gmx.de> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1357994477-29981-1-git-send-email-matthias.andree@gmx.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/7230 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3e86f688757529f8b33f9e6b49e31ba8d8564c5e)
Arne Schwabe [Sun, 3 Feb 2013 11:12:31 +0000 (12:12 +0100)]
Remove dead code path and putenv functionality
The construct_name_value function call will always fail so this code path
is never used. Since we now always have a valid environment in
static_context->c2.es it is better to have a ASSERT(es) than to call this
code patch.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1359889951-3369-1-git-send-email-arne@rfc2549.org
URL: http://article.gmane.org/gmane.network.openvpn.devel/7323 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Fri, 25 Jan 2013 11:39:14 +0000 (12:39 +0100)]
Update README.IPv6 to match what is in 2.3.0
IPv6 is no longer provided by external patches - all has been
integrated. Document that fact, point at the new configuration options,
and at potential caveats.
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1359113954-25768-1-git-send-email-gert@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/7305 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c2f4c1918202f4395438663804b0806c93790501)
Heiko Hund [Fri, 1 Feb 2013 14:19:14 +0000 (15:19 +0100)]
close more file descriptors on exec
Don't inherit the --status and --ifconfig-pool-persist, and on Linux
the epoll(7), file descriptors to scripts and other processes that
may be forked by plugins.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1359728354-9405-1-git-send-email-heiko.hund@sophos.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/7312 Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit 09ee4192b1d16bbd7c3c138cc2d46760a11797bf)
Gert Doering [Tue, 25 Dec 2012 12:41:50 +0000 (13:41 +0100)]
Fix client crash on double PUSH_REPLY.
Introduce an extra bool variable c2.pulled_options_md5_init_done to
keep track of md5_init state of pulled_options_state - avoid accessing
uninitialized state when a second PUSH_REPLY comes in (which only happens
under very particular circumstances).
Bug tracked down by Arne Schwabe <arne@rfc2549.rrg>.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: 20121225124856.GT22465@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/7216 Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit 1978db4b9657f0db134f1deaeb1e8400bf6a033e)
Gert Doering [Sun, 16 Dec 2012 21:15:20 +0000 (22:15 +0100)]
Fix option inconsistency warnings about "proto" and "tun-ipv6"
"tun-ipv6" is only sent in option string if running in point-to-point
mode (= not --server and not --client or --pull), because in those
scenarios it's usually pushed by the server, and the client does not
yet have it when comparing options -> needless warning.
Completely ignore "proto" values when comparing option strings - this
is in preparation for removing proto from the option string in a future
release, and to avoid warnings when 2.3 talks to this future release.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1355692520-24362-1-git-send-email-gert@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/7194 Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit 3b860cf27b9374f6ebe67ff21011661f8ec391c6)
David Sommerseth [Fri, 16 Nov 2012 11:02:06 +0000 (12:02 +0100)]
Avoid recursion in virtual_output_callback_func()
This solves a SEGV situation when using the management API while OpenVPN
is closing down.
The situation happens when the management socket has closed and OpenVPN
tries to write an error about this to the management socket. What happens
is that
virtual_output_callback_func() is called, which then calls
-> man_output_list_push_finalize()
-> man_output_standalone()
-> man_write() <-- this does the socket write
-> man_io_error()
-> x_msg()
-> virtual_output_print()
-> virtual_output_callback_func() (recursion start)
virtual_output_callback_func() do have a mechanism to avoid recursion,
but that did not keep the recurse counter when
man_output_list_push_finalize()
is called.
This patch just reorganise the recursion block to also keep the counter
while
calling the other functions from virtual_output_callback_func()
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1353063726-25113-1-git-send-email-dazo@users.sourceforge.net
URL: http://article.gmane.org/gmane.network.openvpn.devel/7130
(cherry picked from commit b2b66179f6dcc37de9582d5c3044f0357dda3df3)
David Sommerseth [Thu, 29 Nov 2012 13:16:12 +0000 (14:16 +0100)]
The get_default_gateway() function uses warn() instead of msg()
A report on #openvpn pointed out that in his setup three warnings
appeard on the console when starting up.
$ sudo /usr/local/etc/rc.d/openvpn restart
Stopping openvpn.
Waiting for PIDS: 33031.
Starting openvpn.
openvpn: writing to routing socket: No such process
openvpn: writing to routing socket: No such process
openvpn: writing to routing socket: No such process
$
This setup is on FreeBSD using jails with strict access to the
routing table.
After looking at the code path, this error was found in the BSD
sections for get_default_gateway(). But it was using the warn()
call instead of msg(M_WARN|M_ERRNO, ...) which causes these
warnings to go to stderr instead of the log file.
The warning string is also slightly modified to better explain
what fails.
Reported-by: Thomas Steen Rasmussen <thomas@gibfest.dk> Tested-by: Thomas Steen Rasmussen <thomas@gibfest.dk> Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1354194972-5388-1-git-send-email-dazo@users.sourceforge.net
URL: http://article.gmane.org/gmane.network.openvpn.devel/7149
(cherry picked from commit b3f19cc4bec6978a128f5af3ab22d8cfa954b064)
Arne Schwabe [Mon, 26 Nov 2012 14:33:09 +0000 (15:33 +0100)]
Properly require --key even if defined(MANAGMENT_EXTERNAL_KEY)
When specifying --tls-client --cert ... without a --key (or --pkcs11)
option, OpenVPN should complain:
"You must define private key file (--key)...". Ensure that this
works even when compiling with MANAGMENT_EXTERNAL_KEY.
Also fix the other instance where this logic is broken
Orginal-Patch-by: Found by Joachim Schipper <joachim.schipper@fox-it.com> Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1353940389-31075-1-git-send-email-arne@rfc2549.org
URL: http://article.gmane.org/gmane.network.openvpn.devel/7143 Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit feca0900dd00577779ab02f2e52b41eb3dab935f)
Arne Schwabe [Mon, 19 Nov 2012 18:12:17 +0000 (19:12 +0100)]
Error message if max-routes used incorrectly
the route/route-ipv6/redirect-gateway options allocate the route structe
with max_routes number of routes. A max-routes after any of this commands
has no effect. This can be problematic
(http://code.google.com/p/ics-openvpn/issues/detail?id=101)
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1353348737-21920-1-git-send-email-arne@rfc2549.org
URL: http://article.gmane.org/gmane.network.openvpn.devel/7131 Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit f83ccec6525179968b68696acb6ccf22182fc6de)
In commit dc7be6d078ba106f9b0de12f3e879c3561c3c537 the string_alloc() call
in pf_init_context() was modified to use the gc_arena object for memory
allocation. What was not taken into consideration was that
pf_destroy_context() was also freeing memory allocated by string_alloc(),
and when pf_init_context() is calling gc_free() a double-free situation
showed up.
Lets remove the explict free, and let gc_free take care of all the memory
handling.
Reported-by: cuzz@163.com Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1352196216-11560-1-git-send-email-dazo@users.sourceforge.net
URL: http://article.gmane.org/gmane.network.openvpn.devel/7124
(cherry picked from commit 1f300fe94f1bd521966bb05dea40edc1fae82b84)
David Sommerseth [Thu, 25 Oct 2012 12:22:30 +0000 (14:22 +0200)]
Remove the support for using system() when executing external programs or scripts
This patch removes the support for the system() call, and enforces the
usage of execve() on the *nix platform and CreateProcessW() on Windows.
This is to enhance the overall security when calling external scripts.
Using system() is prone to shell expansions, which may lead to security
breaches. Which is also why the execve() approach has been the default
since commit a82813527551f0e79c6d6ed5a9c1162e3c171bcf which
re-introduced the system() in Nov. 2008.
After having asked on the mailing list and checked around on the IRC
channels, the genereal consensus is that very few uses system() these
days.
The only annoyance I've been made aware of is that this will now
require adding a full path to the script interpreter together with the
script, and not just put in the script name alone. But to just use the
script name in Windows, you had to configure --script-security with the
'system' flag earlier too. So my conclusion is that it's better to add
a full path to the script interpreter in Windows and raise the overal
security with OpenVPN, than to continue to have a possible potentially
risky OpenVPN configuration just to make life "easier" for Windows
script users.
Removal of the system() call, also solves a nasty bug related to the
usage of putenv() on the *nix platforms.
For more information please see:
http://thread.gmane.org/gmane.network.openvpn.devel/7090
https://community.openvpn.net/openvpn/ticket/228
Trac-ticket: 228 Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1351539352-17371-1-git-send-email-dazo@users.sourceforge.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7114
(cherry picked from commit 0563473601abfbf2142bfa0ca5b863c5aa7953a2)
Heiko Hund [Mon, 29 Oct 2012 13:16:37 +0000 (14:16 +0100)]
Support UTF-8 --client-config-dir
If a common name (or user name, when used in conjunction with
--username-as-common-name) contains UTF-8 encoded characters their
octets get replaced by underscores. This becomes problematic when
user "Müller" and "Möller" need to have a CCD file and both would
receive options from the file "M__ller". The situation is even
worse for non-latin alphabets, where CCD file names consist of
underscores entirely.
This patch removes that limitation and also allows the file names
to contain any punctuation characters besided the resevered ones.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1351516597-11128-1-git-send-email-heiko.hund@sophos.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/7110 Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit 9885f57e3ac8d2e32ba20ca84f6bdd0a1a995eac)
Adriaan de Jong [Wed, 17 Oct 2012 09:39:25 +0000 (11:39 +0200)]
Fixed a bug where PolarSSL gave an error when using an inline file tag.
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1350466765-23301-1-git-send-email-dejong@fox-it.com Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit 2ebbe4c0b4f0f0b15b4c32180e906a545446c376)
Kenneth Rose [Mon, 1 Oct 2012 18:47:02 +0000 (14:47 -0400)]
Fix v3 plugins to support returning values back to OpenVPN.
There's a small implementation issue with the V3 plugin API
implementation. V3 plugins cannot return data back to OpenVPN using
openvpn_plugin_args_func_return since
openvpn_plugin_args_func_return.return_list is always NULL.
This patch makes the behaviour identical to the V2 API (return_list is
again a proper out parameter).
Signed-off-by: Kenneth Rose <ken+openvpn@surfeasy.com> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: CAAUdgR8VZjaO0-thFPVoQkbZ1DNG3rx+gtYYLqyfocp3yns==w@mail.gmail.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/7083 Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit e92255f58bcfaec157c3ef59e01c40cbd04b1d43)
With this option, users can basically undo the changes of the UTF-8
support commit 5e86fd93779482b90a191f929edebe414cd78a4f. It's here for
short term compatibility and should be removed again as soon as possible.
When OpenSSL is used, the subject strings will be in the proprietary
format again. Generally username, X.509 CN, and X.509 subject will again
be subject to '_' replacemant, unless the "no-remapping" flag is
also specified. That flag ensures compatibility with setups using the
--no-name-remapping option, that has been removed in 2.3.
[v2: More comments related to compat_flags() added by DS plus using
COMPAT_FLAG_QUERY expclit]
[v3: Improved the man page entry for --compat-names, after suggestions
from Bernhard R. Link]
Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1347377664-15462-1-git-send-email-dazo@users.sourceforge.net
URL: http://article.gmane.org/gmane.network.openvpn.devel/7053
Fix reconnect issues when --push and UDP is used on the server
When the server is configured with UDP and --push statements, reconnecting
often fails by the client never receiving PUSH_REPLY. The client sends
PUSH_REQUEST and the server logs these requests but does not send them.
This bug got introduced in commit ff65da3a230b658b2c1d52dc1a48612e80a2eb42
which tries to avoid sending duplicated PUSH messages if the client/server
connection is slow.
This patch keeps this behaviour, but instead of a session wide PUSH_REPLY
block it sets an expiry time for the PUSH_REPLY block. The expiry time
is set to 30 seconds.
Signed-off-by: David Sommerseth <davids@redhat.com> Cc: James Yonan <james@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: James Yonan <james@openvpn.net>
Message-Id: 1347154246-20143-1-git-send-email-dazo@users.sourceforge.net
URL: http://article.gmane.org/gmane.network.openvpn.devel/7044
Gert Doering [Tue, 11 Sep 2012 11:56:55 +0000 (13:56 +0200)]
make "ipv6 ifconfig" on linux compatible with busybox ifconfig
We used to call "ifconfig tun0 inet6 add...". The "inet6" part is
optional,
and not understood by busybox. So now we call "ifconfig tun0 add ...",
which works on all supported Linux variants.
Tested on Gentoo, RHEL5+, Debian Lenny & up.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1347364615-26878-1-git-send-email-gert@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/7052 Signed-off-by: David Sommerseth <davids@redhat.com>
Arne Schwabe [Mon, 10 Sep 2012 14:39:33 +0000 (16:39 +0200)]
Add checks for external-key-managements
Commit 4806cc102655f1a829d656f6deb83e5953c5eab2 fixed only part of the
problem. Since it removed the filename either the magic filename has to be
resurrected or all checks against priv_key_file need to take to check for
MF_EXTERNAL_KEY as well. This patch implements the extra checks
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1347287973-12398-1-git-send-email-arne@rfc2549.org
URL: http://article.gmane.org/gmane.network.openvpn.devel/7046 Signed-off-by: David Sommerseth <davids@redhat.com>
Arne Schwabe [Tue, 7 Aug 2012 10:03:57 +0000 (12:03 +0200)]
Merge getaddr_multi and getaddr6 into one function
the getaddr6 and getaddr_mutli functions are duplicates of each other.
Since we always require getaddrinfo to be present both function are merge
into one openvpn_getaddrinfo.
This functions also returns a standard struct addrinfo* so our resolve
interface is closer to the standard unix interface. The getaddr function
is a wrapper which provides backward compatibility for IPv4 addresses.
Ipv6 calls and calls to getaddr_multi are replaced with the new interface.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1344333837-22076-1-git-send-email-arne@rfc2549.org
URL: http://article.gmane.org/gmane.network.openvpn.devel/6959 Signed-off-by: David Sommerseth <davids@redhat.com>
[DS: Applied proper indenting on the changes wherever needed]
Gert Doering [Thu, 16 Aug 2012 18:09:09 +0000 (20:09 +0200)]
Keep pre-existing tun/tap devices around on *BSD
This amends commit 62c613d46dc49 to check whether a named tun/tap
device ("--dev tunX" instead of "--dev tun") exists before OpenVPN
started - if yes, keep around at program end. If no, destroy.
Also has a spelling fix, and changes clear_tuntap() to be "static"
(only ever called from within tun.c).
Tested on FreeBSD 7.4, FreeBSD 9.0, NetBSD 5.1, OpenBSD 4.9
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Eric Crist <ecrist@secure-computing.net> Signed-off-by: David Sommerseth <davids@redhat.com>
projects / thirdparty / openvpn.git / log
