Steffan Karger [Fri, 28 Oct 2016 12:10:07 +0000 (14:10 +0200)]
Limit --reneg-bytes to 64MB when using small block ciphers
Following the earlier warning about small block ciphers, now limit the
--reneg-bytes value when using a cipher that susceptible to SWEET32-like
attacks. The 64 MB value has been selected with the researchers who
published the SWEET32 paper.
Note that this will not change a user-set --reneg-bytes value, to allow a
user to align a gun with his feet^w^w^w^w^w^w override this behaviour if
really needed.
Furthermore, in contrast with the patch for master, this will not limit
--reneg-bytes on the client side. This allows server administrators to
revert to the old behaviour, or increase --reneg-bytes to something they
believe is workable, without having to change client configs. (The master
branch provides cipher negotiation as a real solution, so we can be
stricter there.)
v2: obey user-set --reneg-bytes 0 to revert to old behaviour, use more firm
language in warning message, add URL to man page, and only limit at the
server side.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1477656607-7440-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12799.html Signed-off-by: David Sommerseth <davids@openvpn.net>
Gert Doering [Sun, 9 Oct 2016 10:09:29 +0000 (12:09 +0200)]
Fix --multihome for IPv6 on 64bit BSD systems.
The old code only worked if "struct openvpn*pktinfo" happened to use
the same structure packing as the CMSG_SPACE() / CMSG_LEN() macros
(which are part of the official API, see RFC 2292).
Get rid of "struct openvpn_*_pktinfo" definitions, replace them by
an opaque buffer sized large enough to fit IPv4 and IPv6 packet info
messages, as defined by CMSG_SPACE(sizeof(struct ...)).
On 32 bit platforms, the net result is the same. On 64 bit platforms,
the new buffer is bigger than openvpn_pktinfo was, fixing an overflow
with ipi6_ifindex corruption on reception, and EINVAL on sendmsg().
The IPv4 related changes are only side effects of using the new buffer.
Note: --multihome for IPv4 on NetBSD is still broken and non-fixable(!)
as NetBSD lacks the necessary kernel code for the sendmsg() side.
Verified that "--multihome works as well as before" on FreeBSD 7.4/amd64,
NetBSD 5.1/amd64, OpenBSD 4.9/i386, Linux/x86_64, Linux/i386,
OpenSolaris 10 (--multihome needs -D_XPG4_2, see trac #750)
See also: ip(4), ip6(4), recv(2)
Trac #634, #327, #28
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20161009100929.46472-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12626.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3fb246e38fc670c7dfff8ce4521c75c95c766c9e)
Gert Doering [Tue, 4 Oct 2016 11:38:54 +0000 (13:38 +0200)]
add POSTINIT_CMD_suf to t_client.sh and sample config
We have pre-init and cleanup commands, but some test cases might need
or want to run a shell script after openvpn has initialized, but before
executing any tests (ifconfig comparison and ping).
Example: POSTINIT_CMD_4="sleep 5" on MacOS X for tap tests (IPv6 DAD)
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20161004113854.42470-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12594.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit bae1ad7005fd9a1fadeed56370a9ac5422a33fee)
As reported in trac #732, the man page text for --cipher is no longer
accurate. Update the text to represent current knowledge, about NCP and
SWEET32.
This does not hint at changing the default cipher, because we did not make
a decision on that yet. If we do change the default cipher, we'll have to
update the text to reflect that.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1473605477-20908-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12440.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Sun, 2 Oct 2016 13:19:23 +0000 (15:19 +0200)]
make t_client robust against sudoers misconfiguration
Instead of testing (and priming) sudo with "true", prime with
"kill -0 $$" (just test signalling ourselves). If this fails,
we won't be able to kill the openvpn process we're going to
start later on -> thus, SKIP on failure.
This helps with misconfigured setups (especially on the buildbots)
that can correctly start openvpn but then not stop it later on -
leaving openvpn processes dangling around, requiring manual
intervention.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20161002131923.36681-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12585.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 8ca29af7c6d4759ce019ec9d0cd3eae4511a6804)
Samuli Seppänen [Mon, 3 Oct 2016 10:51:27 +0000 (13:51 +0300)]
Automatically cache expected IPs for t_client.sh on the first run
Previously one had to manually define correct values for the
EXPECT_IFCONFIG* variables based on what IPv4 and IPv6 addresses
the test VPN server handed out.
This was a tedious process especially with large number of tests,
as the IPs changed for every test client and for every test. With this
patch t_client.sh figures out the correct IP addresses using an
--up script and caches them to a separate file for later use.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1475491887-740-1-git-send-email-samuli@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12587.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit df0b00c253e41cce9567be79dbd3faa14c60473b)
Arne Schwabe [Thu, 14 Jul 2016 11:25:19 +0000 (13:25 +0200)]
Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer
Debian also incorrectly changes that the default for route parameters can
be specified by using "nil" instead of "default. The confusion is probably
coming from show_opt printing "nil" instead of "default". Change show_opt
to show "default (not set)" instead of "nil"
Original author: Alberto Gonzalez Iniesta <agi@inittab.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1468495519-25102-1-git-send-email-arne@rfc2549.org>
URL: http://www.mail-archive.com/search?l=mid&q=1468495519-25102-1-git-send-email-arne@rfc2549.org
David Sommerseth [Sat, 17 Sep 2016 11:18:05 +0000 (14:18 +0300)]
t_client.sh: Improve detection if the OpenVPN process did start during tests
This will check the OpenVPN log file if the process initialized
successfully.
It will check the log file for 30 seconds before aborting the test run.
This also has the advantage of starting the testing quicker if the
initialization goes faster than 10 seconds (which was the old sleep time).
The umask is also set to a more permissive mode to ensure the test
script is capable of reading the OpenVPN PID file, as that will be
created by root.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1474111085-10678-1-git-send-email-davids@openvpn.net>
URL: http://www.mail-archive.com/search?l=mid&q=1474111085-10678-1-git-send-email-davids@openvpn.net Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3712322ee1219e55640f2f4e5f822799edacd7cc)
David Sommerseth [Sat, 17 Sep 2016 10:50:33 +0000 (13:50 +0300)]
t_client.sh: Add support for Kerberos/ksu
If the t_client.rc have PREFER_KSU=1 configured, t_client.sh
will check if you have a valid Kerberos ticket and if so it will
do all execution via ksu instead of sudo.
If PREFER_KSU is not set or a Kerberos ticket is not found, it
will fallback to the configured RUN_SUDO approach.
When using ksu it needs the full path to the program being executed,
so there is also additional code to find the full path of true and kill.
[ v2 - Remove $* from RUN_SUDO for ksu config. Old cruft which survived
last review before patch submission.
- Improve known state declaration of PREFER_KSU ]
David Sommerseth [Sat, 17 Sep 2016 09:20:26 +0000 (12:20 +0300)]
t_client.sh: Make OpenVPN write PID file to avoid various sudo issues
This resolves an issue where $! returns the PID of the sudo process instead
of the PID of OpenVPN and when sudo does not properly propagate signales
down to OpenVPN.
Trac: #738 Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1474104026-20615-1-git-send-email-davids@openvpn.net>
URL: http://www.mail-archive.com/search?l=mid&q=1474104026-20615-1-git-send-email-davids@openvpn.net Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e0926ebfe55347843af701216be9598827a1367a)
In the release/2.3 branch we support gnu89, basically to keep
pre-2015 MSVC happy. Old gcc (<5) defaulted to gnu89. But
gcc 5+ and clang default to gnu11/c11. This patch makes our
gnu89 support explicit, such these newer compilers will also
point out gnu89 violations to developers.
v2: only set -std=gnu89 if no -std flag is present in $CFLAGS
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: 1474040436-9855-1-git-send-email-steffan@karger.me
URL: http://www.mail-archive.com/search?l=mid&q=1474040436-9855-1-git-send-email-steffan@karger.me Signed-off-by: David Sommerseth <davids@openvpn.net>
Gert Doering [Tue, 13 Sep 2016 20:04:58 +0000 (22:04 +0200)]
Do not abort t_client run if OpenVPN instance does not start.
Basically, an oversight - if one test instance does not start at all
(due to "tap driver not loaded") the whole script would exit, instead
of logging the failing instance and proceeding to the next test run.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: 20160913200458.9906-1-gert@greenie.muc.de
URL: http://www.mail-archive.com/search?l=mid&q=20160913200458.9906-1-gert@greenie.muc.de Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit a7b02f7f660707f765881f35867b4d23d89b390f)
Lev Stipakov [Mon, 4 Jan 2016 12:43:44 +0000 (14:43 +0200)]
Drop recursively routed packets
v2: better method naming
On certain OSes (Windows, OS X) when network adapter is
disabled (ethernet cable pulled off, Wi-Fi hardware switch disabled),
operating system starts to use tun as an external interface.
Outgoing packets are routed to tun, UDP encapsulated, given to
routing table and sent to.. tun.
As a consequence, system starts talking to itself on full power,
traffic counters skyrocket and user is not happy.
To prevent that, drop packets which have gateway IP as
destination address.
Tested on Win7/10, OS X.
Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
Trac: 642 Tested-by: ValdikSS <iam@valdikss.org.ru> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1451911424-12970-1-git-send-email-lstipakov@gmail.com>
URL: https://sourceforge.net/p/openvpn/mailman/message/34737757/ Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit e9d64bc03742c96a3d7fe2a473c43d40e5ba2001)
Steffan Karger [Tue, 16 Aug 2016 14:46:01 +0000 (16:46 +0200)]
Discourage using 64-bit block ciphers
As discussed with the development team, we should start moving away from
ciphers with a small block size. For OpenVPN in particular this means
moving away from 64-bit block ciphers, towards 128-bit block ciphers.
This patch makes a start with that by moving ciphers with a block
size < 128 bits to the bottom of the --show-ciphers output, and printing
a warning in the connection phase if such a cipher is used.
While touching this function, improve the output of --show-ciphers by
ordering the output alphabetically, and changing the output format
slightly.
[DS: Fixed C89 issues in patch, moving 'int nid' and 'size_t i' declaration
to begining of function instead of in the for-loops. This is also
required to not break building on stricter compiler setups where C99
must be enabled explicitly ]
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1471358761-8828-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg00030.html
CVE: 2016-6329 Signed-off-by: David Sommerseth <davids@openvpn.net>
As reported in trac #699, OpenVPN crashes when an "--cipher none" option
is followed by "--cipher" (without arguments). Fix the crash, and print a
warning to indicate that using --cipher of --auth without an argument is
deprecated.
This is a (partly) backport of the patch I sent for the master branch
yesterday.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1469541433-1671-1-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/12107 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Tue, 14 Jun 2016 02:34:49 +0000 (22:34 -0400)]
Promptly close the netcmd_semaphore handle after use
If more than one openvpn processes are running and one aborts
without releasing the semaphore, subsequent processes fail to get
a lock for the semaphore. This may be avoided by not keeping open
handles to the semaphore so that Windows can destroy it when no
open handles remain.
See also: http://article.gmane.org/gmane.network.openvpn.devel/11913
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1465871689-13533-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11919 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6aa4c9091300f62fae0bf7a9198de0edd2d8b7c7)
Steffan Karger [Wed, 8 Jun 2016 12:20:39 +0000 (14:20 +0200)]
Don't limit max incoming message size based on c2->frame
"Be conservative in what you send, be liberal in what you accept"
When receiving packets, the real limitation of how much data we can accept
is the size of our internal buffers, not the maximum size we expect
incoming packets to have.
I ran into this while working on cipher negotiation, which will need
separate bookkeeping for the required internal buffer size, and the
link/tun MTU. Basing this code on the buffer size instead of c2->frame
makes that easier. A nice side-effect of this change is that it
simplifies the code.
This should also reduce the impact of using asymmetric tun/link MTU's,
such as in trac ticket #647.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1465388443-15484-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11850 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3c1b19e04745177185decd14da82c71458442b82) Signed-off-by: Gert Doering <gert@greenie.muc.de>
Conflicts:
src/openvpn/socket.c
Selva Nair [Tue, 7 Jun 2016 04:44:20 +0000 (00:44 -0400)]
Ignore SIGUSR1/SIGHUP during exit notification
This allows exit notification to complete and finally trigger SIGTERM.
The current practice of allowing a restart in this state clears
the exit notification timer data and thus loses the SIGTERM.
Trac #687
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1465274660-11009-2-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11814 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 63b3e000c9141f4ca03a374354da26334257bc18)
It seems it was a conflict in vendor/Makefile.am's distdir target,
confusing autotools so it wouldn't actually parse that directory
properly. The result was that 'make distcheck' would fail and
tarballs created would just ship with an empty vendor/ directory.
Also remove the 'foreign' AUTOMAKE_OPTIONS flag, as we don't use
that many places at all. Things work well without this flag.
The comment had to be moved to a single line, otherwise the
white spaces between the end of the variable assignment and the
hash character got added to the variable.
[v3 - Further improve white space issues, now 'make clean'
should work too]
[v2 - Fix white space issues in path variables]
Signed-off-by: David Sommerseth <dazo@privateinternetaccess.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1464976163-6162-1-git-send-email-openvpn@sf.lists.topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11778
(cherry picked from commit 41ab12f06253cadc34fc47da865178de3db0bbdc)
David Sommerseth [Tue, 31 May 2016 10:28:46 +0000 (12:28 +0200)]
Only build and run cmocka unit tests if its submodule is initialized
Commit 40cb4cfc5d01110 added infrastructure to write unit tests using
cmocka. This was implemented using a git submodule to fetch an
up-to-date cmocka test framework.
The issue which appeared was that 'make check' stopped working if
the cmocka submodule was not initialized and updated. As we do not
want this to be a hard depenency, this patch makes running these
unit tests conditional. If cmocka has not been initialized, skip
them or if it has been initialized all unit tests will be run.
[v2 - Also check if cmake is available, as cmocka depends on that
to be built ]
Signed-off-by: David Sommerseth <dazo@privateinternetaccess.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1464703645-26640-1-git-send-email-openvpn@sf.lists.topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11758
(cherry picked from commit 45f6e7991cfa3bb8a44f981b6cf1e794d617d51e)
Jeffrey Cutter [Fri, 20 May 2016 09:25:10 +0000 (12:25 +0300)]
Update contrib/pull-resolv-conf/client.up for no DOMAIN
When no DOMAIN is received from push/pull, do not add either domain or
search to the resolv.conf. Fix typo in comment resolv.con[f]. Only add
new line when using domain or search.
Jens Neuhalfen [Wed, 25 May 2016 17:57:56 +0000 (19:57 +0200)]
Add a test for auth-pam searchandreplace
No functional changes.
Utility functions of auth-pam are split into a dedicated file. This allows
the test programs to easily test these functions without adding
dependencies.
Add a minimal test for searchandreplace as a proof of concept.
[ Modified during commit: Enhanced documentation of functions in utils.h
to comply with doxygen standards ]
Jens Neuhalfen [Wed, 25 May 2016 17:57:55 +0000 (19:57 +0200)]
Add unit testing support via cmocka
cmocka [1,2] is a testing framework for C. Adding unit test
capabilities to the openvpn repository will greatly ease the
task of writing correct code.
cmocka source code is added as git submodule in ./vendor. A
submodule approach has been chosen over a classical library
dependency because libcmocka is not available, or only
available in very old versions (e.g. on Ubuntu).
cmocka is build during 'make check' and installed in vendor/dist/.
Josh Cepek [Mon, 18 Aug 2014 10:51:01 +0000 (05:51 -0500)]
Push an IPv6 CIDR mask used by the server, not the pool's size
Correctly handle CIDR masks when pushing clients addressing from an IPv6
pool. This change ignores the incorrectly used `bits` argument to the
--ifconfig-ipv6-pool option.
The code to save any provided CIDR mask after the pool IP is left in;
this may someday become useful when we move to allow IPv6 pools without
relying on an IPv4 pool assignment.
Signed-off-by: Josh Cepek <josh.cepek@usa.net> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <53F1DA95.7020701@usa.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8990 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c4ed931a70502a351ff1089aa1bfb8001586f788)
Selva Nair [Sat, 14 May 2016 00:31:23 +0000 (20:31 -0400)]
Make error non-fatal while deleting address using netsh
During windows power events such as sleep or suspend, the TUN/TAP
I/O aborts and openvpn signals SIGHUP so as to automatically reconnect
on resume (since commit ea66a2b5cdb2..). During the SIGHUP processing
operations such as address and route deletion are expected to fail. Such
failures should be treated as non-fatal to allow for this automatic
recovery logic to work. Currently, when the address deletion is handled
by netsh, errors are treated as M_FATAL. This patch changes the error
level to M_WARN.
Resolves Trac #71 (comments 37 to 43)
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1463185884-4355-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11655 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Fri, 13 May 2016 06:54:52 +0000 (08:54 +0200)]
Fix polarssl / mbedtls builds
Commit 8a399cd3 hardened the OpenSSL default cipher list,
but also introduced a change in shared code that causes
polarssl / mbedtls builds to break when no --tls-cipher is
specified.
This fix is backported code from the master branch.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1463122492-701-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11647 Signed-off-by: Gert Doering <gert@greenie.muc.de>
James Yonan [Thu, 3 Mar 2016 07:48:12 +0000 (00:48 -0700)]
Fixed port-share bug with DoS potential
Fixed port-share bug that can cause segfault when the number
of concurrent connections is large.
The issue is that the port-share code calls openvpn_connect()
which in turn calls select(). When there are a high number
of concurrent port-share connections, the fd passed to select
can potentially exceed FD_SETSIZE, causing undefined behavior.
The fix is to use poll() (if available) instead of select().
Signed-off-by: James Yonan <james@openvpn.net> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <CAA1Abx+2E2FZN-y6P=mkKpSuZ7bOV5m6rUMTx3V7UP2qPMjZPg@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11626 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 007738e9d6030c8989713543e4f7308ff57be30f)
This fixes some formatting issues, and updates the text for the cipher list
restriction to match the restrictions of 2.3 (rather than those of master
wrt 2.3).
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1461003958-14726-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11467 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Sun, 20 Dec 2015 19:12:53 +0000 (14:12 -0500)]
Support reading the challenge-response from console
Trying to keep the footrpint small, this patch adds to the
convoluted code-flow in get_user_pass_cr(). Cleanup left for later.
-----8<-----
Currently prompting for a response to static-challenge
gets skipped when the username and passowrd are read
from a file. Further, dynamic challenge gets wrongly handled
as if its a username/password request.
The Fix:
- Add yet another flag in get_user_pass_cr() to
set when prompting of response from console is needed.
- In receive_auth_failed(), the challenge text received
from server _always_ copied to the auth_challenge
buffer: this is needed to trigger prompting from console
when required.
- Also show the challenge text instead of an opaque
"Response:" at the prompt.
While at it, also remove the special treatment of authfile ==
"management" in get_user_pass_cr(). The feature implied by that
test does not exist.
Tested:
- username and optionally password from file, rest from console
- the above with a static challenge
- the above with a dynamic challenge
- all of the above with systemd in place of console
- all from management with and without static/dynamic
challenge.
Thanks to Wayne Davison <wayne@opencoder.net> for pointing out the
issue with challenge-response, and an initial patch.
In the past years, the internet has been moving forward wrt deprecating
older and less secure ciphers. Let's follow this example in OpenVPN and
also restrict the default list of negotiable TLS ciphers in 2.3.x.
This disables the following:
* Export ciphers (these are broken on purpose...)
* Ciphers in the LOW and MEDIUM security cipher list of OpenSSL
The LOW suite will be completely removed from OpenSSL in 1.1.0,
the MEDIUM suite contains ciphers like RC4 and SEED.
* Ciphers that are not supported by OpenVPN anyway (cleans up the list)
Note that users are able to override this default, using --tls-cipher, if
they for some reason need ciphers that are now disabled by default.
v2: add Changes.rst entry.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1460917412-29741-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11455 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Make intend of the validation clear when validating utun parameter in
open_darwin_utun. The program logic remains unchanged.
Fixes the following compiler warning on Mac OS X:
tun.c:2847:19: warning: logical not is only applied to the left hand side
of this comparison [-Wlogical-not-parentheses]
if (dev_node && !strcmp ("utun", dev_node)==0)
^ ~~
tun.c:2847:19: note: add parentheses after the '!' to evaluate the
comparison first
if (dev_node && !strcmp ("utun", dev_node)==0)
^
( )
tun.c:2847:19: note: add parentheses around left hand side expression to
silence this warning
if (dev_node && !strcmp ("utun", dev_node)==0)
^
( )
tun.c:2849:11: warning: logical not is only applied to the left hand side
of this comparison [-Wlogical-not-parentheses]
if (!sscanf (dev_node, "utun%d", &utunnum)==1)
^ ~~
tun.c:2849:11: note: add parentheses after the '!' to evaluate the
comparison first
if (!sscanf (dev_node, "utun%d", &utunnum)==1)
^
( )
tun.c:2849:11: note: add parentheses around left hand side expression to
silence this warning
if (!sscanf (dev_node, "utun%d", &utunnum)==1)
^
( )
Signed-off-by: Jens Neuhalfen <jens@neuhalfen.name> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <3365AB24-33FD-4D9D-A57C-BF9240DC3D69@neuhalfen.name>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11440 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6be0f0015d7485f0bf3c14a3a381a6f6496270a5)
Steffan Karger [Sun, 27 Mar 2016 14:18:16 +0000 (16:18 +0200)]
Replace MSG_TEST() macro for static inline msg_test()
Using a static inline function instead of a macro has the advantages that
(1) 'flags' is not evaluated twice and (2) coverity will stop complaining
that 'Macro compares unsigned to 0 (NO_EFFECT)' each time we use flags
with loglevel 0 (e.g. M_FATAL or M_WARN).
This has a performance impact when compiler optimizations are fully
disabled ('-O0'), but should otherwise be as fast as using a macro.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1459088296-5046-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11368 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit bbde0a766c69f573746461415c6f5cd289272fff)
Steffan Karger [Sun, 27 Mar 2016 15:22:10 +0000 (17:22 +0200)]
Fix memory leak in argv_extract_cmd_name()
Reported by coverity (in 2009!):
1648 static char *
1649 argv_extract_cmd_name (const char *path)
1650 {
1. Condition path, taking true branch
1651 if (path)
1652 {
1653 char *path_cp = string_alloc(path, NULL); /* POSIX basename()
implementaions may modify its arguments */
1654 const char *bn = basename (path_cp);
2. Condition bn, taking true branch
1655 if (bn)
1656 {
3. alloc_fn: Storage is returned from allocation function
string_alloc. [show details]
4. var_assign: Assigning: ret = storage returned from
string_alloc(bn, NULL).
1657 char *ret = string_alloc (bn, NULL);
5. noescape: Resource ret is not freed or pointed-to in strrchr.
1658 char *dot = strrchr (ret, '.');
6. Condition dot, taking false branch
1659 if (dot)
1660 *dot = '\0';
1661 free(path_cp);
7. Condition ret[0] != 0, taking false branch
1662 if (ret[0] != '\0')
1663 return ret;
CID 27023 (#2-1 of 2): Resource leak (RESOURCE_LEAK)8.
leaked_storage: Variable ret going out of scope leaks the storage it
points to.
1664 }
1665 }
1666 return NULL;
1667 }
This function is only used by argv_printf_arglist(), and in a very specific
case, so it might be that this leak can not even occur. But coverity is
clearly right that this is a bug, so let's just fix it.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1459092130-19905-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11369 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit be16d5f6b050248f503455e4a0e8f3aaaa38bdc7)
On many platforms (not Windows, for once), FD_SET() can write outside the
given fd_set if an fd >= FD_SETSIZE is given. To make sure we don't do
that, add an ASSERT() to error out with a clear error message when this
does happen.
This patch was inspired by remarks about FD_SET() from Sebastian Krahmer
of the SuSE Security Team.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1456996968-29472-1-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11285 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e0b3fd49e2b5bba8cb57419a13cb75b56ac91b94)
ValdikSS [Fri, 15 Jan 2016 23:35:38 +0000 (02:35 +0300)]
Update --block-outside-dns to work on Windows Vista
Windows Vista doesn't support non-equal matching of application name, it
is available only since Windows 7.
This commit splits 2 filtering conditions with non-equal matching to 2
filters each with 1 filtering condition: permit IPv4 (first filter)
and IPv6 (second filter) port 53 traffic from openvpn.exe instead
of blocking all non-openvpn.exe traffic on port 53 for both protocols.
Leonardo Basilio [Wed, 10 Feb 2016 10:19:39 +0000 (11:19 +0100)]
Correctly report TCP connection timeout on windows.
On nonblocking TCP connects, we set status = ETIMEOUT on failure.
On windows, depending on which header files are included, ETIMEOUT
is defined differently, and this leads to incomprehensible error
messages - so, always use WSAETIMEDOUT here.
Trac #651
Signed-off-by: Leonardo Basilio <leobasilio@gmail.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <CACqLfMnBXwSY=MXyc7B1oMKwYE2Z_49G3mpkEPxbSAuG61tgZA@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11085 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 5f5229e41d134b659e502bb2597c711aedaf8096)
ValdikSS [Sat, 9 Jan 2016 15:53:45 +0000 (18:53 +0300)]
Clarify mssfix documentation
Acked-by: Jan Just Keijser <janjust@nikhef.nl>
Message-Id: <1452354825-5096-1-git-send-email-iam@valdikss.org.ru>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10969
Steffan Karger [Wed, 13 Jan 2016 16:09:08 +0000 (17:09 +0100)]
socks.c: fix check on get_user_pass() return value(s)
My compiler rightfully complains that the checks on creds.username and
creds.password always evaluate to true, so remove those checks.
Judging from the code, they were meant to check the returned values by
get_user_pass(). So instead of these non-functioning checks, just check
the return value of get_user_pass().
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1452701348-9577-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10993 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 982ab2364a68f2fca0cb9219b31bdabcd5aa4b49)
Steffan Karger [Thu, 7 Jan 2016 19:52:44 +0000 (20:52 +0100)]
Update manpage: OpenSSL might also need /dev/urandom inside chroot
As reported in trac ticket #646, OpenSSL might also need /dev/urandom to
be available in the chroot. This depends on OS, OS version and ssl library
configuration. Update the manpage to better explain this.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1452196364-18786-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10954 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 0609eb477bdcd7b23bd8072f69714592323cab2e)
Steffan Karger [Thu, 7 Jan 2016 13:01:30 +0000 (14:01 +0100)]
polarssl: improve logging
Add the functions polar_log_err(), polar_log_func_line() and a macro
polar_ok(), to easily log human-readable PolarSSL errors from
polarssl-specific code.
This does not provide the full logging interface as msg(), because I
would have to add a lot more of macro-magic to achieve that on the
various supported compilers and platforms, and this suffices too (for
now at least).
Use the new polar_log_err() and polar_ok() functions to provide more
log/debug output for polarssl errors.
This is commit is a combined cherry-pick of commits 6ef5df14, d17d362d, aa416be9, and 3a39bf7d from the master branch, adjusted to the
release/2.3 branch.
v2 - use static inline instead of macro for optimization, and include
'enable polarssl debug logging'.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1452171690-26822-1-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10952 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Wed, 6 Jan 2016 20:51:04 +0000 (21:51 +0100)]
openssl: improve logging
This improves OpenSSL logging and removes OpenSSL-specific error
printing code from error.c. The crypto_msg() functions provide
convenience wrappers, specific to OpenSSL. Instead of passing the
magical 'M_SSLERR' flag to msg(), a developer now just calls
crypto_msg() to get OpenSSL errors dumped to log.
This is commit is a combined cherry-pick of commits e795d6ba and 98ea2ec5 from the master branch, adjusted to the release/2.3 branch.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1452113464-28062-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10944 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Sun, 3 Jan 2016 09:47:56 +0000 (10:47 +0100)]
Fix regression in setups without a client certificate
This fixes a null-pointer dereference in tls_ctx_cert_time(), which will
occur on clients that do not use a client certificate (ie that only have
auth-user-pass in the config, but no key and cert). This bug was
introduced by commit 091edd8e on the master branch, and commit dfd940bb
on the release/2.3 branch.
This bug was found by chipitsine and reported in trac ticket #644.
While touching this function, I also made this function conform to the
openvpn coding style.
v2 - fix memory leak in builds using pre-1.0.2 openssl
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1451814476-32574-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10921 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 868d9d01802da9bbbb3a758981f3c7310a905813)
Lev Stipakov [Tue, 29 Dec 2015 20:56:01 +0000 (22:56 +0200)]
Repair IPv6 netsh calls if Win XP is detected
v2:
* Add compat-versionhelpers.h to compat/Makefile.am so that
"make dist" will include it into tarball.
* Indentation
v1:
* Use adapter name instead of index when calling netsh.exe on
WinXP - sadly XP does not support indexes
* Write Windows version to log
* Send it with peer-info as IV_PLAT_VER
Signed-off-by: Lev Stipakov <lstipakov@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1451422561-23635-1-git-send-email-lstipakov@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10903 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Phillip Smith [Tue, 22 Dec 2015 00:12:26 +0000 (11:12 +1100)]
Use bob.example.com and alice.example.com to improve clarity of documentation
This patch uses generic "bob.example.com" and "alice.example.com"
hostnames to replace the current "may" and "june" examples. Generic
names chosen rather than other names like "server"/"client" or
"head-office"/"remote-office" etc which may create other unintended
or implicit meanings to the reader.
The example.com domain is set aside defined by IANA for use as
documentation examples. Refer to: http://www.iana.org/domains/reserved
Using this well-known domain makes comprehension of documentation easier.
This patch incorporates feedback from Gert Doering and Selva Nair.
Signed-off-by: Phillip Smith <fukawi2@gmail.com> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1450743146-9050-1-git-send-email-fukawi2@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10875 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 0f7319906a9dff58226821b1686fd80f4e4e3b35)
Steffan Karger [Sun, 20 Dec 2015 21:27:48 +0000 (22:27 +0100)]
cleanup: get rid of httpdigest.c type warnings
When I compile with --enable-strict, I only want to see warnings that are
relevant. So, change httpdigest.c to make the casts explicit.
This commit should not change behaviour.
v2: as discussed on #openvpn-devel, make colon a const uint8_t *, instead
of uint8_t.
v3: as further discussed on #openvpn-devel, don't use a 'colon' var, but
just add casts.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1450646868-15346-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10871 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 0385cd4804c133d48857e4b3fbfe93a75ecc68a5)
Steffan Karger [Sat, 19 Dec 2015 11:39:29 +0000 (12:39 +0100)]
Warn user if their certificate has expired
Previously, client certificate expiry warnings would only visible in the
server log, and server certificate expiry warnings in the client log.
Both after a (failed) connection attempt. This patch adds a warning to
log when a users own certificate has expired (or is not yet valid) to ease
problem diagnosis / error reporting.
Note that this is just a warning, since on some systems (notably embedded
devices) there might be no correct time available.
The SSL_CTX_get0_certificate() function is available in OpenSSL 1.0.2+
only. Older versions seem to not have a useful alternative, and the
certificate reference we need is hidden in an opaque struct. The
remaining option would then be to add extra workaround code for the select
group of people that do use an up-to-date openvpn, but do not update their
openssl. I don't think that's worth it. So just disable the code for
older openssl versions.
(This is a combination of commits 091edd8e and 644f2cdd from the master
branch, adjusted to apply to the release/2.3 branch cleanly)
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1450525169-12961-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10855 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Sat, 19 Dec 2015 11:39:28 +0000 (12:39 +0100)]
Upgrade OpenVPN 2.3 to PolarSSL 1.3
PolarSSL 1.2 is going end-of-support by 31-12-2015, so we have to move
on. Newer versions of polarssl/mbedtls are already released (2.0-2.2),
but as previously agreed upon, we will just move release/2.3 to polar
1.3, where master has been for a while now.
This commit removes support for PolarSSL 1.2. The mimimum required
version of PolarSSL is now 1.3.8.
This commit is a combination of a number of commits related to upgrading
or fixing polarssl 1.3 support from the master branch, adjusted to apply
to the release/2.3 branch: 03df3a99 Upgrade to PolarSSL 1.3 cc1cee74 Update openvpn-plugin.h for PolarSSL 1.3. 4b9eaa1e Fix regression with password protected private keys (polarssl) d0f26fb5 polarssl: disable 1/n-1 record splitting 444a93ea polarssl: fix --client-cert-not-required 9571010a polarssl: also allocate PKCS#11 certificate object on demand 67a67e39 polarssl: don't use deprecated functions anymore 9d3b7cec polarssl: require >= 1.3.8
This commit was tested using:
* Regular private key file
* Password-protected private key file
* PKCS#11
* --management-external-key
* CRL file (with and w/o revoked cert)
* With and w/o tls-auth
* RSA and ECDSA key/certs
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1450525169-12961-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10856 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Fish [Mon, 14 Dec 2015 20:41:35 +0000 (12:41 -0800)]
Make "block-outside-dns" option platform agnostic
Make the "block-outside-dns" option agnostic of Windows versions by
dynamically loading WFP-related functions. Cross-compiled on Linux and
tested on Windows XP/10.
v2: move MinGW definitions to win32_wfp.h and add attribution.
v3: keep #ifdef WIN32 in init.c (do not break non-windows platforms).
v4: Also make MSVC happy.
Tested-by: ValdikSS <iam@valdikss.org.ru> Tested-by: Lev Stipakov <lstipakov@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1450125695-36596-1-git-send-email-fish.thss@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10795
ValdikSS [Thu, 10 Dec 2015 20:51:35 +0000 (23:51 +0300)]
Add Windows DNS Leak fix using WFP ('block-outside-dns')
This option blocks all out-of-tunnel communication on TCP/UDP port 53
(except for OpenVPN itself), preventing DNS Leaks on Windows 8.1 and 10.
The 2.3 version of this patch is only active if compiling for Vista+
(_WIN32_WINNT >= 0x0600) as XP does not have the necessary includes
and libraries.
Reviewed-by: Selva Nair <selva.nair@gmail.com> Reviewed-by: Lev Stipakov <lstipakov@gmail.com> Reviewed-by: James Yonan <james@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1449780695-3879-1-git-send-email-iam@valdikss.org.ru>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10743
Gert Doering [Wed, 9 Dec 2015 20:03:55 +0000 (21:03 +0100)]
Fix isatty() check for good.
Commit 079e5b9c13 introduced a check to see if we --daemon'ized before
trying to ask for a password (which would then fail with a non-intuitive
error), breaking querying systemd under certain conditions.
Move check from get_user_pass_cr() to get_console_input() and make it
"full featured" by not only checking isatty() for stdin/stderr but also
trying to open /dev/tty in case we still have a controlling tty - which
is what getpass() does under the hood, so if either of this works, we're
fine.
Trac #618 and #630
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <1449691435-5928-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10709
(cherry picked from commit 015fe7177181fb4944ddf33debcfcd20c62ba55a)
Arne Schwabe [Sun, 29 Nov 2015 14:55:59 +0000 (15:55 +0100)]
Remove --enable-password-save option
This options is enabled in virtually all distributions and gives no real
security benefit. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1448808959-10565-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10661
Selva Nair [Fri, 27 Nov 2015 02:20:53 +0000 (21:20 -0500)]
Unbreak read username password from management
Commit 6e9373c846.. introduced a bug by which auth-user-pass
or need-ok input falls back to read-from-stdin after successfully
reading from management or console. Fix by treating stdin as the last
option for input.
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1448590853-26862-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10630 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit cdd69bb7f1c207fb5a9648f36440d7c6e2dcaa76)
Steffan Karger [Sat, 28 Nov 2015 10:38:25 +0000 (11:38 +0100)]
Fix rand_bytes return value checking
This patch is in response to an off-list report by Sebastian Krahmer of
the SuSE security team. Sebastian noticed we do not check the return
value of rand_bytes() in prng_bytes(), which we really should.
Failing to check the return value occurs if no prng is used (i.e. in
static key mode, or when explicitly disabled using --prng none).
prng_bytes() is used for generating IVs, session IDs and filenames.
The impact of failing to check the return value seems very limited:
Not generating random file names or session IDs could cause collisions in
(temporary) file names and/or session IDs. These in turn could cause
availability issues, but would not result in a breach in confidentiality
and/or integrity.
Our CBC mode protocol uses a packet id (timestamp + packet counter in
static key mode, or just the packet counter in TLS mode) at the start of
each packet (by default, but can be disabled using --no-iv and
--no-replay). Because the timestamp and packet counter are not
controllable by an attacker, it is not clear how predictable or even
repeating IVs could be used to mount an attack. (Note that the fact that
*I* can't find or come up with an attack is not a very strong argument,
this remains somewhat worrisome.)
CFB and OFB modes are not affected, because they do not rely on the prng
for IVS.
Finally, RAND_bytes() actually failing is quite unlikely, as that would
result in all sorts of other problems we should have heard about.
Of course, we still really should fix this, so this patch adds return
value checking of rand_bytes() inside prng_bytes(). The ASSERT() might be
a bit crude, so a follow-up patch that adds a return value to prng_bytes()
and proper return value checking probably makes sense. But at least this
is a quick and simple fix for the issue at hand.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1448707105-10753-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10636 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 5a73356ae5d0bf94ec81a33c7dcda6a41651ca6c)
Steffan Karger [Sat, 28 Nov 2015 10:38:24 +0000 (11:38 +0100)]
openssl: properly check return value of RAND_bytes()
This patch is in response to an off-list report by Sebastian Krahmer of
the SuSE security team. Sebastian noticed we do not check the return
value of RAND_bytes() correctly.
The RAND_bytes() man page first says "RAND_bytes() returns 1 on success,
0 otherwise.", but then a bit later "Both functions return -1 if they are
not supported by the current RAND method.". This second case was not
covered by our return value checking.
Note that if RAND_bytes() would return -1, it would *always* return -1 and
fail to generate random.
Also note that if RAND_bytes() would return -1, it would do so too in the
openssl internal ssl funtions. The openssl internal function do check the
return value properly, and connection setup would fail all together. If
that would be at least somewhat common, we would have received a *lot* of
bug reports. In other words, the error affects static key setups only,
and seems highly unlikely to occur in actual setups.
Only builds using OpenSSL as the crypto backend are affected.
This patch:
1. Changes the behaviour of rand_bytes() in openssl builds to match what
the doxygen claims (and polarssl builds already do).
2. Adds error reporting for RAND_bytes() failures.
Note: crypto_msg() was changed to msg() for 2.3
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1448707105-10753-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10637 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 756602e7da11362f25be04743cd09f798b6f528a)
David Sommerseth [Wed, 11 Nov 2015 13:01:39 +0000 (14:01 +0100)]
Avoid partial authentication state when using --disabled in CCD configs
If an openvpn server is configured with --client-config-dir and a client
configuration file contains 'disabled', it is supposed to tell the client
it is not authorized to use the service.
This patch will ensure that the internal state in this scenario is a
complete CAS_FAILED state, and not CAS_PARTIAL if other authorization
steps passed.
Trac: #521 Tested-by: Eric Crist <ecrist@secure-computing.net> Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1447246899-22769-1-git-send-email-openvpn@sf.lists.topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10486 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6c2d790ad8f10029e95aecb0d39377ef06ea8b2a)
Steffan Karger [Mon, 23 Nov 2015 20:58:55 +0000 (21:58 +0100)]
Fix memory leak in add_option() by simplifying get_ipv6_addr
If get_ipv6_addr() would fail *after* allocating memory for ipv6_local,
add_option() would fail to free that memory.
The fix here is to remove the allocation from get_ipv6_addr(), and create
a separate function for the strip-and-allocate, such that failures are
easier to handle.
v2 - remove free(options->ifconfig_ipv6_local), since that is now handled
by a garbage collector.
Memory leak found by coverity (in 2011!).
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1448312335-25908-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10573 Signed-off-by: Gert Doering <gert@greenie.muc.de>
projects / thirdparty / openvpn.git / log
