James Yonan [Tue, 12 Apr 2011 05:14:34 +0000 (05:14 +0000)]
For Mac OSX, when DARWIN_USE_IPCONFIG is defined, retry ipconfig
command on failure once every second for up to 15 seconds. This
is necessary to work around an issue observed on OSX 10.5 where
the ipconfig command sometimes fails if executed immediately after
the tun device open.
James Yonan [Sat, 2 Apr 2011 08:21:28 +0000 (08:21 +0000)]
Fixed bug that incorrectly placed stricter TCP packet replay rules on
UDP sessions when the client daemon was running in UDP/TCP adaptive
mode, and transitioned from TCP to UDP.
The bug would cause a single dropped packet in UDP mode to trigger a
barrage of packet replay errors followed by a disconnect and
reconnect.
James Yonan [Sun, 27 Mar 2011 09:20:13 +0000 (09:20 +0000)]
Added ./configure --enable-osxipconfig option for Mac OS X which will
enable the use of ipconfig (instead of ifconfig) for configuring the
IP address and netmask of the tun/tap adapter.
James Yonan [Sat, 26 Mar 2011 21:16:40 +0000 (21:16 +0000)]
Added "auth-token" client directive, which is intended to be
pushed by server, and that is used to offer a temporary session
token to clients that can be used in place of a password on
subsequent credential challenges.
This accomplishes the security benefit of preventing caching
of the real password while offering most of the advantages
of password caching, i.e. not forcing the user to re-enter
credentials for every TLS renegotiation or network hiccup.
auth-token does two things:
1. if password caching is enabled, the token replaces the
previous password, and
2. if the management interface is active, the token is output
to it:
>PASSWORD:Auth-Token:<token>
Also made a minor change to HALT/RESTART processing when password
caching is enabled. When client receives a HALT or RESTART message,
and if the message text contains a flags block (i.e. [FFF]:message),
if flag 'P' (preserve auth) is present in flags, don't purge the Auth
password. Otherwise do purge the Auth password.
James Yonan [Fri, 18 Mar 2011 04:51:59 +0000 (04:51 +0000)]
Fixed issue where a client might receive multiple push replies from
a server if it sent multiple push requests due to the server being
slow to respond. This could cause the client to process pushed
options twice, leading to duplicate pushed routes, among other issues.
The fix, implemented server-side, is to reply only once to a push
request even if multiple requests are received.
James Yonan [Thu, 10 Mar 2011 00:04:39 +0000 (00:04 +0000)]
Added --enable-lzo-stub configure option to build an OpenVPN client without LZO, but that has limited interoperability with LZO-enabled servers.
Modified "push-peer-info" option to push IV_LZO_STUB=1 to server when
client was built with --enable-lzo-stub configure option. This tells
the server that the client lacks LZO capabilities, so the server
should turn off LZO compression for this client via "lzo no".
Added "setenv PUSH_PEER_INFO" option having the same effect as
"push-peer-info".
James Yonan [Mon, 14 Feb 2011 03:46:37 +0000 (03:46 +0000)]
Implemented get_default_gateway_mac_addr for Mac OS X (previously,
was only defined for Windows and Linux). This enables OS X to report
the MAC address of the default gateway to the server for ID purposes
when client-side --push-peer-info option is specified.
Also, minor fix to OS X get_default_gateway function:
* include net/route.h directly rather than selectively paste stuff
from it into route.c
James Yonan [Thu, 9 Dec 2010 11:21:04 +0000 (11:21 +0000)]
Added "management-external-key" option. This option can be used
instead of "key" in client mode, and allows the client to run
without the need to load the actual private key. When the SSL
protocol needs to perform an RSA sign operation, the data to
be signed will be sent to the management interface via a
notification as follows:
>RSA_SIGN:[BASE64_DATA]
The management interface client should then sign BASE64_DATA
using the private key and return the signature as follows:
rsa-sig
[BASE64_SIG_LINE]
.
.
.
END
This capability is intended to allow the use of arbitrary
cryptographic service providers with OpenVPN via the
management interface.
James Yonan [Sun, 24 Oct 2010 09:12:47 +0000 (09:12 +0000)]
Implement challenge/response authentication support in client mode,
where credentials are entered from stdin. This capability is
compiled when ENABLE_CLIENT_CR is defined in syshead.h (enabled
by default).
Challenge/response support was previously implemented for creds
that are queried via the management interface. In this case,
the challenge message will be returned as a custom
client-reason-text string (see management-notes.txt for more
info) on auth failure.
Also, see the comments in misc.c above get_auth_challenge()
for info on the OpenVPN challenge/response protocol.
James Yonan [Fri, 20 Aug 2010 20:24:42 +0000 (20:24 +0000)]
Attempt to fix issue where domake-win build system was not properly
signing drivers and .exe files.
Added win/tap_span.py for building multiple versions of the TAP driver
and tapinstall binaries using different DDK versions to span from Win2K
to Win7 and beyond.
James Yonan [Sun, 15 Aug 2010 21:53:00 +0000 (21:53 +0000)]
Windows security issue:
Fixed potential local privilege escalation vulnerability in
Windows service. The Windows service did not properly quote the
executable filename passed to CreateService. A local attacker
with write access to the root directory C:\ could create an
executable that would be run with the same privilege level as
the OpenVPN Windows service. However, since non-Administrative
users normally lack write permission on C:\, this vulnerability
is generally not exploitable except on older versions of Windows
(such as Win2K) where the default permissions on C:\ would allow
any user to create files there.
Credit: Scott Laurie, MWR InfoSecurity
James Yonan [Tue, 27 Jul 2010 07:10:01 +0000 (07:10 +0000)]
Fixed an issue where application payload transmissions on the
TLS control channel (such as AUTH_FAILED) that occur during
or immediately after a TLS renegotiation might be dropped.
James Yonan [Sat, 10 Jul 2010 03:04:27 +0000 (03:04 +0000)]
Fixed bug in proxy fallback capability where openvpn.exe could
core dump if http-proxy-fallback-disable command was issued in
response to ">PROXY:NEED_NOW management" interface notification.
James Yonan [Thu, 10 Jun 2010 03:17:21 +0000 (03:17 +0000)]
Fixed issue where bad creds provided by the management interface
for HTTP Proxy Basic Authentication would go into an infinite
retry-fail loop instead of requerying the management interface for
new creds.
James Yonan [Mon, 24 May 2010 22:51:16 +0000 (22:51 +0000)]
Implemented http-proxy-override and http-proxy-fallback directives to make it
easier for OpenVPN client UIs to start a pre-existing client config file with
proxy options, or to adaptively fall back to a proxy connection if a direct
connection fails.
James Yonan [Sat, 6 Mar 2010 15:38:23 +0000 (15:38 +0000)]
Fixed an issue where if reneg-sec was set to 0 on the client,
so that the server-side value would take precedence,
the auth_deferred_expire_window function would incorrectly
return a window period of 0 seconds. In this case, the
correct window period should be the handshake window
period.
James Yonan [Fri, 26 Feb 2010 10:26:45 +0000 (10:26 +0000)]
Fixed an issue in the Management Interface that could cause
a process hang with 100% CPU utilization in --management-client
mode if the management interface client disconnected at the
point where credentials are queried.
james [Tue, 12 Jan 2010 18:26:22 +0000 (18:26 +0000)]
When aborting in a non-graceful way, try to execute do_close_tun in
init.c prior to daemon exit to ensure that the tun/tap interface is
closed and any added routes are deleted.
james [Fri, 11 Dec 2009 23:44:34 +0000 (23:44 +0000)]
Fixed some breakage in openvpn.spec (which is required to build an
RPM distribution) where it was referencing a non-existent
subdirectory in the tarball, causing it to fail (patch from
David Sommerseth).
james [Thu, 10 Dec 2009 23:50:03 +0000 (23:50 +0000)]
Fixed a couple issues in sample plugins auth-pam.c and down-root.c:
1. Fail gracefully rather than segfault if calloc returns NULL.
2. The openvpn_plugin_abort_v1 function can potentially be called
with handle == NULL. Add code to detect this case, and if
so, avoid dereferencing pointers derived from handle.
(Thanks to David Sommerseth for finding this bug).
james [Thu, 19 Nov 2009 16:42:51 +0000 (16:42 +0000)]
Fixed a client-side bug that occurred when the "dhcp-pre-release"
or "dhcp-renew" options were combined with "route-gateway dhcp".
The problem is that the IP Helper functions for DHCP release and
renew are blocking, and so calling them from a single-threaded
client stops tunnel traffic forwarding, and hence breaks
"route-gateway dhcp" which requires an active tunnel. The fix is
to call the IP Helper functions for DHCP release and renew from
another process.
james [Fri, 16 Oct 2009 16:31:01 +0000 (16:31 +0000)]
Added "setenv GENERIC_CONFIG" directive, for generic configs
that cannot directly be used as a config file. The directive
will simply cause OpenVPN to exit with an error if a generic
config file is used.
james [Thu, 1 Oct 2009 21:08:40 +0000 (21:08 +0000)]
client-kill management interface command, when issued on server, will
now send a RESTART message to client.
This feature is intended to make UDP clients respond the same as TCP
clients in the case where the server issues a RESTART message in
order to force the client to reconnect and pull a new options/route
list.
james [Tue, 29 Sep 2009 23:10:14 +0000 (23:10 +0000)]
Added the ability for the server to provide a custom reason string
when an AUTH_FAILED message is returned to the client. This
string can be set by the server-side managment interface and read
by the client-side management interface.
For more info, see management/management-notes.txt, and look for
references to "client-reason-text".
james [Mon, 28 Sep 2009 07:50:30 +0000 (07:50 +0000)]
Fixed a bug introduced in r4436 (2.1_rc17) where using the
redirect-gateway option by itself, without any extra parameters,
would cause the option to be ignored.
james [Mon, 28 Sep 2009 07:27:22 +0000 (07:27 +0000)]
Added --server-poll-timeout option : when polling possible remote
servers to connect to in a round-robin fashion, spend no more than
n seconds waiting for a response before trying the next server.
james [Sun, 27 Sep 2009 02:12:15 +0000 (02:12 +0000)]
Eliminated the limitation on the number of options that can be pushed
to clients, including routes. Previously, all pushed options needed
to fit within a 1024 byte options string.
Remember that to make use of this feature to allow many routes to
be pushed to clients, the client config file must specify the
max-routes option, and the number of pushed routes cannot exceed
this limit. Also, both server and client must include this commit.
james [Thu, 17 Sep 2009 23:43:37 +0000 (23:43 +0000)]
The maximum number of "route" directives (specified in the config
file or pulled from a server) can now be configured via the new
"max-routes" directive.
Previously, the limit was set to 100 and fixed by a compile-time
constant. Now the limit is dynamic and can be modified by the
"max-routes" directive. If max-routes is not specified, the default
limit is 100.
Note that this change does not address the maximum size of the
pushed options string sent from server to client, which is still
controlled by the TLS_CHANNEL_BUF_SIZE compile-time constant.
james [Wed, 16 Sep 2009 18:58:49 +0000 (18:58 +0000)]
Modified client to send a PUSH_REQUEST message to server 1 second
after connection initiation rather than 0 seconds after.
Successive PUSH_REQUEST messages after the first will continue to be
sent at 5 second intervals until a response is received. This tends
to speed up the client connection sequence by 4 seconds because the
first PUSH_REQUEST message is usually sent too soon and is dropped,
causing a wait of 5 seconds until the next PUSH_REQUEST message is
sent.
projects / thirdparty / openvpn.git / log
