Gert Doering [Sun, 26 Apr 2015 18:03:58 +0000 (20:03 +0200)]
Fix FreeBSD ifconfig for topology subnet tunnels.
For "topology subnet", we only pretend to have a subnet and keep
using the tun if in point-to-point mode - but for that to fully
work, the "remote" address needs to be different from the "local"
address. So just arbitrarily construct one from the on-link
subnet - base+1, if "that is not us", base+2, otherwise.
Fix trac #481
See also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194745
Signed-off-by: Gert Doering <gert@greenie.muc.de> Tested-By: Anton Sayetsky <vsasjason@gmail.com> Lazy-ACK-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1430071438-31675-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9606
(cherry picked from commit 60fd44e501f2002459a49c6c9bc64370ea26ca87)
Gert Doering [Sun, 31 May 2015 13:59:09 +0000 (15:59 +0200)]
Move res_init() call to inner openvpn_getaddrinfo() loop
A non-working nameserver in /etc/resolv.conf could lead to endless
loops inside openvpn_getaddrinfo(), because many systems will only
pick up changes to resolv.conf if res_init() is called again.
To reproduce, run openvpn with --resolv-retry infinite (2.3) or
--resolv-retry "a high number" (master) on a BSD system. Linux
glibc seems to stat() resolv.conf on calls to getaddrinfo() and
pick up changes automatically.
Trac #523
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1433080749-6892-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9763
(cherry picked from commit 288a819af7d3a6fab9e0b69ae8dbaac74b36307b)
Guy Yur [Mon, 1 Jun 2015 19:51:13 +0000 (21:51 +0200)]
Fix --redirect-private in --dev tap mode.
When specifying redirect-private option and not specifying route-gateway
or ifconfig options, OpenVPN fails to add the route to the remote host
with the following message:
NOTE: unable to redirect default gateway -- VPN gateway parameter
(--route-gateway or --ifconfig) is missing
In redirect_default_route_to_vpn() the check for remote endpoint happens
even though it is not used by redirect-private - make check conditional
on RG_REROUTE_GW (= --redirect-gateway).
Trac #261
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20150531120327.GE382@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9761 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 1e2b229e5140b784820906feb8446e47c1ecc62e)
Gert Doering [Mon, 1 Jun 2015 19:04:47 +0000 (21:04 +0200)]
Use configure.ac hack to apply serial_test AM option only if supported.
Inspired by libguestfs' configure.ac hack - test automake version,
and if 1.12 or newer, use m4 magic to pass "serial_tests" option
to AM_INIT_AUTOMAKE().
Gert Doering [Sun, 31 May 2015 20:41:58 +0000 (22:41 +0200)]
On signal reception, return EAI_SYSTEM from openvpn_getaddrinfo().
A signal (except SIGUSR1) received while waiting for getaddrinfo() is
considered fatal, so openvpn_getaddrinfo() is destroying the returned
information with freeaddrinfo(), but still signalled "success" (0)
to the caller - so if the caller accessed *res before checking
*signal_received, it would access just-free()ed memory, which on some
platforms still worked and on others caused a crash.
Also, ensure that *ai is also NULLed in the caller now.
Trac #276
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1433104918-9523-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9764
(cherry picked from commit 5f6c01ea6172ed1d8ed04e31f9f6c3f8e4696109)
Gert Doering [Thu, 28 May 2015 09:11:47 +0000 (11:11 +0200)]
Revert "Enforce "serial-tests" behaviour for tests/Makefile"
This reverts commit c196ea922755bb25f9837080d562ef4d3495999f,
because it breaks "autoreconf -vif" on autoconf versions older
than 1.12 - like, CentOS 6, Debian 7, ...
Gert Doering [Wed, 27 May 2015 18:31:38 +0000 (20:31 +0200)]
Enforce "serial-tests" behaviour for tests/Makefile
Our "make check" testsuite creates quite a bit of output which is
intended to help pinpointing the exact reason for failure - hidden by
default by automake 1.12 and up, which default to "parallel-tests" which
has no benefit for us. So, just set the automake option to revert to
the old behaviour.
See also: https://www.gnu.org/software/automake/manual/html_node/Serial-Test-Harness.html
Trac #427
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Message-ID: <20150524193011.GK382@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9738 Acked-by: David Sommerseth <openvpn.list@topphemmelig.net>
(cherry picked from commit fc03ca9d13e35c40bdf1c3c676db2adf48c60223)
But keep the chdir to / at the place where deamon() was before, to preserve
the current behaviour wrt relative paths in the config.
This should fix the issue reported in trac #480, without changing the
behaviour visible to the end user.
Note that by moving the daemon() call to an earlier stage of the init
process, we no longer have to call platform_mlockall() again, or do a
pkcs11_forkFixup().
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1430144937-4149-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9609 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit da9b292733e929a2900dc32d37f0424c3d588366)
Gert Doering [Sun, 24 May 2015 13:02:34 +0000 (15:02 +0200)]
Disallow usage of --server-poll-timeout in --secret key mode.
The internal machinery wants TLS for this to work, so just add this
to the (long) list of options not allowed unless either --tls-client
or --tls-server is active. For added sanity, add an ASSERT() call
to the place where this combination caused a NULL ptr reference, and
document the restriction.
Fix trac #373
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1432472554-24666-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9736
(cherry picked from commit 6478c1f359e6b0ea2046d9e2801830753e53c06a)
Steffan Karger [Sun, 24 May 2015 09:45:40 +0000 (11:45 +0200)]
Clarify --capath option in manpage
Prevent confusion as described in trac #422 by better explaining the
behaviour of --capath, and providing pointers to relevant openssl man
pages.
Attached are patches for the master and release/2.3 branches. The only
difference is that in the master patch, a line referencing the
requirement for OpenSSL 0.9.7 is removed, since master already requires
OpenSSL >= 0.9.8.
Gert Doering [Mon, 27 Apr 2015 19:27:21 +0000 (21:27 +0200)]
assume res_init() is always there.
Previously, the code tried to find res_init(), and on some systems
got it wrong in configure, silently not-using res_init(), leading
to unexpected failures to re-init the resolver.
We know that all supported OSes (except Windows) have res_init(), so
change the call to "#ifndef WIN32", and adjust configure.ac to just
find the library to link (if any). With that, failures to find
res_init() are no longer "hidden" but clearly visible at link time.
AC_SEARCH_LIBS() bits inspired by CUPS' cups_network.m4 (GPLv2)
Fix (part of) trac #523
Signed-off-by: Gert Doering <gert@greenie.muc.de> Lazy-ACK-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1430162841-5840-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9614
(cherry picked from commit 403dc434d245e5df5ae262935aa2e7364547e260)
Steffan Karger [Sat, 23 May 2015 13:02:25 +0000 (15:02 +0200)]
Re-read auth-user-pass file on (re)connect if required
Fixes trac #225 ('--auth-user-pass FILE' and '--auth-nocache' problem).
This patch is based on the changes suggested by ye_olde_iron in the trac
ticket. Also added a note to the manpage to inform people to use
absolute paths when combining --auth-user-pass file and --auth-nocache.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1432386145-15045-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9717 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ac1cb5bfbb9e09e79fd737bc57999d968d77c5ad)
"make check" self-test was broken after commit db950be85d37 due to
do_ifconfig_setenv() not checking whether tt->did_ifconfig_setup
was set (which isn't, for "dev null" type setups)
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <1432404098-29401-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9718 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 970c4bd2e473f625699bd56db44c1970a9e10ed9)
Felix Janda [Sat, 16 May 2015 13:59:50 +0000 (15:59 +0200)]
Use OPENVPN_ETH_P_* so that <netinet/if_ether.h> is unecessary
Fixes compilation error on linux with musl libc because of
conflicting ethhdr declarations in <netinet/if_ether.h> and
<linux/if_ether.h> which is included from <linux/if_tun.h>
Signed-off-by: Felix Janda <felix.janda@posteo.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20150516134604.GA2302@euler>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9690 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ddb1f20a9ddbb94956c9f7b1115c89543d9b411a)
Steffan Karger [Tue, 5 May 2015 15:47:37 +0000 (17:47 +0200)]
Improve --tls-cipher and --show-tls man page description
As reported in trac tickets #304, #358 and #359 (and possibly more), the
usage and interpretation of --tls-cipher (and --show-tls) is tricky. This
patch extends the man page to explain those a bit better and point out
that --tls-cipher is an expert feature (i.e. easy to get wrong). Also add
a notice to the --show-tls output, referring to the man page explanation.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1430840857-6123-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9651 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 5f66f907cfc57b89110c08e50c7aab228e090911)
Samuli Seppänen [Tue, 5 May 2015 13:29:49 +0000 (16:29 +0300)]
Properly escape dashes on the man-page
On UTF-8 systems groff interprets unescaped dashes as hyphens and
escaped dashes as minus signs. Unescaped dashes can cause problems
when searching for or copying and pasting options. This patch ensures
that dashes in command-line options are escaped and that everything
else is left unescaped.
Trac: 512
URL: http://thread.gmane.org/gmane.network.openvpn.devel/9569 Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1430832589-9150-1-git-send-email-samuli@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9648 Signed-off-by: Gert Doering <gert@greenie.muc.de>
As described in trac #484, the current inline file size limit of 10000
bytes is becoming an issue for some users. Since RSA keys and signature
sizes are increasing, we need to adjust our limits. As #484 reports,
10000 can be too small for PKCS#12 files with 4K RSA keys. Instead of
postponing this issue by increasing the static limit, dynamically increase
the buffer size while reading. This keeps the memory usage limited but does
allow for larger inlined files.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1430122342-11742-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9607 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e473b7c4ce41a450645e0f89579bc25b4a7f7d49)
Gert Doering [Tue, 28 Apr 2015 10:20:19 +0000 (12:20 +0200)]
explain effect of --topology subnet on --ifconfig
The fact that the second parameter of --ifconfig is no longer
a "remote address" but a "netmask" when using --dev tun and
--topology subnet was not documented clearly enough.
Trac #370
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1430216419-11943-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9616
(cherry picked from commit 3a840739e43acc5ea15814be08debb9dbb7ba67c)
Gert Doering [Tue, 28 Apr 2015 11:04:23 +0000 (13:04 +0200)]
Print helpful error message on --mktun/--rmtun if not available.
OpenVPN only supports --mktun/--rmtun to create/destroy persistant
tunnels on Linux. On BSD OSes, "ifconfig tun0 create" can do the
same job, so we do not actually need to support it - but the previous
error message ("unknown option") wasn't helpful. So always accept
the option now, and on non-supported systems, direct user to manpage.
Trac #85
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Message-Id: <1430219063-12291-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9617
(cherry picked from commit 4ad2b65d9deb3197d847d7dcc36715aa5394836f)
Steffan Karger [Tue, 10 Mar 2015 19:26:45 +0000 (20:26 +0100)]
Re-enable TLS version negotiation by default
Re-enable TLS version negotiation by default, so that users
benefit from the stronger and better crypto of TLSv1.1 and
TLSv1.2, without having to add 'tls-version-min' to their
config files.
We tried this before in 2.3.3, but got various reports of people
no longer being able to connect. Back then, we did not have a
way for users to control the TLS version. We now have
--tls-version-min and --tls-version-max, and even automatically
set --tls-version-max to 1.1 if --cryptoapi is used, because
the cryptoapi code is incompatible with TLS 1.2.
To make sure users can fall back to the _exact_ old default
behaviour, not only limit the TLS version to 1.0 if
--tls-version-max 1.0 is set, but also keep using the API calls
TLSv1_{client,server}_method(), instead of the ones that support
negotiation (SSLv23_{client,server}_method()). (Yes, the naming
is awkward, but 'SSLv23' really means 'enable negotiation' in
OpenSSL-API language.
Steffan Karger [Thu, 26 Mar 2015 00:01:29 +0000 (01:01 +0100)]
Remove unneeded parameter 'first_time' from possibly_become_daemon()
The static helper function possibly_become_daemon() is called only once,
by do_init_first_time(), which checks 'first_time' to be true before
calling possibly_become_daemon(). This makes the parameter useless.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1427328089-886-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9555 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 857c04ef06cd13d59c5b45332f07996e71372576)
Lev Stipakov [Thu, 5 Mar 2015 20:33:56 +0000 (22:33 +0200)]
Fix mssfix default value in connection_list context
Due to this bug, mssfix hasn't been assigned to fragment value
and used default value (1450) instead. As a consequence, TCP packets
get fragmented, which causes performance penalty.
This fix assigns mssfix value to fragment value for connection_entry
inside connection_list instead of connection_entry inside options struct
(which does not work for connection_list case).
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1425587636-23338-1-git-send-email-lstipakov@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9507
Steffan Karger [Thu, 5 Mar 2015 21:37:31 +0000 (22:37 +0100)]
Allow for CN/username of 64 characters (fixes off-by-one)
This is an alternative patch to fix the issue reported in trac #515 by
Jorge Peixoto. Instead of increasing the TLS_USERNAME_LEN define, do +1 at
the relevant places in the code.
Also see Jorge's original patch and the discussion on the maillinglist:
http://thread.gmane.org/gmane.network.openvpn.devel/9438
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <54F8CC9B.9040104@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9508 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ecd934b1ef83eec58eb2df5d3a98309ca56d5812)
Gert Doering [Sun, 8 Feb 2015 10:18:45 +0000 (11:18 +0100)]
New approach to handle peer-id related changes to link-mtu (2.3 version)
Instead of statically increasing link-mtu by +3, keep the old value for
OCC compatibility with old servers/clients, and only increase link-mtu
if peer-id option is enabled (right now: is pushed by server).
If link-mtu has been set in the config, keep configured value, and log
warning (because the extra overhead has to decrease tun-mtu).
Reserve extra +3 bytes in frame->extra_link.
v2: use frame->extra_link, not frame->extra_buffer (receive path on server)
introduce frame_add_to_link_mtu() to manipulate frame->link_mtu value
rework comments to make more clear what is happening
Adaption to 2.3: reserve +8 bytes in frame->extra_buffer - if compression
is not enabled, the 2.3 code does not reserve space for compression
overhead (2.4 code does), so the buffer ends up being too small.
+3 is not sufficient because the buffer handling code also does some
alignment tricks...
CBC mode is the only mode that OpenVPN supports that needs padding. So,
only include the worst case padding size in the frame size calculation when
using CBC mode.
While doing so, rewrite crypto_adjust_frame_parameters() to be better
readable, and provide debug output (for high debug levels).
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1406667144-17674-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8952 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 669f898b8fcaf7a8d43825fa0255c2791cc0ef89)
Steffan Karger [Sun, 15 Feb 2015 14:24:26 +0000 (15:24 +0100)]
Disable SSL compression
As reported in trac #502, SSL compression can cause problems in some corner
cases. OpenVPN does not need SSL compression, since the control channel is
low bandwidth. This does not influence the data channel compressen (i.e.
--comp or --comp-lzo).
Even though this has not yet been relevant for OpenVPN (since an attacker
can not easily control contents of control channel messages), SSL
compression has been used in the CRIME and BREACH attacks on TLS. TLS 1.3
will probably even remove support for compression all together, for
exactly this reason.
Since we don't need it, and SSL compression causes issues, let's just
disable it in OpenSSL builds. PolarSSL has no run-time flag to disable
compression, but is by default compiled without compression.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1424010266-5910-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9453 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 5d5233778868ddd568140c394adfcfc8e3453245)
Default gateway can't be determined on illumos/Solaris platforms
The logic which is used on BSD is preserved. The only distinction
is that illumos doesn't provide sa_len field in sockaddr structures. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1413315802-62359-4-git-send-email-alp@rsu.ru>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9128
Steffan Karger [Sun, 28 Dec 2014 10:25:13 +0000 (11:25 +0100)]
Set tls-version-max to 1.1 if cryptoapicert is used
OpenVPN's current cryptoapicert implementation does not support TLS 1.2
(and newer). Fixing this requires a rewrite of our cryptoapi code to use
Microsofts' "Cryptography API: Next Generation", and several hacks to work
around that API. As long as we don't fix that, make openvpn automatically
cap the TLS version to 1.1 when using cryptoapi (and tell the user we're
doing so). This enables the user to use cryptoapi + TLS version
negotiation (upto TLS 1.1) without having to change his configuration.
This patch has been tested on Windows 8.1 for both the master and
release/2.3 branches.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1419762313-31233-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9361 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 04dcb96cc1f525afee3f830248ecaa22d1b4a4c2)
David Woodhouse [Thu, 11 Dec 2014 13:03:35 +0000 (13:03 +0000)]
pkcs11: Load p11-kit-proxy.so module by default
If the user specifies --pkcs11-id or --pkcs-id-management but neglects
to explicitly provide a --pkcs11-provider argument, and if the system
has p11-kit installed, then load the p11-kit proxy module so that the
system-configured tokens are available.
Trac: 490 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1418303015.31745.78.camel@infradead.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9342 Signed-off-by: Gert Doering <gert@greenie.muc.de>
The coding style was somewhat chaotic. Cleaning it up using the astyle
tool. The style parameters are coherent to what was agreed upon at the
Munich Hackathon 2014 [1].
astyle --style=allman --indent=spaces=4 -c
Also included a "Local variables" section which some editors may pick
up automatically.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1418078751-3614-1-git-send-email-openvpn.list@topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9331 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e2e9a69c1ecc7142cc17d665076795215b6a8e9a)
sockets: Remove the limitation of --tcp-nodelay to be server-only
The assert(0) happening if trying to use --tcp-nodelay in a client
config is really not helpful at all. When this assert(0) was removed,
another warning appeared that this could only be used in server
configs. That itself is also quite silly, as clients can choose to
use --socket-flags TCP_NODELAY in the client config instead. This
behaviour does not help the user in any way.
This patch removes the server-only restriction and rather provides
a more helpful warning when using --tcp-nodelay on the client side.
Trac: 489 Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: 1418118764-17846-1-git-send-email-openvpn.list@topphemmelig.net
URL: http://article.gmane.org/gmane.network.openvpn.devel/9334
(cherry picked from commit 706283d3765d1ee62dbd913fbfc191855b92528d)
Steffan Karger [Sun, 7 Dec 2014 18:48:15 +0000 (19:48 +0100)]
Update doxygen (a bit)
This is not a full update, but just updates some data channel-related docs
I came across. Other pages probably need a bit of attention too.
Stuff that was changed:
* Explain data channel crypto format in crypto.h
* Add P_DATA_V1 and P_DATA_V2 packet format spec
* Remove '2.1' from title
* Update some OpenSSL-specific text
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1417978095-19427-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9318 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b08c25dbaeffbdd80acc143a931a276163c851a3)
David Sommerseth [Sun, 16 Nov 2014 14:31:02 +0000 (15:31 +0100)]
down-root plugin: Replaced system() calls with execve()
The system() call is prone to shell expansions and provides far more
environments variables to the executable run than what is usually
preferred. By moving over to exevce() shell expansions are far more
difficult to achieve and only the OpenVPN provided environment
variables are available.
This is a response to the patch submitted to openvpn-devel ML:
http://article.gmane.org/gmane.network.openvpn.devel/7919
v2 - Pulling it up again, fixing a few whitespace and spelling issues
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1416148262-20978-1-git-send-email-openvpn.list@topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9238 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f87b1beccb817e1633bc95bd5dd19deec35c7edc)
Steffan Karger [Tue, 2 Dec 2014 20:42:00 +0000 (21:42 +0100)]
Really fix '--cipher none' regression
... by not incorrectly hinting to the compiler the function argument of
cipher_kt_mode_{cbc,ofb_cfb}() is nonnull, since that no longer is the
case.
Verified the fix on Debian Wheezy, one of the platforms the reporter in
trac #473 mentions with a compiler that would optimize out the required
checks.
Also add a testcase for --cipher none to t_lpback, to prevent further
regressions.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1417552920-31770-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9300 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 98156e90e1e83133a6a6a020db8e7333ada6156b)
David Sommerseth [Mon, 24 Nov 2014 18:09:38 +0000 (19:09 +0100)]
autotools: Fix wrong ./configure help screen default values
enable_crypto_ofb_cfb is "yes" by default, so the --help screen
should show --disable-ofb-cfb and not --enable-ofb-cfb.
enable_small and enable_password_save are both "no" by default, so
the --help screen should state "default: no". Now it says "yes" as
default, but is really disabled in the reality.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1416852578-7581-1-git-send-email-openvpn.list@topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9278 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 104360b4f40a4ba29987d9478aed70450fec75a2)
Steffan Karger [Thu, 20 Nov 2014 12:43:05 +0000 (13:43 +0100)]
Drop too-short control channel packets instead of asserting out.
This fixes a denial-of-service vulnerability where an authenticated client
could stop the server by triggering a server-side ASSERT().
OpenVPN would previously ASSERT() that control channel packets have a
payload of at least 4 bytes. An authenticated client could trigger this
assert by sending a too-short control channel packet to the server.
Thanks to Dragana Damjanovic for reporting the issue.
Gert Doering [Sun, 23 Nov 2014 19:17:30 +0000 (20:17 +0100)]
Add client-only support for peer-id.
This is a reduced version of the peer-id patch from Lev Stipakov
implementing only the client side bits - send IV_PROTO=2, accept
"peer-id <n>" as pushed option, support P_DATA_V2 packets.
v2: remove addition of "struct tls_multi;" to options.h, not needed
David Sommerseth [Thu, 13 Nov 2014 14:43:37 +0000 (15:43 +0100)]
systemd: Reworked the systemd unit file to handle server and client configs better
Systemd can delay starting a service if the network isn't fully available
yet. This feature is useful in client configurations, where OpenVPN will
not be started before the client can reach the Internet. It is the network
service manager which tells systemd if the system is "online" or not.
For server configurations, the OpenVPN should be able to be started,
regardless if the system is "online" or not. This is also the old
behaviour of most of the old init.d script and the last systemd unit file.
This patch splits the previous systemd unit file into to two files. One
which is aimed at clients (openvpn-client@.service) and one for server
configurations (openvpn-server@.service). These files will also pick
the configurations from different sub-directories. The unit file for
openvpn-client@ will use /etc/openvpn/client and the server unit file
will use /etc/openvpn/server. This also ensures that config files
are not started in the wrong manner.
The arguments given to the openvpn binary have also shifted order,
to ensure that some of them cannot be overridden by the config file,
such as --daemon and --writepid. For server configurations a
--status file is also added with the status format set to 2. This
can be overridden by the configuration file.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1415889817-28049-1-git-send-email-openvpn.list@topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9222 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3341a98c2852d1d0c1eafdc70a3bdb218ec29049)
Steffan Karger [Wed, 22 Oct 2014 22:14:29 +0000 (00:14 +0200)]
Modernize sample keys and sample configs
I kept most of the certificate properties equal to the old
certs, since some people's test scripts might rely on them (and
it does not require any creativity from my part).
Changes:
* Add script to generate fresh test/sample keys
(but keep sample keys in git for simple testing)
* Switch from 1024 to 4096 bits RSA CA
* Switch from 1024 to 2048 bits client/server RSA keys
* Switch from 1024 to 2048 bits Diffie-Hellman parameters
* Generate EC client and server cert, but sign with RSA CA
(lets us test EC <-> RSA interoperability)
* Remove 3DES cipher from 'sample' config
* Add 'remote-cert-tls server' to client config
* Update config files to deprecate nsCertType in favour of the
keyUsage and extendedKeyUsage extensions.
* Make naming more consistent
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <54721611.4020103@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9271 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Because using TLS 1.2 breaks certain setups, a user might want to enforce
a maximum TLS version to use. This patch adds that option.
This patch removes a number of #ifdefs from ssl_polarssl.c, because the
polarssl versions we currently support (polar 1.2 for openvpn 2.3, and
polar 1.3 for openvpn-master) have all versions unconditionally enabled.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <544EC052.3080809@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9210 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Sat, 8 Nov 2014 10:15:08 +0000 (11:15 +0100)]
Fix assertion error when using --cipher none
Some commits ago, the cipher mode checks were cleaned up to
remove code duplication (and fix the issue in #471), but broke
'--cipher none' (reported in #473). This commit fixes that.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <545DED2C.5070002@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9217 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 4e93e6dc88f4d904a4f2eb90140472a8d8fd68d0)
Steffan Karger [Sat, 25 Oct 2014 09:47:49 +0000 (11:47 +0200)]
ssl_polarssl.c: fix includes and make casts explicit
The master branch already has a commit doing almost the same
(9048d50), but since the API for polarssl 1.2 is different, this
could not be cherry-picked back to the 2.3 branch.
This commit:
* adds a number of missing #includes.
* makes a number of implicit casts explicit, to silence gcc
-Wall and clang warnings that hide real problems.
* changes the type of sha256_hash[] to match what polarssl expects.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1414230469-2670-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9194 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Fix regression with password protected private keys (polarssl)
Between versions 1.2.7 and 1.2.8, polarssl changed the errors
returned by the X509 parsing functions, which broke the OpenVPN
implementation for password protected private keys in polarssl
builds. This patch fixes that by checking for the new errors in
OpenVPN.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <5432E951.6020405@fox-it.com> Signed-off-by: Gert Doering <gert@greenie.muc.de>
TDivine [Wed, 22 Oct 2014 07:07:39 +0000 (10:07 +0300)]
Fix "code=995" bug with windows NDIS6 tap driver.
Modification to address bug where OpenVPN enters state where it is
unresponsive and cannot be terminated. Log output is continuous spew
of "code=995" errors.
Revised fix for code=995 sped bug.
Adding new tap adapters while connected:
https://community.openvpn.net/openvpn/ticket/430
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1413961660-19251-2-git-send-email-samuli@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9165 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1413961660-19251-3-git-send-email-samuli@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9167 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7aa178381241ae015273914065471e0d271ee1c3)
Samuel Thibault [Thu, 9 Oct 2014 21:40:49 +0000 (23:40 +0200)]
Ensure that client-connect files are always deleted
On a long-running, busy server using either a plug-in which hooks into
OPENVPN_PLUGIN_CLIENT_CONNECT or a configuration using --client-connect
a lot of unused files will be lingering and potentially filling up
the file system with temporary files if the plug-in or --client-connect
script fails.
This patch ensures that these files are always removed in the end,
regardless if the plug-in or script succeeds or fails.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 20141012195919.GU3738@type
URL: http://thread.gmane.org/gmane.network.openvpn.devel/9104/focus=9118
(cherry picked from commit 7da9d40243e0743e2d050ceb6ae34e467dd58973)
David Sommerseth [Thu, 16 Oct 2014 15:17:34 +0000 (17:17 +0200)]
systemd: Use systemd functions to consider systemd availability
* OpenVPN 2.3.x backport note
This patch is the result of merging two commits from master, both
ensuring that systemd and the needed utilities are available.
Commit f33ee6bcb12fdc3869b17b7c528a209f16581e2e:
This is another systemd implementation clean-up. It was found that
SELinux will block OpenVPN from checking /sys/fs/cgroups. As OpenVPN
only checked /sys/fs/cgroups and /sys/fs/cgroups/systemd to see if
systemd was available or not, it was considered better to query
systemd directly to see whether or not to query for usernames and
passwords via systemd.
This patch has been compile tested on Fedora 19 and Fedora 21 alpha and
function tested on Fedora 19.
v2 - Use PKG_CHECK_MODULES() + check for libsystemd before
libystemd-daemon. systemd >= 209 use a unified library
It was discovered that the child processes openvpn fork()ed would
be lingering around until openvpn stopped. This was due to the lack
of a wait() call.
This patch also cleans up a few minor white-space issues in the same
code segment.
[v2 proper initialisation of status variable]
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1409930731-15263-2-git-send-email-davids@redhat.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/9021
(cherry picked from commit d886d468849051af525bb8ff1b9080f6c934e3ab)
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
Currently, when compiling with --enable-iproute2 , OpenVPN does not
create a correct route when the user is connected to the Internet
without a gateway (e.g. via ppp). This patch implements the
corresponding FIXME.
Signed-off-by: Philipp Hagemeister <phihag@phihag.de> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <54259015.2030005@phihag.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9056 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit baa195b9884e276c4fd3dc0c9e8a84b89ea71cfb)
ocsp_check - double check if ocsp didn't report any errors in execution
in case the reposnses are too old, ocsp tool can return text like this:
Response verify OK
ca/cert.pem: WARNING: Status times invalid. 139990703290240:error:2707307D:OCSP routines:OCSP_check_validity:status
expired:ocsp_cl.c:358:
good
This Update: Sep 21 12:12:48 2014 GMT
Next Update: Sep 22 12:12:48 2014 GMT
light change in buffering can cause "verify OK" and "ca/cert.pem: good"
to be placed in a way that matching will be valid Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1411727041-11884-2-git-send-email-hkario@redhat.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9055
ocsp_check - signature verification and cert staus results are separate
when openssl returns result of parsing and verification of the
OCSP response, the signature verification is separate from the certificate
status, as such it's necessary to check both of them.
Otherwise results like:
Response Verify Failure 140170966779776:error:27069076:OCSP routines:OCSP_basic_verify:signer
certificate not found:ocsp_vfy.c:85:
ca/cert.pem: good
This Update: Sep 23 12:12:28 2014 GMT
will be accepted as being trustworthy.
Note that "Response verify OK" is printed on stderr, so it can't
be discarded.
Remove quadratic complexity from openvpn_base64_decode()
Every four input characters, openvpn_base64_decode called token_decode,
which in turn called strlen() on the remaining input. This means that
base64 decoding in openvpn had quadratic complexity.
All we really need to know is whether the token is complete, so replace
the check to check just that, and make the complexity linear wrt the
input length.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <5408494D.7050407@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9016 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 25e1ec71dd150e803c0a25308c193fea124c7b7a)
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
On modern systems, topology subnet should always be set, but it's
missing in the configuration file.
Add it with a short explanation.
Signed-off-by: Philipp Hagemeister <phihag@phihag.de> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <53BF9998.5020906@phihag.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8878 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c277757fcf7fb4c2713db154439f937d48cfae61)
Arne Schwabe [Sun, 13 Jul 2014 12:28:47 +0000 (14:28 +0200)]
Fix server routes not working in topology subnet with --server [v3]
The IPv4 routing code needs an IPv4 address to point a route to, and
in --topology subnet mode, the *server* did not have one set by default.
So we now just default --route-gateway to the next address right after
the server address - the specific address doesn't matter, as the correct
next-hop will not be resolved by the host OS but by the OpenVPN daemon.
All that is needed is "it's in the subnet routed to the tun interface".
Using the server address itself would work on unix, but doesn't work with
the Windows TAP driver (as it does not spoof ARP responses for itself).
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1405254527-23833-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8904
(cherry picked from commit 4cc6a2595947a0e2f13b37637899bfc50f8509aa)
Don't exit daemon if opening or parsing the CRL fails.
As requested in trac ticket #83, the daemon should not exit if opening the
CRL file during a connection attempt fails; OpenVPN should merely deny the
connection.
CRL files need to be periodically updated. When users update their CRL in
place and a connection attempt takes place simultaneously, the CRL file
might temporarily not be available, or not be in a consistent state.
Previously, that would result in the daemon exiting. With this patch, that
results in one (or possibly a few) failed connection attempts, but service
will restore automatically as soon as the CRL is again available in a valid
state.
Note that on startup OpenVPN still checks the existence and accessibility
of the CRL file, and will refuse to start on error.
While I was touching the code, I improved error reporting for the PolarSSL
code a bit. The polar code opens and parses the CRL in a single call, so
on error retrieve details from polarssl and report those to the user.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <53BED57C.7070300@fox-it.com> Signed-off-by: Gert Doering <gert@greenie.muc.de>
Andris Kalnozols [Sat, 28 Jun 2014 17:41:02 +0000 (19:41 +0200)]
Do not upcase x509-username-field for mixed-case arguments.
I revisited options.c to refine its brute-force upcasing behavior. Now, the
upcasing is done only if the option argument is all lowercase. Mixed-case
arguments and those with the "ext:" prefix are left unchanged. This
preserves the original intent of the "helpful" upcasing feature for
backwards compatibility while limiting its scope in a straightforward way.
Signed-off-by: Andris Kalnozols <andris@hpl.hp.com> Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <53B1BDD8.8020705@karger.me> Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f4e0ad82b0eaccce965074c1ceec2b7e3853dc0d)
Gert Doering [Tue, 8 Jul 2014 07:20:54 +0000 (09:20 +0200)]
Call init script helpers with explicit path (./)
The provided OpenVPN init scripts scan /etc/openvpn for *.conf and run
an OpenVPN process for each, and if a .sh script with the same base name
exists, this is run before openvpn. Change from running "$name.sh" to
"./$name.sh" - depending on the shell used, the script won't be found
otherwise, and ensuring that the script isn't searched in $PATH is the
right thing anyway.
Reported in trac #423
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Message-Id: <1404804054-32424-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8858
(cherry picked from commit cf31d5f32197159691fa9e3e4afcfc35307702d6)
Gert Doering [Tue, 8 Jul 2014 14:45:58 +0000 (16:45 +0200)]
Fix t_lpback.sh platform-dependent failures
commit e97aa06dc058 introduced "full openvpn cipher testing", but fails
on OpenSSL 0.9.8 with DES-CFB1 (skip), on NetBSD for RC5-* (needs extra
library, libcrypto_rc5.a) and on Solaris for POSIXly "tail" (rewrite).
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1404830758-7927-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8861
(cherry picked from commit bbae238d5084012525a61a0e3ab947c414a555ae)
Steffan Karger [Sun, 8 Jun 2014 16:16:13 +0000 (18:16 +0200)]
Add proper check for crypto modes (CBC or OFB/CFB)
OpenSSL has added AEAD-CBC mode ciphers like AES-128-CBC-HMAC-SHA1, which
have mode EVP_CIPH_CBC_MODE, but require a different API (the AEAD API).
So, add extra checks to filter out those AEAD-mode ciphers.
Adding these made the crypto library agnostic function cfb_ofb_mode()
superfuous, so removed that on the go.
Also update all cipher mode checks to use the new cipher_kt_mode_*()
functions for consistency.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1402244175-31462-3-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8779 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a4b27b6481c7496f2a8705c993edfe150a3541cb)
Steffan Karger [Sun, 8 Jun 2014 16:16:12 +0000 (18:16 +0200)]
Rename ALLOW_NON_CBC_CIPHERS to ENABLE_OFB_CFB_MODE, and add to configure.
Makes OFB/CFB compile time configurable, and fixes output of --show-ciphers
to also show OFB/CFB ciphers along the way (becasue crypto.h was not
included from crypto_openssl.c).
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1402244175-31462-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8781 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c353af2f474f79bfd7b2b67ecc02e91152500209)
Heiko Hund [Thu, 16 Aug 2012 08:38:50 +0000 (10:38 +0200)]
refine assertion to allow other modes than CBC
cipher_ctx_final() only returns an outlen in CBC mode. If CFB or OFB
are used the assertion outlen == iv_len is always false.
There's no CBC mode defined for the GOST 28147-89 block cipher. Hence
this patch is needed for it to work. It's needed for other ciphers like
BF-CFB as well, though.
James Bekkema [Thu, 26 Jun 2014 11:40:39 +0000 (21:40 +1000)]
Fix socket-flag/TCP_NODELAY on Mac OS X
Hi All,
OpenVPN 2.3.4 will currently throw a warning of "NOTE: setsockopt
TCP_NODELAY=1 failed (No kernel support) when attempting to use the
TCP_NODELAY socket option on Mac OS X/Darwin. Kernel support is there,
however the required header file where TCP_NODELAY is defined is not being
included. This patch simply alters syshead.h to include <netinet/tcp.h> on
Darwin platforms.
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <A1005665-126D-45D5-A6F2-75ED0EAE30FE@sparklabs.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8809
Steffan Karger [Tue, 24 Jun 2014 20:03:25 +0000 (22:03 +0200)]
Update README.polarssl
PolarSSL support has been extended and adjusted, but README.polarssl was
not accordingly adjusted. This updates README.polarssl to the current state
of affairs for OpenVPN 2.3.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1403640206-7024-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8804 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Fix bug that incorrectly refuses oid representation eku's in polar builds
The return value of x509_get_numeric_string() was interpreted incorrectly
by ssl_verify_polarssl.c's x509_verify_cert_eku(). This patch enables the
usage of oid represenation in --remote-cert-eku options.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Message-Id: <1398415277-6880-1-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8627 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e238b806f5f3843b80d5b1b2b269679210faa7f6)
Improve error reporting on file access to --client-config-dir and --ccd-exclusive
OpenVPN will do some simple sanity checking at startup to ensure
the expected files and directories is in place. However, with
--client-config-dir and --ccd-exclusive, things are slightly different.
In both cases it is perfectly fine that files does not exists, and we
cannot know any file names beforehand due to these filenames being based
upon the certificate's CN field.
The problem arises when OpenVPN cannot open files inside a directory
because the directory permissions are too restrictive, have wrong
ownership (triggered by the usage of --user/--group) or other security
mechanisms the OS uses.
When a client connects, the test_file() function is used to check if a
client config file has been prepared. And if not, it continues without
trying to read it. So, if the privileges of the running OpenVPN process
is not allowed to open and read an existing file, OpenVPN will treat this
as a non-existing file without saying anything. This is clearly wrong.
So this patch adds an warning message in the OpenVPN log if it could
not open the file due to lack of permissions.
This will work fine on all *nix based OSes. Windows however reports
'no such file or directory' (errno=2/-ENOENT) even on privilege access
errors when the directory this file resides is too restrictive. But there
is no easy way to work around that. However, I believe that the initial
sanity checking at startup will catch that one, as it will check if the
directories it needs exists.
This patch has only gone through simple basic testing, with both too few
privileges and with proper privileges to the CCD directory. With wrong
privileges, the following error can be found if CN=Test client
Fri May 2 00:00:10 2014 us=281993 127.0.0.1:41017 Could not access file
'/etc/clients/Test client': Permission denied (errno=13)
[v2 - use openvpn_errno() instead of errno, for better platform support]
Trac: #277
Trac-URL: https://community.openvpn.net/openvpn/ticket/277 Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1398990504-4239-1-git-send-email-dazo@users.sourceforge.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8688 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 4978dadaed4ecf1b9dd256f57c6a5c895691580b)
Gert Doering [Fri, 6 Jun 2014 18:43:55 +0000 (20:43 +0200)]
Drop incoming fe80:: packets silently now.
IPv6 has the concept of "link local" addresses, fe80::<host id>, which
normally are present on every link, and are used for stuff like DHCPv6,
neighbor discovery, etc.
OpenVPN point-to-multipoint mode currently does neither configure them on
tun interfaces, nor are they handled in a meaningful way if a client OS
always has them (like Windows or Solaris) - so the log fills with many
lines of "MULTI: bad source address from client [fe80::...]", serving
no useful purpose.
This patch just recognizes IPv6 LL packets and silently drops them.
Further patches can build on this and add full link-local support, which
would require address learning (as the addresse are based on host IDs, not
assigned by the server).
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1402080235-24409-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8773
(cherry picked from commit 70f1864188ad00451683cabf51e56b7730250c40)
projects / thirdparty / openvpn.git / log
