Steffan Karger [Sun, 8 Jun 2014 16:16:13 +0000 (18:16 +0200)]
Add proper check for crypto modes (CBC or OFB/CFB)
OpenSSL has added AEAD-CBC mode ciphers like AES-128-CBC-HMAC-SHA1, which
have mode EVP_CIPH_CBC_MODE, but require a different API (the AEAD API).
So, add extra checks to filter out those AEAD-mode ciphers.
Adding these made the crypto library agnostic function cfb_ofb_mode()
superfuous, so removed that on the go.
Also update all cipher mode checks to use the new cipher_kt_mode_*()
functions for consistency.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1402244175-31462-3-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8779 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a4b27b6481c7496f2a8705c993edfe150a3541cb)
Steffan Karger [Sun, 8 Jun 2014 16:16:12 +0000 (18:16 +0200)]
Rename ALLOW_NON_CBC_CIPHERS to ENABLE_OFB_CFB_MODE, and add to configure.
Makes OFB/CFB compile time configurable, and fixes output of --show-ciphers
to also show OFB/CFB ciphers along the way (becasue crypto.h was not
included from crypto_openssl.c).
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1402244175-31462-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8781 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c353af2f474f79bfd7b2b67ecc02e91152500209)
Heiko Hund [Thu, 16 Aug 2012 08:38:50 +0000 (10:38 +0200)]
refine assertion to allow other modes than CBC
cipher_ctx_final() only returns an outlen in CBC mode. If CFB or OFB
are used the assertion outlen == iv_len is always false.
There's no CBC mode defined for the GOST 28147-89 block cipher. Hence
this patch is needed for it to work. It's needed for other ciphers like
BF-CFB as well, though.
James Bekkema [Thu, 26 Jun 2014 11:40:39 +0000 (21:40 +1000)]
Fix socket-flag/TCP_NODELAY on Mac OS X
Hi All,
OpenVPN 2.3.4 will currently throw a warning of "NOTE: setsockopt
TCP_NODELAY=1 failed (No kernel support) when attempting to use the
TCP_NODELAY socket option on Mac OS X/Darwin. Kernel support is there,
however the required header file where TCP_NODELAY is defined is not being
included. This patch simply alters syshead.h to include <netinet/tcp.h> on
Darwin platforms.
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <A1005665-126D-45D5-A6F2-75ED0EAE30FE@sparklabs.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8809
Steffan Karger [Tue, 24 Jun 2014 20:03:25 +0000 (22:03 +0200)]
Update README.polarssl
PolarSSL support has been extended and adjusted, but README.polarssl was
not accordingly adjusted. This updates README.polarssl to the current state
of affairs for OpenVPN 2.3.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1403640206-7024-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8804 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Fix bug that incorrectly refuses oid representation eku's in polar builds
The return value of x509_get_numeric_string() was interpreted incorrectly
by ssl_verify_polarssl.c's x509_verify_cert_eku(). This patch enables the
usage of oid represenation in --remote-cert-eku options.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Message-Id: <1398415277-6880-1-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8627 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e238b806f5f3843b80d5b1b2b269679210faa7f6)
Improve error reporting on file access to --client-config-dir and --ccd-exclusive
OpenVPN will do some simple sanity checking at startup to ensure
the expected files and directories is in place. However, with
--client-config-dir and --ccd-exclusive, things are slightly different.
In both cases it is perfectly fine that files does not exists, and we
cannot know any file names beforehand due to these filenames being based
upon the certificate's CN field.
The problem arises when OpenVPN cannot open files inside a directory
because the directory permissions are too restrictive, have wrong
ownership (triggered by the usage of --user/--group) or other security
mechanisms the OS uses.
When a client connects, the test_file() function is used to check if a
client config file has been prepared. And if not, it continues without
trying to read it. So, if the privileges of the running OpenVPN process
is not allowed to open and read an existing file, OpenVPN will treat this
as a non-existing file without saying anything. This is clearly wrong.
So this patch adds an warning message in the OpenVPN log if it could
not open the file due to lack of permissions.
This will work fine on all *nix based OSes. Windows however reports
'no such file or directory' (errno=2/-ENOENT) even on privilege access
errors when the directory this file resides is too restrictive. But there
is no easy way to work around that. However, I believe that the initial
sanity checking at startup will catch that one, as it will check if the
directories it needs exists.
This patch has only gone through simple basic testing, with both too few
privileges and with proper privileges to the CCD directory. With wrong
privileges, the following error can be found if CN=Test client
Fri May 2 00:00:10 2014 us=281993 127.0.0.1:41017 Could not access file
'/etc/clients/Test client': Permission denied (errno=13)
[v2 - use openvpn_errno() instead of errno, for better platform support]
Trac: #277
Trac-URL: https://community.openvpn.net/openvpn/ticket/277 Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1398990504-4239-1-git-send-email-dazo@users.sourceforge.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8688 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 4978dadaed4ecf1b9dd256f57c6a5c895691580b)
Gert Doering [Fri, 6 Jun 2014 18:43:55 +0000 (20:43 +0200)]
Drop incoming fe80:: packets silently now.
IPv6 has the concept of "link local" addresses, fe80::<host id>, which
normally are present on every link, and are used for stuff like DHCPv6,
neighbor discovery, etc.
OpenVPN point-to-multipoint mode currently does neither configure them on
tun interfaces, nor are they handled in a meaningful way if a client OS
always has them (like Windows or Solaris) - so the log fills with many
lines of "MULTI: bad source address from client [fe80::...]", serving
no useful purpose.
This patch just recognizes IPv6 LL packets and silently drops them.
Further patches can build on this and add full link-local support, which
would require address learning (as the addresse are based on host IDs, not
assigned by the server).
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1402080235-24409-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8773
(cherry picked from commit 70f1864188ad00451683cabf51e56b7730250c40)
Make serial env exporting consistent amongst OpenSSL and PolarSSL builds.
This changes the representation of the tls_serial_{n} environment variable
from hex to decimal for PolarSSL builds, to match OpenSSL build behaviour.
Because hex representation for serials makes sense too, and to ease
transition for PolarSSL users, added tls_serial_hex_{n} that exports the
serial in hex represenation for both crypto library backends.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <535EB49E.5090809@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8664 Signed-off-by: Gert Doering <gert@greenie.muc.de>
James Yonan [Mon, 28 Apr 2014 20:52:11 +0000 (22:52 +0200)]
When tls-version-min is unspecified, revert to original versioning approach.
For OpenSSL, this means to use TLSv1_(client|server)_method rather
than SSLv23_(client|server)_method combined with SSL_OP_NO_x flags
for specific TLS versions to disable.
For PolarSSL, this means to implicitly control the TLS version via allowed
ciphersuites.
Point out off-by-default-now setting in the openvpn(8) man page.
This patch is only included in the release/2.3 branch, because it's a
stopgap measure. 2.4 will have it on-by-default, when the remaining
handshake problems are fully debugged and solved.
Signed-off-by: James Yonan <james@openvpn.net> Signed-off-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: James Yonan <james@openvpn.net>
Message-Id: <535EC5FE.6060302@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8665 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Tue, 29 Apr 2014 21:09:39 +0000 (23:09 +0200)]
Conditionalize calls to print_default_gateway on !ENABLE_SMALL
Calls to print_default_gateway() depended on #ifdef ENABLE_DEBUG, but
the actual function wasn't compiled in #ifdef ENABLE_SMALL, so the
combination "configure --enable-small --enable-debug" didn't work. Fix.
Fix trac #397
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1398805779-29376-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8670
(cherry picked from commit c29e08a2f33234fb705a8323c0d9e1e07b0773fd)
Dmitrij Tejblum [Sat, 8 Feb 2014 15:33:49 +0000 (19:33 +0400)]
Fix is_ipv6 in case of tap interface.
While checking a packet on a TAP interface, is_ipv_X() in proto.c
insist that the ethertype must be OPENVPN_ETH_P_IPV4, even if
the protocol is IPv6. So the protocol never match, and, thus,
mssfix doesn't work for IPv6 on TAP interface. Fix that.
Signed-off-by: Dmitrij Tejblum <dt@yandex.ru> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1391873629-14388-1-git-send-email-dt@yandex.ru>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8259 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit db037c20086587a609ef33127c15de080270f2cb)
Fix build system to accept non-system crypto library locations for plugins.
Flags like {OPEN,POLAR}SSL_CFLAGS were used by the core build, but not by
the plugins. However, all plugins include openvpn-plugin.h, which need
crypto/ssl headers.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1398080238-19662-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8576 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ea31bc680fc83946b2cc8d0c93544a1ab2a01d63)
Gert Doering [Sat, 26 Apr 2014 11:30:54 +0000 (13:30 +0200)]
More IPv6-related updates to the openvpn man page.
Point to correct kernel version for --multihome and IPv4-mapped
addresses (3.15, Tore Anderson).
Remove old reference to http://www.greenie.net/ from the IPv6 section,
as the code and documentation in here is more current than on that site.
Some more additions and clarifications.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Tore Anderson <tore@fud.no>
Message-Id: <1398511854-3609-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8642
(cherry picked from commit 2a97e69e71d4afb9c32268890e13db19cb73196b)
Change signedness of hash in x509_get_sha1_hash(), fixes compiler warning.
hash was cast from char * to unsigned char * at the return of the function.
This patch removes the implicit cast by declaring hash as unsigned char * .
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1398585348-7969-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8647 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit d4309c21d9cde43c777985e373242afa78afefa1)
Gert Doering [Sun, 19 Jan 2014 20:51:37 +0000 (21:51 +0100)]
Repair --multihome on FreeBSD for IPv4 sockets.
The code in link_socket_write_udp_posix_sendmsg() for the IP_RECVDESTADDR
case was sending a too-large control message (sizeof openvpn_pktinfo,
which is a union for IPv4+IPv6) instead of just openvpn_in4_pktinfo,
leading to sendmsg() refusing to send the packet.
Use RFC 2292 macros for alignment + size calculation.
Fix trac#327
Signed-off-by: Gert Doering <gert@greenie.muc.de> Lazy-Ack-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1390164697-1590-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8250
(cherry picked from commit 661d914c8732a208580b1eab167255c85da162c9)
Arne Schwabe [Fri, 28 Mar 2014 10:07:01 +0000 (11:07 +0100)]
Fix man page and OSCP script: tls_serial_{n} is decimal
Commit 7d5e26cbb53 fixed extracting serial but did not change the format,
which always has been decimal. This patch fixes the manpage and
OSCP.sh script to conform with the implementation. Acked-by: James Yonan <james@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1396001222-5033-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8409
Gert Doering [Sun, 20 Apr 2014 18:41:01 +0000 (20:41 +0200)]
Minor t_client.sh cleanups
- remove built tests/t_client.sh script on "make clean"
- ignore Linux iproute2 "ssthresh <n>" output that sometimes shows up
in "ip -6 route show" and breaks before/after comparison
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1398019261-30180-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8557
(cherry picked from commit 1e3a1786a80e4afac37133ce5d6a1dcff779a4ce)
Gert Doering [Sun, 13 Apr 2014 11:12:02 +0000 (13:12 +0200)]
IPv6 address/route delete fix for Win8
Use "store=active" for IPv6 address and route deletion - seems to be
required on Windows 8 and up, and not doing it will break OpenVPN
reconnection (old addresses are not properly deleted, thus address can
not be configured on connect).
Reported-by: Cedric <cedric+openvpn@bgtn.net> Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Cedric Tabary <cedric+openvpn@bgtn.net>
Message-Id: <20140413170648.GU16637@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8499
(cherry picked from commit 4b4fac9184fcea1eab4f4223309211780cee188a)
Yawning Angel [Mon, 10 Mar 2014 03:47:58 +0000 (03:47 +0000)]
Fix SOCKSv5 method selection
So, RFC 1928 doesn't say anything about the METHODS field in the Method
Selection message being ordered in terms of preference or anything, and
the server is free to pick any of the METHODS offered by the client.
Always sending a Method Selection message with NO AUTHENTICATION REQUIRED
and USERNAME/PASSWORD set is broken on two fronts:
* If the OpenVPN client can't handle the server picking USERNAME/PASSWORD
due to the credentials being missing, it shouldn't offer it to the
server.
* If the OpenVPN client has credentials, then it should always attempt to
authenticate. This is a security product. "You can misconfigure it and
it will work" is not acceptable. Setting a username/password when the
SOCKS server doesn't require/support that as an option is the user not
configuring it correctly, and should be treated as such.
Also verify that the SOCKS server returned the auth that was requested.
URL: https://github.com/OpenVPN/openvpn/pull/14
Fix trac #377, trac #148 Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20140413130102.GR16637@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8488
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-By: Arne Schwabe <arne@rfc2549.org>
(cherry picked from commit a95358af543b9106f4ef481e4556d1d03459d058)
Gert Doering [Sun, 23 Mar 2014 12:19:08 +0000 (13:19 +0100)]
Workaround missing SSL_OP_NO_TICKET in earlier OpenSSL versions
058e889d introduced using SSL_OP_NO_TICKET, leading to build failures on
systems that could build 2.3.2 fine. Inside the 2.3 release train, we
do not want to change requirements, so for those build environments, ignore
missing SSL_OP_NO_TICKET. 2.4 will require more recent OpenSSL, though.
However, even with the above code, stateless session resumption
is still possible unless explicitly disabled with the
SSL_OP_NO_TICKET flag. This patch does this.
Gert Doering [Mon, 13 Jan 2014 21:54:34 +0000 (22:54 +0100)]
Replace copied structure elements with including <net/route.h>
The code for FreeBSD, Dragonfly, OpenBSD and NetBSD contained copies
of structures from <net/route.h> (struct rt_msghdr in particular).
OpenBSD changed some structure elements, making OpenVPN incompatible,
depending on the specific OpenBSD version. Clean up: remove copied
definitions, replace by including <net/route.h> directly - this could
not be done originally due to a conflict with "struct route" in OpenVPN
and <net/route.h>, cleaned up by the previous commit.
Tested on FreeBSD 9.1-RELEASE, NetBSD 5.1, OpenBSD 4.9 (route.c compiles
with no warnings, and "openvpn --show-gateway" works, which is the only
part of the code that uses the structures in question).
Fix trac #340
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1389650074-18455-2-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8230
(cherry picked from commit 615fb9ef36310f85fd6171301128a12740444455)
Gert Doering [Sun, 17 Nov 2013 14:30:20 +0000 (15:30 +0100)]
Make code and documentation for --remote-random-hostname consistent.
Documentation examples, description and code were disagreeing on what
this option actually does. Now they will all agree that it will
*prepend* a random-byte string to the hostname name before resolving
to work around DNS caching (needs a "*" wildcard record in the zone).
Fix trac #143
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1384698620-27946-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7999
(cherry picked from commit 7de8f3f322c1a1c13022a0243267624930dac5c9)
Jens Wagner [Tue, 7 Jan 2014 21:07:54 +0000 (22:07 +0100)]
Fix spurious ignoring of pushed config options (trac#349).
The function incoming_push_message(...) in push.c uses a local variable
option_types_found, that gets passed to do_up(...).
If the server push got split into several parts, only the last part
(PUSH_MSG_REPLY) option_types_found is used for do_up (initilized as 0
locally), the previous ones (PUSH_MSG_CONTINUATION) are ignored.
So e.g. a ping config, pushed by the server in the first push, followed
by a lot of "push route" configs, causing a second push message, will
have the do_up() called, but without e.g. the OPT_P_TIMER flag, so those
options will be silently ignored.
The patch resolves that, by introducing "push_option_types_found" in
"c->options" and using that as storage.
Fix trac bug #349.
Acked-by: Gert Doering <gert@greenie.muc.de>
URL: https://community.openvpn.net/openvpn/ticket/349 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 1aac9a0b7a4046822a0134cd8693a828f2e16576)
Steffan Karger [Wed, 1 Jan 2014 20:10:22 +0000 (21:10 +0100)]
Update TLSv1 error messages to SSLv23 to reflect changes from commit 4b67f98
Commit 4b67f98 changed call to TLSv1_{client,server}_method() to
SSLv23_{client,server}_method(), this commit updates the corresponding
error messages to match the changes in the code.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1388607026-12297-3-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8147 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 441be9f4f91a16218d40b401384ead51b5aac0cc)
Steffan Karger [Wed, 1 Jan 2014 20:10:21 +0000 (21:10 +0100)]
Also update TLSv1_method() calls in support code to SSLv23_method() calls.
Commit 4b67f98 changed calls to TLSv1_{sever,client}_method() to
SSLv23_{client,server}_method() to enable TLS version negotiation. This
commit does the same for two calls of TLSv1_method() from support code.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1388607026-12297-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8148 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit dd3e319c1d66c7da51b8555d745a1139e0b322f2)
Steffan Karger [Sun, 15 Dec 2013 18:34:27 +0000 (19:34 +0100)]
Use RSA_generate_key_ex() instead of deprecated, RSA_generate_key()
This patch moves from using the deprecated RSA_generate_key() to the 'new'
RSA_generate_key_ex() to generate ephemeral RSA keys. This patch does
not change OpenVPN's behaviour.
One note on the implementation though; the code generates one ephemeral
RSA key that is used during the entire lifetime of an OpenVPN process.
If OpenSSL requests a new (ephemeral) key, it will keep on returning the
same (usually rather small) key. Not the best solution.
To actually run this code, I had to force usage by selecting the
TLS-RSA-EXPORT-WITH-DES40-CBC-SHA tls-cipher. That generated a 512-bit
ephemeral RSA key, and uses the outdated DES encryption protocol.
Using this mode could lead to a false sense of security. Then again, one
should be using (Ephemeral) Diffie-Hellman anyway, and OpenVPN requires
a tls-server to supply dh parameters. A user would need to deliberately
choose a weak tls-cipher like TLS-RSA-EXPORT-WITH-DES40-CBC-SHA, which
would be aligning a gun with his foot anyway. If one would decide this
implementation is not good enough anymore, I'd suggest to just strip out
support for this completely.
Code has been tested using the TLS-RSA-EXPORT-WITH-DES40-CBC-SHA tls-cipher
which uses this to create ephemeral RSA keys.
Arne Schwabe [Tue, 17 Dec 2013 10:22:47 +0000 (11:22 +0100)]
Add warning for using connection block variables after connection blocks
In 2.3 some options that were allowed only in global config before have
been moved to connection blocks. This changes the behaviour if the
variables were defined after connection block. This patch adds a warning
to catch these mistakes.
Also let warnings errors show [CONNECTION-OPTIONS] instead of [CMD-LINE]
for connection blocks Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1387275767-10303-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8117
David Sommerseth [Mon, 25 Nov 2013 12:32:58 +0000 (13:32 +0100)]
Fix file checks when --chroot is being used
Commit 0f2bc0dd92f43c9 started to introduce some file sanity
checking before OpenVPN started to avoid harder to explain issues
due to missing files or directories later on. But that commit
did not consider --chroot at all. Which would basically cause
OpenVPN to complain on non-missing files, because it would not
consider that the files where inside a chroot.
This patch is based on the thoughts in a patch by Josh Cepek [1],
but trying to simplify it at bit.
Gert Doering [Sun, 24 Nov 2013 16:13:04 +0000 (17:13 +0100)]
t_client.sh: ignore fields from "ip -6 route show" output that distort results.
"ip -6 route show" prints stuff like "rtt 38ms rttvar 38ms cwnd 10", which
sometimes changes while an OpenVPN test is running, resulting in spurious
failures in the "ifconfig/route must be restored identically after
OpenVPN ends" test in t_client.sh. Not all fields are there all the time,
so use "sed" to get rid of whatever is printed this time.
Only relevant for "make check" on linux builds with "--enable-iproute2".
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1385309584-23209-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8047
(cherry picked from commit 8c19087034cb1076874075b9e2896ea3f7be59cf)
Joachim Schipper [Thu, 19 Sep 2013 10:47:28 +0000 (12:47 +0200)]
--management-external-key for PolarSSL
Add --management-external-key support, compatible with the OpenSSL
implementation. Needs the flexibility of ssl_set_own_cert_alt(), which
is new in PolarSSL-1.2.
Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com> Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1379587649-25506-3-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7886 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 38ace48c6820c611e689bc69b0cf5380bf7a8891)
Joachim Schipper [Thu, 19 Sep 2013 10:47:27 +0000 (12:47 +0200)]
Refactor tls_ctx_use_external_private_key()
OpenSSL's tls_ctx_load_cert_file() had a parameter in which a copy of the
context's certificate chain was stored on return, used by
tls_ctx_use_external_private_key() only and free()d immediately thereafter.
PolarSSL also supported this output parameter, but returned a pointer to
the
context's certificate chain (rather than to a copy of the certificate, as
OpenSSL does) - which meant that we would have to #ifdef the free().
PolarSSL cannot make a copy of a certificate chain, and OpenSSL cannot
store a
pointer to (instead of a copy of) the cert.
So remove the output parameter from tls_ctx_load_cert_file() and
incorporate
the needed functionality directly into tls_ctx_use_external_private_key()
(which is straightforward for both OpenSSL and PolarSSL, as long as you
don't
try to support both at once.)
Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1379587649-25506-2-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7888 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c3b2d487bc5089c8c0cf65df8e6cc2232d84b05b)
Setting es->gc=NULL causes env_set_add_nolock() / remove_env_item() to
free() allocated and no longer used strings in the es, while an active
gc would leave them for cleanup with gc_free() at client disconnect time.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Conflicts:
src/openvpn/buffer.c Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Message-Id: <20131023162618.GP161@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7939
(cherry picked from commit 4368147972d61b598bbcd5d2904d891130d5e517)
It looks like it's possible to specify an optional authfile as third
argument of the "socks-proxy" directive. This patch updates the man page to
document that.
If a CA certificate file includes intermediate certificates, and any
of them fail to verify, the current code will file with "Cannot load
CA certificate file". Instead, generate a more specific error message
identifying the specific sub-certificate(s) which did not validate.
Arne Schwabe [Fri, 31 May 2013 12:59:35 +0000 (14:59 +0200)]
Add reporting of UI version to basic push-peer-info set.
If a GUIs sets IV_OPENVPN_GUI_VERSION the version will be pushed to the
server.
Usage convention for IV_OPENVPN_GUI_VERSION is "<gui_id><space><version>",
for example "de.blinkt.openvpn 0.5.47" for the ICS Android version.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: James Yonan <james@openvpn.net>
Message-Id: <1370005175-14871-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7646 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f3a2cd255a3bc73a546a5e2d09fa30a16cce0d7d)
Josh Cepek [Thu, 14 Nov 2013 18:02:59 +0000 (12:02 -0600)]
Require a 1.2.x PolarSSL version
Upstream policy on PolarSSL API compatibility does not guarantee
stability between point-releases. For OpenVPN, we must verify a 1.2.x
version with the current codebase.
Steffan Karger [Tue, 22 Oct 2013 12:45:17 +0000 (14:45 +0200)]
Require polarssl >= 1.2.10 for polarssl-builds, which fixes CVE-2013-5915.
PolarSSL 1.2.9 fixes a possible timing attack in PolarSSL's RSA-CRT
implementation. See CVE-2013-5915 for details. This commit bumps the
minimum polarssl version required by configure.ac to 1.2.10, because 1.2.9
also introduced a memory leak, which is fixed in 1.2.10.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1382445917-2974-1-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7925 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 92d21e3fed33aad966b7b0ca6568e0cda8c7a8b5)
Heiko Hund [Tue, 15 Oct 2013 09:23:42 +0000 (11:23 +0200)]
Support non-ASCII TAP adapter names on Windows
Currently the TAP adapter name is fetched as an OEM string, which
is problematic if it contains non-ASCII characters and is to used
with netsh. The logfile also contains these non UTF-8 characters.
This patch fetches the name from the registry as UCS-2 and converts
it right into UTF-8 before it's used.
Josh Cepek [Wed, 21 Aug 2013 21:20:30 +0000 (16:20 -0500)]
Correct error text when no Windows TAP device is present
Starting with the 2.3-series, the TAP-Windows driver/utilities and
OpenVPN are separately installed components. The error message given to
users without available TAP devices uses the pre-2.3 path that does not
exist. The path should be listed under the TAP-Windows program group
that the tap-windows project installer uses.
Resolves bug #320
Signed-off-by: Josh Cepek <josh.cepek@usa.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Message-Id: <kv4ece$s8s$1@ger.gmane.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7825 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 2d34628af995676c8ecddb953897c334b96a6a6b)
Always load intermediate certificates from a PKCS#12 file
Load intermediate certificates from a PKCS#12 file and place them in the
extra certs chain, when trusted CA certs are loaded from an external PEM
file with the --ca option, and the CA certs in PKCS#12 are not to be trusted.
Required when client PKCS#12 file is provided by a different CA
than the server CA, the PKCS#12 file contains intermediate certificates
required for client auth, but the server CA is not in the PKCS#12 file.
When --ca is set, the PKCS#12 provided CA certs are not trusted. Without
this patch, they were ignored completely - with this patch, they're loaded
in the extra certs chain which makes them available for chain verification
but still does not make them trusted if --ca is set. Unless when, of
course, a trusted root is found from the --ca file.
Acked-by: James Yonan <james@openvpn.net> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <alpine.DEB.2.02.1306201400320.10116@jazz.he.fi>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7721
James Yonan [Tue, 11 Jun 2013 06:25:05 +0000 (00:25 -0600)]
Added "setenv opt" directive prefix. If present, and if the
directive that follows is recognized, it will be processed
as if the "setenv opt" prefix was absent. If present and if
the directive that follows is not recognized, the directive
will be ignored rather than cause a fatal error.
For example, suppose you are distributing a client
configuration file and want to set the minimum TLS version
that the client requires from the server to 1.2.
By using the following directive,
setenv opt tls-version-min 1.2 or-highest
only newer clients that understand the tls-version-min directive
would process it, while older clients would ignore it.
James Yonan [Tue, 11 Jun 2013 04:59:30 +0000 (22:59 -0600)]
TLS version negotiation
Updated the TLS negotiation logic to adaptively try to connect using
the highest TLS version supported by both client and server.
Previously, OpenVPN (when linked with OpenSSL) would always connect
using TLS 1.0.
Also added tls-version-min directive to force a higher TLS version
than 1.0:
tls-version-min <version> ['or-highest'] -- sets the minimum
TLS version we will accept from the peer. Examples for version
include "1.0" (default), "1.1", or "1.2". If 'or-highest' is
specified and version is not recognized, we will only accept
the highest TLS version supported by the local SSL implementation.
Examples:
tls-version-min 1.1 -- fail the connection unless peer can
connect at TLS 1.1 or higher.
tls-version-min 1.2 or-highest -- require that the peer
connect at TLS 1.2 or higher, however if the local SSL
implementation doesn't support TLS 1.2 (as it wouldn't
if linked with an older version of OpenSSL), reduce the
minimum required version to the highest version supported
by the local SSL implementation (such as TLS 1.0). This
is intended to allow client configurations to target higher
TLS versions that are supported on the server, even if some
older clients don't support these versions yet.
[
This is a merged patch from on the following commits
on git://github.com/jamesyonan/openvpn.git
plugin: Extend the plug-in v3 API to identify the SSL implementation used
OpenVPN would segfault unexpectedly if it would be compiled against
PolarSSL
and the plug-in would expect OpenSSL, or vice-versa. This segfault would
not appear before the plug-in would try to access functions which would
be available if the plug-in and OpenVPN uses the same SSL implementation.
This patch adds a member to the plug-in initialisation function, which
identifies the SSL implementation.
The log_v3 plug-in is updated accordingly + a simple fix to make it
buildable again using the ./build script.
A minor documentation error in the openvpn-plugin.h was also
corrected, where it mentioned OPENVPN_PLUGIN_VERSION instead of
OPENVPN_PLUGINv3_STRUCTVER.
v2 - add const ovpnSSLAPI ssl_api at the end of
struct openvpn_plugin_args_open_in and not in the "middle"
v3 - fix bug in plug-in init, as the SSLAPI was located wrong in the
args struct sent to the openvpn_plugin_open_v3() function.
v4 - Ensure SSLAPI got a sane/known value if SSL is disabled or unknown
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1372879030-10576-1-git-send-email-dazo@users.sourceforge.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7754 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 587df08abda3c8f1f85ccdba4d8b82a736c11e2d)
This "feature" has been enabled since OpenVPN 2.2 without any reports that
this has been causing issues. All it does is to add an extra environment
variable 'tls_digest_{n}' with the certificate SHA1 fingerprint/digest
hash.
Lets just simplify things by removing the possibility to disable this
environment variable.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1370600123-6029-1-git-send-email-dazo@users.sourceforge.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7660 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e3d388652f59fd2ddd9c7f470f7ef62ee6b35595)
Arne Schwabe [Fri, 21 Jun 2013 10:48:28 +0000 (12:48 +0200)]
Add support of utun devices under Mac OS X
Mac OS X 10.7+ natively supports tun devices (called utun). The "standard"
utun.ko driver is sometimes problematic (e.g. VmWare Fusion 5 and tun.ko
do not work together).
When OpenVPN is compiled with utun support it will if no dev-node is given
first try to use utun and if that is not available will try the
traditional tun devices
v2: Fixed tap support, get device name via ioctl, add manage
v3.1: Fix compiling without if/utun.h, fix manage errors
v4/v5: Don't try open to dynamically open utun0 -255 when early utun
initialization fails, fix fallback to tun, give fatal error message when
utun fails but no tun fallback should be done
v6: add commit message change log, replace strstr with strncmp, move
v7: Throw error if a user does the strange combination of --dev tun
--dev-type tap and --dev-node utun
A lot good input on earlier patches by Jonathan K. Bullard
<jkbullard@gmail.com>
Parts of the patches are inspired from Peter Sagerson's
<psagers@ignorare.net> utun patch Signed-off-by: Arne Schwabe <arne@rfc2549.org> Tested-by: Jonathan K. Bullard <jkbullard@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1371811708-8528-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7739 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit fbc04bedbcce02fc625357b7475ddbc7164cabbf)
Arne Schwabe [Thu, 30 May 2013 21:02:17 +0000 (23:02 +0200)]
Move checking of script file access into set_user_script
At the moment script are only checked if P2MP_SERVER is defined. For
CLIENT_ONLY openvpn script were never checked. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1369947737-26081-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7635
Arne Schwabe [Thu, 30 May 2013 20:26:43 +0000 (22:26 +0200)]
Move settings of user script into set_user_script function
This also fixes commit 567bfc06d051b60e9cdca1f5bb468631b899682a if not all
script options are available by setting options->user_script_used Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1369945603-17169-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7634
Arne Schwabe [Thu, 30 May 2013 13:27:08 +0000 (15:27 +0200)]
Only print script warnings when a script is used. Remove stray mention of script-security system.
Acked-by: Jan Just Keijser <janjust@nikhef.nl>
Message-Id: <1369920428-11350-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7625
Gert Doering [Thu, 30 May 2013 11:31:24 +0000 (13:31 +0200)]
Fix problem with UDP tunneling due to mishandled pktinfo structures.
In link_socket_write_udp_posix_sendmsg(), pktinfo structures for ipv4 and
ipv6 are going out of scope before actually calling sendmsg(), so depending
on compiler optimization, garbage is passed to sendmsg() - fix by using
"union openvpn_pktinfo" and having that in scope all the time.
Problem reported and patch provided by "danta" in trac#297
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
URL: https://community.openvpn.net/openvpn/ticket/297
Message-ID: <20130530184427.GP20843@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7629
(cherry picked from commit 8c431f960357d776cfd0961192214ad1b0942bfb)
James Yonan [Mon, 20 May 2013 10:13:21 +0000 (12:13 +0200)]
Always push basic set of peer info values to server.
On the client, allow certain peer info fields to be pushed even if
push-peer-info isn't specified in the config.
This is needed to allow the compression handshake to work correctly
(i.e. where the client indicates its support for LZO and/or Snappy).
Fields that have privacy implications such as Mac Address and UV_*
environment variables will not be pushed to the server as before unless
push-peer-info is specified by client config.
v1: equivalent to OpenVPN SVN r8225 (2.1.21c)
v2: distinguish 3 levels of peer-info detail
--push-peer-info specified --> send all we have
--pull specified --> send basic set, as per r8225
default --> send nothing (do not leak from server)
v3: undo extra whitespace changes in v1 and v2
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1369044801-7594-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7604
(cherry picked from commit 598e03f0e7bce434e501a9895819f2af0714d5f6)
Josh Cepek [Thu, 16 May 2013 14:09:23 +0000 (09:09 -0500)]
Fix Windows script execution when called from script hooks
Console applications under Windows, such as batch scripts, require the
CREATE_NO_WINDOW process flag when run without an actual console window
present. This change allows such scripts to execute and impact the hook
status by way of their return code.
Gert Doering [Fri, 3 May 2013 19:13:24 +0000 (21:13 +0200)]
Fix NULL-pointer crash in route_list_add_vpn_gateway().
Add ASSERT() check to route_list_add_vpn_gateway() to ensure that *rl
is valid (and if not, crash with a somewhat more meaningful message than
"segmentation violation"). For the actual bugfix, change init code to
always allocate a "struct route_list" for IPv4, even if no --route options
have been seen in the config.
Fix trac#281 and trac#258.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Josh Cepek <josh.cepek@usa.net>
Message-Id: <1367608404-2257-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7581
(cherry picked from commit eb95f367348f4c2aae301cfa7c3adc8e0f2e711e)
This fixes an issue where a segfault happens in pf_cn_test() if no
packet filtering rules have been parsed. See the trac ticket for
more details.
Trac: 163 Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit 31e5f34f3c6cf3aa6f120d22c415ac74a5ba1639)
projects / thirdparty / openvpn.git / log
