David Sommerseth [Fri, 19 Feb 2010 16:32:56 +0000 (17:32 +0100)]
verb 5 logging wrongly reports received bytes
With --verb 5, openvpn logs a single letter (rwRW) for each package
received or sent. I recently ran into a problem with the tun device on
Linux where the read from that device returned 0. Unfortunately this was
also logged as "r", which made me assume that openvpn had received
something, while it actually hadn't.
(See https://dev.openwrt.org/ticket/6650 for the bug that made me find out
about this problem with openvpn.)
I'm attaching a patch which prevents openvpn from logging "r" or "R" when
it didn't actually read anything. This is against openvpn 2.1-rc20, but
probably still applies to the most recent version.
This patch was received anonymously via the sf.net bug tracker:
<http://sourceforge.net/tracker/?func=detail&atid=454719&aid=2951003&group_id=48978>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Karl O. Pinc [Thu, 18 Feb 2010 20:30:48 +0000 (21:30 +0100)]
[PATCH] Change verify-cn so cn is no longer hardcoded in openvpn's config file
This patch should be easy to process.
A resubmission of the patch sent to this list on 04/23/2009.
The patch changes the verify-cn script sample
to be used with --tls-verify so that instead of having
to hardcode a cn to verify in the OpenVPN configuration file
the allowed cns may be written into a separate file.
This makes the process of verifying cns a whole
lot more dynamic, to the point where it is useful
in the real world.
One problem with this patch is that it is backwards
incompatible. I did not bother keeping the original
calling interface as A) it's a sample script, and B) the
original's functionality seems useless
and equalivant functionality is easily available
with the new script.
The problem with the original is that there seems
little point in verifying a client's cn when all
the clients share one cn, as would have to be
the case when the cn is hardcoded into the openvpn
config file.
This patch applies against the testing allmiscs branch,
and should apply against any of the other testing
branches as well.
It works for me. I've tested it throughly but not
used it extensively in production.
Regards,
Karl <kop@meme.com>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Eric F Crist <ecrist@secure-computing.net>
James Yonan [Fri, 20 Aug 2010 20:24:42 +0000 (20:24 +0000)]
Attempt to fix issue where domake-win build system was not properly
signing drivers and .exe files.
Added win/tap_span.py for building multiple versions of the TAP driver
and tapinstall binaries using different DDK versions to span from Win2K
to Win7 and beyond.
James Yonan [Sun, 15 Aug 2010 21:53:00 +0000 (21:53 +0000)]
Windows security issue:
Fixed potential local privilege escalation vulnerability in
Windows service. The Windows service did not properly quote the
executable filename passed to CreateService. A local attacker
with write access to the root directory C:\ could create an
executable that would be run with the same privilege level as
the OpenVPN Windows service. However, since non-Administrative
users normally lack write permission on C:\, this vulnerability
is generally not exploitable except on older versions of Windows
(such as Win2K) where the default permissions on C:\ would allow
any user to create files there.
Credit: Scott Laurie, MWR InfoSecurity
James Yonan [Tue, 27 Jul 2010 07:10:01 +0000 (07:10 +0000)]
Fixed an issue where application payload transmissions on the
TLS control channel (such as AUTH_FAILED) that occur during
or immediately after a TLS renegotiation might be dropped.
James Yonan [Sat, 10 Jul 2010 03:04:27 +0000 (03:04 +0000)]
Fixed bug in proxy fallback capability where openvpn.exe could
core dump if http-proxy-fallback-disable command was issued in
response to ">PROXY:NEED_NOW management" interface notification.
Emilien Mantel [Thu, 17 Jun 2010 19:38:59 +0000 (21:38 +0200)]
Choose a different field in X509 to be username
For my company, we use a PKI (linked to a LDAP) with OpenVPN. We can't use "CN" to be
username (few people can have the same "CN"). In our case, we only use the UID.
With my patch, you can choose another field to be username with a new option called
--x509-username-field, the default value is "CN".
Signed-off-by: Emilien Mantel <emilien.mantel@businessdecision.com> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
James Yonan [Thu, 10 Jun 2010 03:17:21 +0000 (03:17 +0000)]
Fixed issue where bad creds provided by the management interface
for HTTP Proxy Basic Authentication would go into an infinite
retry-fail loop instead of requerying the management interface for
new creds.
James Yonan [Mon, 24 May 2010 22:51:16 +0000 (22:51 +0000)]
Implemented http-proxy-override and http-proxy-fallback directives to make it
easier for OpenVPN client UIs to start a pre-existing client config file with
proxy options, or to adaptively fall back to a proxy connection if a direct
connection fails.
David's patch replaced openvpn_execve() with openvpn_run_script() in two places,
but didn't adjust the return value handling. openvpn_run_script() returns true
or false, while openvpn_execve() returns the program's exit code.
Without the fix, the --tls-verify script and the --auth-user-pass-verify
script fail to run. (I noticed the latter, but haven't actually tested the
former.)
The return value handling is fine for the other places where
openvpn_run_script() is used, because those places previously used
openvpn_execve_check() (notice the "_check" suffix).
Signed-off-by: Fabian Knittel <fabian.knittel@avona.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth [Thu, 29 Apr 2010 21:35:45 +0000 (23:35 +0200)]
Revamped the script-security warning logging (version 2)
The main task of this patch is to avoid reporting the SCRIPT_SECURITY_WARNING
over and over again, in addition to not show this warning when it should not
be a problem. This general warning should now only appear once, and only when
--script-security is not set, 0 or 1. In all other cases this warning should
not appear.
In addition, this warning will come close to the script-hook which most probably
will fail. It will also give a little bit more concrete hint on which script-hook
which failed. If --script-security is 2 or 3, only the execve failure itself will
be shown. This message will on the other hand be shown repeatedly.
This is a new rewritten version which simplifies the implementaion of the new
openvpn_run_script() function. It was considered to remove it completely, but
due to code clearity and easy of use it was decided to make this function a static
inline function instead. Anyhow, this function will enforce openvpn_execve_check()
to be called with the S_SCRIPT flag.
Patch ACKed on the developers meeting 2009-04-29.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
David Sommerseth [Thu, 22 Apr 2010 21:01:31 +0000 (23:01 +0200)]
Fix dependency checking for configure.h (v2)
Alon Bar-Lev indicated commit f27bf509315a48b0070294c3993a718df0c2626c
was missing proper dependency checking. This patch corrects this and
fixes an issue when creating configure.h via make distcheck.
This is an enhanced version of the one sent to the openvpn-devel mailing
list April 13, 2010 [1], after having received some feedback from Gert
Doering, cleaning up configure_log.awk further.
Add comile time information/settings from ./configure to --version
This patch will create ./configure.h which will contain two new #define
strings. CONFIGURE_DEFINES will contain all USE, ENABLED, DISABLED and
DEPRECATED defines from ./config.h. CONFIGURE_CALL will contain the
complete ./configure line which was used when configuring the package
for building.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
James Yonan [Sat, 6 Mar 2010 15:38:23 +0000 (15:38 +0000)]
Fixed an issue where if reneg-sec was set to 0 on the client,
so that the server-side value would take precedence,
the auth_deferred_expire_window function would incorrectly
return a window period of 0 seconds. In this case, the
correct window period should be the handshake window
period.
Wil Cooley [Tue, 2 Mar 2010 20:54:15 +0000 (21:54 +0100)]
pkitool lacks expected option "--help"
The pkitool script lacks the "--help" parameter to actually display the
usage statement; most people are conditioned to try that before running the
command without options. This patch adds that and "--version" to display
just the program name and version.
Karl O. Pinc [Tue, 2 Mar 2010 20:41:06 +0000 (21:41 +0100)]
Several updates to openvpn.8 (man page updates)
This is a collection of 4 patches sent to the -devel mailing list:
* [PATCH] Frob the openvpn(8) man page tls-verify section to clarify
* [PATCH] More improvments to openvpn(8) --tls-verify
* [PATCH] Yet another tweak of openvpn(8) --tls-verify
* [PATCH] Final frobbing of openvpn(8) --tls-verify
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
It should be nice to enhance tls-verify check possibilities against peer
cert during a pending TLS connection like :
- OCSP verification
- check any X509 extensions of the peer certificate
- delta CRL verification
- ...
This patch add a new "tls-export-cert" option which allow to get peer
certificate in PEM format and to store it in an openvpn temporary file.
Peer certificate is stored before tls-script execution and deleted after.
The name of the related temporary file is available under tls-verify
script by an environment variable "peer_cert".
The patch was made from OpenVPN svn Beta21 branches.
Here is a very simple exemple of Tls-verify script which provide OCSP
support to OpenVPN (with tls-export-cert option) without any OpenVPN
"core" modification :
X509=$2
openssl ocsp \
-issuer /etc/openvpn/ssl.crt/RootCA.pem \
-CAfile /etc/openvpn/ssl.capath/OpenVPNServeur-cafile.pem \
-cert $peer_cert \
-url http://your-ocsp-url
if [ $? -ne 0 ]
then
echo "error : OCSP check failed for ${X509}" | logger -t
"tls-verify"
exit 1
fi
This has been discussed here:
<http://thread.gmane.org/gmane.network.openvpn.devel/2492>
<http://thread.gmane.org/gmane.network.openvpn.devel/3150>
<http://thread.gmane.org/gmane.network.openvpn.devel/3217>
This patch has been modified by David Sommerseth, by fixing a few issues
which came up to during the code review process. The man page has been
updated and tmp_file in ssl.c is checked for not being NULL before calling
delete_file().
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Enrico Scholz [Sun, 28 Feb 2010 13:40:57 +0000 (14:40 +0100)]
Allow 'lport 0' setup for random port binding
I am running a multihomed host where 'local <extip>' must be specified
for proper operation. Unfortunately, this implies 'lport 1194' or
another static port.
This causes problems with stateful firewalls which register the host/port
pairs in the internal connection tracking table. On ungraceful reconnects,
the new TCP connection will have same the host/port pairs but unexpected
sequence numbers. The new connection will be assumed as invalid hence and
be dropped.
It would be nice when local port can be configured to be bound to a
random port number. After reading code,
| else if (streq (p[0], "lport") && p[1])
| ...
| port = atoi (p[1]);
|- if (!legal_ipv4_port (port))
|+ if (port != 0 && !legal_ipv4_port (port))
| {
in options.c seems to be the only required change.
This has been discussed here:
<http://thread.gmane.org/gmane.network.openvpn.user/28622>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
James Yonan [Fri, 26 Feb 2010 10:26:45 +0000 (10:26 +0000)]
Fixed an issue in the Management Interface that could cause
a process hang with 100% CPU utilization in --management-client
mode if the management interface client disconnected at the
point where credentials are queried.
james [Fri, 26 Feb 2010 10:26:45 +0000 (10:26 +0000)]
Fixed an issue in the Management Interface that could cause
a process hang with 100% CPU utilization in --management-client
mode if the management interface client disconnected at the
point where credentials are queried.
David Sommerseth [Fri, 19 Feb 2010 16:32:56 +0000 (17:32 +0100)]
verb 5 logging wrongly reports received bytes
With --verb 5, openvpn logs a single letter (rwRW) for each package
received or sent. I recently ran into a problem with the tun device on
Linux where the read from that device returned 0. Unfortunately this was
also logged as "r", which made me assume that openvpn had received
something, while it actually hadn't.
(See https://dev.openwrt.org/ticket/6650 for the bug that made me find out
about this problem with openvpn.)
I'm attaching a patch which prevents openvpn from logging "r" or "R" when
it didn't actually read anything. This is against openvpn 2.1-rc20, but
probably still applies to the most recent version.
This patch was received anonymously via the sf.net bug tracker:
<http://sourceforge.net/tracker/?func=detail&atid=454719&aid=2951003&group_id=48978>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Karl O. Pinc [Thu, 18 Feb 2010 20:30:48 +0000 (21:30 +0100)]
[PATCH] Change verify-cn so cn is no longer hardcoded in openvpn's config file
This patch should be easy to process.
A resubmission of the patch sent to this list on 04/23/2009.
The patch changes the verify-cn script sample
to be used with --tls-verify so that instead of having
to hardcode a cn to verify in the OpenVPN configuration file
the allowed cns may be written into a separate file.
This makes the process of verifying cns a whole
lot more dynamic, to the point where it is useful
in the real world.
One problem with this patch is that it is backwards
incompatible. I did not bother keeping the original
calling interface as A) it's a sample script, and B) the
original's functionality seems useless
and equalivant functionality is easily available
with the new script.
The problem with the original is that there seems
little point in verifying a client's cn when all
the clients share one cn, as would have to be
the case when the cn is hardcoded into the openvpn
config file.
This patch applies against the testing allmiscs branch,
and should apply against any of the other testing
branches as well.
It works for me. I've tested it throughly but not
used it extensively in production.
Regards,
Karl <kop@meme.com>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Eric F Crist <ecrist@secure-computing.net>
David Sommerseth [Thu, 18 Feb 2010 20:20:14 +0000 (21:20 +0100)]
Do not randomize resolving of IP addresses in getaddr()
Based on a discussion on the mailing list and in the IRC meeting Feb 18,
it was decided to remove get_random() from the getaddr() function as that
can conflict with round-robin/randomization done by DNS servers.
This change must be documented in the release notes.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
james [Tue, 12 Jan 2010 18:26:22 +0000 (18:26 +0000)]
When aborting in a non-graceful way, try to execute do_close_tun in
init.c prior to daemon exit to ensure that the tun/tap interface is
closed and any added routes are deleted.
james [Fri, 11 Dec 2009 23:44:34 +0000 (23:44 +0000)]
Fixed some breakage in openvpn.spec (which is required to build an
RPM distribution) where it was referencing a non-existent
subdirectory in the tarball, causing it to fail (patch from
David Sommerseth).
james [Thu, 10 Dec 2009 23:50:03 +0000 (23:50 +0000)]
Fixed a couple issues in sample plugins auth-pam.c and down-root.c:
1. Fail gracefully rather than segfault if calloc returns NULL.
2. The openvpn_plugin_abort_v1 function can potentially be called
with handle == NULL. Add code to detect this case, and if
so, avoid dereferencing pointers derived from handle.
(Thanks to David Sommerseth for finding this bug).
james [Thu, 19 Nov 2009 16:42:51 +0000 (16:42 +0000)]
Fixed a client-side bug that occurred when the "dhcp-pre-release"
or "dhcp-renew" options were combined with "route-gateway dhcp".
The problem is that the IP Helper functions for DHCP release and
renew are blocking, and so calling them from a single-threaded
client stops tunnel traffic forwarding, and hence breaks
"route-gateway dhcp" which requires an active tunnel. The fix is
to call the IP Helper functions for DHCP release and renew from
another process.
james [Fri, 16 Oct 2009 16:31:01 +0000 (16:31 +0000)]
Added "setenv GENERIC_CONFIG" directive, for generic configs
that cannot directly be used as a config file. The directive
will simply cause OpenVPN to exit with an error if a generic
config file is used.
james [Thu, 1 Oct 2009 21:08:40 +0000 (21:08 +0000)]
client-kill management interface command, when issued on server, will
now send a RESTART message to client.
This feature is intended to make UDP clients respond the same as TCP
clients in the case where the server issues a RESTART message in
order to force the client to reconnect and pull a new options/route
list.
james [Tue, 29 Sep 2009 23:10:14 +0000 (23:10 +0000)]
Added the ability for the server to provide a custom reason string
when an AUTH_FAILED message is returned to the client. This
string can be set by the server-side managment interface and read
by the client-side management interface.
For more info, see management/management-notes.txt, and look for
references to "client-reason-text".
james [Mon, 28 Sep 2009 07:50:30 +0000 (07:50 +0000)]
Fixed a bug introduced in r4436 (2.1_rc17) where using the
redirect-gateway option by itself, without any extra parameters,
would cause the option to be ignored.
james [Mon, 28 Sep 2009 07:27:22 +0000 (07:27 +0000)]
Added --server-poll-timeout option : when polling possible remote
servers to connect to in a round-robin fashion, spend no more than
n seconds waiting for a response before trying the next server.
james [Sun, 27 Sep 2009 02:12:15 +0000 (02:12 +0000)]
Eliminated the limitation on the number of options that can be pushed
to clients, including routes. Previously, all pushed options needed
to fit within a 1024 byte options string.
Remember that to make use of this feature to allow many routes to
be pushed to clients, the client config file must specify the
max-routes option, and the number of pushed routes cannot exceed
this limit. Also, both server and client must include this commit.
james [Thu, 17 Sep 2009 23:43:37 +0000 (23:43 +0000)]
The maximum number of "route" directives (specified in the config
file or pulled from a server) can now be configured via the new
"max-routes" directive.
Previously, the limit was set to 100 and fixed by a compile-time
constant. Now the limit is dynamic and can be modified by the
"max-routes" directive. If max-routes is not specified, the default
limit is 100.
Note that this change does not address the maximum size of the
pushed options string sent from server to client, which is still
controlled by the TLS_CHANNEL_BUF_SIZE compile-time constant.
james [Wed, 16 Sep 2009 18:58:49 +0000 (18:58 +0000)]
Modified client to send a PUSH_REQUEST message to server 1 second
after connection initiation rather than 0 seconds after.
Successive PUSH_REQUEST messages after the first will continue to be
sent at 5 second intervals until a response is received. This tends
to speed up the client connection sequence by 4 seconds because the
first PUSH_REQUEST message is usually sent too soon and is dropped,
causing a wait of 5 seconds until the next PUSH_REQUEST message is
sent.
james [Mon, 22 Jun 2009 20:48:35 +0000 (20:48 +0000)]
In Windows TAP driver, refactor DHCP/ARP packet injection code to
use a DPC (deferred procedure call) to defer packet injection until
IRQL < DISPATCH_LEVEL, rather than calling NdisMEthIndicateReceive
in the context of AdapterTransmit. This is an attempt to reduce kernel
stack usage, and prevent EXCEPTION_DOUBLE_FAULT BSODs that have been
observed on Vista. Updated TAP driver version number to 9.6.
james [Mon, 22 Jun 2009 00:44:02 +0000 (00:44 +0000)]
Rename generated tapdrvr.cod to a unique name to avoid the issue where
building for multiple architectures causes the previous tapdrvr.cod to
be overwritten.
projects / thirdparty / openvpn.git / log
