| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
|
|
|
| |
Commit a4b8f653ee5be9c2292c removed the #ifdefs for ENABLE_HTTP_PROXY and
ENABLE_SOCKS, thus making this "if (false) ; else if (...)" construct
superfluous. Spotted by David Sommerseth.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1429649352-21034-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9603
|
|
|
|
|
|
|
|
|
|
|
|
| |
The static helper function possibly_become_daemon() is called only once,
by do_init_first_time(), which checks 'first_time' to be true before
calling possibly_become_daemon(). This makes the parameter useless.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1427328089-886-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9555
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support for using certificates stored in the Mac OSX
Keychain to authenticate with the OpenVPN server. This works with
certificates stored on the computer as well as certificates on hardware
tokens that support Apple's tokend interface. The patch is based on
the Windows Crypto API certificate functionality that currently exists
in OpenVPN.
This patch version implements management client which handles RSA-SIGN
command for RSA offloading. Also it handles new 'NEED-CERTIFICATE'
request to pass a certificate from the keychain to OpenVPN.
OpenVPN itself gets new 'NEED-CERTIFICATE" command which is called when
--management-external-cert is used. It is implemented as a multiline
command very similar to an existing 'RSA-SIGN' command.
The patch is against commit 3341a98c2852d1d0c1eafdc70a3bdb218ec29049.
v4:
- added '--management-external-cert' argument
- keychain-mcd now parses NEED-CERTIFICATE argument if 'auto' is passed
as cmdline's identity template
- fixed typo in help output option name
- added '--management-external-cert' info in openvpn(8) manpage
- added 'certificate' command documentation into doc/management-notes.txt
v3:
- used new 'NEED-CERTIFICATE' command for certificate data request
instead of 'NEED-OK'
- improved option checking
- improved invalid certificate selection string handling
- added man page for keychain-mcd
- handle INFO, FATAL commands from openvpn and show them to user
* ACK from Arne Schwabe for OpenVPN part
* ACK from James based on Arne's testing
v2 (http://sourceforge.net/p/openvpn/mailman/message/33225603/):
- used management interface to communicate with OpenVPN process
v1 (http://sourceforge.net/p/openvpn/mailman/message/33125844/):
- used RSA_METHOD to extend openvpn itself
Signed-off-by: Vasily Kulikov <segoon@openwall.com>
--
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20150225160718.GA6306@cachalot>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9486
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The previous Linux/iproute2 code converted binary netmasks to string
representation (print_in_addr_t()), just to immediately scanf() it back
to binary to count bits. netmask_to_netbits2() directly works on the
in_addr_t.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1419713983-16272-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9360
|
|
|
|
|
|
|
|
|
| |
get_ipv6_addr() returns "bool/false", not "int < 0" to signal error.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1425819401-18465-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9532
|
|
|
|
|
|
|
|
|
|
| |
Makes it a lot easier to see which client is floating.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <1425745391-8069-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9526
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Due to this bug, mssfix hasn't been assigned to fragment value
and used default value (1450) instead. As a consequence, TCP packets
get fragmented, which causes performance penalty.
Since dual stack patch (commit 23d61c56b9fd218c39ad151b01b7e2d6690e6093)
OpenVPN uses options->connection_list, even for single remote.
This fix assigns mssfix value to fragment value for connection_entry
inside connection_list instead of connection_entry inside options struct
(which does not work for connection_list case).
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1425587636-23338-1-git-send-email-lstipakov@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9507
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is an alternative patch to fix the issue reported in trac #515 by
Jorge Peixoto. Instead of increasing the TLS_USERNAME_LEN define, do +1 at
the relevant places in the code.
Also see Jorge's original patch and the discussion on the maillinglist:
http://thread.gmane.org/gmane.network.openvpn.devel/9438
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <54F8CC9B.9040104@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9508
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
| |
Just a precaution, this could never fail in the current code since in the
one place this function is called, the cn is already zero-initialized.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1425592716-14243-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9511
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
We now only support OpenSSL 0.9.8+, so we don't have to work around the bug
in 0.9.6b anymore. Also, OBJ_txt2nid() now takes a const char * (instead
of a char *), so we no langer have to cast away const.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1425592716-14243-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9512
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
| |
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1425479025-7573-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9502
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CBC mode is the only mode that OpenVPN supports that needs padding. So,
only include the worst case padding size in the frame size calculation when
using CBC mode.
While doing so, rewrite crypto_adjust_frame_parameters() to be better
readable, and provide debug output (for high debug levels).
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1406667144-17674-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8952
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, the code would print IPv4-mapped format ("::ffff:1.2.3.4"),
which is technically correct but adds no extra value, and is confusingly
different from the output if using a v4 socket. Print "1.2.3.4" instead,
whatever socket type is used.
Affects client IP address in log file, status output (mroute_addr_print_ex),
and environment (setenv_sockaddr).
The fact that a dual-stack socket was used is still visible in the initial
peer connect message in the log:
'... Peer Connection Initiated with [AF_INET6]::ffff:1.1.3.4:53779'
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1419875325-96015-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9363
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of statically increasing link-mtu by +3, keep the old value for
OCC compatibility with old servers/clients, and only increase link-mtu
if peer-id option is enabled (right now: is pushed by server).
If link-mtu has been set in the config, keep configured value, and log
warning (because the extra overhead has to decrease tun-mtu).
Reserve extra +3 bytes in frame->extra_link.
v2: use frame->extra_link, not frame->extra_buffer (receive path on server)
introduce frame_add_to_link_mtu() to manipulate frame->link_mtu value
rework comments to make more clear what is happening
This reverts commit f95010ad247a8998e0c39e394236251fca316849.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1423390725-13438-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9450
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As reported in trac #502, SSL compression can cause problems in some corner
cases. OpenVPN does not need SSL compression, since the control channel is
low bandwidth. This does not influence the data channel compressen (i.e.
--comp or --comp-lzo).
Even though this has not yet been relevant for OpenVPN (since an attacker
can not easily control contents of control channel messages), SSL
compression has been used in the CRIME and BREACH attacks on TLS. TLS 1.3
will probably even remove support for compression all together, for
exactly this reason.
Since we don't need it, and SSL compression causes issues, let's just
disable it in OpenSSL builds. PolarSSL has no run-time flag to disable
compression, but is by default compiled without compression.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1424010266-5910-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9453
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes a warning about a mismatch between a fprintf format string
and an argument type on Darwin-64-bit builds:
%lu specifies type 'unsigned long' but the argument has type
'__darwin_suseconds_t' (aka 'int')
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <CAEsd45SoC+h5tcDraZcQN_MUYzqWYOVvNpkwMo190DLpB32StQ@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9446
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
In certain cases buf.len can be -1, which causes BPTR to return NULL and
NULL pointer dereferencing on the next line.
As a fix, process only packets with non-zero length.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1423226280-9580-1-git-send-email-lstipakov@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9444
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Data channel packet using P_DATA_V2 will use three bytes extra for the
peer-id. This needs to be accounted for, otherwise OpenVPN will throw
TCP/UDP packet too large on write to [AF_INET]10.1.1.1:1194
warnings.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <1422042761-10014-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9418
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Existing check didn't take into account the case when floated client is
lame duck (CN for lame duck is NULL), which allowed lame duck to float
to an address taken by another client.
As a fix we use cert_hash_compare function which, besides fixing
mentioned case, also allows lame duck to float to an address already
taken by the same client.
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1420658798-29943-1-git-send-email-lstipakov@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9386
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As requested on the mailing list and in trac ticket #410, add an option to
disable 'traditional' Diffie Hellman key exchange. People want to be able
to create ecdh-only configurations.
This patch also disables RSA key exchange by default for OpenSSL builds, to
prevent that people who set "--dh none" but have an OpenSSL version that
doesn't support ECDH end up with a less secure connection. Note that users
that specify their own --tls-cipher override these defaults and thus can
still use whatever OpenSSL supports (and might thus end up with less secure
connections).
PolarSSL does not allow to easily disable RSA key exchange during runtime,
but its default compile options do not include RSA key exchange based
cipher suites.
Finally update the manpage to reflect the new behaviour, and while touching
it change the text to motivate users towards a more secure configuration.
v2 - disable RSA key exchange by default
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1420141569-11773-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9376
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
v2 - don't wrap string for a couple of words, and be more consistent
with wrapping (use curly braces for ifs with wrapping statements)
v3 - change an incorrect crypto_msg() call back to msg()
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <54A430A2.5000409@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9374
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove the --disable-ssl configure option and accompanying ENABLE_SSL
defines in the master/2.4 branch, to reduce the code and testing
complexity a bit.
This does not remove to runtime option to run without SSL, just the compile
time option to not include any SSL-related code.
During the community meeting in November 2014 there were no objections
amongst he developers present. Also, this has been announced on the -users
and -devel mailing lists two weeks ago, without any response whatsoever.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <54A4248A.1090501@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9371
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Overzealous users using the --tls-cipher option, or users with actual
incompatible crypto libaries often waste quite some time debugging the
'no shared cipher' error from openssl. See e.g. trac ticket #359:
https://community.openvpn.net/openvpn/ticket/359
This change adds a more clear, verb 1 error message reporting the problem
directly to the user, instead of just printing the openssl error.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <544EB12E.40200@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9209
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This works towards removing OpenSSL-specific error printing code from
error.c. The crypto_msg() functions provide convenience wrappers, specific
to OpenSSL. Instead of passing the magical 'M_SSLERR' flag to msg(), a
developer now just calls crypto_msg() to get OpenSSL errors dumped to log.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1414269324-14102-5-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9199
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
| |
The logic which is used on BSD is preserved. The only distinction
is that illumos doesn't provide sa_len field in sockaddr structures.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1413315802-62359-5-git-send-email-alp@rsu.ru>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9129
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
OpenVPN's current cryptoapicert implementation does not support TLS 1.2
(and newer). Fixing this requires a rewrite of our cryptoapi code to use
Microsofts' "Cryptography API: Next Generation", and several hacks to work
around that API. As long as we don't fix that, make openvpn automatically
cap the TLS version to 1.1 when using cryptoapi (and tell the user we're
doing so). This enables the user to use cryptoapi + TLS version
negotiation (upto TLS 1.1) without having to change his configuration.
This patch has been tested on Windows 8.1 for both the master and
release/2.3 branches.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1419762313-31233-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9361
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
| |
Trac: 490
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1418905506.21260.6.camel@infradead.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9355
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a91a06cb291414c9e657377e44f7a57343ae7f5a)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the user specifies --pkcs11-id or --pkcs-id-management but neglects
to explicitly provide a --pkcs11-provider argument, and if the system
has p11-kit installed, then load the p11-kit proxy module so that the
system-configured tokens are available.
Trac: 490
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1418303015.31745.78.camel@infradead.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9342
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6f1d3cf062d5c33cbad4d521d157d43d53ffc7d1)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The coding style was somewhat chaotic. Cleaning it up using the astyle
tool. The style parameters are coherent to what was agreed upon at the
Munich Hackathon 2014 [1].
astyle --style=allman --indent=spaces=4 -c
Also included a "Local variables" section which some editors may pick
up automatically.
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1418078751-3614-1-git-send-email-openvpn.list@topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9331
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The assert(0) happening if trying to use --tcp-nodelay in a client
config is really not helpful at all. When this assert(0) was removed,
another warning appeared that this could only be used in server
configs. That itself is also quite silly, as clients can choose to
use --socket-flags TCP_NODELAY in the client config instead. This
behaviour does not help the user in any way.
This patch removes the server-only restriction and rather provides
a more helpful warning when using --tcp-nodelay on the client side.
Trac: 489
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: 1418118764-17846-1-git-send-email-openvpn.list@topphemmelig.net
URL: http://article.gmane.org/gmane.network.openvpn.devel/9334
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Removed a few compiler warnings:
down-root.c:164:4: warning: implicit declaration of function 'warn'
[-Wimplicit-function-declaration]
down-root.c:239:5: warning: implicit declaration of function 'err'
[-Wimplicit-function-declaration]
down-root.c:461:7: warning: unused variable 'i' [-Wunused-variable]
down-root.c:460:15: warning: unused variable 'p' [-Wunused-variable]
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: 1418074541-24987-1-git-send-email-openvpn.list@topphemmelig.net
URL: http://article.gmane.org/gmane.network.openvpn.devel/9327
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For every float event we generate prefix, which allocates 256 + 64
bytes. That memory is reclaimed when client disconnects, so long lasting
and constantly floating sessions drain memory.
As a fix use preallocated buffer inside multi_instance for storing
multi_prefix.
Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: 1418057325-13265-1-git-send-email-lstipakov@gmail.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/9321
Signed-off-by: David Sommerseth <davids@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds peer-id to the status output which might help analyze floating
logs. This will change the output of status in the same way commit
662ce6acc065bddf6490b3494725b8b3987b7def did.
Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: 1418058362-13480-1-git-send-email-lstipakov@gmail.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/9322
Signed-off-by: David Sommerseth <davids@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is not a full update, but just updates some data channel-related docs
I came across. Other pages probably need a bit of attention too.
Stuff that was changed:
* Explain data channel crypto format in crypto.h
* Add P_DATA_V1 and P_DATA_V2 packet format spec
* Remove '2.1' from title
* Update some OpenSSL-specific text
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1417978095-19427-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9318
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
| |
In older version OpenVPN would hash a --tls-auth file
if it does not conform to the expected format
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1417871704-30273-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9306
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
| |
If down-root fails it will now use warn() to provide some more information
about what went wrong, by retrieving the error message via errno.
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1416262460-9158-1-git-send-email-openvpn.list@topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9247
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The system() call is prone to shell expansions and provides far more
environments variables to the executable run than what is usually
preferred. By moving over to exevce() shell expansions are far more
difficult to achieve and only the OpenVPN provided environment
variables are available.
This is a response to the patch submitted to openvpn-devel ML:
http://article.gmane.org/gmane.network.openvpn.devel/7919
v2 - Pulling it up again, fixing a few whitespace and spelling issues
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1416148262-20978-1-git-send-email-openvpn.list@topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9238
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
... by not incorrectly hinting to the compiler the function argument of
cipher_kt_mode_{cbc,ofb_cfb}() is nonnull, since that no longer is the
case.
Verified the fix on Debian Wheezy, one of the platforms the reporter in
trac #473 mentions with a compiler that would optimize out the required
checks.
Also add a testcase for --cipher none to t_lpback, to prevent further
regressions.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1417552920-31770-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9300
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes a denial-of-service vulnerability where an authenticated client
could stop the server by triggering a server-side ASSERT().
OpenVPN would previously ASSERT() that control channel packets have a
payload of at least 4 bytes. An authenticated client could trigger this
assert by sending a too-short control channel packet to the server.
Thanks to Dragana Damjanovic for reporting the issue.
This bug has been assigned CVE-2014-8104.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1CED409804E2164C8104F9E623B08B9018803B0FE7@FOXDFT02.FOX.local>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Added new packet format P_DATA_V2, which includes peer-id. If server
supports, client sends all data packets in the new format. When data
packet arrives, server identifies peer by peer-id. If peer's ip/port has
changed, server assumes that client has floated, verifies HMAC and
updates ip/port in internal structs.
Changes in v7:
A few nitpicks.
Changes in v6:
Fixed: Make sure float won't happen if hmac check failed (regression).
Fixed: Access outside of bounds of array, which has caused memory
corruption and crash.
Various review fixes.
Changes in v5:
Protection agains replay attack by commiting float changes only after
existing packet processing flow has completed.
If peer floats to an address which is already taken by another active
session, drop float packet, otherwise disconnect existing session.
Changes in v4:
Handles correctly float to an address which is used by another peer.
This also has fixed crash on assert in multi_client_disconnect.
Changes in v3:
Bugfix: If float happens after TLS renegotiation and there are no
data packets between reneg and float, server will not recognize floated
client.
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1416755831-21250-1-git-send-email-lstipakov@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9270
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
| |
Found via cppcheck and compile-tested.
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1416745303-23641-1-git-send-email-yegorslists@googlemail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9266
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
| |
Found via cppcheck and compile-tested.
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1416687215-26904-1-git-send-email-yegorslists@googlemail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9263
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add missing #define for IPV6_V6ONLY sockopt.
Fix last remaining fallout of dual-stack patch set in connect() call
for "not CONNECT_NONBLOCK" case.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1416257903-24629-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9246
|
|
|
|
|
|
|
|
|
|
| |
Just add a few valid casts that shut up mingw gcc.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1416068708-6871-2-git-send-email-heiko.hund@sophos.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9229
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The local member in struct link_socket_address went away a while ago.
Fixing the code to compile again under Windows. While there, also
fix the code to deal with struct link_socket_info.af == AF_UNSPEC
(The breakage this fixes was introduced by the dual-stack socket
rework, most likely commit 6c5db192c30ff0c6b89e2e0aefec00329de39302)
Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1416068708-6871-1-git-send-email-heiko.hund@sophos.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9228
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Because using TLS 1.2 breaks certain setups, a user might want to enforce
a maximum TLS version to use. This patch adds that option.
This patch removes a number of #ifdefs from ssl_polarssl.c, because the
polarssl versions we currently support (polar 1.2 for openvpn 2.3, and
polar 1.3 for openvpn-master) have all versions unconditionally enabled.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <544EC052.3080809@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9210
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some commits ago, the cipher mode checks were cleaned up to
remove code duplication (and fix the issue in #471), but broke
'--cipher none' (reported in #473). This commit fixes that.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <545DED2C.5070002@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9217
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
| |
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1414230851-5350-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9195
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6e469f46e94b2bd0fc1509f2bfbda4d6b5374b14)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Between versions 1.2 and 1.3, polarssl changed the errors
returned by the X509 parsing functions, which broke the OpenVPN
implementation for password protected private keys in polarssl
builds. This patch fixes that by checking for the new errors in
OpenVPN.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <5432E951.6020405@fox-it.com>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Modification to address bug where OpenVPN enters state where it is
unresponsive and cannot be terminated. Log output is continuous spew
of "code=995" errors.
Revised fix for code=995 sped bug.
Adding new tap adapters while connected:
https://community.openvpn.net/openvpn/ticket/430
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1413961660-19251-2-git-send-email-samuli@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9165
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1413961660-19251-3-git-send-email-samuli@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9167
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|