The bounds check in read_key() was performed after using the value, instead
of before. If 'key-method 1' is used, this allowed an attacker to send a
malformed packet to trigger a stack buffer overflow.
Fix this by moving the input validation to before the writes.
Note that 'key-method 1' has been replaced by 'key-method 2' as the default
in OpenVPN 2.0 (released on 2005-04-17), and explicitly deprecated in 2.4
and marked for removal in 2.5. This should limit the number of users
impacted by this issue.
CVE: 2017-12166
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <80690690-67ac-3320-1891-9fecedc6a1fa@fox-it.com>
URL: https://www.mail-archive.com/search?l=mid&q=80690690-67ac-3320-1891-9fecedc6a1fa@fox-it.com
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit fce34375295151f548a26c2d0eb30141e427c81a)
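The commit above describes the general pattern of this class of bug: lengths taken from the wire were used for writes into fixed-size stack buffers before being validated. The following is an added illustration of the corrected ordering, not OpenVPN's read_key() or its key format; the wire layout (one length byte per key, then the key bytes), the struct key_material type, the limits MAX_CIPHER_KEY_LEN/MAX_HMAC_KEY_LEN and the function name read_key_checked are all constructed for this example. Every length is checked against both the remaining input and the destination capacity before a single byte is copied, so a malformed packet is rejected with no side effects on the caller's buffers.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical capacities of the fixed-size destination buffers. */
#define MAX_CIPHER_KEY_LEN 64
#define MAX_HMAC_KEY_LEN   64

struct key_material {
    uint8_t cipher[MAX_CIPHER_KEY_LEN];
    uint8_t hmac[MAX_HMAC_KEY_LEN];
    size_t  cipher_len;
    size_t  hmac_len;
};

/*
 * Constructed wire format for this example:
 *   1 byte cipher key length, cipher key bytes,
 *   1 byte HMAC key length, HMAC key bytes.
 * Returns 0 on success, -1 on malformed input. Nothing is written to *km
 * until every length has been validated against both the remaining input
 * and the capacity of the destination buffer.
 */
int read_key_checked(struct key_material *km, const uint8_t *buf, size_t len)
{
    size_t pos = 0;

    if (len < 1) {
        return -1;
    }
    size_t clen = buf[pos++];
    /* Check destination capacity and remaining input before touching km. */
    if (clen > MAX_CIPHER_KEY_LEN || clen > len - pos) {
        return -1;
    }
    const uint8_t *cipher = buf + pos;
    pos += clen;

    if (pos >= len) {            /* HMAC length byte must still be present */
        return -1;
    }
    size_t hlen = buf[pos++];
    if (hlen > MAX_HMAC_KEY_LEN || hlen > len - pos) {
        return -1;
    }
    const uint8_t *hmac = buf + pos;
    pos += hlen;

    if (pos != len) {            /* reject trailing garbage */
        return -1;
    }

    /* All bounds validated: only now write to the caller's struct. */
    memset(km, 0, sizeof *km);
    memcpy(km->cipher, cipher, clen);
    memcpy(km->hmac, hmac, hlen);
    km->cipher_len = clen;
    km->hmac_len = hlen;
    return 0;
}

/* Constructed sample inputs. */
static const uint8_t key_blob_good[]      = { 2, 0xAA, 0xBB, 1, 0xCC };
static const uint8_t key_blob_oversized[] = { 200, 0x01, 0x02 };  /* claims 200-byte key */
static const uint8_t key_blob_truncated[] = { 2, 0xAA };          /* key shorter than claimed */
struct key_material g_km;

int main(void)
{
    printf("good:      %d\n", read_key_checked(&g_km, key_blob_good, sizeof key_blob_good));
    printf("oversized: %d\n", read_key_checked(&g_km, key_blob_oversized, sizeof key_blob_oversized));
    printf("truncated: %d\n", read_key_checked(&g_km, key_blob_truncated, sizeof key_blob_truncated));
    return 0;
}
```

The oversized and truncated blobs are rejected before any memcpy, which is the property the fix restores: an attacker-controlled length can no longer select how many bytes land on the stack.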
Pre-authentication remote crash/information disclosure for clients
If clients use an HTTP proxy with NTLM authentication (i.e.
"--http-proxy <server> <port> [<authfile>|'auto'|'auto-nct'] ntlm2"),
a man-in-the-middle attacker between the client and the proxy can
cause the client to crash or disclose at most 96 bytes of stack
memory. The disclosed stack memory is likely to contain the proxy
password.
If the proxy password is not reused, this is unlikely to compromise
the security of the OpenVPN tunnel itself. Clients who do not use
the --http-proxy option with ntlm2 authentication are not affected.
CVE: 2017-7520
Signed-off-by: Guido Vranken <guidovranken@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=C62DZaxN32WNtQ@mail.gmail.com>
URL: https://www.mail-archive.com/search?l=mid&q=CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=C62DZaxN32WNtQ@mail.gmail.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7718c8984f04b507c1885f363970e2124e3c6c77)
(cherry picked from commit f38a4a105979b87ebebe9be1c3d323116d3fb924)
A malformed TCP header could lead to a one-byte overread when
searching for the MSS option (but as far as we know, with no
adverse consequences).
Change outer loop to always ensure there's one extra byte available
in the buffer examined.
Technically, this would cause OpenVPN to ignore the only single-byte
TCP option available, 'NOP', if it ends up being the very last
option in the buffer - so what, it's a NOP anyway, and all we
are interested in is MSS, which needs 4 bytes.
(https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml)
Found and reported by Guido Vranken <guidovranken@gmail.com>.
Trac: #745
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20170618194104.25179-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14874.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 22046a88342878cf43a9a553c83470eeaf97f000)
(cherry picked from commit 4d343fbe9166e14187775567db00c0a91017df83)
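The loop condition described above (always keep one extra byte available, at the cost of ignoring a trailing single-byte NOP) is easy to get wrong, so here is an added, self-contained illustration of it. This is not OpenVPN's mss.c code; find_tcp_mss and the sample headers are constructed for this example. The scan never reads the length byte unless it is inside the header, and it checks the option's declared length against the bytes remaining before reading the MSS value.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TCP_FIXED_HDR_LEN 20
#define TCP_OPT_EOL       0
#define TCP_OPT_NOP       1
#define TCP_OPT_MSS       2
#define TCP_OPT_MSS_LEN   4

/*
 * Scan the TCP option area of a header for the MSS option.
 * Returns the MSS value, or -1 if the header is too short, malformed,
 * or carries no MSS option. Hypothetical function for this example.
 */
int find_tcp_mss(const uint8_t *hdr, size_t len)
{
    if (len < TCP_FIXED_HDR_LEN) {
        return -1;
    }
    /* Data offset (upper nibble of byte 12) is in 32-bit words. */
    size_t doff = (size_t)(hdr[12] >> 4) * 4;
    if (doff < TCP_FIXED_HDR_LEN || doff > len) {
        return -1;
    }

    size_t i = TCP_FIXED_HDR_LEN;
    /* Require one extra byte beyond the kind byte, so hdr[i + 1] is always
     * in bounds. A lone NOP as the very last byte is therefore skipped. */
    while (i + 1 < doff) {
        uint8_t kind = hdr[i];
        if (kind == TCP_OPT_EOL) {
            return -1;
        }
        if (kind == TCP_OPT_NOP) {
            i++;
            continue;
        }
        uint8_t olen = hdr[i + 1];
        /* Every multi-byte option is at least 2 bytes and must fit. */
        if (olen < 2 || olen > doff - i) {
            return -1;
        }
        if (kind == TCP_OPT_MSS) {
            if (olen != TCP_OPT_MSS_LEN) {
                return -1;
            }
            return ((int)hdr[i + 2] << 8) | hdr[i + 3];
        }
        i += olen;
    }
    return -1;
}

/* Constructed sample headers: 20 fixed bytes (data offset in byte 12),
 * followed by the option area. */
static const uint8_t tcp_hdr_mss[24] = {
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0x60, 0, 0,0, 0,0, 0,0,
    0x02, 0x04, 0x05, 0xB4 };                  /* MSS = 1460 */
static const uint8_t tcp_hdr_nop_mss[28] = {
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0x70, 0, 0,0, 0,0, 0,0,
    0x01, 0x01, 0x02, 0x04, 0x05, 0xB4, 0x01, 0x00 };  /* NOP NOP MSS NOP EOL */
static const uint8_t tcp_hdr_trailing_nops[24] = {
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0x60, 0, 0,0, 0,0, 0,0,
    0x01, 0x01, 0x01, 0x01 };                  /* only NOPs, last one ignored */
static const uint8_t tcp_hdr_truncated_mss[24] = {
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0x60, 0, 0,0, 0,0, 0,0,
    0x01, 0x01, 0x02, 0x04 };                  /* MSS claims 4 bytes, 2 remain */

int main(void)
{
    printf("mss:       %d\n", find_tcp_mss(tcp_hdr_mss, sizeof tcp_hdr_mss));
    printf("nop+mss:   %d\n", find_tcp_mss(tcp_hdr_nop_mss, sizeof tcp_hdr_nop_mss));
    printf("nops only: %d\n", find_tcp_mss(tcp_hdr_trailing_nops, sizeof tcp_hdr_trailing_nops));
    printf("truncated: %d\n", find_tcp_mss(tcp_hdr_truncated_mss, sizeof tcp_hdr_truncated_mss));
    return 0;
}
```

The truncated case is the one the original loop got wrong: the MSS kind byte is in bounds, but its declared length runs past the end of the header, and the check on olen rejects it instead of reading past the buffer.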
Prevent the client from crashing if the peer does not specify
the 'realm' and/or 'nonce' values. These pointers are
dereferenced in DigestCalcHA1() and DigestCalcResponse();
hence, if not set, a null-pointer dereference would occur.
Signed-off-by: Guido Vranken <guidovranken@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1497574736-2092-1-git-send-email-gv@guidovranken.nl>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14844.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 14865773ad64d861128bc80ad44c37bdc307c996)
(cherry picked from commit 479b6d13d8c230c11b6315665bf00998a1424eef)
Refactor my_strupr such that it will not check and possibly alter bytes
after the string's null terminator for strings of length 0.
Signed-off-by: Guido Vranken <guidovranken@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <CAO5O-ELXwXgGtRFou=FY1TAhW4W4BHPZF4=rqSY877njtXNMJg@mail.gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14756.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 69162924de3600bfe8ae9708a1d6e3f4515ef995)
(cherry picked from commit 8dd598e89f25074f2d4d23f77cb601cf48a810e3)
Previously, if a mode was selected where packet ids are not allowed to roll
over, but renegotiation does not succeed for some reason (e.g. no password
entered in time, certificate expired or a malicious peer that refuses the
renegotiation on purpose) we would continue to use the old keys, until the
packet ID would roll over and we would ASSERT() out.
Given that this can be triggered on purpose by an authenticated peer, this
is a fix for an authenticated remote DoS vulnerability. An attack is
rather inefficient though; a peer would need to get us to send 2^32
packets (min-size packet is IP+UDP+OPCODE+PID+TAG (no payload), results in
(20+8+1+4+16)*2^32 bytes, or approx. 196 GB).
This is a fix for finding 5.2 from the OSTIF / Quarkslab audit.
This patch was cherry-picked from b727643c (release/2.3).
CVE: 2017-7479
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1494537221-12050-3-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14645.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The functions packet_id_alloc_outgoing() and packet_id_write() were
always called in tandem. Instead of forcing the caller to allocate a
packet_id_net to do so, merge the two functions. This simplifies the API
and reduces the chance of mistakes in the future.
This patch was cherry-picked from 5d747770 (release/2.3), with the unit
tests removed because release/2.2 does not have unit tests.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1494537221-12050-2-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14644.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
So 'make check' works again - the old keys were expired. These are now
the same keys as we use in release/2.3, release/2.4 and master.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1494537221-12050-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14643.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This really is a bugfix-only mini release - no new features, just
a few major bugs fixed in the 2.3.x series backported to 2.2.2.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The function incoming_push_message(...) in push.c uses a local variable
option_types_found, that gets passed to do_up(...).
If the server push got split into several parts, only the last part's
(PUSH_MSG_REPLY) option_types_found is used for do_up (initialized as 0
locally); the previous ones (PUSH_MSG_CONTINUATION) are ignored.
So e.g. a ping config, pushed by the server in the first push, followed
by a lot of "push route" configs, causing a second push message, will
have do_up() called, but without e.g. the OPT_P_TIMER flag, so those
options will be silently ignored.
The patch resolves that, by introducing "push_option_types_found" in
"c->options" and using that as storage.
Fix trac bug #349.
Acked-by: Gert Doering <gert@greenie.muc.de>
URL: https://community.openvpn.net/openvpn/ticket/349
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 1aac9a0b7a4046822a0134cd8693a828f2e16576)
The problem is located in the file proxy.c within
"establish_http_proxy_passthru": To keep buffers small, long
base64-encoded NTLM strings are truncated.
But the truncating is done in the wrong place: base64 strings can be
cut every 4 chars. The buffer is 128 bytes - including the terminating
\0, so the usable data is only 127 bytes. And decoding a 127 char
base64 string fails... this is why the NTLM authentication fails in
certain cases (long strings)...
Acked-by: Joerg Willmann <joe@clnt.de>
URL: https://community.openvpn.net/openvpn/ticket/172
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f8ac53b98ed2513f1d80363b6fd2351f1b4ae511)
Introduce an extra bool variable c2.pulled_options_md5_init_done to
keep track of md5_init state of pulled_options_state - avoid accessing
uninitialized state when a second PUSH_REPLY comes in (which only happens
under very particular circumstances).
Bug tracked down by Arne Schwabe <arne@rfc2549.rrg>.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: 20121225124856.GT22465@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/7216
Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit 1978db4b9657f0db134f1deaeb1e8400bf6a033e)
The missing #include <netinet/tcp.h> causes a defined(TCP_NODELAY) to
fail. I have added the patch to the FreeBSD ports OpenVPN 2.2.2 and
2.3.0, and confirmed (with strings ... | grep) that the TCP_NODELAY code
is now part of the executable on amd64, and results in this log output:
Sat Jan 12 13:39:18 2013 Listening for incoming TCP connection on [undef]
Sat Jan 12 13:39:18 2013 Socket flags: TCP_NODELAY=1 succeeded
Obtained from: https://community.openvpn.net/openvpn/ticket/158
Credits to: M. Nottebrock
Signed-off-by: Matthias Andree <matthias.andree@gmx.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1357994477-29981-1-git-send-email-matthias.andree@gmx.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/7230
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3e86f688757529f8b33f9e6b49e31ba8d8564c5e)
This fixes a denial-of-service vulnerability where an authenticated client
could stop the server by triggering a server-side ASSERT().
OpenVPN would previously ASSERT() that control channel packets have a
payload of at least 4 bytes. An authenticated client could trigger this
assert by sending a too-short control channel packet to the server.
Thanks to Dragana Damjanovic for reporting the issue.
This bug has been assigned CVE-2014-8104.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1CED409804E2164C8104F9E623B08B9018803B0FE7@FOXDFT02.FOX.local>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c5590a6821e37f3b29735f55eb0c2b9c0924138c)
When using OpenVPN 2.2 on clients and server with Windows based
clients, it will try to push IPv6 packets through the tunnel. This
causes the server log to be filled up with log entries like this:
Wed Jun 29 22:12:51 2011 username/1.2.3.4:56990 Need IPv6 code in mroute_extract_addr_from_packet
This patch modifies this message to state that IPv6 packets are not
tackled in tun mode, and prints it only once.
Trac: 147
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
(driver is known-buggy for small IPv4 packets in tun mode)
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry-picked from commit 03ab4ead8295e005f72dbffcffdaa74487d9668c)
(bugfixed tapdrvr.c regarding small IPv4 packets)
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit 1523d1101222340b7ef305020ed7eba0dd1676cf)
The minimum size for IPv6 was being applied to IPv4 packets, subsequently
leading to small IPv4 packets being dropped.
Bug found & fixed by Christian Niessner.
Signed-off-by: Christian Niessner <bug-report@secadm.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit 10b99726a30bb7252cb01806f5f276be7873e84e)
As support for OpenSSL 1.0.0 requires a modified openssl.cnf file, it was
decided to rename openssl.cnf to openssl-1.0.0.cnf for clarity and better
support of different OpenSSL versions. The old openssl.cnf was renamed as
openssl-0.9.8.cnf.
This patch makes sure that all openssl*.cnf files are copied when running 'make
install' in easy-rsa and makes the whichopensslcnf script aware of them as well.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
This patch fixes remaining issues with Trac ticket #125. It does the following:
- Update easy-rsa/2.0/README
- Rename easy-rsa/2.0/openssl.cnf as openssl-0.9.8.cnf
- Add easy-rsa/2.0/openssl-1.0.0.cnf
- Update vars.bat.sample to use openssl-1.0.0.cnf
- Update win/openvpn.nsi to use openssl-1.0.0.cnf
- Add a few undefined variables to vars and vars.bat.sample:
required by OpenSSL 1.0.0 (at least on Windows)
Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Tested-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
This is required for patch "Fix a build-ca issue on Windows" to work
Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit 663860ad04dd4190fddbee63e724d3fdceafd937)
When configuring OpenVPN nowadays, the TUN/TAP configuration can
sometimes jump into the Linux 2.2 fallback code paths, which will
also fail. The reason it jumps into fallback mode is that the
tun/tap device already exists or that /dev/net/tun does not exist.
This can be very confusing, as /dev/tunX, which the fallback mode tries
to use, does not exist on Linux 2.4 and newer.
Considering that the last Linux 2.2 update was released 25-Feb-2004
and the first Linux 2.4 release came 04-Jan-2001, there are no
reasonable reasons to help users to stay on outdated kernels.
I consider this extra code path just a waste of bytes ... so let's make
the world simpler.
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ce637abdafdc19547fc97192033a4d1703ecaf23)
Also fixed a typo in the --help screen.
Signed-off-by: Robert Fischer <ml-openvpn@trispace.org>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit ca8af756c52ab7a4aecb857f60d6124e58458f0a)
Signed-off-by: Robert Fischer <ml-openvpn@trispace.org>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit 54d40afdfa56f38030d7b440cb379abf9c9ddabc)
pkcs11.c seems to miss some header files which get implicitly added when
the management interface is enabled.
Signed-off-by: David Sommerseth <davids@redhat.com>
Tested-by: Mr Dash Four <mr.dash.four@googlemail.com>
(cherry picked from commit efcdf594f81a6af34b72285c12bacbce35c14b2d)
The push_peer_info feature depends on the SSL infrastructure and openvpn
will fail to build if ./configure --disable-crypto --disable-ssl is
used. The solution is to not define ENABLE_PUSH_PEER_INFO if we don't
have crypto/ssl.
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 21fc2edfc49bcc903d5cfb74c1ba2f41ac8771f0)
I just upgraded to 2.2.0, and my build fails with:
ps.c: In function 'port_share_open':
ps.c:778:7: error: 'management' undeclared (first use in this function)
ps.c:778:7: note: each undeclared identifier is reported only once for
each function it appears in
make[5]: *** [ps.o] Error 1
[Comment by David Sommerseth:
This happens only when building with --enable-small, --disable-management
and --disable-pkcs11
Also changed MANAGEMENT_ENABLED to ENABLE_MANAGEMENT from the original
patch.
]
Mailing-list: http://thread.gmane.org/gmane.network.openvpn.devel/4639
Signed-off-by: Matthew L. Creech <mlcreech@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit ca0ed8458a355aea46d26c209984caaf533784ec)
Some older GCC compilers don't like that variables are declared
in the middle of the code, and expect them on the top in the
block/scope.
Trac-ticket: 99
Signed-off-by: Simon Matter <simon.matter@invoca.ch>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit aa52ca828fc075e010c326e91d2171484a514fde)
The tmp_dir string is required in the options struct regardless of options
so spin it out of #if conditionals.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
(cherry picked from commit b70d99fb617350b252c8bde2f1f2d81d3f5b7955)
Signed-off-by: Robert Fischer <ml-openvpn@trispace.org>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
(cherry picked from commit 285252d1a189c331becde940d948d7ca1fe778fd)
Signed-off-by: Robert Fischer <ml-openvpn@trispace.org>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
(cherry picked from commit b63ecceb8b9bc3215866ae622bbd013d029d0b69)
Commit df5a4380c3931520d5fae2b18f0fc2e67a883aae copies this function
from buffer.c to service-win32/openvpnserv.c. Any changes on either
places should be done in both implementations.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
(cherry picked from commit 14708eb69e377ae7edcbbdbd2842bcfbc43fb84a)
A quick and dirty compile fix was introduced in commit 77d244050964525417,
and was accepted under the condition that it would be a temporary fix.
As the usage of _snprintf() is really not ideal on Windows, this patch
uses the same well tested openvpn_snprintf() function from buffer.c.
There was a longer discussion of several possibilities to re-use that code,
but in the end it seemed easier to just copy-paste this function to
openvpnserv.c for now.
The reason for this conclusion was that the function is really simple,
well defined and will most likely not be changed much in the future.
A comment is also added in openvpnserv.c noting where this function
has its origins.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: James Yonan <james@openvpn.net>
(cherry picked from commit df5a4380c3931520d5fae2b18f0fc2e67a883aae)
This bug was introduced in commit 110e42d199e735ab1a31388c5678f59d0fa9510c.
Trac-ticket: 120
Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit 6d1d08f6792109a4a4cdd9cd0936fd4338c76fa1)
Since MingW for quite a long time (since 3.2 in 2008?) has defined
'uint32_t' etc. in its <stdint.h>, we need to guard against defining
them again. Ideally we should figure out in what version of MingW
this happened. But for now:
Signed-off-by: Gisle Vanem <gvanem@broadpark.no>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
(cherry picked from commit 6a8270c29120473570ec6da4003226f36a4b71eb)
The win/config_ti.py build script assumes to find ../tapinstall/7600/sources.in
which does not exist in the devcon.exe source code directory. This makes
config_ti.py look for ../tapinstall/7600/sources instead.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
(cherry picked from commit a18752d4febdaa91f87efcc487ac865d6587c527)
In commit 4e1cc5f6dda22e9 the create_temp_filename() function was
reviewed and hardened, which in the end renamed this function to
create_temp_file() in commit 495e3cec5d156.
With these changes it became more evident that OpenVPN needs a directory
where it can create temporary files. The create_temp_file() will create
such files f.ex. if --client-connect is used, or a --plugin which makes use of
the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY hook, such as openvpn-auth-pam.so.
When this happens, OpenVPN will normally create these files in the directory
OpenVPN was started in. In many cases, this will fail due to restricted access.
By using --tmp-dir and pointing it to a directory writeable to the user
running OpenVPN, it works again.
This patch makes OpenVPN use a more suitable temporary directory by default,
instead of the current working directory. On non-Windows platforms this
default value is set to '/tmp', but can be modified at compile-time by
running ./configure --with-tmp-dir-path=<TEMP DIR PATH>. On Windows, it
will use GetTempPath() to find temporary paths recommended by the OS. If
this fails, it will fall back to the old behaviour, using the directory
where OpenVPN was started.
In any case, this default value can be overridden in the configuration
file by using the --tmp-dir option, as before.
To check what the default is at runtime, you can see this easily by doing
this:
$ ./openvpn --verb 4 --dev tun | grep tmp_dir
Signed-off-by: David Sommerseth <davids@redhat.com>
Tested-by: Jan Just Keijser <janjust@nikhef.nl>
Acked-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ca4c6d618d743ec4a3b6f7ef8003d891603ec1a6)