1605 Commits

Author SHA1 Message Date
David Sommerseth
9779cef26e
Preparing OpenVPN 2.3.18 release
Signed-off-by: David Sommerseth <davids@openvpn.net>
v2.3.18
2017-09-25 23:42:48 +02:00
Steffan Karger
fce3437529
Fix bounds check in read_key()
The bounds check in read_key() was performed after using the value, instead
of before.  If 'key-method 1' is used, this allowed an attacker to send a
malformed packet to trigger a stack buffer overflow.

Fix this by moving the input validation to before the writes.

Note that 'key-method 1' has been replaced by 'key-method 2' as the default
in OpenVPN 2.0 (released on 2005-04-17), and explicitly deprecated in 2.4
and marked for removal in 2.5.  This should limit the amount of users
impacted by this issue.

CVE: 2017-12166
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <80690690-67ac-3320-1891-9fecedc6a1fa@fox-it.com>
URL: https://www.mail-archive.com/search?l=mid&q=80690690-67ac-3320-1891-9fecedc6a1fa@fox-it.com
Signed-off-by: David Sommerseth <davids@openvpn.net>
(backport of git master commit 3b1a61e9fb27213c46f76312f4065816bee8ed01)
2017-09-22 01:27:19 +02:00
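The ordering bug described in the commit (validate after writing instead of before) is a general pattern, so here is an added illustration in C. This is not OpenVPN's read_key() and not its key-exchange format: the two-byte-length "key blob" layout, the MAX_*_KEY_LEN limits, and every function name are assumptions made for the example. The checked reader refuses any length that does not fit the destination or the input before it copies a single byte.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenVPN code. The key blob layout is hypothetical:
 *   [cipher_len:1][hmac_len:1][cipher key bytes][hmac key bytes]
 * and the destination sizes are made up for the demonstration. */
#define MAX_CIPHER_KEY_LEN 32
#define MAX_HMAC_KEY_LEN   32

struct key_material {
    uint8_t cipher[MAX_CIPHER_KEY_LEN];
    uint8_t hmac[MAX_HMAC_KEY_LEN];
    size_t cipher_len;
    size_t hmac_len;
};

/* The vulnerable shape (deliberately not compiled here) copies first and only
 * afterwards compares the lengths against the array sizes:
 *
 *     memcpy(km->cipher, buf + 2, cipher_len);      // may already run past the array
 *     memcpy(km->hmac, buf + 2 + cipher_len, hmac_len);
 *     if (cipher_len > MAX_CIPHER_KEY_LEN || hmac_len > MAX_HMAC_KEY_LEN)
 *         return -1;                                  // too late
 *
 * The fixed shape below validates every length against both the input buffer
 * and the destination before the first write. Returns 0 on success, -1 on
 * malformed input, and never touches km on failure. */
int read_key_checked(struct key_material *km, const uint8_t *buf, size_t buflen)
{
    if (buflen < 2)
        return -1;                                  /* no room for the two length fields */
    size_t cipher_len = buf[0];
    size_t hmac_len = buf[1];
    if (cipher_len == 0 || cipher_len > MAX_CIPHER_KEY_LEN)
        return -1;                                  /* would overflow km->cipher */
    if (hmac_len == 0 || hmac_len > MAX_HMAC_KEY_LEN)
        return -1;                                  /* would overflow km->hmac */
    if (buflen - 2 < cipher_len + hmac_len)
        return -1;                                  /* truncated: would read past buf */
    memcpy(km->cipher, buf + 2, cipher_len);
    memcpy(km->hmac, buf + 2 + cipher_len, hmac_len);
    km->cipher_len = cipher_len;
    km->hmac_len = hmac_len;
    return 0;
}

/* Constructed inputs for the three interesting cases. */
int demo_well_formed(void)
{
    uint8_t blob[2 + 16 + 20];
    struct key_material km;
    blob[0] = 16;
    blob[1] = 20;
    memset(blob + 2, 0xA5, 16);
    memset(blob + 18, 0x5A, 20);
    if (read_key_checked(&km, blob, sizeof(blob)) != 0)
        return -1;
    return (km.cipher_len == 16 && km.hmac_len == 20 && km.hmac[0] == 0x5A) ? 0 : -2;
}

int demo_oversized_length(void)
{
    uint8_t blob[300] = { 0 };
    struct key_material km;
    blob[0] = 200;                  /* claims 200 cipher bytes; destination holds 32 */
    blob[1] = 16;
    return read_key_checked(&km, blob, sizeof(blob));
}

int demo_truncated(void)
{
    uint8_t blob[10] = { 16, 16 };  /* claims 32 key bytes, only 8 follow */
    struct key_material km;
    return read_key_checked(&km, blob, sizeof(blob));
}

int main(void)
{
    printf("well-formed=%d oversized=%d truncated=%d\n",
           demo_well_formed(), demo_oversized_length(), demo_truncated());
    return 0;
}
```

The check order matters as much as the checks themselves: a length must be compared against the destination array and against the remaining input before the copy that uses it, and a rejected packet must leave the output structure untouched so a later code path cannot consume half-written key material.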
Szilárd Pfeiffer
5071f6783a
OpenSSL: Always set SSL_OP_CIPHER_SERVER_PREFERENCE flag
* safe bet to say that server admins are better at updating their configs
  than client users are and if clients do want to restrict their ciphers,
  they should simply evict the ciphers they don't want from their cipher
  suite
* mbed TLS and OpenSSL behave more similar with the
  SSL_OP_CIPHER_SERVER_PREFERENCE flag

Signed-off-by: Szilárd Pfeiffer <coroner@pfeifferszilard.hu>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20170904081012.1975-1-coroner@pfeifferszilard.hu>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15356.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 5fd8e94d311825571931414064e4d13ed808f9b5)
2017-09-07 00:39:21 +02:00
Steffan Karger
49e12a39ab
Deprecate --ns-cert-type
This is a manual cherry-pick of commit 2dc33226 of the master branch,
for the release/2.3 branch.

The nsCertType x509 extension is very old, and barely used.  We already
have had an alternative for a long time: --remote-cert-tls uses the far
more common keyUsage and extendedKeyUsage extensions instead.

OpenSSL 1.1 no longer exposes an API to (separately) check the nsCertType
x509 extension.  Since we want to be able to migrate to OpenSSL 1.1, we
should deprecate this option immediately.

Trac: #876

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1502222447-8186-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15180.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
2017-08-15 13:37:32 +02:00
Antonio Quartulli
ca870b1396 crypto: correct typ0 in error message
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20170627120047.12304-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14975.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 778aca3d251b6a563ffbabef95816fab863825e1)
2017-06-27 16:46:51 +02:00
Gert Doering
8ec9cfdd5f
Preparing for release v2.3.17 (ChangeLog, version.m4, Changes.rst)
General cleanup help, UTF8 fixes, whitespace and quoting fixes for
ChangeLog and Changes.rst provided by David Sommerseth <davids@openvpn.net>

Signed-off-by: Gert Doering <gert@greenie.muc.de>
v2.3.17
2017-06-20 13:05:52 +02:00
Gert Doering
fc61d1bda1
Fix remotely-triggerable ASSERT() on malformed IPv6 packet.
Correct sanity checks on IPv6 packet length in mss_fixup_ipv6(),
and change the ASSERT() check in mss_fixup_dowork() into a simple
"return" (= the TCP header will simply not be inspected further).

CVE-2017-7508 has been assigned due to the serious nature of the
bug: it can be used to remotely shutdown an openvpn server or
client, if IPv6 and --mssfix are enabled and the IPv6 networks used
inside the VPN are known.

Found by Guido Vranken <guidovranken@gmail.com>.

v2: style changes

CVE: 2017-7508
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20170613200832.15027-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20170613200832.15027-1-gert@greenie.muc.de
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c3f47077a7756de5929094569421a95aa66f2022)
2017-06-19 20:51:26 +02:00
Guido Vranken
f38a4a1059
Prevent two kinds of stack buffer OOB reads and a crash for invalid input data
Pre-authentication remote crash/information disclosure for clients

If clients use a HTTP proxy with NTLM authentication (i.e.
"--http-proxy <server> <port> [<authfile>|'auto'|'auto-nct'] ntlm2"),
a man-in-the-middle attacker between the client and the proxy can
cause the client to crash or disclose at most 96 bytes of stack
memory. The disclosed stack memory is likely to contain the proxy
password.

If the proxy password is not reused, this is unlikely to compromise
the security of the OpenVPN tunnel itself.  Clients who do not use
the --http-proxy option with ntlm2 authentication are not affected.

CVE: 2017-7520
Signed-off-by: Guido Vranken <guidovranken@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=C62DZaxN32WNtQ@mail.gmail.com>
URL: https://www.mail-archive.com/search?l=mid&q=CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=C62DZaxN32WNtQ@mail.gmail.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7718c8984f04b507c1885f363970e2124e3c6c77)
2017-06-19 20:49:30 +02:00
Steffan Karger
1dde0cd6e5
Fix potential double-free in --x509-alt-username (CVE-2017-7521)
We didn't check the return value of ASN1_STRING_to_UTF8() in
extract_x509_extension().  Ignoring such a failure could result in buf
being free'd twice.  An error in ASN1_STRING_to_UTF8() can be caused
remotely if the peer can make the local process run out of memory.

The problem can only be triggered for configurations that use the
--x509-alt-username option with an x509 extension (i.e. the option
parameter starts with "ext:").

This issue was discovered, analysed and reported to the OpenVPN team by
Guido Vranken.

Extensive testing by Guido Vranken gives confidence that this function
is very unlikely to fail in real-world usage (using subjectAltName or
issuerAltName extensions) for other reasons than memory exhaustion.

CVE: 2017-7521
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Acked-by: Guido Vranken <guidovranken@gmail.com>
Message-Id: <1497864520-12219-6-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/search?l=mid&q=1497864520-12219-6-git-send-email-steffan.karger@fox-it.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit cb4e35ece4a5b70b10ef9013be3bff263d82f32b)
2017-06-19 20:43:08 +02:00
Steffan Karger
a6dbec1cb4
Restrict --x509-alt-username extension types
The code never supported all extension types.  Make this explicit by only
allowing subjectAltName and issuerAltName (for which the current code does
work).

Using unsupported extension fields would most likely cause OpenVPN to crash
as soon as a client connects.  This does not have a real-world security
impact, as such a configuration would not be possible to use in practice.

This bug was discovered, analysed and reported to the OpenVPN team by
Guido Vranken.

Note: small code changes to avoid "variable declaration in the middle
of a code block" when backporting changes to extract_x509_extension(),
as 2.3 can not assume a C99 compiler.

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Acked-by: Guido Vranken <guidovranken@gmail.com>
Message-Id: <1497864520-12219-5-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/search?l=mid&q=1497864520-12219-5-git-send-email-steffan.karger@fox-it.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit d2a19185fd78030ce4a1bba6c9f83e0dac9e15a6)
2017-06-19 20:39:57 +02:00
Steffan Karger
84e1775961
Fix remote-triggerable memory leaks (CVE-2017-7521)
Several of our OpenSSL-specific certificate-parsing code paths did not
always clear all allocated memory.  Since a client can cause a few bytes
of memory to be leaked for each connection attempt, a client can cause a
server to run out of memory and thereby kill the server.  That makes this
a (quite inefficient) DoS attack.

When using the --x509-alt-username option on openssl builds with an
extension (argument prefixed with "ext:", e.g. "ext:subjectAltName"), the
code would not free all allocated memory.  Fix this by using the proper
free function.

If ASN1_STRING_to_UTF8() returns 0, it didn't fail and *did* allocate
memory.  So also free the returned buffer if it returns 0.

These issues were found, analysed and reported to the OpenVPN team by Guido
Vranken.

CVE: 2017-7521
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Acked-by: Guido Vranken <guidovranken@gmail.com>
Message-Id: <1497864520-12219-4-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/search?l=mid&q=1497864520-12219-4-git-send-email-steffan.karger@fox-it.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 2d032c7fcdfd692c851ea2fa858b4c2d9ea7d52d)
2017-06-19 20:29:24 +02:00
David Sommerseth
888b0dcee0
auth-token with auth-nocache fix broke --disable-crypto builds
After adding commit 571165360db0392fa83e, it broke builds where
the --disable-crypto was used with ./configure.  This was due to
the delayed_auth_pass_purge() which requires the crypto code paths
being called from init.c without the proper #ifdef encapsulation.

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20170619130507.13892-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14883.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 5bde5b6d1875fd87b116c943084df0d2f6aee6d0)
2017-06-19 15:25:42 +02:00
David Sommerseth
199ef1321c
backport: Ignore auth-nocache for auth-user-pass if auth-token is pushed
This is a backport to release/2.3 of the following commit:

commit 571165360db0392fa83ec8e6f8de145f623c53fe
Author: Antonio Quartulli <a@unstable.cc>
Date:   Sat Feb 25 08:40:14 2017 +0800

    When the auth-token option is pushed from the server to the client,
    the latter has to ignore the auth-nocache directive (if specified).

    The password will now be substituted by the unique token, therefore
    it can't be wiped out, otherwise the next renegotiation will fail.

    Trac: #840
    Cc: David Sommerseth <openvpn@sf.lists.topphemmelig.net>
    Signed-off-by: Antonio Quartulli <a@unstable.cc>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <20170225004014.28638-1-a@unstable.cc>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14194.html
    Signed-off-by: David Sommerseth <davids@openvpn.net>

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-By: Arne Schwabe <arne@rfc2549.org>
Message-Id: <f7ac719e-0b28-4c4d-5e8a-2932827789b6@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14201.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
2017-06-19 12:11:01 +02:00
Gert Doering
4d343fbe91 Fix potential 1-byte overread in TCP option parsing.
A malformed TCP header could lead to a one-byte overread when
searching for the MSS option (but as far as we know, with no
adverse consequences).

Change outer loop to always ensure there's one extra byte available
in the buffer examined.

Technically, this would cause OpenVPN to ignore the only single-byte
TCP option available, 'NOP', if it ends up being the very last
option in the buffer - so what, it's a NOP anyway, and all we
are interested is MSS, which needs 4 bytes.
(https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml)

Found and reported by Guido Vranken <guidovranken@gmail.com>.

Trac: #745

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20170618194104.25179-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14874.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 22046a88342878cf43a9a553c83470eeaf97f000)
2017-06-18 22:02:33 +02:00
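The two MSS-related commits above (the IPv6 length sanity check that replaced an ASSERT() for CVE-2017-7508, and the one-extra-byte loop bound for the TCP option scan) both come down to never trusting a length field in a packet. The following C is an added example, not OpenVPN's mss_fixup code: the header offsets are the standard IPv6 and TCP layouts, while the function names, the SYN-only rule, and the sample packets are assumptions constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenVPN's mss_fixup code. Offsets follow the IPv6
 * (RFC 8200) and TCP (RFC 9293) header layouts; sample packets are constructed. */
#define IPV6_HDR_LEN  40
#define NEXTHDR_TCP   6
#define TCP_MIN_HDR   20
#define TCP_FLAG_SYN  0x02
#define TCPOPT_EOL    0
#define TCPOPT_NOP    1
#define TCPOPT_MSS    2
#define TCPOLEN_MSS   4

/* Locate the TCP option bytes inside a raw IPv6 packet. Sets *opt and returns
 * the option length, or -1 when any header claims more bytes than the packet
 * actually carries (the input an ASSERT() must never be allowed to see). */
int ipv6_tcp_options(const uint8_t *pkt, size_t pktlen, const uint8_t **opt)
{
    if (pktlen < IPV6_HDR_LEN + TCP_MIN_HDR) return -1;
    if ((pkt[0] >> 4) != 6) return -1;                 /* version nibble */
    if (pkt[6] != NEXTHDR_TCP) return -1;              /* TCP directly, no extension headers */
    size_t payload = ((size_t)pkt[4] << 8) | pkt[5];   /* IPv6 payload length field */
    if (payload < TCP_MIN_HDR || payload > pktlen - IPV6_HDR_LEN) return -1;
    const uint8_t *tcp = pkt + IPV6_HDR_LEN;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;          /* TCP data offset in bytes */
    if (doff < TCP_MIN_HDR || doff > payload) return -1;
    if (!(tcp[13] & TCP_FLAG_SYN)) return -1;          /* MSS only appears on SYN */
    *opt = tcp + TCP_MIN_HDR;
    return (int)(doff - TCP_MIN_HDR);
}

/* Walk the options and return the MSS value, or -1 if absent or malformed.
 * "i + 1 < optlen" guarantees the length byte opt[i + 1] is inside the buffer,
 * so a lone NOP in the very last byte is never examined; that is harmless,
 * because only the 4-byte MSS option is of interest. */
int find_mss(const uint8_t *opt, size_t optlen)
{
    size_t i = 0;
    while (i + 1 < optlen) {
        uint8_t kind = opt[i];
        if (kind == TCPOPT_EOL) return -1;
        if (kind == TCPOPT_NOP) { i++; continue; }
        uint8_t len = opt[i + 1];
        if (len < 2 || len > optlen - i) return -1;    /* option runs past the buffer */
        if (kind == TCPOPT_MSS) {
            if (len != TCPOLEN_MSS) return -1;
            return (opt[i + 2] << 8) | opt[i + 3];
        }
        i += len;
    }
    return -1;
}

/* Constructed IPv6 + TCP SYN packet in buf (>= 128 bytes); optlen must be a
 * multiple of 4; payload_field is written into the IPv6 payload length. */
static size_t build_packet(uint8_t *buf, size_t payload_field,
                           const uint8_t *opts, size_t optlen)
{
    size_t tcplen = TCP_MIN_HDR + optlen;
    memset(buf, 0, 128);
    buf[0] = 0x60;
    buf[4] = (uint8_t)(payload_field >> 8);
    buf[5] = (uint8_t)payload_field;
    buf[6] = NEXTHDR_TCP;
    buf[IPV6_HDR_LEN + 12] = (uint8_t)((tcplen / 4) << 4);
    buf[IPV6_HDR_LEN + 13] = TCP_FLAG_SYN;
    memcpy(buf + IPV6_HDR_LEN + TCP_MIN_HDR, opts, optlen);
    return IPV6_HDR_LEN + tcplen;
}

static int run(const uint8_t *opts, size_t optlen, size_t payload_field)
{
    uint8_t buf[128];
    const uint8_t *opt;
    size_t n = build_packet(buf, payload_field, opts, optlen);
    int found = ipv6_tcp_options(buf, n, &opt);
    return found < 0 ? -1 : find_mss(opt, (size_t)found);
}

/* NOP NOP MSS=1460 NOP EOL with an honest payload length: returns 1460 */
int demo_mss_ok(void)
{
    static const uint8_t opts[8] = { 1, 1, 2, 4, 0x05, 0xb4, 1, 0 };
    return run(opts, sizeof(opts), TCP_MIN_HDR + sizeof(opts));
}

/* Same packet, but the IPv6 payload length claims 200 bytes: rejected, -1 */
int demo_lying_payload_length(void)
{
    static const uint8_t opts[8] = { 1, 1, 2, 4, 0x05, 0xb4, 1, 0 };
    return run(opts, sizeof(opts), 200);
}

/* NOP, then an MSS option whose 4 declared bytes do not fit: rejected, -1 */
int demo_truncated_option(void)
{
    static const uint8_t opts[4] = { 1, 2, 4, 0x05 };
    return run(opts, sizeof(opts), TCP_MIN_HDR + sizeof(opts));
}

int main(void)
{
    printf("ok=%d lying=%d truncated=%d\n", demo_mss_ok(),
           demo_lying_payload_length(), demo_truncated_option());
    return 0;
}
```

Every length in the chain (IPv6 payload length, TCP data offset, per-option length) is checked against the bytes actually received, and a failure is a return value, not an abort; that is the difference between a dropped packet and a remotely triggerable shutdown.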
Guido Vranken
479b6d13d8 Fix a null-pointer dereference in establish_http_proxy_passthru()
Prevents the client from crashing if the peer does not specify
the 'realm' and/or 'nonce' values. These pointers are
dereferenced in DigestCalcHA1() and DigestCalcResponse();
hence, if not set, a null-pointer dereference would occur.

Signed-off-by: Guido Vranken <guidovranken@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1497574736-2092-1-git-send-email-gv@guidovranken.nl>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14844.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 14865773ad64d861128bc80ad44c37bdc307c996)
2017-06-16 09:20:10 +02:00
Steffan Karger
2368072763 openssl: fix overflow check for long --tls-cipher option
The length check in tls_ctx_restrict_ciphers() did not check for overflow,
which could lead to a stack buffer overflow.

This has no real-world impact, because --tls-cipher can only be specified
by entities that are allowed to supply config settings.  Since those
entities can also change --script-security and call scripts and/or
plugins, these users already have code execution at the level of the
openvpn process.  In other words: the attacker would not gain any
capabilities.  Nevertheless, a nasty bug that we should fix.

This bug was discovered and reported to the OpenVPN security team by
Guido Vranken.

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1495461253-20111-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14716.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e6bf7e033d063535a4414a4cf49c8f367ecdbb4f)
2017-06-13 11:21:29 +02:00
Guido Vranken
8ee7fae5f6 Ensure option array p[] is always NULL-terminated
Add one element (a terminating NULL pointer) to the array into
which parse_line() stores the arguments. This prevents options
that traverse this array until a terminator is seen (for instance
options that call no_more_than_n_args) from peeking beyond buffer bounds.
In the worst case this might lead to a crash (stack overflow, not
likely in practice).

Signed-off-by: Guido Vranken <guidovranken@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <CAO5O-EKCLjPpdKUH6cCoqoZDAfekSafpc7Ga55H2_5Hs4rBopg@mail.gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14757.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 8b03d3d9307b407b0da98ebefb052b1fa87aefe7)
2017-06-12 15:28:47 +02:00
Jérémie Courrèges-Anglas
464ac6ea10 Missing include for socket-flags TCP_NODELAY on OpenBSD
Signed-off-by: Jeremie Courreges-Anglas <jca@wxcvbn.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <87fuf7u455.fsf@ritchie.wxcvbn.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14772.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e5b236eaba4512f86da917a0a63dd0f84e1b02db)
2017-06-11 13:25:14 +02:00
Jérémie Courrèges-Anglas
02845e8dc6 Fix an unaligned access on OpenBSD/sparc64
The pointer to the packet content doesn't seem to be word-aligned,
resulting in a SIGBUS when accessing it as a pointer to struct ip that
contains bit fields.

Replace with struct openvpn_iphdr and OPENVPN_IPH_GET_VER, which only
does a one byte access and thus isn't affected by alignment.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <87ink3vpcs.fsf@ritchie.wxcvbn.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14769.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3e4e300d6c5ea9c320e62def79e5b70f8e255248)
2017-06-11 12:07:06 +02:00
Guido Vranken
64933bf444 Fix memory leak in add_option() for option 'connection'
This patch ensures that if an error occurs while processing
the 'connection' directive of an options specification,
the variable 'struct options sub', which is initialized
with init_options(), is properly freed with uninit_options().

Signed-off-by: Guido Vranken <guidovranken@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <CAO5O-E+HdfHNAK=--55054AB374U-Ky4q_-3M114makfPdSnBw@mail.gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14764.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit d89e14d92623731d2fa6343a11072caab32e13cd)
2017-06-10 09:24:23 +02:00
Guido Vranken
a95927638f Fix 2 memory leaks in proxy authentication routine
Signed-off-by: Guido Vranken <guidovranken@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <CAO5O-EL11jDxO+c1Gu0FvunqwUTW2uxjy910+A-s63Nr5O3NWw@mail.gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14758.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 8d606cd3f6bce304874b1d7745d40d11f64ea17d)
2017-06-09 22:35:48 +02:00
Guido Vranken
8dd598e89f refactor my_strupr
Refactor my_strupr such that it will not check and possibly alter bytes
after the string's null terminator for strings of length 0.

Signed-off-by: Guido Vranken <guidovranken@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <CAO5O-ELXwXgGtRFou=FY1TAhW4W4BHPZF4=rqSY877njtXNMJg@mail.gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14756.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 69162924de3600bfe8ae9708a1d6e3f4515ef995)
2017-06-08 21:09:48 +02:00
Gert Doering
d044e188fb Preparing for release v2.3.16 (ChangeLog, version.m4)
Signed-off-by: Gert Doering <gert@greenie.muc.de>
v2.3.16
2017-05-18 20:48:55 +02:00
Steven McDonald
50ba481c21 Fix gateway detection with OpenBSD routing domains
When OpenVPN is started using a non-default routing table on OpenBSD
(e.g., with 'route -T10 exec openvpn ...'), it hangs forever trying to
read its default gateway from a PF_ROUTE socket. This is because
rtm_tableid is not being initialised after bzeroing the rt_msghdr we
write to the socket, so we end up asking the kernel for the default
route in routing table 0.

By default, the OpenBSD kernel will not respond to requests for routing
table 0 from a process running in a different routing table, and even
if it did, it would give us the wrong default gateway.

The solution here is to set rtm_tableid to the value returned by
getrtable(2), which always succeeds and returns the calling process's
current routing table.

This patch makes the test suite (without a t_client.rc) pass when run
in a non-default routing table, where it would fail previously. It has
also been successfully tested in client mode against both git master
and OpenVPN 2.4.1 from ports on an OpenBSD -current system.

Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20170413173129.87367-1-steven@steven-mcdonald.id.au>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14461.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3dd30bfe5fdf9f34afe7f847b4e30156982d9ff0)
2017-05-18 20:29:58 +02:00
Antonio Quartulli
0b339bf958 fix redirect-gateway behaviour when an IPv4 default route does not exist
When no IPv4 default route exists, the "redirect-gateway" routine
aborts even if the sub-option "local" was specified or if we are
connecting to the remote host using IPv6.

This is not expected because in either case OpenVPN should not
bother checking the existence of the default route as it is not
required at all.

Therefore, skip the IPv4 default route check when "local" is
specified or we are connecting to an IPv6 remote host.

(This is a cherry-pick of 14670a9d654b (master), adapted to 2.3 code)

Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20170509152422.12606-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14602.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2017-05-18 19:40:00 +02:00
Guido Vranken
04c84548c2 Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)
Trac: #890

Signed-off-by: Guido Vranken <guidovranken@gmail.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <CAO5O-EKGgpYAsJC5j+osB_LAteoUDbOwVYVqkB2=cA3a6VVHoA@mail.gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14649.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2017-05-18 14:36:18 +02:00
Selva Nair
c18802e2e2 Check for errors in the return value of GetModuleFileNameW()
Also replace MAX_PATH by _countof(openvpnpath) as the latter
is arguably more robust.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1494800196-8144-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14654.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2017-05-18 11:26:50 +02:00
David Sommerseth
3902e56a87
Prepare v2.3.15 release
Signed-off-by: David Sommerseth <davids@openvpn.net>
v2.3.15
2017-05-11 12:55:31 +02:00
Steffan Karger
feb35ee5ca
Don't assert out on receiving too-large control packets (CVE-2017-7478)
Commit 358f513c changed the maximum size of accepted control channel
packets.  This was needed for crypto negotiation (which is needed for a
nice transition to a new default cipher), but exposed a DoS
vulnerability.  The vulnerability was found during the OpenVPN 2.4 code
audit by Quarkslab (commissioned by OSTIF).

To fix the issue, we should not ASSERT() on external input (in this case
the received packet size), but instead gracefully error out and drop the
invalid packet.

CVE: 2017-7478
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1494493257-8125-1-git-send-email-steffan.karger@fox-it.com>
URL: http://www.mail-archive.com/search?l=mid&q=1494493257-8125-1-git-send-email-steffan.karger@fox-it.com
Signed-off-by: David Sommerseth <davids@openvpn.net>
2017-05-11 12:55:31 +02:00
Steffan Karger
b727643cdf
Drop packets instead of assert out if packet id rolls over (CVE-2017-7479)
Previously, if a mode was selected where packet ids are not allowed to roll
over, but renegotiation does not succeed for some reason (e.g. no password
entered in time, certificate expired or a malicious peer that refuses the
renegotiation on purpose) we would continue to use the old keys.  Until the
packet ID would roll over and we would ASSERT() out.

Given that this can be triggered on purpose by an authenticated peer, this
is a fix for an authenticated remote DoS vulnerability.  An attack is
rather inefficient though; a peer would need to get us to send 2^32
packets (min-size packet is IP+UDP+OPCODE+PID+TAG (no payload), results in
(20+8+1+4+16)*2^32 bytes, or approx. 196 GB).

This is a fix for finding 5.2 from the OSTIF / Quarkslab audit.

CVE: 2017-7479
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1494358209-4568-1-git-send-email-steffan.karger@fox-it.com>
URL: http://www.mail-archive.com/search?l=mid&q=1494358209-4568-1-git-send-email-steffan.karger@fox-it.com
Signed-off-by: David Sommerseth <davids@openvpn.net>
2017-05-11 12:55:20 +02:00
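Both CVE-2017-7478 and CVE-2017-7479 are fixed the same way: a condition that a peer can bring about is turned from an ASSERT() into a drop. The following C is an added example of that shape, not OpenVPN's code: the MAX_CONTROL_PACKET limit, the verdict enum, the packet_id_send structure and all function names are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not OpenVPN code. Limit, structures and names are hypothetical. */
#define MAX_CONTROL_PACKET 1024   /* hypothetical ceiling for an accepted control packet */

enum rx_verdict { RX_ACCEPT = 0, RX_DROP_EMPTY = 1, RX_DROP_TOO_LARGE = 2 };

/* A length chosen by the remote peer must never reach an ASSERT(): the check
 * hands back a verdict, and the caller drops the packet and carries on. */
enum rx_verdict check_control_packet_len(size_t len)
{
    if (len == 0) {
        return RX_DROP_EMPTY;
    }
    if (len > MAX_CONTROL_PACKET) {
        return RX_DROP_TOO_LARGE;
    }
    return RX_ACCEPT;
}

struct packet_id_send {
    uint32_t id;   /* last id used; 32-bit, must not wrap under this key */
};

/* Reserve the next packet id. Returns false and leaves the counter untouched
 * when the increment would wrap to zero; the caller drops the packet instead
 * of aborting, and renegotiation is what retires the exhausted key. */
bool packet_id_reserve(struct packet_id_send *p, uint32_t *out)
{
    if (p->id == UINT32_MAX) {
        return false;
    }
    p->id += 1;
    *out = p->id;
    return true;
}

/* Simulated send path: returns how many of n packets received an id before
 * the counter was exhausted; the remainder are dropped, not asserted on. */
uint32_t send_packets(struct packet_id_send *p, uint32_t n)
{
    uint32_t sent = 0;
    for (uint32_t i = 0; i < n; i++) {
        uint32_t pid;
        if (!packet_id_reserve(p, &pid)) {
            break;
        }
        sent++;
    }
    return sent;
}

/* Constructed scenario: the counter is three packets away from wrapping
 * (a peer that stalls renegotiation would otherwise drive it here).
 * Returns 3: three sent, seven dropped, and the counter parks at UINT32_MAX. */
uint32_t demo_rollover(void)
{
    struct packet_id_send p = { UINT32_MAX - 3 };
    return send_packets(&p, 10);
}

int main(void)
{
    printf("len 4096 -> verdict %d, len 512 -> verdict %d, sent before wrap: %u\n",
           (int)check_control_packet_len(4096), (int)check_control_packet_len(512),
           (unsigned)demo_rollover());
    return 0;
}
```

The rule of thumb the two commits share: ASSERT() is for invariants the program itself maintains, while anything derived from network input (a packet size, a counter a peer can make you advance) gets a bounds check whose failure is a logged drop.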
Steffan Karger
e80c659d1c
Introduce and use secure_memzero() to erase secrets
This is a cherry-pick of commit 009521ac (master).

As described in trac #751, and shortly after reported by Zhaomo Yang, of
the University of California, San Diego, we use memset() (often through
the CLEAR() macro) to erase secrets after use.  In some cases however, the
compiler might optimize these calls away.

This patch replaces these memset() calls on secrets by calls to a new
secure_memzero() function, that will not be optimized away.

Since we use CLEAR() a LOT of times, I'm not changing that to use
secure_memzero() to prevent performance impact.  I did annotate the macro
to point people at secure_memzero().

This patch also replaces some CLEAR() or memset() calls with a zero-
initialization using "= { 0 }" if that has the same effect.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1494449775-22199-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14628.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
2017-05-11 01:42:48 +02:00
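The problem the commit describes, a memset() on a buffer that is dead afterwards being removed by the optimizer, is worth seeing next to a wipe that cannot be removed. The C below is an added example and not OpenVPN's secure_memzero(): the volatile byte loop is one portable implementation choice, and the derive_and_wipe() routine, its toy mixing step, and the sample password are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenVPN's secure_memzero(). Writing through a volatile
 * pointer is one portable way to stop the compiler from discarding the wipe
 * as a dead store; the byte-by-byte loop is the price of that portability. */
void secure_memzero_example(void *p, size_t n)
{
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) {
        *v++ = 0;
    }
}

/* Returns the number of non-zero bytes in buf[0..n). */
size_t count_nonzero(const uint8_t *buf, size_t n)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (buf[i]) {
            count++;
        }
    }
    return count;
}

/* Shape of the call sites the commit is about: a secret sits briefly on the
 * stack, is consumed, and is wiped before the function returns. The mixing
 * step is a constructed stand-in, not a KDF. Returns -1 on bad input, else
 * the number of non-zero bytes left in the scratch buffer after the wipe. */
int derive_and_wipe(const char *password, uint8_t out[16])
{
    uint8_t scratch[64];
    size_t len = strlen(password);
    if (len == 0 || len > sizeof(scratch)) {
        return -1;
    }
    memcpy(scratch, password, len);
    for (size_t i = 0; i < 16; i++) {
        out[i] = (uint8_t)(scratch[i % len] ^ (uint8_t)(i * 31));
    }
    /* A plain memset(scratch, 0, sizeof scratch) here may legally be dropped,
     * since scratch is never read again on a normal path; the volatile loop
     * is not subject to that optimisation. */
    secure_memzero_example(scratch, sizeof(scratch));
    return (int)count_nonzero(scratch, sizeof(scratch));
}

/* Constructed password; expected result 0 (nothing left behind). */
int demo_wipe(void)
{
    uint8_t key[16];
    return derive_and_wipe("correct horse battery staple", key);
}

/* Direct check of the wipe on a buffer filled with a non-zero pattern. */
size_t demo_wipe_pattern(void)
{
    uint8_t buf[37];
    memset(buf, 0xAA, sizeof(buf));
    secure_memzero_example(buf, sizeof(buf));
    return count_nonzero(buf, sizeof(buf));
}

int main(void)
{
    printf("after derive: %d non-zero, after pattern wipe: %zu non-zero\n",
           demo_wipe(), demo_wipe_pattern());
    return 0;
}
```

Where a platform primitive exists it is the better choice: explicit_bzero() on OpenBSD, FreeBSD and glibc 2.25 or later, memset_s() where C11 Annex K is available, SecureZeroMemory() on Windows. The volatile loop is the fallback for builds that have none of them, which is why a project-level wrapper like the commit's secure_memzero() is the right place to hide the choice.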
Steffan Karger
51d936d0c7
Document that OpenVPN 2.3 does not check the CRL signature
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1494445844-8327-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14626.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
2017-05-11 01:30:35 +02:00
Steffan Karger
5d747770ef
cleanup: merge packet_id_alloc_outgoing() into packet_id_write()
The functions packet_id_alloc_outgoing() and packet_id_write() were
always called in tandem.  Instead of forcing the caller to allocate a
packet_id_net to do so, merge the two functions.  This simplifies the API
and reduces the chance of mistakes in the future.

This patch adds unit tests to verify the behaviour of packet_id_write().
Verifying that we assert out correctly required the change to mock_msg.c.

This patch was cherry-picked from a87e1431 (master).

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1494357036-3529-1-git-send-email-steffan.karger@fox-it.com>
URL: http://www.mail-archive.com/search?l=mid&q=1494357036-3529-1-git-send-email-steffan.karger@fox-it.com
Signed-off-by: David Sommerseth <davids@openvpn.net>
2017-05-09 21:36:04 +02:00
Steffan Karger
895abd4be7
Add missing includes in error.h
error.h depends on these, but is apparently never used by files that do
not include them.  Cherry-picked from b7e51b13 (master).

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1494355962-21545-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14612.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
2017-05-09 21:17:30 +02:00
David Sommerseth
32b5cb60e3
Make --cipher/--auth none more explicit on the risks
The warning provided to --cipher and --auth using the 'none' setting may
not have been too clearly understandable to non-developers or people not
fully understanding encryption and cryptography.  This tries to improve
that.

While at it, also break up the long source lines.

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20170410222828.23612-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14436.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 7a1b6a0dd706a81897457b0456a951c0b30bbcfb)
2017-04-11 16:56:40 +02:00
Gert Doering
69c4e0640e Document --proto udp6, tcp6, etc.
Trac #793

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20170319193451.24289-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14283.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2017-03-20 19:33:12 +01:00
David Sommerseth
61da0031b2 git: Merge .gitignore files into a single file
We already track a lot of files over the whole directory structure
in the main .gitignore file.  But a few additional ones had been
added into some of the subdirectories.

This unifies all these files into a master file for the whole project,
making it easier to know where to look at and edit if changes need
to be done.

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20170120210457.3383-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13916.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit d14b3c60c7796736e07bc3cddb0ab3a58475793e)
2017-01-23 00:58:36 +01:00
Julien Muchembled
ab1302d47b Fix implicit declarations when HAVE_OPENSSL_ENGINE is unset
This fixes a regression in commit 8e95e20913:
on amd64, an implicit declaration of ERR_error_string leads to segfaults
if the returned pointer does not fit in an 'int'.

Trac: #792

Signed-off-by: Julien Muchembled <jm@nexedi.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20161216163218.25449-1-jm@nexedi.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13591.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2017-01-04 20:26:12 +01:00
David Sommerseth
49e6ce5b9d docs: Further improve --reneg-bytes and SWEET32 information
There are still some support tickets related to SWEET32 and
our default enforced --reneg-bytes 64 when using weaker ciphers
(less than 128-bits cipher blocks).  Try to clarify this even
more.

Also fix a few mistakes, saying less than 128-bits and not 128-bits
and less.

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <1482353691-27088-2-git-send-email-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13662.html
2016-12-23 14:53:30 +01:00
David Sommerseth
782c95330b Update copyrights
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <1482350454-27280-3-git-send-email-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13656.html
2016-12-21 21:57:26 +01:00
David Sommerseth
9e2bbbc7bc dev-tools: Added script for updating copyright years in files
Very simple tool which modifies the Copyright lines in all git checked-in
files with an updated year.  Lines only listing a single year (2016) will
be modified to list a range instead.

Only the Copyright lines of specific owners will be modified.  The
script will need to be slightly updated to cover more owners.  See the
UPDATE_COPYRIGHT_LINES line in the script for the currently set owners.

v2 - On-the-fly-commit-update: use vendor/ instead of cmocka and
     add @sophos.com to the list of copyright holders to update

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <1482173532-25132-1-git-send-email-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13645.html
(cherry picked from commit da8f11f895bb78174d4412d82a6992c398da495a)
2016-12-21 12:54:01 +01:00
Gert Doering
117dadc02d Preparing release of v2.3.14
Signed-off-by: Gert Doering <gert@greenie.muc.de>
v2.3.14
2016-12-06 21:38:58 +01:00
Selva Nair
a1b9e4c1ac Correctly state the default dhcp server address in man page
Also correct the default ifconfig-pool end in docs and comments

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1480707729-19578-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13387.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 251cc8f2042cc0cb8281230f7fb33f2cdec5b809)
2016-12-06 21:35:59 +01:00
Selva Nair
4d397fcbc0 Map restart signals from event loop to SIGTERM during exit-notification wait
Commit 63b3e000c9.. fixed SIGTERM getting lost during exit notification
by ignoring any restart signals triggered during this interval. However,
as reported in Trac 777, this could result in repeated triggering of
restart signals when the event loop cannot continue without restart due
to IO errors or timeout.

Avoid by converting soft SIGUSR1 and SIGHUP signals received during
exit-notify wait period to SIGTERM.

cherry-picked from commit f25a0217e35f53c3110ebb226e1d1f3528152cb5
with (c->sig->source == SIG_SOURCE_HARD) changed to c->sig->hard

Trac: #777

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1480470535-6287-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13310.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2016-11-30 19:43:58 +01:00
Selva Nair
290cc3f8d5 When parsing '--setenv opt xx ..' make sure a third parameter is present
When no parameters are present, set it to "setenv opt" to trigger a
descriptive error message, and thus get rid of the pesky NULL pointer
dereference.

Trac: #779

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1480470794-6349-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13311.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 997795353916ffcb413a2da02dc7f210fd621954)
2016-11-30 09:37:36 +01:00
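The check the commit above describes, as an added illustration in C (this is not OpenVPN's option parser; the function name, the argv-style `p[]` convention and the output buffer are assumptions made for the example). The option words arrive as a NULL-terminated array, so "setenv opt" with nothing after it leaves p[2] == NULL; the parser must refuse that case before touching p[2], and the error names the directive the user typed:

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical re-implementation of the "setenv opt" check from Trac #779.
 * p[] is an argv-style, NULL-terminated list of words for one directive:
 *   p[0] = "setenv", p[1] = "opt", p[2] = wrapped directive, p[3..] = its args
 * The wrapped directive and its arguments are joined into out (the text that
 * would be re-parsed as an option).  Returns the number of tokens after "opt"
 * (>= 1) on success, or -1 with a descriptive message in err. */
int parse_setenv_opt(const char *const p[], char *out, size_t out_len,
                     char *err, size_t err_len)
{
    if (!p[0] || !p[1] || strcmp(p[0], "setenv") != 0 || strcmp(p[1], "opt") != 0) {
        snprintf(err, err_len, "not a 'setenv opt' directive");
        return -1;
    }
    if (!p[2]) {
        /* The fix: validate the third parameter before any use of p[2].
         * Without this check, strlen(p[2]) below dereferences NULL. */
        snprintf(err, err_len,
                 "'setenv opt' requires a directive name as third parameter");
        return -1;
    }

    size_t used = 0;
    int ntok = 0;
    for (int i = 2; p[i] != NULL; i++, ntok++) {
        size_t len = strlen(p[i]);
        size_t need = len + (ntok ? 1 : 0);   /* one byte for the space separator */
        if (used + need >= out_len) {          /* keep room for the NUL terminator */
            snprintf(err, err_len, "wrapped directive too long");
            return -1;
        }
        if (ntok) {
            out[used++] = ' ';
        }
        memcpy(out + used, p[i], len);
        used += len;
    }
    out[used] = '\0';
    err[0] = '\0';
    return ntok;
}
```

With `setenv opt fragment 1300` the function returns 2 and fills out with `fragment 1300`; with a bare `setenv opt` it returns -1 and the error message says what is missing instead of crashing.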
Christian Hesse
64dc639616 update year in copyright message
This line has not been touched in a long time... Let's update the
copyright message with the recent year.

Signed-off-by: Christian Hesse <mail@eworm.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20161128170820.20371-1-list@eworm.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13270.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7f7d6b2eb0f69f0e8952028488d7aa02619ad76f)
2016-11-28 19:54:28 +01:00
Steffan Karger
384302478f Clean up format_hex_ex()
Cherry-pick of commit 29404010 from master, slightly reworked to match the
2.3 codebase (no flags inside space_break here), and pulled in the new
static_assert() fallback we also have in master now.

Fix a potential null-pointer dereference, and make the code a bit more
readable while doing so.

The NULL dereference could not be triggered, because the current code
never called format_hex_ex() with maxoutput == 0 and separator == NULL.
But it's nicer to not depend on that.

Our use of int vs size_t for lengths needs some attention too, but I'm
not pulling that into this patch.  Instead I decided to just make the
(previously existing) assumption that INT_MAX <= SIZE_MAX explicit by
adding a static_assert().

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1480352107-19652-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13269.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2016-11-28 18:35:06 +01:00
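A hex formatter of the same shape as the one the commit above cleans up, as an added C example (it is not OpenVPN's format_hex_ex(); the signature with a caller-supplied output buffer and the return convention are assumptions for the example). It builds in the two points the commit makes: a NULL separator is legal and simply means "no separator", including when maxoutput is 0, and the INT_MAX <= SIZE_MAX assumption behind returning an int length is stated with a static assert rather than relied on silently:

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Make the int-vs-size_t assumption explicit at compile time, as the
 * commit does, instead of relying on it. */
_Static_assert(INT_MAX <= SIZE_MAX, "int lengths must fit in size_t");

/* Hypothetical hex formatter (not OpenVPN's code).
 *   data/size   : bytes to format
 *   maxoutput   : cap on characters written, 0 means "no cap"
 *   space_break : insert separator before every space_break-th byte, 0 disables
 *   separator   : may be NULL, which means "no separator"
 *   out/out_len : caller-supplied buffer, always NUL-terminated on success
 * Returns the number of characters written (excluding the NUL) or -1 when
 * out_len cannot hold the requested output. */
int format_hex_ex(const uint8_t *data, size_t size, size_t maxoutput,
                  unsigned space_break, const char *separator,
                  char *out, size_t out_len)
{
    static const char hexdigits[] = "0123456789abcdef";
    size_t sep_len = separator ? strlen(separator) : 0;  /* NULL handled here, once */
    size_t written = 0;

    if (out_len == 0) {
        return -1;
    }

    for (size_t i = 0; i < size; i++) {
        /* Separator goes before a byte, never before the first one, and only
         * if the byte that follows it still fits under maxoutput, so the
         * output never ends in a dangling separator. */
        if (i > 0 && space_break > 0 && i % space_break == 0 && sep_len > 0) {
            if (maxoutput && written + sep_len + 2 > maxoutput) {
                break;
            }
            if (written + sep_len >= out_len) {
                return -1;
            }
            memcpy(out + written, separator, sep_len);
            written += sep_len;
        }
        if (maxoutput && written + 2 > maxoutput) {
            break;
        }
        if (written + 2 >= out_len) {
            return -1;
        }
        out[written++] = hexdigits[data[i] >> 4];
        out[written++] = hexdigits[data[i] & 0x0f];
    }
    out[written] = '\0';
    return (int)written;   /* safe: written <= out_len, and out_len fits in int by the assert */
}
```

Formatting the five bytes de ad be ef 01 with a ":" every two bytes yields "dead:beef:01"; with a NULL separator and no cap it yields "deadbeef01"; with maxoutput 5 the output stops at "dead" rather than "dead:"; and a buffer too small for the output returns -1 instead of writing past it.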
David Sommerseth
d5cb6b4948 Document the --auth-token option
This isn't an option to be used directly in any configuration files,
but to be used via --client-connect scripts or --plugin making use of
OPENVPN_PLUGIN_CLIENT_CONNECT or OPENVPN_PLUGIN_CLIENT_CONNECT_V2.

 [v2 - Added lacking .B styling of options
     - Clarified the token life time ]

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1474118415-14666-1-git-send-email-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12506.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f8a367f7c51af5482013fa3d783cade376b047ed)
2016-11-23 20:13:31 +01:00
Selva Nair
f65f85275a Support --block-outside-dns on multiple tunnels
v2: Simplified "add sublayer" code

Currently each instance of openvpn adds WFP filters into an independent
sublayer. As a block in one sublayer can override a permit in another,
this causes all DNS traffic to block when --block-outside-dns is used
in multiple tunnels.

Fix by using a common sublayer for adding firewall rules (filters) from all
instances of openvpn and interactive service.
- The sublayer is added in a persistent session so that it could be
  accessed from multiple sessions.
- The sublayer is identified by a fixed UUID defined in block_dns.c
- Permit filters for tun/tap interfaces are added with explicitly higher
  priority than filters that block all DNS traffic. This is not strictly
  necessary as WFP assigns higher priority to specific filters over generic
  ones, but it may be safer not to rely on that feature.
- All filters are added in dynamic sessions as before. They get
  automatically removed when the process exits. The sublayer will,
  however, persist until reboot.

Resolves Trac 718

- While at it also make sure the WFP session is closed on error in
  win_wfp_block_dns().
- Also fix the function prototype typedefs in win32_wfp.h for
  run-time-resolved fwpm functions

Tested on Windows 7, 10

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1474085439-28766-2-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12466.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2016-11-13 18:16:40 +01:00
Gert Doering
ceac73b04f Repair topology subnet on OpenBSD
Turns out that "topology subnet" never worked totally right on
OpenBSD - the "netmask" parameter to ifconfig is ignored, and one
needs to add a subnet route (and this issue is hidden if an
encompassing route is pushed, like, by using --redirect-gateway).

While at it, apply the hack used for FreeBSD where "an arbitrary
address from the subnet" is used to set the "remote" end of the
tunnel, and point the route to that - so if OpenBSD decides to
change their kernel routing structure the same way, our code still
works (copying from commit 433b3813d8c38b4, trac #425 and commit
60fd44e501f2002, trac #481).

Tested on OpenBSD 6.0 and 4.9

Trac: #710
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20161109201932.80991-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12983.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 7f444dee52321c0f0294e99695150a7f69522715)
2016-11-11 12:37:13 +01:00