Feat deferred client connect 2.4.4 #1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1479327524-25415-1-git-send-email-davids@openvpn.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13110.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Also ensuring the ChangeLog is completely UTF-8 encoded; discovered one ChangeLog entry had ISO-8859-1 encoding. Signed-off-by: David Sommerseth <davids@openvpn.net>
Some places tabs had snuck in instead of spaces, making the rendering on GitHub odd. Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <1479524624-13863-1-git-send-email-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13120.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commit c14c4a9e merged the hash_remove() and hash_add() calls in multi_process_float(), but didn't notice that the hash key (mi->real) was updated between these calls. So we now try to remove the *new* address instead of the *old* address from the hash table. This leaks memory and might break stuff when a different client floats to the old address/port of this client. Restore that. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1479575566-21198-1-git-send-email-steffan@karger.me> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13128.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1479570660-23630-1-git-send-email-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13125.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Since we use C99, we are guaranteed to have stdbool.h available Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1479569756-23302-1-git-send-email-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13123.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
- move p2mp only push_option_fmt to p2mp only section to avoid warning that struct push_list being defined in the argument list - incoming_push_message not declared on client without server by putting it into the right define block Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1479570164-23522-1-git-send-email-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13124.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
commit 35be7e0 removed most references to compat-stdbool.h but overlooked configure and "make dist" Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Selva Nair <selva.nair@gmail.com> Message-Id: <1479628060-32673-1-git-send-email-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13135.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
This also applies to --ifconfig-noexec. Resolves Trac OpenVPN#723 Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1479676734-21630-1-git-send-email-selva.nair@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13143.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
This defines a new DHCP suboption "DNS6", but does not actually
implement anything but "document the option and understand it".
If received, it will be put into an "foreign_option_<n>" environment
variable where an --up script or plugin could receive and act upon it.
On non-Windows platforms, all "dhcp-option" sub-options end up there,
so v4 and v6 DNS options will be reflected like this:
foreign_option_1=dhcp-option DNS6 2001:608::2
foreign_option_2=dhcp-option DNS 195.30.0.2
v2: do not set o->dhcp_options if DNS6 is the single dhcp-option seen
(spotted by Selva Nair)
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <1479746562-751-1-git-send-email-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13174.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
v2: On closing tun delete the ipv6 dns addresses (if any were set). Also use "validate=no" only in Windows 7 and higher where it is supported. Its used to skip the time consuming automatic address validation which is on by default on those platforms. Tested on Windows Server 2008 (i686), Win 7 (x64) and Win 10 (x64) TODO: set dns servers using the interactive service Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1479784332-21680-1-git-send-email-selva.nair@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13193.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Patch V2: Prefer IPv6 DNS servers Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1479814716-20116-1-git-send-email-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13195.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Check return value of buf_init() (found by coverity) * Use the TLS frame to determine the buffer size, as is done for the reliability buffers used for tls-auth. (We previously incorrectly used the TLS *plaintext* buffer size, which is bigger for typical setups with tun-mtu <= 1500. Using the frame to calculate the size saves some bytes for typical setups, and doesn't break setups with big tun-mtu.) * More carefully handle errors in tls_crypt_wrap() - just drop the packet instead of ASSERT()ing out (should not happen in the first place, but this is a bit more friendly if it happens somehow anyway). Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1479847286-17518-1-git-send-email-steffan@karger.me> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13204.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Allows to clone the cmocka submodule from networks where 'anything but web and mail' is firewalled. Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1479845528-16068-1-git-send-email-steffan@karger.me> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13203.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
This function potentially allocates memory, and can therefor not be run again on an initialized key_ctx_bi. Make this explicit by adding an error if someone tries do to this anyway. While touching the function, cleanup it up a bit to make up for the added lines of code. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1479845366-15774-1-git-send-email-steffan@karger.me> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13202.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
This isn't an option to be used directly in any configuration files,
but to be used via --client-connect scripts or --plugin making use of
OPENVPN_PLUGIN_CLIENT_CONNECT or OPENVPN_PLUGIN_CLIENT_CONNECT_V2.
[v2 - Added lacking .B styling of options
- Clarified the token life time ]
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1474118415-14666-1-git-send-email-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12506.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Allows non-NCP peers (<= 2.3, or 2.4+ with --ncp-disable) to specify a --cipher that is different from the one in our config, as long as the new cipher value is allowed (i.e. in --ncp-ciphers at our side). This works both client-to-server and server-to-client. I.e. a 2.4 client with "cipher BF-CBC" and "ncp-ciphers AES-256-GCM:AES-256-CBC" can connect to both a 2.3 server with "cipher BF-CBC" as well as a server with "cipher AES-256-CBC" in its config. The other way around, a 2.3 client with either "cipher BF-CBC" or "cipher AES-256-CBC" can connect to a 2.4 server with e.g. "cipher BF-CBC" and "ncp-ciphers AES-256-GCM:AES-256-CBC" in its config. This patch was inspired by Gert's "Poor man's NCP for 2.3 clients" patch, but takes a different approach to avoid the need for server-side scripts or client-side 'setenv UV_*' tricks. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1479936104-4045-1-git-send-email-steffan@karger.me> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13218.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Originally for "poor man's NCP", I introduced a simpler API for generating data channel keys. That refactoring is no longer needed for that patch, but I believe still worth a patch on it's own. This patch should not change any functionality. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1479931325-25919-2-git-send-email-steffan@karger.me> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13216.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Any existing addresses are deleted before adding - On close_tun all addresses are deleted (only if any were added) Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1479958527-29491-1-git-send-email-selva.nair@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13222.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
This also adds a few missing details from Changes.rst Signed-off-by: David Sommerseth <davids@openvpn.net>
Found by the clang static analyzer: the state_change variable is set, but never read afterwards. This code has been like this since 2005, makes sense without setting state_change to true, and has worked fine for the past 11 years. Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1480344801-27855-1-git-send-email-steffan.karger@fox-it.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13260.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
This define has been enabled by default since 2005, and was not configurable through ./configure (but just by changing ssl.h). Let's get rid of it. Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1480344801-27855-2-git-send-email-steffan.karger@fox-it.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13261.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Fix a potential null-pointer dereference, and make the code a bit more readable while doing so. The NULL dereference could not be triggered, because the current code never called format_hex_ex() with maxouput == 0 and separator == NULL. But it's nicer to not depend on that. Our use of int vs size_t for lengths needs some attention too, but I'm not pulling that into this patch. Instead I decided to just make the (previously existing) assumption that INT_MAX <= SIZE_MAX explicit by adding a static_assert(). Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1480343200-25908-1-git-send-email-steffan.karger@fox-it.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13259.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
This line has not been touched in a long time... Let's update the copyright message with recent year. Signed-off-by: Christian Hesse <mail@eworm.de> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20161128170820.20371-1-list@eworm.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13270.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Escape backslash characters in windows path names. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Selva Nair <selva.nair@gmail.com> Message-Id: <1480360012-9479-1-git-send-email-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13274.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
…on wait Commit 63b3e00.. fixed SIGTERM getting lost during exit notification by ignoring any restart signals triggered during this interval. However, as reported in Trac 777, this could result in repeated triggering of restart signals when the event loop cannot continue without restart due to IO errors or timeout. Avoid by converting soft SIGUSR1 and SIGHUP signals received during exit-notify wait period to SIGTERM. Trac OpenVPN#777 Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1480386424-30876-1-git-send-email-selva.nair@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13284.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
As described in trac OpenVPN#751, and shortly after reported by Zhaomo Yang, of the University of California, San Diego, we use memset() (often through the CLEAR() macro) to erase secrets after use. In some cases however, the compiler might optimize these calls away. This patch replaces these memset() calls on secrets by calls to a new secure_memzero() function, that will not be optimized away. Since we use CLEAR() a LOT of times, I'm not changing that to use secure_memzero() to prevent performance impact. I did annotate the macro to point people at secure_memzero(). This patch also replaces some CLEAR() or memset() calls with a zero- initialization using "= { 0 }" if that has the same effect, because that better captures the intend of that code. Trac: OpenVPN#751 Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1480371252-3880-1-git-send-email-steffan@karger.me> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13278.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
When no parameters are present, set it to "setenv opt" to trigger a descriptive error message. And, thus get rid of the pesky NULL pointer dereferencing. Trac: #779 Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1480470794-6349-1-git-send-email-selva.nair@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13311.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
The service deletes all added routes when the client process (openvpn) exits, causing the re-instated default route to disappear. Fix by rewriting "--redirect-gateway" to "--redirect-gateway def1" when routes are set using interactive service. Only the behaviour on Windows with intereactive service is affected. Trac: OpenVPN#778 Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1480466372-2396-1-git-send-email-selva.nair@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13307.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
A simple clean-up where the version references have been unified
all those places I could find now. The versioning scheme used is:
* OpenVPN 2.x
* v2.x
We want to avoid:
* 2.x (2.4 can be just an ordindary decimal number,
OID reference, a version number or anything else)
* OpenVPN v2.x (OpenVPN indicates we're talking about a version)
In addition, several places where it made sense I tried to ensure
the first version reference uses "OpenVPN 2.x" and the following
references in the same section/paragraph uses "v2.x", to set the
context for the version reference.
In Changes.rst modified paragraphs exceeding 80 chars lines where
reformatted as well.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20170815205301.14542-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15260.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 500854c)
mroute_extract_addr_ipv4() is able to extract an IPv4 as well as an IPv6. Remove the "v4" suffix from its name to make this behaviour more explicit. Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: David Sommerseth <davids@openvpn.net> Message-Id: <20170724143559.11503-1-a@unstable.cc> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15129.html Signed-off-by: David Sommerseth <davids@openvpn.net> (cherry picked from commit 3b38c43)
Instead of always initialize the encrypt and decrypt keys separately, implement an helper function init_key_ctx_bi() that takes care of both of them for us. Reduces code duplication and improves readability. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Antonio Quartulli <a@unstable.cc> Message-Id: <20170707044704.7239-1-a@unstable.cc> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15011.html Signed-off-by: David Sommerseth <davids@openvpn.net> (cherry picked from commit 974513e)
Enable coverity analysis for the release/2.4 branch. We can only do a limited number of coverity scans per week with our FOSS account, but since we only occasionally push commits, that should work out fine. But this limit is the reason we don't use the standard travis addon, because that would cause the coverity script to run on all of our matrix builds. That would cause us to reach our limit faster, and waste travis' resources. Since our FOSS coverity account doesn't handle multiple branches very well, we have to pick one branch to run coverity on. I think it's best to use the most recent stable branch for that (i.e. for now, release/2.4). Though for ease of maintenance, it's probably best to apply the patch to both master and release/2.4. Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Antonio Quartulli <a@unstable.cc> Message-Id: <1502207741-31750-1-git-send-email-steffan.karger@fox-it.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15176.html Signed-off-by: David Sommerseth <davids@openvpn.net> (cherry picked from commit 4a05f15)
Although this patch adds more ifdefs, this is an easy fix towards a no-warning-build process. A proper cleanup should be carried out later on route.c. Signed-off-by: Antonio Quartulli <antonio@openvpn.net> Reviewed-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: David Sommerseth <davids@openvpn.net> Message-Id: <20170816125504.21181-1-a@unstable.cc> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15272.html Signed-off-by: David Sommerseth <davids@openvpn.net> (cherry picked from commit 22e75ca)
If tls_crypt_unwrap() failed, we would jump to cleanup and forget to free the buffer. Instead, allocate the buffer through gc, which is free'd in the cleanup section. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: David Sommerseth <davids@openvpn.net> Message-Id: <20170816170450.10415-1-steffan@karger.me> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15282.html Signed-off-by: David Sommerseth <davids@openvpn.net> (cherry picked from commit fca8937)
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: David Sommerseth <davids@openvpn.net> Message-Id: <20170819075209.28520-1-a@unstable.cc> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15293.html Signed-off-by: David Sommerseth <davids@openvpn.net> (cherry picked from commit 42d9f32)
Correct usage example: --verify-x509-name name-stub- name-prefix
This was to correct "--verfiy-x509-name Server -name-prexif"
to "--verify-x509-name Server- name-prefix"
Escape all dashes (with some exceptions)
[DS: On-the-fly change - Updated copyright year from 2010 to 2017]
Signed-off-by: Richard Bonhomme <fragmentux@gmail.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20170819203735.8681-1-fragmentux@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15297.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 510c8ad)
The OSX and mingw builds are much slower than the other jobs. Our free travis account can only use 4 build executors in parallel. Run the slow builds earlier, so that when one or more of these finish, the free build executors will start building the configure variants in parallel with the slow ones. (Instead of doing the slow ones last, which results in using only 1-2 executors during the end stage.) Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Antonio Quartulli <a@unstable.cc> Message-Id: <1503220744-5569-1-git-send-email-steffan@karger.me> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15302.html Signed-off-by: David Sommerseth <davids@openvpn.net> (cherry picked from commit e0a6afa)
There were references in our documentation to the now deprecated PolarSSL
library, which have changed name upstream to mbed TLS.
In addition, where appropriate, the documentation now considers only
mbed TLS 2.0 and newer. This is in accordance with the requirements
./configure sets.
[DS: On-the-fly change - Updated Makefile.am to use README.mbedtls
instead of README.polarssl. This ensures make dist and buildbots
won't explode]
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20170822114715.14225-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15309.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit ed0e799)
!A || (A && B) is equivalent to the simpler !A || B therefore it is preferable to use the second version as it is simpler to parse while reading the code. Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: David Sommerseth <davids@openvpn.net> Message-Id: <20170824075547.29844-1-a@unstable.cc> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15313.html Signed-off-by: David Sommerseth <davids@openvpn.net> (cherry picked from commit 10ae9ed)
If specified in a tls-client context, don't try to open the file as it's not used. Worse even, if 'none' was specified to disable explicitly, it complained that the file 'none' could not be found. [DS: On-the-fly update - Prefixed the message with 'WARNING: '] Signed-off-by: Gert van Dijk <gert@gertvandijk.net> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: David Sommerseth <davids@openvpn.net> Message-Id: <20170827161515.2424-1-gert@gertvandijk.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15332.html Signed-off-by: David Sommerseth <davids@openvpn.net> (cherry picked from commit 47a0a80)
* safe bet to say that server admins are better at updating their configs than client users are and if client do want to restrict their ciphers, they should simply evict the ciphers they don't want from their cipher suite * mbed TLS and OpenSSL behave more similar with the SSL_OP_CIPHER_SERVER_PREFERENCE flag Signed-off-by: Szilárd Pfeiffer <coroner@pfeifferszilard.hu> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <20170904081012.1975-1-coroner@pfeifferszilard.hu> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15356.html Signed-off-by: David Sommerseth <davids@openvpn.net> (cherry picked from commit 5fd8e94)
By default, when systemd is stopping OpenVPN it will send the SIGTERM to all processes within the same process control-group. This can come as a surprise to plug-ins which may have fork()ed out child processes. So we tell systemd to only send the SIGTERM signal to the main OpenVPN process and let OpenVPN take care of the shutdown process on its own. If the main OpenVPN process does not stop within 90 seconds (unless changed), it will send SIGKILL to all remaining processes within the same process control-group. This issue have been reported in both Debian and Fedora. Trac: 581 Message-Id: <20170906234705.26202-1-davids@openvpn.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15369.html Signed-off-by: David Sommerseth <davids@openvpn.net> [DS: Applied lazy-ack policy] (cherry picked from commit 29446a1)
Commit 23d61c5 introduced the AF_UNSPEC socket family to be used when we don't know the actual one until the local socket binding is performed. In such case AF_UNSPEC is stored in the `ce.af` member of the `c->options` object, indicating that the family has to be determined at runtime. However, the determined value is never propagated back to the `options` object, which remains AF_UNSPEC and that is later used to initialize the TCP children contexts (UDP children contexts are unaffected). This unexpected setting can trigger weird behaviours, like the one reported in ticket OpenVPN#933. In this case the value AF_UNSPEC in combination with the changes implemented in 2bed089 are leading to a TCP server quitting with M_FATAL upon client connection. Note that the misbehaviour described in OpenVPN#933 can only be triggered when running a TCP server with mtu-disc set in the config (no matter the value). Fix this inconsistency by always propagating the AF family from the top to the child context when running in TCP server mode. As a direct consequence, this patch fixes Trac OpenVPN#933. Trac: 933 Signed-off-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <20170907095530.15972-1-a@unstable.cc> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15380.html Signed-off-by: David Sommerseth <davids@openvpn.net> (cherry picked from commit 682e7fe)
Systemd supervises services it has started and can act upon unexpected scenarios. This change will restart OpenVPN after 5 seconds if the OpenVPN process exits unexpectedly. The on-failure mode is the recommended mode by upstream systemd. This change have been tested on a test server for some month, and it works indeed as intended when provoking the OpenVPN process to stop. Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: David Sommerseth <davids@openvpn.net> Message-Id: <20170906235202.26551-1-davids@openvpn.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15370.html Signed-off-by: David Sommerseth <davids@openvpn.net> (cherry picked from commit a4686e9)
The bounds check in read_key() was performed after using the value, instead of before. If 'key-method 1' is used, this allowed an attacker to send a malformed packet to trigger a stack buffer overflow. Fix this by moving the input validation to before the writes. Note that 'key-method 1' has been replaced by 'key method 2' as the default in OpenVPN 2.0 (released on 2005-04-17), and explicitly deprecated in 2.4 and marked for removal in 2.5. This should limit the amount of users impacted by this issue. CVE: 2017-12166 Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@openvpn.net> Message-Id: <80690690-67ac-3320-1891-9fecedc6a1fa@fox-it.com> URL: https://www.mail-archive.com/search?l=mid&q=80690690-67ac-3320-1891-9fecedc6a1fa@fox-it.com Signed-off-by: David Sommerseth <davids@openvpn.net> (cherry picked from commit 3b1a61e)
We are using a deprecated function, LZ4_compress_limitedOutput(), which will be removed with time. The correct function to use is LZ4_compress_default(). Both function takes the same number of arguments and data types, so the change is minimal. This patch will also enforce the system LZ4 library to be at least v1.7.1. If the system library is not found or it is older, it will be build using the bundled LZ4 library. The version number requirement is based on the LZ4 version we ship. The changes in configure.ac for the version check is modelled around the same approach we use for OpenSSL. Plus it does a few minor reformats and improvements to comply with more recommend autoconf coding style. This patch is a result of the discussions in this mail thread: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14135.html Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20170907172004.22534-1-davids@openvpn.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15396.html Signed-off-by: David Sommerseth <davids@openvpn.net> (cherry picked from commit 5f6225c)
Signed-off-by: David Sommerseth <davids@openvpn.net>
…tions This patch splits up the multi_connection_established() function. Each new helper function does a specific job. Functions that do a similar job receive a similar calling interface. The patch tries not to reindent code, so that the real changes are as clearly visible as possible. (A follow-up patch will only do indentation changes.) Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de>
This patch adds proper indentation to all new helper functions. No functional changes are performed. Nothing is moved around. Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de>
Refactor multi_client_connect_source_ccd(), so that options_server_import() (or the success path in general) is only entered in one place within the function. Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de>
This patch moves multi_client_connect_setenv into multi_client_connect_early_setup and makes sure that every client-connect handling function updates the virtual address selection. Background: This unifies how the client-connect handling functions work. Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de>
…passed-in flag This patch changes the way the client-connect helper functions communicate with the main function. Instead of updating cc_succeeded and cc_succeeded_count, they now return either CC_RET_SUCCEEDED, CC_RET_FAILED or CC_RET_SKIPPED. In addition, the client-connect helpers are now called in completely identical ways. This is in preparation of handling the helpers as simple call-backs. Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de>
…f hooks in a loop This patch changes the calling of the client-connect functions into an array of hooks and a block of code that calls them in a loop. Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de>
…nect This patch moves the state, that was previously tracked within the multi_connection_established() function, into struct client_connect_state. The multi_connection_established() function can now be exited and re-entered as many times as necessary - without losing the client-connect handling state. The patch also adds the new return value CC_RET_DEFERRED which indicates that the handler couldn't complete immediately, and needs to be called later. At that point multi_connection_established() will exit without indicating completion. Each client-connect handler now has an (optional) additional call-back: The call-back for handling the deferred case. If the main call-back returns CC_RET_DEFERRED, the next call to the handler will be through the deferred call-back. Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de>
…dler This patch introduces the concept of a return value file for the client-connect handlers. (This is very similar to the auth value file used during deferred authentication.) The file name is stored in the client_connect_state struct. In addition, the patch also allows the storage of the client config file name in struct client_connect_state. Both changes are used by the client-connect script handler to support deferred client-connection handling. The deferred return value file (deferred_ret_file) is passed to the actual script via the environment. If the script succeeds and writes the value for deferral into the deferred_ret_file, the handler knows to indicate deferral. Later on, the deferred handler checks whether the value of the deferred_ret_file has been updated to success or failure. Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de>
…handler Uses the infrastructure provided and used in the previous patch to provide deferral support to the v1 client-connect plugin handler as well. Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
19 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hello,
Here is your feature rebased against current OpenVPN 2.4.4. File
multi.cis heavily changed by your patchset, so during process of cherry-picking I found taking your version of this file and applying differences in this file between OpenVPN versions 2.3 and 2.4 manually to be an easiest way.Please review if result is sane.