authorJörg Frings-Fürst <debian@jff.email>2018-07-29 13:59:08 +0200
committerJörg Frings-Fürst <debian@jff.email>2018-07-29 13:59:08 +0200
commitec0c1de5bfbf202261ca511d372c761b9745935b (patch)
tree3ebf1c9da90db82b07f7785332c9a35cc46aca19
parent3408a277eb3293c0c29d50c66b42727ad31181aa (diff)
parent2c8e4bc4f9ab94e4d0b63341820d471af7c28c6c (diff)
Update upstream source from tag 'upstream/2.4.6'
Update to upstream version '2.4.6' with Debian dir 5e8196d02f26c4d63556a6dd9332ec86b95574cd
-rw-r--r--ChangeLog28
-rw-r--r--Changes.rst26
-rwxr-xr-xconfigure26
-rw-r--r--distro/rpm/openvpn.spec2
-rw-r--r--doc/openvpn.831
-rw-r--r--include/openvpn-plugin.h2
-rw-r--r--src/openvpn/interval.c8
-rw-r--r--src/openvpn/interval.h2
-rw-r--r--src/openvpn/openssl_compat.h4
-rw-r--r--src/openvpn/options.c9
-rw-r--r--src/openvpn/ssl.c3
-rw-r--r--src/openvpn/ssl_mbedtls.c6
-rw-r--r--src/openvpn/ssl_openssl.c4
-rw-r--r--src/openvpn/tun.c6
-rw-r--r--src/openvpnserv/interactive.c23
-rw-r--r--version.m44
16 files changed, 139 insertions, 45 deletions
diff --git a/ChangeLog b/ChangeLog
index 99772a3..2d6f3e5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,7 +1,33 @@
OpenVPN Change Log
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
-2018.02.28 -- Version 2.4.4
+2018.04.19 -- Version 2.4.6
+David Sommerseth (1):
+ management: Warn if TCP port is used without password
+
+Gert Doering (2):
+ Correct version in ChangeLog - should be 2.4.5, was mistyped as 2.4.4
+ Fix potential double-free() in Interactive Service (CVE-2018-9336)
+
+Gert van Dijk (1):
+ manpage: improve description of --status and --status-version
+
+Joost Rijneveld (1):
+ Make return code external tls key match docs
+
+Selva Nair (3):
+ Delete the IPv6 route to the "connected" network on tun close
+ Management: warn about password only when the option is in use
+ Avoid overflow in wakeup time computation
+
+Simon Matter (1):
+ Add missing #ifdef SSL_OP_NO_TLSv1_1/2
+
+Steffan Karger (1):
+ Check for more data in control channel
+
+
+2018.02.28 -- Version 2.4.5
Antonio Quartulli (4):
reload HTTP proxy credentials when moving to the next connection profile
Allow learning iroutes with network made up of all 0s (only if netbits < 8)
diff --git a/Changes.rst b/Changes.rst
index 4168d62..b8ed5ce 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -320,6 +320,32 @@ Maintainer-visible changes
use -std=gnu99 in CFLAGS. This is known to be needed when doing
i386/i686 builds on RHEL5.
+Version 2.4.6
+=============
+This is primarily a maintenance release with minor bugfixes and improvements,
+and one security relevant fix for the Windows Interactive Service.
+
+User visible changes
+--------------------
+- warn if the management interface is configured with a TCP port and
+ no password is set (because it might be possible to interfere with
+ OpenVPN operation by tricking other programs into connecting to the
+ management interface and inject unwanted commands)
+
+Bug fixes
+---------
+- CVE-2018-9336: fix potential double-free() in the Interactive Service
+ (Windows) on malformed input.
+
+- avoid possible integer overflow in wakeup computation (trac #922)
+
+- improve handling of incoming packet bursts for control channel data
+
+- fix compilation with older OpenSSL versions that were broken in 2.4.5
+
+- Windows + interactive Service: delete the IPv6 route to the "connected"
+ network on tun close
+
Version 2.4.5
=============
diff --git a/configure b/configure
index 39ae612..eb53f8f 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for OpenVPN 2.4.5.
+# Generated by GNU Autoconf 2.69 for OpenVPN 2.4.6.
#
# Report bugs to <openvpn-users@lists.sourceforge.net>.
#
@@ -590,8 +590,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='OpenVPN'
PACKAGE_TARNAME='openvpn'
-PACKAGE_VERSION='2.4.5'
-PACKAGE_STRING='OpenVPN 2.4.5'
+PACKAGE_VERSION='2.4.6'
+PACKAGE_STRING='OpenVPN 2.4.6'
PACKAGE_BUGREPORT='openvpn-users@lists.sourceforge.net'
PACKAGE_URL=''
@@ -1465,7 +1465,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures OpenVPN 2.4.5 to adapt to many kinds of systems.
+\`configure' configures OpenVPN 2.4.6 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1536,7 +1536,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of OpenVPN 2.4.5:";;
+ short | recursive ) echo "Configuration of OpenVPN 2.4.6:";;
esac
cat <<\_ACEOF
@@ -1743,7 +1743,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-OpenVPN configure 2.4.5
+OpenVPN configure 2.4.6
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2582,7 +2582,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by OpenVPN $as_me 2.4.5, which was
+It was created by OpenVPN $as_me 2.4.6, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -2946,13 +2946,13 @@ if test -z "${htmldir}"; then
fi
-$as_echo "#define OPENVPN_VERSION_RESOURCE 2,4,5,0" >>confdefs.h
+$as_echo "#define OPENVPN_VERSION_RESOURCE 2,4,6,0" >>confdefs.h
OPENVPN_VERSION_MAJOR=2
OPENVPN_VERSION_MINOR=4
-OPENVPN_VERSION_PATCH=.5
+OPENVPN_VERSION_PATCH=.6
$as_echo "#define OPENVPN_VERSION_MAJOR 2" >>confdefs.h
@@ -2961,7 +2961,7 @@ $as_echo "#define OPENVPN_VERSION_MAJOR 2" >>confdefs.h
$as_echo "#define OPENVPN_VERSION_MINOR 4" >>confdefs.h
-$as_echo "#define OPENVPN_VERSION_PATCH \".5\"" >>confdefs.h
+$as_echo "#define OPENVPN_VERSION_PATCH \".6\"" >>confdefs.h
ac_aux_dir=
@@ -3485,7 +3485,7 @@ fi
# Define the identity of the package.
PACKAGE='openvpn'
- VERSION='2.4.5'
+ VERSION='2.4.6'
cat >>confdefs.h <<_ACEOF
@@ -18731,7 +18731,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by OpenVPN $as_me 2.4.5, which was
+This file was extended by OpenVPN $as_me 2.4.6, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -18797,7 +18797,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-OpenVPN config.status 2.4.5
+OpenVPN config.status 2.4.6
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
diff --git a/distro/rpm/openvpn.spec b/distro/rpm/openvpn.spec
index 08188b3..2e28304 100644
--- a/distro/rpm/openvpn.spec
+++ b/distro/rpm/openvpn.spec
@@ -13,7 +13,7 @@
Summary: OpenVPN is a robust and highly flexible VPN daemon by James Yonan.
Name: openvpn
-Version: 2.4.5
+Version: 2.4.6
Release: 1
URL: http://openvpn.net/
Source0: http://prdownloads.sourceforge.net/openvpn/%{name}-%{version}.tar.gz
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index f8627ab..7512bfb 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -2460,12 +2460,37 @@ seconds.
Status can also be written to the syslog by sending a
.B SIGUSR2
signal.
+
+With multi\-client capability enabled on a server, the status file includes a
+list of clients and a routing table. The output format can be controlled by the
+.B \-\-status\-version
+option in that case.
+
+For clients or instances running in point\-to\-point mode, it will contain the
+traffic statistics.
.\"*********************************************************
.TP
.B \-\-status\-version [n]
-Choose the status file format version number. Currently
-.B n
-can be 1, 2, or 3 and defaults to 1.
+Set the status file format version number to
+.B n\fR.
+
+This only affects the status file on servers with multi\-client capability
+enabled.
+
+.B 1
+\-\- traditional format (default). The client list contains the following
+fields comma\-separated: Common Name, Real Address, Bytes Received, Bytes Sent,
+Connected Since.
+.br
+.B 2
+\-\- a more reliable format for external processing. Compared to version 1, the
+client list contains some additional fields: Virtual Address, Virtual IPv6
+Address, Username, Client ID, Peer ID.
+Future versions may extend the number of fields.
+.br
+.B 3
+\-\- identical to 2, but fields are tab\-separated.
+
.\"*********************************************************
.TP
.B \-\-mute n
diff --git a/include/openvpn-plugin.h b/include/openvpn-plugin.h
index f9e11d3..20526b1 100644
--- a/include/openvpn-plugin.h
+++ b/include/openvpn-plugin.h
@@ -55,7 +55,7 @@ extern "C" {
*/
#define OPENVPN_VERSION_MAJOR 2
#define OPENVPN_VERSION_MINOR 4
-#define OPENVPN_VERSION_PATCH ".5"
+#define OPENVPN_VERSION_PATCH ".6"
/*
* Plug-in types. These types correspond to the set of script callbacks
diff --git a/src/openvpn/interval.c b/src/openvpn/interval.c
index 00ee627..b728560 100644
--- a/src/openvpn/interval.c
+++ b/src/openvpn/interval.c
@@ -51,11 +51,12 @@ event_timeout_trigger(struct event_timeout *et,
if (et->defined)
{
- int wakeup = (int) et->last + et->n - local_now;
+ time_t wakeup = et->last - local_now + et->n;
if (wakeup <= 0)
{
#if INTERVAL_DEBUG
- dmsg(D_INTERVAL, "EVENT event_timeout_trigger (%d) etcr=%d", et->n, et_const_retry);
+ dmsg(D_INTERVAL, "EVENT event_timeout_trigger (%d) etcr=%d", et->n,
+ et_const_retry);
#endif
if (et_const_retry < 0)
{
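Review bot: The reordered expression `time_t wakeup = et->last - local_now + et->n;` carries no comment saying why the operand order and type matter, so a later "tidy-up" could reintroduce the overflow. The old form cast `et->last` to int before any arithmetic, truncating a 64-bit time_t, which is the overflow Changes.rst attributes to trac #922; the new form subtracts the two time_t values first so only the small remaining interval is left. I would add `/* subtract first: et->last and local_now are time_t; casting to int before the arithmetic overflowed (trac #922) */` above the declaration. event_timeout_trigger begins before this hunk and continues past it.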
@@ -72,7 +73,8 @@ event_timeout_trigger(struct event_timeout *et,
if (tv && wakeup < tv->tv_sec)
{
#if INTERVAL_DEBUG
- dmsg(D_INTERVAL, "EVENT event_timeout_wakeup (%d/%d) etcr=%d", wakeup, et->n, et_const_retry);
+ dmsg(D_INTERVAL, "EVENT event_timeout_wakeup (%d/%d) etcr=%d",
+ (int) wakeup, et->n, et_const_retry);
#endif
tv->tv_sec = wakeup;
tv->tv_usec = 0;
diff --git a/src/openvpn/interval.h b/src/openvpn/interval.h
index 826a08b..5623f3a 100644
--- a/src/openvpn/interval.h
+++ b/src/openvpn/interval.h
@@ -196,7 +196,7 @@ event_timeout_modify_wakeup(struct event_timeout *et, interval_t n)
static inline interval_t
event_timeout_remaining(struct event_timeout *et)
{
- return (int) et->last + et->n - now;
+ return (interval_t) (et->last - now + et->n);
}
/*
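Review bot: The cast in `return (interval_t) (et->last - now + et->n);` silently truncates once the remaining time no longer fits interval_t (a plain int, judging by the old `(int)` cast), for instance after a large clock jump, and that limit is not stated anywhere in the function. Computing the difference in time_t removes the overflow the old code had, but the value still has to fit the return type callers expect. I would put `/* difference is computed in time_t; the cast to interval_t is only safe while the remaining time fits an int */` above the return.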
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index c3152d0..9f53069 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -672,14 +672,18 @@ SSL_CTX_get_min_proto_version(SSL_CTX *ctx)
{
return TLS1_VERSION;
}
+#ifdef SSL_OP_NO_TLSv1_1
if (!(sslopt & SSL_OP_NO_TLSv1_1))
{
return TLS1_1_VERSION;
}
+#endif
+#ifdef SSL_OP_NO_TLSv1_2
if (!(sslopt & SSL_OP_NO_TLSv1_2))
{
return TLS1_2_VERSION;
}
+#endif
return 0;
}
#endif /* SSL_CTX_get_min_proto_version */
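Review bot: With the new `#ifdef` guards the trailing `return 0;` now also covers a library that defines neither SSL_OP_NO_TLSv1_1 nor SSL_OP_NO_TLSv1_2 while TLS 1.0 is disabled, and nothing in the shim says what a caller should make of that value. A comment above it, `/* nothing enabled, or the library knows no TLS > 1.0: report 0 (unknown) rather than a version */`, keeps a caller from treating 0 as a real minimum; whether existing callers of this compat function already handle 0 is not visible here. The function's opening lines are outside the hunk.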
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 3f9164c..d1adfb6 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2189,6 +2189,15 @@ options_postprocess_verify_ce(const struct options *options, const struct connec
{
msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
}
+
+ if (options->management_addr
+ && !(options->management_flags & MF_UNIX_SOCK)
+ && (!options->management_user_pass))
+ {
+ msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT "
+ "passwords is STRONGLY discouraged and considered insecure");
+ }
+
#endif
/*
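Review bot: The new warning fires for every non-Unix-socket management listener, including one bound to 127.0.0.1, but the check does not record why a loopback bind is not considered safe, which invites someone to "fix" it by exempting localhost. The rationale given in Changes.rst for this change — other local programs, or a browser tricked into connecting, can inject management commands — belongs next to the condition: `/* even on loopback any local process (or a browser tricked into connecting) can inject commands: warn regardless of bind address */`. The enclosing options_postprocess_verify_ce begins before this hunk and continues past it.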
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index effb8b2..ab42f0c 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -2946,6 +2946,9 @@ tls_process(struct tls_multi *multi,
{
state_change = true;
dmsg(D_TLS_DEBUG, "TLS -> Incoming Plaintext");
+
+ /* More data may be available, wake up again asap to check. */
+ *wakeup = 0;
}
}
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index 74b4726..3f579e1 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -630,7 +630,7 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx,
if (ctx->crt_chain == NULL)
{
- return 0;
+ return 1;
}
ALLOC_OBJ_CLEAR(ctx->external_key, struct external_context);
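Review bot: The early exit `return 1;` for a NULL `ctx->crt_chain` now signals failure (0 means success after this commit) but does so silently, whereas the other failure path in the same function goes through `mbed_ok`, which presumably logs the mbedtls error; an operator who enables the external key before a certificate is loaded gets no explanation. Unless the caller already reports this case, I would add `msg(M_WARN, "tls_ctx_use_external_private_key: no certificate loaded");` before the return, using the same msg() reporting the options.c hunk in this series relies on. tls_ctx_use_external_private_key starts before this hunk.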
@@ -640,10 +640,10 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx,
if (!mbed_ok(mbedtls_pk_setup_rsa_alt(ctx->priv_key, ctx->external_key,
NULL, external_pkcs1_sign, external_key_len)))
{
- return 0;
+ return 1;
}
- return 1;
+ return 0;
}
#endif /* ifdef MANAGMENT_EXTERNAL_KEY */
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index f23d246..e57b6d2 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -1168,7 +1168,7 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx,
X509_free(cert);
RSA_free(rsa); /* doesn't necessarily free, just decrements refcount */
- return 1;
+ return 0;
err:
if (cert)
@@ -1187,7 +1187,7 @@ err:
}
}
crypto_msg(M_FATAL, "Cannot enable SSL external private key capability");
- return 0;
+ return 1;
}
#endif /* ifdef MANAGMENT_EXTERNAL_KEY */
diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
index b071823..0e44e9b 100644
--- a/src/openvpn/tun.c
+++ b/src/openvpn/tun.c
@@ -6185,6 +6185,9 @@ close_tun(struct tuntap *tt)
{
if (tt->did_ifconfig_ipv6_setup)
{
+ /* remove route pointing to interface */
+ delete_route_connected_v6_net(tt, NULL);
+
if (tt->options.msg_channel)
{
do_address_service(false, AF_INET6, tt);
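Review bot: The moved `delete_route_connected_v6_net(tt, NULL);` now also runs on the interactive-service path (`tt->options.msg_channel` set), where the openvpn process itself is unprivileged; this only works if that function internally dispatches the deletion over the service channel when msg_channel is set, which is not visible here and is worth confirming. If it instead shells out to route/netsh, the call fails on that path and the route stays behind — the very leak the commit sets out to fix. A comment stating the assumption, `/* runs for both paths; delete_route_connected_v6_net must go through the service when msg_channel is set */`, makes the dependency explicit. close_tun begins before this hunk.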
@@ -6198,9 +6201,6 @@ close_tun(struct tuntap *tt)
const char *ifconfig_ipv6_local;
struct argv argv = argv_new();
- /* remove route pointing to interface */
- delete_route_connected_v6_net(tt, NULL);
-
/* "store=active" is needed in Windows 8(.1) to delete the
* address we added (pointed out by Cedric Tabary).
*/
diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
index 19be0db..9cfc94e 100644
--- a/src/openvpnserv/interactive.c
+++ b/src/openvpnserv/interactive.c
@@ -453,7 +453,6 @@ static BOOL
GetStartupData(HANDLE pipe, STARTUP_DATA *sud)
{
size_t len;
- BOOL ret = FALSE;
WCHAR *data = NULL;
DWORD size, bytes, read;
@@ -462,7 +461,7 @@ GetStartupData(HANDLE pipe, STARTUP_DATA *sud)
{
MsgToEventLog(M_SYSERR, TEXT("PeekNamedPipeAsync failed"));
ReturnLastError(pipe, L"PeekNamedPipeAsync");
- goto out;
+ goto err;
}
size = bytes / sizeof(*data);
@@ -470,7 +469,7 @@ GetStartupData(HANDLE pipe, STARTUP_DATA *sud)
{
MsgToEventLog(M_SYSERR, TEXT("malformed startup data: 1 byte received"));
ReturnError(pipe, ERROR_STARTUP_DATA, L"GetStartupData", 1, &exit_event);
- goto out;
+ goto err;
}
data = malloc(bytes);
@@ -478,7 +477,7 @@ GetStartupData(HANDLE pipe, STARTUP_DATA *sud)
{
MsgToEventLog(M_SYSERR, TEXT("malloc failed"));
ReturnLastError(pipe, L"malloc");
- goto out;
+ goto err;
}
read = ReadPipeAsync(pipe, data, bytes, 1, &exit_event);
@@ -486,14 +485,14 @@ GetStartupData(HANDLE pipe, STARTUP_DATA *sud)
{
MsgToEventLog(M_SYSERR, TEXT("ReadPipeAsync failed"));
ReturnLastError(pipe, L"ReadPipeAsync");
- goto out;
+ goto err;
}
if (data[size - 1] != 0)
{
MsgToEventLog(M_ERR, TEXT("Startup data is not NULL terminated"));
ReturnError(pipe, ERROR_STARTUP_DATA, L"GetStartupData", 1, &exit_event);
- goto out;
+ goto err;
}
sud->directory = data;
@@ -503,7 +502,7 @@ GetStartupData(HANDLE pipe, STARTUP_DATA *sud)
{
MsgToEventLog(M_ERR, TEXT("Startup data ends at working directory"));
ReturnError(pipe, ERROR_STARTUP_DATA, L"GetStartupData", 1, &exit_event);
- goto out;
+ goto err;
}
sud->options = sud->directory + len;
@@ -513,16 +512,16 @@ GetStartupData(HANDLE pipe, STARTUP_DATA *sud)
{
MsgToEventLog(M_ERR, TEXT("Startup data ends at command line options"));
ReturnError(pipe, ERROR_STARTUP_DATA, L"GetStartupData", 1, &exit_event);
- goto out;
+ goto err;
}
sud->std_input = sud->options + len;
- data = NULL; /* don't free data */
- ret = TRUE;
+ return TRUE;
-out:
+err:
+ sud->directory = NULL; /* caller must not free() */
free(data);
- return ret;
+ return FALSE;
}
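Review bot: The err path resets only `sud->directory`, but `sud->options` has already been pointed into `data` when the "ends at command line options" check fails (earlier hunk), so after `free(data)` the caller still holds a dangling `sud->options` even though the double free is gone. Clearing all three members together, `sud->directory = NULL; sud->options = NULL; sud->std_input = NULL;` (or zeroing the struct if STARTUP_DATA holds only these pointers), leaves every pointer in the struct either valid or NULL on failure. Whether the caller touches those members after a FALSE return is not visible here, so this is defence in depth against the same class of bug as CVE-2018-9336. GetStartupData begins before this hunk.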
diff --git a/version.m4 b/version.m4
index 7ccc179..fd4f32a 100644
--- a/version.m4
+++ b/version.m4
@@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN])
define([PRODUCT_TARNAME], [openvpn])
define([PRODUCT_VERSION_MAJOR], [2])
define([PRODUCT_VERSION_MINOR], [4])
-define([PRODUCT_VERSION_PATCH], [.5])
+define([PRODUCT_VERSION_PATCH], [.6])
m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net])
-define([PRODUCT_VERSION_RESOURCE], [2,4,5,0])
+define([PRODUCT_VERSION_RESOURCE], [2,4,6,0])
dnl define the TAP version
define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])