From 2c8e4bc4f9ab94e4d0b63341820d471af7c28c6c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?=
Date: Sun, 29 Jul 2018 13:59:02 +0200
Subject: New upstream version 2.4.6

---
 ChangeLog | 28 +++++++++++++++++++++++++++-
 Changes.rst | 26 ++++++++++++++++++++++++++
 configure | 26 +++++++++++++-------------
 distro/rpm/openvpn.spec | 2 +-
 doc/openvpn.8 | 31 ++++++++++++++++++++++++++++---
 include/openvpn-plugin.h | 2 +-
 src/openvpn/interval.c | 8 +++++---
 src/openvpn/interval.h | 2 +-
 src/openvpn/openssl_compat.h | 4 ++++
 src/openvpn/options.c | 9 +++++++++
 src/openvpn/ssl.c | 3 +++
 src/openvpn/ssl_mbedtls.c | 6 +++---
 src/openvpn/ssl_openssl.c | 4 ++--
 src/openvpn/tun.c | 6 +++---
 src/openvpnserv/interactive.c | 23 +++++++++++------------
 version.m4 | 4 ++--
 16 files changed, 139 insertions(+), 45 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 99772a3..2d6f3e5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,7 +1,33 @@
 OpenVPN Change Log
 Copyright (C) 2002-2018 OpenVPN Inc
 
-2018.02.28 -- Version 2.4.4
+2018.04.19 -- Version 2.4.6
+David Sommerseth (1):
+ management: Warn if TCP port is used without password
+
+Gert Doering (2):
+ Correct version in ChangeLog - should be 2.4.5, was mistyped as 2.4.4
+ Fix potential double-free() in Interactive Service (CVE-2018-9336)
+
+Gert van Dijk (1):
+ manpage: improve description of --status and --status-version
+
+Joost Rijneveld (1):
+ Make return code external tls key match docs
+
+Selva Nair (3):
+ Delete the IPv6 route to the "connected" network on tun close
+ Management: warn about password only when the option is in use
+ Avoid overflow in wakeup time computation
+
+Simon Matter (1):
+ Add missing #ifdef SSL_OP_NO_TLSv1_1/2
+
+Steffan Karger (1):
+ Check for more data in control channel
+
+
+2018.02.28 -- Version 2.4.5
 Antonio Quartulli (4):
 reload HTTP proxy credentials when moving to the next connection profile
 Allow learning iroutes with network made up of all 0s (only if netbits < 8)
diff --git a/Changes.rst b/Changes.rst index 4168d62..b8ed5ce 100644 --- a/Changes.rst +++ b/Changes.rst @@ -320,6 +320,32 @@ Maintainer-visible changes use -std=gnu99 in CFLAGS. This is known to be needed when doing i386/i686 builds on RHEL5. +Version 2.4.6 +============= +This is primarily a maintenance release with minor bugfixes and improvements, +and one security relevant fix for the Windows Interactive Service. + +User visible changes +-------------------- +- warn if the management interface is configured with a TCP port and + no password is set (because it might be possible to interfere with + OpenVPN operation by tricking other programs into connecting to the + management interface and inject unwanted commands) + +Bug fixes +--------- +- CVE-2018-9336: fix potential double-free() in the Interactive Service + (Windows) on malformed input. + +- avoid possible integer overflow in wakeup computation (trac #922) + +- improve handling of incoming packet bursts for control channel data + +- fix compilation with older OpenSSL versions that were broken in 2.4.5 + +- Windows + interactive Service: delete the IPv6 route to the "connected" + network on tun close + Version 2.4.5 ============= diff --git a/configure b/configure index 39ae612..eb53f8f 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for OpenVPN 2.4.5. +# Generated by GNU Autoconf 2.69 for OpenVPN 2.4.6. # # Report bugs to . # @@ -590,8 +590,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='OpenVPN' PACKAGE_TARNAME='openvpn' -PACKAGE_VERSION='2.4.5' -PACKAGE_STRING='OpenVPN 2.4.5' +PACKAGE_VERSION='2.4.6' +PACKAGE_STRING='OpenVPN 2.4.6' PACKAGE_BUGREPORT='openvpn-users@lists.sourceforge.net' PACKAGE_URL='' 
@@ -1465,7 +1465,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures OpenVPN 2.4.5 to adapt to many kinds of systems. +\`configure' configures OpenVPN 2.4.6 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1536,7 +1536,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of OpenVPN 2.4.5:";; + short | recursive ) echo "Configuration of OpenVPN 2.4.6:";; esac cat <<\_ACEOF @@ -1743,7 +1743,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -OpenVPN configure 2.4.5 +OpenVPN configure 2.4.6 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2582,7 +2582,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by OpenVPN $as_me 2.4.5, which was +It was created by OpenVPN $as_me 2.4.6, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2946,13 +2946,13 @@ if test -z "${htmldir}"; then fi -$as_echo "#define OPENVPN_VERSION_RESOURCE 2,4,5,0" >>confdefs.h +$as_echo "#define OPENVPN_VERSION_RESOURCE 2,4,6,0" >>confdefs.h OPENVPN_VERSION_MAJOR=2 OPENVPN_VERSION_MINOR=4 -OPENVPN_VERSION_PATCH=.5 +OPENVPN_VERSION_PATCH=.6 $as_echo "#define OPENVPN_VERSION_MAJOR 2" >>confdefs.h @@ -2961,7 +2961,7 @@ $as_echo "#define OPENVPN_VERSION_MAJOR 2" >>confdefs.h $as_echo "#define OPENVPN_VERSION_MINOR 4" >>confdefs.h -$as_echo "#define OPENVPN_VERSION_PATCH \".5\"" >>confdefs.h +$as_echo "#define OPENVPN_VERSION_PATCH \".6\"" >>confdefs.h ac_aux_dir= @@ -3485,7 +3485,7 @@ fi # Define the identity of the package. PACKAGE='openvpn' - VERSION='2.4.5' + VERSION='2.4.6' cat >>confdefs.h <<_ACEOF 
@@ -18731,7 +18731,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by OpenVPN $as_me 2.4.5, which was +This file was extended by OpenVPN $as_me 2.4.6, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -18797,7 +18797,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -OpenVPN config.status 2.4.5 +OpenVPN config.status 2.4.6 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/distro/rpm/openvpn.spec b/distro/rpm/openvpn.spec index 08188b3..2e28304 100644 --- a/distro/rpm/openvpn.spec +++ b/distro/rpm/openvpn.spec @@ -13,7 +13,7 @@ Summary: OpenVPN is a robust and highly flexible VPN daemon by James Yonan. Name: openvpn -Version: 2.4.5 +Version: 2.4.6 Release: 1 URL: http://openvpn.net/ Source0: http://prdownloads.sourceforge.net/openvpn/%{name}-%{version}.tar.gz diff --git a/doc/openvpn.8 b/doc/openvpn.8 index f8627ab..7512bfb 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 
@@ -2460,12 +2460,37 @@ seconds. Status can also be written to the syslog by sending a .B SIGUSR2 signal. + +With multi\-client capability enabled on a server, the status file includes a +list of clients and a routing table. The output format can be controlled by the +.B \-\-status\-version +option in that case. + +For clients or instances running in point\-to\-point mode, it will contain the +traffic statistics. .\"********************************************************* .TP .B \-\-status\-version [n] -Choose the status file format version number. Currently -.B n -can be 1, 2, or 3 and defaults to 1. +Set the status file format version number to +.B n\fR. + +This only affects the status file on servers with multi\-client capability +enabled. + +.B 1 +\-\- traditional format (default). The client list contains the following +fields comma\-separated: Common Name, Real Address, Bytes Received, Bytes Sent, +Connected Since. +.br +.B 2 +\-\- a more reliable format for external processing. Compared to version 1, the +client list contains some additional fields: Virtual Address, Virtual IPv6 +Address, Username, Client ID, Peer ID. +Future versions may extend the number of fields. +.br +.B 3 +\-\- identical to 2, but fields are tab\-separated. + .\"********************************************************* .TP .B \-\-mute n diff --git a/include/openvpn-plugin.h b/include/openvpn-plugin.h index f9e11d3..20526b1 100644 --- a/include/openvpn-plugin.h +++ b/include/openvpn-plugin.h @@ -55,7 +55,7 @@ extern "C" { */ #define OPENVPN_VERSION_MAJOR 2 #define OPENVPN_VERSION_MINOR 4 -#define OPENVPN_VERSION_PATCH ".5" +#define OPENVPN_VERSION_PATCH ".6" /* * Plug-in types. These types correspond to the set of script callbacks diff --git a/src/openvpn/interval.c b/src/openvpn/interval.c index 00ee627..b728560 100644 --- a/src/openvpn/interval.c +++ b/src/openvpn/interval.c 
@@ -51,11 +51,12 @@ event_timeout_trigger(struct event_timeout *et,
 
 if (et->defined)
 {
- int wakeup = (int) et->last + et->n - local_now;
+ time_t wakeup = et->last - local_now + et->n;
 if (wakeup <= 0)
 {
 #if INTERVAL_DEBUG
- dmsg(D_INTERVAL, "EVENT event_timeout_trigger (%d) etcr=%d", et->n, et_const_retry);
+ dmsg(D_INTERVAL, "EVENT event_timeout_trigger (%d) etcr=%d", et->n,
+ et_const_retry);
 #endif
 if (et_const_retry < 0)
 {
@@ -72,7 +73,8 @@ event_timeout_trigger(struct event_timeout *et,
 if (tv && wakeup < tv->tv_sec)
 {
 #if INTERVAL_DEBUG
- dmsg(D_INTERVAL, "EVENT event_timeout_wakeup (%d/%d) etcr=%d", wakeup, et->n, et_const_retry);
+ dmsg(D_INTERVAL, "EVENT event_timeout_wakeup (%d/%d) etcr=%d",
+ (int) wakeup, et->n, et_const_retry);
 #endif
 tv->tv_sec = wakeup;
 tv->tv_usec = 0;
diff --git a/src/openvpn/interval.h b/src/openvpn/interval.h
index 826a08b..5623f3a 100644
--- a/src/openvpn/interval.h
+++ b/src/openvpn/interval.h
@@ -196,7 +196,7 @@ event_timeout_modify_wakeup(struct event_timeout *et, interval_t n)
 static inline interval_t
 event_timeout_remaining(struct event_timeout *et)
 {
- return (int) et->last + et->n - now;
+ return (interval_t) (et->last - now + et->n);
 }
 
 /*
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index c3152d0..9f53069 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -672,14 +672,18 @@ SSL_CTX_get_min_proto_version(SSL_CTX *ctx)
 {
 return TLS1_VERSION;
 }
+#ifdef SSL_OP_NO_TLSv1_1
 if (!(sslopt & SSL_OP_NO_TLSv1_1))
 {
 return TLS1_1_VERSION;
 }
+#endif
+#ifdef SSL_OP_NO_TLSv1_2
 if (!(sslopt & SSL_OP_NO_TLSv1_2))
 {
 return TLS1_2_VERSION;
 }
+#endif
 return 0;
 }
 #endif /* SSL_CTX_get_min_proto_version */
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 3f9164c..d1adfb6 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
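Review bot: The reordered expression `time_t wakeup = et->last - local_now + et->n;` in the first interval.c hunk is the whole fix (the old form truncated `et->last` to int before adding `et->n`), but nothing in the code says why the operands are in this order, so the next cleanup could fold it back. A one-line comment keeps the intent visible: `/* subtract first: keep time_t width and avoid overflowing last + n */`. The ChangeLog entry "Avoid overflow in wakeup time computation" is the only explanation on the page, so the wording above is inferred from it. `tv->tv_sec = wakeup;` now stores a time_t, which is the natural type for tv_sec; the debug print casts to int only for the `%d` format. event_timeout_trigger starts and ends outside the hunk.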
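Review bot: In the interval.h hunk, `return (interval_t) (et->last - now + et->n);` still narrows the time_t difference to interval_t with no range check, so a remaining interval wider than interval_t can hold wraps silently; interval_t's width is not visible here, but if it is a plain int the wrapped value can change sign and look already expired. Either clamp before the cast or state the assumption next to it: `/* assumes the remaining time fits in interval_t (caller-chosen n bounds it) */`. The overflow fix in interval.c moved the arithmetic to time_t; this inline helper is the only place on the page where the result is cast back down.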
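Review bot: With the new `#ifdef SSL_OP_NO_TLSv1_1` / `#ifdef SSL_OP_NO_TLSv1_2` guards in openssl_compat.h, a build against an OpenSSL that lacks those macros reaches `return 0;` as soon as TLS 1.0 is disabled in `sslopt`, so callers of this compatibility shim get 0 where a newer OpenSSL would report a concrete minimum. That is presumably intended (those OpenSSL versions cannot express TLS 1.1/1.2 anyway), but the final return deserves a comment so 0 is not misread as "no restriction": `/* 0: no enabled version found, or TLS 1.1/1.2 unknown to this OpenSSL */`. The function's opening and the TLS 1.0 check are outside the hunk.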
@@ -2189,6 +2189,15 @@ options_postprocess_verify_ce(const struct options *options, const struct connec { msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets"); } + + if (options->management_addr + && !(options->management_flags & MF_UNIX_SOCK) + && (!options->management_user_pass)) + { + msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT " + "passwords is STRONGLY discouraged and considered insecure"); + } + #endif /* diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index effb8b2..ab42f0c 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -2946,6 +2946,9 @@ tls_process(struct tls_multi *multi, { state_change = true; dmsg(D_TLS_DEBUG, "TLS -> Incoming Plaintext"); + + /* More data may be available, wake up again asap to check. */ + *wakeup = 0; } } diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index 74b4726..3f579e1 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -630,7 +630,7 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, if (ctx->crt_chain == NULL) { - return 0; + return 1; } ALLOC_OBJ_CLEAR(ctx->external_key, struct external_context); @@ -640,10 +640,10 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, if (!mbed_ok(mbedtls_pk_setup_rsa_alt(ctx->priv_key, ctx->external_key, NULL, external_pkcs1_sign, external_key_len))) { - return 0; + return 1; } - return 1; + return 0; } #endif /* ifdef MANAGMENT_EXTERNAL_KEY */ diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index f23d246..e57b6d2 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -1168,7 +1168,7 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, X509_free(cert); RSA_free(rsa); /* doesn't necessarily free, just decrements refcount */ - return 1; + return 0; err: if (cert) 
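Review bot: The new `--management` warning in options.c tells the admin the configuration is insecure but not how to fix it, although the condition already encodes the two acceptable setups (a password file or a unix domain socket); naming them in the message turns a warning into an actionable one, e.g. the second string fragment becomes `"passwords is STRONGLY discouraged and considered insecure; "` `"set a pw-file or use a unix domain socket"`. The check is inside the `#ifdef` whose `#endif` closes the hunk, so it compiles out with management support, which is fine. options_postprocess_verify_ce begins and ends outside the hunk.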
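Review bot: The ssl_mbedtls.c hunks flip tls_ctx_use_external_private_key's convention to 0 on success and 1 on failure, and the ssl_openssl.c hunks (end of this line and start of the next) flip it the same way, but neither shows the declaring header's comment or the call site being updated; a caller still written for the old convention would now treat a successful setup as a failure, so confirm the prototype documentation and the caller agree with "Make return code external tls key match docs" before merging. Separately, the mbedtls early exit `if (ctx->crt_chain == NULL) { return 1; }` fails silently, whereas the OpenSSL path logs via crypto_msg before returning; a short `msg(M_WARN, "external key: no certificate chain loaded");` ahead of that return would make the failure diagnosable. The function's signature is outside both mbedtls hunks.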
@@ -1187,7 +1187,7 @@ err: } } crypto_msg(M_FATAL, "Cannot enable SSL external private key capability"); - return 0; + return 1; } #endif /* ifdef MANAGMENT_EXTERNAL_KEY */ diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c index b071823..0e44e9b 100644 --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c @@ -6185,6 +6185,9 @@ close_tun(struct tuntap *tt) { if (tt->did_ifconfig_ipv6_setup) { + /* remove route pointing to interface */ + delete_route_connected_v6_net(tt, NULL); + if (tt->options.msg_channel) { do_address_service(false, AF_INET6, tt); @@ -6198,9 +6201,6 @@ close_tun(struct tuntap *tt) const char *ifconfig_ipv6_local; struct argv argv = argv_new(); - /* remove route pointing to interface */ - delete_route_connected_v6_net(tt, NULL); - /* "store=active" is needed in Windows 8(.1) to delete the * address we added (pointed out by Cedric Tabary). */ diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index 19be0db..9cfc94e 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c @@ -453,7 +453,6 @@ static BOOL GetStartupData(HANDLE pipe, STARTUP_DATA *sud) { size_t len; - BOOL ret = FALSE; WCHAR *data = NULL; DWORD size, bytes, read; @@ -462,7 +461,7 @@ GetStartupData(HANDLE pipe, STARTUP_DATA *sud) { MsgToEventLog(M_SYSERR, TEXT("PeekNamedPipeAsync failed")); ReturnLastError(pipe, L"PeekNamedPipeAsync"); - goto out; + goto err; } size = bytes / sizeof(*data); @@ -470,7 +469,7 @@ GetStartupData(HANDLE pipe, STARTUP_DATA *sud) { MsgToEventLog(M_SYSERR, TEXT("malformed startup data: 1 byte received")); ReturnError(pipe, ERROR_STARTUP_DATA, L"GetStartupData", 1, &exit_event); - goto out; + goto err; } data = malloc(bytes); @@ -478,7 +477,7 @@ GetStartupData(HANDLE pipe, STARTUP_DATA *sud) { MsgToEventLog(M_SYSERR, TEXT("malloc failed")); ReturnLastError(pipe, L"malloc"); - goto out; + goto err; } read = ReadPipeAsync(pipe, data, bytes, 1, &exit_event); 
@@ -486,14 +485,14 @@ GetStartupData(HANDLE pipe, STARTUP_DATA *sud) { MsgToEventLog(M_SYSERR, TEXT("ReadPipeAsync failed")); ReturnLastError(pipe, L"ReadPipeAsync"); - goto out; + goto err; } if (data[size - 1] != 0) { MsgToEventLog(M_ERR, TEXT("Startup data is not NULL terminated")); ReturnError(pipe, ERROR_STARTUP_DATA, L"GetStartupData", 1, &exit_event); - goto out; + goto err; } sud->directory = data; @@ -503,7 +502,7 @@ GetStartupData(HANDLE pipe, STARTUP_DATA *sud) { MsgToEventLog(M_ERR, TEXT("Startup data ends at working directory")); ReturnError(pipe, ERROR_STARTUP_DATA, L"GetStartupData", 1, &exit_event); - goto out; + goto err; } sud->options = sud->directory + len; @@ -513,16 +512,16 @@ GetStartupData(HANDLE pipe, STARTUP_DATA *sud) { MsgToEventLog(M_ERR, TEXT("Startup data ends at command line options")); ReturnError(pipe, ERROR_STARTUP_DATA, L"GetStartupData", 1, &exit_event); - goto out; + goto err; } sud->std_input = sud->options + len; - data = NULL; /* don't free data */ - ret = TRUE; + return TRUE; -out: +err: + sud->directory = NULL; /* caller must not free() */ free(data); - return ret; + return FALSE; } diff --git a/version.m4 b/version.m4 index 7ccc179..fd4f32a 100644 --- a/version.m4 +++ b/version.m4 @@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN]) define([PRODUCT_TARNAME], [openvpn]) define([PRODUCT_VERSION_MAJOR], [2]) define([PRODUCT_VERSION_MINOR], [4]) -define([PRODUCT_VERSION_PATCH], [.5]) +define([PRODUCT_VERSION_PATCH], [.6]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]]) define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net]) -define([PRODUCT_VERSION_RESOURCE], [2,4,5,0]) +define([PRODUCT_VERSION_RESOURCE], [2,4,6,0]) dnl define the TAP version define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901]) define([PRODUCT_TAP_WIN_MIN_MAJOR], [9]) -- cgit v1.2.3
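Review bot: The new `err:` path in the last interactive.c hunk clears `sud->directory` before `free(data)`, which is what removes the double free, but the two failure exits after `sud->directory = data;` (the "ends at working directory" check, and the "ends at command line options" check that runs after `sud->options = sud->directory + len;`) leave `sud->options` pointing into the buffer that `free(data)` just released. That is no longer a double free if the caller only frees `sud->directory`, but it is a dangling pointer in a struct the caller keeps; adding `sud->options = NULL;` beside the new `sud->directory = NULL;` closes it (`sud->std_input` is assigned only on the success path, so it needs no reset). Whether the caller reads `sud->options` after a FALSE return is not visible here, so treat this as defence in depth. GetStartupData's signature is in the first interactive.c hunk on the previous line and its body spans all of the hunks.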