diff options
| -rw-r--r-- | openvpn/ChangeLog | 27 | ||||
| -rw-r--r-- | openvpn/config.h | 6 | ||||
| -rw-r--r-- | openvpn/doc/openvpn.8 | 56 | ||||
| -rw-r--r-- | openvpn/src/openvpn/misc.c | 21 | ||||
| -rw-r--r-- | openvpn/src/openvpn/misc.h | 6 | ||||
| -rw-r--r-- | openvpn/src/openvpn/openvpn.h | 2 | ||||
| -rw-r--r-- | openvpn/src/openvpn/options.c | 12 | ||||
| -rw-r--r-- | openvpn/src/openvpn/push.c | 7 | ||||
| -rw-r--r-- | openvpn/src/openvpn/ssl_verify.c | 54 | ||||
| -rw-r--r-- | openvpn/src/openvpn/ssl_verify_openssl.c | 12 | ||||
| -rw-r--r-- | openvpn/src/openvpn/tun.c | 2 | ||||
| -rw-r--r-- | openvpn/version.m4 | 2 | 
12 files changed, 189 insertions, 18 deletions
| diff --git a/openvpn/ChangeLog b/openvpn/ChangeLog index 9205528..7b945c8 100644 --- a/openvpn/ChangeLog +++ b/openvpn/ChangeLog @@ -1,6 +1,33 @@  OpenVPN Change Log  Copyright (C) 2002-2012 OpenVPN Technologies, Inc. <sales@openvpn.net> +2012.09.12 -- Version 2.3_beta1 +Arne Schwabe (7): +      Fixes error: --key fails with EXTERNAL_PRIVATE_KEY: No such file or directory if --management-external-key is used +      Merge almost identical create_socket_tcp and create_socket_tcp6 +      Document the inlining of files in openvpn and document key-direction +      Merge getaddr_multi and getaddr6 into one function +      Document --management-client and --management-signal a bit better +      Document that keep alive will double the second value in server mode and give a short explanation why the value is chosen. +      Add checks for external-key-managements + +David Sommerseth (1): +      Fix reconnect issues when --push and UDP is used on the server + +Gert Doering (4): +      Reduce --version string detail about IPv6 to just "[IPv6]". +      Put actual OpenVPN command line on top of corresponding log file. +      Keep pre-existing tun/tap devices around on *BSD +      make "ipv6 ifconfig" on linux compatible with busybox ifconfig + +Heiko Hund (6): +      fix regression with --http-proxy[-*] options +      add x_msg_va() log function +      add API for plug-ins to write to openvpn log +      remove stale _openssl_get_subject() prototype +      remove unused flag SSLF_NO_NAME_REMAPPING +      Add --compat-names option +  2012.07.20 -- Version 2.3_alpha3  Arne Schwabe (1):        Fix compiling with --disable-management diff --git a/openvpn/config.h b/openvpn/config.h index bc262af..e7e54dc 100644 --- a/openvpn/config.h +++ b/openvpn/config.h @@ -450,13 +450,13 @@  #define PACKAGE_NAME "OpenVPN"  /* Define to the full name and version of this package. */ -#define PACKAGE_STRING "OpenVPN 2.3_alpha3" +#define PACKAGE_STRING "OpenVPN 2.3_beta1"  /* Define to the one symbol short name of this package. */  #define PACKAGE_TARNAME "openvpn"  /* Define to the version of this package. */ -#define PACKAGE_VERSION "2.3_alpha1" +#define PACKAGE_VERSION "2.3_beta1"  /* Define to the necessary symbol if this constant uses a non-standard name on     your system. */ @@ -615,4 +615,4 @@  #define HAVE_LZO_LZOUTIL_H 1  #define HAVE_LZO_LZO1X_H 1  #define HAVE_SYS_TIME_H 1 -#define HAVE_TIME_H 1j +#define HAVE_TIME_H 1 diff --git a/openvpn/doc/openvpn.8 b/openvpn/doc/openvpn.8 index f586744..da1c0f9 100644 --- a/openvpn/doc/openvpn.8 +++ b/openvpn/doc/openvpn.8 @@ -1584,6 +1584,10 @@ and  .B \-\-ping-restart  in server mode configurations. +The server timeout is set twice the value of the second argument. +This ensures that a timeout is dectected on client side +before the server side drops the connection. +  For example,  .B \-\-keepalive 10 60  expands as follows: @@ -3399,6 +3403,58 @@ the authenticated username as the common name,  rather than the common name from the client cert.  .\"*********************************************************  .TP +.B \-\-compat\-names [no\-remapping] +Until OpenVPN v2.3 the format of the X.509 Subject fields was formatted +like this: +.IP +.B +/C=US/L=Somewhere/CN=John Doe/emailAddress=john@example.com +.IP +In addition the old behavivour was to remap any character other than +alphanumeric, underscore ('_'), dash ('-'), dot ('.'), and slash ('/') to +underscore ('_').  The X.509 Subject string as returned by the +.B tls_id +environmental variable, could additionally contain colon (':') or equal ('='). +.IP +When using the +.B \-\-compat\-names +option, this old formatting and remapping will be re-enabled again.  This is +purely implemented for compatibility reasons when using older plug-ins or +scripts which does not handle the new formatting or UTF-8 characters. +.IP +In OpenVPN v2.3 the formatting of these fields changed into a more +standardised format.  It now looks like: +.IP +.B +C=US, L=Somewhere, CN=John Doe, emailAddress=john@example.com +.IP +The new default format in OpenVPN v2.3 also does not do the character remapping +which happened earlier.  This new format enables proper support for UTF\-8 +characters in the usernames, X.509 Subject fields and Common Name variables and +it complies to the RFC 2253, UTF\-8 String Representation of Distinguished +Names. + +As a backwards compatibility for the removed \-\-no\-name\-remapping feature in +older OpenVPN versions, the +.B no\-remapping +mode flag can be used with the +.B +\-\-compat\-names +option. +When this mode flag is used, the Common Name, Subject, and username strings are +allowed to include any printable character including space, but excluding +control characters such as tab, newline, and carriage-return. It ensures +compatibility with the +.B \-\-no\-name\-remapping +option of OpenVPN versions before v2.3. + +.B Please note: +This option will not be around for a long time.  It is only implemented +to make the transition to the new formatting less intrusive.  It will be +removed either in OpenVPN v2.4 or v2.5.  So please make sure you start +the process to support the new formatting as soon as possible. +.\"********************************************************* +.TP  .B \-\-port-share host port [dir]  When run in TCP server mode, share the OpenVPN port with  another application, such as an HTTPS server.  If OpenVPN diff --git a/openvpn/src/openvpn/misc.c b/openvpn/src/openvpn/misc.c index 7f72939..d2882d8 100644 --- a/openvpn/src/openvpn/misc.c +++ b/openvpn/src/openvpn/misc.c @@ -2120,3 +2120,24 @@ sanitize_control_message(const char *src, struct gc_arena *gc)    *dest = '\0';    return ret;  } + +/** + * Will set or query for a global compat flag.  To modify the compat flags + * the COMPAT_FLAG_SET must be bitwise ORed together with the flag to set. + * If no "operator" flag is given it defaults to COMPAT_FLAG_QUERY, + * which returns the flag state. + * + * @param  flag  Flag to be set/queried for bitwise ORed with the operator flag + * @return Returns 0 if the flag is not set, otherwise the 'flag' value is returned + */ +bool +compat_flag (unsigned int flag) +{ +  static unsigned int compat_flags = 0; + +  if (flag & COMPAT_FLAG_SET) +    compat_flags |= (flag >> 1); + +  return (compat_flags & (flag >> 1)); + +} diff --git a/openvpn/src/openvpn/misc.h b/openvpn/src/openvpn/misc.h index d4c8e33..b6da3f4 100644 --- a/openvpn/src/openvpn/misc.h +++ b/openvpn/src/openvpn/misc.h @@ -368,4 +368,10 @@ void argv_printf_cat (struct argv *a, const char *format, ...)  #endif    ; +#define COMPAT_FLAG_QUERY         0       /** compat_flags operator: Query for a flag */ +#define COMPAT_FLAG_SET           (1<<0)  /** compat_flags operator: Set a compat flag */ +#define COMPAT_NAMES              (1<<1)  /** compat flag: --compat-names set */ +#define COMPAT_NO_NAME_REMAPPING  (1<<2)  /** compat flag: --compat-names without char remapping */ +bool compat_flag (unsigned int flag); +  #endif diff --git a/openvpn/src/openvpn/openvpn.h b/openvpn/src/openvpn/openvpn.h index 0732d0f..7abfb08 100644 --- a/openvpn/src/openvpn/openvpn.h +++ b/openvpn/src/openvpn/openvpn.h @@ -448,7 +448,7 @@ struct context_2    /* --ifconfig endpoints to be pushed to client */    bool push_reply_deferred;    bool push_ifconfig_defined; -  bool sent_push_reply; +  time_t sent_push_reply_expiry;    in_addr_t push_ifconfig_local;    in_addr_t push_ifconfig_remote_netmask;  #ifdef ENABLE_CLIENT_NAT diff --git a/openvpn/src/openvpn/options.c b/openvpn/src/openvpn/options.c index 36fb4e3..47aaffc 100644 --- a/openvpn/src/openvpn/options.c +++ b/openvpn/src/openvpn/options.c @@ -2132,6 +2132,9 @@ options_postprocess_verify_ce (const struct options *options, const struct conne        if (options->stale_routes_check_interval)          msg (M_USAGE, "--stale-routes-check requires --mode server"); + +      if (compat_flag (COMPAT_FLAG_QUERY | COMPAT_NO_NAME_REMAPPING)) +        msg (M_USAGE, "--compat-x509-names no-remapping requires --mode server");      }  #endif /* P2MP_SERVER */ @@ -2248,7 +2251,7 @@ options_postprocess_verify_ce (const struct options *options, const struct conne  	      const int sum = (options->cert_file != NULL) +  #ifdef MANAGMENT_EXTERNAL_KEY  			((options->priv_key_file != NULL) || (options->management_flags & MF_EXTERNAL_KEY)); -#else  +#else  		    (options->priv_key_file != NULL);  #endif @@ -5550,6 +5553,13 @@ add_option (struct options *options,        VERIFY_PERMISSION (OPT_P_GENERAL);        options->ssl_flags |= SSLF_AUTH_USER_PASS_OPTIONAL;      } +  else if (streq (p[0], "compat-names")) +    { +      VERIFY_PERMISSION (OPT_P_GENERAL); +      compat_flag (COMPAT_FLAG_SET | COMPAT_NAMES); +      if (p[1] && streq (p[1], "no-remapping")) +        compat_flag (COMPAT_FLAG_SET | COMPAT_NO_NAME_REMAPPING); +    }    else if (streq (p[0], "opt-verify"))      {        VERIFY_PERMISSION (OPT_P_GENERAL); diff --git a/openvpn/src/openvpn/push.c b/openvpn/src/openvpn/push.c index 8d7d23a..05a38e0 100644 --- a/openvpn/src/openvpn/push.c +++ b/openvpn/src/openvpn/push.c @@ -416,7 +416,10 @@ process_incoming_push_msg (struct context *c,  	}        else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED)  	{ -	  if (c->c2.sent_push_reply) +	  time_t now; + +	  openvpn_time(&now); +	  if (c->c2.sent_push_reply_expiry > now)  	    {  	      ret = PUSH_MSG_ALREADY_REPLIED;  	    } @@ -425,7 +428,7 @@ process_incoming_push_msg (struct context *c,  	      if (send_push_reply (c))  		{  		  ret = PUSH_MSG_REQUEST; -		  c->c2.sent_push_reply = true; +		  c->c2.sent_push_reply_expiry = now + 30;  		}  	    }  	} diff --git a/openvpn/src/openvpn/ssl_verify.c b/openvpn/src/openvpn/ssl_verify.c index 30fb05d..cac46e9 100644 --- a/openvpn/src/openvpn/ssl_verify.c +++ b/openvpn/src/openvpn/ssl_verify.c @@ -49,6 +49,22 @@  /** Maximum length of common name */  #define TLS_USERNAME_LEN 64 +/** Legal characters in an X509 name with --compat-names */ +#define X509_NAME_CHAR_CLASS   (CC_ALNUM|CC_UNDERBAR|CC_DASH|CC_DOT|CC_AT|CC_SLASH|CC_COLON|CC_EQUAL) + +/** Legal characters in a common name with --compat-names */ +#define COMMON_NAME_CHAR_CLASS (CC_ALNUM|CC_UNDERBAR|CC_DASH|CC_DOT|CC_AT|CC_SLASH) + +static void +string_mod_remap_name (char *str, const unsigned int restrictive_flags) +{ +  if (compat_flag (COMPAT_FLAG_QUERY | COMPAT_NAMES) +      && !compat_flag (COMPAT_FLAG_QUERY | COMPAT_NO_NAME_REMAPPING)) +    string_mod (str, restrictive_flags, 0, '_'); +  else +    string_mod (str, CC_PRINT, CC_CRLF, '_'); +} +  /*   * Export the untrusted IP address and port to the environment   */ @@ -591,7 +607,7 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep      }    /* enforce character class restrictions in X509 name */ -  string_mod (subject, CC_PRINT, CC_CRLF, '_'); +  string_mod_remap_name (subject, X509_NAME_CHAR_CLASS);    string_replace_leading (subject, '-', '_');    /* extract the username (default is CN) */ @@ -611,7 +627,7 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep      }    /* enforce character class restrictions in common name */ -  string_mod (common_name, CC_PRINT, CC_CRLF, '_'); +  string_mod_remap_name (common_name, COMMON_NAME_CHAR_CLASS);    /* warn if cert chain is too deep */    if (cert_depth >= MAX_CERT_DEPTH) @@ -1003,7 +1019,7 @@ verify_user_pass_script (struct tls_session *session, const struct user_pass *up   * Verify the username and password using a plugin   */  static int -verify_user_pass_plugin (struct tls_session *session, const struct user_pass *up) +verify_user_pass_plugin (struct tls_session *session, const struct user_pass *up, const char *raw_username)  {    int retval = OPENVPN_PLUGIN_FUNC_ERROR;    struct key_state *ks = &session->key[KS_PRIMARY]; 	   /* primary key */ @@ -1012,7 +1028,7 @@ verify_user_pass_plugin (struct tls_session *session, const struct user_pass *up    if ((session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) || strlen (up->username))      {        /* set username/password in private env space */ -      setenv_str (session->opt->es, "username", up->username); +      setenv_str (session->opt->es, "username", (raw_username ? raw_username : up->username));        setenv_str (session->opt->es, "password", up->password);        /* setenv incoming cert common name for script */ @@ -1036,6 +1052,8 @@ verify_user_pass_plugin (struct tls_session *session, const struct user_pass *up  #endif        setenv_del (session->opt->es, "password"); +      if (raw_username) +        setenv_str (session->opt->es, "username", up->username);      }    else      { @@ -1056,7 +1074,7 @@ verify_user_pass_plugin (struct tls_session *session, const struct user_pass *up  #define KMDA_DEF     3  static int -verify_user_pass_management (struct tls_session *session, const struct user_pass *up) +verify_user_pass_management (struct tls_session *session, const struct user_pass *up, const char *raw_username)  {    int retval = KMDA_ERROR;    struct key_state *ks = &session->key[KS_PRIMARY]; 	   /* primary key */ @@ -1065,7 +1083,7 @@ verify_user_pass_management (struct tls_session *session, const struct user_pass    if ((session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) || strlen (up->username))      {        /* set username/password in private env space */ -      setenv_str (session->opt->es, "username", up->username); +      setenv_str (session->opt->es, "username", (raw_username ? raw_username : up->username));        setenv_str (session->opt->es, "password", up->password);        /* setenv incoming cert common name for script */ @@ -1078,6 +1096,8 @@ verify_user_pass_management (struct tls_session *session, const struct user_pass  	management_notify_client_needing_auth (management, ks->mda_key_id, session->opt->mda_context, session->opt->es);        setenv_del (session->opt->es, "password"); +      if (raw_username) +        setenv_str (session->opt->es, "username", up->username);        retval = KMDA_SUCCESS;      } @@ -1101,6 +1121,9 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi,    bool s2 = true;    struct key_state *ks = &session->key[KS_PRIMARY]; 	   /* primary key */ +  struct gc_arena gc = gc_new (); +  char *raw_username = NULL; +  #ifdef MANAGEMENT_DEF_AUTH    int man_def_auth = KMDA_UNDEF; @@ -1108,17 +1131,28 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi,      man_def_auth = KMDA_DEF;  #endif +  /* +   * Preserve the raw username before string_mod remapping, for plugins +   * and management clients when in --compat-names mode +   */ +  if (compat_flag (COMPAT_FLAG_QUERY | COMPAT_NAMES)) +    { +      ALLOC_ARRAY_CLEAR_GC (raw_username, char, USER_PASS_LEN, &gc); +      strcpy (raw_username, up->username); +      string_mod (raw_username, CC_PRINT, CC_CRLF, '_'); +    } +    /* enforce character class restrictions in username/password */ -  string_mod (up->username, CC_PRINT, CC_CRLF, '_'); +  string_mod_remap_name (up->username, COMMON_NAME_CHAR_CLASS);    string_mod (up->password, CC_PRINT, CC_CRLF, '_');    /* call plugin(s) and/or script */  #ifdef MANAGEMENT_DEF_AUTH    if (man_def_auth == KMDA_DEF) -    man_def_auth = verify_user_pass_management (session, up); +    man_def_auth = verify_user_pass_management (session, up, raw_username);  #endif    if (plugin_defined (session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)) -    s1 = verify_user_pass_plugin (session, up); +    s1 = verify_user_pass_plugin (session, up, raw_username);    if (session->opt->auth_user_pass_verify_script)      s2 = verify_user_pass_script (session, up); @@ -1167,6 +1201,8 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi,      {        msg (D_TLS_ERRORS, "TLS Auth Error: Auth Username/Password verification failed for peer");      } + +  gc_free (&gc);  }  void diff --git a/openvpn/src/openvpn/ssl_verify_openssl.c b/openvpn/src/openvpn/ssl_verify_openssl.c index f5dce0d..658f5f3 100644 --- a/openvpn/src/openvpn/ssl_verify_openssl.c +++ b/openvpn/src/openvpn/ssl_verify_openssl.c @@ -254,6 +254,18 @@ x509_get_subject (X509 *cert, struct gc_arena *gc)    char *subject = NULL;    int maxlen = 0; +  /* +   * Generate the subject string in OpenSSL proprietary format, +   * when in --compat-names mode +   */ +  if (compat_flag (COMPAT_FLAG_QUERY | COMPAT_NAMES)) +    { +      subject = gc_malloc (256, false, gc); +      X509_NAME_oneline (X509_get_subject_name (cert), subject, 256); +      subject[255] = '\0'; +      return subject; +    } +    subject_bio = BIO_new (BIO_s_mem ());    if (subject_bio == NULL)      goto err; diff --git a/openvpn/src/openvpn/tun.c b/openvpn/src/openvpn/tun.c index cd61baf..a56c997 100644 --- a/openvpn/src/openvpn/tun.c +++ b/openvpn/src/openvpn/tun.c @@ -761,7 +761,7 @@ do_ifconfig (struct tuntap *tt,        if ( do_ipv6 )  	{  	  argv_printf (&argv, -			  "%s %s inet6 add %s/%d", +			  "%s %s add %s/%d",  			  IFCONFIG_PATH,  			  actual,  			  ifconfig_ipv6_local, diff --git a/openvpn/version.m4 b/openvpn/version.m4 index f3f4511..161462e 100644 --- a/openvpn/version.m4 +++ b/openvpn/version.m4 @@ -1,7 +1,7 @@  dnl define the OpenVPN version  define([PRODUCT_NAME], [OpenVPN])  define([PRODUCT_TARNAME], [openvpn]) -define([PRODUCT_VERSION], [2.3_alpha3]) +define([PRODUCT_VERSION], [2.3_beta1])  define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net])  define([PRODUCT_VERSION_RESOURCE], [2,3,0,0])  dnl define the TAP version | 
