Tags: selvanair/openvpn
Verify and log the signature returned by cryptoapicert

Print the hash data, signature and decrypted signature with --verb 7

Signed-off-by: Selva Nair <[email protected]>
Use lowest metric interface when multiple interfaces match a route

Currently a route addition using IPAPI or service is skipped if the route gateway is reachable by multiple interfaces. This changes that to use the interface with lowest metric.

Implemented by
(i) Do not over-write the return value with TUN_ADAPTER_INDEX_INVALID in windows_route_find_if_index() if multiple interfaces match a route.
(ii) Select the interface with lowest metric in adapter_index_of_ip() instead of the first one found when multiple interfaces match.

Reported by Jan Just Keijser <[email protected]>

v2:
- A private get_interface_metric() method and better error reporting
- Revert an unintended edit of route.c (a_index = ...)
- Improve the commit message

Signed-off-by: Selva Nair <[email protected]>
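As an added illustration of the selection rule the commit describes (this is not OpenVPN's own route.c or tun.c code), the portable C below models the Windows adapter table with plain structs and puts the pre-fix behaviour, which returns TUN_ADAPTER_INDEX_INVALID and so skips the route when more than one adapter can reach the gateway, beside the post-fix behaviour, which keeps the matching adapter with the lowest interface metric. The struct layout, the function names, the wrappers and the sample adapter table are constructed for the example; only the sentinel name comes from the commit.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example modelling the Windows adapter lookup with plain structs; not
 * OpenVPN's adapter_index_of_ip() or windows_route_find_if_index(). Only the
 * sentinel name is taken from the commit; everything else is constructed. */
#define TUN_ADAPTER_INDEX_INVALID ((uint32_t)-1)

struct adapter {
    uint32_t index;    /* adapter (interface) index */
    uint32_t addr;     /* IPv4 address, host byte order */
    uint32_t mask;     /* subnet mask, host byte order */
    uint32_t metric;   /* interface metric; lower is preferred */
};

static uint32_t ipv4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return ((uint32_t)a << 24) | (b << 16) | (c << 8) | d;
}

/* Is the gateway on this adapter's subnet? */
static int on_link(const struct adapter *ad, uint32_t gw)
{
    return ((ad->addr ^ gw) & ad->mask) == 0;
}

/* Pre-fix rule from the commit: if more than one adapter can reach the
 * gateway, hand back the invalid index and the route addition is skipped. */
static uint32_t find_if_index_old(const struct adapter *tab, size_t n, uint32_t gw)
{
    uint32_t found = TUN_ADAPTER_INDEX_INVALID;
    size_t i;

    for (i = 0; i < n; i++) {
        if (!on_link(&tab[i], gw)) {
            continue;
        }
        if (found != TUN_ADAPTER_INDEX_INVALID) {
            return TUN_ADAPTER_INDEX_INVALID;   /* ambiguous: give up */
        }
        found = tab[i].index;
    }
    return found;
}

/* Post-fix rule: of all matching adapters keep the lowest metric; a tie goes
 * to the first one seen. *matches reports how many adapters qualified. */
static uint32_t find_if_index_lowest_metric(const struct adapter *tab, size_t n,
                                            uint32_t gw, int *matches)
{
    uint32_t best = TUN_ADAPTER_INDEX_INVALID;
    uint32_t best_metric = UINT32_MAX;
    size_t i;

    *matches = 0;
    for (i = 0; i < n; i++) {
        if (!on_link(&tab[i], gw)) {
            continue;
        }
        (*matches)++;
        if (tab[i].metric < best_metric) {
            best_metric = tab[i].metric;
            best = tab[i].index;
        }
    }
    return best;
}

/* Constructed table: two adapters on 192.168.1.0/24 with different metrics,
 * one on 10.0.0.0/8. Values are hex so the table can be a static initializer. */
static const struct adapter sample_table[] = {
    { 3,  0xC0A8010A, 0xFFFFFF00, 50 },   /* 192.168.1.10/24, metric 50 */
    { 7,  0xC0A80114, 0xFFFFFF00, 25 },   /* 192.168.1.20/24, metric 25 */
    { 12, 0x0A000005, 0xFF000000, 5 },    /* 10.0.0.5/8, metric 5 */
};
#define SAMPLE_COUNT (sizeof sample_table / sizeof sample_table[0])

/* Convenience wrappers over the sample table. */
static uint32_t pick_old(uint32_t gw)
{
    return find_if_index_old(sample_table, SAMPLE_COUNT, gw);
}

static uint32_t pick_lowest(uint32_t gw)
{
    int m;
    return find_if_index_lowest_metric(sample_table, SAMPLE_COUNT, gw, &m);
}

static int count_matches(uint32_t gw)
{
    int m;
    find_if_index_lowest_metric(sample_table, SAMPLE_COUNT, gw, &m);
    return m;
}
```

With the sample table, a gateway of 192.168.1.1 is reachable through adapters 3 and 7; the old rule returns the invalid index and the route would be skipped, the new rule returns adapter 7 because its metric of 25 beats 50. A gateway on the 10/8 subnet matches only adapter 12 under both rules, and a gateway no adapter can reach stays invalid under both, so the change only affects the formerly ambiguous case.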
Fix user's group membership check in interactive service to work with domains

Currently the username unqualified by the domain is used to validate a user which fails for domain users. Instead
- the user is authorized if the admin or ovpn_admin group is in the token
- else if the user's SID is in the admin or ovpn_admin group

The second check is needed to recognize dynamic updates to group membership on the local machine. These checks do not require connection to a domain controller and will work even when the user is logged in with cached credentials.

Resolves Trac: #810

v2: include the token check as described above

Signed-off-by: Selva Nair <[email protected]>
In interactive service fix user's group membership to work with domains

Currently the username unqualified by the domain is used to validate a user which fails for domain users. Instead compare the user's SID with SIDs in the Administrators group and ovpn_admin_group. This has the advantage that connection to a domain controller is not required and will work even when the user has logged in with cached credentials.

Limitations:
(i) Group membership is not checked recursively
(ii) Domain administrators will not be recognized as members of the local Administrators group.

Signed-off-by: Selva Nair <[email protected]>
Fix handling of out of memory error in interactive service

Currently realloc failure in UpdateWaitHandles() is handled by triggering exit_event and waiting for all active worker threads to terminate. However, at this point the wait handles array will contain an invalid value (handle of the latest thread that is terminated), causing a cycle of WAIT_FAILED <-> continue and trashing of the eventlog.

Fix:
- Update the wait handles again after removing the last thread: this should not fail as no extra memory is needed. Do not set the exit event; existing connections are not terminated.
- In case of WAIT_FAILED, break out of the while loop and exit instead of continue. This usually happens when one or more handles are invalid, which is hard to recover from.

Other changes:
- Use minimal initial allocation size so that the realloc code path gets exercised (2 or more connections will cause realloc).
- Use a temp variable to check the return value of realloc().
- Initialize handles array pointer to NULL.

v2 changes:
- Increased initial allocation to 10 (warn: now 10 or more connections needed to exercise the realloc code path).
- Moved up the declaration of "LPHANDLE tmp" to please stone-age MSVC.

Tested using a dummy realloc that returns NULL.

Signed-off-by: Selva Nair <[email protected]>
Acked-by: Gert Doering <[email protected]>
Message-Id: <[email protected]>
URL: https://article.gmane.org/gmane.network.openvpn.devel/11708
Signed-off-by: Gert Doering <[email protected]>
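An added, portable C model of the allocation pattern the fix relies on; this is not openvpnserv's code. The realloc() result is stored in a temporary so that a failed growth leaves the existing handle array and its count intact, removal compacts the array without allocating, and the out-of-memory case is driven by a swapped-in allocator that returns NULL, the same testing trick the commit mentions. Handles are ints here instead of Windows HANDLEs, the initial size of 10 mirrors the v2 note, and the struct and function names are assumptions made for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Portable model of the wait-handle array (added example, not openvpnserv code):
 * handles are ints rather than Windows HANDLEs so it builds and runs anywhere. */
typedef int handle_t;
#define INITIAL_HANDLES 10

struct wait_set {
    handle_t *handles;   /* NULL until the first allocation */
    size_t count;
    size_t capacity;
};

/* Allocator hook: oom_scenario() points this at failing_realloc(), the same
 * trick as the "dummy realloc that returns NULL" the commit was tested with. */
static void *(*grow_alloc)(void *, size_t) = realloc;

static void *failing_realloc(void *p, size_t n)
{
    (void)p;
    (void)n;
    return NULL;
}

/* Make room for `needed` handles. Returns 0, or -1 on OOM. The realloc()
 * result goes into `tmp` first: assigning it straight to ws->handles would
 * overwrite a still-valid array with NULL on failure and leak the old block. */
static int wait_set_reserve(struct wait_set *ws, size_t needed)
{
    handle_t *tmp;
    size_t cap = ws->capacity ? ws->capacity * 2 : INITIAL_HANDLES;

    if (needed <= ws->capacity) {
        return 0;
    }
    while (cap < needed) {
        cap *= 2;
    }
    tmp = grow_alloc(ws->handles, cap * sizeof *tmp);
    if (!tmp) {
        return -1;              /* ws->handles and ws->count are untouched */
    }
    ws->handles = tmp;
    ws->capacity = cap;
    return 0;
}

static int wait_set_add(struct wait_set *ws, handle_t h)
{
    if (wait_set_reserve(ws, ws->count + 1) != 0) {
        return -1;
    }
    ws->handles[ws->count++] = h;
    return 0;
}

/* Remove a handle and compact the array so no slot keeps a stale handle that
 * would make the next wait fail. No allocation, so this cannot fail for OOM. */
static int wait_set_remove(struct wait_set *ws, handle_t h)
{
    size_t i;

    for (i = 0; i < ws->count; i++) {
        if (ws->handles[i] == h) {
            memmove(&ws->handles[i], &ws->handles[i + 1],
                    (ws->count - i - 1) * sizeof *ws->handles);
            ws->count--;
            return 0;
        }
    }
    return -1;
}

/* The commit's scenario: fill the initial array, force the growth realloc()
 * to fail, check the existing handles survive, then recover and shrink again.
 * Returns 0 on success, otherwise the number of the step that failed. */
static int oom_scenario(void)
{
    struct wait_set ws = { NULL, 0, 0 };
    int i;

    for (i = 1; i <= INITIAL_HANDLES; i++) {
        if (wait_set_add(&ws, i) != 0) return 1;
    }
    grow_alloc = failing_realloc;
    if (wait_set_add(&ws, INITIAL_HANDLES + 1) != -1) return 2;  /* OOM reported */
    if (ws.count != INITIAL_HANDLES) return 3;                   /* count kept */
    for (i = 0; i < INITIAL_HANDLES; i++) {
        if (ws.handles[i] != i + 1) return 4;                    /* array intact */
    }
    grow_alloc = realloc;
    if (wait_set_add(&ws, INITIAL_HANDLES + 1) != 0) return 5;
    if (ws.count != INITIAL_HANDLES + 1) return 6;
    if (wait_set_remove(&ws, INITIAL_HANDLES + 1) != 0) return 7;
    if (ws.count != INITIAL_HANDLES) return 8;
    free(ws.handles);
    return 0;
}
```

The loop-side half of the fix, breaking out of the wait loop on WAIT_FAILED instead of continuing, is not modelled here; the point of the block is that a caller who sees -1 from wait_set_add() still holds a consistent array and can keep waiting on the existing handles rather than tearing every connection down.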
OpenVPN v2.3.10

2016.01.04 -- Version 2.3.10

Gert Doering (1):
    Prepare for v2.3.10 release, list PolarSSL 1.2 to 1.3 upgrade

Jan Just Keijser (1):
    Make certificate expiry warning patch (091edd8) work on OpenSSL 1.0.1 and earlier.

Lev Stipakov (1):
    Repair IPv6 netsh calls if Win XP is detected

Phillip Smith (1):
    Use bob.example.com and alice.example.com to improve clarity of documentation

Steffan Karger (6):
    Remove unused variables from ssl_verify_polarssl.c's x509_get_serial()
    Upgrade OpenVPN 2.3 to PolarSSL 1.3
    Warn user if their certificate has expired
    Make assert_failed() print the failed condition
    cleanup: get rid of httpdigest.c type warnings
    Fix regression in setups without a client certificate

Yegor Yefremov (1):
    polarssl: fix unreachable code
OpenVPN v2.3.9

2015.12.16 -- Version 2.3.9

Arne Schwabe (7):
    Show extra-certs in current parameters.
    Fix commit a3160fc
    Do not set the buffer size by default but rely on the operation system default.
    Remove --enable-password-save option
    Reflect enable-password-save change in documentation
    Also remove second instance of enable-password-save in the man page
    Detect config lines that are too long and give a warning/error

Boris Lytochkin (1):
    Log serial number of revoked certificate

Christos Trochalakis (1):
    Adjust server-ipv6 documentation

David Sommerseth (1):
    Avoid partial authentication state when using --disabled in CCD configs

Fish (1):
    Make "block-outside-dns" option platform agnostic

Gert Doering (8):
    Un-break --auth-user-pass on windows
    Replace unaligned 16bit access to TCP MSS value with bytewise access
    Repair test_local_addr() on WIN32
    Fix possible heap overflow on read accessing getaddrinfo() result.
    Fix FreeBSD-specific mishandling of gc arena pointer in create_arbitrary_remote()
    remove unused gc_arena in FreeBSD close_tun()
    Fix isatty() check for good.
    Preparing for release v2.3.9 (ChangeLog, version.m4)

Heiko Hund (1):
    put virtual IPv6 addresses into env

Lev Stipakov (5):
    Use adapter index instead of name for windows IPv6 interface config
    Client-side part for server restart notification
    Use adapter index for add/delete_route_ipv6
    Pass adapter index to up/down scripts
    Fix VS2013 compilation

Lukasz Kutyla (1):
    Fix privilege drop if first connection attempt fails

Michal Ludvig (1):
    Support for username-only auth file.

Samuli Seppänen (2):
    Add CONTRIBUTING.rst
    Updates to Changes.rst

Selva Nair (4):
    Fix termination when windows suspends/sleeps
    Do not hard-code windows systemroot in env_block
    Handle ctrl-C and ctrl-break events on Windows
    Unbreak read username password from management

Steffan Karger (11):
    Replace strdup() calls for string_alloc() calls
    Check return value of ms_error_text()
    Increase control channel packet size for faster handshakes
    hardening: add insurance to exit on a failed ASSERT()
    Fix memory leak in auth-pam plugin
    Fix (potential) memory leak in init_route_list()
    Fix uninitialized variable in plugin_vlog()
    Add macro to ensure we exit on fatal errors
    Fix memory leak in add_option() by simplifying get_ipv6_addr
    openssl: properly check return value of RAND_bytes()
    Fix rand_bytes return value checking

ValdikSS (1):
    Add Windows DNS Leak fix using WFP ('block-outside-dns')

janjust (1):
    Fix "White space before end tags can break the config parser"
OpenVPN v2.3.8

2015.08.03 -- Version 2.3.8

Arne Schwabe (2):
    Report missing endtags of inline files as warnings
    Fix commit e473b7c if an inline file happens to have a line break exactly at buffer limit

Gert Doering (2):
    Produce a meaningful error message if --daemon gets in the way of asking for passwords.
    Document --daemon changes and consequences (--askpass, --auth-nocache).

Holger Kummert (1):
    Del ipv6 addr on close of linux tun interface

James Geboski (1):
    Fix --askpass not allowing for password input via stdin

Steffan Karger (5):
    write pid file immediately after daemonizing
    Make __func__ work with Visual Studio too
    fix regression: query password before becoming daemon
    Fix using management interface to get passwords.
    Fix overflow check in openvpn_decrypt()