[Openvpn-devel] OpenVPN 3 Linux client - v8 beta released

2020-02-10 Thread David Sommerseth

Hi,

The OpenVPN 3 Linux v8 beta is now released.

This is available in our git repositories [0] and URLs for source tarballs
are listed later in this e-mail.  We have pre-built binaries for the
following Linux distributions:

* Fedora 30, 31 and Rawhide (via Fedora Copr: x86_64, ppc64le, aarch64)
* RHEL/CentOS 7 and 8  (via Fedora Copr: x86_64, ppc64le, aarch64)
* Debian 9 and 10 (amd64)
* Ubuntu 16.04, 18.04, 19.04 and 19.10 (amd64)

But there is an annoying detail with this release.  Cloudflare is doing
its best to ensure that the .deb package repositories are corrupt, invalid,
missing or not seeing the new files.  I've tried to do the magic steps
required to clean this up, with no results.

So for now, if you want to test it on those distros you need to build it
yourself from source or use Fedora, RHEL or CentOS - where the repos work
perfectly fine.  In the meantime I will try to figure out how to fix this
Cloudflux mess.


A quick-start guide for OpenVPN 3 Linux can be found here:




The highlights of this release include:

* Improvement: Brand new DNS resolver settings handling.  This is expected
  to avoid several bugs found in the prior releases; from not cleaning
  up correctly to adding duplicated entries for pushed DNS settings.

* Improvement: Refactored the code tied to setting up the direct route for
  the VPN server.

* Improvement: openvpn3-admin log-service --list-subscriptions now adds the
  PID of the process the log subscription is tied to.

* Bugfix: The openvpn3 Python module broke in v7_beta for Ubuntu 16.04 and
  other distributions shipping with Python 3.5 or older.  This has now been
  fixed but it will be required to install the aenum Python module via
  pip3.  This is not needed on distributions with Python 3.6 or newer.

* Bugfix: The openvpn2 interface would not work if the --verb option was
  missing.

* Bugfix: The D-Bus policy was incorrect for the net.openvpn.v3.netcfg
  service, related to the org.freedesktop.DBus.Ping method.

* Bugfix: Corrected a typo in Python constants related to DNS_SERVER_ADDED

* Bugfix: openvpn2 will now warn about ignoring --up and --down options,
  and will silently ignore --down-pre and --script-security.  These are not
  relevant or supported in OpenVPN 3 Linux. Prior versions did not work.

* Build: It now builds with GCC 10

* Build: It should be possible to build openvpn3-linux with no warnings on
  most platforms (gcc-4.8.5 requires -std=c++1y)

* OpenVPN 3 Core: Upgraded to the latest development version, with lots of
  bugfixes and improvements.


[0] 



-- 
kind regards,

David Sommerseth
OpenVPN Inc



--- Source tarballs ---
* OpenVPN 3 Linux v8 beta

  
  


--- SHA256 Checksums ---

74d806d43ed803aece46748292783b17e33c85d6f116a9d0d6b26ebcdae2a557  openvpn3-linux-8_beta.tar.xz
2a39c897b3f0669ba47af63409b36545fbde32fc9cb5c9cd0146c65fd6d4a651  openvpn3-linux-8_beta.tar.xz.asc

--- git references ---
git tag: v8_beta
git commit: ee9ae86605b4985fac94e7c534a0012dc8958f67

--- Changes from v7 to v8 ---

Arne Schwabe (14):
  contrib: Add cli-netcfg as a CMake build target
  netcfg: Move D-Bus logic returning fd in method call
  netcfg: Use C++ default copy constructor in NetCfgOptions
  Code style fixes
  ovpn3cli: Compile config command with USE_TUN_BUILDER
  netcfg: Declare ~NetCfgProxyException() as an override properly
  netcfg: Move device object creation into a separate method
  netcfg: Factor out notification signals in core-tunbuilder
  netcfg: Implement honouring remove_cmds in core tunbuilder
  contrib: Update CMake file to add missing files
  netcfg/client: Replace add_bypass_route with socket_protect
  netcfg/client: Cleanup tun devices and protected sockets on exit
  build: Update cmake files to include DNS related changes
  netcfg/client: Fix NetCfg::Cleanup() not called from openvpn-service-client

David Sommerseth (48):
  netcfg: NetCfgChangeEvent could incorrectly parse GVariant data
  client: Allow non-session manager access to log_level and device_path
  client: Provide more information on non-sessionmgr rejections
  client: Fix incorrect return in the Ready D-Bus method
  docs: Improve documentation
  dbus: Add missing glib2 include file in dbus/exceptions.hpp
  sessionmgr: Don't panic when device_path or device_name is unavailable
  common: Fix lookup functions returning uid/gid -1
  

[Openvpn-devel] [PATCH 1/2 v3] Skip expired certificates in Windows certificate store

2020-02-10 Thread selva . nair
From: Selva Nair 

Have the cryptoapicert option find the first matching certificate
in store that is valid at the present time. Currently the first
found item, even if expired, is returned.

This makes it possible to update certificates in store without having
to delete old ones. As a side effect, if only expired certificates are
found, the connection fails.

Also remove some unnecessary casts.

Tested on Windows 10.
Trac #966

Signed-off-by: Selva Nair 
---
v3: nudging again with a rebase to master

 src/openvpn/cryptoapi.c | 41 +
 1 file changed, 29 insertions(+), 12 deletions(-)

diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c
index 2f2eee7..3b70c33 100644
--- a/src/openvpn/cryptoapi.c
+++ b/src/openvpn/cryptoapi.c
@@ -739,27 +739,30 @@ find_certificate_in_store(const char *cert_prop, 
HCERTSTORE cert_store)
  * SUBJ:
  * THUMB:, e.g.
  * THUMB:f6 49 24 41 01 b4 fb 44 0c ce f4 36 ae d0 c4 c9 df 7a b6 28
+ * The first matching certificate that has not expired is returned.
  */
 const CERT_CONTEXT *rv = NULL;
+DWORD find_type;
+const void *find_param;
+unsigned char hash[255];
+CRYPT_HASH_BLOB blob = {.cbData = 0, .pbData = hash};
 
 if (!strncmp(cert_prop, "SUBJ:", 5))
 {
 /* skip the tag */
-cert_prop += 5;
-rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | 
PKCS_7_ASN_ENCODING,
-0, CERT_FIND_SUBJECT_STR_A, cert_prop, 
NULL);
-
+find_param = cert_prop + 5;
+find_type = CERT_FIND_SUBJECT_STR_A;
 }
 else if (!strncmp(cert_prop, "THUMB:", 6))
 {
-unsigned char hash[255];
-char *p;
+const char *p;
 int i, x = 0;
-CRYPT_HASH_BLOB blob;
+find_type = CERT_FIND_HASH;
+find_param = 
 
 /* skip the tag */
 cert_prop += 6;
-for (p = (char *) cert_prop, i = 0; *p && i < sizeof(hash); i++)
+for (p = cert_prop, i = 0; *p && i < sizeof(hash); i++)
 {
 if (*p >= '0' && *p <= '9')
 {
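Review bot: `find_type` and `find_param` are declared at the top of this hunk without initializers, and the search loop added later in this patch passes both straight to CertFindCertificateInStore(); if `cert_prop` matches neither `SUBJ:` nor `THUMB:` and the branch following this hunk does not return early, the call reads indeterminate values. Initialize them (`find_type = 0; find_param = NULL;`) or make the unsupported-prefix path return before the loop. Also, `find_param = ` in the THUMB branch has lost its right-hand side in the archived text; given the `blob` declaration above it should read `find_param = &blob;`.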
@@ -775,7 +778,8 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE 
cert_store)
 }
 if (!*++p)  /* unexpected end of string */
 {
-break;
+msg(M_WARN, "WARNING: cryptoapicert: error parsing 
.", cert_prop);
+return NULL;
 }
 if (*p >= '0' && *p <= '9')
 {
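Review bot: the `msg(M_WARN, ...)` added here shows no conversion specifier for its `cert_prop` argument in the archived text ("error parsing ."); the `<%s>` was presumably eaten by the archive, but verify the applied line, since a format string with an unused extra argument trips -Wformat-extra-args. Returning NULL instead of `break` is the right fix: with `break`, the half-parsed hash was still handed to CertFindCertificateInStore() via `blob.cbData = i` below.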
@@ -796,10 +800,23 @@ find_certificate_in_store(const char *cert_prop, 
HCERTSTORE cert_store)
 }
 }
 blob.cbData = i;
-blob.pbData = (unsigned char *) 
+}
+while(true)
+{
+int validity = 1;
+/* this frees previous rv, if not NULL */
 rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | 
PKCS_7_ASN_ENCODING,
-0, CERT_FIND_HASH, , NULL);
-
+0, find_type, find_param, rv);
+if (rv)
+{
+validity = CertVerifyTimeValidity(NULL, rv->pCertInfo);
+}
+if (!rv || validity == 0)
+{
+break;
+}
+msg(M_WARN, "WARNING: cryptoapicert: ignoring certificate in store 
%s.",
+validity < 0 ? "not yet valid" : "that has expired");
 }
 
 return rv;
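Review bot: style nit, `while(true)` should be `while (true)` to match the surrounding code (`if (rv)`, `for (p = ...)`). The logic looks right: CertFindCertificateInStore() releases the previous context passed as `rv`, so nothing leaks while iterating, and CertVerifyTimeValidity() returns 0 only for a currently valid certificate, so the loop stops on the first valid match or on NULL. Consider one more `msg()` after the loop when `rv` ends up NULL, so a store containing only expired certificates yields a clear "no valid certificate found" line rather than only per-certificate warnings. Note that the `return NULL` added in the previous hunk bypasses this `return rv`; any cleanup added before it (as patch 2/2 does) has to cover that path too.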
-- 
2.1.4



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [PATCH 2/2 v3] Allow unicode search string in --cryptoapicert option

2020-02-10 Thread selva . nair
From: Selva Nair 

Currently when the certificate is specified as "SUBJ:foo", the
string foo is assumed to be ascii. Change that and interpret
it as utf-8, convert to a wide string, and flag it as unicode
in CertFindCertificateInStore().

Signed-off-by: Selva Nair 
---
v3: nudging again, with a rebase to master

 src/openvpn/cryptoapi.c | 10 +++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c
index 3b70c33..acae96f 100644
--- a/src/openvpn/cryptoapi.c
+++ b/src/openvpn/cryptoapi.c
@@ -51,6 +51,7 @@
 
 #include "buffer.h"
 #include "openssl_compat.h"
+#include "win32.h"
 
 /* MinGW w32api 3.17 is still incomplete when it comes to CryptoAPI while
  * MinGW32-w64 defines all macros used. This is a hack around that problem.
@@ -746,12 +747,13 @@ find_certificate_in_store(const char *cert_prop, 
HCERTSTORE cert_store)
 const void *find_param;
 unsigned char hash[255];
 CRYPT_HASH_BLOB blob = {.cbData = 0, .pbData = hash};
+struct gc_arena gc = gc_new();
 
 if (!strncmp(cert_prop, "SUBJ:", 5))
 {
 /* skip the tag */
-find_param = cert_prop + 5;
-find_type = CERT_FIND_SUBJECT_STR_A;
+find_param = wide_string(cert_prop + 5, );
+find_type = CERT_FIND_SUBJECT_STR_W;
 }
 else if (!strncmp(cert_prop, "THUMB:", 6))
 {
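Review bot: `wide_string(cert_prop + 5, )` has lost its second argument in the archived text; it must be `&gc`, the arena declared just above. With this change a gc_arena is set up on every call to find_certificate_in_store(), including the THUMB path that never uses it, so every exit from the function now has to pass through `gc_free()`; the next hunk covers the parse-error return, but any other early return in this function needs the same treatment. Since the SUBJ string is now interpreted as UTF-8 rather than ASCII, the --cryptoapicert man page entry should say so; the diffstat touches no documentation.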
@@ -779,7 +781,7 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE 
cert_store)
 if (!*++p)  /* unexpected end of string */
 {
 msg(M_WARN, "WARNING: cryptoapicert: error parsing 
.", cert_prop);
-return NULL;
+goto out;
 }
 if (*p >= '0' && *p <= '9')
 {
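Review bot: replacing `return NULL` with `goto out` is correct here: `rv` is still NULL at this point (it is declared `const CERT_CONTEXT *rv = NULL;` in patch 1/2), so the function returns the same value but now frees the arena. Keep that initializer in mind if the declaration is ever moved; a `goto out` before `rv` is assigned would otherwise return an indeterminate pointer.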
@@ -819,6 +821,8 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE 
cert_store)
 validity < 0 ? "not yet valid" : "that has expired");
 }
 
+out:
+gc_free();
 return rv;
 }
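Review bot: `gc_free();` after the `out:` label has no argument in the archived text; as applied it must be `gc_free(&gc)`. The label placement is fine since a statement follows it. Because `find_param` points into the arena in the SUBJ case, `gc_free()` must stay after the search loop, as it is here; any future code that keeps `find_param` past this point would be a use-after-free.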
 
-- 
2.1.4





[Openvpn-devel] [PATCH] openssl: alternative names support for --verify-x509-name CN checks

2020-02-10 Thread Mateusz Markowicz via Openvpn-devel
When using "--verify-x509-name [hostname] name", hostname will now also be
accepted when it matches one of the X509v3 Subject Alternative Name IP or DNS
entries (instead of just the Subject's CN).

see also: https://github.com/OpenVPN/openvpn/pull/136/

Signed-off-by: Mateusz Markowicz 
---
src/openvpn/options.c|  4 +++
src/openvpn/ssl_verify.c | 18 +++---
src/openvpn/ssl_verify.h |  1 +
src/openvpn/ssl_verify_backend.h |  7 ++
src/openvpn/ssl_verify_mbedtls.c | 11 +
src/openvpn/ssl_verify_openssl.c | 42 
6 files changed, 80 insertions(+), 3 deletions(-)

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 173a1eea..438dfff0 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -8144,6 +8144,10 @@ add_option(struct options *options,
 {
 type = VERIFY_X509_SUBJECT_RDN_PREFIX;
 }
+else if (streq(p[2], "subject-alt-name"))
+{
+type = VERIFY_X509_SAN;
+}
 else
 {
 msg(msglevel, "unknown X.509 name type: %s", p[2]);
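Review bot: the new `subject-alt-name` type for --verify-x509-name is undocumented: the diffstat touches no man page or usage text, and the help output that lists the valid types (`subject`, `name`, `name-prefix`) should list it too. The commit message also says the hostname "will now also be accepted" against SANs, but as implemented this is a new, opt-in type and the existing `name` behaviour is unchanged; that is the safer choice, so the message should say so explicitly.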
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index 65188d23..6480b5eb 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -390,15 +390,27 @@ verify_peer_cert(const struct tls_options *opt, 
openvpn_x509_cert_t *peer_cert,
 /* verify X509 name or username against --verify-x509-[user]name */
 if (opt->verify_x509_type != VERIFY_X509_NONE)
 {
-if ( (opt->verify_x509_type == VERIFY_X509_SUBJECT_DN
+bool match;
+if (opt->verify_x509_type == VERIFY_X509_SAN)
+{
+bool have_alt_names;
+match = x509v3_is_host_in_alternative_names(peer_cert, 
opt->verify_x509_name, _alt_names)
+|| (!have_alt_names && strcmp(opt->verify_x509_name, 
common_name) == 0);
+}
+else
+{
+match = (opt->verify_x509_type == VERIFY_X509_SUBJECT_DN
   && strcmp(opt->verify_x509_name, subject) == 0)
  || (opt->verify_x509_type == VERIFY_X509_SUBJECT_RDN
  && strcmp(opt->verify_x509_name, common_name) == 0)
  || (opt->verify_x509_type == VERIFY_X509_SUBJECT_RDN_PREFIX
  && strncmp(opt->verify_x509_name, common_name,
-strlen(opt->verify_x509_name)) == 0) )
+strlen(opt->verify_x509_name)) == 0);
+}
+
+if (match)
 {
-msg(D_HANDSHAKE, "VERIFY X509NAME OK: %s", subject);
+msg(D_HANDSHAKE, "VERIFY X509NAME OK: %s", opt->verify_x509_name);
 }
 else
 {
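Review bot: `_alt_names` on the x509v3_is_host_in_alternative_names() call has lost its `&` in the archived text; it must be `&have_alt_names`. Two points on the logic. First, the fallback to a CN comparison when `!have_alt_names` makes the strength of the check depend on the backend reporting SAN presence honestly, and the mbedTLS stub in this series always reports false, so `subject-alt-name` silently degrades to a plain CN match there; failing closed when the backend cannot inspect SANs would be safer. Second, changing the success log from `subject` to `opt->verify_x509_name` alters the `VERIFY X509NAME OK:` line for all existing modes, which anyone parsing logs will notice; keep `subject` there, or log both.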
diff --git a/src/openvpn/ssl_verify.h b/src/openvpn/ssl_verify.h
index c54b89a6..1295e76b 100644
--- a/src/openvpn/ssl_verify.h
+++ b/src/openvpn/ssl_verify.h
@@ -64,6 +64,7 @@ struct cert_hash_set {
#define VERIFY_X509_SUBJECT_DN  1
#define VERIFY_X509_SUBJECT_RDN 2
#define VERIFY_X509_SUBJECT_RDN_PREFIX  3
+#define VERIFY_X509_SAN 4

#define TLS_AUTHENTICATION_SUCCEEDED  0
#define TLS_AUTHENTICATION_FAILED 1
diff --git a/src/openvpn/ssl_verify_backend.h b/src/openvpn/ssl_verify_backend.h
index d6b31bfa..927a5a29 100644
--- a/src/openvpn/ssl_verify_backend.h
+++ b/src/openvpn/ssl_verify_backend.h
@@ -268,4 +268,11 @@ result_t x509_write_pem(FILE *peercert_file, 
openvpn_x509_cert_t *peercert);
  */
bool tls_verify_crl_missing(const struct tls_options *opt);

+/**
+ * Return true iff {host} was found in {cert} Subject Alternative Names DNS or 
IP entries.
+ * If {has_alt_names} != NULL it'll return true iff Subject Alternative Names 
were defined
+ * for {cert}.
+ */
+bool x509v3_is_host_in_alternative_names(openvpn_x509_cert_t *cert, const char 
*host, bool *has_alt_names);
+
#endif /* SSL_VERIFY_BACKEND_H_ */
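Review bot: the doc comment is ambiguous: "If {has_alt_names} != NULL it'll return true iff Subject Alternative Names were defined" reads as if the function's return value changes, whereas it is the out-parameter that gets set. Suggest: "@param has_alt_names If not NULL, set to true iff the certificate carries a Subject Alternative Name extension." Also state which name forms are compared (DNS and IP only, no URI or email entries) and whether DNS matching is exact or case-insensitive, since callers rely on that.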
diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c
index fd31bbbd..2f2e04be 100644
--- a/src/openvpn/ssl_verify_mbedtls.c
+++ b/src/openvpn/ssl_verify_mbedtls.c
@@ -245,6 +245,17 @@ x509_get_subject(mbedtls_x509_crt *cert, struct gc_arena 
*gc)
 return subject;
}

+bool
+x509v3_is_host_in_alternative_names(mbedtls_x509_crt *cert, const char *host, 
bool *has_alt_names)
+{
+msg(M_WARN, "Missing support for subject alternative names in mbedtls.");
+if (has_alt_names != NULL)
+{
+*has_alt_names = false;
+}
+return false;
+}
+
static void
do_setenv_x509(struct env_set *es, const char *name, char *value, int depth)
{
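Review bot: this stub emits an M_WARN on every peer certificate verification while, through the caller's `!have_alt_names` fallback, letting `subject-alt-name` mode pass on the CN alone; that is a silent downgrade of the configured check. Either implement it (mbedtls_x509_crt exposes the parsed extension as `cert->subject_alt_names`, a `mbedtls_x509_sequence`; in the mbedTLS 2.x parser only dNSName entries are kept, so IP entries would need separate handling) or reject the option at config time when built against mbedTLS, so the user gets a hard error rather than a weaker check.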
diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index ff14db23..bb639abc 100644
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -364,6 +364,48 @@ err:
 return subject;
}

+bool
+x509v3_is_host_in_alternative_names(X509 *cert, const char *host, bool 
*has_alt_names)
+{
+GENERAL_NAMES* altnames = X509_get_ext_d2i(cert, 
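Review bot: the hunk is cut off in the archived text after `GENERAL_NAMES* altnames = X509_get_ext_d2i(cert,`, so the body cannot be reviewed here. Two things to check in the full version: the `GENERAL_NAMES*` returned by X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL) is owned by the caller and must be released with GENERAL_NAMES_free() on every path, and for `GEN_IPADD` entries the value is the raw 4- or 16-byte address, so the user-supplied string has to be parsed into binary form before comparison rather than compared as text. Style: the project writes `GENERAL_NAMES *altnames`, with the star attached to the name.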

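The matching policy of the ssl_verify.c hunk above, as an added Python example that is not part of the patch or of OpenVPN: SAN match first, CN compared only when the certificate carries no SAN at all. It goes one step beyond the patch by failing closed when a backend cannot read SANs (the mbedTLS stub instead reports "no SANs"), and it compares IP SANs as parsed addresses because OpenSSL hands them over as raw octets. `PeerCert` and the sample certificates are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PeerCert:
    """Constructed stand-in for the fields the check needs from an X.509 cert."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)
    san_ip: List[str] = field(default_factory=list)  # textual form of binary IP SANs
    san_readable: bool = True  # False models a backend that cannot parse SANs


def host_in_alt_names(cert: PeerCert, host: str) -> Tuple[bool, Optional[bool]]:
    """Counterpart of x509v3_is_host_in_alternative_names(): returns
    (matched, has_alt_names); has_alt_names is None when SANs cannot be read."""
    if not cert.san_readable:
        return False, None
    has_alt = bool(cert.san_dns or cert.san_ip)
    # DNS names are case-insensitive; a trailing dot is ignored on both sides
    want = host.rstrip(".").lower()
    if any(d.rstrip(".").lower() == want for d in cert.san_dns):
        return True, has_alt
    # IP SANs are octets on the wire, so compare parsed addresses, not text
    try:
        want_ip = ipaddress.ip_address(host)
    except ValueError:
        return False, has_alt
    return any(ipaddress.ip_address(a) == want_ip for a in cert.san_ip), has_alt


def verify_x509_name_san(cert: PeerCert, expected: str) -> bool:
    """Policy of the ssl_verify.c hunk: SAN match, else exact CN match only
    when the certificate has no SANs; unreadable SANs fail closed (added here)."""
    matched, has_alt = host_in_alt_names(cert, expected)
    if matched:
        return True
    if has_alt is None:
        return False
    return (not has_alt) and cert.common_name == expected


# Constructed sample certificates
SAN_CERT = PeerCert("gateway", san_dns=["VPN.example.net"], san_ip=["2001:db8::1"])
LEGACY_CERT = PeerCert("vpn.example.net")  # CN only, no SAN extension
OPAQUE_CERT = PeerCert("vpn.example.net", san_readable=False)
```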
[Openvpn-devel] [PATCH applied] Re: Swap the order of checks for validating interactive service user

2020-02-10 Thread Gert Doering
Your patch has been applied to the master branch.

I have not tested this in any way, but since Lev has reviewed & tested 
v2 (and found a bug) and reviewed & tested v3, I do not think I would
add much value anyway.

commit c6cc66a13568dd1078bfbeb763998c1b9e2a2999
Author: Selva Nair
Date:   Sun Feb 9 23:33:20 2020 -0500

 Swap the order of checks for validating interactive service user

 Signed-off-by: Selva Nair 
 Acked-by: Lev Stipakov 
 Message-Id: <1581309200-27870-1-git-send-email-selva.n...@gmail.com>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19388.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering





Re: [Openvpn-devel] [PATCH v3] Swap the order of checks for validating interactive service user

2020-02-10 Thread Lev Stipakov
Built with MSVC and tested; it works as described: the membership
check is performed only if options validation fails. Also, the error message
is sent only when the user is not authorized (this got broken in v2).

Acked-by: Lev Stipakov 