[Openvpn-devel] [S] Change in openvpn[master]: Disable DCO if proxy is set via management
cron2 has uploaded a new patch set (#2) to the change originally created by stipa. ( http://gerrit.openvpn.net/c/openvpn/+/543?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by flichtenheld Change subject: Disable DCO if proxy is set via management .. Disable DCO if proxy is set via management Commit 45a1cb2a ("Disable DCO if proxy is set via management") attempted to disable DCO when proxy is set via management interface. However, at least on Windows this doesn't work, since: - setting tuntap_options->disable_dco to true is not enough to disable DCO - at this point it is a bit too late, since we've already done DCO-specific adjustments Since proxy can be set via management only if --management-query-proxy is specified, the better way is to add a check to dco_check_startup_option(). Github: fixes OpenVPN/openvpn#522 Change-Id: I16d6a9fefa317d7d4a195e786618328445bdbca8 Signed-off-by: Lev Stipakov Acked-by: Frank Lichtenheld Message-Id: <20240318181744.20625-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28415.html Signed-off-by: Gert Doering --- M src/openvpn/dco.c M src/openvpn/init.c 2 files changed, 6 insertions(+), 6 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/43/543/2 diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index d7c9d48..78243b1 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -387,6 +387,12 @@ return false; } +if (o->management_flags & MF_QUERY_PROXY) +{ +msg(msglevel, "Note: --management-query-proxy disables data channel offload."); +return false; +} + /* now that all options have been confirmed to be supported, check * if DCO is truly available on the system */ diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 6209fa8..f2ce926 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -221,12 +221,6 @@ } else if (p[2] && p[3]) { -if (dco_enabled(&c->options)) -{ -msg(M_INFO, "Proxy set via management, disabling Data Channel Offload."); -c->options.tuntap_options.disable_dco = true; -} - if (streq(p[1], "HTTP")) { struct http_proxy_options *ho; -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/543?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I16d6a9fefa317d7d4a195e786618328445bdbca8 Gerrit-Change-Number: 543 Gerrit-PatchSet: 2 Gerrit-Owner: stipa Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [S] Change in openvpn[master]: Disable DCO if proxy is set via management
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/543?usp=email ) Change subject: Disable DCO if proxy is set via management .. Disable DCO if proxy is set via management Commit 45a1cb2a ("Disable DCO if proxy is set via management") attempted to disable DCO when proxy is set via management interface. However, at least on Windows this doesn't work, since: - setting tuntap_options->disable_dco to true is not enough to disable DCO - at this point it is a bit too late, since we've already done DCO-specific adjustments Since proxy can be set via management only if --management-query-proxy is specified, the better way is to add a check to dco_check_startup_option(). Github: fixes OpenVPN/openvpn#522 Change-Id: I16d6a9fefa317d7d4a195e786618328445bdbca8 Signed-off-by: Lev Stipakov Acked-by: Frank Lichtenheld Message-Id: <20240318181744.20625-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28415.html Signed-off-by: Gert Doering --- M src/openvpn/dco.c M src/openvpn/init.c 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index d7c9d48..78243b1 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -387,6 +387,12 @@ return false; } +if (o->management_flags & MF_QUERY_PROXY) +{ +msg(msglevel, "Note: --management-query-proxy disables data channel offload."); +return false; +} + /* now that all options have been confirmed to be supported, check * if DCO is truly available on the system */ diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 6209fa8..f2ce926 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -221,12 +221,6 @@ } else if (p[2] && p[3]) { -if (dco_enabled(&c->options)) -{ -msg(M_INFO, "Proxy set via management, disabling Data Channel Offload."); -c->options.tuntap_options.disable_dco = true; -} - if (streq(p[1], "HTTP")) { struct http_proxy_options *ho; -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/543?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I16d6a9fefa317d7d4a195e786618328445bdbca8 Gerrit-Change-Number: 543 Gerrit-PatchSet: 2 Gerrit-Owner: stipa Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: merged ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Disable DCO if proxy is set via management
Straight and to the point :-) Minimally tested with a linux t_client setup that uses DCO and proxy (but no --managment-query-proxy). Your patch has been applied to the master and release/2.6 branch (bugfix). commit fd6b8395f6cee8a6c28f335ec25ed6db11f7 (master) commit 462fed53c7a5f21c07dafa4910765efe56d7402d (release/2.6) Author: Lev Stipakov Date: Mon Mar 18 19:17:44 2024 +0100 Disable DCO if proxy is set via management Signed-off-by: Lev Stipakov Acked-by: Frank Lichtenheld Message-Id: <20240318181744.20625-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28415.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: interactive.c: Fix potential stack overflow issue
As for the two previous windows/CVE patches, this patch was sent "with ACK included" to the openvpn-devel@ list because it was developed under embargo (CVE), and reviewed and ACKed in a closed group. I have verified that this patch is identical to the "v2" version that Heiko and the original reporter saw and ACKed. The patch looks larger than the actual code change, because to do the size check the union typedef needs to move outside the function where it was "local" before. The actual check is very straightforward - "if there is more data in the pipe than can fit into a pipe_message_t, log an error and close this thread" (thus, abandon the process on the other end that pretends to be openvpn.exe but is misbehaving). In itself, this bug is annoying, but can not be directly exploited (because you cannot "just talk to this pipe", but you need to be openvpn.exe from the install directory). Combined with other potential flaws that give an attacker the opportunity to swap the openvpn.exe binary or get a malicious plugin loaded, this could end up being a local privilege escalation to SYSTEM. No exploit is known so far - this was found by code inspection for missing bounds checks. I have test compiled this on MinGW and GHA, but did not actually run it. Your patch has been applied to the master and release/2.6 branch (security relevant bugfix). A direct cherrypick to 2.5 fails due to "sufficiently different code and data structures" so I've asked Lev to send a 2.5 version which I could review-and-ACK then. commit 989b22cb6e007fd1addcfaf7d12f4fec9fbc9639 (master) commit 9b2693feff9c49b9485cf94797c1c3502259dbe1 (release/2.6) Author: Lev Stipakov Date: Tue Mar 19 17:27:11 2024 +0200 interactive.c: Fix potential stack overflow issue Signed-off-by: Lev Stipakov Acked-by: Heiko Hund Message-Id: <20240319152803.1801-2-...@openvpn.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28420.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: interactive.c: Fix potential stack overflow issue
As for the two previous windows/CVE patches, this patch was sent "with ACK included" to the openvpn-devel@ list because it was developed under embargo (CVE), and reviewed and ACKed in a closed group. I have verified that this patch is identical to the "v2" version that Heiko and the original reporter saw and ACKed. The patch looks larger than the actual code change, because to do the size check the union typedef needs to move outside the function where it was "local" before. The actual check is very straightforward - "if there is more data in the pipe than can fit into a pipe_message_t, log an error and close this thread" (thus, abandon the process on the other end that pretends to be openvpn.exe but is misbehaving). In itself, this bug is annoying, but can not be directly exploited (because you cannot "just talk to this pipe", but you need to be openvpn.exe from the install directory). Combined with other potential flaws that give an attacker the opportunity to swap the openvpn.exe binary or get a malicious plugin loaded, this could end up being a local privilege escalation to SYSTEM. No exploit is known so far - this was found by code inspection for missing bounds checks. I have test compiled this on MinGW and GHA, but did not actually run it. Your patch has been applied to the master and release/2.6 branch (security relevant bugfix). A direct cherrypick to 2.5 fails due to "sufficiently different code and data structures" so I've asked Lev to send a 2.5 version which I could review-and-ACK then. commit 989b22cb6e007fd1addcfaf7d12f4fec9fbc9639 (master) commit 9b2693feff9c49b9485cf94797c1c3502259dbe1 (release/2.6) Author: Lev Stipakov Date: Tue Mar 19 17:27:11 2024 +0200 interactive.c: Fix potential stack overflow issue Signed-off-by: Lev Stipakov Acked-by: Heiko Hund Message-Id: <20240319152803.1801-2-...@openvpn.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28420.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: interactive.c: disable remote access to the service pipe
As for the "plugin loading", this patch was sent "with ACK included" to the openvpn-devel@ list because it was developed under embargo (CVE), and reviewed and ACKed in a closed group. I have verified that this patch is identical to the that Heiko and the original reporter saw and ACKed. It's not very clear if there is a real attack angle here, but generally speaking this is a local process which only the GUI running on the same machine should be speaking to, so we do not want arbitrary machines in the network to be able to connect to its pipe and "try things". I have test compiled this on MinGW and GHA, but did not actually run it. Your patch has been applied to the master, release/2.6 and release/2.5 branch (security relevant bugfix). commit 2c1de0f0803360c0a6408f754066bd3a6fb28237 (master) commit a95e665041466ec7d4ca6dbf89d22c7950e9ef26 (release/2.6) commit e0775c042c7908a9b315da8092b436d03abea08a (release/2.5) Author: Lev Stipakov Date: Tue Mar 19 17:16:07 2024 +0200 interactive.c: disable remote access to the service pipe Signed-off-by: Lev Stipakov Acked-by: Heiko Hund Message-Id: <20240319151723.936-2-...@openvpn.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28419.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [S] Change in openvpn[master]: GHA: general update March 2024
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/544?usp=email ) Change subject: GHA: general update March 2024 .. GHA: general update March 2024 - Update to Node 20 versions of actions to avoid warnings - Update to current vcpkg - Update mbedTLS and LibreSSL to latest releases Change-Id: I1ad6a0b1323ce0872f4a3299c5a9f18a982e0126 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240319154456.2967716-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28422.html Signed-off-by: Gert Doering --- M .github/workflows/build.yaml M .github/workflows/coverity-scan.yml 2 files changed, 23 insertions(+), 23 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index bc937e5..f771f5a 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -13,7 +13,7 @@ - name: Install dependencies run: sudo apt update && sudo apt install -y uncrustify - name: Checkout OpenVPN -uses: actions/checkout@v3 +uses: actions/checkout@v4 with: path: openvpn - name: Show uncrustify version @@ -27,7 +27,7 @@ - name: Show changes on standard output run: git diff working-directory: openvpn - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@v4 with: name: uncrustify-changes.patch path: 'openvpn/uncrustify-changes.patch' @@ -49,12 +49,12 @@ - name: Install dependencies run: sudo apt update && sudo apt install -y mingw-w64 unzip cmake ninja-build build-essential wget python3-docutils man2html-base - name: Checkout OpenVPN -uses: actions/checkout@v3 +uses: actions/checkout@v4 - name: Restore from cache and install vcpkg uses: lukka/run-vcpkg@v11 with: - vcpkgGitCommitId: '1ba9a2591f15af5900f2ce2b3e2bf31771e3ac48' + vcpkgGitCommitId: 8d3649ba34aab36914ddd897958599aa0a91b08e vcpkgJsonGlob: '**/mingw/vcpkg.json' - name: Run CMake with vcpkg.json manifest @@ -64,7 +64,7 @@ buildPreset: mingw-${{ matrix.arch }} buildPresetAdditionalArgs: "['--config Debug']" - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@v4 with: name: openvpn-mingw-${{ matrix.arch }} path: | @@ -72,7 +72,7 @@ ${{ github.workspace }}/out/build/mingw/${{ matrix.arch }}/Debug/*.dll !${{ github.workspace }}/out/build/mingw/${{ matrix.arch }}/Debug/test_*.exe - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@v4 with: name: openvpn-mingw-${{ matrix.arch }}-tests path: | @@ -91,9 +91,9 @@ name: "mingw unittest ${{ matrix.test }} - ${{ matrix.arch }} - OSSL" steps: - name: Checkout OpenVPN -uses: actions/checkout@v3 +uses: actions/checkout@v4 - name: Retrieve mingw unittest -uses: actions/download-artifact@v3 +uses: actions/download-artifact@v4 with: name: openvpn-mingw-${{ matrix.arch }}-tests path: unittests @@ -159,7 +159,7 @@ - name: Install dependencies run: sudo apt update && sudo apt install -y liblzo2-dev libpam0g-dev liblz4-dev libcap-ng-dev libnl-genl-3-dev linux-libc-dev man2html libcmocka-dev python3-docutils libtool automake autoconf ${SSLPKG} ${PKCS11PKG} - name: Checkout OpenVPN -uses: actions/checkout@v3 +uses: actions/checkout@v4 - name: autoconf run: autoreconf -fvi - name: configure @@ -186,7 +186,7 @@ - name: Install dependencies run: sudo apt update && sudo apt install -y liblzo2-dev libpam0g-dev liblz4-dev libcap-ng-dev libnl-genl-3-dev linux-libc-dev man2html clang libcmocka-dev python3-docutils libtool automake autoconf libmbedtls-dev - name: Checkout OpenVPN -uses: actions/checkout@v3 +uses: actions/checkout@v4 - name: autoconf run: autoreconf -fvi - name: configure @@ -235,7 +235,7 @@ - name: Install dependencies run: brew install openssl@1.1 openssl@3 lzo lz4 man2html cmocka libtool automake autoconf libressl - name: Checkout OpenVPN -uses: actions/checkout@v3 +uses: actions/checkout@v4 - name: autoconf run: autoreconf -fvi - name: configure @@ -257,7 +257,7 @@ runs-on: windows-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: lukka/get-cmake@latest - name: Install rst2html @@ -266,7 +266,7 @@ - name: Restore artifacts, or setup vcpkg (do not install any package) uses: lukka/run-vcpkg@v11 with: - vcpkgGitCommitId: '1ba9a2591f15af5900f2ce2b3e2
[Openvpn-devel] [S] Change in openvpn[master]: GHA: general update March 2024
cron2 has uploaded a new patch set (#2) to the change originally created by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/544?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by plaisthos Change subject: GHA: general update March 2024 .. GHA: general update March 2024 - Update to Node 20 versions of actions to avoid warnings - Update to current vcpkg - Update mbedTLS and LibreSSL to latest releases Change-Id: I1ad6a0b1323ce0872f4a3299c5a9f18a982e0126 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240319154456.2967716-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28422.html Signed-off-by: Gert Doering --- M .github/workflows/build.yaml M .github/workflows/coverity-scan.yml 2 files changed, 23 insertions(+), 23 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/44/544/2 diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index bc937e5..f771f5a 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -13,7 +13,7 @@ - name: Install dependencies run: sudo apt update && sudo apt install -y uncrustify - name: Checkout OpenVPN -uses: actions/checkout@v3 +uses: actions/checkout@v4 with: path: openvpn - name: Show uncrustify version @@ -27,7 +27,7 @@ - name: Show changes on standard output run: git diff working-directory: openvpn - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@v4 with: name: uncrustify-changes.patch path: 'openvpn/uncrustify-changes.patch' @@ -49,12 +49,12 @@ - name: Install dependencies run: sudo apt update && sudo apt install -y mingw-w64 unzip cmake ninja-build build-essential wget python3-docutils man2html-base - name: Checkout OpenVPN -uses: actions/checkout@v3 +uses: actions/checkout@v4 - name: Restore from cache and install vcpkg uses: lukka/run-vcpkg@v11 with: - vcpkgGitCommitId: '1ba9a2591f15af5900f2ce2b3e2bf31771e3ac48' + vcpkgGitCommitId: 8d3649ba34aab36914ddd897958599aa0a91b08e vcpkgJsonGlob: '**/mingw/vcpkg.json' - name: Run CMake with vcpkg.json manifest @@ -64,7 +64,7 @@ buildPreset: mingw-${{ matrix.arch }} buildPresetAdditionalArgs: "['--config Debug']" - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@v4 with: name: openvpn-mingw-${{ matrix.arch }} path: | @@ -72,7 +72,7 @@ ${{ github.workspace }}/out/build/mingw/${{ matrix.arch }}/Debug/*.dll !${{ github.workspace }}/out/build/mingw/${{ matrix.arch }}/Debug/test_*.exe - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@v4 with: name: openvpn-mingw-${{ matrix.arch }}-tests path: | @@ -91,9 +91,9 @@ name: "mingw unittest ${{ matrix.test }} - ${{ matrix.arch }} - OSSL" steps: - name: Checkout OpenVPN -uses: actions/checkout@v3 +uses: actions/checkout@v4 - name: Retrieve mingw unittest -uses: actions/download-artifact@v3 +uses: actions/download-artifact@v4 with: name: openvpn-mingw-${{ matrix.arch }}-tests path: unittests @@ -159,7 +159,7 @@ - name: Install dependencies run: sudo apt update && sudo apt install -y liblzo2-dev libpam0g-dev liblz4-dev libcap-ng-dev libnl-genl-3-dev linux-libc-dev man2html libcmocka-dev python3-docutils libtool automake autoconf ${SSLPKG} ${PKCS11PKG} - name: Checkout OpenVPN -uses: actions/checkout@v3 +uses: actions/checkout@v4 - name: autoconf run: autoreconf -fvi - name: configure @@ -186,7 +186,7 @@ - name: Install dependencies run: sudo apt update && sudo apt install -y liblzo2-dev libpam0g-dev liblz4-dev libcap-ng-dev libnl-genl-3-dev linux-libc-dev man2html clang libcmocka-dev python3-docutils libtool automake autoconf libmbedtls-dev - name: Checkout OpenVPN -uses: actions/checkout@v3 +uses: actions/checkout@v4 - name: autoconf run: autoreconf -fvi - name: configure @@ -235,7 +235,7 @@ - name: Install dependencies run: brew install openssl@1.1 openssl@3 lzo lz4 man2html cmocka libtool automake autoconf libressl - name: Checkout OpenVPN -uses: actions/checkout@v3 +uses: actions/checkout@v4 - name: autoconf run: autoreconf -fvi - name: configure @@ -257,7 +257,7 @@ runs-on: windows-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: lukka/get-cmake@latest - name: Install rs
[Openvpn-devel] [PATCH applied] Re: GHA: general update March 2024
Tested on my GH repo. Works (except as noted for ubuntu/ASAN). Your patch has been applied to the master and release/2.6 branch. (Two merge conflicts, one related to "there is no checkout for mingw-unittests in 2.6 (yet)" and one to "no mbedtls3 tests") commit 36ff5cdb45183c13b0cb084b288b237ad55345cd (master) commit 5afc89ab747cfc8ad6b391f17dca61661e9b9df3 (release/2.6) Author: Frank Lichtenheld Date: Tue Mar 19 16:44:56 2024 +0100 GHA: general update March 2024 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240319154456.2967716-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28422.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: win32: Enforce loading of plugins from a trusted directory
Thanks for that. This patch was sent "with ACK included" to the openvpn-devel@ list because it was developed under embargo (CVE), and reviewed and ACKed in a closed group. I have verified that this patch is identical to the "v4 one" that Selva and the original reporter saw and ACKed. This is related to plugin loading on windows only. We have discussed the topic of "restricting plugin loading on other platforms" but it's more complex to tackle (it starts with "there is no central registry to put restrictions into", but goes on to "on unix, openvpn runs as root anyway, so we expect this to be done by admins who spend some thought on what scripts and plugin they call, and from which paths") - so we haven't done anything there yet. I have test built this on MinGW/Ubuntu, just for completeness, and via GHA. Haven't tested the result myself (no plugin setup on windows). (I do have a few gripes, but these are more cosmetical - like "make get_openvpn_reg_value() static", and "wrap the long if() condition at the '&&', not in the middle of the function call" - but these are all not important for the functionality) Your patch has been applied to the master, release/2.6 and release/2.5 branch (security relevant bugfix). commit aaea545d8a940f761898d736b68bcb067d503b1d (master) commit 05d321ef980734478a86c5241dad7ba26a748a2f (release/2.6) commit 30bddb1a5426523ef1d61c8a5df2c613ba2a47d3 (release/2.5) Author: Lev Stipakov Date: Tue Mar 19 15:53:45 2024 +0200 win32: Enforce loading of plugins from a trusted directory Signed-off-by: Lev Stipakov Acked-by: Selva Nair Message-Id: <20240319135355.1279-2-...@openvpn.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28416.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] GHA: general update March 2024
- Update to Node 20 versions of actions to avoid warnings - Update to current vcpkg - Update mbedTLS and LibreSSL to latest releases Change-Id: I1ad6a0b1323ce0872f4a3299c5a9f18a982e0126 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/544 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index bc937e5..f771f5a 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -13,7 +13,7 @@ - name: Install dependencies run: sudo apt update && sudo apt install -y uncrustify - name: Checkout OpenVPN -uses: actions/checkout@v3 +uses: actions/checkout@v4 with: path: openvpn - name: Show uncrustify version @@ -27,7 +27,7 @@ - name: Show changes on standard output run: git diff working-directory: openvpn - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@v4 with: name: uncrustify-changes.patch path: 'openvpn/uncrustify-changes.patch' @@ -49,12 +49,12 @@ - name: Install dependencies run: sudo apt update && sudo apt install -y mingw-w64 unzip cmake ninja-build build-essential wget python3-docutils man2html-base - name: Checkout OpenVPN -uses: actions/checkout@v3 +uses: actions/checkout@v4 - name: Restore from cache and install vcpkg uses: lukka/run-vcpkg@v11 with: - vcpkgGitCommitId: '1ba9a2591f15af5900f2ce2b3e2bf31771e3ac48' + vcpkgGitCommitId: 8d3649ba34aab36914ddd897958599aa0a91b08e vcpkgJsonGlob: '**/mingw/vcpkg.json' - name: Run CMake with vcpkg.json manifest @@ -64,7 +64,7 @@ buildPreset: mingw-${{ matrix.arch }} buildPresetAdditionalArgs: "['--config Debug']" - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@v4 with: name: openvpn-mingw-${{ matrix.arch }} path: | @@ -72,7 +72,7 @@ ${{ github.workspace }}/out/build/mingw/${{ matrix.arch }}/Debug/*.dll !${{ github.workspace }}/out/build/mingw/${{ matrix.arch }}/Debug/test_*.exe - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@v4 with: name: openvpn-mingw-${{ matrix.arch }}-tests path: | @@ -91,9 +91,9 @@ name: "mingw unittest ${{ matrix.test }} - ${{ matrix.arch }} - OSSL" steps: - name: Checkout OpenVPN -uses: actions/checkout@v3 +uses: actions/checkout@v4 - name: Retrieve mingw unittest -uses: actions/download-artifact@v3 +uses: actions/download-artifact@v4 with: name: openvpn-mingw-${{ matrix.arch }}-tests path: unittests @@ -159,7 +159,7 @@ - name: Install dependencies run: sudo apt update && sudo apt install -y liblzo2-dev libpam0g-dev liblz4-dev libcap-ng-dev libnl-genl-3-dev linux-libc-dev man2html libcmocka-dev python3-docutils libtool automake autoconf ${SSLPKG} ${PKCS11PKG} - name: Checkout OpenVPN -uses: actions/checkout@v3 +uses: actions/checkout@v4 - name: autoconf run: autoreconf -fvi - name: configure @@ -186,7 +186,7 @@ - name: Install dependencies run: sudo apt update && sudo apt install -y liblzo2-dev libpam0g-dev liblz4-dev libcap-ng-dev libnl-genl-3-dev linux-libc-dev man2html clang libcmocka-dev python3-docutils libtool automake autoconf libmbedtls-dev - name: Checkout OpenVPN -uses: actions/checkout@v3 +uses: actions/checkout@v4 - name: autoconf run: autoreconf -fvi - name: configure @@ -235,7 +235,7 @@ - name: Install dependencies run: brew install openssl@1.1 openssl@3 lzo lz4 man2html cmocka libtool automake autoconf libressl - name: Checkout OpenVPN -uses: actions/checkout@v3 +uses: actions/checkout@v4 - name: autoconf run: autoreconf -fvi - name: configure @@ -257,7 +257,7 @@ runs-on: windows-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: lukka/get-cmake@latest - name: Install rst2html @@ -266,7 +266,7 @@ - name: Restore artifacts, or setup vcpkg (do not install any package) uses: lukka/run-vcpkg@v11 with: - vcpkgGitCommitId: '1ba9a2591f15af5900f2ce2b3e2bf31771e3ac48' + vcpkgGitCommitId: 8d3649ba34aab36914ddd897958599aa0a91b08e vcpkgJsonGlob: '**/windows/vcpkg.json' - name: Run CMake with vcpkg.json manifest (NO TESTS) @@ -285,7 +285,7 @@ testPreset: win-${{ ma
[Openvpn-devel] [S] Change in openvpn[master]: GHA: general update March 2024
Attention is currently required from: flichtenheld. plaisthos has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/544?usp=email ) Change subject: GHA: general update March 2024 .. Patch Set 1: Code-Review+2 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/544?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I1ad6a0b1323ce0872f4a3299c5a9f18a982e0126 Gerrit-Change-Number: 544 Gerrit-PatchSet: 1 Gerrit-Owner: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-Attention: flichtenheld Gerrit-Comment-Date: Tue, 19 Mar 2024 15:38:16 + Gerrit-HasComments: No Gerrit-Has-Labels: Yes Gerrit-MessageType: comment ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v2] interactive.c: Fix potential stack overflow issue
When reading message from the pipe, we first peek the pipe to get the size of the message waiting to be read and then read the message. A compromised OpenVPN process could send an excessively large message, which would result in a stack-allocated message buffer overflow. To address this, we terminate the misbehaving process if the peeked message size exceeds the maximum allowable size. CVE: 2024-27459 Microsoft case number: 85932 Reported-by: Vladimir Tokarev Change-Id: Ib5743cba0741ea11f9ee62c4978b2c6789b81ada Signed-off-by: Lev Stipakov Acked-by: Heiko Hund --- v2: added CVE and MSFT case number src/openvpnserv/interactive.c | 35 +-- 1 file changed, 21 insertions(+), 14 deletions(-) diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index 32c8996c..24e3f341 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c @@ -106,6 +106,18 @@ typedef struct { struct tun_ring *receive_ring; } ring_buffer_maps_t; +typedef union { +message_header_t header; +address_message_t address; +route_message_t route; +flush_neighbors_message_t flush_neighbors; +block_dns_message_t block_dns; +dns_cfg_message_t dns; +enable_dhcp_message_t dhcp; +register_ring_buffers_message_t rrb; +set_mtu_message_t mtu; +wins_cfg_message_t wins; +} pipe_message_t; static DWORD AddListItem(list_item_t **pfirst, LPVOID data) @@ -1610,19 +1622,7 @@ static VOID HandleMessage(HANDLE pipe, HANDLE ovpn_proc, DWORD bytes, DWORD count, LPHANDLE events, undo_lists_t *lists) { -DWORD read; -union { -message_header_t header; -address_message_t address; -route_message_t route; -flush_neighbors_message_t flush_neighbors; -block_dns_message_t block_dns; -dns_cfg_message_t dns; -enable_dhcp_message_t dhcp; -register_ring_buffers_message_t rrb; -set_mtu_message_t mtu; -wins_cfg_message_t wins; -} msg; +pipe_message_t msg; ack_message_t ack = { .header = { .type = msg_acknowledgement, @@ -1632,7 +1632,7 @@ HandleMessage(HANDLE pipe, HANDLE ovpn_proc, .error_number = ERROR_MESSAGE_DATA }; -read = ReadPipeAsync(pipe, &msg, bytes, count, events); +DWORD read = ReadPipeAsync(pipe, &msg, bytes, count, events); if (read != bytes || read < sizeof(msg.header) || read != msg.header.size) { goto out; @@ -2059,6 +2059,13 @@ RunOpenvpn(LPVOID p) break; } +if (bytes > sizeof(pipe_message_t)) +{ +/* process at the other side of the pipe is misbehaving, shut it down */ +MsgToEventLog(MSG_FLAGS_ERROR, TEXT("OpenVPN process sent too large payload length to the pipe (%lu bytes), it will be terminated"), bytes); +break; +} + HandleMessage(ovpn_pipe, proc_info.hProcess, bytes, 1, &exit_event, &undo_lists); } -- 2.42.0.windows.2 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v2] interactive.c: disable remote access to the service pipe
Remote access to the service pipe is not needed and might be a potential attack vector. For example, if an attacker manages to get credentials for a user which is the member of "OpenVPN Administrators" group on a victim machine, an attacker might be able to communicate with the privileged interactive service on a victim machine and start openvpn processes remotely. CVE: 2024-24974 Microsoft case number: 85925 Reported-by: Vladimir Tokarev Change-Id: I8739c5f127e9ca0683fcdbd099dba9896ae46277 Signed-off-by: Lev Stipakov Acked-by: Heiko Hund --- v2: add CVE and MSFT case number to the commit message src/openvpnserv/interactive.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index 24e3f341..6a977b68 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c @@ -2175,7 +2175,7 @@ CreateClientPipeInstance(VOID) openvpn_swprintf(pipe_name, _countof(pipe_name), TEXT(".\\pipe\\" PACKAGE "%ls\\service"), service_instance); pipe = CreateNamedPipe(pipe_name, flags, - PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE, + PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_REJECT_REMOTE_CLIENTS, PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, NULL); if (pipe == INVALID_HANDLE_VALUE) { -- 2.42.0.windows.2 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] interactive.c: Fix potential stack overflow issue
When reading message from the pipe, we first peek the pipe to get the size of the message waiting to be read and then read the message. A compromised OpenVPN process could send an excessively large message, which would result in a stack-allocated message buffer overflow. To address this, we terminate the misbehaving process if the peeked message size exceeds the maximum allowable size. Reported-by: Vladimir Tokarev Change-Id: Ib5743cba0741ea11f9ee62c4978b2c6789b81ada Signed-off-by: Lev Stipakov Acked-by: Heiko Hund --- src/openvpnserv/interactive.c | 35 +-- 1 file changed, 21 insertions(+), 14 deletions(-) diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index 32c8996c..24e3f341 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c @@ -106,6 +106,18 @@ typedef struct { struct tun_ring *receive_ring; } ring_buffer_maps_t; +typedef union { +message_header_t header; +address_message_t address; +route_message_t route; +flush_neighbors_message_t flush_neighbors; +block_dns_message_t block_dns; +dns_cfg_message_t dns; +enable_dhcp_message_t dhcp; +register_ring_buffers_message_t rrb; +set_mtu_message_t mtu; +wins_cfg_message_t wins; +} pipe_message_t; static DWORD AddListItem(list_item_t **pfirst, LPVOID data) @@ -1610,19 +1622,7 @@ static VOID HandleMessage(HANDLE pipe, HANDLE ovpn_proc, DWORD bytes, DWORD count, LPHANDLE events, undo_lists_t *lists) { -DWORD read; -union { -message_header_t header; -address_message_t address; -route_message_t route; -flush_neighbors_message_t flush_neighbors; -block_dns_message_t block_dns; -dns_cfg_message_t dns; -enable_dhcp_message_t dhcp; -register_ring_buffers_message_t rrb; -set_mtu_message_t mtu; -wins_cfg_message_t wins; -} msg; +pipe_message_t msg; ack_message_t ack = { .header = { .type = msg_acknowledgement, @@ -1632,7 +1632,7 @@ HandleMessage(HANDLE pipe, HANDLE ovpn_proc, .error_number = ERROR_MESSAGE_DATA }; -read = ReadPipeAsync(pipe, &msg, bytes, count, events); +DWORD read = ReadPipeAsync(pipe, &msg, bytes, count, events); if (read != bytes || read < sizeof(msg.header) || read != msg.header.size) { goto out; @@ -2059,6 +2059,13 @@ RunOpenvpn(LPVOID p) break; } +if (bytes > sizeof(pipe_message_t)) +{ +/* process at the other side of the pipe is misbehaving, shut it down */ +MsgToEventLog(MSG_FLAGS_ERROR, TEXT("OpenVPN process sent too large payload length to the pipe (%lu bytes), it will be terminated"), bytes); +break; +} + HandleMessage(ovpn_pipe, proc_info.hProcess, bytes, 1, &exit_event, &undo_lists); } -- 2.42.0.windows.2 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] interactive.c: disable remote access to the service pipe
Remote access to the service pipe is not needed and might be a potential attack vector. For example, if an attacker manages to get credentials for a user which is the member of "OpenVPN Administrators" group on a victim machine, an attacker might be able to communicate with the privileged interactive service on a victim machine and start openvpn processes remotely. Reported-by: Vladimir Tokarev Change-Id: I8739c5f127e9ca0683fcdbd099dba9896ae46277 Signed-off-by: Lev Stipakov Acked-by: Heiko Hund --- src/openvpnserv/interactive.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index 24e3f341..6a977b68 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c @@ -2175,7 +2175,7 @@ CreateClientPipeInstance(VOID) openvpn_swprintf(pipe_name, _countof(pipe_name), TEXT(".\\pipe\\" PACKAGE "%ls\\service"), service_instance); pipe = CreateNamedPipe(pipe_name, flags, - PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE, + PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_REJECT_REMOTE_CLIENTS, PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, NULL); if (pipe == INVALID_HANDLE_VALUE) { -- 2.42.0.windows.2 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] win32: Enforce loading of plugins from a trusted directory
Currently, there's a risk associated with allowing plugins to be loaded from any location. This update ensures plugins are only loaded from a trusted directory, which is either: - HKLM\SOFTWARE\OpenVPN\plugin_dir (or if the key is missing, then HKLM\SOFTWARE\OpenVPN, which is installation directory) - System directory Loading from UNC paths is disallowed. Note: This change affects only Windows environments. CVE: 2024-27903 Change-Id: I154a4aaad9242c9253a64312a14c5fd2ea95f40d Reported-by: Vladimir Tokarev Signed-off-by: Lev Stipakov Acked-by: Selva Nair --- src/openvpn/plugin.c | 18 +-- src/openvpn/win32.c | 77 +--- src/openvpn/win32.h | 27 3 files changed, 107 insertions(+), 15 deletions(-) diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c index b4d4a986..3d62eced 100644 --- a/src/openvpn/plugin.c +++ b/src/openvpn/plugin.c @@ -277,11 +277,23 @@ plugin_init_item(struct plugin *p, const struct plugin_option *o) #else /* ifndef _WIN32 */ -rel = !platform_absolute_pathname(p->so_pathname); -p->module = LoadLibraryW(wide_string(p->so_pathname, &gc)); +WCHAR *wpath = wide_string(p->so_pathname, &gc); +WCHAR normalized_plugin_path[MAX_PATH] = {0}; +/* Normalize the plugin path, converting any relative paths to absolute paths. */ +if (!GetFullPathNameW(wpath, MAX_PATH, normalized_plugin_path, NULL)) +{ +msg(M_ERR, "PLUGIN_INIT: could not load plugin DLL: %ls. Failed to normalize plugin path.", wpath); +} + +if (!plugin_in_trusted_dir(normalized_plugin_path)) +{ +msg(M_FATAL, "PLUGIN_INIT: could not load plugin DLL: %ls. The DLL is not in a trusted directory.", normalized_plugin_path); +} + +p->module = LoadLibraryW(normalized_plugin_path); if (!p->module) { -msg(M_ERR, "PLUGIN_INIT: could not load plugin DLL: %s", p->so_pathname); +msg(M_ERR, "PLUGIN_INIT: could not load plugin DLL: %ls", normalized_plugin_path); } #define PLUGIN_SYM(var, name, flags) dll_resolve_symbol(p->module, (void *)&p->var, name, p->so_pathname, flags) diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c index 6b7ba5e4..7ed32811 100644 --- a/src/openvpn/win32.c +++ b/src/openvpn/win32.c @@ -1497,27 +1497,24 @@ openvpn_swprintf(wchar_t *const str, const size_t size, const wchar_t *const for return (len >= 0 && len < size); } -static BOOL -get_install_path(WCHAR *path, DWORD size) +bool +get_openvpn_reg_value(const WCHAR *key, WCHAR *value, DWORD size) { WCHAR reg_path[256]; -HKEY key; -BOOL res = FALSE; +HKEY hkey; openvpn_swprintf(reg_path, _countof(reg_path), L"SOFTWARE\\" PACKAGE_NAME); -LONG status = RegOpenKeyExW(HKEY_LOCAL_MACHINE, reg_path, 0, KEY_READ, &key); +LONG status = RegOpenKeyExW(HKEY_LOCAL_MACHINE, reg_path, 0, KEY_READ, &hkey); if (status != ERROR_SUCCESS) { -return res; +return false; } -/* The default value of REG_KEY is the install path */ -status = RegGetValueW(key, NULL, NULL, RRF_RT_REG_SZ, NULL, (LPBYTE)path, &size); -res = status == ERROR_SUCCESS; +status = RegGetValueW(hkey, NULL, key, RRF_RT_REG_SZ, NULL, (LPBYTE)value, &size); -RegCloseKey(key); +RegCloseKey(hkey); -return res; +return status == ERROR_SUCCESS; } static void @@ -1526,7 +1523,7 @@ set_openssl_env_vars() const WCHAR *ssl_fallback_dir = L"C:\\Windows\\System32"; WCHAR install_path[MAX_PATH] = { 0 }; -if (!get_install_path(install_path, _countof(install_path))) +if (!get_openvpn_reg_value(NULL, install_path, _countof(install_path))) { /* if we cannot find installation path from the registry, * use Windows directory as a fallback @@ -1605,4 +1602,60 @@ win32_sleep(const int n) } } } + +bool +plugin_in_trusted_dir(const WCHAR *plugin_path) +{ +/* UNC paths are not allowed */ +if (wcsncmp(plugin_path, L"", 2) == 0) +{ +msg(M_WARN, "UNC paths for plugins are not allowed."); +return false; +} + +WCHAR plugin_dir[MAX_PATH] = { 0 }; + +/* Attempt to retrieve the trusted plugin directory path from the registry, + * using installation path as a fallback */ +if (!get_openvpn_reg_value(L"plugin_dir", plugin_dir, _countof(plugin_dir)) +&& !get_openvpn_reg_value(NULL, plugin_dir, _countof(plugin_dir))) +{ +msg(M_WARN, "Installation path could not be determined."); +} + +/* Get the system directory */ +WCHAR system_dir[MAX_PATH] = { 0 }; +if (GetSystemDirectoryW(system_dir, _countof(system_dir)) == 0) +{ +msg(M_NONFATAL | M_ERRNO, "Failed to get system directory."); +} + +if ((wcslen(plugin_dir) == 0) && (wcslen(system_dir) == 0)) +{ +return false; +} + +WCHAR normalized_plugin_dir[MAX_PATH] = { 0 }; + +/* Normalize the plugin dir */ +if (wcslen(p