From 85bd50a577d582d94aa5ff4ddca8604e04ff65a8 Mon Sep 17 00:00:00 2001
From: David Sommerseth
Date: Thu, 14 Nov 2019 18:45:05 +0100
Subject: [PATCH 01/14] Finalizing OpenVPN 3 release v3.3.3

Signed-off-by: David Sommerseth
---
 openvpn/common/version.hpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/openvpn/common/version.hpp b/openvpn/common/version.hpp
index 5b587c28..1bb5b7cd 100644
--- a/openvpn/common/version.hpp
+++ b/openvpn/common/version.hpp
@@ -24,5 +24,5 @@
 #pragma once
 #ifndef OPENVPN_VERSION
-#define OPENVPN_VERSION "3.3.2"
+#define OPENVPN_VERSION "3.3.3"
 #endif

From 8b302a01c8df14cd7145835b3a1fbb247a8d38c4 Mon Sep 17 00:00:00 2001
From: David Sommerseth
Date: Thu, 14 Nov 2019 18:45:33 +0100
Subject: [PATCH 02/14] Finalizing OpenVPN 3 release v3.4.2

Signed-off-by: David Sommerseth
---
 openvpn/common/version.hpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/openvpn/common/version.hpp b/openvpn/common/version.hpp
index 667be60a..0393b21d 100644
--- a/openvpn/common/version.hpp
+++ b/openvpn/common/version.hpp
@@ -24,5 +24,5 @@
 #pragma once
 #ifndef OPENVPN_VERSION
-#define OPENVPN_VERSION "3.4.1"
+#define OPENVPN_VERSION "3.4.2"
 #endif

From c824c032b1a2207cc0a608301748fd701b705ccb Mon Sep 17 00:00:00 2001
From: David Sommerseth
Date: Thu, 27 Feb 2020 13:20:18 +0100
Subject: [PATCH 03/14] deps: Update to mbedtls-2.7.13

This release contains several critical security fixes.
URL: https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.4-and-2.7.13-released
URL: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-12
CVE: CVE-2019-18222
Signed-off-by: David Sommerseth
---
 deps/lib-versions | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/deps/lib-versions b/deps/lib-versions
index ac2d9502..c0adc14f 100644
--- a/deps/lib-versions
+++ b/deps/lib-versions
@@ -4,8 +4,8 @@ export ASIO_CSUM=fa8c3a16dc2163f5b3451f2a14ce95277c971f46700497d4e94af6059c00dc0
 export LZ4_VERSION=lz4-1.8.3
 export LZ4_CSUM=33af5936ac06536805f9745e0b6d61da606a1f8b4cc5c04dd3cbaca3b9b4fc43
-export MBEDTLS_VERSION=mbedtls-2.7.12
-export MBEDTLS_CSUM=d3a36dbc9f607747daa6875c1ab2e41f49eff5fc99d3436b4f3ac90c89f3c143
+export MBEDTLS_VERSION=mbedtls-2.7.13
+export MBEDTLS_CSUM=6772fe21c7755dc513920e84adec629d39188b6451542ebaece428f0eba655c9
 export OPENSSL_VERSION=openssl-1.0.2h

From 042502c932da8f6e78319d58f77589d2e27a9e02 Mon Sep 17 00:00:00 2001
From: Dmitriy Dudnik
Date: Tue, 25 Feb 2020 17:41:14 +0200
Subject: [PATCH 04/14] Additional mappings for OpenSSL errors to OpenVPN error codes

OpenVPNClient::connect method doesn't communicate common OpenSSL errors through it's return value due to lack of mappings of OpenSSL errors to OpenVPN error codes in OpenSSLException implementation. This commit fixes the issue by introducing new error codes:
- SSL_CA_MD_TOO_WEAK
- SSL_CA_KEY_TOO_SMALL
- SSL_DH_KEY_TOO_SMALL
These error codes are mapped to corresponding OpenSSL errors:
- SSL_R_CA_MD_TOO_WEAK
- SSL_R_CA_KEY_TOO_SMALL
- SSL_R_DH_KEY_TOO_SMALL
Signed-off-by: Dmitriy Dudnik
---
 openvpn/error/error.hpp | 6 ++++++
 openvpn/openssl/util/error.hpp | 9 +++++++++
 2 files changed, 15 insertions(+)

diff --git a/openvpn/error/error.hpp b/openvpn/error/error.hpp
index 59cc61e0..75a1070a 100644
--- a/openvpn/error/error.hpp
+++ b/openvpn/error/error.hpp
@@ -61,6 +61,9 @@ namespace openvpn {
 UDP_CONNECT_ERROR, // client error on UDP connect
 SSL_ERROR, // errors resulting from read/write on SSL object
 SSL_PARTIAL_WRITE, // SSL object did not process all written cleartext
+ SSL_CA_MD_TOO_WEAK, // CA message digest is too weak
+ SSL_CA_KEY_TOO_SMALL, // CA key is too small
+ SSL_DH_KEY_TOO_SMALL, // DH key is too small
 ENCAPSULATION_ERROR, // exceptions thrown during packet encapsulation
 EPKI_CERT_ERROR, // error obtaining certificate from External PKI provider
 EPKI_SIGN_ERROR, // error obtaining RSA signature from External PKI provider
@@ -139,6 +142,9 @@ namespace openvpn {
 "UDP_CONNECT_ERROR",
 "SSL_ERROR",
 "SSL_PARTIAL_WRITE",
+ "SSL_CA_MD_TOO_WEAK",
+ "SSL_CA_KEY_TOO_SMALL",
+ "SSL_DH_KEY_TOO_SMALL",
 "ENCAPSULATION_ERROR",
 "EPKI_CERT_ERROR",
 "EPKI_SIGN_ERROR",
diff --git a/openvpn/openssl/util/error.hpp b/openvpn/openssl/util/error.hpp
index 8f1695f3..accc36ce 100644
--- a/openvpn/openssl/util/error.hpp
+++ b/openvpn/openssl/util/error.hpp
@@ -144,6 +144,15 @@ namespace openvpn {
 case SSL_R_UNSUPPORTED_PROTOCOL:
 set_code(Error::TLS_VERSION_MIN, true);
 break;
+ case SSL_R_CA_MD_TOO_WEAK:
+ set_code(Error::SSL_CA_MD_TOO_WEAK, true);
+ break;
+ case SSL_R_CA_KEY_TOO_SMALL:
+ set_code(Error:SSL_CA_KEY_TOO_SMALL, true);
+ break;
+ case SSL_R_DH_KEY_TOO_SMALL:
+ set_code(Error::SSL_DH_KEY_TOO_SMALL, true);
+ break;
 }
 }
 errtxt = tmp.str();

From 65a5e959bc7c3145ca5567ab252eb5457147deb5 Mon Sep 17 00:00:00 2001
From: Dmitriy Dudnik
Date: Tue, 3 Mar 2020 16:18:14 +0200
Subject: [PATCH 05/14] Fix typo in OpenSSL error mapping

Signed-off-by: Dmitriy Dudnik
---
 openvpn/openssl/util/error.hpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/openvpn/openssl/util/error.hpp b/openvpn/openssl/util/error.hpp
index accc36ce..ad864e3c 100644
--- a/openvpn/openssl/util/error.hpp
+++ b/openvpn/openssl/util/error.hpp
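Review bot: The three new codes are inserted in the middle of the error-code enum (between `SSL_PARTIAL_WRITE` and `ENCAPSULATION_ERROR`), so every later enumerator — `ENCAPSULATION_ERROR`, `EPKI_CERT_ERROR`, `EPKI_SIGN_ERROR` and whatever follows outside the hunk — silently changes numeric value. The enum and the parallel name table in the second hunk are kept in step, so name lookup stays correct, but any consumer that stores, logs or compares the raw integer (language bindings, persisted statistics, external tooling) would misreport after this change; whether such consumers exist is not visible here. If the numeric values are part of a public interface, appending the new codes at the end of both lists (ahead of any terminating sentinel) preserves compatibility; otherwise a comment on the enum such as `// numeric values are not stable across releases; use the name table` makes the contract explicit. Both the enum and the name table continue beyond the hunk.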
@@ -148,7 +148,7 @@ namespace openvpn {
 set_code(Error::SSL_CA_MD_TOO_WEAK, true);
 break;
 case SSL_R_CA_KEY_TOO_SMALL:
- set_code(Error:SSL_CA_KEY_TOO_SMALL, true);
+ set_code(Error::SSL_CA_KEY_TOO_SMALL, true);
 break;
 case SSL_R_DH_KEY_TOO_SMALL:
 set_code(Error::SSL_DH_KEY_TOO_SMALL, true);

From 44e8dd8c01f5f7d34e3b29fe6c2972f7d98f64d7 Mon Sep 17 00:00:00 2001
From: David Sommerseth
Date: Tue, 3 Mar 2020 15:53:48 +0100
Subject: [PATCH 06/14] Fix build issues against OpenSSL 1.0.x

The two prior changes broke OpenSSL 1.0.x support, due to the SSL_R_CA_MD_TOO_WEAK and SSL_R_CA_KEY_TOO_SMALL error codes arrived first in OpenSSL 1.1.0
Signed-off-by: David Sommerseth
---
 openvpn/openssl/util/error.hpp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/openvpn/openssl/util/error.hpp b/openvpn/openssl/util/error.hpp
index ad864e3c..2c786801 100644
--- a/openvpn/openssl/util/error.hpp
+++ b/openvpn/openssl/util/error.hpp
@@ -144,12 +144,15 @@ namespace openvpn {
 case SSL_R_UNSUPPORTED_PROTOCOL:
 set_code(Error::TLS_VERSION_MIN, true);
 break;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ // These error codes are not available in older OpenSSL versions
 case SSL_R_CA_MD_TOO_WEAK:
 set_code(Error::SSL_CA_MD_TOO_WEAK, true);
 break;
 case SSL_R_CA_KEY_TOO_SMALL:
 set_code(Error::SSL_CA_KEY_TOO_SMALL, true);
 break;
+#endif // OpenSSL >= 1.1.0
 case SSL_R_DH_KEY_TOO_SMALL:
 set_code(Error::SSL_DH_KEY_TOO_SMALL, true);
 break;

From f225fcd0586fa21d3f12535e0a4ef14fb09617da Mon Sep 17 00:00:00 2001
From: David Sommerseth
Date: Tue, 3 Mar 2020 21:52:49 +0100
Subject: [PATCH 07/14] Finalizing OpenVPN 3 release v3.3.4

This update only upgrades mbed TLS to version 2.7.13
Signed-off-by: David Sommerseth
---
 openvpn/common/version.hpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/openvpn/common/version.hpp b/openvpn/common/version.hpp
index 1bb5b7cd..a3d88048 100644
--- a/openvpn/common/version.hpp
+++ b/openvpn/common/version.hpp
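Review bot: The guard added in the second hunk of this line keys on `OPENSSL_VERSION_NUMBER >= 0x10100000L`, but what the code actually needs is the presence of two reason-code macros, and the version number is not a reliable proxy for that: OpenSSL-compatible forks (LibreSSL reports a version number above this threshold) may not define `SSL_R_CA_MD_TOO_WEAK` or `SSL_R_CA_KEY_TOO_SMALL`, which would reproduce the build break this commit fixes. Testing the feature directly, `#if defined(SSL_R_CA_MD_TOO_WEAK) && defined(SSL_R_CA_KEY_TOO_SMALL)`, is robust across libraries and versions, and the closing line would then read `#endif // SSL_R_CA_MD_TOO_WEAK && SSL_R_CA_KEY_TOO_SMALL`. `SSL_R_DH_KEY_TOO_SMALL` is left unguarded; if any supported build lacks it, the same `#ifdef` treatment applies. The enclosing switch and function continue outside the hunk.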
@@ -24,5 +24,5 @@
 #pragma once
 #ifndef OPENVPN_VERSION
-#define OPENVPN_VERSION "3.3.3"
+#define OPENVPN_VERSION "3.3.4"
 #endif

From d5471e1846f377e98eb5a87a99f8ba47cbe7bde4 Mon Sep 17 00:00:00 2001
From: Arne Schwabe
Date: Wed, 18 Mar 2020 18:51:15 +0100
Subject: [PATCH 08/14] Increase OpenSSL version to 1.1.1e

---
 deps/lib-versions | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/deps/lib-versions b/deps/lib-versions
index dbe43f18..c264ddaf 100644
--- a/deps/lib-versions
+++ b/deps/lib-versions
@@ -19,6 +19,6 @@ export CITYHASH_CSUM=f70368facd15735dffc77fe2b27ab505bfdd05be5e9166d94149a8744c2
 export LZO_VERSION=lzo-2.10
 export LZO_CSUM=c0f892943208266f9b6543b3ae308fab6284c5c90e627931446fb49b4221a072
-export OPENSSL_VERSION=openssl-1.1.1d
-export OPENSSL_CSUM=1e3a91bc1f9dfce01af26026f856e064eab4c8ee0a8f457b5ae30b40b8b711f2
+export OPENSSL_VERSION=openssl-1.1.1e
+export OPENSSL_CSUM=694f61ac11cb51c9bf73f54e771ff6022b0327a43bbdfa1b2f19de1662a6dcbe

From 34435cbf65c95437e12c23307def5b3b6df96746 Mon Sep 17 00:00:00 2001
From: ybarnovych
Date: Tue, 31 Mar 2020 16:50:52 +0300
Subject: [PATCH 09/14] Support optional HTTP Status Code reason

In HTTP 1.1 specification reason phrase in HTTP Status becomes optional. For example, Tomcat 9 doesn't provide it. See details: https://bz.apache.org/bugzilla/show_bug.cgi?id=60183 We need to make changes in our HTTP response parser accordingly.
Signed-off-by: Yuriy Barnovych yuriy@openvpn.net
---
 openvpn/http/reply.hpp | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/openvpn/http/reply.hpp b/openvpn/http/reply.hpp
index 9c303af5..377141ad 100644
--- a/openvpn/http/reply.hpp
+++ b/openvpn/http/reply.hpp
@@ -245,7 +245,12 @@ namespace openvpn {
 return fail;
 }
 case status_text_start:
- if (!Util::is_char(input) || Util::is_ctl(input) || Util::is_tspecial(input))
+ if (input == '\r')
+ {
+ state_ = expecting_newline_1;
+ return pending;
+ }
+ else if (!Util::is_char(input) || Util::is_ctl(input) || Util::is_tspecial(input))
 {
 return fail;
 }

From 89a32839443b3b143c3e9d725e36f4bbe4515700 Mon Sep 17 00:00:00 2001
From: Dmitriy Dudnik
Date: Thu, 2 Apr 2020 15:54:44 +0300
Subject: [PATCH 10/14] Fix variable name typo in build-openssl

Signed-off-by: Dmitriy Dudnik
---
 deps/openssl/build-openssl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/deps/openssl/build-openssl b/deps/openssl/build-openssl
index 200dc6e6..ea15ffaa 100755
--- a/deps/openssl/build-openssl
+++ b/deps/openssl/build-openssl
@@ -38,7 +38,7 @@ fi
 # source helper functions
 . $O3/core/deps/functions.sh
-FNAME=openssl-${OPNESSL_VERSION}.tar.gz
+FNAME=openssl-${OPENSSL_VERSION}.tar.gz
 URL=https://www.openssl.org/source/${OPENSSL_VERSION}.tar.gz
 CSUM=${OPENSSL_CSUM}

From abb7857452b39a045faba70f574ae8393e1087be Mon Sep 17 00:00:00 2001
From: Dmitriy Dudnik
Date: Thu, 2 Apr 2020 17:01:18 +0300
Subject: [PATCH 11/14] Bump openssl version to 1.1.1f

Signed-off-by: Dmitriy Dudnik
---
 deps/lib-versions | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/deps/lib-versions b/deps/lib-versions
index c264ddaf..67b51353 100644
--- a/deps/lib-versions
+++ b/deps/lib-versions
@@ -19,6 +19,7 @@ export CITYHASH_CSUM=f70368facd15735dffc77fe2b27ab505bfdd05be5e9166d94149a8744c2
 export LZO_VERSION=lzo-2.10
 export LZO_CSUM=c0f892943208266f9b6543b3ae308fab6284c5c90e627931446fb49b4221a072
-export OPENSSL_VERSION=openssl-1.1.1e
-export OPENSSL_CSUM=694f61ac11cb51c9bf73f54e771ff6022b0327a43bbdfa1b2f19de1662a6dcbe
+export OPENSSL_VERSION=openssl-1.1.1f
+export OPENSSL_CSUM=186c6bfe6ecfba7a5b48c47f8a1673d0f3b0e5ba2e25602dd23b629975da3f35
+
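Review bot: The new `if (input == '\r')` branch accepts an empty reason phrase only when the separating space is still present (`HTTP/1.1 200 \r\n`); a status line that also omits the space (`HTTP/1.1 200\r\n`, seen from some non-conforming servers) is decided in the status-code state, which lies outside this hunk, so it is worth confirming that state either tolerates `\r` or that rejecting such servers is intended. Moving to `expecting_newline_1` on `\r` presumably mirrors what the reason-phrase state does at end of line, but that code is not visible here. A one-line comment above the new `if`, such as `// reason phrase may be empty (RFC 7230 §3.1.2): CR ends the status line`, would record why `\r` is special-cased in this state. The enclosing parser function continues on both sides of the hunk.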
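Review bot: With the typo fixed, `FNAME=openssl-${OPENSSL_VERSION}.tar.gz` prefixes `openssl-` onto a value that, per the `deps/lib-versions` hunks elsewhere in this series, already carries it (`export OPENSSL_VERSION=openssl-1.1.1e`), so FNAME expands to `openssl-openssl-1.1.1e.tar.gz` while URL on the next line expands to `openssl-1.1.1e.tar.gz`. Whether that mismatch is harmless or breaks the fetch depends on how the helper functions sourced from `functions.sh` use FNAME, URL and CSUM, which is not visible here. `FNAME=${OPENSSL_VERSION}.tar.gz` would make the two consistent; before the fix `${OPNESSL_VERSION}` expanded to empty, so the checksum verification against `CSUM` is the only thing that would have flagged a wrong archive and should stay mandatory.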
From a88f2379c357666953fa25e9d28f634eec918de4 Mon Sep 17 00:00:00 2001
From: Dmitriy Dudnik
Date: Tue, 21 Apr 2020 19:42:11 +0300
Subject: [PATCH 12/14] win/tunutil.hpp: fix TAP adapter name query

Previous attempt to fix the issue resulted in most TapNameGuidPair structs in the list having no name. Last parameter passed to RegQueryValueExW has to represent the amount of bytes available at wbuf. Doing otherwise will either cause SEGFAULT or return ERROR_MORE_DATA.
Signed-off-by: Dmitriy Dudnik
---
 openvpn/tun/win/tunutil.hpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/openvpn/tun/win/tunutil.hpp b/openvpn/tun/win/tunutil.hpp
index 6e2752f9..7bb7737e 100644
--- a/openvpn/tun/win/tunutil.hpp
+++ b/openvpn/tun/win/tunutil.hpp
@@ -288,15 +288,16 @@ namespace openvpn {
 continue;
 wchar_t wbuf[256] = L"";
+ DWORD cbwbuf = sizeof(wbuf);
 status = ::RegQueryValueExW(connection_key(),
 L"Name",
 nullptr,
 &data_type,
 (LPBYTE)wbuf,
- &len);
+ &cbwbuf);
 if (status != ERROR_SUCCESS || data_type != REG_SZ)
 continue;
- wbuf[(sizeof(wbuf) / sizeof(wchar_t)) - 1] = L'\0';
+ wbuf[(cbwbuf / sizeof(wchar_t)) - 1] = L'\0';
 // iterate through self and try to patch the name
 {

From bbcf90171f8595b913992ebd4abf2703c8101a68 Mon Sep 17 00:00:00 2001
From: Arne Schwabe
Date: Wed, 22 Apr 2020 14:58:49 +0200
Subject: [PATCH 13/14] Upgrade OpenSSL to 1.1.1g

Signed-off-by: Arne Schwabe
---
 deps/lib-versions | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/deps/lib-versions b/deps/lib-versions
index 67b51353..66af65f1 100644
--- a/deps/lib-versions
+++ b/deps/lib-versions
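Review bot: `wbuf[(cbwbuf / sizeof(wchar_t)) - 1] = L'\0';` underflows when `RegQueryValueExW` succeeds with `cbwbuf == 0` (a zero-length `REG_SZ` value is a legal registry state): the unsigned subtraction wraps to a huge index and the NUL is written outside the stack buffer instead of inside it. A guard ahead of the terminator write, `if (cbwbuf < sizeof(wchar_t)) continue;`, closes that hole; the `ERROR_MORE_DATA` case is already covered by the `status != ERROR_SUCCESS` test. Note also that REG_SZ data is not guaranteed to be NUL-terminated, so when a stored name fills the buffer exactly the write replaces the last character rather than appending a terminator — acceptable for a display name, but a short comment on the line would save the next reader the analysis. If `len` is no longer read after this change it is now an unused local; its declaration is outside the hunk, as is the rest of the enclosing loop body.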
@@ -19,7 +19,7 @@ export CITYHASH_CSUM=f70368facd15735dffc77fe2b27ab505bfdd05be5e9166d94149a8744c2
 export LZO_VERSION=lzo-2.10
 export LZO_CSUM=c0f892943208266f9b6543b3ae308fab6284c5c90e627931446fb49b4221a072
-export OPENSSL_VERSION=openssl-1.1.1f
-export OPENSSL_CSUM=186c6bfe6ecfba7a5b48c47f8a1673d0f3b0e5ba2e25602dd23b629975da3f35
+export OPENSSL_VERSION=openssl-1.1.1g
+export OPENSSL_CSUM=ddb04774f1e32f0c49751e21b67216ac87852ceb056b75209af2443400636d46

From 59f201be90d9587168ee76e2c3f0df3413df83c7 Mon Sep 17 00:00:00 2001
From: David Sommerseth
Date: Fri, 24 Apr 2020 16:41:28 +0200
Subject: [PATCH 14/14] Finalizing OpenVPN 3 Core library release v3.5.5

Signed-off-by: David Sommerseth
---
 openvpn/common/version.hpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/openvpn/common/version.hpp b/openvpn/common/version.hpp
index f7400162..6cc18dee 100644
--- a/openvpn/common/version.hpp
+++ b/openvpn/common/version.hpp
@@ -24,5 +24,5 @@
 #pragma once
 #ifndef OPENVPN_VERSION
-#define OPENVPN_VERSION "3.5.4"
+#define OPENVPN_VERSION "3.5.5"
 #endif