From https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage:
--block-outside-dns
Block DNS servers on other network adapters to prevent DNS leaks.
This option prevents any application from accessing TCP or UDP port 53 except one inside the tunnel.
It uses Windows Filtering Platform (WFP) and works on Windows Vista or later.
This option is considered unknown on non-Windows platforms and unsupported on Windows XP, resulting in fatal error.
You may want to use --setenv opt or --ignore-unknown-option (not suitable for Windows XP) to ignore said error.
Note that pushing unknown options from server does not trigger fatal errors.
The function has been greatly improved, here are some of the changes:
- The required SESSION (c->Session) parameter is checked correctly: the function returns immediately in case it's NULL. Previously, the function didn't return in case the parameter was NULL; multiple checks were in place, but not in all instances where the parameter was dereferenced.
- The resolved IP address is cached with all proxy types.
- The "RestoreServerNameAndPort" variable is documented.
- The Debug() messages have been improved.
This commit moves the generic (not related to our protocol) proxy stuff from Cedar to Mayaqua, in dedicated files.
The functions are refactored so that they all have the same arguments and follow the same logic.
Dedicated error codes are added, in order to indicate clearly why the function(s) failed.
Coverity Scan detected an out-of-bounds access issue: OvsProcessData() checked whether the payload size was bigger than the size of the buffer, instead of checking whether the entire packet size (payload size + 2 bytes) was, resulting in an out-of-bounds access in case the payload size is bigger than 1998.
This commit also improves the variable names, the comments and adds two Debug() lines.
OvsDecrypt() returns 0 when it fails, resulting in "size" rolling over with an end result of 4294967292.
This commit fixes the issue by checking whether "size" is greater than sizeof(UINT) before performing the subtraction.
The bug was caused by a typo in the StrCpy() call: the source buffer was the same as the destination one, meaning that the function didn't do anything.
- Fixed the RADIUS PEAP client to use the standard TLS versioning.
- Implementation of a function to fix the MAC address of L3 VPN protocol by entering e.g. "MAC: 112233445566" in the "Notes" field of the user information.
- Implementation of a function to fix the virtual MAC address to be assigned to the L3 VPN client as a string attribute from RADIUS server when authentication.
Hardcoded paths are used in log file enumeration such as LogFileList
command or GenerateEraseFileList function to delete old log files when
disk free space is lacking.
Fixes: SoftEtherVPN/SoftEtherVPN#972
If SecureNAT is enabled and the hostname of the server
is longer than 16characters, every NETBIOS name resolution
query triggers the buffer overflow. If the server was built
with stack protection, the process will be killed.
This commit adds a protocol interface to the server, its purpose is to manage TCP connections and the various third-party protocols.
More specifically, ProtoHandleConnection() takes care of exchanging the packets between the local and remote endpoint; the protocol implementation only has to parse them and act accordingly.
The interface knows which protocol is the connection for by calling IsPacketForMe(), a function implemented for each protocol.
A race condition in the DHCP server caused it to offer the same IP address to multiple clients when they connected at the same time, because an offered IP address was considered free until the final step (DHCP_ACK).
This commit introduces a list to keep track of the pending leases created during DHCP_OFFER, so that an IP address is guaranteed to be offered to a single client.
StrCat() appends a string to an already existing string. In order to know where the existing string ends, it uses StrLen() which in turn uses strlen(), a function considered unsafe because it doesn't stop until it finds the null character.
Since the string was allocated but not initialized, StrCat() was either:
- Working correctly.
- Copying only a part of the string.
- Making the program crash via strlen().
The fix consists in using StrCpy(), which starts writing at the beginning of the string.
found by cppcheck
[src/Cedar/DDNS.c:656]: (style) Condition 'ret==NULL' is always true
[src/Cedar/DDNS.c:515] -> [src/Cedar/DDNS.c:640]: (style) The expression 'use_https == false' is always true because 'use_https' and 'false' represent the same value.
[src/Cedar/DDNS.c:516] -> [src/Cedar/DDNS.c:648]: (style) The expression 'no_cert_verify == false' is always true because 'no_cert_verify' and 'false' represent the same value.
[src/Cedar/DDNS.c:816] -> [src/Cedar/DDNS.c:860]: (style) The expression 'no_cert_verify == false' is always true because 'no_cert_verify' and 'false' represent the same value.
[src/Cedar/DDNS.c:530]: (style) Variable 'use_vgs' is assigned a value that is never used.
[src/Cedar/DDNS.c:497]: (style) The function 'DCUpdateNow' is never used.
found by cppcheck
[src/Cedar/Account.c:523]: (style) The function 'GetUserPolicy' is never used.
[src/Cedar/Account.c:163]: (style) The function 'NormalizePolicyName' is never used.
found by cppcheck
[src/Cedar/Command.c:23220] -> [src/Cedar/Command.c:23232]: (style) Variable 'len' is reassigned a value before the old one has been used.
found by cppcheck
[src/Cedar/CM.c:4509]: (style) Variable 'easy' is assigned a value that is never used.
[src/Cedar/CM.c:4547]: (style) Variable 'hub_name' is assigned a value that is never used.
[src/Cedar/CM.c:4609]: (style) Variable 'is_account' is assigned a value that is never used.
[src/Cedar/CM.c:8545]: (style) The function 'CmLoadK' is never used.
To fix the bug of OpenVPN 2.4.6 and particular version of kernel mode TAP driver on Linux, the TAP device must be up after the OpenVPN client is connected. However there is no direct push instruction to do so to OpenVPN client. Therefore we push the dummy IPv4 address (RFC7600) to the OpenVPN client to enforce the TAP driver UP state.
This allows an OpenVPN client to bypass a firewall which is aware of the protocol and is able to block it.
The XOR mask set on the server has to be the same on the client, otherwise it will not be able to connect with certain obfuscation modes.
A special OpenVPN client built with the "XOR patch" is required in order to use this function, because it has never been merged in the official OpenVPN repository.
Two parameters are added to the server configuration: "OpenVPNObfuscationMethod" and "OpenVPNObfuscationMask".
Their value can be retrieved with "OpenVpnObfuscationGet" and set with "OpenVpnObfuscationEnable" in the VPN Command Line Management Utility.
resolve possible null pointer dereference
found by cppcheck
[src/Cedar/Protocol.c:3138] -> [src/Cedar/Protocol.c:3071]: (warning) Either the condition 's!=NULL' is redundant or there is possible null pointer dereference: s.
[src/Cedar/Protocol.c:916]: (style) Variable 'save' is assigned a value that is never used.
[src/Cedar/Protocol.c:6242]: (style) Variable 'size' is assigned a value that is never used.
[src/Cedar/Protocol.c:778]: (style) Variable 'old_disable' is assigned a value that is never used.
[src/Cedar/Protocol.c:1021]: (style) Variable 'save' is assigned a value that is never used.
[src/Cedar/Protocol.c:3708]: (style) Variable 'is_vgc' is assigned a value that is never used.
[src/Cedar/Protocol.c:5785]: (style) Variable 's' is assigned a value that is never used.
[src/Cedar/Protocol.c:6164]: (style) The function 'SocksConnectEx' is never used.
[src/Cedar/Protocol.c:907]: (style) The function 'CompareNodeInfo' is never used.
[src/Cedar/Protocol.c:6968]: (style) The function 'ProxyConnect' is never used.
[src/Cedar/Protocol.c:3986]: (style) The function 'SecureDelete' is never used.
[src/Cedar/Protocol.c:4042]: (style) The function 'SecureEnum' is never used.
[src/Cedar/Protocol.c:4127]: (style) The function 'SecureWrite' is never used.
[src/Cedar/Protocol.c:6463]: (style) The function 'SocksConnect' is never used.
[src/Cedar/Protocol.c:7185]: (style) The function 'TcpConnectEx2' is never used.
[src/Cedar/Protocol.c:7206]: (style) The function 'TcpIpConnect' is never used.
1.0.0.1 is a real IP address, owned by CloudFlare and used for their DNS service.
This commit changes the IP address we push to 192.0.0.8, which is defined in RFC7600 as dummy IPv4 address.
found by cppcheck
[src/Cedar/Proto_IkePacket.c:958]: (style) The function 'IkeNewCertPayload' is never used.
[src/Cedar/Proto_IkePacket.c:942]: (style) The function 'IkeNewCertRequestPayload' is never used.
[src/Cedar/Proto_IkePacket.c:875]: (style) The function 'IkeNewNoticeErrorInvalidExchangeTypePayload' is never used.
[src/Cedar/Proto_IkePacket.c:2542]: (style) The function 'IkeNewSpi' is never used.
[src/Cedar/Proto_IkePacket.c:142]: (style) The function 'IkePhase1CryptIdToKeySize' is never used.
[src/Cedar/Proto_IkePacket.c:157]: (style) The function 'IkePhase2CryptIdToKeySize' is never used.
[src/Cedar/Proto_IkePacket.c:172]: (style) The function 'IkeStrToPhase1CryptId' is never used.
[src/Cedar/Proto_IkePacket.c:187]: (style) The function 'IkeStrToPhase1HashId' is never used.
[src/Cedar/Proto_IkePacket.c:196]: (style) The function 'IkeStrToPhase2CryptId' is never used.
[src/Cedar/Proto_IkePacket.c:211]: (style) The function 'IkeStrToPhase2HashId' is never used.
[src/Cedar/Proto_IkePacket.c:2168]: (style) Condition 'b==NULL' is always true
1. ifdef DEBUG -> defined(_DEBUG) || defined(DEBUG)
In VC++ compilers, the macro is "_DEBUG", not "DEBUG".
2. If set memcheck = true, the program will be vitally slow since it will log all malloc() / realloc() / free() calls to find the cause of memory leak.
For normal debug we set memcheck = false.
Please set memcheck = true if you want to test the cause of memory leaks.
- Hash() has been removed because it was ambiguous, Md5() and Sha0() are proper replacements.
- HMacMd5() and HMacSha1() now share a common implementation handled by the new Internal_HMac() function.
- NewMd() and MdProcess() now support plain hashing (without the key).
- NewMd(), SetMdKey() and MdProcess() now check the OpenSSL functions' return value and in case of failure a debug message is printed along with the error string, if available.
- SetMdKey()'s return value has been changed from void to bool, so that it's possible to know whether the function succeeded or not.
- MdProcess()' return value has been changed from void to UINT (unsigned int) and the function now returns the number of bytes written by HMAC_Final() or EVP_DigestFinal_ex().
also cleanup a code based on PVS analyzer findings
src/Cedar/Hub.c 5279 warn V547 Expression 'e->UpdatedTime <= oldest_time' is always true.
src/Cedar/Hub.c 5840 warn V581 The conditional expressions of the 'if' statements situated alongside each other are identical. Check lines: 5828, 5840.
coverity thinks there might be null pointer dereference, make it
happier by removing check (there's a check against NULL in function itself).
condition "a.DataSize <= 1500" is always true
The previous regex expression removed all the 0s present in the input string, meaning that it caused the build to fail in case one of the date/time values was effectively 0.
found by coverity, cppcheck
[src/Cedar/Hub.c:6663]: (style) The function 'CalcTrafficEntryDiff' is never used.
[src/Cedar/Hub.c:3387]: (style) The function 'GetSessionByPtr' is never used.
[src/Cedar/Hub.c:3139]: (style) The function 'SetSessionFirstRedirectHttpUrl' is never used.
[src/Cedar/Hub.c:3912]: (style) The function 'VgsSetEmbTag' is never used.
[src/Cedar/Hub.c:3918]: (style) The function 'VgsSetUserAgentValue' is never used.
Pull request #294 added SHA-256, SHA-384, and SHA-512 support to the protocol, but part of it was removed in faee11ff09, because it caused a buffer over-read crash.
It also broke the MD5 implementation because the switch-case block didn't handle the type anymore.
This pull request fixes all the implementations and improves the IkeHMac() function by using the dedicated hashing functions.
found by coverity, cppcheck
[src/Cedar/Server.c:2899]: (style) Variable 'is_vgs_enabled' is assigned a value that is never used.
[src/Cedar/Server.c:3961]: (style) Variable 'id' is assigned a value that is never used.
[src/Cedar/Server.c:5723]: (style) Variable 'c' is assigned a value that is never used.
[src/Cedar/Server.c:5767]: (style) Variable 'num_connections_per_ip' is assigned a value that is never used.
[src/Cedar/Server.c:7327]: (style) Variable 'num' is assigned a value that is never used.
[src/Cedar/Server.c:8444]: (style) The function 'SiCallEnumHubBegin' is never used.
[src/Cedar/Server.c:8454]: (style) The function 'SiCallEnumHubEnd' is never used.
[src/Cedar/Server.c:9923]: (style) The function 'SiCallTaskAsyncBegin' is never used.
[src/Cedar/Server.c:9949]: (style) The function 'SiCallTaskAsyncEnd' is never used.
[src/Cedar/Server.c:10769]: (style) The function 'SiCheckCurrentRegion' is never used.
[src/Cedar/Server.c:2831]: (style) The function 'SiGetAzureEnable' is never used.
[src/Cedar/Server.c:208]: (style) The function 'SiGetServerNumUserObjects' is never used.
[src/Cedar/Server.c:2435]: (style) The function 'SiInitBridge' is never used.
[src/Cedar/Server.c:2540]: (style) The function 'SiTest' is never used.
[src/Cedar/Server.c:6707]: (style) The function 'StGetServer' is never used.
found by coverity, cppcheck
[src/Cedar/Session.c:1856]: (style) The function 'CompareSession' is never used.
[src/Cedar/Session.c:2384]: (style) The function 'DebugPrintSessionKey' is never used.
[src/Cedar/Session.c:2102]: (style) The function 'GetSessionFromKey32' is never used.
remove unused variable
[src/Cedar/IPsec_IKE.c:4332] -> [src/Cedar/IPsec_IKE.c:4332]: (style) Same expression on both sides of '||'.
[src/Cedar/IPsec_IKE.c:1665]: (style) Variable 'zero' is assigned a value that is never used.
found by coverity, cppcheck
[src/Cedar/Cedar.c:1605]: (style) The function 'EnableDebugLog' is never used.
[src/Cedar/Cedar.c:858]: (style) The function 'GetUnestablishedConnections' is never used.
[src/Cedar/Cedar.c:652]: (style) The function 'InitHiddenPassword' is never used.
[src/Cedar/Cedar.c:633]: (style) The function 'IsHiddenPasswordChanged' is never used.
[src/Cedar/Cedar.c:393]: (style) The function 'IsInNoSsl' is never used.
[src/Cedar/Cedar.c:1785]: (style) The function 'IsLaterBuild' is never used.
found by coverity, cppcheck
[src/Cedar/Client.c:9094]: (style) Unused variable: i
[src/Cedar/Client.c:500] -> [src/Cedar/Client.c:503]: (style) Variable 'ret' is reassigned a value before the old one has been used.
found by coverity, cppcheck
[src/Cedar/Client.c:10486]: (style) The function 'CiFreeInnerVPNServer' is never used.
[src/Cedar/Client.c:10877]: (style) The function 'CiGetNumActiveSessions' is never used.
[src/Cedar/Client.c:2042]: (style) The function 'CiHasAccountSensitiveInformationFile' is never used.
[src/Cedar/Client.c:10469]: (style) The function 'CiNewInnerVPNServer' is never used.
[src/Cedar/Client.c:1128]: (style) The function 'CncGetSessionId' is never used.
[src/Cedar/Client.c:767]: (style) The function 'CncPasswordDlgHaltThread' is never used.
[src/Cedar/Client.c:10681]: (style) The function 'CompareInternetSetting' is never used.
[src/Cedar/Client.c:11060]: (style) The function 'CtGetClient' is never used.
[src/Cedar/Client.c:5128]: (style) The function 'InRpcClientNotify' is never used.
[src/Cedar/Client.c:4340]: (style) The function 'InRpcEnumObjectInSecure' is never used.
[src/Cedar/Client.c:5140]: (style) The function 'OutRpcClientNotify' is never used.
[src/Cedar/Client.c:5657]: (style) Condition 'reg_port!=0' is always false
[src/Cedar/Client.c:683]: (style) Variable 'ret' is assigned a value that is never used.
[src/Cedar/Client.c:725]: (style) Variable 'ret' is assigned a value that is never used.
[src/Cedar/Client.c:1013]: (style) Variable 'param' is assigned a value that is never used.
found by coverity, cppcheck
[src/Cedar/BridgeUnix.c:270] -> [src/Cedar/BridgeUnix.c:279]: (style) Variable 'ret' is reassigned a value before the old one has been used.
[src/Cedar/BridgeUnix.c:560] -> [src/Cedar/BridgeUnix.c:569]: (style) Variable 't' is reassigned a value before the old one has been used.
[src/Cedar/BridgeUnix.c:1528] -> [src/Cedar/BridgeUnix.c:1537]: (style) Variable 'ret' is reassigned a value before the old one has been used.
[src/Cedar/BridgeUnix.c:1278]: (style) Unused variable: c
[src/Cedar/BridgeUnix.c:1090]: (style) The function 'DlipAttachRequest' is never used.
found by coverity, cppcheck
[src/Cedar/Command.c:9378]: (style) Variable 'ret' is assigned a value that is never used.
[src/Cedar/Command.c:9999]: (style) The function 'CmdEvalNetworkAndSubnetMask6' is never used.
found by coverity, cppcheck
[src/Cedar/EtherLog.c:327]: (style) The function 'EcAddLicenseKey' is never used.
[src/Cedar/EtherLog.c:385]: (style) The function 'ElCheckLicense' is never used.
found by cppcheck and coverity
[src/Cedar/Command.c:523] -> [src/Cedar/Command.c:532]: (style) Variable 'ok' is reassigned a value before the old one has been used.
[src/Cedar/Command.c:776]: (style) Variable 'tick2' is assigned a value that is never used.
[src/Cedar/Command.c:2244]: (style) Variable 'halt_timeout' is assigned a value that is never used.
[src/Cedar/Command.c:2246]: (style) Variable 'check_clock_seed' is assigned a value that is never used.
[src/Cedar/Command.c:2247]: (style) Variable 'halting' is assigned a value that is never used.
[src/Cedar/Command.c:6904]: (style) Unused variable: tmp
[src/Cedar/Command.c:12217]: (style) Variable 'packet_log' is assigned a value that is never used.
[src/Cedar/Command.c:20825]: (style) Variable 'ret' is assigned a value that is never used.
[src/Cedar/Command.c:20883]: (style) Variable 'ret' is assigned a value that is never used.
[src/Cedar/Command.c:20927]: (style) Variable 'ret' is assigned a value that is never used.
[src/Cedar/Command.c:10022]: (style) The function 'CmdEvalIpAndMask46' is never used.
[src/Cedar/Command.c:10109]: (style) The function 'CmdEvalNetworkAndSubnetMask46' is never used.
[src/Cedar/Command.c:23025]: (style) The function 'CmdPrintRow' is never used.
[src/Cedar/Command.c:167]: (style) The function 'InRpcTtResult' is never used.
[src/Cedar/Command.c:148]: (style) The function 'OutRpcTtResult' is never used.