Heiko Hund [Fri, 13 May 2022 09:37:40 +0000 (11:37 +0200)]
signal --dns support in peer info
Have clients set a bit in IV_PROTO, so that servers can make an informed
decision on whether to push --dns to the client. While unknown options
are ignored by clients when pushed, they generate a warning in the log.
That can be circumvented by server backends by checking if bit 7 is set.
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20220513093740.1091639-1-heiko@ist.eigentlich.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24350.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Fri, 27 May 2022 01:24:57 +0000 (03:24 +0200)]
dns: also (re)place foreign dhcp options in env
Override DNS related foreign_options with values set by the --dns
option. This is done so that scripts looking for these options continue
to work if only --dns option were pushed, or the values in the
--dhcp-options differ from what's pushed in --dns.
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220527012457.1819262-5-heiko@ist.eigentlich.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24432.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Tue, 24 May 2022 09:19:16 +0000 (12:19 +0300)]
Set o->use_peer_id flag for p2p mode
There are two flags to indicate peer-id usage, one is
in tls_multi struct and another one is in options.
For P2P mode we don't set this flag in options,
which is used in MTU calculation. As a result,
automatically calculated MSS value in P2P mode is wrong,
Fix by bring use_peer_id flag in options and tls_multi
into sync for P2P.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20220524091916.145-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24430.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Martin Janů [Fri, 10 Jun 2022 12:04:05 +0000 (12:04 +0000)]
Update the replay-window backtrack log message
The man pages reference a logging message which has been rephrased
in ac1310528a248c99e039e7afaf48724ad1b7f10e. This commit updates the
man page message to reflect the change for improved grep-ability.
Signed-off-by: Martin Janů <martin.janu@protonmail.com> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <SVrvuTydxR6Qs_mvwvG7mqT8iLV0inlcCMXoenZTMI8M0LkosV4pZsH9m_XCTwcRWAPN5H8Zdro0ubhJrnSp6v5KC2ZNAL9So0Y2SKiSe7g=@protonmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24472.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Fri, 27 May 2022 01:24:56 +0000 (03:24 +0200)]
rename foreign_option() and move it up
Add setenv_ prefix to foreign_option funtion so it is more obvious what
it does. Move it further up within options.c, so it is defined before
all future callers. Also declare all argv strings const.
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220527012457.1819262-4-heiko@ist.eigentlich.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24436.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Fri, 27 May 2022 01:24:54 +0000 (03:24 +0200)]
remove foreign_option() call for IPv6 DNS servers
The call survived since the initial commit 94bfc256d, where it was added
as a fallback, since no IPv6 DNS server handling was implemented at the
time. Now there's dhcp_option_dns6_parse() which adds the servers to the
tuntap options, just like how it is done with the v4 servers.
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220527012457.1819262-2-heiko@ist.eigentlich.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24433.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 23 May 2022 10:35:46 +0000 (12:35 +0200)]
Translate OpenSSL 3.0 digest names to OpenSSL 1.1 digest names
Since we used the OpenSSL <=1.1 names as part of our OCC message, they
are now unfortunately part of our wire protocol.
OpenSSL 3.0 will still accept the "old" names so we do not need to use
this translation table for forward lookup, only for returning the name
with md_kt_name()
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20220523103546.3425388-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24423.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 16 May 2022 10:48:07 +0000 (12:48 +0200)]
Implement ED448 and ED25519 support in xkey_provider
OpenSSL's implementation of ED448 and ED25519 has a few idiosyncrasies.
Instead of belonging to the elliptic curve type or to a common Edwards
curve type, ED448 and ED25519 have each their own type.
Also, OpenSSL expects signatures using these curves to be done with the
EVP_DigestSign API instead of the EVP_Sign API but using md=NULL.
This has been tested using a "fake" external key that used a normal
software key instead of a hardware implementation but that makes no
difference from the perspective of xkey_provider/management interface.
Patch v2: remove name functions from ed448/ed25519, ensure md is NULL
for ed448/ed25519 and handle NULL/none better in general.
Patch v3: do not pass NULL as string for the OSSL params.
Heiko Hund [Tue, 17 May 2022 21:01:21 +0000 (23:01 +0200)]
pre-commit: uncrustify based on staged changes
Previously the generated patch was based on the file(s) in the working
directory. This is a problem if you have not to be commited changes
there and these changes fix formatting issues that exist in the staging
area. This effectively circumventes the script from rejecting the
commit.
An example:
git add file.c
git commit
... pre-commit hooks complains about formatting ...
... you fix the file manually, forget to git add ...
git commit
... succeeds, even though the commit still has issues ...
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20220517210121.1312072-1-heiko@ist.eigentlich.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24376.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Fri, 13 May 2022 10:15:26 +0000 (12:15 +0200)]
Pass proper sockaddr_* structure for IPv6 socket errors.
commit 043c67f363429 enhances format_extended_socket_error() by
recognizing IPv6 extended socket errors, but neglected to change
the "sockaddr_in" buffer passed to recvmsg() to "sockaddr_storage".
According to documentation, recvmsg() should not have overrun
that buffer (we pass the size of the struct), but according to
ASAN it does... so, pass a pointer to the correct structure.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220513101526.11486-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24352.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Tue, 3 May 2022 00:28:40 +0000 (03:28 +0300)]
Fix M_ERRNO behavior on Windows
We use M_ERRNO flag in logging to display error code
and error message. This has been broken on Windows,
where we use error code from GetLastError() and
error description from strerror(). strerror() expects
C runtime error code, which is quite different from
last error code from WinAPI call. As a result, we got
incorrect error description.
The ultimate fix would be introducing another flag
for WinAPI errors, like M_WINERR and use either that or
M_ERRNO depends on context. However, the change would be
quite intrusive and in some cases it is hard to say which
one to use without looking into internals.
Instead we stick to M_ERRNO and in Windows case we
first try to obtain error code from GetLastError() and
if it returns ERROR_SUCCESS (which is 0), we assume that
we have C runtime error and use errno. To get error
description we use strerror_win32() with GetLastError()
and strerror() with errno.
strerror_win32() uses FormatMessage() internally, which
is the right way to get WinAPI error description.
Gert Doering [Tue, 22 Feb 2022 14:35:14 +0000 (15:35 +0100)]
Implement --mtu-disc for IPv6 UDP sockets.
Commit 4225114b96 repaired "--mtu-disc yes" brokenness for IPv4 UDP sockets
(caused by autoconf/ifdef issues). This patch adds new functionality
to do --mtu-disc for IPv6 sockets as well.
Half of it (setsockopt(IPV6_MTU_DISCOVER)) was already there, but
receiving of detailed socket errors was missing the enablement of
setsockopt(IPV6_RECVERR) and parsing of IPPROTO_IPV6/IPV6_RECVERR
messages received.
With that, we now get (sending over a route with "mtu 1300"):
2022-02-22 15:28:07 write UDPv6 [EMSGSIZE Path-MTU=1300]: Message too long
(fd=3,code=90)
2022-02-22 15:28:07 Note adjusting 'mssfix 1400 mtu' to 'mssfix 1300 mtu'
according to path MTU discovery
2022-02-22 15:28:07 Note adjusting 'fragment 1400 mtu' to 'fragment 1300
mtu' according to path MTU discovery
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220222143514.3480-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23879.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 6 May 2022 13:28:35 +0000 (15:28 +0200)]
Add uncrustify check to github actions
This adds checking if the code style is still clean github actions with the
exact version of uncrustify that is required and might also be helpful for
external commiters to get notified about code style problem when running
the Github actions on their own repository.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220506132836.1318985-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24300.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 3 May 2022 11:29:00 +0000 (13:29 +0200)]
Extract read_incoming_tls_plaintext into its own function
This makes the tls_process_state function a bit easier to read
and allows extending the read_incoming_tls_plaintext function
later without making tls_process_state even longer.
Patch v2: fix compile error.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220503112900.933975-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24268.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 22 Apr 2022 14:29:48 +0000 (16:29 +0200)]
Optimise three-way handshake condition for S_PRE_START to S_START
We move to the S_START when we have finished the three-way handshake. After
the three way handshake is done, the client will send the TLS Client Hello
packet.
Currently we consider the three way handshake only complete if all
outgoing packets have been acked (which in this case is the one
HARD_RESET_CLIENT or HARD_RESET_SERVER) and also all ACKs for incoming
packets have been sent out.
Waiting for the ack of our own packet is important as it signals that the
other side is really responding. However, the need to also send out all
ACKs for packets we received before moving to the next state breaks
piggybacking the ACKs onto the next control packet.
With this change both server and client will only send a P_CONTROL_V1 with
the TLS Client Hello and the TLS Server Hello with piggybacked ack instead
sending an P_ACK_V1 + P_CONTROL_V1, reducing the number of packets in a
handshake by 2.
This also allows the server to avoid resending P_CONTROL_HARD_RESET_V2
to complete the three-way handshake with HMAC. Only packets with
an ACK contain the remote session id that we need for HMAC session id
verification. The ACK_V1 packet that complets this three-way handshake
can get lost. But the P_CONTROL_V1 with the piggybacked ACK will get
retransmitted. This allows to put the burden of retransmission fully on
the client.
The S_GOT_KEY/S_SENT_KEY -> S_ACTIVE is similar. We do not need to wait
for the ack packet to be sent to move the state forward. This has however
no effect on actual packets since there are normally no outstanding ACKs
here.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220422142953.3805364-14-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24161.html
Arne Schwabe [Thu, 5 May 2022 13:03:48 +0000 (15:03 +0200)]
Implement HMAC based session id for tls-crypt v2
Tls-crypt v2 is more complicated to implement a proper stateless
handshake. To allow state handshake this commit does
- introduce a new packet CONTROL_WKC_V1 that repeats the wrapped
client key.
- introduce a way to negotiate the support for this packet in the
three way handshake
Details about the protocol changes are in tls-crypt-v2.txt. Optional
arguments to the tls-crypt-v2 option have been added to explicitly
allow or disallow client that do not support the stateless handshake.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Patch v3: improve grammar, style, comments, fix unit tests
Patch v4: remove explicit flag for ability to resend WKc,
clean up comments, improve code style in some instances Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20220505130348.1183195-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24287.html
Arne Schwabe [Wed, 4 May 2022 11:18:02 +0000 (13:18 +0200)]
Remove workaround for Android 4.4
Android 4.4 is now 9 years old and the main user of this API (OpenVPN
for Android) does not support this OS anymore. This workaround
is now safe to remove.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220504111802.1050648-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24276.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 4 May 2022 11:31:58 +0000 (13:31 +0200)]
Fix format specifier for printing size_t on 32bit size_t platforms
Today even 32 bit platform generally use a 64bit size_t but Android
armeabi-v7a is an expection to that and uses a 32bit size_t. Use
z as correct specifier for a size_t.
Clang complained about this:
warning: format specifies type 'unsigned long' but the
argument has type 'size_t' (aka 'unsigned int') [-Wformat]
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220504113158.1051861-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24277.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 22 Apr 2022 14:29:46 +0000 (16:29 +0200)]
Extract read_incoming_tls_ciphertext into function
This makes the code a bit more structured and easier to read. Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220422142953.3805364-12-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24152.html
OpenVPN currently has a bit of a weakness in its early three way handshake
A single client reset packet (first packet of the handshake) will
- trigger creating a session on the server side leading to potential
ressource exhaustion
- make the server respond with 3 answers trying to get an ACK for its
P_CONTROL_HARD_RESET_SERVER_V2 answer making it an amplification
Instead of allocating a connection for each client on the initial packet
OpenVPN will now calculate a session id based on a HMAC that serves as
verifiable cookie that can be checked for authenticity when the client
responds with it. This eliminates the amplification attack and resource
exhaustion attacks.
For tls-crypt-v2 clients the HMAC based handshake is not used yet (will
be added in one of the next patches).
Patch v2: rebase on master
patch v3: fix unit tests, improve comment/style of code
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220502154310.836947-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24262.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 22 Apr 2022 14:29:41 +0000 (16:29 +0200)]
Move CRL reload to key_state_init from S_START transition
The current place that we reload is a bit more efficient since it only
triggers reload after a completed 3way handshake. On the other hand the
key_state_init is a much more logical place and with the upcoming
HMAC based UDP code and TCP code, the initialisation will only be done
after a 3way handshake.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20220422142953.3805364-7-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24156.html
Arne Schwabe [Fri, 22 Apr 2022 14:29:40 +0000 (16:29 +0200)]
Remove pointless indentation from tls_process.
This is probably a result from earlier code that still needed to be
C89 compatible add probably added this to allow variable decleration Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220422142953.3805364-6-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24166.html
Arne Schwabe [Fri, 22 Apr 2022 14:29:39 +0000 (16:29 +0200)]
Move tls_process_state into its own function
This function does most of the state transitions in the TLS state
machine. Moving it into its own function removes an intention area and
makes tls_process function easier to understand as the loop is more
obvious.
This is largely just a code move with small expection. bool active is
no longer directly set but inferred from to_link->len
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220422142953.3805364-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24157.html
Arne Schwabe [Tue, 26 Apr 2022 13:23:23 +0000 (15:23 +0200)]
Change FULL_SYNC macro to no_pending_reliable_packets function
This changes this macro to a better named inline function. This
introduces a slight whitespace problem but the next refactoring will
move the incorrectly intended block to its own function anyway.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220426132324.76517-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24213.html
Arne Schwabe [Fri, 22 Apr 2022 14:29:37 +0000 (16:29 +0200)]
Extract session_move_pre_start as own function, use local buffer variable
This changes the C90 struct buffer declaration to a C99 style one. Also
move the state transition from S_INITIAL to S_PE_START into its own
function. Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220422142953.3805364-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24151.html
Arne Schwabe [Fri, 22 Apr 2022 14:29:36 +0000 (16:29 +0200)]
Refactor tls-auth/tls-crypt wrapping into into own function
This allows the the wrapping to be easier reused by a function that
does not have access to a full TLS session. Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220422142953.3805364-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24150.html
Marc Becker [Mon, 25 Apr 2022 21:58:22 +0000 (23:58 +0200)]
fix GitHub workflow working directories in MinGW builds
replace hardcoded directory names with env variable version info
bump pkcs11-helper version to 1.29.0
bump OpenSSL version to 1.1.1n
add OpenSSL version to cache key
use release file for pkcs11-helper archive
use OpenSSL URL endpoint with all/current versions
Signed-off-by: Marc Becker <becm@gmx.de> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220425215822.18569-1-becm@gmx.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24202.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 22 Apr 2022 13:40:35 +0000 (15:40 +0200)]
Move ssl function related to control channel wrap/unwrap to ssl_pkt.c/h
This allows these functions to be relatively easily included into the
unit test without pulling ssl.c and all the dependencies of ssl.c into
a unit test.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220422134038.3801239-7-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24149.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 22 Apr 2022 13:40:34 +0000 (15:40 +0200)]
Extend tls_pre_decrypt_lite to return type of packet and keep state
This allows us to keep the temporary data for a little bit longer
so we can use this to make further checks and ultimatively use the
state to craft the HMAC based RESET reply.
For now we do not use the extra information and keep behaviour
identical.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220422134038.3801239-6-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24148.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 25 Apr 2022 12:27:09 +0000 (14:27 +0200)]
Move pre decrypt lite check to its own function
This prepares for extending this function with the HMAC based session ID
check.
Replace the check for m->top.c2.tls_auth_standalone with an ASSERT as this
code path is only used in multi udp server and OpenVPN initialises the
tls_auth_standalone always for the TOP context (CF_INIT_TLS_AUTH_STANDALONE),
even for the tcp m2mp server that does not use it).
Patch v2: replace if with ASSERT
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220425122709.4148015-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24193.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 22 Apr 2022 14:29:44 +0000 (16:29 +0200)]
Make buf_write_u8/16/32 take the type they pretend to take
This functions should accept the type of integer they say to write. Calling
the u32 function with an integer that is actually 32 bit unsigned gives
compiler warnings. Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220422142953.3805364-10-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24165.html
Arne Schwabe [Fri, 22 Apr 2022 13:40:30 +0000 (15:40 +0200)]
Remove tls_init_control_channel_frame_parameters wrapper function
While calling this wrapper function is strictly more correct, these
indirection layer with tiny wrapper make the code more complex and
going through more layer than it really needs to.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220422134038.3801239-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24172.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 22 Apr 2022 14:29:35 +0000 (16:29 +0200)]
Remove EXPONENTIAL_BACKOFF define
We have EXPONENTIAL_BACKOFF as default forever (8c47de7, 2.1.1c,
2010). Remove the other code path that is dead code. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220422142953.3805364-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20220422142953.3805364-1-arne@rfc2549.org
Arne Schwabe [Fri, 22 Apr 2022 13:40:38 +0000 (15:40 +0200)]
Remove inc_pid argument from reliable_mark_deleted that is always true
This is a small cleanup to remove a superfluous argument Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220422134038.3801239-10-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20220422134038.3801239-10-arne@rfc2549.org
Arne Schwabe [Fri, 22 Apr 2022 13:40:31 +0000 (15:40 +0200)]
Remove dead PID_TEST code
Enabling this test produces compile errors and by the looks of it the
test has been broken for many years. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220422134038.3801239-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20220422134038.3801239-3-arne@rfc2549.org
On most systems limits.h is pulled in by some other header and thus no
error is ever triggered, but it's possible to find the right environment
which lackis this and prevents compiling auth-pam.c (possibly when using
LibreSSL).
Include the header explicitly as it includes the definition of PATH_MAX.
(note that this bug is fixed in Gentoo since 2020 by including a custom
patch, but apparently the issue was never reported upstream)
Reported-by: Michelangelo Scopelliti <kernelpanic@gmx.com> Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220421131909.32053-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24136.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
The script is self installing if you call it with "install" as the first
parameter. Once installed as the pre-commit hook it will check files to
be committed according to the rules in uncrustify.conf and abort the
commit if there's formatting issues. The script produces a patch in /tmp
which can be git apply'ed to fix all issues found.
The script was originally authored by David Martin [1] and slightly
modified to fit our needs. At the time it had a 2-clause BSD license.
David Sommerseth [Wed, 20 Apr 2022 14:30:50 +0000 (16:30 +0200)]
The Great Reformatting of 2022
It was agreed it was time to do a full reformat fix-up of the whole
source tree again. Over time (since late 2016) small changes has not
adhered to our uncrustify defined coding style. This realigns to our
current standards.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220420143050.52790-1-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24123.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Wed, 20 Apr 2022 12:13:21 +0000 (14:13 +0200)]
dev-tools: Remove uncrustify -p
The -p option to uncrustify was providing debug information about
decisions done by uncrustify. This was useful when debugging why
certain formatting choices.
With newer versions of uncrustify the -p option can only be used on
individual files and not a list of files. Since still supporting this
would require a bigger rewrite of reformat-all.sh, it was chosen to
instead remove the usage of this option. If certain behaviours needs to
be debugged, running uncrustify on individual files directly will work
fine anyhow.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220420121322.42732-2-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24120.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
t_net.sh: delete dummy iface using iproute command
A dummy interface cannot be deleted using --rmtun because openvpn tries
to send some ioctl (i.e. TUNSETPERSIST) which is not supported by this
device type. This results in the following error:
2022-04-07 09:59:29 Cannot ioctl TUNSETPERSIST(0) ovpn-dummy0: Bad file
descriptor (errno=9)
2022-04-07 09:59:29 Exiting due to fatal error
and the interface is not deleted.
Use iproute to generically delete an interface.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220407081555.25228-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24086.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
networking: implement net_iface_new and net_iface_del APIs
These two new methods can be used to create and delete a tun or an
ovpn-dco interface via networking API.
Implementations for SITNL and iproute2 are provided
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220407094146.7684-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24088.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
networking_iproute2: don't pass M_WARN to openvpn_execve_check()
openvpn_execve_check() expects a set of flags as third argument and not
a loglevel. For this reason, if no FATAL behaviour is expected, we
should simply pass 0. openvpn_execve_check() will then pick the
appropriate loglevel on its own.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220407201411.22486-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24090.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sat, 2 Apr 2022 07:08:56 +0000 (09:08 +0200)]
networking: remove duplicate methods from networking_sitnl.c
The net_ctx_init/reset/free methods of sitnl are the same dummy
methods that are already defined for non-Linux platforms in the
networking.h header.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220402070902.30282-2-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24054.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Michael Baentsch [Tue, 29 Mar 2022 05:37:09 +0000 (07:37 +0200)]
Enable usage of TLS groups not identified by a NID in OpenSSL 3
OpenSSL3 prefers to specify groups (including EC groups) with names
instead of NID to allow also groups provided by providers.
This commit also removes the mapping of secp256r1 to prime256v1 for
the OpenSSL3 code path as OpenSSL 3.0 recognises secp256r1.1
Signed-off-by: Michael Baentsch <info@baentsch.ch> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220329053709.19462-1-info@baentsch.ch>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24012.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Wed, 23 Mar 2022 14:34:52 +0000 (15:34 +0100)]
add support for --dns option
As a first step towards DNS configuration in openvpn and a unified way
to push DNS related settings to clients in v2 and v3, this commit adds
support for parsing the new --dns option. Later commits will add support
for setting up DNS on different platforms.
For now, --dns and DNS related --dhcp-option can be used together for
smoother transition. Settings from --dns will override ones --dhcp-option
where applicable.
For detailed information about the option consult the documentation in
this commit.
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220323143452.1100446-1-heiko@ist.eigentlich.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23997.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 24 Feb 2022 14:42:45 +0000 (15:42 +0100)]
Implement fixed MSS value for mssfix and use it for non default MTUs
This allows to set the MSS value inside the tunnel to a user specified
value instead of calculating it form (somewhat) dynamic encapsulation
overhead.
Also default to the MTU when tun-mtu does not have the default value
to ensure that packets are not larger than the tun-mtu. This only affects
packets that are routed via the VPN and none of the peers is an endpoint
since otherwise the peer would already set a lower MTU. Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20220224144245.878056-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23886.html
preprocessor definitions. I don't feel like replacing strdup (which is
correct POSIX function) and inet_ntoa (we always pass IPv4 address to
it, inet_ntop will make code more complex)
Above issues were discovered by bitskim.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220218235004.269-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23851.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Tue, 1 Mar 2022 13:50:54 +0000 (15:50 +0200)]
Fix incorrect default mssfix value in server mode
When calculating default mssfix, we take into account
protocol overhead, which usually includes 3 bytes peer-id.
Peer-id usage is indicated by options->use_peer_id flag.
In client mode it is set when applying pushed options.
In server mode it is not set and as a result mssfix value
is 3 bytes off.
Fix by setting this flag in multi.c when calculating
tunnel-specific options.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220301135054.277-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23896.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
networking: use OPENVPN_ETH_ALEN instead of ETH_ALEN
With the introduction of SITNL two occurrences of ETH_ALEN
were introduced in the code. This define exists on Linux in
the linux/if_ether.h header, however the latter is included
in linux/if_tun.h which may or may not exist (depending on
how old your system is).
If the system lacks if_tun.h then the compilation fails because
ETH_ALEN cannot be found.
For this reason, swap ETH_ALEN with OPENVPN_ETH_ALEN which is
already used in other places of the code.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220223080628.4773-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23882.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
netmask is simply used to reflect the value of p[2], therefore
it can be dropped and p[2] can directly be used instead.
Reported-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220314131356.11577-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23941.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Wed, 16 Mar 2022 13:54:11 +0000 (15:54 +0200)]
vcpkg-ports\pkcs11-helper: shorten patch filename
"make dist" uses 'tar -o' which breaks on long filenames:
tar:
openvpn-2.5.6/contrib/vcpkg-ports/pkcs11-helper/0003-config-w32-vc.h.in-ind
icate-OpenSSL-EC-support.patch:
file name is too long (max 99); not dumped
tar: Exiting with failure status due to previous errors
and then "make dist" continues.
Make filename shorter to make tar happy.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220316135411.217-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23977.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
The plug-in API in OpenVPN 2.x is not designed for running multiple
deferred authentication processes in parallel. The authentication
results of such configurations are not to be trusted. For now we bail
out when this is discovered with an error in the log.
CVE: 2022-0547 Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20220313193154.9350-3-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23931.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Sun, 13 Mar 2022 19:31:54 +0000 (20:31 +0100)]
plugins: Remove defer/simple.c sample plugin
The use case for this plug-in is dubious now with the new multi-auth.c
plugin available. This new plugin is based on simple.c, but allows
far more flexibility for testing.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20220313193154.9350-4-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23933.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Tue, 22 Feb 2022 11:38:32 +0000 (12:38 +0100)]
Fix --mtu-disc maybe|yes on Linux.
--mtu-disc (on Linux) needs two components to work:
- setsockopt() with IP_MTU_DISCOVER or IPV6_MTU_DISCOVER
- "extended error reporting" (setsockopt(IP_RECVERR) and
then via mtu.c/format_extended_socket_error()) to react on
"packet too big" errors on sendto() / sendmsg()
Some configure.ac reorganization broke detection of <linux/errqueue.h>
and "struct sock_extended_err". Re-add <linux/errqueue.h> to configure.ac,
remove all the other conditionals in syshead.h, and remove the
"struct sock_extended_err" check completely (assumption: if errqueue.h
exists, it contains what we need).
Thus, the "non-helpful" socket error message turns into:
2022-02-22 12:31:42 write UDPv4 [EMSGSIZE Path-MTU=800]: Message too long (fd=3,code=90)
2022-02-22 12:31:42 Note adjusting 'mssfix 1400 mtu' to 'mssfix 800 mtu' according to path MTU discovery
2022-02-22 12:31:42 Note adjusting 'fragment 1400 mtu' to 'fragment 800 mtu' according to path MTU discovery
... while at it, fix extra space in first part of these messages, and
print o->ce.fragment for the "fragment" message...
v2: assume that "if it's linux, and has these two headers, everything
else will be there as well" and get rid of most of the #ifdef checks
Trac: #1452
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220222113832.13383-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23863.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Mon, 14 Feb 2022 12:24:09 +0000 (14:24 +0200)]
openvpnmsica: add ovpn-dco custom actions
Add two custom actions to service ovpn-dco driver installation.
- EvaluateDriver
Runs under user privileges. Determines what action (install/uninstall)
should be performed on ovpn-dco component.
- ProcessDriver
Runs under SYSTEM privileges. Performs driver (un)installation.
During uninstall, all existing adapters with given hwid (ovpn-dco)
are removed.
The logic is inspired by custom actions from tap-windows6 installer
(https://github.com/OpenVPN/tap-windows6/tree/master/msm).
Signed-off-by: Lev Stipakov <lev@openvpn.net> Signed-off-by: Simon Rozman <simon@rozman.si> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220214122409.260-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23786.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
At the moment we have tls_crypt_kt() and auth_token_kt that basically do
the same thing, but with different algorithms used to initialise the
structure.
In order to avoid code duplication and copy/paste errors, unify code and
make it parametric, so that it can be re-used in various places.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220217163159.7936-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23831.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
doc/options: clean up documentation for --proto and related options
The family specific options were generally omitted.
Cc: David Sommerseth <openvpn@sf.lists.topphemmelig.net> Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20220215145425.1989-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23798.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
With b39725cf ("Remove md_kt_t and change crypto API to use const char*")
the logic for validating ciphers and md algorithms has been changed.
We should now *always* use md_valid() when validating a digest alg.
At the same time, add '!' (negation) when validating the digest algorithm
in the tls-crypt code, in order to restore the proper logic.
Cc: Arne Schwabe <arne@rfc2549.org> Fixes: b39725cf ("Remove md_kt_t and change crypto API to use const char*") Reported-by: Richard T Bonhomme <tincantech@protonmail.com> Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220215123157.10615-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23793.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 14 Feb 2022 09:26:07 +0000 (10:26 +0100)]
Remove FRAME_HEADROOM, PAYLOAD_SIZE, EXTRA_FRAME and TUN_LINK_DELTA macros
The buffer overhaul simplified the frame struct to a point that these
macros are either not used anymore or are not adding any benefit in
understanding the code anymore. Replace the macros with direct member
acessses.
Patch v2: Remove all FRAME_HEADROOM macros Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220214092607.3785665-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23785.html
Arne Schwabe [Mon, 14 Feb 2022 02:10:53 +0000 (03:10 +0100)]
Fix 'defined but not used' warnings with enable-small/disable-management
Some functions are only used when management is used or enable-small is
not used. Fix the ifdefs to correctly also include these helper
functions the ifdefs to avoid compile errors when using -Werror
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220214021054.3750071-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23779.html
projects / thirdparty / openvpn.git / log
