Arne Schwabe [Tue, 21 Jul 2020 16:38:11 +0000 (18:38 +0200)]
Indicate that a client is in pull mode in IV_PROTO
This allows us to skip waiting for the first PUSH_REQUEST message from
the client to send the response.
This changes the interpretation of IV_PROTO from a scalar to a bitfield
Since we only have IV_PROTO=2 defined so far and will support DATA_V2
this should not make any problem. This avoids adding another IV_xxx variable
that takes valuable space in the protocol frame.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Patch V2: Use bitmask for IV_PROTO_DATA_V2 and add more documentation.
Patch V3: Rewrite IV_PROTO paragraph in man page, incorporate spelling fixes
by Richard Bonhomme <tincanteksup@gmail.com>
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200721163811.22745-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20525.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
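The commit above turns IV_PROTO from a scalar into a bitfield. The following is an added example, not OpenVPN's own code, of how a server side can read the peer-info value that way so that an older client sending the scalar `IV_PROTO=2` is still understood as "supports DATA_V2". The bit name `IV_PROTO_PULL_MODE` and the peer-info samples are this example's own assumptions; the page names only `IV_PROTO_DATA_V2` and the value 2.

```c
/* Added example (not OpenVPN's own code): interpreting IV_PROTO as a
 * bitfield.  The pull-mode bit name below is an assumption of this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* IV_PROTO=2 was the only defined value before the change, so keeping
 * DATA_V2 as bit 1 lets the old scalar value read correctly as a bitfield. */
#define IV_PROTO_DATA_V2    (1 << 1)
/* Assumed name for the "client is in pull mode" flag from the commit message. */
#define IV_PROTO_PULL_MODE  (1 << 2)

/* Extract the numeric IV_PROTO value from a newline-separated peer-info
 * block.  Returns 0 when the key is absent or the value is not a clean
 * decimal number, so a malformed line can never switch on a feature. */
unsigned int iv_proto_from_peer_info(const char *peer_info)
{
    const char *key = "IV_PROTO=";
    size_t keylen = strlen(key);
    const char *p = peer_info;

    while (p && *p)
    {
        if (strncmp(p, key, keylen) == 0)
        {
            char *end = NULL;
            unsigned long v = strtoul(p + keylen, &end, 10);
            /* Accept only a value terminated by end-of-line or end-of-string. */
            if (end != p + keylen && (*end == '\0' || *end == '\n'))
            {
                return (unsigned int)v;
            }
            return 0;
        }
        p = strchr(p, '\n');
        if (p)
        {
            p++;
        }
    }
    return 0;
}

int iv_proto_supports_data_v2(const char *peer_info)
{
    return (iv_proto_from_peer_info(peer_info) & IV_PROTO_DATA_V2) != 0;
}

int iv_proto_client_in_pull_mode(const char *peer_info)
{
    return (iv_proto_from_peer_info(peer_info) & IV_PROTO_PULL_MODE) != 0;
}

int main(void)
{
    /* Constructed peer-info blocks: an older client sending the scalar 2,
     * and a client that also sets the assumed pull-mode bit (2 | 4 = 6). */
    const char *old_client = "IV_VER=2.4.9\nIV_PROTO=2\nIV_NCP=2\n";
    const char *new_client = "IV_VER=2.5_git\nIV_PROTO=6\nIV_NCP=2\n";
    printf("old: data_v2=%d pull=%d\n", iv_proto_supports_data_v2(old_client),
           iv_proto_client_in_pull_mode(old_client));
    printf("new: data_v2=%d pull=%d\n", iv_proto_supports_data_v2(new_client),
           iv_proto_client_in_pull_mode(new_client));
    return 0;
}
```

Because the old scalar value 2 coincides with the DATA_V2 bit, no compatibility shim is needed: the same parser serves both generations of clients, which is the point the commit message makes about not spending another IV_xxx variable on it.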
Arne Schwabe [Fri, 17 Jul 2020 13:47:37 +0000 (15:47 +0200)]
Avoid sending --cipher to clients not supporting NCP
The NCP rework introduced a regression of sending a --cipher
command as part of the push message when the client does not
support NCP. This is more a cosmetic issue since the client
will log that as warning in the log and ignore it.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200717134739.21168-7-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20437.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Right now t_net.sh depends on t_client.rc in order to source the
RUN_SUDO variable only.
However, t_client.rc is something that a few people only have configured
and thus this would result in t_net.sh almost never executed even if it
just could.
Drop dependency on t_client.rc by falling back to RUN_SUDO=sudo when the
file is missing and no RUN_SUDO is passed via env.
While at it, reword the error message to better match the current logic
flow.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200721195518.14358-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20533.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 21 Jul 2020 15:49:22 +0000 (17:49 +0200)]
Implement tls-groups option to specify elliptic curves/groups
By default OpenSSL 1.1+ only allows signatures and ecdh/ecdhx from the
default list of X25519:secp256r1:X448:secp521r1:secp384r1. In
TLS1.3 key exchange is independent from the signature/key of the
certificates, so allowing all groups per default is not a sensible
choice anymore and instead a shorter list is reasonable.
However, when using certificates with exotic curves that are not on
the group list, the signatures of these certificates will no longer
be accepted.
The tls-groups option allows modifying the group list to account
for these corner cases.
Patch V2: Uses local gc_arena instead of malloc/free, reword commit
message. Fix other typos/clarify messages
Patch V3: Style fixes, adjust code to changes from mbedTLS session
fix
Patch V5: Fix compilation with OpenSSL 1.0.2
Patch V6: Redo the 'while((token = strsep(&tmp_groups, ":"))' change
which accidentally got lost.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200721154922.17144-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20521.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 21 Jul 2020 10:01:28 +0000 (12:01 +0200)]
Remove key-method 1
Key-method 1 is only needed to talk to pre OpenVPN 2.0 clients.
Patch V2: Fix style. Make V1 op codes illegal, remove all code handling
v1 op codes and give a good warning message if we encounter
them in the legal op codes pre-check.
Patch V3: Add a bit more comments in the existing methods.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20200721100128.9850-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20516.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Mon, 20 Jul 2020 11:30:10 +0000 (13:30 +0200)]
Remove --client-cert-not-required
This removes support for the --client-cert-not-required option. To
avoid starting a server with this option just ignored, which would make
it impossible for existing clients to connect, it will exit with
instructions to replace this option with --verify-client-cert none.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200720113010.10450-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20502.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 20 Jul 2020 12:17:04 +0000 (14:17 +0200)]
Require AEAD support in the crypto library
All supported crypto libraries have AEAD support and with our
ncp/de facto default cipher AES-256-GCM we do not want to support
the obscure corner case of a library with disabled AEAD.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Patch V2: Remove three instances of (harmless) #ifdef Steffan spotted
that can be removed now too.
Acked-by: Steffan Karger <steffan.karger@foxcrypto.com>
Message-Id: <20200720121704.20333-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20506.html
Arne Schwabe [Fri, 17 Jul 2020 13:47:32 +0000 (15:47 +0200)]
Drop support for OpenSSL 1.0.1
OpenSSL 1.0.1 was supported until 2016-12-31. Rhel6/Centos6 still
use this version but considering that RHEL7 and RHEL8 are already
out, these versions can also stay with OpenVPN 2.4.
All the supported Debian based distributions also come with at
least 1.0.2.
We (accidentally) unconditionally compiled some key exporter code on
OpenSSL 1.0.2+ without problems. So always compile the whole
key exporter feature for OpenSSL.
This also allows the tls groups commit to be applied without
adding ifdefs to disable that functionality on OpenSSL 1.0.1
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Steffan Karger <steffan.karger@foxcrypto.com>
Message-Id: <20200717134739.21168-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20441.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Mon, 20 Jul 2020 10:38:22 +0000 (12:38 +0200)]
travis: Fix make distcheck failure
Since commit f500c49c8e0, the man page and html documentation need to be
generated when building out of the git repository, as both openvpn.8 and
openvpn.8.html will be shipped pregenerated inside the tarball generated
by 'make dist'.
Travis was lacking the python-docutils package, which made the
'make distcheck' build test fail.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20200720103822.26088-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20497.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sun, 19 Jul 2020 17:34:36 +0000 (19:34 +0200)]
client-connect: Implement deferred connect support for plugin API v2
The V2 API is simpler than the V1 API since there is no passing of
data via files. This also means that with the current API the V2 API
cannot support async notify via files. Adding a file just for async
notify seems very hacky and when needed we should implement a better
option when async is needed for the plugin V2 API.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200719173436.16431-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20480.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
client-connect: Add deferred support to the client-connect v1 plugin handler
Uses the infrastructure provided and used in the previous patch to provide
deferral support to the v1 client-connect plugin handler as well.
Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de>
PATCH V3: Modify the API to also (optionally) call the plugin on a deferred
call (CLIENT_CONNECT_DEFER).
This allows the plugin authors to be more flexible and make the V1 API more
similar to the CLIENT_CONNECT_V2 API.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200719173436.16431-4-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20483.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
client-connect: Add deferred support to the client-connect script handler
This patch introduces the concept of a return value file for the
client-connect handlers (this is very similar to the auth value file
used during deferred authentication). The file name is stored in the
client_connect_state struct.
In addition, the patch also moves the storage of the client config file
name into struct client_connect_state.
Both changes are used by the client-connect script handler to support
deferred client-connection handling. The deferred return value file
(deferred_ret_file) is passed to the script via the environment.
If the script succeeds and writes the value for deferral (2) into the
deferred_ret_file, the handler knows to indicate deferral. Later on,
the deferred handler checks whether the value of the deferred_ret_file
has been updated to success or failure.
Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de> Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200719173436.16431-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20200719173436.16431-2-arne@rfc2549.org Signed-off-by: Gert Doering <gert@greenie.muc.de>
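The commit above describes a return value file that the client-connect script writes and the deferred handler re-reads. The following is an added example, not OpenVPN's own code, of the handler-side check: the page gives only "2" as the deferral value, so treating "1" as success and "0" as failure is this example's assumption, and any other content is mapped to failure so that a truncated or garbage file can never admit a client. The `CC_RET_*` names are taken from the later commit messages on this page; the file layout and temp path are constructed here.

```c
/* Added example (not OpenVPN's own code): reading the deferred_ret_file.
 * "2" = defer (from the page); "1" = success and "0" = failure are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

enum client_connect_return
{
    CC_RET_FAILED,
    CC_RET_SUCCEEDED,
    CC_RET_DEFERRED,
    CC_RET_SKIPPED
};

/* Map the first character of the return value file to a handler result. */
enum client_connect_return interpret_deferred_ret(int c)
{
    switch (c)
    {
        case '0': return CC_RET_FAILED;
        case '1': return CC_RET_SUCCEEDED;
        case '2': return CC_RET_DEFERRED;
        case EOF: return CC_RET_DEFERRED;   /* empty file: script has not decided yet */
        default:  return CC_RET_FAILED;     /* fail closed on anything unexpected */
    }
}

/* Read the file whose path the script was handed via the environment.
 * The server created the file, so its absence is an error, not "still
 * deferred": returning failure avoids waiting on a file nobody will write. */
enum client_connect_return test_deferred_ret_file(const char *path)
{
    FILE *fp = fopen(path, "r");
    if (!fp)
    {
        return CC_RET_FAILED;
    }
    int c = fgetc(fp);
    fclose(fp);
    return interpret_deferred_ret(c);
}

/* Stand-in for the script side: overwrite the file with one verdict character. */
int write_deferred_ret(const char *path, char verdict)
{
    FILE *fp = fopen(path, "w");
    if (!fp)
    {
        return -1;
    }
    fputc(verdict, fp);
    return fclose(fp) == 0 ? 0 : -1;
}

/* Simulate the exchange on a constructed temp file: server creates it empty,
 * the script first writes "2" (defer), and later writes "1" (success).
 * Returns 1 when every intermediate reading is what the handler expects. */
int demo_round_trip(void)
{
    char path[] = "/tmp/openvpn-cc-ret-XXXXXX";   /* constructed temp name */
    int fd = mkstemp(path);
    if (fd < 0)
    {
        return 0;
    }
    close(fd);
    int ok = test_deferred_ret_file(path) == CC_RET_DEFERRED     /* empty: undecided */
             && write_deferred_ret(path, '2') == 0
             && test_deferred_ret_file(path) == CC_RET_DEFERRED  /* explicit defer */
             && write_deferred_ret(path, '1') == 0
             && test_deferred_ret_file(path) == CC_RET_SUCCEEDED;
    unlink(path);
    return ok;
}

int main(void)
{
    printf("round trip ok: %d\n", demo_round_trip());
    return 0;
}
```

The important design point is the `default` branch: a script that crashes half-way through writing, or a stray byte in the file, must read as failure rather than as "still waiting" or, worse, as success.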
Arne Schwabe [Sun, 19 Jul 2020 17:34:32 +0000 (19:34 +0200)]
Remove CAS_PARTIAL state
This state is used to handle a corner case when multiple connect
handlers are active and one of them fails. Unfortunately, this state
complicates the state machine a bit without a good benefit.
Current behaviour:
First/all connect handler(s) fail:
- client disconnect handler is not called at all
At least one connect handler succeeds but a subsequent handler fails:
- client disconnect is called when we actually
disconnect the client (a few seconds later, max tls timeout)
All connect handlers succeed:
- client disconnect is called when we actually
disconnect the client
This patch changes the behaviour in the second case to immediately
call disconnect_handler.
This simplifies the logic that already caused a bug and the
behaviour change is very little and affects only a pretty
exotic corner case.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200719173436.16431-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20482.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Sun, 19 Jul 2020 11:48:53 +0000 (13:48 +0200)]
doc/man: Do not install man *.rst files
When the man page got split up into several .rst files, these files got
listed into dist_doc_DATA=. This variable will both distribute (package
in the source tarball) and install these files into /usr/share/doc.
This was not intended, and it duplicates the content and makes the doc
dir quite messy.
By moving these files to dist_noinst_DATA= instead, these files are
still distributed but not installed via 'make install'.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200719114853.24168-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20476.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
options: don't leak inline'd key material in logfile
With the conversion of the introduction of a bool variable to signal
when a certain string is a filename or the actual (inline'd) key
material, the SHOW_STR() macro is now leaking the inline'd material to
the log file.
This happens because SHOW_STR will just print the content of the passed
argument without any check. With the new logic this should not happen
anymore.
A new macro SHOW_STR_INLINE() is therefore introduced which will check
the appropriate bool member before deciding to print the actual string
content or not.
Trac: #1304
Reported-by: Richard Bonhomme <tincanteksup@gmail.com>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200717212820.8998-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20472.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
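The fix above guards a log macro with the "is this string inline key material" flag. The following is an added example, not OpenVPN's own code, showing the shape of the bug and of the fix side by side: a minimal stand-in for the options struct, an unconditional `SHOW_STR` that copies whatever the string holds into the log line, and a `SHOW_STR_INLINE` that consults the companion bool first. The struct layout, macro bodies and the constructed key blob are this example's own assumptions.

```c
/* Added example (not OpenVPN's own code): leaky vs guarded option dump.
 * The struct and both macro bodies are constructed for illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the relevant part of the options struct: each key-material
 * option carries a string plus a bool saying whether the string is a file
 * name or the material itself. */
struct options
{
    const char *ca_file;
    bool ca_file_inline;
    const char *key_file;
    bool key_file_inline;
};

/* Unconditional form: renders whatever the string holds. */
#define SHOW_STR(o, var, buf, len) \
    snprintf(buf, len, "%s = '%s'", #var, (o)->var ? (o)->var : "[UNDEF]")

/* Guarded form: substitutes a marker when the string is inline material. */
#define SHOW_STR_INLINE(o, var, buf, len) \
    snprintf(buf, len, "%s = '%s'", #var, \
             (o)->var##_inline ? "[INLINE]" : ((o)->var ? (o)->var : "[UNDEF]"))

/* Render the key_file line with the leaky macro. */
const char *show_key_file_leaky(const struct options *o, char *buf, size_t len)
{
    SHOW_STR(o, key_file, buf, len);
    return buf;
}

/* Render the key_file line with the guarded macro. */
const char *show_key_file_safe(const struct options *o, char *buf, size_t len)
{
    SHOW_STR_INLINE(o, key_file, buf, len);
    return buf;
}

/* True if a rendered log line contains the given fragment of the secret. */
bool line_leaks_secret(const char *line, const char *secret)
{
    return strstr(line, secret) != NULL;
}

/* Constructed placeholder, not a real key. */
static const char CONSTRUCTED_KEY[] =
    "-----BEGIN PRIVATE KEY-----\nMIIE...constructed...\n-----END PRIVATE KEY-----";

/* 1 if the unguarded macro puts the inline key into the log line. */
int demo_leaky_exposes_inline_key(void)
{
    struct options o = { "ca.crt", false, CONSTRUCTED_KEY, true };
    char line[512];
    return line_leaks_secret(show_key_file_leaky(&o, line, sizeof line),
                             "BEGIN PRIVATE KEY");
}

/* 1 if the guarded macro hides the key and prints the [INLINE] marker instead. */
int demo_safe_hides_inline_key(void)
{
    struct options o = { "ca.crt", false, CONSTRUCTED_KEY, true };
    char line[512];
    const char *out = show_key_file_safe(&o, line, sizeof line);
    return !line_leaks_secret(out, "BEGIN PRIVATE KEY") && strstr(out, "[INLINE]") != NULL;
}

/* 1 if the guarded macro still shows a plain file name when nothing is inline. */
int demo_safe_shows_filename(void)
{
    struct options o = { "ca.crt", false, "client.key", false };
    char line[512];
    return strstr(show_key_file_safe(&o, line, sizeof line), "client.key") != NULL;
}

int main(void)
{
    printf("leaky exposes key: %d\n", demo_leaky_exposes_inline_key());
    printf("guarded hides key: %d\n", demo_safe_hides_inline_key());
    printf("guarded shows file name: %d\n", demo_safe_shows_filename());
    return 0;
}
```

The general lesson is that once a field can hold either a reference (a path) or a secret (the material), every place that prints it must check the discriminator; a grep of the log output for `BEGIN` is a cheap regression test for this class of leak.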
Arne Schwabe [Thu, 16 Jul 2020 13:43:10 +0000 (15:43 +0200)]
client-connect: Add CC_RET_DEFERRED and cope with deferred client-connect
This patch moves the state, that was previously tracked within the
multi_connection_established() function, into struct client_connect_state.
The multi_connection_established() function can now be exited and
re-entered as many times as necessary - without losing the client-connect
handling state.
The patch also adds the new return value CC_RET_DEFERRED which indicates
that the handler couldn't complete immediately, and needs to be called
later. At that point multi_connection_established() will exit without
indicating completion.
Each client-connect handler now has an additional argument: "deferred",
to signal "additional call(s) while in deferred state". The first call
to a handler always sets "deferred = false". If that call returns
CC_RET_DEFERRED, the next call to the handler will be "deferred = true".
For some handlers (mda, ccd) this can never happen, so we ASSERT()
on !deferred. If that ever triggers, something is wrong in our data
structures and we should better abort.
Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de>
Patch V3: Use a static struct in multi_instance instead of using
malloc/free and use two states (deferred with and without
result) instead of one to eliminate the counter that was
only tested for > 0.
Patch V5: Use new states in context_auth instead of the extra state
that the patch series previously used.
Patch V6: Restructure code to make it a bit more readable, rebase on
master.
Patch V7: move deferred bool into client connect handler calls, switch
to switch case
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200716134315.17742-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20395.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Fri, 17 Jul 2020 11:01:36 +0000 (13:01 +0200)]
doc/man: Add missing renegotiation.rst to Makefile.am
This file did not get added to Makefile.am by a mistake during the
man-page overhaul, and the issue this causes is not easily spotted.
If a consumer of a tarball (created with 'make dist' from the git
tree) tries to run 'make clean' and 'make dist' plus have
python-docutils installed from such a tarball, it will explode and
complain about this missing file.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200717110136.11579-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20431.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Fri, 17 Jul 2020 10:54:53 +0000 (12:54 +0200)]
doc/man: Documentation for --bind-dev / VRFs on Linux
Signed-off-by: Maximilian Wilhelm <max@sdn.clinic> Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200717105453.10718-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20429.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Richard Bonhomme [Thu, 16 Jul 2020 22:53:37 +0000 (00:53 +0200)]
doc/man: Update --txqueuelen default setting (Now OS default)
Signed-off-by: Richard Bonhomme <tincanteksup@gmail.com> Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200716225338.611-8-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20415.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Thu, 16 Jul 2020 22:53:36 +0000 (00:53 +0200)]
doc/man: Adopt compression documentation
Commit c67e93b25208be2 updated the man page in regards to new
compression options and improving existing compression options. This
adopts those changes into the .rst format.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200716225338.611-7-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20414.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Thu, 16 Jul 2020 22:53:35 +0000 (00:53 +0200)]
doc/man: Mark compression options as deprecated
Due to the VORACLE attack vector, compression in general is deprecated.
Make this clear in the man page.
Also remove an incorrect statement claiming --compress lzo is compatible
with --comp-lzo. It is not, as --compress lzo uses a different
compression framing than --comp-lzo.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200716225338.611-6-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20417.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Thu, 16 Jul 2020 22:53:31 +0000 (00:53 +0200)]
doc/man: convert openvpn.8 to split-up .rst files
To avoid keeping around a full-size openvpn.rst file which is never
needed but will take space in the repo forever, patches 01...04
of the big documentation overhaul projects were squashed together,
keeping the individual commit logs and URL references below.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
* This is a combination of 4 commits.
* This is the 1st commit message:
doc/man: Add an .rst formatted version of the man page
This is the first step to move away from a manually edited g/nroff
encoded man page.
Some modifications were needed to ensure formatting was consistent and
rendered reasonably okay in GitHub and that the generated man page
(using rst2man) looks like a proper man page. Unsupported options
have also been moved into their own section. HTML rendering directly
using rst2html has also been used to validate the conversion.
The rst2man and rst2html utilities come from the python-docutils
project: https://docutils.sourceforge.io/
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200716225338.611-2-davids@openvpn.net>
URL: https://sourceforge.net/p/openvpn/mailman/message/37063370/ Signed-off-by: Gert Doering <gert@greenie.muc.de>
* This is the commit message #2:
doc/man: Replace old man page with generated man page
The doc/openvpn.8 and doc/openvpn.8.html files are now being removed
from the git tree, as it will be generated from the doc/openvpn.8.rst
file using python-docutils.
An additional dist-hook is added so these files are generated
automatically when source tarballs are generated for releases. This
means users compiling directly from the source tarball will not need
python-docutils installed.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200716225338.611-3-davids@openvpn.net>
URL: https://sourceforge.net/p/openvpn/mailman/message/37063373/ Signed-off-by: Gert Doering <gert@greenie.muc.de>
* This is the commit message #3:
doc/man: Split up and reorganize main man page
The openvpn.8.rst file is quite long and hard to edit, as it covers
several hundred options. Some options were even documented multiple
places. The example has also received some attention, cleaning up
old and outdated information.
In this commit the main man page is split up into multiple sections
and options are sorted into each of the corresponding section.
Inside each category, each option is for now sorted alphabetically.
The main openvpn.8.rst file is currently kept unchanged and will be
handled in the next commit.
Many language improvements contributed by Richard Bonhomme have also
been incorporated.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200716225338.611-4-davids@openvpn.net>
URL: https://sourceforge.net/p/openvpn/mailman/message/37063376/ Signed-off-by: Gert Doering <gert@greenie.muc.de>
* This is the commit message #4:
doc/man: Complete openvpn.8.rst splitting
This rebuilds the openvpn.8.rst content by using the text which was
split out in the previous commit by using RST ..include statements.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200716225338.611-5-davids@openvpn.net>
URL: https://sourceforge.net/p/openvpn/mailman/message/37063377/ Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Wed, 15 Jul 2020 09:01:05 +0000 (11:01 +0200)]
Add deferred authentication support to plugin-auth-pam
If OpenVPN signals deferred authentication support (by setting
the internal environment variables "auth_control_file" and
"deferred_auth_pam"), do not wait for PAM stack to finish. Instead,
the privileged PAM process returns RESPONSE_DEFER via the control
socket, which gets turned into OPENVPN_PLUGIN_FUNC_DEFERRED towards
openvpn.
The PAM process will then fork() and handle all the PAM auth in
the new process, signalling success/failure back by means of the
auth_control_file (forking twice, to simplify wait() handling).
With the extra fork(), multiple deferred authentications can run at
the same time - otherwise the first one would block the next auth
call (because the child would not be ready again to read from the
control socket).
Lightly tested on Linux.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
--
v2:
- only do deferred auth if "deferred_auth_pam" is set (env)
- put deferred auth logic into do_deferred_pam_auth()
- line-wrap lines where needed
- close "background end" of socketpair in deferred auth process
- remove leftover /* plugin_log() */ lines from initial testing
- tested over a few hundred "15s delayed" authentication cycles
v3:
- uncrustify new code
- do not abort background process if do_deferred_pam_auth() fails
(this can only happen if fork() fails, which is assumed to be
temporary, or if something is wrong with the socketpair which we
should notice on the next read()) --> change do_deferred_pam_auth()
to "void"
- add documentation to README.auth-pam and Changes.rst
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20200715090105.22296-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20361.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
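The commit above describes handing a PAM conversation to a background process that forks twice, so that the privileged process never blocks on wait() and several deferred authentications can overlap. The following is an added example, not the plugin's code, of that double-fork pattern in isolation: the parent returns as soon as the intermediate child has exited, the grandchild does the slow work and writes its verdict to the control file, and a poller shows how the other side picks it up. The authentication callback, the constructed password, the "1"/"0" file content and the temp path are this example's own assumptions.

```c
/* Added example (not plugin-auth-pam's code): the double-fork handoff for
 * deferred authentication.  Verdict format "1"/"0" is an assumption here. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

typedef int (*auth_fn_t)(const void *ctx);

/* Write the one-character verdict to the control file. */
static int write_control_file(const char *path, int success)
{
    FILE *fp = fopen(path, "w");
    if (!fp)
    {
        return -1;
    }
    fputc(success ? '1' : '0', fp);
    return fclose(fp) == 0 ? 0 : -1;
}

/* Start auth in a detached grandchild and return 0 once the handoff is done.
 * On fork() failure nothing is written and -1 is returned, leaving the
 * caller free to fall back to synchronous auth or fail the request. */
int do_deferred_auth(const char *control_file, auth_fn_t auth, const void *ctx)
{
    pid_t child = fork();
    if (child < 0)
    {
        return -1;
    }
    if (child == 0)
    {
        pid_t grandchild = fork();
        if (grandchild < 0)
        {
            _exit(1);   /* nobody will write the verdict; the auth timeout ends it */
        }
        if (grandchild == 0)
        {
            write_control_file(control_file, auth(ctx));
            _exit(0);
        }
        _exit(0);       /* intermediate child exits at once, orphaning the worker */
    }
    /* Reaping the intermediate child is immediate, so the privileged process
     * never blocks on the slow PAM conversation and leaves no zombie behind. */
    int status = 0;
    if (waitpid(child, &status, 0) < 0)
    {
        return -1;
    }
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Poll the control file until a verdict appears or the deadline passes.
 * Returns 1 on success, 0 on failure, -1 on timeout. */
int wait_for_verdict(const char *control_file, int timeout_ms)
{
    struct timespec step = { 0, 10 * 1000 * 1000 };   /* 10 ms */
    for (int elapsed = 0; elapsed <= timeout_ms; elapsed += 10)
    {
        FILE *fp = fopen(control_file, "r");
        if (fp)
        {
            int c = fgetc(fp);
            fclose(fp);
            if (c == '1') return 1;
            if (c == '0') return 0;
        }
        nanosleep(&step, NULL);
    }
    return -1;
}

/* Stand-in for the PAM conversation: accepts one constructed password. */
static int constructed_auth(const void *ctx)
{
    return strcmp((const char *)ctx, "correct-password") == 0;
}

/* Full round trip on a constructed temp file: returns the verdict (1/0) or -1. */
int demo_deferred(const char *password)
{
    char path[] = "/tmp/deferred-auth-XXXXXX";   /* constructed control file */
    int fd = mkstemp(path);
    if (fd < 0)
    {
        return -1;
    }
    close(fd);
    int verdict = -1;
    if (do_deferred_auth(path, constructed_auth, password) == 0)
    {
        verdict = wait_for_verdict(path, 2000);
    }
    unlink(path);
    return verdict;
}

int main(void)
{
    printf("good password -> %d\n", demo_deferred("correct-password"));
    printf("bad password  -> %d\n", demo_deferred("wrong-password"));
    return 0;
}
```

Two properties matter for the deployed version: the worker must write nothing but the verdict (any other write would be read as a verdict), and a missing verdict must be bounded by the caller's own authentication timeout rather than by anything the worker promises.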
Arne Schwabe [Sat, 11 Jul 2020 09:36:48 +0000 (11:36 +0200)]
client-connect: Change cas_context from int to enum
This deviates from Fabian's original patch that relied on the now
removed connection_established bool as pointer being NULL or non NULL as
implicit third state and making connection_established as a substate of
(cas_context == CAS_PENDING)
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Patch V5: extend cas_context with two new states instead adding an
extra mini state machine.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20200711093655.23686-7-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20292.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
client-connect: Refactor to use return values instead of modifying a passed-in flag
This patch changes the way the client-connect helper functions communicate
with the main function. Instead of updating cc_succeeded and cc_succeeded_count,
they now return either CC_RET_SUCCEEDED, CC_RET_FAILED or CC_RET_SKIPPED.
In addition, the client-connect helpers are now called in completely
identical ways. This is in preparation of handling the helpers as simple
call-backs.
Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de>
Patch V5: Minor style fixes
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20200711093655.23686-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20286.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
client-connect: Move multi_client_connect_setenv into early_setup
This patch moves multi_client_connect_setenv into
multi_client_connect_early_setup and makes sure that every client-connect
handling function updates the virtual address selection.
Background: This unifies how the client-connect handling functions work.
Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de> Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Patch V5: Rebase on master
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200711093655.23686-4-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20288.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Refactor multi_client_connect_source_ccd(), so that
options_server_import() (or the success path in general) is only
entered in one place within the function.
Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de>
Patch V5: Simplify the logic even further to make it more easy to
understand.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200711093655.23686-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20287.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
OpenVPN will (on windows) concatenate them all together into a single
"option 119" for the tapv9 DHCP server. Max length is 254 in total.
DNS label compression is not used - it's complicated, and Windows does
not need it. See RFC 3397 for more details.
This only works with the tun/tap driver, not with wintun.
On non-windows platforms, these settings are exported in the environment
towards --up scripts (or to the management interface), and need to be
picked up there.
Signed-off-by: Jan Just Keijser <jan.just.keijser@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <c404dd17-e0db-ce61-0d79-864a5736f2d0@nikhef.nl>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20349.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
client-connect: Split multi_connection_established into separate functions
This patch splits up the multi_connection_established() function. Each new
helper function does a specific job. Functions that do a similar job
receive a similar calling interface.
The patch tries not to reindent code, so that the real changes are as
clearly visible as possible. (A follow-up patch will only do indentation
changes.)
Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de>
PATCH v3: Since the code has changed enough from the time the original
patch to the current master, the splitting has been redone from the
current code. Also some style and minor code changes have been added
doing this patch. This and the big reformatting done before eliminates
the follow up patch with only indentation changes.
The original patch already replaced some instances of
option_permission_mask with CLIENT_CONNECT_OPT_MASK. The V3 version does
this more consistently.
Patch v4: Move config -> mi->cc_config into its own commit
Patch v5: Clean up some minor issues, add one missing check on
temporary file deletion, rebase on latest master.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200711093655.23686-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20289.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Mon, 13 Jul 2020 09:32:52 +0000 (11:32 +0200)]
Handle connecting clients without NCP or OCC without crashing.
ssl_ncp.c:ncp_get_best_cipher() would crash if a client connects without
NCP (or with a NCP cipher list that does not contain the first NCP cipher
in the server list) due to a NULL pointer strcmp().
Work around / fix by just assigning an empty string to remote_cipher here
("not NULL but will never match either").
Add new warning message in multi.c for the "we do not know what the
client can do" case (no NCP and non-helpful OCC), rewrapped the existing
message to keep line length limit.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20200713093252.30916-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20309.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sat, 11 Jul 2020 09:36:42 +0000 (11:36 +0200)]
Allow changing fallback cipher from ccd files/client-connect
This allows controlling the fallback cipher that is used when the
client/server do not have any common cipher on a per client basis.
The patch is similar to Steffan's
[PATCH v4] Allow changing cipher from a ccd file.
Steffan's old patch also moves the cipher negotiation to
multi_established_connection() which I independently discovered and
implemented in commit 5e78bf66fa9 (Extract process_incoming_push_reply
from process_incoming_push_msg)
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200711093655.23686-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20281.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 9 Jul 2020 10:16:01 +0000 (12:16 +0200)]
Cleanup: Remove special case code for old poor man's NCP.
Ever since the NCPv2 the ncp_get_best_cipher uses the global
options->ncp_enabled option and ignore the tls_session->ncp_enabled
option.
The server side's poor man's NCP is implemented as seeing the list
of supported ciphers from the peer as just one cipher so this special
handling for poor man's NCP of the older NCP here is not needed anymore.
Theoretically we can now get rid of tls_session->ncp_enabled but doing
so requires more refactoring since options is not available in the
methods that still use it. And when we remove ncp-disable the variable
will be removed anyway.
This commit moves the data channel key generation for the corner case of a
client not supporting NCP but having the same cipher as the server to
the same function that also generates data channel keys for NCP and
poor man's NCP.
This has an unintended side effect of changing the calculated frame
size for this special case. The old path did call
tls_session_update_crypto_params.
To avoid this change in behaviour, this patch adds a hacky
workaround for this.
A proper solution for this needs still be found but this allows the patch
set to be merged.
Document the remaining usage of tls_poor_mans_ncp better.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200709101603.11941-6-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20251.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 9 Jul 2020 10:16:00 +0000 (12:16 +0200)]
Generate data channel keys after connect options have been parsed
To simplify the control flow, it makes more sense to generate the
data keys when all the prerequisites for generating the data channel
keys (ncp cipher selection etc) are met instead of delaying it to the
next incoming PUSH_REQUEST message.
This also eliminates the need for the hack introduced by commit 3b06b57d9 to generate the data channel keys on the async file close
event.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200709101603.11941-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20253.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 9 Jul 2020 10:15:59 +0000 (12:15 +0200)]
Move protocol option negotiation from push_prepare to new function
This cleans up the code and removes the surprising side effects
of preparing a push reply to also select protocol options.
We also remember if we have seen a push request without async
push. This improves reaction time if deferred auth is involved
like management interface deferred auth. The other benefit is
removing a number of ifdefs.
NOTE: this patch breaks asynchronous authentication (via plugins
and possibly also via management interface). The next commit will
fix this. This is understood and hereby documented, but the two
individual commits are much cleaner without trying to fix it here
or squash both together.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200709101603.11941-4-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20255.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 9 Jul 2020 10:15:58 +0000 (12:15 +0200)]
Extract process_incoming_push_reply from process_incoming_push_msg
This is a small refactoring to make both functions more readable. It also
eliminates the ret variable in process_incoming_push_msg that now serves
no purpose anymore.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200709101603.11941-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20254.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 9 Jul 2020 10:15:57 +0000 (12:15 +0200)]
Make key_state->authenticated more state machine like
This orders the states from unauthenticated to authenticated and also
changes the comparison for KS_AUTH_FALSE from != to >.
It also adds comments and documents parts using the state machine
better.
Remove a now obsolete comment and two obsolete ifdefs. While
keeping the ifdef in ssl_verify would save a few bytes of code,
this is too minor to justify keeping the ifdef
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200709101603.11941-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20258.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
For some reason, openvpn --version has since the beginning of time
returned exit code 1. A quick sample among common unix utilities confirms
that the rest of the world agrees with me that 0 makes more sense. Let's
make openvpn --version exit with exit code 0 too.
Signed-off-by: Steffan Karger <steffan.karger@foxcrypto.com> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <E1jsoYQ-0007AZ-BF@sfs-ml-1.v29.lw.sourceforge.com>
URL: https://www.mail-archive.com/search?l=mid&q=E1jsoYQ-0007AZ-BF@sfs-ml-1.v29.lw.sourceforge.com Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Tue, 7 Jul 2020 08:42:20 +0000 (10:42 +0200)]
Remove --writepid file on program exit.
For whatever reason, we never removed the pid file on program exit.
Not only this is unclean, but it also makes testing for "I want this
test case to FAIL" in t_client.sh more annoying to code for "is the
OpenVPN process still around?"...
Do not unlink the file if chroot() is active (might be outside the
chroot arena - testing for realpath etc. is left for someone else).
v2: make this work on M_FATAL exit, by unlinking from openvpn_exit() in
error.h - this requires moving write_pid() to init.c so module hierarchy
is maintained and introducing a static variable to save the PID file
name (otherwise it is no longer available when the top level GC is gone).
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200707084220.45753-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20224.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 6 Jul 2020 16:35:16 +0000 (18:35 +0200)]
merge key_state->authenticated and key_state->auth_deferred
Both are tightly coupled; often both are checked at the same time.
Merging them into one state makes the code simpler and also brings
us closer in the direction of a state machine.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200706163516.11390-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20216.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Christopher Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200630095443.7188-1-cschenk@mail.uni-paderborn.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20171.html
Lev Stipakov [Fri, 3 Jul 2020 19:20:29 +0000 (22:20 +0300)]
tap.c: fix adapter renaming
Turns out that renaming adapter by setting registry key doesn't
really work - while new adapter name is shown in control panel
etc, when one tries to change adapter properties (like set DNS)
with netsh call - it fails:
```
Fri Mar 13 09:05:36 2020 us=569311 Setting IPv4 dns servers
on 'OpenVPN Wintun' (if_index = 14) using service
Fri Mar 13 09:05:37 2020 us=118028 TUN: adding IPv4 dns failed
using service: Funktio ei kelpaa. [status=1 if_name=OpenVPN Wintun]
```
This renames adapter with netsh command, like:
```
netsh interface set interface
name="Local Area Connection 2" newname="OpenVPN Wintun"
```
Above functionality is used by tapctl.exe and openvpnsica.dll
(during installation).
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Simon Rozman <simon@rozman.si>
Message-Id: <20200703192029.306-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20207.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Fri, 26 Jun 2020 08:27:43 +0000 (10:27 +0200)]
t_client.sh: correctly report all failed instances in summary
t_client.sh reports a summary at the end:
Test sets succeeded: none.
Test sets failed: 1 2 3 4 5.
for tests that are skipped due to the pre-test ping check ("vpn target
IP must not ping before VPN is started") the script forgot to add
the instance number to the summary line. Fixed.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200626082743.15397-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20130.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 3 Jul 2020 09:55:06 +0000 (11:55 +0200)]
Remove did_open_context, defined and connection_established_flag
multi_instance->defined is not used anywhere.
did_open_context is always set to true when a context is created in
multi_create_instance, so checking it for true is always true.
context_auth is also always set to CAS_PENDING in multi_create_instance.
connection_established_flag is only set to true if context_auth
is changed from CAS_PENDING to one another state, so we can also check
for cas_context != CAS_PENDING.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200703095506.28559-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20200.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 2 Jul 2020 12:52:24 +0000 (14:52 +0200)]
Remove push_reply_deferred variable
The variable has no useful function (anymore?).
There is only one place where this variable was checked
```
else if (!c->c2.push_reply_deferred && c->c2.context_auth ==
CAS_SUCCEEDED)
```
This condition also depends on context_auth == CAS_SUCCEEDED but the only
code path that sets context_auth = CAS_SUCCEEDED also sets
push_reply_deferred = false;
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20200702125224.13516-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20186.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Mon, 29 Jun 2020 17:51:09 +0000 (19:51 +0200)]
Fix 'engine' unit test on FreeBSD (specifically 'not GNU make')
The rules to generate $(builddir)/openssl.cnf from $(srcdir)/openssl.cnf.in
only worked for GNU Make. BSD make needs the rules more explicit, and
the target must not have a directory specification (fixes commit 542c69c37).
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Message-Id: <20200629175109.94276-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20159.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
multi.c: use mi->cc_config instead of config variable
Commit ("Remove parameter config from multi_client_connect_mda") has
removed the config variable in favour of mi->cc_config, however one
occurrence was not changed.
Fix it now by properly using mi->cc_config.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200701140517.11176-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20180.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Mon, 29 Jun 2020 18:04:05 +0000 (20:04 +0200)]
Linux: do not change --txqueuelen OS default if not configured.
Remove default setting of "set txqueuelen to 100". This default dates
back to the "pre git" times (before 2005) and might have been beneficial
back then - nowadays, the Linux default is 500, and thus reducing(!)
txqueuelen by-default can cause TX packet drops on the tun interface,
and that's bad for throughput.
This is a similar change to commit f0b64e5dc (remove setting of the
socket send/receive buffers by default) - similar vintage of the
existing code, similar motivation.
Note: buffer length can be checked with "ip link show" (qlen NNN)
See also:
https://ivanvari.com/solving-openvpn-poor-throughput-and-packet-loss/
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20200629180405.17671-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20160.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
This option allows the user to specify a network interface or VRF
device the OpenVPN process should use when making a connection or
binding to an address.
This is done by setting the SO_BINDTODEVICE option to the corresponding
socket (on Linux). SO_BINDTODEVICE forces all packets sent on that socket
to go out via the specified interface, and only packets coming in on
that interface are received by OpenVPN.
When used in a VRF context on Linux [0], you can also specify the name
of the VRF ("--bind-dev external_vrf"), which will put the OpenVPN
"network side" into this VRF. This allows making connections using a
non-default VRF and having the tun/tap interface in the default VRF.
Thanks to David Ahern (Cumulus Networks) for insights on this.
Signed-off-by: Maximilian Wilhelm <max@sdn.clinic> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1593427748-29801-2-git-send-email-max@rfc2324.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20156.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 26 Jun 2020 12:53:32 +0000 (14:53 +0200)]
Reformat files using uncrustify
Some of the commits, especially engine have not strictly used uncrustify
clean code. Rerun uncrustify to make them compliant again.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200626125332.15385-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20142.html
Arne Schwabe [Fri, 26 Jun 2020 11:05:54 +0000 (13:05 +0200)]
Make compression asymmetric by default and add warnings
This commit introduces the allow-compression option that allows
changing the new default to the previous default or to a stricter
version.
Warning for comp-lzo/compress are not generated in the post option check
(options_postprocess_mutate) since these warnings should also be shown
on pushed options. Moving the warning display for
allow-compression to options_postprocess_mutate will complicate the
option handling without giving any other benefit.
Patch V2: fix spelling and grammar (thanks tincantech), also fix
uncompressiable to incompressible in three other instances in the
source code
Patch V3: fix overlong lines. Do not allow compression to be pushed
Patch V4: rename COMP_F_NO_ASYM to COMP_F_ALLOW_COMPRESS, fix style.
The logic of warnings etc in options.c has not been changed
since adding all the code to mutate_options would need a lot more
and more complicated code, and after discussion we decided that
it is okay as is.
Patch V5: Reword warnings, rebase on master
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20200626110554.3690-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20138.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
James Bottomley [Tue, 23 Jun 2020 23:02:34 +0000 (16:02 -0700)]
engine-key tests: make check_engine_keys.sh work with --enable-small
--enable-small eliminates one of the openssl errors the test is
looking for, so alter the grep also to account for the message in this
version. Additionally output log.txt on failure so any test platform
gives an easy clue about what went wrong.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1592953354.2103.3.camel@HansenPartnership.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20102.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
James Bottomley [Mon, 22 Jun 2020 23:23:19 +0000 (16:23 -0700)]
Add unit tests for engine keys
Testing engines is problematic, so one of the prerequisites built for
the tests is a simple openssl engine that reads a non-standard PEM
guarded key. The test is simply can we run a client/server
configuration with the usual sample key replaced by an engine key.
The trivial engine prints out some operations and we check for these
in the log to make sure the engine was used to load the key and that
it correctly got the password.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200622232319.8143-2-James.Bottomley@HansenPartnership.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20075.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Sat, 20 Jun 2020 14:39:40 +0000 (16:39 +0200)]
Convert plugin/auth-pam.c from stderr logging to plugin_log().
More recent OpenVPN APIs pass a function pointer for a logging function
(plugin_log()) to plugins. Using this will make the plugin logs appear
wherever openvpn logs to - file, syslog, stderr.
This patch converts plugin/auth-pam.c "fairly mechanically" to use this
new API. Real errors are logged with PLOG_ERR or PLOG_ERR|PLOG_ERRNO,
while debug info is logged with PLOG_NOTE (subject to the already-existing
debug level handling inside plugin/auth-pam, via "setenv verb <n>").
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20200620143940.11704-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20037.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Sat, 20 Jun 2020 18:05:32 +0000 (20:05 +0200)]
Depreciation warning for --topology net30 on servers with IPv4 pools.
IPv4 pool handling needs lots of extra code to deal with "topology net30",
so we want to remove that combination in a future release.
Warn people about this in 2.5 so nobody is hit by this as a surprise.
Client- and ifconfig-support for net30 will stay, as "just net30" is not
what brings maintenance effort here (totally removing all options except
"topology subnet" would be beneficial but is a bit too radical today)
Trac: #1288
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20200620180532.15738-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20041.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Sat, 20 Jun 2020 17:23:03 +0000 (19:23 +0200)]
Change timestamps in file-based logging to ISO 8601 time format.
Replace existing ctime() output which is hard to sort and compare
with ISO 8601 / RFC 3399 "YYYY-MM-DD hh:mm:dd" format for file-based
logging (stderr or --log file).
RFC 3399 5.6 permits use of a space for full-date-full-time separation,
which is used to enhance readability.
Syslog or --machine-readable-output are not affected.
Trac: #719
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20200620172303.15010-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20040.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 19 May 2020 22:00:04 +0000 (00:00 +0200)]
Implement forwarding client CR_RESPONSE messages to management
When signalling the client that it should do challenge response
without reconnecting (IV_SSO=crtext/INFOPRE=CR_TEXT), the server
needs to forward the response via the management console.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20200519220004.25136-6-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19910.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 19 May 2020 22:00:03 +0000 (00:00 +0200)]
Implement sending AUTH_PENDING challenges to clients
This implements sending AUTH_PENDING and INFO_PRE messages to clients
that indicate that the clients should continue authentication with
a second factor. This can currently be out of band (openurl) or a normal
two-factor challenge/response like TOTP (CR_TEXT).
Unfortunately this patch spent so much time in review in openvpn2 that
the corresponding IV_SSO commit in openvpn3 (34a3f264) already made its
way to released products so changing this right now is difficult.
Arne Schwabe [Tue, 19 May 2020 22:00:02 +0000 (00:00 +0200)]
Implement sending response to challenge via CR_RESPONSE
When a client announces that it supports text-based
challenge/response via IV_SSO=crtext, the client needs to also
be able to reply to that response.
This adds the "cr-response" management function to be able to
do this. The answer should be base64 encoded.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20200519220004.25136-4-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19907.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 5 Jun 2020 11:25:18 +0000 (13:25 +0200)]
Make cipher_kt_get also accept OpenVPN config cipher name
Basically all calls to cipher_kt_get were calling
translate_cipher_name_from_openvpn. The only two exceptions were the
(broken) unit test and tls-crypt that uses cipher_kt_get("AES-256-CTR").
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20200605112519.22714-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19969.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 5 Jun 2020 11:25:17 +0000 (13:25 +0200)]
Make cipher_kt_name always return normalised cipher name
The mbed TLS variant of the call already returned the normalised
name while the OpenSSL variant did not. On top of that, all calls but
one to cipher_kt_name were translate_cipher_name_to_openvpn. This commit
moves the call of translate_cipher_name_to_openvpn into cipher_kt_name
or avoids calling it twice in the case of mbed TLS.
The one case that did not call translate_cipher_name_to_openvpn is an
internal ssl_openssl.c method that should call EVP_CIPHER_name anyway.
Also simplify cipher_name_cmp function that is only used by
openvpn --show-ciphers with the modified cipher_kt_name
function.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20200605112519.22714-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19970.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 4 Jun 2020 23:53:38 +0000 (01:53 +0200)]
Add .git-blame-ignore-revs with reformat commits
This allows git blame to ignore reformatting changes and instead
to show the previous commit that changed the line.
To avoid manually building the list of commits this commit
adds a file with a list of reformatting commits. I might have
missed a few but this should be a good start. To use the file
use:
multi: skip IPv4 logic in multi_select_virtual_addr() if no pool is configured
When no IPv4 pool is configured (but we have an IPv6 pool
only), the multi_select_virtual_addr() function will spit
a warning when allocating an address for a new client.
This happens because the code will check for some IPv4
bits and will see that they are missing.
However, these bits are not really important, because in
this use case we don't want to configure any IPv4 address
at all.
For this reason it is safe to wrap this entire logic in
an if-block that just does not execute when no IPv4 pool
is configured.
This avoids the warning and will also avoid any other
hidden side effect.
Reported-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200610084549.4028-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20012.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commit 6a8cd033 ("pool: add support for ifconfig-pool-persist with IPv6
only") has accidentally introduced an include for 'options.h', which
turned out not to be useful at all. Remove it.
Reported-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200610090100.29738-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20011.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Tue, 9 Jun 2020 08:02:29 +0000 (10:02 +0200)]
Simplify pool size handling, fix possible array overrun on pool reading.
Remove separate ipv4.size and ipv6.size in the pool structure, return
to a single pool_size, which is also the allocated array size.
All calls to ifconfig_pool_size() change to "pool->size" now.
pool->size is set to the size of the active pool, or if both IPv4 and IPv6
are in use, to the smaller size (same underlying logic as in 452113155e7,
but really put it into the size field).
This fixes a SIGSEGV crash if an ifconfig-pool-persist file is loaded
that has IPv6 and no IPv4 (= ipv6 handle is used) and that has more
entries than the IPv4 pool size (comparison was done with ipv6.size,
not with actual pool size), introduced by commit 6a8cd033b18.
While at it, fix pool size calculation for IPv6 pools >= /112
(too many -1), introduced by commit 452113155e7.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20200609080229.2564-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20006.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
route: warn on IPv4 routes installation when no IPv4 is configured
Same as already happens for IPv6, it is useful for the user to throw a
warning when an IPv4 route is about to be installed and the tun interface
has no IPv4 configured.
The twin message for IPv4 is adapted to have the same format.
The warning is not fatal, because the route might actually be external
to the tun interface and therefore it may still work.
At the same time, modify the error message used for a route
installation failure to explicitly mention "IPv4" since it is
used in the IPv4 code path only.
Trac: #208 Signed-off-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200530000600.1680-6-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19946.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
James Bottomley [Thu, 28 May 2020 22:59:19 +0000 (15:59 -0700)]
crypto_openssl: add initialization to pick up local configuration
The test programme for the new openssl engine code requires overriding
the system default configuration file to point to the location of the
test engine. Add an initialization stanza that makes this behaviour
universal, so now anyone running openvpn configured with openssl can
specify their own configuration file with the OPENSSL_CONF environment
variable.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20200528225920.6983-3-James.Bottomley@HansenPartnership.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19936.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
James Bottomley [Thu, 28 May 2020 22:59:18 +0000 (15:59 -0700)]
openssl: add engine method for loading the key
As well as doing crypto acceleration, engines can also be used to load
key files. If the engine is set, and the private key loading fails
for bio methods, this patch makes openvpn try to get the engine to
load the key. If that succeeds, we end up using an engine based key.
This can be used with the openssl tpm engines to make openvpn use a
TPM wrapped key file.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20200528225920.6983-2-James.Bottomley@HansenPartnership.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19937.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
allow usage of --server-ipv6 even when no --server is specified
Until now OpenVPN has not allowed to specify --server-ipv6
if no --server was also set. This constraint comes from the
fact that most of the IPv6 logic (i.e. ifconfig-pool handling)
relied on IPv4 components to be activated and configured as
well.
Now that the IPv6 code path has been made independent from
IPv4, it is finally possible to relax the constraint
mentioned above and make it possible for the user to have a
configuration with --server-ipv6 only.
Trac: #208 Signed-off-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200530000600.1680-4-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19949.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Jeremy Evans [Wed, 20 May 2020 18:34:04 +0000 (11:34 -0700)]
Switch assertion failure to returning false
This assertion failure can be hit in production, which causes the
openvpn server process to stop and all clients to be disconnected.
Bug #1270 has been filed for this issue on Trac by another user
who has experienced the issue, and this patch attempts to address it.
Tracing callers, it appears that some callers check ks->authenticated
before calling, but others do not. It may be possible to add the check
for the callers that do not check, but this seems to be a simpler
solution.
To give some background, we hit this assertion failure, with the
following log output:
```
Tue May 19 15:57:05 2020 username/73.135.141.11:1194 PUSH: Received
control message: 'PUSH_REQUEST'
Tue May 19 15:57:05 2020 username/73.135.141.11:1194 SENT CONTROL
[username]: 'PUSH_REPLY,redirect-gateway
def1,comp-lzo,persist-key,persist-tun,route-gateway 10.28.47.1,topology
subnet,ping 10,ping-restart 120,ifconfig 10.28.47.38 255.255.255.0,peer-id
89' (status=1)
Tue May 19 15:57:05 2020 username/73.135.141.11:1194 Assertion failed at
/path/to/openvpn-2.4.7/src/openvpn/ssl.c:1944 (ks->authenticated)
Tue May 19 15:57:05 2020 username/73.135.141.11:1194 Exiting due to fatal
error
Tue May 19 15:57:05 2020 username/73.135.141.11:1194 Closing TUN/TAP
interface
```
using the following OpenVPN server configuration:
```
port 1194
proto udp
dev-type tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
topology subnet
push "redirect-gateway def1"
push "comp-lzo"
push "persist-key"
push "persist-tun"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
cd /home/openvpn/server
chroot /var/empty
daemon
verb 3
crl-verify crl.pem
tls-auth ta.key 0
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher ECDHE-RSA-AES256-GCM-SHA384
ncp-disable
mute-replay-warnings
script-security 3
auth-user-pass-verify "ldap-auth/ldap-auth" via-env
auth-user-pass-optional
```
The failed assertion is inside the function
`tls_session_generate_data_channel_keys`, which is called 3 other places
in `ssl.c`:
* `key_method_2_write`: checks for `ks->authenticated` before calling
* `key_method_2_read`: appears to run in client mode but not in server
mode
* `tls_session_update_crypto_params`: runs in server mode and does not
check before calling
That leads me to believe the problem caller is
`tls_session_update_crypto_params`. There are three callers of
`tls_session_update_crypto_params`:
* `incoming_push_message` (`push.c`): Probably this caller, since the
server pushes configuration to clients, and the log shows the
assertion failure right after the push reply.
* `multi_process_file_closed` (`multi.c`): Not this caller. NCP is
disabled in config, and async push was not enabled when compiling.
* `do_deferred_options` (`init.c`): Not this caller. The server
configuration doesn't pull.
Changing the assertion to returning false appears to be the simplest
fix. Another approach would be changing callers to check
`ks->authenticated` before calling, either
`tls_session_update_crypto_params` or `incoming_push_message`.
Signed-off-by: Jeremy Evans <code@jeremyevans.net> Acked-by: Steffan Karger <steffan.karger@foxcrypto.com>
Message-Id: <20200520183404.54822-1-code@jeremyevans.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19914.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 18 May 2020 15:54:27 +0000 (17:54 +0200)]
Refuse server mode on Android
After the commit 042429d3 "build: Remove --disable-server from ./configure"
Android needs another way to ensure that OpenVPN is not run in server mode.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20200518155427.17283-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19904.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 7 May 2020 13:25:34 +0000 (15:25 +0200)]
Do not write extra 0 byte for --gen-key with auth-token/tls-crypt-v2
Change crypto_pem_encode to not put a nul-terminated
string into the buffer. This was useful for printf but should
not be written into the file.
Instead do not assume that the buffer is null terminated and
print only the number of bytes in the buffer. Also fix a
similar case in printing static key where the 0 byte was
never added to the buffer.
Patch V2: make pem_encode behave more like other similar functions in
OpenVPN and do not null terminate.
Patch V3: also make the mbed TLS variant of pem_decode behave like other
similar functions in OpenVPN and accept a not null-terminated
buffer.
Patch V4: The newly introduced unit test
test_tls_crypt_v2_write_client_key_file_metadata
was added after the V3 version of the patch and now misses the
strlen with memcmp replacement that was added to
test_tls_crypt_v2_write_client_key_file. Also add the
modifications to this function.
Unconditionally allocate buffer in mbed TLS path as
requested by Steffan.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Steffan Karger <steffan.karger@foxcrypto.com>
Message-Id: <20200507132534.6380-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19852.html Signed-off-by: Gert Doering <gert@greenie.muc.de>