]> git.ipfire.org Git - thirdparty/openvpn.git/log
thirdparty/openvpn.git
19 months agoDocument that auth-user-pass may be inlined
Selva Nair [Tue, 20 Feb 2024 17:52:15 +0000 (12:52 -0500)] 
Document that auth-user-pass may be inlined

Commits 7d48d31b39619b7f added support for inlining username
and, optionally, password.
Add a description of its usage in the man page.

Github: resolves OpenVPN/openvpn#370

Change-Id: I7a1765661f7676eeba8016024080fd1026220ced
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20240220175215.2731491-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28284.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit fad2d7017eee366317bb18b34416e7788cbe2372)

19 months agopreparing release 2.6.9 v2.6.9
Gert Doering [Sun, 11 Feb 2024 10:00:18 +0000 (11:00 +0100)] 
preparing release 2.6.9

version.m4, ChangeLog, Changes.rst

19 months agodco-freebsd: dynamically re-allocate buffer if it's too small
Kristof Provost [Wed, 24 Jan 2024 15:27:39 +0000 (16:27 +0100)] 
dco-freebsd: dynamically re-allocate buffer if it's too small

It's possible for the buffer we provide for OVPN_GET_PEER_STATS to be
too small. Handle the error, re-allocate a larger buffer and try again
rather than failing.

Signed-off-by: Kristof Provost <kprovost@netgate.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240124152739.28248-1-kprovost@netgate.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28128.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 62676935d738f74908845ca96819a36a8c0c230e)

19 months agodocumentation: Fixes for previous fixes to --push-peer-info
Frank Lichtenheld [Tue, 6 Feb 2024 17:47:45 +0000 (18:47 +0100)] 
documentation: Fixes for previous fixes to --push-peer-info

- Clarify compression IV_ settings
- Clarify which settings might come from --setenv

Change-Id: Id8615515c8df6e38e931e357396811234faad796
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20240206174745.74828-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28184.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c1e1d132f6368a6f4b77fe956a9329a60331b63e)

19 months agodocumentation: Update and fix documentation for --push-peer-info
Frank Lichtenheld [Tue, 6 Feb 2024 14:10:57 +0000 (15:10 +0100)] 
documentation: Update and fix documentation for --push-peer-info

- description of IV_PROTO was outdated, missing a lot
  of flags
- complete list of compression flags, but separate them out
- various other style/grammar/typo fixes

Change-Id: I7f854a5a14d2a2a391ebb78a2a92b3e14cfd8be6
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20240206141057.46249-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28178.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b66d545ce25689588c4dbd1fb525204c78871ed0)

20 months agoREADME.cmake.md: Document minimum required CMake version for --preset
Frank Lichtenheld [Thu, 1 Feb 2024 12:30:39 +0000 (13:30 +0100)] 
README.cmake.md: Document minimum required CMake version for --preset

CMakePreset.json is supported since 3.19, but we have a version
3 preset file, so need at least 3.21.

Github: OpenVPN/openvpn#489
Change-Id: I44c555f6ffa08f2aee739c7f687fa3b678c86231
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240201123039.174176-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28160.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 53b16d07e889b69128203d3b50ed47ceb77c5771)

20 months ago--http-proxy-user-pass: allow to specify in either order with --http-proxy
Frank Lichtenheld [Mon, 22 Jan 2024 09:21:22 +0000 (10:21 +0100)] 
--http-proxy-user-pass: allow to specify in either order with --http-proxy

Previously, when using a third argument to --http-proxy other
than auto/auto-nct, order did matter between --http-proxy and
--http-proxy-user-pass. Always prefer --http-proxy-user-pass
when given.

Change-Id: I6f402db2fb73f1206fbc1139c47d2bf4378376fa
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240122092122.8591-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28099.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a634cc5eccd55f1d14197da7376bb819bdf72cb6)

20 months agobuf_string_match_head_str: Fix Coverity issue 'Unsigned compared against 0'
Frank Lichtenheld [Fri, 19 Jan 2024 12:03:41 +0000 (13:03 +0100)] 
buf_string_match_head_str: Fix Coverity issue 'Unsigned compared against 0'

As Coverity says:
An unsigned value can never be negative, so this test will always
evaluate the same way.

Was changed from int to size_t in commit
7fc608da4ec388c9209bd009cd5053ac0ff7df38 which triggered warning,
but the check did not make sense before, either.

Change-Id: I64f094eeb0ca8c3953a94d742adf468faf27dab3
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240119120341.22933-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28093.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit bc29bd6a3376158b73d069758122739fbf93c022)

20 months agoproxy-options.rst: Add proper documentation for --http-proxy-user-pass
Frank Lichtenheld [Thu, 18 Jan 2024 16:49:03 +0000 (17:49 +0100)] 
proxy-options.rst: Add proper documentation for --http-proxy-user-pass

And extend examples section for authenticated HTTP proxies because
is was misleading.

Change-Id: I7a754d0b4a76a9227bf922f65176cd9ec4d7670c
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240118164903.22519-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28083.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit d3f84afedd33734416704d5d92e8d3ac639ef491)

20 months agoRemove conditional text for Apache2 linking exception
Arne Schwabe [Thu, 18 Jan 2024 13:55:30 +0000 (14:55 +0100)] 
Remove conditional text for Apache2 linking exception

With the reimplementation of the tls-export feature and removal/approval
or being trivial of the rest of the code, now all the code falls under
new license. Remove the conditional text of the license to be only valid
for parts of OpenVPN.

Change-Id: Ia9c5453dc08679ffb73a275ddd4f28095ff1c1f8
Acked-by: dazo <dazo@eurephia.org>
Message-Id: <20240118135530.3911-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28077.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 275aa892c30e91adfec9276f6d6845756b141c62)

20 months agoEnable key export with mbed TLS 3.x.y
Max Fillinger [Fri, 17 Nov 2023 09:14:01 +0000 (10:14 +0100)] 
Enable key export with mbed TLS 3.x.y

Change-Id: I8e90530726b7f7ba3cee0438f2d81a1ac42e821b
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231117091401.25793-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27458.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b5faf1b2e90fd44c5137a2b8f3da98c7ae482fc1)

20 months agoDisable TLS 1.3 support with mbed TLS
Max Fillinger [Wed, 15 Nov 2023 15:17:40 +0000 (16:17 +0100)] 
Disable TLS 1.3 support with mbed TLS

As of version 3.5.0 the TLS-Exporter function is not yet implemented in
mbed TLS, and the exporter_master_secret is not exposed to the
application either. Falling back to an older PRF when claiming to use
TLS1.3 seems like false advertising.

Change-Id: If4e1c4af9831eb1090ccb3a3c4d3e76b413f0708
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231115151740.23948-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27453.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit efad93d049c318a3bd9ea5956c6ac8237b8d6d70)

20 months agoUpdate README.mbedtls
Max Fillinger [Wed, 25 Oct 2023 12:19:28 +0000 (14:19 +0200)] 
Update README.mbedtls

Change-Id: Ia61c467d85d690752011bafcf112e39d5b252aa7
Signed-off-by: Max Fillinger <max@max-fillinger.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231025121928.1031109-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27295.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f53f06316dbb804128fc5cbee1d8edb274ce81df)

20 months agoAdd support for mbedtls 3.X.Y
Max Fillinger [Wed, 25 Oct 2023 12:18:30 +0000 (14:18 +0200)] 
Add support for mbedtls 3.X.Y

Most struct fields in mbedtls 3 are private and now need accessor
functions. Most of it was straightforward to adapt, but for two things
there were no accessor functions yet:

 * Netscape certificate type
 * key usage (you can check key usage, but not get the raw bytes)

I decided to remove Netscape certificate type checks when using OpenVPN
with mbedtls. The key usage bytes were printed in an error message, and
I removed that part from it.

Adding the random number functions to the load private key function may
look weird, but the purpose is to make side channels for elliptic curve
operations harder to exploit.

Change-Id: I445a93e84dc54b865b757038d22318ac427fce96
Signed-off-by: Max Fillinger <max@max-fillinger.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231025121830.1030959-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27295.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ace7a4f1c271550bb8ad276663e045ab97a46f16)

20 months agoNTLM: increase size of phase 2 response we can handle
Frank Lichtenheld [Wed, 17 Jan 2024 09:49:52 +0000 (10:49 +0100)] 
NTLM: increase size of phase 2 response we can handle

With NTLMv2 the target information buffer can be rather large
even with normal domain setups.

In my test setup it was 152 bytes starting at offset 71.
Overall the base64 encode phase 2 response was 300 byte long.
The linked documentation has 98 bytes at offset 60. 128 byte
is clearly too low.

While here improve the error messaging, so that if the buffer
is too small at least one can determine that in the log.

Change-Id: Iefa4930cb1e8c4135056a17ceb4283fc13cc75c8
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240117094952.25938-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28052.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
20 months agoNTLM: add length check to add_security_buffer
Frank Lichtenheld [Wed, 17 Jan 2024 09:17:11 +0000 (10:17 +0100)] 
NTLM: add length check to add_security_buffer

Especially ntlmv2_response can be very big, so make sure
we not do exceed the size of the phase3 buffer.

Change-Id: Icea931d29e3e504e23e045539b21013b42172664
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240117091711.5366-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28042.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
20 months agoImplement the --tls-export-cert feature
Arne Schwabe [Tue, 16 Jan 2024 10:15:56 +0000 (11:15 +0100)] 
Implement the --tls-export-cert feature

This is a re-implementation of the --tls-export-cert feature. This
was necessary to due to missing approval to re-license the old
(now removed) code. The re-implementation is based on the following
description of the feature provided by David:

  Add an option to export certificate in PEM format of the remote
  peer to a given directory.

  For example: --tls-export-cert /var/tmp

  This option should use a randomised filename, which is provided via a
  "peer_cert" environment variable for the --tls-verify script or the
  OPENVPN_PLUGIN_TLS_VERIFY plug-in hook.

Once the script or plugin call has completed, OpenVPN should delete
this file.

Change-Id: Ia9b3f1813d2d0d492d17c87348b4cebd0bf19ce2
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240116101556.2257-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28014.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c58c7c3c669461805956dabc703c1279fe58eeee)

21 months agofix uncrustify complaints about previous patch
Gert Doering [Sat, 6 Jan 2024 08:38:41 +0000 (09:38 +0100)] 
fix uncrustify complaints about previous patch

cherry-picking the previous patch (9abf74c92c) picked the "raw patch"
as it came in from the mailing list, not the whitespace-fixed version
that ended up in master - so fix release/2.6 here.

Only whitespace changes.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
21 months agoFix IPv6 route add/delete message log level
Steffan Karger [Fri, 5 Jan 2024 13:57:42 +0000 (14:57 +0100)] 
Fix IPv6 route add/delete message log level

We have D_ROUTE for route addition/deletion messages, which prints at
loglevel 3. Use that for IPv6, like we do for IPv4 to reduce terminal
spam for non-legacy-networking setups. Prvious code would print the
messages at --verb 1.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240105135742.21174-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27954.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b959b02b4f607628896b4092f7ddfa675e87d929)

21 months agoClarify that the tls-crypt-v2-verify has a very limited env set
Arne Schwabe [Fri, 5 Jan 2024 14:24:32 +0000 (15:24 +0100)] 
Clarify that the tls-crypt-v2-verify has a very limited env set

Change-Id: Ida4d22455c51773b6713caf94a4b4fbe136a6ded
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240105142432.26298-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27944.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a9fe012ca64d81af37a08666d3e4e74250113db2)

21 months agoMake it more explicit and visible when pkg-config is not found
Arne Schwabe [Fri, 5 Jan 2024 14:05:40 +0000 (15:05 +0100)] 
Make it more explicit and visible when pkg-config is not found

Users seem to struggle to read the full error message. This adds an
indication if pkg-config is actually found to the warning/error message
that use pkg-config.

On platforms that do not require pkg-config and for optional libraries,
the existence of pkg-config is mentioned as part of the error/warning message.

When found:

    configure: error: libnl-genl-3.0 package not found or too old. Is the development package and pkg-config (/usr/bin/pkg-config) installed? Must be version 3.4.0 or newer for DCO

not found:

    configure: error: libnl-genl-3.0 package not found or too old. Is the development package and pkg-config (not found) installed? Must be version 3.4.0 or newer for DCO

On platforms where pkg-config is required (only Linux at the moment),
configure will abort when not detecting pkg-config:

checking for pkg-config... no
configure: error: pkg-config is required

Change-Id: Iebaa35a23e217a4cd7739af229cbfc08a3d8854a
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20240105140540.14757-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27939.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c0f38019b4a2044c1fe873d7d33c13ce571d3386)

21 months agoCheck PRF availability on initialisation and add --force-tls-key-material-export
Arne Schwabe [Thu, 4 Jan 2024 14:02:14 +0000 (15:02 +0100)] 
Check PRF availability on initialisation and add --force-tls-key-material-export

We now warn a user if the TLS 1.0 PRF is not supported by the cryptographic
library of the system. Also add the option --force-tls-key-material-export
that automatically rejects clients that do not support TLS Keying Material
Export and automatically enable it when TLS 1.0 PRF support is not available.

Change-Id: I04f8c7c413e7cb62c726262feee6ca89c7e86c70
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240104140214.32196-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27924.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit fa7960961415fa4f368e9bbb39dc4047680ff30c)

21 months agoget_default_gateway() HWADDR overhaul
Gert Doering [Mon, 1 Jan 2024 09:27:14 +0000 (10:27 +0100)] 
get_default_gateway() HWADDR overhaul

commit f13331005d5a7 (gerrit/454) most painfully works around the limitations
of the SIOCGIFCONF API, with struct member access on an unaligned buffer,
possibly overrunning sockaddr structures, etc. - and the result still did
not work on OpenSolaris and OpenBSD (no AF_LINK in the returned elements).

Reading through OpenBSD "ifconfig" source, I found getifaddrs(3), which
is exactly what we want here - it works on FreeBSD, NetBSD, OpenBSD and
MacOS, and all returned pointers are properly aligned, so the code gets
shorter, easier to read, and UBSAN is still happy.

OpenSolaris does have getifaddrs(3), but (surprise) it does not work, as
in "it does not return AF_LINK addresses".  It does have SIOCGIFHWADDR,
instead, and "man if_tcp" claims "should behave in a manner compatible
with Linux" - so TARGET_SOLARIS gets a copy of the Linux code now (works).

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20240101092714.18992-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27891.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 76d11614797617708c31dc3db22e3568fee3de6d)

21 months agoOpenBSD: repair --show-gateway
Gert Doering [Mon, 1 Jan 2024 09:40:54 +0000 (10:40 +0100)] 
OpenBSD: repair --show-gateway

OpenBSD route sockets do not want to be passed RTA_IFP on RTM_GET
- if we do this, we get back EINVAL.

On other platforms, if we do not request RTA_IFP, we will not get
back interface information for queried routes - on OpenBSD, RTA_IFP
comes back always...

So we need to #ifdef this, RTA_IFP on all platforms except OpenBSD.

(Found this fix in OpenBSD's ports tree, in their patches for OpenVPN
2.6.8 - but they just remove RTA_IFP, no #ifdef, so we can't just apply
their patch)

While at it, add M_ERRNO to the "write to routing socket" error message.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20240101094054.38869-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27892.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit acf6f33987c72d9151f68eb618bbaf2d10e61877)

21 months agoFix unaligned access in macOS, FreeBSD, Solaris hwaddr
Arne Schwabe [Sun, 31 Dec 2023 17:34:31 +0000 (18:34 +0100)] 
Fix unaligned access in macOS, FreeBSD, Solaris hwaddr

The undefined behaviour USAN clang checker found this.

This fix is a bit messy but so are the original structures.

Since the API on Solaris/Illuminos does not return the AF_LINK
sockaddr type we are interested in, there is little value in
fixing the code on that platform to iterate through a list
that does not contain the element we are looking for.

Add includes stddef.h for offsetof and integer.h for max_int.

Change-Id: Ia797c8801fa9a9bc10b6674efde5fdbd7132e4a8
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231231173431.31356-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27885.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f13331005d5a75f2788685485d46be1fe2f133a1)

21 months agodocumentation: improve documentation of --x509-track
Frank Lichtenheld [Wed, 13 Dec 2023 14:33:24 +0000 (15:33 +0100)] 
documentation: improve documentation of --x509-track

In the current state it was completely unclear to me how you
would use this. Extended the description based on reading the
code and experimentation.

Change-Id: Ibf728f9d624e64ecda094d66fa562bd3916829d2
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231213143324.226443-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27804.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 139607286ce5d618ece8b17923ce12f418695f4c)

21 months agofix(ssl): init peer_id when init tls_multi
yatta [Thu, 19 Oct 2023 17:12:13 +0000 (01:12 +0800)] 
fix(ssl): init peer_id when init tls_multi

When openvpn run in UDP server mode, if ssl connections reach the
max clients, the next connection would be failed in `multi_create_instance`
and the half connection will be close in `multi_close_instance`, which
may lead array `m->instances[0]` covered unexpectedly and make the
first connection interrupt, this patch fix this problem by init `peer_id`
with `MAX_PEER_ID` in `tils_multi_init`.

Signed-off-by: yatta <ytzhang01@foxmail.com
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <tencent_C49D67EAA5678D180C293706A9469EFE8307@qq.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27260.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3e30504d86f0fe5556acc0cb8e6975c5b2277661)

21 months agoExtend the error message when TLS 1.0 PRF fails
Arne Schwabe [Wed, 13 Dec 2023 10:53:08 +0000 (11:53 +0100)] 
Extend the error message when TLS 1.0 PRF fails

This error will probably become more and more common in the future when
more and more systems will drop TLS 1.0 PRF support. We are already
seeing people stumbling upon this (see GitHub issue #460)

The current error messages

  TLS Error: PRF calcuation failed
  TLS Error: generate_key_expansion failed

are not very helpful for people that do not have deep understanding
of TLS or the OpenVPN protocol. Improve this message to give a normal
user a chance to understand that the peer needs to be OpenVPN 2.6.x or
newer.

Change-Id: Ib3b64b52beed69dc7740f191b0e9a9dc9af5b7f3
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231213105308.121460-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27796.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6ff816142c1acdaee149c4daabb297fefc2ccde0)

21 months agotun.c: don't attempt to delete DNS and WINS servers if they're not set
Lev Stipakov [Wed, 20 Dec 2023 13:36:37 +0000 (14:36 +0100)] 
tun.c: don't attempt to delete DNS and WINS servers if they're not set

Commits

    1c4a47f7 ("wintun: set adapter properties via interactive service")
    18826de5 ("Set WINS servers via interactice service")

added functionality of add/remove DNS/WINS via interactive
service, which is used mostly by dco-win and wintun (tap-windows6
normally uses DHCP). There is a check in code - if DNS/WINS addresses
are not pushed, nothing is added.

However, due to bug we always attempted to remove DNS/WINS,
even if nothing was added. Removing WINS, for example, could take
up to 3 seconds.

This change fixes this by improving check "has DNS/WINS been pushed?".

While on it, convert do_XXX_service() functions to "void" from "bool",
since we never check their return values.

Change-Id: I21a36d24f8e213c780f55acbe3e4df555c93542a
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231220133637.60996-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27843.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c590868a721881dd21bfb77ecf846e6c8720e4ef)

21 months agounit_tests: remove includes for mock_msg.h
Frank Lichtenheld [Fri, 8 Dec 2023 17:35:29 +0000 (18:35 +0100)] 
unit_tests: remove includes for mock_msg.h

Not actually used.

Change-Id: I5e394bb73702d87562ed354100eaff9b41f5389e
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231208173529.95023-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27727.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 9b4ed6d801b3c67f6b5f5341e5a1b161778d0d32)

22 months agoRemove superfluous x509_write_pem()
David Sommerseth [Wed, 22 Nov 2023 19:00:57 +0000 (20:00 +0100)] 
Remove superfluous x509_write_pem()

After removing --tls-export-cert, this function was left in the code
base with no other users.  This was an oversight in the previous
change.  Removing it to avoid leaving dead code behind.

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231122190057.120384-1-dazo+openvpn@eurephia.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27561.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f015643fe23d7847ad45b7763f31bfc6baed2159)

22 months agoRemove --tls-export-cert
David Sommerseth [Wed, 22 Nov 2023 14:31:01 +0000 (15:31 +0100)] 
Remove --tls-export-cert

As OpenVPN 2.6+ is doing some adoptions to the license text, all
prior contributors need to accept this new text.  Unfortunately, Mathieu
Giannecchini who implemented the --tls-export-cert feature did not
respond at all.  Without an explicit acceptance we need to remove this
feature to avoid potential legal complications.

If this is still a wanted feature, it will need to be re-implemented
from scratch.

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231122143101.58483-1-dazo+openvpn@eurephia.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27557.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 12c5ef1fe6a6010362f3098d11b554566687c1f7)

22 months agovcpkg-ports/pkcs11-helper: bump to version 1.30
Marc Becker [Mon, 4 Dec 2023 15:33:45 +0000 (16:33 +0100)] 
vcpkg-ports/pkcs11-helper: bump to version 1.30

update metadata references for pkcs11-helper v1.30
remove local patches incorporated in new upstream

Signed-off-by: Marc Becker <marc.becker@astos.de>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231204153345.1146-1-marc.becker@astos.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27678.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a78b0e45dff3a0f0332de47c55aadd76c5919370)

22 months agodocumentation: remove reference to removed option --show-proxy-settings
Frank Lichtenheld [Mon, 4 Dec 2023 15:34:44 +0000 (16:34 +0100)] 
documentation: remove reference to removed option --show-proxy-settings

This option was removed in 2.3.0.

Change-Id: I243ba135ce36cff36ba77eead7dcd9354bd94ab7
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231204153444.56906-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27677.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e569b16d5c456e1f89c9de2d19938b38c3914020)

22 months agoRemove compat versionhelpers.h and remove cmake/configure check for it
Arne Schwabe [Tue, 28 Nov 2023 10:39:50 +0000 (11:39 +0100)] 
Remove compat versionhelpers.h and remove cmake/configure check for it

The cmake file defined that file to be never present in contrast to the
old msvc-config.h that always had it present.
Remove also the compat implementation taken from mingw. All our current
build environments already have that header in place.

Change-Id: I9c85ccab6d51064ebff2c391740ba8c2d044ed1a
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20231128103950.62407-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27573.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a68595a582b2c6c220b4f4502753d5f4154000d8)

22 months agoAdd check for nice in cmake config
Arne Schwabe [Tue, 28 Nov 2023 10:41:29 +0000 (11:41 +0100)] 
Add check for nice in cmake config

Change-Id: I2cc8f9b82079acca250db5871ffd9fad2997d1a8
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20231128104129.62761-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27574.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 4d8ee61ce2c2a8b387773d33b4dd01bc2e147941)

22 months agoconfigure.ac: Remove unused AC_TYPE_SIGNAL macro
Frank Lichtenheld [Tue, 28 Nov 2023 10:37:40 +0000 (11:37 +0100)] 
configure.ac: Remove unused AC_TYPE_SIGNAL macro

Recent autoconf warns:
configure.ac:448: warning: The macro `AC_TYPE_SIGNAL' is obsolete.

And it turns out that we do not actually use RETSIGTYPE.
Additionally, there is no reason to do so since as the
autoconf documentation says:
"These days, it is portable to assume C89, and that signal
handlers return void, without needing to use this macro or
RETSIGTYPE."

Change-Id: I7da7c2d7d34c7e5efd52d448646b4398a1005e77
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231128103740.61160-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27572.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit be05b590e8d5edebd8e35d97af34b0ba7e5350e6)

22 months agoAdd missing check for nl_socket_alloc failure
Arne Schwabe [Tue, 21 Nov 2023 17:06:03 +0000 (18:06 +0100)] 
Add missing check for nl_socket_alloc failure

This can happen if the memory alloc fails.

Patch V2: add goto error
Patch V3: return -ENOMEM instead of going to error

Change-Id: Iee66caa794d267ac5f8bee584633352893047171
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20231121170603.886801-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27541.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit d1c31e428120bb0fc9488c62c1691c92a37d94c3)

22 months agoFix check_session_buf_not_used using wrong index
Arne Schwabe [Tue, 28 Nov 2023 10:43:59 +0000 (11:43 +0100)] 
Fix check_session_buf_not_used using wrong index

The inner loop used i instead of j when iterating through the buffers.

Since i is always between 0 and 2 and ks->send_reliable->size is
(when it is defined) always 6 (TLS_RELIABLE_N_SEND_BUFFERS) this does not
cause an index of out bounds.  So while the check was not doing anything
really useful with i instead of j, at least it was not crashing or
anything similar.

Noticed-By: Jon Williams (braindead-bf) on Github issue #449
Change-Id: Ia3d5b4946138df322ebcd9e9e77d04328dacbc5d
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231128104359.62967-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27576.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 59551b93cdb55397d63b2fe58ad99612821c0faf)

22 months agoRemove TEST_GET_DEFAULT_GATEWAY as it duplicates --show-gateway
Arne Schwabe [Fri, 1 Dec 2023 11:17:17 +0000 (12:17 +0100)] 
Remove TEST_GET_DEFAULT_GATEWAY as it duplicates --show-gateway

This debug code is not very useful as it is outdated and the same
functionality is provided by --show-gateway

Change-Id: Ie7fd59cc84e2eb024086c28c2ec2a5606a2b2e7c
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231201111717.14940-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27624.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6158228f16836f56a564d4533e7b513dc6170854)

22 months agoDocument tls-exit option mainly as test option
Arne Schwabe [Fri, 1 Dec 2023 11:19:37 +0000 (12:19 +0100)] 
Document tls-exit option mainly as test option

Change-Id: I93afff2372c4150d6bddc8c07fd4ebc8bfb0cc3e
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231201111937.15214-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27626.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ee6417e9d602d7d2db018739f07724b4660bf980)

22 months agoGHA: clean up libressl builds with newer libressl
Frank Lichtenheld [Fri, 1 Dec 2023 12:36:49 +0000 (13:36 +0100)] 
GHA: clean up libressl builds with newer libressl

- Update to latest stable release
- Work-around patches not required anymore
- Official URL of repo has changed

Change-Id: I9b8e69f2b9838cea4cb9001f4e8960b8a39724ef
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231201123649.18127-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27635.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 664dde85be91a5432efe52c90089fcf2bf5d6a3c)

22 months agoLog SSL alerts more prominently
Arne Schwabe [Tue, 21 Nov 2023 10:39:30 +0000 (11:39 +0100)] 
Log SSL alerts more prominently

When we receive an SSL alert from a server we currently only log a
very cryptic OpenSSL error message:

   OpenSSL: error:0A00042E:SSL routines::tlsv1 alert protocol version:SSL alert number 70

This also enables logging the much more readable SSL error message:

   Received fatal SSL alert: protocol version

which previously needed --verb 8 to be displayed (now verb 3). Also rework the
message to be better readable.

Change-Id: I6bdab3028c9bd679c31d4177a746a3ea505dcbbf
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231121103930.15175-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27523.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a1cb1b47b138b9f654cd0bca5de6d08dbca61888)

22 months agosample-keys: renew for the next 10 years
Frank Lichtenheld [Tue, 21 Nov 2023 11:04:30 +0000 (12:04 +0100)] 
sample-keys: renew for the next 10 years

Old expiration was October 2024, less than a year away.
Give everyone the chance to get the new keys before tests
start failing.

Change-Id: Ie264ec1ec61fd71e8cc87987be3e2adc2735c201
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231121110430.16893-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27530.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 78e0c5f2f57a18e8ea60951696a458a4b3ff3621)

22 months agoRemove unused function prototype crypto_adjust_frame_parameters
Arne Schwabe [Tue, 21 Nov 2023 10:40:37 +0000 (11:40 +0100)] 
Remove unused function prototype crypto_adjust_frame_parameters

Change-Id: I1141eb7740d8900ed4af0ff5ff52aa3659df99aa
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231121104037.15307-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27524.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 66f109117649237947e3e5cd33a36f81bde71a2b)

22 months agoprotocol_dump: tls-crypt support
Reynir Björnsson [Thu, 26 Oct 2023 14:55:32 +0000 (16:55 +0200)] 
protocol_dump: tls-crypt support

Add support for tls-crypt packets in protocol_dump(). Currently,
protocol_dump() will print garbage for tls-crypt packets.

This patch makes protocol_dump print the clear text parts of the packet such
as the auth tag and replay packet id. It does not try to print the wKc for
HARD_RESET_CLIENT_V3 or CONTROL_WKC_V1 packets.  It also intentionally
does not print ENCRYPTED placeholders for ack list and DATA, to cut down
on the noise.

Signed-off-by: Reynir Björnsson <reynir@reynir.dk>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <8237adde-2523-9e48-5cd4-070463887dc1@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27310.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 227799b8345128dd3adf2029323457804209fe93)

22 months agopreparing release 2.6.8 v2.6.8
Gert Doering [Fri, 17 Nov 2023 07:23:21 +0000 (08:23 +0100)] 
preparing release 2.6.8

version.m4, ChangeLog, Changes.rst

Signed-off-by: Gert Doering <gert@greenie.muc.de>
22 months agoWarn if pushed options require DHCP
Lev Stipakov [Wed, 15 Nov 2023 12:06:56 +0000 (13:06 +0100)] 
Warn if pushed options require DHCP

Some pushed options (such as DOMAIN-SEARCH) require DHCP server to work.

Warn user that such options will not work if the current driver (such
as dco-win) doesn't support DHCP.

Change-Id: Ie512544329a91fae15409cb18f29d8be617051a1
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231115120656.6825-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27403.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 85fc834b0229b87e466b4f60bd2618b2ecd27a5f)

22 months agoMake --dns options apply for tap-windows6 driver
Lev Stipakov [Wed, 15 Nov 2023 12:06:23 +0000 (13:06 +0100)] 
Make --dns options apply for tap-windows6 driver

When tap-windows6 driver is used, both --dhcp-option and
--dns options are applied with DHCP. When processing --dns options,
we don't set "tuntap_options.dhcp_options" member, which is required
for DHCP string to be sent to the driver. As a result, --dns options
are not applied at all.

Fix by adding missing assignment of tuntap_options.dhcp_options.

Github: fixes OpenVPN/openvpn#447

Change-Id: I24f43ad319bd1ca530fe17442d02a97412eb75c7
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231115120623.6442-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27402.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 60def50420b050e628f4388e3c9ff771eb70a549)

22 months agoDo not check key_state buffers that are in S_UNDEF state
Arne Schwabe [Wed, 15 Nov 2023 10:33:31 +0000 (11:33 +0100)] 
Do not check key_state buffers that are in S_UNDEF state

When a key_state is in S_UNDEF the send_reliable is not initialised. So
checking it might access invalid memory or null pointers.

Github: fixes OpenVPN/openvpn#449

Change-Id: I226a73d47a2b1b29f7ec175ce23a806593abc2ac
[a@unstable.cc: add check for !send_reliable and message]
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231115103331.18050-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27401.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a903ebe9361d451daee71c225e141f4e1b67107d)

22 months agoconfig.h: fix incorrect defines for _wopen()
Lev Stipakov [Tue, 14 Nov 2023 14:16:53 +0000 (15:16 +0100)] 
config.h: fix incorrect defines for _wopen()

This is a regression from commit

  01341840 ("add basic CMake based build")

S_IRUSR and S_IWUSR should NOT be defined as 0 but
as _S_IREAD and _S_IWRITE, as it was already fixed in commit

  077445d0 ("Fix some more wrong defines in config-msvc.h")

Those are used as permission mode when opening a file. Passing
zero makes file read-only, which break for example --status-file
functionality.

Github: fixes OpenVPN/openvpn#454
Trac: #1430

Change-Id: I53eaee85d7b284af6bc63da5f6d8f310ddd96c47
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231114141653.10486-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27393.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 2fcfb77a8111cce9308bb893f52ecdb77de91e7c)

22 months agodoc: Correct typos in multiple documentation files
Aquila Macedo [Thu, 19 Oct 2023 19:40:49 +0000 (16:40 -0300)] 
doc: Correct typos in multiple documentation files

Fixed typographical errors in various documentation files for improved clarity and readability.

Signed-off-by: Aquila Macedo <aquilamacedo@riseup.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <4a3a9f1d691704f25f07653bb0de2583@riseup.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27320.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 20c42b89f6d38a4426b5fe67f59acaadcb9ac314)

22 months agoplatform.c: Do not depend Windows build on HAVE_CHDIR
Frank Lichtenheld [Sat, 11 Nov 2023 08:18:08 +0000 (09:18 +0100)] 
platform.c: Do not depend Windows build on HAVE_CHDIR

This broke in the CMake build since previously we
just always set HAVE_CHDIR to 1 in the MSVC build.
But actually the code should just not check HAVE_CHDIR
on Windows.

Github: fixes OpenVPN/openvpn#448

Change-Id: I0c78ce452135fe2c80275da449215ba926471018
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20231111081808.30967-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27362.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 012ea92c414282488e3d60c87452849bde64aac4)

22 months agopreparing release 2.6.7 v2.6.7
Gert Doering [Wed, 8 Nov 2023 13:20:06 +0000 (14:20 +0100)] 
preparing release 2.6.7

version.m4, ChangeLog, Changes.rst

Signed-off-by: Gert Doering <gert@greenie.muc.de>
22 months agoFix using to_link buffer after freed
Arne Schwabe [Fri, 27 Oct 2023 12:19:37 +0000 (14:19 +0200)] 
Fix using to_link buffer after freed

When I refactored the tls_state_change method in
9a7b95fda5 I accidentally changed a break into
a return true while it should return a false.

The code here is extremely fragile in the sense
that it assumes that settings a keystate to S_ERROR
cannot have any outgoing buffer or we will have a
use after free.  The previous break and now restored
return false ensure this by skipping any further
tls_process_state loops that might set to ks->S_ERROR
and ensure that the to_link is sent out and cleared
before having more loops in tls_state_change.

CVE: 2023-46850

This affects everyone, even with tls-auth/tls-crypt enabled.

Change-Id: I2a0f1c665d992da8e24a421ff0ddcb40f7945ea8
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20231108124947.76816-3-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20231108124947.76816-3-gert@greenie.muc.de
Signed-off-by: Gert Doering <gert@greenie.muc.de>
22 months agoDouble check that we do not use a freed buffer when freeing a session
Arne Schwabe [Wed, 25 Oct 2023 15:46:24 +0000 (17:46 +0200)] 
Double check that we do not use a freed buffer when freeing a session

This is a find cases where the session already has planned to send out
a packet but encounters some other errors that invalidate the session,
setting it to S_ERROR and leaving the buffer behind.

This will detect and clear that to_link buffer in that case.

Change-Id: I5ffb41bed1c9237946b13d787eb4c4013e0bec68
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20231108124947.76816-2-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20231108124947.76816-2-gert@greenie.muc.de
Signed-off-by: Gert Doering <gert@greenie.muc.de>
22 months agoRemove saving initial frame code
Arne Schwabe [Thu, 19 Oct 2023 13:14:33 +0000 (15:14 +0200)] 
Remove saving initial frame code

This code was necessary before the frame/buffer refactoring as we
always did relative adjustment to the frame.

This also fixes also that previously initial_frame was initialised too
early before the fragment related options were initialised and contained
0 for the maximum frame size. This resulted in a DIV by 0 that caused an
abort on platforms that throw an exception for that.

CVE: 2023-46849

Only people with --fragment in their config are affected

Change-Id: Icc612bab5700879606290639e1b8773f61ec670d
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20231108124947.76816-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20231108124947.76816-1-gert@greenie.muc.de
Signed-off-by: Gert Doering <gert@greenie.muc.de>
23 months agodco: warn if DATA_V1 packets are sent to userspace
Lev Stipakov [Sun, 22 Oct 2023 08:27:40 +0000 (10:27 +0200)] 
dco: warn if DATA_V1 packets are sent to userspace

Servers 2.4.0 - 2.4.4 support peer-id and AEAD ciphers,
but only send DATA_V1 packets. With DCO enabled on the
client, connection is established but not working.

This is because DCO driver(s) are unable to handle
DATA_V1 packets and forwards them to userspace, where
they silently disappear since crypto context is in
DCO and not in userspace.

Starting from 2.4.5 server sends DATA_V2 so problem
doesn't happen.

We cannot switch to non-DCO on the fly, so we log this
and advice user to upgrade the server to 2.4.5 or newer.

Github: fixes OpenVPN/openvpn#422

Change-Id: I8cb2cb083e3cdadf187b7874979d79af3974e759
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231022082751.8868-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27272.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit df7beea404df48745a608c584d863c5a377b7a1e)

23 months agoRemove openssl engine method for loading the key
Arne Schwabe [Fri, 6 Oct 2023 11:19:10 +0000 (13:19 +0200)] 
Remove openssl engine method for loading the key

This is a contribution for loading engine key. OpenSSL engine is
deprecated since OpenSSL 3.0 and James Bottomley has not agreed to
the proposed license chagne. He is also okay with removing the
feature from the current code base as it is obsolete with OpenSSL 3.0.

The original commit ID was a0a8d801dd0d84e0ec844b9ca4c225df7 (plus
subsequent fixes).

Change-Id: I2d353a0cea0a62f289b8c1060244df66dd7a14cb
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20231006111910.3541180-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27133.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e7427bcbb9b16b52d81c65b01d440a8ecd1e6ea7)

23 months agoAdd warning if a p2p NCP client connects to a p2mp server
Arne Schwabe [Mon, 9 Oct 2023 10:53:36 +0000 (12:53 +0200)] 
Add warning if a p2p NCP client connects to a p2mp server

Change-Id: I85ae4e1167e1395b4f59d5d0ecf6c38befcaa8a7
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231009105336.34267-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27191.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 2574ae5e6961ed5b39531a7f98e537f72f87bcfb)

23 months agodco-win: get driver version
Lev Stipakov [Sun, 8 Oct 2023 11:27:55 +0000 (13:27 +0200)] 
dco-win: get driver version

Print dco-win driver version using the new ioctl.
Requires dco-win driver 1.0.0 or newer to work.

Change-Id: I1d0d909e7fca3f51b5c848f1a771a989ab040f17
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231008112755.23568-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27174.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e8e5f8a4c4f8e01dc7317ac87a85d3204882d6bf)

23 months agoPrint peer temporary key details
Arne Schwabe [Mon, 9 Oct 2023 10:55:18 +0000 (12:55 +0200)] 
Print peer temporary key details

The peer temporary key in TLS session is related to the PFS
exchange/generation. From the SSL_get_peer_tmp_key manual page:

   For example, if ECDHE is in use, then this represents the
   peer's public ECDHE key.

Change-Id: Iaf12bb51a2aac7bcf19070f0b56fa3b1a5863bc3
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231009105518.34432-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27192.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 4e80aac451b99d5cc0b0cf268ca678e602959191)

23 months agoAdd warning for the --show-groups command that some groups are missing
Arne Schwabe [Mon, 9 Oct 2023 10:57:14 +0000 (12:57 +0200)] 
Add warning for the --show-groups command that some groups are missing

OpenSSL has a weird way of only reporting EC curves that are implemented
in a certain way in the list of all EC curves. Note this fact and point
out that also the very important curves X448 and X25519 are affected.

Change-Id: I86641bf60d62a50e9b2719e809d2429d65c00097
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231009105714.34598-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27193.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a840d5099a7d1a5ceb752c481fc345f6385719df)

23 months agodoc: fix argument name in --route-delay documentation
Frank Lichtenheld [Fri, 13 Oct 2023 10:23:16 +0000 (12:23 +0200)] 
doc: fix argument name in --route-delay documentation

Also remove redundant "by default".

Change-Id: I6f55d15ce6a5fe2f59bbc1cb51c8474f1f81dfca
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20231013102316.330086-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27197.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 9e99ac54a6373a259ed82f45fbbf9e7a1b38ab6b)

2 years agoLog OpenSSL errors on failure to set certificate
Selva Nair [Sun, 1 Oct 2023 17:49:20 +0000 (13:49 -0400)] 
Log OpenSSL errors on failure to set certificate

Currently we log a bogus error message saying private key password
verification failed when SSL_CTX_use_cert_and_key() fails in
pkcs11_openssl.c. Instead print OpenSSL error queue and exit promptly.

Also log OpenSSL errors when SSL_CTX_use_certiifcate() fails in
cryptoapi.c and elsewhere. Such logging could be useful especially when
the ceritficate is rejected by OpenSSL due to stricter security
restrictions in recent versions of the library.

Change-Id: Ic7ec25ac0503a91d5869b8da966d0065f264af22
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20231001174920.54154-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27122.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 2671dcb69837ae58b3303f11c1b6ba4cee8eea00)

2 years agoRemove all traces of the previous MSVC build system
Frank Lichtenheld [Tue, 26 Sep 2023 09:51:18 +0000 (11:51 +0200)] 
Remove all traces of the previous MSVC build system

Completely replaced by the CMake build system now.

v2:
 - rebase on top of my dist fixes

Change-Id: I807cffa40f18faa1adec4e15e84c032877a2b92e
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20230926095118.29924-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/search?l=mid&q=20230926095118.29924-1-frank@lichtenheld.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2 years agoCMake: backport CMake buildsystem from master to release/2.6
Frank Lichtenheld [Tue, 26 Sep 2023 09:50:30 +0000 (11:50 +0200)] 
CMake: backport CMake buildsystem from master to release/2.6

This is based on the initial CMake patch by
Arne Schwabe, but extends that to provide
a complete replacement for existing MinGW
build (autotools based) and MSVC build
(openvpn.sln).

The following features are added while switching
these builds to CMake:
 - vcpkg support for MinGW build, allowing for
   trivial cross-compilation on Linux
 - Add unittests to MSVC build
 - Rework MSVC config header generation, removing
   need for separate headers between autotools
   and MSVC

The following advantages are reasons for switching
to CMake over the existing MSVC build:
 - Easier to maintain CMake files without IDE
   than the sln and vcxproj files
 - Able to maintain MSVC and MinGW build side-by-side

The plan is to completely remove the existing MSVC
build system but leave the existing autotools builds
in place as-is, including MinGW support.

CMake is not the intended build system for Unix-like
platforms and there are no current plans to switch
to it.

This commits squashes a lot of commits from master
together, since most of them are just fixes or
enhancements for the original CMake commit. The
decisions was not to bloat the release/2.6 commit
history with these detours.

It contains the following commits:
- add basic CMake based build
  (commit 0134184012dd46ec44cbca7eb3ece39037ae0bfa by
   Arne Schwabe)
- CMake: Add complete MinGW and MSVC build
  (commit e8881ec6dd63bd80ce05202573eac54ab8657fcb)
- CMake: Add /Brepro to MSVC link options
  (commit 5e94e8de4bfaf6637124947a3489710b591e5e26)
- Do not blindly assume python3 is also the interpreter that runs rst2html
  (commit 5dbec1c019d14880ae7bf364b062d3589c7fd9e7 by
   Arne Schwabe)
- Only add -Wno-stringop-truncation on supported compilers
  (commit eb3cd5ea36f9bf235da7b8a51fd6ce29780f0e39 by
   Arne Schwabe)
- CMake: Throw a clear error when config.h in top-level source directory
  (commit 0652ae84f4528daa57da344eee28b7385a6659a1)
- openvpnmsica: link C runtime statically
  (commit 3be4986ea3d6e27acd3e3a317c15dfe07688e135 by
   Lev Stipakov)
- CMake: Support doc builds on Windows machines that do not have .py file association
  (commit 22213a8834ba5ba5c9818015730edbf3766ad915)
- README.cmake.md: Add new documentation for CMake buildsystem
  (commit 53055fd23efb6209b12d3662427158e25247f1fe)
- Check if the -wrap argument is actually supported by the platform's ld
  (commit 4ef76f0ee4e122dcd616e1b1e2d652562ab10756 by
   Arne Schwabe)
- GHA: update to run-vcpkg@v11
  (commit 66e33ee81d1d7fa3495ae3aad6e673766e296687)
- GHA: refactor mingw UTs and add missing tls_crypt
  (commit 26c663f12815f55c483dbe660e28448dc63221d1)
- CMake: various small non-functional improvements
  (commit 95cc5faa16833acaf12a4d273c5c848984fc73ce)
- CMake: fix broken daemonization and syslog functionality
  (commit 8ae6c48d5d52dec8ec6e47cc1cfe89de9f2ffbcd)
- CMake: fix HAVE_DAEMON detection on Linux
  (commit e363b393f2d1b72590666554e17d928c1603f8d5)

Change-Id: I6de18261d5dc7f8561612184059656c73f33a5f2
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Co-authored-by: Arne Schwabe <arne@rfc2549.org>
Co-authored-by: Lev Stipakov <lev@openvpn.net>
Message-Id: <20230926095030.29779-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27107.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2 years agovcpkg-ports/pkcs11-helper: Backport MinGW series from master to release/2.6
Frank Lichtenheld [Fri, 22 Sep 2023 16:03:24 +0000 (18:03 +0200)] 
vcpkg-ports/pkcs11-helper: Backport MinGW series from master to release/2.6

Contains the following commits:
- Make compatible with mingw build
  (commit 17746e53f65249b42017256056c5415099df288d)
- Convert CONTROL to vcpkg.json
  (commit a2160d3e42a1eff59aee3d984fd3354907f4379f)
- reference upstream PRs in patches
  (commit 9577ffe92f033d8452cff0a3dbdfdc943655c5b8)
- rename patches to make file names shorter
  (commit 0c25a5462e945f537d1836b47a5f147a2132875c)

Change-Id: Ie61fed8758e44576939a8bb0a04bc95245a3ce18
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Heiko Hund <heiko@openvpn.net>
Message-Id: <20230922160324.166907-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27083.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2 years agoMock openvpn_exece on win32 also for test_tls_crypt
Arne Schwabe [Mon, 25 Sep 2023 09:44:09 +0000 (11:44 +0200)] 
Mock openvpn_exece on win32 also for test_tls_crypt

This function is needed to commpile on win32 as run_command.c defines it
on Unix Linux but on windows it is defined in win32.c which pulls in too
many other unresolvable symbols.

Patch v2: Also add mock_win32_execve.c to automake files

Change-Id: I8c8fe298eb30e211279f3fc010584b9d3bc14b4a
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Heiko Hund <heiko@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit ede590e57c96c2b16d9bf462c4b1dd967b37c432)
Message-Id: <20230925094409.40429-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27097.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2 years agoMake cert_data.h and test_cryptoapi/pkcs11.c MSVC compliant
Selva Nair [Fri, 22 Sep 2023 16:04:05 +0000 (18:04 +0200)] 
Make cert_data.h and test_cryptoapi/pkcs11.c MSVC compliant

- Do not use non-literal initializers for static objects
- Replace empty initializer {} by {0}

Change-Id: Ifb961a4df2b8b8300633192e1a268669f6f41a35
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Heiko Hund <heiko@openvpn.net>
Acked-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Co-authored-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230922160405.167057-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27084.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2 years agobuffer: use memcpy in buf_catrunc
Frank Lichtenheld [Fri, 22 Sep 2023 16:04:41 +0000 (18:04 +0200)] 
buffer: use memcpy in buf_catrunc

Since we use strlen() to determine the length
and then check it ourselves, there is really
no point in using strncpy.

But the compiler might complain that we use
the output of strlen() for the length of
strncpy which is usually a sign for bugs:

error: ‘strncpy’ specified bound depends
 on the length of the source argument
 [-Werror=stringop-overflow=]

Warning was at least triggered for
mingw-gcc version 10-win32 20220113.

Also change the type of len to size_t
which avoids potential problems with
signed overflow.

v2:
 - make len size_t and change code to avoid any theoretical overflows
 - remove useless casts
v3:
 - fix off-by-one introduced by v2 %)
v4:
 - ignore unsigned overflow to simplify code

Change-Id: If4a67adac4d2e870fd719b58075d39efcd67c671
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Heiko Hund <heiko@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c89a97e449baaf60924a362555d35184f188a646)
Message-Id: <20230922160441.167168-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27085.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2 years agoGHA: new workflow to submit scan to Coverity Scan service
Frank Lichtenheld [Mon, 11 Sep 2023 11:07:35 +0000 (13:07 +0200)] 
GHA: new workflow to submit scan to Coverity Scan service

Not on every push due to submit limits.

Use caching to not submit a scan for the same git commit
twice. Since we have many days without pushes to master
this saves a lot of Github and Coverity resources.

v2:
 - add caching to not submit redundant scans

Change-Id: I302ccc82f9d5c43b58350bbbf7f16ad1c559248f
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230911110735.34491-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27001.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 607ae9b821665dadb6bd0a3ceb6288bda10d5e67)

2 years agodns option: remove support for exclude-domains
Heiko Hund [Fri, 22 Sep 2023 10:43:34 +0000 (12:43 +0200)] 
dns option: remove support for exclude-domains

No DNS resolver currently supports this and it is not possible to
emulate the behavior without the chance of errors. Finding the
effective default system DNS server(s) to specify the exclude
DNS routes is not trivial and cannot be verified to be correct
without resolver internal knowledge. So, it is better to not
support this instead of supporting it, but incorrectly.

Change-Id: I7f422add22f3f01e9f47985065782dd67bca46eb
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20230922104334.37619-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27008.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b7eea48708ee73a5999f98626fb8d31d8f88ea6f)

2 years agoGHA: do not trigger builds in openvpn-build anymore
Frank Lichtenheld [Fri, 22 Sep 2023 10:39:36 +0000 (12:39 +0200)] 
GHA: do not trigger builds in openvpn-build anymore

We do this via explicit PRs now, generated by renovate.
This allows much better control over what state of the
code gets built.

Change-Id: I8b00d7d79a26ad4aaae529cb496e125398169b50
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20230922103936.37230-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27060.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 37d6c61a3decf64d0db1cd3d033483c9db5c4c91)

2 years agoWarn user if INFO control command is too long
Lev Stipakov [Fri, 22 Sep 2023 10:50:55 +0000 (12:50 +0200)] 
Warn user if INFO control command is too long

"INFO_PRE,..." command length is limited to 256 bytes. If the server
implementation pushes command which is too long, warn the user and
don't send the truncated command to a management client.

Change-Id: If3c27a2a2ba24f2af0e3e3c95eea57ed420b2542
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230922105055.37969-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27062.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit df624fb6d63db6b2a3b0c40597cee74c61b8ab2c)

2 years agodco: fix crash when --multihome is used with --proto tcp
Antonio Quartulli [Tue, 15 Aug 2023 23:15:55 +0000 (01:15 +0200)] 
dco: fix crash when --multihome is used with --proto tcp

Although it's a combination of options that is not really useful,
when specifying --multihome along with --proto tcp and DCO is enabled,
OpenVPN will crash while attempting to access c2.link_socket_actual
(NULL for the TCP case) in order to retrieve the local address (in
function dco_multi_get_localaddr())

Prevent crash by running this code only if proto is UDP.
The same check is already performed in socket.c/h for the non-DCO
case.

Github: fixes OpenVPN/openvpn#390
Change-Id: I61adc26ce2ff737e020c3d980902a46758cb23e5
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230815231555.6465-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26953.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 0793eb105c5720c4eb31af71c9db81459439e510)

2 years agoconfigure: disable engines if OPENSSL_NO_ENGINE is defined
orbea [Sat, 9 Sep 2023 13:49:56 +0000 (06:49 -0700)] 
configure: disable engines if OPENSSL_NO_ENGINE is defined

Starting with LibreSSL 3.8.1 the engines have been removed which causes
the OpenVPN build to fail. This can be solved during configure by
checking if OPENSSL_NO_ENGINE is defined in opensslconf.h.

Signed-off-by: orbea <orbea@riseup.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230909134956.5902-1-orbea@riseup.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26994.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 34bf473e19118eecf525e7401ef37b1cbf661e67)

2 years agopreparing release 2.6.6 v2.6.6
Gert Doering [Mon, 14 Aug 2023 10:36:15 +0000 (12:36 +0200)] 
preparing release 2.6.6

version.m4, ChangeLog, Changes.rst

Signed-off-by: Gert Doering <gert@greenie.muc.de>
2 years agoMake received OCC exit messages more visible in log.
Gert Doering [Mon, 14 Aug 2023 06:04:09 +0000 (08:04 +0200)] 
Make received OCC exit messages more visible in log.

Currently, OCC exit messages are only logged at some high debug level
(and if OpenVPN compiled with DEBUG), while control-channel EEN messages
are logged on verb 1.  Make this consistent, both in wording and in
log level.

Both messages are prefixed with the "channel" where the exit message
came in.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230814060409.50742-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26949.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 5f910a42b86e90f1893a668ee280422b6587ada1)

2 years agoshow extra info for OpenSSL errors
Arne Schwabe [Fri, 11 Aug 2023 12:15:03 +0000 (14:15 +0200)] 
show extra info for OpenSSL errors

This also shows the extra data from the OpenSSL error function that
can contain extra information. For example, the command

    openvpn --providers vollbit

will print out (on macOS):

     OpenSSL: error:12800067:DSO support routines::could not load the shared library:filename(/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib): dlopen(/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib, 0x0002): tried: '/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib' (no such file), '/System/Volumes/Preboot/Cryptexes/OS/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib' (no such file), '/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib' (no such file)

Patch v2: Format message more like current messages

Change-Id: Ic2ee89937dcd85721bcacd1b700a20c640364f80
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20230811121503.4159089-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26929.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 0f8485f2870277fb7ccdb4097380e35dc35b064e)

2 years agoroute: Fix overriding return value of add_route3
Frank Lichtenheld [Fri, 28 Jul 2023 12:47:12 +0000 (14:47 +0200)] 
route: Fix overriding return value of add_route3

The return value of add_bypass_routes overwrites
the return value of add_route3 instead of combining
them.

Coverity: CID 1539180 (#1 of 1): Unused value (UNUSED_VALUE)

Change-Id: I78f92f363fe203af5661c6958b2417ea30f7055c
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <60951251cdb2f39b20cfc86130c2dc0570ba0363-HTML@gerrit.openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26900.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 8067cc8d1b384d3eb0fc9000992710b02951b266)

2 years agontlm: Clarify details on NTLM phase 3 decoding
David Sommerseth [Wed, 2 Aug 2023 11:31:49 +0000 (13:31 +0200)] 
ntlm: Clarify details on NTLM phase 3 decoding

The code was not very clear if we accept the base64 decode if the
NTLM challenge was truncated or not.  Move the related code lines
closer to where buf is first used and comment that we are not concerned
about any truncation.

If the decoded result is truncated, the NTLM server side will reject
our new response to the challenge as it will be incorrect.  The
buffer size is fixed and known to be in a cleared state before the
decode starts.

Resolves: TOB-OVPN-14
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230802113149.36497-1-dazo+openvpn@eurephia.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26919.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f19391139836aa07312cf5b3ebbd00941d22ddc7)

2 years agopkcs11_openssl: Disable unused code
Frank Lichtenheld [Fri, 28 Jul 2023 12:42:01 +0000 (14:42 +0200)] 
pkcs11_openssl: Disable unused code

Coverity: CID 1539183 (#1 of 1): Structurally dead code (UNREACHABLE)

Change-Id: I889de8bafb581b810a026c7359fbfee94f1b5a4e
Gerrit: http://gerrit.openvpn.net/c/openvpn/+/317
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <6b941ce86c4031a5535d6c1997e6ae06c9aec7b3-HTML@gerrit.openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26901.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 38fbddc94596b6b2d8fa93a8bd0aca7dbb220def)

2 years agooptions: Do not hide variables from parent scope
Frank Lichtenheld [Fri, 28 Jul 2023 12:50:16 +0000 (14:50 +0200)] 
options: Do not hide variables from parent scope

msglevel hides the function parameter of the same name,
which could lead to confusion. Use a unique name.

Change-Id: I9f9d0f0d5ab03f8cdfd7ba7200f2d56613cc586d
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <d549c9b5e5d66624ef82f99206898ff8e43a5fb5-HTML@gerrit.openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26902.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f7c8cc092b8b6f5659cf8abd8d8624fc16f3dda2)

2 years agoSet WINS servers via interactice service
Lev Stipakov [Thu, 27 Jul 2023 15:47:06 +0000 (18:47 +0300)] 
Set WINS servers via interactice service

At the moments WINS servers are set either:

 - via DHCP, which works only for tap-windows6 driver
 - via netsh when running without interactice service

This means that in 2.6 default setup (interactive service and dco)
WINS is silently ignored.

Add WINS support for non-DHCP drivers (like dco) by passing
WINS settings to interactive service and set them there with
netsh call, similar approach as we use for setting DNS.

Fixes https://github.com/OpenVPN/openvpn/issues/373

Change-Id: I47c22dcb728011dcedaae47cd03a57219e9c7607
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230728131246.694-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26903.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 18826de5737789cb74b48fc40a9ff5cb37d38d98)

2 years agoconfigure.ac: fix typ0 in LIBCAPNG_CFALGS
Antonio Quartulli [Tue, 25 Jul 2023 06:58:40 +0000 (08:58 +0200)] 
configure.ac: fix typ0 in LIBCAPNG_CFALGS

Github: fixes OpenVPN/openvpn#371

Reported-by: Matt Whitlock <gentoo@mattwhitlock.name>
Change-Id: Ic473fbc447741e54a9aac83c70bc4e6d87d91080
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230725065840.24568-1-a@unstable.cc>
URL: https://www.mail-archive.com/search?l=mid&q=20230725065840.24568-1-a@unstable.cc
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit bd95104a2b375f87eb37441d33c8e35bd1c19b1f)

2 years agoImplement using --peer-fingerprint without CA certificates
Arne Schwabe [Wed, 24 May 2023 13:24:24 +0000 (15:24 +0200)] 
Implement using --peer-fingerprint without CA certificates

This is implements --peer-fingerprint command to support OpenVPN
authentication without involving a PKI.

The current implementation in OpenVPN for peer fingerprint has been already
extensively rewritten from the original submission from Jason [1]. The
commit preserved the original author since it was based on Jason code/idea.

This commit is based on two previous commits that prepare the infrastructure
to use a simple to use --peer-fingerprint directive instead of using
a --tls-verify script like the v1 of the patch proposed.  The two commits
preparing this are:

 - Extend verify-hash to allow multiple hashes
 - Implement peer-fingerprint to check fingerprint of peer certificate

These preceding patches make this actual patch quite short. There are some
lines in this patch that bear some similarity to the ones like

    if (!preverify_ok && !session->opt->verify_hash_no_ca)

vs

    if (!preverify_ok && !session->opt->ca_file_none)

But these similarities are one line fragments and dictated by the
surrounding style and program flow, so even a complete black box
implementation will likely end up with the same lines.

[1] https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16781.html

Change-Id: Ie74c3d606c5429455c293c367462244566a936e3
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230524132424.3098475-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26723.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c3746da7f04acf872f251d3673551963380c4d77)

2 years agoRevert commit 423ced962d
Arne Schwabe [Wed, 24 May 2023 13:24:23 +0000 (15:24 +0200)] 
Revert commit 423ced962d

This reverts commit 423ced962db3129b4ed551c489624faba4340652, which
has Jason A. Donenfeld listed as author as the patch was based on his
initial submission.

We have not received permission to relicense the original patch.

Change-Id: I8142753928498169032450c56d0497a5042bdc9b
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230524132424.3098475-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26722.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 370334828659e205941eecd1c90f085a64ca539d)

2 years agoIgnore Ipv6 route delete request on Android and set ipv4 verbosity to 7
Arne Schwabe [Wed, 12 Jul 2023 09:46:20 +0000 (11:46 +0200)] 
Ignore Ipv6 route delete request on Android and set ipv4 verbosity to 7

Android has no facility nor need one to delete routes as routes are
automatically cleaned up when the tun interface is closed. Also adjust
the IPv4 message to be only shown and verb 7 and rephrase the message.

Change-Id: If8f920d378c31e9ea773ce1f56f3df50f1ec36cd
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230712094620.569273-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26848.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ab01eaf49fa9341ff647206bd6e3017770cc0674)

2 years agomanage.c: document missing KID parameter
Lev Stipakov [Fri, 14 Jul 2023 11:18:02 +0000 (14:18 +0300)] 
manage.c: document missing KID parameter

Commit a261e173 ("Make sending plain text control message session
aware") added KID parameter to "client-pending-auth" management command,
but forgot to mention it in the output of management help.

Change-Id: I201bdaa5fe4020d15a9dd1674aba5e0c45170731
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230714111802.1773-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26856.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f5201eedd4ea55414bf8310668a3d00e7bf8ea71)

2 years agofix typo: dhcp-options to dhcp-option in vpn-network-options.rst
George Pchelkin [Fri, 14 Jul 2023 09:25:57 +0000 (11:25 +0200)] 
fix typo: dhcp-options to dhcp-option in vpn-network-options.rst

Closes: OpenVPN/openvpn#313
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230714092557.229260-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26855.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 9d2e947e7358c7998f13b142d8bf17a2ce9eb7a3)

2 years agotun.c: enclose DNS domain in single quotes in WMIC call
Lev Stipakov [Mon, 10 Jul 2023 11:21:22 +0000 (14:21 +0300)] 
tun.c: enclose DNS domain in single quotes in WMIC call

This is needed to support domains with hyphens.

Not using double quotes here, since our code replaces
them with underbars (see
https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/win32.c#L980).

Github: fixes OpenVPN/openvpn#363

Change-Id: Iab536922d0731635cef529b5caf542f637b8d491
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20230710112122.576-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26841.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 4057814a8a783d4fb1475f49f073f6b3a7797677)

2 years agoPrint a more user-friendly error when tls-crypt-v2 client auth fails
Arne Schwabe [Mon, 22 May 2023 09:12:31 +0000 (11:12 +0200)] 
Print a more user-friendly error when tls-crypt-v2 client auth fails

While it might be clear to people being (too?) well versed in
typical crypto applications that an authentication failure probably
mean wrong decryption key, this is not really obvious for the typical
user/server admin.

Change-Id: If0f0e7d53f915d39ab69aaaac43dc73bb9c26ae9
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230522091231.2837468-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26718.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7a477c16a7c2a7016c7b15ea98fe3c40e8ef675b)

2 years agoRemove old Travis CI related files
Frank Lichtenheld [Fri, 7 Jul 2023 14:46:28 +0000 (16:46 +0200)] 
Remove old Travis CI related files

They are not used or mainained anymore. So just remove them.

Change-Id: I704f7c9a9fe9a2b988410c4586183302392e690d
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230707144628.378541-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26834.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit fd43636c417b479e95ca9f3eca6b90c410bc7686)

2 years agoFix CR_RESPONSE mangaement message using wrong key_id
Arne Schwabe [Mon, 22 May 2023 10:11:38 +0000 (12:11 +0200)] 
Fix CR_RESPONSE mangaement message using wrong key_id

the management interface expects the management key id instead
of the openvpn key id. In the past they often were the same for low ids
which hid the bug quite well.

Also do not pick uninitialised keystates (management key_id is not valid
in these).

Patch v2: do not add logging

Change-Id: If9fa1165a0e886b570b3738546ed810a32367cbe
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Tested-By: Jemmy Wang
Github: fixes OpenVPN/openvpn#359
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20230522101138.2842378-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26719.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 223baa9c9b818e4c542a9037f190f53ce6f7af5c)

2 years agowork around false positive warning with mingw 12
Heiko Hund [Thu, 6 Jul 2023 17:19:22 +0000 (19:19 +0200)] 
work around false positive warning with mingw 12

When cross compiling for Windows with Ubuntu 23.04 mingw complains about

  route.c:344:26: warning: ‘special.S_un.S_addr’ may be used uninitialized

which is wrong technically. However the workaround isn't really
intrusive and while there are other warnings caused by libtool, the
cmake mingw build completes with -Werror now.

Change-Id: I8a0f59707570722eab41af2db76980ced04e6d54
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230706171922.752429-1-heiko@ist.eigentlich.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26831.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit d559affd313a8f995db15908887fbc8f16a24659)

2 years agofix warning with gcc 12.2.0 (compiler bug?)
Arne Schwabe [Sun, 27 Nov 2022 08:59:33 +0000 (09:59 +0100)] 
fix warning with gcc 12.2.0 (compiler bug?)

Changing the argument of check_malloc_return from const void* to void*
removes the warning from gcc 12.2.0:

In file included from ../../../openvpn-git/src/openvpn/crypto_openssl.c:40:
../../../openvpn-git/src/openvpn/buffer.h: In function ‘hmac_ctx_new’:
../../../openvpn-git/src/openvpn/buffer.h:1030:9: warning: ‘ctx’ may be
used uninitialized [-Wmaybe-uninitialized]
 1030 |         check_malloc_return((dptr) = (type *)
malloc(sizeof(type))); \
      |         ^~~~~~~~~~~~~~~~~~~
../../../openvpn-git/src/openvpn/buffer.h:1076:1: note: by argument 1 of
type ‘const void *’ to ‘check_malloc_return’ declared here
 1076 | check_malloc_return(const void *p)
      | ^~~~~~~~~~~~~~~~~~~

This more a quick fix/heads up for other people encountering the issue
on GCC 12.2.0 like on Ubuntu 22.10 until we figure out if this is a bug in
our code or a compiler bug.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20221127085933.3487177-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25549.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 5ad793e8cab8fcccae93fe9442eca6a6de8c044c)

2 years agoAvoid unused function warning/error on FreeBSD (and potientially others)
Arne Schwabe [Sat, 1 Jul 2023 20:24:53 +0000 (22:24 +0200)] 
Avoid unused function warning/error on FreeBSD (and potientially others)

the funktion is_on_link is not used on FreeBSD and triggers a
warning/error (-Werror) on FreeBSD.

Patch v2: use actual platforms instead an ifndef FreeBSD

Change-Id: I6757d6509ff3ff522d6de417372a21e73ccca3ba
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230701202453.3517822-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26804.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 99035769233fb1186b72cd8e1e9966a0d077e53d)

2 years agotest_tls_crypt: Improve mock() usage to be more portable
Frank Lichtenheld [Fri, 30 Jun 2023 12:39:08 +0000 (14:39 +0200)] 
test_tls_crypt: Improve mock() usage to be more portable

Use the casting variants of mock(). Using the mock_ptr_type
fixes an existing bug where test_tls_crypt.c couldn't
build in MinGW 32bit:

test_tls_crypt.c:127:27: error:
cast to pointer from integer of different size
[-Werror=int-to-pointer-cast]
  127 |     const char *pem_str = (const char *) mock();

Change-Id: I6c03313b8677fa07c07e718b1f85f7efd3c4dea8
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230630123908.82588-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26796.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e87e44f7bcdffc208292cce9d314e2e52a175026)

2 years agounit_tests: Add missing cert_data.h to source list for unit tests
Frank Lichtenheld [Wed, 21 Jun 2023 12:58:42 +0000 (14:58 +0200)] 
unit_tests: Add missing cert_data.h to source list for unit tests

Document the dependency. Also fixes cert_data.h missing from
distribution.

This is the "backport" of commit
97223cb057a0edfafd28b34427449bb3eda7d0be to release/2.6.

Change-Id: Ib82208bfa12cc8ba5ff08b4c010bf398bc92d249
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230621125842.191355-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26765.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>