Reynir Björnsson [Thu, 16 May 2024 11:58:08 +0000 (13:58 +0200)]
Only schedule_exit() once
If an exit has already been scheduled we should not schedule it again.
Otherwise, the exit signal is never emitted if the peer reschedules the
exit before the timeout occurs.
schedule_exit() now only takes the context as argument. The signal is
hard coded to SIGTERM, and the interval is read directly from the
context options.
Furthermore, schedule_exit() now returns a bool signifying whether an
exit was scheduled; false if exit is already scheduled. The call sites
are updated accordingly. A notable difference is that management is only
notified *once* when an exit is scheduled - we no longer notify
management on redundant exit.
This patch was assigned a CVE number after already reviewed and ACKed,
because it was discovered that a misbehaving client can use the (now
fixed) server behaviour to avoid being disconnected by means of a
managment interface "client-kill" command - the security issue here is
"client can circumvent security policy set by management interface".
This only affects previously authenticated clients, and only management
client-kill, so normal renegotion / AUTH_FAIL ("your session ends") is not
affected.
CVE: 2024-28882
Change-Id: I9457f005f4ba970502e6b667d9dc4299a588d661 Signed-off-by: Reynir Björnsson <reynir@reynir.dk> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240516120434.23499-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28679.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 55bb3260c12bae33b6a8eac73cbb6972f8517411)
Arne Schwabe [Wed, 8 May 2024 22:05:40 +0000 (00:05 +0200)]
Workaround issue in LibreSSL crashing when enumerating digests/ciphers
OpenBSD/LibreSSL reimplemented EVP_get_cipherbyname/EVP_get_digestbyname
and broke calling EVP_get_cipherbynid/EVP_get_digestbyname with an
invalid nid in the process so that it would segfault.
Workaround but doing that NULL check in OpenVPN instead of leaving it
to the library.
Github: see also https://github.com/libressl/openbsd/issues/150
Change-Id: Ia08a9697d0ff41721fb0acf17ccb4cfa23cb3934 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240508220540.12554-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28649.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b3a271b11723cbe520ad4ce6b4b0459de57ade06)
Arne Schwabe [Thu, 2 May 2024 12:22:31 +0000 (14:22 +0200)]
Replace macos11 with macos14 in github runners
Github's documentation states: macos-11 label has been deprecated and
will no longer be available after 6/28/2024. Add macos14 which is nowadays
supported instead.
The github macos-14 runner is using the M1 platform with ARM, so this
requires a bit more adjustment of paths.
Change-Id: Ia70f230b2e9a78939d1875395205c8f48c4944b7 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240502122231.672-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20240502122231.672-1-gert@greenie.muc.de Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 02f0845be7e54e8676e73621e424b6a1540b88b5)
- Remove obsolete ifconfig_broadcast. Since this was
removed in 2.5.0, do not add a removal note but just
completely remove it.
- Add missing documentation of IPv6 variants for
ifconfig_pool_* variables.
Github: fixes Openvpn/openvpn#527
Change-Id: Ia8c8de6799f0291fc900628fbd06c8a414e741ca Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240321161623.2794161-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28438.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a94226cdc8ed037a6763675aa47e6c821983f174)
phase2_tcp_server: fix Coverity issue 'Dereference after null check'
As Coverity says:
Either the check against null is unnecessary, or there may be a null
pointer dereference.
In phase2_tcp_server: Pointer is checked against null but then
dereferenced anyway
There is only one caller (link_socket_init_phase2) and it already has
an ASSERT(sig_info). So use that here was well.
v2:
- fix cleanly by actually asserting that sig_info is defined
Change-Id: I8ef199463d46303129a3f563fd9eace780a58b8a Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240325071448.12143-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28452.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e8c629fe64c67ea0a8454753be99db44df7ce53e)
Arne Schwabe [Mon, 25 Mar 2024 12:50:52 +0000 (13:50 +0100)]
Use snprintf instead of sprintf for get_ssl_library_version
This is avoid a warning/error (when using -Werror) under current macOS
of sprintf:
__deprecated_msg("This function is provided for compatibility
reasons only. Due to security concerns inherent in the design
of sprintf(3), it is highly recommended that you use snprintf(3)
instead.")
Change-Id: I3c6fd36eb9daee9244d6dc6d9f22de1c5cf9d039 Signed-off-by: Arne Schwabe <arne-openvpn@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240325125052.14135-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28458.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6a60d1bef424088df55f4d07efd45ce080fc7132)
Previously the sections "Encryption Options" and
"Data channel cipher negotiation" were on the same
level as "OPTIONS", which makes no sense. Instead
move them and their subsections one level down.
Use ` since that was already in use in section
"Virtual Routing and Forwarding".
Change-Id: Ib5a7f9a978bda5ad58830e43580232660401f66d Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240325071520.12513-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28453.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3fdf5aa04f7b96a3b7110f75306306ac5d7ed5fd)
- Remove compression settings. Not recommended anymore.
- Remove old cipher setting. Replaced by data-ciphers negotiation.
- Add comment how to set data-ciphers for very old clients.
- Remove/reword some old comments. e.g. no need to reference
OpenVPN 1.x anymore.
- Mention peer-fingerprint alternative.
- comment out "tls-auth" as that is not needed for a bare-bones VPN config
and needs additional setup.
Github: #511
Change-Id: I1a36651c0dea52259533ffc00bccb9b03bf82e26 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240325071320.11348-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28451.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b0fc10abd06fa2307e95c8a60fa94f7ccc08d2ac)
Lev Stipakov [Mon, 18 Mar 2024 18:17:44 +0000 (19:17 +0100)]
Disable DCO if proxy is set via management
Commit
45a1cb2a ("Disable DCO if proxy is set via management")
attempted to disable DCO when proxy is set via management interface. However,
at least on Windows this doesn't work, since:
- setting tuntap_options->disable_dco to true is not enough to disable DCO
- at this point it is a bit too late, since we've already done DCO-specific
adjustments
Since proxy can be set via management only if --management-query-proxy is
specified, the better way is to add a check to dco_check_startup_option().
Github: fixes OpenVPN/openvpn#522
Change-Id: I16d6a9fefa317d7d4a195e786618328445bdbca8 Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240318181744.20625-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28415.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit fd6b8395f6cee8a61111c28f335ec25ed6db11f7)
Lev Stipakov [Tue, 19 Mar 2024 15:27:11 +0000 (17:27 +0200)]
interactive.c: Fix potential stack overflow issue
When reading message from the pipe, we first peek the pipe to get the size
of the message waiting to be read and then read the message. A compromised
OpenVPN process could send an excessively large message, which would result
in a stack-allocated message buffer overflow.
To address this, we terminate the misbehaving process if the peeked message
size exceeds the maximum allowable size.
CVE: 2024-27459
Microsoft case number: 85932
Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
Change-Id: Ib5743cba0741ea11f9ee62c4978b2c6789b81ada Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Heiko Hund <heiko@openvpn.net>
Message-Id: <20240319152803.1801-2-lev@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28420.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 989b22cb6e007fd1addcfaf7d12f4fec9fbc9639)
Lev Stipakov [Tue, 19 Mar 2024 15:16:07 +0000 (17:16 +0200)]
interactive.c: disable remote access to the service pipe
Remote access to the service pipe is not needed and might
be a potential attack vector.
For example, if an attacker manages to get credentials for
a user which is the member of "OpenVPN Administrators" group
on a victim machine, an attacker might be able to communicate
with the privileged interactive service on a victim machine
and start openvpn processes remotely.
CVE: 2024-24974
Microsoft case number: 85925
Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
Change-Id: I8739c5f127e9ca0683fcdbd099dba9896ae46277 Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Heiko Hund <heiko@openvpn.net>
Message-Id: <20240319151723.936-2-lev@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28419.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 2c1de0f0803360c0a6408f754066bd3a6fb28237)
Lev Stipakov [Tue, 19 Mar 2024 13:53:45 +0000 (15:53 +0200)]
win32: Enforce loading of plugins from a trusted directory
Currently, there's a risk associated with allowing plugins to be loaded
from any location. This update ensures plugins are only loaded from a
trusted directory, which is either:
- HKLM\SOFTWARE\OpenVPN\plugin_dir (or if the key is missing,
then HKLM\SOFTWARE\OpenVPN, which is installation directory)
- System directory
Loading from UNC paths is disallowed.
Note: This change affects only Windows environments.
CVE: 2024-27903
Change-Id: I154a4aaad9242c9253a64312a14c5fd2ea95f40d Reported-by: Vladimir Tokarev <vtokarev@microsoft.com> Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20240319135355.1279-2-lev@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28416.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit aaea545d8a940f761898d736b68bcb067d503b1d)
Individual tests can define a script to run to test
whether they should be skipped.
Included in this commit is an example check which
checks whether we can do NTLM checks. This fails
e.g. on recent versions of Fedora with mbedTLS
(tested with Fedora 39) or when NTLM support is not
compiled in.
v2:
- ntlm_support:
- support OpenSSL 3
- allow to build without cmocka
v3:
- add example to t_client.rc-sample
- t_client.sh code style
- use syshead.h in error.h
v5:
- rename SKIP_x to CHECK_SKIP_x
Change-Id: I13ea6752c8d102eabcc579e391828c05d5322899 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240308102818.9249-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20240308102818.9249-1-gert@greenie.muc.de Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 0c7cf0694ee6f878168330e9a084c255c51a9e8b)
Kristof Provost [Wed, 24 Jan 2024 15:27:39 +0000 (16:27 +0100)]
dco-freebsd: dynamically re-allocate buffer if it's too small
It's possible for the buffer we provide for OVPN_GET_PEER_STATS to be
too small. Handle the error, re-allocate a larger buffer and try again
rather than failing.
Signed-off-by: Kristof Provost <kprovost@netgate.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240124152739.28248-1-kprovost@netgate.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28128.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 62676935d738f74908845ca96819a36a8c0c230e)
documentation: Update and fix documentation for --push-peer-info
- description of IV_PROTO was outdated, missing a lot
of flags
- complete list of compression flags, but separate them out
- various other style/grammar/typo fixes
Change-Id: I7f854a5a14d2a2a391ebb78a2a92b3e14cfd8be6 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20240206141057.46249-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28178.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b66d545ce25689588c4dbd1fb525204c78871ed0)
--http-proxy-user-pass: allow to specify in either order with --http-proxy
Previously, when using a third argument to --http-proxy other
than auto/auto-nct, order did matter between --http-proxy and
--http-proxy-user-pass. Always prefer --http-proxy-user-pass
when given.
Change-Id: I6f402db2fb73f1206fbc1139c47d2bf4378376fa Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240122092122.8591-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28099.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a634cc5eccd55f1d14197da7376bb819bdf72cb6)
Arne Schwabe [Thu, 18 Jan 2024 13:55:30 +0000 (14:55 +0100)]
Remove conditional text for Apache2 linking exception
With the reimplementation of the tls-export feature and removal/approval
or being trivial of the rest of the code, now all the code falls under
new license. Remove the conditional text of the license to be only valid
for parts of OpenVPN.
Change-Id: Ia9c5453dc08679ffb73a275ddd4f28095ff1c1f8 Acked-by: dazo <dazo@eurephia.org>
Message-Id: <20240118135530.3911-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28077.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 275aa892c30e91adfec9276f6d6845756b141c62)
Max Fillinger [Wed, 15 Nov 2023 15:17:40 +0000 (16:17 +0100)]
Disable TLS 1.3 support with mbed TLS
As of version 3.5.0 the TLS-Exporter function is not yet implemented in
mbed TLS, and the exporter_master_secret is not exposed to the
application either. Falling back to an older PRF when claiming to use
TLS1.3 seems like false advertising.
Change-Id: If4e1c4af9831eb1090ccb3a3c4d3e76b413f0708 Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231115151740.23948-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27453.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit efad93d049c318a3bd9ea5956c6ac8237b8d6d70)
Max Fillinger [Wed, 25 Oct 2023 12:18:30 +0000 (14:18 +0200)]
Add support for mbedtls 3.X.Y
Most struct fields in mbedtls 3 are private and now need accessor
functions. Most of it was straightforward to adapt, but for two things
there were no accessor functions yet:
* Netscape certificate type
* key usage (you can check key usage, but not get the raw bytes)
I decided to remove Netscape certificate type checks when using OpenVPN
with mbedtls. The key usage bytes were printed in an error message, and
I removed that part from it.
Adding the random number functions to the load private key function may
look weird, but the purpose is to make side channels for elliptic curve
operations harder to exploit.
Change-Id: I445a93e84dc54b865b757038d22318ac427fce96 Signed-off-by: Max Fillinger <max@max-fillinger.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231025121830.1030959-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27295.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ace7a4f1c271550bb8ad276663e045ab97a46f16)
NTLM: increase size of phase 2 response we can handle
With NTLMv2 the target information buffer can be rather large
even with normal domain setups.
In my test setup it was 152 bytes starting at offset 71.
Overall the base64 encode phase 2 response was 300 byte long.
The linked documentation has 98 bytes at offset 60. 128 byte
is clearly too low.
While here improve the error messaging, so that if the buffer
is too small at least one can determine that in the log.
Change-Id: Iefa4930cb1e8c4135056a17ceb4283fc13cc75c8 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240117094952.25938-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28052.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 16 Jan 2024 10:15:56 +0000 (11:15 +0100)]
Implement the --tls-export-cert feature
This is a re-implementation of the --tls-export-cert feature. This
was necessary to due to missing approval to re-license the old
(now removed) code. The re-implementation is based on the following
description of the feature provided by David:
Add an option to export certificate in PEM format of the remote
peer to a given directory.
For example: --tls-export-cert /var/tmp
This option should use a randomised filename, which is provided via a
"peer_cert" environment variable for the --tls-verify script or the
OPENVPN_PLUGIN_TLS_VERIFY plug-in hook.
Once the script or plugin call has completed, OpenVPN should delete
this file.
Change-Id: Ia9b3f1813d2d0d492d17c87348b4cebd0bf19ce2 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240116101556.2257-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28014.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c58c7c3c669461805956dabc703c1279fe58eeee)
Gert Doering [Sat, 6 Jan 2024 08:38:41 +0000 (09:38 +0100)]
fix uncrustify complaints about previous patch
cherry-picking the previous patch (9abf74c92c) picked the "raw patch"
as it came in from the mailing list, not the whitespace-fixed version
that ended up in master - so fix release/2.6 here.
Steffan Karger [Fri, 5 Jan 2024 13:57:42 +0000 (14:57 +0100)]
Fix IPv6 route add/delete message log level
We have D_ROUTE for route addition/deletion messages, which prints at
loglevel 3. Use that for IPv6, like we do for IPv4 to reduce terminal
spam for non-legacy-networking setups. Prvious code would print the
messages at --verb 1.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240105135742.21174-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27954.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b959b02b4f607628896b4092f7ddfa675e87d929)
Arne Schwabe [Fri, 5 Jan 2024 14:05:40 +0000 (15:05 +0100)]
Make it more explicit and visible when pkg-config is not found
Users seem to struggle to read the full error message. This adds an
indication if pkg-config is actually found to the warning/error message
that use pkg-config.
On platforms that do not require pkg-config and for optional libraries,
the existence of pkg-config is mentioned as part of the error/warning message.
When found:
configure: error: libnl-genl-3.0 package not found or too old. Is the development package and pkg-config (/usr/bin/pkg-config) installed? Must be version 3.4.0 or newer for DCO
not found:
configure: error: libnl-genl-3.0 package not found or too old. Is the development package and pkg-config (not found) installed? Must be version 3.4.0 or newer for DCO
On platforms where pkg-config is required (only Linux at the moment),
configure will abort when not detecting pkg-config:
checking for pkg-config... no
configure: error: pkg-config is required
Change-Id: Iebaa35a23e217a4cd7739af229cbfc08a3d8854a Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20240105140540.14757-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27939.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c0f38019b4a2044c1fe873d7d33c13ce571d3386)
Arne Schwabe [Thu, 4 Jan 2024 14:02:14 +0000 (15:02 +0100)]
Check PRF availability on initialisation and add --force-tls-key-material-export
We now warn a user if the TLS 1.0 PRF is not supported by the cryptographic
library of the system. Also add the option --force-tls-key-material-export
that automatically rejects clients that do not support TLS Keying Material
Export and automatically enable it when TLS 1.0 PRF support is not available.
Change-Id: I04f8c7c413e7cb62c726262feee6ca89c7e86c70 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240104140214.32196-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27924.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit fa7960961415fa4f368e9bbb39dc4047680ff30c)
Gert Doering [Mon, 1 Jan 2024 09:27:14 +0000 (10:27 +0100)]
get_default_gateway() HWADDR overhaul
commit f13331005d5a7 (gerrit/454) most painfully works around the limitations
of the SIOCGIFCONF API, with struct member access on an unaligned buffer,
possibly overrunning sockaddr structures, etc. - and the result still did
not work on OpenSolaris and OpenBSD (no AF_LINK in the returned elements).
Reading through OpenBSD "ifconfig" source, I found getifaddrs(3), which
is exactly what we want here - it works on FreeBSD, NetBSD, OpenBSD and
MacOS, and all returned pointers are properly aligned, so the code gets
shorter, easier to read, and UBSAN is still happy.
OpenSolaris does have getifaddrs(3), but (surprise) it does not work, as
in "it does not return AF_LINK addresses". It does have SIOCGIFHWADDR,
instead, and "man if_tcp" claims "should behave in a manner compatible
with Linux" - so TARGET_SOLARIS gets a copy of the Linux code now (works).
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20240101092714.18992-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27891.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 76d11614797617708c31dc3db22e3568fee3de6d)
Gert Doering [Mon, 1 Jan 2024 09:40:54 +0000 (10:40 +0100)]
OpenBSD: repair --show-gateway
OpenBSD route sockets do not want to be passed RTA_IFP on RTM_GET
- if we do this, we get back EINVAL.
On other platforms, if we do not request RTA_IFP, we will not get
back interface information for queried routes - on OpenBSD, RTA_IFP
comes back always...
So we need to #ifdef this, RTA_IFP on all platforms except OpenBSD.
(Found this fix in OpenBSD's ports tree, in their patches for OpenVPN
2.6.8 - but they just remove RTA_IFP, no #ifdef, so we can't just apply
their patch)
While at it, add M_ERRNO to the "write to routing socket" error message.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20240101094054.38869-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27892.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit acf6f33987c72d9151f68eb618bbaf2d10e61877)
Arne Schwabe [Sun, 31 Dec 2023 17:34:31 +0000 (18:34 +0100)]
Fix unaligned access in macOS, FreeBSD, Solaris hwaddr
The undefined behaviour USAN clang checker found this.
This fix is a bit messy but so are the original structures.
Since the API on Solaris/Illuminos does not return the AF_LINK
sockaddr type we are interested in, there is little value in
fixing the code on that platform to iterate through a list
that does not contain the element we are looking for.
Add includes stddef.h for offsetof and integer.h for max_int.
Change-Id: Ia797c8801fa9a9bc10b6674efde5fdbd7132e4a8 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231231173431.31356-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27885.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f13331005d5a75f2788685485d46be1fe2f133a1)
yatta [Thu, 19 Oct 2023 17:12:13 +0000 (01:12 +0800)]
fix(ssl): init peer_id when init tls_multi
When openvpn run in UDP server mode, if ssl connections reach the
max clients, the next connection would be failed in `multi_create_instance`
and the half connection will be close in `multi_close_instance`, which
may lead array `m->instances[0]` covered unexpectedly and make the
first connection interrupt, this patch fix this problem by init `peer_id`
with `MAX_PEER_ID` in `tils_multi_init`.
Signed-off-by: yatta <ytzhang01@foxmail.com Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <tencent_C49D67EAA5678D180C293706A9469EFE8307@qq.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27260.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3e30504d86f0fe5556acc0cb8e6975c5b2277661)
Arne Schwabe [Wed, 13 Dec 2023 10:53:08 +0000 (11:53 +0100)]
Extend the error message when TLS 1.0 PRF fails
This error will probably become more and more common in the future when
more and more systems will drop TLS 1.0 PRF support. We are already
seeing people stumbling upon this (see GitHub issue #460)
are not very helpful for people that do not have deep understanding
of TLS or the OpenVPN protocol. Improve this message to give a normal
user a chance to understand that the peer needs to be OpenVPN 2.6.x or
newer.
Change-Id: Ib3b64b52beed69dc7740f191b0e9a9dc9af5b7f3 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231213105308.121460-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27796.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6ff816142c1acdaee149c4daabb297fefc2ccde0)
Lev Stipakov [Wed, 20 Dec 2023 13:36:37 +0000 (14:36 +0100)]
tun.c: don't attempt to delete DNS and WINS servers if they're not set
Commits
1c4a47f7 ("wintun: set adapter properties via interactive service") 18826de5 ("Set WINS servers via interactice service")
added functionality of add/remove DNS/WINS via interactive
service, which is used mostly by dco-win and wintun (tap-windows6
normally uses DHCP). There is a check in code - if DNS/WINS addresses
are not pushed, nothing is added.
However, due to bug we always attempted to remove DNS/WINS,
even if nothing was added. Removing WINS, for example, could take
up to 3 seconds.
This change fixes this by improving check "has DNS/WINS been pushed?".
While on it, convert do_XXX_service() functions to "void" from "bool",
since we never check their return values.
Change-Id: I21a36d24f8e213c780f55acbe3e4df555c93542a Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231220133637.60996-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27843.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c590868a721881dd21bfb77ecf846e6c8720e4ef)
David Sommerseth [Wed, 22 Nov 2023 19:00:57 +0000 (20:00 +0100)]
Remove superfluous x509_write_pem()
After removing --tls-export-cert, this function was left in the code
base with no other users. This was an oversight in the previous
change. Removing it to avoid leaving dead code behind.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231122190057.120384-1-dazo+openvpn@eurephia.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27561.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f015643fe23d7847ad45b7763f31bfc6baed2159)
David Sommerseth [Wed, 22 Nov 2023 14:31:01 +0000 (15:31 +0100)]
Remove --tls-export-cert
As OpenVPN 2.6+ is doing some adoptions to the license text, all
prior contributors need to accept this new text. Unfortunately, Mathieu
Giannecchini who implemented the --tls-export-cert feature did not
respond at all. Without an explicit acceptance we need to remove this
feature to avoid potential legal complications.
If this is still a wanted feature, it will need to be re-implemented
from scratch.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231122143101.58483-1-dazo+openvpn@eurephia.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27557.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 12c5ef1fe6a6010362f3098d11b554566687c1f7)
Arne Schwabe [Tue, 28 Nov 2023 10:39:50 +0000 (11:39 +0100)]
Remove compat versionhelpers.h and remove cmake/configure check for it
The cmake file defined that file to be never present in contrast to the
old msvc-config.h that always had it present.
Remove also the compat implementation taken from mingw. All our current
build environments already have that header in place.
Change-Id: I9c85ccab6d51064ebff2c391740ba8c2d044ed1a Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20231128103950.62407-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27573.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a68595a582b2c6c220b4f4502753d5f4154000d8)
Recent autoconf warns:
configure.ac:448: warning: The macro `AC_TYPE_SIGNAL' is obsolete.
And it turns out that we do not actually use RETSIGTYPE.
Additionally, there is no reason to do so since as the
autoconf documentation says:
"These days, it is portable to assume C89, and that signal
handlers return void, without needing to use this macro or
RETSIGTYPE."
Change-Id: I7da7c2d7d34c7e5efd52d448646b4398a1005e77 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231128103740.61160-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27572.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit be05b590e8d5edebd8e35d97af34b0ba7e5350e6)
Arne Schwabe [Tue, 28 Nov 2023 10:43:59 +0000 (11:43 +0100)]
Fix check_session_buf_not_used using wrong index
The inner loop used i instead of j when iterating through the buffers.
Since i is always between 0 and 2 and ks->send_reliable->size is
(when it is defined) always 6 (TLS_RELIABLE_N_SEND_BUFFERS) this does not
cause an index of out bounds. So while the check was not doing anything
really useful with i instead of j, at least it was not crashing or
anything similar.
Noticed-By: Jon Williams (braindead-bf) on Github issue #449
Change-Id: Ia3d5b4946138df322ebcd9e9e77d04328dacbc5d Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231128104359.62967-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27576.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 59551b93cdb55397d63b2fe58ad99612821c0faf)
Reynir Björnsson [Thu, 26 Oct 2023 14:55:32 +0000 (16:55 +0200)]
protocol_dump: tls-crypt support
Add support for tls-crypt packets in protocol_dump(). Currently,
protocol_dump() will print garbage for tls-crypt packets.
This patch makes protocol_dump print the clear text parts of the packet such
as the auth tag and replay packet id. It does not try to print the wKc for
HARD_RESET_CLIENT_V3 or CONTROL_WKC_V1 packets. It also intentionally
does not print ENCRYPTED placeholders for ack list and DATA, to cut down
on the noise.
Signed-off-by: Reynir Björnsson <reynir@reynir.dk> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <8237adde-2523-9e48-5cd4-070463887dc1@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27310.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 227799b8345128dd3adf2029323457804209fe93)
Lev Stipakov [Wed, 15 Nov 2023 12:06:23 +0000 (13:06 +0100)]
Make --dns options apply for tap-windows6 driver
When tap-windows6 driver is used, both --dhcp-option and
--dns options are applied with DHCP. When processing --dns options,
we don't set "tuntap_options.dhcp_options" member, which is required
for DHCP string to be sent to the driver. As a result, --dns options
are not applied at all.
Fix by adding missing assignment of tuntap_options.dhcp_options.
Github: fixes OpenVPN/openvpn#447
Change-Id: I24f43ad319bd1ca530fe17442d02a97412eb75c7 Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231115120623.6442-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27402.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 60def50420b050e628f4388e3c9ff771eb70a549)
Arne Schwabe [Wed, 15 Nov 2023 10:33:31 +0000 (11:33 +0100)]
Do not check key_state buffers that are in S_UNDEF state
When a key_state is in S_UNDEF the send_reliable is not initialised. So
checking it might access invalid memory or null pointers.
Github: fixes OpenVPN/openvpn#449
Change-Id: I226a73d47a2b1b29f7ec175ce23a806593abc2ac
[a@unstable.cc: add check for !send_reliable and message] Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231115103331.18050-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27401.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a903ebe9361d451daee71c225e141f4e1b67107d)
platform.c: Do not depend Windows build on HAVE_CHDIR
This broke in the CMake build since previously we
just always set HAVE_CHDIR to 1 in the MSVC build.
But actually the code should just not check HAVE_CHDIR
on Windows.
Github: fixes OpenVPN/openvpn#448
Change-Id: I0c78ce452135fe2c80275da449215ba926471018 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20231111081808.30967-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27362.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 012ea92c414282488e3d60c87452849bde64aac4)
Arne Schwabe [Fri, 27 Oct 2023 12:19:37 +0000 (14:19 +0200)]
Fix using to_link buffer after freed
When I refactored the tls_state_change method in 9a7b95fda5 I accidentally changed a break into
a return true while it should return a false.
The code here is extremely fragile in the sense
that it assumes that settings a keystate to S_ERROR
cannot have any outgoing buffer or we will have a
use after free. The previous break and now restored
return false ensure this by skipping any further
tls_process_state loops that might set to ks->S_ERROR
and ensure that the to_link is sent out and cleared
before having more loops in tls_state_change.
CVE: 2023-46850
This affects everyone, even with tls-auth/tls-crypt enabled.
Change-Id: I2a0f1c665d992da8e24a421ff0ddcb40f7945ea8 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: David Sommerseth <davids@openvpn.net> Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20231108124947.76816-3-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20231108124947.76816-3-gert@greenie.muc.de Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 25 Oct 2023 15:46:24 +0000 (17:46 +0200)]
Double check that we do not use a freed buffer when freeing a session
This is a find cases where the session already has planned to send out
a packet but encounters some other errors that invalidate the session,
setting it to S_ERROR and leaving the buffer behind.
This will detect and clear that to_link buffer in that case.
Change-Id: I5ffb41bed1c9237946b13d787eb4c4013e0bec68 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: David Sommerseth <davids@openvpn.net> Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20231108124947.76816-2-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20231108124947.76816-2-gert@greenie.muc.de Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 19 Oct 2023 13:14:33 +0000 (15:14 +0200)]
Remove saving initial frame code
This code was necessary before the frame/buffer refactoring as we
always did relative adjustment to the frame.
This also fixes also that previously initial_frame was initialised too
early before the fragment related options were initialised and contained
0 for the maximum frame size. This resulted in a DIV by 0 that caused an
abort on platforms that throw an exception for that.
CVE: 2023-46849
Only people with --fragment in their config are affected
Change-Id: Icc612bab5700879606290639e1b8773f61ec670d Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: David Sommerseth <davids@openvpn.net> Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20231108124947.76816-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20231108124947.76816-1-gert@greenie.muc.de Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Sun, 22 Oct 2023 08:27:40 +0000 (10:27 +0200)]
dco: warn if DATA_V1 packets are sent to userspace
Servers 2.4.0 - 2.4.4 support peer-id and AEAD ciphers,
but only send DATA_V1 packets. With DCO enabled on the
client, connection is established but not working.
This is because DCO driver(s) are unable to handle
DATA_V1 packets and forwards them to userspace, where
they silently disappear since crypto context is in
DCO and not in userspace.
Starting from 2.4.5 server sends DATA_V2 so problem
doesn't happen.
We cannot switch to non-DCO on the fly, so we log this
and advice user to upgrade the server to 2.4.5 or newer.
Github: fixes OpenVPN/openvpn#422
Change-Id: I8cb2cb083e3cdadf187b7874979d79af3974e759 Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231022082751.8868-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27272.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit df7beea404df48745a608c584d863c5a377b7a1e)
Arne Schwabe [Fri, 6 Oct 2023 11:19:10 +0000 (13:19 +0200)]
Remove openssl engine method for loading the key
This is a contribution for loading engine key. OpenSSL engine is
deprecated since OpenSSL 3.0 and James Bottomley has not agreed to
the proposed license chagne. He is also okay with removing the
feature from the current code base as it is obsolete with OpenSSL 3.0.
Arne Schwabe [Mon, 9 Oct 2023 10:57:14 +0000 (12:57 +0200)]
Add warning for the --show-groups command that some groups are missing
OpenSSL has a weird way of only reporting EC curves that are implemented
in a certain way in the list of all EC curves. Note this fact and point
out that also the very important curves X448 and X25519 are affected.
Change-Id: I86641bf60d62a50e9b2719e809d2429d65c00097 Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231009105714.34598-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27193.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a840d5099a7d1a5ceb752c481fc345f6385719df)
Selva Nair [Sun, 1 Oct 2023 17:49:20 +0000 (13:49 -0400)]
Log OpenSSL errors on failure to set certificate
Currently we log a bogus error message saying private key password
verification failed when SSL_CTX_use_cert_and_key() fails in
pkcs11_openssl.c. Instead print OpenSSL error queue and exit promptly.
Also log OpenSSL errors when SSL_CTX_use_certiifcate() fails in
cryptoapi.c and elsewhere. Such logging could be useful especially when
the ceritficate is rejected by OpenSSL due to stricter security
restrictions in recent versions of the library.
Change-Id: Ic7ec25ac0503a91d5869b8da966d0065f264af22 Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20231001174920.54154-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27122.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 2671dcb69837ae58b3303f11c1b6ba4cee8eea00)
CMake: backport CMake buildsystem from master to release/2.6
This is based on the initial CMake patch by
Arne Schwabe, but extends that to provide
a complete replacement for existing MinGW
build (autotools based) and MSVC build
(openvpn.sln).
The following features are added while switching
these builds to CMake:
- vcpkg support for MinGW build, allowing for
trivial cross-compilation on Linux
- Add unittests to MSVC build
- Rework MSVC config header generation, removing
need for separate headers between autotools
and MSVC
The following advantages are reasons for switching
to CMake over the existing MSVC build:
- Easier to maintain CMake files without IDE
than the sln and vcxproj files
- Able to maintain MSVC and MinGW build side-by-side
The plan is to completely remove the existing MSVC
build system but leave the existing autotools builds
in place as-is, including MinGW support.
CMake is not the intended build system for Unix-like
platforms and there are no current plans to switch
to it.
This commits squashes a lot of commits from master
together, since most of them are just fixes or
enhancements for the original CMake commit. The
decisions was not to bloat the release/2.6 commit
history with these detours.
Arne Schwabe [Mon, 25 Sep 2023 09:44:09 +0000 (11:44 +0200)]
Mock openvpn_exece on win32 also for test_tls_crypt
This function is needed to commpile on win32 as run_command.c defines it
on Unix Linux but on windows it is defined in win32.c which pulls in too
many other unresolvable symbols.
Patch v2: Also add mock_win32_execve.c to automake files
Change-Id: I8c8fe298eb30e211279f3fc010584b9d3bc14b4a Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Heiko Hund <heiko@openvpn.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit ede590e57c96c2b16d9bf462c4b1dd967b37c432)
Message-Id: <20230925094409.40429-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27097.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Since we use strlen() to determine the length
and then check it ourselves, there is really
no point in using strncpy.
But the compiler might complain that we use
the output of strlen() for the length of
strncpy which is usually a sign for bugs:
error: ‘strncpy’ specified bound depends
on the length of the source argument
[-Werror=stringop-overflow=]
Warning was at least triggered for
mingw-gcc version 10-win32 20220113.
Also change the type of len to size_t
which avoids potential problems with
signed overflow.
v2:
- make len size_t and change code to avoid any theoretical overflows
- remove useless casts
v3:
- fix off-by-one introduced by v2 %)
v4:
- ignore unsigned overflow to simplify code
Change-Id: If4a67adac4d2e870fd719b58075d39efcd67c671 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Antonio Quartulli <a@unstable.cc> Acked-by: Heiko Hund <heiko@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c89a97e449baaf60924a362555d35184f188a646)
Message-Id: <20230922160441.167168-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27085.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
GHA: new workflow to submit scan to Coverity Scan service
Not on every push due to submit limits.
Use caching to not submit a scan for the same git commit
twice. Since we have many days without pushes to master
this saves a lot of Github and Coverity resources.
v2:
- add caching to not submit redundant scans
Change-Id: I302ccc82f9d5c43b58350bbbf7f16ad1c559248f Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230911110735.34491-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27001.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 607ae9b821665dadb6bd0a3ceb6288bda10d5e67)
No DNS resolver currently supports this and it is not possible to
emulate the behavior without the chance of errors. Finding the
effective default system DNS server(s) to specify the exclude
DNS routes is not trivial and cannot be verified to be correct
without resolver internal knowledge. So, it is better to not
support this instead of supporting it, but incorrectly.
Change-Id: I7f422add22f3f01e9f47985065782dd67bca46eb Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20230922104334.37619-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27008.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b7eea48708ee73a5999f98626fb8d31d8f88ea6f)
projects / thirdparty / openvpn.git / log
