Gert Doering [Mon, 2 Aug 2021 13:31:27 +0000 (15:31 +0200)]
Ignore --explicit-exit-notify in TCP mode.
Mixed udp+tcp configs can not have --explicit-exit-notify in them
today because this option is refused in TCP mode. At the same time,
it was always possible to push the option both in UDP and TCP mode
(with a warning logged in TCP mode, and the option reset to 0).
Do the same thing for local config - warn, and reset to 0.
(Leaving it enabled in TCP mode is harmless, but causes extra error
messages in the log which is undesired behaviour. Maybe one should
just fix the underlying logic for TCP mode instead, but this is more
invasive)
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210802133127.25000-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22690.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 2 Aug 2021 10:07:40 +0000 (12:07 +0200)]
Remove unistd.h from unit test
the unit tests do not compile under Windows since Windows does not
provide a unistd.h header. The header is still included on Unix
platforms via syshead.h
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210802100740.694474-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22685.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 28 Jul 2021 12:30:50 +0000 (14:30 +0200)]
Support NCP in pure P2P VPN setups
Currently P2P mode of OpenVPN is on of the few places that cannot negotiate
modern OpenVPN features. This becomes more and more problematic since P2P
and P2MP code diverge more and more and also the lack of switching to more
advanced features like Data v2 currently blocks P2P mode from working
together with the upcoming ovpn-dco support.
This NCP support is a lot simpler and works in the following way:
- P2P peer announce an extremely limited IV_ variable set
(IV_PROTO and IV_CIPHERS)
- Both peers check if the IV_PROTO_NCP_P2P bit is present in IV_PROTO
- if yes both sides deterministically determine according to
IV_PROTO and IV_CIPHER what options can be used and start using these
There are no poor man's NCP or other compatibility workaround like in the
normal NCP, making this NCP leaner and more deterministic.
Patch v2: remove empty lines, add doxygen comment to push_peer_info, fix
push_peer_info >= 2 that should be > 2
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210728123050.564595-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22671.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 28 Jul 2021 15:49:22 +0000 (17:49 +0200)]
Add detailed man page section to setup a OpenVPN setup with peer-fingerprint
This is meant to give new users a quickstart for a useable OpenVPN
setup. Our own documentation is lacking in this regard and many
tutorials that can be found online are often questionable in some
aspects.
Linking the individual RST file on github also give a tutorial
in a nicely formatted way.
Patch V2: Fix grammar/spelling mistakes (thanks tincantech), move
to openvpn-examples(5).
Patch v3: use server.key and server.crt instead of server.pem/serverkey.pem
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210728154922.568796-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22674.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Mon, 26 Jul 2021 22:39:20 +0000 (01:39 +0300)]
GitHub Actions: fix MSVC builds
By reasons remain unknown, MSVC GitHub Actions
started to fail after some irrelevant change.
While problem is also reproduced on my GitHub fork,
I couldn't reproduce it locally. Despiteadding
debug logging to GitHub Actions it is not clear
what went wrong:
##[debug]Exit code '3221225477' received from command
'"D:\a\openvpn\openvpn\vcpkg\vcpkg.exe"'
Turns out that update to a newer vcpkg commit fixed the problem.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210726223920.144-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22678.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 20 May 2021 15:11:47 +0000 (17:11 +0200)]
Remove --ncp-disable option
NCP has proven to be stable and apart from the one VPN Provider doing
hacky things with homebrewed NCP we have not had any reports about
ncp-disable being required. Remove ncp-disable to simplify code paths.
Note: This patch breaks client without --pull. The follow up patch
for P2P NCP will restore that. But to avoid all the NCP/non-NCP special
cases to be implemented in P2P. P2P will directly switch from always
non-NCP to always NCP.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210520151148.2565578-8-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22418.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 19 Jul 2021 13:31:32 +0000 (15:31 +0200)]
Cleanup handling of initial auth token
This changes that auth_token_initial is set when the token is
initially generated instead when pushing the token. Even I do not
know anymore why I did it in this way in the first place. Also use
multi->auth_token_initial as source for the sesssion ID since it should
now always be available. Also set auth_token_initial directly to
up->password once we verified that we have gotten a valid token from
a client. This cleans ups the logic in generating the environment and
makes the code flow clearer.
Since the change makes auth_token_initial always available we need to add
a check to only send a PUSH reply to update the token on renegotiations.
The old code relied on multi->auth_token not being set in this case.
This commit also removes the workaround for old OpenVPN clients. These
were only available as commercial OpenVPN Connect client and not in use
anymore.
Furthermore, introduce a check if the session ID has changed during a
session. Even though this is still a valid authentication changing to
a different auth token mid session is highly irregular and should never
occur naturally.
Patch V2: rebase.
Patch V3: fix formatting, clarifying commit message, remove initial
token workaround for old v3.
Patch v4: move sending the auth-token for renegotiations to a sane place
and trigger it when the TLS session reaches its fully authenticated
state.
Patch v5: Move also setting auth_token_inital from up->password to a more
logical place, general cleanups, add session id mismatch check
Patch v6: Rework some comments and general cleanup of small things
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210719133132.128783-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22645.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 23 Jun 2021 18:37:28 +0000 (20:37 +0200)]
Fix tls-cert-profile broken on OpenSSL 1.1+
Commit bc36d9d569 removed the autoconf detection of various OpenSSL
functions. This overlooked HAVE_SSL_CTX_SET_SECURITY_LEVEL check in
tls_ctx_set_cert_profile. Replace this also with a version number
based check.
Tested with LibreSSL on OpenBSD 6.8, OpenSSL 1.1 and wolfSSL.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210623183728.2565286-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22584.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 5 Jul 2021 13:34:14 +0000 (15:34 +0200)]
Introduce S_GENERATED_KEYS state and generate keys only when authenticated
Since generating data channel keys does not happen when we have reached
the S_ACTIVE/S_GOT_KEY state anymore like it used to be before NCP, the
state that data channel keys have been created deserves its own state in
the TLS session state machine.
The changes done by this commit are rather intrusive since they
move the key generation to a completely different place and also
rely on the state machine to decide if keys should be
generated rather than on the complicated conditions that were
implemented in the key_method_2_write/read methods.
A (intended) side effect of this change is that sessions that
are still in deferred state (ks->authenticated == KS_DEFERRED)
will not have data channel keys generated. This avoids corner
cases where a not fully authenticated sessions might leak data.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Patch v2: rebased
Patch v3: fix crash in non TLS mode
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210705133414.3102815-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22617.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
The IV_HWADDR description was only partially correct, as there are more
implementations using other values than the MAC address of the default
gateway.
The intention of this value is to provide a unique identifier of the
client and on some platforms this is not possible to retrieve other than
to generate this information.
The 64 bytes limitation is an arbitrary value, it is not enforced by
OpenVPN 2.x. But it was considered a good idea to at least have some
reasonable upper limit of how long this string can be, at least for
those implementing support for this information.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210709134849.161728-1-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22625.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Wed, 30 Jun 2021 18:51:34 +0000 (20:51 +0200)]
doc: Use generic rules for man/html generation
Prior to this patch, the Makefile.am needs to be modified multiple
places to add a new man or HTML page to be generated. Since it is not
too often we modify this, it is easy to miss these finer details.
This changes the man and HTML generator rules to be more generic and use
variables as many places as possible. Also moved all the lines which
should not need to be changed as much towards the bottom-half of the
file.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210630185134.144826-1-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22604.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Fri, 25 Jun 2021 01:04:05 +0000 (04:04 +0300)]
Fix console prompts with redirected log
When openvpn needs to prompt user for a password
(for example, to set management interface password),
the prompt is written to standard error device.
When log is redirected to a file, that prompt is written
to that file and not to the "original" stderr. Moreover, on recent
Insider build (21390.2025) openvpn exits with fatal error
get_console_input_win32(): unexpected error: No such device or address
(errno=6)
while attempting to write that prompt.
When redirecting stdout/stderr, we use _dup2() to associate stderr
descriptor with a log file. This call closes file associated
with stderr descriptor, which might explain why it has stopped
working (original stderr is closed and WriteFile() fails) and on
older versions it appears to work "by accident" - not failing
but use redirected stderr instead of original one.
Fix by creating new file descriptor with _dup() for stderr
before redirect and use this descriptor for writing prompts.
While on it, make code a bit more C99-ish by moving variables
declaration from the beginning of the scope to the actual
initialisation.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210625010405.224-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/search?l=mid&q=20210625010405.224-1-lstipakov@gmail.com Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Fri, 18 Jun 2021 18:12:46 +0000 (20:12 +0200)]
Add error reporting to get_console_input_win32().
When the function setup fails due to invalid file handles, or because
WriteFile(err, ...) fails (due to file handle corruption elsewhere),
the function used to silently "return false"
Change this to print a M_WARN|M_ERRNO message.
Also, change the function style to early-return style (= large diff, but
most are indent changes only).
v2: fix spurious "}" that was left over from change to early-return.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20210618181246.30769-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22577.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 4 Jun 2021 14:39:38 +0000 (16:39 +0200)]
Make waiting on auth an explicit state in the context state machine
Previously we relied on checking tls_authentication_status to check
wether to determine if the context auth state is actually valid or not.
This patch eliminates that check by introducing waiting on the
authentication as extra state in the context auth, state machine.
The simplification and reorganization of the state machine in this
and the previous patches also eliminates a number of corner cases,
including the specific one that lead to CVE-2020-15078.
Patch v3: Fix ccd config from management being ignored
Patch v4: Fix race condition, we need to accept the config from
management if we are in CAS_WAITING_AUTH or earlier states
and not just in CAS_WAITING_AUTH state
CVE: 2020-15078
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210604143938.779193-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22491.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 20 May 2021 15:11:42 +0000 (17:11 +0200)]
Add connection_established as state in tls_multi->context_auth
The socket_info->connection_establish is set through
link_socket_set_outgoing_addr when we reach FULL_SYNC. This patch
introduces a new state in context_auth that replaces the
connection_established state for TLS connections. This make the state
machine easier to understand.
Also, rename "enum client_connect_status" to "multi_status", re-order
states so CAS_NOT_CONNECTED (=0) is the default state, and introduce
CAS_CONNECT_DONE as numerically highest so "are we done?" can be
easily checked.
This is part of the patchset to fix CVE-2020-15078 in "master" by
reorganizing the handling of incoming new and renegotiated TLS sessions
to make the code easier to understand and less prone to "edge case"
issues.
Patch v2: fix p2p mode server without (without ncp)
CVE: 2020-15078
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210520151148.2565578-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22419.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 20 May 2021 15:11:40 +0000 (17:11 +0200)]
Move auth_token_state from multi to key_state
The auth-token check is tied to the username/password that is coming
via a specific SSL session, so keep the state also in the key_state
structure.
This also ensures the auth_token_state is always set to 0 on a new
session since we clear the key_state object at the start of a new
SSL session.
This is a prerequisite patch to fix 2020-15078 in the following two
commits.
This also applies the changes to the auth_token_test.c. The change of
tls_session to a pointer is necessary since before that we had tls_session
not tied to the multi and had two tls_session used in the test. One
implicitly in tls_multi and one explicit one. Merge these to one.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210520151148.2565578-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22415.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Thu, 17 Jun 2021 06:12:26 +0000 (09:12 +0300)]
crypto_openssl.c: disable explicit initialization on Windows (CVE-2121-3606)
Commit a4071b ("crypto_openssl: add initialization to pick up local
configuration") added openssl initialization to load configuration
file. However on Windows this file is loaded from user-writable
directory, such as c:\etc\ssl for mingw builds and (for example)
c:\vcpkg\packages\openssl_x64-windows\openvpn.cnf for vcpkg
builds. This could be a security risk.
CVE-2121-3606 has been assigned to acknowledge this risk.
Since aforementioned commit implements a niche feature which might
be better solved with CryptoAPI on Windows, make this code conditional
(for now).
CVE: 2121-3606 Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210617061226.244-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22568.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Wed, 2 Jun 2021 19:47:39 +0000 (15:47 -0400)]
Apply the connect-retry backoff to only one side of a connection
p2p connections with both ends backing off seldom succeed
as their connection attempt durations becomes increasingly
unlikely to overlap when the retry wait time is long.
Avoid this by applying the backoff logic only on TCP clients
or the tls_client side for UDP.
Regression warning: shared secret setups are left out of the
backoff logic.
Trac: #1010, #1384
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210602194739.29488-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22485.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 20 May 2021 15:11:41 +0000 (17:11 +0200)]
Implement auth-token-user
When not using username and password (i.e. auth-user-pass) it can still
be desirable to provide the client with an auth-token, e.g. for allowing
a session to continue after a reconnect without requiring 2FA again.
However, without --auth-user-pass openvpn does not have a username and will
ignore any pushed auth-token command.
This patch adds support for auth-token-user to set the username that should
be used for auth-token
The spec of using auth-token-user base64-encoded-user are the ones that
OpenVPN3 already implements.
Patch V2: Improve style, fix comments and commit message
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210520151148.2565578-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22417.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Mon, 7 Jun 2021 10:42:13 +0000 (13:42 +0300)]
contrib/vcpkg-ports: add pkcs11-helper port
pkcs11-helper is a dependency library used by OpenVPN.
So far it has been built only by mingw.
Since we're making MSVC build system a first class citizen,
we need to build depencencies with MSVC, which we do with vcpkg.
All dependencies are in vcpkg official repo, expect pkcs11-helper.
This provides vcpkg port for building pkcs11-helper.
To build for other arch, use x86-windows-ovpn or arm64-windows-ovpn.
Custom triplets are defines so that lz4 is linked statically and
other libraries dynamically.
Since we don't have CMake support yet, we cannot use vcpkg manifest
mode, since it doesn't work with overlay ports
(https://github.com/microsoft/vcpkg/issues/12289),
therefore this one-time manual dependency installation is required.
While on it, bump msvc-generate project target version to VS2019 and
cleanup leftovers from compat.vcxproj.filters.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210514045704.686-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22389.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 8 Jun 2021 15:24:34 +0000 (17:24 +0200)]
Add github actions
dummy0 gives strange errors on the Ubuntu 16 runner on github actions
because
dummy already exist, so use a more unique ovpn-dummy0 name instead.
Github actions are a good alternative to travis-ci, which futrure is
questionable
at the moment without payment. The github actions also allows building on
macOS
and Windows (not included in this commit). The matrix is a bit different
than Coverity and uses different Ubuntu version with their native OpenSSL
(1.0.2, 1.1.1)/mbed TLS instead of manually compiling different OpenSSL
versions on just Ubuntu 20.04.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20210608152434.1403999-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22511.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Matthias Andree [Thu, 3 Jun 2021 12:30:19 +0000 (14:30 +0200)]
Fix SIGSEGV (NULL deref) receiving push "echo"
A server pushing "echo" without arguments can crash the client.
In such a situation, the code in question receives p[1] == NULL
(which was CLEAR(p)'ed above), hands it strncmp, which then
dereferences the null pointer.
Original report and analysis here:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256331
Selva Nair [Wed, 26 May 2021 22:49:19 +0000 (18:49 -0400)]
Replace TEXT(__FUNCTION__) by __FUNCTION__ in openvpnmscia.c
TEXT(__FUNCTION__) does not work in mingw as __FUNCTION__
is not a macro. Instead, use __FUNCTION__ as a narrow
string in both UNICODE and ANSI builds.
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20210526224919.511-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22461.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Tue, 25 May 2021 17:38:38 +0000 (13:38 -0400)]
Print format spec changes for tapctl and openvpnmscia
The tapctl and openvpnmscia codebase is written with an intent of
supporting both unicode and ansi builds. This patch does not attempt
to change that although non-unicode support looks untested
and buggy.
The main change is to replace %s by PRIsLPTSR that is defined
as %ls or %s depending on _UNICODE is defined ot not.
v2: add missing ')' and fix whitespace
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20210525173838.3969-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22453.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Sat, 22 May 2021 03:32:31 +0000 (23:32 -0400)]
Use C standard compliant format specs in wprintf functions
- Use %ls for wchar_t * and %hs for char * variables
This makes it possible to build correctly with or without
__USE_MINGW_ANIS_STDIO defined. When this define is not used
all printf/scanf family functions are resolved from the windows
runtime MSVCRT. Newer (since version 8) mingw-w64 versions have
started automatically enabling this macro under some feature
sets such as _GNU_SOURCE and C99.
The changes should not affect MSVC builds as Windows support
these format specifications.
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20210522033232.20548-2-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22436.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Sat, 22 May 2021 03:32:30 +0000 (23:32 -0400)]
Make it explicit that WIndows build requires UNICODE support
The interactive service code implicitly treats TCHAR == WCHAR in
several places with the assumption that we build only with UNICODE
defined. Make this explicit and remove some redundant code.
Also replace openvpn_sntprintf(), _tprintf() and similar with
explicit wide string functions. This adds some definiteness as
to which stdio functions are used, and helps the next commit that
makes those calls C-standard compliant.
Also, replace direct swprintf calls with openvpn_swprintf.
Note: we need UNICODE defined mainly because of the use of
TEXT("..") throughout the code. If those are replaced by L"..",
we could build with just -municode as done for OpenVPN
core.
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20210522033232.20548-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22437.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Tue, 11 May 2021 07:57:39 +0000 (10:57 +0300)]
openvpnmsica: properly schedule reboot in the end of installation
A deferred custom action can not set the reboot status via MsiSetMode.
To schedule reboot:
- get user's temp directory in immediate custom action
(EvaluateTUNTAPAdapters) which is called in the beginning of
installation and pass it to the deffered action
- in deferred action (ProcessDeferredAction) create a special empty file
in user's temp directory if reboot is required
- in the end of installation call immediate custom action
(CheckAndScheduleReboot) which checks the existence of special file
and uses MsiSetMode() to schedule reboot
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210511075739.158-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22335.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Thu, 13 May 2021 14:00:39 +0000 (17:00 +0300)]
win32: add missing include header
Commit 5a571fb0 ("Move utility function from win32.c to win32-util.c")
moved some functions from win32.[ch] to a new win32-util.[ch], but missed
adding new include header, which results in compilation errors like:
>cryptoapi.c
>C:\Users\lev\Projects\openvpn\src\openvpn\cryptoapi.c(755,53): error
C2220: the following warning is treated as an error
>C:\Users\lev\Projects\openvpn\src\openvpn\cryptoapi.c(755,53):
warning C4047: '=': 'const void *' differs in levels of indirection from
'int'
Fix by adding #include "win32-util.h" to "win32.h".
While on it, update vcxproj.filters with a new header so that
it looks "correct" in VS project view.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210513140039.265-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22379.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 10 May 2021 13:13:56 +0000 (15:13 +0200)]
Use exponential backoff for caching in tls_authentication_status
The caching in tls_authentication_status broke the quick reaction to
authentication status in the code paths that did not do caching like
PUSH_REQUEST reply code path.
This patch introduces exponential backoff for the caching so we still
retain the quick reaction while still keeping the benefit of caching.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210510131356.968965-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22327.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 6 May 2021 14:12:59 +0000 (16:12 +0200)]
Return cached result in tls_authentication_status
tls_authentication_status does caching to avoid file I/O more than
every TLS_MULTI_AUTH_STATUS_INTERVAL (10s) per connection. But
counter-intuitively it does not return the cached result but rather
TLS_AUTHENTICATION_UNDEFINED if the cache is not refreshed by the call.
This is workarounded by forcing a refresh in some areas of the code
(latency = 0).
This patch changes the behaviour by always returning the last known
status and only updating the file status when the i/o timeout for the
caches is reached.
The old logic in send_auth_failed is fragile in the sense that if
it is called again while an exit is scheduled it will reset the timer
to 5s again. Since we now always report the status from
tls_authentication_status() instead only every 10s, this caused OpenVPN
to infinitively reset the timer. Fix this by only setting the status
if no exit is scheduled. The function is still called multiple times but
since it is with coarse timer frequency, the 4 extra calls (1 per second)
are better than to add more extra code to avoid these calls.
The patch also changes the DEFINE enum into a real enum.
Patch v2: only update tas_cache_last_udpate when actually updating the cache.
Patch v3: avoid rearming timer
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210506141259.309741-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22318.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 12 May 2021 13:15:09 +0000 (15:15 +0200)]
Move utility function from win32.c to win32-util.c
This done to allow to include parts win32.c when building unit tests
as win32.c itself has too many dependencies and cannot be included in
a small unit test.
Also fix a missing Windows.h include in error.h that otherwise
breaks complation when included from unit tests.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210512131511.1309914-8-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22348.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 12 May 2021 13:15:03 +0000 (15:15 +0200)]
Remove explicit struct iovec check (HAVE_IOVEC)
This macro is currently used only in 3 places in syshead.h
- EXTENDED_SOCKET_ERROR_CAPABILITY is linux specific anyway and
starts with #if defined(HAVE_LINUX_TYPES_H)
- port share and ip_pktinfo macros depends on sendmsg/recvmsg
that implicitly also require iovec
So in all three cases we can implicitly assume that iovec is present
and do not need to make this explicit check
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210512131511.1309914-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22343.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Add CRL extractor script for --crl-verify dir mode
When --crl-verify is enabled, specified CRL file gets reloaded on
every client connection. With huge CRL files it may take a significant
amount of time - seconds and tens of seconds, during which OpenVPN is
blocked and can't serve existing and/or incoming connections due its
singlethread nature.
In alternative mode --crl-verify option takes directory containing
files named as decimal serial numbers of the revoked certificates and
'dir' flag, revoked certificate check is being done by checking the
presence of client's certificate number in that directory.
This script allow to perform incremental extraction of revoked serial
numbers from CRL by adding absent ones and removing excess ones.
Arne Schwabe [Mon, 3 May 2021 10:58:50 +0000 (12:58 +0200)]
Remove support for blocking connect()
It is hard to imagine that we still have any supported OS that does
not support non-blocking connect while still supporting non-blocking
sockets in general.
Patch V2: remove epoll.h removal that should have been in other patch.
Patch V3: remove another instance in socket.c that I misseds in v1
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210503105850.3903732-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22291.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 22 Apr 2021 15:29:39 +0000 (17:29 +0200)]
Remove a number of platform specific checks in configure.ac
- Remove windows XP/old mingw compat code in socket.c
- Use _WIN32 instead checking for existence of windows.h, winsock2.h
and ws2tcpip.h in autconf
- Remove check for unlink. The last remaining use is a check inside
a Unix socket.
- Even Windows has umask, so remove the check for it
- Move epoll.h inclusion to event.c
Patch V2: Add epoll.h syshead.h that accidently was put into another
patch
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210422152939.2134046-6-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22201.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 22 Apr 2021 15:29:36 +0000 (17:29 +0200)]
Move direct.h header where it is used
The direct.h header provides only a handful of functions [1] of which
we only use _wchdir. Directly included the direct.h file where it is
used and remove autoconf magic around it.
A switch block in interactive.c is missing the _undo_type_max value
of the neum set, thus triggering a compiler warning.
Due to the logic, this value cannot really be assigned to the variable
being examinated, however, add the missing enum value to silence
the warning.
Fixes:
interactive.c: In function ‘Undo’:
interactive.c:1561:13: warning: enumeration value ‘_undo_type_max’ not
handled in switch [-Wswitch]
1561 | switch (type)
| ^~~~~~
Signed-off-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210501130640.9330-4-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22267.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
warn_used is a static variable but that is used only under certain
conditions. These conditions do not apply for Windows and therefore
mingw is spitting a warning for unused variable.
Move variable declaration inside code block that uses it.
Fixes:
run_command.c: In function ‘openvpn_popen’:
run_command.c:236:17: warning: unused variable ‘warn_shown’
[-Wunused-variable]
236 | static bool warn_shown = false;
| ^~~~~~~~~~
Signed-off-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210501130640.9330-3-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22265.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
windows: use appropriate and portable format specifier for 64bit pointer
To print a 64bit poiner, fprintf() must be provided with the appropriate
format specifier.
The most portable in this case is PRIx64, which is redefined accordingly
on each platform. It comes from inttypes.h and it's the recommended way
to print a 64bit long hex value.
Fixes various warnings of this type:
event.c: In function ‘we_ctl’:
event.c:235:24: warning: 'I' flag used with ‘%x’ gnu_printf format
[-Wformat=]
235 | dmsg(D_EVENT_WAIT, "WE_CTL n=%d ev=%p rwflags=0x%04x arg="
ptr_format,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
error.h:151:68: note: in definition of macro ‘dmsg’
151 | #define dmsg(flags, ...) do { if (msg_test(flags)) {x_msg((flags),
__VA_ARGS__);} EXIT_FATAL(flags); } while (false)
|
^~~~~~~~~~~
event.c:235:24: warning: format ‘%x’ expects argument of type ‘unsigned
int’, but argument 6 has type ‘long long unsigned int’ [-Wformat=]
235 | dmsg(D_EVENT_WAIT, "WE_CTL n=%d ev=%p rwflags=0x%04x arg="
ptr_format,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
......
239 | (ptr_type)arg);
| ~~~~~~~~~~~~~
| |
| long long unsigned int
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210501130640.9330-2-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22268.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Add documentation on EVENT_READ/EVENT_WRITE constants
Changes from v4:
- get rid of the overly complex EVENT_SHIFT() macro
Changes from v3:
- re-introduce READ/WRITE_SHIFT because they are different from
EVENT_READ/WRITE
- define also EVENT_READ/WRITE using READ/WRITE_SHIFT
Changes from v2:
- moved event definitions to event.h
- removed READ/WRITE_SHIFT and use EVENT_READ/WRITE
- removed ifdefs around *_SHIFTS definitions in event.h
Changes from v1:
- fixed typ0s
- extended comment
- moved *_SHIFT definition to openvpn.h
- made READ/WRITE events dependant on _SHIFT definition with a macro
Signed-off-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210427191314.21317-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22247.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Crypto backends are implementing the cipher_des_encrypt_ecb()
function without fully respecting the type of the argumentis as described
in the function prototype.
All ECB arguments (key, input block and output block) are expected to
be 8 bytes long, for this reason the prototype specifies the arguments
as 3 arrays of 8 bytes in size.
Convert the implementations to also explicitly mention the size of the
array they expect to receive in input.
Fixes these warnings:
crypto_openssl.c:866:39: warning: argument 2 of type ‘unsigned char *’
declared as a pointer [-Warray-parameter=]
866 | unsigned char *src,
| ~~~~~~~~~~~~~~~^~~
In file included from crypto.h:125,
from crypto_openssl.c:42:
crypto_backend.h:202:43: note: previously declared as an array ‘unsigned
char[8]’
202 | unsigned char src[DES_KEY_LENGTH],
| ~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~
crypto_openssl.c:867:39: warning: argument 3 of type ‘unsigned char *’
declared as a pointer [-Warray-parameter=]
867 | unsigned char *dst)
| ~~~~~~~~~~~~~~~^~~
In file included from crypto.h:125,
from crypto_openssl.c:42:
crypto_backend.h:203:43: note: previously declared as an array ‘unsigned
char[8]’
203 | unsigned char dst[DES_KEY_LENGTH]);
| ~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~
Signed-off-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210428081054.29081-1-a@unstable.cc>
URL: https://www.mail-archive.com/search?l=mid&q=20210428081054.29081-1-a@unstable.cc Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 7 Apr 2021 15:49:51 +0000 (17:49 +0200)]
Implement deferred auth for scripts
This patch also refactors the if condition that checks the result of
the authentication since that has become quite unreadable. It renames
s1/s2 and extracts some parts of the condition into individual variables
to make the condition better understandle
Patch v2: add refactoring of the if condition
Patch v4: fix documentation not mentioning method as 2nd line
Patch v5: fix deferred auth used by both plugin and script not working
Patch v6: Add missing async inotify for script deferred auth
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Tested-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210407154951.13330-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22072.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Tue, 27 Apr 2021 11:03:00 +0000 (13:03 +0200)]
rewrite parse_hash_fingerprint()
The existing code was doing far too much work for too little
gain - copying the string segment for scanf(), checking extra
for spaces, making the result quite unreadable.
Verify each segment with (short-circuited) isxdigit() checks,
then feed directly to scanf(), which will stop parsing on ':'
or end-of-string.
Rewrite error message to differentiate "hash too short" (including
number of bytes read) and "hash too long" (it did not terminate when
we had enough bytes).
While at it, add an option printer for the resulting o->verify_hash
list to show_settings().
v2:
fix typo in commit message
appease whitespace dragon
add printing of verify_hash_algo and verify_hash_depth
print correct hash length for SHA1 certs
fix incorrect assignment to options->verify_hash_algo in c3a7065d5
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210427110300.6911-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22241.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 8 Apr 2021 14:02:26 +0000 (16:02 +0200)]
Change options->data_channel_use_ekm to flags
Instead maintaining two different representation of the data channel
options in struct options and struct tls_options, use the same
flags variable that tls_options uses.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210408140229.31824-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22084.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 21 Apr 2021 12:34:15 +0000 (14:34 +0200)]
Allow all GCM ciphers
OpenSSL also allows ARIA-GCM and that works well with our implementation
While the handpicked list was needed for earlier OpenSSL versions (and
is still needed for Chacha20-Poly1305), the API nowadays with OpenSSL
1.0.2 and 1.1.x works as expected.
Patch V2: Remove special cases for AES-GCM ciphers.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210421123415.1942917-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22168.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 22 Apr 2021 15:17:18 +0000 (17:17 +0200)]
Move tls_select_primary_key into its own function
tls_pre_encrypt mainly performs the task of selecting the primary
encryption key but also performs other minor tasks. To allow only
querying for the key that should be used for encryption extract this
part of the function into its own function.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210422151724.2132573-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22198.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
options: check for blanks in fingerprints and reject string if found
A fingerprint is not expected to contains any blank (white space),
however, the parser routine will still attempt parsing the octect
and ignore the space.
This means that a fingerprint like
"5 :F0: 8:75:70:46:6E:(...)"
will be parsed successfully.
Explicitly check for spaces in the various octets, before conversion,
and error out if any is found.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210421234908.12817-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22182.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Max Fillinger [Thu, 15 Apr 2021 09:34:54 +0000 (11:34 +0200)]
Abort if CRL file can't be stat-ed in ssl_init
Now that the path for the CRL file is handled correctly when using
chroot, there's no good reason for the file to be inaccessible during
ssl_init().
This commit ensures that the CRL file is accessed successfully at least
once, which fixes a bug where the mbedtls version of OpenVPN wouldn't
use a reloaded CRL if it initially failed to access the file.
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210415093454.18324-1-maximilian.fillinger@foxcrypto.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22118.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Max Fillinger [Thu, 15 Apr 2021 09:12:48 +0000 (11:12 +0200)]
In init_ssl, open the correct CRL path pre-chroot
When using the chroot option, the init_ssl function can be called before
entering the chroot or, when OpenVPN receives a SIGHUP, afterwards. This
commit ensures that OpenVPN tries to open the correct path for the CRL
file in either situation.
This commit does not address key and certificate files. For these, the
--persist-key option should be used.
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210415091248.18149-1-maximilian.fillinger@foxcrypto.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22117.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sun, 28 Mar 2021 12:02:41 +0000 (14:02 +0200)]
Fix condition to generate session keys
When OpenVPN sees a new (SSL) connection via HARD_RESET or SOFT_RESET with
the same port/ip as an existing session, it will give it the slot of the
renegotiation session (TM_UNTRUSTED). And when the authentication
succeeds it will replace the current session. In the case of a SOFT_RESET
this a renegotiation and we will generated data channel keys at the of
key_method_2_write function as key-id > 0.
For a HARD RESET the key-id is 0. Since we already have gone through
connect stages and set context_auth to CAS_SUCCEEDED, we don't
call all the connect stages again, and therefore also never call
multi_client_generate_tls_keys for this session.
This commit changes postponing the key generation to be done only if
the multi_connect has not yet been finished.
Patch V2: Explain better in the commit message why this change is done.
Trac: #1316
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210328120241.27605-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21873.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sun, 18 Apr 2021 16:01:11 +0000 (18:01 +0200)]
Move context_auth from context_2 to tls_multi and name it multi_state
context_2 and tls_multi have the same life cycle for TLS connections
but so this move does not affect behaviour of the variable.
OpenVPN TLS multi code has a grown a lot more complex and code that
handles multi objects needs to know the state that the object is in.
Since not all code has access to the context_2 struct, the code that
does not have access is often not checking the state directly but
checks other parts of multi that have been affected from a state
change.
This patch also renames it to multi_state as this variable represents
the multi state machine status rather than just the state of the connect
authentication (more upcoming patches will move other states
into this variable).
Patch V2: also rename context_auth to multi_state, explain a bit why this
change is done.
Patch V3: Add comments for c2->multi NULL check forwarding. Fix compile
with ENABLE_ASYNC_PUSH.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210418160111.1494779-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22155.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 16 Apr 2021 11:09:55 +0000 (13:09 +0200)]
Add parsing of dhcp-option PROXY_HTTP
This adds support for setting a HTTP proxy that should be used after
connecting to a VPN.
The syntax has been picked to have compatibility with OpenVPN3.
Otherwise I would have used HTTP-PROXY instead.
Since this option requires an additional argument compared to the
existing dhcp-option keywords, move checking the number of arguments
to the individual keywords.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210416110955.1162574-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22129.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Fix IPv4 default gateway with multiple route tables
Current default gateway selection for zero destination address just
dumps and parses all the routing tables. If any of non-main table
with default route comes first, wrong default gateway can be picked.
Since adding/removing routes currently handles only main table,
let's stick to RT_TABLE_MAIN while selecting default route too.
v2: keep gateway address unchanged on lookup error
v3: reduce ammout of gateway address copying
Reported-by: Donald Sharp <donaldsharp72@gmail.com> Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210416120708.1532-1-themiron@yandex-team.ru>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22130.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 15 Apr 2021 11:45:41 +0000 (13:45 +0200)]
Remove LibreSSL specific defines not needed for modern LibreSSL
Most of the functions remove were either already have a version check
against LibreSSL 2.9.0 or are also now deprecated in LibreSSL as well
according to the man pages in OpenBSD 6.8 like SSL_CTX_set_ecdh_auto
and SSL_library_init.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210415114541.1001644-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22119.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 8 Apr 2021 12:00:27 +0000 (14:00 +0200)]
Always save/restore pull options
The makes the code path for pull and non-pull more aligned and even
though this might do extra work for non-pull scenarios, saving the
few bytes of memory is not a worthwhile optimisation here.
Additionally with the upcoming P2P mode NCP, the client needs to
save/restore a subset of these options anyway.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210408120029.19438-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22079.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 6 Apr 2021 16:25:18 +0000 (18:25 +0200)]
Remove OpenSSL configure checks
These checks for the functions take a lot of time in configure call and
also having these checks make it more blurry for which of the supported
OpenSSL versions (and libraries claiming to be OpenSSL) are actually
needed.
Tested with OpenSSL 1.1.1(Ubuntu 20, macOS), 1.0.2 (CentOS7),
1.1.0 (Debian stretch), LibreSSL (OpenBSD 6.8) and wolfSSL
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210406162518.4075-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22051.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Max Fillinger [Mon, 12 Apr 2021 17:46:17 +0000 (19:46 +0200)]
Fix build with mbedtls w/o SSL renegotiation support
In mbedtls, support for SSL renegotiation can be disabled at
compile-time. However, OpenVPN cannot be built with such a library
because it calls mbedtls_ssl_conf_renegotiation() to disable this
feature at runtime. This function doesn't exist when mbedtls was built
without support for SSL renegotiation.
This commit fixes the build by ifdef'ing out the function call when
mbedtls was built without support for SSL renegotiation.
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <E1lW0eX-00012w-9n@sfs-ml-1.v29.lw.sourceforge.com>
URL: https://www.mail-archive.com/search?l=mid&q=E1lW0eX-00012w-9n@sfs-ml-1.v29.lw.sourceforge.com Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 6 Apr 2021 16:25:16 +0000 (18:25 +0200)]
Remove a number of checks for functions/headers that are always present
For the unlink function we actually have code that just ignores
the unlink call if the unlink function is not present. But all
platforms should have an unlink function.
This also removes all conditionals check for the headers that
belong to the C99 standard library header list
(https://en.cppreference.com/w/c/header).
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210406162518.4075-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22053.html Signed-off-by: Gert Doering <gert@greenie.muc.de>