git.ipfire.org Git - thirdparty/openvpn.git/log

Move tls_process_state into its own function
Arne Schwabe [Fri, 22 Apr 2022 14:29:39 +0000 (16:29 +0200)]

This function does most of the state transitions in the TLS state
machine. Moving it into its own function removes an indentation area and
makes the tls_process function easier to understand as the loop is more
obvious.

This is largely just a code move with a small exception. bool active is
no longer directly set but inferred from to_link->len.

Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220422142953.3805364-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24157.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>

Extract session_move_active into its own function
Arne Schwabe [Tue, 26 Apr 2022 13:23:24 +0000 (15:23 +0200)]

This makes the tls_process function smaller and easier to understand and
this state easier to understand in its own function.

Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220426132324.76517-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24212.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>

Change FULL_SYNC macro to no_pending_reliable_packets function
Arne Schwabe [Tue, 26 Apr 2022 13:23:23 +0000 (15:23 +0200)]

This changes this macro to a better named inline function. This
introduces a slight whitespace problem but the next refactoring will
move the incorrectly indented block to its own function anyway.

Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220426132324.76517-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24213.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>

Extract session_move_pre_start as own function, use local buffer variable
Arne Schwabe [Fri, 22 Apr 2022 14:29:37 +0000 (16:29 +0200)]

This changes the C90 struct buffer declaration to a C99 style one. Also
move the state transition from S_INITIAL to S_PE_START into its own
function.

Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220422142953.3805364-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24151.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>

Refactor tls-auth/tls-crypt wrapping into own function
Arne Schwabe [Fri, 22 Apr 2022 14:29:36 +0000 (16:29 +0200)]

This allows the wrapping to be more easily reused by a function that
does not have access to a full TLS session.

Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220422142953.3805364-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24150.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>

fix GitHub workflow working directories in MinGW builds
Marc Becker [Mon, 25 Apr 2022 21:58:22 +0000 (23:58 +0200)]

replace hardcoded directory names with env variable version info
bump pkcs11-helper version to 1.29.0
bump OpenSSL version to 1.1.1n
add OpenSSL version to cache key
use release file for pkcs11-helper archive
use OpenSSL URL endpoint with all/current versions

Signed-off-by: Marc Becker <becm@gmx.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220425215822.18569-1-becm@gmx.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24202.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

Split out reliable_ack_parse from reliable_ack_read
Arne Schwabe [Fri, 22 Apr 2022 13:40:37 +0000 (15:40 +0200)]

This allows only the parsing without verification to be reused in other
code parts.

Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220422134038.3801239-9-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24145.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>

Add unit tests for test_tls_decrypt_lite
Arne Schwabe [Fri, 22 Apr 2022 13:40:36 +0000 (15:40 +0200)]

This currently tests the existing functionality of test_tls_decrypt_lite
to check if a reset packet is valid or not.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220422134038.3801239-8-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24168.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

Move ssl function related to control channel wrap/unwrap to ssl_pkt.c/h
Arne Schwabe [Fri, 22 Apr 2022 13:40:35 +0000 (15:40 +0200)]

This allows these functions to be relatively easily included into the
unit test without pulling ssl.c and all the dependencies of ssl.c into
a unit test.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220422134038.3801239-7-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24149.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

Extend tls_pre_decrypt_lite to return type of packet and keep state
Arne Schwabe [Fri, 22 Apr 2022 13:40:34 +0000 (15:40 +0200)]

This allows us to keep the temporary data for a little bit longer
so we can use this to make further checks and ultimately use the
state to craft the HMAC based RESET reply.

For now we do not use the extra information and keep behaviour
identical.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220422134038.3801239-6-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24148.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

Move pre decrypt lite check to its own function
Arne Schwabe [Mon, 25 Apr 2022 12:27:09 +0000 (14:27 +0200)]

This prepares for extending this function with the HMAC based session ID
check.

Replace the check for m->top.c2.tls_auth_standalone with an ASSERT as this
code path is only used in multi udp server and OpenVPN initialises the
tls_auth_standalone always for the TOP context (CF_INIT_TLS_AUTH_STANDALONE),
even for the tcp m2mp server that does not use it.

Patch v2: replace if with ASSERT

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220425122709.4148015-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24193.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

Make buf_write_u8/16/32 take the type they pretend to take
Arne Schwabe [Fri, 22 Apr 2022 14:29:44 +0000 (16:29 +0200)]

These functions should accept the type of integer they say they write. Calling
the u32 function with an integer that is actually 32 bit unsigned gives
compiler warnings.

Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220422142953.3805364-10-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24165.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>

vcpkg-ports/pkcs11-helper: bump to release 1.29
Marc Becker [Sat, 23 Apr 2022 13:57:04 +0000 (15:57 +0200)]

This release has merged the win32 support patch,
so our own patch could be removed from the port.

Upstream archive format changed back to BZIP2.

Signed-off-by: Marc Becker <becm@gmx.de>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20220423135704.88164-1-becm@gmx.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24180.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

Add documentation for swap_hmac function
Arne Schwabe [Fri, 22 Apr 2022 13:40:33 +0000 (15:40 +0200)]

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220422134038.3801239-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24177.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

Remove tls_init_control_channel_frame_parameters wrapper function
Arne Schwabe [Fri, 22 Apr 2022 13:40:30 +0000 (15:40 +0200)]

While calling this wrapper function is strictly more correct, these
indirection layers with tiny wrappers make the code more complex and
go through more layers than it really needs to.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220422134038.3801239-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24172.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

Remove EXPONENTIAL_BACKOFF define
Arne Schwabe [Fri, 22 Apr 2022 14:29:35 +0000 (16:29 +0200)]

We have had EXPONENTIAL_BACKOFF as default forever (8c47de7, 2.1.1c,
2010). Remove the other code path that is dead code.

Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220422142953.3805364-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20220422142953.3805364-1-arne@rfc2549.org

Signed-off-by: Gert Doering <gert@greenie.muc.de>

Remove inc_pid argument from reliable_mark_deleted that is always true
Arne Schwabe [Fri, 22 Apr 2022 13:40:38 +0000 (15:40 +0200)]

This is a small cleanup to remove a superfluous argument.

Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220422134038.3801239-10-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20220422134038.3801239-10-arne@rfc2549.org

Signed-off-by: Gert Doering <gert@greenie.muc.de>

Remove dead PID_TEST code
Arne Schwabe [Fri, 22 Apr 2022 13:40:31 +0000 (15:40 +0200)]

Enabling this test produces compile errors and by the looks of it the
test has been broken for many years.

Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220422134038.3801239-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20220422134038.3801239-3-arne@rfc2549.org

Signed-off-by: Gert Doering <gert@greenie.muc.de>

auth-pam.c: add missing include limits.h
Antonio Quartulli [Thu, 21 Apr 2022 13:19:09 +0000 (15:19 +0200)]

On most systems limits.h is pulled in by some other header and thus no
error is ever triggered, but it's possible to find the right environment
which lacks this and prevents compiling auth-pam.c (possibly when using
LibreSSL).

Include the header explicitly as it includes the definition of PATH_MAX.

(note that this bug is fixed in Gentoo since 2020 by including a custom
patch, but apparently the issue was never reported upstream)

Reported-by: Michelangelo Scopelliti <kernelpanic@gmx.com>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220421131909.32053-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24136.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

Add git pre-commit hook script to uncrustify
Heiko Hund [Thu, 21 Apr 2022 16:43:30 +0000 (18:43 +0200)]

The script is self installing if you call it with "install" as the first
parameter. Once installed as the pre-commit hook it will check files to
be committed according to the rules in uncrustify.conf and abort the
commit if there are formatting issues. The script produces a patch in /tmp
which can be git apply'ed to fix all issues found.

The script was originally authored by David Martin [1] and slightly
modified to fit our needs. At the time it had a 2-clause BSD license.

[1] https://github.com/ddddavidmartin/Pre-commit-hooks

Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220421164330.2483743-1-heiko@ist.eigentlich.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24141.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

The Great Reformatting of 2022
David Sommerseth [Wed, 20 Apr 2022 14:30:50 +0000 (16:30 +0200)]

It was agreed it was time to do a full reformat fix-up of the whole
source tree again.  Over time (since late 2016) small changes have not
adhered to our uncrustify defined coding style.  This realigns to our
current standards.

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220420143050.52790-1-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24123.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

dev-tools: Avoid uncrustify mangling MAC_FMT macro
David Sommerseth [Wed, 20 Apr 2022 12:13:22 +0000 (14:13 +0200)]

The MAC_FMT in src/openvpn/misc.h needs to be formatted strictly, and
uncrustify does not fully grasp the current code.  So we tell it to not
touch it.

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220420121322.42732-3-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24121.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

dev-tools: Remove uncrustify -p
David Sommerseth [Wed, 20 Apr 2022 12:13:21 +0000 (14:13 +0200)]

The -p option to uncrustify was providing debug information about
decisions done by uncrustify.  This was useful when debugging why
certain formatting choices.

With newer versions of uncrustify the -p option can only be used on
individual files and not a list of files.  Since still supporting this
would require a bigger rewrite of reformat-all.sh, it was chosen to
instead remove the usage of this option.  If certain behaviours need to
be debugged, running uncrustify on individual files directly will work
fine anyhow.

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220420121322.42732-2-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24120.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

dev-tools: Remove no longer needed openvpn-plugin.h.in patching
David Sommerseth [Wed, 20 Apr 2022 12:13:20 +0000 (14:13 +0200)]

The bug in uncrustify 0.64 is no longer causing us issues as we now
require at least v0.72.

This workaround was added as part of the initial reformat-all inclusion,
in commit 2417d55c4945d491e.

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220420121322.42732-1-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24122.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

t_net.sh: delete dummy iface using iproute command
Antonio Quartulli [Thu, 7 Apr 2022 08:15:55 +0000 (10:15 +0200)]

A dummy interface cannot be deleted using --rmtun because openvpn tries
to send some ioctl (i.e. TUNSETPERSIST) which is not supported by this
device type. This results in the following error:

2022-04-07 09:59:29 Cannot ioctl TUNSETPERSIST(0) ovpn-dummy0: Bad file
descriptor (errno=9)
2022-04-07 09:59:29 Exiting due to fatal error

and the interface is not deleted.

Use iproute to generically delete an interface.

Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220407081555.25228-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24086.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

networking: implement net_iface_new and net_iface_del APIs
Antonio Quartulli [Thu, 7 Apr 2022 09:41:46 +0000 (11:41 +0200)]

These two new methods can be used to create and delete a tun or an
ovpn-dco interface via networking API.

Implementations for SITNL and iproute2 are provided.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220407094146.7684-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24088.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

networking_iproute2: don't pass M_WARN to openvpn_execve_check()
Antonio Quartulli [Thu, 7 Apr 2022 20:14:11 +0000 (22:14 +0200)]

openvpn_execve_check() expects a set of flags as third argument and not
a loglevel. For this reason, if no FATAL behaviour is expected, we
should simply pass 0. openvpn_execve_check() will then pick the
appropriate loglevel on its own.

Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220407201411.22486-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24090.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

networking: silence warnings about unused arguments
Antonio Quartulli [Sat, 2 Apr 2022 07:08:57 +0000 (09:08 +0200)]

In the net_ctx_init() stub definition, arguments are not used and
therefore they should be explicitly marked to avoid compiler
warnings.

Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220402070902.30282-3-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24052.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

networking: remove duplicate methods from networking_sitnl.c
Arne Schwabe [Sat, 2 Apr 2022 07:08:56 +0000 (09:08 +0200)]

The net_ctx_init/reset/free methods of sitnl are the same dummy
methods that are already defined for non-Linux platforms in the
networking.h header.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220402070902.30282-2-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24054.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

Enable usage of TLS groups not identified by a NID in OpenSSL 3
Michael Baentsch [Tue, 29 Mar 2022 05:37:09 +0000 (07:37 +0200)]

OpenSSL3 prefers to specify groups (including EC groups) with names
instead of NID to also allow groups provided by providers.
This commit also removes the mapping of secp256r1 to prime256v1 for
the OpenSSL3 code path as OpenSSL 3.0 recognises secp256r1.

Signed-off-by: Michael Baentsch <info@baentsch.ch>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220329053709.19462-1-info@baentsch.ch>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24012.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

add support for --dns option
Heiko Hund [Wed, 23 Mar 2022 14:34:52 +0000 (15:34 +0100)]

As a first step towards DNS configuration in openvpn and a unified way
to push DNS related settings to clients in v2 and v3, this commit adds
support for parsing the new --dns option. Later commits will add support
for setting up DNS on different platforms.

For now, --dns and DNS related --dhcp-option can be used together for
a smoother transition. Settings from --dns will override ones from --dhcp-option
where applicable.

For detailed information about the option consult the documentation in
this commit.

Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220323143452.1100446-1-heiko@ist.eigentlich.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23997.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

Implement fixed MSS value for mssfix and use it for non default MTUs
Arne Schwabe [Thu, 24 Feb 2022 14:42:45 +0000 (15:42 +0100)]

This allows to set the MSS value inside the tunnel to a user specified
value instead of calculating it from (somewhat) dynamic encapsulation
overhead.

Also default to the MTU when tun-mtu does not have the default value
to ensure that packets are not larger than the tun-mtu. This only affects
packets that are routed via the VPN and none of the peers is an endpoint
since otherwise the peer would already set a lower MTU.

Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20220224144245.878056-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23886.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>

msvc: adjust build options to harden binaries
Lev Stipakov [Fri, 18 Feb 2022 23:50:04 +0000 (01:50 +0200)]

 - enable hardware-enforced stack protection on
   compatible hardware/software (/CETCOMPAT linker option)

 - hash object files with SHA256 (/ZH:SHA_256 compiler option)

 - enable SDL. This required adding the

    _CRT_NONSTDC_NO_DEPRECATE
    _CRT_SECURE_NO_WARNINGS
    _WINSOCK_DEPRECATED_NO_WARNINGS

   preprocessor definitions. I don't feel like replacing strdup (which is
   a correct POSIX function) and inet_ntoa (we always pass an IPv4 address to
   it, inet_ntop will make the code more complex).

Above issues were discovered by binskim.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220218235004.269-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23851.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

Fix incorrect default mssfix value in server mode
Lev Stipakov [Tue, 1 Mar 2022 13:50:54 +0000 (15:50 +0200)]

When calculating default mssfix, we take into account
protocol overhead, which usually includes 3 bytes peer-id.

Peer-id usage is indicated by options->use_peer_id flag.
In client mode it is set when applying pushed options.
In server mode it is not set and as a result mssfix value
is 3 bytes off.

Fix by setting this flag in multi.c when calculating
tunnel-specific options.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220301135054.277-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23896.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

vcpkg-ports\openssl3: update to 3.0.2
Lev Stipakov [Thu, 17 Mar 2022 12:23:57 +0000 (14:23 +0200)]

While on it, remove deprecated vcpkg_fail_port_install(),
since we don't care about UWP/Linux/OS X here.

Also bump github actions's vcpkg commit id.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220317122357.111-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23985.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

networking: use OPENVPN_ETH_ALEN instead of ETH_ALEN
Antonio Quartulli [Wed, 23 Feb 2022 08:06:28 +0000 (09:06 +0100)]

With the introduction of SITNL two occurrences of ETH_ALEN
were introduced in the code. This define exists on Linux in
the linux/if_ether.h header, however the latter is included
in linux/if_tun.h which may or may not exist (depending on
how old your system is).

If the system lacks if_tun.h then the compilation fails because
ETH_ALEN cannot be found.

For this reason, swap ETH_ALEN with OPENVPN_ETH_ALEN which is
already used in other places of the code.

Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220223080628.4773-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23882.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

options: drop useless netmask variable
Antonio Quartulli [Mon, 14 Mar 2022 13:13:56 +0000 (14:13 +0100)]

netmask is simply used to reflect the value of p[2], therefore
it can be dropped and p[2] can directly be used instead.

Reported-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220314131356.11577-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23941.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

vcpkg-ports\pkcs11-helper: shorten patch filename
Lev Stipakov [Wed, 16 Mar 2022 13:54:11 +0000 (15:54 +0200)]

"make dist" uses 'tar -o' which breaks on long filenames:

  tar: openvpn-2.5.6/contrib/vcpkg-ports/pkcs11-helper/0003-config-w32-vc.h.in-indicate-OpenSSL-EC-support.patch: file name is too long (max 99); not dumped
  tar: Exiting with failure status due to previous errors

and then "make dist" continues.

Make filename shorter to make tar happy.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220316135411.217-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23977.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

plug-ins: Disallow multiple deferred authentication plug-ins
David Sommerseth [Sun, 13 Mar 2022 19:31:53 +0000 (20:31 +0100)]

The plug-in API in OpenVPN 2.x is not designed for running multiple
deferred authentication processes in parallel. The authentication
results of such configurations are not to be trusted.  For now we bail
out when this is discovered with an error in the log.

CVE: 2022-0547
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20220313193154.9350-3-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23931.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

plugins: Remove defer/simple.c sample plugin
David Sommerseth [Sun, 13 Mar 2022 19:31:54 +0000 (20:31 +0100)]

The use case for this plug-in is dubious now with the new multi-auth.c
plugin available.  This new plugin is based on simple.c, but allows
far more flexibility for testing.

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20220313193154.9350-4-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23933.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

sample-plugin: New plugin for testing multiple auth plugins
David Sommerseth [Sun, 13 Mar 2022 19:31:52 +0000 (20:31 +0100)]

This plugin allows setting usernames/passwords as well as configuring
deferred authentication behaviour as part of the runtime initialization.

With this plug-in it is easier to test various scenarios where multiple
authentication plug-ins are active on the server side.

Test documentation was also added to describe various test cases and
the expected results.

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20220313193154.9350-2-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23932.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

vcpkg-ports/pkcs11-helper: adapt to new upstream URL
Lev Stipakov [Mon, 14 Mar 2022 12:03:34 +0000 (14:03 +0200)]

Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220314120334.231-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23940.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

remove unused sitnl.h file
Antonio Quartulli [Mon, 14 Mar 2022 16:20:48 +0000 (17:20 +0100)]

sitnl.h must have slipped in when implementing the networking API and the
SITNL backend. However it is unused and should simply be removed.

Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20220314162048.22955-1-a@unstable.cc>
URL: https://www.mail-archive.com/search?l=mid&q=20220314162048.22955-1-a@unstable.cc
Signed-off-by: Gert Doering <gert@greenie.muc.de>

Ignore deprecation warning for daemon() on macOS (plugin/auth-pam)
Saifur Rahman Mohsin [Thu, 24 Feb 2022 17:23:30 +0000 (22:53 +0530)]

Follow up to a480eaa (does the same for auth-pam.c).

Signed-off-by: Saifur Rahman Mohsin <mohsin92@me.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220224172330.43451-1-mohsin92@me.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23890.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

Fix --mtu-disc maybe|yes on Linux.
Gert Doering [Tue, 22 Feb 2022 11:38:32 +0000 (12:38 +0100)]

--mtu-disc (on Linux) needs two components to work:
   - setsockopt() with IP_MTU_DISCOVER or IPV6_MTU_DISCOVER
   - "extended error reporting" (setsockopt(IP_RECVERR) and
     then via mtu.c/format_extended_socket_error()) to react on
     "packet too big" errors on sendto() / sendmsg()

Some configure.ac reorganization broke detection of <linux/errqueue.h>
and "struct sock_extended_err".  Re-add <linux/errqueue.h> to configure.ac,
remove all the other conditionals in syshead.h, and remove the
"struct sock_extended_err" check completely (assumption: if errqueue.h
exists, it contains what we need).

Thus, the "non-helpful" socket error message turns into:

2022-02-22 12:31:42 write UDPv4 [EMSGSIZE Path-MTU=800]: Message too long (fd=3,code=90)
2022-02-22 12:31:42 Note adjusting 'mssfix 1400 mtu' to 'mssfix 800 mtu' according to path MTU discovery
2022-02-22 12:31:42 Note adjusting 'fragment 1400 mtu' to 'fragment 800 mtu' according to path MTU discovery

... while at it, fix extra space in first part of these messages, and
print o->ce.fragment for the "fragment" message...

v2: assume that "if it's linux, and has these two headers, everything
else will be there as well" and get rid of most of the #ifdef checks

Trac: #1452

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220222113832.13383-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23863.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
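The two halves the commit message lists (the IP_MTU_DISCOVER setsockopt, and IP_RECVERR plus reading the queued sock_extended_err) in working form. This is an added example, not code from OpenVPN's socket.c or mtu.c: function names (enable_pmtu_discovery, path_mtu_from_errqueue, fake_pmtu_error) are mine, the error-queue message is constructed in place rather than produced by recvmsg(MSG_ERRQUEUE), and only the IPv4 option names are used (IPv6 sockets take IPV6_MTU_DISCOVER / IPV6_RECVERR at IPPROTO_IPV6).

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/errqueue.h>

/* Half one of --mtu-disc on an IPv4 UDP socket: set DF via IP_MTU_DISCOVER
 * ("yes" = IP_PMTUDISC_DO, "maybe" = IP_PMTUDISC_WANT) and turn on IP_RECVERR
 * so an ICMP "fragmentation needed" is queued instead of silently dropped.
 * Returns 0 on success, -errno otherwise. */
static int enable_pmtu_discovery(int fd, bool force_df)
{
    int pmtud = force_df ? IP_PMTUDISC_DO : IP_PMTUDISC_WANT;
    int on = 1;
    if (setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &pmtud, sizeof(pmtud)) < 0) return -errno;
    if (setsockopt(fd, IPPROTO_IP, IP_RECVERR, &on, sizeof(on)) < 0) return -errno;
    return 0;
}

/* Half two: after sendto()/sendmsg() fails with EMSGSIZE the caller does
 * recvmsg(fd, &msg, MSG_ERRQUEUE) and hands msg here. Returns the path MTU
 * carried in the queued sock_extended_err, or 0 if the queued error is not
 * an ICMP path-MTU report (local errors carry SO_EE_ORIGIN_LOCAL). */
static int path_mtu_from_errqueue(struct msghdr *msg)
{
    for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c != NULL; c = CMSG_NXTHDR(msg, c)) {
        if (c->cmsg_level != IPPROTO_IP || c->cmsg_type != IP_RECVERR) continue;
        if (c->cmsg_len < CMSG_LEN(sizeof(struct sock_extended_err))) continue;
        struct sock_extended_err ee;
        memcpy(&ee, CMSG_DATA(c), sizeof(ee));
        if (ee.ee_errno == EMSGSIZE && ee.ee_origin == SO_EE_ORIGIN_ICMP) return (int)ee.ee_info;
    }
    return 0;
}

/* Constructed stand-in for what the kernel queues on "packet too big": fills
 * msg/ctl the way recvmsg(MSG_ERRQUEUE) would. Demo input only. */
static void fake_pmtu_error(struct msghdr *msg, unsigned char *ctl, size_t ctl_len,
                            uint32_t mtu, uint8_t origin)
{
    struct sock_extended_err ee;
    memset(msg, 0, sizeof(*msg));
    memset(ctl, 0, ctl_len);
    memset(&ee, 0, sizeof(ee));
    ee.ee_errno = EMSGSIZE;
    ee.ee_origin = origin;   /* SO_EE_ORIGIN_ICMP for a real ICMP type 3 / code 4 */
    ee.ee_type = 3;
    ee.ee_code = 4;
    ee.ee_info = mtu;        /* the MTU the router reported */
    msg->msg_control = ctl;
    msg->msg_controllen = ctl_len;
    struct cmsghdr *c = CMSG_FIRSTHDR(msg);
    c->cmsg_level = IPPROTO_IP;
    c->cmsg_type = IP_RECVERR;
    c->cmsg_len = CMSG_LEN(sizeof(ee));
    memcpy(CMSG_DATA(c), &ee, sizeof(ee));
    msg->msg_controllen = CMSG_SPACE(sizeof(ee));
}

/* Parse a constructed report; a genuine ICMP origin yields mtu, anything else 0. */
static int demo_parse_pmtu(uint32_t mtu, uint8_t origin)
{
    unsigned char ctl[CMSG_SPACE(sizeof(struct sock_extended_err))];
    struct msghdr msg;
    fake_pmtu_error(&msg, ctl, sizeof(ctl), mtu, origin);
    return path_mtu_from_errqueue(&msg);
}

/* Configure a throwaway UDP socket and read IP_MTU_DISCOVER back from the
 * kernel. Returns that value, or -errno where sockets cannot be created. */
static int demo_socket_setup(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -errno;
    int rc = enable_pmtu_discovery(fd, true);
    int val = -1;
    socklen_t len = sizeof(val);
    if (rc == 0 && getsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &val, &len) < 0) rc = -errno;
    close(fd);
    return rc == 0 ? val : rc;
}
```

The value path_mtu_from_errqueue() returns is what the "Path-MTU=800" in the log line above comes from; without IP_RECVERR the send error is just EMSGSIZE with no MTU attached, which is why the configure.ac breakage left OpenVPN unable to adjust mssfix and fragment.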
3 years agoopenvpnmsica: add ovpn-dco custom actions
Lev Stipakov [Mon, 14 Feb 2022 12:24:09 +0000 (14:24 +0200)] 
openvpnmsica: add ovpn-dco custom actions

Add two custom actions to service ovpn-dco driver installation.

 - EvaluateDriver

Runs under user privileges. Determines what action (install/uninstall)
should be performed on ovpn-dco component.

 - ProcessDriver

Runs under SYSTEM privileges. Performs driver (un)installation.
During uninstall, all existing adapters with given hwid (ovpn-dco)
are removed.

The logic is inspired by custom actions from tap-windows6 installer
(https://github.com/OpenVPN/tap-windows6/tree/master/msm).

Signed-off-by: Lev Stipakov <lev@openvpn.net>
Signed-off-by: Simon Rozman <simon@rozman.si>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220214122409.260-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23786.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agocrypto: unify key_type creation code
Antonio Quartulli [Thu, 17 Feb 2022 16:31:59 +0000 (17:31 +0100)] 
crypto: unify key_type creation code

At the moment we have tls_crypt_kt() and auth_token_kt that basically do
the same thing, but with different algorithms used to initialise the
structure.

In order to avoid code duplication and copy/paste errors, unify code and
make it parametric, so that it can be re-used in various places.

Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220217163159.7936-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23831.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agoRemove unused function cipher_var_key_size
Arne Schwabe [Thu, 17 Feb 2022 18:19:43 +0000 (19:19 +0100)] 
Remove unused function cipher_var_key_size

This function has accidentally not been deleted during the removal
of the last bits of variable key size.

Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220217181943.33531-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23832.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agoAdd warning about mbed TLS licensing problem
Max Fillinger [Thu, 17 Feb 2022 14:27:56 +0000 (15:27 +0100)] 
Add warning about mbed TLS licensing problem

Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220217142756.6581-1-maximilian.fillinger@foxcrypto.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23825.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agovcpkg: link lzo statically
Lev Stipakov [Wed, 16 Feb 2022 13:42:27 +0000 (15:42 +0200)] 
vcpkg: link lzo statically

Having .dll for a single executable doesn't make
much sense. Static linking removes 117kb .dll
and grows .exe size by only 4kb.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220216134227.147-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23807.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agoFix mbed TLS compile if OpenSSL headers are not available
Arne Schwabe [Wed, 16 Feb 2022 12:56:53 +0000 (13:56 +0100)] 
Fix mbed TLS compile if OpenSSL headers are not available

We unconditionally include openssl/opensslv.h which fails if OpenSSL headers
are not available.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220216125653.4080943-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23804.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agodoc/options: clean up documentation for --proto and related options
Frank Lichtenheld [Tue, 15 Feb 2022 14:54:25 +0000 (15:54 +0100)] 
doc/options: clean up documentation for --proto and related options

The family specific options were generally omitted.

Cc: David Sommerseth <openvpn@sf.lists.topphemmelig.net>
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20220215145425.1989-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23798.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agoauth_token/tls_crypt: fix usage of md_valid()
Antonio Quartulli [Tue, 15 Feb 2022 12:31:57 +0000 (13:31 +0100)] 
auth_token/tls_crypt: fix usage of md_valid()

With b39725cf ("Remove md_kt_t and change crypto API to use const char*")
the logic for validating ciphers and md algorithms has been changed.

We should now *always* use md_valid() when validating a digest alg.

At the same time, add '!' (negation) when validating the digest algorithm
in the tls-crypt code, in order to restore the proper logic.

Cc: Arne Schwabe <arne@rfc2549.org>
Fixes: b39725cf ("Remove md_kt_t and change crypto API to use const char*")
Reported-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220215123157.10615-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23793.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agodoc: fix misc documentation issues
Frank Lichtenheld [Mon, 14 Feb 2022 17:33:42 +0000 (18:33 +0100)] 
doc: fix misc documentation issues

- Broken/missing formatting
- Make it obvious which arguments are optional

Only the files touched have been reviewed, all other
files likely have similar issues.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20220214173342.12655-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23788.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agoRemove FRAME_HEADROOM, PAYLOAD_SIZE, EXTRA_FRAME and TUN_LINK_DELTA macros
Arne Schwabe [Mon, 14 Feb 2022 09:26:07 +0000 (10:26 +0100)] 
Remove FRAME_HEADROOM, PAYLOAD_SIZE, EXTRA_FRAME and TUN_LINK_DELTA macros

The buffer overhaul simplified the frame struct to a point that these
macros are either not used anymore or are not adding any benefit in
understanding the code anymore. Replace the macros with direct member
accesses.

Patch v2: Remove all FRAME_HEADROOM macros
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220214092607.3785665-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23785.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agoAdd unit test for mssfix with compression involved
Arne Schwabe [Mon, 14 Feb 2022 00:33:21 +0000 (01:33 +0100)] 
Add unit test for mssfix with compression involved

Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220214003321.3741582-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23777.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agoAdd better documentation for CAS_* states
Arne Schwabe [Mon, 14 Feb 2022 00:31:40 +0000 (01:31 +0100)] 
Add better documentation for CAS_* states

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220214003140.3741349-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23776.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agoAdd Werror to github action ubuntu build
Arne Schwabe [Mon, 14 Feb 2022 02:10:54 +0000 (03:10 +0100)] 
Add Werror to github action ubuntu build

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220214021054.3750071-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23778.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agoFix 'defined but not used' warnings with enable-small/disable-management
Arne Schwabe [Mon, 14 Feb 2022 02:10:53 +0000 (03:10 +0100)] 
Fix 'defined but not used' warnings with enable-small/disable-management

Some functions are only used when management is used or enable-small is
not used. Fix the ifdefs to correctly also include these helper
functions to avoid compile errors when using -Werror

Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220214021054.3750071-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23779.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agoDefault to --cipher BF-CBC if not set and compat-mode < 2.4.0
Arne Schwabe [Fri, 5 Nov 2021 15:07:42 +0000 (16:07 +0100)] 
Default to --cipher BF-CBC if not set and compat-mode < 2.4.0

When we try to make a configuration compatible to a version earlier
than 2.4.0 we probably need to have a --cipher configured since NCP
is not available. In configuration where --cipher is not specified
we default to BF-CBC to support these old clients.

Note that with OpenSSL 3.0 you will also need to enable the legacy
provider otherwise we bail out since BF-CBC is no longer supported.

Also move the condition so BF-CBC gets included in the data-ciphers
list.

Patch v2: move the comment to a better place.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20211105150742.2909443-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23100.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agoRemove frame.extra_frame and frame.extra_buffer
Arne Schwabe [Thu, 10 Feb 2022 16:26:32 +0000 (17:26 +0100)] 
Remove frame.extra_frame and frame.extra_buffer

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220210162632.3309974-8-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23755.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agoRemove frame->link_mtu
Arne Schwabe [Thu, 10 Feb 2022 16:26:31 +0000 (17:26 +0100)] 
Remove frame->link_mtu

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220210162632.3309974-7-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23749.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agoRemove extra_link from frame
Arne Schwabe [Thu, 10 Feb 2022 16:26:30 +0000 (17:26 +0100)] 
Remove extra_link from frame

The previous commits removed any reads from this variable. So we can
now safely remove it.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220210162632.3309974-6-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23751.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agoGet rid of README.IPv6 and TODO.IPv6
Antonio Quartulli [Mon, 7 Feb 2022 15:57:57 +0000 (16:57 +0100)] 
Get rid of README.IPv6 and TODO.IPv6

README.IPv6 is quite useless because IPv6 is not a second
class citizen anymore. Most of the content is "obvious" or explained in
the manpage along with other details/options.

TODO.IPv6 is old and many implemented things are still reported there
for no clear reason. Delete file and report still open items in our
tracking system.

Cc: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220207155757.22314-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23729.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agoUse new frame header methods to calculate OCC_MTU_LOAD payload size
Arne Schwabe [Thu, 10 Feb 2022 16:26:29 +0000 (17:26 +0100)] 
Use new frame header methods to calculate OCC_MTU_LOAD payload size

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220210162632.3309974-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23750.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agoUpdate fragment and mssfix related warnings
Arne Schwabe [Thu, 10 Feb 2022 16:26:28 +0000 (17:26 +0100)] 
Update fragment and mssfix related warnings

The warning that fragment/mssfix needs also tun-mtu set to 1500 makes
little sense. Remove it completely. Instead warn if there are
inconsistencies between --fragment and mssfix.

Patch v2: clarify the mssfix and fragment mtu warning message
Patch v4: Rebase

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220210162632.3309974-4-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23753.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agoAdd mtu parameter to --fragment and change fragment calculation
Arne Schwabe [Sat, 12 Feb 2022 00:33:31 +0000 (01:33 +0100)] 
Add mtu parameter to --fragment and change fragment calculation

Instead of relying on the link_mtu_dynamic field and its calculation
in the frame struct, add a new field max_fragment_size and add
a calculation of it similar to mssfix.

Also whenever mssfix value is calculated, we also want to calculate
the values for fragment as both options need to be calculated from
the real overhead.

Patch v2: Fix syntax in rst man page
Patch v5: fix segfault when get_ip_encap_overhead gets called early in
          init_instance and note that these calls will always be
          overwritten by NCP in tls_session_update_crypto_params

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220212003331.3483107-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23764.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agoChange the default for mssfix to mssfix 1492 mtu
Arne Schwabe [Thu, 10 Feb 2022 16:26:26 +0000 (17:26 +0100)] 
Change the default for mssfix to mssfix 1492 mtu

The current default is 1450, which translates to 1478 byte packets for udp4
and 1498 byte packets for udp6. This commit changes the mssfix default
to take the outer IP overhead into account as well and changes the target to
1492. 1492 was picked in our community meeting for being a very common
encapsulation upper bound.

The change also disables an mssfix default if tun-mtu is set to a value
different than 1500.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220210162632.3309974-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23754.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agoReplace TUN_MTU_SIZE with frame->tun_mtu
Arne Schwabe [Thu, 10 Feb 2022 16:26:25 +0000 (17:26 +0100)] 
Replace TUN_MTU_SIZE with frame->tun_mtu

This always uses the configured MTU size instead of relying on the calculated
MTU size.

Patch v4: Fix a few overlooked TUN_MTU_SIZE.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220210162632.3309974-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23752.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agodoc/Makefile: rebuild rst docs if input files change
Frank Lichtenheld [Thu, 9 Dec 2021 17:11:36 +0000 (18:11 +0100)] 
doc/Makefile: rebuild rst docs if input files change

For now the dependencies are statically defined, which
should be fine and is still a much better solution than
to have no dependencies.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20211209171138.8589-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23369.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agomsvc: cleanup
Lev Stipakov [Tue, 8 Feb 2022 11:49:05 +0000 (13:49 +0200)] 
msvc: cleanup

Remove unused macros for dependency directories,
since dependencies are handled by vcpkg.

Remove unused .bat files.

Reported-by: Frank Lichtenheld <frank@lichtenheld.com>
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220208114905.100-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23730.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agoRepair --inactive with 'bytes' argument larger 2Gbytes.
Gert Doering [Fri, 4 Feb 2022 11:42:01 +0000 (12:42 +0100)] 
Repair --inactive with 'bytes' argument larger 2Gbytes.

--inactive has an optional 2nd parameter specifying the number of
bytes that need to be sent/received in the given time window.  This
was parsed with atoi(), stored in a 32bit int.  atoi() overflows at
2Gbyte (signed int), which makes gcc return "0" and MSVC "2^31-1"
for the value reported in the ticket (10G) - so on gcc, this was
behaving like "not set", while windows builds after 2.5.4 honoured
this setting, and aborted (unexpectedly) due to "not enough traffic".

Fix by increasing word length of all involved variables to int64_t.

While at it, add option printer SHOW_LONG(), and print variable.

This has the potential to break existing setups where this value is
set unreasonably high, thus "impossible to achieve in the interval",
but which was never noticed before due to "overflow, 0, ignored".
Thus, print WARNING if a value >INT_MAX (2Gbyte) is configured.

v2: use atoll(), as atol() is limited to INT_MAX on MSVC, and PRi64
for format string.  Rename SHOW_LONG() to SHOW_INT64().

Trac: #1448

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20220204114201.5632-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23720.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
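The parsing fix described above, as an added example rather than OpenVPN's own options.c code: a range-checked strtoll() replaces atoi(), the result is kept in int64_t, values above INT_MAX (the old overflow point) are flagged for the warning the commit mentions, and the printer uses PRIi64. Names (parse_inactive, inactive_triggered, format_inactive), the helper wrappers and the inactivity rule are assumptions made for the example.

```c
#include <errno.h>
#include <inttypes.h>
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Parsed "--inactive n [bytes]". */
struct inactive_opts {
    int seconds;
    int64_t bytes;      /* 0 = no byte threshold configured */
    bool warn_large;    /* bytes > INT_MAX: silently ignored before the fix */
};

/* strtoll with full error checking: rejects junk, trailing characters,
 * negatives and out-of-range input instead of returning 0 or a clamped
 * value the way atoi()/atol() do on overflow. */
static bool parse_nonneg_i64(const char *s, int64_t *out)
{
    char *end = NULL;
    errno = 0;
    long long v = strtoll(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE || v < 0) {
        return false;
    }
    *out = (int64_t)v;
    return true;
}

/* bytes_arg may be NULL when the option is given without the byte threshold. */
static bool parse_inactive(const char *secs_arg, const char *bytes_arg, struct inactive_opts *o)
{
    int64_t secs, bytes = 0;
    if (!parse_nonneg_i64(secs_arg, &secs) || secs > INT_MAX) return false;
    if (bytes_arg && !parse_nonneg_i64(bytes_arg, &bytes)) return false;
    o->seconds = (int)secs;
    o->bytes = bytes;
    o->warn_large = bytes > INT_MAX;   /* caller prints the WARNING */
    return true;
}

/* Inactivity rule modelled here: the window has elapsed and, if a threshold
 * is set, fewer than `threshold` bytes moved in it. int64_t throughout so a
 * 10G threshold compares correctly against a 64-bit byte counter. */
static bool inactive_triggered(int64_t threshold, int64_t bytes_in_window)
{
    if (threshold == 0) return true;
    return bytes_in_window < threshold;
}

/* Option printer in the SHOW_INT64 spirit: PRIi64, never %d, for the count.
 * Returns the formatted length (snprintf semantics, so buf may be NULL/0). */
static int format_inactive(int seconds, int64_t bytes, char *buf, size_t len)
{
    return snprintf(buf, len, "inactive %d %" PRIi64, seconds, bytes);
}

/* Wrappers for quick checks: the parsed byte count, or -1 when rejected. */
static int64_t inactive_bytes_of(const char *secs, const char *bytes)
{
    struct inactive_opts o;
    return parse_inactive(secs, bytes, &o) ? o.bytes : -1;
}

/* 1 if the large-value warning would fire, 0 if not, -1 when rejected. */
static int inactive_warns(const char *secs, const char *bytes)
{
    struct inactive_opts o;
    return parse_inactive(secs, bytes, &o) ? (o.warn_large ? 1 : 0) : -1;
}
```

With "--inactive 300 10000000000" the old atoi() path gave 0 on gcc (threshold effectively off) and INT_MAX on MSVC (threshold impossible to meet); here both builds get 10000000000 plus a warning, and a malformed value such as "10G" is rejected at config parse time instead of silently becoming 10.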
3 years agocrypto: move OpenSSL specific FIPS check to its backend
Antonio Quartulli [Thu, 3 Feb 2022 19:36:55 +0000 (20:36 +0100)] 
crypto: move OpenSSL specific FIPS check to its backend

Our crypto API already provides a function performing a validity check
on the specified ciphername. The OpenSSL counterpart also checks for the
cipher being FIPS-enabled.

This API is cipher_valid(). Extend it so that it can provide a reason
whenever the cipher is not valid and use it in crypto.c.

This way we move any OpenSSL specific bit to its own
backend and directly use the new cipher_valid_reason() API in the
generic code.

This patch fixes compilations with mbedTLS when some OpenSSL is also
installed. The issue was introduced with:
544330fe ("crypto: Fix OPENSSL_FIPS enabled builds")

Cc: David Sommerseth <davids@openvpn.net>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20220203193655.28791-2-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23714.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agocrypto: move validation logic from cipher_get to cipher_valid
Antonio Quartulli [Thu, 3 Feb 2022 19:36:54 +0000 (20:36 +0100)] 
crypto: move validation logic from cipher_get to cipher_valid

With cipher validation performed in cipher_get(), a cipher is never
returned in any case if some check fails.

This prevents OpenVPN from operating on all ciphers provided by the SSL
library, like printing them to the user.

Move the validation logic to cipher_valid() so that checks are performed
only when OpenVPN really want to know if a cipher is usable or not.

Fixes: ce2954a0 ("Remove cipher_kt_t and change type to const char* in API")
Cc: Arne Schwabe <arne@rfc2549.org>
Cc: David Sommerseth <davids@openvpn.net>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20220203193655.28791-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23713.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agoRemove link_mtu parameter when running up/down scripts
Arne Schwabe [Sat, 1 Jan 2022 16:25:26 +0000 (17:25 +0100)] 
Remove link_mtu parameter when running up/down scripts

The link mtu is no longer used and calculating a compatibility link
MTU just for scripts makes little sense as well. Replace the parameter
instead with a fixed parameter 0.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220101162532.2251835-9-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23493.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agokeyingmaterialexporter.c: include strings.h
Antonio Quartulli [Thu, 3 Feb 2022 08:26:20 +0000 (09:26 +0100)] 
keyingmaterialexporter.c: include strings.h

strcasecmp() was initially declared in string.h and subsequently moved
to strings.h. For historical reasons it still exists in string.h, but
would require _DEFAULT_SOURCE to be defined.

Due to the above, just include strings.h as currently dictated by the
manpage.

Fixes the following warning:

keying-material-exporter-demo/keyingmaterialexporter.c:155:14: warning:
implicit declaration of function ‘strncasecmp’; did you mean ‘strncmp’?
[-Wimplicit-function-declaration]
  155 |         if (!strncasecmp(objbuf, "CN", 2))
      |              ^~~~~~~~~~~
      |              strncmp

Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220203082620.8186-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23702.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agopkcs11_openssl.c: check EVP_get_digestbyname() != NULL
Selva Nair [Thu, 27 Jan 2022 00:14:10 +0000 (19:14 -0500)] 
pkcs11_openssl.c: check EVP_get_digestbyname() != NULL

Reported-by: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20220127001410.7587-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23680.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agoImplement optional mtu parameter for mssfix
Arne Schwabe [Sat, 1 Jan 2022 16:25:23 +0000 (17:25 +0100)] 
Implement optional mtu parameter for mssfix

The current mssfix parameter is a bit difficult to use as it needs
manual calculation of the allowable packet size and also the resulting
MSS value does not take into account if IPv4 or IPv6 is used on the
outer tunnel.  Add 'mtu' parameter to fix both of these problem by
dynamically including the real overhead.

The syntax and naming of the parameter is chosen for compatibility with
OpenVPN3.

Patch V2: document mssfix 0 disabling mssfix, fix rst syntax

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220101162532.2251835-6-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23495.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agomsvc: switch to openssl3
Lev Stipakov [Wed, 26 Jan 2022 12:35:02 +0000 (14:35 +0200)] 
msvc: switch to openssl3

Add openssl3 vcpkg port, which is slightly modified version of
openssl1.1.1 port from official vcpkg repo.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20220126123502.403-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23662.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agoFix datagram_overhead and assorted functions
Arne Schwabe [Sat, 1 Jan 2022 16:25:22 +0000 (17:25 +0100)] 
Fix datagram_overhead and assorted functions

This function is supposed to calculate the overhead of the protocol
header (IP/IPv6 + TCP/UDP). But at some point the index that used
to index the array proto_overhead and the associated PROTO_N went
completely out of sync. This fixes the function and the related caller
to again calculate the overhead as intended.

Note that IPv6 mapped IPv4 addresses still have the wrong overhead
calculated as they are treated as IPv6 addresses (0:0:0:0:0:ffff::/96)

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220101162532.2251835-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23504.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agoChange buffer allocation calculation and checks to be more static
Arne Schwabe [Mon, 24 Jan 2022 02:54:59 +0000 (03:54 +0100)] 
Change buffer allocation calculation and checks to be more static

Currently we use half-dynamic buffer sizes where we have a fixed
overhead for crypto (crypto_max_overhead) but use a dynamic overhead
for the other small header sizes.

Patch v3: rebase
Patch v4: add size of ack array to control channel frame size
Patch v5: fix calculation of compression overhead calculated over 0 instead
          of payload size

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220124025459.1042317-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23638.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agoFix mssfix and frame calculation in CBC mode
Arne Schwabe [Sat, 1 Jan 2022 16:25:20 +0000 (17:25 +0100)] 
Fix mssfix and frame calculation in CBC mode

This commit fixes the MSS calculation in CBC mode. This fix has two parts:

- Added rounding to a multiple of block size during calculation of overhead
- In CBC mode the packet ID is part of the plaintext (or payload) rather
  than part of the header (like for AEAD), adjust the functions to
  correctly reflect this.

OCC link calculation is not affected since it ignores rounding of CBC
block size completely.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220101162532.2251835-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23494.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
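The overhead arithmetic that the mssfix/fragment commits above revolve around ("mssfix 1450" giving 1478-byte UDPv4 and 1498-byte UDPv6 packets, the per-peer IP/IPv6 + UDP/TCP overhead from the datagram_overhead fix including the v4-mapped caveat it notes, and the CBC block rounding from this commit) carried through in one place. This is an added, simplified model and not OpenVPN's frame or crypto code: the function names are mine, the OpenVPN per-packet overhead (opcode, packet-id, IV, tag or HMAC) is passed in as a number rather than derived from the negotiated cipher, and the sample values for it are made up for the demo.

```c
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

enum { IPV4_HDR = 20, IPV6_HDR = 40, UDP_HDR = 8, TCP_HDR = 20 };

/* Outer transport overhead: IP/IPv6 header plus UDP/TCP header. */
static int datagram_overhead(int af, int proto)
{
    int ip = (af == AF_INET6) ? IPV6_HDR : IPV4_HDR;
    int l4 = (proto == IPPROTO_TCP) ? TCP_HDR : UDP_HDR;
    return ip + l4;
}

/* Same, derived from the peer address. A v4-mapped peer (::ffff:a.b.c.d) on
 * an AF_INET6 socket travels in IPv4 packets, so it must not be charged the
 * IPv6 header; this is the case the commit message notes as still wrong. */
static int datagram_overhead_for_peer(const struct sockaddr_storage *peer, int proto)
{
    int af = peer->ss_family;
    if (af == AF_INET6) {
        const struct sockaddr_in6 *s6 = (const struct sockaddr_in6 *)peer;
        if (IN6_IS_ADDR_V4MAPPED(&s6->sin6_addr)) af = AF_INET;
    }
    return datagram_overhead(af, proto);
}

/* Bytes on the wire for `payload` bytes handed to the UDP/TCP socket. */
static int link_packet_size(int payload, int af, int proto)
{
    return payload + datagram_overhead(af, proto);
}

/* CBC with PKCS#7 padding: ciphertext is a whole number of blocks and always
 * carries at least one padding byte, so 1392 plaintext bytes become 1408. */
static int cbc_padded_len(int plaintext_len, int block_size)
{
    return (plaintext_len / block_size + 1) * block_size;
}

/* Largest plaintext whose padded ciphertext still fits in `budget` bytes. */
static int cbc_max_plaintext(int budget, int block_size)
{
    return (budget / block_size) * block_size - 1;
}

/* Largest tunnel payload for a target link MTU.
 *   hdr_overhead : OpenVPN bytes outside the encrypted payload (opcode, IV,
 *                  tag/HMAC, and for AEAD the packet-id)
 *   cbc_block    : cipher block size for CBC, 0 for AEAD (no rounding)
 *   cbc_prefix   : bytes inside the padded plaintext that are not payload;
 *                  in CBC mode the packet-id sits here, not in hdr_overhead */
static int max_payload_for_mtu(int target_mtu, int af, int proto,
                               int hdr_overhead, int cbc_block, int cbc_prefix)
{
    int budget = target_mtu - datagram_overhead(af, proto) - hdr_overhead;
    if (cbc_block > 0) {
        budget = cbc_max_plaintext(budget, cbc_block) - cbc_prefix;
    }
    return budget;
}

/* TCP MSS to write into an inner SYN so inner IP + TCP + data fits max_payload. */
static int mss_for_payload(int max_payload, int inner_af)
{
    int inner_ip = (inner_af == AF_INET6) ? IPV6_HDR : IPV4_HDR;
    return max_payload - inner_ip - TCP_HDR;
}

/* Constructed peer ::ffff:192.0.2.1 on an IPv6 socket: expect IPv4 overhead. */
static int demo_v4mapped_overhead(void)
{
    struct sockaddr_storage ss;
    struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)&ss;
    memset(&ss, 0, sizeof(ss));
    s6->sin6_family = AF_INET6;
    inet_pton(AF_INET6, "::ffff:192.0.2.1", &s6->sin6_addr);
    return datagram_overhead_for_peer(&ss, IPPROTO_UDP);
}
```

Two points the numbers make: the same "mssfix 1450" lands 20 bytes apart on the wire depending on the outer address family, which is what the "mtu" parameter and the 1492 default fix by starting from the link MTU; and for CBC, budget minus overhead is not the answer until it is rounded down to a block boundary minus one (a 1400-byte budget with AES-128-CBC admits 1391 plaintext bytes, not 1400), which is why the pre-fix MSS could still produce packets one block too large.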
3 years agoDeprecate link-mtu
Arne Schwabe [Sat, 1 Jan 2022 16:25:19 +0000 (17:25 +0100)] 
Deprecate link-mtu

This option might have been useful in the past but nowadays it has very
unclear semantics, so better remove/deprecate it.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220101162532.2251835-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23496.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agoFix a potential memory leak in tls_ctx_use_management_external_key
Selva Nair [Thu, 20 Jan 2022 16:26:45 +0000 (11:26 -0500)] 
Fix a potential memory leak in tls_ctx_use_management_external_key

Reported-By: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20220120162645.13881-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23610.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agoDo not error when md_kt_size() is called with mdname="none"
Selva Nair [Fri, 21 Jan 2022 18:57:52 +0000 (13:57 -0500)] 
Do not error when md_kt_size() is called with mdname="none"

An easy way to trigger this error is to run an otherwise working setup
(at say verb = 4) with increased verbosity of verb >= 7 and using a GCM
cipher (e.g., AES-256-GCM). It will cause a fatal exit while printing the
cipher and hmac in key2_print().

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220121185752.14138-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23631.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agoxkey: fix msvc build
Lev Stipakov [Fri, 21 Jan 2022 05:22:58 +0000 (07:22 +0200)] 
xkey: fix msvc build

 - use sizeof(void *) since msvc doesn't support sizeof of function ptr

 - use XKEY_PROV_PROPS macro instead of props since msvc
  requires constant expression in aggregate initializers

Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20220121052259.508-2-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23643.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agoSupport PSS signing using pkcs11-helper >= 1.28
Selva Nair [Tue, 25 Jan 2022 02:51:28 +0000 (21:51 -0500)] 
Support PSS signing using pkcs11-helper >= 1.28

- Call pkcs11h_certificate_signAny_ex() when available
  so that the signature mechanism parameters can be passed.
  (Required for RSA-PSS signature).

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220125025128.2117-3-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23647.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agoFix max saltlen calculation in cryptoapi.c
Selva Nair [Tue, 25 Jan 2022 02:51:27 +0000 (21:51 -0500)] 
Fix max saltlen calculation in cryptoapi.c

(nbits - 1)/8 should have been rounded up. Fix and move it to
an inlined function for reuse in pkcs11_openssl.c (used in the
next commit).

Note: The error is not triggered in normal use as OpenSSL
always seems to use saltlen="digest" for signing.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220125025128.2117-2-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23648.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
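The rounding this commit corrects, worked as an added example (not the cryptoapi.c or pkcs11_openssl.c code): RFC 8017 section 9.1.1 sets emLen = ceil((modBits - 1) / 8) and bounds the salt at emLen - hLen - 2, so a truncating (nbits - 1)/8 is one byte short for every 2048-bit key. The sentinel values are OpenSSL's RSA_PSS_SALTLEN_* constants restated here so the block builds without OpenSSL headers; pss_resolve_saltlen() is my own illustration of what a backend must do before it can fill a CNG or PKCS#11 mechanism parameter, and hlen = 32 in the checks stands for SHA-256.

```c
/* OpenSSL's RSA-PSS salt-length sentinels (same values as <openssl/rsa.h>). */
#define PSS_SALTLEN_DIGEST (-1)   /* salt length = digest length */
#define PSS_SALTLEN_AUTO   (-2)   /* verify: recover from signature; sign: same as MAX */
#define PSS_SALTLEN_MAX    (-3)   /* largest salt that fits the encoded message */

/* RFC 8017 9.1.1: emBits = modBits - 1, emLen = ceil(emBits / 8),
 * and sLen <= emLen - hLen - 2. Rounds emLen *up*. */
static int pss_max_saltlen(int modbits, int hlen)
{
    int emlen = (modbits - 1 + 7) / 8;   /* ceil division */
    return emlen - hlen - 2;
}

/* The pre-fix arithmetic, kept for comparison: truncating (modbits-1)/8
 * undercounts emLen by one whenever modbits-1 is not a multiple of 8,
 * which is the case for 2048, 3072 and 4096-bit keys alike. */
static int pss_max_saltlen_truncated(int modbits, int hlen)
{
    return (modbits - 1) / 8 - hlen - 2;
}

/* Map the salt length OpenSSL asks for onto the concrete byte count a signing
 * backend needs. Returns -1 when the request cannot fit the key/digest pair,
 * so the caller can refuse instead of producing an invalid signature. */
static int pss_resolve_saltlen(int modbits, int hlen, int requested)
{
    int max = pss_max_saltlen(modbits, hlen);
    int slen;
    switch (requested) {
        case PSS_SALTLEN_DIGEST: slen = hlen; break;
        case PSS_SALTLEN_AUTO:
        case PSS_SALTLEN_MAX:    slen = max;  break;
        default:                 slen = requested; break;
    }
    if (slen < 0 || slen > max) return -1;
    return slen;
}
```

As the commit notes, OpenSSL normally signs with the digest-length salt (32 for SHA-256), far below either bound, so the off-by-one only bites when a caller explicitly asks for the maximum salt; resolving it through the rounded-up formula makes that request succeed with 222 bytes for RSA-2048/SHA-256 instead of a short 221.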
3 years agoxkey: Use a custom error level for debug messages
Selva Nair [Tue, 25 Jan 2022 02:51:26 +0000 (21:51 -0500)] 
xkey: Use a custom error level for debug messages

D_XKEY = loglev(6, 69, M_DEBUG) is defined and used for
all low level debug messages from xkey_provider.c and
xkey_helper.c

As suggested by Arne Schwabe <arne@rfc2549.org>

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220125025128.2117-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23649.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agoupdate copyright year to 2022
Antonio Quartulli [Tue, 25 Jan 2022 14:24:56 +0000 (15:24 +0100)] 
update copyright year to 2022

Update performed by means of: dev-tools/update-copyright.sh

Cc: David Sommerseth <davids@openvpn.net>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20220125142456.18176-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23650.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years agounit-test: fix test_crypto when USE_COMP is not defined
Antonio Quartulli [Fri, 21 Jan 2022 14:43:13 +0000 (15:43 +0100)] 
unit-test: fix test_crypto when USE_COMP is not defined

This unit-test did not consider the case when USE_COMP is not defined,
thus generating a compiler error.

Adapt the test to the case when no compression is available.

Cc: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220121144313.24961-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23628.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years ago
GitHub Actions: add other config flavours
Antonio Quartulli [Fri, 21 Jan 2022 13:39:00 +0000 (14:39 +0100)] 
GitHub Actions: add other config flavours

In the past we had issues with patches accidentally breaking less common
OpenVPN configurations. For this reason it makes sense to have some of those
configurations built via CI.

Adding:
* --enable-iproute2
* --enable-async-push
* --disable-management
* --enable-small
* --disable-lzo --disable-lz4

These flavours are all built on Ubuntu 20.04 with OpenSSL 1.1.1

Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220121133900.14567-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23624.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years ago
vcpkg-ports/pkcs11-helper: indicate OpenSSL EC support
Lev Stipakov [Tue, 11 Jan 2022 15:06:47 +0000 (17:06 +0200)] 
vcpkg-ports/pkcs11-helper: indicate OpenSSL EC support

We always build with OpenSSL >= 1.1.1, which has EC support.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220111150647.267-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23527.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years ago
vcpkg-ports/pkcs11-helper: bump to release 1.28
Lev Stipakov [Tue, 11 Jan 2022 15:06:05 +0000 (17:06 +0200)] 
vcpkg-ports/pkcs11-helper: bump to release 1.28

This release has merged the openssl 1.1.1 support patch,
so our own patch could be removed from the port.

Remove unconditional /release flag, which is added by vcpkg
for release builds. Having this flag unconditionally breaks vcpkg
debug builds.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220111150605.208-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23526.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years ago
tun: remove tun_finalize()
Lev Stipakov [Mon, 17 Jan 2022 09:49:17 +0000 (11:49 +0200)] 
tun: remove tun_finalize()

tun_finalize() is essentially a subset of socket_finalize() apart from:

 - using WSAFoo() functions instead of Foo()

 - "from" address is not returned

There is no clear official statement that one can use the non-WSA
API on handles, so let's be on the safe side and use both.

Introduce the sockethandle_t abstraction, which represents a
socket and a handle. Add SocketHandle* routines which call the
proper API depending on the underlying type in the abstraction.

Rename socket_finalize() to sockethandle_finalize(), take
sockethandle_t and new routines into use and kick tun_finalize().

Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20220117094917.178-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23555.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years ago
crypto: Fix OPENSSL_FIPS enabled builds
David Sommerseth [Wed, 19 Jan 2022 18:21:26 +0000 (19:21 +0100)] 
crypto: Fix OPENSSL_FIPS enabled builds

On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS
module enabled by default.  On these platforms, the OPENSSL_FIPS macro
is always defined via /usr/include/openssl/opensslconf-*.h.

Without this fix, the following compilation error appears:

  ./src/openvpn/crypto.c: In function ‘print_cipher’:
  ./src/openvpn/crypto.c:1707:43: error: ‘cipher’ undeclared (first use in
this function); did you mean ‘iphdr’?
       if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
                                           ^~~~~~
The EVP_CIPHER_fetch() and EVP_CIPHER_free() methods are also provided
via openssl_compat.h for versions older than OpenSSL 3.0.

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220119182126.56880-1-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23570.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years ago
Add a unit test for external key provider
Selva Nair [Thu, 20 Jan 2022 16:16:16 +0000 (11:16 -0500)] 
Add a unit test for external key provider

Tests:
- Check SIGNATURE and KEYMGMT methods can be fetched
  from the provider
- Load sample RSA and EC keys as management-external-key
  and check that their sign callbacks are correctly exercised:
  with and without digest support mocked in the client
  capability flag.
- Test generic key load and signature

v4: 16/18 and 17/18 of v3 squashed into one patch

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220120161616.13447-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23608.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years ago
Enable signing using CNG through xkey provider
Selva Nair [Tue, 14 Dec 2021 16:59:25 +0000 (11:59 -0500)] 
Enable signing using CNG through xkey provider

- Add xkey_cng_sign() as sign_op for the provider
  and load the key using xkey_generic_load.

- Enable/Disable old code when provider is available or not.

- xkey_digest is made non-static for use in cryptoapi.c

One function, cng_padding_type(), is moved down to reduce the number
of ifdefs.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20211214165928.30676-16-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23444.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years ago
pkcs11: Interface the xkey provider with pkcs11-helper
Selva Nair [Tue, 14 Dec 2021 16:59:24 +0000 (11:59 -0500)] 
pkcs11: Interface the xkey provider with pkcs11-helper

- Load the 'private key' handle through the provider and set it in
  SSL_CTX
- Add a sign op function to interface provider with pkcs11-helper.
  Previously we used its "OpenSSL Session" which internally sets up
  callbacks in RSA and EC key methods. Not useful for the provider
  interface, so, we directly call the PKCS#11 sign operation
  as done with mbedTLS.
- tls_libctx is made global for accessing from pkcs11_openssl.c

  Supports ECDSA and RSA_PKCS1_PADDING signatures. PSS support
  will be added when pkcs11-helper with our PR for specifying
  CK_MECHANISM variable in sign operations is released.
  (i.e., next release of pkcs11-helper).

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20211214165928.30676-15-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23442.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
3 years ago
Add a generic key loading helper function for xkey provider
Selva Nair [Tue, 14 Dec 2021 16:59:23 +0000 (11:59 -0500)] 
Add a generic key loading helper function for xkey provider

- Load keys by specifying the opaque private key handle,
  public key, sign-op and free-op required for loading keys
  from Windows store and pkcs11.

- xkey_load_management_key is refactored to use the new function

- Also make xkey_digest non-static

Used in the following commits to load CNG and pkcs11 keys

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20211214165928.30676-14-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23436.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>