Steffan Karger [Fri, 5 Jan 2024 13:57:42 +0000 (14:57 +0100)]
Fix IPv6 route add/delete message log level
We have D_ROUTE for route addition/deletion messages, which prints at
loglevel 3. Use that for IPv6, like we do for IPv4 to reduce terminal
spam for non-legacy-networking setups. Prvious code would print the
messages at --verb 1.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240105135742.21174-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27954.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b959b02b4f607628896b4092f7ddfa675e87d929)
Arne Schwabe [Fri, 5 Jan 2024 14:05:40 +0000 (15:05 +0100)]
Make it more explicit and visible when pkg-config is not found
Users seem to struggle to read the full error message. This adds an
indication if pkg-config is actually found to the warning/error message
that use pkg-config.
On platforms that do not require pkg-config and for optional libraries,
the existence of pkg-config is mentioned as part of the error/warning message.
When found:
configure: error: libnl-genl-3.0 package not found or too old. Is the development package and pkg-config (/usr/bin/pkg-config) installed? Must be version 3.4.0 or newer for DCO
not found:
configure: error: libnl-genl-3.0 package not found or too old. Is the development package and pkg-config (not found) installed? Must be version 3.4.0 or newer for DCO
On platforms where pkg-config is required (only Linux at the moment),
configure will abort when not detecting pkg-config:
checking for pkg-config... no
configure: error: pkg-config is required
Change-Id: Iebaa35a23e217a4cd7739af229cbfc08a3d8854a Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20240105140540.14757-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27939.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c0f38019b4a2044c1fe873d7d33c13ce571d3386)
Arne Schwabe [Thu, 4 Jan 2024 14:02:14 +0000 (15:02 +0100)]
Check PRF availability on initialisation and add --force-tls-key-material-export
We now warn a user if the TLS 1.0 PRF is not supported by the cryptographic
library of the system. Also add the option --force-tls-key-material-export
that automatically rejects clients that do not support TLS Keying Material
Export and automatically enable it when TLS 1.0 PRF support is not available.
Change-Id: I04f8c7c413e7cb62c726262feee6ca89c7e86c70 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240104140214.32196-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27924.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit fa7960961415fa4f368e9bbb39dc4047680ff30c)
Gert Doering [Mon, 1 Jan 2024 09:27:14 +0000 (10:27 +0100)]
get_default_gateway() HWADDR overhaul
commit f13331005d5a7 (gerrit/454) most painfully works around the limitations
of the SIOCGIFCONF API, with struct member access on an unaligned buffer,
possibly overrunning sockaddr structures, etc. - and the result still did
not work on OpenSolaris and OpenBSD (no AF_LINK in the returned elements).
Reading through OpenBSD "ifconfig" source, I found getifaddrs(3), which
is exactly what we want here - it works on FreeBSD, NetBSD, OpenBSD and
MacOS, and all returned pointers are properly aligned, so the code gets
shorter, easier to read, and UBSAN is still happy.
OpenSolaris does have getifaddrs(3), but (surprise) it does not work, as
in "it does not return AF_LINK addresses". It does have SIOCGIFHWADDR,
instead, and "man if_tcp" claims "should behave in a manner compatible
with Linux" - so TARGET_SOLARIS gets a copy of the Linux code now (works).
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20240101092714.18992-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27891.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 76d11614797617708c31dc3db22e3568fee3de6d)
Gert Doering [Mon, 1 Jan 2024 09:40:54 +0000 (10:40 +0100)]
OpenBSD: repair --show-gateway
OpenBSD route sockets do not want to be passed RTA_IFP on RTM_GET
- if we do this, we get back EINVAL.
On other platforms, if we do not request RTA_IFP, we will not get
back interface information for queried routes - on OpenBSD, RTA_IFP
comes back always...
So we need to #ifdef this, RTA_IFP on all platforms except OpenBSD.
(Found this fix in OpenBSD's ports tree, in their patches for OpenVPN
2.6.8 - but they just remove RTA_IFP, no #ifdef, so we can't just apply
their patch)
While at it, add M_ERRNO to the "write to routing socket" error message.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20240101094054.38869-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27892.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit acf6f33987c72d9151f68eb618bbaf2d10e61877)
Arne Schwabe [Sun, 31 Dec 2023 17:34:31 +0000 (18:34 +0100)]
Fix unaligned access in macOS, FreeBSD, Solaris hwaddr
The undefined behaviour USAN clang checker found this.
This fix is a bit messy but so are the original structures.
Since the API on Solaris/Illuminos does not return the AF_LINK
sockaddr type we are interested in, there is little value in
fixing the code on that platform to iterate through a list
that does not contain the element we are looking for.
Add includes stddef.h for offsetof and integer.h for max_int.
Change-Id: Ia797c8801fa9a9bc10b6674efde5fdbd7132e4a8 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231231173431.31356-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27885.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f13331005d5a75f2788685485d46be1fe2f133a1)
yatta [Thu, 19 Oct 2023 17:12:13 +0000 (01:12 +0800)]
fix(ssl): init peer_id when init tls_multi
When openvpn run in UDP server mode, if ssl connections reach the
max clients, the next connection would be failed in `multi_create_instance`
and the half connection will be close in `multi_close_instance`, which
may lead array `m->instances[0]` covered unexpectedly and make the
first connection interrupt, this patch fix this problem by init `peer_id`
with `MAX_PEER_ID` in `tils_multi_init`.
Signed-off-by: yatta <ytzhang01@foxmail.com Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <tencent_C49D67EAA5678D180C293706A9469EFE8307@qq.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27260.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3e30504d86f0fe5556acc0cb8e6975c5b2277661)
Arne Schwabe [Wed, 13 Dec 2023 10:53:08 +0000 (11:53 +0100)]
Extend the error message when TLS 1.0 PRF fails
This error will probably become more and more common in the future when
more and more systems will drop TLS 1.0 PRF support. We are already
seeing people stumbling upon this (see GitHub issue #460)
are not very helpful for people that do not have deep understanding
of TLS or the OpenVPN protocol. Improve this message to give a normal
user a chance to understand that the peer needs to be OpenVPN 2.6.x or
newer.
Change-Id: Ib3b64b52beed69dc7740f191b0e9a9dc9af5b7f3 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231213105308.121460-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27796.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6ff816142c1acdaee149c4daabb297fefc2ccde0)
Lev Stipakov [Wed, 20 Dec 2023 13:36:37 +0000 (14:36 +0100)]
tun.c: don't attempt to delete DNS and WINS servers if they're not set
Commits
1c4a47f7 ("wintun: set adapter properties via interactive service") 18826de5 ("Set WINS servers via interactice service")
added functionality of add/remove DNS/WINS via interactive
service, which is used mostly by dco-win and wintun (tap-windows6
normally uses DHCP). There is a check in code - if DNS/WINS addresses
are not pushed, nothing is added.
However, due to bug we always attempted to remove DNS/WINS,
even if nothing was added. Removing WINS, for example, could take
up to 3 seconds.
This change fixes this by improving check "has DNS/WINS been pushed?".
While on it, convert do_XXX_service() functions to "void" from "bool",
since we never check their return values.
Change-Id: I21a36d24f8e213c780f55acbe3e4df555c93542a Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231220133637.60996-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27843.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c590868a721881dd21bfb77ecf846e6c8720e4ef)
David Sommerseth [Wed, 22 Nov 2023 19:00:57 +0000 (20:00 +0100)]
Remove superfluous x509_write_pem()
After removing --tls-export-cert, this function was left in the code
base with no other users. This was an oversight in the previous
change. Removing it to avoid leaving dead code behind.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231122190057.120384-1-dazo+openvpn@eurephia.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27561.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f015643fe23d7847ad45b7763f31bfc6baed2159)
David Sommerseth [Wed, 22 Nov 2023 14:31:01 +0000 (15:31 +0100)]
Remove --tls-export-cert
As OpenVPN 2.6+ is doing some adoptions to the license text, all
prior contributors need to accept this new text. Unfortunately, Mathieu
Giannecchini who implemented the --tls-export-cert feature did not
respond at all. Without an explicit acceptance we need to remove this
feature to avoid potential legal complications.
If this is still a wanted feature, it will need to be re-implemented
from scratch.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231122143101.58483-1-dazo+openvpn@eurephia.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27557.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 12c5ef1fe6a6010362f3098d11b554566687c1f7)
Arne Schwabe [Tue, 28 Nov 2023 10:39:50 +0000 (11:39 +0100)]
Remove compat versionhelpers.h and remove cmake/configure check for it
The cmake file defined that file to be never present in contrast to the
old msvc-config.h that always had it present.
Remove also the compat implementation taken from mingw. All our current
build environments already have that header in place.
Change-Id: I9c85ccab6d51064ebff2c391740ba8c2d044ed1a Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20231128103950.62407-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27573.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a68595a582b2c6c220b4f4502753d5f4154000d8)
Recent autoconf warns:
configure.ac:448: warning: The macro `AC_TYPE_SIGNAL' is obsolete.
And it turns out that we do not actually use RETSIGTYPE.
Additionally, there is no reason to do so since as the
autoconf documentation says:
"These days, it is portable to assume C89, and that signal
handlers return void, without needing to use this macro or
RETSIGTYPE."
Change-Id: I7da7c2d7d34c7e5efd52d448646b4398a1005e77 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231128103740.61160-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27572.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit be05b590e8d5edebd8e35d97af34b0ba7e5350e6)
Arne Schwabe [Tue, 28 Nov 2023 10:43:59 +0000 (11:43 +0100)]
Fix check_session_buf_not_used using wrong index
The inner loop used i instead of j when iterating through the buffers.
Since i is always between 0 and 2 and ks->send_reliable->size is
(when it is defined) always 6 (TLS_RELIABLE_N_SEND_BUFFERS) this does not
cause an index of out bounds. So while the check was not doing anything
really useful with i instead of j, at least it was not crashing or
anything similar.
Noticed-By: Jon Williams (braindead-bf) on Github issue #449
Change-Id: Ia3d5b4946138df322ebcd9e9e77d04328dacbc5d Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231128104359.62967-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27576.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 59551b93cdb55397d63b2fe58ad99612821c0faf)
Reynir Björnsson [Thu, 26 Oct 2023 14:55:32 +0000 (16:55 +0200)]
protocol_dump: tls-crypt support
Add support for tls-crypt packets in protocol_dump(). Currently,
protocol_dump() will print garbage for tls-crypt packets.
This patch makes protocol_dump print the clear text parts of the packet such
as the auth tag and replay packet id. It does not try to print the wKc for
HARD_RESET_CLIENT_V3 or CONTROL_WKC_V1 packets. It also intentionally
does not print ENCRYPTED placeholders for ack list and DATA, to cut down
on the noise.
Signed-off-by: Reynir Björnsson <reynir@reynir.dk> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <8237adde-2523-9e48-5cd4-070463887dc1@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27310.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 227799b8345128dd3adf2029323457804209fe93)
Lev Stipakov [Wed, 15 Nov 2023 12:06:23 +0000 (13:06 +0100)]
Make --dns options apply for tap-windows6 driver
When tap-windows6 driver is used, both --dhcp-option and
--dns options are applied with DHCP. When processing --dns options,
we don't set "tuntap_options.dhcp_options" member, which is required
for DHCP string to be sent to the driver. As a result, --dns options
are not applied at all.
Fix by adding missing assignment of tuntap_options.dhcp_options.
Github: fixes OpenVPN/openvpn#447
Change-Id: I24f43ad319bd1ca530fe17442d02a97412eb75c7 Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231115120623.6442-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27402.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 60def50420b050e628f4388e3c9ff771eb70a549)
Arne Schwabe [Wed, 15 Nov 2023 10:33:31 +0000 (11:33 +0100)]
Do not check key_state buffers that are in S_UNDEF state
When a key_state is in S_UNDEF the send_reliable is not initialised. So
checking it might access invalid memory or null pointers.
Github: fixes OpenVPN/openvpn#449
Change-Id: I226a73d47a2b1b29f7ec175ce23a806593abc2ac
[a@unstable.cc: add check for !send_reliable and message] Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231115103331.18050-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27401.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a903ebe9361d451daee71c225e141f4e1b67107d)
platform.c: Do not depend Windows build on HAVE_CHDIR
This broke in the CMake build since previously we
just always set HAVE_CHDIR to 1 in the MSVC build.
But actually the code should just not check HAVE_CHDIR
on Windows.
Github: fixes OpenVPN/openvpn#448
Change-Id: I0c78ce452135fe2c80275da449215ba926471018 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20231111081808.30967-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27362.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 012ea92c414282488e3d60c87452849bde64aac4)
Arne Schwabe [Fri, 27 Oct 2023 12:19:37 +0000 (14:19 +0200)]
Fix using to_link buffer after freed
When I refactored the tls_state_change method in 9a7b95fda5 I accidentally changed a break into
a return true while it should return a false.
The code here is extremely fragile in the sense
that it assumes that settings a keystate to S_ERROR
cannot have any outgoing buffer or we will have a
use after free. The previous break and now restored
return false ensure this by skipping any further
tls_process_state loops that might set to ks->S_ERROR
and ensure that the to_link is sent out and cleared
before having more loops in tls_state_change.
CVE: 2023-46850
This affects everyone, even with tls-auth/tls-crypt enabled.
Change-Id: I2a0f1c665d992da8e24a421ff0ddcb40f7945ea8 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: David Sommerseth <davids@openvpn.net> Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20231108124947.76816-3-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20231108124947.76816-3-gert@greenie.muc.de Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 25 Oct 2023 15:46:24 +0000 (17:46 +0200)]
Double check that we do not use a freed buffer when freeing a session
This is a find cases where the session already has planned to send out
a packet but encounters some other errors that invalidate the session,
setting it to S_ERROR and leaving the buffer behind.
This will detect and clear that to_link buffer in that case.
Change-Id: I5ffb41bed1c9237946b13d787eb4c4013e0bec68 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: David Sommerseth <davids@openvpn.net> Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20231108124947.76816-2-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20231108124947.76816-2-gert@greenie.muc.de Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 19 Oct 2023 13:14:33 +0000 (15:14 +0200)]
Remove saving initial frame code
This code was necessary before the frame/buffer refactoring as we
always did relative adjustment to the frame.
This also fixes also that previously initial_frame was initialised too
early before the fragment related options were initialised and contained
0 for the maximum frame size. This resulted in a DIV by 0 that caused an
abort on platforms that throw an exception for that.
CVE: 2023-46849
Only people with --fragment in their config are affected
Change-Id: Icc612bab5700879606290639e1b8773f61ec670d Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: David Sommerseth <davids@openvpn.net> Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20231108124947.76816-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20231108124947.76816-1-gert@greenie.muc.de Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Sun, 22 Oct 2023 08:27:40 +0000 (10:27 +0200)]
dco: warn if DATA_V1 packets are sent to userspace
Servers 2.4.0 - 2.4.4 support peer-id and AEAD ciphers,
but only send DATA_V1 packets. With DCO enabled on the
client, connection is established but not working.
This is because DCO driver(s) are unable to handle
DATA_V1 packets and forwards them to userspace, where
they silently disappear since crypto context is in
DCO and not in userspace.
Starting from 2.4.5 server sends DATA_V2 so problem
doesn't happen.
We cannot switch to non-DCO on the fly, so we log this
and advice user to upgrade the server to 2.4.5 or newer.
Github: fixes OpenVPN/openvpn#422
Change-Id: I8cb2cb083e3cdadf187b7874979d79af3974e759 Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231022082751.8868-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27272.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit df7beea404df48745a608c584d863c5a377b7a1e)
Arne Schwabe [Fri, 6 Oct 2023 11:19:10 +0000 (13:19 +0200)]
Remove openssl engine method for loading the key
This is a contribution for loading engine key. OpenSSL engine is
deprecated since OpenSSL 3.0 and James Bottomley has not agreed to
the proposed license chagne. He is also okay with removing the
feature from the current code base as it is obsolete with OpenSSL 3.0.
Arne Schwabe [Mon, 9 Oct 2023 10:57:14 +0000 (12:57 +0200)]
Add warning for the --show-groups command that some groups are missing
OpenSSL has a weird way of only reporting EC curves that are implemented
in a certain way in the list of all EC curves. Note this fact and point
out that also the very important curves X448 and X25519 are affected.
Change-Id: I86641bf60d62a50e9b2719e809d2429d65c00097 Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231009105714.34598-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27193.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a840d5099a7d1a5ceb752c481fc345f6385719df)
Selva Nair [Sun, 1 Oct 2023 17:49:20 +0000 (13:49 -0400)]
Log OpenSSL errors on failure to set certificate
Currently we log a bogus error message saying private key password
verification failed when SSL_CTX_use_cert_and_key() fails in
pkcs11_openssl.c. Instead print OpenSSL error queue and exit promptly.
Also log OpenSSL errors when SSL_CTX_use_certiifcate() fails in
cryptoapi.c and elsewhere. Such logging could be useful especially when
the ceritficate is rejected by OpenSSL due to stricter security
restrictions in recent versions of the library.
Change-Id: Ic7ec25ac0503a91d5869b8da966d0065f264af22 Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20231001174920.54154-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27122.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 2671dcb69837ae58b3303f11c1b6ba4cee8eea00)
CMake: backport CMake buildsystem from master to release/2.6
This is based on the initial CMake patch by
Arne Schwabe, but extends that to provide
a complete replacement for existing MinGW
build (autotools based) and MSVC build
(openvpn.sln).
The following features are added while switching
these builds to CMake:
- vcpkg support for MinGW build, allowing for
trivial cross-compilation on Linux
- Add unittests to MSVC build
- Rework MSVC config header generation, removing
need for separate headers between autotools
and MSVC
The following advantages are reasons for switching
to CMake over the existing MSVC build:
- Easier to maintain CMake files without IDE
than the sln and vcxproj files
- Able to maintain MSVC and MinGW build side-by-side
The plan is to completely remove the existing MSVC
build system but leave the existing autotools builds
in place as-is, including MinGW support.
CMake is not the intended build system for Unix-like
platforms and there are no current plans to switch
to it.
This commits squashes a lot of commits from master
together, since most of them are just fixes or
enhancements for the original CMake commit. The
decisions was not to bloat the release/2.6 commit
history with these detours.
Arne Schwabe [Mon, 25 Sep 2023 09:44:09 +0000 (11:44 +0200)]
Mock openvpn_exece on win32 also for test_tls_crypt
This function is needed to commpile on win32 as run_command.c defines it
on Unix Linux but on windows it is defined in win32.c which pulls in too
many other unresolvable symbols.
Patch v2: Also add mock_win32_execve.c to automake files
Change-Id: I8c8fe298eb30e211279f3fc010584b9d3bc14b4a Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Heiko Hund <heiko@openvpn.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit ede590e57c96c2b16d9bf462c4b1dd967b37c432)
Message-Id: <20230925094409.40429-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27097.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Since we use strlen() to determine the length
and then check it ourselves, there is really
no point in using strncpy.
But the compiler might complain that we use
the output of strlen() for the length of
strncpy which is usually a sign for bugs:
error: ‘strncpy’ specified bound depends
on the length of the source argument
[-Werror=stringop-overflow=]
Warning was at least triggered for
mingw-gcc version 10-win32 20220113.
Also change the type of len to size_t
which avoids potential problems with
signed overflow.
v2:
- make len size_t and change code to avoid any theoretical overflows
- remove useless casts
v3:
- fix off-by-one introduced by v2 %)
v4:
- ignore unsigned overflow to simplify code
Change-Id: If4a67adac4d2e870fd719b58075d39efcd67c671 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Antonio Quartulli <a@unstable.cc> Acked-by: Heiko Hund <heiko@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c89a97e449baaf60924a362555d35184f188a646)
Message-Id: <20230922160441.167168-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27085.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
GHA: new workflow to submit scan to Coverity Scan service
Not on every push due to submit limits.
Use caching to not submit a scan for the same git commit
twice. Since we have many days without pushes to master
this saves a lot of Github and Coverity resources.
v2:
- add caching to not submit redundant scans
Change-Id: I302ccc82f9d5c43b58350bbbf7f16ad1c559248f Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230911110735.34491-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27001.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 607ae9b821665dadb6bd0a3ceb6288bda10d5e67)
No DNS resolver currently supports this and it is not possible to
emulate the behavior without the chance of errors. Finding the
effective default system DNS server(s) to specify the exclude
DNS routes is not trivial and cannot be verified to be correct
without resolver internal knowledge. So, it is better to not
support this instead of supporting it, but incorrectly.
Change-Id: I7f422add22f3f01e9f47985065782dd67bca46eb Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20230922104334.37619-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27008.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b7eea48708ee73a5999f98626fb8d31d8f88ea6f)
Lev Stipakov [Fri, 22 Sep 2023 10:50:55 +0000 (12:50 +0200)]
Warn user if INFO control command is too long
"INFO_PRE,..." command length is limited to 256 bytes. If the server
implementation pushes command which is too long, warn the user and
don't send the truncated command to a management client.
Change-Id: If3c27a2a2ba24f2af0e3e3c95eea57ed420b2542 Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230922105055.37969-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27062.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit df624fb6d63db6b2a3b0c40597cee74c61b8ab2c)
dco: fix crash when --multihome is used with --proto tcp
Although it's a combination of options that is not really useful,
when specifying --multihome along with --proto tcp and DCO is enabled,
OpenVPN will crash while attempting to access c2.link_socket_actual
(NULL for the TCP case) in order to retrieve the local address (in
function dco_multi_get_localaddr())
Prevent crash by running this code only if proto is UDP.
The same check is already performed in socket.c/h for the non-DCO
case.
Github: fixes OpenVPN/openvpn#390
Change-Id: I61adc26ce2ff737e020c3d980902a46758cb23e5 Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230815231555.6465-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26953.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 0793eb105c5720c4eb31af71c9db81459439e510)
configure: disable engines if OPENSSL_NO_ENGINE is defined
Starting with LibreSSL 3.8.1 the engines have been removed which causes
the OpenVPN build to fail. This can be solved during configure by
checking if OPENSSL_NO_ENGINE is defined in opensslconf.h.
Signed-off-by: orbea <orbea@riseup.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230909134956.5902-1-orbea@riseup.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26994.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 34bf473e19118eecf525e7401ef37b1cbf661e67)
Gert Doering [Mon, 14 Aug 2023 06:04:09 +0000 (08:04 +0200)]
Make received OCC exit messages more visible in log.
Currently, OCC exit messages are only logged at some high debug level
(and if OpenVPN compiled with DEBUG), while control-channel EEN messages
are logged on verb 1. Make this consistent, both in wording and in
log level.
Both messages are prefixed with the "channel" where the exit message
came in.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230814060409.50742-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26949.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 5f910a42b86e90f1893a668ee280422b6587ada1)
Arne Schwabe [Fri, 11 Aug 2023 12:15:03 +0000 (14:15 +0200)]
show extra info for OpenSSL errors
This also shows the extra data from the OpenSSL error function that
can contain extra information. For example, the command
openvpn --providers vollbit
will print out (on macOS):
OpenSSL: error:12800067:DSO support routines::could not load the shared library:filename(/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib): dlopen(/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib, 0x0002): tried: '/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib' (no such file), '/System/Volumes/Preboot/Cryptexes/OS/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib' (no such file), '/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib' (no such file)
Patch v2: Format message more like current messages
Change-Id: Ic2ee89937dcd85721bcacd1b700a20c640364f80 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20230811121503.4159089-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26929.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 0f8485f2870277fb7ccdb4097380e35dc35b064e)
The code was not very clear if we accept the base64 decode if the
NTLM challenge was truncated or not. Move the related code lines
closer to where buf is first used and comment that we are not concerned
about any truncation.
If the decoded result is truncated, the NTLM server side will reject
our new response to the challenge as it will be incorrect. The
buffer size is fixed and known to be in a cleared state before the
decode starts.
Resolves: TOB-OVPN-14 Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230802113149.36497-1-dazo+openvpn@eurephia.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26919.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f19391139836aa07312cf5b3ebbd00941d22ddc7)
Lev Stipakov [Thu, 27 Jul 2023 15:47:06 +0000 (18:47 +0300)]
Set WINS servers via interactice service
At the moments WINS servers are set either:
- via DHCP, which works only for tap-windows6 driver
- via netsh when running without interactice service
This means that in 2.6 default setup (interactive service and dco)
WINS is silently ignored.
Add WINS support for non-DHCP drivers (like dco) by passing
WINS settings to interactive service and set them there with
netsh call, similar approach as we use for setting DNS.
Arne Schwabe [Wed, 24 May 2023 13:24:24 +0000 (15:24 +0200)]
Implement using --peer-fingerprint without CA certificates
This is implements --peer-fingerprint command to support OpenVPN
authentication without involving a PKI.
The current implementation in OpenVPN for peer fingerprint has been already
extensively rewritten from the original submission from Jason [1]. The
commit preserved the original author since it was based on Jason code/idea.
This commit is based on two previous commits that prepare the infrastructure
to use a simple to use --peer-fingerprint directive instead of using
a --tls-verify script like the v1 of the patch proposed. The two commits
preparing this are:
- Extend verify-hash to allow multiple hashes
- Implement peer-fingerprint to check fingerprint of peer certificate
These preceding patches make this actual patch quite short. There are some
lines in this patch that bear some similarity to the ones like
if (!preverify_ok && !session->opt->verify_hash_no_ca)
vs
if (!preverify_ok && !session->opt->ca_file_none)
But these similarities are one line fragments and dictated by the
surrounding style and program flow, so even a complete black box
implementation will likely end up with the same lines.
Arne Schwabe [Wed, 12 Jul 2023 09:46:20 +0000 (11:46 +0200)]
Ignore Ipv6 route delete request on Android and set ipv4 verbosity to 7
Android has no facility nor need one to delete routes as routes are
automatically cleaned up when the tun interface is closed. Also adjust
the IPv4 message to be only shown and verb 7 and rephrase the message.
Change-Id: If8f920d378c31e9ea773ce1f56f3df50f1ec36cd Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230712094620.569273-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26848.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ab01eaf49fa9341ff647206bd6e3017770cc0674)
Lev Stipakov [Fri, 14 Jul 2023 11:18:02 +0000 (14:18 +0300)]
manage.c: document missing KID parameter
Commit a261e173 ("Make sending plain text control message session
aware") added KID parameter to "client-pending-auth" management command,
but forgot to mention it in the output of management help.
Change-Id: I201bdaa5fe4020d15a9dd1674aba5e0c45170731 Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230714111802.1773-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26856.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f5201eedd4ea55414bf8310668a3d00e7bf8ea71)
Lev Stipakov [Mon, 10 Jul 2023 11:21:22 +0000 (14:21 +0300)]
tun.c: enclose DNS domain in single quotes in WMIC call
This is needed to support domains with hyphens.
Not using double quotes here, since our code replaces
them with underbars (see
https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/win32.c#L980).
Github: fixes OpenVPN/openvpn#363
Change-Id: Iab536922d0731635cef529b5caf542f637b8d491 Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20230710112122.576-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26841.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 4057814a8a783d4fb1475f49f073f6b3a7797677)
Arne Schwabe [Mon, 22 May 2023 09:12:31 +0000 (11:12 +0200)]
Print a more user-friendly error when tls-crypt-v2 client auth fails
While it might be clear to people being (too?) well versed in
typical crypto applications that an authentication failure probably
mean wrong decryption key, this is not really obvious for the typical
user/server admin.
Change-Id: If0f0e7d53f915d39ab69aaaac43dc73bb9c26ae9 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230522091231.2837468-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26718.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7a477c16a7c2a7016c7b15ea98fe3c40e8ef675b)
Arne Schwabe [Mon, 22 May 2023 10:11:38 +0000 (12:11 +0200)]
Fix CR_RESPONSE mangaement message using wrong key_id
the management interface expects the management key id instead
of the openvpn key id. In the past they often were the same for low ids
which hid the bug quite well.
Also do not pick uninitialised keystates (management key_id is not valid
in these).
Patch v2: do not add logging
Change-Id: If9fa1165a0e886b570b3738546ed810a32367cbe Signed-off-by: Arne Schwabe <arne@rfc2549.org> Tested-By: Jemmy Wang
Github: fixes OpenVPN/openvpn#359 Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20230522101138.2842378-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26719.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 223baa9c9b818e4c542a9037f190f53ce6f7af5c)
When cross compiling for Windows with Ubuntu 23.04 mingw complains about
route.c:344:26: warning: ‘special.S_un.S_addr’ may be used uninitialized
which is wrong technically. However the workaround isn't really
intrusive and while there are other warnings caused by libtool, the
cmake mingw build completes with -Werror now.
Change-Id: I8a0f59707570722eab41af2db76980ced04e6d54 Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230706171922.752429-1-heiko@ist.eigentlich.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26831.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit d559affd313a8f995db15908887fbc8f16a24659)
Arne Schwabe [Sun, 27 Nov 2022 08:59:33 +0000 (09:59 +0100)]
fix warning with gcc 12.2.0 (compiler bug?)
Changing the argument of check_malloc_return from const void* to void*
removes the warning from gcc 12.2.0:
In file included from ../../../openvpn-git/src/openvpn/crypto_openssl.c:40:
../../../openvpn-git/src/openvpn/buffer.h: In function ‘hmac_ctx_new’:
../../../openvpn-git/src/openvpn/buffer.h:1030:9: warning: ‘ctx’ may be
used uninitialized [-Wmaybe-uninitialized]
1030 | check_malloc_return((dptr) = (type *)
malloc(sizeof(type))); \
| ^~~~~~~~~~~~~~~~~~~
../../../openvpn-git/src/openvpn/buffer.h:1076:1: note: by argument 1 of
type ‘const void *’ to ‘check_malloc_return’ declared here
1076 | check_malloc_return(const void *p)
| ^~~~~~~~~~~~~~~~~~~
This more a quick fix/heads up for other people encountering the issue
on GCC 12.2.0 like on Ubuntu 22.10 until we figure out if this is a bug in
our code or a compiler bug.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20221127085933.3487177-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25549.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 5ad793e8cab8fcccae93fe9442eca6a6de8c044c)
Sergey Korolev [Mon, 26 Jun 2023 13:09:39 +0000 (16:09 +0300)]
dco-linux: fix counter print format
Avoid compilation warnings on 32 bit platforms.
dco_linux.c: In function 'dco_update_peer_stat':
dco_linux.c:830:26: error: format '%lu' expects argument of type
'long unsigned int', but argument 4 has type 'counter_type'
{aka 'long long unsigned int'} [-Werror=format=]
830 | msg(D_DCO_DEBUG, "%s / dco_read_bytes: %lu", __func__,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
831 | c2->dco_read_bytes);
| ~~~~~~~~~~~~~~~~~~
| |
| counter_type {aka long long unsigned int}
Signed-off-by: Sergey Korolev <sergey.korolev@keenetic.com> Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20230626130939.3267280-1-sergey.korolev@keenetic.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26767.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 330bef679544b6a22d16a800c898927a785d74fc)
Selva Nair [Thu, 18 May 2023 17:33:45 +0000 (13:33 -0400)]
Interactive service: do not force a target desktop for openvpn.exe
Setting the desktop as "winsta0\default" does not always work when run
from a non-interactive session which may not have access to the
the window station "Winsta0". Leave this as NULL to let the system
automatically assign a window station and desktop.
Test runs on Win10 confirm that "Winsta0\Default" still gets selected
when run interactively (e.g., using the GUI or from task scheduler as
an interactive job). This is the same behaviour as now.
The change allows "interactive service" to be used for launching
OpenVPN from non-interactive sessions. For example, when service client
is a non-interactive task from the task scheduler, the default desktop
in a custom window station gets assigned to openvpn.exe.
Note that we already run openvpn.exe in a non-interactive window
station when directly launched by "automatic service".
Github: Fixes OpenVPN/openvpn-gui#626
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230518173345.2722530-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26705.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 244d9b7942dabf0297c8f689457eeb0f9fa0aa1e)
Selva Nair [Tue, 16 May 2023 02:42:32 +0000 (22:42 -0400)]
Correctly handle Unicode names for exit event
Currently we use the ANSI version of CreateEvent causing name of the
exit event to be interpreted differently depending on the code page
in effect. Internally all strings parsed from command line and config
file are stored as UTF8-encoded Uniode. When passed to Windows API calls,
these should be converted to UTF16 and wide character version of the API
should be used.
CreateEvent calls for unnamed events are left unchanged as there is no
text-encoding dependence in those cases.
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20230516024232.2680491-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26666.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 80b073b649fca54f5021f6b4ae45a1e74a07faea)
A fallout of my memleak investigation. These are
not leaks, we just assign a value that is never
read before overwritten. Not critical, but since
I already stumbled over it...
Change-Id: I761ea3d289f49a20e42a3d1bfccebce3c7447afe Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230515155407.38647-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26662.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b5cf76cbdc0d7ef2817b71f4611d99455e2d48ea)
projects / thirdparty / openvpn.git / log
