git.ipfire.org Git - thirdparty/openvpn.git/log
[2 years ago] dco-win: get driver version
Lev Stipakov [Sun, 8 Oct 2023 11:27:55 +0000 (13:27 +0200)] 
dco-win: get driver version

Print dco-win driver version using the new ioctl.
Requires dco-win driver 1.0.0 or newer to work.

Change-Id: I1d0d909e7fca3f51b5c848f1a771a989ab040f17
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231008112755.23568-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27174.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e8e5f8a4c4f8e01dc7317ac87a85d3204882d6bf)

[2 years ago] Print peer temporary key details
Arne Schwabe [Mon, 9 Oct 2023 10:55:18 +0000 (12:55 +0200)] 
Print peer temporary key details

The peer temporary key in a TLS session is related to the PFS
exchange/generation. From the SSL_get_peer_tmp_key manual page:

   For example, if ECDHE is in use, then this represents the
   peer's public ECDHE key.

Change-Id: Iaf12bb51a2aac7bcf19070f0b56fa3b1a5863bc3
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231009105518.34432-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27192.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 4e80aac451b99d5cc0b0cf268ca678e602959191)

[2 years ago] Add warning for the --show-groups command that some groups are missing
Arne Schwabe [Mon, 9 Oct 2023 10:57:14 +0000 (12:57 +0200)] 
Add warning for the --show-groups command that some groups are missing

OpenSSL has a weird way of only reporting EC curves that are implemented
in a certain way in the list of all EC curves. Note this fact and point
out that the very important curves X448 and X25519 are also affected.

Change-Id: I86641bf60d62a50e9b2719e809d2429d65c00097
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231009105714.34598-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27193.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a840d5099a7d1a5ceb752c481fc345f6385719df)

[2 years ago] doc: fix argument name in --route-delay documentation
Frank Lichtenheld [Fri, 13 Oct 2023 10:23:16 +0000 (12:23 +0200)] 
doc: fix argument name in --route-delay documentation

Also remove redundant "by default".

Change-Id: I6f55d15ce6a5fe2f59bbc1cb51c8474f1f81dfca
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20231013102316.330086-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27197.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 9e99ac54a6373a259ed82f45fbbf9e7a1b38ab6b)

[2 years ago] Log OpenSSL errors on failure to set certificate
Selva Nair [Sun, 1 Oct 2023 17:49:20 +0000 (13:49 -0400)] 
Log OpenSSL errors on failure to set certificate

Currently we log a bogus error message saying private key password
verification failed when SSL_CTX_use_cert_and_key() fails in
pkcs11_openssl.c. Instead print OpenSSL error queue and exit promptly.

Also log OpenSSL errors when SSL_CTX_use_certificate() fails in
cryptoapi.c and elsewhere. Such logging could be useful especially when
the certificate is rejected by OpenSSL due to stricter security
restrictions in recent versions of the library.

Change-Id: Ic7ec25ac0503a91d5869b8da966d0065f264af22
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20231001174920.54154-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27122.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 2671dcb69837ae58b3303f11c1b6ba4cee8eea00)

[2 years ago] Remove all traces of the previous MSVC build system
Frank Lichtenheld [Tue, 26 Sep 2023 09:51:18 +0000 (11:51 +0200)] 
Remove all traces of the previous MSVC build system

Completely replaced by the CMake build system now.

v2:
 - rebase on top of my dist fixes

Change-Id: I807cffa40f18faa1adec4e15e84c032877a2b92e
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20230926095118.29924-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/search?l=mid&q=20230926095118.29924-1-frank@lichtenheld.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>

[2 years ago] CMake: backport CMake buildsystem from master to release/2.6
Frank Lichtenheld [Tue, 26 Sep 2023 09:50:30 +0000 (11:50 +0200)] 
CMake: backport CMake buildsystem from master to release/2.6

This is based on the initial CMake patch by
Arne Schwabe, but extends that to provide
a complete replacement for existing MinGW
build (autotools based) and MSVC build
(openvpn.sln).

The following features are added while switching
these builds to CMake:
 - vcpkg support for MinGW build, allowing for
   trivial cross-compilation on Linux
 - Add unittests to MSVC build
 - Rework MSVC config header generation, removing
   need for separate headers between autotools
   and MSVC

The following advantages are reasons for switching
to CMake over the existing MSVC build:
 - Easier to maintain CMake files without IDE
   than the sln and vcxproj files
 - Able to maintain MSVC and MinGW build side-by-side

The plan is to completely remove the existing MSVC
build system but leave the existing autotools builds
in place as-is, including MinGW support.

CMake is not the intended build system for Unix-like
platforms and there are no current plans to switch
to it.

This commit squashes a lot of commits from master
together, since most of them are just fixes or
enhancements for the original CMake commit. The
decision was not to bloat the release/2.6 commit
history with these detours.

It contains the following commits:
- add basic CMake based build
  (commit 0134184012dd46ec44cbca7eb3ece39037ae0bfa by
   Arne Schwabe)
- CMake: Add complete MinGW and MSVC build
  (commit e8881ec6dd63bd80ce05202573eac54ab8657fcb)
- CMake: Add /Brepro to MSVC link options
  (commit 5e94e8de4bfaf6637124947a3489710b591e5e26)
- Do not blindly assume python3 is also the interpreter that runs rst2html
  (commit 5dbec1c019d14880ae7bf364b062d3589c7fd9e7 by
   Arne Schwabe)
- Only add -Wno-stringop-truncation on supported compilers
  (commit eb3cd5ea36f9bf235da7b8a51fd6ce29780f0e39 by
   Arne Schwabe)
- CMake: Throw a clear error when config.h in top-level source directory
  (commit 0652ae84f4528daa57da344eee28b7385a6659a1)
- openvpnmsica: link C runtime statically
  (commit 3be4986ea3d6e27acd3e3a317c15dfe07688e135 by
   Lev Stipakov)
- CMake: Support doc builds on Windows machines that do not have .py file association
  (commit 22213a8834ba5ba5c9818015730edbf3766ad915)
- README.cmake.md: Add new documentation for CMake buildsystem
  (commit 53055fd23efb6209b12d3662427158e25247f1fe)
- Check if the -wrap argument is actually supported by the platform's ld
  (commit 4ef76f0ee4e122dcd616e1b1e2d652562ab10756 by
   Arne Schwabe)
- GHA: update to run-vcpkg@v11
  (commit 66e33ee81d1d7fa3495ae3aad6e673766e296687)
- GHA: refactor mingw UTs and add missing tls_crypt
  (commit 26c663f12815f55c483dbe660e28448dc63221d1)
- CMake: various small non-functional improvements
  (commit 95cc5faa16833acaf12a4d273c5c848984fc73ce)
- CMake: fix broken daemonization and syslog functionality
  (commit 8ae6c48d5d52dec8ec6e47cc1cfe89de9f2ffbcd)
- CMake: fix HAVE_DAEMON detection on Linux
  (commit e363b393f2d1b72590666554e17d928c1603f8d5)

Change-Id: I6de18261d5dc7f8561612184059656c73f33a5f2
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Co-authored-by: Arne Schwabe <arne@rfc2549.org>
Co-authored-by: Lev Stipakov <lev@openvpn.net>
Message-Id: <20230926095030.29779-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27107.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

[2 years ago] vcpkg-ports/pkcs11-helper: Backport MinGW series from master to release/2.6
Frank Lichtenheld [Fri, 22 Sep 2023 16:03:24 +0000 (18:03 +0200)] 
vcpkg-ports/pkcs11-helper: Backport MinGW series from master to release/2.6

Contains the following commits:
- Make compatible with mingw build
  (commit 17746e53f65249b42017256056c5415099df288d)
- Convert CONTROL to vcpkg.json
  (commit a2160d3e42a1eff59aee3d984fd3354907f4379f)
- reference upstream PRs in patches
  (commit 9577ffe92f033d8452cff0a3dbdfdc943655c5b8)
- rename patches to make file names shorter
  (commit 0c25a5462e945f537d1836b47a5f147a2132875c)

Change-Id: Ie61fed8758e44576939a8bb0a04bc95245a3ce18
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Heiko Hund <heiko@openvpn.net>
Message-Id: <20230922160324.166907-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27083.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

[2 years ago] Mock openvpn_execve on win32 also for test_tls_crypt
Arne Schwabe [Mon, 25 Sep 2023 09:44:09 +0000 (11:44 +0200)] 
Mock openvpn_execve on win32 also for test_tls_crypt

This function is needed to compile on win32 as run_command.c defines it
on Unix/Linux, but on Windows it is defined in win32.c which pulls in too
many other unresolvable symbols.

Patch v2: Also add mock_win32_execve.c to automake files

Change-Id: I8c8fe298eb30e211279f3fc010584b9d3bc14b4a
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Heiko Hund <heiko@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit ede590e57c96c2b16d9bf462c4b1dd967b37c432)
Message-Id: <20230925094409.40429-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27097.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

[2 years ago] Make cert_data.h and test_cryptoapi/pkcs11.c MSVC compliant
Selva Nair [Fri, 22 Sep 2023 16:04:05 +0000 (18:04 +0200)] 
Make cert_data.h and test_cryptoapi/pkcs11.c MSVC compliant

- Do not use non-literal initializers for static objects
- Replace empty initializer {} by {0}

Change-Id: Ifb961a4df2b8b8300633192e1a268669f6f41a35
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Heiko Hund <heiko@openvpn.net>
Acked-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Co-authored-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230922160405.167057-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27084.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

[2 years ago] buffer: use memcpy in buf_catrunc
Frank Lichtenheld [Fri, 22 Sep 2023 16:04:41 +0000 (18:04 +0200)] 
buffer: use memcpy in buf_catrunc

Since we use strlen() to determine the length
and then check it ourselves, there is really
no point in using strncpy.

But the compiler might complain that we use
the output of strlen() for the length of
strncpy, which is usually a sign of bugs:

error: ‘strncpy’ specified bound depends
 on the length of the source argument
 [-Werror=stringop-overflow=]

Warning was at least triggered for
mingw-gcc version 10-win32 20220113.

Also change the type of len to size_t
which avoids potential problems with
signed overflow.

v2:
 - make len size_t and change code to avoid any theoretical overflows
 - remove useless casts
v3:
 - fix off-by-one introduced by v2 %)
v4:
 - ignore unsigned overflow to simplify code

Change-Id: If4a67adac4d2e870fd719b58075d39efcd67c671
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Heiko Hund <heiko@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c89a97e449baaf60924a362555d35184f188a646)
Message-Id: <20230922160441.167168-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27085.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
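The pattern this commit describes, as an added example that is not OpenVPN's buf_catrunc nor any other code from the project: an append into a fixed-capacity buffer where the source length comes from strlen(), the remaining space is checked explicitly as size_t, and the copy is done with memcpy using that already-checked bound instead of a strncpy whose bound depends on the source length. The struct and function names (fixed_buf, fb_init, fb_append_trunc) and the truncation marker convention are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-capacity string buffer (not OpenVPN's struct buffer). */
#define FB_CAP 16

struct fixed_buf {
    char data[FB_CAP];  /* always NUL-terminated */
    size_t len;         /* bytes in use, excluding the NUL */
};

static void fb_init(struct fixed_buf *b)
{
    memset(b->data, 0, sizeof(b->data));
    b->len = 0;
}

/*
 * Append str to the buffer. If it does not fit, keep as much content as
 * possible and end the buffer with marker (e.g. "...") so the reader of the
 * buffer can see that truncation happened.
 *
 * Returns 1 if str was appended whole, 0 if the result was truncated (or,
 * if the marker alone would not fit, the buffer is left unchanged).
 *
 * All lengths are size_t. strlen() gives the source length; the free space
 * is derived from the known capacity; and memcpy receives an explicit bound
 * that has already been compared against that space. No strncpy is used, so
 * there is no bound derived from strlen(src) for the compiler to flag, and
 * no risk of strncpy omitting the NUL terminator when the bound is reached.
 */
static int fb_append_trunc(struct fixed_buf *b, const char *str,
                           const char *marker)
{
    size_t slen = strlen(str);
    size_t mlen = strlen(marker);
    size_t room = sizeof(b->data) - 1 - b->len;  /* free bytes before the NUL */

    if (slen <= room) {
        memcpy(b->data + b->len, str, slen);
        b->len += slen;
        b->data[b->len] = '\0';
        return 1;
    }

    /* str does not fit: the marker must occupy the final mlen bytes. */
    if (mlen >= sizeof(b->data)) {
        return 0;  /* even the marker would not fit; leave buffer untouched */
    }
    size_t keep = sizeof(b->data) - 1 - mlen;  /* content bytes we can keep */
    if (keep > b->len) {
        /* Copy the part of str that fits in front of the marker. Since
         * slen > room >= take, this never reads past the end of str. */
        size_t take = keep - b->len;
        memcpy(b->data + b->len, str, take);
    }
    /* Otherwise existing content is cut back to keep bytes. */
    memcpy(b->data + keep, marker, mlen);
    b->len = keep + mlen;
    b->data[b->len] = '\0';
    return 0;
}

int main(void)
{
    struct fixed_buf b;
    fb_init(&b);
    fb_append_trunc(&b, "hello", "...");
    fb_append_trunc(&b, " world", "...");
    int whole = fb_append_trunc(&b, " again!!!", "...");
    /* prints: hello world ... (whole=0, len=15) */
    printf("%s (whole=%d, len=%zu)\n", b.data, whole, b.len);
    return 0;
}
```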

[2 years ago] GHA: new workflow to submit scan to Coverity Scan service
Frank Lichtenheld [Mon, 11 Sep 2023 11:07:35 +0000 (13:07 +0200)] 
GHA: new workflow to submit scan to Coverity Scan service

Not on every push due to submit limits.

Use caching to not submit a scan for the same git commit
twice. Since we have many days without pushes to master
this saves a lot of Github and Coverity resources.

v2:
 - add caching to not submit redundant scans

Change-Id: I302ccc82f9d5c43b58350bbbf7f16ad1c559248f
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230911110735.34491-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27001.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 607ae9b821665dadb6bd0a3ceb6288bda10d5e67)

[2 years ago] dns option: remove support for exclude-domains
Heiko Hund [Fri, 22 Sep 2023 10:43:34 +0000 (12:43 +0200)] 
dns option: remove support for exclude-domains

No DNS resolver currently supports this and it is not possible to
emulate the behavior without the chance of errors. Finding the
effective default system DNS server(s) to specify the exclude
DNS routes is not trivial and cannot be verified to be correct
without resolver internal knowledge. So, it is better to not
support this instead of supporting it, but incorrectly.

Change-Id: I7f422add22f3f01e9f47985065782dd67bca46eb
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20230922104334.37619-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27008.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b7eea48708ee73a5999f98626fb8d31d8f88ea6f)

[2 years ago] GHA: do not trigger builds in openvpn-build anymore
Frank Lichtenheld [Fri, 22 Sep 2023 10:39:36 +0000 (12:39 +0200)] 
GHA: do not trigger builds in openvpn-build anymore

We do this via explicit PRs now, generated by renovate.
This allows much better control over what state of the
code gets built.

Change-Id: I8b00d7d79a26ad4aaae529cb496e125398169b50
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20230922103936.37230-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27060.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 37d6c61a3decf64d0db1cd3d033483c9db5c4c91)

[2 years ago] Warn user if INFO control command is too long
Lev Stipakov [Fri, 22 Sep 2023 10:50:55 +0000 (12:50 +0200)] 
Warn user if INFO control command is too long

"INFO_PRE,..." command length is limited to 256 bytes. If the server
implementation pushes command which is too long, warn the user and
don't send the truncated command to a management client.

Change-Id: If3c27a2a2ba24f2af0e3e3c95eea57ed420b2542
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230922105055.37969-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27062.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit df624fb6d63db6b2a3b0c40597cee74c61b8ab2c)

[2 years ago] dco: fix crash when --multihome is used with --proto tcp
Antonio Quartulli [Tue, 15 Aug 2023 23:15:55 +0000 (01:15 +0200)] 
dco: fix crash when --multihome is used with --proto tcp

Although it's a combination of options that is not really useful,
when specifying --multihome along with --proto tcp and DCO is enabled,
OpenVPN will crash while attempting to access c2.link_socket_actual
(NULL for the TCP case) in order to retrieve the local address (in
function dco_multi_get_localaddr()).

Prevent crash by running this code only if proto is UDP.
The same check is already performed in socket.c/h for the non-DCO
case.

Github: fixes OpenVPN/openvpn#390
Change-Id: I61adc26ce2ff737e020c3d980902a46758cb23e5
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230815231555.6465-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26953.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 0793eb105c5720c4eb31af71c9db81459439e510)

[2 years ago] configure: disable engines if OPENSSL_NO_ENGINE is defined
orbea [Sat, 9 Sep 2023 13:49:56 +0000 (06:49 -0700)] 
configure: disable engines if OPENSSL_NO_ENGINE is defined

Starting with LibreSSL 3.8.1 the engines have been removed which causes
the OpenVPN build to fail. This can be solved during configure by
checking if OPENSSL_NO_ENGINE is defined in opensslconf.h.

Signed-off-by: orbea <orbea@riseup.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230909134956.5902-1-orbea@riseup.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26994.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 34bf473e19118eecf525e7401ef37b1cbf661e67)

[2 years ago] preparing release 2.6.6 (tag v2.6.6)
Gert Doering [Mon, 14 Aug 2023 10:36:15 +0000 (12:36 +0200)] 
preparing release 2.6.6

version.m4, ChangeLog, Changes.rst

Signed-off-by: Gert Doering <gert@greenie.muc.de>

[2 years ago] Make received OCC exit messages more visible in log.
Gert Doering [Mon, 14 Aug 2023 06:04:09 +0000 (08:04 +0200)] 
Make received OCC exit messages more visible in log.

Currently, OCC exit messages are only logged at some high debug level
(and if OpenVPN compiled with DEBUG), while control-channel EEN messages
are logged on verb 1.  Make this consistent, both in wording and in
log level.

Both messages are prefixed with the "channel" where the exit message
came in.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230814060409.50742-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26949.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 5f910a42b86e90f1893a668ee280422b6587ada1)

[2 years ago] show extra info for OpenSSL errors
Arne Schwabe [Fri, 11 Aug 2023 12:15:03 +0000 (14:15 +0200)] 
show extra info for OpenSSL errors

This also shows the extra data from the OpenSSL error function that
can contain extra information. For example, the command

    openvpn --providers vollbit

will print out (on macOS):

     OpenSSL: error:12800067:DSO support routines::could not load the shared library:filename(/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib): dlopen(/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib, 0x0002): tried: '/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib' (no such file), '/System/Volumes/Preboot/Cryptexes/OS/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib' (no such file), '/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib' (no such file)

Patch v2: Format message more like current messages

Change-Id: Ic2ee89937dcd85721bcacd1b700a20c640364f80
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20230811121503.4159089-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26929.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 0f8485f2870277fb7ccdb4097380e35dc35b064e)

[2 years ago] route: Fix overriding return value of add_route3
Frank Lichtenheld [Fri, 28 Jul 2023 12:47:12 +0000 (14:47 +0200)] 
route: Fix overriding return value of add_route3

The return value of add_bypass_routes overwrites
the return value of add_route3 instead of combining
them.

Coverity: CID 1539180 (#1 of 1): Unused value (UNUSED_VALUE)

Change-Id: I78f92f363fe203af5661c6958b2417ea30f7055c
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <60951251cdb2f39b20cfc86130c2dc0570ba0363-HTML@gerrit.openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26900.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 8067cc8d1b384d3eb0fc9000992710b02951b266)

[2 years ago] ntlm: Clarify details on NTLM phase 3 decoding
David Sommerseth [Wed, 2 Aug 2023 11:31:49 +0000 (13:31 +0200)] 
ntlm: Clarify details on NTLM phase 3 decoding

The code was not very clear if we accept the base64 decode if the
NTLM challenge was truncated or not.  Move the related code lines
closer to where buf is first used and comment that we are not concerned
about any truncation.

If the decoded result is truncated, the NTLM server side will reject
our new response to the challenge as it will be incorrect.  The
buffer size is fixed and known to be in a cleared state before the
decode starts.

Resolves: TOB-OVPN-14
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230802113149.36497-1-dazo+openvpn@eurephia.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26919.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f19391139836aa07312cf5b3ebbd00941d22ddc7)

[2 years ago] pkcs11_openssl: Disable unused code
Frank Lichtenheld [Fri, 28 Jul 2023 12:42:01 +0000 (14:42 +0200)] 
pkcs11_openssl: Disable unused code

Coverity: CID 1539183 (#1 of 1): Structurally dead code (UNREACHABLE)

Change-Id: I889de8bafb581b810a026c7359fbfee94f1b5a4e
Gerrit: http://gerrit.openvpn.net/c/openvpn/+/317
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <6b941ce86c4031a5535d6c1997e6ae06c9aec7b3-HTML@gerrit.openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26901.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 38fbddc94596b6b2d8fa93a8bd0aca7dbb220def)

[2 years ago] options: Do not hide variables from parent scope
Frank Lichtenheld [Fri, 28 Jul 2023 12:50:16 +0000 (14:50 +0200)] 
options: Do not hide variables from parent scope

msglevel hides the function parameter of the same name,
which could lead to confusion. Use a unique name.

Change-Id: I9f9d0f0d5ab03f8cdfd7ba7200f2d56613cc586d
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <d549c9b5e5d66624ef82f99206898ff8e43a5fb5-HTML@gerrit.openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26902.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f7c8cc092b8b6f5659cf8abd8d8624fc16f3dda2)

[2 years ago] Set WINS servers via interactive service
Lev Stipakov [Thu, 27 Jul 2023 15:47:06 +0000 (18:47 +0300)] 
Set WINS servers via interactive service

At the moment WINS servers are set either:

 - via DHCP, which works only for tap-windows6 driver
 - via netsh when running without interactive service

This means that in 2.6 default setup (interactive service and dco)
WINS is silently ignored.

Add WINS support for non-DHCP drivers (like dco) by passing
WINS settings to interactive service and set them there with
a netsh call, a similar approach to the one we use for setting DNS.

Fixes https://github.com/OpenVPN/openvpn/issues/373

Change-Id: I47c22dcb728011dcedaae47cd03a57219e9c7607
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230728131246.694-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26903.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 18826de5737789cb74b48fc40a9ff5cb37d38d98)

[2 years ago] configure.ac: fix typ0 in LIBCAPNG_CFALGS
Antonio Quartulli [Tue, 25 Jul 2023 06:58:40 +0000 (08:58 +0200)] 
configure.ac: fix typ0 in LIBCAPNG_CFALGS

Github: fixes OpenVPN/openvpn#371

Reported-by: Matt Whitlock <gentoo@mattwhitlock.name>
Change-Id: Ic473fbc447741e54a9aac83c70bc4e6d87d91080
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230725065840.24568-1-a@unstable.cc>
URL: https://www.mail-archive.com/search?l=mid&q=20230725065840.24568-1-a@unstable.cc
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit bd95104a2b375f87eb37441d33c8e35bd1c19b1f)

[2 years ago] Implement using --peer-fingerprint without CA certificates
Arne Schwabe [Wed, 24 May 2023 13:24:24 +0000 (15:24 +0200)] 
Implement using --peer-fingerprint without CA certificates

This implements the --peer-fingerprint command to support OpenVPN
authentication without involving a PKI.

The current implementation in OpenVPN for peer fingerprint has already been
extensively rewritten from the original submission from Jason [1]. The
commit preserved the original author since it was based on Jason's code/idea.

This commit is based on two previous commits that prepare the infrastructure
to use a simple-to-use --peer-fingerprint directive instead of using
a --tls-verify script like the v1 of the patch proposed.  The two commits
preparing this are:

 - Extend verify-hash to allow multiple hashes
 - Implement peer-fingerprint to check fingerprint of peer certificate

These preceding patches make this actual patch quite short. There are some
lines in this patch that bear some similarity to the ones like

    if (!preverify_ok && !session->opt->verify_hash_no_ca)

vs

    if (!preverify_ok && !session->opt->ca_file_none)

But these similarities are one line fragments and dictated by the
surrounding style and program flow, so even a complete black box
implementation will likely end up with the same lines.

[1] https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16781.html

Change-Id: Ie74c3d606c5429455c293c367462244566a936e3
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230524132424.3098475-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26723.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c3746da7f04acf872f251d3673551963380c4d77)

[2 years ago] Revert commit 423ced962d
Arne Schwabe [Wed, 24 May 2023 13:24:23 +0000 (15:24 +0200)] 
Revert commit 423ced962d

This reverts commit 423ced962db3129b4ed551c489624faba4340652, which
has Jason A. Donenfeld listed as author as the patch was based on his
initial submission.

We have not received permission to relicense the original patch.

Change-Id: I8142753928498169032450c56d0497a5042bdc9b
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230524132424.3098475-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26722.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 370334828659e205941eecd1c90f085a64ca539d)

[2 years ago] Ignore IPv6 route delete request on Android and set ipv4 verbosity to 7
Arne Schwabe [Wed, 12 Jul 2023 09:46:20 +0000 (11:46 +0200)] 
Ignore IPv6 route delete request on Android and set ipv4 verbosity to 7

Android has no facility, nor does it need one, to delete routes as routes are
automatically cleaned up when the tun interface is closed. Also adjust
the IPv4 message to be only shown at verb 7 and rephrase the message.

Change-Id: If8f920d378c31e9ea773ce1f56f3df50f1ec36cd
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230712094620.569273-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26848.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ab01eaf49fa9341ff647206bd6e3017770cc0674)

[2 years ago] manage.c: document missing KID parameter
Lev Stipakov [Fri, 14 Jul 2023 11:18:02 +0000 (14:18 +0300)] 
manage.c: document missing KID parameter

Commit a261e173 ("Make sending plain text control message session
aware") added KID parameter to "client-pending-auth" management command,
but forgot to mention it in the output of management help.

Change-Id: I201bdaa5fe4020d15a9dd1674aba5e0c45170731
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230714111802.1773-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26856.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f5201eedd4ea55414bf8310668a3d00e7bf8ea71)

[2 years ago] fix typo: dhcp-options to dhcp-option in vpn-network-options.rst
George Pchelkin [Fri, 14 Jul 2023 09:25:57 +0000 (11:25 +0200)] 
fix typo: dhcp-options to dhcp-option in vpn-network-options.rst

Closes: OpenVPN/openvpn#313
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230714092557.229260-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26855.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 9d2e947e7358c7998f13b142d8bf17a2ce9eb7a3)

[2 years ago] tun.c: enclose DNS domain in single quotes in WMIC call
Lev Stipakov [Mon, 10 Jul 2023 11:21:22 +0000 (14:21 +0300)] 
tun.c: enclose DNS domain in single quotes in WMIC call

This is needed to support domains with hyphens.

Not using double quotes here, since our code replaces
them with underbars (see
https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/win32.c#L980).

Github: fixes OpenVPN/openvpn#363

Change-Id: Iab536922d0731635cef529b5caf542f637b8d491
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20230710112122.576-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26841.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 4057814a8a783d4fb1475f49f073f6b3a7797677)

[2 years ago] Print a more user-friendly error when tls-crypt-v2 client auth fails
Arne Schwabe [Mon, 22 May 2023 09:12:31 +0000 (11:12 +0200)] 
Print a more user-friendly error when tls-crypt-v2 client auth fails

While it might be clear to people being (too?) well versed in
typical crypto applications that an authentication failure probably
means a wrong decryption key, this is not really obvious for the typical
user/server admin.

Change-Id: If0f0e7d53f915d39ab69aaaac43dc73bb9c26ae9
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230522091231.2837468-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26718.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7a477c16a7c2a7016c7b15ea98fe3c40e8ef675b)

[2 years ago] Remove old Travis CI related files
Frank Lichtenheld [Fri, 7 Jul 2023 14:46:28 +0000 (16:46 +0200)] 
Remove old Travis CI related files

They are not used or maintained anymore. So just remove them.

Change-Id: I704f7c9a9fe9a2b988410c4586183302392e690d
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230707144628.378541-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26834.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit fd43636c417b479e95ca9f3eca6b90c410bc7686)

[2 years ago] Fix CR_RESPONSE management message using wrong key_id
Arne Schwabe [Mon, 22 May 2023 10:11:38 +0000 (12:11 +0200)] 
Fix CR_RESPONSE management message using wrong key_id

The management interface expects the management key id instead
of the openvpn key id. In the past they often were the same for low ids,
which hid the bug quite well.

Also do not pick uninitialised keystates (management key_id is not valid
in these).

Patch v2: do not add logging

Change-Id: If9fa1165a0e886b570b3738546ed810a32367cbe
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Tested-By: Jemmy Wang
Github: fixes OpenVPN/openvpn#359
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20230522101138.2842378-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26719.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 223baa9c9b818e4c542a9037f190f53ce6f7af5c)

2 years ago  work around false positive warning with mingw 12
Heiko Hund [Thu, 6 Jul 2023 17:19:22 +0000 (19:19 +0200)] 
work around false positive warning with mingw 12

When cross compiling for Windows with Ubuntu 23.04 mingw complains about

  route.c:344:26: warning: ‘special.S_un.S_addr’ may be used uninitialized

which is technically wrong. However, the workaround isn't really
intrusive and, while there are other warnings caused by libtool, the
cmake mingw build completes with -Werror now.

Change-Id: I8a0f59707570722eab41af2db76980ced04e6d54
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230706171922.752429-1-heiko@ist.eigentlich.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26831.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit d559affd313a8f995db15908887fbc8f16a24659)

2 years ago  fix warning with gcc 12.2.0 (compiler bug?)
Arne Schwabe [Sun, 27 Nov 2022 08:59:33 +0000 (09:59 +0100)] 
fix warning with gcc 12.2.0 (compiler bug?)

Changing the argument of check_malloc_return from const void* to void*
removes the warning from gcc 12.2.0:

In file included from ../../../openvpn-git/src/openvpn/crypto_openssl.c:40:
../../../openvpn-git/src/openvpn/buffer.h: In function ‘hmac_ctx_new’:
../../../openvpn-git/src/openvpn/buffer.h:1030:9: warning: ‘ctx’ may be
used uninitialized [-Wmaybe-uninitialized]
 1030 |         check_malloc_return((dptr) = (type *)
malloc(sizeof(type))); \
      |         ^~~~~~~~~~~~~~~~~~~
../../../openvpn-git/src/openvpn/buffer.h:1076:1: note: by argument 1 of
type ‘const void *’ to ‘check_malloc_return’ declared here
 1076 | check_malloc_return(const void *p)
      | ^~~~~~~~~~~~~~~~~~~

This is more a quick fix/heads up for other people encountering the issue
on GCC 12.2.0 (like on Ubuntu 22.10) until we figure out if this is a bug in
our code or a compiler bug.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20221127085933.3487177-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25549.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 5ad793e8cab8fcccae93fe9442eca6a6de8c044c)

2 years ago  Avoid unused function warning/error on FreeBSD (and potentially others)
Arne Schwabe [Sat, 1 Jul 2023 20:24:53 +0000 (22:24 +0200)] 
Avoid unused function warning/error on FreeBSD (and potentially others)

The function is_on_link is not used on FreeBSD and triggers a
warning/error (-Werror) on FreeBSD.

Patch v2: use actual platforms instead of an ifndef FreeBSD

Change-Id: I6757d6509ff3ff522d6de417372a21e73ccca3ba
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230701202453.3517822-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26804.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 99035769233fb1186b72cd8e1e9966a0d077e53d)

2 years ago  test_tls_crypt: Improve mock() usage to be more portable
Frank Lichtenheld [Fri, 30 Jun 2023 12:39:08 +0000 (14:39 +0200)] 
test_tls_crypt: Improve mock() usage to be more portable

Use the casting variants of mock(). Using the mock_ptr_type
fixes an existing bug where test_tls_crypt.c couldn't
build in MinGW 32bit:

test_tls_crypt.c:127:27: error:
cast to pointer from integer of different size
[-Werror=int-to-pointer-cast]
  127 |     const char *pem_str = (const char *) mock();

Change-Id: I6c03313b8677fa07c07e718b1f85f7efd3c4dea8
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230630123908.82588-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26796.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e87e44f7bcdffc208292cce9d314e2e52a175026)

2 years ago  unit_tests: Add missing cert_data.h to source list for unit tests
Frank Lichtenheld [Wed, 21 Jun 2023 12:58:42 +0000 (14:58 +0200)] 
unit_tests: Add missing cert_data.h to source list for unit tests

Document the dependency. Also fixes cert_data.h missing from
distribution.

This is the "backport" of commit
97223cb057a0edfafd28b34427449bb3eda7d0be to release/2.6.

Change-Id: Ib82208bfa12cc8ba5ff08b4c010bf398bc92d249
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230621125842.191355-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26765.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

2 years ago  dco-linux: fix counter print format
Sergey Korolev [Mon, 26 Jun 2023 13:09:39 +0000 (16:09 +0300)] 
dco-linux: fix counter print format

Avoid compilation warnings on 32 bit platforms.

dco_linux.c: In function 'dco_update_peer_stat':
dco_linux.c:830:26: error: format '%lu' expects argument of type
'long unsigned int', but argument 4 has type 'counter_type'
{aka 'long long unsigned int'} [-Werror=format=]
  830 |         msg(D_DCO_DEBUG, "%s / dco_read_bytes: %lu", __func__,
      |                          ^~~~~~~~~~~~~~~~~~~~~~~~~~
  831 |             c2->dco_read_bytes);
      |             ~~~~~~~~~~~~~~~~~~
      |               |
      |               counter_type {aka long long unsigned int}

Signed-off-by: Sergey Korolev <sergey.korolev@keenetic.com>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20230626130939.3267280-1-sergey.korolev@keenetic.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26767.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 330bef679544b6a22d16a800c898927a785d74fc)

2 years ago  dist: Include all documentation in distribution
Frank Lichtenheld [Mon, 19 Jun 2023 13:29:34 +0000 (15:29 +0200)] 
dist: Include all documentation in distribution

No need to deprive tar ball users of this information.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230619132934.76085-5-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26749.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 9ccb14970387d7c13589b85b0ca7048cebf52c6d)

2 years ago  dist: add more missing files only used in the MSVC build
Frank Lichtenheld [Mon, 19 Jun 2023 13:29:31 +0000 (15:29 +0200)] 
dist: add more missing files only used in the MSVC build

So it is possible to build with MSVC from the release
tarballs.

Fixes #344.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230619132934.76085-2-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26748.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6801260dba38ae99f8726c2840ddf6bed57ee1d0)

2 years ago  preparing release 2.6.5 v2.6.5
Gert Doering [Tue, 13 Jun 2023 06:08:06 +0000 (08:08 +0200)] 
preparing release 2.6.5

version.m4, ChangeLog, Changes.rst

Signed-off-by: Gert Doering <gert@greenie.muc.de>

2 years ago  Fix use-after-free with EVP_CIPHER_free
Arne Schwabe [Thu, 1 Jun 2023 09:57:21 +0000 (11:57 +0200)] 
Fix use-after-free with EVP_CIPHER_free

In many scenarios the context will still have a reference to the cipher, so
this use-after-free does not explode but it is still wrong.

Change-Id: I59002d6613eaef36d5a47b20b56073e399cfa1df
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20230601095721.4065834-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26735.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 13f5e615310ea64ab69f521e622a10f2d0ad3f4e)

2 years ago  msvc-generate: include version.m4.in in tarball
Frank Lichtenheld [Sat, 27 May 2023 09:55:04 +0000 (11:55 +0200)] 
msvc-generate: include version.m4.in in tarball

Github: Fixes OpenVPN/openvpn#344

Change-Id: I7d8a25df8ef62a1e46fdb4a2358972eb4419c564
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230527095504.17915-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26732.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 72d70b5d8a9d6ac01134df006a03607a79e76294)

2 years ago  options: remove --key-method from usage message
Frank Lichtenheld [Thu, 25 May 2023 14:46:57 +0000 (16:46 +0200)] 
options: remove --key-method from usage message

Commit 36bef1b52b49ebbc3790635be230e2f30f0532a7 removed
the option but did not delete it from usage text.

Change-Id: I68d3c90c2bdf6f426a9eef81f852fcae2ea47ce9
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230525144657.40732-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26726.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e8a026ac770592670b0dcf8f81cee6a98b4b4f65)

2 years ago  tapctl: generate driver-specific adapter names
Lev Stipakov [Fri, 19 May 2023 08:25:48 +0000 (11:25 +0300)] 
tapctl: generate driver-specific adapter names

At the moment if --name is not specified, adapter names
are generated by Windows and they look a bit confusing
like "Local Area Connection 2".

This is also the behavior of the "Add a new <driver-name> virtual network
adapter" shortcuts.

This makes tapctl generate driver-specific names for adapters
if --name is missing, including resolving duplicates. For instance the
following command:

  tapctl.exe create --hwid ovpn-dco

will create an adapter named

  OpenVPN Data Channel Offload

If the name is taken, the next one will be

  OpenVPN Data Channel Offload #1

and so on up to 100.

Fixes https://github.com/OpenVPN/openvpn/issues/337

Change-Id: Ic5afb470d14ac7b231d91f0f5de0a0046043a7e0
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20230519082548.1714-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26712.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 4323b8277814495f5a9a24d3225679c6e7a971a4)

2 years ago  Interactive service: do not force a target desktop for openvpn.exe
Selva Nair [Thu, 18 May 2023 17:33:45 +0000 (13:33 -0400)] 
Interactive service: do not force a target desktop for openvpn.exe

Setting the desktop as "winsta0\default" does not always work when run
from a non-interactive session which may not have access to the
window station "Winsta0". Leave this as NULL to let the system
automatically assign a window station and desktop.

Test runs on Win10 confirm that "Winsta0\Default" still gets selected
when run interactively (e.g., using the GUI or from task scheduler as
an interactive job). This is the same behaviour as now.

The change allows "interactive service" to be used for launching
OpenVPN from non-interactive sessions. For example, when service client
is a non-interactive task from the task scheduler, the default desktop
in a custom window station gets assigned to openvpn.exe.

Note that we already run openvpn.exe in a non-interactive window
station when directly launched by "automatic service".

Github: Fixes OpenVPN/openvpn-gui#626

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230518173345.2722530-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26705.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 244d9b7942dabf0297c8f689457eeb0f9fa0aa1e)

2 years ago  dco-win: support for --dev-node
Lev Stipakov [Thu, 18 May 2023 11:00:58 +0000 (14:00 +0300)] 
dco-win: support for --dev-node

With --dev-node on Windows, one can specify the GUID
of the adapter openvpn should use. Those can be listed with:

  C:\Program Files\OpenVPN\bin>openvpn.exe --show-adapters

While on it, remove "TAP-WIN32 / Wintun" from --show-adapters output.

Github: Fixes OpenVPN/openvpn#336

Change-Id: I57de4d3c069465fb730bb635bfdbdf360fc8c475
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230518110058.1382-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26702.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c543cf464e97866e20345feb46c82752fedc9d71)

2 years ago  src/openvpn/dco_freebsd.c: handle malloc failure
Ilya Shipitsin [Thu, 18 May 2023 21:21:39 +0000 (23:21 +0200)] 
src/openvpn/dco_freebsd.c: handle malloc failure

malloc was not checked against NULL; I was able
to get a core dump in case of failure.

Signed-off-by: Ilya Shipitsin <chipitsine@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230518212139.1261-1-chipitsine@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26707.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 5e79aed439d4e1b101c768aabfd695cd1c0a54ce)

2 years ago  Correctly handle Unicode names for exit event
Selva Nair [Tue, 16 May 2023 02:42:32 +0000 (22:42 -0400)] 
Correctly handle Unicode names for exit event

Currently we use the ANSI version of CreateEvent, causing the name of the
exit event to be interpreted differently depending on the code page
in effect. Internally all strings parsed from the command line and config
file are stored as UTF8-encoded Unicode. When passed to Windows API calls,
these should be converted to UTF16 and the wide character version of the API
should be used.

CreateEvent calls for unnamed events are left unchanged as there is no
text-encoding dependence in those cases.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20230516024232.2680491-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26666.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 80b073b649fca54f5021f6b4ae45a1e74a07faea)

2 years ago  sample-plugins: Fix memleak in client-connect example plugin
Frank Lichtenheld [Tue, 16 May 2023 09:35:34 +0000 (11:35 +0200)] 
sample-plugins: Fix memleak in client-connect example plugin

I was looking for memleaks in the code and found
this one with cppcheck. Only an example, but no
need to leave this bug in it.

Also fix fortify problem in keying-material-exporter-demo
so I can actually test the compilation of the sample
plugins.

v2:
 - remove unnecessary usages of snprintf, replace
   with strncpy.

Change-Id: Ibd1b282afc4a28768be3f165f84ab60ca4d24a9b
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230516093534.26384-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26668.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 2d36678a2be15f7c00a44354ab71e4521ee3a4f3)

2 years ago  Fix two unused assignments
Frank Lichtenheld [Mon, 15 May 2023 15:54:07 +0000 (17:54 +0200)] 
Fix two unused assignments

A fallout of my memleak investigation. These are
not leaks, we just assign a value that is never
read before overwritten. Not critical, but since
I already stumbled over it...

Change-Id: I761ea3d289f49a20e42a3d1bfccebce3c7447afe
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230515155407.38647-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26662.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b5cf76cbdc0d7ef2817b71f4611d99455e2d48ea)

2 years ago  DCO: fix memory leak in dco_get_peer_stats_multi for Linux
Frank Lichtenheld [Mon, 15 May 2023 14:21:16 +0000 (16:21 +0200)] 
DCO: fix memory leak in dco_get_peer_stats_multi for Linux

Leaks a small amount of memory every 15s.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20230515142116.33135-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26659.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 276f7c86d70666bc2ab4e6192ef5f1dcbd6a230f)

2 years ago  dco_linux: properly close dco version file
Frank Lichtenheld [Fri, 12 May 2023 15:50:23 +0000 (17:50 +0200)] 
dco_linux: properly close dco version file

Since we only call this once, it is not a bad
leak, but still.

Change-Id: Id85766738c3ece4f2d1860f7d101e4446a894aed
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230512155023.444406-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26650.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit cf496476b364f8613bacd48e10d6a1bbbf0aceda)

2 years ago  preparing release 2.6.4 v2.6.4
Gert Doering [Thu, 11 May 2023 06:09:04 +0000 (08:09 +0200)] 
preparing release 2.6.4

version.m4, ChangeLog, Changes.rst

2 years ago  Bugfix: dangling pointer passed to pkcs11-helper
Selva Nair [Tue, 9 May 2023 17:05:17 +0000 (13:05 -0400)] 
Bugfix: dangling pointer passed to pkcs11-helper

Github: Fixes OpenVPN/openvpn#323

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230509170517.2637245-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26640.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f4850745709c5b80ab7d09c03a86c5ceea6d10a2)

2 years ago  Fix compile error on TARGET_ANDROID
Arne Schwabe [Mon, 17 Apr 2023 13:40:46 +0000 (15:40 +0200)] 
Fix compile error on TARGET_ANDROID

Commit 3132bead49 accidentally was submitted with a missing semicolon
at the end of the line. Whoops.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230417134046.81761-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26593.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 8d38ed4817f4c1fe1676409c4e5138aaa4a69dfc)

2 years ago  fix typo in help text: --ignore-unknown-option
Michael Nix [Mon, 17 Apr 2023 12:54:46 +0000 (14:54 +0200)] 
fix typo in help text: --ignore-unknown-option

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230417125446.27247-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26592.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c7da4e0dcca5a56e2ec37fc8a2672cdbebe65048)

2 years ago  tests: do not include t_client.sh in dist
Frank Lichtenheld [Tue, 18 Apr 2023 13:49:41 +0000 (15:49 +0200)] 
tests: do not include t_client.sh in dist

It is generated from t_client.sh.in by configure,
so no need to ship it. Due to the dependency on
the configuration it also might break reproducibility
of the dist tarball.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230418134941.86637-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26596.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit d75a2dfc3e11daa1650f838517b610e6632d0445)

2 years ago  man page: Remove cruft from --topology documentation
Frank Lichtenheld [Wed, 3 May 2023 13:59:21 +0000 (15:59 +0200)] 
man page: Remove cruft from --topology documentation

None of this is likely relevant for a current reader.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230503135922.54871-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26621.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 03174bea4805bc018190d56a96f750f72fd960c1)

2 years ago  DCO: support key rotation notifications
Kristof Provost [Fri, 14 Apr 2023 09:42:27 +0000 (11:42 +0200)] 
DCO: support key rotation notifications

Allow the kernel driver to notify us that it's time to renegotiate keys.
The intent is to avoid IV re-use after 2^32 packets.

This is a first draft intended for discussion. The accompanying kernel
change for FreeBSD can be found in https://reviews.freebsd.org/D39570

Signed-off-by: Kristof Provost <kprovost@netgate.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20230414094227.9153-1-kprovost@netgate.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26590.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ec71489bfc7c1d798f5f6de8e9fc187b9127072c)

2 years ago  Format Windows error message in Unicode
Selva Nair [Tue, 18 Apr 2023 14:14:46 +0000 (10:14 -0400)] 
Format Windows error message in Unicode

- We assume that all text passed to the management interface
  and written to log file are in Unicode (UTF-8). This is broken by
  the use of the ANSI version of FormatMessage() for Windows error
  messages. Fix by using FormatMessageW() and converting the UTF-16
  result to UTF-8.

v2: assign return value of FormatMessageW() to DWORD, not int

Github: fixes OpenVPN/openvpn#319

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230418141446.1755363-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26598.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit fed67642dccbcf115952df0709a98929c1fc52b8)

2 years ago  Add Apache2 linking with for new commits
Arne Schwabe [Wed, 26 Apr 2023 09:49:31 +0000 (11:49 +0200)] 
Add Apache2 linking with for new commits

After the first round of mailing people with more than 10 commits,
almost all committers have agreed. This puts this license in the realm
of having a realistic chance to work. Had any of these contributors
disagreed, rewriting all their code might not have been feasible.

The rationale of adding this exception now is to avoid having to
have a second round of agreement for new contributors and ensure
that all new code will include the exemption.

patch v2: add explanation and use exception rather than exemption
patch v3: actually send v3

Change-Id: Ide83f914f383b53ef37ddf628e4da5a78e241bf0
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20230426094931.1168078-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26610.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7b21c69dbe1e1ecfb5bed564417387892b42108a)

2 years ago  Remove unused variable line
Arne Schwabe [Sun, 30 Apr 2023 17:22:02 +0000 (19:22 +0200)] 
Remove unused variable line

The newer compilers started to complain about this.

Change-Id: I784def4d941b7d21c7979f84f8681719c9ff7a53
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230430172202.206528-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26612.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f9d0994584cd8f42c013db3e8ea2d6ab3e3d7c62)

2 years ago  preparing release 2.6.3 v2.6.3
Gert Doering [Thu, 13 Apr 2023 05:57:29 +0000 (07:57 +0200)] 
preparing release 2.6.3

version.m4, ChangeLog, Changes.rst

Signed-off-by: Gert Doering <gert@greenie.muc.de>

2 years ago  doc: run rst2* with --strict to catch warnings
Frank Lichtenheld [Fri, 31 Mar 2023 13:24:29 +0000 (15:24 +0200)] 
doc: run rst2* with --strict to catch warnings

Basically -Werror for docutils.

Fix all issues raised by this. The following issue
classes were reported:

Possible title underline, too short for the title.
Treating it as ordinary text because it's so short.
(:: at the start of the line directly below text,
either add an empty line or merge into : on the previous line)

Enumerated list start value not ordinal-1
(error in numbering)

Change-Id: Id3b0f7be4602f70115c60e6ddb89f6ed58e94e64
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230331132429.601635-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26567.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit fafb05f6f3a7a1b46c278961ec8d2d8970f01096)

2 years ago  Support of DNS domain for DHCP-less drivers
Lev Stipakov [Thu, 6 Apr 2023 07:15:46 +0000 (10:15 +0300)] 
Support of DNS domain for DHCP-less drivers

We set DNS domain either via interactive service or DHCP.
When interactive service is not used, for example
when profiles are started by OpenVPNService, this option
is not working for DCO and wintun.

This implements setting DNS domain via WMIC command,
similar to implementation in interactive service.
This is done when:

 - interactive service is not used

 - DHCP is not used (ip-win32 is either NETSH or IPAPI,
   or IPv4 address is not pushed)

Github: fixes OpenVPN/openvpn#306

Change-Id: Ic72a4ecd0414c0d7bf013415f52640fd122cb739
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20230406071546.1056-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26582.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6cf7ce4eb33626b861031f965b35c3107d75e843)

2 years ago  vcpkg: request "tools" feature of openssl for MSVC build
Frank Lichtenheld [Thu, 30 Mar 2023 10:15:36 +0000 (12:15 +0200)] 
vcpkg: request "tools" feature of openssl for MSVC build

We need this for the MSI build. Previously this was enabled
by default.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20230330101536.533080-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26561.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b1fc3f25bc27462100bf96d9b677d6a3c31d3303)

2 years ago  GHA: remove Ubuntu 18.04 builds
Frank Lichtenheld [Tue, 28 Mar 2023 10:09:26 +0000 (12:09 +0200)] 
GHA: remove Ubuntu 18.04 builds

Github will stop supporting them on April 1st.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Matthias Andree <matthias.andree@gmx.de>
Message-Id: <20230328100926.138233-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26541.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit cf7ff95d38cd702306857caf7232ccca64dd4eb4)

2 years ago  Bug-fix: segfault in dco_get_peer_stats()
Selva Nair [Mon, 27 Mar 2023 17:12:36 +0000 (13:12 -0400)] 
Bug-fix: segfault in dco_get_peer_stats()

  We persist peer-stats when restarting, but an early restart
  before open_tun results in a segfault in dco_get_peer_stats().
  To reproduce, trigger a TLS handshake error due to lack of common
  protocols, for example.

  Fix by checking that tuntap is defined before dereferencing it.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20230327171236.51771-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26530.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 10c3f25a26bce480f80624c5ef4cb6774a31c305)

2 years ago  preparing release 2.6.2 v2.6.2
Gert Doering [Thu, 23 Mar 2023 15:08:19 +0000 (16:08 +0100)] 
preparing release 2.6.2

version.m4, ChangeLog, Changes.rst

Signed-off-by: Gert Doering <gert@greenie.muc.de>

2 years ago  Don't overwrite socket flags when using DCO on Windows
Lev Stipakov [Fri, 24 Mar 2023 12:18:18 +0000 (14:18 +0200)] 
Don't overwrite socket flags when using DCO on Windows

Socket flags can be pushed, in which case they overwrite
existing value. We use socket flags to distinguish between
DCO handle and socket on Windows. If server pushes --socket-flags,
we treat DCO handle as socket and everything explodes.

Fix by making link_socket_update_flags() update flags
(like the name suggests) instead of overwriting them. Also
do not set TCP_NODELAY on DCO handle on Windows because
it doesn't make sense.

Change-Id: Ia34d73ca49041cb0ce22b84751cdbff57de96048
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230324121818.2358-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26513.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 82e7d5cfd81f03f045ace2bf1d3590b79441ea17)

2 years ago  Parse compression options and bail out when compression is disabled
Arne Schwabe [Fri, 24 Mar 2023 12:10:50 +0000 (13:10 +0100)] 
Parse compression options and bail out when compression is disabled

This change keeps the option parsing of compression options even when
compression is disabled. This allows OpenVPN to also refuse/reject
connections that try to use compression when compression is completely
disabled.

Patch v4: fix one missing USE_COMP

Change-Id: I9d7afd8f1d67d2455b4ec6bc12f4dcde80140c4f
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230324121050.1350913-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26512.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a8170dd0e76a7440f3291ad26d78f8ca247a191b)

2 years ago  Add 'allow-compression stub-only' internally for DCO
Arne Schwabe [Fri, 24 Mar 2023 10:06:40 +0000 (11:06 +0100)] 
Add 'allow-compression stub-only' internally for DCO

This changes the "no" setting of allow-compression to also refuse framing
if DCO is active.  This is important for our DCO implementations as these
do not implement framing.

This behaviour surfaced when a commercial VPN provider was pushing
"comp-lzo no" to a client with DCO. While we are technically at fault here
for announcing comp-lzo no support by announcing IV_LZO_STUB=1, the
VPN provider continues to push "comp-lzo no" even in absence of that
flag.

As the new default we default to 'allow-compression no' if DCO is
enabled and to 'allow-compression stub' otherwise.

This will now also bail out if the server pushes a compression setting that
we do not support as mismatching compression is almost never a working
connection. In the case of lz4-v2 and lzo-v2 you might have a connection
that works mostly but some packets will be dropped since they are compressed,
which is not desirable either since it becomes very hard to debug.

Patch v2: bail out if server pushes an unsupported method. Also include this
          bail out logic when OpenVPN is compiled without compression support.

Patch v3: always parse all compression options and move logic to check method
Patch v4: fix for not setting correct default for non-dco

Change-Id: Ibd0c77af24e2214b3055d585dc23a4b06dccd414
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230324100640.1340535-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26509.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 4117d950788eebfaf6c9b5dde278e3a81b9e805d)

2 years ago  Refuse connection if server pushes an option contradicting allow-compress
Arne Schwabe [Thu, 23 Mar 2023 17:05:59 +0000 (18:05 +0100)] 
Refuse connection if server pushes an option contradicting allow-compress

This also removes the checks in options.c itself as we now bail out
later and no longer need to ignore them during parsing.

Change-Id: I872c06f402c35112194ba77c3d6aee78e22547cb
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230323170601.1256132-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26503.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e86bc8b2967484afdb1e96efddb8d91185c4cc2c)

2 years ago  Simplify --compress parsing in options.c
Arne Schwabe [Thu, 23 Mar 2023 17:05:58 +0000 (18:05 +0100)] 
Simplify --compress parsing in options.c

This removes a level of indentation and makes the "stub" condition
easier to see.

Change-Id: Iae47b191f522625f81eedd3a237b272cb7374d90
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230323170601.1256132-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26501.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit bfc00a01c10bbdd9683aab5db2c2e7dcbb2f7378)

2 years ago  dco-linux: implement dco_get_peer_stats{, multi} API
Antonio Quartulli [Wed, 22 Mar 2023 19:27:57 +0000 (20:27 +0100)] 
dco-linux: implement dco_get_peer_stats{, multi} API

With this API it is possible to retrieve the stats for a specific peer
or for all peers and then update the userspace counters with the value
reported by DCO.

Change-Id: Ia3990b86b1be7ca844fb1674b39ce0d60528ccff
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230322192757.20767-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26481.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 5a8fb55ac8cf4019afee884d3be545ddf87435a4)

2 years ago  Print DCO client stats on SIGUSR2
Lev Stipakov [Wed, 22 Mar 2023 11:32:49 +0000 (13:32 +0200)] 
Print DCO client stats on SIGUSR2

Change-Id: I465febdf7ee5fe573e88255844f718efb60f8e8a
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230322113249.2039-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26471.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit d5238627e4fab93a6c09816c60eb90e237b626c3)

2 years ago  dco-freebsd: use m->instances[] instead of m->hash
Antonio Quartulli [Thu, 23 Mar 2023 08:03:41 +0000 (09:03 +0100)] 
dco-freebsd: use m->instances[] instead of m->hash

When retrieving the multi_instance of a specific peer,
there is no need to perform a linear search across the
whole m->hash list. We can directly access the needed
object via m->instances[peer-id] in constant time (and
just one line of code).

Adapt the dco-freebsd code to do so.

v4: use "peerid" everywhere as that's what FreeBSD does, change message
text

Cc: Kristof Provost <kp@FreeBSD.org>
Change-Id: I8d8af6f872146604a9710edf443db65df48ac3cb
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Kristof Provost <kp@freebsd.org>
Message-Id: <20230323080341.51624-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20230323080341.51624-1-gert@greenie.muc.de
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 03145f223236df90b35d1db444319fd3f785792b)

2 years ago  Make error in setting metric for IPv6 interface non-fatal
Selva Nair [Wed, 22 Mar 2023 15:15:50 +0000 (11:15 -0400)] 
Make error in setting metric for IPv6 interface non-fatal

- Unfortunately there are still users out there who disable IPv6
  on tun/tap/dco interfaces or even system-wide.

Github: fixes OpenVPN/openvpn#294
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230322151550.1596669-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26477.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b8ee8c43fd81988a58343da466999d2e30ae6221)

2 years ago  Fix '--inactive <time> 0' behavior for DCO
Lev Stipakov [Wed, 22 Mar 2023 11:34:08 +0000 (13:34 +0200)] 
Fix '--inactive <time> 0' behavior for DCO

Make sure we exit if <bytes> is 0 (not set) and no traffic
was produced.

According to man page and non-DCO --inactive implementation,
we exit if amount of bytes produced is less than <bytes> specified.
DCO implementation will do off-by-ones, but we consider it as okay
since we don't want to complicate code to handle both bytes=0 and >0
cases.

Change-Id: I4c089e486728a43bfe42596787c00355838311da
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230322113408.2057-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/search?l=mid&q=20230322113408.2057-1-lstipakov@gmail.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6c64b46b15476351ca19f9a8f3cb8185aa2c7e07)

2 years ago  dns option: allow up to eight addresses per server
Heiko Hund [Fri, 10 Mar 2023 05:08:12 +0000 (06:08 +0100)] 
dns option: allow up to eight addresses per server

This change allows configuration of more than one address per family
for a DNS server. This way you can specify backup addresses in case a
server is not reachable. During closer inspection of the various DNS
backends in supported operating systems it turned out that our previous
idea to have more than one DNS server applied in order of priority does
not work in most cases. Thus it became important to be able to specify
backup addresses. So instead of doing

  dns server 1 address 1.2.3.4 2001::1
  dns server 2 address 5.6.7.8 2001::2

to specify a backup address, this is now done like so:

  dns server 1 address 1.2.3.4 2001::1
  dns server 1 address 5.6.7.8 2001::2

or you can have all the addresses on one line if you like:

  dns server 1 address 1.2.3.4 2001::1 2001::2 5.6.7.8

This also saves some repeated options when (backup) servers share the
same settings like "resolve-domains" compared to the originally intended
way.

The order in which addresses are given is retained for backends that
support this sort of cross address family ordering.

Change-Id: I9bd3d6d05da4e61a5fa05c0e455fc770b1fe186a
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230310050814.67246-1-heiko@ist.eigentlich.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26386.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 424ae5906388af8769ae448080fa3b7ec266e8d8)
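As an added illustration of the accumulation semantics described above (example code, not OpenVPN's own option parser), here is a small C parser that folds repeated `dns server <n> address ...` lines into one server entry per priority, keeping addresses in the order the config gave them. The eight-address limit is the one the commit states; the struct names, the cap of four servers, and the choice to reject a ninth address as a config error rather than silently drop it are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SERVERS 4   /* assumption for the example */
#define MAX_ADDRS   8   /* "up to eight addresses per server" */

struct dns_server {
    long priority;              /* the <n> in "dns server <n>" */
    int  naddr;
    char addrs[MAX_ADDRS][64];  /* retained in the order given */
};

struct dns_config {
    int nservers;
    struct dns_server servers[MAX_SERVERS];
};

/* Return the entry for a priority, creating it on first use. */
static struct dns_server *dns_server_get(struct dns_config *cfg, long prio)
{
    for (int i = 0; i < cfg->nservers; i++) {
        if (cfg->servers[i].priority == prio) {
            return &cfg->servers[i];
        }
    }
    if (cfg->nservers == MAX_SERVERS) {
        return NULL;
    }
    struct dns_server *s = &cfg->servers[cfg->nservers++];
    memset(s, 0, sizeof(*s));
    s->priority = prio;
    return s;
}

/* Parse one "dns server <n> address <addr> [<addr>...]" line. Addresses
 * accumulate on the server with that priority, so a second
 * "dns server 1 address ..." line appends backup addresses.
 * Returns false on a malformed line or when a ninth address would be added
 * (assumption: overflow is a config error). */
bool dns_parse_line(struct dns_config *cfg, const char *line)
{
    char buf[256];
    if (strlen(line) >= sizeof(buf)) {
        return false;
    }
    strcpy(buf, line);

    const char *sep = " \t\r\n";
    char *tok = strtok(buf, sep);
    if (!tok || strcmp(tok, "dns") != 0) return false;
    tok = strtok(NULL, sep);
    if (!tok || strcmp(tok, "server") != 0) return false;
    tok = strtok(NULL, sep);
    if (!tok) return false;
    char *end = NULL;
    long prio = strtol(tok, &end, 10);
    if (*end != '\0' || prio < 1) return false;
    tok = strtok(NULL, sep);
    if (!tok || strcmp(tok, "address") != 0) return false;

    struct dns_server *s = dns_server_get(cfg, prio);
    if (!s) return false;

    int added = 0;
    while ((tok = strtok(NULL, sep)) != NULL) {
        if (s->naddr == MAX_ADDRS) return false;
        snprintf(s->addrs[s->naddr], sizeof(s->addrs[0]), "%s", tok);
        s->naddr++;
        added++;
    }
    return added > 0;   /* "address" with nothing after it is an error */
}

/* Constructed sample: the two-line form from the commit message. */
static struct dns_config *dns_example(void)
{
    static struct dns_config cfg;
    memset(&cfg, 0, sizeof(cfg));
    dns_parse_line(&cfg, "dns server 1 address 1.2.3.4 2001::1");
    dns_parse_line(&cfg, "dns server 1 address 5.6.7.8 2001::2");
    return &cfg;
}

/* Number of addresses on priority 1 after parsing the sample (expect 4). */
int dns_example_count(void)
{
    struct dns_config *c = dns_example();
    return c->nservers == 1 ? c->servers[0].naddr : -1;
}

/* Address idx of priority 1 in the sample, e.g. idx 3 -> "2001::2". */
const char *dns_example_addr(int idx)
{
    return dns_example()->servers[0].addrs[idx];
}

/* Eight addresses are accepted across two lines; the ninth is rejected. */
bool dns_example_overflow_rejected(void)
{
    struct dns_config cfg = {0};
    bool ok = dns_parse_line(&cfg, "dns server 2 address 10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4");
    ok = ok && dns_parse_line(&cfg, "dns server 2 address 10.0.0.5 10.0.0.6 10.0.0.7 10.0.0.8");
    return ok && !dns_parse_line(&cfg, "dns server 2 address 10.0.0.9");
}

int main(void)
{
    printf("server 1 has %d addresses, first %s, last %s\n",
           dns_example_count(), dns_example_addr(0), dns_example_addr(3));
    printf("ninth address rejected: %s\n", dns_example_overflow_rejected() ? "yes" : "no");
    return 0;
}
```

Note that the parser treats the priority as the merge key only; how the platform backend actually orders families within one server is outside what this example can show, which is the point the commit makes about backends not supporting priority ordering.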

2 years ago  multi: don't call DCO APIs if DCO is disabled
Antonio Quartulli [Tue, 21 Mar 2023 10:28:42 +0000 (11:28 +0100)] 
multi: don't call DCO APIs if DCO is disabled

The agreement with the DCO submodule is that no API should be called if
DCO is actually disabled. For this reason, every invocation must happen
only after having checked that dco_enabled() returns true.

Add missing checks before invoking dco_get_peer_stats_multi().

Reported-by: Lev Stipakov <lev@openvpn.net>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20230321102842.10780-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26458.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 891c71db5e26291b19885b9a5ae5c72011b86658)

2 years ago  Improve description of compat-mode
Arne Schwabe [Mon, 20 Mar 2023 16:55:38 +0000 (17:55 +0100)] 
Improve description of compat-mode

Explicitly say that the version specified is the one of the peer and not
the version we try to emulate.

Patch v2: Improve grammar.
Change-Id: I3bd27a8d34d8cb4896a3b78508b7d16911571543

Change-Id: If4fb45b3426f5e0dbe6c87d5bd05681b9d733827
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230320165538.902965-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26445.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit daf66f4013d8facc085ea6cfaaf8a42f4d45a461)

2 years ago  dco-linux: remove M_ERRNO flag when printing netlink error message
Antonio Quartulli [Mon, 20 Mar 2023 19:58:20 +0000 (20:58 +0100)] 
dco-linux: remove M_ERRNO flag when printing netlink error message

Netlink has its own error space and reports errors via the return
value of its functions.

For this reason remove the M_ERRNO flag when printing its errors.
At the moment we get something like this:

netlink reports error (-7): Invalid input data or parameter: Interrupted
system call (errno=4)

where the errno=4 (and its human readable representation) is a leftover
from the previous recv() interrupted by a signal and it is totally
unrelated to this netlink failure.

Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230320195820.6675-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26452.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 23903fd579353c9892415a750f17a9832a79cced)

2 years ago  Improve error message on short read from socks proxy
Selva Nair [Sat, 18 Mar 2023 14:13:30 +0000 (10:13 -0400)] 
Improve error message on short read from socks proxy

Change-Id: Id00006bf8ea705d02eff2cbfba7d841e1cdb6ae1
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230318141330.1315235-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26437.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 172640189277c940439d24fd31a59b8faffd0b3e)

2 years ago  Unit tests: add test for SSL_CTX_use_Cryptoapi_certificate()
Selva Nair [Sat, 18 Mar 2023 14:43:25 +0000 (10:43 -0400)] 
Unit tests: add test for SSL_CTX_use_Cryptoapi_certificate()

- This is the only remaining function in cryptoapi.c that has no
  direct or indirect test.

  This test confirms that an SSL_CTX context gets a certificate and
  private key loaded into it and the public key in the certificate
  matches the private key. As signing with certificate/key pairs
  fetched from the store is independently tested by the 'cryptoapi_sign'
  test, signing is not re-tested here.

  The functions "setup_/teardown_cryptoapi_sign()" are renamed to
  "setup_/teardown_xkey_provider()" to better reflect their purpose.
  These are also reused for the new test.

  While touching this context, also fix a memory leak in
  test_cryptoapi_sign: X509_get_pubkey() -> X509_get0_pubkey()

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230318144325.1316320-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26438.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 85da9de524f34db3f6bd4ebc110b25c6bcbc273d)

2 years ago  Only update frame calculation if we have a valid link sockets
Arne Schwabe [Wed, 1 Mar 2023 13:44:55 +0000 (14:44 +0100)] 
Only update frame calculation if we have a valid link sockets

Without this, we will calculate a pointer to the linksocket relative to a
null pointer in get_link_socket_info(), which itself does not crash and
the pointer seems not to be accessed later, so we do not get a crash here.

This is still not the correct behaviour and the undefined behaviour
sanitiser from llvm/clang finds this.

Change-Id: I82a20ac72f60f8770ea1b4ab0c8cdea31868abe7
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230301134455.2810114-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26318.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 2d17869f8d9d8e27f64f1a7cd1514fbbb768807b)

2 years ago  Make sending plain text control message session aware
Arne Schwabe [Wed, 1 Mar 2023 13:53:53 +0000 (14:53 +0100)] 
Make sending plain text control message session aware

The control messages coming from auth pending should always be on the
session that triggered them (i.e. INITIAL or ACTIVE) and not always on the
active session. Rework the code paths that trigger those messages from
management and plugin/script to specify the TLS session.

We only support the two TLS sessions that are supposed to be active. TLS
sessions in any lame slot (TM_LAME or KS_LAME) are not considered to be
candidates for sending messages as these slots only serve to keep key
material around.

Unfortunately, this fix requires the management interface to be changed
to allow including the specific session the messages should go to. As
there are very few users of this interface with auth-pending, I made this
a hard change instead of adding hacky workaround code that is not always
working correctly anyway.

send_control_channel_string() will continue to only use the primary session
and key but the current users of that (push replies and exit notification)
already require the established session to be the active one, so there
are no changes needed at the moment.

Github: fixes OpenVPN/openvpn#256

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230301135353.2811069-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26320.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a261e173341f8e68505a6ab5a413d09b0797a459)

2 years ago  Use key_state instead of multi for tls_send_payload parameter
Arne Schwabe [Wed, 1 Mar 2023 13:53:52 +0000 (14:53 +0100)] 
Use key_state instead of multi for tls_send_payload parameter

Currently, this function and other parts of OpenVPN assume that
multi->session[TM_ACTIVE].key[KS_PRIMARY] is always the right session
to send control message.

This assumption was only achieved through complicated session moving and
shuffling in our state machine in the past. The old logic basically also
always assumed that control messages are always for fully authenticated
clients. This assumption was never really true (see AUTH_FAILED message)
but has been broken even more by auth-pending. Cleaning up the state machine
transitions in 7dcde87b7a broke this assumption even more.

This change now allows to specify the key_state/TLS session that is used to
send the control message.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230301135353.2811069-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26319.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 06af538eb7bde36feb20ef63febb171c9607a5e6)

2 years ago  using OpenSSL3 API for EVP PKEY type name reporting
Michael Baentsch [Sun, 19 Mar 2023 07:54:41 +0000 (08:54 +0100)] 
using OpenSSL3 API for EVP PKEY type name reporting

Signed-off-by: Michael Baentsch <info@baentsch.ch>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230319075441.13021-1-info@baentsch.ch>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26439.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6c111be9b109a6dbcd39cac7821ea3dd78ff6adf)

2 years ago  Support --inactive option for DCO
Lev Stipakov [Wed, 15 Mar 2023 13:38:08 +0000 (15:38 +0200)] 
Support --inactive option for DCO

When DCO is in use, userland doesn't see any traffic
which breaks --inactive option.

Fix by adding inactivity check to inactivity timeout
callback. Get the cumulative tun bytes count (ping packets
are excluded) from DCO and compare it to the previous value
stored in c2.inactivity_bytes. Reset inactivity timer and
update c2.inactivity_bytes if amount of new bytes exceeds
inactivity_minimum_bytes, otherwise terminate session
due to inactivity.

Github: Fixes OpenVPN/openvpn#228

Currently works only on Windows, since we don't yet have
single peer stats implementation for Linux and FreeBSD.

Change-Id: Ib417b965bc4a2c17b51935b43c9627b106716526
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20230315133808.1550-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26421.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 514eefb14ace41a5790e59b81654d1d5eed60670)

2 years ago  Add a test for signing with certificates in Windows store
Selva Nair [Wed, 15 Mar 2023 01:35:16 +0000 (21:35 -0400)] 
Add a test for signing with certificates in Windows store

- For each sample certificate/key pair imported into the store,
  load the key into xkey-provider and sign a test message.
  As the key is "provided", signing will use appropriate
  backend (Windows CNG in this case).

  The signature is then verified using OpenSSL.

Change-Id: I520b34ba51e8c6d0247a82edc52bde181ab5a717
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230315013516.1256700-5-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26416.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 0267649a21a2af1b60fbddcb78b0ed642080d6fd)

2 years ago  Refactor SSL_CTX_use_CryptoAPI_certificate()
Selva Nair [Wed, 15 Mar 2023 01:35:15 +0000 (21:35 -0400)] 
Refactor SSL_CTX_use_CryptoAPI_certificate()

- Loading the certificate and key into the provider is split out of
  setting up the SSL context. This allows testing of signing by
  cryptoapi-provider interface without dependence on SSL context
  or link-time wrapping.

Change-Id: I269b94589636425e1ba9bf953047d238fa830376
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230315013516.1256700-4-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26414.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 0ad5f4d6c44daedca00dc399a5f914ac5850caa0)

2 years ago  Add tests for finding certificates in Windows cert store
Selva Nair [Wed, 15 Mar 2023 01:35:14 +0000 (21:35 -0400)] 
Add tests for finding certificates in Windows cert store

- find_certificate_in_store tested using 'SUBJ:', 'THUMB:'
  and 'ISSUER:' select strings. Uses test certificates
  imported into the store during the import test.

Change-Id: Ib5138465e6228538af592ca98b3d877277355f59
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230315013516.1256700-3-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26415.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b538a334284716757c48026bf6ace95e33258943)

2 years ago  Import some sample certificates into Windows store for testing
Selva Nair [Wed, 15 Mar 2023 01:35:13 +0000 (21:35 -0400)] 
Import some sample certificates into Windows store for testing

- A few sample certificates are defined and imported into
  Windows certificate store (user store).
  This only tests the import process. Use of these certs to test the
  core functionality of 'cryptoapicert' is in the following commits.

Change-Id: Ida5fc12c5bad5fde202da0bf0e8cdc71efe548c2
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230315013516.1256700-2-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26417.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit d6cf0239e835d98b66c71d701e70128db9ca7e9a)

2 years ago  Fix memory leaks in HMAC initial packet generation
Arne Schwabe [Wed, 15 Mar 2023 19:55:12 +0000 (20:55 +0100)] 
Fix memory leaks in HMAC initial packet generation

The HMAC leaks are just forgotten frees/deinitialisations.

tls_wrap_control() will sometimes return the original buffer (non
tls-crypt) and sometimes tls_wrap.work, so handling this buffer lifetime
is a bit more complicated.  Instead of further complicating that code
just give our work buffer the same lifetime as the other one inside
tls_wrap.work (put it into per-session gc_arena) as that is also more
consistent.

Second, packet_id_init() allocates a buffer with malloc and not using a
gc_arena, so we need to also manually free it.

Patch v2: add missing deallocations in unit tests of the new workbuf
Patch v3: remove useless allocation of 0 size buffer in
          tls_auth_standalone_init

Found-By: clang with asan
Change-Id: I0cff44f79ee7e3bcf7b5981fc94f469c15f21af3
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230315195512.323070-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e8ecaadd2ac38f2c2d4bcd40eeaea7401aa737a1)

2 years ago  Bugfix: Convert ECDSA signature from pkcs11-helper to DER encoded form
Selva Nair [Tue, 14 Mar 2023 12:21:34 +0000 (08:21 -0400)] 
Bugfix: Convert ECDSA signature from pkcs11-helper to DER encoded form

With OpenSSL 3.0 and xkey-provider, we use pkcs11h_certificate_signAny_ex()
which returns EC signature as raw r|s concatenated. But OpenSSL expects
a DER encoded ASN.1 structure.

Do this conversion as done in cryptoapi.c. For code re-use, ecdsa_bin2sig()
is consolidated with sig to DER conversion as ecdsa_bin2der() and
moved to xkey_helper.c

In the past when we used OpenSSL hooks installed by pkcs11-helper,
such a conversion was not required as it was internally handled by
the library.

Reported by: Tom <openvpn@sup-logistik.de>
Also see: https://bugzilla.redhat.com/show_bug.cgi?id=2177834
Tested-by: Florian Apolloner <florian@apolloner.eu>
Change-Id: Ie20cf81edd643ab8ef3c41321353d11fd66c188c
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230314122134.1248576-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26406.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b7cf18f750f2a020032e09b6c4184579896876ee)
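To make the mismatch concrete, here is an added C example (not OpenVPN's ecdsa_bin2der(), whose code is not on this page) of the conversion the commit describes: the raw `r || s` byte string a PKCS#11 backend hands back is re-encoded as the DER `SEQUENCE { INTEGER r, INTEGER s }` that OpenSSL's verification path expects. The sample bytes are constructed, not a real signature, and are chosen to exercise the two DER rules that bite in practice: leading zero bytes are stripped, and a 0x00 pad byte is inserted when the top bit of the first remaining byte is set so the value is not read as negative. Function names and the P-521 size cap are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_COORD 66   /* P-521: r and s are 66 bytes each */

/* DER-encode an unsigned big-endian integer as INTEGER (tag 0x02).
 * Strips leading zero bytes, then prepends 0x00 if the top bit is set.
 * Returns bytes written, 0 on error. */
static size_t der_uint(const uint8_t *v, size_t vlen, uint8_t *out, size_t cap)
{
    while (vlen > 1 && v[0] == 0x00) {
        v++;
        vlen--;
    }
    size_t pad = (v[0] & 0x80) ? 1 : 0;
    size_t clen = vlen + pad;
    if (clen > 127 || cap < 2 + clen) {   /* short-form length suffices up to P-521 */
        return 0;
    }
    out[0] = 0x02;
    out[1] = (uint8_t)clen;
    if (pad) {
        out[2] = 0x00;
    }
    memcpy(out + 2 + pad, v, vlen);
    return 2 + clen;
}

/* Convert raw r||s (each half the width of the curve order) into
 * DER SEQUENCE { INTEGER r, INTEGER s }. Returns DER length, 0 on error. */
size_t ecdsa_raw_to_der(const uint8_t *sig, size_t siglen, uint8_t *out, size_t cap)
{
    if (siglen == 0 || siglen % 2 != 0 || siglen / 2 > MAX_COORD) {
        return 0;
    }
    size_t n = siglen / 2;
    uint8_t body[2 * (2 + 1 + MAX_COORD)];
    size_t rlen = der_uint(sig, n, body, sizeof(body));
    if (rlen == 0) return 0;
    size_t slen = der_uint(sig + n, n, body + rlen, sizeof(body) - rlen);
    if (slen == 0) return 0;
    size_t blen = rlen + slen;
    /* SEQUENCE length: short form below 128, else long form 0x81 <len> (at most 138 here) */
    size_t hdr = (blen < 128) ? 2 : 3;
    if (cap < hdr + blen) return 0;
    out[0] = 0x30;
    if (hdr == 2) {
        out[1] = (uint8_t)blen;
    } else {
        out[1] = 0x81;
        out[2] = (uint8_t)blen;
    }
    memcpy(out + hdr, body, blen);
    return hdr + blen;
}

/* Constructed P-256-sized sample: r = 1 (31 leading zero bytes),
 * s = 0x80 followed by 31 zero bytes (top bit set). Expected DER:
 *   30 26  02 01 01  02 21 00 80 00..00   (40 bytes) */
int example_p256_matches(void)
{
    uint8_t raw[64] = {0};
    raw[31] = 0x01;   /* r */
    raw[32] = 0x80;   /* s */
    uint8_t expect[40] = {0x30, 0x26, 0x02, 0x01, 0x01, 0x02, 0x21, 0x00, 0x80};
    uint8_t der[160];
    size_t len = ecdsa_raw_to_der(raw, sizeof(raw), der, sizeof(der));
    return len == sizeof(expect) && memcmp(der, expect, len) == 0;
}

/* Constructed P-521-sized sample with both top bits set: each INTEGER is
 * 2 + 67 bytes, the body is 138 bytes, so the SEQUENCE needs a long-form
 * length and the result is 141 bytes. */
size_t example_p521_length(void)
{
    uint8_t raw[132];
    memset(raw, 0xff, sizeof(raw));
    uint8_t der[160];
    return ecdsa_raw_to_der(raw, sizeof(raw), der, sizeof(der));
}

/* An odd-length input cannot be r||s and is rejected. */
size_t example_odd_length(void)
{
    uint8_t raw[63] = {0};
    uint8_t der[160];
    return ecdsa_raw_to_der(raw, sizeof(raw), der, sizeof(der));
}

int main(void)
{
    uint8_t raw[64] = {0}, der[160];
    raw[31] = 0x01;
    raw[32] = 0x80;
    size_t len = ecdsa_raw_to_der(raw, sizeof(raw), der, sizeof(der));
    for (size_t i = 0; i < len; i++) {
        printf("%02x%s", der[i], (i + 1 < len) ? " " : "\n");
    }
    return 0;
}
```

Feeding the raw form straight to OpenSSL fails because the first byte of `r` is not the SEQUENCE tag 0x30, which is exactly the verification error the bug report describes; the conversion above is what the provider path has to do itself now that pkcs11-helper's OpenSSL hooks are no longer in the middle.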