Selva Nair [Wed, 30 Jan 2019 15:53:20 +0000 (10:53 -0500)]
Handle PSS padding in cryptoapicert
For PSS padding, CNG requires the digest to be signed
and the digest algorithm in use, which are not accessible
via the rsa_sign and rsa_priv_enc callbacks of OpenSSL.
This patch uses the EVP_KEY interface to hook to
evp_pkey_sign callback if OpenSSL version is > 1.1.0.
To test this code path, both the server and client should
be built with OpenSSL 1.1.1 and use TLS version >= 1.2.
Tested on Windows 7 client against a Linux server.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1548863600-491-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18188.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 22 Jan 2019 15:03:28 +0000 (16:03 +0100)]
Rename tls_crypt_v2_read_keyfile into generic pem_read_key_file
The function is fairly generic, and to avoid duplicating the same
functionality, move the function to crypto.c and change the fixed string to
be the same as the pem_name parameter.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190122150333.1061-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20190122150333.1061-1-arne@rfc2549.org
Simon Rozman [Wed, 19 Dec 2018 20:26:11 +0000 (21:26 +0100)]
Detect missing TAP driver and bail out gracefully
When no TUN/TAP driver is installed an interface cannot be created. This
patch detects this condition and bails out with an error message.
This also fixes a typo in one of the error messages.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181219202611.2144-4-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18038.html
Steffan Karger [Sat, 19 Jan 2019 10:34:00 +0000 (11:34 +0100)]
Fix tls-auth/crypt in connection blocks with --persist-key
If --persist-key was used, we would always try to pre-load the 'global'
tls-auth/crypt file. That would result in using the wrong key (leading
to a failed connection) or an error if there was no 'global' key:
Sat Jan 19 11:09:01 2019 Cannot pre-load tls-auth keyfile ((null))
Sat Jan 19 11:09:01 2019 Exiting due to fatal error
Fix that by loading the key from the current connection entry.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20190119103400.12887-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18123.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Tue, 22 Jan 2019 13:41:03 +0000 (15:41 +0200)]
crypto_openssl.c: fix heap-buffer-overflow found by AddressSanitizer
OpenSSL's version of crypto_pem_encode() uses PEM_write_bio()
function to write PEM-encoded data to BIO object. That method doesn't
add a NUL terminator, unlike its mbedTLS counterpart
mbedtls_pem_write_buffer().
The code which uses PEM data treats it as a string, so the missing NUL
terminator makes the sanitizer complain.
Fix by adding a NUL terminator.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1548164463-13366-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18141.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Tue, 22 Jan 2019 15:50:32 +0000 (10:50 -0500)]
White-list pull-filter and script-security in interactive service
This allows the Windows GUI to use these options on the command
line without triggering user authorization errors.
Useful for
(i) ignoring certain pushed options such as "route-method" which
could otherwise bypass the interactive service
(ii) enforcing a safer script-security setting from the GUI
See also:
https://github.com/OpenVPN/openvpn-gui/issues/235#issuecomment-456142928
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1548172232-11268-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18154.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Simon Rozman [Wed, 19 Dec 2018 20:26:08 +0000 (21:26 +0100)]
Make DriverCertification MSI property public
Making DriverCertification public (containing only upper-case letters)
allows the property set by FindSystemInfo custom action to be passed
from InstallUISequence sequence to InstallExecuteSequence. This
eliminates the need to execute FindSystemInfo in both sequences.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181219202611.2144-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18037.html
Simon Rozman [Tue, 27 Nov 2018 00:28:08 +0000 (01:28 +0100)]
Add MSI custom actions to close and relaunch OpenVPN GUI
These custom actions are used by MSI setup to close OpenVPN GUI before
performing an upgrade and relaunch it afterwards.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181127002808.19200-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17959.html
Simon Rozman [Wed, 21 Nov 2018 16:36:53 +0000 (17:36 +0100)]
Add detection of active VPN connections for MSI packages
This patch adds a simple up/down detection for each TAP interface found.
All "up" TAP interface IDs are listed as an `ACTIVETAPINTERFACES` MSI
property.
This allows MSI packages to test for active VPN connections on updates.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181121163653.4904-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17942.html
Simon Rozman [Mon, 12 Nov 2018 12:22:44 +0000 (13:22 +0100)]
Delete TAP interface before the TAP driver is uninstalled
The previous version of MSI installer did:
- Execution Pass: rename the TAP interface to some temporary name
- Commit/Rollback Pass: delete the TAP interface / rename the interface
back to original name
However, the WiX Toolset's Diffx extension to install and remove drivers
removed the TAP driver between the execution and commit passes. The TAP
driver removal makes all TAP interfaces unavailable and our custom
action couldn't find the interface to delete any more.
While the system where OpenVPN was uninstalled didn't have any TAP
interfaces any more as expected behaviour, the problem appears after
reinstalling OpenVPN. Some residue TAP interface registry keys
remain on the system, causing the TAP interface to reappear as "Ethernet
NN" interface next time the TAP driver is installed. This causes TAP
interfaces to accumulate when cycling install-uninstall-install...
Therefore, it is better to remove the TAP interfaces before the TAP
driver is removed, and reinstall the TAP interface back should the
rollback be required. Though it won't be exactly the same interface
again.
I wonder if the WiX Diffx extension supports execute/commit/rollback
feature of MSI in the first place.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181112122246.13556-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17906.html
Simon Rozman [Mon, 12 Nov 2018 12:22:46 +0000 (13:22 +0100)]
Make MSI custom action debug pop-up more informative
Each MSI custom action pops up a message box in the _DEBUG version
before commencing execution. This opens a time window for the developer to
attach a debugger to the msiexec.exe process and set breakpoints before the
custom action proceeds with execution.
While those pop-up dialogs are targeted to a limited audience, they were
very sparse. With this patch, they become more informative and they also
provide the PID of the msiexec.exe process to attach the debugger to.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181112122246.13556-3-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17907.html
Simon Rozman [Tue, 16 Oct 2018 10:26:27 +0000 (12:26 +0200)]
Detect TAP interfaces with root-enumerated hardware ID
This patch extends the TAP interface enumerating to detect the TAP
interfaces registered using "root\tap0901" hardware ID. Before, only TAP
interfaces with legacy "tap0901" HWID were detected by openvpn.exe.
The openvpnmsica.dll and tapctl.exe install TAP interfaces using
root-enumerated HWIDs, and were not detected by openvpn.exe.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181016102627.18676-5-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17762.html
Simon Rozman [Tue, 16 Oct 2018 10:26:26 +0000 (12:26 +0200)]
Add MSI custom action for reliable Windows 10 detection
This patch introduces a `FindSystemInfo()` MSI custom action to reliably
detect Windows 10. The MSI built-in properties for Windows version
detection depend on bootstrapper's manifest. We could provide our own
Windows 10 compatible EXE bootstrapper, but that would cover the
Windows 10 detection in the `InstallUISequence` only. The
`InstallExecuteSequence` is launched by msiexec.exe, which we cannot
tamper with, and would still report `VersionNT` as Windows 8 (603).
Acked-by: Jon Kunkee <jkunkee@microsoft.com>
Message-Id: <20181016102627.18676-4-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17763.html
Simon Rozman [Tue, 16 Oct 2018 10:26:25 +0000 (12:26 +0200)]
Define _WIN32_WINNT=_WIN32_WINNT_VISTA in MSVC
This makes MSVC and MinGW build environments more alike.
Acked-by: Jon Kunkee <jkunkee@microsoft.com>
Message-Id: <20181016102627.18676-3-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17764.html
Simon Rozman [Tue, 16 Oct 2018 10:26:24 +0000 (12:26 +0200)]
Prevent __stdcall name mangling of MSVC
Using `extern "C" __declspec(dllexport) __stdcall`, the Win32 MSVC compiler
exports the functions as `_name@N`. Exporting functions using the
`/EXPORT` linker flag allows us to specify exact function name.
Note: The 64-bit MSVC compiler does not exhibit `__stdcall` name mangling.
Acked-by: Jon Kunkee <jkunkee@microsoft.com>
Message-Id: <20181016102627.18676-2-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17765.html
Simon Rozman [Tue, 16 Oct 2018 10:26:23 +0000 (12:26 +0200)]
Set output name to libopenvpnmsica.dll in MSVC builds too
On MinGW builds, the Libtool produces libopenvpnmsica.dll. The MSVC
properties were updated to match this.
Acked-by: Jon Kunkee <jkunkee@microsoft.com>
Message-Id: <20181016102627.18676-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17766.html
Simon Rozman [Wed, 10 Oct 2018 19:23:37 +0000 (21:23 +0200)]
Introduce tapctl.exe utility and openvpnmsica.dll MSI CA
The tapctl.exe utility is a future replacement for the devcon.exe/
tapinstall.exe utility. While this utility does not offer TAP driver
installation or upgrading, its purpose is to manipulate TAP virtual
network interfaces on Windows. In the long term, its code could be
integrated into openvpn.exe with `--mktun` and `--rmtun`.
The openvpnmsica.dll provides additional MSI custom actions for TUN/TAP
interface creation on install. The interface creation is customizable
using the `TAPInterface` MSI table and is fully compliant with MSI's
deferred processing, commit and rollback. Detailed instructions and
documentation are to be published when MSI packaging is completed.
Those utilities were placed into the openvpn repository to join the
established compile-sign-package OpenVPN workflow.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181010192337.6984-1-simon@rozman.si>
URL: https://www.mail-archive.com/search?l=mid&q=20181010192337.6984-1-simon@rozman.si
Arne Schwabe [Mon, 14 Jan 2019 15:48:16 +0000 (16:48 +0100)]
Add send_control_channel_string_dowork variant
The send_control_channel_string_dowork variant does not schedule
the sending of the actual and can be used where struct context is not
available.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190114154819.6064-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18092.html
Arne Schwabe [Mon, 14 Jan 2019 15:48:15 +0000 (16:48 +0100)]
Refactor tls_crypt_v2_write_server_key_file into crypto.c
This allows the method to be reused for generating other types of keys
that should also not be reused as tls-crypt/tls-auth keys.
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20190114154819.6064-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18090.html
Arne Schwabe [Mon, 14 Jan 2019 15:48:14 +0000 (16:48 +0100)]
Fix loading inline tls-crypt-v2 keys with mbed TLS
Using a tls-crypt-v2 key with mbed TLS inline results in
PEM decode error: source buffer not null-terminated
This is because the mbed TLS PEM decode function expects the last byte
in the buffer to be 0x00. When constructing the buffer we only made it as
big as strlen, which does not include the 0x00 byte of a string. Add an
extra byte to ensure the null byte is also included in the buffer.
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20190114154819.6064-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18091.html
Steffan Karger [Wed, 16 Jan 2019 15:24:50 +0000 (16:24 +0100)]
Extend tls-crypt-v2 unit tests
This commit adds two tests for tls-crypt-v2 to verify the client and
server key generation. These are introduced primarily as a regression
test for the off-by-one bug fixed by Arne in tls_crypt_v2_read_keyfile()
recently (no commit hash available, patch has not been applied yet).
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <E1gjn4T-0003e9-LN@sfs-ml-1.v29.lw.sourceforge.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18095.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Wed, 5 Dec 2018 21:40:37 +0000 (22:40 +0100)]
Stop complaining about IPv6 routes without gateway address.
The IPv6 routing code inherited assumptions and the message
"OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6
option and no default was specified by either --route-ipv6-gateway or
--ifconfig-ipv6 options"
from the IPv4 routing code.
This was never really correct, as no gateway is needed for "into tun
device" IPv6 routes, and the "--route-ipv6-gateway" option it refers
to also never existed. (Routes on tap interfaces *do* need a gateway
due to neighbour discovery being involved. As do routes on Windows,
but there we fake the gateway in tun mode anyway).
While commit d24e1b179b95 introduces support for "--route-ipv6-gateway",
the message is still falsely triggered for IPv6 routes in tun mode.
Change the code to generally accept IPv6 routes with no gateway
specification (so "--block-ipv6 --redirect-gateway ipv6" can work
without additional config). When installing IPv6 routes, check
if a gateway is needed (tap mode) but missing, and if yes, print
correct message.
Trac: #1143
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20181205214037.70783-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17990.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Fri, 7 Dec 2018 12:33:03 +0000 (13:33 +0100)]
Add 'printing of port number' to mroute_addr_print_ex() for v4-mapped v6.
For whatever reason, this function never printed port numbers for
IPv6 addresses (but it did for IPv4) - which creates a bit of
confusion for IPv6-mapped v4 addresses on a dual stack socket,
that will have port numbers printed or not, depending on whether
it's a dual-stack v6 socket or single-stack v4.
This will not(!) add printing of port numbers for "proper" v6
addresses yet, because that might have adverse side effects to address
parsing elsewhere.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20181207123303.70827-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17996.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
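The distinction the commit above draws (v4-mapped v6 addresses printed with their port, native v6 addresses without) is easy to get wrong on a dual-stack socket, because the peer arrives as `::ffff:a.b.c.d` rather than as an IPv4 sockaddr. The following is an added illustration, not `mroute_addr_print_ex()` or any other OpenVPN code: `format_peer()` is a hypothetical helper, and the two addresses in the demo (`::ffff:192.0.2.1` and `2001:db8::1`, both with port 1194) are constructed inputs.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Render a peer address the way the commit describes: an IPv4-mapped IPv6 address
 * (::ffff:a.b.c.d, what a dual-stack socket reports for an IPv4 peer) prints as
 * "a.b.c.d:port", exactly like a single-stack IPv4 socket would, while a native
 * IPv6 address still prints without the port. Returns out, or NULL if the text
 * does not fit (hypothetical helper, not OpenVPN's own). */
const char *format_peer(const uint8_t addr[16], uint16_t port, char *out, size_t cap)
{
    struct in6_addr a6;
    char text[INET6_ADDRSTRLEN];
    int n;

    memcpy(&a6, addr, sizeof a6);
    if (IN6_IS_ADDR_V4MAPPED(&a6)) {
        /* the IPv4 address occupies the last four bytes of the mapped form */
        if (inet_ntop(AF_INET, addr + 12, text, sizeof text) == NULL) {
            return NULL;
        }
        n = snprintf(out, cap, "%s:%u", text, (unsigned)port);
    } else {
        if (inet_ntop(AF_INET6, &a6, text, sizeof text) == NULL) {
            return NULL;
        }
        n = snprintf(out, cap, "%s", text);
    }
    /* reject truncation instead of returning a silently shortened address */
    return (n >= 0 && (size_t)n < cap) ? out : NULL;
}

/* Constructed demo inputs: ::ffff:192.0.2.1 and 2001:db8::1. */
static const uint8_t demo_mapped_addr[16] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff, 192, 0, 2, 1 };
static const uint8_t demo_native_addr[16] = { 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };

/* Expected: "192.0.2.1:1194" */
const char *demo_mapped(void)
{
    static char out[64];
    return format_peer(demo_mapped_addr, 1194, out, sizeof out);
}

/* Expected: "2001:db8::1" (no port for a native IPv6 address, as the commit chose) */
const char *demo_native(void)
{
    static char out[64];
    return format_peer(demo_native_addr, 1194, out, sizeof out);
}

/* Returns 1 when a too-small buffer is rejected rather than truncated. */
int demo_small_buffer_rejected(void)
{
    char out[4];
    return format_peer(demo_mapped_addr, 1194, out, sizeof out) == NULL;
}

int main(void)
{
    printf("%s\n%s\nsmall buffer rejected: %d\n", demo_mapped(), demo_native(),
           demo_small_buffer_rejected());
    return 0;
}
```

The mapped-address check is what makes a dual-stack listener behave consistently with a single-stack one; anything keyed on the printed address (log correlation, access lists) otherwise sees two spellings of the same peer.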
Gert Doering [Fri, 30 Nov 2018 13:56:41 +0000 (14:56 +0100)]
uncrustify openvpn/ sources
There are an amazing number of brackets that were either
totally missing, or have snuck up on the "for(...){"
line. Further, uncrustify wants "|" in multi-line
logical expressions now at the beginning of the new
line, and "PRIi64" now gets surrounding spaces.
Added "sp_after_semi_for_empty=Add" to uncrustify.conf
to leave a few for() statements alone that look better
the way they are.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20181130135641.11533-3-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17970.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
Arne Schwabe [Wed, 10 Oct 2018 14:30:51 +0000 (16:30 +0200)]
Fallback to password authentication when auth-token fails
Under some circumstances, the auth-token stored by a client may not
be valid anymore.
For example, if the server is restarted, the client will try to
reconnect and resend the old token during authentication. Unfortunately
this attempt will fail, because the server does not keep track of tokens
used during previous runs.
With the current behaviour, depending on how auth-retry was configured,
the client will either just quit, prompt the user for username and password
as the original values are overwritten by the token, or endlessly fail
authentication by sending the old token over and over.
This patch changes the behaviour of the client so that, upon failed
authentication using a token, it will drop the token, perform a soft
restart (USR1) and attempt re-authenticating with the original password
provided by the user if auth-nocache was not specified.
Patch V3: remove all server changes, include only minimal non
intrusive client changes that only improve error recovery but don't
change overall behaviour.
Patch V4: forgot to add push.c to git index, now also included
Patch V5: is fixing overlong lines and one minor style problem.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20181010143051.27163-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17718.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 3 Dec 2018 16:48:18 +0000 (17:48 +0100)]
Implement block-ipv6
This can be used to redirect all IPv6 traffic to the tun interface,
effectively black holing the IPv6 traffic. Without ICMPv6 error
messages this will result in timeouts when the server does not send
error codes. block-ipv6 allows client side only blocking on all
platforms on which OpenVPN supports IPv6. On Android it is the only way to do
sensible IPv6 blocking on Android < 5.0 and broken devices (Samsung).
PATCH V6:
- Rebase on master and run uncrustify on the patch
PATCH V5:
- Fix even more style issues by Antonio
- Remove check for dev == tun as this also works for tap
PATCH V4:
- Fix more style issues reported by Antonio
- Clarify parts of the patch in comments and manpage
PATCH V3:
- Fix style issues reported by Antonio and accidentally committed parts
- merge udp_checksum and ipv6_checksum into common ip_checksum method
- Use fake ff80::7 address when no other address is configured.
- Make block-ipv6 also work for server by replying block-ipv6 to all
ipv6 traffic sent to the server
Note for the server the process_ip happens before the ipv6 route
lookup so every ipv6 packet, regardless of its source address is
replied to with a no route to host packet.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181203164818.15756-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17977.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
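The mechanism the block-ipv6 commit above describes (answering blocked IPv6 traffic with an ICMPv6 "no route to host" so that applications fail fast instead of timing out, and sharing one checksum routine between UDP and ICMPv6) is shown here as an added example; it is not OpenVPN's implementation. `build_icmpv6_no_route()`, `ipv6_upper_checksum()` and `icmpv6_checksum_ok()` are hypothetical names, the gateway address `fe80::7` and the 52-byte UDP packet in the demo are constructed inputs, and the quoting and "never answer an error message" rules follow RFC 4443.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IPV6_HDR_LEN   40
#define ICMPV6_HDR_LEN 8
#define IPV6_MIN_MTU   1280   /* RFC 4443: an error reply must fit the minimum IPv6 MTU */

/* Ones'-complement accumulation (RFC 1071) over big-endian 16-bit words. */
static uint32_t csum_accumulate(const uint8_t *data, size_t len, uint32_t acc)
{
    for (; len > 1; data += 2, len -= 2) {
        acc += ((uint32_t)data[0] << 8) | data[1];
    }
    if (len) {
        acc += (uint32_t)data[0] << 8;        /* odd trailing byte, zero padded */
    }
    return acc;
}

/* Checksum of an upper-layer message with the IPv6 pseudo header (RFC 8200 section
 * 8.1). The same routine serves UDP and ICMPv6; only next_header differs. */
uint16_t ipv6_upper_checksum(const uint8_t src[16], const uint8_t dst[16],
                             uint8_t next_header, const uint8_t *payload, size_t len)
{
    const uint8_t tail[8] = { (uint8_t)(len >> 24), (uint8_t)(len >> 16),
                              (uint8_t)(len >> 8), (uint8_t)len, 0, 0, 0, next_header };
    uint32_t acc = csum_accumulate(src, 16, 0);
    acc = csum_accumulate(dst, 16, acc);
    acc = csum_accumulate(tail, 8, acc);
    acc = csum_accumulate(payload, len, acc);
    while (acc >> 16) {
        acc = (acc & 0xffff) + (acc >> 16);   /* fold the carries back in */
    }
    return (uint16_t)~acc;
}

/* Build an ICMPv6 Destination Unreachable, code 0 ("no route to destination"), for
 * the blocked packet 'in', addressed back to its source from 'fake_src' (the gateway
 * address the caller chooses). Quotes as much of the offending packet as fits the
 * minimum MTU. Returns the reply length, or 0 when no reply must be generated. */
size_t build_icmpv6_no_route(const uint8_t *in, size_t in_len, const uint8_t fake_src[16],
                             uint8_t *out, size_t out_cap)
{
    if (in_len < IPV6_HDR_LEN || (in[0] >> 4) != 6) {
        return 0;
    }
    /* RFC 4443 section 2.4(e): never answer an ICMPv6 error message (types below 128),
     * otherwise two hosts can keep bouncing errors at each other. */
    if (in[6] == 58 && in_len > IPV6_HDR_LEN && in[IPV6_HDR_LEN] < 128) {
        return 0;
    }
    size_t quote = in_len;
    if (quote > IPV6_MIN_MTU - IPV6_HDR_LEN - ICMPV6_HDR_LEN) {
        quote = IPV6_MIN_MTU - IPV6_HDR_LEN - ICMPV6_HDR_LEN;
    }
    size_t payload_len = ICMPV6_HDR_LEN + quote;
    if (out_cap < IPV6_HDR_LEN + payload_len) {
        return 0;
    }
    uint8_t *icmp = out + IPV6_HDR_LEN;
    memset(out, 0, IPV6_HDR_LEN + ICMPV6_HDR_LEN);
    out[0] = 0x60;                                  /* version 6, class 0, flow label 0 */
    out[4] = (uint8_t)(payload_len >> 8);
    out[5] = (uint8_t)payload_len;
    out[6] = 58;                                    /* next header: ICMPv6 */
    out[7] = 64;                                    /* hop limit */
    memcpy(out + 8, fake_src, 16);                  /* reply source: the fake gateway */
    memcpy(out + 24, in + 8, 16);                   /* reply destination: original sender */
    icmp[0] = 1;                                    /* type 1: destination unreachable */
    icmp[1] = 0;                                    /* code 0: no route to destination */
    memcpy(icmp + ICMPV6_HDR_LEN, in, quote);
    uint16_t csum = ipv6_upper_checksum(out + 8, out + 24, 58, icmp, payload_len);
    icmp[2] = (uint8_t)(csum >> 8);
    icmp[3] = (uint8_t)csum;
    return IPV6_HDR_LEN + payload_len;
}

/* Receiver-side verification: a correctly checksummed message sums to zero. */
int icmpv6_checksum_ok(const uint8_t *pkt, size_t len)
{
    if (len < IPV6_HDR_LEN + ICMPV6_HDR_LEN) {
        return 0;
    }
    size_t plen = ((size_t)pkt[4] << 8) | pkt[5];
    if (IPV6_HDR_LEN + plen > len) {
        return 0;
    }
    return ipv6_upper_checksum(pkt + 8, pkt + 24, pkt[6], pkt + IPV6_HDR_LEN, plen) == 0;
}

/* Demo on a constructed 52-byte UDP packet 2001:db8::1 -> 2001:db8::2, answered from
 * a constructed fe80::7 gateway. Returns the reply length (100) if all checks pass. */
size_t demo_block_ipv6(void)
{
    uint8_t orig[IPV6_HDR_LEN + 12] = {0};
    orig[0] = 0x60; orig[5] = 12; orig[6] = 17; orig[7] = 64;          /* UDP, 12-byte payload */
    orig[8] = 0x20; orig[9] = 0x01; orig[10] = 0x0d; orig[11] = 0xb8; orig[23] = 1;
    orig[24] = 0x20; orig[25] = 0x01; orig[26] = 0x0d; orig[27] = 0xb8; orig[39] = 2;
    const uint8_t gw[16] = { 0xfe, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 7 };
    uint8_t reply[IPV6_MIN_MTU];
    size_t n = build_icmpv6_no_route(orig, sizeof orig, gw, reply, sizeof reply);
    if (n == 0 || !icmpv6_checksum_ok(reply, n)) return 0;
    if (memcmp(reply + 24, orig + 8, 16) != 0) return 0;               /* back to the sender */
    if (memcmp(reply + IPV6_HDR_LEN + ICMPV6_HDR_LEN, orig, sizeof orig) != 0) return 0;
    return n;
}
```

The note in the commit about the server answering every IPv6 packet before route lookup is what the error-message guard protects against: without it, an inbound ICMPv6 error would itself be answered with another error.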
Steffan Karger [Wed, 24 Oct 2018 10:12:05 +0000 (12:12 +0200)]
Remove deprecated --compat-x509-names and --no-name-remapping
As promised, remove these options for OpenVPN 2.5.
If a user still uses these, print an error that the user should update its
configuration. Just printing a warning would cause much more confusing
errors, somewhere in the middle of a failed connection attempt because the
(non-compat) names no longer match the expected names.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1540375925-6111-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17804.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Wed, 31 Oct 2018 13:07:16 +0000 (14:07 +0100)]
tls-crypt-v2: fix client reconnect bug
As reported by tincantech on the openvpn-devel IRC channel, a tls-crypt-v2
client could be caused to trigger an assert in tls_crypt_wrap() because the
client key might not be correctly initialized after a reconnect attempt.
This was caused by code that was written before the connection-block
tls-auth/tls-crypt logic was integrated (57d6f103), rebased on that change,
but not sufficiently changed to be compatible with the new logic.
This commit fixes that bug.
Note that I also moved the violating hunk of code to the same function
where the tls-auth and tls-crypt (v1) keys are initialized. Once moved
there, it is immediately clear that v2 didn't follow the same (new) logic.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Tested-by: Richard Bonhomme <tincanteksup@gmail.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <1540991236-4016-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17866.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Wed, 31 Oct 2018 10:22:57 +0000 (11:22 +0100)]
tls-crypt-v2: clarify --tls-crypt-v2-genkey man page section
As kitsune1 mentioned in IRC, this section should explain that
"--tls-crypt-v2-genkey client" requires the user to supply the server
key using "--tls-crypt-v2".
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <1540981377-22752-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17865.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The exact type of time_t is platform dependent and therefore
can't be assumed to be uint64_t all the time.
For example, on 32bit platforms, where time_t is defined as long
(32bit), the compiler will generate the following warning, due
to the arithmetic used in the macro:
tls_crypt.c:745:29: warning: shift count >= width of type
[-Wshift-count-overflow]
Force time_t to be parsed as uint64_t.
Reported-by: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20181031160124.26972-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17868.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Thu, 25 Oct 2018 03:05:16 +0000 (23:05 -0400)]
Declare Windows version of openvpn_execve() before use
commit bf97c00f7dba441b504881f38e40afcbb610a39f moved
the generic openvpn_execve() to run_command.c and made it static.
But the Windows version is still in win32.c and is called from
run_command.c
Fix by declaring the function in win32.h
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1540436716-5725-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17825.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Mon, 22 Oct 2018 11:45:15 +0000 (13:45 +0200)]
tls-crypt-v2: add script hook to verify metadata
To allow rejecting incoming connections very early in the handshake,
add a --tls-crypt-v2-verify option that allows administrators to
run an external command to verify the metadata from the client key.
See doc/tls-crypt-v2.txt for more details.
Because of the extra dependencies, this requires adding a mock
parse_line() to the tls-crypt unit tests. Also, this turns tls_wrap_free
into a static inline function, so that we don't need to compile in ssl.c
(and all of its dependencies) with the unit tests.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <1540208715-14044-6-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17789.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
Steffan Karger [Mon, 22 Oct 2018 11:45:10 +0000 (13:45 +0200)]
tls-crypt-v2: add specification to doc/
This is a preliminary description of tls-crypt-v2. It should give a good
impression about the reasoning and design behind tls-crypt-v2, but might
need some polishing and updating.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <1540208715-14044-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17788.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
Arne Schwabe [Wed, 26 Sep 2018 12:01:59 +0000 (14:01 +0200)]
Add message explaining early TLS client hello failure
In my tests an OpenSSL 1.1.1 server does not accept TLS 1.0 only clients
anymore. Unfortunately, Debian 8 still has OpenVPN 2.3.4, which is
TLS 1.0 only without setting tls-version-min.
We currently log only
OpenSSL: error:14209102:SSL
routines:tls_early_post_process_client_hello:unsupported protocol
which indicates the right technical error but is not very helpful to a
person without deep knowledge in SSL/TLS and OpenVPN's TLS version
history.
This commit adds a hopefully helpful message and also tells users how
to fix the old Debian 8 clients. The error message will be displayed on
the server side only.
Note that connecting with an OpenSSL 1.1.1 client to a TLS 1.0 only
server works fine.
This behaviour is also not specific to OpenVPN. Using an openssl s_client
with the -tls1 option against an openssl s_server exhibits the same
behaviour.
Patch V2: fixed message grammar, use tls-version-min 1.0 and clarify
2.3.6 and older to be actually between 2.3.2 and 2.3.6
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20180926120159.19874-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17491.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
Lev Stipakov [Mon, 22 Oct 2018 10:19:31 +0000 (13:19 +0300)]
Introduce openvpn_swprintf() with nul termination guarantee
Every call to swprintf is followed by a line which adds a nul terminator. This
patch introduces openvpn_swprintf() which guarantees nul termination for size > 0.
Same approach as for snprintf / openvpn_snprintf.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <1540203571-17646-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17786.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
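The pattern the commit above describes (a wrapper that always terminates the buffer, so callers need no follow-up line and a truncated result can never be read past the buffer as a string) is shown here as an added example written for this page; it is not openvpn_swprintf() itself. `example_swprintf()`, `bounded_wcslen()` and the demo functions are hypothetical names, and the 8-wchar demo buffer and its inputs are constructed.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <wchar.h>

/* Format into buf like swprintf, but guarantee buf[size - 1] == L'\0' for any size > 0.
 * Returns true when the whole output fit, false on truncation (or when size == 0).
 * Modelled on the wrapper pattern the commit describes; not OpenVPN's code. */
bool example_swprintf(wchar_t *buf, size_t size, const wchar_t *fmt, ...)
{
    if (size == 0) {
        return false;           /* nothing can be written, so nothing can be terminated */
    }
    va_list ap;
    va_start(ap, fmt);
    int len = vswprintf(buf, size, fmt, ap);
    va_end(ap);
    /* C99 vswprintf returns a negative value on truncation and leaves the buffer
     * contents unspecified; MSVC's _vsnwprintf fills all size characters and writes
     * no terminator at all. Writing the terminator unconditionally covers both. */
    buf[size - 1] = L'\0';
    return len >= 0 && (size_t)len < size;
}

/* Length of the wide string in buf, never scanning past cap (cap acts as a fence). */
size_t bounded_wcslen(const wchar_t *buf, size_t cap)
{
    size_t n = 0;
    while (n < cap && buf[n] != L'\0') {
        n++;
    }
    return n;
}

enum { DEMO_CAP = 8 };          /* constructed: deliberately small destination buffer */

/* Format text into an 8-wchar buffer; true if it fit without truncation. */
bool demo_fits(const wchar_t *text)
{
    wchar_t buf[DEMO_CAP];
    return example_swprintf(buf, DEMO_CAP, L"%ls", text);
}

/* Same, but returns the resulting string length. Because the terminator is
 * guaranteed, the result is always below DEMO_CAP even when the text was cut. */
size_t demo_len(const wchar_t *text)
{
    wchar_t buf[DEMO_CAP];
    (void)example_swprintf(buf, DEMO_CAP, L"%ls", text);
    return bounded_wcslen(buf, DEMO_CAP);
}
```

The return value matters as much as the terminator: a caller that treats a truncated path or registry value as complete has a different bug, so check the boolean rather than only trusting the string.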
Arne Schwabe [Mon, 8 Oct 2018 21:41:23 +0000 (23:41 +0200)]
Refuse mbed TLS external key with non RSA certificates
The current API that we use (mbedtls_pk_setup_rsa_alt) only allows
using RSA keys with the external API. Using an EC, mbed TLS and external
key in OpenVPN will fail very late with a rather obscure error message.
Instead fail early and provide a clear message that only RSA keys are
supported.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20181008214123.10819-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17671.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
bufferlist_* functions have no documentation whatsoever and the name is
not always enough to fully understand what the function is doing.
For this reason and for the sake of having better documented code, add
function doc in buffer.h.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20181010083731.31132-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17701.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
Arne Schwabe [Thu, 11 Oct 2018 22:06:39 +0000 (00:06 +0200)]
Use right function to set TLS1.3 restrictions in show-tls
The last version of the patch used the TLS1.2 version
tls_ctx_restrict_ciphers to set the restrictions for both
TLS 1.3 and TLS1.2 instead of using tls_ctx_restrict_ciphers_tls13
for TLS1.3.
Also fix a minor style problem while I am touching the function.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181011220639.7316-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17755.html
Arne Schwabe [Wed, 10 Oct 2018 15:36:24 +0000 (17:36 +0200)]
Add better support for showing TLS 1.3 ciphersuites in --show-tls
--show-tls shows mixed TLS 1.3 and TLS 1.2 ciphers. The listed ciphers
are only valid in either --tls-cipher or --tls-ciphersuites, but it's
not clear which is which. This is confusing and not really helpful.
This patch modifies show-tls to show separate lists for TLS 1.2 and
TLS 1.3.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20181010153624.27957-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17723.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Thu, 11 Oct 2018 11:51:42 +0000 (14:51 +0300)]
options.c: fix broken unary minus usage
In Visual Studio when unary minus is applied to unsigned,
result is still unsigned. This means that when we use the result
as a function formal parameter, we pass an incorrect value.
Fix by introducing frame_remove_from_extra_frame(),
which makes code semantically more clear and eliminates
the need for a negative value and cast.
Since GCC didn't complain (and users too :), it probably performed
cast to signed automatically.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1539258702-15427-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17739.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Wed, 10 Oct 2018 06:44:43 +0000 (08:44 +0200)]
Fix mbedtls unit tests
Commit 674b166 ("Fix build warnings related to get_random()") broke the
unit tests for mbedtls, because <mbedtls/cipher.h> was now included via
platform.c -> crypto.h -> crypto_backend.h, but the crypto cflags were
not included for that unit tests.
Since we got rid of --disable-crypto, we can now fix this by simply always
including the CRYPTO_CFLAGS in the TEST_CFLAGS (and the CRYPTO_LIBS in the
TEST_LDFLAGS). This should not only fix this occurrence, but also prevent
similar problems in the future.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1539153883-15789-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17687.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Thu, 11 Oct 2018 07:20:00 +0000 (09:20 +0200)]
mbedtls: don't print unsupported ciphers in insecure cipher list
Commit 447997dd refactored the --show-ciphers code, but introduced a bug
in mbedtls builds where non-AEAD/CBC ciphers were printed too. Those are
however unsupported (as openvpn will tell you when you try to use them).
This fixes that bug.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1539242400-27614-1-git-send-email-steffan.karger@fox-it.com>
URL: https://sourceforge.net/p/openvpn/mailman/message/36438012/ Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Tue, 9 Oct 2018 20:43:15 +0000 (22:43 +0200)]
List ChaCha20-Poly1305 as stream cipher
As Antonio pointed out, "8-bit block cipher" is a bit funny. So teach
print_cipher() to print such ciphers as "stream cipher".
Because I didn't want to write the same code twice, I decided to merge the
two print_cipher() implementations into one shared function. That should
make it easier to keep both backends consistent.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20181009204315.8262-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17682.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sun, 7 Oct 2018 21:55:39 +0000 (23:55 +0200)]
Add support for tls-ciphersuites for TLS 1.3
OpenSSL 1.1.1 introduces a separate list for TLS 1.3 ciphers. As these
interfaces are meant to be user facing or not exposed at all, and we
expose the tls-cipher interface, we should also expose tls-cipherlist.
Combining both settings into tls-cipher would add a lot of glue logic
that needs to be maintained and is error prone. On top of that, users
should not set either setting unless absolutely required.
OpenSSL's own s_client/s_server also expose both settings and I believe
most other software will too:
-cipher val Specify TLSv1.2 and below cipher list to be used
-ciphersuites val Specify TLSv1.3 ciphersuites to be used
For mbed TLS only the future can tell if we will see a combined or also
two separate lists. Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20181007215539.32761-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17626.html
Arne Schwabe [Mon, 8 Oct 2018 18:16:16 +0000 (20:16 +0200)]
Remove AUTO_USERID feature
There is no user-facing way to enable this feature, and the way that feature
works (username built from the MAC of the primary net device) is questionable.
It also does not compile anymore. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181008181618.8976-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17664.html
build: Fix another compile warning in console_systemd.c
console_systemd.c: In function ‘get_console_input_systemd’:
console_systemd.c:75:5: warning: implicit declaration of function
‘openvpn_popen’ [-Wimplicit-function-declaration]
if ((std_out = openvpn_popen(&argv, NULL)) < 0)
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181008180017.31413-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17660.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
platform.c: In function ‘platform_create_temp_file’:
platform.c:355:31: warning: implicit declaration of function
‘get_random’ [-Wimplicit-function-declaration]
prefix, (unsigned long) get_random(),
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181008165648.27504-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17652.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Samy Mahmoudi [Sun, 7 Oct 2018 22:35:47 +0000 (00:35 +0200)]
man: correct a --redirect-gateway option flag
Replace "servers" with "peers" in the description
of the --redirect-gateway option flag local. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181007223544.GA2246@t520.my.lan>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17630.html
Simon Rozman [Mon, 8 Oct 2018 09:45:59 +0000 (11:45 +0200)]
msvc: Unify Unicode/MultiByte string setting across all cfg|plat
The openvpnserv.vcxproj source code is Windows API Unicode compliant
with only Debug|x64 set to Unicode, while other cfg|plat pairs were set
to MultiByte. Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20181008094600.10164-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17633.html
Steffan Karger [Sun, 7 Oct 2018 22:30:34 +0000 (00:30 +0200)]
Add support for CHACHA20-POLY1305 in the data channel
We explicitly only supported GCM as a valid AEAD mode, change that to also
allow ChaCha20-Poly1305 as an AEAD cipher. That works nicely with our new
(GCM) data channel format, because it has the same 96-bit IV.
Note that we need some tricks to not treat the cipher as insecure, because
we used to only look at the block size of a cipher to determine if we find a
cipher insecure. But ChaCha20-Poly1305 is a stream cipher, which essentially
has a 'block size' of 1 byte and is reported as such. So, special-case this
cipher to be in the list of secure ciphers.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20181007223035.21179-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17629.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Simon Rozman [Mon, 8 Oct 2018 09:46:00 +0000 (11:46 +0200)]
msvc: Move common project settings to reusable property sheets
The Visual Studio 2017 project files were refactored by migrating all
repeating common settings into three property sheets: Debug.props,
Release.props and the existing PropertySheet.props.
This simplifies configuration management while providing uniformity
across projects, configurations and platforms. Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20181008094600.10164-2-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17634.html
Simon Rozman [Mon, 8 Oct 2018 10:03:23 +0000 (12:03 +0200)]
Reference msvc-generate from compat to assure correct build order
Single-process builds start building the compat project first and fail,
since the referenced config-msvc-version.h is not available yet.
Multi-process rebuilds also tend to fail if the compat project is built
faster than msvc-generate is able to produce the required output files.
Adding a reference to msvc-generate project assures correct build order. Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20181008100323.11308-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17635.html
Steffan Karger [Sun, 7 Oct 2018 17:52:15 +0000 (19:52 +0200)]
Don't print OCC warnings about 'key-method', 'keydir' and 'tls-auth'
Like 'proto', a mismatch in key-method, keydir or tls-auth would fail
before we ever get to the point where we can print this warning.
This prepares for removing these from the occ string later on, but also
prepares for tls-crypt-v2, which allows a server to support tls-auth and
tls-crypt-v2 connections in parallel. Such a server will send 'keydir'
and 'tls-auth' in the occ string. This change removes the spurious
warnings about that in the client log.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181007175215.25009-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17618.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Fri, 5 Oct 2018 15:00:32 +0000 (17:00 +0200)]
Simplify --genkey option syntax
Instead of requiring users to do "--genkey --secret new.key", allow
them to just do "--genkey new.key". This has hit me often enough that I
decided to write a patch for it. Also, the upcoming tls-crypt-v2-genkey
uses a similar syntax and Antonio suggested we should make them consistent.
The documentation is updated to no longer mention the old syntax, but it is
still supported so people who are used to the old syntax can still use it.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20181005150032.16541-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17574.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Wed, 3 Oct 2018 17:21:21 +0000 (20:21 +0300)]
openvpnserv: clarify return values type
Functions openvpn_vsntprintf and openvpn_sntprintf return
values of type int, but in reality it is always 0 or 1 (and -1 for
snrptinf), which can be represented as boolean.
To make code clearer, change return type to BOOL. Also
use stdbool.h header instead of bool definition macros in automatic.c.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <1538587281-3209-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17532.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Sun, 7 Oct 2018 10:00:32 +0000 (12:00 +0200)]
Fix use-after-free in tls_ctx_use_management_external_key
Commit 98bfeeb4 changed our openssl backend implementation of
tls_ctx_use_management_external_key() to no longer use
tls_ctx_load_cert_file_and_copy(), but still freed 'cert', which it no
longer should do. Credits go to Arne for spotting the issue (even though
it was missed during the review).
The offending commit was only recently applied to the master branch, so was
never part of an OpenVPN release. For that reason I did not do a full impact
analysis.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20181007100032.17060-1-steffan@karger.me>
URL: https://www.mail-archive.com/search?l=mid&q=20181007100032.17060-1-steffan@karger.me Signed-off-by: Gert Doering <gert@greenie.muc.de>
Simon Rozman [Fri, 13 Apr 2018 12:47:56 +0000 (14:47 +0200)]
Signed/unsigned warnings of MSVC resolved
This patch fixes the signed/unsigned comparison warnings discovered when
compiling openvpnserv using MSVC.
Wherever possible, it changes iterator and/or size variables to a more
appropriate type, or uses type-casting when it is safe to do so. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20180413124756.5756-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16756.html
ensure function declarations are compiled with their definitions
Function prototypes should be included when compiling their
definitions so that it is clear to compilers and static
analyzers that they are not static.
This means that several declarations have to be moved to the
related header files which in turn have to be included by the
source files implementing them.
Generally speaking this also improves the coding style and
makes this code more consistent with the rest that already
follows this rule.
Cc: Steffan Karger <steffan@karger.me> Signed-off-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20171111161836.23356-3-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15820.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Tue, 2 Oct 2018 20:01:13 +0000 (16:01 -0400)]
Enable dhcp on tap adapter using interactive service
Currently, if dhcp on the TAP interface is disabled, OpenVPN
on Windows tries to enable it using netsh but that succeeds only when
run with admin privileges.
When interactive service is available, delegate this task to the
service.
Trac: #1111
Tested on Windows 7
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Lev Stipakov <lstipakov@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1538510474-27602-2-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17517.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 5 Oct 2018 12:23:30 +0000 (14:23 +0200)]
Add OpenSSL compat definition for RSA_meth_set_sign
Commit 6b495dc4c5cfc118091ddc9c19330b3c9e3e3dff introduced
RSA_meth_set_sign, which is OpenSSL 1.1.0 and newer. Add a compatibility
definition. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181005122330.31431-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20181005122330.31431-1-arne@rfc2549.org
Pass the hash without the DigestInfo header to NCryptSignHash()
In the case of TLS 1.2 signatures, the callback rsa_priv_enc() gets
the hash with the DigestInfo prepended. Signing this using
NCryptSignHash() with the hash algorithm id set to NULL works in most cases.
But when using some hardware tokens, the data gets interpreted as the
pre-TLS 1.2 MD5+SHA1 hash and is silently truncated to 36 bytes.
Avoid this by passing the raw hash to NCryptSignHash() and letting it
add the DigestInfo.
To get the raw hash we set the RSA_sign() method in the rsa_method
structure. This callback bypasses rsa_priv_enc() and gets called with
the hash type and the hash.
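To make the two data shapes in this commit concrete, here is an added example (written for this page, not OpenVPN's or OpenSSL's code) of the PKCS#1 v1.5 DigestInfo encoding that rsa_priv_enc() receives for a TLS 1.2 signature, alongside the raw hash that the RSA_sign() method receives. The DER prefixes are the ones listed in RFC 8017 section 9.2; the hash names, function names and the sample digests are this example's own constructions. `digestinfo_encode()` builds prefix||hash, `digestinfo_strip()` recognises such a blob and returns the raw hash, and a 36-byte buffer with no prefix (the pre-TLS 1.2 MD5+SHA1 shape) is deliberately left unmatched:

```c
/* Added example, not OpenVPN's code. Prefixes from RFC 8017, section 9.2. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static const unsigned char PFX_SHA1[] = {
    0x30,0x21,0x30,0x09,0x06,0x05,0x2b,0x0e,0x03,0x02,0x1a,0x05,0x00,0x04,0x14 };
static const unsigned char PFX_SHA256[] = {
    0x30,0x31,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,
    0x05,0x00,0x04,0x20 };
static const unsigned char PFX_SHA384[] = {
    0x30,0x41,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x02,
    0x05,0x00,0x04,0x30 };
static const unsigned char PFX_SHA512[] = {
    0x30,0x51,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,
    0x05,0x00,0x04,0x40 };

struct digestinfo_prefix {
    const char *name;             /* hash name used by this example only */
    size_t hash_len;              /* raw digest length in bytes */
    const unsigned char *prefix;  /* DER bytes preceding the digest */
    size_t prefix_len;
};

static const struct digestinfo_prefix PREFIXES[] = {
    { "sha1",   20, PFX_SHA1,   sizeof PFX_SHA1   },
    { "sha256", 32, PFX_SHA256, sizeof PFX_SHA256 },
    { "sha384", 48, PFX_SHA384, sizeof PFX_SHA384 },
    { "sha512", 64, PFX_SHA512, sizeof PFX_SHA512 },
};
#define N_PREFIXES (sizeof PREFIXES / sizeof PREFIXES[0])

static const struct digestinfo_prefix *find_prefix(const char *name)
{
    for (size_t i = 0; i < N_PREFIXES; i++)
        if (strcmp(PREFIXES[i].name, name) == 0)
            return &PREFIXES[i];
    return NULL;
}

/* Total length of DigestInfo(hash) for the named hash, 0 if unknown. */
size_t digestinfo_len(const char *name)
{
    const struct digestinfo_prefix *p = find_prefix(name);
    return p ? p->prefix_len + p->hash_len : 0;
}

/* Build prefix||hash, the blob RSA_sign() hands to rsa_priv_enc(). Returns
 * bytes written, or 0 on unknown name, wrong hash length or small buffer. */
size_t digestinfo_encode(const char *name, const unsigned char *hash, size_t hash_len,
                         unsigned char *out, size_t out_cap)
{
    const struct digestinfo_prefix *p = find_prefix(name);
    if (!p || hash_len != p->hash_len || out_cap < p->prefix_len + hash_len)
        return 0;
    memcpy(out, p->prefix, p->prefix_len);
    memcpy(out + p->prefix_len, hash, hash_len);
    return p->prefix_len + hash_len;
}

/* Recognise a DigestInfo-prefixed blob: on success point *hash at the raw
 * digest and return the hash name. Returns NULL when nothing matches, which
 * is what a bare 36-byte MD5+SHA1 concatenation (no DigestInfo) produces. */
const char *digestinfo_strip(const unsigned char *in, size_t in_len,
                             const unsigned char **hash, size_t *hash_len)
{
    for (size_t i = 0; i < N_PREFIXES; i++) {
        const struct digestinfo_prefix *p = &PREFIXES[i];
        if (in_len == p->prefix_len + p->hash_len &&
            memcmp(in, p->prefix, p->prefix_len) == 0) {
            *hash = in + p->prefix_len;
            *hash_len = p->hash_len;
            return p->name;
        }
    }
    return NULL;
}

/* Self-check: encode a constructed digest (bytes 0,1,2,...) for `name`, strip
 * it again and confirm the raw hash comes back unchanged. Returns 1 on success. */
int digestinfo_roundtrip_ok(const char *name)
{
    const struct digestinfo_prefix *p = find_prefix(name);
    unsigned char digest[64], blob[128];
    const unsigned char *raw;
    size_t raw_len, n;
    if (!p)
        return 0;
    for (size_t i = 0; i < p->hash_len; i++)
        digest[i] = (unsigned char)i;              /* constructed sample digest */
    n = digestinfo_encode(name, digest, p->hash_len, blob, sizeof blob);
    const char *got = digestinfo_strip(blob, n, &raw, &raw_len);
    return n != 0 && got && strcmp(got, name) == 0 &&
           raw_len == p->hash_len && memcmp(raw, digest, p->hash_len) == 0;
}

/* A 36-byte buffer without a DER prefix (pre-TLS 1.2 MD5+SHA1 shape) must not
 * be mistaken for a DigestInfo blob. Returns 1 if it is left unmatched. */
int digestinfo_raw36_is_unmatched(void)
{
    unsigned char md5sha1[36];
    const unsigned char *raw;
    size_t raw_len;
    memset(md5sha1, 0xab, sizeof md5sha1);         /* constructed sample */
    return digestinfo_strip(md5sha1, sizeof md5sha1, &raw, &raw_len) == NULL;
}

int main(void)
{
    printf("sha256 DigestInfo length: %zu bytes\n", digestinfo_len("sha256"));
    printf("sha256 round trip: %s\n", digestinfo_roundtrip_ok("sha256") ? "ok" : "FAIL");
    printf("raw 36-byte buffer unmatched: %s\n",
           digestinfo_raw36_is_unmatched() ? "ok" : "FAIL");
    return 0;
}
```

The length check in `digestinfo_strip()` is what separates the two cases the commit describes: a SHA-256 DigestInfo is 51 bytes and carries its own DER header, whereas the MD5+SHA1 value of older TLS is a bare 36-byte concatenation. A signing backend that only receives the encoded blob has to recognise the header itself; handing the raw hash plus its algorithm to the signing API, as the commit does, sidesteps that guesswork entirely.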
Lev Stipakov [Thu, 20 Sep 2018 13:12:34 +0000 (16:12 +0300)]
Refactor NCP-negotiable options handling
NCP negotiation can alter options. On reconnect the
client sends possibly altered options while the server
expects the original values. This leads to warnings
in the log and, if the server uses --opt-verify, breaks
reconnect.
Fix by decoupling setting/unsetting NCP options from
the state of the TLS context. At startup (and once per sighup)
we load the original values into c->c1, which persists over
sigusr1 (restart). When tearing the tunnel down we restore
(possibly altered) options back to the original values.
Trac: #1105
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1537449154-26879-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17477.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Fri, 28 Sep 2018 13:26:49 +0000 (16:26 +0300)]
win: support for Visual Studio 2017
This patch enables building openvpn with Visual Studio 2017.
It is advised to use openvpn-build/msvs/build.bat which
also downloads and builds the required dependencies.
Changes made:
- updated path to Visual Studio toolchain
- updated platform toolset
- added missing libraries
- added x64 configurations
- enabled AEAD ciphers to make NCP work
- enabled unicode support
- updated source files in project settings
- fix includes
- restored variable which was erroneously removed
- added properties file which sets required env variables
(required to build with IDE)
- etc
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Simon Rozman <simon@rozman.si>
Message-Id: <1538141209-32330-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17499.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commit 98bfeeb4 introduced a memory leak in SSL_CTX_use_certificate by
removing the "if(x509) { ... }" bit while not changing the
"else if(x) {}" right after to an "if(x) {}".
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20180926192706.29460-1-steffan@karger.me> Signed-off-by: Gert Doering <gert@greenie.muc.de>
mbedtls: remove dependency on mbedtls pkcs11 module
Instead of using mbedtls's pkcs11 module, reuse the code we already have
for management-external-key to also do pkcs11 signatures. As far as mbed
is concerned, we simply provide an external signature.
This has the following advantages:
* We no longer need mbed TLS to be compiled with the pkcs11 modules
enabled (which is not enabled by default). This makes it easier to use
a system/distribution-provided mbed shared library.
* We no longer have a dependency on pkcs11-helper through mbed TLS. So if
we want to migrate to some other pkcs11 lib (see e.g. trac #491, #538
and #549 for reason why), this will be easier.
While touching this code, switch from M_FATAL to M_WARN and proper error
handling. This improves the error reporting, and helps prevent potential
future DoS attacks if someone starts using these functions on peer input.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1536916459-25900-3-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17463.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Do not load certificate from tls_ctx_use_external_private_key()
The cert and key loading logic surrounding management-external-key and
management-external-cert was somewhat intertwined. Untangle these to
prepare for making the external key code more reusable.
The best part is that this even reduces the number of lines of code.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1536916459-25900-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17464.html Signed-off-by: Gert Doering <gert@greenie.muc.de>