Samuli Seppänen [Mon, 3 Oct 2016 10:51:27 +0000 (13:51 +0300)]
Automatically cache expected IPs for t_client.sh on the first run
Previously one had to manually define correct values for the
EXPECT_IFCONFIG* variables based on what IPv4 and IPv6 addresses
the test VPN server handed out.
This was a tedious process, especially with a large number of tests,
as the IPs changed for every test client and for every test. With this
patch t_client.sh figures out the correct IP addresses using an
--up script and caches them to a separate file for later use.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1475491887-740-1-git-send-email-samuli@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12587.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Make sure options->ciphername and options->authname are always defined
The NCP code does a strcmp(options->ciphername, ...) without first checking
whether options->ciphername is NULL. This could cause a crash when using
"--cipher none". This patch fixes that problem by ensuring that
options->ciphername (and options->authname) are never NULL. Ensuring that
options->ciphername is never null prevents us from having to write null
checks everywhere.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1475055231-1778-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12576.html
enable "--disable-crypto" build configuration for travis
Previously, 'make test' failed for --disable-crypto builds. Since
that is now fixed, we should no longer accept --disable-crypto builds
to fail 'make test' on travis.
Arne Schwabe [Thu, 14 Jul 2016 11:25:19 +0000 (13:25 +0200)]
Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer
Debian also incorrectly changes that the default for route parameters can
be specified by using "nil" instead of "default". The confusion is probably
coming from show_opt printing "nil" instead of "default". Change show_opt
to show "default (not set)" instead of "nil".
Original author: Alberto Gonzalez Iniesta <agi@inittab.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1468495519-25102-1-git-send-email-arne@rfc2549.org>
URL: http://www.mail-archive.com/search?l=mid&q=1468495519-25102-1-git-send-email-arne@rfc2549.org
Lev Stipakov [Sun, 18 Sep 2016 06:51:36 +0000 (09:51 +0300)]
Support for disabled peer-id
v5:
* Few more nitpicks
v4:
* replace magic number with define
* show user a decimal value instead of hex
v3:
* move assert outside of loop
* add max-clients value check to options
v2:
* Add round brackets for clarity
* Rephrase comment
Support for disabled peer-id
When the peer-id value is 0xFFFFFF, the server should ignore it and treat the packet
in the same way as P_DATA_V1.
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1474181496-24846-1-git-send-email-lstipakov@gmail.com>
URL: http://www.mail-archive.com/search?l=mid&q=1474181496-24846-1-git-send-email-lstipakov@gmail.com
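An added example (not part of this commit or of OpenVPN's own code) of the sentinel handling the message describes: parse the data-channel header, treat a peer-id of 0xFFFFFF as "no peer-id" so the packet takes the P_DATA_V1 path, and bounds-check a real peer-id against the configured client limit before it is used as a table index (the message's v3 note mentions a max-clients check). The opcode values, the one-byte opcode/key-id plus three-byte peer-id layout, the sample packets and all helper names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed opcode values and header layout (not stated in the commit message). */
#define P_DATA_V1        6
#define P_DATA_V2        9
#define P_OPCODE_SHIFT   3
#define P_KEY_ID_MASK    0x07
#define PEER_ID_UNDEF    0xFFFFFFu   /* "disabled" peer-id sentinel from the commit message */

/* Results of classify_packet() */
#define PKT_NO_PEER_ID            (-1)  /* handle on the P_DATA_V1 path */
#define PKT_MALFORMED             (-2)  /* too short, or not a data packet */
#define PKT_PEER_ID_OUT_OF_RANGE  (-3)  /* peer-id does not fit the client table: drop */

struct data_hdr {
    int      opcode;
    int      key_id;
    int      has_peer_id;   /* 0: no usable peer-id in this packet */
    uint32_t peer_id;       /* valid only when has_peer_id != 0 */
    size_t   hdr_len;       /* bytes preceding the encrypted payload */
};

/* Parse the leading bytes of a data-channel packet.
 * Returns 0 on success, -1 if the packet is short or not a data packet. */
int parse_data_header(const uint8_t *pkt, size_t len, struct data_hdr *out)
{
    if (len < 1) return -1;
    out->opcode = pkt[0] >> P_OPCODE_SHIFT;
    out->key_id = pkt[0] & P_KEY_ID_MASK;
    out->has_peer_id = 0;
    out->peer_id = PEER_ID_UNDEF;

    if (out->opcode == P_DATA_V1) {
        out->hdr_len = 1;
        return 0;
    }
    if (out->opcode == P_DATA_V2) {
        if (len < 4) return -1;          /* opcode byte + 3-byte peer-id */
        uint32_t pid = ((uint32_t)pkt[1] << 16) | ((uint32_t)pkt[2] << 8) | pkt[3];
        out->hdr_len = 4;
        if (pid != PEER_ID_UNDEF) {      /* 0xFFFFFF: ignore it, behave as P_DATA_V1 */
            out->has_peer_id = 1;
            out->peer_id = pid;
        }
        return 0;
    }
    return -1;                           /* control/ack packet, not handled here */
}

/* Map a packet to a client-table index. A peer-id is attacker-controlled
 * input, so it is range-checked against max_clients before it indexes anything. */
int classify_packet(const uint8_t *pkt, size_t len, unsigned max_clients)
{
    struct data_hdr h;
    if (parse_data_header(pkt, len, &h) != 0) return PKT_MALFORMED;
    if (!h.has_peer_id) return PKT_NO_PEER_ID;
    if (h.peer_id >= max_clients) return PKT_PEER_ID_OUT_OF_RANGE;
    return (int)h.peer_id;
}

/* Constructed sample packets (header bytes only). */
const uint8_t sample_v2_peer42[]  = { 0x48, 0x00, 0x00, 0x2A };  /* P_DATA_V2, key 0, peer-id 42 */
const uint8_t sample_v2_disabled[] = { 0x49, 0xFF, 0xFF, 0xFF }; /* P_DATA_V2, key 1, peer-id disabled */
const uint8_t sample_v1[]          = { 0x30 };                   /* P_DATA_V1, key 0 */
const uint8_t sample_short[]       = { 0x48, 0x00 };             /* truncated P_DATA_V2 */
const uint8_t sample_control[]     = { 0x20 };                   /* opcode 4: not a data packet */

int main(void)
{
    /* Peer-ids are printed in decimal, as the v4 note of the message asks for. */
    printf("peer42    -> %d\n", classify_packet(sample_v2_peer42, 4, 100));
    printf("peer42/10 -> %d\n", classify_packet(sample_v2_peer42, 4, 10));
    printf("disabled  -> %d\n", classify_packet(sample_v2_disabled, 4, 100));
    printf("v1        -> %d\n", classify_packet(sample_v1, 1, 100));
    printf("short     -> %d\n", classify_packet(sample_short, 2, 100));
    printf("control   -> %d\n", classify_packet(sample_control, 1, 100));
    return 0;
}
```

The point of the range check is that a peer-id is three untrusted bytes from the wire; the disabled sentinel is only one special value, and every other value still has to be validated against the table size before use.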
Steffan Karger [Thu, 5 May 2016 20:14:07 +0000 (22:14 +0200)]
Add SHA256 fingerprint support
Add SHA256 fingerprint support for both the normal exported fingerprints
(tls_digest_n -> tls_digest_sha256_n), as well as for --x509-track.
Also switch to using the SHA256 fingerprint instead of the SHA1 fingerprint
internally, in cert_hash_remember() / cert_hash_compare(). And instead of
updating an #if 0'd code block that has been disabled since 2009, just
remove that.
This should take care of trac #675.
v2: update openvpn.8 accordingly
[ DS: This commit squashes in the clean-up cert_hash_remember scoping patch,
as it is highly related and tied to this primary patch ]
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: 1462479247-21854-1-git-send-email-steffan@karger.me
Message-Id: 1474055635-7427-1-git-send-email-steffan@karger.me
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg11859.html
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12464.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
Arne Schwabe [Sat, 17 Sep 2016 11:16:46 +0000 (13:16 +0200)]
Fix ENABLE_CRYPTO_OPENSSL set to YES even with --disable-crypto set
On OS X openssl/x509.h is not in the standard include path and the
files still try to include it since the includes only depend on
ENABLE_CRYPTO_OPENSSL.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1474111006-16401-1-git-send-email-arne@rfc2549.org>
URL: http://www.mail-archive.com/search?l=mid&q=1474111006-16401-1-git-send-email-arne@rfc2549.org
David Sommerseth [Sat, 17 Sep 2016 11:18:05 +0000 (14:18 +0300)]
t_client.sh: Improve detection if the OpenVPN process did start during tests
This will check the OpenVPN log file if the process initialized
successfully.
It will check the log file for 30 seconds before aborting the test run.
This also has the advantage of starting the testing quicker if the
initialization goes faster than 10 seconds (which was the old sleep time).
The umask is also set to a more permissive mode to ensure the test
script is capable of reading the OpenVPN PID file, as that will be
created by root.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1474111085-10678-1-git-send-email-davids@openvpn.net>
URL: http://www.mail-archive.com/search?l=mid&q=1474111085-10678-1-git-send-email-davids@openvpn.net
Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Sat, 17 Sep 2016 10:50:33 +0000 (13:50 +0300)]
t_client.sh: Add support for Kerberos/ksu
If the t_client.rc has PREFER_KSU=1 configured, t_client.sh
will check if you have a valid Kerberos ticket and if so it will
do all execution via ksu instead of sudo.
If PREFER_KSU is not set or a Kerberos ticket is not found, it
will fallback to the configured RUN_SUDO approach.
When using ksu it needs the full path to the program being executed,
so there is also additional code to find the full path of true and kill.
[ v2 - Remove $* from RUN_SUDO for ksu config. Old cruft which survived
last review before patch submission.
- Improve known state declaration of PREFER_KSU ]
[ v3 - Kick out bashism - '&>' redirect ]
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1474109433-4710-1-git-send-email-davids@openvpn.net>
URL: http://www.mail-archive.com/search?l=mid&q=1474109433-4710-1-git-send-email-davids@openvpn.net
Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Sat, 17 Sep 2016 09:20:26 +0000 (12:20 +0300)]
t_client.sh: Make OpenVPN write PID file to avoid various sudo issues
This resolves an issue where $! returns the PID of the sudo process instead
of the PID of OpenVPN and where sudo does not properly propagate signals
down to OpenVPN.
Trac: #738
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1474104026-20615-1-git-send-email-davids@openvpn.net>
URL: http://www.mail-archive.com/search?l=mid&q=1474104026-20615-1-git-send-email-davids@openvpn.net
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Tue, 13 Sep 2016 20:04:58 +0000 (22:04 +0200)]
Do not abort t_client run if OpenVPN instance does not start.
Basically, an oversight - if one test instance does not start at all
(due to "tap driver not loaded") the whole script would exit, instead
of logging the failing instance and proceeding to the next test run.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: 20160913200458.9906-1-gert@greenie.muc.de
URL: http://www.mail-archive.com/search?l=mid&q=20160913200458.9906-1-gert@greenie.muc.de
Signed-off-by: David Sommerseth <davids@openvpn.net>
Previously, we would use the compiler's default C version, which defaults
to gnu89 for GCC < 5, gnu11 for GCC > 5, and c11 for clang, but might even
differ per distro.
One of the reasons to accept the gnu89 default of GCC < 4.9, was that MSVC
didn't support c99. But in MSVC 2015, MS finally fixed that.
Having to support c89 in the codebase occasionally forces us to write less
readable code, for example by forcing all declarations to be at the start
of a block (which includes 'for loop initial declarations').
Let's be clear about what standard we obey, and stop punishing ourselves
with c89/gnu89. Let's switch the master branch to c99.
v2: don't try to detect pedantic mode based on __STRICT_ANSI__, since that
will be defined when using -std=c99.
v3: only set -std=c99 if there is no -std= already present in CFLAGS
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: 1472760870-11769-1-git-send-email-steffan@karger.me
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg00194.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
David Sommerseth [Thu, 25 Aug 2016 20:42:03 +0000 (22:42 +0200)]
Fix client connection instant timeout
Commit b3e975824ea9ebae8dbea5b451c8d02525c83ffe moved the finalizing of
TCP/UDP sockets before the UID/GID were dropped. But this did not
factor in that the timeout code had been revamped [1] in the mean time.
This ensures the timeout initialization is done before the socket
finalizing has been completed.
Gert Doering [Mon, 22 Aug 2016 20:24:47 +0000 (22:24 +0200)]
Fix problems with NCP and --inetd.
NCP only works with --pull or --mode server, leading to breakage
in --inetd mode (because that has --tls-server, but not --mode server,
but clients can still ask for PUSH_REQUEST).
Fix by turning off o->ncp_enable unless (pull or mode server), and
double-fix by logging an appropriate message and refusing to change
ciphers if the server has already set up its keys.
v2: wrap long msg() text lines
Trac: 715
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: 1471897487-8354-1-git-send-email-gert@greenie.muc.de
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg00060.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
Lev Stipakov [Mon, 4 Jan 2016 12:43:44 +0000 (14:43 +0200)]
Drop recursively routed packets
v2: better method naming
On certain OSes (Windows, OS X) when network adapter is
disabled (ethernet cable pulled off, Wi-Fi hardware switch disabled),
operating system starts to use tun as an external interface.
Outgoing packets are routed to tun, UDP encapsulated, given to
routing table and sent to.. tun.
As a consequence, system starts talking to itself on full power,
traffic counters skyrocket and user is not happy.
To prevent that, drop packets which have gateway IP as
destination address.
Tested on Win7/10, OS X.
Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
Trac: 642
Tested-by: ValdikSS <iam@valdikss.org.ru>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1451911424-12970-1-git-send-email-lstipakov@gmail.com>
URL: https://sourceforge.net/p/openvpn/mailman/message/34737757/
Signed-off-by: David Sommerseth <davids@openvpn.net>
Steffan Karger [Tue, 16 Aug 2016 14:45:42 +0000 (16:45 +0200)]
Discourage using 64-bit block ciphers
As discussed with the development team, we should start moving away from
ciphers with a small block size. For OpenVPN in particular this means
moving away from 64-bit block ciphers, towards 128-bit block ciphers.
This patch makes a start with that by moving ciphers with a block
size < 128 bits to the bottom of the --show-ciphers output, and printing
a warning in the connection phase if such a cipher is used.
While touching this function, improve the output of --show-ciphers by
ordering the output alphabetically, and changing the output format
slightly.
[DS: Fixed C89 issues in patch, moving 'int nid' and 'size_t i' declaration
to beginning of function instead of in the for-loops. This is also
required to not break building on stricter compiler setups where C99
must be enabled explicitly ]
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1471358742-8773-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg00029.html
CVE: 2016-6329
Signed-off-by: David Sommerseth <davids@openvpn.net>
Selva Nair [Thu, 11 Aug 2016 22:58:29 +0000 (18:58 -0400)]
Avoid format specifier %zu for Windows compatibility
- Replace %zu by %u and cast the size_t variable to (unsigned int). The
cast should be safe as in all instances the number involved is small.
Note: mingw64 targets the msvcrt.dll runtime that doesn't support %zu and
prints "zu" instead of the number. With -Wformat the compiler
does warn that z is an unknown conversion type.
v2: Cast to (unsigned int) instead of (int).
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1470956309-31268-1-git-send-email-selva.nair@gmail.com>
URL: https://sourceforge.net/p/openvpn/mailman/message/35274787/
Signed-off-by: David Sommerseth <davids@openvpn.net>
As reported in trac #699, OpenVPN crashes when an "--cipher none" option
is followed by "--cipher" (without arguments). Fix this by removing the
redundant ciphername_defined and authname_defined members of struct options,
and remove support to specify --cipher or --auth without an argument. That
not only fixes the issue, but also cleans up the code a bit.
v2: don't print a deprecating warning (we'll do that in the 2.3 branch),
but just rip out support for --cipher and --auth without an argument.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1469541338-1530-1-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/12106
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Allow ncp-disable and ncp-ciphers to be specified in ccd files
This allows the ncp-disable and ncp-ciphers options to be used in 'client
config dir' files, to disable or change the negotiable crypto parameter
settings for specific clients.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1469472766-25131-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/12096
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Tue, 28 Jun 2016 21:36:11 +0000 (23:36 +0200)]
Add server-side support for cipher negotiation
Pushes AES-256-GCM when a connecting client advertises IV_NCP=2, and
supports serving connections to clients with different data channel
cipher configuration simultaneously.
v2:
* Update manpage
* Add Changes.rst entry
v3:
* Do not regenerate keys if the client sends a second pull request
* Don't postpone key generation if client has no IV_NCP support
v4:
* rebase on client-side NCP v4
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1467149771-10374-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/12009
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Tue, 28 Jun 2016 21:33:55 +0000 (23:33 +0200)]
Add client-side support for cipher negotiation
Based on the 'IV_NCP=2' mechanism described in
http://permalink.gmane.org/gmane.network.openvpn.devel/9385.
This is the first patch of a set that adds support for cipher negotiation.
Follow-up patches will add ways to restrict or disable the mechanism, and
add server-side support.
v2:
* Account for crypto overhead through struct frame. This is less
transparent, but the code has been built to work this way. The
previous approach didn't work with TCP mode (or --port-share).
* Calculate the link-mtu sent in the options string based on the crypto
parameters specified in the config file (prevents link-mtu warnings in
older peers when connecting).
v3:
* Use existing max_int() function, instead of new MAX() macro.
* Fix typo in comment.
* Do not regenerate keys if the server sends a second push msg
* Only push IV_NCP if we're pull-client (and thus can do NCP)
v4:
* Fix rebase errors (OPT_P_NCP sneaked in, but is not introduced till 4/5,
and tls_peer_info_ncp_ver() is not needed until 5/5).
* Don't remove comment about key_id increment behaviour in init.c (but
still add the extra comments in the .h files).
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1467149635-9726-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/12007
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Tue, 14 Jun 2016 02:34:49 +0000 (22:34 -0400)]
Promptly close the netcmd_semaphore handle after use
If more than one openvpn process is running and one aborts
without releasing the semaphore, subsequent processes fail to get
a lock for the semaphore. This may be avoided by not keeping open
handles to the semaphore so that Windows can destroy it when no
open handles remain.
See also: http://article.gmane.org/gmane.network.openvpn.devel/11913
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1465871689-13533-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11919
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Exponentially back off on repeated connect retries
- When the number of retries per remote exceeds a limit
(hard coded to 5), double the restart pause interval
for each additional retry per remote.
- Trigger a SIGHUP to reset the retry count when the pause
interval exceeds 1024 times the base value of restart pause.
(removed in v2 of the patch)
The base value of restart pause is set using --connect-retry
(5 seconds by default).
v2 changes (based on suggestions from Arne Schwabe <arne@rfc2549.org>)
- Do not throw SIGHUP.
- Add an optional argument to "--connect-retry n [m]" where 'm'
specifies the max value of restart pause interval (default
300 sec).
E.g., "--connect-retry 5 1800" will cause the restart pause to
scale up starting at 5 until it exceeds 1800 seconds at which
point it gets capped at 1800.
- If n == m no slow down will occur.
- While at it, fix typos and clarify the description of connect-retry-max
in the man page and Changes.rst
v3 changes (on further feedback from arne@rfc2549.org):
- Limiting the base value of retry wait interval to 16 bits moved
to options.c
- Apply backoff only in the udp and tcp-client modes. Backing off on
tcp-server could be exploited by a client in p2p-mode to maliciously
slow it down (thanks to Arne Schwabe for pointing this out).
- Fix typo in Changes.rst: "third argument" -> "second argument"
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1467732770-19110-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/12050
Signed-off-by: Gert Doering <gert@greenie.muc.de>
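An added example (not OpenVPN's code and not part of this commit) of the back-off schedule the message describes: the pause starts at the --connect-retry base n, doubles for every retry beyond the fifth against the same remote, is capped at m (default 300 seconds), does not slow down at all when n == m, and is never applied on a tcp-server, which a peer could otherwise use to throttle it. The function and type names, the treatment of a zero argument as "use the default", and the treatment of a cap smaller than the base are assumptions made for this example.

```c
#include <stdio.h>

/* Per the commit message, backoff applies only to udp and tcp-client. */
enum link_mode { LINK_UDP, LINK_TCP_CLIENT, LINK_TCP_SERVER };

#define CONNECT_RETRY_DEFAULT      5      /* --connect-retry n default (seconds) */
#define CONNECT_RETRY_MAX_DEFAULT  300    /* default for the optional m (seconds) */
#define BACKOFF_AFTER_RETRIES      5      /* hard-coded threshold named in the message */
#define CONNECT_RETRY_BASE_LIMIT   65535  /* base limited to 16 bits (v3 note) */

/* Pause (seconds) before retry number `retry` (1-based) against one remote.
 * base = n, max_pause = m; 0 selects the default (assumption). */
int restart_pause_seconds(int base, int max_pause, int retry, enum link_mode mode)
{
    if (base <= 0 || base > CONNECT_RETRY_BASE_LIMIT) {
        base = CONNECT_RETRY_DEFAULT;
    }
    if (max_pause <= 0) {
        max_pause = CONNECT_RETRY_MAX_DEFAULT;
    }
    if (max_pause < base) {
        max_pause = base;   /* assumption: a cap below the base means "no backoff" */
    }
    /* n == m: no slow down.  tcp-server: never back off.  First five: flat. */
    if (base == max_pause || mode == LINK_TCP_SERVER || retry <= BACKOFF_AFTER_RETRIES) {
        return base;
    }
    /* Double once per retry beyond the threshold, stopping as soon as the cap
     * is reached (long arithmetic so the doubling cannot overflow an int). */
    long pause = base;
    for (int extra = retry - BACKOFF_AFTER_RETRIES; extra > 0 && pause < max_pause; extra--) {
        pause *= 2;
    }
    return pause > max_pause ? max_pause : (int)pause;
}

int main(void)
{
    /* The message's own example: "--connect-retry 5 1800" in udp mode. */
    printf("--connect-retry 5 1800, udp:\n");
    for (int retry = 1; retry <= 16; retry++) {
        printf("  retry %2d -> pause %4d s\n", retry,
               restart_pause_seconds(5, 1800, retry, LINK_UDP));
    }
    printf("same retries on a tcp-server -> pause %d s\n",
           restart_pause_seconds(5, 1800, 16, LINK_TCP_SERVER));
    return 0;
}
```

With these values the schedule is 5 s for retries 1 to 5, then 10, 20, 40, 80, 160, 320, 640, 1280 for retries 6 to 13, and 1800 from retry 14 onwards; the same retries on a tcp-server stay at 5 s.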
Arne Schwabe [Fri, 24 Jun 2016 12:27:10 +0000 (14:27 +0200)]
Remove http-proxy-retry and socks-proxy-retry.
These options were probably introduced long before we had multiple
remote/connection entries. For all other connection entries, OpenVPN will
go on with the next connection if it fails. For proxies, if it fails in
some ways it works the same, for other failures it completely stops.
Removing the *-proxy-retry and defaulting to retry makes the behavior more
predictable. Stopping after one try (regardless of reason) can be achieved
with --max-connect-retry 1
V2: Add reason for removing, remove from manpage, give a hint at
--max-connect-retry
V3: Collapse the two ifs in options.c to one block
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1466771230-5266-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11988
Selva Nair [Fri, 24 Jun 2016 02:50:56 +0000 (22:50 -0400)]
Return process id of openvpn from interactive service to client
- The process id is returned as a message formatted in the same manner
as error messages from the service to the client: i.e., a three-line
message with error number formatted as 0x%08x on line 1, followed by
the PID in format 0x%08x on line 2 and a description that reads as
"Process ID" on line 3. Error number is set to zero to indicate
this is an informational message.
This provides a way for service clients to check the status of openvpn
and terminate it without needing management interface or exit event.
Useful when the interactive service is used from a launch script, or
to force-terminate openvpn from the GUI if/when needed.
v2 changes: format of the message changed as described above.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1466736656-27501-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11984
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Fri, 17 Jun 2016 02:54:53 +0000 (22:54 -0400)]
Fix management-external-cert option parsing error
- Allow --management-external-cert as an alternative to --cert
- Also make sure --cert and --management-external-cert are not
both specified, and clarify in the man page that the latter
must be used with --management-external-key.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1466132093-1178-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11929
Signed-off-by: Gert Doering <gert@greenie.muc.de>
James Yonan [Thu, 3 Mar 2016 08:19:05 +0000 (01:19 -0700)]
Added directive to specify HTTP proxy credentials in config.
The inline directive http-proxy-user-pass can be used to
specify proxy credentials in config, e.g.:
http-proxy proxy.tld 3128 auto-nct
<http-proxy-user-pass>
foo
bar
</http-proxy-user-pass>
This usage is already supported by OpenVPN 3.
Signed-off-by: James Yonan <james@openvpn.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1456993146-63968-9-git-send-email-james@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11283
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Tue, 14 Jun 2016 20:00:03 +0000 (22:00 +0200)]
mbedtls: don't set debug threshold if compiled without MBEDTLS_DEBUG_C
For targets with space constraints, one might want to compile mbed TLS
without MBEDTLS_DEBUG_C defined, to save some tens of kilobytes. Make
sure OpenVPN still compiles if that is the case.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1465934403-22226-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11922
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Thu, 9 Jun 2016 13:00:32 +0000 (15:00 +0200)]
Change --enable-pedantic to use -std=c99 and not -ansi (C90).
There's quite a bit of our code that fails compilation with
"gcc -pedantic -ansi" and should not be changed - like, LZ4 using
"long long" variables which C90 does not have. Be pragmatic.
trac #616
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1465477232-25826-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11882
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Thu, 9 Jun 2016 11:51:29 +0000 (13:51 +0200)]
Upgrade bundled compat-lz4 to upstream release r131.
Take upstream release from https://github.com/Cyan4973/lz4/releases,
copy lz4-r131/lib/lz4.c to src/compat/compat-lz4.c
copy lz4-r131/lib/lz4.h to src/compat/compat-lz4.h
change #include line in compat-lz4.c to use "compat-lz4.h" not "lz4.h"
add "config.h" block and wrap in #ifdef NEED_COMPAT_LZ4 / #endif
No other changes to upstream code.
This commit is quite huge, but this is because we bundled a fairly old
version and upstream refactored quite a lot of code, changed // comments
to /* */ style, etc - to review, compare compat-lz4.* files to upstream.
v2: add missing #ifdef NEED_COMPAT_LZ4 wrapping
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1465473089-20754-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11879
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Wed, 8 Jun 2016 12:20:39 +0000 (14:20 +0200)]
Don't limit max incoming message size based on c2->frame
"Be conservative in what you send, be liberal in what you accept"
When receiving packets, the real limitation of how much data we can accept
is the size of our internal buffers, not the maximum size we expect
incoming packets to have.
I ran into this while working on cipher negotiation, which will need
separate bookkeeping for the required internal buffer size, and the
link/tun MTU. Basing this code on the buffer size instead of c2->frame
makes that easier. A nice side-effect of this change is that it
simplifies the code.
This should also reduce the impact of using asymmetric tun/link MTU's,
such as in trac ticket #647.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1465388443-15484-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11850
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Tue, 7 Jun 2016 04:44:20 +0000 (00:44 -0400)]
Ignore SIGUSR1/SIGHUP during exit notification
This allows exit notification to complete and finally trigger SIGTERM.
The current practice of allowing a restart in this state clears
the exit notification timer data and thus loses the SIGTERM.
Trac #687
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1465274660-11009-2-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11814
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Sun, 5 Jun 2016 21:41:23 +0000 (17:41 -0400)]
Add an option to filter options received from server
v2 changes:
- Add the flag "ignore" and have "reject" trigger a restart.
- Unlimited number of filters: yes, going against the consensus,
but the code looks simpler and cleaner this way.
- New commit message to reflect the changes.
Permit a client to selectively accept, ignore or reject options
pushed by the server. May be used multiple times. The filters
are applied in the order specified to each pushed option received.
The filtering stops as soon as a match is found. The action "ignore"
removes the option and continues processing the next option, while
"reject" flags an error and restarts the connection with SIGUSR1.
Prefix matching is used so that all options starting with the
specified "option" string are filtered.
will ignore all pushed routes except those starting with "192.168."
and reject the assigned ip unless its in the "10.9.0.0/24"
range. A match of the reject filter will trigger a restart. SIGUSR1
restart is used instead of SIGHUP so as to try the next remote
for reconnection.
Note the space at the end of "route " to not reject "route-gateway",
for example. All options not matched by any filter are accepted.
Acknowledges shameless imitation of --push-remove.
Inspired by Trac #682.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1465162884-32520-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11808
Signed-off-by: Gert Doering <gert@greenie.muc.de>
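An added example (not OpenVPN's code and not part of this commit) of the filtering semantics the message describes: filters are tried in order against each pushed option, prefix matching decides, the first match wins, "ignore" drops the option and continues, "reject" aborts the whole push (the point at which the client would restart with SIGUSR1), and anything no filter matches is accepted. The filter list reproduces the message's scenario (routes only into 192.168., ifconfig only inside 10.9.0.0/24, with the trailing space in "route " so that route-gateway is not swallowed); the pushed option lines, the struct and function names are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum pull_action { PULL_ACCEPT, PULL_IGNORE, PULL_REJECT };

struct pull_filter {
    enum pull_action action;
    const char *prefix;   /* compared against the start of the pushed option text */
};

/* Constructed filter list mirroring the commit message's scenario. */
const struct pull_filter example_filters[] = {
    { PULL_ACCEPT, "route 192.168." },
    { PULL_IGNORE, "route " },          /* trailing space: "route-gateway" does not match */
    { PULL_ACCEPT, "ifconfig 10.9.0." },
    { PULL_REJECT, "ifconfig" },
};
const size_t example_nfilters = sizeof(example_filters) / sizeof(example_filters[0]);

/* First matching filter wins; an option matched by no filter is accepted. */
enum pull_action pull_filter_apply(const struct pull_filter *filters, size_t n, const char *option)
{
    for (size_t i = 0; i < n; i++) {
        if (strncmp(option, filters[i].prefix, strlen(filters[i].prefix)) == 0) {
            return filters[i].action;
        }
    }
    return PULL_ACCEPT;
}

/* Filter a whole pushed option list.  Accepted options are stored (by pointer)
 * in `accepted`.  Returns the number accepted, -1 as soon as a reject matches
 * (the caller would then restart the connection), or -2 if `accepted` is full. */
int pull_filter_options(const struct pull_filter *filters, size_t nf,
                        const char *const *pushed, size_t np,
                        const char **accepted, size_t cap)
{
    size_t count = 0;
    for (size_t i = 0; i < np; i++) {
        switch (pull_filter_apply(filters, nf, pushed[i])) {
        case PULL_REJECT:
            return -1;
        case PULL_IGNORE:
            continue;
        case PULL_ACCEPT:
            if (count == cap) return -2;
            accepted[count++] = pushed[i];
            break;
        }
    }
    return (int)count;
}

/* Constructed pushed options: one foreign route, one route-gateway that must
 * survive, and an ifconfig inside the allowed range. */
const char *const example_pushed[] = {
    "route 192.168.1.0 255.255.255.0",
    "route 10.0.0.0 255.0.0.0",
    "route-gateway 10.9.0.1",
    "ifconfig 10.9.0.5 255.255.255.0",
    "dhcp-option DNS 10.9.0.1",
};
/* Constructed push assigning an address outside 10.9.0.0/24. */
const char *const example_pushed_bad[] = {
    "route 192.168.1.0 255.255.255.0",
    "ifconfig 172.16.0.5 255.255.255.0",
};

int example_accepted_count(void)
{
    const char *acc[8];
    return pull_filter_options(example_filters, example_nfilters, example_pushed, 5, acc, 8);
}

int example_rejected(void)
{
    const char *acc[8];
    return pull_filter_options(example_filters, example_nfilters, example_pushed_bad, 2, acc, 8);
}

int main(void)
{
    const char *acc[8];
    int n = pull_filter_options(example_filters, example_nfilters, example_pushed, 5, acc, 8);
    for (int i = 0; i < n; i++) printf("accepted: %s\n", acc[i]);
    printf("good push -> %d accepted; bad push -> %d\n", n, example_rejected());
    return 0;
}
```

Because matching is by prefix, the order and exact spelling of the filter strings carry the policy: "ifconfig 10.9.0." before "ifconfig" is what turns a blanket reject into an allow-list, and "route " (with the space) before nothing else is what keeps route-gateway untouched.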
Selva Nair [Sat, 4 Jun 2016 15:57:13 +0000 (11:57 -0400)]
Make block-outside-dns work with persist-tun
- Remove and recreate WFP filters during restart even when
tun/tap is not re-opened. This is needed for resolving the remote.
Patch same as for v2.3 except for passing 'msg_channel'.
See also: http://article.gmane.org/gmane.network.openvpn.user/36990
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1465055833-13681-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11788
Signed-off-by: Gert Doering <gert@greenie.muc.de>
It seems it was a conflict in vendor/Makefile.am's distdir target,
confusing autotools so it wouldn't actually parse that directory
properly. The result was that 'make distcheck' would fail and
tarballs created would just ship with an empty vendor/ directory.
Also remove the 'foreign' AUTOMAKE_OPTIONS flag, as we don't use
that many places at all. Things work well without this flag.
The comment had to be moved to a single line, otherwise the
white spaces between the end of the variable assignment and the
hash character got added to the variable.
[v3 - Further improve white space issues, now 'make clean'
should work too]
[v2 - Fix white space issues in path variables]
Signed-off-by: David Sommerseth <dazo@privateinternetaccess.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1464976163-6162-1-git-send-email-openvpn@sf.lists.topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11778
David Sommerseth [Tue, 31 May 2016 10:28:46 +0000 (12:28 +0200)]
Only build and run cmocka unit tests if its submodule is initialized
Commit 40cb4cfc5d01110 added infrastructure to write unit tests using
cmocka. This was implemented using a git submodule to fetch an
up-to-date cmocka test framework.
The issue which appeared was that 'make check' stopped working if
the cmocka submodule was not initialized and updated. As we do not
want this to be a hard dependency, this patch makes running these
unit tests conditional. If cmocka has not been initialized, skip
them or if it has been initialized all unit tests will be run.
[v2 - Also check if cmake is available, as cmocka depends on that
to be built ]
Signed-off-by: David Sommerseth <dazo@privateinternetaccess.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1464703645-26640-1-git-send-email-openvpn@sf.lists.topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11758
Jeffrey Cutter [Fri, 20 May 2016 09:25:10 +0000 (12:25 +0300)]
Update contrib/pull-resolv-conf/client.up for no DOMAIN
When no DOMAIN is received from push/pull, do not add either domain or
search to the resolv.conf. Fix typo in comment resolv.con[f]. Only add
new line when using domain or search.
Jens Neuhalfen [Wed, 25 May 2016 17:57:56 +0000 (19:57 +0200)]
Add a test for auth-pam searchandreplace
No functional changes.
Utility functions of auth-pam are split into a dedicated file. This allows
the test programs to easily test these functions without adding
dependencies.
Add a minimal test for searchandreplace as a proof of concept.
[ Modified during commit: Enhanced documentation of functions in utils.h
to comply with doxygen standards ]
Jens Neuhalfen [Wed, 25 May 2016 17:57:55 +0000 (19:57 +0200)]
Add unit testing support via cmocka
cmocka [1,2] is a testing framework for C. Adding unit test
capabilities to the openvpn repository will greatly ease the
task of writing correct code.
cmocka source code is added as git submodule in ./vendor. A
submodule approach has been chosen over a classical library
dependency because libcmocka is not available, or only
available in very old versions (e.g. on Ubuntu).
cmocka is built during 'make check' and installed in vendor/dist/.
Selva Nair [Sun, 22 May 2016 18:39:32 +0000 (14:39 -0400)]
Fix handling of out of memory error in interactive service
Currently realloc failure in UpdateWaitHandles() is handled by
triggering exit_event and waiting for all active worker threads
to terminate. However, at this point the wait handles array
will contain an invalid value (handle of the latest thread that
is terminated), causing a cycle of WAIT_FAILED <-> continue and
trashing of the eventlog.
Fix:
- Update the wait handles again after removing the last thread:
this should not fail as no extra memory is needed. Do not set
the exit event; existing connections are not terminated.
- In case of WAIT_FAILED, break out of the while loop and exit
instead of continue. This usually happens when one or more
handles are invalid, which is hard to recover from.
Other changes:
- Use minimal initial allocation size so that the realloc code path
gets exercised (2 or more connections will cause realloc).
- Use a temp variable to check the return value of realloc().
- Initialize handles array pointer to NULL.
v2 changes:
- Increased initial allocation to 10 (warn: now 10 or more connections
needed to exercise the realloc code path).
- Moved up the declaration of "LPHANDLE tmp" to please stone-age MSVC.
Tested using a dummy realloc that returns NULL.
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1463942372-26958-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11708 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Josh Cepek [Mon, 18 Aug 2014 10:51:01 +0000 (05:51 -0500)]
Push an IPv6 CIDR mask used by the server, not the pool's size
Correctly handle CIDR masks when pushing clients addressing from an IPv6
pool. This change ignores the incorrectly used `bits` argument to the
--ifconfig-ipv6-pool option.
The code to save any provided CIDR mask after the pool IP is left in;
this may someday become useful when we move to allow IPv6 pools without
relying on an IPv4 pool assignment.
Signed-off-by: Josh Cepek <josh.cepek@usa.net> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <53F1DA95.7020701@usa.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8990 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Mon, 16 May 2016 10:13:04 +0000 (12:13 +0200)]
Implement push-remove option to selectively remove pushed options.
With this option, the server can remove individual options from the
set pushed to a client (call from --client-config-dir file, or from
--client-connect script or plugin). Options are removed at parse
time, so it is possible to do stuff like:
push-remove route-ipv6
push "route-ipv6 fd00::/8"
to first remove all IPv6 route options set so far, then add something
specific (what "push-reset" does to all the options).
Arguments to push-remove are strncmp()'ed to option string, so partial
matches like
push-remove "route-ipv6 2001:"
are possible ("remove all IPv6 routes starting with 2001:").
Implementation of remove_iroutes_from_push_route_list() had to be changed
slightly to stop it from re-enabling all disabled options again.
v3: correct quoting in commit message
only handle a single argument per push-remove statement - if multiple
options are to be removed, just use multiple push-remove statements
Trac #29, #614
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1463393584-8318-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11665 Signed-off-by: Gert Doering <gert@greenie.muc.de>
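The prefix-match removal described above, as an added stand-alone example (not OpenVPN's own push-list code): a small list of pushed options, a push_remove() that disables entries by strncmp() prefix without ever re-enabling anything, and the two commit-message scenarios run over a constructed list. MAX_PUSH, the struct names and the sample option strings are assumptions for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MAX_PUSH 16  /* constructed limit for the example */

struct push_entry { const char *option; bool enabled; };
struct push_list  { struct push_entry e[MAX_PUSH]; size_t n; };

/* Append an option to the list (like `push "..."`). Returns false when full. */
bool push_add(struct push_list *l, const char *option)
{
    if (l->n >= MAX_PUSH) return false;
    l->e[l->n].option = option;
    l->e[l->n].enabled = true;
    l->n++;
    return true;
}

/* push-remove: disable every enabled entry whose option string begins with
 * `arg` (strncmp over strlen(arg), so "route-ipv6 2001:" is a partial match).
 * Entries already disabled stay disabled; nothing is ever re-enabled here.
 * Returns the number of entries disabled by this call. */
size_t push_remove(struct push_list *l, const char *arg)
{
    size_t len = strlen(arg), removed = 0;
    for (size_t i = 0; i < l->n; i++) {
        if (l->e[i].enabled && strncmp(l->e[i].option, arg, len) == 0) {
            l->e[i].enabled = false;
            removed++;
        }
    }
    return removed;
}

size_t push_count_enabled(const struct push_list *l)
{
    size_t c = 0;
    for (size_t i = 0; i < l->n; i++) c += l->e[i].enabled ? 1 : 0;
    return c;
}

/* Constructed sample: what a client-config-dir file might have pushed so far. */
static void build_sample(struct push_list *l)
{
    l->n = 0;
    push_add(l, "route-ipv6 2001:db8:1::/48");
    push_add(l, "route-ipv6 2001:db8:2::/48");
    push_add(l, "route-ipv6 fc00::/7");
    push_add(l, "dhcp-option DNS 10.8.0.1");
}

/* `push-remove "route-ipv6 2001:"`: only the two 2001: routes go. */
size_t demo_partial_match(void)
{
    struct push_list l; build_sample(&l);
    return push_remove(&l, "route-ipv6 2001:");   /* 2 */
}

/* Repeating the same push-remove disables nothing further. */
size_t demo_repeat_is_noop(void)
{
    struct push_list l; build_sample(&l);
    push_remove(&l, "route-ipv6 2001:");
    return push_remove(&l, "route-ipv6 2001:");   /* 0 */
}

/* `push-remove route-ipv6` then `push "route-ipv6 fd00::/8"`: all three
 * IPv6 routes are dropped, the DNS option stays, one new route is added. */
size_t demo_remove_then_push(void)
{
    struct push_list l; build_sample(&l);
    push_remove(&l, "route-ipv6");
    push_add(&l, "route-ipv6 fd00::/8");
    return push_count_enabled(&l);                /* 2 */
}
```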
Selva Nair [Fri, 11 Mar 2016 04:47:26 +0000 (23:47 -0500)]
Add support for register-dns through interactive service
The call to the service returns promptly after delegating the job to
a thread, before the task is completed. In the thread, "net stop dnscache",
"net start dnscache", "ipconfig /flushdns" and "ipconfig /register-dns"
are executed in that order.
Parallel execution of these commands is prevented by a lock that is
common to all connections started by the service.
Note: "net stop .." is used instead of "sc stop.." as the latter can
return before the service has fully stopped (in STOP_PENDING state),
causing the subsequent start to fail.
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1457671646-4322-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11354 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Sat, 14 May 2016 00:31:24 +0000 (20:31 -0400)]
Make error non-fatal while deleting address using netsh
During windows power events such as sleep or suspend, the TUN/TAP
I/O aborts and openvpn signals SIGHUP so as to automatically reconnect
on resume (since commit ea66a2b5cdb2..). During the SIGHUP processing
operations such as address and route deletion are expected to fail. Such
failures should be treated as non-fatal to allow for this automatic
recovery logic to work. Currently, when the address deletion is handled
by netsh, errors are treated as M_FATAL. This patch changes the error
level to M_WARN.
Resolves Trac #71 (comments 37 to 43)
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1463185884-4355-2-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11656 Signed-off-by: Gert Doering <gert@greenie.muc.de>
James Yonan [Thu, 3 Mar 2016 07:48:12 +0000 (00:48 -0700)]
Fixed port-share bug with DoS potential
Fixed port-share bug that can cause segfault when the number
of concurrent connections is large.
The issue is that the port-share code calls openvpn_connect()
which in turn calls select(). When there are a high number
of concurrent port-share connections, the fd passed to select
can potentially exceed FD_SETSIZE, causing undefined behavior.
The fix is to use poll() (if available) instead of select().
Signed-off-by: James Yonan <james@openvpn.net> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <CAA1Abx+2E2FZN-y6P=mkKpSuZ7bOV5m6rUMTx3V7UP2qPMjZPg@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11626 Signed-off-by: Gert Doering <gert@greenie.muc.de>
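The FD_SETSIZE hazard behind this fix, as an added example (not OpenVPN's openvpn_connect() code): the guard a select()-based wait would need before every FD_SET(), and a poll()-based writable-wait that has no such limit, exercised on a constructed pipe. Function names and timeouts are assumptions for this example.

```c
#include <errno.h>
#include <poll.h>
#include <stdbool.h>
#include <sys/select.h>
#include <unistd.h>

/* select() can only track descriptors below FD_SETSIZE: FD_SET() on a
 * larger fd indexes past the fd_set bit array (undefined behaviour).
 * A select()-based wait therefore needs this guard before every FD_SET(). */
bool fd_fits_select(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/* Wait up to timeout_ms for fd to become writable (the condition a
 * non-blocking connect() completes on), using poll() instead of select().
 * poll() is given the fd number directly, so the FD_SETSIZE limit does
 * not apply. Returns 1 = writable, 0 = timed out, -1 = error/hang-up. */
int wait_writable_poll(int fd, int timeout_ms)
{
    struct pollfd pfd = { .fd = fd, .events = POLLOUT, .revents = 0 };
    int rc;
    do {
        rc = poll(&pfd, 1, timeout_ms);
    } while (rc < 0 && errno == EINTR);
    if (rc < 0) return -1;
    if (rc == 0) return 0;
    /* A failed connect() shows up as POLLERR/POLLHUP; a closed fd as POLLNVAL. */
    if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) return -1;
    return (pfd.revents & POLLOUT) ? 1 : 0;
}

/* Constructed check: the write end of a fresh pipe is immediately writable. */
int demo_pipe_writable(void)
{
    int p[2];
    if (pipe(p) != 0) return -99;
    int rc = wait_writable_poll(p[1], 100);
    close(p[0]);
    close(p[1]);
    return rc;   /* 1 */
}

/* Constructed check: waiting on an already-closed descriptor is reported
 * as an error (POLLNVAL), not as a silent timeout. */
int demo_closed_fd_is_error(void)
{
    int p[2];
    if (pipe(p) != 0) return -99;
    close(p[0]);
    close(p[1]);
    return wait_writable_poll(p[1], 100);   /* -1 */
}
```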
Jens Neuhalfen [Sun, 8 May 2016 16:17:48 +0000 (18:17 +0200)]
Prevent integration test timeout bc. of sudo
Integration tests run by t_client.sh use sudo to run openvpn as root.
If the t_client.sh script is configured to use sudo then the user
must enter the password quickly because t_client assumes a startup
failure if openvpn does not start quick enough.
If the user is not quick enough, then the tests fail.
This change will refresh the sudo timestamp at the start of the script.
Tested on MacOS X & Ubuntu Precise
Signed-off-by: Jens Neuhalfen <jens@neuhalfen.name> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <280154CA-9468-429B-BCAC-DB632C0AFB32@neuhalfen.name>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11622 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Thu, 5 May 2016 11:48:16 +0000 (13:48 +0200)]
Fix library order in -lmbedtls test.
-lmbedx509 needs to be before -lmbedcrypto, otherwise you end up with
unresolved symbols mbedtls_pk_load_file and mbedtls_pk_parse_subpubkey
on systems with static mbedtls libraries and a linker that only does
one left-to-right resolving pass through these.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20160505115050.GA81579@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11605 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Sun, 1 May 2016 18:23:06 +0000 (20:23 +0200)]
configure.ac: link to all mbed TLS libs during library detection
When for some reason the dependencies of the compiled mbed TLS libraries
(libmbedtls, libmbedcrypto and libmbedx509) are not correct, the configure
script will fail to link against libmbedcrypto and/or libmbedx509. This
is reported to happen after using 'make install' to install mbedtls.
This patch makes sure the configure tests link to all three. The build
process itself already did.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1462126986-2686-1-git-send-email-steffan@karger.me> Signed-off-by: Gert Doering <gert@greenie.muc.de>
Rename files with 'polarssl' in the name to 'mbedtls'
The patch looks huge, but it's just file renames, and required changes in
includes / Makefiles. Use 'git diff -C' or a tool like gitk to easily
review this patch.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1460918143-408-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11459 Signed-off-by: Gert Doering <gert@greenie.muc.de>
PolarSSL / mbed TLS 1.3 is going end-of-life by 2016-12-31, so let's move
the master branch on to the 2.x series.
This patch purges all references to polarssl, except for file names and
some comments referring to 1.2 and earlier, which were never released as
'mbed TLS'. A separate patch for the file names follows, so the real
changes are easier to spot without git-fu.
This patch intends to not change any behaviour.
The vast majority of this patch is just renaming functions and structs.
There are some small changes in the implementation:
* In ssl_polarssl.c: the debug callback prototype changed, so our
implementation changed a bit too.
* in ssl_polarssl.c: the old polarssl ssl_context is now split into a
mbedtls_ssl_config and mbedtls_ssl_context. The intention is that
mbedtls_ssl_config is shared among connections, and mbedtls_ssl_context
contains the per-connection state. That doesn't work for us, because
we use per-connection verify callback data, while the verify callback
is registered on mbed_tls_config. Therefore we still need to init a
mbed_tls_config struct for each connection.
* in ssl_polarssl.c: the mbed bio handling changed, so our
implementation changed a bit too.
* in ssl_polarssl.c and ssl_verify_polarssl.c: the mbedtls x509 parse
functions now fail if we don't provide a NUL-terminated string, so use
strlen()+1 as the length argument to include the terminating NUL.
I tested this patch to work with:
* 'make check' (with 2.0.0 and 2.2.1, other tests just with 2.2.1)
* static key mode
* TLS mode with PEM key file
* TLS mode with password protected PEM key file
* TLS mode with management-external-key
* TLS mode with PKCS#11
* TLS mode with inline ca/key/cert/dh
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1460918143-408-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11458 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Sat, 5 Mar 2016 16:08:22 +0000 (17:08 +0100)]
Implemented x509-track for PolarSSL.
This patch is a variant of the patch to implement x509-track for
PolarSSL that was sent to openvpn-devel@ by James Yonan
(<1456993146-63968-7-git-send-email-james@openvpn.net>). It still uses
some of the original code from James, but proposes a different
implementation.
This patch does the following things differently:
* Do not introduce NID_* defines that need to be maintained. Instead,
just use the short name of the attribute for identification. This
has the advantage that we automatically support everything that
PolarSSL supports, it is less code and we do not have to maintain the
list. But the disadvantage is that this approach will not error out
when an unknown attribute name is supplied. PolarSSL (at least 1.3,
I didn't check 2.x) does not provide the functions required to do
that. Instead of erroring out, this implementation will just
silently ignore the unknown --x509-track attribute name.
* Remove the ENABLE_X509_TRACK define completely - it depended just on
ENABLE_CRYPTO anyway.
* Move the --x509-track option parsing out of ENABLE_MANAGEMENT, since
it does not depend on management functionality.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <CAA1AbxL1w8e_o-GjS2jETZWxYdMbS2iKABPc6OZBA8bOVycjtA@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11350 Signed-off-by: Gert Doering <gert@greenie.muc.de>
PolarSSL x509_get_sha1_hash now returns correct SHA1 fingerprint.
x509_get_sha1_hash() is supposed to return the certificate fingerprint,
which is the hash of the entire certificate - including the signature -
and not just the 'to be signed' data (cert->tbs in polarssl).
This changes externally visible behavior for polarssl builds: it will
change the value of the tls_digest_N values exported to the environment
for scripts.
v2 Steffan Karger: added commit message and Changes.rst entry.
Code unchanged from v1 by James.
Signed-off-by: James Yonan <james@openvpn.net> Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <CAA1AbxL=QYUy6N+jKgxVVuftmF=75mSEz3rYUbisT245UfB5Dg@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11396 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Daniel Kubec [Wed, 27 Apr 2016 06:00:34 +0000 (08:00 +0200)]
Fix buffer size parameter for exported keying material.
Commit 41e4b67a229e774ebc57a882c386e10d80e10e7e broke the exported
keying material functionality while addressing lack of variable-length
arrays in MSVC compilers - turning an array into a gc_malloc()'ed
pointer, but still using "sizeof(ekm)" for buffer size - which is
now "4" (unsigned char *), not the actual buffer length...
Fixed!
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <49496.109.81.184.65.1461736834.squirrel@mail.actumg2.cz>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11509
Selva Nair [Sun, 20 Dec 2015 19:12:53 +0000 (14:12 -0500)]
Support reading the challenge-response from console
Trying to keep the footprint small, this patch adds to the
convoluted code-flow in get_user_pass_cr(). Cleanup left for later.
-----8<-----
Currently prompting for a response to static-challenge
gets skipped when the username and password are read
from a file. Further, dynamic challenge gets wrongly handled
as if it's a username/password request.
The Fix:
- Add yet another flag in get_user_pass_cr() to
set when prompting of response from console is needed.
- In receive_auth_failed(), the challenge text received
from the server is _always_ copied to the auth_challenge
buffer: this is needed to trigger prompting from console
when required.
- Also show the challenge text instead of an opaque
"Response:" at the prompt.
While at it, also remove the special treatment of authfile ==
"management" in get_user_pass_cr(). The feature implied by that
test does not exist.
Tested:
- username and optionally password from file, rest from console
- the above with a static challenge
- the above with a dynamic challenge
- all of the above with systemd in place of console
- all from management with and without static/dynamic
challenge.
Thanks to Wayne Davison <wayne@opencoder.net> for pointing out the
issue with challenge-response, and an initial patch.
In the past years, the internet has been moving forward wrt deprecating
older and less secure ciphers. Let's follow this example in OpenVPN and
further restrict the default list of negotiable TLS ciphers.
Compared to earlier, this disables the following:
* Ciphers in the LOW and MEDIUM security cipher list of OpenSSL
The LOW suite will be completely removed from OpenSSL in 1.1.0;
the MEDIUM suite contains ciphers like RC4 and SEED.
* Ciphers that do not provide forward secrecy (static DH/ECDH keys)
* DSA private keys (rarely used, and usually restricted to 1024 bits)
v2: added Changes.rst entry.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1460917927-31645-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11457 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Make the intent of the validation clear when validating the utun parameter in
open_darwin_utun. The program logic remains unchanged.
Fixes the following compiler warning on Mac OS X:
tun.c:2847:19: warning: logical not is only applied to the left hand side
of this comparison [-Wlogical-not-parentheses]
if (dev_node && !strcmp ("utun", dev_node)==0)
^ ~~
tun.c:2847:19: note: add parentheses after the '!' to evaluate the
comparison first
if (dev_node && !strcmp ("utun", dev_node)==0)
^
( )
tun.c:2847:19: note: add parentheses around left hand side expression to
silence this warning
if (dev_node && !strcmp ("utun", dev_node)==0)
^
( )
tun.c:2849:11: warning: logical not is only applied to the left hand side
of this comparison [-Wlogical-not-parentheses]
if (!sscanf (dev_node, "utun%d", &utunnum)==1)
^ ~~
tun.c:2849:11: note: add parentheses after the '!' to evaluate the
comparison first
if (!sscanf (dev_node, "utun%d", &utunnum)==1)
^
( )
tun.c:2849:11: note: add parentheses around left hand side expression to
silence this warning
if (!sscanf (dev_node, "utun%d", &utunnum)==1)
^
( )
Signed-off-by: Jens Neuhalfen <jens@neuhalfen.name> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <3365AB24-33FD-4D9D-A57C-BF9240DC3D69@neuhalfen.name>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11440 Signed-off-by: Gert Doering <gert@greenie.muc.de>
fixup: change init_key_type() param name in declaration too
Commit 66407e11 changed the name of the cfb_ofb_allowed parameter of the
init_key_type() implementation to 'tls_mode', but forgot to do the same in
the function declaration.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1460886980-12925-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11445 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sun, 6 Mar 2016 19:39:09 +0000 (20:39 +0100)]
Implement inlining of crl files
While crl files can change regularly and it is usually not a good idea to
statically include them into config files, handling multiple files and
updating files on mobile devices is tiresome/problematic. Inlining a static
version of the crl file is better in these use cases than to use no crl at
all.
OpenVPN 3 already supports inlining crl-verify, so <crl-verify> is already
used in config files.
V2: Fixed PolarSSL and made formatting respect the 80 column limit
V3: Accidentally reverted one change too much in V2 Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1457293149-10526-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11337
James Yonan [Thu, 3 Mar 2016 08:19:00 +0000 (01:19 -0700)]
Added flags parameter to format_hex_ex.
We add the flags parameter without changing the signature of
the function by repurposing the space_break parameter into
space_break_flags where the lower 8 bits are used for the
previous space_break parameter and the higher bits are used
for flag values.
Added new flag FHE_CAPS that formats the generated hex string
in upper case.
Signed-off-by: James Yonan <james@openvpn.net> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1456993146-63968-4-git-send-email-james@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11275 Signed-off-by: Gert Doering <gert@greenie.muc.de>
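The bit packing described above, as an added stand-alone re-creation (not OpenVPN's format_hex_ex(), whose real signature takes a gc_arena and differs from this one): the low 8 bits of space_break_flags select the space interval, the upper bits carry flags, and a too-small output buffer is refused rather than overrun. The FHE_CAPS bit value and the sample bytes are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Packing of the space_break_flags argument (layout from the commit message;
 * the FHE_CAPS bit value is an assumption for this example). */
#define FHE_SPACE_BREAK_MASK 0xFFu      /* low 8 bits: space every N bytes, 0 = never */
#define FHE_CAPS             (1u << 8)  /* upper bits: flags */

/* Hex-encode data into out (capacity outlen, NUL-terminated).
 * Returns the number of characters written, or -1 if out is too small. */
int format_hex_ex(const uint8_t *data, size_t len, unsigned space_break_flags,
                  char *out, size_t outlen)
{
    unsigned space_break = space_break_flags & FHE_SPACE_BREAK_MASK;
    const char *digits = (space_break_flags & FHE_CAPS) ? "0123456789ABCDEF"
                                                        : "0123456789abcdef";
    size_t pos = 0;
    if (outlen == 0) return -1;
    for (size_t i = 0; i < len; i++) {
        if (space_break && i > 0 && i % space_break == 0) {
            if (pos + 1 >= outlen) return -1;
            out[pos++] = ' ';
        }
        if (pos + 2 >= outlen) return -1;  /* keep room for the NUL */
        out[pos++] = digits[data[i] >> 4];
        out[pos++] = digits[data[i] & 0x0f];
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Constructed sample input: six bytes that read as "dead beef cafe". */
static const uint8_t sample[] = { 0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe };

/* Format the sample with the given space_break_flags into a static buffer. */
const char *demo_hex(unsigned space_break_flags)
{
    static char buf[32];
    if (format_hex_ex(sample, sizeof sample, space_break_flags, buf, sizeof buf) < 0)
        return "<overflow>";
    return buf;   /* e.g. 2 | FHE_CAPS -> "DEAD BEEF CAFE" */
}

/* A buffer too small for the output is refused instead of overrun. */
int demo_too_small(void)
{
    char buf[4];
    return format_hex_ex(sample, sizeof sample, 0, buf, sizeof buf);  /* -1 */
}
```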
Steffan Karger [Sun, 27 Mar 2016 14:18:16 +0000 (16:18 +0200)]
Replace MSG_TEST() macro for static inline msg_test()
Using a static inline function instead of a macro has the advantages that
(1) 'flags' is not evaluated twice and (2) coverity will stop complaining
that 'Macro compares unsigned to 0 (NO_EFFECT)' each time we use flags
with loglevel 0 (e.g. M_FATAL or M_WARN).
This has a performance impact when compiler optimizations are fully
disabled ('-O0'), but should otherwise be as fast as using a macro.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1459088296-5046-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11368 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Sun, 27 Mar 2016 15:22:10 +0000 (17:22 +0200)]
Fix memory leak in argv_extract_cmd_name()
Reported by coverity (in 2009!):
1648 static char *
1649 argv_extract_cmd_name (const char *path)
1650 {
1. Condition path, taking true branch
1651 if (path)
1652 {
1653 char *path_cp = string_alloc(path, NULL); /* POSIX basename()
implementations may modify its arguments */
1654 const char *bn = basename (path_cp);
2. Condition bn, taking true branch
1655 if (bn)
1656 {
3. alloc_fn: Storage is returned from allocation function
string_alloc. [show details]
4. var_assign: Assigning: ret = storage returned from
string_alloc(bn, NULL).
1657 char *ret = string_alloc (bn, NULL);
5. noescape: Resource ret is not freed or pointed-to in strrchr.
1658 char *dot = strrchr (ret, '.');
6. Condition dot, taking false branch
1659 if (dot)
1660 *dot = '\0';
1661 free(path_cp);
7. Condition ret[0] != 0, taking false branch
1662 if (ret[0] != '\0')
1663 return ret;
CID 27023 (#2-1 of 2): Resource leak (RESOURCE_LEAK)
8. leaked_storage: Variable ret going out of scope leaks the storage it
points to.
1664 }
1665 }
1666 return NULL;
1667 }
This function is only used by argv_printf_arglist(), and in a very specific
case, so it might be that this leak can not even occur. But coverity is
clearly right that this is a bug, so let's just fix it.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1459092130-19905-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11369 Signed-off-by: Gert Doering <gert@greenie.muc.de>
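A leak-free version of the function from the Coverity report, as an added example (not the fix as committed to OpenVPN): `ret` is freed when the stripped name turns out empty, and `path_cp` is freed on every path. strdup() stands in for OpenVPN's string_alloc(), and cmd_name_is() is a constructed test helper.

```c
#define _POSIX_C_SOURCE 200809L  /* strdup() */
#include <libgen.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Return the final path component with its extension stripped, as a freshly
 * malloc()ed string the caller frees; NULL when there is no path or the name
 * would be empty. Every allocation is released on every exit path. */
char *argv_extract_cmd_name(const char *path)
{
    char *ret = NULL;
    if (!path) return NULL;

    char *path_cp = strdup(path);   /* POSIX basename() may modify its argument */
    if (!path_cp) return NULL;

    const char *bn = basename(path_cp);
    if (bn) {
        ret = strdup(bn);
        if (ret) {
            char *dot = strrchr(ret, '.');
            if (dot) *dot = '\0';
            if (ret[0] == '\0') {   /* e.g. ".profile": nothing before the dot */
                free(ret);          /* the leaked storage in the report */
                ret = NULL;
            }
        }
    }
    free(path_cp);                  /* also freed when basename() yields NULL */
    return ret;
}

/* Constructed helper: does argv_extract_cmd_name(path) produce `expect`
 * (NULL meaning "no name")? Frees the result so the check itself cannot leak. */
bool cmd_name_is(const char *path, const char *expect)
{
    char *got = argv_extract_cmd_name(path);
    bool ok = (got == NULL) ? (expect == NULL)
                            : (expect != NULL && strcmp(got, expect) == 0);
    free(got);
    return ok;
}
```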