git.ipfire.org Git - thirdparty/openvpn.git/log
6 years ago: Write key to stdout if filename is not given
Arne Schwabe [Fri, 10 May 2019 12:11:08 +0000 (14:11 +0200)] 
Write key to stdout if filename is not given

This change is preparation for changing the way --genkey works.
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20190510121114.30468-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18445.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: unit tests: implement test for sitnl
Antonio Quartulli [Wed, 19 Dec 2018 05:01:17 +0000 (15:01 +1000)] 
unit tests: implement test for sitnl

This patch introduces a new unit test that is not executed
by the cmocka framework, but rather used by a new t_net.sh
bash script.

The idea behind this test is to ensure that invoking sitnl
functions or running iproute commands leads to the same
networking (interface and routing table) state.

To achieve this, the t_net.sh script first runs a binary
implemented by invoking sitnl functions and then takes a
"screenshot" of the state. Subsequently a series of
iproute commands, expected to mimic exactly the same behaviour
as the sitnl functions invoked before, are executed.
The final state is then compared with the screenshot
previously taken.

If no mismatch is found, the test passes.

The current unit_test, however, does not cover all the
sitnl functionalities and it is expected to be extended
in the future.

Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20181219050118.6568-7-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18027.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: route.c: use new networking API to handle routing table on Linux
Antonio Quartulli [Wed, 19 Dec 2018 05:01:15 +0000 (15:01 +1000)] 
route.c: use new networking API to handle routing table on Linux

By switching to the networking API (for Linux) openvpn will
now use any of the available implementations to handle the
routing table.

At the moment only iproute2 is implemented.

Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20181219050118.6568-5-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18029.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: travis.yml: add test for iproute2 net implementation
Antonio Quartulli [Wed, 19 Dec 2018 05:01:18 +0000 (15:01 +1000)] 
travis.yml: add test for iproute2 net implementation

Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20181219050118.6568-8-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18032.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: tun.c: use new networking API to handle tun interface on Linux
Antonio Quartulli [Wed, 19 Dec 2018 05:01:14 +0000 (15:01 +1000)] 
tun.c: use new networking API to handle tun interface on Linux

By switching to the networking API (for Linux) openvpn will
now use any of the available implementations to handle the tun
interface.

At the moment only iproute2 and sitnl (NetLink) are implemented.

Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20181219050118.6568-4-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18028.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: introduce sitnl: Simplified Interface To NetLink
Antonio Quartulli [Wed, 19 Dec 2018 05:01:13 +0000 (15:01 +1000)] 
introduce sitnl: Simplified Interface To NetLink

This patch introduces a tiny netlink interface, optimized
for the openvpn use case.

It basically exposes all those operations that are currently
handled by directly calling the /sbin/ip command (or even
ifconfig/route, if configured).

By using netlink, openvpn won't need to spawn new processes
when configuring the tun interface or routes.
This new approach will also allow openvpn to be granted
CAP_NET_ADMIN and be able to properly work even though it
dropped the root privileges (currently handled via workarounds).

By moving this logic into the sitnl module, tun.c and route.c
also benefit from some code simplification.

Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20181219050118.6568-3-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18030.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: Fix poll.h logic in syshead.h
Arne Schwabe [Fri, 24 May 2019 09:02:36 +0000 (11:02 +0200)] 
Fix poll.h logic in syshead.h

Commit 62063162 changed the include from sys/poll.h to just poll.h but
forgot to also change all occurrences of HAVE_SYS_POLL_H to HAVE_POLL_H.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190524090236.10760-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18475.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: implement networking API for iproute2
Antonio Quartulli [Wed, 19 Dec 2018 05:01:12 +0000 (15:01 +1000)] 
implement networking API for iproute2

iproute2 is the first user of the new networking API and
it's one of the two currently supported functionalities on
Linux (the other being net-tools).

This patch simply copies the current code from tun.c/route.c
to networking_iproute2.c without introducing any functional
change to the code.

Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20181219050118.6568-2-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18031.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: implement platform generic networking API
Antonio Quartulli [Tue, 14 May 2019 08:11:59 +0000 (10:11 +0200)] 
implement platform generic networking API

tun.c and route.c contain all the code used by openvpn
to manage the tun interface and the routing table on all
the supported platforms.

Across the years, this resulted in longer functions
and series of ifdefs.

This patch introduces a new "networking API" which aims at
creating a simple abstraction between the tun/route logic
and the platform dependent code.

The API is expected to be implemented outside of tun.c/route.c
by using platform specific functionalities.

Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190514081159.12192-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18458.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: Fix various compiler warnings
Lev Stipakov [Tue, 30 Oct 2018 08:53:35 +0000 (10:53 +0200)] 
Fix various compiler warnings

This patch fixes "unused variable/unreferenced format parameter"
warnings in different places, kudos to Visual Studio compiler
for discovering some of those.

This also removes the unneeded uninit_management_callback_multi()
wrapper.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1540889615-24868-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17855.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: tests: remove dependency on base64
Steffan Karger [Wed, 8 May 2019 13:52:20 +0000 (15:52 +0200)] 
tests: remove dependency on base64

Triggered by the report from Ilya, that if base64 is missing, the tests
would still report success:

  Testing tls-crypt-v2 key generation (max length
metadata)..../t_lpback.sh: base64: not found
  OK
  PASS: t_lpback.sh

The easiest way to fix that is to remove the dependency on base64 (which
in its current form wouldn't work on OSX anyway, because their base64
doesn't understand "-w0").

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <E1hON0G-0007yB-3H@sfs-ml-4.v29.lw.sourceforge.com>
URL: https://www.mail-archive.com/search?l=mid&q=E1hON0G-0007yB-3H@sfs-ml-4.v29.lw.sourceforge.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: build: Package missing mock_msg.h
David Sommerseth [Wed, 17 Apr 2019 20:30:15 +0000 (22:30 +0200)] 
build: Package missing mock_msg.h

The mock_msg.h file was not listed in the _SOURCES lists in
Makefile.am for the unit tests.  This caused the mock_msg.h file to not
be present in the .tar.gz file created by 'make dist'.

This was not noticed earlier as we haven't really tried much to run git
clone of the cmocka project manually in vendor/ from an unpacked
tarball.

With this fix the cmocka unit tests can also run from tarballs, after
manually extracting/fetching the cmocka source code in vendor/cmocka.

Signed-off-by: David Sommerseth <davids@openvpn.net>
----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----

How to test:

- Create a tarball: make distcheck (or just 'dist')
- Extract openvpn-2.5_git.tar.gz in a clean directory
- cd openvpn-2.5_git/vendor
- git clone https://git.cryptomilk.org/projects/cmocka.git
- ./configure
- make check
- Observe that the cmocka unit tests ran as expected

Depending on the CMake version, you might want to check out cmocka git
commit b2732b52202ae48f, which is the one we use in the git submodule.
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20190417203015.1903-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18380.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: cmocka: use relative paths
Steffan Karger [Sun, 28 Oct 2018 14:54:49 +0000 (15:54 +0100)] 
cmocka: use relative paths

Simplifies the build scripts, and fixes my CI, where paths on the test
slave can be different from paths on the build slave.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20181028145449.12676-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17849.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
6 years ago: Remove wrong poll.h include
Rosen Penev [Wed, 3 Apr 2019 22:57:40 +0000 (15:57 -0700)] 
Remove wrong poll.h include

musl reports:

warning redirecting incorrect #include <sys/poll.h> to <poll.h>

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190403225740.8285-1-rosenp@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18336.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: configure.ac: fix compile-time error in argv_testdriver
Ilya Shipitsin [Thu, 11 Apr 2019 07:45:19 +0000 (12:45 +0500)] 
configure.ac: fix compile-time error in argv_testdriver

Allow running tests when lzo is installed to a non-default directory.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190411074519.9982-2-chipitsine@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18357.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: docs: Update INSTALL
David Sommerseth [Wed, 27 Mar 2019 12:06:04 +0000 (13:06 +0100)] 
docs: Update INSTALL

The INSTALL file contained several minor errors, typos and was generally
not up-to-date in regards to what ./configure provides today.  In
addition, several URL references have moved around to new homes.

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190327120604.21101-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18307.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: travis-ci: update osx to xcode9.4 and modernize brew management
Ilya Shipitsin [Mon, 11 Mar 2019 13:36:20 +0000 (18:36 +0500)] 
travis-ci: update osx to xcode9.4 and modernize brew management

The osx image used for builds, i.e. xcode7.3, is outdated; we
can switch to the "default" xcode9.4 and use the faster brew
travis-ci plugin.

Signed-off-by: Ilya Shipitsin <chipitsine@gmail.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20190311133620.18278-4-chipitsine@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18269.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: travis-ci: change trusty image to xenial
Ilya Shipitsin [Mon, 11 Mar 2019 13:36:19 +0000 (18:36 +0500)] 
travis-ci: change trusty image to xenial

Ubuntu Trusty reaches End of Life on April 30, 2019.
Let us switch to xenial. Also, it simplifies mingw builds.
We do not need to add xenial mingw manually anymore.

Signed-off-by: Ilya Shipitsin <chipitsine@gmail.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20190311133620.18278-3-chipitsine@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18270.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: travis-ci: add "linux-ppc64le" to build matrix
Ilya Shipitsin [Mon, 11 Mar 2019 13:36:18 +0000 (18:36 +0500)] 
travis-ci: add "linux-ppc64le" to build matrix

Signed-off-by: Ilya Shipitsin <chipitsine@gmail.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20190311133620.18278-2-chipitsine@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18271.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: Use correct ifdefs for LibreSSL support
Stefan Strogin [Mon, 25 Feb 2019 18:35:31 +0000 (20:35 +0200)] 
Use correct ifdefs for LibreSSL support

- TLS 1.3 is not ready yet in LibreSSL. Also there is a theoretical
possibility of OpenSSL >=1.1.1 built without TLS 1.3 support.
- EC_KEY_METHOD API and SSL_get1_supported_ciphers are added into LibreSSL
master (not yet released in 2.9.0).
- Some methods that are available since LibreSSL 2.7.0 were thrown away
in ssl_openssl.c regardless of LibreSSL version. Use them with newer
LibreSSL.

Signed-off-by: Stefan Strogin <stefan.strogin@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20190225183531.27399-1-stefan.strogin@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18239.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: Better error message when script fails due to script-security setting
Selva Nair [Thu, 21 Feb 2019 00:46:22 +0000 (19:46 -0500)] 
Better error message when script fails due to script-security setting

- Add a new return value (-2) for openvpn_execve() when external
  program execution is not allowed due to a low script-security
  setting.

- Add a corresponding error message

Errors and warnings in such cases will now display as
"WARNING: failed running command (<cmd>) :" followed by

"disallowed by script-security setting" on all platforms

instead of the current

"external program did not execute -- returned error code -1"
on Windows and
"external program fork failed" on other platforms.

The error is FATAL for some scripts and that behaviour is unchanged.

This helps the Windows GUI to detect when a connection failure
results from a safer script-security setting enforced by the GUI,
and show a relevant message.

v2 changes as suggested by <davds@openvpn.net>

- define macros for return values of openvpn_execve()
- replace if/else by switch() in system_error_message()

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1550709982-19319-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18223.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: cleanup: Remove RPM openvpn.spec build approach
David Sommerseth [Wed, 20 Feb 2019 13:19:06 +0000 (14:19 +0100)] 
cleanup: Remove RPM openvpn.spec build approach

Linux packaging is quite a comprehensive task these days, with many
Linux distributions and each with their own packaging guidelines.  In
addition OpenVPN is packaged for most important Linux distributions
already.

The OpenVPN developers are not capable of keeping track of how all the
various recommended packaging guidelines evolve, and our RPM build
process is no longer consistent with guidelines from Fedora, RHEL or
SUSE packaging.  We also don't receive any updates improving this
situation, most likely due to packaging being handled fairly well by
the Linux distributions directly.

In addition, systemd comes into play, which more and more Linux
distributions embrace - and even our own RPM openvpn.spec file didn't
account for that move.

This removes all RPM related packaging files and updates the INSTALL
file with pointers to several popular Linux distributions with
accessible information on the OpenVPN packages they provide.  Linux
distributions are most likely much better at keeping the packaging
in shape than we are.

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190220131906.22970-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18222.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: Limit tapctl.exe and openvpnmsica.dll to TAP-Windows6 adapters only
Simon Rozman [Sun, 24 Feb 2019 18:16:21 +0000 (19:16 +0100)] 
Limit tapctl.exe and openvpnmsica.dll to TAP-Windows6 adapters only

Note: Hardware ID check is used selectively. When naming the adapter, we
still need to check all existing adapters to prevent duplicate names.
When listing or removing adapters by name, the operation is limited to
TUN-Windows6 adapters only.

This patch follows Gert's recommendations from [openvpn-devel].

Signed-off-by: Simon Rozman <simon@rozman.si>
Message-ID: <20190120130813.GY962@greenie.muc.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190224181621.27020-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18234.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: Add developer notes URL for openvpnmsica.dll
Simon Rozman [Sun, 24 Feb 2019 18:55:00 +0000 (19:55 +0100)] 
Add developer notes URL for openvpnmsica.dll

This patch follows Gert's recommendations from [openvpn-devel].

Signed-off-by: Simon Rozman <simon@rozman.si>
Message-ID: <201901181957.x0IJvlQ2003900@chekov.greenie.muc.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190224185500.45300-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18235.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: Refactor OpenVPNService state detection code
Simon Rozman [Sun, 24 Feb 2019 18:15:44 +0000 (19:15 +0100)] 
Refactor OpenVPNService state detection code

The code was standardized to avoid "E1072: a declaration cannot have a
label" warning of Visual Studio 2017 IntelliSense.

Furthermore, a comment was added explaining what the `dwStartType <=
SERVICE_AUTO_START` condition is about.

This patch follows Gert's recommendations from [openvpn-devel].

Signed-off-by: Simon Rozman <simon@rozman.si>
Message-ID: <201901181944.x0IJiGuV003728@chekov.greenie.muc.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190224181544.17232-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18233.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: Add user manual and developer notes URL for tapctl.exe
Simon Rozman [Sun, 24 Feb 2019 18:15:04 +0000 (19:15 +0100)] 
Add user manual and developer notes URL for tapctl.exe

This patch follows Gert's recommendations from [openvpn-devel].

Signed-off-by: Simon Rozman <simon@rozman.si>
Message-ID: <20190117155829.GA92142@greenie.muc.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190224181504.38328-1-simon@rozman.si 20190117155829.GA92142@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18232.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: Add NULL checks
Simon Rozman [Sun, 24 Feb 2019 18:14:00 +0000 (19:14 +0100)] 
Add NULL checks

Extra NULL checks were added after malloc() calls to display out-of-
memory error and try to exit gracefully.

Functions msica_op_create_*() now return NULL in out-of-memory conditions
too. Since their output is directly used in the msica_op_seq_add_head() and
msica_op_seq_add_tail() functions, the latter were extended to check for NULL
pointer arguments.

This patch follows Gert's recommendations from [openvpn-devel].

Signed-off-by: Simon Rozman <simon@rozman.si>
Message-ID: <20190117155829.GA92142@greenie.muc.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190224181400.42524-1-simon@rozman.si 20190117155829.GA92142@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18231.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: Disambiguate thread local storage references from TLS
Simon Rozman [Sun, 24 Feb 2019 18:12:52 +0000 (19:12 +0100)] 
Disambiguate thread local storage references from TLS

Since OpenVPN is security software, "TLS" usually stands for Transport
Layer Security.

Furthermore, repetitive copy&paste code was refactored using a macro.

This patch follows Gert's recommendations from [openvpn-devel].

Signed-off-by: Simon Rozman <simon@rozman.si>
Message-ID: <20190117155829.GA92142@greenie.muc.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190224181252.43996-1-simon@rozman.si 20190117155829.GA92142@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18230.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: Fix documentation of tls-verify script argument
Thomas Quinot [Fri, 1 Feb 2019 20:43:48 +0000 (21:43 +0100)] 
Fix documentation of tls-verify script argument

The second argument is the entire subject DN, not just the CN.
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20190201204348.22326-1-openvpn-devel=lists.sourceforge.net@thomas.quinot.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18195.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: Fix various spelling mistakes
Jonathan Tooker [Wed, 23 Jan 2019 20:17:17 +0000 (14:17 -0600)] 
Fix various spelling mistakes

New patch, omitted changes to copyrights/licenses & changelog.
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20190123201717.15048-1-jonathan@reliablehosting.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18177.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: Handle PSS padding in cryptoapicert
Selva Nair [Wed, 30 Jan 2019 15:53:20 +0000 (10:53 -0500)] 
Handle PSS padding in cryptoapicert

For PSS padding, CNG requires the digest to be signed
and the digest algorithm in use, which are not accessible
via the rsa_sign and rsa_priv_enc callbacks of OpenSSL.
This patch uses the EVP_KEY interface to hook to
evp_pkey_sign callback if OpenSSL version is > 1.1.0.

To test this code path, both the server and client should
be built with OpenSSL 1.1.1 and use TLS version >= 1.2

Tested on Windows 7 client against a Linux server.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1548863600-491-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18188.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: Move OpenSSL vs CNG signature digest type mapping to a function
Selva Nair [Fri, 7 Dec 2018 19:17:37 +0000 (14:17 -0500)] 
Move OpenSSL vs CNG signature digest type mapping to a function

Also add a function to map OpenSSL padding identifier to
corresponding CNG constant.

This is to help add support for additional padding
types: only refactoring, no functional changes.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1544210258-8754-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17999.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: Rename tls_crypt_v2_read_keyfile into generic pem_read_key_file
Arne Schwabe [Tue, 22 Jan 2019 15:03:28 +0000 (16:03 +0100)] 
Rename tls_crypt_v2_read_keyfile into generic pem_read_key_file

The function is fairly generic and to avoid duplicating the same
functionality move the function to crypto.c and change fixed string to
be the same as the pem_name parameter.

Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190122150333.1061-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20190122150333.1061-1-arne@rfc2549.org

Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: Detect missing TAP driver and bail out gracefully
Simon Rozman [Wed, 19 Dec 2018 20:26:11 +0000 (21:26 +0100)] 
Detect missing TAP driver and bail out gracefully

When no TUN/TAP driver is installed an interface cannot be created. This
patch detects this condition and bails out with an error message.

This also fixes a typo in one of the error messages.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181219202611.2144-4-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18038.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: Fix tls-auth/crypt in connection blocks with --persist-key
Steffan Karger [Sat, 19 Jan 2019 10:34:00 +0000 (11:34 +0100)] 
Fix tls-auth/crypt in connection blocks with --persist-key

If --persist-key was used, we would always try to pre-load the 'global'
tls-auth/crypt file. That would result in using the wrong key (leading
to a failed connection) or an error if there was no 'global' key:

  Sat Jan 19 11:09:01 2019 Cannot pre-load tls-auth keyfile ((null))
  Sat Jan 19 11:09:01 2019 Exiting due to fatal error

Fix that by loading the key from the current connection entry.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20190119103400.12887-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18123.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: crypto_openssl.c: fix heap-buffer-overflow found by AddressSanitizer
Lev Stipakov [Tue, 22 Jan 2019 13:41:03 +0000 (15:41 +0200)] 
crypto_openssl.c: fix heap-buffer-overflow found by AddressSanitizer

OpenSSL's version of crypto_pem_encode() uses the PEM_write_bio()
function to write PEM-encoded data to a BIO object. That method doesn't
add a NUL terminator, unlike its mbedTLS counterpart
mbedtls_pem_write_buffer().

The code which uses PEM data treats it as a string, so the missing NUL
terminator makes the sanitizer complain.

Fix by adding a NUL terminator.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1548164463-13366-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18141.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: White-list pull-filter and script-security in interactive service
Selva Nair [Tue, 22 Jan 2019 15:50:32 +0000 (10:50 -0500)] 
White-list pull-filter and script-security in interactive service

This allows the Windows GUI to use these options on the command
line without triggering user authorization errors.

Useful for
(i) ignoring certain pushed options such as "route-method" which
could otherwise bypass the interactive service
(ii) enforcing a safer script-security setting from the GUI

See also:
https://github.com/OpenVPN/openvpn-gui/issues/235#issuecomment-456142928

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1548172232-11268-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18154.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: test_tls_crypt.c: fix global-buffer-overflow found by AddressSanitizer
Lev Stipakov [Tue, 22 Jan 2019 13:34:20 +0000 (15:34 +0200)] 
test_tls_crypt.c: fix global-buffer-overflow found by AddressSanitizer

When writing data to the buffer we incorrectly specify the source length:
sizeof for a pointer returns 8, but the actual buffer length is 1.

Fix by replacing the empty global string with a local string literal and
specifying the correct length.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1548164060-13144-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18140.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: Strip _stdcall suffixes (@nn) for 32-bit builds
Simon Rozman [Tue, 1 Jan 2019 23:35:47 +0000 (00:35 +0100)] 
Strip _stdcall suffixes (@nn) for 32-bit builds

This makes DLL exported function names consistent between 32 and 64-bit
builds.

Signed-off-by: Simon Rozman <simon@rozman.si>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190101233547.10100-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18077.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: Uncrustify tapctl and openvpnmsica
Simon Rozman [Wed, 19 Dec 2018 20:26:10 +0000 (21:26 +0100)] 
Uncrustify tapctl and openvpnmsica

Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181219202611.2144-3-simon@rozman.si>
URL: https://www.mail-archive.com/search?l=mid&q=20181219202611.2144-3-simon@rozman.si
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: Extend FindSystemInfo custom action to detect OpenVPNService state
Simon Rozman [Wed, 19 Dec 2018 20:26:09 +0000 (21:26 +0100)] 
Extend FindSystemInfo custom action to detect OpenVPNService state

Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181219202611.2144-2-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18039.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: Make DriverCertification MSI property public
Simon Rozman [Wed, 19 Dec 2018 20:26:08 +0000 (21:26 +0100)] 
Make DriverCertification MSI property public

Making DriverCertification public (containing only upper-case letters)
allows the property set by FindSystemInfo custom action to be passed
from InstallUISequence sequence to InstallExecuteSequence. This
eliminates the need to execute FindSystemInfo in both sequences.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181219202611.2144-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18037.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: Add MSI custom actions to close and relaunch OpenVPN GUI
Simon Rozman [Tue, 27 Nov 2018 00:28:08 +0000 (01:28 +0100)] 
Add MSI custom actions to close and relaunch OpenVPN GUI

These custom actions are used by MSI setup to close OpenVPN GUI before
performing an upgrade and relaunch it afterwards.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181127002808.19200-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17959.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago: Add detection of active VPN connections for MSI packages
Simon Rozman [Wed, 21 Nov 2018 16:36:53 +0000 (17:36 +0100)] 
Add detection of active VPN connections for MSI packages

This patch adds a simple up/down detection for each TAP interface found.
All "up" TAP interface IDs are listed as an `ACTIVETAPINTERFACES` MSI
property.

This allows MSI packages to test for active VPN connections on updates.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181121163653.4904-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17942.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago Delete TAP interface before the TAP driver is uninstalled
Simon Rozman [Mon, 12 Nov 2018 12:22:44 +0000 (13:22 +0100)] 
Delete TAP interface before the TAP driver is uninstalled

The previous version of MSI installer did:
- Execution Pass:       rename the TAP interface to some temporary name
- Commit/Rollback Pass: delete the TAP interface / rename the interface
                        back to original name

However, the WiX Toolset's Diffx extension to install and remove drivers
removed the TAP driver between the execution and commit passes. The TAP
driver removal makes all TAP interfaces unavailable and our custom
action couldn't find the interface to delete any more.

While the system where OpenVPN was uninstalled didn't have any TAP
interfaces any more, as expected, the problem appears after
reinstalling OpenVPN. Some residual TAP interface registry keys
remain on the system, causing the TAP interface to reappear as an "Ethernet
NN" interface the next time the TAP driver is installed. This causes TAP
interfaces to accumulate when cycling install-uninstall-install...

Therefore, it is better to remove the TAP interfaces before the TAP
driver is removed, and reinstall the TAP interface back should the
rollback be required. Though it won't be exactly the same interface
again.

I wonder if the WiX Diffx extension supports execute/commit/rollback
feature of MSI in the first place.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181112122246.13556-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17906.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago Make MSI custom action debug pop-up more informative
Simon Rozman [Mon, 12 Nov 2018 12:22:46 +0000 (13:22 +0100)] 
Make MSI custom action debug pop-up more informative

Each MSI custom action pops up a message box in the _DEBUG version
before commencing execution. This opens a time window for the developer to
attach a debugger to the msiexec.exe process and set breakpoints before the
custom action proceeds with execution.

While those pop-up dialogs are targeted at a limited audience, they were
very sparse. With this patch, they become more informative and they also
provide the PID of the msiexec.exe process to attach the debugger to.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181112122246.13556-3-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17907.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago Change C++ to C comments
Simon Rozman [Mon, 12 Nov 2018 12:22:45 +0000 (13:22 +0100)] 
Change C++ to C comments

Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181112122246.13556-2-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17908.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago Detect TAP interfaces with root-enumerated hardware ID
Simon Rozman [Tue, 16 Oct 2018 10:26:27 +0000 (12:26 +0200)] 
Detect TAP interfaces with root-enumerated hardware ID

This patch extends the TAP interface enumeration to detect the TAP
interfaces registered using the "root\tap0901" hardware ID. Before, only TAP
interfaces with the legacy "tap0901" HWID were detected by openvpn.exe.

The openvpnmsica.dll and tapctl.exe install TAP interfaces using
root-enumerated HWIDs, which were not detected by openvpn.exe.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181016102627.18676-5-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17762.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago Add MSI custom action for reliable Windows 10 detection
Simon Rozman [Tue, 16 Oct 2018 10:26:26 +0000 (12:26 +0200)] 
Add MSI custom action for reliable Windows 10 detection

This patch introduces a `FindSystemInfo()` MSI custom action to reliably
detect Windows 10. The MSI built-in properties for Windows version
detection depend on the bootstrapper's manifest. We could provide our own
Windows 10 compatible EXE bootstrapper, but that would cover the
Windows 10 detection in the `InstallUISequence` only. The
`InstallExecuteSequence`, which is launched by msiexec.exe and which we cannot
tamper with, would still report `VersionNT` as Windows 8 (603).
Acked-by: Jon Kunkee <jkunkee@microsoft.com>
Message-Id: <20181016102627.18676-4-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17763.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago Define _WIN32_WINNT=_WIN32_WINNT_VISTA in MSVC
Simon Rozman [Tue, 16 Oct 2018 10:26:25 +0000 (12:26 +0200)] 
Define _WIN32_WINNT=_WIN32_WINNT_VISTA in MSVC

This makes MSVC and MinGW build environments more alike.
Acked-by: Jon Kunkee <jkunkee@microsoft.com>
Message-Id: <20181016102627.18676-3-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17764.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago Prevent __stdcall name mangling of MSVC
Simon Rozman [Tue, 16 Oct 2018 10:26:24 +0000 (12:26 +0200)] 
Prevent __stdcall name mangling of MSVC

Using `extern "C" __declspec(dllexport) __stdcall`, the Win32 MSVC compiler
exports the functions as `_name@N`. Exporting functions using the
`/EXPORT` linker flag allows us to specify the exact function name.

Note: The 64-bit MSVC compiler does not exhibit `__stdcall` name
mangling.
Acked-by: Jon Kunkee <jkunkee@microsoft.com>
Message-Id: <20181016102627.18676-2-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17765.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago Set output name to libopenvpnmsica.dll in MSVC builds too
Simon Rozman [Tue, 16 Oct 2018 10:26:23 +0000 (12:26 +0200)] 
Set output name to libopenvpnmsica.dll in MSVC builds too

On MinGW builds, Libtool produces libopenvpnmsica.dll. The MSVC
properties were updated to match this.
Acked-by: Jon Kunkee <jkunkee@microsoft.com>
Message-Id: <20181016102627.18676-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17766.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago Introduce tapctl.exe utility and openvpnmsica.dll MSI CA
Simon Rozman [Wed, 10 Oct 2018 19:23:37 +0000 (21:23 +0200)] 
Introduce tapctl.exe utility and openvpnmsica.dll MSI CA

The tapctl.exe utility is a future replacement for the devcon.exe/
tapinstall.exe utility. While this utility does not offer TAP driver
installation or upgrading, its purpose is to manipulate TAP virtual
network interfaces on Windows. In the long term, its code could be
integrated into openvpn.exe with `--mktun` and `--rmtun`.

The openvpnmsica.dll provides additional MSI custom actions for TUN/TAP
interface creation on install. The interface creation is customizable
using the `TAPInterface` MSI table and is fully compliant with MSI's
deferred processing, commit and rollback. Detailed instructions and
documentation are to be published when MSI packaging is completed.

Those utilities were placed into the openvpn repository to join the
established compile-sign-package OpenVPN workflow.

Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181010192337.6984-1-simon@rozman.si>
URL: https://www.mail-archive.com/search?l=mid&q=20181010192337.6984-1-simon@rozman.si

Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago Add send_control_channel_string_dowork variant
Arne Schwabe [Mon, 14 Jan 2019 15:48:16 +0000 (16:48 +0100)] 
Add send_control_channel_string_dowork variant

The send_control_channel_string_dowork variant does not schedule
the sending of the actual and can be used where struct context is not
available.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190114154819.6064-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18092.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago Refactor tls_crypt_v2_write_server_key_file into crypto.c
Arne Schwabe [Mon, 14 Jan 2019 15:48:15 +0000 (16:48 +0100)] 
Refactor tls_crypt_v2_write_server_key_file into crypto.c

This allows the method to be reused for generating other types of keys
that should also not be reused as tls-crypt/tls-auth keys.
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20190114154819.6064-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18090.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago Fix loading inline tls-crypt-v2 keys with mbed TLS
Arne Schwabe [Mon, 14 Jan 2019 15:48:14 +0000 (16:48 +0100)] 
Fix loading inline tls-crypt-v2 keys with mbed TLS

Using a tls-crypt-v2 key with mbed TLS inline results in

PEM decode error: source buffer not null-terminated

This is because the mbed TLS PEM decode function expects the last byte
in the buffer to be 0x00. When constructing the buffer we only made it as
big as strlen, which does not include the 0x00 byte of a string. Add an
extra byte to ensure the null byte is also included in the buffer.
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20190114154819.6064-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18091.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago Extend tls-crypt-v2 unit tests
Steffan Karger [Wed, 16 Jan 2019 15:24:50 +0000 (16:24 +0100)] 
Extend tls-crypt-v2 unit tests

This commit adds two tests for tls-crypt-v2 to verify the client and
server key generation. These are introduced primarily as a regression
test for the off-by-one bug fixed by Arne in tls_crypt_v2_read_keyfile()
recently (no commit hash available, patch has not been applied yet).

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <E1gjn4T-0003e9-LN@sfs-ml-1.v29.lw.sourceforge.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18095.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago Fix error message when using RHEL init script
Richard van den Berg via Openvpn-devel [Fri, 21 Dec 2018 06:43:28 +0000 (07:43 +0100)] 
Fix error message when using RHEL init script

In RHEL 7 /etc/sysconfig/network is no longer used (still there but
empty). This results in the following error when openvpn starts:

Dec 20 09:01:25 localhost openvpn: /etc/rc.d/init.d/openvpn:
  line 94: [: =: unary operator expected

Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <c042fd01f62d707477c37e0298e303f1@vdberg.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18057.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago Stop complaining about IPv6 routes without gateway address.
Gert Doering [Wed, 5 Dec 2018 21:40:37 +0000 (22:40 +0100)] 
Stop complaining about IPv6 routes without gateway address.

The IPv6 routing code inherited assumptions and the message

   "OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6
    option and no default was specified by either --route-ipv6-gateway or
    --ifconfig-ipv6 options"

from the IPv4 routing code.

This was never really correct, as no gateway is needed for "into tun
device" IPv6 routes, and the "--route-ipv6-gateway" option it refers
to also never existed.  (Routes on tap interfaces *do* need a gateway
due to neighbour discovery being involved.  As do routes on Windows,
but there we fake the gateway in tun mode anyway).

While commit d24e1b179b95 introduces support for "--route-ipv6-gateway",
the message is still falsely triggered for IPv6 routes in tun mode.

Change the code to generally accept IPv6 routes with no gateway
specification (so "--block-ipv6 --redirect-gateway ipv6" can work
without additional config).  When installing IPv6 routes, check
if a gateway is needed (tap mode) but missing, and if yes, print
correct message.

Trac: #1143

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20181205214037.70783-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17990.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago Add 'printing of port number' to mroute_addr_print_ex() for v4-mapped v6.
Gert Doering [Fri, 7 Dec 2018 12:33:03 +0000 (13:33 +0100)] 
Add 'printing of port number' to mroute_addr_print_ex() for v4-mapped v6.

For whatever reason, this function never printed port numbers for
IPv6 addresses (but it did for IPv4) - which creates a bit of
confusion for IPv6-mapped v4 addresses on a dual stack socket,
that will have ports numbers printed or not, depending on whether
it's a dual-stack v6 socket or single-stack v4.

This will not(!) add printing of port numbers for "proper" v6
addresses yet, because that might have adverse side effects to address
parsing elsewhere.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20181207123303.70827-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17996.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago uncrustify openvpn/ sources
Gert Doering [Fri, 30 Nov 2018 13:56:41 +0000 (14:56 +0100)] 
uncrustify openvpn/ sources

There are an amazing number of brackets that were either
totally missing, or have snuck up on the "for(...){"
line.  Further, uncrustify wants "|" in multi-line
logical expressions now at the beginning of the new
line, and "PRIi64" now gets surrounding spaces.

Added "sp_after_semi_for_empty=Add" to uncrustify.conf
to leave a few for() statements alone that look better
the way they are.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20181130135641.11533-3-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17970.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
6 years ago uncrustify openvpnserv/ sources
Gert Doering [Fri, 30 Nov 2018 13:56:40 +0000 (14:56 +0100)] 
uncrustify openvpnserv/ sources

These are really just whitespace changes, but they will make
running uncrustify as a pre-commit check easier if the
"base sources" won't see changes.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20181130135641.11533-2-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17971.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
6 years ago Uncrustify sample-plugin sources according to code style
Gert Doering [Fri, 30 Nov 2018 13:56:39 +0000 (14:56 +0100)] 
Uncrustify sample-plugin sources according to code style

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20181130135641.11533-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17969.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
6 years ago Fallback to password authentication when auth-token fails
Arne Schwabe [Wed, 10 Oct 2018 14:30:51 +0000 (16:30 +0200)] 
Fallback to password authentication when auth-token fails

Under some circumstances, the auth-token stored by a client may not
be valid anymore.

For example, if the server is restarted, the client will try to
reconnect and resend the old token during authentication. Unfortunately
this attempt will fail, because the server does not keep track of tokens
used during previous runs.

With the current behaviour, depending on how auth-retry was configured,
the client will either just quit, prompt the user for username and password
as the original values are overwritten by the token, or endlessly fail
authentication by sending the old token over and over.

This patch changes the behaviour of the client so that, upon failed
authentication using a token, it will drop the token, perform a soft
restart (USR1) and attempt re-authenticating with the original password
provided by the user if auth-nocache was not specified.

Patch V2: properly formatted commit message, fix openvpn3 detection

Patch V3: remove all server changes, include only minimal non
intrusive client changes that only improve error recovery but don't
change overall behaviour.

Patch V4: forgot to add push.c to the git index, now also included

Patch V5: fixes overlong lines and one minor style problem.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20181010143051.27163-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17718.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago Adds support for setting the default IPv6 gateway for routes using the route-ipv6...
James Bekkema [Mon, 23 Jul 2018 03:28:31 +0000 (13:28 +1000)] 
Adds support for setting the default IPv6 gateway for routes using the route-ipv6-gateway option.

Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <777939F9-A753-4A66-B40E-1346AFD588DE@sparklabs.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17290.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago Implement block-ipv6
Arne Schwabe [Mon, 3 Dec 2018 16:48:18 +0000 (17:48 +0100)] 
Implement block-ipv6

This can be used to redirect all IPv6 traffic to the tun interface,
effectively black-holing the IPv6 traffic. Without ICMPv6 error
messages this will result in timeouts when the server does not send
error codes.  block-ipv6 allows client-side only blocking on all
platforms on which OpenVPN supports IPv6. On Android it is the only way to do
sensible IPv6 blocking on Android < 5.0 and broken devices (Samsung).

PATCH V6:
- Rebase on master and run uncrustify on the patch

PATCH V5:
- Fix even more style issues by Antonio
- Remove check for dev == tun as this also works for tap

PATCH V4:
- Fix more style issues reported by Antonio
- Clarify parts of the patch in comments and manpage

PATCH V3:
- Fix style issues reported by Antonio and accidentally committed parts
- merge udp_checksum and ipv6_checksum into common ip_checksum method
- Use fake ff80::7 address when no other address is configured.
- Make block-ipv6 also work for the server by replying block-ipv6 to all
  ipv6 traffic sent to the server

Note that for the server the process_ip happens before the ipv6 route
lookup, so every ipv6 packet, regardless of its source address, is
replied to with a no route to host packet.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181203164818.15756-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17977.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago Add tls-crypt-v2 to the list of supported inline options
Arne Schwabe [Tue, 4 Dec 2018 16:05:02 +0000 (17:05 +0100)] 
Add tls-crypt-v2 to the list of supported inline options

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20181204160502.1089-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17980.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago Remove deprecated --compat-x509-names and --no-name-remapping
Steffan Karger [Wed, 24 Oct 2018 10:12:05 +0000 (12:12 +0200)] 
Remove deprecated --compat-x509-names and --no-name-remapping

As promised, remove these options for OpenVPN 2.5.

If a user still uses these, print an error that the user should update its
configuration. Just printing a warning would cause much more confusing
errors, somewhere in the middle of a failed connection attempt because the
(non-compat) names no longer match the expected names.

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1540375925-6111-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17804.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago tls-crypt-v2: fix client reconnect bug
Steffan Karger [Wed, 31 Oct 2018 13:07:16 +0000 (14:07 +0100)] 
tls-crypt-v2: fix client reconnect bug

As reported by tincantech on the openvpn-devel IRC channel, a tls-crypt-v2
client could be caused to trigger an assert in tls_crypt_wrap() because the
client key might not be correctly initialized after a reconnect attempt.

This was caused by code that was written before the connection-block
tls-auth/tls-crypt logic was integrated (57d6f103), rebased on that change,
but not sufficiently changed to be compatible with the new logic.

This commit fixes that bug.

Note that I also moved the violating hunk of code to the same function
where the tls-auth and tls-crypt (v1) keys are initialized. Once moved
there, it is immediately clear that v2 didn't follow the same (new) logic.

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Tested-by: Richard Bonhomme <tincanteksup@gmail.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <1540991236-4016-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17866.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago tls-crypt-v2: clarify --tls-crypt-v2-genkey man page section
Steffan Karger [Wed, 31 Oct 2018 10:22:57 +0000 (11:22 +0100)] 
tls-crypt-v2: clarify --tls-crypt-v2-genkey man page section

As kitsune1 mentioned in IRC, this section should explain that
"--tls-crypt-v2-genkey client" requires the user to supply the server
key using "--tls-crypt-v2".

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <1540981377-22752-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17865.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago tls-crypt: properly cast time_t to uint64_t
Antonio Quartulli [Wed, 31 Oct 2018 16:01:24 +0000 (00:01 +0800)] 
tls-crypt: properly cast time_t to uint64_t

The exact type of time_t is platform dependent and therefore
can't be assumed to be uint64_t all the time.

For example, on 32bit platforms, where time_t is defined as long
(32bit), the compiler will generate the following warning, due
to the arithmetic used in the macro:

tls_crypt.c:745:29: warning: shift count >= width of type
[-Wshift-count-overflow]

Force time_t to be parsed as uint64_t.

Reported-by: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20181031160124.26972-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17868.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago Correct error message for --tls-crypt-v2-genkey client
tincanteksup [Tue, 30 Oct 2018 23:20:32 +0000 (23:20 +0000)] 
Correct error message for --tls-crypt-v2-genkey client

Signed-off-by: Richard Bonhomme <tincanteksup@gmail.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <87a06f64-26df-d1f2-3039-08f8addfaa3b@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17862.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago Declare Windows version of openvpn_execve() before use
Selva Nair [Thu, 25 Oct 2018 03:05:16 +0000 (23:05 -0400)] 
Declare Windows version of openvpn_execve() before use

Commit bf97c00f7dba441b504881f38e40afcbb610a39f moved
the generic openvpn_execve() to run_command.c and made it static.
But the Windows version is still in win32.c and is called from
run_command.c.

Fix by declaring the function in win32.h

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1540436716-5725-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17825.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago tls-crypt-v2: add script hook to verify metadata
Steffan Karger [Mon, 22 Oct 2018 11:45:15 +0000 (13:45 +0200)] 
tls-crypt-v2: add script hook to verify metadata

To allow rejecting incoming connections very early in the handshake,
add a --tls-crypt-v2-verify option that allows administrators to
run an external command to verify the metadata from the client key.
See doc/tls-crypt-v2.txt for more details.

Because of the extra dependencies, this requires adding a mock
parse_line() to the tls-crypt unit tests.  Also, this turns tls_wrap_free
into a static inline function, so that we don't need to compile in ssl.c
(and all of its dependencies) with the unit tests.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <1540208715-14044-6-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17789.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
6 years ago tls-crypt-v2: implement tls-crypt-v2 handshake
Steffan Karger [Mon, 22 Oct 2018 11:45:14 +0000 (13:45 +0200)] 
tls-crypt-v2: implement tls-crypt-v2 handshake

This makes clients send-and-use, and servers receive-unwrap-and-use
tls-crypt-v2 client keys, which completes the on-the-wire work.

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <1540208715-14044-5-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17787.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
6 years ago tls-crypt-v2: add P_CONTROL_HARD_RESET_CLIENT_V3 opcode
Steffan Karger [Mon, 22 Oct 2018 11:45:13 +0000 (13:45 +0200)] 
tls-crypt-v2: add P_CONTROL_HARD_RESET_CLIENT_V3 opcode

Not used yet, but prepare for sending and receiving tls-crypt-v2 handshake
messages.

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <1540208715-14044-4-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17790.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
6 years ago tls-crypt-v2: add unwrap_client_key
Steffan Karger [Mon, 22 Oct 2018 11:45:12 +0000 (13:45 +0200)] 
tls-crypt-v2: add unwrap_client_key

Add helper functions to unwrap tls-crypt-v2 client keys.

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <1540208715-14044-3-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17791.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
6 years ago tls-crypt-v2: generate tls-crypt-v2 keys
Steffan Karger [Mon, 22 Oct 2018 11:45:11 +0000 (13:45 +0200)] 
tls-crypt-v2: generate tls-crypt-v2 keys

As a first step towards a full tls-crypt-v2 implementation, add
functionality to generate tls-crypt-v2 client and server keys.

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <1540208715-14044-2-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17792.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
6 years ago tls-crypt-v2: add specification to doc/
Steffan Karger [Mon, 22 Oct 2018 11:45:10 +0000 (13:45 +0200)] 
tls-crypt-v2: add specification to doc/

This is a preliminary description of tls-crypt-v2.  It should give a good
impression about the reasoning and design behind tls-crypt-v2, but might
need some polishing and updating.

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <1540208715-14044-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17788.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
6 years ago Add message explaining early TLS client hello failure
Arne Schwabe [Wed, 26 Sep 2018 12:01:59 +0000 (14:01 +0200)] 
Add message explaining early TLS client hello failure

In my tests an OpenSSL 1.1.1 server does not accept TLS 1.0 only clients
anymore. Unfortunately, Debian 8 still has OpenVPN 2.3.4, which is
TLS 1.0 only without setting tls-version-min.

We currently log only
OpenSSL: error:14209102:SSL
routines:tls_early_post_process_client_hello:unsupported protocol
which indicates the right technical error but is not very helpful to a
person without deep knowledge in SSL/TLS and OpenVPN's TLS version
history.

This commit adds a hopefully helpful message and also tells users how
to fix the old Debian 8 clients. The error message will be displayed on
the server side only.

Note that connecting with an OpenSSL 1.1.1 client to a TLS 1.0 only
server works fine.

This behaviour is also not specific to OpenVPN. Using an openssl s_client
with the -tls1 option against an openssl s_server exhibits the same
behaviour.

Patch V2: fixed message grammar, use tls-version-min 1.0 and clarify
2.3.6 and older to be actually between 2.3.2 and 2.3.6

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20180926120159.19874-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17491.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
6 years ago Wrap openvpn_swprintf into Windows define
Lev Stipakov [Tue, 23 Oct 2018 14:51:28 +0000 (17:51 +0300)] 
Wrap openvpn_swprintf into Windows define

Commit 43a5a4f3b4e411419639c195fee8a76495fdc88e added a
vswprintf() call which turned out to be missing in OpenBSD 4.9.

Since that call is inside the openvpn_swprintf() function which
is only used by Windows, wrap that function in #ifdef _WIN32.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <1540306288-23847-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17799.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago Introduce openvpn_swprintf() with nul termination guarantee
Lev Stipakov [Mon, 22 Oct 2018 10:19:31 +0000 (13:19 +0300)] 
Introduce openvpn_swprintf() with nul termination guarantee

Every call to swprintf is followed by a line which adds a nul terminator.
This patch introduces openvpn_swprintf() which guarantees nul termination
for size > 0.

Same approach as for snprintf / openvpn_snprintf.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <1540203571-17646-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17786.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years ago ifconfig-ipv6(-push): allow using hostnames
Antonio Quartulli [Sun, 3 Dec 2017 04:14:26 +0000 (12:14 +0800)] 
ifconfig-ipv6(-push): allow using hostnames

Similarly to ifconfig(-push), its IPv6 counterpart is now able to
accept hostnames as well instead of IP addresses in numeric form.

Basically this means that the user is now allowed to specify
something like this:

ifconfig-ipv6-push my.hostname.cx/64

This is exactly the same behaviour that we already have with
ifconfig(-push).

The generic code introduced in this patch will be later used to
implement the /bits parsing support for IPv4 addresses.

Trac: #808
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20171203041426.25316-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15969.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
6 years ago buffer_list_aggregate_separator(): simplify code
Steffan Karger [Fri, 29 Dec 2017 09:54:31 +0000 (10:54 +0100)] 
buffer_list_aggregate_separator(): simplify code

Clean up the function by slightly simplifying the logic.

Mostly whitespace changes, so best reviewed using 'git diff -w'.

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <1514541271-19597-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16105.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
6 years agoRefuse mbed TLS external key with non RSA certificates
Arne Schwabe [Mon, 8 Oct 2018 21:41:23 +0000 (23:41 +0200)] 
Refuse mbed TLS external key with non RSA certificates

The current API that we use (mbedtls_pk_setup_rsa_alt) only allows
using RSA keys with the external API. Using an EC, mbed TLS and external
key in OpenVPN will fail very late with a rather obscure error message.

Instead fail early and provide a clear message that only RSA keys are
supported.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20181008214123.10819-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17671.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
6 years agobuffer_list: add functions documentation
Antonio Quartulli [Wed, 10 Oct 2018 08:37:31 +0000 (16:37 +0800)] 
buffer_list: add functions documentation

bufferlist_* functions have no documentation whatsoever and the name is
not always enough to fully understand what the function is doing.
For this reason and for the sake of having better documented code, add
function doc in buffer.h.

Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20181010083731.31132-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17701.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
6 years agoUse right function to set TLS1.3 restrictions in show-tls
Arne Schwabe [Thu, 11 Oct 2018 22:06:39 +0000 (00:06 +0200)] 
Use right function to set TLS1.3 restrictions in show-tls

The last version of the patch used the TLS1.2 version
tls_ctx_restrict_ciphers to set the restrictions for both
TLS 1.3 and TLS1.2 instead of using tls_ctx_restrict_ciphers_tls13
for TLS1.3.

Also fix a minor style problem while I am touching the function.

Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181011220639.7316-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17755.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years agoAdd better support for showing TLS 1.3 ciphersuites in --show-tls
Arne Schwabe [Wed, 10 Oct 2018 15:36:24 +0000 (17:36 +0200)] 
Add better support for showing TLS 1.3 ciphersuites in --show-tls

--show-tls shows mixed TLS 1.3 and TLS 1.2 ciphers.  The listed ciphers
are only valid in either --tls-cipher or --tls-ciphersuites, but it's
not clear which is which. This is confusing and not really helpful.

This patch modifies show-tls to show separate lists for TLS 1.2 and
TLS 1.3.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20181010153624.27957-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17723.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years agooptions.c: fix broken unary minus usage
Lev Stipakov [Thu, 11 Oct 2018 11:51:42 +0000 (14:51 +0300)] 
options.c: fix broken unary minus usage

In Visual Studio when unary minus is applied to unsigned, the
result is still unsigned. This means that when we use the result
as a function formal parameter, we pass an incorrect value.

Fix by introducing frame_remove_from_extra_frame(),
which makes the code semantically clearer and eliminates
the need for a negative value and cast.

Since GCC didn't complain (and users too :), it probably performed
the cast to signed automatically.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1539258702-15427-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17739.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
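An added illustration of the integer behaviour behind this commit, written for this page and not taken from OpenVPN's frame code. One caveat first: unary minus on an unsigned int yields an unsigned int under the C standard on every compiler, not only in Visual Studio; MSVC is simply the compiler that warns about it (C4146). The value only looks negative again if it is converted back to a signed type of the same width, and if it is converted to a wider parameter it stays a large positive number. The struct frame, frame_add_to_extra() and frame_remove_from_extra() below are hypothetical stand-ins for the explicit "remove" helper the message describes, with an underflow guard added.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* What a callee taking a 64-bit parameter actually receives for -(n). */
int64_t
negated_unsigned_as_int64(unsigned int n)
{
    unsigned int negated = -n;     /* modular: UINT_MAX + 1 - n, still unsigned */
    return (int64_t)negated;       /* widening keeps the large positive value */
}

/* What a callee taking an int receives for -(n): on two's complement
 * platforms the conversion (implementation-defined in C) gives -n, which
 * is why the original pattern appeared to work. */
int
negated_unsigned_as_int(unsigned int n)
{
    unsigned int negated = -n;
    return (int)negated;
}

/* Hypothetical frame-like structure with separate add/remove helpers. */
struct frame
{
    unsigned int extra_frame;
};

void
frame_add_to_extra(struct frame *f, unsigned int increment)
{
    f->extra_frame += increment;
}

/* Returns false and leaves the frame untouched if more would be removed
 * than is currently accounted for; an unchecked subtraction would wrap
 * to a huge value and later oversize every buffer built from it. */
bool
frame_remove_from_extra(struct frame *f, unsigned int decrement)
{
    if (decrement > f->extra_frame)
    {
        return false;
    }
    f->extra_frame -= decrement;
    return true;
}

/* Helpers for checking: add, then try to remove, report the outcome. */
unsigned int
demo_remaining(unsigned int add, unsigned int remove)
{
    struct frame f = { 0 };
    frame_add_to_extra(&f, add);
    frame_remove_from_extra(&f, remove);
    return f.extra_frame;
}

bool
demo_remove_ok(unsigned int add, unsigned int remove)
{
    struct frame f = { 0 };
    frame_add_to_extra(&f, add);
    return frame_remove_from_extra(&f, remove);
}

int
main(void)
{
    printf("-(5u) widened to int64: %lld\n",
           (long long)negated_unsigned_as_int64(5));
    printf("-(5u) converted to int: %d\n", negated_unsigned_as_int(5));
    printf("add 100, remove 40 -> %u (ok=%d)\n",
           demo_remaining(100, 40), demo_remove_ok(100, 40));
    printf("add 10, remove 40  -> %u (ok=%d)\n",
           demo_remaining(10, 40), demo_remove_ok(10, 40));
    return 0;
}
```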
6 years agoFix mbedtls unit tests
Steffan Karger [Wed, 10 Oct 2018 06:44:43 +0000 (08:44 +0200)] 
Fix mbedtls unit tests

Commit 674b166 ("Fix build warnings related to get_random()") broke the
unit tests for mbedtls, because <mbedtls/cipher.h> was now included via
platform.c -> crypto.h -> crypto_backend.h, but the crypto cflags were
not included for that unit tests.

Since we got rid of --disable-crypto, we can now fix this by simply always
including the CRYPTO_CFLAGS in the TEST_CFLAGS (and the CRYPTO_LIBS in the
TEST_LDFLAGS). This should not only fix this occurrence, but also prevent
similar problems in the future.

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1539153883-15789-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17687.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years agombedtls: don't print unsupported ciphers in insecure cipher list
Steffan Karger [Thu, 11 Oct 2018 07:20:00 +0000 (09:20 +0200)] 
mbedtls: don't print unsupported ciphers in insecure cipher list

Commit 447997dd refactored the --show-ciphers code, but introduced a bug
in mbedtls builds where non-AEAD/CBC ciphers were printed too.  Those are
however unsupported (as openvpn will tell you when you try to use them).

This fixes that bug.

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1539242400-27614-1-git-send-email-steffan.karger@fox-it.com>
URL: https://sourceforge.net/p/openvpn/mailman/message/36438012/
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years agoList ChaCha20-Poly1305 as stream cipher
Steffan Karger [Tue, 9 Oct 2018 20:43:15 +0000 (22:43 +0200)] 
List ChaCha20-Poly1305 as stream cipher

As Antonio pointed out, "8-bit block cipher" is a bit funny. So teach
print_cipher() to print such cipher as "stream cipher".

Because I didn't want to write the same code twice, I decided to merge the
two print_cipher() implementations into one shared function. That should
make it easier to keep both backends consistent.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20181009204315.8262-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17682.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years agoAdd support for tls-ciphersuites for TLS 1.3
Arne Schwabe [Sun, 7 Oct 2018 21:55:39 +0000 (23:55 +0200)] 
Add support for tls-ciphersuites for TLS 1.3

OpenSSL 1.1.1 introduces a separate list for TLS 1.3 ciphers. As these
interfaces are meant to be user facing or not exposed at all and we
expose the tls-cipher interface, we should also expose tls-cipherlist.

Combining both settings into tls-cipher would add a lot of glue logic
that needs to be maintained and is error prone. On top of that, users
should not set either setting unless absolutely required.

OpenSSL's own s_client/s_server also expose both settings and I believe
most other software will too:

 -cipher val         Specify TLSv1.2 and below cipher list to be used
 -ciphersuites val   Specify TLSv1.3 ciphersuites to be used

For mbed TLS only the future can tell if we will see a combined or also
two separate lists.
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20181007215539.32761-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17626.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years agoRemove MANAGMENT_EXTERNAL_KEY, MANAGMENT_IN_EXTRA, ENABLE_CLIENT_CR
Arne Schwabe [Wed, 10 Oct 2018 14:25:27 +0000 (16:25 +0200)] 
Remove MANAGMENT_EXTERNAL_KEY, MANAGMENT_IN_EXTRA, ENABLE_CLIENT_CR

These defines are always defined when management is enabled.

We still have --disable-management as configure option, so we need
to replace these with ENABLE_MANAGEMENT in some cases.

PATCH v3: Rebase directly on master

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20181010142527.27025-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20181010142527.27025-1-arne@rfc2549.org
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years agointeractive.c: fix usage of potentially uninitialized variable
Lev Stipakov [Mon, 8 Oct 2018 18:12:58 +0000 (21:12 +0300)] 
interactive.c: fix usage of potentially uninitialized variable

In function netsh_dns_cmd() it is possible to jump on a label and
call free() on uninitialized pointer. Move pointer initialization
above jump.

To fix a few warnings which are treated as errors with SDL enabled,
initialize pointers with NULL.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <1539022378-24485-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17663.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years agoRemove AUTO_USERID feature
Arne Schwabe [Mon, 8 Oct 2018 18:16:16 +0000 (20:16 +0200)] 
Remove AUTO_USERID feature

There is no user facing way to enable this feature and the way that feature
works (username built from the MAC of the primary net device) is questionable.

It also does not compile anymore.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181008181618.8976-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17664.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years agobuild: Fix another compile warning in console_systemd.c
David Sommerseth [Mon, 8 Oct 2018 18:00:17 +0000 (21:00 +0300)] 
build: Fix another compile warning in console_systemd.c

console_systemd.c: In function ‘get_console_input_systemd’:
console_systemd.c:75:5: warning: implicit declaration of function ‘openvpn_popen’ [-Wimplicit-function-declaration]
     if ((std_out = openvpn_popen(&argv, NULL)) < 0)

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181008180017.31413-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17660.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years agobuild: Fix build warnings related to get_random()
David Sommerseth [Mon, 8 Oct 2018 16:56:48 +0000 (19:56 +0300)] 
build: Fix build warnings related to get_random()

This fixes this compile warning:

    platform.c: In function ‘platform_create_temp_file’:
    platform.c:355:31: warning: implicit declaration of function ‘get_random’ [-Wimplicit-function-declaration]
                                   prefix, (unsigned long) get_random(),

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181008165648.27504-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17652.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years agoman: correct a --redirection-gateway option flag
Samy Mahmoudi [Sun, 7 Oct 2018 22:35:47 +0000 (00:35 +0200)] 
man: correct a --redirection-gateway option flag

Replace "servers" with "peers" in the description
of the --redirection-gateway option flag local.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181007223544.GA2246@t520.my.lan>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17630.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
6 years agomsvc: Unify Unicode/MultiByte string setting across all cfg|plat
Simon Rozman [Mon, 8 Oct 2018 09:45:59 +0000 (11:45 +0200)] 
msvc: Unify Unicode/MultiByte string setting across all cfg|plat

The openvpnserv.vcxproj source code is Windows API Unicode compliant
with only Debug|x64 set to Unicode, while other cfg|plat pairs were set
to MultiByte.
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20181008094600.10164-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17633.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>