Arne Schwabe [Thu, 8 Feb 2024 08:57:49 +0000 (09:57 +0100)]
Add unit test for encrypting/decrypting data channel
This test is reusing code from --test-crypto but is modified to not rely
on the static key functionality and also only tests the most common
algorithm. So it does not yet completely replace --test-crypto
Change-Id: Ifa5ae96165d17b3cae4afc53e844bb34d1610e58 Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240208085749.869-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28195.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Kristof Provost [Wed, 24 Jan 2024 15:27:39 +0000 (16:27 +0100)]
dco-freebsd: dynamically re-allocate buffer if it's too small
It's possible for the buffer we provide for OVPN_GET_PEER_STATS to be
too small. Handle the error, re-allocate a larger buffer and try again
rather than failing.
Signed-off-by: Kristof Provost <kprovost@netgate.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240124152739.28248-1-kprovost@netgate.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28128.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
documentation: Update and fix documentation for --push-peer-info
- description of IV_PROTO was outdated, missing a lot
of flags
- complete list of compression flags, but separate them out
- various other style/grammar/typo fixes
Change-Id: I7f854a5a14d2a2a391ebb78a2a92b3e14cfd8be6 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20240206141057.46249-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28178.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 1 Feb 2024 14:48:17 +0000 (15:48 +0100)]
Allow unit tests to fall back to hard coded location
Settings the environment variable required for running unit tests is
tiresome in my IDE (Clion). So allow unit tests to fall back to a hard
coded location in case the environment variable is not set.
Change-Id: Ide72b81f497088dd0fd2cdcfff83cbce5b48f145 Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240201144817.188884-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28161.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 23 Jan 2024 10:43:58 +0000 (11:43 +0100)]
Ensure that all unit tests use unbuffered stdout and stderr
stderr is normally always unbuffered but stdout can be buffered. Especially,
when stdout is redirected it will become buffered while it is normally
unbuffered when connected to a terminal. This mean that if the unit exits
prematurely, the output in the buffered output will be lost.
As the unit test x_msg mock implementation prints even fatal on stdout
we ensure with this setup method that stdout is also unbuffered.
Change-Id: I5c06dc13e9d8ab73997f79b13c30ee8949e5e993 Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240123104358.495517-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28122.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 22 Jan 2024 13:09:09 +0000 (14:09 +0100)]
Fix ssl unit tests on OpenSSL 1.0.2
OpenSSL 1.1.1 will initialise itself using clever linker magic. For
OpenSSL 1.0.2 we need to manually initialise the library. For other
unit tests just doing the OpenSSL_add_all_algorithms is enough but
this unit test needs a more complete initialisation.
Change-Id: I378081f391ad755d0a6fd5613de5c2a8bacc389a Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240122130909.10706-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28112.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
--http-proxy-user-pass: allow to specify in either order with --http-proxy
Previously, when using a third argument to --http-proxy other
than auto/auto-nct, order did matter between --http-proxy and
--http-proxy-user-pass. Always prefer --http-proxy-user-pass
when given.
Change-Id: I6f402db2fb73f1206fbc1139c47d2bf4378376fa Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240122092122.8591-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28099.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
NTLM: when NTLMv1 is requested, try NTLMv2 instead
Commit 21910ebc2ee8a6138eb2af8d38056d2b94e59f9c removed
support for NTLMv1 authentication. This adjusts the
behavior for existing configurations that specify
"ntlm" keyword.
Do not error out hard, instead just try to upgrade. This
should work fine in many cases and will avoid breaking
user configs unnecessarily on upgrade.
In addition it fixes an issue with the mentioned patch
where "auto" wasn't working correctly for NTLM anymore.
Change-Id: Iec74e88f86cd15328f993b6cdd0317ebda81563c Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240118151242.12169-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20240118151242.12169-1-gert@greenie.muc.de Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 18 Jan 2024 13:55:30 +0000 (14:55 +0100)]
Remove conditional text for Apache2 linking exception
With the reimplementation of the tls-export feature and removal/approval
or being trivial of the rest of the code, now all the code falls under
new license. Remove the conditional text of the license to be only valid
for parts of OpenVPN.
Fix various 'Uninitialized scalar variable' warnings from Coverity
These are all not actually problems, since the
uninitialized parts are either .unused members of the
struct (mroute_addr) or only written to (buflen), but
still doesn't hurt to explicitely initialize them.
Change-Id: I45cd0917d24570ae9e9db7eb6c370756e4595842 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231008103641.19864-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27157.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Wed, 17 Jan 2024 13:49:29 +0000 (14:49 +0100)]
cmake: symlink whole build dir not just .json file
It turned out that symlinking compile_commands.json from the top level
source dir has some issues:
* file is not created on Windows and symlinking may cause an error
* some IDEs create their own json and error out b/c a file exists
Since clangd also looks for the json in build/ directories by default,
we now symlink the whole build directory instead, not just the json file.
This approach requires for the existing build/ dir in the repo to
vanish. Luckily it only contains one automake include file, which is
moved to the top level source dir.
Lastly, make this an opt-in feature, so that the default configuration
of the buildsystem never causes a build failure because of this.
Change-Id: Ib1a5c788269949d8de95d1da2cb0c32a65bf13f2 Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240117134929.5317-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28061.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
NTLM: increase size of phase 2 response we can handle
With NTLMv2 the target information buffer can be rather large
even with normal domain setups.
In my test setup it was 152 bytes starting at offset 71.
Overall the base64 encode phase 2 response was 300 byte long.
The linked documentation has 98 bytes at offset 60. 128 byte
is clearly too low.
While here improve the error messaging, so that if the buffer
is too small at least one can determine that in the log.
Change-Id: Iefa4930cb1e8c4135056a17ceb4283fc13cc75c8 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240117090840.32621-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28040.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 16 Jan 2024 21:41:52 +0000 (22:41 +0100)]
Add test_ssl unit test and test export of PEM to file
This introduces a number of mock function to be able to compile
ssl_verify_*.c and ssl_mbedtls.c/ssl_openssl.c into a unit and adds
quite a number of files to that unit. But it allows similar unit tests
(in term of dependencies) to be added in the future.
Change-Id: Ie248d35d063bb6878f3dd42840c77ba0d6fa3381 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240116214152.27316-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28028.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 16 Jan 2024 13:18:31 +0000 (14:18 +0100)]
Use mingw compile definition also to unit tests
Currently we only apply the defines for windows APIs and Unicode to
OpenVPN itself. We should rather treat the unit tests the same as
our main binary to reduce potential differences.
Change-Id: Ie5aa643ab6190262f7c8b9e614bedb398e85859b Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240116131831.31217-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28019.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 16 Jan 2024 10:15:56 +0000 (11:15 +0100)]
Implement the --tls-export-cert feature
This is a re-implementation of the --tls-export-cert feature. This
was necessary to due to missing approval to re-license the old
(now removed) code. The re-implementation is based on the following
description of the feature provided by David:
Add an option to export certificate in PEM format of the remote
peer to a given directory.
For example: --tls-export-cert /var/tmp
This option should use a randomised filename, which is provided via a
"peer_cert" environment variable for the --tls-verify script or the
OPENVPN_PLUGIN_TLS_VERIFY plug-in hook.
Once the script or plugin call has completed, OpenVPN should delete
this file.
Change-Id: Ia9b3f1813d2d0d492d17c87348b4cebd0bf19ce2 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240116101556.2257-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28014.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 8 Jan 2024 17:13:49 +0000 (18:13 +0100)]
Move get_tmp_dir to win32-util.c and error out on failure
Currently we only warn in get_tmp_dir fails and set o->tmp_dir to
a null pointer. This will not be caught by check_file_access_chroot
either since that ignores NULL pointers but other parts of OpenVPN
will assume that tmp_dir is set to a non-NULL string.
Also move get_tmp_dir to win32-util.c to use it in unit tests.
Change-Id: I525ccf7872880367b248ebebb0ddc83551498042 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240108171349.15871-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27964.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Fri, 5 Jan 2024 13:57:42 +0000 (14:57 +0100)]
Fix IPv6 route add/delete message log level
We have D_ROUTE for route addition/deletion messages, which prints at
loglevel 3. Use that for IPv6, like we do for IPv4 to reduce terminal
spam for non-legacy-networking setups. Prvious code would print the
messages at --verb 1.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240105135742.21174-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27954.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 5 Jan 2024 14:05:40 +0000 (15:05 +0100)]
Make it more explicit and visible when pkg-config is not found
Users seem to struggle to read the full error message. This adds an
indication if pkg-config is actually found to the warning/error message
that use pkg-config.
On platforms that do not require pkg-config and for optional libraries,
the existence of pkg-config is mentioned as part of the error/warning message.
When found:
configure: error: libnl-genl-3.0 package not found or too old. Is the development package and pkg-config (/usr/bin/pkg-config) installed? Must be version 3.4.0 or newer for DCO
not found:
configure: error: libnl-genl-3.0 package not found or too old. Is the development package and pkg-config (not found) installed? Must be version 3.4.0 or newer for DCO
On platforms where pkg-config is required (only Linux at the moment),
configure will abort when not detecting pkg-config:
checking for pkg-config... no
configure: error: pkg-config is required
Change-Id: Iebaa35a23e217a4cd7739af229cbfc08a3d8854a Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20240105140540.14757-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27939.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 4 Jan 2024 14:02:14 +0000 (15:02 +0100)]
Check PRF availability on initialisation and add --force-tls-key-material-export
We now warn a user if the TLS 1.0 PRF is not supported by the cryptographic
library of the system. Also add the option --force-tls-key-material-export
that automatically rejects clients that do not support TLS Keying Material
Export and automatically enable it when TLS 1.0 PRF support is not available.
Change-Id: I04f8c7c413e7cb62c726262feee6ca89c7e86c70 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240104140214.32196-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27924.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Mon, 1 Jan 2024 09:27:14 +0000 (10:27 +0100)]
get_default_gateway() HWADDR overhaul
commit f13331005d5a7 (gerrit/454) most painfully works around the limitations
of the SIOCGIFCONF API, with struct member access on an unaligned buffer,
possibly overrunning sockaddr structures, etc. - and the result still did
not work on OpenSolaris and OpenBSD (no AF_LINK in the returned elements).
Reading through OpenBSD "ifconfig" source, I found getifaddrs(3), which
is exactly what we want here - it works on FreeBSD, NetBSD, OpenBSD and
MacOS, and all returned pointers are properly aligned, so the code gets
shorter, easier to read, and UBSAN is still happy.
OpenSolaris does have getifaddrs(3), but (surprise) it does not work, as
in "it does not return AF_LINK addresses". It does have SIOCGIFHWADDR,
instead, and "man if_tcp" claims "should behave in a manner compatible
with Linux" - so TARGET_SOLARIS gets a copy of the Linux code now (works).
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20240101092714.18992-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27891.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Mon, 1 Jan 2024 09:40:54 +0000 (10:40 +0100)]
OpenBSD: repair --show-gateway
OpenBSD route sockets do not want to be passed RTA_IFP on RTM_GET
- if we do this, we get back EINVAL.
On other platforms, if we do not request RTA_IFP, we will not get
back interface information for queried routes - on OpenBSD, RTA_IFP
comes back always...
So we need to #ifdef this, RTA_IFP on all platforms except OpenBSD.
(Found this fix in OpenBSD's ports tree, in their patches for OpenVPN
2.6.8 - but they just remove RTA_IFP, no #ifdef, so we can't just apply
their patch)
While at it, add M_ERRNO to the "write to routing socket" error message.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20240101094054.38869-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27892.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sun, 31 Dec 2023 17:34:31 +0000 (18:34 +0100)]
Fix unaligned access in macOS, FreeBSD, Solaris hwaddr
The undefined behaviour USAN clang checker found this.
This fix is a bit messy but so are the original structures.
Since the API on Solaris/Illuminos does not return the AF_LINK
sockaddr type we are interested in, there is little value in
fixing the code on that platform to iterate through a list
that does not contain the element we are looking for.
Add includes stddef.h for offsetof and integer.h for max_int.
Change-Id: Ia797c8801fa9a9bc10b6674efde5fdbd7132e4a8 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231231173431.31356-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27885.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Due to the limitation of the protocol it is not
considered secure. Better to use basic auth instead
of a false sense of security. NTLM v2 remains
supported for now.
Change-Id: I0dcb2dac4136f194da7050a8ea8495e9faba9dd9 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231230143733.4426-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27862.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
yatta [Thu, 19 Oct 2023 17:12:13 +0000 (01:12 +0800)]
fix(ssl): init peer_id when init tls_multi
When openvpn run in UDP server mode, if ssl connections reach the
max clients, the next connection would be failed in `multi_create_instance`
and the half connection will be close in `multi_close_instance`, which
may lead array `m->instances[0]` covered unexpectedly and make the
first connection interrupt, this patch fix this problem by init `peer_id`
with `MAX_PEER_ID` in `tils_multi_init`.
Signed-off-by: yatta <ytzhang01@foxmail.com Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <tencent_C49D67EAA5678D180C293706A9469EFE8307@qq.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27260.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 13 Dec 2023 10:53:08 +0000 (11:53 +0100)]
Extend the error message when TLS 1.0 PRF fails
This error will probably become more and more common in the future when
more and more systems will drop TLS 1.0 PRF support. We are already
seeing people stumbling upon this (see GitHub issue #460)
are not very helpful for people that do not have deep understanding
of TLS or the OpenVPN protocol. Improve this message to give a normal
user a chance to understand that the peer needs to be OpenVPN 2.6.x or
newer.
Change-Id: Ib3b64b52beed69dc7740f191b0e9a9dc9af5b7f3 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231213105308.121460-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27796.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Wed, 20 Dec 2023 13:36:37 +0000 (14:36 +0100)]
tun.c: don't attempt to delete DNS and WINS servers if they're not set
Commits
1c4a47f7 ("wintun: set adapter properties via interactive service") 18826de5 ("Set WINS servers via interactice service")
added functionality of add/remove DNS/WINS via interactive
service, which is used mostly by dco-win and wintun (tap-windows6
normally uses DHCP). There is a check in code - if DNS/WINS addresses
are not pushed, nothing is added.
However, due to bug we always attempted to remove DNS/WINS,
even if nothing was added. Removing WINS, for example, could take
up to 3 seconds.
This change fixes this by improving check "has DNS/WINS been pushed?".
While on it, convert do_XXX_service() functions to "void" from "bool",
since we never check their return values.
Change-Id: I21a36d24f8e213c780f55acbe3e4df555c93542a Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231220133637.60996-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27843.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Wed, 20 Dec 2023 12:36:59 +0000 (13:36 +0100)]
cmake: create and link compile_commands.json file
CMake has support to create a json file which contains exact information
how each file in the project is compiled. This file can be consumed by
clangd, which in turn provides precise symbol information to IDEs for
better code navigation and contextual information.
I use it with vscode to be able to quickly switch between native Linux and
mingw builds and have the symbols info change dynamically with it. So
handy that I think it is useful for others as well.
Bump required CMake version for CREATE_LINK.
Change-Id: Ib14c1161b4b0c9df797b9932ad14739e202cea64 Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231220123659.55542-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27840.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Serial mode is the old one and offers much less options for
running the tests. Generally our tests seem to work fine
with the newer parallel mode. The only reason we stuck with
serial_tests seems to be that we didn't like that it doesn't
output the test output by default. We could fix that with a
custom test driver. But will put that into a separate commit.
Change-Id: Ic7265d89142637b0963a6847c6beb06d9163bbb1 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231214111635.237429-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27812.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Wed, 22 Nov 2023 19:00:57 +0000 (20:00 +0100)]
Remove superfluous x509_write_pem()
After removing --tls-export-cert, this function was left in the code
base with no other users. This was an oversight in the previous
change. Removing it to avoid leaving dead code behind.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231122190057.120384-1-dazo+openvpn@eurephia.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27561.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Wed, 22 Nov 2023 14:31:01 +0000 (15:31 +0100)]
Remove --tls-export-cert
As OpenVPN 2.6+ is doing some adoptions to the license text, all
prior contributors need to accept this new text. Unfortunately, Mathieu
Giannecchini who implemented the --tls-export-cert feature did not
respond at all. Without an explicit acceptance we need to remove this
feature to avoid potential legal complications.
If this is still a wanted feature, it will need to be re-implemented
from scratch.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231122143101.58483-1-dazo+openvpn@eurephia.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27557.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 28 Nov 2023 10:37:04 +0000 (11:37 +0100)]
Rename state_change to continue_tls_process
The name state_change is more confusing than helpful as it not really
indicates if there was a state change but rather if processing should
be continued. There even some states that are definitively state changes
(setting to_link buffer) that require continue_tls_process to be set
to false.
Change-Id: Ib6d713f2eb08a4c39d97de3e1a4a832cedc09585 Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20231128103704.61046-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27571.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 28 Nov 2023 10:39:50 +0000 (11:39 +0100)]
Remove compat versionhelpers.h and remove cmake/configure check for it
The cmake file defined that file to be never present in contrast to the
old msvc-config.h that always had it present.
Remove also the compat implementation taken from mingw. All our current
build environments already have that header in place.
Change-Id: I9c85ccab6d51064ebff2c391740ba8c2d044ed1a Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20231128103950.62407-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27573.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Recent autoconf warns:
configure.ac:448: warning: The macro `AC_TYPE_SIGNAL' is obsolete.
And it turns out that we do not actually use RETSIGTYPE.
Additionally, there is no reason to do so since as the
autoconf documentation says:
"These days, it is portable to assume C89, and that signal
handlers return void, without needing to use this macro or
RETSIGTYPE."
Change-Id: I7da7c2d7d34c7e5efd52d448646b4398a1005e77 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231128103740.61160-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27572.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 28 Nov 2023 10:43:59 +0000 (11:43 +0100)]
Fix check_session_buf_not_used using wrong index
The inner loop used i instead of j when iterating through the buffers.
Since i is always between 0 and 2 and ks->send_reliable->size is
(when it is defined) always 6 (TLS_RELIABLE_N_SEND_BUFFERS) this does not
cause an index of out bounds. So while the check was not doing anything
really useful with i instead of j, at least it was not crashing or
anything similar.
Noticed-By: Jon Williams (braindead-bf) on Github issue #449
Change-Id: Ia3d5b4946138df322ebcd9e9e77d04328dacbc5d Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231128104359.62967-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27576.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Add support for tls-crypt packets in protocol_dump(). Currently,
protocol_dump() will print garbage for tls-crypt packets.
This patch makes protocol_dump print the clear text parts of the packet such
as the auth tag and replay packet id. It does not try to print the wKc for
HARD_RESET_CLIENT_V3 or CONTROL_WKC_V1 packets. It also intentionally
does not print ENCRYPTED placeholders for ack list and DATA, to cut down
on the noise.
Signed-off-by: Reynir Björnsson <reynir@reynir.dk> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <8237adde-2523-9e48-5cd4-070463887dc1@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27310.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Max Fillinger [Wed, 15 Nov 2023 15:17:40 +0000 (16:17 +0100)]
Disable TLS 1.3 support with mbed TLS
As of version 3.5.0 the TLS-Exporter function is not yet implemented in
mbed TLS, and the exporter_master_secret is not exposed to the
application either. Falling back to an older PRF when claiming to use
TLS1.3 seems like false advertising.
Change-Id: If4e1c4af9831eb1090ccb3a3c4d3e76b413f0708 Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231115151740.23948-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27453.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Wed, 15 Nov 2023 12:06:23 +0000 (13:06 +0100)]
Make --dns options apply for tap-windows6 driver
When tap-windows6 driver is used, both --dhcp-option and
--dns options are applied with DHCP. When processing --dns options,
we don't set "tuntap_options.dhcp_options" member, which is required
for DHCP string to be sent to the driver. As a result, --dns options
are not applied at all.
Fix by adding missing assignment of tuntap_options.dhcp_options.
Github: fixes OpenVPN/openvpn#447
Change-Id: I24f43ad319bd1ca530fe17442d02a97412eb75c7 Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231115120623.6442-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27402.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 15 Nov 2023 10:33:31 +0000 (11:33 +0100)]
Do not check key_state buffers that are in S_UNDEF state
When a key_state is in S_UNDEF the send_reliable is not initialised. So
checking it might access invalid memory or null pointers.
Github: fixes OpenVPN/openvpn#449
Change-Id: I226a73d47a2b1b29f7ec175ce23a806593abc2ac
[a@unstable.cc: add check for !send_reliable and message] Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231115103331.18050-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27401.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
platform.c: Do not depend Windows build on HAVE_CHDIR
This broke in the CMake build since previously we
just always set HAVE_CHDIR to 1 in the MSVC build.
But actually the code should just not check HAVE_CHDIR
on Windows.
Github: fixes OpenVPN/openvpn#448
Change-Id: I0c78ce452135fe2c80275da449215ba926471018 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20231111081808.30967-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27362.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 7 Nov 2023 14:17:55 +0000 (15:17 +0100)]
Remove CMake custom compiler flags for RELEASE and DEBUG build
This overwrites the default that cmake automatically sets. In the
case of debug builds, this breaks debugging as -O1 already optimises
many variables away.
Change-Id: I3ca6965799b23d542ababc3e38880317cb46a3ac Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231107141755.30559-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/search?l=mid&q=20231107141755.30559-1-frank@lichtenheld.com Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 27 Oct 2023 12:19:37 +0000 (14:19 +0200)]
Fix using to_link buffer after freed
When I refactored the tls_state_change method in 9a7b95fda5 I accidentally changed a break into
a return true while it should return a false.
The code here is extremely fragile in the sense
that it assumes that settings a keystate to S_ERROR
cannot have any outgoing buffer or we will have a
use after free. The previous break and now restored
return false ensure this by skipping any further
tls_process_state loops that might set to ks->S_ERROR
and ensure that the to_link is sent out and cleared
before having more loops in tls_state_change.
CVE: 2023-46850
This affects everyone, even with tls-auth/tls-crypt enabled.
Change-Id: I2a0f1c665d992da8e24a421ff0ddcb40f7945ea8 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: David Sommerseth <davids@openvpn.net> Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20231108124947.76816-3-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20231108124947.76816-3-gert@greenie.muc.de Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 57a5cd1e12f193927c9b7429f8778fec7e04c50a)
Arne Schwabe [Wed, 25 Oct 2023 15:46:24 +0000 (17:46 +0200)]
Double check that we do not use a freed buffer when freeing a session
This is a find cases where the session already has planned to send out
a packet but encounters some other errors that invalidate the session,
setting it to S_ERROR and leaving the buffer behind.
This will detect and clear that to_link buffer in that case.
Change-Id: I5ffb41bed1c9237946b13d787eb4c4013e0bec68 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: David Sommerseth <davids@openvpn.net> Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20231108124947.76816-2-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20231108124947.76816-2-gert@greenie.muc.de Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit cd4d819c99266fa727c294225cafdb4ae331d02e)
Arne Schwabe [Thu, 19 Oct 2023 13:14:33 +0000 (15:14 +0200)]
Remove saving initial frame code
This code was necessary before the frame/buffer refactoring as we
always did relative adjustment to the frame.
This also fixes also that previously initial_frame was initialised too
early before the fragment related options were initialised and contained
0 for the maximum frame size. This resulted in a DIV by 0 that caused an
abort on platforms that throw an exception for that.
CVE: 2023-46849
Only people with --fragment in their config are affected
Change-Id: Icc612bab5700879606290639e1b8773f61ec670d Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: David Sommerseth <davids@openvpn.net> Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20231108124947.76816-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20231108124947.76816-1-gert@greenie.muc.de Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 1cfca659244e362f372d9843351257f456392a2f)
Max Fillinger [Wed, 25 Oct 2023 12:18:30 +0000 (14:18 +0200)]
Add support for mbedtls 3.X.Y
Most struct fields in mbedtls 3 are private and now need accessor
functions. Most of it was straightforward to adapt, but for two things
there were no accessor functions yet:
* Netscape certificate type
* key usage (you can check key usage, but not get the raw bytes)
I decided to remove Netscape certificate type checks when using OpenVPN
with mbedtls. The key usage bytes were printed in an error message, and
I removed that part from it.
Adding the random number functions to the load private key function may
look weird, but the purpose is to make side channels for elliptic curve
operations harder to exploit.
Change-Id: I445a93e84dc54b865b757038d22318ac427fce96 Signed-off-by: Max Fillinger <max@max-fillinger.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231025121830.1030959-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27295.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
dev-tools/gerrit-send-mail.py: tool to send Gerrit patchsets to Patchwork
Since we're trying to use Gerrit for patch reviews, but the actual
merge process is still implemented against the ML and Patchwork,
I wrote a script that attempts to bridge the gap.
It extracts all relevant information about a patch from Gerrit
and converts it into a mail compatible to git-am. Mostly this
work is done by Gerrit already, since we can get the original
patch in git format-patch format. But we add Acked-by information
according to the approvals in Gerrit and some other metadata.
This should allow the merge to happen based on this one mail
alone.
v3:
- handle missing display_name and email fields for reviewers
gracefully
- handle missing Signed-off-by line gracefully
v4:
- use formatted string consistently
Change-Id: If4e9c2e58441efb3fd00872cd62d1cc6c607f160 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231022105919.21779-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27279.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sun, 22 Oct 2023 10:57:56 +0000 (12:57 +0200)]
Add undefined and abort on error to clang sanitize builds
The -fno-sanitize-recover=all flag ensures that for all errors we actually
abort the tests in the automated testing and not just print some errors in red
that nobody sees. Also add the undefined tests to catch more bugs.
For libreSSL we do not add the udefined behaviour as we have (even with the
latest LibreSSL version) an undefined behaviour in LibreSSL itself.
Change-Id: I204b396dea9f22d68e8e091d181a85ffebde4c17 Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231022105756.21080-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27278.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Sun, 22 Oct 2023 08:27:40 +0000 (10:27 +0200)]
dco: warn if DATA_V1 packets are sent to userspace
Servers 2.4.0 - 2.4.4 support peer-id and AEAD ciphers,
but only send DATA_V1 packets. With DCO enabled on the
client, connection is established but not working.
This is because DCO driver(s) are unable to handle
DATA_V1 packets and forwards them to userspace, where
they silently disappear since crypto context is in
DCO and not in userspace.
Starting from 2.4.5 server sends DATA_V2 so problem
doesn't happen.
We cannot switch to non-DCO on the fly, so we log this
and advice user to upgrade the server to 2.4.5 or newer.
Github: fixes OpenVPN/openvpn#422
Change-Id: I8cb2cb083e3cdadf187b7874979d79af3974e759 Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231022082751.8868-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27272.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Half of them used unsigned int, the other half size_t.
Standardize on one. Could've also standardized on the
other, both are much too big for the expected numbers
anyway.
Add a new utility function clamp_size_to_int for
cases we need to change from size_t to int (there
are a lot of those all over our codebase).
Resolves some -Wconversion warnings.
Change-Id: Ic996eca227d9e68279a454db93fcbc86a7bd0380 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231008104022.20200-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/search?l=mid&q=20231008104022.20200-1-frank@lichtenheld.com Signed-off-by: Gert Doering <gert@greenie.muc.de>
inet_ntoa is officially deprecated and in some places
its use already causes warnings (e.g. Fedora submissions).
Since we mostly use inet_ntop already, just convert the
remaining usages to that.
Change-Id: I052bebe720ddf26340827f25b94705945e470bfa Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231008103415.19625-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/search?l=mid&q=20231008103415.19625-1-frank@lichtenheld.com Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 6 Oct 2023 11:19:10 +0000 (13:19 +0200)]
Remove openssl engine method for loading the key
This is a contribution for loading engine key. OpenSSL engine is
deprecated since OpenSSL 3.0 and James Bottomley has not agreed to
the proposed license chagne. He is also okay with removing the
feature from the current code base as it is obsolete with OpenSSL 3.0.
Since in the end this always ends up as an uint16_t
anyway, just make the conversion much earlier. Cleans
up the code and removes some -Wconversion warnings.
v2:
- proper error handling in options.c
v4:
- also introduce a minimum mssfix
Change-Id: Id8321dfbb8ad8d79f4bb2a9da61f8cd6b6c6ee26 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231009105151.34074-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/search?l=mid&q=20231009105151.34074-1-frank@lichtenheld.com Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 9 Oct 2023 10:57:14 +0000 (12:57 +0200)]
Add warning for the --show-groups command that some groups are missing
OpenSSL has a weird way of only reporting EC curves that are implemented
in a certain way in the list of all EC curves. Note this fact and point
out that also the very important curves X448 and X25519 are affected.
Change-Id: I86641bf60d62a50e9b2719e809d2429d65c00097 Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231009105714.34598-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27193.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 9 Oct 2023 10:58:32 +0000 (12:58 +0200)]
Remove ability to use configurations without TLS by default
OpenVPN 2.6 already warned about this feature being removed. OpenVPN
2.7 will with this change no longer accept these configurations without
having a --allow-deprecated-insecure-static-crypto added to the command
line or the configuration itself. This will serve as a last and final
warning for people who missed the warning message in OpenVPN 2.6.
This commit also removes the documentation for --secret and the static key
mode.
Change-Id: I4f29953b91cf8e8daf2c9503da44073ad96d0ff5 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231009105832.34762-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27194.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Sun, 1 Oct 2023 17:49:20 +0000 (13:49 -0400)]
Log OpenSSL errors on failure to set certificate
Currently we log a bogus error message saying private key password
verification failed when SSL_CTX_use_cert_and_key() fails in
pkcs11_openssl.c. Instead print OpenSSL error queue and exit promptly.
Also log OpenSSL errors when SSL_CTX_use_certiifcate() fails in
cryptoapi.c and elsewhere. Such logging could be useful especially when
the ceritficate is rejected by OpenSSL due to stricter security
restrictions in recent versions of the library.
Change-Id: Ic7ec25ac0503a91d5869b8da966d0065f264af22 Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20231001174920.54154-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27122.html Signed-off-by: Gert Doering <gert@greenie.muc.de>