David Sommerseth [Wed, 22 Nov 2023 19:00:57 +0000 (20:00 +0100)]
Remove superfluous x509_write_pem()
After removing --tls-export-cert, this function was left in the code
base with no other users. This was an oversight in the previous
change. Removing it to avoid leaving dead code behind.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231122190057.120384-1-dazo+openvpn@eurephia.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27561.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Wed, 22 Nov 2023 14:31:01 +0000 (15:31 +0100)]
Remove --tls-export-cert
As OpenVPN 2.6+ is doing some adoptions to the license text, all
prior contributors need to accept this new text. Unfortunately, Mathieu
Giannecchini who implemented the --tls-export-cert feature did not
respond at all. Without an explicit acceptance we need to remove this
feature to avoid potential legal complications.
If this is still a wanted feature, it will need to be re-implemented
from scratch.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231122143101.58483-1-dazo+openvpn@eurephia.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27557.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 28 Nov 2023 10:37:04 +0000 (11:37 +0100)]
Rename state_change to continue_tls_process
The name state_change is more confusing than helpful as it not really
indicates if there was a state change but rather if processing should
be continued. There even some states that are definitively state changes
(setting to_link buffer) that require continue_tls_process to be set
to false.
Change-Id: Ib6d713f2eb08a4c39d97de3e1a4a832cedc09585 Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20231128103704.61046-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27571.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 28 Nov 2023 10:39:50 +0000 (11:39 +0100)]
Remove compat versionhelpers.h and remove cmake/configure check for it
The cmake file defined that file to be never present in contrast to the
old msvc-config.h that always had it present.
Remove also the compat implementation taken from mingw. All our current
build environments already have that header in place.
Change-Id: I9c85ccab6d51064ebff2c391740ba8c2d044ed1a Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20231128103950.62407-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27573.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Recent autoconf warns:
configure.ac:448: warning: The macro `AC_TYPE_SIGNAL' is obsolete.
And it turns out that we do not actually use RETSIGTYPE.
Additionally, there is no reason to do so since as the
autoconf documentation says:
"These days, it is portable to assume C89, and that signal
handlers return void, without needing to use this macro or
RETSIGTYPE."
Change-Id: I7da7c2d7d34c7e5efd52d448646b4398a1005e77 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231128103740.61160-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27572.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 28 Nov 2023 10:43:59 +0000 (11:43 +0100)]
Fix check_session_buf_not_used using wrong index
The inner loop used i instead of j when iterating through the buffers.
Since i is always between 0 and 2 and ks->send_reliable->size is
(when it is defined) always 6 (TLS_RELIABLE_N_SEND_BUFFERS) this does not
cause an index of out bounds. So while the check was not doing anything
really useful with i instead of j, at least it was not crashing or
anything similar.
Noticed-By: Jon Williams (braindead-bf) on Github issue #449
Change-Id: Ia3d5b4946138df322ebcd9e9e77d04328dacbc5d Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231128104359.62967-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27576.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Reynir Björnsson [Thu, 26 Oct 2023 14:55:32 +0000 (16:55 +0200)]
protocol_dump: tls-crypt support
Add support for tls-crypt packets in protocol_dump(). Currently,
protocol_dump() will print garbage for tls-crypt packets.
This patch makes protocol_dump print the clear text parts of the packet such
as the auth tag and replay packet id. It does not try to print the wKc for
HARD_RESET_CLIENT_V3 or CONTROL_WKC_V1 packets. It also intentionally
does not print ENCRYPTED placeholders for ack list and DATA, to cut down
on the noise.
Signed-off-by: Reynir Björnsson <reynir@reynir.dk> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <8237adde-2523-9e48-5cd4-070463887dc1@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27310.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Max Fillinger [Wed, 15 Nov 2023 15:17:40 +0000 (16:17 +0100)]
Disable TLS 1.3 support with mbed TLS
As of version 3.5.0 the TLS-Exporter function is not yet implemented in
mbed TLS, and the exporter_master_secret is not exposed to the
application either. Falling back to an older PRF when claiming to use
TLS1.3 seems like false advertising.
Change-Id: If4e1c4af9831eb1090ccb3a3c4d3e76b413f0708 Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231115151740.23948-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27453.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Wed, 15 Nov 2023 12:06:23 +0000 (13:06 +0100)]
Make --dns options apply for tap-windows6 driver
When tap-windows6 driver is used, both --dhcp-option and
--dns options are applied with DHCP. When processing --dns options,
we don't set "tuntap_options.dhcp_options" member, which is required
for DHCP string to be sent to the driver. As a result, --dns options
are not applied at all.
Fix by adding missing assignment of tuntap_options.dhcp_options.
Github: fixes OpenVPN/openvpn#447
Change-Id: I24f43ad319bd1ca530fe17442d02a97412eb75c7 Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231115120623.6442-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27402.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 15 Nov 2023 10:33:31 +0000 (11:33 +0100)]
Do not check key_state buffers that are in S_UNDEF state
When a key_state is in S_UNDEF the send_reliable is not initialised. So
checking it might access invalid memory or null pointers.
Github: fixes OpenVPN/openvpn#449
Change-Id: I226a73d47a2b1b29f7ec175ce23a806593abc2ac
[a@unstable.cc: add check for !send_reliable and message] Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231115103331.18050-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27401.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
platform.c: Do not depend Windows build on HAVE_CHDIR
This broke in the CMake build since previously we
just always set HAVE_CHDIR to 1 in the MSVC build.
But actually the code should just not check HAVE_CHDIR
on Windows.
Github: fixes OpenVPN/openvpn#448
Change-Id: I0c78ce452135fe2c80275da449215ba926471018 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20231111081808.30967-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27362.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 7 Nov 2023 14:17:55 +0000 (15:17 +0100)]
Remove CMake custom compiler flags for RELEASE and DEBUG build
This overwrites the default that cmake automatically sets. In the
case of debug builds, this breaks debugging as -O1 already optimises
many variables away.
Change-Id: I3ca6965799b23d542ababc3e38880317cb46a3ac Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231107141755.30559-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/search?l=mid&q=20231107141755.30559-1-frank@lichtenheld.com Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 27 Oct 2023 12:19:37 +0000 (14:19 +0200)]
Fix using to_link buffer after freed
When I refactored the tls_state_change method in 9a7b95fda5 I accidentally changed a break into
a return true while it should return a false.
The code here is extremely fragile in the sense
that it assumes that settings a keystate to S_ERROR
cannot have any outgoing buffer or we will have a
use after free. The previous break and now restored
return false ensure this by skipping any further
tls_process_state loops that might set to ks->S_ERROR
and ensure that the to_link is sent out and cleared
before having more loops in tls_state_change.
CVE: 2023-46850
This affects everyone, even with tls-auth/tls-crypt enabled.
Change-Id: I2a0f1c665d992da8e24a421ff0ddcb40f7945ea8 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: David Sommerseth <davids@openvpn.net> Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20231108124947.76816-3-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20231108124947.76816-3-gert@greenie.muc.de Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 57a5cd1e12f193927c9b7429f8778fec7e04c50a)
Arne Schwabe [Wed, 25 Oct 2023 15:46:24 +0000 (17:46 +0200)]
Double check that we do not use a freed buffer when freeing a session
This is a find cases where the session already has planned to send out
a packet but encounters some other errors that invalidate the session,
setting it to S_ERROR and leaving the buffer behind.
This will detect and clear that to_link buffer in that case.
Change-Id: I5ffb41bed1c9237946b13d787eb4c4013e0bec68 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: David Sommerseth <davids@openvpn.net> Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20231108124947.76816-2-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20231108124947.76816-2-gert@greenie.muc.de Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit cd4d819c99266fa727c294225cafdb4ae331d02e)
Arne Schwabe [Thu, 19 Oct 2023 13:14:33 +0000 (15:14 +0200)]
Remove saving initial frame code
This code was necessary before the frame/buffer refactoring as we
always did relative adjustment to the frame.
This also fixes also that previously initial_frame was initialised too
early before the fragment related options were initialised and contained
0 for the maximum frame size. This resulted in a DIV by 0 that caused an
abort on platforms that throw an exception for that.
CVE: 2023-46849
Only people with --fragment in their config are affected
Change-Id: Icc612bab5700879606290639e1b8773f61ec670d Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: David Sommerseth <davids@openvpn.net> Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20231108124947.76816-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20231108124947.76816-1-gert@greenie.muc.de Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 1cfca659244e362f372d9843351257f456392a2f)
Max Fillinger [Wed, 25 Oct 2023 12:18:30 +0000 (14:18 +0200)]
Add support for mbedtls 3.X.Y
Most struct fields in mbedtls 3 are private and now need accessor
functions. Most of it was straightforward to adapt, but for two things
there were no accessor functions yet:
* Netscape certificate type
* key usage (you can check key usage, but not get the raw bytes)
I decided to remove Netscape certificate type checks when using OpenVPN
with mbedtls. The key usage bytes were printed in an error message, and
I removed that part from it.
Adding the random number functions to the load private key function may
look weird, but the purpose is to make side channels for elliptic curve
operations harder to exploit.
Change-Id: I445a93e84dc54b865b757038d22318ac427fce96 Signed-off-by: Max Fillinger <max@max-fillinger.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231025121830.1030959-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27295.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
dev-tools/gerrit-send-mail.py: tool to send Gerrit patchsets to Patchwork
Since we're trying to use Gerrit for patch reviews, but the actual
merge process is still implemented against the ML and Patchwork,
I wrote a script that attempts to bridge the gap.
It extracts all relevant information about a patch from Gerrit
and converts it into a mail compatible to git-am. Mostly this
work is done by Gerrit already, since we can get the original
patch in git format-patch format. But we add Acked-by information
according to the approvals in Gerrit and some other metadata.
This should allow the merge to happen based on this one mail
alone.
v3:
- handle missing display_name and email fields for reviewers
gracefully
- handle missing Signed-off-by line gracefully
v4:
- use formatted string consistently
Change-Id: If4e9c2e58441efb3fd00872cd62d1cc6c607f160 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231022105919.21779-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27279.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sun, 22 Oct 2023 10:57:56 +0000 (12:57 +0200)]
Add undefined and abort on error to clang sanitize builds
The -fno-sanitize-recover=all flag ensures that for all errors we actually
abort the tests in the automated testing and not just print some errors in red
that nobody sees. Also add the undefined tests to catch more bugs.
For libreSSL we do not add the udefined behaviour as we have (even with the
latest LibreSSL version) an undefined behaviour in LibreSSL itself.
Change-Id: I204b396dea9f22d68e8e091d181a85ffebde4c17 Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231022105756.21080-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27278.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Sun, 22 Oct 2023 08:27:40 +0000 (10:27 +0200)]
dco: warn if DATA_V1 packets are sent to userspace
Servers 2.4.0 - 2.4.4 support peer-id and AEAD ciphers,
but only send DATA_V1 packets. With DCO enabled on the
client, connection is established but not working.
This is because DCO driver(s) are unable to handle
DATA_V1 packets and forwards them to userspace, where
they silently disappear since crypto context is in
DCO and not in userspace.
Starting from 2.4.5 server sends DATA_V2 so problem
doesn't happen.
We cannot switch to non-DCO on the fly, so we log this
and advice user to upgrade the server to 2.4.5 or newer.
Github: fixes OpenVPN/openvpn#422
Change-Id: I8cb2cb083e3cdadf187b7874979d79af3974e759 Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231022082751.8868-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27272.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Half of them used unsigned int, the other half size_t.
Standardize on one. Could've also standardized on the
other, both are much too big for the expected numbers
anyway.
Add a new utility function clamp_size_to_int for
cases we need to change from size_t to int (there
are a lot of those all over our codebase).
Resolves some -Wconversion warnings.
Change-Id: Ic996eca227d9e68279a454db93fcbc86a7bd0380 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231008104022.20200-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/search?l=mid&q=20231008104022.20200-1-frank@lichtenheld.com Signed-off-by: Gert Doering <gert@greenie.muc.de>
inet_ntoa is officially deprecated and in some places
its use already causes warnings (e.g. Fedora submissions).
Since we mostly use inet_ntop already, just convert the
remaining usages to that.
Change-Id: I052bebe720ddf26340827f25b94705945e470bfa Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231008103415.19625-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/search?l=mid&q=20231008103415.19625-1-frank@lichtenheld.com Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 6 Oct 2023 11:19:10 +0000 (13:19 +0200)]
Remove openssl engine method for loading the key
This is a contribution for loading engine key. OpenSSL engine is
deprecated since OpenSSL 3.0 and James Bottomley has not agreed to
the proposed license chagne. He is also okay with removing the
feature from the current code base as it is obsolete with OpenSSL 3.0.
Since in the end this always ends up as an uint16_t
anyway, just make the conversion much earlier. Cleans
up the code and removes some -Wconversion warnings.
v2:
- proper error handling in options.c
v4:
- also introduce a minimum mssfix
Change-Id: Id8321dfbb8ad8d79f4bb2a9da61f8cd6b6c6ee26 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231009105151.34074-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/search?l=mid&q=20231009105151.34074-1-frank@lichtenheld.com Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 9 Oct 2023 10:57:14 +0000 (12:57 +0200)]
Add warning for the --show-groups command that some groups are missing
OpenSSL has a weird way of only reporting EC curves that are implemented
in a certain way in the list of all EC curves. Note this fact and point
out that also the very important curves X448 and X25519 are affected.
Change-Id: I86641bf60d62a50e9b2719e809d2429d65c00097 Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231009105714.34598-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27193.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 9 Oct 2023 10:58:32 +0000 (12:58 +0200)]
Remove ability to use configurations without TLS by default
OpenVPN 2.6 already warned about this feature being removed. OpenVPN
2.7 will with this change no longer accept these configurations without
having a --allow-deprecated-insecure-static-crypto added to the command
line or the configuration itself. This will serve as a last and final
warning for people who missed the warning message in OpenVPN 2.6.
This commit also removes the documentation for --secret and the static key
mode.
Change-Id: I4f29953b91cf8e8daf2c9503da44073ad96d0ff5 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231009105832.34762-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27194.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Sun, 1 Oct 2023 17:49:20 +0000 (13:49 -0400)]
Log OpenSSL errors on failure to set certificate
Currently we log a bogus error message saying private key password
verification failed when SSL_CTX_use_cert_and_key() fails in
pkcs11_openssl.c. Instead print OpenSSL error queue and exit promptly.
Also log OpenSSL errors when SSL_CTX_use_certiifcate() fails in
cryptoapi.c and elsewhere. Such logging could be useful especially when
the ceritficate is rejected by OpenSSL due to stricter security
restrictions in recent versions of the library.
Change-Id: Ic7ec25ac0503a91d5869b8da966d0065f264af22 Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20231001174920.54154-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27122.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
GHA: new workflow to submit scan to Coverity Scan service
Not on every push due to submit limits.
Use caching to not submit a scan for the same git commit
twice. Since we have many days without pushes to master
this saves a lot of Github and Coverity resources.
v2:
- add caching to not submit redundant scans
Change-Id: I302ccc82f9d5c43b58350bbbf7f16ad1c559248f Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230911110735.34491-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27001.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
No DNS resolver currently supports this and it is not possible to
emulate the behavior without the chance of errors. Finding the
effective default system DNS server(s) to specify the exclude
DNS routes is not trivial and cannot be verified to be correct
without resolver internal knowledge. So, it is better to not
support this instead of supporting it, but incorrectly.
Change-Id: I7f422add22f3f01e9f47985065782dd67bca46eb Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20230922104334.37619-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27008.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Fri, 22 Sep 2023 10:50:55 +0000 (12:50 +0200)]
Warn user if INFO control command is too long
"INFO_PRE,..." command length is limited to 256 bytes. If the server
implementation pushes command which is too long, warn the user and
don't send the truncated command to a management client.
Change-Id: If3c27a2a2ba24f2af0e3e3c95eea57ed420b2542 Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230922105055.37969-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27062.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
These are based on review comments for the 2.6 backport.
But since they apply to the original master implementation
as well, I address them in this separate patch.
- Add documentation to contrib/cmake/*.py
- Fix grammar in README.cmake.md
- Update a TODO in CMakeLists.txt to better reflect
the status quo
- Fix indentation in unit_tests' Makefile.am
Change-Id: I4e16767ee221e1aefdd18d13b3411c27d8dd844a Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/342
Message-Id: <20230919155635.708557-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27043.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
dco: fix crash when --multihome is used with --proto tcp
Although it's a combination of options that is not really useful,
when specifying --multihome along with --proto tcp and DCO is enabled,
OpenVPN will crash while attempting to access c2.link_socket_actual
(NULL for the TCP case) in order to retrieve the local address (in
function dco_multi_get_localaddr())
Prevent crash by running this code only if proto is UDP.
The same check is already performed in socket.c/h for the non-DCO
case.
Github: fixes OpenVPN/openvpn#390
Change-Id: I61adc26ce2ff737e020c3d980902a46758cb23e5 Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230815231555.6465-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26953.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
configure: disable engines if OPENSSL_NO_ENGINE is defined
Starting with LibreSSL 3.8.1 the engines have been removed which causes
the OpenVPN build to fail. This can be solved during configure by
checking if OPENSSL_NO_ENGINE is defined in opensslconf.h.
Signed-off-by: orbea <orbea@riseup.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230909134956.5902-1-orbea@riseup.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26994.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Mon, 14 Aug 2023 06:04:09 +0000 (08:04 +0200)]
Make received OCC exit messages more visible in log.
Currently, OCC exit messages are only logged at some high debug level
(and if OpenVPN compiled with DEBUG), while control-channel EEN messages
are logged on verb 1. Make this consistent, both in wording and in
log level.
Both messages are prefixed with the "channel" where the exit message
came in.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230814060409.50742-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26949.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 11 Aug 2023 12:15:03 +0000 (14:15 +0200)]
show extra info for OpenSSL errors
This also shows the extra data from the OpenSSL error function that
can contain extra information. For example, the command
openvpn --providers vollbit
will print out (on macOS):
OpenSSL: error:12800067:DSO support routines::could not load the shared library:filename(/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib): dlopen(/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib, 0x0002): tried: '/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib' (no such file), '/System/Volumes/Preboot/Cryptexes/OS/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib' (no such file), '/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib' (no such file)
Patch v2: Format message more like current messages
Change-Id: Ic2ee89937dcd85721bcacd1b700a20c640364f80 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20230811121503.4159089-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26929.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
The code was not very clear if we accept the base64 decode if the
NTLM challenge was truncated or not. Move the related code lines
closer to where buf is first used and comment that we are not concerned
about any truncation.
If the decoded result is truncated, the NTLM server side will reject
our new response to the challenge as it will be incorrect. The
buffer size is fixed and known to be in a cleared state before the
decode starts.
Resolves: TOB-OVPN-14 Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230802113149.36497-1-dazo+openvpn@eurephia.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26919.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Sat, 28 Jan 2023 21:59:01 +0000 (16:59 -0500)]
signal_reset(): combine check and reset operations
- "if (sig == X) signal_reset(sig)" now becomes
"signal_reset(sig, X)" so that the check and assignment
can be done in one place where signals are masked.
This is required to avoid change of signal state between
check and reset operations.
- Avoid resetting the signal except when absolutely necessary
(resetting has the potential of losing signals)
- In 'pre_init_signal_catch()', when certain low priority signals
are set to SIG_IGN, clear any pending signals of the same
type. Also, reset signal at the end of the SIGUSR1 and
SIGHUP loops where their values are checked instead of later. This
avoids the need for 'signal_reset()' after SIGHUP or in 'init_instance()'
which could cause a signal like SIGTERM to be lost.
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230128215901.2207208-2-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26088.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Thu, 27 Jul 2023 15:47:06 +0000 (18:47 +0300)]
Set WINS servers via interactice service
At the moments WINS servers are set either:
- via DHCP, which works only for tap-windows6 driver
- via netsh when running without interactice service
This means that in 2.6 default setup (interactive service and dco)
WINS is silently ignored.
Add WINS support for non-DHCP drivers (like dco) by passing
WINS settings to interactive service and set them there with
netsh call, similar approach as we use for setting DNS.
Selva Nair [Sat, 28 Jan 2023 21:59:00 +0000 (16:59 -0500)]
Improve signal handling using POSIX sigaction
Currently we use the old signal API which follows system-V or
BSD semantics depending on the platform and/or feature-set macros.
Further, signal has many weaknesses which makes proper masking
(deferring) of signals during update not possible.
Improve this:
- Use sigaction to properly mask signals when modifying.
Notes:
Updating signal_reset() is handled in a follow up patch
SIG_SOURCE_CONNECTION_FAILED is retained in a hackish way. This value
has the same meaning as SIG_SOURCE_SOFT everywhere except where the
signal is printed. Looks cosmetic --- could be eliminated?
In pre_init_signal_catch() we ignore some unix signals, but the same
signals from management are not ignored though both are treated as "HARD"
signals. For example, during auth-user-pass query, "kill -SIGUSR1 <pid>"
will be ignored, but "signal SIGUSR1" from management interface will
cause M_FATAL and exit. This is the current behaviour, but could be improved?
This patch was originally submitted as 5/5 of the signals series. Now this
is 1/2 of a new series with signal_reset changes moved to 2/2
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230128215901.2207208-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26087.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 24 May 2023 13:24:24 +0000 (15:24 +0200)]
Implement using --peer-fingerprint without CA certificates
This is implements --peer-fingerprint command to support OpenVPN
authentication without involving a PKI.
The current implementation in OpenVPN for peer fingerprint has been already
extensively rewritten from the original submission from Jason [1]. The
commit preserved the original author since it was based on Jason code/idea.
This commit is based on two previous commits that prepare the infrastructure
to use a simple to use --peer-fingerprint directive instead of using
a --tls-verify script like the v1 of the patch proposed. The two commits
preparing this are:
- Extend verify-hash to allow multiple hashes
- Implement peer-fingerprint to check fingerprint of peer certificate
These preceding patches make this actual patch quite short. There are some
lines in this patch that bear some similarity to the ones like
if (!preverify_ok && !session->opt->verify_hash_no_ca)
vs
if (!preverify_ok && !session->opt->ca_file_none)
But these similarities are one line fragments and dictated by the
surrounding style and program flow, so even a complete black box
implementation will likely end up with the same lines.
Arne Schwabe [Wed, 12 Jul 2023 09:55:29 +0000 (11:55 +0200)]
Check if the -wrap argument is actually supported by the platform's ld
This avoids build errors on macOS. Also the test_tls_crypt command works
just fine on FreeBSD with its linkers, so do not make that test Linux only.
Patch v2: allow running with old cmake version (cmake 3 on RHEL7 with EPEL
is only 3.17)
Patch v3: add OPTIONAL keyword to Incldue required by some cmake versions
Change-Id: Id26676bdc576c7d3d6726afa43fe6c7a397c579b Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230712095529.570306-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26850.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 12 Jul 2023 09:54:12 +0000 (11:54 +0200)]
Mock openvpn_exece on win32 also for test_tls_crypt
This function is needed to commpile on win32 as run_command.c defines it
on Unix Linux but on windows it is defined in win32.c which pulls in too
many other unresolvable symbols.
Patch v2: Also add mock_win32_execve.c to automake files
Change-Id: I8c8fe298eb30e211279f3fc010584b9d3bc14b4a Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230712095412.570106-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26849.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 12 Jul 2023 09:46:20 +0000 (11:46 +0200)]
Ignore Ipv6 route delete request on Android and set ipv4 verbosity to 7
Android has no facility nor need one to delete routes as routes are
automatically cleaned up when the tun interface is closed. Also adjust
the IPv4 message to be only shown and verb 7 and rephrase the message.
Change-Id: If8f920d378c31e9ea773ce1f56f3df50f1ec36cd Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230712094620.569273-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26848.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Fri, 14 Jul 2023 11:18:02 +0000 (14:18 +0300)]
manage.c: document missing KID parameter
Commit a261e173 ("Make sending plain text control message session
aware") added KID parameter to "client-pending-auth" management command,
but forgot to mention it in the output of management help.
Change-Id: I201bdaa5fe4020d15a9dd1674aba5e0c45170731 Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230714111802.1773-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26856.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Mon, 10 Jul 2023 11:21:22 +0000 (14:21 +0300)]
tun.c: enclose DNS domain in single quotes in WMIC call
This is needed to support domains with hyphens.
Not using double quotes here, since our code replaces
them with underbars (see
https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/win32.c#L980).
Github: fixes OpenVPN/openvpn#363
Change-Id: Iab536922d0731635cef529b5caf542f637b8d491 Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20230710112122.576-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26841.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 22 May 2023 09:12:31 +0000 (11:12 +0200)]
Print a more user-friendly error when tls-crypt-v2 client auth fails
While it might be clear to people being (too?) well versed in
typical crypto applications that an authentication failure probably
mean wrong decryption key, this is not really obvious for the typical
user/server admin.
Change-Id: If0f0e7d53f915d39ab69aaaac43dc73bb9c26ae9 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230522091231.2837468-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26718.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 22 May 2023 10:11:38 +0000 (12:11 +0200)]
Fix CR_RESPONSE mangaement message using wrong key_id
the management interface expects the management key id instead
of the openvpn key id. In the past they often were the same for low ids
which hid the bug quite well.
Also do not pick uninitialised keystates (management key_id is not valid
in these).
Patch v2: do not add logging
Change-Id: If9fa1165a0e886b570b3738546ed810a32367cbe Signed-off-by: Arne Schwabe <arne@rfc2549.org> Tested-By: Jemmy Wang
Github: fixes OpenVPN/openvpn#359 Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20230522101138.2842378-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26719.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
When cross compiling for Windows with Ubuntu 23.04 mingw complains about
route.c:344:26: warning: ‘special.S_un.S_addr’ may be used uninitialized
which is wrong technically. However the workaround isn't really
intrusive and while there are other warnings caused by libtool, the
cmake mingw build completes with -Werror now.
Change-Id: I8a0f59707570722eab41af2db76980ced04e6d54 Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230706171922.752429-1-heiko@ist.eigentlich.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26831.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
CMake: Support doc builds on Windows machines that do not have .py file association
On Windows we might need to call python because .py files are not
directly executable. This is true e.g. for GHA runners.
For now we assume that rst2html and rst2man can be handled in the same
way and do not test both of them.
Commit e8881ec6dd63bd80ce05202573eac54ab8657fcb unconditionally
used $PYTHON, but that broke build on systems where the default
python can't be used and we need to respect the shebang.
Commit 5dbec1c019d14880ae7bf364b062d3589c7fd9e7 unconditionally
did not use $PYTHON, but that broke build on the aformentioned
GHA runners.
This commit tries to establish a solution that works for both
systems.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230704130902.105585-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26813.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sun, 27 Nov 2022 08:59:33 +0000 (09:59 +0100)]
fix warning with gcc 12.2.0 (compiler bug?)
Changing the argument of check_malloc_return from const void* to void*
removes the warning from gcc 12.2.0:
In file included from ../../../openvpn-git/src/openvpn/crypto_openssl.c:40:
../../../openvpn-git/src/openvpn/buffer.h: In function ‘hmac_ctx_new’:
../../../openvpn-git/src/openvpn/buffer.h:1030:9: warning: ‘ctx’ may be
used uninitialized [-Wmaybe-uninitialized]
1030 | check_malloc_return((dptr) = (type *)
malloc(sizeof(type))); \
| ^~~~~~~~~~~~~~~~~~~
../../../openvpn-git/src/openvpn/buffer.h:1076:1: note: by argument 1 of
type ‘const void *’ to ‘check_malloc_return’ declared here
1076 | check_malloc_return(const void *p)
| ^~~~~~~~~~~~~~~~~~~
This more a quick fix/heads up for other people encountering the issue
on GCC 12.2.0 like on Ubuntu 22.10 until we figure out if this is a bug in
our code or a compiler bug.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20221127085933.3487177-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25549.html Signed-off-by: Gert Doering <gert@greenie.muc.de>