Max Fillinger [Wed, 10 Aug 2022 15:30:06 +0000 (17:30 +0200)]
Don't "undo" ifconfig on exit if it wasn't done
When running with --ifconfig-noexec, OpenVPN does not execute ifconfig,
but on exit, it still tries to "undo" the configuration it would have
done. This patch fixes it by extracting an undo_ifconfig() function from
close_tun(). The undo function is called before close_tun(), but only if
--ifconfig-noexec isn't set. This is symmetric to how open_tun() and
do_ifconfig() are used.
v2: Fix tabs-vs-spaces.
v3: Fix another style mistake.
v4: Move undo_ifconfig{4,6}() out of #ifdef TARGET_LINUX.
v5: Keep ctx argument in close_tun().
v6: Fix bug in non-Linux non-Windows version of undo_ifconfig_ipv6
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220810153006.18860-1-maximilian.fillinger@foxcrypto.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24860.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
When auth-token verify succeeds during a reauth, other auth
methods (plugin, script, management) are skipped unless
external-auth is in effect (skip_auth gets set to true).
However, in this case, the status of management-def-auth
(ks->mda_status) stays at its default value of ACF_PENDING
and will never change. This causes TLS keys to go out of sync
and an eventual client disconnect.
Further, a message saying username/password authentication is
"deferred" gets logged which is misleading.
For example:
test/127.0.0.1:35874 TLS: Username/auth-token authentication
succeeded for username 'test'
followed by
test/127.0.0.1:35874 TLS: Username/Password authentication
deferred for username 'test' [CN SET]
Fix by setting ks->mda_status to ACF_DISABLED, and do not
set ks->authenticated = KS_AUTH_DEFERRED when skip_auth is true.
Also log a warning message when token is marked as expired on
missing the reneg window.
At the moment dco-win doesn't support --persist-tun and --server,
so check for these options at startup time.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220819065250.222590-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25014.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
dco-win: introduce low-level code for handling ovpn-dco-win in Windows
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Signed-off-by: Lev Stipakov <lev@openvpn.net> Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20220813204224.22576-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24919.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
dco: move availability check to the end of check_option_conflict() function
To better arrange the order DCO option conflict messages are printed, we
decided to first perform all needed checks on provided options and, only
at the end, if no conflict was detected, to check if DCO is really
available on the system.
This way a user gets prompted with all warnings about their
configuration first and, when everything is fixed, they will see if DCO
is available or not.
While at it, compress the first check in just one if to make the code
simpler.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220802130312.18871-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24783.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
dco-win: ensure the DCO API is not used when running on Windows
On Windows the high level API should still use the link_socket object to
read and write packets. For this reason, even if dco_installed is true,
we still need to rely on the classic link_socket object.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20220814085117.7128-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24929.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
dco: turn platform config checks into separate function
All the checks in there are only relevant during startup, and
specifically the capability check might cause issues when checking a CCD
config later at runtime.
So move them to their own function and call it only during startup. Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20220817210857.1558-1-timo@rothenpieler.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24969.html
Arne Schwabe [Wed, 17 Aug 2022 07:59:25 +0000 (09:59 +0200)]
Rename OPT_P_IPWIN32 to OPT_P_DHCPDNS and include --dns in it
The dns options are very similar to dhcp-option and should fall
under the same option mask. For that rename the OPT_P_IPWIN32 mask
to OPT_P_DHCPDNS and include dns in it.
This effects currently route-nopull which block all host side
network/dns configuration but did not block the new dns option. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220817075925.815184-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24946.html
Arne Schwabe [Wed, 17 Aug 2022 13:53:48 +0000 (15:53 +0200)]
Fix IV_PLAT_VER and UV_ variables sent without push-peer-info
Commit 8c72d7981 changed the push_peer_info_detail to have an
additional level for P2P NCP and shifting most of the other levels
with 1. The check for UV_ and IV_PLAT_VER was not changed accordingly.
Fixes: 8c72d7981 ("Support NCP in pure P2P VPN setups") Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20220817135348.844178-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24956.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
dco: disable DCO if --user specified but unable to retain capabilities
If run under network manager, OpenVPN starts with uid=0 and
'--user nm-openvpn', but is lacking the CAP_SETPCAP capabilities
to retain CAP_NET_ADMIN after dropping root privileges.
In DCO mode, OpenVPN must have CAP_NET_ADMIN today, always, otherwise
TLS renegotiation / key rotation will not be possible.
So, check at startup, if --user is specified, if CAP_NET_ADMIN is
permitted and CAP_SETPCAP is available. If either of the capabilities
is missing, disable DCO. Traditional tun/tap works with "uid=0 on
tun open, and setuid() afterwards".
Long-Term, get NM to enable OpenVPN to run with CAP_NET_ADMIN.
Signed-off-by: Timo Rothenpieler <timo@rothenpieler.org> Tested-By: Bernhard Schmidt <berni@birkenwald.de> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220817131817.467-1-timo@rothenpieler.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24952.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
In the case of the Microsoft action, this fixes security relevant issues
according to their release notes:
https://github.com/microsoft/setup-msbuild/releases
Unfortunately they don't appear to be following the usual scheme of v1
referring to all v1.x.x, but instead v1 just points to v1.0.0.
The primary change with all the Github-Provided actions is the switch to a
more up-to-date NodeJS version (16). Not all that relevant when you just
use the action as is, but on top of that, the old versions are in
low-maintenance mode, and basically are considered obsolete.
Github is actively migrating people to the latest ones via dependabot
wherever they can. Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220817132302.538-1-timo@rothenpieler.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24954.html
Lev Stipakov [Sun, 14 Aug 2022 21:53:03 +0000 (23:53 +0200)]
tun: properly handle device interface list
Device interface is a path which is used by userspace
to access device. A driver can create one or more device
interfaces and specify "reference string", so that userspace
could enumerate all device interfaces in the list and pick
the corrct one which ends with reference string.
Before our code had an assumption that either driver
creates only one device interface or the "right" interface
is alwways first in the list. As it turned out, that assumtion
does not always hold, so here we iterate through all device
interfaces in the list.
In follow-up dco-win patch we pick the device interface
from the list which ends with specific reference string.
v3: change allocation to use regular gc_malloc() instead of buffer.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20220814215303.305-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24938.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Sat, 13 Aug 2022 12:44:38 +0000 (14:44 +0200)]
Apply uncrustify changes that were forgotten in the FreeBSD DCO 1/2 patch.
commit f08fcc2f1eb159 has a few whitespace errors that uncrustify
complained on merge, but due to git handling mistakes, these were not
properly included in the actual commit. Fix.
The current condition checking if the TUN interface was preserved is
dependant on the platform being Android or not. This makes the code
reasonably ugly, especially because uncrustify can't indent properly.
On top of that, we will require an extra condition only for windows+DCO,
which will make the check even uglier.
For this reason, factor out the check in a separate function which can
keep the ifdefs craziness well hidden, while do_open_tun becomes
(a bit) cleaner.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20220812130657.29899-2-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24884.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Linux builds need this now in order to retain capabilities when dropping
root privileges. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220811113422.451-1-timo@rothenpieler.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24870.html
Gert Doering [Thu, 11 Aug 2022 11:26:58 +0000 (13:26 +0200)]
Apply uncrustify changes that were forgotten in the last patch.
commit 2e359a088226ab1e5 has a few whitespace errors that uncrustify
complained on merge, but due to git handling mistakes, these were not
properly included in the actual commit. Fix.
Linux: Retain CAP_NET_ADMIN when dropping privileges
On Linux, when dropping privileges, interaction with
the network configuration, such as tearing down routes
or ovpn-dco interfaces will fail when --user/--group are
used.
This patch sets the CAP_NET_ADMIN capability, which grants
the needed privileges during the lifetime of the OpenVPN
process when dropping root privileges.
Signed-off-by: Timo Rothenpieler <timo@rothenpieler.org> Reviewed-By: David Sommerseth <davids@openvpn.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220514103717.235-1-timo@rothenpieler.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24360.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Other platforms may need more complex logic to decide whether a cipher
is supported or not, therefore turn hardcoded list into a function that
can be implemented by each platform independently.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20220807100404.8618-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24835.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
dco: disable DCO if --allow-compress yes/asym was specified
Allowing compression means that we may accept a pushable compress
setting.
This scenario can't work with DCO therefore disable it when compression
is allowed.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220807095329.28819-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24834.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Thu, 28 Jul 2022 11:17:12 +0000 (14:17 +0300)]
openvpnmsica: remove OpenVPNService state check code
This code reads the state of OpenVPNService,
such as startup mode and running, and sets MSI
property value. If that property is set, installer
selects OpenVPNService as a feature to be installed.
This has been superseded by change in installer:
https://github.com/OpenVPN/openvpn-build/pull/261
which, in addition to checking the state of OpenVPNService,
applies that state to the newly installed service.
- by default, OpenVPNService feature is now checked
and service is installed
- in clean installation, service startup mode is set to "manual"
and service is not started
- in upgrade, installer preserves the service state, such
as startup mode and started/stopped
With all those changes to installer, we don't need this code
in openvpnmsica.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20220728111712.94-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24752.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
To increase the reproducibility of builds
we shouldn't use __DATE__. However, for
the development builds there is some demand
for leaving this in.
So as suggested by Gert Doering go for a
compromise where we only use __DATE__ if
we also include the git information. This
will remove this information from release
builds, but not from builds done directly
from the git checkout.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220804150301.62856-2-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24807.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
dco: perform pull options check only if we pulled any option
The do_deferred_options() function is invoked also on the server side in
order to process all negotiated bits.
However, in this case we should not perform any pull options check, as
it's required only on the client side.
Move check within the "if (options.pull)" block to ensure we perform the
check only when required.
Reported-By: Gert Doering <gert@greenie.muc.de> Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220805150837.8169-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24824.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
dco: implement dco support for p2mp/server code path
This change introduces ovpn-dco support along the p2mp/server code path.
Some code seems to be duplicate of the p2p version, but details are
different, so it couldn't be shared.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220805064555.13385-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24811.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Thu, 4 Aug 2022 08:25:02 +0000 (10:25 +0200)]
Break 'try 256 dco devices' loop on EPERM
If we get a permission denied error on one DCO device, trying 255 more
times will not succeed, and just fill the log file with errors.
Also, remove the msg() call there because it was at debug level
(needed --verb 4 to be seen), didn't see the correct errno, and the
sitnl code already prints the error.
v2: use "else if"
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20220804082502.1750074-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24799.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
push: fix compilation with --disable-management and --enable-werror
The authfail_extended and buf variables are only used when
ENABLE_MANAGEMENT is defined. However, they are currently declared
outside of any ifdefs, thus triggering a warning.
Move the declaration of these 2 down, right before their usage (within
the existing "#ifdef ENABLE_MANAGEMENT" block.
Fixes: ("Cleanup receive_auth_failed and simplify method") Cc: Arne Schwabe <arne@rfc2549.org> Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220803154049.1213-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24792.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
DCO will try to install keys upon generating them, however, this happens
when parsing pushed cipher options (due to NCP).
For this reason we need to postpone parsing pushed cipher options to
*after* the tunnel interface has been opened, otherwise we would have
no DCO netdev object to operate on.
At the same time we split the parsing code, so that we can ensure that
the NEW_PEER call can happen after the received peer-id has been parsed
(it is required by all DCO API calls).
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220803095012.24975-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24789.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
dco: periodically check and possibly rotate/delete keys
Data channel keys are periodically regenerated and installed in ovpn-dco.
However, there is a certain moment when keys are rotated in order
to elect the new primary one.
Check the key status in userspace so that kernelspace can be informed as
well when rotations happen.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220802151604.2801-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24785.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Allow a few levels of recursion in virtual_output_callback()
Without this, replies to commands from the management client
are sometimes lost if the server is writing when a command
comes in and leads to a recursive call to this function.
For some reason I've not been able to trigger this on Linux,
but it does sometimes happen on Windows during intense write
activity by openvpn.exe sending log lines to the management
client.
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220728034508.15180-2-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24751.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Do not skip ERROR:/SUCCESS: response from management interface
Generally we expect a response of SUCCESS: or ERROR: to every
command sent to the management interface. But, while in
the management-hold state, sending "signal foo" returns only
the following reply (with foo = SIGHUP, SIGUSR1 etc.):
>HOLD:Waiting for hold release:0
Fix by always responding
ERROR: signal 'foo' is currently ignored"
followed by the above line.
Though this is seldom seen in practice[*], such violation of the
protocol could stall clients like the GUI. So fix it.
[*] One way this happens is with SIGHUP sent before the daemon
is on hold state which it enters before the SIGHUP is received.
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220728034508.15180-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24750.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
The DCO logic is unable to proceed without --dev argument, therefore
just disable DCO if no --dev was specified by the user.
Right now, calling openvpn with DCO enabled (default) and no --dev
specified leads to a crash, because --dev is assumed to always be there.
Reported-by: Frank Lichtenheld <frank@lichtenheld.com> Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220801150812.32561-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24772.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 29 Jul 2022 12:37:48 +0000 (14:37 +0200)]
Extract check_session_cipher into standalone function
This allow the code later to check if the cipher is okay to use and
update it for the calculation for the max MTU size.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Patch v2: Name function check_session_cipher to better reflect its
function Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220729123748.3267207-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24766.html
dco: initialize context and save pointer in TLS object
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-By: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220720123021.24281-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24714.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
dco: introduce open_tun_dco_generic() to open dynamic or fixed-name DCO devices
This function is similar to the essence of open_tun_generic(), but
calling open_tun_dco() instead of trying to do a file open on
"/dev/%s"
Previous attempts to save code duplication by including this into
open_tun_generic() created additional #ifdef plus confusing call
paths. So this is a clean new function, leaving the door open for
a cleanup of open_tun_generic().
Also, introduce tun_dco_enabled(tt) to avoid the negative
"!tt->options.disable_dco" calls.
v11:
- add new function open_tun_dco_generic() for Linux (and FreeBSD, later)
instead of lumping this into open_tun_generic()
- pick up tun_dco_enabled() from a later patch in the series
(easier to bring this in right now than to convert the code back
and then patch it again later)
Signed-off-by: Antonio Quartulli <a@unstable.cc> Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220721182425.1569798-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24717.html
Gert Doering [Sat, 23 Jul 2022 12:19:09 +0000 (14:19 +0200)]
Fix error message about extended errors for IPv4-only sockets.
The new code to enable IPv6 extended error reporting will cause
an error ("Protocol not available (errno=92)") if trying to enable
that setsockopt() option on an IPv4-only socket.
Fix: pass sock->info.af to set_sock_extended_error_passing(), only
apply to AF_INET6 sockets.
To make that work, ensure that sock->info.af is set to not only
the value coming from config (which might be AF_UNSPEC) but to the
actual value used in socket creation (credits: Arne Schwabe).
Add comments to make explicit that the asymmetry here (IPv4 extended
socket error reporting is enabled on all sockets) is intentional.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220723121909.21943-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24731.html
The correct errno can get overwritten by the call to
format_extended_socket_error() which may set errno to EAGAIN
losing the original error and cause to bypass the error reporting
below. Fix by reading the errno of interest at the top of the
function.
Reported by: Gert Doering <gert@greenie.muc.de> Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220722204007.7537-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24728.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 22 Jul 2022 13:02:24 +0000 (15:02 +0200)]
Error out if both remap-usr1 SIGHUP and config stdin are used
OpenVPN for Android uses config stdin to avoid writing the config
file containing private keys to 'disk'. However using stdin means
that config cannot be reread using SIGHUP. While there might be other
corner cases that trigger SIGHUP, this is an obvious one, so we
error out if we detect this misconfiguration.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220722130224.2442759-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24720.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 24 Jun 2022 08:38:01 +0000 (10:38 +0200)]
tun: extract close_tun_handle into its own fucntion and print correct type
This moves closing the tun handle into its own function and also prints
the adapter type we are operating on, instead hardcoding it to
tap-windows.
While at it, set the handle to NULL after closing, to prevent a double
close due to multiple invocations of this helper.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220624083809.23487-18-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24527.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
This helper encloses the (simple) logic used by OpenVPN to determine if
the name passed to --dev has to be considered a fixed interface name or
just a pattern.
Having a helper is useful because when this logic is required elsewhere,
we can just re-use this logic without duplicating the code (which may
mean introducing bugs if a future logic change should not update all
spots).
The logic is actually fairly simple: check if the name contains a number
(i.e. tun0). If so, consider the name a fixed device name.
While at it make has_digit() accept a signed argument because strings
are normally signed (also isdigit() accepts a signed argument).
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220712221655.19333-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24676.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
This new API can be used to retrieve the type of a specific interface.
It's mostly platform dependant, but right now expected values are
"ovpn-dco", "tun" or "tap".
Other values are possible too, but they are not of interest to us.
This commit also extends the networking unit-test by using the newly
introduced API in conjunction with iface_new and iface_del.
The t_net.sh script has been slightly adapted to allow running these
tests in standalone (as they don't require any iproute2 counterpart).
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220713124332.16147-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24688.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
If 'max-clients' is set multi_create_instance() can return NULL (for any
client that would take us over the client limit).
If mi is NULL we don't add it to the hash map, but we do potentially
dereference it to increment the session count.
Do not attempt to do so if 'mi == NULL'.
Signed-off-by: Kristof Provost <kprovost@netgate.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220713083404.13227-2-kprovost@netgate.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24678.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
When using DCO iroutes and routes all live in the same routing table,
However, the latter should always come after the former.
for this reason assign a default metric of 200 to routes. iroutes will
later get a metric of 100.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220628185623.1734-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24599.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
tls-crypt-v2: bail out if the client key is too small
The tls-crypt-v2 key should be at least 2 bytes long in order to read
the actual length. Bail out if the key is too short.
This looks like it could be abused to trigger a read of uninitialized
memory, but after close checking it won't:
We read from BEND(), so this is defined for TCP since the minimum
length there is 3 bytes (pkt len + opcode)
For UDP we might read past the beginning of the packet but since they
are buffers coming from the packet stack we have the headroom/tailroom,
so might read some random data (but not out of bound!).
So we copy some more or less random number into net_len/wkc_len but without
actually reading from undefined memory.
The next line will then almost definitively fail (buf_advance()).
While at it improve the error message a bit.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220628094144.17471-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24580.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Fri, 13 May 2022 09:37:40 +0000 (11:37 +0200)]
signal --dns support in peer info
Have clients set a bit in IV_PROTO, so that servers can make an informed
decision on whether to push --dns to the client. While unknown options
are ignored by clients when pushed, they generate a warning in the log.
That can be circumvented by server backends by checking if bit 7 is set.
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20220513093740.1091639-1-heiko@ist.eigentlich.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24350.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Fri, 27 May 2022 01:24:57 +0000 (03:24 +0200)]
dns: also (re)place foreign dhcp options in env
Override DNS related foreign_options with values set by the --dns
option. This is done so that scripts looking for these options continue
to work if only --dns option were pushed, or the values in the
--dhcp-options differ from what's pushed in --dns.
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220527012457.1819262-5-heiko@ist.eigentlich.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24432.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Tue, 24 May 2022 09:19:16 +0000 (12:19 +0300)]
Set o->use_peer_id flag for p2p mode
There are two flags to indicate peer-id usage, one is
in tls_multi struct and another one is in options.
For P2P mode we don't set this flag in options,
which is used in MTU calculation. As a result,
automatically calculated MSS value in P2P mode is wrong,
Fix by bring use_peer_id flag in options and tls_multi
into sync for P2P.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20220524091916.145-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24430.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Martin Janů [Fri, 10 Jun 2022 12:04:05 +0000 (12:04 +0000)]
Update the replay-window backtrack log message
The man pages reference a logging message which has been rephrased
in ac1310528a248c99e039e7afaf48724ad1b7f10e. This commit updates the
man page message to reflect the change for improved grep-ability.
Signed-off-by: Martin Janů <martin.janu@protonmail.com> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <SVrvuTydxR6Qs_mvwvG7mqT8iLV0inlcCMXoenZTMI8M0LkosV4pZsH9m_XCTwcRWAPN5H8Zdro0ubhJrnSp6v5KC2ZNAL9So0Y2SKiSe7g=@protonmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24472.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Fri, 27 May 2022 01:24:56 +0000 (03:24 +0200)]
rename foreign_option() and move it up
Add setenv_ prefix to foreign_option funtion so it is more obvious what
it does. Move it further up within options.c, so it is defined before
all future callers. Also declare all argv strings const.
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220527012457.1819262-4-heiko@ist.eigentlich.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24436.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Fri, 27 May 2022 01:24:54 +0000 (03:24 +0200)]
remove foreign_option() call for IPv6 DNS servers
The call survived since the initial commit 94bfc256d, where it was added
as a fallback, since no IPv6 DNS server handling was implemented at the
time. Now there's dhcp_option_dns6_parse() which adds the servers to the
tuntap options, just like how it is done with the v4 servers.
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220527012457.1819262-2-heiko@ist.eigentlich.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24433.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 23 May 2022 10:35:46 +0000 (12:35 +0200)]
Translate OpenSSL 3.0 digest names to OpenSSL 1.1 digest names
Since we used the OpenSSL <=1.1 names as part of our OCC message, they
are now unfortunately part of our wire protocol.
OpenSSL 3.0 will still accept the "old" names so we do not need to use
this translation table for forward lookup, only for returning the name
with md_kt_name()
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20220523103546.3425388-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24423.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 16 May 2022 10:48:07 +0000 (12:48 +0200)]
Implement ED448 and ED25519 support in xkey_provider
OpenSSL's implementation of ED448 and ED25519 has a few idiosyncrasies.
Instead of belonging to the elliptic curve type or to a common Edwards
curve type, ED448 and ED25519 have each their own type.
Also, OpenSSL expects signatures using these curves to be done with the
EVP_DigestSign API instead of the EVP_Sign API but using md=NULL.
This has been tested using a "fake" external key that used a normal
software key instead of a hardware implementation but that makes no
difference from the perspective of xkey_provider/management interface.
Patch v2: remove name functions from ed448/ed25519, ensure md is NULL
for ed448/ed25519 and handle NULL/none better in general.
Patch v3: do not pass NULL as string for the OSSL params.
Heiko Hund [Tue, 17 May 2022 21:01:21 +0000 (23:01 +0200)]
pre-commit: uncrustify based on staged changes
Previously the generated patch was based on the file(s) in the working
directory. This is a problem if you have not to be commited changes
there and these changes fix formatting issues that exist in the staging
area. This effectively circumventes the script from rejecting the
commit.
An example:
git add file.c
git commit
... pre-commit hooks complains about formatting ...
... you fix the file manually, forget to git add ...
git commit
... succeeds, even though the commit still has issues ...
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20220517210121.1312072-1-heiko@ist.eigentlich.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24376.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
projects / thirdparty / openvpn.git / log
