Lev Stipakov [Wed, 30 Oct 2019 12:44:59 +0000 (14:44 +0200)]
Fix broken fragmentation logic when using NCP
This is the 2.4 backport of master patch (commit d22ba6b).
NCP negotiation replaces worst case crypto overhead
with actual one in data channel frame. That frame
params are used by mssfix. Fragment frame still contains
worst case overhead.
Without this patch, fragmentation logic incorrectly uses
max crypto overhead when calculating packet size. It exceeds
fragment size and openvpn peforms fragmentation:
> sudo tcpdump port 1194
13:59:06.956394 IP server.fi.openvpn > nat2.panoulu.net.openvpn: UDP,
length 652
13:59:06.956489 IP server.fi.openvpn > nat2.panoulu.net.openvpn: UDP,
length 648
This patch fixes fragmentation calculation by
setting actual crypto overhead, and no unnecessary
fragmentation is performed:
> sudo tcpdump port 1194
13:58:08.685915 IP server.fi.openvpn > nat2.panoulu.net.openvpn: UDP,
length 1272
13:58:08.686007 IP server.fi.openvpn > nat2.panoulu.net.openvpn: UDP,
length 1272
Trac #1140
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1572439499-16276-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18975.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
mbedtls: fix segfault by calling mbedtls_cipher_free() in cipher_ctx_free()
Commit ("openssl: Fix compilation without deprecated OpenSSL 1.1 APIs")
has removed the cipher_ctx_cleanup() API, as it is not anymore required
to be a distinct call. However, while doing so it also touched the
mbedtls backend in a wrong way causing a systematic segfault upon
connection.
Basically mbedtls_cipher_free(ctx) was moved from the defunct
cipher_ctx_cleanup()
to md_ctx_free(), while it was supposed to go into cipher_ctx_free().
This was clearly wrong as also the type of the ctx variable was not
correct anymore.
Fix this mistake by actually moving mbedtls_cipher_free(ctx) to
cipher_ctx_free().
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20190816204945.7937-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18781.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 2a74fc3f66bb9f73fc957719d187256922ca003f)
openssl: Fix compilation without deprecated OpenSSL 1.1 APIs
EVP_CIPHER_CTX_init and _cleanup were deprecated in 1.1 and both were
replaced with _reset.
EVP_CIPHER_CTX_free in OpenSSL 1.1 replaces the cleanup/free combo of
earlier OpenSSL version. And OpenSSL 1.0.2 already calls cleanup as part
of _free.
Therefore we can remove the _cleanup calls and use the OpenSSL 1.1. API
everywhere.
Also removed initialisation with OpenSSL 1.1 as it is no longer
needed and causes compilation errors when disabling deprecated APIs.
Same with SSL_CTX_set_ecdh_auto as it got removed.
Patch V3: Use EVP_CIPHER_CTX_reset instead of init/cleanup
Signed-off-by: Rosen Penev <rosenp@gmail.com> Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Rosen Penev <rosenp@gmail.com> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20190724152934.9884-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18700.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 8a01147ff77e4ae2e377744b89fbe4b6841b2bb0)
Gert Doering [Wed, 9 Oct 2019 09:52:00 +0000 (11:52 +0200)]
Fix IPv6 routes on tap interfaces on OpenSolaris/OpenIndiana
The "route add" code always used "metric 0" on OpenSolaris, because
(on tun interfaces) it was required to make the route work on
"non-ethernet" interfaces (connected, no NDP).
This breaks routes via tap interfaces on recent Solaris versions
(tested on OpenIndiana 2019) - there, routes only work if metric
is != 0 (or just not set). Otherwise it tries to map the gateway
address to a local address and fails.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20191009095200.9337-2-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18906.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 01b3a48c29df6dc4bade3d8fb7903346a3f77887)
Gert Doering [Sun, 20 Oct 2019 15:00:39 +0000 (17:00 +0200)]
Force combinationation of --socks-proxy and --proto UDP to use IPv4.
Our current socks.c code does not handle IPv6 + UDP mode (socket
negotiated with server is IPv4-only, addresses passed in the
packets are IPv4-only). If this combination is specified, print
an explanatory message and force IPv4-only.
While at it, extend socks.c code to print address+port of auxiliary
UDP connection to SOCKS server (helps debugging).
Trac: #1221
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20191020150039.21516-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18952.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 57623b4e40e68de983b9dfd82914dadcbe096f7b)
For PSS padding, CNG requires the digest to be signed
and the digest algorithm in use, which are not accessible
via the rsa_sign and rsa_priv_enc callbacks of OpenSSL.
This patch uses the EVP_KEY interface to hook to
evp_pkey_sign callback if OpenSSL version is > 1.1.0.
Mapping of OpenSSL hash algorithm types to CNG is moved
to a function for code-reuse.
To test, both the server and client should be built with
OpenSSL 1.1.1 and use TLS version >= 1.2
Tested on Windows 7 client against a Linux server.
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1564346061-5683-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18715.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Matthias Andree [Sun, 18 Aug 2019 11:18:11 +0000 (13:18 +0200)]
Fix regression, reinstate LibreSSL support.
OpenVPN 2.4.6 could be compiled with LibreSSL, 2.4.7 cannot. This was
broken
since 9de7fe0a "Add support for tls-ciphersuites for TLS 1.3".
This patch avoids using TLS 1.3 directly, be it that OpenSSL was compiled
without TLS 1.3 support, or LibreSSL was used.
This patch was based on an OpenBSD patch by
Jeremie Courreges-Anglas <jca@openbsd.org>, see
https://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/net/openvpn/patches/patch-s
rc_openvpn_ssl_openssl_c
but was revised to be more obvious and check actual feature macros,
do not rely on current LibreSSL implementation details alone.
Franco Fichtner reports that OPNsense has been a long-time user
of LibreSSL without reported breakage, see also:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238382#c10
Signed-off-by: Matthias Andree <matthias.andree@gmx.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20190818111811.8853-2-matthias.andree@gmx.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18790.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Thu, 15 Aug 2019 15:53:19 +0000 (17:53 +0200)]
Increase listen() backlog queue to 32
For reasons historically unknown, OpenVPN sets the listen() backlog
queue to "1", which signals the kernel "while there is one TCP connect
waiting for OpenVPN to handle it, refuse all others" - which, on
restarting a busy TCP server, will create connection issues.
The exact "best" value of the backlog queue is subject of discussion,
but for a server that is not extremely busy with many connections
coming in in parallel, there is no real difference between "10" or "500",
as long as it's "more than 1".
Found and debugged by "mjo" in Trac.
Trac: #1208
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20190815155319.28249-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18758.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6d8380c78bf77766454b93b49ab2ebf713b0be48)
Hilko Bengen [Mon, 18 Feb 2019 15:31:28 +0000 (16:31 +0100)]
Do not set pkcs11-helper 'safe fork mode'
From the pkcs11-helper API documentation about pkcs11h_setForkMode():
> This funciton is releavant if PKCS11H_FEATURE_MASK_THREADING is
> set. If safe mode is on, the child process can use the loaded
> PKCS#11 providers but it cannot use fork(), while it is in one of
> the hooks functions, since locked mutexes cannot be released.
As far as I can tell, pkcs11-helper functionality is not used in a
child process that is created after initialization. Even if OpenVPN is
turned into a daemon, the pkcs11-helper library is only initialized
after calling possibly_become_daemon(), i.e. in the child process. All
other uses of fork() are immediately followed by an exec()
This simple change fixes the symptoms described in both
<https://community.openvpn.net/openvpn/ticket/538> (hang on password
prompt when systemd support is enabled) and
<https://community.openvpn.net/openvpn/ticket/1157> (hang on
initialization with newer versions of pkcs11-helper).
I have successfully tested that this makes the described symptoms go
away. For this, I used a YubiKey NEO on Debian/stable, a rebuild of
OpenVPN 2.4.6 and two versions of libpkcs11-helper:
- libpkcs11-helper 1.21-1 from Debian/stretch
- a backport of libpkcs11-helper 1.25-1 from Debian/buster Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20190218153129.3818-1-bengen@hilluzination.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18218.html
Gert Doering [Fri, 5 Jul 2019 13:00:01 +0000 (15:00 +0200)]
repair windows builds (2.4)
commit 0c1cc8d65539f removed "DWORD len;" from service_enable_dhcp(),
but that variable is far from "unused" - breaking compilation.
The problem here was that it's a larger "cleanup compiler warnings"
patch which was fully correct for master, but this particular function
looks different in release/2.4 because the whole iservice call
refactoring patch isn't in release/2.4 - so master does not need the
DWORD len, but release/2.4 does.
More care needed with "warning cleanup"...
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20190705130001.30741-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18652.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 5 Jul 2019 11:42:43 +0000 (13:42 +0200)]
Remove -no-cpp-precomp flag from Darwin builds
GCC 9 no longer accepts this flag and trying to find out what it does do
leads to an article
"-no-cpp-precomp: the compiler flag that time forgot"
that also no longer on the Internet. And most other things are
PRs/commits from over ten years ago that remove the flag since it
is no longer needed. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190705114243.9481-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18650.html
Michal Soltys [Tue, 9 Apr 2019 14:34:38 +0000 (16:34 +0200)]
man: correct the description of --capath and --crl-verify regarding CRLs
The man page states that when using --capath, the user is required to
provide CRLs for CAs. This is not true and providing CRLs is optional -
both in case of --capath as well as --crl-verify options. When relevant
CRL is not found OpenVPN simply logs the warning in the logs while
allowing the connection, e.g.:
VERIFY WARNING: depth=0, unable to get certificate CRL
This patch clarifies the behavior.
Signed-off-by: Michal Soltys <soltys@ziu.info> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20190409143438.25348-2-soltys@ziu.info>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18343.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b3cfc43da3583ae8aa761beb29f016311b2ba64f)
Lev Stipakov [Tue, 30 Oct 2018 08:53:35 +0000 (10:53 +0200)]
Fix various compiler warnings
This patch fixes "unused variable/unreferenced format parameter"
warnings in different places, kudos to Visual Studio compiler
for discoveing some of those.
This also also removes unneeded uninit_management_callback_multi()
wrapper.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1540889615-24868-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17855.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 91ba1add2f8f231a7ccf4557cdd593547e625723)
The mock_msg.h file was not enlisted in the _SOURCES lists in
Makefile.am for the unit tests. This caused the mock_msg.h file to not
be present in the .tar.gz file created by 'make dist'.
This was not noticed earlier as we haven't really tried much to run git
clone of the cmocka project manually in vendor/ from an unpacked
tarball.
With this fix the cmocka unit tests can also run from tarballs, with
manually extracting/fetching the cmocka source code in vendor/cmocka.
Signed-off-by: David Sommerseth <davids@openvpn.net> Cc: Steffan Karger <steffan.karger@foxcrypto.com>
----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----
How to test:
- Create a tarball: make distcheck (or just 'dist')
- Extract openvpn-2.4.*.tar.gz in a clean directory
- cd openvpn-2.4.*/vendor
- git clone https://git.cryptomilk.org/projects/cmocka.git
- cd ..
- ./configure
- make check
- Observe that the cmocka unit tests ran as expected
Depending on the CMake version, you might want to check out cmocka git
commit b2732b52202ae48f; which is the one we use in the git submodule. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190507200434.24931-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18430.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Fri, 12 Apr 2019 20:20:20 +0000 (22:20 +0200)]
docs: Update INSTALL
The INSTALL file contained several minor errors, typos and was generally
not up-to-date in regards to what ./configure provides today. In
addition, several URL references have moved around to new homes.
This is just a backport of git master 6099ab67122429c0 adjusting for the
slight changes in release/2.4. The contents is the same as git master,
as it is still valid for v2.4.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190412202020.24045-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18364.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Ubuntu Trusty reaches End of Life on April 30, 2019
Let us switch to xenial. Also, it simplifies mingw builds.
We do not need to add xenial mingw manually anymore
David Sommerseth [Wed, 20 Feb 2019 13:19:06 +0000 (14:19 +0100)]
cleanup: Remove RPM openvpn.spec build approach
Linux packaging is quite a comprehensive task these days, with many
Linux distributions and each with their own packaging guidelines. In
addition OpenVPN is packaged for most important Linux distributions
already.
The OpenVPN developers is not capable of keeping track of how all the
various recommend packaging guidelines evoloves and our RPM build
process is no longer consistent with guidelines from Fedora, RHEL or
SUSE packaging. We also don't receive any updates improving this
situation. Most likely due to packaging being handled fairly well by
the Linux distributions directly.
In addition comes systemd into play, which more and more Linux
distributions embraces - and even our own RPM openvpn.spec file didn't
account for that move.
This removes all RPM related packaging files and updates the INSTALL
file with pointers to several popular Linux distributions with
accessible information of the OpenVPN packages they provide. Linux
distributions is most likely much better at keeping the packaging
up-to-shape much better than we.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190220131906.22970-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18222.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 57ec6cec85b92e6af35a7871d105d84a753d6549)
Selva Nair [Fri, 1 Mar 2019 05:32:24 +0000 (00:32 -0500)]
Better error message when script fails due to script-security setting
- Add a new return value (-2) for openvpn_execve() when external
program execution is not allowed due to a low script-security
setting.
- Add a corresponding error message
Errors and warnings in such cases will now display as
"WARNING: failed running command (<cmd>) :" followed by
"disallowed by script-security setting" on all platforms
instead of the current
"external program did not execute -- returned error code -1"
on Windows and
"external program fork failed" on other platforms.
The error is FATAL for some scripts and that behaviour is unchanged.
This helps the Windows GUI to detect when a connection failure
results from a safer script-security setting enforced by the GUI,
and show a relevant message.
Note: Same as commit 01a3c876d4911 in master except for
script_security() --> script_security and context change:
run_command.[ch] --> misc.[ch]
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1551418344-16317-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18259.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Thomas Quinot [Fri, 1 Feb 2019 20:43:48 +0000 (21:43 +0100)]
Fix documentation of tls-verify script argument
The second argument is the entire subject DN, not just the CN. Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20190201204348.22326-1-openvpn-devel=lists.sourceforge.net@thomas.quinot.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18195.html
Selva Nair [Tue, 22 Jan 2019 15:50:32 +0000 (10:50 -0500)]
White-list pull-filter and script-security in interactive service
This allows the Windows GUI to use these options on the command
line without triggering user authorization errors.
Useful for
(i) ignoring certain pushed options such as "route-method" which
could otherwise bypass the interactive service
(ii) enforcing a safer script-security setting from the GUI
See also:
https://github.com/OpenVPN/openvpn-gui/issues/235#issuecomment-456142928
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1548172232-11268-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18154.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 0d94d433438f239ff7cf0749f765a503c698f5e8)
Simon Rozman [Tue, 16 Oct 2018 10:26:27 +0000 (12:26 +0200)]
Detect TAP interfaces with root-enumerated hardware ID
This patch extends the TAP interface enumerating to detect the TAP
interfaces registered using "root\tap0901" hardware ID. Before, only TAP
interfaces with legacy "tap0901" HWID were detected by openvpn.exe.
The openvpnmsica.dll and tapctl.exe install TAP interfaces using root-
enumerated HWIDs, and were not detected by openvpn.exe. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181016102627.18676-5-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17762.html
Gert Doering [Fri, 7 Dec 2018 12:33:03 +0000 (13:33 +0100)]
Add 'printing of port number' to mroute_addr_print_ex() for v4-mapped v6.
For whatever reason, this function never printed port numbers for
IPv6 addresses (but it did for IPv4) - which creates a bit of
confusion for IPv6-mapped v4 addresses on a dual stack socket,
that will have ports numbers printed or not, depending on whether
it's a dual-stack v6 socket or single-stack v4.
This will not(!) add printing of port numbers for "proper" v6
addresses yet, because that might have adverse side effects to address
parsing elsewhere.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20181207123303.70827-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17996.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 4543b13b8540836f6faf67a03b5358bb8bb94a4a)
Arne Schwabe [Wed, 10 Oct 2018 14:30:51 +0000 (16:30 +0200)]
Fallback to password authentication when auth-token fails
Under some circumstances, the auth-token stored by a client may not
be valid anymore.
For example, if the server is restarted, the client will try to
reconnect and resend the old token during authentication. Unfortunately
this attempt will fail, because the server does not keep track of tokens
used during previous runs.
With the current behaviour, depending on how auth-retry was configured,
the client will either just quit, prompt the user for username and password
as the original values are overwritten by the token, or endelessly fail
authentication by sending the old token over and over.
This patch changes the behaviour of the client so that, upon failed
authentication using a token, it will drop the token, perform a soft
restart (USR1) and attempt re-authenticating with the original password
provided by the user if auth-nocache was not specified.
Patch V3: remove all server changes, include only minimal non
intrusive client changes that only improve error recovery but don't
change overall behaviour.
Patch V4: forget add push.c to git index, now also included
Patch V5: is fixing overlong lines and one minor style problem.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20181010143051.27163-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17718.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e61b401ac50d2a9cfabf0289811ad14cf3bd2751)
Arne Schwabe [Wed, 26 Sep 2018 12:01:59 +0000 (14:01 +0200)]
Add message explaining early TLS client hello failure
In my tests an OpenSSL 1.1.1 server does not accept TLS 1.0 only clients
anymore. Unfortunately, Debian 8 still has OpenVPN 2.3.4, which is
TLS 1.0 only without setting tls-version-min.
We currently log only
OpenSSL: error:14209102:SSL
routines:tls_early_post_process_client_hello:unsupported protocol
which indicates the right technical error but is not very helpful to a
person without deep knowledge in SSL/TLS and OpenVPN's TLS version
history.
This commit adds a hopefully helpful message and also tells users how
to fix the old Debian 8 clients. The error message will be displayed on
the server side only.
Note that connecting with an OpenSSL 1.1.1 client to a TLS 1.0 only
server works fine.
This behaviour is also not specific to OpenVPN. Using an openssl s_client
with the -tls1 option against an openssl s_server exhibits the same
behaviour.
Patch V2: fixed message grammar, use tls-version-min 1.0 and clarify
2.3.6 and older to be actually between 2.3.2 and 2.3.6
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20180926120159.19874-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17491.html Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit d31946881a561217d926c5e7a965af12a0a2eaf6)
bufferlist_* functions have no documentation whatsoever and the name is
not always enough to fully understand what the function is doing.
For this reason and for the sake of having better documented code, add
function doc in buffer.h.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20181010083731.31132-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17701.html Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit e72b2f2ce062c76c6ab658b7ae961f8b81cba307)
Arne Schwabe [Thu, 11 Oct 2018 22:06:39 +0000 (00:06 +0200)]
Use right function to set TLS1.3 restrictions in show-tls
The last version of the patch used the TLS1.2 version
tls_ctx_restrict_ciphers to set the restrictions for both
TLS 1.3 and TLS1.2 instead of using tls_ctx_restrict_ciphers_tls13
for TLS1.3.
Also fix minor style problem while I am touching the function Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181011220639.7316-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17755.html
Arne Schwabe [Wed, 10 Oct 2018 15:36:24 +0000 (17:36 +0200)]
Add better support for showing TLS 1.3 ciphersuites in --show-tls
--show-tls shows mixed TLS 1.3 and TLS 1.2 ciphers. The listed ciphers
are only valid in either --tls-cipher or --tls-ciphersuites, but it's
not clear which is which. This is confusing and not really helpful.
This patch modifies show-tls to show separate lists for TLS 1.2 and
TLS 1.3.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20181010153624.27957-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17723.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7aeabadd69fca0071152c42d58fee0b565f01eb3)
Lev Stipakov [Thu, 11 Oct 2018 11:51:42 +0000 (14:51 +0300)]
options.c: fix broken unary minus usage
In Visual Studio when unary minus is applied to unsigned,
result is still unsigned. This means that when we use result
as function formal parameter, we pass incorrect value.
Fix by introducing frame_remove_from_extra_frame(),
which makes code semantically more clear and eliminates
the need in negative value and cast.
Since GCC didn't complain (and users too :), it probably performed
cast to signed automatically.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1539258702-15427-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17739.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ed31cf2ab718d879615dea81e6a17d26537ab43a)
Arne Schwabe [Sun, 7 Oct 2018 21:55:39 +0000 (23:55 +0200)]
Add support for tls-ciphersuites for TLS 1.3
OpenSSL 1.1.1 introduces a separate list for TLS 1.3 ciphers. As these
interfaces are meant to be user facing or not exposed at all and we
expose the tls-cipher interface, we should also expose tls-cipherlist.
Combining both settings into tls-cipher would add a lot of glue logic
that needs to be maintained and is error prone. On top of that, users
should not set either settings unless absolutely required.
OpenSSL's own s_client/s_server also expose both settings and I believe
most other software will too:
-cipher val Specify TLSv1.2 and below cipher list to be used
-ciphersuites val Specify TLSv1.3 ciphersuites to be used
For mbed TLS only the future can tell if we will see a combined or also
two separate lists. Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20181007215539.32761-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17626.html
Samy Mahmoudi [Sun, 7 Oct 2018 22:35:47 +0000 (00:35 +0200)]
man: correct a --redirection-gateway option flag
Replace "servers" with "peers" in the description
of the --redirection-gateway option flag local. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181007223544.GA2246@t520.my.lan>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17630.html
Steffan Karger [Sun, 7 Oct 2018 17:52:15 +0000 (19:52 +0200)]
Don't print OCC warnings about 'key-method', 'keydir' and 'tls-auth'
Like 'proto', a mismatch in key-method, keydir or tls-auth would fail
before we ever get to the point where we can print this warning.
This prepares for removing these from the occ string later on, but also
prepares for tls-crypt-v2, which allows a server to support tls-auth and
tls-crypt-v2 connections in parallel. Such a server will send 'keydir'
and 'tls-auth' in the occ string. This change removes the spurious
warnings about that in the client log.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181007175215.25009-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17618.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3baae9ba52187166b7d0b05901732666477a2acb)
Gert Doering [Sun, 19 Aug 2018 20:07:03 +0000 (22:07 +0200)]
Fix combination of --dev tap and --topology subnet across multiple platforms.
--topology should have no effect in tap mode (tap is always "subnet"),
but due to the way options are checked, setting "topology subnet" caught
an improper branch on all non-linux and non-win32 platforms.
Easily tested by adding "--topology subnet" to a "--dev tap" t_client
test.
Tested, verified, and fixed on FreeBSD 10.4, NetBSD 7.0.1, OpenBSD 6.0,
and OpenSolaris 10. Compile-tested on MacOS X.
Trac: #1085
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20180819200703.20362-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17414.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Sat, 6 Oct 2018 00:08:15 +0000 (20:08 -0400)]
Pass the hash without the DigestInfo header to NCryptSignHash()
In case of TLS 1.2 signatures, the callback rsa_priv_enc() gets
the hash with the DigestInfo prepended. Signing this using
NCryptSignHash() with hash algorithm id set to NULL works in most cases.
But when using some hardware tokens, the data gets interpreted as the pre
TLS 1.2 MD5+SHA1 hash and is silently truncated to 36 bytes.
Avoid this by passing the raw hash to NCryptSignHash() and let it
add the DigestInfo.
To get the raw hash we set the RSA_sign() method in the rsa_method
structure. This callback bypasses rsa_priv_enc() and gets called with
the hash type and the hash.
- Move setting RSA_sign method from ssl_ctx_set_rsakey() to its
right place in SSL_CTX_use_CryptoAPI_certificate(). The former
function is only in master and appeared when the code was
refactored for EC cert support.
- Remove the stale comment about NULL hash algorithm pointed out by Gert.
Except for the context change of one hunk, the patch is the same as
for master and nothing extra is pulled-in.
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1538784495-24988-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17579.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Fri, 5 Oct 2018 13:58:49 +0000 (15:58 +0200)]
Fix --disable-crypto build
Commit d2ff5164 was fine for the master branch, but broke the 2.4 build if
the --disable-crypto configure options was used (which is removed in the
master branch).
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181005135849.28718-1-steffan@karger.me>
URL: https://www.mail-archive.com/search?l=mid&q=20181005135849.28718-1-steffan@karger.me Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Tue, 2 Oct 2018 20:01:13 +0000 (16:01 -0400)]
Enable dhcp on tap adapter using interactive service
Currently, if dhcp on the TAP interface is disabled, OpenVPN
on Windows tries to enable it using netsh but that succeeds only when
run with admin privileges.
When interactive service is available, delegate this task to the
service.
Trac: #1111
Tested on Windows 7
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Lev Stipakov <lstipakov@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1538510474-27602-2-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17517.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b4fc8bbd6b1d0211dd6982c4accedfbe4ae7e3ed)
Arne Schwabe [Fri, 5 Oct 2018 12:23:30 +0000 (14:23 +0200)]
Add OpenSSL compat definition for RSA_meth_set_sign
Commit 6b495dc4c5cfc118091ddc9c19330b3c9e3e3dff introduced
RSA_meth_set_sign, which is OpenSSL 1.1.0 and newer. Add a compatibility
definition. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181005122330.31431-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20181005122330.31431-1-arne@rfc2549.org
Lev Stipakov [Thu, 20 Sep 2018 13:12:34 +0000 (16:12 +0300)]
Refactor NCP-negotiable options handling
NCP negotiation can alter options. On reconnect
client sends possibly altered options while server
expects original values. This leads to warnings
in log and, if server uses --opt-verify, breaks
reconnect.
Fix by decouple setting/unsetting NCP options from
the state of TLS context. At startup (and once per sighup)
we load original values to c->c1, which persists over
sigusr1 (restart). When tearing tunnel down we restore
(possibly altered) options back to original values.
Trac: #1105
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1537449154-26879-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17477.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 5fa25eeb7fefdbb17ad639d72fe46f393989159f)
systemd: extend CapabilityBoundingSet for auth_pam
Auth_pam will require audit writes or the connection will be rejected
as the plugin fails to initialize like:
openvpn[1111]: sudo: unable to send audit message
openvpn[1111]: sudo: pam_open_session: System error
openvpn[1111]: sudo: policy plugin failed session initialization
See links from https://community.openvpn.net/openvpn/ticket/918 for
more.
auth_pam is a common use case and capabilties for it should be allowed
by the .service file.
Fixes: #918 Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20180829142715.417-2-christian.ehrhardt@canonical.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17432.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a564781cfd9912d0f755394d1fa610706d93e707)
Steffan Karger [Wed, 29 Aug 2018 13:49:43 +0000 (15:49 +0200)]
Fix memory leak after sighup
The c.es env_set is (re)allocated for each "sighup loop iteration", while
it was free'd only once at process shutdown. Move the env_set_destroy()
call to match the same level as the env_set_create() call to fix that.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1535550583-21825-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17429.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7170bef507bfe74ceb4a12f8f10df4d2d6ad39c9)
Steffan Karger [Wed, 29 Aug 2018 12:04:46 +0000 (14:04 +0200)]
mbedtls: print warning if random personalisation fails
... instead of when it doesn't fail. Looks like 'someone' mixed up the
mbedtls return style (0 means success) with the openvpn internal return
style (true means success).
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <1535544286-29638-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17428.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit dd1da0e485a3d161feb5230b6aa57df11ea72705)
Selva Nair [Tue, 21 Nov 2017 01:43:25 +0000 (20:43 -0500)]
Correct the declaration of handle in 'struct openvpn_plugin_args_open_return'
- This is an opaque pointer so the change should not affect
existing plugins. But it makes the code consistent and clears up
the documentation as the handle pointer is treated as of type
"openvpn_plugin_handle_t" in the rest of the code.
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <1511228605-23207-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15908.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a2f43c2d6f086e7aa8b6160793f0c462ee9d6aa7)
Simon Rozman [Thu, 19 Apr 2018 11:23:13 +0000 (13:23 +0200)]
Add Interactive Service developer documentation
The OpenVPN Interactive Service documentation from
https://community.openvpn.net/openvpn/wiki/OpenVPNInteractiveService was
upgraded with a description of the client-service communication flow,
service registry configuration, and non-default instance installation.
Steffan Karger [Sun, 3 Jun 2018 10:11:56 +0000 (12:11 +0200)]
man: add security considerations to --compress section
As Ahamed Nafeez reported to the OpenVPN security team, we did not
sufficiently inform our users about the risks of combining encryption
and compression. This patch adds a "Security Considerations" paragraph
to the --compress section of the manpage to point the risks out to our
users.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1528020718-12721-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16919.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a59fd1475089eda4c89942d345070bb942180223)
Gert Doering [Sat, 14 Apr 2018 07:26:17 +0000 (09:26 +0200)]
Fix potential double-free() in Interactive Service (CVE-2018-9336)
Malformed input data on the service pipe towards the OpenVPN interactive
service (normally used by the OpenVPN GUI to request openvpn instances
from the service) can result in a double free() in the error handling code.
This usually only leads to a process crash (DoS by an unprivileged local
account) but since it could possibly lead to memory corruption if
happening while multiple other threads are active at the same time,
CVE-2018-9336 has been assigned to acknowledge this risk.
Fix by ensuring that sud->directory is set to NULL in GetStartUpData()
for all error cases (thus not being free()ed in FreeStartupData()).
Rewrite control flow to use explicit error label for error exit.
Discovered and reported by Jacob Baines <jbaines@tenable.com>.
Gert van Dijk [Sat, 11 Nov 2017 16:11:21 +0000 (17:11 +0100)]
manpage: improve description of --status and --status-version
Signed-off-by: Gert van Dijk <gert@gertvandijk.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20171111161122.30087-1-gert@gertvandijk.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15818.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 308c9d7f001a97daebcccf503f255947c0e09183)
Selva Nair [Tue, 6 Mar 2018 06:09:28 +0000 (01:09 -0500)]
Avoid overflow in wakeup time computation
Time interval arithmetic can overflow especially when user
defined intervals are involved. E.g., see Trac #922.
Avoid this by reordering the arithmetic operation in
event_timeout_trigger(). Also avoid unnecessary casting of time
variable to int.
Time until wakeup is now calculated like:
time_t wakeup = (last - now) + delay
Here delay is of type int, but is +ve by construction. Time backtrack
protection in OpenVPN ensures (last - now) <= 0. Then the above
expression cannot overflow (provided time_t is at least as large
as int).
A similar expression in interval.h is also changed.
(This patch grew out of patch 168 by Steffan Karger.)
Steffan Karger [Thu, 4 Jan 2018 12:07:50 +0000 (13:07 +0100)]
Check for more data in control channel
If control channel packets arrive quickly after each other, or out of
order, there might be more data available than we can read in one
tls_process() call. If that happened, and no further control channel
packet arrived (e.g. because the last two packets arrived out-of-order),
we would wait for 16 second ("coarse timer") before we would read the
remaining data. To avoid that, always schedule ourself again if there
was control channel data, to check whether more data is available.
For mbedtls, we could implement a slightly more elegant "is there more
data?" function, instead of blindly rescheduling. But I can't find a way
to implement that for OpenSSL, and the current solution is very simple and
still has quite low overhead.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1515067670-13094-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16151.html Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit b00d56e1b0cf4d71dc4944ef14ea7eca2fc8c519)
Joost Rijneveld [Wed, 28 Feb 2018 13:52:40 +0000 (14:52 +0100)]
Make return code external tls key match docs
In tls_ctx_use_external_private_key, the return codes were inverted
compared to what is documented in ssl_backend.h (and what can
reasonably be expected). Internally the return code is never checked,
so this did not directly result in any change of behavior. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20180228135240.22945-1-joost@joostrijneveld.nl>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16577.html
Simon Matter [Fri, 2 Mar 2018 07:49:31 +0000 (08:49 +0100)]
Add missing #ifdef SSL_OP_NO_TLSv1_1/2
Release/2.4 supports older OpenSSL versions than master, so when
cherrypicking f8a92a4393a -> 2d705accea3e53 these code bits should
have received an #ifdef to ensure compatibility (as done for the
same define in other places in 2.4 already). Add them now.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <52e860ea74ac958309368374049f14bd.squirrel@webmail.bi.invoca.ch>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16588.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Wed, 28 Feb 2018 13:19:18 +0000 (14:19 +0100)]
management: Warn if TCP port is used without password
It is not recommended to use --management on a TCP port without also
adding a password authentication, as this can easily be abused by other
users or processes being able to connect to the managmement interface.
Thus issue a warning that this configuration is strongly discouraged.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20180228131918.12954-3-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16574.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 4db7715a3aa62f2e8d8234c1852fb141f62318e2)
Steffan Karger [Wed, 1 Nov 2017 22:03:41 +0000 (23:03 +0100)]
Don't throw fatal errors from create_temp_file()
This function is called in response to connecting clients, and can fail
when I/O fails for some (possibly temporary) reason. In such cases we
should not exit the process, but just reject the connecting client.
This commit changes the function to actually return NULL on errors, and
(where needed) changes the callers to check for and handle errors.
Since the tls-crypt-v2 metadata code also calls create_temp_file() when
clients connect, I consider this a prerequisite for tls-crypt-v2.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20171101220342.14648-4-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15701.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3e0fd2b0471cf4e53959902ca10d88db7a1ef916)
David Sommerseth [Wed, 28 Feb 2018 13:19:17 +0000 (14:19 +0100)]
man: Reword --management to prefer unix sockets over TCP
It is more secure to use unix sockets instead of TCP ports for the
management interface, so reword it and provide some details why TCP is
not recommended.
Also re-arranged this section to be somewhat easier to read and clearer
on a few related details.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20180228131918.12954-2-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16573.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ec100d7e4ce7aaeb731c22b0d86826bf295df6cd)
Steffan Karger [Wed, 7 Feb 2018 12:22:46 +0000 (13:22 +0100)]
mbedtls: don't use API deprecated in mbed 2.7
The void-returning mbedtls_sha256() was deprecated in mbed TLS 2.7.
Use our own md_full() abstraction instead.
(The new function can theoretically fail, but only in case of highly
unlikely digest function failures. The personalisation on random using
the certificate is a best-effort measure, so we simply log a warning and
skip the personalisation if such highly unlikely errors occur.)
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <1518006166-14285-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16445.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f22e89bd2311d3cab511e574746c6f82f1fa1a54)
Selva Nair [Thu, 22 Feb 2018 04:33:37 +0000 (23:33 -0500)]
Fix format spec errors in Windows builds
- Correct an instance of %s used for wchar_t * (should be %ls)
and some %d for DWORD or %lu for int.
- Cast socket descriptor to (int) during i/o as its unsigned int
or int64 in Windows but signed int in other platforms.
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1519274017-19921-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/search?l=mid&q=1519274017-19921-1-git-send-email-selva.nair@gmail.com Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Tue, 20 Feb 2018 20:25:08 +0000 (21:25 +0100)]
Get rid of ax_check_compile_flag.m4
The macro was too new for some of the platforms we still support. In
particular, centos/rhel 6 and opensolaris 10. To work around that, we
introduce our own simpler and more tailored ACL_CHECK_ADD_COMPILE_FLAGS
macro, that not only checks but also sets the flags in CFLAGS if it is
accepted. Since this doesn't use new-and-shine autoconf features, it
should also work on the legacy platforms.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20180220202508.16201-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16515.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6a5d10e96b9ad2f9a9472aeee8cdb7c02fe4d050)
Selva Nair [Wed, 21 Feb 2018 05:38:30 +0000 (00:38 -0500)]
Adapt to RegGetValue brokenness in Windows 7
- RegGetValue with flags = RRF_RT_REG_SZ|RRF_RT_REG_EXPAND_SZ
fails in Windows 7 with an "invalid parameter" error.
Fix by using RRF_RT_REG_SZ alone.
Note: This is not a regression as in no released version did the
service support expandable strings (ones with embedded %FOO%) in
the registry. However, the GUI does expand such strings. The two
can be made consistent by explicitly expanding the strings -- that
is left for a future patch.
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1519191510-3826-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16513.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7de0ee4f6f6f44fab48717e4cc2073ff4e8580f6)
Selva Nair [Wed, 24 Jan 2018 17:31:45 +0000 (12:31 -0500)]
Use lowest metric interface when multiple interfaces match a route
Currently a route addition using IPAPI or service is skipped if the
route gateway is reachable by multiple interfaces. This changes that
to use the interface with lowest metric. Implemented by
(i) Do not over-write the return value with TUN_ADAPTER_INDEX_INVALID in
windows_route_find_if_index() if multiple interfaces match a route.
(ii) Select the interface with lowest metric in adapter_index_of_ip()
instead of the first one found when multiple interfaces match.
Reported by Jan Just Keijser <janjust@nikhef.nl>
Signed-off-by: Selva Nair <selva.nair@gmail.com> Tested-by: Jan Just Keijser <janjust@nikhef.nl> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1516815105-17882-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16347.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3854d4040e0d6fd2a58292e8bb1c1fbae5c17bb1)
Selva Nair [Sat, 18 Nov 2017 17:40:58 +0000 (12:40 -0500)]
Make most registry values optional
Not all installations need registry values such as log_dir and
config_dir especially if automatic service is not in use.
This patch provides reasonable defaults for registry values.
- Read the default value of HKLM\Software\PACKAGE_NAME to get the
install path and construct defaults for exe_path, config_dir,
log_dir from it. Use "ovpn", "0", NORMAL_PRIORITY as the defaults
for config file extension, log-append flag and process priority.
The only remaining required registry entry is the root key (usually
HKLM\Software\OpenVPN) whose default value should be set to the
installation path.
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1511026858-23281-2-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15892.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit db04bca6729e9fe1ea60f0b3bd0329244a6ed611)
Selva Nair [Sat, 18 Nov 2017 17:40:57 +0000 (12:40 -0500)]
Ensure strings read from registry are null-terminated
- Strings stored in registry are not guaranteed to be null-terminated.
So, use RegGetValue() instead of RegQueryValueEx() as the former
adds null termination to the returned string if missing.
(Needs Windows Vista+)
- While at it also add a default value parameter to GetRegString()
to process optional registry values (such as ovpn_admin_group)
without causing an otherwise confusing error logged to the
eventlog[*].
[*] see Trac: #892
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1511026858-23281-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15893.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b1263b06db40f21a8fd20e0efd0c12e37ce89a2c)
Arne Schwabe [Wed, 31 Jan 2018 09:53:00 +0000 (10:53 +0100)]
show the right string for key-direction
V2: print also a nice string if direction is not set
V3: really include V2 changes Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1517392380-21597-1-git-send-email-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16415.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7f7f00da88eeea847da57f4f34c66c1f4a935a73)
Steffan Karger [Thu, 1 Feb 2018 15:45:21 +0000 (16:45 +0100)]
Enable stricter compiler warnings by default
This by default enables the compiler warnings one could previously
enable using the --enable-strict configure option. I think it is
okay to do so now, because we've taken care of many warnings in the
more standard builds. (Most of those were totally harmless, but they
prevented us from spotting new more serious mistakes.)
The --enable-strict flag now enables two extra warning flags that I
think can be useful:
-Wsign-compare warns when the compiler promotes a signed type to
unsigned before comparing, which can lead to unexpected behaviour.
-Wuninitialized adds extra warnings about usage of uninitialized variables
or struct elements.
Steffan Karger [Sun, 11 Feb 2018 10:19:29 +0000 (11:19 +0100)]
Log pre-handshake packet drops using D_MULTI_DROPPED
We have a debug level packets dropped by the TLS layer - use that for this
packet drop too. This changes this message from 'verb 3' to 'verb 4'
(which should result in less user reports about this almost always
harmless warning).
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20180211101929.4535-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16477.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c215c58f2393e881e16f9805549316a1e257a682)
projects / thirdparty / openvpn.git / log
