Selva Nair [Wed, 26 Oct 2022 18:55:43 +0000 (14:55 -0400)]
Purge auth-token as well while purging passwords
Starting from commit e61b401a auth-token is saved in a separate struct
from auth-user-pass and is not cleared when ssl_purge_auth() is called.
This makes "forget-passwords" sent to the management
interface or "--management-forget-disconnect" option not to work
as expected.
Purging caused by --auth-nocache is not affected
(auth-token is retained in that case as it should be).
Use case:
For Pre-Logon access and persistent connections on Windows, use of
"forget-passwords" before disconnect is probably the only way to
ensure that no credentials are left behind. Note that openvpn.exe
continues to run after disconnect in these cases.
Also, the original intent of "forget-passwords" appears to be to
clear all "passwords" that can be used to reconnect.
v2:
- call ssl_clean_auth_token() directly from manage.c instead
of amending ssl_purge_auth()
- Add a comment that ssl_purge_auth() does not clear auth-token
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221026185543.5378-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25460.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ecad4839caf4c2fab9c6627ceeca9b9cb32e8929)
Selva Nair [Sun, 23 Oct 2022 19:51:05 +0000 (15:51 -0400)]
Ensure --auth-nocache is handled during renegotiation
Currently, clearing auth_user_pass struct is delayed until
push-reply processing to support auth-token. This results in
username/password not purged after renegotiations that may
not accompany any pushed tokens -- say, when auth-token is not
in use.
Fix by always clearing auth_user_pass soon after it is used,
instead of delaying the purge as in pre-token days. But, when
"pull" is true, retain the username in auth_token in anticipation
of a token that may or may not arrive later.
Remove ssl_clean_user_pass() as there is no delayed purge any
longer -- auth-nocache handling is now done immediately after
writing username/password to the send-buffer.
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20221023195105.31714-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25452.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3a4fb17d103be37599d72d072bbee42cc121a39d)
Arne Schwabe [Thu, 17 Feb 2022 18:22:34 +0000 (19:22 +0100)]
Fix OpenVPN querying user/password if auth-token with user expires
The problematic behaviour happens when starting a profile without
auth-user-pass and then connecting to a server that pushes auth-token.
When the auth token expires OpenVPN asks for auth User and password
again (but it shouldn't).
The problem is that the auth_user_pass_setup sets
auth_user_pass_enabled = true; This function is called from two places.
In ssl.c it is only called with an auth-token present or that
variable already set. The other one is init_query_passwords.
Move setting auth_user_pass_enabled to the second place to ensure it is
only set if we really want passwords.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: David Sommerseth <davids@openvpn.net> Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20221009130805.1556517-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25367.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry-picked from commit 7d291e10bccd1d6b9e584307fb5fe3ebfb114ec9)
Arne Schwabe [Thu, 8 Sep 2022 16:14:35 +0000 (18:14 +0200)]
Change command help to match man page and implementation
Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220908161435.327109-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25151.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 2b4f3ea880377401275baf965ff603f30cde36f1)
Allow a few levels of recursion in virtual_output_callback()
Without this, replies to commands from the management client
are sometimes lost if the server is writing when a command
comes in and leads to a recursive call to this function.
For some reason I've not been able to trigger this on Linux,
but it does sometimes happen on Windows during intense write
activity by openvpn.exe sending log lines to the management
client.
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220728034508.15180-2-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24751.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 4dfd592ff1ee18aa4859264c8a341dfa1a291988)
When auth-token verify succeeds during a reauth, other auth
methods (plugin, script, management) are skipped unless
external-auth is in effect (skip_auth gets set to true).
However, in this case, the status of management-def-auth
(ks->mda_status) stays at its default value of ACF_PENDING
and will never change. This causes TLS keys to go out of sync
and an eventual client disconnect.
Further, a message saying username/password authentication is
"deferred" gets logged which is misleading.
For example:
test/127.0.0.1:35874 TLS: Username/auth-token authentication
succeeded for username 'test'
followed by
test/127.0.0.1:35874 TLS: Username/Password authentication
deferred for username 'test' [CN SET]
Fix by setting ks->mda_status to ACF_DISABLED, and do not
set ks->authenticated = KS_AUTH_DEFERRED when skip_auth is true.
Also log a warning message when token is marked as expired on
missing the reneg window.
Do not skip ERROR:/SUCCESS: response from management interface
Generally we expect a response of SUCCESS: or ERROR: to every
command sent to the management interface. But, while in
the management-hold state, sending "signal foo" returns only
the following reply (with foo = SIGHUP, SIGUSR1 etc.):
>HOLD:Waiting for hold release:0
Fix by always responding
ERROR: signal 'foo' is currently ignored"
followed by the above line.
Though this is seldom seen in practice[*], such violation of the
protocol could stall clients like the GUI. So fix it.
[*] One way this happens is with SIGHUP sent before the daemon
is on hold state which it enters before the SIGHUP is received.
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220728034508.15180-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24750.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 579b78e22feab7fe7cc627355cbb270cd91aebb4)
tls-crypt-v2: bail out if the client key is too small
The tls-crypt-v2 key should be at least 2 bytes long in order to read
the actual length. Bail out if the key is too short.
This looks like it could be abused to trigger a read of uninitialized
memory, but after close checking it won't:
We read from BEND(), so this is defined for TCP since the minimum
length there is 3 bytes (pkt len + opcode)
For UDP we might read past the beginning of the packet but since they
are buffers coming from the packet stack we have the headroom/tailroom,
so might read some random data (but not out of bound!).
So we copy some more or less random number into net_len/wkc_len but without
actually reading from undefined memory.
The next line will then almost definitively fail (buf_advance()).
While at it improve the error message a bit.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220628094144.17471-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24580.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 462339a45089ef655faf02232d7d792def9b8afb)
Martin Janů [Fri, 10 Jun 2022 12:04:05 +0000 (12:04 +0000)]
Update the replay-window backtrack log message
The man pages reference a logging message which has been rephrased
in ac1310528a248c99e039e7afaf48724ad1b7f10e. This commit updates the
man page message to reflect the change for improved grep-ability.
Signed-off-by: Martin Janů <martin.janu@protonmail.com> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <SVrvuTydxR6Qs_mvwvG7mqT8iLV0inlcCMXoenZTMI8M0LkosV4pZsH9m_XCTwcRWAPN5H8Zdro0ubhJrnSp6v5KC2ZNAL9So0Y2SKiSe7g=@protonmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24472.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 98cbd2914cb728bfaa6ce36a968e944555c57d53)
Arne Schwabe [Fri, 3 Jun 2022 09:52:19 +0000 (11:52 +0200)]
Allow running a default configuration with TLS libraries without BF-CBC
Modern TLS libraries might drop Blowfish by default or distributions
might disable Blowfish in OpenSSL/mbed TLS. We still signal OCC
options with BF-CBC compatible strings. To avoid requiring BF-CBC
for this, special this one usage of BF-CBC enough to avoid a hard
requirement on Blowfish in the default configuration.
This patch is cherry-picked from 79ff3f79 and the missing
ciphername = "none"; has been added in the OCC code.
Due to uncrustify complains, a few extra whitespace fixes had to be
done to options.c.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220603095219.637361-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24456.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 23 May 2022 10:35:45 +0000 (12:35 +0200)]
Translate OpenSSL 3.0 digest names to OpenSSL 1.1 digest names
Since we used the OpenSSL <=1.1 names as part of our OCC message, they
are now unfortunately part of our wire protocol.
OpenSSL 3.0 will still accept the "old" names so we do not need to use
this translation table for forward lookup, only for returning the name
with md_kt_name()
Arne Schwabe [Tue, 19 Oct 2021 18:31:22 +0000 (20:31 +0200)]
Add message when decoding PKCS12 file fails.
Currently we never display the OpenSSL error stack when decoding a
PCKS12 file fails. With LibreSSL defaulting to RC2-40-CBC, the failure
might not be a wrong password but can actually be an unsupported encoding,
seeing the error stack is really helpful (example from OpenSSL 3.0):
Arne Schwabe [Fri, 13 May 2022 08:36:35 +0000 (10:36 +0200)]
Remove dependency on BF-CBC existance from test_ncp
The test_check_ncp_ciphers_list test assumed that BF-CBC is always
available, which is no longer the case with OpenSSL 3.0. Rewrite the
test to not rely on BF-CBC to be available.
Arne Schwabe [Thu, 12 May 2022 12:14:28 +0000 (14:14 +0200)]
Fix allowing/showing unsupported ciphers and digests
This is a minimal version to hide the non-supported ciphers in these
show-cipher/show-digests listings. It also adds code to the kt_md_get/
kt_cipher_get functions to error out early instead of getting an ugly
backtrace with OpenSSL errors later when actually trying to use the
ciphers.
This allows make check to work again on with OpenSSL 3.0.
The changes are kept minimal to avoid pulling in all the other refactoring
for OpenSSL 3.0.
This commit is partly cherry-picked from ab3f32b9.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220512121429.2096164-7-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24334.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
This is a cherry-pick to release2.5 from 0df2261da. The OpenSSL engine
tests fail otherwise and it is good to have the same behaviour as in
master/2.6
This allows to select engine support at configure time. For OpenSSL 1.1 the
default is not changed and we detect if engine support is available.
Engine support is deprecated in OpenSSL 3.0 and for OpenSSL 3.0 the default
is to disable engine support as engine support is deprecated and generates
compiler warnings which in turn also break -Werror.
By using --with-openssl-engine=no or --with-openssl-engine=yes engine
support can be forced on or off. If it is enabled but not detected an
error will be thown.
This commit cleans up the configure logic a bit and removes the
ENGINE_cleanup checks as we can just assume that it will be also
available as macro or function if the other engine functions are
available. Before the cleanup we would only check for the existance
of engine.h if ENGINE_cleanup was not found.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220512121429.2096164-6-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24332.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Wed, 4 May 2022 09:13:05 +0000 (12:13 +0300)]
Fix M_ERRNO behavior on Windows
We use M_ERRNO flag in logging to display error code
and error message. This has been broken on Windows,
where we use error code from GetLastError() and
error description from strerror(). strerror() expects
C runtime error code, which is quite different from
last error code from WinAPI call. As a result, we got
incorrect error description.
The ultimate fix would be introducing another flag
for WinAPI errors, like M_WINERR and use either that or
M_ERRNO depends on context. However, the change would be
quite intrusive and in some cases it is hard to say which
one to use without looking into internals.
Instead we stick to M_ERRNO and in Windows case we
first try to obtain error code from GetLastError() and
if it returns ERROR_SUCCESS (which is 0), we assume that
we have C runtime error and use errno. To get error
description we use strerror_win32() with GetLastError()
and strerror() with errno.
strerror_win32() uses FormatMessage() internally, which
is the right way to get WinAPI error description.
This commit is the backport of 54800aa975418fe3570f3206a5f9b277dc59bd47,
adjusted for the different code base related to socket errors (print
socket file descriptor) in x_check_status().
Arne Schwabe [Fri, 29 Oct 2021 11:24:07 +0000 (13:24 +0200)]
Add insecure tls-cert-profile options
The recent deprecation of SHA1 certificates in OpenSSL 3.0 makes it
necessary to reallow them in certain deployments. Currently this works
by using the hack of using tls-cipher "DEFAULT:@SECLEVEL=0".
Add "insecure" as option to tls-cert-profile to allow setting a seclevel of 0.
Patch v4: fix default accidentially changed to insecure
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Message-Id: <20211029112407.2004234-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23076.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 23efeb7a0bd9e0a6d997ae6e77e0e04170da3e67)
On most systems limits.h is pulled in by some other header and thus no
error is ever triggered, but it's possible to find the right environment
which lackis this and prevents compiling auth-pam.c (possibly when using
LibreSSL).
Include the header explicitly as it includes the definition of PATH_MAX.
(note that this bug is fixed in Gentoo since 2020 by including a custom
patch, but apparently the issue was never reported upstream)
Reported-by: Michelangelo Scopelliti <kernelpanic@gmx.com> Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220421131909.32053-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24136.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 0fed64a91d894b46105bf7e8b16edea4d90ab70c)
t_net.sh: delete dummy iface using iproute command
A dummy interface cannot be deleted using --rmtun because openvpn tries
to send some ioctl (i.e. TUNSETPERSIST) which is not supported by this
device type. This results in the following error:
2022-04-07 09:59:29 Cannot ioctl TUNSETPERSIST(0) ovpn-dummy0: Bad file
descriptor (errno=9)
2022-04-07 09:59:29 Exiting due to fatal error
and the interface is not deleted.
Use iproute to generically delete an interface.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220407081555.25228-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24086.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 976e6caf0e161d3c787e1378cec44608c17b292a)
networking_iproute2: don't pass M_WARN to openvpn_execve_check()
openvpn_execve_check() expects a set of flags as third argument and not
a loglevel. For this reason, if no FATAL behaviour is expected, we
should simply pass 0. openvpn_execve_check() will then pick the
appropriate loglevel on its own.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220407201411.22486-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24090.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 545f6bdea30e04a09b118c4e1faf6523544fd935)
Lev Stipakov [Thu, 17 Mar 2022 13:57:28 +0000 (15:57 +0200)]
vcpkg-ports: remove openssl port
We've added functionality to openvpn-build
f83f21ef "windows-msi: add ability to specify port overlays in
openvpn-build"
(which is used for release building) to use overlay ports, which
enables us to build releases with updated ports (like openssl)
without making changes to openvpn repo. This means that openssl port
overlay from this repo could be removed.
Developers can still use openvpn repo for Windows development and
use whatever openssl version is provided by vcpkg official repo. When
we need to build a release and the latest openssl is not there, we add
port overlay to openvpn-build.
While on it, bump vcpkg commit id in github actions.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220317135728.183-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23993.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Simon Rozman [Mon, 22 Mar 2021 07:43:59 +0000 (08:43 +0100)]
tapctl: Resolve MSVC C4996 warnings
wcsncat() was declared unsafe in favour of wcsncat_s(). However, the
string concatenation follows the string length check, making wcsncat()
safe too. Code analysis is just not smart enough (yet) to detect this.
The code was refactored to use wcscat_s() MSVC is considering as "safe".
Signed-off-by: Simon Rozman <simon@rozman.si> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210322074359.527-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21774.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e5e9a07e8baee4065b7dfd65736bfa77b8329cfc)
preprocessor definitions. I don't feel like replacing strdup (which is
correct POSIX function) and inet_ntoa (we always pass IPv4 address to
it, inet_ntop will make code more complex)
Above issues were discovered by bitskim.
Before applying this patch, this one must be applied from master:
networking: use OPENVPN_ETH_ALEN instead of ETH_ALEN
With the introduction of SITNL two occurrences of ETH_ALEN
were introduced in the code. This define exists on Linux in
the linux/if_ether.h header, however the latter is included
in linux/if_tun.h which may or may not exist (depending on
how old your system is).
If the system lacks if_tun.h then the compilation fails because
ETH_ALEN cannot be found.
For this reason, swap ETH_ALEN with OPENVPN_ETH_ALEN which is
already used in other places of the code.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220223080628.4773-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23882.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 8d487b4cc5b896cff5277adef6dd491b5918381f)
Lev Stipakov [Wed, 16 Mar 2022 13:54:11 +0000 (15:54 +0200)]
vcpkg-ports\pkcs11-helper: shorten patch filename
"make dist" uses 'tar -o' which breaks on long filenames:
tar:
openvpn-2.5.6/contrib/vcpkg-ports/pkcs11-helper/0003-config-w32-vc.h.in-ind
icate-OpenSSL-EC-support.patch:
file name is too long (max 99); not dumped
tar: Exiting with failure status due to previous errors
and then "make dist" continues.
Make filename shorter to make tar happy.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220316135411.217-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23977.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 2047522286f179cac09bd7615bf845d67a5dc1c8)
Lev Stipakov [Wed, 16 Mar 2022 08:09:12 +0000 (10:09 +0200)]
vcpkg-ports: add openssl 1.1.1n
Since vcpkg official repo doesn't have openssl 1.1.1n yet,
add own port - just copy files from vcpkg\ports\openssl (excluding
unix and uwp directories) and replace 1.1.1m with 1.1.1n, not
forgetting about SHA512.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220316080912.118-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23972.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
The plug-in API in OpenVPN 2.x is not designed for running multiple
deferred authentication processes in parallel. The authentication
results of such configurations are not to be trusted. For now we bail
out when this is discovered with an error in the log.
CVE: 2022-0547 Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20220313193154.9350-3-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23931.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 282ddbac54f8d4923844f69983b38dd2b813a00a)
Gert Doering [Tue, 22 Feb 2022 11:38:32 +0000 (12:38 +0100)]
Fix --mtu-disc maybe|yes on Linux.
--mtu-disc (on Linux) needs two components to work:
- setsockopt() with IP_MTU_DISCOVER or IPV6_MTU_DISCOVER
- "extended error reporting" (setsockopt(IP_RECVERR) and
then via mtu.c/format_extended_socket_error()) to react on
"packet too big" errors on sendto() / sendmsg()
Some configure.ac reorganization broke detection of <linux/errqueue.h>
and "struct sock_extended_err". Re-add <linux/errqueue.h> to configure.ac,
remove all the other conditionals in syshead.h, and remove the
"struct sock_extended_err" check completely (assumption: if errqueue.h
exists, it contains what we need).
Thus, the "non-helpful" socket error message turns into:
2022-02-22 12:31:42 write UDPv4 [EMSGSIZE Path-MTU=800]: Message too long (fd=3,code=90)
2022-02-22 12:31:42 Note adjusting 'mssfix 1400 mtu' to 'mssfix 800 mtu' according to path MTU discovery
2022-02-22 12:31:42 Note adjusting 'fragment 1400 mtu' to 'fragment 800 mtu' according to path MTU discovery
... while at it, fix extra space in first part of these messages, and
print o->ce.fragment for the "fragment" message...
v2: assume that "if it's linux, and has these two headers, everything
else will be there as well" and get rid of most of the #ifdef checks
Trac: #1452
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220222113832.13383-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23863.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 4225114b96723bdecd68398f7a89765879b31b5d)
doc/options: clean up documentation for --proto and related options
The family specific options were generally omitted.
Cc: David Sommerseth <openvpn@sf.lists.topphemmelig.net> Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20220215145425.1989-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23798.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ba9a07a69db3ddb63fceac05b92a000d9b1c805e)
Lev Stipakov [Tue, 8 Feb 2022 11:49:05 +0000 (13:49 +0200)]
msvc: cleanup
Remove unused macros for dependency directories,
since dependencies are handled by vcpkg.
Remove unused .bat files.
Reported-by: Frank Lichtenheld <frank@lichtenheld.com> Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220208114905.100-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23730.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ff5723c4ddfee28564500d28a1bd78766171ea3e)
Gert Doering [Fri, 4 Feb 2022 11:42:01 +0000 (12:42 +0100)]
Repair --inactive with 'bytes' argument larger 2Gbytes.
--inactive has an optional 2nd parameter specifiying the number of
bytes that need to be sent/received in the given time window. This
was parsed with atoi(), stored in an 32bit int. atoi() overflows at
2Gbyte (signed int), which makes gcc return "0" and MSVC "2^31-1"
for the value reported in the ticket (10G) - so on gcc, this was
behaving like "not set", while windows builds after 2.5.4 honoured
this setting, and aborted (unexpectedly) due to "not enough traffic".
Fix by increasing word length of all involved variables to int64_t.
While add it, add option printer SHOW_LONG(), and print variable.
This has the potential to break existing setups where this value is
set unreasonably high, thus "impossible to achieve in the interval",
but which was never noticed before due to "overflow, 0, ignored".
Thus, print WARNING if a value >INT_MAX (2Gbyte) is configured.
v2: use atoll(), as atol() is limited to INT_MAX on MSVC, and PRi64
for format string. Rename SHOW_LONG() to SHOW_INT64().
Trac: #1448
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20220204114201.5632-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23720.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit cae1a7fcf14e6ded34ab5a1e8842c3034cc89608)
strcasecmp() was initially declared in string.h and subsequently moved
to strings.h. For historical reasons it still exists in string.h, but
would require _DEFAULT_SOURCE to be defined.
Due to the above, just include strings.h as currently dictated by the
manpage.
Fixes the following warning:
keying-material-exporter-demo/keyingmaterialexporter.c:155:14: warning:
implicit declaration of function strncasecmp’; did you mean ‘strncmp’?
[-Wimplicit-function-declaration]
155 | if (!strncasecmp(objbuf, "CN", 2))
| ^~~~~~~~~~~
| strncmp
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220203082620.8186-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23702.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit d93a2b6160759d42d3fbaecc7fc868a7120221ef)
Cc: David Sommerseth <davids@openvpn.net> Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220126124329.14784-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23663.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Fri, 7 Jan 2022 12:35:50 +0000 (14:35 +0200)]
auth_token.c: add NULL initialization
This fixes
error C4703: potentially uninitialized local pointer variable
'b64output' used
found by arm64 msvc compiler with SDL enabled.
Not sure why this is not triggered on x86/x64.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220107123550.188-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23511.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 4b6073b8253dafeb425361fb55bab0f2cdc5474f)
Arne Schwabe [Mon, 13 Dec 2021 15:09:50 +0000 (16:09 +0100)]
Move deprecation of SWEET32/64bit block size ciphers to 2.7
We originally wanted to deprecated these ciphers (especially BF-CBC) with
2.6 but currently these ciphers are still too widespread to make this
transition for 2.6.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211213150950.3993881-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23402.html
Lev Stipakov [Mon, 13 Dec 2021 13:58:14 +0000 (15:58 +0200)]
config-msvc.h: indicate key material export support
MSVC build uses OpenSSL from vcpkg, which at the moment
is 1.1.1l. Key material export was added to 1.1.1, so it is safe
to indicate its support unconditionally.
2.5 does not have tls-ekm yet, but it has the generic keying material
exporter framework, which was only enabled in MinGW builds. Fix.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211213135814.265-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23395.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Tue, 7 Dec 2021 13:04:36 +0000 (14:04 +0100)]
Move '--push-peer-info' documentation from 'server' to 'client options'
While --push-peer-info can be configured on the server, it's not really
intended for that, and it ended in the "SERVER OPTIONS" section by
mishap. Fix that.
Reported-by: Stella Ashburne <rewefie@gmx.com> Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20211207130436.22187-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23325.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 883cd6f4031ef9920580f0862594acbb45e4b0b8)
Lev Stipakov [Wed, 24 Nov 2021 10:08:38 +0000 (12:08 +0200)]
vcpkg/pkcs11-helper: compatibility with latest vcpkg
Starting from commit 21b2dbd3 "[scripts-audit] nmake buildsystem"
vcpkg has removed NO_DEBUG support from nmake buildsystem
and now builds debug variant unconditionally. Debug flags contradict
build options hardcoded in pkcs11 nmake script (like /O2).
Remove hardcoded release options and other options which
are (also) set by vcpkg nmake buildsystem.
Bump vcpkg commit in GitHub actions.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211124100838.861-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23253.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e832658a6d7a78c97fc53a78faeda31419583529)
Lev Stipakov [Wed, 24 Nov 2021 16:03:47 +0000 (18:03 +0200)]
ring_buffer.h: fix GCC warning about unused function
With register_ring_buffers() being declared as "static" in header file,
all translation units, which include that header, got a copy of that
function.
This causes GCC warning
warning: "register_ring_buffers" defined but not used [-Wunused-function]
when compiling C files which include header, but don't use function.
Add "inline" keyword to silence this warning.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211124160347.1245-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23260.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 71371f04afa6eba3ea02a67590a70e018cf203e5)
Lev Stipakov [Fri, 19 Nov 2021 01:55:48 +0000 (03:55 +0200)]
Load OpenSSL config on Windows from trusted location
Commits
- 92535b6 ("contrib/vcpkg-ports: add openssl port with
--no-autoload-config option set (CVE-2121-3606)")
- 447cfb4 ("crypto_openssl.c: disable explicit initialization on Windows
(CVE-2121-3606)")
disabled OpenSSL config loading functionality, which could be
exploited by loading config from untrusted locations.
This feature might be useful for some users. This brings it back
and sets OpenSSL enviroment variables
OPENSSL_CONF, OPENSSL_ENGINES, OPENSSL_MODULES
which are used to load config, engines and modules, to a trusted location.
The location is constructed based on installation path, read from registry
on startup.
If installation path cannot be read, Windows\System32 is used as a
fallback.
While on it, remove unused "bool impersonate_as_system();" declaration.
Trac: #1296
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20211119015548.687-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23248.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 23e6aaef149bd31a7e80af28ee1e3658d2810d4f)
In 2da29362 (Improve the documentation for --dhcp-option, 2020-08-16),
`foreign_option_{n}` became plural between the first and second versions
of the patch. Correct it.
Signed-off-by: Todd Zullinger <tmz@pobox.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211122114104.4814-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23217.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit aee54a47142c13a29c2b59142e944fd448a406d9)
doc link-options.rst: Use free open-source dynamic-DNS provider URL
Trac: #1417
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211103202014.1121244-2-tincantech@protonmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23095.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 2c2e13d9ecdd1364c6a05ad77cea2840c015aa56)
Gert Doering [Wed, 17 Nov 2021 06:44:42 +0000 (07:44 +0100)]
Include --push-remove in the output of --help.
"push-remove" has been in OpenVPN since 2.4, but managed to stay hidden
from the "--help" output. Add.
Reported-by: mike tancsa <mike@sentex.net> Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20211117064442.15899-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23194.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 2a555c3aafcc8cf238a803d25971938ed75b518d)
For subnet topology use "offset 0" as default for
calculating DHCP server address, which makes it equal
to the network address.
There is no know reason why non-zero default offset
is needed. Besides, offset -1 breaks subnet /30 case,
which in some cases is pushed by OpenVPN Cloud product.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211109015927.311-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23156.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7df6583d76fc2ff485186ede75f00c9b7dc3e42c)
Selva Nair [Sat, 23 Oct 2021 00:07:06 +0000 (20:07 -0400)]
Ensure the current common_name is in the environment for scripts
When username-as-common-name is in effect, the common_name
is "CN" from the certificate for auth-user-pass-verify. It gets
changed to "username" after successful authentication. This
changed value gets into the env when client-connect script is
called.
However, "common_name" goes through the cycle of being
"CN", then "username" during every reauth (renegotiation).
As the client-connect script is not called during reneg, the changed
value never gets back into the env. The end result is that the
disconnect script gets "common_name=<CN>" instead of the username.
Unless no reneg steps have happened before disconnect.
(For a more detailed analysis see
https://community.openvpn.net/openvpn/ticket/1434#comment:12)
Fix by adding common_name to env whenever it changes.
Trac: #1434
Very likely applies to #160 as well, but that's too old and
some of the relevant code path has evolved since then.
Same as commit fa5ab2438a in master, except for the context change
due to PF.
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211023000706.25016-2-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23050.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
ENABLE_DEBUG is on, but I do not think we want it in production build
(removed).
S_IRGRP is not defined but seems to be used. I have added it, remove if
not required.
This define is based on mingw and matches MS docs on <filesystem>
(https://docs.microsoft.com/en-us/cpp/standard-library/filesystem-enumerati
ons?view=msvc-160)
Trac: #1430
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20211015184733.16988-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22943.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Wed, 6 Oct 2021 09:07:09 +0000 (12:07 +0300)]
Fix loading PKCS12 files on Windows
Starting from 2.5.4 we have switched to MSVC builds,
including dependencies such as OpenSSL.
When we link with natively-built OpenSSL .DLLs
(not cross compiled with MinGW), we are expected to include
applink.c, which provides glue between OpenSSL BIO layer
and compiler run-time. This doesn't apply to ARM64.
Failure to do that results in "no OPENSSL_Applink" fatal error
when calling, for example, d2i_PKCS12_fp(), which we do when
loading PKCS12 files.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211006090709.200-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22920.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit af5de933a0633436e0fe00c42464f4a7ab5ac509)
Lev Stipakov [Sun, 26 Sep 2021 06:10:46 +0000 (09:10 +0300)]
GitHub Actions: remove Ubuntu 16.04 environment
Starting from 20th of September, GitHub has removed Ubuntu 16.04
environment from Actions. Safely remove it from our build script
where we already have Ubuntu 18.04 and 20.04.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210926061046.212-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22904.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c3b16d7a35a2fd1ee4a70418fddc7c1dd9539dc3)
networking: add networking API net_addr_ll_set() and use it on Linux
When running in TAP mode we may need to set the LL address of the
interface, if requested by the user.
This operation was overlooked when implementing the networking API and
it still relies on iproute/net-tools being installed.
Basically this means that when compiling OpenVPN on a system without
iproute2/net-tools and the user uses the "lladdr" config directive,
OpenVPN will fail to se the LL address of the interface.
With this patch a new API is introduced, it is implemented for both
SITNL and iproute2 backends, and called on Linux (this is a combination
of three patches in master).
Reported-by: Jan Hugo Prins <jprins@betterbe.com> Signed-off-by: Antonio Quartulli <a@unstable.cc> Tested-by: Jan Hugo Prins <jprins@betterbe.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210903161113.30498-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22792.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 98f524cbd58d24d09dee26160d7386d710c3564f)
(cherry picked from commit cb5d29461e6e734a2250b984b8423d39f7b9ddaa)
(cherry picked from commit 7205cdd8508be0ec9a83ea2e012e2a495157cad0)
On some systems the rst2{man,html} executables may have a slightly
different name, like rst2{man,html}.py.
Add this name variation to the Generic Programs check.
This specific variation is found on Gentoo Linux.
Cc: David Sommerseth <davids@openvpn.net> Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210827144807.27004-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22777.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b61d1988582feb2e1ed1cf9e62700f484e0bc150)
The IV_HWADDR description was only partially correct, as there are more
implementations using other values than the MAC address of the default
gateway.
The intention of this value is to provide a unique identifier of the
client and on some platforms this is not possible to retrieve other than
to generate this information.
The 64 bytes limitation is an arbitrary value, it is not enforced by
OpenVPN 2.x. But it was considered a good idea to at least have some
reasonable upper limit of how long this string can be, at least for
those implementing support for this information.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210709134849.161728-1-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22625.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 51d85a9d287f44c373eaa514c6a52e1078c27c43)
David Sommerseth [Wed, 30 Jun 2021 18:51:34 +0000 (20:51 +0200)]
doc: Use generic rules for man/html generation
Prior to this patch, the Makefile.am needs to be modified multiple
places to add a new man or HTML page to be generated. Since it is not
too often we modify this, it is easy to miss these finer details.
This changes the man and HTML generator rules to be more generic and use
variables as many places as possible. Also moved all the lines which
should not need to be changed as much towards the bottom-half of the
file.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210630185134.144826-1-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22604.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 37cf98fa224a2ae5fc5cfa380bdb291e90d6413d)
projects / thirdparty / openvpn.git / log
