Gert Doering [Sun, 20 Oct 2019 15:00:39 +0000 (17:00 +0200)]
Force combinationation of --socks-proxy and --proto UDP to use IPv4.
Our current socks.c code does not handle IPv6 + UDP mode (socket
negotiated with server is IPv4-only, addresses passed in the
packets are IPv4-only). If this combination is specified, print
an explanatory message and force IPv4-only.
While at it, extend socks.c code to print address+port of auxiliary
UDP connection to SOCKS server (helps debugging).
Trac: #1221
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20191020150039.21516-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18952.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Wed, 9 Oct 2019 12:00:43 +0000 (14:00 +0200)]
OpenSolaris/OpenIllumos: use /bin/bash if available for test scripts.
t_client.sh relies on "echo -e" and "echo -n" to produce nicely
looking output, which fails on Solaris /bin/sh - force SHELL=/bin/bash
on recent-enough Solaris variants that have it.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20191009120043.22692-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18914.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Wed, 9 Oct 2019 09:52:00 +0000 (11:52 +0200)]
Fix IPv6 routes on tap interfaces on OpenSolaris/OpenIndiana
The "route add" code always used "metric 0" on OpenSolaris, because
(on tun interfaces) it was required to make the route work on
"non-ethernet" interfaces (connected, no NDP).
This breaks routes via tap interfaces on recent Solaris versions
(tested on OpenIndiana 2019) - there, routes only work if metric
is != 0 (or just not set). Otherwise it tries to map the gateway
address to a local address and fails.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20191009095200.9337-2-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18906.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Wed, 9 Oct 2019 09:51:59 +0000 (11:51 +0200)]
repair tap mode on OpenSolaris/OpenIndiana
commit 611fcbc48 joined the two distinct calls for "add ipv6 address
to tap interface" and "set MTU" for Solaris - but due to peculiarities
on how this platform handles IPv6 addresses ("ifconfig addif" creates
a new "tap0:1" subinterface with the new address - which does not have
a distinct MTU) this does not work.
un-join calls again.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20191009095200.9337-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18905.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 17 Sep 2019 12:33:21 +0000 (14:33 +0200)]
Implement unit tests for auth-gen-token
The unit test is breaking the 80 char limit in some places
but the remaining lines it breaks the limit I feel
forcing the 80 char limit will impair readibility
Patch V2: adapt unit tests to other V2 patches
Patch V4: Resolve rebase conflicts
Patch V5: Add \ lost in rebase that broke compilation
Patch V7: Fix unit test failure, try to stay below 80 Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20190917123321.15993-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18821.html
David Sommerseth [Fri, 27 Sep 2019 22:45:35 +0000 (00:45 +0200)]
auth-token: Fix compiler complaints with --disable-management
When building with --disable-management, the compiler complains with
implicit declaration of function ‘ssl_clean_auth_token’. This is due to
the ssl_clean_auth_token() function being declared inside an #ifdef
ENABLE_MANAGEMENT fence where it should not be.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190927224536.27480-3-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18873.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Fri, 27 Sep 2019 22:45:34 +0000 (00:45 +0200)]
auth-token: Fix building with --disable-server
The final patches of the auth-token hmac support patches had a typo in
the P2MP_SERVER fencing breaking --disable-server builds. It used #if
instead of #ifdef.
While at it, also fix another missing P2MP_SERVER fencing causing the
compiler to complain about an unused variable in push.c
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190927224536.27480-2-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18875.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 17 Sep 2019 12:11:15 +0000 (14:11 +0200)]
Sent indication that a session is expired to clients
This allows OpenVPN 3 core to fall back to the original authentication
method.
This commit changes man_def_auth_set_client_reason to
auth_set_client_reason since it now used in more contexts.
Also remove a FIXME about client_reason not being freed, as it is freed
in tls_multi_free with auth_set_client_reason(multi, NULL);
Patch V4: Rebase on master
Patch V7: Rebase on master Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20190917121115.13966-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18820.html
Arne Schwabe [Tue, 17 Sep 2019 12:10:39 +0000 (14:10 +0200)]
Implement a permanent session id in auth-token
This allows an external authentication method
(e.g. management interface) to track the connection and distinguish a
reconnection from multiple connections.
Addtionally this now also checks to workaround a problem with
OpenVPN 3 core that sometimes uses a username hint from the config
instead of using an empty username if the token would be valid
with an empty username. Accepting such token can be only done
explicitly when the external-auth keyword to auth-gen-token is present.
Patch V2: Add Empty variants to work around behaviour in openvpn 3
Patch V3: document the behaviour of external-auth better in the man page,
rename 'auth' parameter to 'external-auth'
Patch V4: Rebase on current master
Patch V6: Fix tls_lock_username rejecting clients with empty username
when explicitly accepting them with external-auth
Patch V7: Fix compiling with disable-server
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20190917121039.13791-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18819.html
Arne Schwabe [Tue, 17 Sep 2019 12:10:04 +0000 (14:10 +0200)]
Rewrite auth-token-gen to be based on HMAC based tokens
The previous auth-token implementation had a serious problem, especially
when paired with an unpatched OpenVPN client that keeps trying the
auth-token (commit e61b401a).
The auth-token-gen implementation forgot the auth-token on reconnect, this
lead to reconnect with auth-token never working.
This new implementation implements the auth-token in a stateles variant. By
using HMAC to sign the auth-token the server can verify if a token has been
authenticated and by checking the embedded timestamp in the token it can
also verify that the auth-token is still valid.
Using the new config directive auth-gen-token-secret instead of
extending auth-gen-token (--auth-gen-token [lifetime] [secret-key]) was
chosen to allow inlining the secret key.
Patch V2: cleaned up code, use refactored read_pem_key_file function
Patch V3: clarify some design decision in the commit message
Patch V4: Use ephermal_generate_key
Patch V5: Use C99 PRIu64 instead of %lld int printf like statement,
fix strict aliasing
Patch V6: Rebase on master
Patch V7: fix compiling with --disable-server
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20190917121004.13685-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18818.html
t_net.sh: execute sleep after checking exit code of previous command
Ensure to check the exit code of the mktun command *before* running
sleep, otherwise '$?' will resolve to the exit code of sleep itself,
thus nullifying the check.
Reported-by: Steffan Karger <steffan@karger.me> Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190919202257.19405-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18845.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
t_net.sh: wait for NO-CARRIER bit to settle before starting test
Interfaces of type tun are marked as NO-CARRIER when no process is
attached to them. However, this bit gets set with some delay after
creation.
For this reason, it is better to wait for the bit to settle before
starting any test, otherwise any timing influence on the test may lead
to inconsistencies due to the NO-CARRIER bit randomly being or not in
the snapshot output taken by t_net.sh.
This patch add a 'sleep 1' command right after creation of the
interface, to give the NO-CARRIER bit a chance to settle.
This issue has been witnessed on a buildbot that is
apparently slowler than average to run the unit tests.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190919072820.9913-1-a@unstable.cc>
URL: https://www.mail-archive.com/search?l=mid&q=20190919072820.9913-1-a@unstable.cc Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Mon, 9 Sep 2019 08:57:16 +0000 (11:57 +0300)]
tun.h: remove TUN_PASS_BUFFER define
Since the very beginning this define has only
been used together with _WIN32 and code wrapped into it
uses Win32 API, so it could be safely removed and
replaced with _WIN32.
Signed-off-by: Lev Stipakov <lstipakov@gmail.com> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1568019436-28527-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18808.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Fri, 6 Sep 2019 15:40:37 +0000 (18:40 +0300)]
tun.h: change tun_set() return value type to void
This function's return value is never used, so make it void.
Signed-off-by: Lev Stipakov <lstipakov@gmail.com> Acked-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1567784437-25922-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18804.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
With the new networking APIs, each implementation handles garbage
collection internally and therefore does not require a gc object to be
provided by the outer layer.
However, there are a few cases where a garbage collector is still required.
In close_tun() move the declaration and cleanup of gc to the
area where it is used and simplify the surrounding code a bit.
While at it, fix a typo in a nearby ifdef comment.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190805092529.9467-5-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18726.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
networking: extend API for better memory management
Networking backend implementations may need to allocate dynamic
resources that require an explicit free/release.
Since these cleanup are perfomed not very often, and only at specific
times, it makes sense to have the upper layer signal when it's the right
time to do so, by means of a new API call.
For this purpose two news APIs have been implemented:
- net_ctx_free() to release all backend specific resources. Expected to
be called at application cleanup time;
- net_ctx_reset() to let backends release temporary resources (i.e.
reset garbage collectors). To be invoked after routines that
are expected to allocate memory (i.e. tun setup or shutdown).
In this patch related implementations for iproute2 and sitnl are also
provided.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190816202654.19388-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18780.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
mbedtls: fix segfault by calling mbedtls_cipher_free() in cipher_ctx_free()
Commit ("openssl: Fix compilation without deprecated OpenSSL 1.1 APIs")
has removed the cipher_ctx_cleanup() API, as it is not anymore required
to be a distinct call. However, while doing so it also touched the
mbedtls backend in a wrong way causing a systematic segfault upon
connection.
Basically mbedtls_cipher_free(ctx) was moved from the defunct
cipher_ctx_cleanup()
to md_ctx_free(), while it was supposed to go into cipher_ctx_free().
This was clearly wrong as also the type of the ctx variable was not
correct anymore.
Fix this mistake by actually moving mbedtls_cipher_free(ctx) to
cipher_ctx_free().
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20190816204945.7937-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18781.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
openssl: Fix compilation without deprecated OpenSSL 1.1 APIs
EVP_CIPHER_CTX_init and _cleanup were deprecated in 1.1 and both were
replaced with _reset.
EVP_CIPHER_CTX_free in OpenSSL 1.1 replaces the cleanup/free combo of
earlier OpenSSL version. And OpenSSL 1.0.2 already calls cleanup as part
of _free.
Therefore we can remove the _cleanup calls and use the OpenSSL 1.1. API
everywhere.
Also removed initialisation with OpenSSL 1.1 as it is no longer
needed and causes compilation errors when disabling deprecated APIs.
Same with SSL_CTX_set_ecdh_auto as it got removed.
Patch V3: Use EVP_CIPHER_CTX_reset instead of init/cleanup
Gert Doering [Thu, 15 Aug 2019 15:53:19 +0000 (17:53 +0200)]
Increase listen() backlog queue to 32
For reasons historically unknown, OpenVPN sets the listen() backlog
queue to "1", which signals the kernel "while there is one TCP connect
waiting for OpenVPN to handle it, refuse all others" - which, on
restarting a busy TCP server, will create connection issues.
The exact "best" value of the backlog queue is subject of discussion,
but for a server that is not extremely busy with many connections
coming in in parallel, there is no real difference between "10" or "500",
as long as it's "more than 1".
Found and debugged by "mjo" in Trac.
Trac: #1208
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20190815155319.28249-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18758.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
sitnl: harden strncpy() by forcing arguments to have the same length
At the moment a strcpy() (without length check!) is performed between a
string long IFNAMSIZ bytes and one of 16 bytes. This is ok right now
because IFNAMSIZ is defined as 16, however this bit is not under our
control and may change in he future without us being warned.
For this reason, force both strings to use IFNAMSIZ as size and, since
this constant may not exist on every platform, ensure it is always
defined.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190805092529.9467-2-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18722.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 15 Aug 2019 12:10:52 +0000 (14:10 +0200)]
Fix check if iface name is set
Clang/Android complained
warning: address of array 'rgi6->iface' will always evaluate to 'true'
[-Wpointer-bool-conversion]
if (rgi6->iface)
iface is a char[16]; So its pointer is always true.
we do a CLEAR(rgi6) always before setting this struct and strcpy the
name into iface. So using strlen instead of checking for the pointer
should be the right fix.
Patch V2: use if(strlen > 0) instead of if(strlen)
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20190815121053.18433-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20190815121053.18433-1-arne@rfc2549.org Signed-off-by: Gert Doering <gert@greenie.muc.de>
Hilko Bengen [Mon, 18 Feb 2019 15:31:28 +0000 (16:31 +0100)]
Do not set pkcs11-helper 'safe fork mode'
From the pkcs11-helper API documentation about pkcs11h_setForkMode():
> This funciton is releavant if PKCS11H_FEATURE_MASK_THREADING is
> set. If safe mode is on, the child process can use the loaded
> PKCS#11 providers but it cannot use fork(), while it is in one of
> the hooks functions, since locked mutexes cannot be released.
As far as I can tell, pkcs11-helper functionality is not used in a
child process that is created after initialization. Even if OpenVPN is
turned into a daemon, the pkcs11-helper library is only initialized
after calling possibly_become_daemon(), i.e. in the child process. All
other uses of fork() are immediately followed by an exec()
This simple change fixes the symptoms described in both
<https://community.openvpn.net/openvpn/ticket/538> (hang on password
prompt when systemd support is enabled) and
<https://community.openvpn.net/openvpn/ticket/1157> (hang on
initialization with newer versions of pkcs11-helper).
I have successfully tested that this makes the described symptoms go
away. For this, I used a YubiKey NEO on Debian/stable, a rebuild of
OpenVPN 2.4.6 and two versions of libpkcs11-helper:
- libpkcs11-helper 1.21-1 from Debian/stretch
- a backport of libpkcs11-helper 1.25-1 from Debian/buster Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20190218153129.3818-1-bengen@hilluzination.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18218.html
route.c: use sitnl to implement get_default_gateway_ipv6()
get_default_gateway_ipv6() has always been implemented using
netlink, however, now that we have sitnl, we can re-use the
latter and get rid of the netlink code from route.c.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190715144609.19616-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18667.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 5 Jul 2019 11:42:43 +0000 (13:42 +0200)]
Remove -no-cpp-precomp flag from Darwin builds
GCC 9 no longer accepts this flag and trying to find out what it does do
leads to an article
"-no-cpp-precomp: the compiler flag that time forgot"
that also no longer on the Internet. And most other things are
PRs/commits from over ten years ago that remove the flag since it
is no longer needed. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190705114243.9481-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18650.html
Arne Schwabe [Thu, 13 Jun 2019 13:48:30 +0000 (15:48 +0200)]
Add generate_ephemeral_key that allows a random ephermal key
This is useful for features that can use enither a persistent
or an ephemeral key.
Patch V2: Move the functionality of generating a random key into a
separate function that acts as wrapper for pem_read_key_file
Patch V4: Move wrapper functionality to caller and leave only generate
epehermal key functionality in the new function Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20190613134834.5709-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18527.html
Arne Schwabe [Thu, 13 Jun 2019 13:48:29 +0000 (15:48 +0200)]
Implement --genkey type keyfile syntax and migrate tls-crypt-v2
This unifies our key generation and also migrates the generation
of the tls-crypt-v2 keys. Since tls-crypt-v2 is not included in any
released version, we remove the the old syntax without compatibility.
PATCH V4: Introduce warning/error when using --secret with --genkey
Update non code usages to use new --genkey syntax Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20190613134834.5709-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18524.html
Gert Doering [Sun, 23 Jun 2019 18:32:10 +0000 (20:32 +0200)]
Remove cmocka submodule, rely on system-wide installation instead.
We used to ship git submodule instructions to build a local copy of
cmocka in vendor/cmocka/ and use that (if cmake is installed) to build
unit tests. With the network test driver this turns out to be a
LD_LIBRARY_PATH vs. SUDO complication which is really outweighing the
benefit of a local build today - so, use the system-wide installation
if available (querying pgk-config). Do not build unit-tests otherwise.
v2: (inspired by patch from David Sommerseth)
introduce "configure --disable-unit-test" switch
simplify configure.ac logic
use CMOCKA_LIBS and CMOCKA_INCLUDE (set by PKG_CHECK)
v3:
repair conflict with commit 7473f326366fbceb
CMOCKA_INCLUDE is not correct, must be CMOCKA_CFLAGS (see config.status)
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20190623183210.6005-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18570.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Michal Soltys [Tue, 9 Apr 2019 14:34:38 +0000 (16:34 +0200)]
man: correct the description of --capath and --crl-verify regarding CRLs
The man page states that when using --capath, the user is required to
provide CRLs for CAs. This is not true and providing CRLs is optional -
both in case of --capath as well as --crl-verify options. When relevant
CRL is not found OpenVPN simply logs the warning in the logs while
allowing the connection, e.g.:
VERIFY WARNING: depth=0, unable to get certificate CRL
This patch clarifies the behavior.
Signed-off-by: Michal Soltys <soltys@ziu.info> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20190409143438.25348-2-soltys@ziu.info>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18343.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
1) Building the networking unit-test when SITNL is not enabled does not
make much sense right now.
Make compilation dependent on having SITNL configured.
2) Remove some no-op mock_msg function calls.
3) Remove obsolete comment and declarations
Signed-off-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20190618163435.26431-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18556.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
t_net.sh: properly perform sudo check and print test steps
The current script is performing a test on the "kill" command, but this
is not useful to the t_net.sh script as it never really executes it.
Rather test that "sudo <unit-test-binary>" really works.
<unit-test-binary> has to be added to the sudoers file if this test
has to be performend unattanded. The path is:
./unit_tests/openvpn/networking_testdriver
On top of that, print a simple OK for every test that is succesful.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190615230213.14888-2-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18548.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
t_net.sh: make bash dep explicit and run only if SITNL is compiled
The t_net script currently has #!/bin/sh but it implicitly assume to
be using bash.
This is fine on most distros, but some do not have sh pointing to bash
by default, thus breaking the script.
Explicitly use bash to avoid failures.
On the other hand, run this unit-test only if SITNL was enabled at
compile time. This test was designed with SITNL in mind and it is
not yet ready for other backends.
Running only when SITNL is enabled implies running on Linux only
therefore we are guaranteed that bash will always work.
While at it, also add a comment as of why the t_client.rc file is
sourced.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190615230213.14888-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18547.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Sat, 8 Jun 2019 07:56:22 +0000 (09:56 +0200)]
Copy one byte less in strncpynt()
While the existing code is not wrong and will never cause an overflow,
it will copy (on a too-long source string) "maxlen" bytes to dest, and
then overwrite the last byte just copied with "0" - which causes a
warning in gcc 9 about filling the target buffer "up to the end,
with no room for a trailing 0 anymore".
Reducing the maximum bytes-to-be-copied to "maxlen -1", because the
last byte will be stamped with 0 anyway.
v2: do not ASSERT() on "maxlen == 0", but move the strncpy() call inside
the if() clause - so "just do nothing" on maxlen == 0, as before.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20190608075622.11589-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18502.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 10 May 2019 12:11:08 +0000 (14:11 +0200)]
Write key to stdout if filename is not given
This change is preperation for changing the way --genkey works. Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20190510121114.30468-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18445.html
This patch introduces a new unit test that is not executed
by the cmocka framework, but rather used by a new t_net.sh
bash script.
The idea behind this test is to ensure that invoking sitnl
functions or running iproute commands leads to the same
networking (interface and routing table) state.
To achieve this, the t_net.sh script first runs a binary
implemented invoking sitnl functions and then takes a
"screenshot" of the state. Subsequently a series of
iproute commands, expected to mimic exactly the same behaviour
as the sitnl functions invoked before, are executed.
The final state is then compared with the screenshot
previously taken.
If no mismatching is found, the test is passed.
The current unit_test, however, does not cover all the
sitnl functionalities and it is expected to be extended
in the future.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20181219050118.6568-7-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18027.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
This patch introduces a tiny netlink interface, optimized
for the openvpn use case.
It basically exposes all those operations that are currently
handled by directly calling the /sbin/ip command (or even
ifconfig/route, if configured).
By using netlink, openvpn won't need to spawn new processes
when configuring the tun interface or routes.
This new approach will also allow openvpn to be granted
CAP_NET_ADMIN and be able to properly work even though it
dropped the root privileges (currently handled via workarounds).
By moving this logic into the sitnl module, tun.c and route.c
also benefit from some code simplification
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20181219050118.6568-3-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18030.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 24 May 2019 09:02:36 +0000 (11:02 +0200)]
Fix poll.h logic in syshead.h
Commit 62063162 change the include from sys/poll.h to just poll.h but
forgot to also change all occurrences of HAVE_SYS_POLL_H to HAVE_POLL_H. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190524090236.10760-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18475.html
Lev Stipakov [Tue, 30 Oct 2018 08:53:35 +0000 (10:53 +0200)]
Fix various compiler warnings
This patch fixes "unused variable/unreferenced format parameter"
warnings in different places, kudos to Visual Studio compiler
for discoveing some of those.
This also also removes unneeded uninit_management_callback_multi()
wrapper.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1540889615-24868-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17855.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Wed, 8 May 2019 13:52:20 +0000 (15:52 +0200)]
tests: remove dependency on base64
Triggered by the report from Ilya, that if base64 is missing, the tests
would still report success:
Testing tls-crypt-v2 key generation (max length
metadata)..../t_lpback.sh: base64: not found
OK
PASS: t_lpback.sh
The easiest way to fix that, is to remove the dependency on base64 (which
is it's current form wouldn't work on OSX anyway, because their base64
doesn't understand "-w0").
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <E1hON0G-0007yB-3H@sfs-ml-4.v29.lw.sourceforge.com>
URL: https://www.mail-archive.com/search?l=mid&q=E1hON0G-0007yB-3H@sfs-ml-4.v29.lw.sourceforge.com Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Wed, 17 Apr 2019 20:30:15 +0000 (22:30 +0200)]
build: Package missing mock_msg.h
The mock_msg.h file was not enlisted in the _SOURCES lists in
Makefile.am for the unit tests. This caused the mock_msg.h file to not
be present in the .tar.gz file created by 'make dist'.
This was not noticed earlier as we haven't really tried much to run git
clone of the cmocka project manually in vendor/ from an unpacked
tarball.
With this fix the cmocka unit tests can also run from tarballs, with
manually extracting/fetching the cmocka source code in vendor/cmocka.
Signed-off-by: David Sommerseth <davids@openvpn.net>
----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----
How to test:
- Create a tarball: make distcheck (or just 'dist')
- Extract openvpn-2.5_git.tar.gz in a clean directory
- cd openvpn-2.5_git/vendor
- git clone https://git.cryptomilk.org/projects/cmocka.git
- ./configure
- make check
- Observe that the cmocka unit tests ran as expected
Depending on the CMake version, you might want to check out cmocka git
commit b2732b52202ae48f; which is the one we use in the git submodule. Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20190417203015.1903-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18380.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
configure.ac: fix compile-time error in argv_testdriver
allow run tests when lzo is installed to non default directory Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190411074519.9982-2-chipitsine@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18357.html
David Sommerseth [Wed, 27 Mar 2019 12:06:04 +0000 (13:06 +0100)]
docs: Update INSTALL
The INSTALL file contained several minor errors, typos and was generally
not up-to-date in regards to what ./configure provides today. In
addition, several URL references have moved around to new homes.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190327120604.21101-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18307.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Ilya Shipitsin [Mon, 11 Mar 2019 13:36:19 +0000 (18:36 +0500)]
travis-ci: change trusty image to xenial
Ubuntu Trusty reaches End of Life on April 30, 2019
Let us switch to xenial. Also, it simplifies mingw builds.
We do not need to add xenial mingw manually anymore
Stefan Strogin [Mon, 25 Feb 2019 18:35:31 +0000 (20:35 +0200)]
Use correct ifdefs for LibreSSL support
- TLS 1.3 is not ready yet in LibreSSL. Also there is a theoretical
possibility of OpenSSL >=1.1.1 built without TLS 1.3 support.
- EC_KEY_METHOD API and SSL_get1_supported_ciphers are added into LibreSSL
master (not yet released in 2.9.0).
- Some methods that are available since LibreSSL 2.7.0 were thrown away
in ssl_openssl.c regardless of LibreSSL version. Use them with newer
LibreSSL.
Signed-off-by: Stefan Strogin <stefan.strogin@gmail.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20190225183531.27399-1-stefan.strogin@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18239.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Thu, 21 Feb 2019 00:46:22 +0000 (19:46 -0500)]
Better error message when script fails due to script-security setting
- Add a new return value (-2) for openvpn_execve() when external
program execution is not allowed due to a low script-security
setting.
- Add a corresponding error message
Errors and warnings in such cases will now display as
"WARNING: failed running command (<cmd>) :" followed by
"disallowed by script-security setting" on all platforms
instead of the current
"external program did not execute -- returned error code -1"
on Windows and
"external program fork failed" on other platforms.
The error is FATAL for some scripts and that behaviour is unchanged.
This helps the Windows GUI to detect when a connection failure
results from a safer script-security setting enforced by the GUI,
and show a relevant message.
v2 changes as suggested by <davds@openvpn.net>
- define macros for return values of openvpn_execve()
- replace if/else by switch() in system_error_message()
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1550709982-19319-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18223.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Wed, 20 Feb 2019 13:19:06 +0000 (14:19 +0100)]
cleanup: Remove RPM openvpn.spec build approach
Linux packaging is quite a comprehensive task these days, with many
Linux distributions and each with their own packaging guidelines. In
addition OpenVPN is packaged for most important Linux distributions
already.
The OpenVPN developers is not capable of keeping track of how all the
various recommend packaging guidelines evoloves and our RPM build
process is no longer consistent with guidelines from Fedora, RHEL or
SUSE packaging. We also don't receive any updates improving this
situation. Most likely due to packaging being handled fairly well by
the Linux distributions directly.
In addition comes systemd into play, which more and more Linux
distributions embraces - and even our own RPM openvpn.spec file didn't
account for that move.
This removes all RPM related packaging files and updates the INSTALL
file with pointers to several popular Linux distributions with
accessible information of the OpenVPN packages they provide. Linux
distributions is most likely much better at keeping the packaging
up-to-shape much better than we.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190220131906.22970-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18222.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Simon Rozman [Sun, 24 Feb 2019 18:16:21 +0000 (19:16 +0100)]
Limit tapctl.exe and openvpnmsica.dll to TAP-Windows6 adapters only
Note: Hardware ID check is used selectively. When naming the adapter, we
still need to check all existing adapters to prevent duplicate names.
When listing or removing adapters by name, the operation is limited to
TUN-Windows6 adapters only.
This patch follows Gert's recommendations from [openvpn-devel].
Signed-off-by: Simon Rozman <simon@rozman.si>
Message-ID: <20190120130813.GY962@greenie.muc.de> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190224181621.27020-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18234.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Simon Rozman [Sun, 24 Feb 2019 18:14:00 +0000 (19:14 +0100)]
Add NULL checks
Extra NULL checks were added after malloc() calls to display out-of-
memory error and try to exit gracefully.
Function msica_op_create_*() now return NULL in out-of-memory condition
too. Since their output is directly used in msica_op_seq_add_head() and
msica_op_seq_add_tail() functions, later were extended to check for NULL
pointer arguments.
This patch follows Gert's recommendations from [openvpn-devel].
Signed-off-by: Simon Rozman <simon@rozman.si>
Message-ID: <20190117155829.GA92142@greenie.muc.de> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190224181400.42524-1-simon@rozman.si 20190117155829.GA92142@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18231.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Thomas Quinot [Fri, 1 Feb 2019 20:43:48 +0000 (21:43 +0100)]
Fix documentation of tls-verify script argument
The second argument is the entire subject DN, not just the CN. Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20190201204348.22326-1-openvpn-devel=lists.sourceforge.net@thomas.quinot.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18195.html
Selva Nair [Wed, 30 Jan 2019 15:53:20 +0000 (10:53 -0500)]
Handle PSS padding in cryptoapicert
For PSS padding, CNG requires the digest to be signed
and the digest algorithm in use, which are not accessible
via the rsa_sign and rsa_priv_enc callbacks of OpenSSL.
This patch uses the EVP_KEY interface to hook to
evp_pkey_sign callback if OpenSSL version is > 1.1.0.
To test this code path, both the server and client should
be built with OpenSSL 1.1.1 and use TLS version >= 1.2
Tested on Windows 7 client against a Linux server.
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1548863600-491-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18188.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 22 Jan 2019 15:03:28 +0000 (16:03 +0100)]
Rename tls_crypt_v2_read_keyfile into generic pem_read_key_file
The function is fairly generic and to avoid duplicating the same
functionality move the function to crypto.c and change fixed string to
be the same as the pem_name parameter.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190122150333.1061-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20190122150333.1061-1-arne@rfc2549.org
Simon Rozman [Wed, 19 Dec 2018 20:26:11 +0000 (21:26 +0100)]
Detect missing TAP driver and bail out gracefully
When no TUN/TAP driver is installed a interface cannot be created. This
patch detects this condition and bails out with an error message.
This also fixes a typo in one of the error messages. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181219202611.2144-4-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18038.html
Steffan Karger [Sat, 19 Jan 2019 10:34:00 +0000 (11:34 +0100)]
Fix tls-auth/crypt in connection blocks with --persist-key
If --persist-key was used, we would always try to pre-load the 'global'
tls-auth/crypt file. That would result in using the wrong key (leading
to a failed connection) or en error is there was to 'global' key:
Sat Jan 19 11:09:01 2019 Cannot pre-load tls-auth keyfile ((null))
Sat Jan 19 11:09:01 2019 Exiting due to fatal error
Fix that by loading loading the key from the current connection entry.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20190119103400.12887-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18123.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Tue, 22 Jan 2019 13:41:03 +0000 (15:41 +0200)]
crypto_openssl.c: fix heap-buffer-overflow found by AddressSanitizer
OpenSSL's version of crypto_pem_encode() uses PEM_write_bio()
function to write PEM-encoded data to BIO object. That method doesn't
add NUL termanator, unlike its mbedTLS counterpart
mbedtls_pem_write_buffer().
The code which uses PEM data treats it as a string, so missing NUL
terminator makes sanitizer to compain.
Fix by adding a NUL terminator.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1548164463-13366-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18141.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Tue, 22 Jan 2019 15:50:32 +0000 (10:50 -0500)]
White-list pull-filter and script-security in interactive service
This allows the Windows GUI to use these options on the command
line without triggering user authorization errors.
Useful for
(i) ignoring certain pushed options such as "route-method" which
could otherwise bypass the interactive service
(ii) enforcing a safer script-security setting from the GUI
See also:
https://github.com/OpenVPN/openvpn-gui/issues/235#issuecomment-456142928
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1548172232-11268-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18154.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Simon Rozman [Wed, 19 Dec 2018 20:26:08 +0000 (21:26 +0100)]
Make DriverCertification MSI property public
Making DriverCertification public (containing only upper-case letters)
allows the property set by FindSystemInfo custom action to be passed
from InstallUISequence sequence to InstallExecuteSequence. This
eliminates the need to execute FindSystemInfo in both sequences. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181219202611.2144-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18037.html
Simon Rozman [Tue, 27 Nov 2018 00:28:08 +0000 (01:28 +0100)]
Add a MSI custom actions to close and relaunch OpenVPN GUI
This custom actions are used by MSI setup to close OpenVPN GUI before
performing an upgrade and relaunch it afterwards. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181127002808.19200-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17959.html
Simon Rozman [Wed, 21 Nov 2018 16:36:53 +0000 (17:36 +0100)]
Add detection of active VPN connections for MSI packages
This patch adds a simple up/down detection for each TAP interface found.
All "up" TAP interface IDs are listed as an `ACTIVETAPINTERFACES` MSI
property.
This allows MSI packages to test for active VPN connections on updates. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181121163653.4904-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17942.html
Simon Rozman [Mon, 12 Nov 2018 12:22:44 +0000 (13:22 +0100)]
Delete TAP interface before the TAP driver is uninstalled
The previous version of MSI installer did:
- Execution Pass: rename the TAP interface to some temporary name
- Commit/Rollback Pass: delete the TAP interface / rename the interface
back to original name
However, the WiX Toolset's Diffx extension to install and remove drivers
removed the TAP driver between the execution and commit passes. The TAP
driver removal makes all TAP interfaces unavailable and our custom
action couldn't find the interface to delete any more.
While the system where OpenVPN was uninstalled didn't have any TAP
interfaces any more as expected behaviour, the problem appears after
reinstalling the OpenVPN. Some residue TAP interface registry keys
remain on the system, causing the TAP interface to reappear as "Ethernet
NN" interface next time the TAP driver is installed. This causes TAP
interfaces to accumulate when cycling install-uninstall-install...
Therefore, it is better to remove the TAP interfaces before the TAP
driver is removed, and reinstall the TAP interface back should the
rollback be required. Though it won't be exactly the same interface
again.
I wonder if the WiX Diffx extension supports execute/commit/rollback
feature of MSI in the first place. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181112122246.13556-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17906.html
Simon Rozman [Mon, 12 Nov 2018 12:22:46 +0000 (13:22 +0100)]
Make MSI custom action debug pop-up more informative
Each MSI custom action pops-up a message box in the _DEBUG version
before commencing execution. This opens a time window for developer to
attach debugger to the msiexec.exe process, set the breakpoints before
custom action proceeds with execution.
While those pop-up dialogs are targeted to a limited audience, they were
very sparse. With this patch, they become more informative and they also
provide PID of the msiexec.exe process to attach debugger to. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181112122246.13556-3-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17907.html
projects / thirdparty / openvpn.git / log
