Gert Doering [Fri, 13 May 2022 10:15:26 +0000 (12:15 +0200)]
Pass proper sockaddr_* structure for IPv6 socket errors.
commit 043c67f363429 enhances format_extended_socket_error() by
recognizing IPv6 extended socket errors, but neglected to change
the "sockaddr_in" buffer passed to recvmsg() to "sockaddr_storage".
According to documentation, recvmsg() should not have overrun
that buffer (we pass the size of the struct), but according to
ASAN it does... so, pass a pointer to the correct structure.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220513101526.11486-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24352.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Tue, 3 May 2022 00:28:40 +0000 (03:28 +0300)]
Fix M_ERRNO behavior on Windows
We use M_ERRNO flag in logging to display error code
and error message. This has been broken on Windows,
where we use error code from GetLastError() and
error description from strerror(). strerror() expects
C runtime error code, which is quite different from
last error code from WinAPI call. As a result, we got
incorrect error description.
The ultimate fix would be introducing another flag
for WinAPI errors, like M_WINERR and use either that or
M_ERRNO depends on context. However, the change would be
quite intrusive and in some cases it is hard to say which
one to use without looking into internals.
Instead we stick to M_ERRNO and in Windows case we
first try to obtain error code from GetLastError() and
if it returns ERROR_SUCCESS (which is 0), we assume that
we have C runtime error and use errno. To get error
description we use strerror_win32() with GetLastError()
and strerror() with errno.
strerror_win32() uses FormatMessage() internally, which
is the right way to get WinAPI error description.
Gert Doering [Tue, 22 Feb 2022 14:35:14 +0000 (15:35 +0100)]
Implement --mtu-disc for IPv6 UDP sockets.
Commit 4225114b96 repaired "--mtu-disc yes" brokenness for IPv4 UDP sockets
(caused by autoconf/ifdef issues). This patch adds new functionality
to do --mtu-disc for IPv6 sockets as well.
Half of it (setsockopt(IPV6_MTU_DISCOVER)) was already there, but
receiving of detailed socket errors was missing the enablement of
setsockopt(IPV6_RECVERR) and parsing of IPPROTO_IPV6/IPV6_RECVERR
messages received.
With that, we now get (sending over a route with "mtu 1300"):
2022-02-22 15:28:07 write UDPv6 [EMSGSIZE Path-MTU=1300]: Message too long
(fd=3,code=90)
2022-02-22 15:28:07 Note adjusting 'mssfix 1400 mtu' to 'mssfix 1300 mtu'
according to path MTU discovery
2022-02-22 15:28:07 Note adjusting 'fragment 1400 mtu' to 'fragment 1300
mtu' according to path MTU discovery
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220222143514.3480-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23879.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 6 May 2022 13:28:35 +0000 (15:28 +0200)]
Add uncrustify check to github actions
This adds checking if the code style is still clean github actions with the
exact version of uncrustify that is required and might also be helpful for
external commiters to get notified about code style problem when running
the Github actions on their own repository.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220506132836.1318985-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24300.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 3 May 2022 11:29:00 +0000 (13:29 +0200)]
Extract read_incoming_tls_plaintext into its own function
This makes the tls_process_state function a bit easier to read
and allows extending the read_incoming_tls_plaintext function
later without making tls_process_state even longer.
Patch v2: fix compile error.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220503112900.933975-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24268.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 22 Apr 2022 14:29:48 +0000 (16:29 +0200)]
Optimise three-way handshake condition for S_PRE_START to S_START
We move to the S_START when we have finished the three-way handshake. After
the three way handshake is done, the client will send the TLS Client Hello
packet.
Currently we consider the three way handshake only complete if all
outgoing packets have been acked (which in this case is the one
HARD_RESET_CLIENT or HARD_RESET_SERVER) and also all ACKs for incoming
packets have been sent out.
Waiting for the ack of our own packet is important as it signals that the
other side is really responding. However, the need to also send out all
ACKs for packets we received before moving to the next state breaks
piggybacking the ACKs onto the next control packet.
With this change both server and client will only send a P_CONTROL_V1 with
the TLS Client Hello and the TLS Server Hello with piggybacked ack instead
sending an P_ACK_V1 + P_CONTROL_V1, reducing the number of packets in a
handshake by 2.
This also allows the server to avoid resending P_CONTROL_HARD_RESET_V2
to complete the three-way handshake with HMAC. Only packets with
an ACK contain the remote session id that we need for HMAC session id
verification. The ACK_V1 packet that complets this three-way handshake
can get lost. But the P_CONTROL_V1 with the piggybacked ACK will get
retransmitted. This allows to put the burden of retransmission fully on
the client.
The S_GOT_KEY/S_SENT_KEY -> S_ACTIVE is similar. We do not need to wait
for the ack packet to be sent to move the state forward. This has however
no effect on actual packets since there are normally no outstanding ACKs
here.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220422142953.3805364-14-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24161.html
Arne Schwabe [Thu, 5 May 2022 13:03:48 +0000 (15:03 +0200)]
Implement HMAC based session id for tls-crypt v2
Tls-crypt v2 is more complicated to implement a proper stateless
handshake. To allow state handshake this commit does
- introduce a new packet CONTROL_WKC_V1 that repeats the wrapped
client key.
- introduce a way to negotiate the support for this packet in the
three way handshake
Details about the protocol changes are in tls-crypt-v2.txt. Optional
arguments to the tls-crypt-v2 option have been added to explicitly
allow or disallow client that do not support the stateless handshake.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Patch v3: improve grammar, style, comments, fix unit tests
Patch v4: remove explicit flag for ability to resend WKc,
clean up comments, improve code style in some instances Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20220505130348.1183195-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24287.html
Arne Schwabe [Wed, 4 May 2022 11:18:02 +0000 (13:18 +0200)]
Remove workaround for Android 4.4
Android 4.4 is now 9 years old and the main user of this API (OpenVPN
for Android) does not support this OS anymore. This workaround
is now safe to remove.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220504111802.1050648-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24276.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 4 May 2022 11:31:58 +0000 (13:31 +0200)]
Fix format specifier for printing size_t on 32bit size_t platforms
Today even 32 bit platform generally use a 64bit size_t but Android
armeabi-v7a is an expection to that and uses a 32bit size_t. Use
z as correct specifier for a size_t.
Clang complained about this:
warning: format specifies type 'unsigned long' but the
argument has type 'size_t' (aka 'unsigned int') [-Wformat]
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220504113158.1051861-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24277.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 22 Apr 2022 14:29:46 +0000 (16:29 +0200)]
Extract read_incoming_tls_ciphertext into function
This makes the code a bit more structured and easier to read. Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220422142953.3805364-12-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24152.html
OpenVPN currently has a bit of a weakness in its early three way handshake
A single client reset packet (first packet of the handshake) will
- trigger creating a session on the server side leading to potential
ressource exhaustion
- make the server respond with 3 answers trying to get an ACK for its
P_CONTROL_HARD_RESET_SERVER_V2 answer making it an amplification
Instead of allocating a connection for each client on the initial packet
OpenVPN will now calculate a session id based on a HMAC that serves as
verifiable cookie that can be checked for authenticity when the client
responds with it. This eliminates the amplification attack and resource
exhaustion attacks.
For tls-crypt-v2 clients the HMAC based handshake is not used yet (will
be added in one of the next patches).
Patch v2: rebase on master
patch v3: fix unit tests, improve comment/style of code
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220502154310.836947-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24262.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 22 Apr 2022 14:29:41 +0000 (16:29 +0200)]
Move CRL reload to key_state_init from S_START transition
The current place that we reload is a bit more efficient since it only
triggers reload after a completed 3way handshake. On the other hand the
key_state_init is a much more logical place and with the upcoming
HMAC based UDP code and TCP code, the initialisation will only be done
after a 3way handshake.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20220422142953.3805364-7-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24156.html
Arne Schwabe [Fri, 22 Apr 2022 14:29:40 +0000 (16:29 +0200)]
Remove pointless indentation from tls_process.
This is probably a result from earlier code that still needed to be
C89 compatible add probably added this to allow variable decleration Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220422142953.3805364-6-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24166.html
Arne Schwabe [Fri, 22 Apr 2022 14:29:39 +0000 (16:29 +0200)]
Move tls_process_state into its own function
This function does most of the state transitions in the TLS state
machine. Moving it into its own function removes an intention area and
makes tls_process function easier to understand as the loop is more
obvious.
This is largely just a code move with small expection. bool active is
no longer directly set but inferred from to_link->len
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220422142953.3805364-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24157.html
Arne Schwabe [Tue, 26 Apr 2022 13:23:23 +0000 (15:23 +0200)]
Change FULL_SYNC macro to no_pending_reliable_packets function
This changes this macro to a better named inline function. This
introduces a slight whitespace problem but the next refactoring will
move the incorrectly intended block to its own function anyway.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220426132324.76517-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24213.html
Arne Schwabe [Fri, 22 Apr 2022 14:29:37 +0000 (16:29 +0200)]
Extract session_move_pre_start as own function, use local buffer variable
This changes the C90 struct buffer declaration to a C99 style one. Also
move the state transition from S_INITIAL to S_PE_START into its own
function. Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220422142953.3805364-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24151.html
Arne Schwabe [Fri, 22 Apr 2022 14:29:36 +0000 (16:29 +0200)]
Refactor tls-auth/tls-crypt wrapping into into own function
This allows the the wrapping to be easier reused by a function that
does not have access to a full TLS session. Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220422142953.3805364-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24150.html
Marc Becker [Mon, 25 Apr 2022 21:58:22 +0000 (23:58 +0200)]
fix GitHub workflow working directories in MinGW builds
replace hardcoded directory names with env variable version info
bump pkcs11-helper version to 1.29.0
bump OpenSSL version to 1.1.1n
add OpenSSL version to cache key
use release file for pkcs11-helper archive
use OpenSSL URL endpoint with all/current versions
Signed-off-by: Marc Becker <becm@gmx.de> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220425215822.18569-1-becm@gmx.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24202.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 22 Apr 2022 13:40:35 +0000 (15:40 +0200)]
Move ssl function related to control channel wrap/unwrap to ssl_pkt.c/h
This allows these functions to be relatively easily included into the
unit test without pulling ssl.c and all the dependencies of ssl.c into
a unit test.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220422134038.3801239-7-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24149.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 22 Apr 2022 13:40:34 +0000 (15:40 +0200)]
Extend tls_pre_decrypt_lite to return type of packet and keep state
This allows us to keep the temporary data for a little bit longer
so we can use this to make further checks and ultimatively use the
state to craft the HMAC based RESET reply.
For now we do not use the extra information and keep behaviour
identical.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220422134038.3801239-6-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24148.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 25 Apr 2022 12:27:09 +0000 (14:27 +0200)]
Move pre decrypt lite check to its own function
This prepares for extending this function with the HMAC based session ID
check.
Replace the check for m->top.c2.tls_auth_standalone with an ASSERT as this
code path is only used in multi udp server and OpenVPN initialises the
tls_auth_standalone always for the TOP context (CF_INIT_TLS_AUTH_STANDALONE),
even for the tcp m2mp server that does not use it).
Patch v2: replace if with ASSERT
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220425122709.4148015-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24193.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 22 Apr 2022 14:29:44 +0000 (16:29 +0200)]
Make buf_write_u8/16/32 take the type they pretend to take
This functions should accept the type of integer they say to write. Calling
the u32 function with an integer that is actually 32 bit unsigned gives
compiler warnings. Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220422142953.3805364-10-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24165.html
Arne Schwabe [Fri, 22 Apr 2022 13:40:30 +0000 (15:40 +0200)]
Remove tls_init_control_channel_frame_parameters wrapper function
While calling this wrapper function is strictly more correct, these
indirection layer with tiny wrapper make the code more complex and
going through more layer than it really needs to.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220422134038.3801239-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24172.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 22 Apr 2022 14:29:35 +0000 (16:29 +0200)]
Remove EXPONENTIAL_BACKOFF define
We have EXPONENTIAL_BACKOFF as default forever (8c47de7, 2.1.1c,
2010). Remove the other code path that is dead code. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220422142953.3805364-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20220422142953.3805364-1-arne@rfc2549.org
Arne Schwabe [Fri, 22 Apr 2022 13:40:38 +0000 (15:40 +0200)]
Remove inc_pid argument from reliable_mark_deleted that is always true
This is a small cleanup to remove a superfluous argument Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220422134038.3801239-10-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20220422134038.3801239-10-arne@rfc2549.org
Arne Schwabe [Fri, 22 Apr 2022 13:40:31 +0000 (15:40 +0200)]
Remove dead PID_TEST code
Enabling this test produces compile errors and by the looks of it the
test has been broken for many years. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220422134038.3801239-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20220422134038.3801239-3-arne@rfc2549.org
On most systems limits.h is pulled in by some other header and thus no
error is ever triggered, but it's possible to find the right environment
which lackis this and prevents compiling auth-pam.c (possibly when using
LibreSSL).
Include the header explicitly as it includes the definition of PATH_MAX.
(note that this bug is fixed in Gentoo since 2020 by including a custom
patch, but apparently the issue was never reported upstream)
Reported-by: Michelangelo Scopelliti <kernelpanic@gmx.com> Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220421131909.32053-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24136.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
The script is self installing if you call it with "install" as the first
parameter. Once installed as the pre-commit hook it will check files to
be committed according to the rules in uncrustify.conf and abort the
commit if there's formatting issues. The script produces a patch in /tmp
which can be git apply'ed to fix all issues found.
The script was originally authored by David Martin [1] and slightly
modified to fit our needs. At the time it had a 2-clause BSD license.
David Sommerseth [Wed, 20 Apr 2022 14:30:50 +0000 (16:30 +0200)]
The Great Reformatting of 2022
It was agreed it was time to do a full reformat fix-up of the whole
source tree again. Over time (since late 2016) small changes has not
adhered to our uncrustify defined coding style. This realigns to our
current standards.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220420143050.52790-1-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24123.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Wed, 20 Apr 2022 12:13:21 +0000 (14:13 +0200)]
dev-tools: Remove uncrustify -p
The -p option to uncrustify was providing debug information about
decisions done by uncrustify. This was useful when debugging why
certain formatting choices.
With newer versions of uncrustify the -p option can only be used on
individual files and not a list of files. Since still supporting this
would require a bigger rewrite of reformat-all.sh, it was chosen to
instead remove the usage of this option. If certain behaviours needs to
be debugged, running uncrustify on individual files directly will work
fine anyhow.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220420121322.42732-2-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24120.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
t_net.sh: delete dummy iface using iproute command
A dummy interface cannot be deleted using --rmtun because openvpn tries
to send some ioctl (i.e. TUNSETPERSIST) which is not supported by this
device type. This results in the following error:
2022-04-07 09:59:29 Cannot ioctl TUNSETPERSIST(0) ovpn-dummy0: Bad file
descriptor (errno=9)
2022-04-07 09:59:29 Exiting due to fatal error
and the interface is not deleted.
Use iproute to generically delete an interface.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220407081555.25228-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24086.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
networking: implement net_iface_new and net_iface_del APIs
These two new methods can be used to create and delete a tun or an
ovpn-dco interface via networking API.
Implementations for SITNL and iproute2 are provided
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220407094146.7684-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24088.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
networking_iproute2: don't pass M_WARN to openvpn_execve_check()
openvpn_execve_check() expects a set of flags as third argument and not
a loglevel. For this reason, if no FATAL behaviour is expected, we
should simply pass 0. openvpn_execve_check() will then pick the
appropriate loglevel on its own.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220407201411.22486-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24090.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sat, 2 Apr 2022 07:08:56 +0000 (09:08 +0200)]
networking: remove duplicate methods from networking_sitnl.c
The net_ctx_init/reset/free methods of sitnl are the same dummy
methods that are already defined for non-Linux platforms in the
networking.h header.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220402070902.30282-2-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24054.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Michael Baentsch [Tue, 29 Mar 2022 05:37:09 +0000 (07:37 +0200)]
Enable usage of TLS groups not identified by a NID in OpenSSL 3
OpenSSL3 prefers to specify groups (including EC groups) with names
instead of NID to allow also groups provided by providers.
This commit also removes the mapping of secp256r1 to prime256v1 for
the OpenSSL3 code path as OpenSSL 3.0 recognises secp256r1.1
Signed-off-by: Michael Baentsch <info@baentsch.ch> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220329053709.19462-1-info@baentsch.ch>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24012.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Wed, 23 Mar 2022 14:34:52 +0000 (15:34 +0100)]
add support for --dns option
As a first step towards DNS configuration in openvpn and a unified way
to push DNS related settings to clients in v2 and v3, this commit adds
support for parsing the new --dns option. Later commits will add support
for setting up DNS on different platforms.
For now, --dns and DNS related --dhcp-option can be used together for
smoother transition. Settings from --dns will override ones --dhcp-option
where applicable.
For detailed information about the option consult the documentation in
this commit.
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220323143452.1100446-1-heiko@ist.eigentlich.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23997.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 24 Feb 2022 14:42:45 +0000 (15:42 +0100)]
Implement fixed MSS value for mssfix and use it for non default MTUs
This allows to set the MSS value inside the tunnel to a user specified
value instead of calculating it form (somewhat) dynamic encapsulation
overhead.
Also default to the MTU when tun-mtu does not have the default value
to ensure that packets are not larger than the tun-mtu. This only affects
packets that are routed via the VPN and none of the peers is an endpoint
since otherwise the peer would already set a lower MTU. Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20220224144245.878056-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23886.html
preprocessor definitions. I don't feel like replacing strdup (which is
correct POSIX function) and inet_ntoa (we always pass IPv4 address to
it, inet_ntop will make code more complex)
Above issues were discovered by bitskim.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220218235004.269-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23851.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Tue, 1 Mar 2022 13:50:54 +0000 (15:50 +0200)]
Fix incorrect default mssfix value in server mode
When calculating default mssfix, we take into account
protocol overhead, which usually includes 3 bytes peer-id.
Peer-id usage is indicated by options->use_peer_id flag.
In client mode it is set when applying pushed options.
In server mode it is not set and as a result mssfix value
is 3 bytes off.
Fix by setting this flag in multi.c when calculating
tunnel-specific options.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220301135054.277-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23896.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
networking: use OPENVPN_ETH_ALEN instead of ETH_ALEN
With the introduction of SITNL two occurrences of ETH_ALEN
were introduced in the code. This define exists on Linux in
the linux/if_ether.h header, however the latter is included
in linux/if_tun.h which may or may not exist (depending on
how old your system is).
If the system lacks if_tun.h then the compilation fails because
ETH_ALEN cannot be found.
For this reason, swap ETH_ALEN with OPENVPN_ETH_ALEN which is
already used in other places of the code.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220223080628.4773-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23882.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
netmask is simply used to reflect the value of p[2], therefore
it can be dropped and p[2] can directly be used instead.
Reported-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220314131356.11577-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23941.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Wed, 16 Mar 2022 13:54:11 +0000 (15:54 +0200)]
vcpkg-ports\pkcs11-helper: shorten patch filename
"make dist" uses 'tar -o' which breaks on long filenames:
tar:
openvpn-2.5.6/contrib/vcpkg-ports/pkcs11-helper/0003-config-w32-vc.h.in-ind
icate-OpenSSL-EC-support.patch:
file name is too long (max 99); not dumped
tar: Exiting with failure status due to previous errors
and then "make dist" continues.
Make filename shorter to make tar happy.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220316135411.217-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23977.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
The plug-in API in OpenVPN 2.x is not designed for running multiple
deferred authentication processes in parallel. The authentication
results of such configurations are not to be trusted. For now we bail
out when this is discovered with an error in the log.
CVE: 2022-0547 Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20220313193154.9350-3-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23931.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Sun, 13 Mar 2022 19:31:54 +0000 (20:31 +0100)]
plugins: Remove defer/simple.c sample plugin
The use case for this plug-in is dubious now with the new multi-auth.c
plugin available. This new plugin is based on simple.c, but allows
far more flexibility for testing.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20220313193154.9350-4-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23933.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Tue, 22 Feb 2022 11:38:32 +0000 (12:38 +0100)]
Fix --mtu-disc maybe|yes on Linux.
--mtu-disc (on Linux) needs two components to work:
- setsockopt() with IP_MTU_DISCOVER or IPV6_MTU_DISCOVER
- "extended error reporting" (setsockopt(IP_RECVERR) and
then via mtu.c/format_extended_socket_error()) to react on
"packet too big" errors on sendto() / sendmsg()
Some configure.ac reorganization broke detection of <linux/errqueue.h>
and "struct sock_extended_err". Re-add <linux/errqueue.h> to configure.ac,
remove all the other conditionals in syshead.h, and remove the
"struct sock_extended_err" check completely (assumption: if errqueue.h
exists, it contains what we need).
Thus, the "non-helpful" socket error message turns into:
2022-02-22 12:31:42 write UDPv4 [EMSGSIZE Path-MTU=800]: Message too long (fd=3,code=90)
2022-02-22 12:31:42 Note adjusting 'mssfix 1400 mtu' to 'mssfix 800 mtu' according to path MTU discovery
2022-02-22 12:31:42 Note adjusting 'fragment 1400 mtu' to 'fragment 800 mtu' according to path MTU discovery
... while at it, fix extra space in first part of these messages, and
print o->ce.fragment for the "fragment" message...
v2: assume that "if it's linux, and has these two headers, everything
else will be there as well" and get rid of most of the #ifdef checks
Trac: #1452
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220222113832.13383-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23863.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Mon, 14 Feb 2022 12:24:09 +0000 (14:24 +0200)]
openvpnmsica: add ovpn-dco custom actions
Add two custom actions to service ovpn-dco driver installation.
- EvaluateDriver
Runs under user privileges. Determines what action (install/uninstall)
should be performed on ovpn-dco component.
- ProcessDriver
Runs under SYSTEM privileges. Performs driver (un)installation.
During uninstall, all existing adapters with given hwid (ovpn-dco)
are removed.
The logic is inspired by custom actions from tap-windows6 installer
(https://github.com/OpenVPN/tap-windows6/tree/master/msm).
Signed-off-by: Lev Stipakov <lev@openvpn.net> Signed-off-by: Simon Rozman <simon@rozman.si> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220214122409.260-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23786.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
At the moment we have tls_crypt_kt() and auth_token_kt that basically do
the same thing, but with different algorithms used to initialise the
structure.
In order to avoid code duplication and copy/paste errors, unify code and
make it parametric, so that it can be re-used in various places.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220217163159.7936-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23831.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
doc/options: clean up documentation for --proto and related options
The family specific options were generally omitted.
Cc: David Sommerseth <openvpn@sf.lists.topphemmelig.net> Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20220215145425.1989-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23798.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
With b39725cf ("Remove md_kt_t and change crypto API to use const char*")
the logic for validating ciphers and md algorithms has been changed.
We should now *always* use md_valid() when validating a digest alg.
At the same time, add '!' (negation) when validating the digest algorithm
in the tls-crypt code, in order to restore the proper logic.
Cc: Arne Schwabe <arne@rfc2549.org> Fixes: b39725cf ("Remove md_kt_t and change crypto API to use const char*") Reported-by: Richard T Bonhomme <tincantech@protonmail.com> Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220215123157.10615-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23793.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 14 Feb 2022 09:26:07 +0000 (10:26 +0100)]
Remove FRAME_HEADROOM, PAYLOAD_SIZE, EXTRA_FRAME and TUN_LINK_DELTA macros
The buffer overhaul simplified the frame struct to a point that these
macros are either not used anymore or are not adding any benefit in
understanding the code anymore. Replace the macros with direct member
acessses.
Patch v2: Remove all FRAME_HEADROOM macros Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220214092607.3785665-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23785.html
Arne Schwabe [Mon, 14 Feb 2022 02:10:53 +0000 (03:10 +0100)]
Fix 'defined but not used' warnings with enable-small/disable-management
Some functions are only used when management is used or enable-small is
not used. Fix the ifdefs to correctly also include these helper
functions the ifdefs to avoid compile errors when using -Werror
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220214021054.3750071-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23779.html
Arne Schwabe [Fri, 5 Nov 2021 15:07:42 +0000 (16:07 +0100)]
Default to --cipher BF-CBC if not set and compat-mode < 2.4.0
When we try to make a configuration compatible to a version earlier
than 2.4.0 we probably need to have a --cipher configured since NCP
is not available. In configuration where --cipher is not specified
we default to BF-CBC to support these old clients.
Note that with OpenSSL 3.0 you will also need to enable the legacy
provider otherwise we bail out since BF-CBC is no longer supported.
Also move the condition so BF-CBC gets included in the data-ciphers
list.
Patch v2: move the comment to a better place.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20211105150742.2909443-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23100.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
README.IPv6 is quite useless because IPv6 is not a second
class citizen anymore. Most of the content is "obvious" or explained in
the manpage along with other details/options.
TODO.IPv6 is old and many implemented things are still reported there
for no clear reason. Delete file and report still open items in our
tracking system.
Cc: Gert Doering <gert@greenie.muc.de> Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220207155757.22314-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23729.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 10 Feb 2022 16:26:28 +0000 (17:26 +0100)]
Update fragment and mssfix related warnings
The warning that fragment/mssfix needs also tun-mtu set to 1500 makes
little sense. Remove it completely. Instead warn if there are
incosistencies
between --fragment and mssfix.
Patch v2: clarify the mssfix and fragment mtu warning message
Patch v4: Rebase
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220210162632.3309974-4-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23753.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sat, 12 Feb 2022 00:33:31 +0000 (01:33 +0100)]
Add mtu paramter to --fragment and change fragment calculation
Instead relying on the link_mtu_dynamic field and its calculation
in the frame struct, add a new field max_fragment_size and add
a calculation of it similar to mssfix.
Also whenever mssfix value is calculated, we also want to calculate
the values for fragment as both options need to be calculated from
the real overhead.
Patch v2: Fix syntax in rst man page
Patch v5: fix segfault when get_ip_encap_overhead gets called early in
init_instance and note that these calls will always be
overwritten by NCP in tls_session_update_crypto_params
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220212003331.3483107-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23764.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 10 Feb 2022 16:26:26 +0000 (17:26 +0100)]
Change the default for mssfix to mssfix 1492 mtu
The current default is 1450, which translates to 1478 byte packets for udp4
and 1498 byte packets for udp6. This commit changes the mssfix default
to take the outer IP overhead into account as well and changes the target
to
1492. 1492 was picked in our community meeting for being a very common
encapsulation upper bound.
The change also disables an mssfix default if tun-mtu is set to a value
different than 1500.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220210162632.3309974-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23754.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Tue, 8 Feb 2022 11:49:05 +0000 (13:49 +0200)]
msvc: cleanup
Remove unused macros for dependency directories,
since dependencies are handled by vcpkg.
Remove unused .bat files.
Reported-by: Frank Lichtenheld <frank@lichtenheld.com> Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220208114905.100-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23730.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Fri, 4 Feb 2022 11:42:01 +0000 (12:42 +0100)]
Repair --inactive with 'bytes' argument larger 2Gbytes.
--inactive has an optional 2nd parameter specifiying the number of
bytes that need to be sent/received in the given time window. This
was parsed with atoi(), stored in an 32bit int. atoi() overflows at
2Gbyte (signed int), which makes gcc return "0" and MSVC "2^31-1"
for the value reported in the ticket (10G) - so on gcc, this was
behaving like "not set", while windows builds after 2.5.4 honoured
this setting, and aborted (unexpectedly) due to "not enough traffic".
Fix by increasing word length of all involved variables to int64_t.
While add it, add option printer SHOW_LONG(), and print variable.
This has the potential to break existing setups where this value is
set unreasonably high, thus "impossible to achieve in the interval",
but which was never noticed before due to "overflow, 0, ignored".
Thus, print WARNING if a value >INT_MAX (2Gbyte) is configured.
v2: use atoll(), as atol() is limited to INT_MAX on MSVC, and PRi64
for format string. Rename SHOW_LONG() to SHOW_INT64().
Trac: #1448
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20220204114201.5632-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23720.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
crypto: move OpenSSL specific FIPS check to its backend
Our crypto API already provides a function performing a validity check
on the specified ciphername. The OpenSSL counterpart also checks for the
cipher being FIPS-enabled.
This API is cipher_valid(). Extend it so that it can provide a reason
whenever the cipher is not valid and use it in crypto.c.
This way we move any OpenSSL specific bit to its own
backend and directly use the new cipher_valid_reason() API in the
generic code.
This patch fixes compilations with mbedTLS when some OpenSSL is also
installed. The issue was introduced with: 544330fe ("crypto: Fix OPENSSL_FIPS enabled builds")
Cc: David Sommerseth <davids@openvpn.net> Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20220203193655.28791-2-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23714.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
crypto: move validation logic from cipher_get to cipher_valid
With cipher validation performed in cipher_get(), a cipher is never
returned in any case if some check fails.
This prevents OpenVPN from operating on all ciphers provided by the SSL
library, like printing them to the user.
Move the validation logic to cipher_valid() so that checks are performed
only when OpenVPN really want to know if a cipher is usable or not.
Fixes: ce2954a0 ("Remove cipher_kt_t and change type to const char* in
API") Cc: Arne Schwabe <arne@rfc2549.org> Cc: David Sommerseth <davids@openvpn.net> Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20220203193655.28791-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23713.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sat, 1 Jan 2022 16:25:26 +0000 (17:25 +0100)]
Remove link_mtu parameter when running up/down scripts
The link mtu is no longer used and calculating a compatibility link
MTU just for scripts makes little sense as well. Replace the parameter
instead with a fixed parameter 0.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220101162532.2251835-9-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23493.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
strcasecmp() was initially declared in string.h and subsequently moved
to strings.h. For historical reasons it still exists in string.h, but
would require _DEFAULT_SOURCE to be defined.
Due to the above, just include strings.h as currently dictated by the
manpage.
Fixes the following warning:
keying-material-exporter-demo/keyingmaterialexporter.c:155:14: warning:
implicit declaration of function strncasecmp’; did you mean ‘strncmp’?
[-Wimplicit-function-declaration]
155 | if (!strncasecmp(objbuf, "CN", 2))
| ^~~~~~~~~~~
| strncmp
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220203082620.8186-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23702.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
projects / thirdparty / openvpn.git / log
