Lev Stipakov [Fri, 7 Jan 2022 12:35:50 +0000 (14:35 +0200)]
auth_token.c: add NULL initialization
This fixes
error C4703: potentially uninitialized local pointer variable
'b64output' used
found by arm64 msvc compiler with SDL enabled.
Not sure why this is not triggered on x86/x64.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220107123550.188-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23511.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 4b6073b8253dafeb425361fb55bab0f2cdc5474f)
Arne Schwabe [Mon, 13 Dec 2021 15:09:50 +0000 (16:09 +0100)]
Move deprecation of SWEET32/64bit block size ciphers to 2.7
We originally wanted to deprecated these ciphers (especially BF-CBC) with
2.6 but currently these ciphers are still too widespread to make this
transition for 2.6.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211213150950.3993881-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23402.html
Lev Stipakov [Mon, 13 Dec 2021 13:58:14 +0000 (15:58 +0200)]
config-msvc.h: indicate key material export support
MSVC build uses OpenSSL from vcpkg, which at the moment
is 1.1.1l. Key material export was added to 1.1.1, so it is safe
to indicate its support unconditionally.
2.5 does not have tls-ekm yet, but it has the generic keying material
exporter framework, which was only enabled in MinGW builds. Fix.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211213135814.265-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23395.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Tue, 7 Dec 2021 13:04:36 +0000 (14:04 +0100)]
Move '--push-peer-info' documentation from 'server' to 'client options'
While --push-peer-info can be configured on the server, it's not really
intended for that, and it ended in the "SERVER OPTIONS" section by
mishap. Fix that.
Reported-by: Stella Ashburne <rewefie@gmx.com> Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20211207130436.22187-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23325.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 883cd6f4031ef9920580f0862594acbb45e4b0b8)
Lev Stipakov [Wed, 24 Nov 2021 10:08:38 +0000 (12:08 +0200)]
vcpkg/pkcs11-helper: compatibility with latest vcpkg
Starting from commit 21b2dbd3 "[scripts-audit] nmake buildsystem"
vcpkg has removed NO_DEBUG support from nmake buildsystem
and now builds debug variant unconditionally. Debug flags contradict
build options hardcoded in pkcs11 nmake script (like /O2).
Remove hardcoded release options and other options which
are (also) set by vcpkg nmake buildsystem.
Bump vcpkg commit in GitHub actions.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211124100838.861-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23253.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e832658a6d7a78c97fc53a78faeda31419583529)
Lev Stipakov [Wed, 24 Nov 2021 16:03:47 +0000 (18:03 +0200)]
ring_buffer.h: fix GCC warning about unused function
With register_ring_buffers() being declared as "static" in header file,
all translation units, which include that header, got a copy of that
function.
This causes GCC warning
warning: "register_ring_buffers" defined but not used [-Wunused-function]
when compiling C files which include header, but don't use function.
Add "inline" keyword to silence this warning.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211124160347.1245-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23260.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 71371f04afa6eba3ea02a67590a70e018cf203e5)
Lev Stipakov [Fri, 19 Nov 2021 01:55:48 +0000 (03:55 +0200)]
Load OpenSSL config on Windows from trusted location
Commits
- 92535b6 ("contrib/vcpkg-ports: add openssl port with
--no-autoload-config option set (CVE-2121-3606)")
- 447cfb4 ("crypto_openssl.c: disable explicit initialization on Windows
(CVE-2121-3606)")
disabled OpenSSL config loading functionality, which could be
exploited by loading config from untrusted locations.
This feature might be useful for some users. This brings it back
and sets OpenSSL enviroment variables
OPENSSL_CONF, OPENSSL_ENGINES, OPENSSL_MODULES
which are used to load config, engines and modules, to a trusted location.
The location is constructed based on installation path, read from registry
on startup.
If installation path cannot be read, Windows\System32 is used as a
fallback.
While on it, remove unused "bool impersonate_as_system();" declaration.
Trac: #1296
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20211119015548.687-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23248.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 23e6aaef149bd31a7e80af28ee1e3658d2810d4f)
In 2da29362 (Improve the documentation for --dhcp-option, 2020-08-16),
`foreign_option_{n}` became plural between the first and second versions
of the patch. Correct it.
Signed-off-by: Todd Zullinger <tmz@pobox.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211122114104.4814-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23217.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit aee54a47142c13a29c2b59142e944fd448a406d9)
doc link-options.rst: Use free open-source dynamic-DNS provider URL
Trac: #1417
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211103202014.1121244-2-tincantech@protonmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23095.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 2c2e13d9ecdd1364c6a05ad77cea2840c015aa56)
Gert Doering [Wed, 17 Nov 2021 06:44:42 +0000 (07:44 +0100)]
Include --push-remove in the output of --help.
"push-remove" has been in OpenVPN since 2.4, but managed to stay hidden
from the "--help" output. Add.
Reported-by: mike tancsa <mike@sentex.net> Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20211117064442.15899-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23194.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 2a555c3aafcc8cf238a803d25971938ed75b518d)
For subnet topology use "offset 0" as default for
calculating DHCP server address, which makes it equal
to the network address.
There is no know reason why non-zero default offset
is needed. Besides, offset -1 breaks subnet /30 case,
which in some cases is pushed by OpenVPN Cloud product.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211109015927.311-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23156.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7df6583d76fc2ff485186ede75f00c9b7dc3e42c)
Selva Nair [Sat, 23 Oct 2021 00:07:06 +0000 (20:07 -0400)]
Ensure the current common_name is in the environment for scripts
When username-as-common-name is in effect, the common_name
is "CN" from the certificate for auth-user-pass-verify. It gets
changed to "username" after successful authentication. This
changed value gets into the env when client-connect script is
called.
However, "common_name" goes through the cycle of being
"CN", then "username" during every reauth (renegotiation).
As the client-connect script is not called during reneg, the changed
value never gets back into the env. The end result is that the
disconnect script gets "common_name=<CN>" instead of the username.
Unless no reneg steps have happened before disconnect.
(For a more detailed analysis see
https://community.openvpn.net/openvpn/ticket/1434#comment:12)
Fix by adding common_name to env whenever it changes.
Trac: #1434
Very likely applies to #160 as well, but that's too old and
some of the relevant code path has evolved since then.
Same as commit fa5ab2438a in master, except for the context change
due to PF.
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211023000706.25016-2-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23050.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
ENABLE_DEBUG is on, but I do not think we want it in production build
(removed).
S_IRGRP is not defined but seems to be used. I have added it, remove if
not required.
This define is based on mingw and matches MS docs on <filesystem>
(https://docs.microsoft.com/en-us/cpp/standard-library/filesystem-enumerati
ons?view=msvc-160)
Trac: #1430
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20211015184733.16988-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22943.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Wed, 6 Oct 2021 09:07:09 +0000 (12:07 +0300)]
Fix loading PKCS12 files on Windows
Starting from 2.5.4 we have switched to MSVC builds,
including dependencies such as OpenSSL.
When we link with natively-built OpenSSL .DLLs
(not cross compiled with MinGW), we are expected to include
applink.c, which provides glue between OpenSSL BIO layer
and compiler run-time. This doesn't apply to ARM64.
Failure to do that results in "no OPENSSL_Applink" fatal error
when calling, for example, d2i_PKCS12_fp(), which we do when
loading PKCS12 files.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211006090709.200-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22920.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit af5de933a0633436e0fe00c42464f4a7ab5ac509)
Lev Stipakov [Sun, 26 Sep 2021 06:10:46 +0000 (09:10 +0300)]
GitHub Actions: remove Ubuntu 16.04 environment
Starting from 20th of September, GitHub has removed Ubuntu 16.04
environment from Actions. Safely remove it from our build script
where we already have Ubuntu 18.04 and 20.04.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210926061046.212-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22904.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c3b16d7a35a2fd1ee4a70418fddc7c1dd9539dc3)
networking: add networking API net_addr_ll_set() and use it on Linux
When running in TAP mode we may need to set the LL address of the
interface, if requested by the user.
This operation was overlooked when implementing the networking API and
it still relies on iproute/net-tools being installed.
Basically this means that when compiling OpenVPN on a system without
iproute2/net-tools and the user uses the "lladdr" config directive,
OpenVPN will fail to se the LL address of the interface.
With this patch a new API is introduced, it is implemented for both
SITNL and iproute2 backends, and called on Linux (this is a combination
of three patches in master).
Reported-by: Jan Hugo Prins <jprins@betterbe.com> Signed-off-by: Antonio Quartulli <a@unstable.cc> Tested-by: Jan Hugo Prins <jprins@betterbe.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210903161113.30498-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22792.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 98f524cbd58d24d09dee26160d7386d710c3564f)
(cherry picked from commit cb5d29461e6e734a2250b984b8423d39f7b9ddaa)
(cherry picked from commit 7205cdd8508be0ec9a83ea2e012e2a495157cad0)
On some systems the rst2{man,html} executables may have a slightly
different name, like rst2{man,html}.py.
Add this name variation to the Generic Programs check.
This specific variation is found on Gentoo Linux.
Cc: David Sommerseth <davids@openvpn.net> Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210827144807.27004-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22777.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b61d1988582feb2e1ed1cf9e62700f484e0bc150)
The IV_HWADDR description was only partially correct, as there are more
implementations using other values than the MAC address of the default
gateway.
The intention of this value is to provide a unique identifier of the
client and on some platforms this is not possible to retrieve other than
to generate this information.
The 64 bytes limitation is an arbitrary value, it is not enforced by
OpenVPN 2.x. But it was considered a good idea to at least have some
reasonable upper limit of how long this string can be, at least for
those implementing support for this information.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210709134849.161728-1-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22625.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 51d85a9d287f44c373eaa514c6a52e1078c27c43)
David Sommerseth [Wed, 30 Jun 2021 18:51:34 +0000 (20:51 +0200)]
doc: Use generic rules for man/html generation
Prior to this patch, the Makefile.am needs to be modified multiple
places to add a new man or HTML page to be generated. Since it is not
too often we modify this, it is easy to miss these finer details.
This changes the man and HTML generator rules to be more generic and use
variables as many places as possible. Also moved all the lines which
should not need to be changed as much towards the bottom-half of the
file.
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210630185134.144826-1-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22604.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 37cf98fa224a2ae5fc5cfa380bdb291e90d6413d)
Lev Stipakov [Fri, 25 Jun 2021 01:04:05 +0000 (04:04 +0300)]
Fix console prompts with redirected log
When openvpn needs to prompt user for a password
(for example, to set management interface password),
the prompt is written to standard error device.
When log is redirected to a file, that prompt is written
to that file and not to the "original" stderr. Moreover, on recent
Insider build (21390.2025) openvpn exits with fatal error
get_console_input_win32(): unexpected error: No such device or address
(errno=6)
while attempting to write that prompt.
When redirecting stdout/stderr, we use _dup2() to associate stderr
descriptor with a log file. This call closes file associated
with stderr descriptor, which might explain why it has stopped
working (original stderr is closed and WriteFile() fails) and on
older versions it appears to work "by accident" - not failing
but use redirected stderr instead of original one.
Fix by creating new file descriptor with _dup() for stderr
before redirect and use this descriptor for writing prompts.
While on it, make code a bit more C99-ish by moving variables
declaration from the beginning of the scope to the actual
initialisation.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210625010405.224-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/search?l=mid&q=20210625010405.224-1-lstipakov@gmail.com Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 480e4cc14ff34fac72406ab1dd66290a91cc09f0)
Gert Doering [Fri, 18 Jun 2021 18:12:46 +0000 (20:12 +0200)]
Add error reporting to get_console_input_win32().
When the function setup fails due to invalid file handles, or because
WriteFile(err, ...) fails (due to file handle corruption elsewhere),
the function used to silently "return false"
Change this to print a M_WARN|M_ERRNO message.
Also, change the function style to early-return style (= large diff, but
most are indent changes only).
v2: fix spurious "}" that was left over from change to early-return.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20210618181246.30769-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22577.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Thu, 17 Jun 2021 06:12:26 +0000 (09:12 +0300)]
crypto_openssl.c: disable explicit initialization on Windows (CVE-2121-3606)
Commit a4071b ("crypto_openssl: add initialization to pick up local
configuration") added openssl initialization to load configuration
file. However on Windows this file is loaded from user-writable
directory, such as c:\etc\ssl for mingw builds and (for example)
c:\vcpkg\packages\openssl_x64-windows\openvpn.cnf for vcpkg
builds. This could be a security risk.
CVE-2121-3606 has been assigned to acknowledge this risk.
Since aforementioned commit implements a niche feature which might
be better solved with CryptoAPI on Windows, make this code conditional
(for now).
CVE: 2121-3606 Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210617061226.244-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22568.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit abd5ee9b7dc4ba85438da5d16bb7dfb31714dac7)
Selva Nair [Wed, 2 Jun 2021 19:47:39 +0000 (15:47 -0400)]
Apply the connect-retry backoff to only one side of a connection
p2p connections with both ends backing off seldom succeed
as their connection attempt durations becomes increasingly
unlikely to overlap when the retry wait time is long.
Avoid this by applying the backoff logic only on TCP clients
or the tls_client side for UDP.
Regression warning: shared secret setups are left out of the
backoff logic.
Trac: #1010, #1384
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210602194739.29488-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22485.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 063d55afeea723fc6df0af29a19df257a8ab6920)
Max Fillinger [Mon, 12 Apr 2021 17:46:17 +0000 (19:46 +0200)]
Fix build with mbedtls w/o SSL renegotiation support
In mbedtls, support for SSL renegotiation can be disabled at
compile-time. However, OpenVPN cannot be built with such a library
because it calls mbedtls_ssl_conf_renegotiation() to disable this
feature at runtime. This function doesn't exist when mbedtls was built
without support for SSL renegotiation.
This commit fixes the build by ifdef'ing out the function call when
mbedtls was built without support for SSL renegotiation.
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <E1lW0eX-00012w-9n@sfs-ml-1.v29.lw.sourceforge.com>
URL: https://www.mail-archive.com/search?l=mid&q=E1lW0eX-00012w-9n@sfs-ml-1.v29.lw.sourceforge.com Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e4bd17c86e01aaf6f809d9ea355419c86c4defdc)
Arne Schwabe [Thu, 20 May 2021 15:11:41 +0000 (17:11 +0200)]
Implement auth-token-user
When not using username and password (i.e. auth-user-pass) it can still
be desirable to provide the client with an auth-token, e.g. for allowing
a session to continue after a reconnect without requiring 2FA again.
However, without --auth-user-pass openvpn does not have a username and will
ignore any pushed auth-token command.
This patch adds support for auth-token-user to set the username that should
be used for auth-token
The spec of using auth-token-user base64-encoded-user are the ones that
OpenVPN3 already implements.
Patch V2: Improve style, fix comments and commit message
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210520151148.2565578-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22417.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b398aa37ca309948b481401adf0074ea5589eb2d)
Arne Schwabe [Tue, 8 Jun 2021 15:24:34 +0000 (17:24 +0200)]
Add github actions
dummy0 gives strange errors on the Ubuntu 16 runner on github actions
because
dummy already exist, so use a more unique ovpn-dummy0 name instead.
Github actions are a good alternative to travis-ci, which futrure is
questionable
at the moment without payment. The github actions also allows building on
macOS
and Windows (not included in this commit). The matrix is a bit different
than Coverity and uses different Ubuntu version with their native OpenSSL
(1.0.2, 1.1.1)/mbed TLS instead of manually compiling different OpenSSL
versions on just Ubuntu 20.04.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20210608152434.1403999-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22511.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b4f658dfb018dcb22962eaa8b45ddd45c55f3003)
Lev Stipakov [Tue, 15 Jun 2021 10:43:31 +0000 (13:43 +0300)]
vcpkg-ports: restore trailing whitespaces in .patch files
Commit 36b9aa (master) / 73fbeed493c632 (release/2.5)
"contrib/vcpkg-ports: add pkcs11-helper port" has trimmed trailing
white space in .patch files and thus corrupted them.
Restore trailing whitespaces to "uncorrupt" patches.
** applied with git am --whitespace=nowarn **
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-By: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210615104331.210-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22553.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 742123498253e9a8aa0cbe12752e0e4a09b46f21)
Lev Stipakov [Mon, 7 Jun 2021 10:42:13 +0000 (13:42 +0300)]
contrib/vcpkg-ports: add pkcs11-helper port
pkcs11-helper is a dependency library used by OpenVPN.
So far it has been built only by mingw.
Since we're making MSVC build system a first class citizen,
we need to build depencencies with MSVC, which we do with vcpkg.
All dependencies are in vcpkg official repo, expect pkcs11-helper.
This provides vcpkg port for building pkcs11-helper.
To build for other arch, use x86-windows-ovpn or arm64-windows-ovpn.
Custom triplets are defines so that lz4 is linked statically and
other libraries dynamically.
Since we don't have CMake support yet, we cannot use vcpkg manifest
mode, since it doesn't work with overlay ports
(https://github.com/microsoft/vcpkg/issues/12289),
therefore this one-time manual dependency installation is required.
While on it, bump msvc-generate project target version to VS2019 and
cleanup leftovers from compat.vcxproj.filters.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210514045704.686-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22389.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 56f775fe9dacab7804109e305d652057b0c7fd3c)
Matthias Andree [Thu, 3 Jun 2021 12:30:19 +0000 (14:30 +0200)]
Fix SIGSEGV (NULL deref) receiving push "echo"
A server pushing "echo" without arguments can crash the client.
In such a situation, the code in question receives p[1] == NULL
(which was CLEAR(p)'ed above), hands it strncmp, which then
dereferences the null pointer.
Original report and analysis here:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256331
Fixes: Trac #1409 Reported-by: peo@nethead.se (to FreeBSD) Signed-off-by: Matthias Andree <matthias.andree@gmx.de> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210603123019.422644-1-matthias.andree@gmx.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22486.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 0033811e0215af76f469d78912c95a2f59813454)
Lev Stipakov [Tue, 11 May 2021 07:57:39 +0000 (10:57 +0300)]
openvpnmsica: properly schedule reboot in the end of installation
A deferred custom action can not set the reboot status via MsiSetMode.
To schedule reboot:
- get user's temp directory in immediate custom action
(EvaluateTUNTAPAdapters) which is called in the beginning of
installation and pass it to the deffered action
- in deferred action (ProcessDeferredAction) create a special empty file
in user's temp directory if reboot is required
- in the end of installation call immediate custom action
(CheckAndScheduleReboot) which checks the existence of special file
and uses MsiSetMode() to schedule reboot
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210511075739.158-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22335.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 2f0e3fe1c6c57dd3989951d167e94fe4debe5405)
Arne Schwabe [Mon, 5 Apr 2021 22:14:47 +0000 (00:14 +0200)]
Ensure key state is authenticated before sending push reply
This ensures that the key state is authenticated when sending
a push reply.
This bug allows - under very specific circumstances - to trick a
server using delayed authentication (plugin or management) into
returning a PUSH_REPLY before the AUTH_FAILED message, which can
possibly be used to gather information about a VPN setup.
In combination with "--auth-gen-token" or user-specific token auth
solutions it can be possible to get access to a VPN with an
otherwise-invalid account.
CVE-2020-15078 has been assigned to acknowledge this risk.
CVE: 2020-15078 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <d25ec73f-2ab0-31df-8cb6-7778000f4822@openvpn.net>
URL: non-public, embargoed Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sat, 27 Mar 2021 18:35:44 +0000 (19:35 +0100)]
Ensure auth-token is only sent on a fully authenticated session
This fixes the problem that if client authentication is deferred, we
send an updated token before the authentication fully finished.
Calling the new ssl_session_fully_authenticated from the two places
that do the state transition to KS_AUTH_TRUE is a bit suboptimal but
a cleaner solution requires more refactoring of the involved methods
and state machines.
This bug allows - under very specific circumstances - to trick a
server using delayed authentication (plugin or management) *and*
"--auth-gen-token" into returning a PUSH_REPLY before the AUTH_FAILED
message, which can possibly be used to gather information about a
VPN setup or even get access to a VPN with an otherwise-invalid account.
CVE-2020-15078 has been assigned to acknowledge this risk.
CVE: 2020-15078 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <d25ec73f-2ab0-31df-8cb6-7778000f4822@openvpn.net>
URL: non-public, embargoed Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sat, 27 Mar 2021 17:47:24 +0000 (18:47 +0100)]
Move auth_token_state from multi to key_state
The auth-token check is tied to the username/password that is coming
via a specific SSL session, so keep the state also in the key_state
structure.
This also ensures the auth_token_state is always set to 0 on a new
session since we clear the key_state object at the start of a new
SSL session.
This is a prerequisite patch to fix 2020-15078 in the following two
commits.
2nd patch, squashed into the first one:
This also applies the changes to the auth_token_test.c. The change of
tls_session to a pointer is necessary since before that we had tls_session
not tied to the multi and had two tls_session used in the test. One
implicitly in tls_multi and one explicit one. Merge these to one.
CVE: 2020-15078 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <d25ec73f-2ab0-31df-8cb6-7778000f4822@openvpn.net>
URL: non-public, embargoed Signed-off-by: Gert Doering <gert@greenie.muc.de>
Max Fillinger [Thu, 15 Apr 2021 09:34:54 +0000 (11:34 +0200)]
Abort if CRL file can't be stat-ed in ssl_init
Now that the path for the CRL file is handled correctly when using
chroot, there's no good reason for the file to be inaccessible during
ssl_init().
This commit ensures that the CRL file is accessed successfully at least
once, which fixes a bug where the mbedtls version of OpenVPN wouldn't
use a reloaded CRL if it initially failed to access the file.
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210415093454.18324-1-maximilian.fillinger@foxcrypto.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22118.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 940619c88067d95a1c9865795624bc3822a89bd7)
Max Fillinger [Thu, 15 Apr 2021 09:12:48 +0000 (11:12 +0200)]
In init_ssl, open the correct CRL path pre-chroot
When using the chroot option, the init_ssl function can be called before
entering the chroot or, when OpenVPN receives a SIGHUP, afterwards. This
commit ensures that OpenVPN tries to open the correct path for the CRL
file in either situation.
This commit does not address key and certificate files. For these, the
--persist-key option should be used.
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210415091248.18149-1-maximilian.fillinger@foxcrypto.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22117.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 21a0b2494e7f4f1c6325b2972743158acad4f394)
Arne Schwabe [Sun, 28 Mar 2021 12:02:41 +0000 (14:02 +0200)]
Fix condition to generate session keys
When OpenVPN sees a new (SSL) connection via HARD_RESET or SOFT_RESET with
the same port/ip as an existing session, it will give it the slot of the
renegotiation session (TM_UNTRUSTED). And when the authentication
succeeds it will replace the current session. In the case of a SOFT_RESET
this a renegotiation and we will generated data channel keys at the of
key_method_2_write function as key-id > 0.
For a HARD RESET the key-id is 0. Since we already have gone through
connect stages and set context_auth to CAS_SUCCEEDED, we don't
call all the connect stages again, and therefore also never call
multi_client_generate_tls_keys for this session.
This commit changes postponing the key generation to be done only if
the multi_connect has not yet been finished.
Patch V2: Explain better in the commit message why this change is done.
This is "sort of" a backport of commit a005044be9ca, except that the
master commit only got 1 of 3 hunks from the mailing list patch merged
while release/2.5 needs all 3. So this is exactly the patch as it was
sent to the list, URL below.
Trac: #1316
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210328120241.27605-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21873.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sun, 28 Mar 2021 12:02:40 +0000 (14:02 +0200)]
Move context_auth from context_2 to tls_multi and name it multi_state
context_2 and tls_multi have the same life cycle for TLS connections
but so this move does not affect behaviour of the variable.
OpenVPN TLS multi code has a grown a lot more complex and code that
handles multi objects needs to know the state that the object is in.
Since not all code has access to the context_2 struct, the code that
does not have access is often not checking the state directly but
checks other parts of multi that have been affected from a state
change.
This patch also renames it to multi_state as this variable represents
the multi state machine status rather than just the state of the connect
authentication (more upcoming patches will move other states
into this variable).
Patch V2: also rename context_auth to multi_state, explain a bit why this
change is done.
Patch V3: Add comments for c2->multi NULL check forwarding. Fix compile
with ENABLE_ASYNC_PUSH.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210418160111.1494779-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22155.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(backported from commit 0767d5b447044e4cdcfd198058aef1f85f63bbe6)
Fix IPv4 default gateway with multiple route tables
Current default gateway selection for zero destination address just
dumps and parses all the routing tables. If any of non-main table
with default route comes first, wrong default gateway can be picked.
Since adding/removing routes currently handles only main table,
let's stick to RT_TABLE_MAIN while selecting default route too.
v2: keep gateway address unchanged on lookup error
v3: reduce ammout of gateway address copying
Reported-by: Donald Sharp <donaldsharp72@gmail.com> Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210416120708.1532-1-themiron@yandex-team.ru>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22130.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c7f95891a4a0aabb64e7d4f3200525c1a2fcf433)
Gert Doering [Fri, 2 Apr 2021 17:34:14 +0000 (19:34 +0200)]
Fix potential NULL ptr crash if compiled with DMALLOC
In the unlikely case that we are compiled with -DDMALLOC *and*
malloc() returns NULL, there is an uncaught memset() which would
crash then. Remove the memset(), as the right the next operation
after check_malloc_return() is a mempcy() which will overwrite
the whole memory block anyway.
Trac: #586
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210402173414.14216-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21981.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e2acfad40c0d79ce7fd431c380d7466d383bcefa)
Arne Schwabe [Thu, 1 Apr 2021 11:00:03 +0000 (13:00 +0200)]
Always disable TLS renegotiations
Renegotiations have been troublesome in the past and also the recent
OpenSSL security problem (CVE-2021-3449) is only exploitable if
TLS renegotiation is enabled.
mbed TLS disables it by default and says in the documentation:
Warning: It is recommended to always disable renegotation unless you
know you need it and you know what you're doing. In the past, there
have been several issues associated with renegotiation or a poor
understanding of its properties.
TLS renegotiation can be used to restart a session with different
parameters (e.g. now with client certs). This something that OpenVPN does
not use.
For OpenSSL 1.0.2 the workaround to disable renegotiation is rather
cumbersome. So we keep this to 1.1.1 only since 1.0.2 is on its way to
deprecation anyway.
Furthermore because of all these problems, also TLS 1.3 completely
drops support for renegotiations.
Patch V2: Improve comments and commit message
Patch V3: Only disable renegotiation where the SSL_OP_NO_RENEGOTIATION
define is available. LibreSSL, wolfSSL and OpenSSL 1.0.2 are
lacking this macro. Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210401110003.19689-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21939.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 9e702a5d0f1d8ca0443d95ba13fc821deaa81d48)
Arne Schwabe [Fri, 26 Mar 2021 17:57:50 +0000 (18:57 +0100)]
Cleanup print_details and add signature/ED certificate print
This commit cleans up the logic in the function a bit. It also makes it
more clear the the details printed in the second part of the message are
details about the peer certificate and not the TLS connection as such.
Also print the signature algorithm as this might help to identify
peer certificate that still use SHA1.
The new format with for TLS 1.3 and an EC certificate.
Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer
certificate: 384 bit EC, curve secp384r1, signature: ecdsa-with-SHA256
Using the more generic OpenSSL functions also allows use to correctly
print details about ED certificates:
Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer
certificate: 253 bit ED25519, signature: ED25519
Patch v2: Cleanup multiple calls to EVP_PKEY_id, minor code restructuring
Patch v3: Always initialise sig.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210326175750.4772-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21861.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ca57070630a1b2935ee606cc1309005b56eb925f)
Arne Schwabe [Wed, 17 Mar 2021 16:00:38 +0000 (17:00 +0100)]
Restore also ping related options on a reconnect
This fixes the issue that if a client reconnects the next connection
entries inherits the keepalive settings that were pushed or set by
the previous entry. Since UDP+PULL entries have an implicit 120s
timeout, this timeout also got applied to a TCP session after an
UDP entry.
Patch v2: rebase on master
Reported-By: Jan Just Keijser <janjust@nikhef.nl> Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210317160038.25828-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21675.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 5a2ed714d14acb2312d27fe40e300be96d970c27)
Simon Rozman [Mon, 22 Mar 2021 10:39:57 +0000 (11:39 +0100)]
openvpnserv: Cache last error before it is overridden
FormatMessage() sets the last error according to its own success. This
looses the original error code leading to mismatched error message and
error number when sprintfted together resulting in confusing event log
message.
Signed-off-by: Simon Rozman <simon@rozman.si> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210322103957.1234-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21789.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 1e938c50930f29124909e120a29fb116d4c46576)
Arne Schwabe [Tue, 16 Mar 2021 12:44:21 +0000 (13:44 +0100)]
Avoid generating unecessary mbed debug messages
The main motivation to make this change is to avoid a crash in mbed TLS
2.25 with --verb < 8.
mbed TLS 2.25 has a nasty bug that the print function for Montgomery style
EC curves (Curve25519 and Curve448) does segfault. See also the issue
reported here: https://github.com/ARMmbed/mbedtls/issues/4208
We request always debug level 3 from mbed TLS but filter out any debug
output of level 3 unless verb 8 or higher is set. This commeit sets
the debug level to 2 to avoid this problem by makeing mbed TLS not
generatin the problematic debug output.
For the affected version to still use --verb 8 with mbed TLS 2.25 is to
restrict the EC groups to ones that do not crash the print function
like with '--tls-groups secp521r1:secp384r1:secp256r1'.
This patch has no patch on user-visible behaviour on unaffected mbed TLS
versions.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Patch V2: Replace magic constant with proper define. Highlight more this
avoding generating unessary debug output than crash workaround. Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20210316124421.1635-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21667.html
Greg Cox [Mon, 1 Feb 2021 07:09:49 +0000 (07:09 +0000)]
Explain structver usage in sample defer plugin.
sample-plugins/defer/simple.c uses OPENVPN_PLUGINv3_STRUCTVER settings
that may not be obvious to a new author. Add a comment to reduce
possible confusion. Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1612163389-16421-1-git-send-email-gcox@mozilla.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21540.html
Greg Cox [Wed, 27 Jan 2021 20:21:49 +0000 (20:21 +0000)]
More explicit versioning compatibility in sample-plugins/defer/simple.c
While not required, adding openvpn_plugin_min_version_required_v1 helps
by making an example for others to copy, and helps to explicitly call
attention to the difference between the API version number and the
struct version number in v3 calls. Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1611778909-20630-2-git-send-email-gcox@mozilla.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21508.html
Greg Cox [Wed, 27 Jan 2021 20:21:48 +0000 (20:21 +0000)]
Update openvpn_plugin_func_v2 to _v3 in sample-plugins/defer/simple.c
This isn't strictly required, but it modernizes the functions used.
This change makes _open the same parameter form as _func (for better
parallelism in function writing) and includes a check for the correct
struct version, as recommended by openvpn-plugin.h Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1611778909-20630-1-git-send-email-gcox@mozilla.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21507.html
Greg Cox [Sun, 24 Jan 2021 23:46:13 +0000 (23:46 +0000)]
Documentation fixes around openvpn_plugin_func_v3 in openvpn-plugin.h.in
The comments refered to parameters found in openvpn_plugin_func_v2 but not
in v3 Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1611531973-443-1-git-send-email-gcox@mozilla.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21481.html
Gert Doering [Thu, 21 Jan 2021 17:25:36 +0000 (18:25 +0100)]
clean up / rewrite sample-plugins/defer/simple.c
If we ship something that we consider a form of documentation
"this is how to write an OpenVPN plugin" it should meet our standards
for secure and modern code. This plugin did neither.
- get rid of system() calls, especially those that enabled a
remote-root exploit if this code was used "as is"
- change logging from printf() to OpenVPN's plugin_log()
- this requires changing to openvpn_plugin_open_v3() to get
to the function pointers
- change wacky "background and sleep in the shell call" to the
double-fork/waitpid model we use in plugins/auth-pam
(copy-paste code reuse)
- OpenVPN 2.5 and later react badly to OPENVPN_PLUGIN_FUNC_ERROR
returns to OPENVPN_PLUGIN_ENABLE_PF calls (SIGSEGV crash), so
always return SUCCESS. Only hook ENABLE_PF if that functionality
is actually requested ("setenv test_packet_filter NN").
- change deeply-nested functions auth_user_pass_verify() and
tls_final() to use early-return style
- actually make defered PF setup *work* with recent OpenVPNs
(pre-creating temp files broke this, so unlink() the pre-created
file in the ENABLE_PF hook, and re-create asyncronously later)
- add lots of comments explaining why we do things this way
Security issue reported by "oxr463" on HackerOne.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210121172536.32500-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21466.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 452e016cba977cb1c109e74977029b9c0de33de2)
Gert Doering [Thu, 21 Jan 2021 13:39:29 +0000 (14:39 +0100)]
Make OPENVPN_PLUGIN_ENABLE_PF failures FATAL
Without this patch, if openpn is using a plugin that provides
OPENVPN_PLUGIN_ENABLE_PF but then fails (returns OPENVPN_PLUGIN_FUNC_ERROR),
OpenVPN will crash on a NULL pointer reference.
The underlying cause is (likely) the refactoring work regarding
CAS_SUCCEEDED etc., and that nobody adjusted the pf.c code accordingly
(it tries to sent itself a SIGUSR1, which tries to tear down the
client MI instance, but since it is not fully set up yet at this
point, things explode). Full details on the call chain in Trac...
Since we intend to remove pf in 2.6, but we still do not want OpenVPN
to ever SIGSEGV, change the requirements for the plugins to "MUST SUCCEED",
so if the plugin ENABLE_PF call fails, abort openvpn with a M_FATAL
message.
Trac: #1377
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210121133929.20186-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21464.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6a0c51baaa4d2b329183601ec35d3d16f127519e)
Gert Doering [Mon, 18 Jan 2021 16:28:50 +0000 (17:28 +0100)]
Document common uses of 'echo' directive, re-enable logging for 'echo'.
The 'echo' command can be used to signal information to an OpenVPN
GUI driving the openvpn core via management interface. Which commands
exists and their syntax has so far been mostly undocumented.
Condense the long and good discussion between Selva Nair and
Jonathan K. Bullard into doc/gui-notes.txt (initial draft from
Jonathan, comments from Selva and Arne), with a pointer added
to doc/management-notes.txt.
Domagoj Pensa [Tue, 15 Dec 2020 17:30:04 +0000 (18:30 +0100)]
Skip DHCP renew with Wintun adapter
Wintun does not support DHCP.
Running DHCP renew with Wintun adapter fails with a logged warning.
Fixed so that DHCP renewing is called only for TAP-Windows6 adapters. Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20201215173004.26170-1-domagoj@pensa.hr>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21364.html
Domagoj Pensa [Thu, 24 Dec 2020 11:59:10 +0000 (12:59 +0100)]
Remove 1 second delay before running netsh
When running various netsh commands before each 1 second sleep is added.
As more netsh commands are run, especially for Wintun adapters, that can
add to a noticable delayed connecting time.
This should be safe. No problems were found in tests and all netsh
commands executed properly with delay removed. Also, no delays are used
in a similar code in interactive service and netsh command executions
are guarded with a semaphore.
Instead of removing management_sleep(1), management_sleep(0) is used as
a replacement to allow processing any pending actions on the management
interface without any wait.
Signed-off-by: Domagoj Pensa <domagoj@pensa.hr> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20201224115910.10129-1-domagoj@pensa.hr>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21405.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b1a8213ee3fe35a4617608ec7653e4dffea79207)
Gert Doering [Fri, 25 Dec 2020 16:42:14 +0000 (17:42 +0100)]
Clarify --block-ipv6 intent and direction.
--block-ipv6 is a fairly special-purpose option, and only blocks packet
in the client->server direction. This is implied by not ever mentioning
the other direction in the existing documentation, but not written down.
Make this explicit, avoid confusion.
Also, point why this option exist (avoid IPv6 leakage from dual-stacked
clients around IPv4-only VPN offerings).
Trac: #1351
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Richard Bonhomme <tincanteksup@gmail.com>
Message-Id: <20201225164214.22771-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21407.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 8a8ee283aa7a4b409a9dafc082a6c65b5539308b)
Domagoj Pensa [Tue, 15 Dec 2020 17:16:00 +0000 (18:16 +0100)]
Fix too early argv freeing when registering DNS
When registering DNS on Windows, argv is freed after being used in first
ipconfig command (/flushdns).
Then same argv is used uninitialized in next ipconfig command
(/registerdns)
causing heap exception and subprocess crash.
As a consequence second command is never executed and locked netcmd
semaphore is not cleanly released.
Removing argv freeing between ipconfig calls solves the problem.
This issue was introduced in commit 870e240 (argv: do fewer memory
re-allocations). After a quick glance at commit no similar problem was
spotted in rest of the argv related changes.
Signed-off-by: Domagoj Pensa <domagoj@pensa.hr> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20201215171600.25534-1-domagoj@pensa.hr>
URL: https://www.mail-archive.com/search?l=mid&q=20201215171600.25534-1-domagoj@pensa.hr Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ab4688e3bd78d010ccc96adec66ab552bd009328)
projects / thirdparty / openvpn.git / log
