networking: implement net_iface_new and net_iface_del APIs
These two new methods can be used to create and delete a tun or an
ovpn-dco interface via the networking API.
Implementations for SITNL and iproute2 are provided.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220407094146.7684-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24088.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
networking_iproute2: don't pass M_WARN to openvpn_execve_check()
openvpn_execve_check() expects a set of flags as third argument and not
a loglevel. For this reason, if no FATAL behaviour is expected, we
should simply pass 0. openvpn_execve_check() will then pick the
appropriate loglevel on its own.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220407201411.22486-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24090.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sat, 2 Apr 2022 07:08:56 +0000 (09:08 +0200)]
networking: remove duplicate methods from networking_sitnl.c
The net_ctx_init/reset/free methods of sitnl are the same dummy
methods that are already defined for non-Linux platforms in the
networking.h header.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220402070902.30282-2-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24054.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Michael Baentsch [Tue, 29 Mar 2022 05:37:09 +0000 (07:37 +0200)]
Enable usage of TLS groups not identified by a NID in OpenSSL 3
OpenSSL3 prefers to specify groups (including EC groups) with names
instead of NID to also allow groups provided by providers.
This commit also removes the mapping of secp256r1 to prime256v1 for
the OpenSSL3 code path as OpenSSL 3.0 recognises secp256r1.
Signed-off-by: Michael Baentsch <info@baentsch.ch>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220329053709.19462-1-info@baentsch.ch>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24012.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Wed, 23 Mar 2022 14:34:52 +0000 (15:34 +0100)]
add support for --dns option
As a first step towards DNS configuration in openvpn and a unified way
to push DNS related settings to clients in v2 and v3, this commit adds
support for parsing the new --dns option. Later commits will add support
for setting up DNS on different platforms.
For now, --dns and DNS related --dhcp-option can be used together for
smoother transition. Settings from --dns will override ones from --dhcp-option
where applicable.
For detailed information about the option consult the documentation in
this commit.
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220323143452.1100446-1-heiko@ist.eigentlich.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23997.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 24 Feb 2022 14:42:45 +0000 (15:42 +0100)]
Implement fixed MSS value for mssfix and use it for non default MTUs
This allows setting the MSS value inside the tunnel to a user specified
value instead of calculating it from (somewhat) dynamic encapsulation
overhead.
Also default to the MTU when tun-mtu does not have the default value
to ensure that packets are not larger than the tun-mtu. This only affects
packets that are routed via the VPN and none of the peers is an endpoint
since otherwise the peer would already set a lower MTU.
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20220224144245.878056-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23886.html
preprocessor definitions. I don't feel like replacing strdup (which is
correct POSIX function) and inet_ntoa (we always pass IPv4 address to
it, inet_ntop will make code more complex)
Above issues were discovered by bitskim.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220218235004.269-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23851.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Tue, 1 Mar 2022 13:50:54 +0000 (15:50 +0200)]
Fix incorrect default mssfix value in server mode
When calculating default mssfix, we take into account
protocol overhead, which usually includes 3 bytes peer-id.
Peer-id usage is indicated by options->use_peer_id flag.
In client mode it is set when applying pushed options.
In server mode it is not set and as a result mssfix value
is 3 bytes off.
Fix by setting this flag in multi.c when calculating
tunnel-specific options.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220301135054.277-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23896.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
networking: use OPENVPN_ETH_ALEN instead of ETH_ALEN
With the introduction of SITNL two occurrences of ETH_ALEN
were introduced in the code. This define exists on Linux in
the linux/if_ether.h header, however the latter is included
in linux/if_tun.h which may or may not exist (depending on
how old your system is).
If the system lacks if_tun.h then the compilation fails because
ETH_ALEN cannot be found.
For this reason, swap ETH_ALEN with OPENVPN_ETH_ALEN which is
already used in other places of the code.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220223080628.4773-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23882.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
netmask is simply used to reflect the value of p[2], therefore
it can be dropped and p[2] can directly be used instead.
Reported-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220314131356.11577-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23941.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Wed, 16 Mar 2022 13:54:11 +0000 (15:54 +0200)]
vcpkg-ports\pkcs11-helper: shorten patch filename
"make dist" uses 'tar -o' which breaks on long filenames:
tar: openvpn-2.5.6/contrib/vcpkg-ports/pkcs11-helper/0003-config-w32-vc.h.in-indicate-OpenSSL-EC-support.patch: file name is too long (max 99); not dumped
tar: Exiting with failure status due to previous errors
and then "make dist" continues.
Make filename shorter to make tar happy.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220316135411.217-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23977.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The plug-in API in OpenVPN 2.x is not designed for running multiple
deferred authentication processes in parallel. The authentication
results of such configurations are not to be trusted. For now we bail
out when this is discovered with an error in the log.
CVE: 2022-0547
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20220313193154.9350-3-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23931.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Sun, 13 Mar 2022 19:31:54 +0000 (20:31 +0100)]
plugins: Remove defer/simple.c sample plugin
The use case for this plug-in is dubious now with the new multi-auth.c
plugin available. This new plugin is based on simple.c, but allows
far more flexibility for testing.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20220313193154.9350-4-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23933.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Tue, 22 Feb 2022 11:38:32 +0000 (12:38 +0100)]
Fix --mtu-disc maybe|yes on Linux.
--mtu-disc (on Linux) needs two components to work:
- setsockopt() with IP_MTU_DISCOVER or IPV6_MTU_DISCOVER
- "extended error reporting" (setsockopt(IP_RECVERR) and
then via mtu.c/format_extended_socket_error()) to react on
"packet too big" errors on sendto() / sendmsg()
Some configure.ac reorganization broke detection of <linux/errqueue.h>
and "struct sock_extended_err". Re-add <linux/errqueue.h> to configure.ac,
remove all the other conditionals in syshead.h, and remove the
"struct sock_extended_err" check completely (assumption: if errqueue.h
exists, it contains what we need).
Thus, the "non-helpful" socket error message turns into:
2022-02-22 12:31:42 write UDPv4 [EMSGSIZE Path-MTU=800]: Message too long (fd=3,code=90)
2022-02-22 12:31:42 Note adjusting 'mssfix 1400 mtu' to 'mssfix 800 mtu' according to path MTU discovery
2022-02-22 12:31:42 Note adjusting 'fragment 1400 mtu' to 'fragment 800 mtu' according to path MTU discovery
... while at it, fix extra space in first part of these messages, and
print o->ce.fragment for the "fragment" message...
v2: assume that "if it's linux, and has these two headers, everything
else will be there as well" and get rid of most of the #ifdef checks
Trac: #1452
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220222113832.13383-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23863.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Mon, 14 Feb 2022 12:24:09 +0000 (14:24 +0200)]
openvpnmsica: add ovpn-dco custom actions
Add two custom actions to service ovpn-dco driver installation.
- EvaluateDriver
Runs under user privileges. Determines what action (install/uninstall)
should be performed on ovpn-dco component.
- ProcessDriver
Runs under SYSTEM privileges. Performs driver (un)installation.
During uninstall, all existing adapters with given hwid (ovpn-dco)
are removed.
The logic is inspired by custom actions from tap-windows6 installer
(https://github.com/OpenVPN/tap-windows6/tree/master/msm).
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Signed-off-by: Simon Rozman <simon@rozman.si>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220214122409.260-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23786.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
At the moment we have tls_crypt_kt() and auth_token_kt that basically do
the same thing, but with different algorithms used to initialise the
structure.
In order to avoid code duplication and copy/paste errors, unify code and
make it parametric, so that it can be re-used in various places.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220217163159.7936-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23831.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
doc/options: clean up documentation for --proto and related options
The family specific options were generally omitted.
Cc: David Sommerseth <openvpn@sf.lists.topphemmelig.net>
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20220215145425.1989-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23798.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
With b39725cf ("Remove md_kt_t and change crypto API to use const char*")
the logic for validating ciphers and md algorithms has been changed.
We should now *always* use md_valid() when validating a digest alg.
At the same time, add '!' (negation) when validating the digest algorithm
in the tls-crypt code, in order to restore the proper logic.
Cc: Arne Schwabe <arne@rfc2549.org>
Fixes: b39725cf ("Remove md_kt_t and change crypto API to use const char*")
Reported-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220215123157.10615-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23793.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 14 Feb 2022 09:26:07 +0000 (10:26 +0100)]
Remove FRAME_HEADROOM, PAYLOAD_SIZE, EXTRA_FRAME and TUN_LINK_DELTA macros
The buffer overhaul simplified the frame struct to a point that these
macros are either not used anymore or are not adding any benefit in
understanding the code anymore. Replace the macros with direct member
accesses.
Patch v2: Remove all FRAME_HEADROOM macros
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220214092607.3785665-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23785.html
Arne Schwabe [Mon, 14 Feb 2022 02:10:53 +0000 (03:10 +0100)]
Fix 'defined but not used' warnings with enable-small/disable-management
Some functions are only used when management is used or enable-small is
not used. Fix the ifdefs to correctly also include these helper
functions to avoid compile errors when using -Werror
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220214021054.3750071-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23779.html
Arne Schwabe [Fri, 5 Nov 2021 15:07:42 +0000 (16:07 +0100)]
Default to --cipher BF-CBC if not set and compat-mode < 2.4.0
When we try to make a configuration compatible with a version earlier
than 2.4.0 we probably need to have a --cipher configured since NCP
is not available. In configuration where --cipher is not specified
we default to BF-CBC to support these old clients.
Note that with OpenSSL 3.0 you will also need to enable the legacy
provider otherwise we bail out since BF-CBC is no longer supported.
Also move the condition so BF-CBC gets included in the data-ciphers
list.
Patch v2: move the comment to a better place.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20211105150742.2909443-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23100.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
README.IPv6 is quite useless because IPv6 is not a second
class citizen anymore. Most of the content is "obvious" or explained in
the manpage along with other details/options.
TODO.IPv6 is old and many implemented things are still reported there
for no clear reason. Delete file and report still open items in our
tracking system.
Cc: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220207155757.22314-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23729.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 10 Feb 2022 16:26:28 +0000 (17:26 +0100)]
Update fragment and mssfix related warnings
The warning that fragment/mssfix needs also tun-mtu set to 1500 makes
little sense. Remove it completely. Instead warn if there are
inconsistencies between --fragment and mssfix.
Patch v2: clarify the mssfix and fragment mtu warning message
Patch v4: Rebase
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220210162632.3309974-4-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23753.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sat, 12 Feb 2022 00:33:31 +0000 (01:33 +0100)]
Add mtu parameter to --fragment and change fragment calculation
Instead of relying on the link_mtu_dynamic field and its calculation
in the frame struct, add a new field max_fragment_size and add
a calculation of it similar to mssfix.
Also whenever mssfix value is calculated, we also want to calculate
the values for fragment as both options need to be calculated from
the real overhead.
Patch v2: Fix syntax in rst man page
Patch v5: fix segfault when get_ip_encap_overhead gets called early in
init_instance and note that these calls will always be
overwritten by NCP in tls_session_update_crypto_params
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220212003331.3483107-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23764.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 10 Feb 2022 16:26:26 +0000 (17:26 +0100)]
Change the default for mssfix to mssfix 1492 mtu
The current default is 1450, which translates to 1478 byte packets for udp4
and 1498 byte packets for udp6. This commit changes the mssfix default
to take the outer IP overhead into account as well and changes the target
to 1492. 1492 was picked in our community meeting for being a very common
encapsulation upper bound.
The change also disables an mssfix default if tun-mtu is set to a value
different than 1500.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220210162632.3309974-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23754.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Tue, 8 Feb 2022 11:49:05 +0000 (13:49 +0200)]
msvc: cleanup
Remove unused macros for dependency directories,
since dependencies are handled by vcpkg.
Remove unused .bat files.
Reported-by: Frank Lichtenheld <frank@lichtenheld.com>
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220208114905.100-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23730.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Fri, 4 Feb 2022 11:42:01 +0000 (12:42 +0100)]
Repair --inactive with 'bytes' argument larger 2Gbytes.
--inactive has an optional 2nd parameter specifying the number of
bytes that need to be sent/received in the given time window. This
was parsed with atoi(), stored in an 32bit int. atoi() overflows at
2Gbyte (signed int), which makes gcc return "0" and MSVC "2^31-1"
for the value reported in the ticket (10G) - so on gcc, this was
behaving like "not set", while windows builds after 2.5.4 honoured
this setting, and aborted (unexpectedly) due to "not enough traffic".
Fix by increasing word length of all involved variables to int64_t.
While at it, add option printer SHOW_LONG(), and print variable.
This has the potential to break existing setups where this value is
set unreasonably high, thus "impossible to achieve in the interval",
but which was never noticed before due to "overflow, 0, ignored".
Thus, print WARNING if a value >INT_MAX (2Gbyte) is configured.
v2: use atoll(), as atol() is limited to INT_MAX on MSVC, and PRIi64
for format string. Rename SHOW_LONG() to SHOW_INT64().
Trac: #1448
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20220204114201.5632-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23720.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
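An added illustration of the parsing defect class this commit describes (example code written for this page, not OpenVPN's own; the struct and function names are hypothetical): the byte threshold is parsed into an int64_t with explicit range checking instead of atoi() into a 32-bit int, and values above INT_MAX are flagged for a warning.

```c
#include <errno.h>
#include <inttypes.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical result type for the optional 'bytes' argument of --inactive
 * (illustration only, not OpenVPN's own definitions). */
struct inactive_bytes {
    int64_t bytes;      /* parsed value; 0 when the argument is rejected */
    bool ok;            /* false if the argument is not a valid number */
    bool warn_too_big;  /* true when the value exceeds INT_MAX (2 Gbyte) */
};

/* Parse the byte count into a 64-bit integer so a value such as 10G
 * (10000000000) no longer overflows a 32-bit int.  strtoll() is used
 * rather than atoi()/atoll() because it reports out-of-range input via
 * ERANGE and lets the caller reject trailing garbage. */
struct inactive_bytes parse_inactive_bytes(const char *arg)
{
    struct inactive_bytes r = { 0, false, false };
    char *end = NULL;

    errno = 0;
    long long v = strtoll(arg, &end, 10);
    if (end == arg || *end != '\0' || errno == ERANGE || v < 0) {
        return r;   /* not a number, trailing junk, overflow, or negative */
    }
    r.bytes = (int64_t)v;
    r.ok = true;
    /* Values above INT_MAX used to overflow and silently act as "not set";
     * flag them so the operator can check that the threshold is reachable
     * within the --inactive interval at all. */
    r.warn_too_big = (v > INT_MAX);
    return r;
}

/* Render the value the way an option printer would, using the PRIi64
 * format macro rather than a plain %d that would truncate on some platforms. */
const char *format_inactive_bytes(struct inactive_bytes r, char *buf, size_t len)
{
    if (!r.ok) {
        snprintf(buf, len, "inactive bytes: invalid");
    } else if (r.warn_too_big) {
        snprintf(buf, len, "inactive bytes: %" PRIi64 " (WARNING: > INT_MAX)",
                 r.bytes);
    } else {
        snprintf(buf, len, "inactive bytes: %" PRIi64, r.bytes);
    }
    return buf;
}

int main(void)
{
    /* Constructed sample arguments: a sane value, the 10G value from the
     * ticket, trailing garbage and a negative number. */
    const char *samples[] = { "1048576", "10000000000", "12abc", "-5" };
    char buf[96];

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct inactive_bytes r = parse_inactive_bytes(samples[i]);
        printf("%-12s -> %s\n", samples[i],
               format_inactive_bytes(r, buf, sizeof(buf)));
    }
    return 0;
}
```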
crypto: move OpenSSL specific FIPS check to its backend
Our crypto API already provides a function performing a validity check
on the specified ciphername. The OpenSSL counterpart also checks for the
cipher being FIPS-enabled.
This API is cipher_valid(). Extend it so that it can provide a reason
whenever the cipher is not valid and use it in crypto.c.
This way we move any OpenSSL specific bit to its own
backend and directly use the new cipher_valid_reason() API in the
generic code.
This patch fixes compilations with mbedTLS when some OpenSSL is also
installed. The issue was introduced with: 544330fe ("crypto: Fix OPENSSL_FIPS enabled builds")
Cc: David Sommerseth <davids@openvpn.net>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20220203193655.28791-2-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23714.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
crypto: move validation logic from cipher_get to cipher_valid
With cipher validation performed in cipher_get(), a cipher is never
returned in any case if some check fails.
This prevents OpenVPN from operating on all ciphers provided by the SSL
library, like printing them to the user.
Move the validation logic to cipher_valid() so that checks are performed
only when OpenVPN really wants to know if a cipher is usable or not.
Fixes: ce2954a0 ("Remove cipher_kt_t and change type to const char* in API")
Cc: Arne Schwabe <arne@rfc2549.org>
Cc: David Sommerseth <davids@openvpn.net>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20220203193655.28791-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23713.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sat, 1 Jan 2022 16:25:26 +0000 (17:25 +0100)]
Remove link_mtu parameter when running up/down scripts
The link mtu is no longer used and calculating a compatibility link
MTU just for scripts makes little sense as well. Replace the parameter
instead with a fixed parameter 0.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220101162532.2251835-9-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23493.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
strcasecmp() was initially declared in string.h and subsequently moved
to strings.h. For historical reasons it still exists in string.h, but
would require _DEFAULT_SOURCE to be defined.
Due to the above, just include strings.h as currently dictated by the
manpage.
Fixes the following warning:
keying-material-exporter-demo/keyingmaterialexporter.c:155:14: warning:
implicit declaration of function ‘strncasecmp’; did you mean ‘strncmp’?
[-Wimplicit-function-declaration]
155 | if (!strncasecmp(objbuf, "CN", 2))
| ^~~~~~~~~~~
| strncmp
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220203082620.8186-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23702.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sat, 1 Jan 2022 16:25:23 +0000 (17:25 +0100)]
Implement optional mtu parameter for mssfix
The current mssfix parameter is a bit difficult to use as it needs
manual calculation of the allowable packet size and also the resulting
MSS value does not take into account if IPv4 or IPv6 is used on the
outer tunnel. Add 'mtu' parameter to fix both of these problems by
dynamically including the real overhead.
The syntax and naming of the parameter is chosen for compatibility with
OpenVPN3.
Arne Schwabe [Sat, 1 Jan 2022 16:25:22 +0000 (17:25 +0100)]
Fix datagram_overhead and assorted functions
This function is supposed to calculate the overhead of the protocol
header (IP/IPv6 + TCP/UDP). But at some point the index that used
to index the array proto_overhead and the associated PROTO_N went
completely out of sync. This fixes the function and related caller
to again calculate the overhead as intended.
Note that IPv6 mapped IPv4 addresses still have the wrong overhead
calculated as they are treated as IPv6 addresses (0:0:0:0:0:ffff::/96)
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220101162532.2251835-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23504.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 24 Jan 2022 02:54:59 +0000 (03:54 +0100)]
Change buffer allocation calculation and checks to be more static
Currently we use half dynamic buffer sizes where we have a fixed
overhead for crypto (crypto_max_overhead) but use a dynamic overhead
for the other small header sizes.
Patch v3: rebase
Patch v4: add size of ack array to control channel frame size
Patch v5: fix calculation of compression overhead calculated over 0 instead
of payload size
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220124025459.1042317-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23638.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sat, 1 Jan 2022 16:25:20 +0000 (17:25 +0100)]
Fix mssfix and frame calculation in CBC mode
This commit fixes the MSS calculation in CBC mode. This fix has two parts:
- Added rounding to a multiple of block size during calculation of overhead
- In CBC mode the packet ID is part of the plaintext (or payload) rather
than part of the header (like for AEAD), adjust the functions to
correctly reflect this.
OCC link calculation is not affected since it ignores rounding of CBC
block size completely.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220101162532.2251835-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23494.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Fri, 21 Jan 2022 18:57:52 +0000 (13:57 -0500)]
Do not error when md_kt_size() is called with mdname="none"
An easy way to trigger this error is to run an otherwise working setup
(at say verb = 4) with increased verbosity of verb >= 7 and using a GCM
cipher (e.g., AES-256-GCM). It will cause a fatal exit while printing the
cipher and hmac in key2_print().
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220121185752.14138-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23631.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Update performed by means of: dev-tools/update-copyright.sh
Cc: David Sommerseth <davids@openvpn.net>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20220125142456.18176-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23650.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
unit-test: fix test_crypto when USE_COMP is not defined
This unit-test did not consider the case when USE_COMP is not defined,
thus generating a compiler error.
Adapt the test to the case when no compression is available.
Cc: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220121144313.24961-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23628.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
In the past we had issues with patches accidentally breaking less common
OpenVPN configurations. For this reason it makes sense to have some of those
configurations build via CI.
Lev Stipakov [Mon, 17 Jan 2022 09:49:17 +0000 (11:49 +0200)]
tun: remove tun_finalize()
tun_finalize() is essentially a subset of socket_finalize() apart from:
- using WSAFoo() functions instead of Foo()
- "from" address is not returned
There is no clear official statement that one can use non-WSA
API on handles, so let's be on the safe side and use both.
Introduce sockethandle_t abstraction, which represents
socket and handle. Add SocketHandle* routines which call
the proper API depending on the underlying type in the abstraction.
Rename socket_finalize() to sockethandle_finalize(), take
sockethandle_t and new routines into use and kick tun_finalize().
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20220117094917.178-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23555.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Wed, 19 Jan 2022 18:21:26 +0000 (19:21 +0100)]
crypto: Fix OPENSSL_FIPS enabled builds
On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS
module enabled by default. On these platforms, the OPENSSL_FIPS macro
is always defined via /usr/include/openssl/opensslconf-*.h.
Without this fix, the following compilation error appears:
./src/openvpn/crypto.c: In function ‘print_cipher’:
./src/openvpn/crypto.c:1707:43: error: ‘cipher’ undeclared (first use in this function); did you mean ‘iphdr’?
if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
^~~~~~
The EVP_CIPHER_fetch() and EVP_CIPHER_free() methods are also provided
via the openssl_compat.h for older than OpenSSL 3.0.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220119182126.56880-1-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23570.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Thu, 20 Jan 2022 16:16:16 +0000 (11:16 -0500)]
Add a unit test for external key provider
Tests:
- Check SIGNATURE and KEYMGMT methods can be fetched
from the provider
- Load sample RSA and EC keys as management-external-key
and check that their sign callbacks are correctly exercised:
with and without digest support mocked in the client
capability flag.
- Test generic key load and signature
v4: 16/18 and 17/18 of v3 squashed into one patch
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220120161616.13447-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23608.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Tue, 14 Dec 2021 16:59:24 +0000 (11:59 -0500)]
pkcs11: Interface the xkey provider with pkcs11-helper
- Load the 'private key' handle through the provider and set it in
SSL_CTX
- Add a sign op function to interface provider with pkcs11-helper.
Previously we used its "OpenSSL Session" which internally sets up
callbacks in RSA and EC key methods. Not useful for the provider
interface, so, we directly call the PKCS#11 sign operation
as done with mbedTLS.
- tls_libctx is made global for accessing from pkcs11_openssl.c
Supports ECDSA and RSA_PKCS1_PADDING signatures. PSS support
will be added when pkcs11-helper with our PR for specifying
CK_MECHANISM variable in sign operations is released.
(i.e., next release of pkcs11-helper).
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20211214165928.30676-15-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23442.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Tue, 14 Dec 2021 16:59:22 +0000 (11:59 -0500)]
Increase ERR_BUF_SIZE when management interface support is enabled
Sending largish messages to the management interface errors due to
the limited size used for the "error" buffer in x_msg_va(). Although
all intermediate steps allocate required space for the data to
send, it gets truncated at the last step.
This really requires a smarter fix. As a quick relief, we just increase
the buffer size to 10240 when management support is compiled in. Should
be enough for PK_SIGN with undigested message.
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20211214165928.30676-13-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23440.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Tue, 14 Dec 2021 16:59:21 +0000 (11:59 -0500)]
Support sending DigestSign request to management client
To receive an undigested message for signing, indicate support
for handling message digesting in the client using an argument
"digest" to --management-external-key.
For example, to announce pkcs1 padding and digesting support use:
--management-external-key pkcs1 pss digest
In PK_SIGN, the algorithm string will get data=message
in addition to other relevant options.
Note that it is not guaranteed that the client will be prompted
with an undigested message. This is possible only when OpenSSL
calls our provider for DigestSign() as opposed to Sign(). In
practice, the signature operation always appears to result in
a DigestSign() call through the provider interface.
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20211214165928.30676-12-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23435.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Tue, 14 Dec 2021 16:59:20 +0000 (11:59 -0500)]
Respect algorithm support announced by management client
Support for padding algorithms in management-client is indicated
in the optional argument to --management-external-key as "pkcs1",
"pss" etc. We currently use it only for an early exit based on heuristics
that a required algorithm may not be handled by the client. When
a signature is requested we do not check whether the padding is indeed
supported by the client. This leads to situations like the client
announcing "nopadding" support but we request "pss" signature.
Here we add a check while requesting signature as well. If the padding
treat it as an error instead of submitting the request to the
management-interface regardless.
This change is made only when xkey provider is in use, though such a check
would be appropriate always.
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20211214165928.30676-11-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23441.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Tue, 14 Dec 2021 16:59:19 +0000 (11:59 -0500)]
Allow management client to announce pss padding support
The --management-external-key option can currently indicate support
for 'nopadding' or 'pkcs1' signatures in the client. Add 'pss' as an
option to announce that PSS signing requests are accepted.
To match, extend the algorithm string in PK_SIGN request to
include the following format:
Selva Nair [Tue, 14 Dec 2021 16:59:18 +0000 (11:59 -0500)]
Add a function to encode digests with PKCS1 DigestInfo wrapper
The EVP_PKEY interface as well as provider passes the raw
digest to the sign() function. In case of RSA_PKCS1,
our management interface expects an encoded hash, which
has the DigestInfo header added as per PKCSv1.5 specs,
unless the hash algorithm is legacy MD5_SHA1.
Fix this by
- adding a function to perform the pkcs1 encoding before passing the
data to sign to the management interface. The implementation
is not pretty, but should work.
(Unfortunately OpenSSL does not expose a function for this).
Note:
1. cryptoki interface used by pkcs11-helper also requires this to be
done before calling the Sign op. This will come handy there too.
2. We have a similar function in ssl_mbedtls.c but it's not prettier,
and requires porting.
v2 changes: Use hard-coded headers for known hash algorithms instead
of assembling it from the ASN.1 objects.
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20211214165928.30676-9-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23433.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
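The encoding this commit describes, as an added stand-alone C example rather than OpenVPN's own implementation: a hard-coded DigestInfo header for each known hash is prepended to the raw digest, while the legacy 36-byte MD5-SHA1 digest is passed through without a header. The helper name and the OpenSSL-style digest names are assumptions; the constructed digests in the comments are test values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hard-coded PKCS#1 v1.5 DigestInfo prefixes: DER of the AlgorithmIdentifier
 * followed by the OCTET STRING tag and length; the raw digest follows directly. */
static const uint8_t SHA1_HDR[]   = {0x30,0x21,0x30,0x09,0x06,0x05,0x2b,0x0e,0x03,0x02,0x1a,0x05,0x00,0x04,0x14};
static const uint8_t SHA256_HDR[] = {0x30,0x31,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00,0x04,0x20};
static const uint8_t SHA384_HDR[] = {0x30,0x41,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x02,0x05,0x00,0x04,0x30};
static const uint8_t SHA512_HDR[] = {0x30,0x51,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,0x05,0x00,0x04,0x40};

struct digestinfo {
    const char *mdname;   /* digest name as OpenSSL spells it (assumption) */
    size_t dlen;          /* required raw digest length for this algorithm */
    const uint8_t *hdr;   /* DigestInfo prefix; NULL means pass digest through */
    size_t hlen;
};

static const struct digestinfo KNOWN[] = {
    {"SHA1",     20, SHA1_HDR,   sizeof(SHA1_HDR)},
    {"SHA256",   32, SHA256_HDR, sizeof(SHA256_HDR)},
    {"SHA384",   48, SHA384_HDR, sizeof(SHA384_HDR)},
    {"SHA512",   64, SHA512_HDR, sizeof(SHA512_HDR)},
    {"MD5-SHA1", 36, NULL,       0},   /* legacy TLS 1.0/1.1: no DigestInfo */
};

/* Hypothetical helper: writes DigestInfo || digest into out and returns the
 * encoded length. Returns 0 for an unknown digest name, a digest of the wrong
 * length, or an output buffer that is too small, so a caller never submits a
 * partially built blob to the signer. */
size_t encode_pkcs1_digestinfo(const char *mdname, const uint8_t *dgst, size_t dlen,
                               uint8_t *out, size_t outlen)
{
    for (size_t i = 0; i < sizeof(KNOWN) / sizeof(KNOWN[0]); i++) {
        const struct digestinfo *d = &KNOWN[i];
        if (strcmp(d->mdname, mdname) != 0) {
            continue;
        }
        if (dlen != d->dlen || outlen < d->hlen + dlen) {
            return 0;
        }
        if (d->hlen) {
            memcpy(out, d->hdr, d->hlen);
        }
        memcpy(out + d->hlen, dgst, dlen);
        return d->hlen + dlen;   /* e.g. 19 + 32 = 51 for a SHA256 digest */
    }
    return 0;
}
```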
Selva Nair [Tue, 14 Dec 2021 16:59:17 +0000 (11:59 -0500)]
Enable signing via provider for management-external-key
- Add a function to set as sign_op during key import. The
function passes the signature request to management interface,
and returns the result to the provider.
v2 changes: Method to do digest added to match the changes in
the provider signature callback.
TODO:
- Allow passing the undigested message to management interface
- Add pkcs1 DigestInfo header when required
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20211214165928.30676-8-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23428.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Tue, 14 Dec 2021 16:59:14 +0000 (11:59 -0500)]
Implement import of custom external keys
Our key object retains info about the external
key as an opaque handle to the backend. We also
need the public key as an EVP_PKEY *.
For native keys we use OpenSSL API to import
data into the key. The 'handle' representing the
private key in that case is the OpenSSL EVP_PKEY
object itself.
For importing custom keys, we define custom
parameters describing the key using OSSL_PARAM
structure. We define 4 required and 1 optional
parameters for loading the key:
Note: data_size = 0 refers to a NUL terminated string in OpenSSL.
This parameter is only used to identify the key as non-native
with an opaque handle. We really do not check the content of
the string. Should not be NULL.
The 'handle' is opaque to us and is retained. The caller
should not free it. We will free it when no longer required
by calling 'free_op()', if provided. The 'handle' should
not be NULL as that indicates missing private key.
The 'pubkey' must be an 'EVP_PKEY *' variable, and is duplicated
by us. The caller may free it after return from import.
The 'sign_op' and 'free_op' function pointers should be of type
'XKEY_EXTERNAL_SIGN_fn' and 'XKEY_PRIVKEY_FREE_fn' defined
in xkey_common.h
For example, for management-external-key, we really do not
need any 'handle'. Pass anything that will live long and
won't dereference to NULL. We do not use it for any other
purpose. Pointer to a const string could be a choice.
In this case, free_op = NULL is the safest choice.
For a usage of keymgmt_import(), see the helper function
implemented using it to load the management key in the next commit.
v2 changes: "origin" --> "xkey-origin"
This was 5/9 in v1
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20211214165928.30676-5-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23439.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Tue, 14 Dec 2021 16:59:13 +0000 (11:59 -0500)]
Implement SIGNATURE operations in xkey provider
- Basic framework for announcing support for signature
operations
- DigestSign and Sign functions for native keys are also
implemented. Though strictly not needed, these functions
for native keys set up the framework for signature operations.
They also help load an exportable key from a file through
the provider for testing.
Subsequent commits will add support for signing with
external keys.
v2 changes:
- Remove verify operations which are no longer
required with proposed changes in OpenSSL 3.0.1 that we target.
- Undigested message is passed to the backend sign operation when
possible. This would allow more flexibility as some backends
prefer to do the hash operation internally.
This was 4/9 in v1
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20211214165928.30676-4-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23437.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Tue, 14 Dec 2021 16:59:12 +0000 (11:59 -0500)]
Implement KEYMGMT in the xkey provider
A minimal set of functions for keymgmt are implemented.
No support for external key import as yet, only native
keys. Support for native keys is required as keys may
get imported into us for some operations as well as
for comparison with unexportable external keys that we hold.
Implementation of signature callbacks is in the next commit.
v2 changes: This was commit 3/9 in v1
v3 changes: When OpenSSL native key is imported instead of duplicating
the whole key, use only the public components for public key.
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20211214165928.30676-3-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23438.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Tue, 14 Dec 2021 16:59:11 +0000 (11:59 -0500)]
A built-in provider for using external key with OpenSSL 3.0
Hooking into callbacks in RSA_METHOD and EVP_PKEY_METHOD
structures is deprecated in OpenSSL 3.0. Signing with
external keys that are not exportable (tokens, stores, etc.)
requires a custom provider interface so that key operations
are done under its context.
A single provider is enough for handling all external keys
we support -- management-external-key, cryptoapicert(CNG) and
pkcs11-helper. The series of patches starting with this implements
such a provider.
This patch implements only the provider_init function so
that it can be loaded, but has no capabilities. The required
interfaces are added in following commits.
v2 changes:
- Require OpenSSL 3.0.1 or newer: 3.0.0 is "buggy" as it
does not preferentially fetch operations from the keymgmt
of the key. This causes either an unsuccessful attempt at
exporting unexportable keys or an onerous requirement that
the external key's KEYMGMT should support a whole lot
of unrelated functionalities including key generation and
key exchange.
Fixed by PR #16725 in OpenSSL.
- Use a child libctx for internal use in the provider
v3 changes:
- Move OpenSSL version check for 3.0.1+ from configure to
xkey_common.h
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20211214165928.30676-2-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23446.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
There are 2 occurrences where the order 'inline static' is used when
defining a function, while the rest of the code uses the definitely
more common form 'static inline'.
Convert those 2 occurrences to the common format.
Reported-by: Lev Stipakov <lev@openvpn.net> Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20220117093508.17681-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23554.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
GitHub Actions: ensure Ubuntu builds are made with the chosen SSL library
The configure parameter was appended to the stage name but not to the
actual command. Fix this.
Cc: Arne Schwabe <arne@rfc2549.org> Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220114122538.24662-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23539.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
PF (Packet Filter) has been dropped from the OpenVPN code base; however,
some bits and pieces are left in the documentation.
Erase them all.
Reported-by: Arne Schwabe <arne@rfc2549.org> Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220113200030.18656-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23531.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Fri, 7 Jan 2022 12:35:50 +0000 (14:35 +0200)]
auth_token.c: add NULL initialization
This fixes
error C4703: potentially uninitialized local pointer variable
'b64output' used
found by arm64 msvc compiler with SDL enabled.
Not sure why this is not triggered on x86/x64.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220107123550.188-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23511.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 14 Dec 2021 15:09:01 +0000 (16:09 +0100)]
Decouple MSS fix calculation from frame calculation
This consolidates the MSS fix calculation into a single function
instead of having it distributed all over the code. It also calculates
the real wire overhead without extra sizes for buffers etc.
Patch v2: improve comment
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20211214150901.4118886-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23423.html Signed-off-by: Gert Doering <gert@greenie.muc.de>