Arne Schwabe [Wed, 10 Oct 2018 14:30:51 +0000 (16:30 +0200)]
Fallback to password authentication when auth-token fails
Under some circumstances, the auth-token stored by a client may not
be valid anymore.
For example, if the server is restarted, the client will try to
reconnect and resend the old token during authentication. Unfortunately
this attempt will fail, because the server does not keep track of tokens
used during previous runs.
With the current behaviour, depending on how auth-retry was configured,
the client will either just quit, prompt the user for username and password
as the original values are overwritten by the token, or endelessly fail
authentication by sending the old token over and over.
This patch changes the behaviour of the client so that, upon failed
authentication using a token, it will drop the token, perform a soft
restart (USR1) and attempt re-authenticating with the original password
provided by the user if auth-nocache was not specified.
Patch V3: remove all server changes, include only minimal non
intrusive client changes that only improve error recovery but don't
change overall behaviour.
Patch V4: forget add push.c to git index, now also included
Patch V5: is fixing overlong lines and one minor style problem.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20181010143051.27163-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17718.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 3 Dec 2018 16:48:18 +0000 (17:48 +0100)]
Implement block-ipv6
This can be used to redirect all IPv6 traffic to the tun interface,
effectively black holing the IPv6 traffic. Without ICMPv6 error
messages this will result in timeouts when the server does not send
error codes. block-ipv6 allows client side only blocking on all
platforms that OpenVPN supports IPv6. On Android it is only way to do
sensible IPv6 blocking on Android < 5.0 and broken devices (Samsung).
PATCH V6:
- Rebase on master and run uncrustify on the patch
PATCH V5:
- Fix even more style issues by Antonio
- Remove check for dev == tun as this also works for tap
PATCH V4:
- Fix more style issues reported by Antonio
- Clarify parts of the patch in comments and manpage
PATCH V3:
- Fix style iusses reported by Antonio and accidentily commited parts
- merge udp_checksum and ipv6_checkusm into common ip_checksum method
- Use fake ff80::7 address when no other address is configured.
- Make block-ipv6 also work for server by replying block-ipv6 to all
ipv6 traffic send to the server
Note for the server the process_ip happens before the ipv6 route
lookup so every ipv6 packet, regardless of its source address is
replyied to with a no route to host packet.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181203164818.15756-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17977.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Wed, 24 Oct 2018 10:12:05 +0000 (12:12 +0200)]
Remove deprecated --compat-x509-names and --no-name-remapping
As promised, remove these options for OpenVPN 2.5.
If a user still uses these, print an error that the user should update it's
configuration. Just printing a warning would cause much more confusing
errors, somewhere in middle of a failed connection attempt because the
(non-compat) names no longer match the expected names.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1540375925-6111-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17804.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Wed, 31 Oct 2018 13:07:16 +0000 (14:07 +0100)]
tls-crypt-v2: fix client reconnect bug
As reported by tincantech on the openvpn-devel IRC channel, a tls-crypt-v2
client could be caused to trigger an assert in tls_crypt_wrap() because the
client key might not be correctly initialized after a reconnect attempt.
This was caused by code that was written before the connection-block
tls-auth/tls-crypt logic was integrated (57d6f103), rebased on that change,
but not sufficiently changed to be compatible with the new logic.
This commit fixes that bug.
Note that I also moved the violating hunk of code to the same function
where the tls-auth and tls-crypt (v1) keys are initialized. Once moved
there, it is immediately clear that v2 didn't follow the same (new) logic.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Tested-by: Richard Bonhomme <tincanteksup@gmail.com> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <1540991236-4016-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17866.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Wed, 31 Oct 2018 10:22:57 +0000 (11:22 +0100)]
tls-crypt-v2: clarify --tls-crypt-v2-genkey man page section
As kitsune1 mentioned in IRC, this section should explain that
"--tls-crypt-v2-genkey client" requires the user to supply the server
key using "--tls-crypt-v2".
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <1540981377-22752-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17865.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
The exact type of time_t is platform dependent and therefore
can't be assumed to be uint64_t all the time.
For example, on 32bit platforms, where time_t is defined as long
(32bit), the compiler will generate the following warning, due
to the arithmetic used in the macro:
tls_crypt.c:745:29: warning: shift count >= width of type
[-Wshift-count-overflow]
Force time_t to be parsed as uint64_t.
Reported-by: Arne Schwabe <arne@rfc2549.org> Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20181031160124.26972-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17868.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Thu, 25 Oct 2018 03:05:16 +0000 (23:05 -0400)]
Declare Windows version of openvpn_execve() before use
commit bf97c00f7dba441b504881f38e40afcbb610a39f moved
the generic openvpn_execve() to run_command.c and made it static.
But the Windows version is still in win32.c and is called from
run_command.c
Fix by declaring the function in win32.h
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1540436716-5725-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17825.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Mon, 22 Oct 2018 11:45:15 +0000 (13:45 +0200)]
tls-crypt-v2: add script hook to verify metadata
To allow rejecting incoming connections very early in the handshake,
add a --tls-crypt-v2-verify option that allows administators to
run an external command to verify the metadata from the client key.
See doc/tls-crypt-v2.txt for more details.
Because of the extra dependencies, this requires adding a mock
parse_line() to the tls-crypt unit tests. Also, this turns tls_wrap_free
into a static inline function, so that we don't need to compile in ssl.c
(and all of it's dependencies) with the unit tests.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net> Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <1540208715-14044-6-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17789.html Signed-off-by: David Sommerseth <davids@openvpn.net>
Steffan Karger [Mon, 22 Oct 2018 11:45:10 +0000 (13:45 +0200)]
tls-crypt-v2: add specification to doc/
This is a preliminary description of tls-crypt-v2. It should give a good
impression about the reasoning and design behind tls-crypt-v2, but might
need some polishing and updating.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <1540208715-14044-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17788.html Signed-off-by: David Sommerseth <davids@openvpn.net>
Arne Schwabe [Wed, 26 Sep 2018 12:01:59 +0000 (14:01 +0200)]
Add message explaining early TLS client hello failure
In my tests an OpenSSL 1.1.1 server does not accept TLS 1.0 only clients
anymore. Unfortunately, Debian 8 still has OpenVPN 2.3.4, which is
TLS 1.0 only without setting tls-version-min.
We currently log only
OpenSSL: error:14209102:SSL
routines:tls_early_post_process_client_hello:unsupported protocol
which indicates the right technical error but is not very helpful to a
person without deep knowledge in SSL/TLS and OpenVPN's TLS version
history.
This commit adds a hopefully helpful message and also tells users how
to fix the old Debian 8 clients. The error message will be displayed on
the server side only.
Note that connecting with an OpenSSL 1.1.1 client to a TLS 1.0 only
server works fine.
This behaviour is also not specific to OpenVPN. Using an openssl s_client
with the -tls1 option against an openssl s_server exhibits the same
behaviour.
Patch V2: fixed message grammar, use tls-version-min 1.0 and clarify
2.3.6 and older to be actually between 2.3.2 and 2.3.6
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20180926120159.19874-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17491.html Signed-off-by: David Sommerseth <davids@openvpn.net>
Lev Stipakov [Mon, 22 Oct 2018 10:19:31 +0000 (13:19 +0300)]
Introduce openvpn_swprintf() with nul termination guarantee
Every call to swprintf is followed by line which adds nul terminator. This
patch
introduces openvpn_swprintf() which guarantees nul termination for size >
0.
Same approach as for snprintf / openvpn_snprintf.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <1540203571-17646-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17786.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 8 Oct 2018 21:41:23 +0000 (23:41 +0200)]
Refuse mbed TLS external key with non RSA certificates
The current API that we use (mbedtls_pk_setup_rsa_alt) only allows
using RSA keys with the external API. Using an EC, mbed TLS and external
key in OpenVPN will fail very late with a rather obscure error message.
Instead fail early and provide a clear message that only RSA keys are
supported.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20181008214123.10819-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17671.html Signed-off-by: David Sommerseth <davids@openvpn.net>
bufferlist_* functions have no documentation whatsoever and the name is
not always enough to fully understand what the function is doing.
For this reason and for the sake of having better documented code, add
function doc in buffer.h.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20181010083731.31132-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17701.html Signed-off-by: David Sommerseth <davids@openvpn.net>
Arne Schwabe [Thu, 11 Oct 2018 22:06:39 +0000 (00:06 +0200)]
Use right function to set TLS1.3 restrictions in show-tls
The last version of the patch used the TLS1.2 version
tls_ctx_restrict_ciphers to set the restrictions for both
TLS 1.3 and TLS1.2 instead of using tls_ctx_restrict_ciphers_tls13
for TLS1.3.
Also fix minor style problem while I am touching the function Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181011220639.7316-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17755.html
Arne Schwabe [Wed, 10 Oct 2018 15:36:24 +0000 (17:36 +0200)]
Add better support for showing TLS 1.3 ciphersuites in --show-tls
--show-tls shows mixed TLS 1.3 and TLS 1.2 ciphers. The listed ciphers
are only valid in either --tls-cipher or --tls-ciphersuites, but it's
not clear which is which. This is confusing and not really helpful.
This patch modifies show-tls to show separate lists for TLS 1.2 and
TLS 1.3.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20181010153624.27957-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17723.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Thu, 11 Oct 2018 11:51:42 +0000 (14:51 +0300)]
options.c: fix broken unary minus usage
In Visual Studio when unary minus is applied to unsigned,
result is still unsigned. This means that when we use result
as function formal parameter, we pass incorrect value.
Fix by introducing frame_remove_from_extra_frame(),
which makes code semantically more clear and eliminates
the need in negative value and cast.
Since GCC didn't complain (and users too :), it probably performed
cast to signed automatically.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1539258702-15427-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17739.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Wed, 10 Oct 2018 06:44:43 +0000 (08:44 +0200)]
Fix mbedtls unit tests
Commit 674b166 ("Fix build warnings related to get_random()") broke the
unit tests for mbedtls, because <mbedtls/cipher.h> was now included via
platform.c -> crypto.h -> crypto_backend.h, but the crypto cflags were
not included for that unit tests.
Since we got rid of --disable-crypto, we can now fix this by simply always
including the CRYPTO_CFLAGS in the TEST_CFLAGS (and the CRYPTO_LIBS in the
TEST_LDFLAGS). This should not only fix this occurrence, but also prevent
similar problems in the future.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1539153883-15789-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17687.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Thu, 11 Oct 2018 07:20:00 +0000 (09:20 +0200)]
mbedtls: don't print unsupported ciphers in insecure cipher list
Commit 447997dd refactored the --show-ciphers code, but introduced a bug
in mbedtls builds where non-AEAD/CBC cipher were printed too. Those are
however unsupported (as openvpn will tell you when you try to use them).
This fixes that bug.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1539242400-27614-1-git-send-email-steffan.karger@fox-it.com>
URL: https://sourceforge.net/p/openvpn/mailman/message/36438012/ Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Tue, 9 Oct 2018 20:43:15 +0000 (22:43 +0200)]
List ChaCha20-Poly1305 as stream cipher
As Antonio pointed out, "8-bit block cipher" is a bit funny. So teach
print_cipher() to print such cipher as "stream cipher".
Because I didn't want to write the same code twice, I decided to merge the
two print_cipher() implementations into one shared function. That should
make it easier to keep both backends consistent.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20181009204315.8262-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17682.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sun, 7 Oct 2018 21:55:39 +0000 (23:55 +0200)]
Add support for tls-ciphersuites for TLS 1.3
OpenSSL 1.1.1 introduces a separate list for TLS 1.3 ciphers. As these
interfaces are meant to be user facing or not exposed at all and we
expose the tls-cipher interface, we should also expose tls-cipherlist.
Combining both settings into tls-cipher would add a lot of glue logic
that needs to be maintained and is error prone. On top of that, users
should not set either settings unless absolutely required.
OpenSSL's own s_client/s_server also expose both settings and I believe
most other software will too:
-cipher val Specify TLSv1.2 and below cipher list to be used
-ciphersuites val Specify TLSv1.3 ciphersuites to be used
For mbed TLS only the future can tell if we will see a combined or also
two separate lists. Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20181007215539.32761-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17626.html
Arne Schwabe [Mon, 8 Oct 2018 18:16:16 +0000 (20:16 +0200)]
Remove AUTO_USERID feature
There is no user facing way to enable this feature and way that feature
works (username build from MAC of primary net device) is questionable.
It also does not compile anymore. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181008181618.8976-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17664.html
build: Fix another compile warning in console_systemd.c
console_systemd.c: In function ?get_console_input_systemd?:
console_systemd.c:75:5: warning: implicit declaration of function
?openvpn_popen? [-Wimplicit-function-declaration]
if ((std_out = openvpn_popen(&argv, NULL)) < 0)
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181008180017.31413-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17660.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
platform.c: In function ?platform_create_temp_file?:
platform.c:355:31: warning: implicit declaration of function
?get_random? [-Wimplicit-function-declaration]
prefix, (unsigned long) get_random(),
Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181008165648.27504-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17652.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Samy Mahmoudi [Sun, 7 Oct 2018 22:35:47 +0000 (00:35 +0200)]
man: correct a --redirection-gateway option flag
Replace "servers" with "peers" in the description
of the --redirection-gateway option flag local. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181007223544.GA2246@t520.my.lan>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17630.html
Simon Rozman [Mon, 8 Oct 2018 09:45:59 +0000 (11:45 +0200)]
msvc: Unify Unicode/MultiByte string setting across all cfg|plat
The openvpnserv.vcxproj source code is Windows API Unicode compliant
with only Debug|x64 set to Unicode, while other cfg|plat pairs were set
to MultiByte. Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20181008094600.10164-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17633.html
Steffan Karger [Sun, 7 Oct 2018 22:30:34 +0000 (00:30 +0200)]
Add support for CHACHA20-POLY1305 in the data channel
We explicitly only supported GCM as a valid AEAD mode, change that to also
allow ChaCha20-Poly1305 as an AEAD cipher. That works nicely with our new
(GCM) data channel format, because is has the same 96-bit IV.
Note that we need some tricks to not treat the cipher as insecure, because
we used to only look at the block size of a cipher to determine if find a
cipher insecure. But ChaCha20-Poly1305 is a stream cipher, which
essentially
has a 'block size' of 1 byte and is reported as such. So, special-case
this
cipher to be in the list of secure ciphers.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20181007223035.21179-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17629.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Simon Rozman [Mon, 8 Oct 2018 09:46:00 +0000 (11:46 +0200)]
msvc: Move common project settings to reusable property sheets
The Visual Studio 2017 project files were refactored by migrating all
repeating common settings into three property sheets: Debug.props,
Release.props and the existing PropertySheet.props.
This simplifies configuration management while providing uniformity
across projects, configurations and platforms. Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20181008094600.10164-2-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17634.html
Simon Rozman [Mon, 8 Oct 2018 10:03:23 +0000 (12:03 +0200)]
Reference msvc-generate from compat to assure correct build order
Single-process builds start building compat project first and they fail,
since the referenced config-msvc-version.h is not available yet. Multi-
process rebuilds also tends to fail if the compat project is built
faster than msvc-generate is able to produce the required output files.
Adding a reference to msvc-generate project assures correct build order. Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20181008100323.11308-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17635.html
Steffan Karger [Sun, 7 Oct 2018 17:52:15 +0000 (19:52 +0200)]
Don't print OCC warnings about 'key-method', 'keydir' and 'tls-auth'
Like 'proto', a mismatch in key-method, keydir or tls-auth would fail
before we ever get to the point where we can print this warning.
This prepares for removing these from the occ string later on, but also
prepares for tls-crypt-v2, which allows a server to support tls-auth and
tls-crypt-v2 connections in parallel. Such a server will send 'keydir'
and 'tls-auth' in the occ string. This change removes the spurious
warnings about that in the client log.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181007175215.25009-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17618.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Fri, 5 Oct 2018 15:00:32 +0000 (17:00 +0200)]
Simplify --genkey option syntax
Instead of requiring users to do "--genkey --secret new.key", allow
them to just do "--genkey new.key". This has hit me often enough that I
decided to write a patch for it. Also, the upcoming tls-crypt-v2-genkey
uses a similar syntax and Antonio suggested we should make them consistent.
The documentation is updated to no longer mention the old syntax, but it is
still supported so people who are used to the old syntax can still use it.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20181005150032.16541-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17574.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Wed, 3 Oct 2018 17:21:21 +0000 (20:21 +0300)]
openvpnserv: clarify return values type
Functions openvpn_vsntprintf and openvpn_sntprintf return
values of type int, but in reality it is always 0 or 1 (and -1 for
snrptinf), which can be represented as boolean.
To make code clearer, change return type to BOOL. Also
use stdbool.h header instead of bool definition macros in automatic.c.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <1538587281-3209-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17532.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Sun, 7 Oct 2018 10:00:32 +0000 (12:00 +0200)]
Fix use-after-free in tls_ctx_use_management_external_key
Commit 98bfeeb4 changed our openssl backend implementation of
tls_ctx_use_management_external_key() to no longer use
tls_ctx_load_cert_file_and_copy(), but still free'd 'cert'. Which it no
longer should do. Credits go to Arne for spotting the issue (even though
it was missed during the review).
The offending commit is only recently applied to the master branch, so was
never part of a OpenVPN release. For that reason I did not do full impact
analysis.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20181007100032.17060-1-steffan@karger.me>
URL: https://www.mail-archive.com/search?l=mid&q=20181007100032.17060-1-steffan@karger.me Signed-off-by: Gert Doering <gert@greenie.muc.de>
Simon Rozman [Fri, 13 Apr 2018 12:47:56 +0000 (14:47 +0200)]
Signed/unsigned warnings of MSVC resolved
This patch fixes the signed/unsigned comparison warnings discovered when
compiling openvpnserv using MSVC.
Wherever possible, it changes iterator and/or size variables to a more
appropriate type, or uses type-casting when it is safe to do so. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20180413124756.5756-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16756.html
ensure function declarations are compiled with their definitions
Function prototypes should be included when compiling their
definitions so that it is clear to compilers and static
analyzers that they are not static.
This means that several declarations have to be moved to the
related header files which in turn have to be included by the
source files implementing them.
Generally speaking this also improves the coding style and
makes this code more consistent with the rest that already
follows this rule.
Cc: Steffan Karger <steffan@karger.me> Signed-off-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20171111161836.23356-3-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15820.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Tue, 2 Oct 2018 20:01:13 +0000 (16:01 -0400)]
Enable dhcp on tap adapter using interactive service
Currently, if dhcp on the TAP interface is disabled, OpenVPN
on Windows tries to enable it using netsh but that succeeds only when
run with admin privileges.
When interactive service is available, delegate this task to the
service.
Trac: #1111
Tested on Windows 7
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Lev Stipakov <lstipakov@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1538510474-27602-2-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17517.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 5 Oct 2018 12:23:30 +0000 (14:23 +0200)]
Add OpenSSL compat definition for RSA_meth_set_sign
Commit 6b495dc4c5cfc118091ddc9c19330b3c9e3e3dff introduced
RSA_meth_set_sign, which is OpenSSL 1.1.0 and newer. Add a compatibility
definition. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181005122330.31431-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20181005122330.31431-1-arne@rfc2549.org
Pass the hash without the DigestInfo header to NCryptSignHash()
In case of TLS 1.2 signatures, the callback rsa_priv_enc() gets
the hash with the DigestInfo prepended. Signing this using
NCryptSignHash() with hash algorithm id set to NULL works in most cases.
But when using some hardware tokens, the data gets interpreted as the pre
TLS 1.2 MD5+SHA1 hash and is silently truncated to 36 bytes.
Avoid this by passing the raw hash to NCryptSignHash() and let it
add the DigestInfo.
To get the raw hash we set the RSA_sign() method in the rsa_method
structure. This callback bypasses rsa_priv_enc() and gets called with
the hash type and the hash.
Lev Stipakov [Thu, 20 Sep 2018 13:12:34 +0000 (16:12 +0300)]
Refactor NCP-negotiable options handling
NCP negotiation can alter options. On reconnect
client sends possibly altered options while server
expects original values. This leads to warnings
in log and, if server uses --opt-verify, breaks
reconnect.
Fix by decouple setting/unsetting NCP options from
the state of TLS context. At startup (and once per sighup)
we load original values to c->c1, which persists over
sigusr1 (restart). When tearing tunnel down we restore
(possibly altered) options back to original values.
Trac: #1105
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1537449154-26879-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17477.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Fri, 28 Sep 2018 13:26:49 +0000 (16:26 +0300)]
win: support for Visual Studio 2017
This patch enables building openvpn with Visual Studio 2017.
It is advised to use openvpn-build/msvs/build.bat which
also downloads and build required dependencies.
Changes made:
- updated path to Visual Studio toolchain
- updated platform toolset
- added missing libraries
- added x64 configurations
- enabled AEAD ciphers to make NCP work
- enabled unicode support
- updated source files in project settings
- fix includes
- restored variable which was erroneously removed
- added properties file which sets required env variables
(required to build with IDE)
- etc
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Simon Rozman <simon@rozman.si>
Message-Id: <1538141209-32330-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17499.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commit 98bfeeb4 introduced a memory leak in SSL_CTX_use_certificate by
removing the "if(x509) { ... }" bit while not changing the
"else if(x) {}" right after to an "if(x) {}".
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20180926192706.29460-1-steffan@karger.me> Signed-off-by: Gert Doering <gert@greenie.muc.de>
mbedtls: remove dependency on mbedtls pkcs11 module
Instead of using mbedtls's pkcs11 module, reuse the code we already have
for management-external-key to also do pkcs11 signatures. As far as mbed
is concerned, we simply provide an external signature.
This has the following advantages:
* We no longer need mbed TLS to be compiled with the pkcs11 modules
enabled (which is not enabled by default). This makes it easier to use
a system/distribution-provided mbed shared library.
* We no longer have a dependency on pkcs11-helper through mbed TLS. So if
we want to migrate to some other pkcs11 lib (see e.g. trac #491, #538
and #549 for reason why), this will be easier.
While touching this code, switch from M_FATAL to M_WARN and proper error
handling. This improves the error reporting, and helps prevent potential
future DoS attacks if someone starts using these functions on peer input.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1536916459-25900-3-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17463.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Do not load certificate from tls_ctx_use_external_private_key()
The cert and key loading logic surrounding management-external-key and
management-external cert was somewhat intertwined. Untangle these to
prepare for making the external key code more reusable.
The best part is that this even reduces the number of lines of code.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1536916459-25900-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17464.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
systemd: extend CapabilityBoundingSet for auth_pam
Auth_pam will require audit writes or the connection will be rejected
as the plugin fails to initialize like:
openvpn[1111]: sudo: unable to send audit message
openvpn[1111]: sudo: pam_open_session: System error
openvpn[1111]: sudo: policy plugin failed session initialization
See links from https://community.openvpn.net/openvpn/ticket/918 for
more.
auth_pam is a common use case and capabilties for it should be allowed
by the .service file.
Fixes: #918 Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20180829142715.417-2-christian.ehrhardt@canonical.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17432.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Wed, 29 Aug 2018 13:49:43 +0000 (15:49 +0200)]
Fix memory leak after sighup
The c.es env_set is (re)allocated for each "sighup loop iteration", while
it was free'd only once at process shutdown. Move the env_set_destroy()
call to match the same level as the env_set_create() call to fix that.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1535550583-21825-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17429.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Wed, 29 Aug 2018 12:04:46 +0000 (14:04 +0200)]
mbedtls: print warning if random personalisation fails
... instead of when it doesn't fail. Looks like 'someone' mixed up the
mbedtls return style (0 means success) with the openvpn internal return
style (true means success).
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <1535544286-29638-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17428.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Mon, 6 Aug 2018 08:02:33 +0000 (10:02 +0200)]
Introduce buffer_write_file()
Rewrite buf_write_string_file to buffer_write_file, which is simpler to
use and can deal with not-null-terminated strings. Mostly implemented so
this can be easily reused for tls-crypt-v2 (client) key files.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Antonio Quartulli <antonio@openvpn.net> Tested-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <1533542553-7383-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17371.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Parse static challenge response in auth-pam plugin
If static challenge is in use, the password passed to the plugin by openvpn
is of the form "SCRV1:base64-pass:base64-response". Parse this string to
separate it into password and response and use them to respond to queries
in the pam conversation function.
On the plugin parameters line the substitution keyword for the static
challenge response is "OTP". For example, for pam config named "test" that
prompts for "user", "password" and "pin", use
plugin openvpn-auth-pam.so "test user USERNAME password PASSWORD pin OTP"
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1532486093-24793-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17307.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Tue, 21 Nov 2017 01:43:25 +0000 (20:43 -0500)]
Correct the declaration of handle in 'struct openvpn_plugin_args_open_return'
- This is an opaque pointer so the change should not affect
existing plugins. But it makes the code consistent and clears up
the documentation as the handle pointer is treated as of type
"openvpn_plugin_handle_t" in the rest of the code.
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <1511228605-23207-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15908.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
make tls-auth and tls-crypt per-connection-block options
Different VPN servers may use different tls-auth/crypt keys.
For this reason it is convenient to make tls-auth/crypt
per-connection-block options so that the user is allowed to
specify one key per remote.
If no tls-auth/crypt option is specified in a given connection
block, the global settings, if any, are used.
In preparation to having tls-auth/crypt keys per connection
block, it is important to ensure that such material is always
reloaded upon SIGUSR1, no matter if `persist-key` was specified
or not.
This is required because when moving from one remote to the
other the key may change and thus the key context needs to
be refreshed.
To ensure that the `persist-key` logic will still work
as expected, the tls-auth/crypt key is pre-loaded so that
the keyfile is not required at runtime.
Needed for tls-crypt-v2, but isolated enough to be reviewed as a separate
patch.
The encode API allocates memory, because it fits our typical gc-oriented
code pattern and the caller does not have to do multiple calls or
calculations to determine the required destination buffer size.
The decode API does not allocate memory, because the required destination
buffer is always smaller than the input buffer (so is easy to manage by
the caller) and does not force the caller to use the heap.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20180722100645.5813-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17284.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
stream_buf_init(), stream_buf_close() and stream_buf_added()
are only used within socket.c, therefore there is noneed to
have them declared in socket.h.
Make them static and remove useless declarations.
This change reuired adding function prototypes in socket.c to
avoid useless code re-ordering.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20180712012955.24050-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17246.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Move execve/run_script helper functions to run_command.c
To avoid having to include misc.c - which is a dependency mess - in the
tls-crypt unit tests, move the command execution helper functions to a new
run_command.c module.
While at it, abstract away the script_security global variable.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20180704175404.22371-2-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17212.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Move file-related functions from misc.c to platform.c
To avoid having to include misc.c - which is a dependency mess - in the
tls-crypt unit tests, move file-handing related functions to platform.c
(which is where other file-related functions already reside).
Note that platform_create_temp_file() needs random. To avoid including
misc.c in other tests that use platform.c, add a mock get_random().
(Almost every test includes platform.c, because buffer.c depends on it.
That smells like it needs cleanup too, but not in this patch set.)
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20180704175404.22371-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17208.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 3 Jul 2018 16:17:51 +0000 (18:17 +0200)]
Add MTU to Android IFCONFIG6 control command
Since OpenVPN nows supports IPv6 only connections, OpenVPN for Android
cannot longer rely on IFCONFIG to send the MTU. Add sending the MTU to
IFCONFIG6 too. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20180703161751.7680-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17186.html
Gert Doering [Sun, 1 Jul 2018 19:59:38 +0000 (21:59 +0200)]
Extend push-remove to also handle 'ifconfig'.
Push-remove (introduced in commit 970312f1850) did not handle "ifconfig"
yet, as both "ifconfig" and "ifconfig-ipv6" are handled differently from
all other pushed options. Since there was no valid use-case to not-push
"ifconfig" (no support on the client side for running IPv6-only) this
was not an issue so far - but with the recent commits to enable ipv6-only
operation it can be a desirable feature.
The implementation is similar to "push-remove ifconfig-ipv6" - namely,
flagging via a new context option (c->options.push_ifconfig_ipv4_blocked)
and then not creating the push statement in "send_push_reply()".
While not truly elegant, it's much less invasive than the alternatives
(storing the list of "push-remove" statements somewhere and then checking
in push_option_ex())
Trac: #1072
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20180701195938.2541-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17169.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Sun, 26 Nov 2017 15:49:12 +0000 (16:49 +0100)]
openssl: add missing #include statements
Compiling our current master against OpenSSL 1.1 with
-DOPENSSL_API_COMPAT=0x10100000L screams bloody murder. This patch fixes
the errors caused by missing includes. Previous openssl versions would
usually include 'the rest of the world', but they're fixing that. So we
should no longer rely on it.
(And sneaking in alphabetic ordering of the includes while touching them.)
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20171126154912.13283-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15936.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Sun, 26 Nov 2017 15:04:00 +0000 (16:04 +0100)]
openssl: don't use deprecated SSLEAY/SSLeay symbols
Compiling our current master against OpenSSL 1.1 with
-DOPENSSL_API_COMPAT=0x10100000L screams bloody murder. This patch fixes
the errors about the deprecated SSLEAY/SSLeay symbols and defines.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20171126150401.28565-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15934.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
windows: properly configure TAP driver when no IPv4 is configured
This patch ensures that the TAP driver on a windows host is still
configured, even though no IPv4 has been provided.
In this case the TAP driver ioctl will be invoked with a fake
0.0.0.0/0.0.0.0 IPv4 which will simply start the interface and
get it to a working state.
Trac: #208 Signed-off-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20180623183108.18684-1-a@unstable.cc>
URL: https://www.mail-archive.com/search?l=mid&q=20180623183108.18684-1-a@unstable.cc Signed-off-by: Gert Doering <gert@greenie.muc.de>
Both "compiler" and "exclude" are redundant, so remove them.
Add openssl-1.0.1u to build matrix. Enable explicit apt update
(it was disabled by default in travis-ci).
Signed-off-by: Ilya Shipitsin <chipitsine@gmail.com>
--
v2: Add openssl-1.0.1u to build matrix (thanks to Steffan Karger),
Add explicit apt-get update (it was disabled by default in travis-ci) Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20180527190057.3488-1-chipitsine@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16898.html
tun: ensure interface can be configured with IPv6 only
This change ensures that an interface is properly brought
up and down even when only IPv6 settings are configured/pushed.
At the same time, some code restyling took place to ensure the new
generic logic is easier to read. Both do_ifconfig() and close_tun()
(Linux only) functions have been rearranged by splitting the logic
into a v4 and a v6 specific part. Each part has then been moved
into an idependent helper that can be invoked as
needed.
This makes the code easier to read and more "symmetric" with
respect to the two address families.
Trac: #208 Signed-off-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20180618074733.19773-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17064.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
This patch is a small "logic restyle" which basically moves the
check for "tt != NULL" outside of the various close_tun()
implementations and replaces it with an ASSERT.
This way the check is done only once and the function can rely
on the assumption that "tt" is always valid.
This change is mainly to improve the code style inside close_tun()
implementations by removing one level of indentation.
No functional change is present.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20180613122824.4207-3-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17045.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
projects / thirdparty / openvpn.git / log
