Arne Schwabe [Tue, 29 Nov 2022 11:30:31 +0000 (12:30 +0100)]
Add section about common error with OpenVPN 2.6 and OpenSSL 3.0
We expect a number of configurations to no longer work with OpenVPN
2.6 and OpenSSL 3.0. This section tries to explain the most common
errors that will come up and how to work around them.
Patch V2: several mistakes highlighed and suggestions made by Frank
included.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20221129113031.3735598-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25571.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Wed, 30 Nov 2022 10:55:02 +0000 (05:55 -0500)]
pull-filter: ignore leading "spaces" in option names
It seems sometimes comma-separated pulled options have
an offending leading space. Not sure whether that is an error,
but the change here matches the behaviour of option parsing.
v2: fix typo in commit message
v3: space() --> isspace()
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221130105502.662374-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25582.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Mon, 28 Nov 2022 11:16:42 +0000 (12:16 +0100)]
Update PORTS
Instead of fully removing PORTS, keep "this is what you want to do for
porting OpenVPN to a new platform" section, and update the PLATFORMS
part to better reflect current status.
v2:
drop "2.2+" from Linux, and name the fruitish thing "macOS"
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20221128111642.3483-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25558.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sun, 27 Nov 2022 09:07:42 +0000 (10:07 +0100)]
Use dedicated multi->dco_peer_id for DCO instead of multi->peer_id
The lifetime and state machine of multi->peer_id does not exactly the
lifetime/state of DCO. This is especially for p2p NCP where a reconnection
can change the peer id. Also use this new field with value -1 to mean
not installed, replacing the dco_peer_added field.
Also ensure that we have a failure adding a new peer, we don't try to
set options for that peer or generating keys for it.
Patch v2: fix one comparison checking for 0 instead of -1
Patch v3: make recovery after failing dco_add_peer more robust
and the comparison that lead to not deleting a peer.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221127090742.3487997-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20221127090742.3487997-1-arne@rfc2549.org Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 24 Nov 2022 16:26:42 +0000 (17:26 +0100)]
Move dco_installed from sock->info to sock->info.lsa.actual
For tcp this makes no difference as the remote address of the
socket never changes. For udp this allows OpenVPN to differentiate
if a reconnecting client is using the same address as before or
from a different one. This allow sending via the normal userspace
socket in that case.
Patch v2: fix windows code path
Patch v3: fix mtcp server code path
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20221124162642.3173118-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20221124162642.3173118-1-arne@rfc2549.org Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 15 Nov 2022 12:29:40 +0000 (13:29 +0100)]
Fix logic error in checking early negotiation support check
We want to check if EARLY_NEG_START is set and reserve the other bits
for future expansions. Right now we also check if all reserved bits are
zero. oops.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221115122940.1947284-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25519.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 9 Nov 2022 15:48:09 +0000 (16:48 +0100)]
Allow tun-mtu to be pushed
This allows tun-mtu to pushed but only up to the size of the preallocated
buffers. This is not a perfect solution but should allow most of the use
cases where the mtu is close enough to 1500 (or smaller).
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Patch v4: rebase for check_session_cipher name change
Patch v5: remove mention of change of default mtu, remove leftover code
from an earlier approach.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221109154810.1268403-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25498.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
There is no way to detect whether this information
is outdated in nmake itself. So leave it up to the
Python script to decide.
While here, change some leading whitespace to tabs as
expected in Makefile.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20221111121212.25167-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25508.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Tue, 8 Nov 2022 13:45:23 +0000 (14:45 +0100)]
Improve documentation for --dev and --dev-node.
During the research for commit a5cf4cfb77f745 it turned out that
OpenVPN's behaviour regarding "--dev arbitrary-name" is very
platform-specific and not very well documented.
The referenced commit fixed DCO behaviour to be in line with non-DCO
linux behaviour, this commit catches up on the documentation.
v2: disambiguate Linux ("all drivers") and FreeBSD ("only DCO"), add
comment about --dev-type being necessary for devices not starting with
tun* or tap*
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20221108134523.2325-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25488.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 9 Nov 2022 11:52:08 +0000 (12:52 +0100)]
Fix md_kt_size in mbed TLS when queried for size of "none"
Previously this would error out with a M_FATAL message about cipher
not known. Align the mbed TLS version to OpenSSL version and also remove
unreachable code. This manifested in key_print2() running into this
M_FATAL message when used with an AEAD cipher and verb 7.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221109115208.1248948-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25494.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 14 Sep 2022 17:25:27 +0000 (19:25 +0200)]
Improve data key id not found error message
With delayed data key generation now with deferred auth, NCP and similar
mechanism the "TLS Error: local/remote TLS keys are out of sync" is shown
much too frequent and confuses a lot of people.
This also removes the dead code of printing multi not ready keys and
replace it with an assert.
Factor out printing of error messages into an extra function to make
the code easier to understand and also to only call into that function
in the case that a key is not found and avoid the overhead.
Patch v2: fix comparing key_id to state value, improve message
Patch v3: also take key_id into account
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220914172527.2661529-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25212.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 31 Aug 2022 13:41:40 +0000 (15:41 +0200)]
Add workaround for Softether server dropping P_ACK_V1 with >= 5 acks
Softether had the number of ACKs in ANY OpenVPN packet limited to 4 and
dropped packets with more than 4 ACKs. This leads to Softether dropping
P_ACK_V1 packets with more than 4 ACKs as invalid. As the recent change
of always acking as many packets as possible, this leads to Softether
server not being able to successfully establish a connection anymore as
it never registers the ACKs.
This behaviour has been fixed on the Softether side with commit 37aa1ba5
but in order to allow clients to connect to older Softether servers, this
commit implements a workaround for the case that the peer might be a
Softether server (no tls-auth/tls-crypt and no other advanced protocol
feature) and limits ACKs to 4 in this case.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220831134140.913337-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25142.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 31 Aug 2022 13:41:39 +0000 (15:41 +0200)]
Always include ACKs for the last seen control packets
This adds an MRU cache for the last seen packets from the peer to send acks
to all recently recently packets. This allows packets to be acknowledged
even if a single P_ACK_V1 gets lost, avoiding retransmissions. The downside
is that we add up to 28 byte to an P_ACK_V1 (7* packet_id) and up to 24
bytes to other control channel packets (4* packet_id + peer session id).
However these small increases in packet size are a small price to pay for
increased reliability.
Currently OpenVPN will only send the absolute minimum of ACK messages. A
single lost ACK message will trigger a resend from the peer and another
ACK message.
Patch v2: fix multiple typos/grammar. Change lru to mru (this is really an
MRU cache), add more unit test cases
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220831134140.913337-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25143.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 4 Nov 2022 12:56:55 +0000 (13:56 +0100)]
Allow setting control channel packet size with max-packet-size
Currently control packet size is controlled by tun-mtu in a very
non-obvious way since the control overhead is not taken into account
and control channel packet will end up with a different size than
data channel packet.
Instead we decouple this and introduce max-packet-size. Control packet size
defaults to 1250 if max-packet-size is not set.
Patch v2: rebase on latest patch set
Patch v3: Introduce TLS_CHANNEL_MTU_MIN define and give explaination
of its value.
Patch v4: introduce max-packet-size instead of tls-mtu
Patch v5: improve documentation
Patch v6: Rebase, lower lower limit, add warning message for
when wrapped tls-crypt-v2 keys will ignore max-packet-size
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20221104125655.656150-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25477.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 4 Nov 2022 12:56:54 +0000 (13:56 +0100)]
Refactor/optimise code sending TLS control channel messages
This commit originally tried to solve a problem that the SSL library
might split up a control frame into multiple TLS records when doing
multiple reads. However, this does not seem to be actually the case.
OpenVPN will consider a control message packet complete
when the TLS record is complete, we have to ensure that the SSL library
will still write one record, so the receiving side will only be able
to get/read the control message content when a TLS record is
complete.
To improve handling of large control channel messages, this
commit does:
- Split one read from TLS library into multiple control
channel packets, splitting one TLS record into multiple
control packets.
- increase allowed number of outstanding packets to 6 from 4 on the
sender side. This is still okay with older implementations as
receivers will have room for 8. This allows transmitting larger
control message more quickly.
- take the wrapped key length into account when sending packets
This is especially important for the tls-crypt-v2 P_CONTROL_WKC_V1
message
- calculate the overhead for control channel message to allow
staying below that threshold.
- remove maxlen from key_state_read_ciphertext and related functions.
We now always give the function a correctly sized buffer.
If we end up needing to send a packet larger than max-packet-size, we
warn about it but still do it as it might still work, while refusing to
send will never work.
Patch v2: avoid assertion about to large buffer by sticking to 1250 max
control size in this commit and leaving larger sizes for the
--max-packet-size commit. Also fix
various other small problems and grammar fixes.
Patch v3: grammar fixes
Patch v4: adjust tls-mtu to max-packet-size in message.
Patch v6: no longer make the assumption that multiple reads from the SSL
library split a control frame into multiple TLS records.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221104125655.656150-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25478.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Thu, 27 Oct 2022 16:06:19 +0000 (12:06 -0400)]
Do not copy auth_token username to itself
- Fixes a potential mis-behaviour (strncpy with
dest == src) introduced by commits ecad4839c (2.6)
and 3d792ae955 (2.5).
Reported by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221027160619.11894-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/search?l=mid&q=20221027160619.11894-1-selva.nair@gmail.com Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Wed, 26 Oct 2022 18:55:43 +0000 (14:55 -0400)]
Purge auth-token as well while purging passwords
Starting from commit e61b401a auth-token is saved in a separate struct
from auth-user-pass and is not cleared when ssl_purge_auth() is called.
This makes "forget-passwords" sent to the management
interface or "--management-forget-disconnect" option not to work
as expected.
Purging caused by --auth-nocache is not affected
(auth-token is retained in that case as it should be).
Use case:
For Pre-Logon access and persistent connections on Windows, use of
"forget-passwords" before disconnect is probably the only way to
ensure that no credentials are left behind. Note that openvpn.exe
continues to run after disconnect in these cases.
Also, the original intent of "forget-passwords" appears to be to
clear all "passwords" that can be used to reconnect.
v2:
- call ssl_clean_auth_token() directly from manage.c instead
of amending ssl_purge_auth()
- Add a comment that ssl_purge_auth() does not clear auth-token
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221026185543.5378-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25460.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Sun, 23 Oct 2022 19:51:05 +0000 (15:51 -0400)]
Ensure --auth-nocache is handled during renegotiation
Currently, clearing auth_user_pass struct is delayed until
push-reply processing to support auth-token. This results in
username/password not purged after renegotiations that may
not accompany any pushed tokens -- say, when auth-token is not
in use.
Fix by always clearing auth_user_pass soon after it is used,
instead of delaying the purge as in pre-token days. But, when
"pull" is true, retain the username in auth_token in anticipation
of a token that may or may not arrive later.
Remove ssl_clean_user_pass() as there is no delayed purge any
longer -- auth-nocache handling is now done immediately after
writing username/password to the send-buffer.
Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20221023195105.31714-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25452.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
close_tun: print interface type consistently in message
When closing the tunnel interface we know if we were using DCO or not.
for this reason we can customize the closing message and make it
consistent with the opening one.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221022205521.29406-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25449.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 19 Oct 2022 13:36:27 +0000 (15:36 +0200)]
Fix regression of ignoring --user
Commit facb6fffb changed a call in the style of if(a() | b())
to if(a() || b()). While this looks identical, it is not. The first
statement always executes b() while the second only executes b() if
a() returns false. This lead to to the platform_state_user never to
set as side effect and thus --user being ignored. Rewrite the code
to make this more explicit.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221019133627.2918110-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25430.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Wed, 12 Oct 2022 14:59:15 +0000 (16:59 +0200)]
FreeBSD DCO: introduce real subnet mode
To be able to configure a FreeBSD interface to "subnet" mode
(as opposed to point-to-point mode), it needs to have its
if_iflags set to IFF_BROADCAST. For tun(4) interface this is
done with the TUNSIFMODE ioctl(), but this does not work for
more modern interfaces like ovpn(4) which communicate over
a common SIOCSDRVSPEC ioctl() that contains a "cmd" and a
"parameter list".
Introduce OVPN_SET_IFMODE cmd, add dco_set_ifmode() function
to put kernel interface into IFF_BROADCAST or IFF_POINTOPOINT
as needed.
NOTE: this needs a FreeBSD kernel that includes commit 2e797555f701c38d9d
to add the OVPN_SET_IFMODE on the kernel side - with an older kernel,
OpenVPN + ovpn(4) will log an error, and "topology subnet" setups
will not work.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Kristof Provost <kprovost@netgate.com>
Message-Id: <20221012145915.25810-2-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25395.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Wed, 12 Oct 2022 14:59:14 +0000 (16:59 +0200)]
FreeBSD: for topology subnet, put tun interface into IFF_BROADCAST mode
For reasons unknown, OpenVPN has always put FreeBSD tun(4) interfaces
into point-to-point mode (IFF_POINTOPOINT), which means "local and
remote address, no on-link subnet".
"--topology subnet" was emulated by adding a subnet-route to the "remote"
(which was just picking a free address from the subnet).
This works well enough for classic tun(4) interfaces that have no
next-hop resolution, and routes pointing to "that fake remote" only
(because all routing is done inside OpenVPN and it does not matter how
packets get there) - but for ovpn(4) interfaces, it breaks iroute setup,
where the route next-hop must be an on-link address.
Thus, change interface to IFF_BROADCAST mode, and get rid of all the
special code needed to "fake" subnet mode.
Tested with tun(4) and ovpn(4) on FreeBSD 14, client and server, and
with tun(4) on FreeBSD 12 and 7.4
To actually work with ovpn(4) / FreeBSD DCO, a followup patch for
kernel ovpn(4) and OpenVPN dco_freebsd.c is needed.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Kristof Provost <kprovost@netgate.com>
Message-Id: <20221012145915.25810-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25396.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 18 Oct 2022 14:37:04 +0000 (16:37 +0200)]
Fix renewal spelling and actually allow external-auth with renewal time
The previous commit 9a516170 forgot to change to allow more than 2
parameters to auth-gen-token, so you could either have renewal time
or external-auth but not both. Also fix two instances of misspelled
"renewal".
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221018143704.2759522-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25418.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 9 Sep 2022 19:59:00 +0000 (21:59 +0200)]
Allows renegotiation only to start if session is fully established
This change makes the state machine more strict in terms of transaction
that are allowed. The benefit of this change are twofold:
- only allow renegotiations after pushed option handling is done,
to ensure that pushed options which might affect renegotiation
have been processed on both sides
This is a prerequisite for the upcoming secure renegotiation patch set
- avoids corner cases of a peer (or an attacker) trying to renegotiate the
session while the original session is not fully setup. Currently there
there are no problems known with this but it is better to avoid the
corner case in the first time.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20220909195902.2011798-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25162.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 17 Oct 2022 09:51:45 +0000 (11:51 +0200)]
Allow Authtoken lifetime to be short than renegotiation time
Currently the life time of the auth-token is tied to the renegotiation
time. While this is fine for many setups, some setups prefer a user
to be no longer authenticated when the user disconnects from the VPN
for a certain amount of time.
This commit allows to shorten the renewal time of the auth-token and
ensures that the server resends the auth-token often enough over the
existing control channel. This way of updating the auth token is a lot
more lightweight than the alternative (frequent renegotiations).
Patch v2: fix grammar mistakes (thanks Gert), fix unit tests
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221017095145.2580186-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25407.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sun, 16 Oct 2022 15:49:53 +0000 (17:49 +0200)]
Change exit signal in P2P to be a SIGUSR1 and delayed CC exit in P2MP
From the implemention of explicit-notify and the fact that it is a an
OCC message (basically the rudimentary predecessor to control channel),
this message is very old.
I think in the past this feature fit nicely to the weird inetd + openvpn
mode that seems to have far to many hacks still left in our code. With
inetd, it made sense that the server instance quits if you press C-c
on the client.
In our current state where inetd is no longer supported, this behaviour
to exit makes little sense and this patch changes the behaviour to SIGUSR1.
Testing this lead to a confused v2 of the patch and also finally the
insight that if a CC channel exit is triggered too early the remaining
control channel packets coming in after that can trigger the HMAC code
to open a sessions again if the whole session lasted less than two
minutes (with default settings).
Patch v2: use different signals for p2mp and p2p
Patch v3: use delayed exit for P2MP/CC exit and USR1 for everything else
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221016154953.2483509-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25403.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 10 Oct 2022 15:55:15 +0000 (17:55 +0200)]
Ensure only CBC, CFB, OFB and AEAD ciphers are considered valid data ciphers
Make sure cipher_valid only considers these four operations as valid.
This fixes that something like --data-ciphers AES-256-GCM:AES-128-CCM
will start but later fail when trying to use the CCM cipher.
We say "a supported AEAD" mode in our error since CCM is also an AEAD mode
but one we don't support, unlike GCM.
Patch v2: add the indication if the cipher was optional into the message
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20221010155515.1687151-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25379.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Paolo Cerrito [Mon, 10 Oct 2022 12:27:46 +0000 (14:27 +0200)]
Insert client connection data into PAM environment
OpenVPN provides the IPv4/IPv6 address of incoming client connections
to the plugin-api by means of two environment variables, $untrusted_ip
and $untrusted_ip6. This patch adds support to plugin-auth-pam to pass
this information to the PAM stack as pam_set_item(PAM_RHOST).
v3:
- styled code as openvpn
- added check for remote, if NULL after all get_env, put to point
to empy string
Signed-off-by: Paolo Cerrito <wardragon78@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221010122745.19809-1-wardragon78@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25375.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sun, 9 Oct 2022 13:08:05 +0000 (15:08 +0200)]
Fix OpenVPN querying user/password if auth-token with user expires
The problematic behaviour happens when starting a profile without
auth-user-pass and then connecting to a server that pushes auth-token.
When the auth token expires OpenVPN asks for auth User and password
again (but it shouldn't).
The problem is that the auth_user_pass_setup sets
auth_user_pass_enabled = true; This function is called from two places.
In ssl.c it is only called with an auth-token present or that
variable already set. The other one is init_query_passwords.
Move setting auth_user_pass_enabled to the second place to ensure it is
only set if we really want passwords.
Patch v2: Remove unrelated code change
Patch v3: Rebase to master
Patch v4: Rebase to master
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: David Sommerseth <davids@openvpn.net> Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20221009130805.1556517-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25367.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
get_user_pass_cr: get password from stdin if missing inline
Until now, when HTTP proxy user and password were specified inline,
it was assumed that both creds were specified. A missing password would
result in an empty password being stored.
This behaviour is not ideal, as we want to allow the user to store the
username, but let the password be entered via stdin.
This affects both http proxy and authentication inline'd creds.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220914185937.31423-2-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25215.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
auth-user-pass: add support for inline credentials
--auth-user-pass is probably the only option expecting a filename as
argument that cannot be inline'd as of today.
This patch allows specifying username and password inline in the config
file within the <auth-user-pass></auth-user-pass> tag.
This logic was already implemented for --http-proxy-user-pass, therefore
it was just about applying it to this specific option as well.
Note that the current logic expects username and password to always be
specified when inline. Therefore omitting the password will result in
storing an empty password.
A later patch will change this behaviour to make it consistent with the
classic case (username writte in file), where the password is requested
via stdin when missing.
While a it, add an empty line between prototypes in init.c to make
uncrustify happy.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220917134832.16359-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25236.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 6 Oct 2022 12:29:40 +0000 (14:29 +0200)]
Document/cleanup event_timeout functions
Remove function event_timeout_clear_ret as it is unused.
Cleanup event_timeout_trigger a bit. Do an instant return false if the
timeout is not defined and inline local_now and use
event_timeout_remaining instead of local duplicated code.
Add doxygen comments for all timeout function, especially for the
event_timeout_trigger function that is hard to understand otherwise.
Patch v2: add many fixes/correction suggested by Frank
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20221006122940.1202712-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25348.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Tue, 4 Oct 2022 14:51:42 +0000 (16:51 +0200)]
use boolean '||' to join two bools, not bitwise '|'
FreeBSD 14 clang complains about this:
init.c:3530:13: warning: use of bitwise '|' with boolean operands
[-Wbitwise-instead-of-logical]
platform_group_get(c->options.groupname,
&c0->platform_state_group)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
init.c:3530:13: note: cast one or both operands to int to silence this
warning
1 warning generated.
.. so do what it wants us to do.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20221004145142.19091-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25333.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Tue, 4 Oct 2022 15:31:27 +0000 (17:31 +0200)]
un-break undo_ifconfig_ipv4()/_ipv6() on all non-linux/non-win32 platforms
This commit needs a somewhat longer background story to explain the
problem...
undo_ifconfig_ipv4()/_ipv6() started their life as part of the
TARGET_LINUX (only) close_tun() function.
In commit 611fcbc48, these functions were created, to decouple IPv4/IPv6
dependency, still TARGET_LINUX only, with an #ifdef ENABLE_IPROUTE
inside, to differenciate iproute2 vs. old-style ifconfig.
Commit dc7fcd714 changed this to "the new linux API" (sitnl), calling
net_addr_ptp_v4_del() etc. - in the first branch of the #ifdef,
changing from ENABLE_IPROUTE to TARGET_LINUX, inside a TARGET_LINUX,
so the #else branch was never looked at for any platform. The code
in that #else branch was still "the old linux ifconfig" style to
undo IPv4/IPv6 address config on the tun interface.
Now, commit 0c4d40cb8 comes along and makes undo_ifconfig_ipvX() a
global function, during the bugfix to "don't undo ifconfig if
--ifconfig-noexec is in effect". Due to "it makes the code a lot
cleaner" undo_ifconfig*() is now called from do_close_tun_simple()
and no longer from (Linux-) close_tun().
*This* now enables the old "linux ifconfig" code to be run on
"all non-windows platforms" - running commands like
ifconfig tun0 0.0.0.0
to remove the IPv4 address - which plain doesn't work on the BSDs
(and has not been tested anywhere else).
This all said, it's debatable whether any platforms actually NEED
this - all unixoid platforms remove IPv4/IPv6 addresses on interface
destroy time, so for non-persistant tun/tap interfaces, there is no
hard requirement to remove IP addresses on program exit. For
persistent tun/tap (pre-create with "ifconfig tun7 create") this is
indeed useful to restore the pre-openvpn state by removing anything
OpenVPN configured.
OpenVPN up to 2.5 did not do this IP address removal on any non-Linux
platform, which is better than exec'ing an ifconfig command that does
nothing but print an error message (very annoying in t_client.sh V=1 runs).
This all said: this patch brings an implementation of undo_ifconfig_*()
for TARGET_FREEBSD ("ifconfig tunX $ip -alias"), and brings back the
old "do nothing" behaviour for all other unixoid platforms. Tested
on FreeBSD 7.4, 12.3, 14.0.
v2: use #elif defined(TARGET_FREEBSD), otherwise it breaks other platforms
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20221004153127.527-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25337.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Tue, 20 Sep 2022 13:23:51 +0000 (15:23 +0200)]
introduce V= level to manage t_client.sh output verbosity
If t_client.sh is run interactively, more verbose output is useful
to quickly see what it is doing. If run from a CI environment, going
through lots of output for successful tests just to find the one that
failed is non-useful.
Introduce V=<n> environment variable to control output verbosity
V=0 - do not print any per-test output at all, just overall summary
V=1 - print single header line for each successful test
print full output for failing tests
V=99 - print full output, always, as before
default is V=1 now
Signed-off-by: Gert Doering <gert@greenie.muc.de>
v2:
fix erroneous test on "-n"
do not accumulate extra "\n" in outbuf (V=1)
fix missing "-e" at "test failures. FAIL." message
fix missing "\n" when including "diff" output
fix missing "-n" when printing outbuf (= extra newline)
(and more newlines being shuffled around)
v3:
fix quoting on inclusion of "ifconfig/route diff", with newlines...
Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20220920132351.27718-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25285.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
solaris/open_tun: prevent crash when dev is empty string
This was originally reported on GH, but never dealt with.
Make sure 'ptr' is always initialized to prevent derefence of null
pointer in case of empty dev string.
While at it, change the if condition to use ptr instead of dev, since
dev is not used anymore in the logic.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220917125811.13549-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25235.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Tue, 30 Aug 2022 10:49:58 +0000 (13:49 +0300)]
dco-win: support for --persist-tun
Since version 0.8.0, dco-win driver added support for
DEL_PEER command, which enabled --persist-tun
implementation on client side.
Add real implementation for dco_del_peer on Windows,
which calls DEL_PEER, which clears peer state
on the driver without tearing tunnel down.
When pulled options are changed on restart,
we need to close and reopen tun device. This
is not yes supported for dco-win, so we close
tun and trigger reconnect.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220830104958.91-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25136.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 14 Sep 2022 17:01:34 +0000 (19:01 +0200)]
Implement AUTH_FAIL, TEMP message support
This allows a server to indicate a temporary problem on the server and
allows the server to indicate how to proceed (i.e. move to the next server,
retry the same server, wait a certain time,...)
This adds options_utils.c/h to be able to unit test the new function.
Patch v2: Improve documentation, format man page better, comment that
protocol-flags is not a user usable option.
Patch v3: cleanup parse_auth_failed_temp to use a simple const string
instead of a buffer
Patch v4: move message + strlen(TEMP) to caller
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20220914170134.2659433-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25210.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 14 Sep 2022 16:50:41 +0000 (18:50 +0200)]
Implement exit notification via control channel
Current exit notification relies on data channel messages with specific
prefix. Adding these to new data channel modules (DCO) adds unncessary
complexity for the data for messages that from their idea belong to the
control channel anyway.
This patch adds announcing support for control channel and sending/receving
it. We use the simple EXIT message for this.
Patch v2: add comment about protocol-flags to be not a user visible option,
fix various grammar mistakes, remove unused argument to
receive_exit_message
Patch v3: rename data_channel_crypto_flags to imported_protocol_flags
add tls-ekm to protocol-flags.
Patch v4: rebase, use a buffer for the code that prepares the push reply
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220914165041.2658423-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25209.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Thu, 15 Sep 2022 10:40:28 +0000 (13:40 +0300)]
Use DCO on Windows by default
On startup, check following conditions:
- ovpn-dco-win driver is installed. Perform this check
by trying to open adapter by symbolic name.
- options are compatible with dco. Same checks as on
Linux and FreeBSD. In addition, check that --mode server
is not used and --windows-driver is not set to tap-windows6/wintun.
If both checks are passed, use DCO.
Move options_postprocess_mutate_invariant() call
below since it depends on selected windows driver.
dco_check_option() has side effect on Windows -
if dco is not used, it might complain "cipher chachapoly
not supported by dco, disabling dco" if chachapoly
support is missing system-wide. To not to see this,
check dco options only if dco is enabled. This means
moving dco_enabled() from dco_check_startup_option()
to one level above. We do similar thing in
multi_connection_established() before checking ccd options.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220915104028.188-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25221.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Fix various formatting inconsistencies
- Remove outdated (as of 2.6) information from
--data-ciphers and instead add a link to
cipher negotiation chapter.
- Some drive-by fixes in related code comments
and log messages as I was reading them.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220628080814.745-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24575.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Mon, 8 Aug 2022 15:23:44 +0000 (17:23 +0200)]
cleanup open_tun() for TARGET_NETBSD
- NetBSD "dynamic tap" (--dev tap -> tap<number>) handling had special
#ifdef'ed code inside open_tun_generic() - pull out, move to NetBSD
open_tun(). Roughly the same amount of code, less #ifdef, code flow
is more clear.
- fix one spurious warning about "remote" not being initialized
- adjust NetBSD do_open() comments to actual code - the "pre NetBSD 4.0"
code has long be removed, but the comment was still there.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20220808152344.17539-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24849.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Kristof Provost [Mon, 22 Aug 2022 09:28:34 +0000 (11:28 +0200)]
FreeBSD networking cleanup
Address a few minor code review remarks:
- use constants for the inet_ntop() buffers
- replace argv_printf() + argv_printf_cat() with a single argv_printf()
- net_route_v4/6 both add and remove, so adjust the error message to
reflect that.
Signed-off-by: Kristof Provost <kprovost@netgate.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220822092834.14231-2-kprovost@netgate.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25054.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Fri, 9 Sep 2022 12:18:41 +0000 (15:18 +0300)]
dco.c: check certain options only on startup
Following options are set on startup and cannot be changed later:
- dev
- dev-type
- connections list
- mode
- topology
Same for system-wide availability of dco.
dco_check_option_conflict(), where those options
were checked, is also called in server mode when
client is connected. Move those checks to
dco_check_startup_option_conflict() which is only
called at startup.
Since we moved dco_enabled() check to startup,
dco_check_option_conflict() might now trigger exit
on Windows if system lacks chachapoly support.
Since dco checks only need to be performed for
dco, wrap those into "if (dco_enabled) {}".
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20220909121841.646-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25158.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
dco: trigger ping timeout event only if the peer expired
DEL_PEER events can be sent by ovpn-dco to userspace for various reasons.
We should trigger the ping timeout reaction only if the reason was
"peer has expired".
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220818144431.208337-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25000.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 24 Aug 2022 11:09:30 +0000 (13:09 +0200)]
Implement --client-crresponse script options and plugin interface
This allows scripts and plugins to parse/react to a CR_RESPONSE message
Patch V2: doc fixes, do not put script under ENABLE_PLUGIN
Patch V3: rebase
Patch V4: fix else branch of the verify_crresponse_script function
Patch V5: unify message when unable to create/write crresponse file
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20220824110930.73009-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25089.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 8 Sep 2022 16:14:35 +0000 (18:14 +0200)]
Change command help to match man page and implementation
Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220908161435.327109-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25151.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Mon, 29 Aug 2022 19:01:24 +0000 (21:01 +0200)]
Adjust Linux+FreeBSD DCO device name handling to 'non DCO linux style'
On Linux, tun devices are created according to the following algorithm
--dev tun -> try tun0, tun1, ... tun255, use first free
--dev anything -> create a TUN device named "anything"
(as long as "anything" is not "null" or "tap[N]")
DCO was following the "other platform convention", where everything
not having a digit was iterated ("--dev tun-home" -> "tun-home0") -
which does not work for classic tun/tap devices on the BSDs anyway,
so is not the best model.
Adjust open_tun_dco_generic() to document expected behaviour and
do the thing.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Kristof Provost <kprovost@netgate.com> Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20220829190124.2636045-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25134.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
In order to build OpenVPN with DCO support on Windows there is no need
to pull the full ovpn-dco-win source code, because we now ship the
UAPI header within OpenVPN directly. This also eliminates the need
to specify the DCO_SOURCEDIR var.
At the same time, DCO is always enabled therefore passing --enable-dco
at configure time is not needed anymore.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220826084111.239523-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25120.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Sat, 20 Aug 2022 14:01:24 +0000 (16:01 +0200)]
DCO: require valid netbits setting for non-primary iroutes.
The existing DCO code had extra logic for "if this is not
MR_WITH_NETBITS, set 32/128 as address length", but only for
iroute addition. For iroute deletion, this was missing, and
subsequently iroute deletion for IPv4 host routes failed on
FreeBSD DCO (commit 3433577a99).
Iroute handling differenciates between "primary" iroutes (coming
from anm IP pool or ccd/ifconfig-push), and "non-primary" iroutes,
coming from --iroute and --iroute-ipv6 statements in per-client config.
"Primary" iroutes always use "-1" for their netbits, but since these
are not installed via DCO, this is of no concern here. Whether these
can and should be changed needs further study on internal route
learning and cleanup.
Refactor options.c and multi.c to ensure that netbits is always set
for non-primary iroutes - and ASSERT() on this in the DCO path, so we can
find out if there might be other code violating this.
Change options.c::option_iroute() to always set netbits=32 for IPv4
host routes (options_iroute_ipv6() never differenciated). Since
netmask_to_netbits() also insists on "-1" for host routes, change
to netmask_to_netbits2().
Remove all the extra MR_WITH_NETBITS logic from dco.c, where it should
have never appeared.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Kristof Provost <kprovost@netgate.com> Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20220820140124.11325-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25044.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 24 Aug 2022 16:57:18 +0000 (18:57 +0200)]
Fix declaration of pubkeys in test_provider.c in MSVC builds
Error: test_provider.c(74): error C2099: initializer is not a constant
Fix this issue by making the const char* to const char[]. This is probably
of one the weird array decay corner cases
I could not find another/better way around this issue.
This error only occurs when building unit tests with windows which our
normal build system does not do but my out of tree cmake build script
tries and fails.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220824165718.102002-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25102.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Signed-off-by: Lev Stipakov <lev@openvpn.net> Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220813204224.22576-4-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24921.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
dco-win: implement ovpn-dco support in P2P Windows code path
With this change it is possible to use ovpn-dco-win when running OpenVPN
in client or P2P mode.
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Signed-off-by: Lev Stipakov <lev@openvpn.net> Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220825131449.260-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25108.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Max Fillinger [Thu, 11 Aug 2022 12:07:22 +0000 (14:07 +0200)]
Handle EVP_MD_CTX as an opaque struct
Building OpenVPN on the latest OpenBSD snapshot failed because EVP_MD_CTX
is an opaque struct in LibreSSL now. Therefore, call md_ctx_new() instead
of declaring them on the stack. When they're not on the stack anymore, we
don't have to call EVP_MD_CTX_init() anymore, but we need to call
EVP_MD_CTX_free() instead of cleanup.
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220811120722.29168-2-maximilian.fillinger@foxcrypto.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24873.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Sat, 20 Aug 2022 08:47:19 +0000 (11:47 +0300)]
dco-win: use run-time dynamic linking for GetOverlappedResultEx
This function is available starting from Windows 8. Calling it
"as is" causes startup error on Windows 7.
dco-win driver available on Windows 10 20H1 and newer. On older
systems installer will not show nor install the driver and dco-win code
won't be reached. It is safe to load GetOverlappedResultEx in runtime
and exit in case of error.
Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220820084719.243-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25038.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Fri, 19 Aug 2022 18:24:39 +0000 (20:24 +0200)]
FreeBSD-DCO: repair device iteration to find first free interface.
During review/update phase, FreeBSD/DCO's ability to find the first
free tun interface on "--dev tun" got broken, due to two issues:
- create_interface() called msg(M_ERR|...), which is a fatal error
and aborts OpenVPN, so "no retry with 'tun1' after 'tun0' failed"
Change to M_WARN|M_ERRNO (= warning level, add strerror(errno), return).
- open_tun_dco_generic() expects "-errno" as return value of
open_tun_dco(), and breaks the loop on -EPERM. create_interface()
was returning "-1" instead (ioctl() error signalling), which happens
to be "-EPERM" on FreeBSD.
Change create_interface() to return -errno.
While at it, remove logging of errors from dco_freebsd.c::open_tun_dco()
(because all errors from create_interface() would be already logged there),
reducing open_tun_dco() to just a wrapper around create_interface().
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Kristof Provost <kprovost@netgate.com>
Message-Id: <20220819182439.71531-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25034.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Max Fillinger [Wed, 10 Aug 2022 15:30:06 +0000 (17:30 +0200)]
Don't "undo" ifconfig on exit if it wasn't done
When running with --ifconfig-noexec, OpenVPN does not execute ifconfig,
but on exit, it still tries to "undo" the configuration it would have
done. This patch fixes it by extracting an undo_ifconfig() function from
close_tun(). The undo function is called before close_tun(), but only if
--ifconfig-noexec isn't set. This is symmetric to how open_tun() and
do_ifconfig() are used.
v2: Fix tabs-vs-spaces.
v3: Fix another style mistake.
v4: Move undo_ifconfig{4,6}() out of #ifdef TARGET_LINUX.
v5: Keep ctx argument in close_tun().
v6: Fix bug in non-Linux non-Windows version of undo_ifconfig_ipv6
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220810153006.18860-1-maximilian.fillinger@foxcrypto.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24860.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
When auth-token verify succeeds during a reauth, other auth
methods (plugin, script, management) are skipped unless
external-auth is in effect (skip_auth gets set to true).
However, in this case, the status of management-def-auth
(ks->mda_status) stays at its default value of ACF_PENDING
and will never change. This causes TLS keys to go out of sync
and an eventual client disconnect.
Further, a message saying username/password authentication is
"deferred" gets logged which is misleading.
For example:
test/127.0.0.1:35874 TLS: Username/auth-token authentication
succeeded for username 'test'
followed by
test/127.0.0.1:35874 TLS: Username/Password authentication
deferred for username 'test' [CN SET]
Fix by setting ks->mda_status to ACF_DISABLED, and do not
set ks->authenticated = KS_AUTH_DEFERRED when skip_auth is true.
Also log a warning message when token is marked as expired on
missing the reneg window.
At the moment dco-win doesn't support --persist-tun and --server,
so check for these options at startup time.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220819065250.222590-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25014.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
dco-win: introduce low-level code for handling ovpn-dco-win in Windows
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Signed-off-by: Lev Stipakov <lev@openvpn.net> Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20220813204224.22576-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24919.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
dco: move availability check to the end of check_option_conflict() function
To better arrange the order DCO option conflict messages are printed, we
decided to first perform all needed checks on provided options and, only
at the end, if no conflict was detected, to check if DCO is really
available on the system.
This way a user gets prompted with all warnings about their
configuration first and, when everything is fixed, they will see if DCO
is available or not.
While at it, compress the first check in just one if to make the code
simpler.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220802130312.18871-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24783.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
dco-win: ensure the DCO API is not used when running on Windows
On Windows the high level API should still use the link_socket object to
read and write packets. For this reason, even if dco_installed is true,
we still need to rely on the classic link_socket object.
Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20220814085117.7128-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24929.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
dco: turn platform config checks into separate function
All the checks in there are only relevant during startup, and
specifically the capability check might cause issues when checking a CCD
config later at runtime.
So move them to their own function and call it only during startup. Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20220817210857.1558-1-timo@rothenpieler.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24969.html
projects / thirdparty / openvpn.git / log
