This is the actual return value of send/sendto/sendmsg.
We will leave it to the single caller of link_socket_write()
to decide how to map that to the int buffer world. For now
just cast it explicitly.
Change-Id: I7852c06d331326c1dbab7b642254c0c00d4cebb8
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240918204844.2820-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29323.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Increase required version to 2.60 since that is documented
minimum version for AC_USE_SYSTEM_EXTENSIONS
- Remove obsolete macros AC_C_CONST and AC_C_VOLATILE. They
are noops on every compiler we support.
- Add explicit call to AC_PROG_CC. We get this implictly as
dependency of other macros, but it is nicer to have it
explicitely as well.
- A few typo and whitespace fixes.
Change-Id: I7927a572611b7c1dc0b522fd6cdf05fd222a852d
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240918204551.2530-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29321.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Do not communicate any of the flags via the global
CFLAGS and LIBS, so that users are not confused when
overriding them on the command line.
Github: closesOpenVPN/openvpn#586
Change-Id: I39a6f58b11b922f5dbd3e55a5bc8574eda8a83fe
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240917133253.19616-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29282.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
If the configuration is read from stdin, we cannot reread the configuration
as stdin provides the configuration only once. So whenever we hit the
"close_context usr1 to hup" logic, the OpenVPN process will fail as tries
to restart with an empty configuration.
While OpenVPN tries to block USR1 from normal unix signal, I have observed
cases in my app which sends USR1 from management interface where the
CC_HARD_USR1_TO_HUP logic is trigger and breaking the OpenVPN process.
Change-Id: Icfc179490d6821e22d14817941fb0bad667c713f
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240719131016.75042-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28941.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Implemented a safeguard to verify the returned value
from add_route3() when the default gateway is not a local
remote host.
Prior to this implementation, RT_DID_LOCAL flag was
erroneously set even in case of add_route3() failure.
This problem typically occurs when there's no default
route and the --redirect-gateway def1 option is specified,
and in case of reconnection makes it impossible for the client
to reobtain the route to the server.
This fix ensures OpenVPN accurately deletes the appropriate
route on exit by properly handling add_route3() return value.
Trac: #1457
Change-Id: I8a67b82eb4afdc8d82c5a879c18457b41e77cbe7
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240221111814.942965-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28290.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
In init_tun() make sure to pass the --local and --remote addresses in
the host order so that they can be compared to the --ifconfig addresses.
Change-Id: I5adbe0a79f078221c4bb5f3d39391a81b4d8adce
Signed-off-by: Ralf Lici <ralf@mandelbit.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240917091433.24092-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29261.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
These functions are not used outside tun.c
Change-Id: I028634dba74a273c725b0beb16b674897b3c23fa
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240916133436.29943-1-gert@greenie.muc.de>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29249.html
some extra DCO calls may be made after receiving the DEL_PEER
notification (i.e. due to timeout), but this will result in
an error message due to the peer having disappeared already.
An extra call might be, for example, an explicit DEL_PEER
in the attempt of cleaning the peer state.
For this reason, inform userspace that there is no peer in
kernel anymore and prevent errors which may result confusing.
Change-Id: Ife50e37cd49d55ec81a70319a524ffeaf0625a56
Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240912165339.21058-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29226.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Anonymous unions/structs are technically a custom GNU C99 feature but
was already widely supported by other compilers. With C11 this feature
has become a standard feature so all compilers nowadays support it.
Change-Id: I1ef5f6f21f0135a628a63553c39515fa4549ce87
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240710160238.190189-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28914.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Removed superfluous calls to 'add_route_ipv6' for adding ipv6 routes after tun opening in OpenBSD, NetBSD and Darwin.
Change-Id: I235891212b15277349810913c9c1763da5c48587
Signed-off-by: Marco Baffo <marco@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240912142421.703-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29217.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
OPENSSL_STORE_load() can error and return NULL even when the file or URI
still has readable objects left.
Fix by iterating until OPENSSL_STORE_eof(). Also clear such errors to avoid
misleading messages printed at the end by crypto_print_openssl_errors().
Change-Id: I2bfa9ffbd17d0599014d38b2a2fd319766cdb1e3
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240911104941.19429-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29187.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The previous code went through some hoops
to avoid compiler warnings. But there is
a much easier way by just telling it
exactly what you want to do.
Also fix typo in variable name while I'm
here.
Change-Id: Icc86334b26ba1fcc20f4cd03644018d1d16796e3
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240910170005.5586-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29178.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
These are all fixes I considered "safe". They either
- Have sufficient checks/shifts for a cast to be safe
- Fix the type of a variable without requiring code changes
- Are in non-critical unittest code
v2:
- add min_size instead of abusing min_int
v6:
- remove change of return value of link_socket_write.
Move to separate patch.
Change-Id: I6818b153bdeb1eed65870af99b0531e95807fe0f
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20240910122008.23507-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29172.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Not all of these touch uninitialzed members of the struct, but that
could change in future.
Change-Id: I71bc847b48da54b70f60ccd7c4521ec699daf9cb
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240909204829.10379-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29152.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
In UDP case, on a p2mp server, dco_set_peer() is currently called
at the wrong time since the mssfix param is calculated later on in
tls_session_update_crypto_params_do_work().
Move the dco_set_peer() inside tls_session_update_crypto_params_do_work(),
and remove p2p_set_dco_keepalive() to avoid calling dco_set_peer()
twice on the client side.
This way, we'll ensure that all crypto and frame params are properly
initialized and if an update occurs DCO will be notified.
Change-Id: Ic8538e734dba53cd43fead3961e4401c8037e079
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20240906145745.67596-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29086.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Using "tun" as the variable name for the return of
is_tun_p2p is probably a historical accident. But
it has actual consequences in that the other code
often seems to assume that it does less checks
than it actually does.
Use "tun_p2p" as the variable name and remove checks
that are not required. Also use is_tun_p2p in more
places.
Change-Id: Ice8b95f953c3f7e71657a78ea12b02a08c60aa67
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240906162514.78671-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29091.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Ilia Shipitsin <chipitsine@gmail.com>
Acked-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240708210912.566-2-chipitsine@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28884.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Extend "--static-challenge" option to take a third
argument (= scrv1 or concat) to specify that the password and
response should be concatenated instead of using the
SCRV1 protocol. If unspecified, it defaults to "scrv1"
meaning that the SCRV1 protocol should be used.
v2: use scrv1|concat instead of 0|1 as option argument
fix typos
v3: improve and correct documentation in management-notes.txt
Change-Id: I59a90446bfe73d8856516025a58a6f62cc98ab0d
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240719131407.75746-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28943.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This was missed in commit 3512e8d3ad
Also add a comment to clarify how pem_password_callback is accessed
in ui_reader().
Change-Id: I82835ff8e1e31e067efd81bfb6e8cd19ee004d9c
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240908224220.478684-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29114.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
We do not load any providers, so only file: URI internally supported by
OpenSSL 3+ is tested. On non-OpenSSL 3 builds the test prints "SKIPPED".
v2: avoid dead code; rebase to current master
Change-Id: I7615116b5251319aa1f13d671bab7013f3a043ea
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240906103900.37037-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29076.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The test certificate used in test_ssl.c is updated to use 2048 bit
RSA and the matching key is added.
Tests include loading certificate and key as inlined pem as well as
from files. Note that loading the key also checks that it matches
the certificate, providing an indirect test that the latter was loaded
correctly.
Change-Id: Ic6f089896191145f68ce9a11023587d05dcec4d8
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240906103814.36839-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29074.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
OpenSSL 3 has providers which can load keys and certificates
from various key stores and HSMs using a provider-specific URI.
While certificates are generally exportable, and some providers
support a PEM file that acts as a proxy for non-exportable private
keys, not all providers are expected to do so. A generic capability
to read keys and certificates from URIs appears useful.
This patch does this by extending the scope of the argument for
"--key" and "--cert" options to include URIs. Many of OpenSSL 3
utilities also work the same way: e.g., the "-in" option for
"openssl pkey" or "openssl x509" could be a filename or URI.
Other applications have started emulating this behaviour:
e.g., pkcs11: URI works as an alternative to a file name for
certificates and keys in apache. Even for files, this has a nice
side effect that non-PEM files get transparently parsed. E.g., a
pkcs12 file could be used in place of a PEM file without needing
any extra options.
This is backward compatible as OpenSSL falls back to treating URIs
with no scheme or unrecognized scheme as file names.
Parsing of inlined keys and certificates is unchanged (those
should be in PEM format).
Specification of URIs that OpenSSL accepts depends on the
providers that support them. Some are standard URIs such as
"file:/path", but providers may support non-standard URIs
with arbitrary scheme names. OpenSSL by itself recognizes
only file URI. However, the implementation is agnostic to the
URI specification as parsing is done by the provider that supports
the URI. A new URI gets automatically recognized when the provider
that supports it is loaded.
Below are some usage examples:
Relative or absolute path to a file or as a URI "file:/absolute/path":
--key mykey.pem (same as what is currently supported)
--key file:/path/to/mykey.pem
--cert file:/path/to/mycert.pem
Other file types supported by OpenSSL would also work:
--key client.p12
--cert client.p12
pkcs11-provider supports "pkcs11:" URI (RFC 7512):
--key pkcs11:token=Foo;id=%01
--cert pkcs11:token=Foo;id=%01
tpm2-provider recognizes a custom URI "handle:<hex>":
--key handle:0x81000000
These examples assume that required providers, if any, are loaded
and configured.
v2: same as PR 591 but with the fixup commit that addresses review comments is squashed.
Change-Id: I82b32d5ab472926e7889a5f4a90caba14231879a
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240906103734.36633-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29075.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Keep the memory segment containing username and password in
"struct user_pass" encrypted. Works only on Windows.
Username and auth-token cached by the server are not covered
here.
v2: Encrypt username and password separately as it looks more
robust. We continue to depend on the username and password buffer
sizes to be a multiple of CRYPTPROTECTMEMORY_BLOCK_SIZE = 16,
which is the case now. An error is logged if this is not the case.
v3: move up ASSERT in auth_token.c
Change-Id: I42e17e09a02f01aedadc2b03f9527967f6e1e8ff
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240906112908.1009-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29079.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Usage of credentials is a bit odd in this file.
Actually the copy of "struct user_pass" kept in p->up is not
required at all. It just defeats the purpose of auth-nocahe
as it never gets cleared.
Removing it is beyond the scope of this patch -- we just ensure
it's purged after use.
Change-Id: Ic6d63a319d272a56ac0e278f1356bc5241b56a34
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240905100724.4105-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29061.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
mbedTLS does not seem to have pkg-config support on e.g.
Debian/Ubuntu, so we definitely need to keep the
fallback check as well.
Change-Id: I5d0da76018e874cda5dbab9202a2b817ad5e4692
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Yuriy Darnobyt <yura.uddr@gmail.com>
Message-Id: <20240906160510.76387-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29090.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Maintain GitHub actions and other version references
in GHA.
Switch some GHA references from branch versions to
tag version so the pinning works correctly.
Change-Id: I06253be7ed783e3bf30e7df1d6da8ca888016711
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Yuriy Darnobyt <yura.uddr@gmail.com>
Message-Id: <20240906151243.69549-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29087.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
E.g. if you use openvpn as a git submodule, it can be a
file that points to the parent's git directory.
The changes to Makefile.am are not strictly required, they
still work with that case, but I wanted to keep the usage
consistent.
Change-Id: I9b7a3df012e7606ddb04a944e3fa33247180e8dd
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Acked-by: Yuriy Darnobyt <yura.uddr@gmail.com>
Message-Id: <20240906172112.87148-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29092.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Using the AEAD tag at the end is the standard way of doing AEAD. Several
APIs even only support the tag at the end (e.g. mbed TLS). Having the tag at
the front or end makes no difference for security but allows streaming HW
implementations like NICs to be much more efficient as they do not need to
buffer a whole packet content and encrypt it to finally write the tag but
instead just add the calculated tag at the end of processing.
Change-Id: I00821d75342daf3f813b829812d648fe298bea81
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240214132719.3031492-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28239.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The current way doesn't work if the device is already in use.
Starting from 1.3.0, dco-win creates a non-exclusive
control device \\.\ovpn-dco-ver which can be opened by
multiple apps and supports a single IOCTL to get
a version number.
https://github.com/OpenVPN/ovpn-dco-win/pull/76
This will be expecially handy later when checking which
features driver supports.
Change-Id: Ieb6f3a9d14d76000c1caf8ee1e959c6d0de832bf
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240809192257.24208-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29009.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Currently key and cert file fd's are reused after ftruncate()
without setting the offset to zero. This causes subsequent
data to be written at some finite offset with the hole in
the file automatically filled by zeros. Fix it by calling
lseek() to set the offset to zero.
The test works nevertheless because p11tool seem to generously
ignore any junk before the "BEGIN" marker.
Change-Id: Ib0fe15a4ba18d89216b0288e6cd6be66ed377bd4
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240812232158.3776869-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29010.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This allows us to override query_user_exec for unit
tests more consistently without having to jump through
weird hoops.
Fixes running test_pkcs11 with --enable-systemd.
While here also fix documentation comments for
query_user_exec*.
Change-Id: I379e1eb6dc57b9fe4bbdaefbd947a14326e7117a
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240726104032.2112-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28983.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Incompatible changes to the --dns server address and --dns server
exclude-domains options were introduced after the code for handling them
was released. Add and send a new IV_PROTO flag, so servers which act on
the flags set can differentiate between clients which have implemented
--dns and those which just support the new option. This enables them to
decide which variant of options to send to the client.
Change-Id: I975057c20c1457ef88111f8d142ca3fd2039d5ff
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240725112248.21075-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28970.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
These result from broken up literals where it
is easy to miss the missing space.
Change-Id: Ic27d84c74c1dd6ff7973ca6966d186f475c67e21
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240722121034.10816-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28950.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Mostly so we can use anonymous structs without jumping through
hoops or relying on unofficial support.
Change-Id: I72934e747d1ad68a7e3675afbeb1b63df7941186
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240710160306.190351-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28916.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Writing a reason from a script will easily end up adding extra \r\n characters
at the end of the reason. Our current code pushes this to the peer. So be more
liberal in accepting these message.
Github: closesOpenVPN/openvpn#568
Change-Id: I47c992b6b73b1475cbff8a28f720cf50dc1fbe3e
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240710140623.172829-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28910.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- exit after a timeout if unable to kill servers
- use sudo or equivalent only for server stop/start
- use /bin/sh directly instead of through /usr/bin/env
- simplify sudo call in the sample rc file
- remove misleading and outdated documentation
- make it work on OpenBSD 7.5
- make it work on NetBSD 10.0
- make server logs readable by normal users
Change-Id: I2cce8ad4e0d262e1404ab1eb6ff673d8590b6b3a
Signed-off-by: Samuli Seppänen <samuli.seppanen@gmail.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240704133337.26595-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28871.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Recent versions of mbedtls only support TLS 1.2. When the minimum
version is set to TLS 1.0 or 1.1, log a warning and use 1.2 as the
actual minimum version.
Change-Id: Ibc641388d8016533c94dfef3618376f6dfa91f4e
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240703174158.7137-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28865.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
On most systems this should work just fine.
v2:
- simplify code by removing -llzo special handling
v3:
- reintroduce support for autodetection without pkg-config,
no need to break backwards compatibility right now
v7:
- Handle case correctly where lzo/lzo1x.h can not be included
at all. On most distros this works even though the .pc
file suggests to use it without. We had some partly
solution for that but it wasn't really working.
v8:
- Handle systems that do not implicitly include limits.h
in configure test builds.
lzodefs.h usually relies on lzoconf.h to include it.
Change-Id: I1c038dc4ec80d3499582d81eee61fee74f26e693
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240626161921.179301-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28848.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Caching proxy credentials was not working due to the
lack of handling already defined creds in get_user_pass(),
which prevented the caching from working properly.
Fix this issue by getting the value of c->first_time,
that indicates if we're at the first iteration
of the main loop and use it as second argument of the
get_user_pass_http(). Otherwise, on SIGUSR1 or SIGHUP
upon instance context restart credentials would be erased
every time.
The nocache member has been added to the struct
http_proxy_options and also a getter method to retrieve
that option from ssl has been added, by doing this
we're able to erase previous queried user credentials
to ensure correct operation.
Fixes: Trac #1187
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Change-Id: Ia3e06c0832c4ca0ab868c845279fb71c01a1a78a
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240623200551.20092-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28835.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
These are not covered by -Wall (nor -Wextra) but we want
to enforce them.
Change-Id: I6e08920e4cf4762b9f14a7461a29fa77df15255c
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240620144230.19586-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28823.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The changes for POSIX shell compatibility and parallel
make compatibility broke actually failing the test
when a subtest fails.
Change-Id: I35f7cf84e035bc793d6f0f59e46edf1a2efe0391
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Samuli Seppänen <samuli@openvpn.net>
Message-Id: <20240620103749.7923-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28815.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
At the moment everyone but anonymous are permitted
to create a pipe with the same name as interactive service creates,
which makes it possible for malicious process with SeImpersonatePrivilege
impersonate as local user.
This hardens the security of the pipe, making it possible only for
processes running as SYSTEM (such as interactive service) create the
pipe with the same name.
While on it, replace EXPLICIT_ACCESS structures with SDDL string.
CVE: 2024-4877
Change-Id: I35e783b79a332d247606e05a39e41b4d35d39b5d
Reported by: Zeze with TeamT5 <zeze7w@gmail.com>
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20240619144629.1718-2-lev@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28808.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This makes OpenVPN more picky in accepting control message in two aspects:
- Characters are checked in the whole buffer and not until the first
NUL byte
- if the message contains invalid characters, we no longer continue
evaluating a fixed up version of the message but rather stop
processing it completely.
Previously it was possible to get invalid characters to end up in log
files or on a terminal.
This also prepares the logic a bit in the direction of having a proper
framing of control messages separated by null bytes instead of relying
on the TLS framing for that. All OpenVPN implementations write the 0
bytes between control commands.
This patch also include several improvement suggestion from Reynir
(thanks!).
CVE: 2024-5594
Reported-By: Reynir Björnsson <reynir@reynir.dk>
Change-Id: I0d926f910637dabc89bf5fa919dc6beef1eb46d9
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20240619103004.56460-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28791.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
So far --server-poll-timeout was only applied
for HTTP proxies, apply it also to SOCKS proxies.
This removes the default 5 second socks connect timeout
which can be too small depending on network setup and
replaces it with the configurable overall connect timeout
(default 120 seconds).
Trac: #328
Github: fixesOpenVPN/openvpn#267
Change-Id: I2b109f8c551c23045a1be355778b08f0fd4d309f
Signed-off-by: 5andr0 <sandro.trianni@gmail.com>
Tested-By: ValdikSS <valdikss@gmail.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240315162011.1661139-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28408.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
