The "route add" code always used "metric 0" on OpenSolaris, because
(on tun interfaces) it was required to make the route work on
"non-ethernet" interfaces (connected, no NDP).
This breaks routes via tap interfaces on recent Solaris versions
(tested on OpenIndiana 2019) - there, routes only work if metric
is != 0 (or just not set). Otherwise it tries to map the gateway
address to a local address and fails.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20191009095200.9337-2-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18906.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
commit 611fcbc48 joined the two distinct calls for "add ipv6 address
to tap interface" and "set MTU" for Solaris - but due to peculiarities
on how this platform handles IPv6 addresses ("ifconfig addif" creates
a new "tap0:1" subinterface with the new address - which does not have
a distinct MTU) this does not work.
un-join calls again.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20191009095200.9337-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18905.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Visual Studio doesn't support empty designated initializers
for C code, so use { 0 }. Also replace existing CLEAR() call with
the new initializers.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1570539154-31784-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18904.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commit 1b9a88a has added new C source/header files which
have to be added to VS project file.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1570539154-31784-2-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18903.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The unit test is breaking the 80 char limit in some places
but the remaining lines it breaks the limit I feel
forcing the 80 char limit will impair readibility
Patch V2: adapt unit tests to other V2 patches
Patch V4: Resolve rebase conflicts
Patch V5: Add \ lost in rebase that broke compilation
Patch V7: Fix unit test failure, try to stay below 80
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20190917123321.15993-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18821.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
A couple of places the documentation was not clear enough or not even
correct. Just improve this to avoid confusion later on.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190927224536.27480-4-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18874.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When building with --disable-management, the compiler complains with
implicit declaration of function ‘ssl_clean_auth_token’. This is due to
the ssl_clean_auth_token() function being declared inside an #ifdef
ENABLE_MANAGEMENT fence where it should not be.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190927224536.27480-3-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18873.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The final patches of the auth-token hmac support patches had a typo in
the P2MP_SERVER fencing breaking --disable-server builds. It used #if
instead of #ifdef.
While at it, also fix another missing P2MP_SERVER fencing causing the
compiler to complain about an unused variable in push.c
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190927224536.27480-2-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18875.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This allows OpenVPN 3 core to fall back to the original authentication
method.
This commit changes man_def_auth_set_client_reason to
auth_set_client_reason since it now used in more contexts.
Also remove a FIXME about client_reason not being freed, as it is freed
in tls_multi_free with auth_set_client_reason(multi, NULL);
Patch V4: Rebase on master
Patch V7: Rebase on master
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20190917121115.13966-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18820.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This allows an external authentication method
(e.g. management interface) to track the connection and distinguish a
reconnection from multiple connections.
Addtionally this now also checks to workaround a problem with
OpenVPN 3 core that sometimes uses a username hint from the config
instead of using an empty username if the token would be valid
with an empty username. Accepting such token can be only done
explicitly when the external-auth keyword to auth-gen-token is present.
Patch V2: Add Empty variants to work around behaviour in openvpn 3
Patch V3: document the behaviour of external-auth better in the man page,
rename 'auth' parameter to 'external-auth'
Patch V4: Rebase on current master
Patch V6: Fix tls_lock_username rejecting clients with empty username
when explicitly accepting them with external-auth
Patch V7: Fix compiling with disable-server
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20190917121039.13791-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18819.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The previous auth-token implementation had a serious problem, especially
when paired with an unpatched OpenVPN client that keeps trying the
auth-token (commit e61b401a).
The auth-token-gen implementation forgot the auth-token on reconnect, this
lead to reconnect with auth-token never working.
This new implementation implements the auth-token in a stateles variant. By
using HMAC to sign the auth-token the server can verify if a token has been
authenticated and by checking the embedded timestamp in the token it can
also verify that the auth-token is still valid.
Using the new config directive auth-gen-token-secret instead of
extending auth-gen-token (--auth-gen-token [lifetime] [secret-key]) was
chosen to allow inlining the secret key.
Patch V2: cleaned up code, use refactored read_pem_key_file function
Patch V3: clarify some design decision in the commit message
Patch V4: Use ephermal_generate_key
Patch V5: Use C99 PRIu64 instead of %lld int printf like statement,
fix strict aliasing
Patch V6: Rebase on master
Patch V7: fix compiling with --disable-server
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20190917121004.13685-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18818.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
A test run with FreeBSD PR 229925 'Disallow escaping ordinary
characters in regex(3)' reveals one sed expression that uses the
GNU-extension "\s".
Given that this is the only occurrence and it's a trivial fix,
update it to be POSIX-compatible.
Signed-off-by: Matthias Andree <matthias.andree@gmx.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190906174458.14975-2-matthias.andree@gmx.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18806.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
If parameter is not specified, default value "root\tap0901"
is used.
This enables tapctl to work with different tun drivers,
like "tapoas" (from OpenVPN Connect) or "wintun".
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Simon Rozman <simon@rozman.si>
Message-Id: <1569229682-9731-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18854.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Ensure to check the exit code of the mktun command *before* running
sleep, otherwise '$?' will resolve to the exit code of sleep itself,
thus nullifying the check.
Reported-by: Steffan Karger <steffan@karger.me>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190919202257.19405-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18845.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Interfaces of type tun are marked as NO-CARRIER when no process is
attached to them. However, this bit gets set with some delay after
creation.
For this reason, it is better to wait for the bit to settle before
starting any test, otherwise any timing influence on the test may lead
to inconsistencies due to the NO-CARRIER bit randomly being or not in
the snapshot output taken by t_net.sh.
This patch add a 'sleep 1' command right after creation of the
interface, to give the NO-CARRIER bit a chance to settle.
This issue has been witnessed on a buildbot that is
apparently slowler than average to run the unit tests.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190919072820.9913-1-a@unstable.cc>
URL: https://www.mail-archive.com/search?l=mid&q=20190919072820.9913-1-a@unstable.cc
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Since the very beginning this define has only
been used together with _WIN32 and code wrapped into it
uses Win32 API, so it could be safely removed and
replaced with _WIN32.
Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1568019436-28527-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18808.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This function's return value is never used, so make it void.
Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1567784437-25922-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18804.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
With the introduction of the new networking API layer on linux, some
ifdefs can be pruned or simplified.
While at it move some variable to improve readability.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190805092529.9467-7-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18724.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Give this file a run under uncrustify to fix a few style glitches here
and there.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190805092529.9467-6-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18727.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
With the new networking APIs, each implementation handles garbage
collection internally and therefore does not require a gc object to be
provided by the outer layer.
However, there are a few cases where a garbage collector is still required.
In close_tun() move the declaration and cleanup of gc to the
area where it is used and simplify the surrounding code a bit.
While at it, fix a typo in a nearby ifdef comment.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190805092529.9467-5-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18726.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Networking backend implementations may need to allocate dynamic
resources that require an explicit free/release.
Since these cleanup are perfomed not very often, and only at specific
times, it makes sense to have the upper layer signal when it's the right
time to do so, by means of a new API call.
For this purpose two news APIs have been implemented:
- net_ctx_free() to release all backend specific resources. Expected to
be called at application cleanup time;
- net_ctx_reset() to let backends release temporary resources (i.e.
reset garbage collectors). To be invoked after routines that
are expected to allocate memory (i.e. tun setup or shutdown).
In this patch related implementations for iproute2 and sitnl are also
provided.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190816202654.19388-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18780.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commit ("openssl: Fix compilation without deprecated OpenSSL 1.1 APIs")
has removed the cipher_ctx_cleanup() API, as it is not anymore required
to be a distinct call. However, while doing so it also touched the
mbedtls backend in a wrong way causing a systematic segfault upon
connection.
Basically mbedtls_cipher_free(ctx) was moved from the defunct
cipher_ctx_cleanup()
to md_ctx_free(), while it was supposed to go into cipher_ctx_free().
This was clearly wrong as also the type of the ctx variable was not
correct anymore.
Fix this mistake by actually moving mbedtls_cipher_free(ctx) to
cipher_ctx_free().
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20190816204945.7937-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18781.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
EVP_CIPHER_CTX_init and _cleanup were deprecated in 1.1 and both were
replaced with _reset.
EVP_CIPHER_CTX_free in OpenSSL 1.1 replaces the cleanup/free combo of
earlier OpenSSL version. And OpenSSL 1.0.2 already calls cleanup as part
of _free.
Therefore we can remove the _cleanup calls and use the OpenSSL 1.1. API
everywhere.
Also removed initialisation with OpenSSL 1.1 as it is no longer
needed and causes compilation errors when disabling deprecated APIs.
Same with SSL_CTX_set_ecdh_auto as it got removed.
Patch V3: Use EVP_CIPHER_CTX_reset instead of init/cleanup
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Rosen Penev <rosenp@gmail.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20190724152934.9884-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18700.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
For reasons historically unknown, OpenVPN sets the listen() backlog
queue to "1", which signals the kernel "while there is one TCP connect
waiting for OpenVPN to handle it, refuse all others" - which, on
restarting a busy TCP server, will create connection issues.
The exact "best" value of the backlog queue is subject of discussion,
but for a server that is not extremely busy with many connections
coming in in parallel, there is no real difference between "10" or "500",
as long as it's "more than 1".
Found and debugged by "mjo" in Trac.
Trac: #1208
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20190815155319.28249-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18758.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
At the moment a strcpy() (without length check!) is performed between a
string long IFNAMSIZ bytes and one of 16 bytes. This is ok right now
because IFNAMSIZ is defined as 16, however this bit is not under our
control and may change in he future without us being warned.
For this reason, force both strings to use IFNAMSIZ as size and, since
this constant may not exist on every platform, ensure it is always
defined.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190805092529.9467-2-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18722.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
It turns out that the only part of Android that still shares routing
code with Linux is the get_default_ipv6 method.
Instead of fixing a method that makes little sense on Android anyway,
have a method that returns a fake ipv6 gateway like for ipv4.
Patch V2: Instead adding ANDROID to a long list of ifdefs, change this
to a non LINUX ifdef
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190815121053.18433-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18752.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Clang/Android complained
warning: address of array 'rgi6->iface' will always evaluate to 'true'
[-Wpointer-bool-conversion]
if (rgi6->iface)
iface is a char[16]; So its pointer is always true.
we do a CLEAR(rgi6) always before setting this struct and strcpy the
name into iface. So using strlen instead of checking for the pointer
should be the right fix.
Patch V2: use if(strlen > 0) instead of if(strlen)
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20190815121053.18433-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20190815121053.18433-1-arne@rfc2549.org
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The prefixlen parameter is not used at all while retrieving a route
therefore it can safely be removed.
Signed-off-by: Antonio Quartulli <antonio2openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190805092529.9467-3-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18725.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
I noticed the .rc-files for programs uses
'FILETYPE 0x2L'. The 0x2L' is for a .DLL (VFT_DLL).
Ref: Win-Kit's 'um/verrsrc.h':
#define VFT_DLL 0x00000002L
Hence these '0x2L' should be replaced with 'VFT_APP':
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <aa4f4026-a684-f96d-c8cb-d4f8a3468c4c@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18644.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commit fb4e8ab added variable-length array which
is C99 feature and is not supported by Visual Studio.
This removes VLA and writes data directly into passed buffer.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1563442503-11119-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18676.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
From the pkcs11-helper API documentation about pkcs11h_setForkMode():
> This funciton is releavant if PKCS11H_FEATURE_MASK_THREADING is
> set. If safe mode is on, the child process can use the loaded
> PKCS#11 providers but it cannot use fork(), while it is in one of
> the hooks functions, since locked mutexes cannot be released.
As far as I can tell, pkcs11-helper functionality is not used in a
child process that is created after initialization. Even if OpenVPN is
turned into a daemon, the pkcs11-helper library is only initialized
after calling possibly_become_daemon(), i.e. in the child process. All
other uses of fork() are immediately followed by an exec()
This simple change fixes the symptoms described in both
<https://community.openvpn.net/openvpn/ticket/538> (hang on password
prompt when systemd support is enabled) and
<https://community.openvpn.net/openvpn/ticket/1157> (hang on
initialization with newer versions of pkcs11-helper).
I have successfully tested that this makes the described symptoms go
away. For this, I used a YubiKey NEO on Debian/stable, a rebuild of
OpenVPN 2.4.6 and two versions of libpkcs11-helper:
- libpkcs11-helper 1.21-1 from Debian/stretch
- a backport of libpkcs11-helper 1.25-1 from Debian/buster
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20190218153129.3818-1-bengen@hilluzination.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18218.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
NCP negotiation replaces worst cast crypto overhead
with actual one in data channel frame. That frame
params are used by mssfix.
Fragment frame still contains worst case overhead.
Because of that TCP packets are fragmented, since
MSS value exceeds max fragment size.
Fix by replacing worst case crypto overhead with
actual one for fragment frame, as it is done for data
channel frame.
Trac #1140
Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1548101094-4449-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18135.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
get_default_gateway_ipv6() has always been implemented using
netlink, however, now that we have sitnl, we can re-use the
latter and get rid of the netlink code from route.c.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190715144609.19616-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18667.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
GCC 9 no longer accepts this flag and trying to find out what it does do
leads to an article
"-no-cpp-precomp: the compiler flag that time forgot"
that also no longer on the Internet. And most other things are
PRs/commits from over ten years ago that remove the flag since it
is no longer needed.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190705114243.9481-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18650.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This is useful for features that can use enither a persistent
or an ephemeral key.
Patch V2: Move the functionality of generating a random key into a
separate function that acts as wrapper for pem_read_key_file
Patch V4: Move wrapper functionality to caller and leave only generate
epehermal key functionality in the new function
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20190613134834.5709-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18527.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This unifies our key generation and also migrates the generation
of the tls-crypt-v2 keys. Since tls-crypt-v2 is not included in any
released version, we remove the the old syntax without compatibility.
PATCH V4: Introduce warning/error when using --secret with --genkey
Update non code usages to use new --genkey syntax
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20190613134834.5709-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18524.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
tap windows, pkcs11 helper, mbedtls, openssl were updated to the most
recent versions
Signed-off-by: Ilya Shipitsin <chipitsine@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190628194637.5038-3-chipitsine@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18619.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
We used to ship git submodule instructions to build a local copy of
cmocka in vendor/cmocka/ and use that (if cmake is installed) to build
unit tests. With the network test driver this turns out to be a
LD_LIBRARY_PATH vs. SUDO complication which is really outweighing the
benefit of a local build today - so, use the system-wide installation
if available (querying pgk-config). Do not build unit-tests otherwise.
v2: (inspired by patch from David Sommerseth)
introduce "configure --disable-unit-test" switch
simplify configure.ac logic
use CMOCKA_LIBS and CMOCKA_INCLUDE (set by PKG_CHECK)
v3:
repair conflict with commit 7473f32636
CMOCKA_INCLUDE is not correct, must be CMOCKA_CFLAGS (see config.status)
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20190623183210.6005-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18570.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The man page states that when using --capath, the user is required to
provide CRLs for CAs. This is not true and providing CRLs is optional -
both in case of --capath as well as --crl-verify options. When relevant
CRL is not found OpenVPN simply logs the warning in the logs while
allowing the connection, e.g.:
VERIFY WARNING: depth=0, unable to get certificate CRL
This patch clarifies the behavior.
Signed-off-by: Michal Soltys <soltys@ziu.info>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20190409143438.25348-2-soltys@ziu.info>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18343.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This fixes "make check" builds on systems with lzo on a non-standard
location.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20190602101831.21216-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18482.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
1) Building the networking unit-test when SITNL is not enabled does not
make much sense right now.
Make compilation dependent on having SITNL configured.
2) Remove some no-op mock_msg function calls.
3) Remove obsolete comment and declarations
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20190618163435.26431-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18556.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The current script is performing a test on the "kill" command, but this
is not useful to the t_net.sh script as it never really executes it.
Rather test that "sudo <unit-test-binary>" really works.
<unit-test-binary> has to be added to the sudoers file if this test
has to be performend unattanded. The path is:
./unit_tests/openvpn/networking_testdriver
On top of that, print a simple OK for every test that is succesful.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190615230213.14888-2-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18548.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The t_net script currently has #!/bin/sh but it implicitly assume to
be using bash.
This is fine on most distros, but some do not have sh pointing to bash
by default, thus breaking the script.
Explicitly use bash to avoid failures.
On the other hand, run this unit-test only if SITNL was enabled at
compile time. This test was designed with SITNL in mind and it is
not yet ready for other backends.
Running only when SITNL is enabled implies running on Linux only
therefore we are guaranteed that bash will always work.
While at it, also add a comment as of why the t_client.rc file is
sourced.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190615230213.14888-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18547.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
While the existing code is not wrong and will never cause an overflow,
it will copy (on a too-long source string) "maxlen" bytes to dest, and
then overwrite the last byte just copied with "0" - which causes a
warning in gcc 9 about filling the target buffer "up to the end,
with no room for a trailing 0 anymore".
Reducing the maximum bytes-to-be-copied to "maxlen -1", because the
last byte will be stamped with 0 anyway.
v2: do not ASSERT() on "maxlen == 0", but move the strncpy() call inside
the if() clause - so "just do nothing" on maxlen == 0, as before.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20190608075622.11589-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18502.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This patch introduces a new unit test that is not executed
by the cmocka framework, but rather used by a new t_net.sh
bash script.
The idea behind this test is to ensure that invoking sitnl
functions or running iproute commands leads to the same
networking (interface and routing table) state.
To achieve this, the t_net.sh script first runs a binary
implemented invoking sitnl functions and then takes a
"screenshot" of the state. Subsequently a series of
iproute commands, expected to mimic exactly the same behaviour
as the sitnl functions invoked before, are executed.
The final state is then compared with the screenshot
previously taken.
If no mismatching is found, the test is passed.
The current unit_test, however, does not cover all the
sitnl functionalities and it is expected to be extended
in the future.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20181219050118.6568-7-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18027.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
By switching to the networking API (for Linux) openvpn will
now use any of the available implementations to handle the
routing table.
At the moment only iproute2 is implemented.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20181219050118.6568-5-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18029.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>