Old expiration was October 2024, less than a year away.
Give everyone the chance to get the new keys before tests
start failing.
Change-Id: Ie264ec1ec61fd71e8cc87987be3e2adc2735c201
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231121110430.16893-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27530.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Add support for tls-crypt packets in protocol_dump(). Currently,
protocol_dump() will print garbage for tls-crypt packets.
This patch makes protocol_dump print the clear text parts of the packet such
as the auth tag and replay packet id. It does not try to print the wKc for
HARD_RESET_CLIENT_V3 or CONTROL_WKC_V1 packets. It also intentionally
does not print ENCRYPTED placeholders for ack list and DATA, to cut down
on the noise.
Signed-off-by: Reynir Björnsson <reynir@reynir.dk>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <8237adde-2523-9e48-5cd4-070463887dc1@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27310.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
As of version 3.5.0 the TLS-Exporter function is not yet implemented in
mbed TLS, and the exporter_master_secret is not exposed to the
application either. Falling back to an older PRF when claiming to use
TLS1.3 seems like false advertising.
Change-Id: If4e1c4af9831eb1090ccb3a3c4d3e76b413f0708
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231115151740.23948-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27453.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Some pushed options (such as DOMAIN-SEARCH) require DHCP server to work.
Warn user that such options will not work if the current driver (such
as dco-win) doesn't support DHCP.
Change-Id: Ie512544329a91fae15409cb18f29d8be617051a1
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231115120656.6825-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27403.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When tap-windows6 driver is used, both --dhcp-option and
--dns options are applied with DHCP. When processing --dns options,
we don't set "tuntap_options.dhcp_options" member, which is required
for DHCP string to be sent to the driver. As a result, --dns options
are not applied at all.
Fix by adding missing assignment of tuntap_options.dhcp_options.
Github: fixesOpenVPN/openvpn#447
Change-Id: I24f43ad319bd1ca530fe17442d02a97412eb75c7
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231115120623.6442-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27402.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When a key_state is in S_UNDEF the send_reliable is not initialised. So
checking it might access invalid memory or null pointers.
Github: fixesOpenVPN/openvpn#449
Change-Id: I226a73d47a2b1b29f7ec175ce23a806593abc2ac
[a@unstable.cc: add check for !send_reliable and message]
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231115103331.18050-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27401.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This is a regression from commit
01341840 ("add basic CMake based build")
S_IRUSR and S_IWUSR should NOT be defined as 0 but
as _S_IREAD and _S_IWRITE, as it was already fixed in commit
077445d0 ("Fix some more wrong defines in config-msvc.h")
Those are used as permission mode when opening a file. Passing
zero makes file read-only, which break for example --status-file
functionality.
Github: fixesOpenVPN/openvpn#454
Trac: #1430
Change-Id: I53eaee85d7b284af6bc63da5f6d8f310ddd96c47
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231114141653.10486-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27393.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Fixed typographical errors in various documentation files for improved clarity and readability.
Signed-off-by: Aquila Macedo <aquilamacedo@riseup.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <4a3a9f1d691704f25f07653bb0de2583@riseup.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27320.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This broke in the CMake build since previously we
just always set HAVE_CHDIR to 1 in the MSVC build.
But actually the code should just not check HAVE_CHDIR
on Windows.
Github: fixesOpenVPN/openvpn#448
Change-Id: I0c78ce452135fe2c80275da449215ba926471018
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20231111081808.30967-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27362.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This overwrites the default that cmake automatically sets. In the
case of debug builds, this breaks debugging as -O1 already optimises
many variables away.
Change-Id: I3ca6965799b23d542ababc3e38880317cb46a3ac
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231107141755.30559-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/search?l=mid&q=20231107141755.30559-1-frank@lichtenheld.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When I refactored the tls_state_change method in
9a7b95fda5 I accidentally changed a break into
a return true while it should return a false.
The code here is extremely fragile in the sense
that it assumes that settings a keystate to S_ERROR
cannot have any outgoing buffer or we will have a
use after free. The previous break and now restored
return false ensure this by skipping any further
tls_process_state loops that might set to ks->S_ERROR
and ensure that the to_link is sent out and cleared
before having more loops in tls_state_change.
CVE: 2023-46850
This affects everyone, even with tls-auth/tls-crypt enabled.
Change-Id: I2a0f1c665d992da8e24a421ff0ddcb40f7945ea8
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20231108124947.76816-3-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20231108124947.76816-3-gert@greenie.muc.de
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 57a5cd1e12)
This is a find cases where the session already has planned to send out
a packet but encounters some other errors that invalidate the session,
setting it to S_ERROR and leaving the buffer behind.
This will detect and clear that to_link buffer in that case.
Change-Id: I5ffb41bed1c9237946b13d787eb4c4013e0bec68
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20231108124947.76816-2-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20231108124947.76816-2-gert@greenie.muc.de
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit cd4d819c99)
This code was necessary before the frame/buffer refactoring as we
always did relative adjustment to the frame.
This also fixes also that previously initial_frame was initialised too
early before the fragment related options were initialised and contained
0 for the maximum frame size. This resulted in a DIV by 0 that caused an
abort on platforms that throw an exception for that.
CVE: 2023-46849
Only people with --fragment in their config are affected
Change-Id: Icc612bab5700879606290639e1b8773f61ec670d
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20231108124947.76816-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20231108124947.76816-1-gert@greenie.muc.de
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 1cfca65924)
Most struct fields in mbedtls 3 are private and now need accessor
functions. Most of it was straightforward to adapt, but for two things
there were no accessor functions yet:
* Netscape certificate type
* key usage (you can check key usage, but not get the raw bytes)
I decided to remove Netscape certificate type checks when using OpenVPN
with mbedtls. The key usage bytes were printed in an error message, and
I removed that part from it.
Adding the random number functions to the load private key function may
look weird, but the purpose is to make side channels for elliptic curve
operations harder to exploit.
Change-Id: I445a93e84dc54b865b757038d22318ac427fce96
Signed-off-by: Max Fillinger <max@max-fillinger.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231025121830.1030959-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27295.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Since we're trying to use Gerrit for patch reviews, but the actual
merge process is still implemented against the ML and Patchwork,
I wrote a script that attempts to bridge the gap.
It extracts all relevant information about a patch from Gerrit
and converts it into a mail compatible to git-am. Mostly this
work is done by Gerrit already, since we can get the original
patch in git format-patch format. But we add Acked-by information
according to the approvals in Gerrit and some other metadata.
This should allow the merge to happen based on this one mail
alone.
v3:
- handle missing display_name and email fields for reviewers
gracefully
- handle missing Signed-off-by line gracefully
v4:
- use formatted string consistently
Change-Id: If4e9c2e58441efb3fd00872cd62d1cc6c607f160
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231022105919.21779-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27279.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The -fno-sanitize-recover=all flag ensures that for all errors we actually
abort the tests in the automated testing and not just print some errors in red
that nobody sees. Also add the undefined tests to catch more bugs.
For libreSSL we do not add the udefined behaviour as we have (even with the
latest LibreSSL version) an undefined behaviour in LibreSSL itself.
Change-Id: I204b396dea9f22d68e8e091d181a85ffebde4c17
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231022105756.21080-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27278.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Servers 2.4.0 - 2.4.4 support peer-id and AEAD ciphers,
but only send DATA_V1 packets. With DCO enabled on the
client, connection is established but not working.
This is because DCO driver(s) are unable to handle
DATA_V1 packets and forwards them to userspace, where
they silently disappear since crypto context is in
DCO and not in userspace.
Starting from 2.4.5 server sends DATA_V2 so problem
doesn't happen.
We cannot switch to non-DCO on the fly, so we log this
and advice user to upgrade the server to 2.4.5 or newer.
Github: fixesOpenVPN/openvpn#422
Change-Id: I8cb2cb083e3cdadf187b7874979d79af3974e759
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231022082751.8868-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27272.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Half of them used unsigned int, the other half size_t.
Standardize on one. Could've also standardized on the
other, both are much too big for the expected numbers
anyway.
Add a new utility function clamp_size_to_int for
cases we need to change from size_t to int (there
are a lot of those all over our codebase).
Resolves some -Wconversion warnings.
Change-Id: Ic996eca227d9e68279a454db93fcbc86a7bd0380
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231008104022.20200-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/search?l=mid&q=20231008104022.20200-1-frank@lichtenheld.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
inet_ntoa is officially deprecated and in some places
its use already causes warnings (e.g. Fedora submissions).
Since we mostly use inet_ntop already, just convert the
remaining usages to that.
Change-Id: I052bebe720ddf26340827f25b94705945e470bfa
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231008103415.19625-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/search?l=mid&q=20231008103415.19625-1-frank@lichtenheld.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This is a contribution for loading engine key. OpenSSL engine is
deprecated since OpenSSL 3.0 and James Bottomley has not agreed to
the proposed license chagne. He is also okay with removing the
feature from the current code base as it is obsolete with OpenSSL 3.0.
The original commit ID was a0a8d801dd0d84e0ec844b9ca4c225df7 (plus
subsequent fixes).
Change-Id: I2d353a0cea0a62f289b8c1060244df66dd7a14cb
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20231006111910.3541180-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27133.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Since in the end this always ends up as an uint16_t
anyway, just make the conversion much earlier. Cleans
up the code and removes some -Wconversion warnings.
v2:
- proper error handling in options.c
v4:
- also introduce a minimum mssfix
Change-Id: Id8321dfbb8ad8d79f4bb2a9da61f8cd6b6c6ee26
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231009105151.34074-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/search?l=mid&q=20231009105151.34074-1-frank@lichtenheld.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Print dco-win driver version using the new ioctl.
Requires dco-win driver 1.0.0 or newer to work.
Change-Id: I1d0d909e7fca3f51b5c848f1a771a989ab040f17
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231008112755.23568-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27174.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The peer temporary key in TLS session is related to the PFS
exchange/generation. From the SSL_get_peer_tmp_key manual page:
For example, if ECDHE is in use, then this represents the
peer's public ECDHE key.
Change-Id: Iaf12bb51a2aac7bcf19070f0b56fa3b1a5863bc3
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231009105518.34432-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27192.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
OpenSSL has a weird way of only reporting EC curves that are implemented
in a certain way in the list of all EC curves. Note this fact and point
out that also the very important curves X448 and X25519 are affected.
Change-Id: I86641bf60d62a50e9b2719e809d2429d65c00097
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231009105714.34598-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27193.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
OpenVPN 2.6 already warned about this feature being removed. OpenVPN
2.7 will with this change no longer accept these configurations without
having a --allow-deprecated-insecure-static-crypto added to the command
line or the configuration itself. This will serve as a last and final
warning for people who missed the warning message in OpenVPN 2.6.
This commit also removes the documentation for --secret and the static key
mode.
Change-Id: I4f29953b91cf8e8daf2c9503da44073ad96d0ff5
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231009105832.34762-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27194.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Currently we log a bogus error message saying private key password
verification failed when SSL_CTX_use_cert_and_key() fails in
pkcs11_openssl.c. Instead print OpenSSL error queue and exit promptly.
Also log OpenSSL errors when SSL_CTX_use_certiifcate() fails in
cryptoapi.c and elsewhere. Such logging could be useful especially when
the ceritficate is rejected by OpenSSL due to stricter security
restrictions in recent versions of the library.
Change-Id: Ic7ec25ac0503a91d5869b8da966d0065f264af22
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20231001174920.54154-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27122.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Not on every push due to submit limits.
Use caching to not submit a scan for the same git commit
twice. Since we have many days without pushes to master
this saves a lot of Github and Coverity resources.
v2:
- add caching to not submit redundant scans
Change-Id: I302ccc82f9d5c43b58350bbbf7f16ad1c559248f
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230911110735.34491-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27001.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
No DNS resolver currently supports this and it is not possible to
emulate the behavior without the chance of errors. Finding the
effective default system DNS server(s) to specify the exclude
DNS routes is not trivial and cannot be verified to be correct
without resolver internal knowledge. So, it is better to not
support this instead of supporting it, but incorrectly.
Change-Id: I7f422add22f3f01e9f47985065782dd67bca46eb
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20230922104334.37619-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27008.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Officially deprecated since v2.4.
We have warned about using this forever.
It is time to pull the plug.
Change-Id: I58706019add6d348483ba222dd74e1466ff6c709
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Heiko Hund <heiko@openvpn.net>
Message-Id: <20230922103830.37151-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27059.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
On Linux, daemon() is defined in unistd.h, not in
stdlib.h like in MacOS or FreeBSD.
Change-Id: I30f4ea502a36eca155cbc79b89c0d18ee3419877
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230922103900.37205-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27058.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
We do this via explicit PRs now, generated by renovate.
This allows much better control over what state of the
code gets built.
Change-Id: I8b00d7d79a26ad4aaae529cb496e125398169b50
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20230922103936.37230-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27060.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
"INFO_PRE,..." command length is limited to 256 bytes. If the server
implementation pushes command which is too long, warn the user and
don't send the truncated command to a management client.
Change-Id: If3c27a2a2ba24f2af0e3e3c95eea57ed420b2542
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230922105055.37969-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27062.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
These are based on review comments for the 2.6 backport.
But since they apply to the original master implementation
as well, I address them in this separate patch.
- Add documentation to contrib/cmake/*.py
- Fix grammar in README.cmake.md
- Update a TODO in CMakeLists.txt to better reflect
the status quo
- Fix indentation in unit_tests' Makefile.am
Change-Id: I4e16767ee221e1aefdd18d13b3411c27d8dd844a
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/342
Message-Id: <20230919155635.708557-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27043.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
While CMake is not the official way to build OpenVPN on Linux,
it still make sense to support it. Turns out that
HAVE_SETSID, HAVE_OPENLOG and HAVE_SYSLOG
were not set by CMake configure, and --daemon and syslog
functionality was broken.
While on it, fix compiler error on unused return value of chdir().
Change-Id: I171d55da2be868d961caa1d4491e6f1ed10ebe8a
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230920121519.177949-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27045.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Although it's a combination of options that is not really useful,
when specifying --multihome along with --proto tcp and DCO is enabled,
OpenVPN will crash while attempting to access c2.link_socket_actual
(NULL for the TCP case) in order to retrieve the local address (in
function dco_multi_get_localaddr())
Prevent crash by running this code only if proto is UDP.
The same check is already performed in socket.c/h for the non-DCO
case.
Github: fixesOpenVPN/openvpn#390
Change-Id: I61adc26ce2ff737e020c3d980902a46758cb23e5
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230815231555.6465-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26953.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Starting with LibreSSL 3.8.1 the engines have been removed which causes
the OpenVPN build to fail. This can be solved during configure by
checking if OPENSSL_NO_ENGINE is defined in opensslconf.h.
Signed-off-by: orbea <orbea@riseup.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230909134956.5902-1-orbea@riseup.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26994.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Currently, OCC exit messages are only logged at some high debug level
(and if OpenVPN compiled with DEBUG), while control-channel EEN messages
are logged on verb 1. Make this consistent, both in wording and in
log level.
Both messages are prefixed with the "channel" where the exit message
came in.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230814060409.50742-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26949.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This also shows the extra data from the OpenSSL error function that
can contain extra information. For example, the command
openvpn --providers vollbit
will print out (on macOS):
OpenSSL: error:12800067:DSO support routines::could not load the shared library:filename(/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib): dlopen(/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib, 0x0002): tried: '/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib' (no such file), '/System/Volumes/Preboot/Cryptexes/OS/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib' (no such file), '/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib' (no such file)
Patch v2: Format message more like current messages
Change-Id: Ic2ee89937dcd85721bcacd1b700a20c640364f80
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20230811121503.4159089-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26929.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The return value of add_bypass_routes overwrites
the return value of add_route3 instead of combining
them.
Coverity: CID 1539180 (#1 of 1): Unused value (UNUSED_VALUE)
Change-Id: I78f92f363fe203af5661c6958b2417ea30f7055c
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <60951251cdb2f39b20cfc86130c2dc0570ba0363-HTML@gerrit.openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26900.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The code was not very clear if we accept the base64 decode if the
NTLM challenge was truncated or not. Move the related code lines
closer to where buf is first used and comment that we are not concerned
about any truncation.
If the decoded result is truncated, the NTLM server side will reject
our new response to the challenge as it will be incorrect. The
buffer size is fixed and known to be in a cleared state before the
decode starts.
Resolves: TOB-OVPN-14
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230802113149.36497-1-dazo+openvpn@eurephia.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26919.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- "if (sig == X) signal_reset(sig)" now becomes
"signal_reset(sig, X)" so that the check and assignment
can be done in one place where signals are masked.
This is required to avoid change of signal state between
check and reset operations.
- Avoid resetting the signal except when absolutely necessary
(resetting has the potential of losing signals)
- In 'pre_init_signal_catch()', when certain low priority signals
are set to SIG_IGN, clear any pending signals of the same
type. Also, reset signal at the end of the SIGUSR1 and
SIGHUP loops where their values are checked instead of later. This
avoids the need for 'signal_reset()' after SIGHUP or in 'init_instance()'
which could cause a signal like SIGTERM to be lost.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230128215901.2207208-2-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26088.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
