OpenVPN shipped a small packet filtering tool called PF. It has never
been straightforward as it required a plugin to work. On top of that,
keeping PF support, makes the code more complicated and increases the
maintenance cost of OpenVPN.
PF itself is not actually maintained at all and there is little
motivation in keeping it alive.
Some years ago an IPv6 extension for PF was proposed, but it was never
picked up for the reasons above.
External (and more appropriate) tools can still be used to implement
packet filtering on the OpenVPN interface.
Drop PF support for good.
Note that IDs used for external communication (i.e. to the plugin
or management interface) have been commented out, but not removed, as
they should not be used in the future.
v2:
* changed // to /* */
* changed "NOT IMPLEMENTED" to "REMOVED FEATURE"
* removed extra empty lines after removing ifdef blocks
* clarified on IRC that tls_final has to be removed and therefore that
hunk is correct
* removed mi_prefix() function as it is now unused
Cc: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210827190014.12640-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22780.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
"pdb" files are important for example, for BinSkim analysis. Let us
keep them
Signed-off-by: Ilya Shipitsin <chipitsine@gmail.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20210826100221.1378-1-chipitsine@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22769.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Ubuntu spelling was wrong and the matrix for operating system
does not do anything but run the same build twice.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210908142724.3391935-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22822.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
OpenSSL on RHEL 8 and CentOS 8 system when these system are put into
FIPS mode need extra code to figure out if a specific cipher algorithm
is usable on these system. This is particularly problem in data-ciphers
as the errors might occur much later when a client connects and as these
cipher are not caught during config initialisation.
This also prepares for adding Chacha20-Poly1305 when available to
data-ciphers by making the detection logic used to check if
cipher_kt_get returns non-NULL work on these systems.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20210818213354.687736-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22746.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
With this change the value of '--allow-compression' is set to 'no'.
Therefore compression is not enabled by default and cannot be enabled
by the server either.
This change is in line with the current trend of not recommending
compression over VPN tunnels for security reasons (check Voracle).
Of top of that compression is mostly useless nowadays, therefore
there is not real reason to enable it.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210904095629.6273-4-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22797.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This changes introduces the basic infrastructure required
to allow the user to specify a specific OpenVPN version to be
compatible with.
The next commits will modify defaults to more modern and safer
values, while allowing backwards-compatible behaviour on demand.
The backwards-compatible behaviour is intructed via the config
knob '--compat-mode' implemented in this patch.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by:
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210908072606.5863-1-a@unstable.cc>
URL: https://www.mail-archive.com/search?l=mid&q=20210908072606.5863-1-a@unstable.cc
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Most TLS 1.3 libraries inlcude the Chacha20-Poly1305 based cipher suite
beside the AES-GCM based ones int he list of default ciphers suites.
Chacha20-Poly1305 is accepted as good alternative AEAD algorithm to the
AES-GCM algorithm by crypto community.
Follow this and include Chacha20-Poly1305 by default in data-ciphers
when available. This makes picking Chacha20-Poly1305 easier as it only
requires to change server (by changing priority) or client side (removing
AES-GCM from data-ciphers) to change to Chacha20-Poly1305.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210818213354.687736-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22745.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
A code string terminating character (`) is missing, thus leading to the
following warning:
man-sections/protocol-options.rst:99: (WARNING/2) Inline interpreted text
or phrase reference start-string without end-string.
Add missing char at the end of the code word.
Cc: David Sommerseth <davids@openvpn.net>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210827145656.21646-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22779.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
IN6_IS_ADDR_UNSPECIFIED on most systems is defined as a macro that
expects a struct in6_addr* argument.
In one instance we are passing the right address but using a wrong type.
Fix this invocation by properly passing the right pointer.
This issue might become more critical on systems implementing
IN6_IS_ADDR_UNSPECIFIED as a function rather than a macro.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by:
Message-Id: <20210826061725.22169-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22767.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The experience with openurl/OPEN_URL has shown that just sending
a URL to a client is not enough and we often need different
behaviour of the client depending on circumstances. Replace
OPEN_URL with a more flexible WEB_AUTH pending auth method.
Patch v2: use WEB_AUTH instead WEBAUTH
Patch v3: incooperate other comments from Selva
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20210813115542.2794-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22737.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Add the missing timeout value that is required (not optional)
- Split the long line
- Also make the AUTH_PENDING state message format in
management-notes.txt more precise.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by:
Message-Id: <20210814044834.2236-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22739.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The mbedtls_ctr_drbg_update_ret() function was backported to various
older branches, including 2.14 and 2.7.
To avoid making the #if guard too complex, let's detect if this function
exist at configure time.
All versions not having this function, will use our compat code.
Cc: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Message-Id: <20210812085300.4738-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22734.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The function mbedtls_ctr_drbg_update is deprecated as of mbedtls 2.16
and is superseded by mbedtls_ctr_drbg_update_ret, which returns an error
code. This commit replaces the call to the deprecated function with the
new one and logs a warning in case of an error.
For older versions of mbedtls, we add a compatibility function that runs
mbedtls_ctr_drbg_update and returns 0.
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210810061644.20353-1-maximilian.fillinger@foxcrypto.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22711.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This gets rid of a few #ifdef and also removes the need for
commit a11bea18b1 (argv is only initialized after the
early exit check on RT_DEFINED).
v2:
use gc_new(), group gc and argv init in both add_route*() functions
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210802152619.30754-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22694.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Mixed udp+tcp configs can not have --explicit-exit-notify in them
today because this option is refused in TCP mode. At the same time,
it was always possible to push the option both in UDP and TCP mode
(with a warning logged in TCP mode, and the option reset to 0).
Do the same thing for local config - warn, and reset to 0.
(Leaving it enabled in TCP mode is harmless, but causes extra error
messages in the log which is undesired behaviour. Maybe one should
just fix the underlying logic for TCP mode instead, but this is more
invasive)
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210802133127.25000-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22690.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
the unit tests do not compile under Windows since Windows does not
provide a unistd.h header. The header is still included on Unix
platforms via syshead.h
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210802100740.694474-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22685.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Currently P2P mode of OpenVPN is on of the few places that cannot negotiate
modern OpenVPN features. This becomes more and more problematic since P2P
and P2MP code diverge more and more and also the lack of switching to more
advanced features like Data v2 currently blocks P2P mode from working
together with the upcoming ovpn-dco support.
This NCP support is a lot simpler and works in the following way:
- P2P peer announce an extremely limited IV_ variable set
(IV_PROTO and IV_CIPHERS)
- Both peers check if the IV_PROTO_NCP_P2P bit is present in IV_PROTO
- if yes both sides deterministically determine according to
IV_PROTO and IV_CIPHER what options can be used and start using these
There are no poor man's NCP or other compatibility workaround like in the
normal NCP, making this NCP leaner and more deterministic.
Patch v2: remove empty lines, add doxygen comment to push_peer_info, fix
push_peer_info >= 2 that should be > 2
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210728123050.564595-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22671.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This is meant to give new users a quickstart for a useable OpenVPN
setup. Our own documentation is lacking in this regard and many
tutorials that can be found online are often questionable in some
aspects.
Linking the individual RST file on github also give a tutorial
in a nicely formatted way.
Patch V2: Fix grammar/spelling mistakes (thanks tincantech), move
to openvpn-examples(5).
Patch v3: use server.key and server.crt instead of server.pem/serverkey.pem
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210728154922.568796-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22674.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
MSFT has merged PR to vcpkg which
added OPENSSL_NO_AUTOLOAD_CONFIG option
https://github.com/microsoft/vcpkg/pull/18389
This means that we don't need to have our own openssl port
and instead we just add
set(OPENSSL_NO_AUTOLOAD_CONFIG ON)
to our custom triplets.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210628080832.510-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22616.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
By reasons remain unknown, MSVC GitHub Actions
started to fail after some irrelevant change.
While problem is also reproduced on my GitHub fork,
I couldn't reproduce it locally. Despiteadding
debug logging to GitHub Actions it is not clear
what went wrong:
##[debug]Exit code '3221225477' received from command
'"D:\a\openvpn\openvpn\vcpkg\vcpkg.exe"'
Turns out that update to a newer vcpkg commit fixed the problem.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210726223920.144-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22678.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
NCP has proven to be stable and apart from the one VPN Provider doing
hacky things with homebrewed NCP we have not had any reports about
ncp-disable being required. Remove ncp-disable to simplify code paths.
Note: This patch breaks client without --pull. The follow up patch
for P2P NCP will restore that. But to avoid all the NCP/non-NCP special
cases to be implemented in P2P. P2P will directly switch from always
non-NCP to always NCP.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210520151148.2565578-8-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22418.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This changes that auth_token_initial is set when the token is
initially generated instead when pushing the token. Even I do not
know anymore why I did it in this way in the first place. Also use
multi->auth_token_initial as source for the sesssion ID since it should
now always be available. Also set auth_token_initial directly to
up->password once we verified that we have gotten a valid token from
a client. This cleans ups the logic in generating the environment and
makes the code flow clearer.
Since the change makes auth_token_initial always available we need to add
a check to only send a PUSH reply to update the token on renegotiations.
The old code relied on multi->auth_token not being set in this case.
This commit also removes the workaround for old OpenVPN clients. These
were only available as commercial OpenVPN Connect client and not in use
anymore.
Furthermore, introduce a check if the session ID has changed during a
session. Even though this is still a valid authentication changing to
a different auth token mid session is highly irregular and should never
occur naturally.
Patch V2: rebase.
Patch V3: fix formatting, clarifying commit message, remove initial
token workaround for old v3.
Patch v4: move sending the auth-token for renegotiations to a sane place
and trigger it when the TLS session reaches its fully authenticated
state.
Patch v5: Move also setting auth_token_inital from up->password to a more
logical place, general cleanups, add session id mismatch check
Patch v6: Rework some comments and general cleanup of small things
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210719133132.128783-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22645.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
If a route structure is passed to add_route() or add_route_ipv6()
without the RT_DEFINED flag set, both functions leak an "argv"
structure allocation.
Add appropriate argv_free() calls.
Signed-off-by: David Korczynski <david@adalogics.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210714162533.10098-1-david@adalogics.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22637.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commit bc36d9d569 removed the autoconf detection of various OpenSSL
functions. This overlooked HAVE_SSL_CTX_SET_SECURITY_LEVEL check in
tls_ctx_set_cert_profile. Replace this also with a version number
based check.
Tested with LibreSSL on OpenBSD 6.8, OpenSSL 1.1 and wolfSSL.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210623183728.2565286-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22584.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Since generating data channel keys does not happen when we have reached
the S_ACTIVE/S_GOT_KEY state anymore like it used to be before NCP, the
state that data channel keys have been created deserves its own state in
the TLS session state machine.
The changes done by this commit are rather intrusive since they
move the key generation to a completely different place and also
rely on the state machine to decide if keys should be
generated rather than on the complicated conditions that were
implemented in the key_method_2_write/read methods.
A (intended) side effect of this change is that sessions that
are still in deferred state (ks->authenticated == KS_DEFERRED)
will not have data channel keys generated. This avoids corner
cases where a not fully authenticated sessions might leak data.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Patch v2: rebased
Patch v3: fix crash in non TLS mode
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210705133414.3102815-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22617.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The IV_HWADDR description was only partially correct, as there are more
implementations using other values than the MAC address of the default
gateway.
The intention of this value is to provide a unique identifier of the
client and on some platforms this is not possible to retrieve other than
to generate this information.
The 64 bytes limitation is an arbitrary value, it is not enforced by
OpenVPN 2.x. But it was considered a good idea to at least have some
reasonable upper limit of how long this string can be, at least for
those implementing support for this information.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210709134849.161728-1-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22625.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Prior to this patch, the Makefile.am needs to be modified multiple
places to add a new man or HTML page to be generated. Since it is not
too often we modify this, it is easy to miss these finer details.
This changes the man and HTML generator rules to be more generic and use
variables as many places as possible. Also moved all the lines which
should not need to be changed as much towards the bottom-half of the
file.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210630185134.144826-1-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22604.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When openvpn needs to prompt user for a password
(for example, to set management interface password),
the prompt is written to standard error device.
When log is redirected to a file, that prompt is written
to that file and not to the "original" stderr. Moreover, on recent
Insider build (21390.2025) openvpn exits with fatal error
get_console_input_win32(): unexpected error: No such device or address
(errno=6)
while attempting to write that prompt.
When redirecting stdout/stderr, we use _dup2() to associate stderr
descriptor with a log file. This call closes file associated
with stderr descriptor, which might explain why it has stopped
working (original stderr is closed and WriteFile() fails) and on
older versions it appears to work "by accident" - not failing
but use redirected stderr instead of original one.
Fix by creating new file descriptor with _dup() for stderr
before redirect and use this descriptor for writing prompts.
While on it, make code a bit more C99-ish by moving variables
declaration from the beginning of the scope to the actual
initialisation.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210625010405.224-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/search?l=mid&q=20210625010405.224-1-lstipakov@gmail.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This extract the update of a deferred key status into into own
function.
Patch v2: Do not ignore auth_deferred_expire. Minor format changes.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210520151148.2565578-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22420.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When the function setup fails due to invalid file handles, or because
WriteFile(err, ...) fails (due to file handle corruption elsewhere),
the function used to silently "return false"
Change this to print a M_WARN|M_ERRNO message.
Also, change the function style to early-return style (= large diff, but
most are indent changes only).
v2: fix spurious "}" that was left over from change to early-return.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20210618181246.30769-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22577.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
We ensure here that the tls session is authenticated before sending
a push_reply
This the final part of the fix for CVE-2020-15078 in the master branch.
CVE: 2020-15078
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210624130840.2583433-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22587.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Previously we relied on checking tls_authentication_status to check
wether to determine if the context auth state is actually valid or not.
This patch eliminates that check by introducing waiting on the
authentication as extra state in the context auth, state machine.
The simplification and reorganization of the state machine in this
and the previous patches also eliminates a number of corner cases,
including the specific one that lead to CVE-2020-15078.
Patch v3: Fix ccd config from management being ignored
Patch v4: Fix race condition, we need to accept the config from
management if we are in CAS_WAITING_AUTH or earlier states
and not just in CAS_WAITING_AUTH state
CVE: 2020-15078
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210604143938.779193-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22491.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The socket_info->connection_establish is set through
link_socket_set_outgoing_addr when we reach FULL_SYNC. This patch
introduces a new state in context_auth that replaces the
connection_established state for TLS connections. This make the state
machine easier to understand.
Also, rename "enum client_connect_status" to "multi_status", re-order
states so CAS_NOT_CONNECTED (=0) is the default state, and introduce
CAS_CONNECT_DONE as numerically highest so "are we done?" can be
easily checked.
This is part of the patchset to fix CVE-2020-15078 in "master" by
reorganizing the handling of incoming new and renegotiated TLS sessions
to make the code easier to understand and less prone to "edge case"
issues.
Patch v2: fix p2p mode server without (without ncp)
CVE: 2020-15078
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210520151148.2565578-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22419.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The auth-token check is tied to the username/password that is coming
via a specific SSL session, so keep the state also in the key_state
structure.
This also ensures the auth_token_state is always set to 0 on a new
session since we clear the key_state object at the start of a new
SSL session.
This is a prerequisite patch to fix 2020-15078 in the following two
commits.
This also applies the changes to the auth_token_test.c. The change of
tls_session to a pointer is necessary since before that we had tls_session
not tied to the multi and had two tls_session used in the test. One
implicitly in tls_multi and one explicit one. Merge these to one.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210520151148.2565578-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22415.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
In default configuration OpenSSL loads config from
certain location on disk, for example
c:\vcpkg\packages\openssl_x64-windows\openvpn.cnf
which may pose a security risk.
There is "no-autoload-config" config option for OpenSSL
which disables this functionality:
https://github.com/openssl/openssl/pull/5959
however it is not "exported" to vcpkg.
This adds openssl port overlay which sets "no-autoload-config"
config option. Here is the diff (indented with "!" to avoid
confusing "git am"):
! diff --git a/ports/openssl/windows/portfile.cmake
! b/ports/openssl/windows/portfile.cmake
! index 7a3bf08ed..c873eb756 100644
! --- a/ports/openssl/windows/portfile.cmake
! +++ b/ports/openssl/windows/portfile.cmake
! @@ -21,6 +21,7 @@ set(CONFIGURE_OPTIONS
! enable-capieng
! no-ssl2
! no-tests
! + no-autoload-config
! -utf-8
! ${OPENSSL_SHARED}
! )
There is also corresponsing PR to vcpkg:
https://github.com/microsoft/vcpkg/pull/18389
When above PR is merged, this port overlay can be removed.
CVE: 2121-3606
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210617061259.297-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22569.html
Commit a4071b ("crypto_openssl: add initialization to pick up local
configuration") added openssl initialization to load configuration
file. However on Windows this file is loaded from user-writable
directory, such as c:\etc\ssl for mingw builds and (for example)
c:\vcpkg\packages\openssl_x64-windows\openvpn.cnf for vcpkg
builds. This could be a security risk.
CVE-2121-3606 has been assigned to acknowledge this risk.
Since aforementioned commit implements a niche feature which might
be better solved with CryptoAPI on Windows, make this code conditional
(for now).
CVE: 2121-3606
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210617061226.244-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22568.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
p2p connections with both ends backing off seldom succeed
as their connection attempt durations becomes increasingly
unlikely to overlap when the retry wait time is long.
Avoid this by applying the backoff logic only on TCP clients
or the tls_client side for UDP.
Regression warning: shared secret setups are left out of the
backoff logic.
Trac: #1010, #1384
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210602194739.29488-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22485.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When not using username and password (i.e. auth-user-pass) it can still
be desirable to provide the client with an auth-token, e.g. for allowing
a session to continue after a reconnect without requiring 2FA again.
However, without --auth-user-pass openvpn does not have a username and will
ignore any pushed auth-token command.
This patch adds support for auth-token-user to set the username that should
be used for auth-token
The spec of using auth-token-user base64-encoded-user are the ones that
OpenVPN3 already implements.
Patch V2: Improve style, fix comments and commit message
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210520151148.2565578-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22417.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commit 36b9aa "contrib/vcpkg-ports: add pkcs11-helper port"
has trimmed trailing white space in .patch files and thus corrupted them.
Restore trailing whitespaces to "uncorrupt" patches.
** applied with git am --whitespace=nowarn **
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-By: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210615104331.210-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22553.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
pkcs11-helper is a dependency library used by OpenVPN.
So far it has been built only by mingw.
Since we're making MSVC build system a first class citizen,
we need to build depencencies with MSVC, which we do with vcpkg.
All dependencies are in vcpkg official repo, expect pkcs11-helper.
This provides vcpkg port for building pkcs11-helper.
Example usage:
vcpkg --overlay-ports=<openvpn>\contrib\vcpkg-ports install pkcs11-helper
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210607104213.216-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22503.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This finally enables standalone MSVC building, without
dependency on openvpn-build/msvc. This makes MSVC build
process much simpler.
Dependencies are managed by vcpkg. To install dependencies, run:
> vcpkg --overlay-ports=<openvpn>\contrib\vcpkg-ports
--overlay-triplets=<openvpn>\contrib\vcpkg-triplets install
lz4:x64-windows-ovpn lzo:x64-windows-ovpn
openssl-windows:x64-windows-ovpn pkcs11-helper:x64-windows-ovpn
tap-windows6:x64-windows-ovpn
To build for other arch, use x86-windows-ovpn or arm64-windows-ovpn.
Custom triplets are defines so that lz4 is linked statically and
other libraries dynamically.
Since we don't have CMake support yet, we cannot use vcpkg manifest
mode, since it doesn't work with overlay ports
(https://github.com/microsoft/vcpkg/issues/12289),
therefore this one-time manual dependency installation is required.
While on it, bump msvc-generate project target version to VS2019 and
cleanup leftovers from compat.vcxproj.filters.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210514045704.686-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22389.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
clang does not like if the format argument of printf like function
is not a string literal (or constant):
warning: format string is not a string literal (potentially insecure)
Make the format string constant to silence the warning.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20210609061532.12774-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22519.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
dummy0 gives strange errors on the Ubuntu 16 runner on github actions
because
dummy already exist, so use a more unique ovpn-dummy0 name instead.
Github actions are a good alternative to travis-ci, which futrure is
questionable
at the moment without payment. The github actions also allows building on
macOS
and Windows (not included in this commit). The matrix is a bit different
than Coverity and uses different Ubuntu version with their native OpenSSL
(1.0.2, 1.1.1)/mbed TLS instead of manually compiling different OpenSSL
versions on just Ubuntu 20.04.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20210608152434.1403999-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22511.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>