Remote access to the service pipe is not needed and might
be a potential attack vector.
For example, if an attacker manages to get credentials for
a user which is the member of "OpenVPN Administrators" group
on a victim machine, an attacker might be able to communicate
with the privileged interactive service on a victim machine
and start openvpn processes remotely.
CVE: 2024-24974
Microsoft case number: 85925
Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
Change-Id: I8739c5f127e9ca0683fcdbd099dba9896ae46277
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Heiko Hund <heiko@openvpn.net>
Message-Id: <20240319151723.936-2-lev@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28419.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Update to Node 20 versions of actions to avoid warnings
- Update to current vcpkg
- Update mbedTLS and LibreSSL to latest releases
Change-Id: I1ad6a0b1323ce0872f4a3299c5a9f18a982e0126
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240319154456.2967716-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28422.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Currently, there's a risk associated with allowing plugins to be loaded
from any location. This update ensures plugins are only loaded from a
trusted directory, which is either:
- HKLM\SOFTWARE\OpenVPN\plugin_dir (or if the key is missing,
then HKLM\SOFTWARE\OpenVPN, which is installation directory)
- System directory
Loading from UNC paths is disallowed.
Note: This change affects only Windows environments.
CVE: 2024-27903
Change-Id: I154a4aaad9242c9253a64312a14c5fd2ea95f40d
Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20240319135355.1279-2-lev@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28416.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The licenses are compatible now, so we can remove the warning.
Change-Id: I1879c893ed19b165fd086728fb97951eac251681
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240314185527.26803-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28400.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The systemd unit files for both client and server were referencing
outdated documentation as they were hard-coded to the OpenVPN 2.4.x
release branch.
Github: closesOpenVPN/openvpn#457
Change-Id: Iee289aa5df9ee0e9a03c0dc562e45dd39836e794
Signed-off-by: Christoph Schug <com+github@schug.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240308140346.4058419-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28369.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Our development documentation says we add this
automatically when it is missing. So let's do that
here as well.
Change-Id: If9cb7d66f079fe1c87fcb5b4e59bc887533d77fa
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240308120557.9065-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28362.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Individual tests can define a script to run to test
whether they should be skipped.
Included in this commit is an example check which
checks whether we can do NTLM checks. This fails
e.g. on recent versions of Fedora with mbedTLS
(tested with Fedora 39) or when NTLM support is not
compiled in.
v2:
- ntlm_support:
- support OpenSSL 3
- allow to build without cmocka
v3:
- add example to t_client.rc-sample
- t_client.sh code style
- use syshead.h in error.h
v5:
- rename SKIP_x to CHECK_SKIP_x
Change-Id: I13ea6752c8d102eabcc579e391828c05d5322899
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240308102818.9249-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20240308102818.9249-1-gert@greenie.muc.de
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Probably introduced by copy & paste since there is no
COMP_ALGV2_LZO.
Github: #500
Change-Id: Id6b038c1c0095b2f22033e9dc7090e2507a373ab
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240216123037.3670448-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28251.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Removed if-guard checking if any feature is
enabled before performing per-feature check.
It doesn't save us much but instead introduces
uneeded complexity.
While at it, fixed a typo IMCP -> ICMP for defined
PIPV6_ICMP_NOHOST_CLIENT and PIPV6_ICMP_NOHOST_SERVER
macros.
Fixes: Trac https://community.openvpn.net/openvpn/ticket/269
Change-Id: I4b5e8357d872c920efdb64632e9bce72cebee202
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240307124616.16358-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28345.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Change the default behavior of the OpenVPN configuration
by enabling the persist-key option by default.
This means that all the keys will be kept in memory
across restart.
Trac: #1405
Change-Id: I57f1c2ed42bd9dfd43577238749a9b7f4c1419ff
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Message-Id: <20240307140355.32644-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28347.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
These are mostly redundant with client/server.conf
Let's try to manage to maintain one set of sample
configurations before we branch out further.
Change-Id: I199541fea5a76c8edef7f67d2dbfc476987dc2f7
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20240304161556.2036270-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28316.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commits 7d48d31b, 39619b7f added support for inlining username
and, optionally, password.
Add a description of its usage in the man page.
Github: resolvesOpenVPN/openvpn#370
Change-Id: I7a1765661f7676eeba8016024080fd1026220ced
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20240220175215.2731491-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28284.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Including "ssl.h" conflicts with the wolfSSL ssl.h header file. The openvpn/src directory needs to be included before include/wolfssl. include/wolfssl needs to be included so that openvpn can pick up wolfSSL compatibility headers instead of OpenSSL headers without changing the paths.
src/openvpn/Makefile.am does not need to be modified because AM_CPPFLAGS is placed before AM_CFLAGS in the output Makefile.
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20240212132522.125903-1-juliusz@wolfssl.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28229.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
OpenSSL 3.0 introduced a new API for doing key derivation. So this leaves
us now with three different implementation for 1.0.2, 1.1.x and 3.x.
This was initially done to maybe still have a working TLS 1.0 PRF when
using OpenSSL 3.0 in FIPS but it gives the same error as with the older API.
But since moving to a new API is always good, we use the new API when using
OpenSSL 3.0. We also print the internal OpenSSL error message when
the KDF fails.
This also allows us now to compile an OpenSSL build that has been built with
OPENSSL_NO_MD5. Which is not yet common but might be in the future.
Change-Id: Ic74195a4ed340547c5e862dc2438f95be318c286
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240209110629.15364-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28203.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This is more SSL debug information that most people do not really need
or care about. OpenSSL's own s_client also logs them:
Peer signing digest: SHA256
Peer signature type: ECDSA
The complete message looks like this:
Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, server temp key: 253 bits X25519, peer signing digest/type: SHA256 RSASSA-PSS
or when forcing a specific group via tls-groups X448 with a ECDSA server:
Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 384 bits ECsecp384r1, signature: ecdsa-with-SHA256, server temp key: 448 bits X448, peer signing digest/type: SHA384 ECDSA
Change-Id: Ib5fc0c4b8f164596681ac5ad73002068ec6de1e5
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240209111000.16258-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28206.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This test is reusing code from --test-crypto but is modified to not rely
on the static key functionality and also only tests the most common
algorithm. So it does not yet completely replace --test-crypto
Change-Id: Ifa5ae96165d17b3cae4afc53e844bb34d1610e58
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240208085749.869-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28195.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
It's possible for the buffer we provide for OVPN_GET_PEER_STATS to be
too small. Handle the error, re-allocate a larger buffer and try again
rather than failing.
Signed-off-by: Kristof Provost <kprovost@netgate.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240124152739.28248-1-kprovost@netgate.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28128.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- description of IV_PROTO was outdated, missing a lot
of flags
- complete list of compression flags, but separate them out
- various other style/grammar/typo fixes
Change-Id: I7f854a5a14d2a2a391ebb78a2a92b3e14cfd8be6
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20240206141057.46249-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28178.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
CMakePreset.json is supported since 3.19, but we have a version
3 preset file, so need at least 3.21.
Github: OpenVPN/openvpn#489
Change-Id: I44c555f6ffa08f2aee739c7f687fa3b678c86231
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240201123039.174176-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28160.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Settings the environment variable required for running unit tests is
tiresome in my IDE (Clion). So allow unit tests to fall back to a hard
coded location in case the environment variable is not set.
Change-Id: Ide72b81f497088dd0fd2cdcfff83cbce5b48f145
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240201144817.188884-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28161.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When writing the file specify encoding and newline, so that
the local settings (like locale) do not change the output.
Change-Id: Id7b4bda38adfbb446bdac635ac5d5207ef3f2f40
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240129145756.769-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28153.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
For simplicity I implemented them only with the
inline method, but they actually apply to all methods.
Change-Id: Ie8d2d5f6f58679baaf5eb817a7e2ca1afcb8c4db
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240129105358.11161-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20240129105358.11161-1-gert@greenie.muc.de
Signed-off-by: Gert Doering <gert@greenie.muc.de>
UTs for basic functionality, without management functions.
v2:
- add CMake support
- add GHA support for both MSVC and mingw
v3:
- fix distcheck by adding input/ directory to dist
Change-Id: I193aef06912f01426dd4ac298aadfab97dd75a35
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240127200716.10255-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28138.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
stderr is normally always unbuffered but stdout can be buffered. Especially,
when stdout is redirected it will become buffered while it is normally
unbuffered when connected to a terminal. This mean that if the unit exits
prematurely, the output in the buffered output will be lost.
As the unit test x_msg mock implementation prints even fatal on stdout
we ensure with this setup method that stdout is also unbuffered.
Change-Id: I5c06dc13e9d8ab73997f79b13c30ee8949e5e993
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240123104358.495517-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28122.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
OpenSSL 1.1.1 will initialise itself using clever linker magic. For
OpenSSL 1.0.2 we need to manually initialise the library. For other
unit tests just doing the OpenSSL_add_all_algorithms is enough but
this unit test needs a more complete initialisation.
Change-Id: I378081f391ad755d0a6fd5613de5c2a8bacc389a
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240122130909.10706-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28112.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Previously, when using a third argument to --http-proxy other
than auto/auto-nct, order did matter between --http-proxy and
--http-proxy-user-pass. Always prefer --http-proxy-user-pass
when given.
Change-Id: I6f402db2fb73f1206fbc1139c47d2bf4378376fa
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240122092122.8591-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28099.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
As Coverity says:
An unsigned value can never be negative, so this test will always
evaluate the same way.
Was changed from int to size_t in commit
7fc608da4e which triggered warning,
but the check did not make sense before, either.
Change-Id: I64f094eeb0ca8c3953a94d742adf468faf27dab3
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240119120341.22933-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28093.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commit 21910ebc2e removed
support for NTLMv1 authentication. This adjusts the
behavior for existing configurations that specify
"ntlm" keyword.
Do not error out hard, instead just try to upgrade. This
should work fine in many cases and will avoid breaking
user configs unnecessarily on upgrade.
In addition it fixes an issue with the mentioned patch
where "auto" wasn't working correctly for NTLM anymore.
Change-Id: Iec74e88f86cd15328f993b6cdd0317ebda81563c
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240118151242.12169-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20240118151242.12169-1-gert@greenie.muc.de
Signed-off-by: Gert Doering <gert@greenie.muc.de>
And extend examples section for authenticated HTTP proxies because
is was misleading.
Change-Id: I7a754d0b4a76a9227bf922f65176cd9ec4d7670c
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240118164903.22519-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28083.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
With the reimplementation of the tls-export feature and removal/approval
or being trivial of the rest of the code, now all the code falls under
new license. Remove the conditional text of the license to be only valid
for parts of OpenVPN.
Change-Id: Ia9c5453dc08679ffb73a275ddd4f28095ff1c1f8
Acked-by: dazo <dazo@eurephia.org>
Message-Id: <20240118135530.3911-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28077.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
These are all not actually problems, since the
uninitialized parts are either .unused members of the
struct (mroute_addr) or only written to (buflen), but
still doesn't hurt to explicitely initialize them.
Change-Id: I45cd0917d24570ae9e9db7eb6c370756e4595842
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231008103641.19864-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27157.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
It turned out that symlinking compile_commands.json from the top level
source dir has some issues:
* file is not created on Windows and symlinking may cause an error
* some IDEs create their own json and error out b/c a file exists
Since clangd also looks for the json in build/ directories by default,
we now symlink the whole build directory instead, not just the json file.
This approach requires for the existing build/ dir in the repo to
vanish. Luckily it only contains one automake include file, which is
moved to the top level source dir.
Lastly, make this an opt-in feature, so that the default configuration
of the buildsystem never causes a build failure because of this.
Change-Id: Ib1a5c788269949d8de95d1da2cb0c32a65bf13f2
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240117134929.5317-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28061.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
With NTLMv2 the target information buffer can be rather large
even with normal domain setups.
In my test setup it was 152 bytes starting at offset 71.
Overall the base64 encode phase 2 response was 300 byte long.
The linked documentation has 98 bytes at offset 60. 128 byte
is clearly too low.
While here improve the error messaging, so that if the buffer
is too small at least one can determine that in the log.
Change-Id: Iefa4930cb1e8c4135056a17ceb4283fc13cc75c8
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240117090840.32621-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28040.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Especially ntlmv2_response can be very big, so make sure
we not do exceed the size of the phase3 buffer.
Change-Id: Icea931d29e3e504e23e045539b21013b42172664
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240117085951.27414-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28037.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This introduces a number of mock function to be able to compile
ssl_verify_*.c and ssl_mbedtls.c/ssl_openssl.c into a unit and adds
quite a number of files to that unit. But it allows similar unit tests
(in term of dependencies) to be added in the future.
Change-Id: Ie248d35d063bb6878f3dd42840c77ba0d6fa3381
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240116214152.27316-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28028.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Currently we only apply the defines for windows APIs and Unicode to
OpenVPN itself. We should rather treat the unit tests the same as
our main binary to reduce potential differences.
Change-Id: Ie5aa643ab6190262f7c8b9e614bedb398e85859b
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240116131831.31217-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28019.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This is a re-implementation of the --tls-export-cert feature. This
was necessary to due to missing approval to re-license the old
(now removed) code. The re-implementation is based on the following
description of the feature provided by David:
Add an option to export certificate in PEM format of the remote
peer to a given directory.
For example: --tls-export-cert /var/tmp
This option should use a randomised filename, which is provided via a
"peer_cert" environment variable for the --tls-verify script or the
OPENVPN_PLUGIN_TLS_VERIFY plug-in hook.
Once the script or plugin call has completed, OpenVPN should delete
this file.
Change-Id: Ia9b3f1813d2d0d492d17c87348b4cebd0bf19ce2
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240116101556.2257-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28014.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Currently we only warn in get_tmp_dir fails and set o->tmp_dir to
a null pointer. This will not be caught by check_file_access_chroot
either since that ignores NULL pointers but other parts of OpenVPN
will assume that tmp_dir is set to a non-NULL string.
Also move get_tmp_dir to win32-util.c to use it in unit tests.
Change-Id: I525ccf7872880367b248ebebb0ddc83551498042
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240108171349.15871-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27964.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
We have D_ROUTE for route addition/deletion messages, which prints at
loglevel 3. Use that for IPv6, like we do for IPv4 to reduce terminal
spam for non-legacy-networking setups. Prvious code would print the
messages at --verb 1.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240105135742.21174-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27954.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Make sure we get to see the test-suite.log on
failure.
Change-Id: Ie44a4b750605c4cc3ac1f75e1fa5ab85804ffa71
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240105142340.25735-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27943.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Users seem to struggle to read the full error message. This adds an
indication if pkg-config is actually found to the warning/error message
that use pkg-config.
On platforms that do not require pkg-config and for optional libraries,
the existence of pkg-config is mentioned as part of the error/warning message.
When found:
configure: error: libnl-genl-3.0 package not found or too old. Is the development package and pkg-config (/usr/bin/pkg-config) installed? Must be version 3.4.0 or newer for DCO
not found:
configure: error: libnl-genl-3.0 package not found or too old. Is the development package and pkg-config (not found) installed? Must be version 3.4.0 or newer for DCO
On platforms where pkg-config is required (only Linux at the moment),
configure will abort when not detecting pkg-config:
checking for pkg-config... no
configure: error: pkg-config is required
Change-Id: Iebaa35a23e217a4cd7739af229cbfc08a3d8854a
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20240105140540.14757-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27939.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
We now warn a user if the TLS 1.0 PRF is not supported by the cryptographic
library of the system. Also add the option --force-tls-key-material-export
that automatically rejects clients that do not support TLS Keying Material
Export and automatically enable it when TLS 1.0 PRF support is not available.
Change-Id: I04f8c7c413e7cb62c726262feee6ca89c7e86c70
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240104140214.32196-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27924.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
