Our man page was missing the information that the life time of the
auth-token also depends on the reneg-sec
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200326172332.2356-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19620.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
sizeof for a constant string return the size including the null byte.
For copying the session id this meant that we do not copy the first
byte. This made the session id reported to the external authenticator
one byte shorter than it was intended to be.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200326172332.2356-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19622.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Now that the whole inline logic has been converted to using bool flags,
the INLINE_FILE_TAG constant is not useful anymore.
Get rid of the constant as it's now unused and to prevent any future
developer from mistakenly use it again.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200508212356.18522-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19863.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The inline logic was recently changed by commit
("convert *_inline attributes to bool"), however the code testing a
newly created tls-crypt-v2 client key was not adapted.
Adapt tls-crypt-v2 test routine by properly signaling when the passed
key is inlined or not.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20200510140017.16837-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19870.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
With commit ("convert *_inline attributes to bool") the logic for
signaling when a certain option is inline has been changed.
Due to an overlook, the auth-gen-token-secret was not converted, thus
making it impossible to be inlined.
Fix parsing logic and allow auth-gen-token-secret to be inlined as well.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20200508211434.27545-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19862.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commit cb2e9218f2 re-factored the internal file handling, but
somehow overlooked the --tls-crypt-v2 option processing. It was no
longer possible to load a configuration file with this key file inlined.
There where two issues here. First was that the OPT_P_INLINE flag was
not set, so the option parser rejected --tls-crypt-v2 as inline capable.
Second issue was that the 'streq(p[1], INLINE_FILE_TAG)' check makes no
longer sense, as at this point p[1] contains the file contents. Instead
use the is_inline flag.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200508114411.15762-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19859.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
A configuration file using --persist-key and with inlined --tls-auth or
--tls-crypt files was failing in check_file_access(). The file argument
to check_file_access() contained the key file and not the file name.
This was because check_file_access_inline() which calls
check_file_access() if the file is not inlined was told the file was not
an inline file.
The reason the check_file_access_inline() was misled was due to a prior
option_postprocess_mutate() call puts these key files into a connection
block entry in option_postprocess_mutate_ce(). OpenVPN was modified a
long while ago to always use connection blocks in the option structure
for simplicity. So the "root" key files would be transferred into a
connection entry in this method.
When --persist-key is used, option_postprocess_mutate_ce() will load the
key file and "convert" the option into an inline option. But in
commit cb2e9218f2 this logic had lost the "inline indicator". The
result was that the connection entry had the key file content stored in
the object but was "tagged" as a normal file (name) not an inline file.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200508114243.15532-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19858.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
After some discussion among the core community developers [1,2], it was
decided to remove the possibility to build openvpn as a pure client.
This was alterted on the mailing list [3] that it was scheduled for
removal unless anyone had strong arguments why it was needed.
The general consensus was that we had not received any strong arguments
to keep this possibility after approximately 5 months, so it was fine to
remove this ./configure option.
By removing this, we remove quite some entangled sections of #ifdef
scattered all over the code base, making it more readable.
One note:
Inside the options_postprocess_mutate_invariant() function,
the #ifdef P2MP_SERVER and #ifdef _WIN32 blocks where slightly
reworked to make the _WIN32 block more continous and avoiding having an
empty if(options->mode == MODE_SERVER) block.
Signed-off-by: David Sommerseth <davids@openvpn.net>
[1]
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18830.h
tml
[2]
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19505.h
tml
[3]
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18829.h
tml
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20200227205443.27562-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19506.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Carrying around the INLINE_TAG is not really efficient,
because it requires a strcmp() to be performed every
time we want to understand if the data is stored inline
or not.
Convert all the *_inline attributes to bool to make the
logic easier and checks more efficient.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20200507135909.21227-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19854.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Apply uncrustify 0.70.1 (FreeBSD port) with our rules to that part
of the tree, which followed a more compact coding style so far.
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20200426095402.65047-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19823.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
In the corner case that the global OpenSSL has an invalid command like
MinProtocol = TLSv1.0
(due to OpenSSL's idiosyncrasies MinProtocol = TLSv1 would be correct)
the SSL_ctx_new function leaves the errors for parsing the config file
on the stack.
OpenSSL: error:14187180:SSL routines:ssl_do_config:bad value
Since the later functions, especially the one of loading the
certificates expected a clean error this error got reported at the
wrong place.
Print the warnings with crypto_msg when we detect that we are in this
situation (this also clears the stack).
Debian Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=958296
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200421101122.24284-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19802.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When invoking openvpn as standalone with the --genkey
argument, options_postprocess() is not called at all
because do_genkey() takes over the execution earlier.
For this reason, checking the --genkey argument in
options_postprocess_filechecks() is a no-op.
Geti rid of the bogus check altogether.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200420102102.20981-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19795.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
After the last big formatting patch a number of changes have been
commited that do not conform with our style/uncrustify config. This
has lead to the problem that running uncrustify on before sending
PR some of the changes made by uncrustify need to be backed out again.
To bring everything back to the agreed upon style, run uncrustify once
more. Uncrustify version used:
Uncrustify-0.70.1_f
I double checked the result by running uncrustify (Uncrustify-0.69.0_f)
from Ubuntu focal/20.04 which does not do any further changes and
uncrustify 0.66.1_f from Ubuntu bionic/18.04
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200416113930.15192-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19750.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
These are small manual changes that are done to improve the code
style and also make the result of uncrustify better without mixing
manual changes/automatic changes into a single commit.
- Make prototype and function identical for gc_addspecial. Also fixes
uncrustify misparsing the embedded function pointer decleration
- Disallow uncrustify to reformat link_socket_init_phase1, which it
messes up
- Format the the parameters of a call of mbedtls_ssl_tls_prf to
be more inline with the rest of our function calls with multiple
arguments
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200416113930.15192-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19748.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The tun interface has proved to be a bit fragile for basic netlink tests
as it may introduce delays in switching state, depending on the system
the test is ran on.
For this reason, switch to dummy interface type and at the same type
set its oper-state to up right after creation to avoid hitting the
no-carrier state later. No-carrier has been problematic in pasts tests
as it sometimes persists long enough to create a discrepancy between the
various tests snapshots thus causing a test failure.
Setting a static MAC addressis also re-enabled to avoid it being
different and thus causing a test failure when comparing snapshots.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200416134925.8848-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19751.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The logic is to treat EEXIST as non-error because it means that the
address/soute we wanted to install already exists, therefore we can
move on and not fail.
However, this logic is currently based on checking errno == EEXIST.
This is wrong, because sitnl_send() does not set errno, but returns the
error directly as negative value.
Fix this issue by directly comparing the the return value with -EEXIST.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200418094350.26349-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19777.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The is_tun_p2p() function can return false for both TAP or TUN
interfaces (under certain conditions), therefore we should not
assume any TUN/TAP type when printing related messages.
Remove reference to TUN/TAP when printing messages under conditions
based on is_tun_p2p().
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200418013123.22551-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19775.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The err->errno value reported by netlink is already negative.
Prepending ierr->errno with '-' when forwarding it to
the caller results in a positive value and thus not
detected as error.
Fix error handling in sitnl by not negating the sign of
the value returned by sitnl_send() in case of generic error.
While at it, print the errno in decimal form along with
its string represenation.
Reported-by: Richard Bonhomme <tincanteksup@gmail.com>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200418011849.382-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19773.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
There is a time frame between allocating peer-id and initializing data
channel key (which is performed on receiving push request or on async
push-reply) in which the existing peer-id float checks do not work right.
If a "rogue" data channel packet arrives during that time frame from
another address and with same peer-id, this would cause client to float
to that new address. This is because:
- tls_pre_decrypt() sets packet length to zero if
data channel key has not been initialized, which leads to
- openvpn_decrypt() returns true if packet length is zero,
which leads to
- process_incoming_link_part1() returns true, which
calls multi_process_float(), which commits float
Note that problem doesn't happen when data channel key is initialized,
since in this case openvpn_decrypt() returns false.
The net effect of this behaviour is that the VPN session for the
"victim client" is broken. Since the "attacker client" does not have
suitable keys, it can not inject or steal VPN traffic from the other
session. The time window is small and it can not be used to attack
a specific client's session, unless some other way is found to make it
disconnect and reconnect first.
CVE-2020-11810 has been assigned to acknowledge this risk.
Fix illegal float by adding buffer length check ("is this packet still
considered valid") before calling multi_process_float().
Trac: #1272
CVE: 2020-11810
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200415073017.22839-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19720.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
With NCP and deferred auth, we perform cipher negotiation and generate
data channel keys on incoming push request, assuming that auth succeeded.
With async push, when auth succeeds in between push requests, we send
push reply immediately.
The code which generates data channel keys is only called on handling
incoming push requests (incoming_push_message). It might not be called
with NCP, deferred auth and async push, because on incoming push request,
auth might not be complete yet. When auth is complete in between push
requests, push reply is sent and it is assumed that connection is
established. However, since data channel keys are not generated on the
server side, connection doesn't work.
Fix by adding a call to generate data channel keys when async push is
triggered.
Also, all the "session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized"
checks have been moved into tls_session_update_crypto_params(), which
is just reducing duplicate code, no actual code change (*all* callers
had this pre-check).
Trac: #1259
Reported-by: smaxfield@duosecurity.com
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200313165913.12682-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19553.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commit 8a01147ff attempted to avoid calling the deprecated/noop
operation SSL_CTX_set_ecdh_auto by surrounding it with #ifdef.
Unfortunately, that change also made the return; that would exit
the function no longer being compiled when using OpenSSL 1.1.0+.
As consequence OpenVPN with OpenSSL 1.1.0+ would always set
secp384r1 as ecdh curve unless otherwise specified by ecdh
This patch restores the correct/previous behaviour.
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200328040858.16505-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19630.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lack of this led people accepting multiple CAs to use capath,
which already supports multiple CRLs. But capath mode itself
is somewhat ugly: you have to create new file/symlink every time
CRL is updated, and there's no good way to clean them up without
restarting OpenVPN, since any gap in the sequence would cause it
to lose sync (see trac 623).
mbedtls crypto backend already loads multiple CRLs as is, so
it doesn't need this fix.
The patch also includes some logging changes which I think are useful.
Trac: #623
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20200407174436.238933-1-wgh@torlan.ru>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19710.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Instead of writing at the end of the metadata buffer, the decoded
base64 data overwrites the opcode as BPTR points to the beginning
of the buffer and not the current position. Replace with BEND to
fix this off-by-one
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20200403090944.17726-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19695.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(if available).
When only username is found in the file, redirect the auth-user-pass
query to the management interface if management-query-passwords is
enabled. Otherwise the user is prompted on console, if available,
as before.
This changes the behaviour for those who run from the command line,
with --management-query-passwords, but still expect the prompt
on the console.
Note that the management interface will prompt for both username and
password ignoring the username read from the file. As most GUIs can
save the the username, this is a one-time inconvenience.
Currently, the password is queried on the console (or systemd)
in such cases. This is not sensible when console is not available
(windows GUI, tunnelblick etc.) or when the log is redirected
to a file on Windows (for some reason prompt goes to the log file).
Trac # 757
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1585591527-23734-2-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19655.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This helps the next patch. No functionality changes, only
refactoring.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1585591527-23734-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19656.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commit f67efa94 exposed that tls_ctx_add_extra_certs will always leave
an error of PEM_R_NO_START_LINE on the stack that will printed the next
time that the error is printed.
Fix this by discarding this error. Also clean up the logic to report
real error on other errors and also the no start line error if no
certificate can be found at all and it is required (--extra-certs
config option)
Patch V2: fix optional flag was flipped betwen --cert and --extra-certs
Patch V3: Make logic more easy to follow, no functional changes
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200402103821.10347-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19685.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When provisioning IP configuration, we shall not ask what kind of
adapter this is. Rather, we should ask what method of provisioning we
are configured to use.
It is options.c's job to rule out invalid combinations.
- do_ifconfig_ipv4(): unify the workflow with its IPv6 counterpart
No need to distinguish Wintun and TAP-Windows6 here. This also fixes
an issue with --windows-driver wintun overriding --ip-win32 manual,
the later being perfectly fine choice for Wintun too.
- open_tun(), tuntap_post_open(), tuntap_set_ip_addr(): unify Wintun and
TAP-Windows6 workflow. This allows allows --ip-win32 ipapi now.
- close_tun() the cleanup has been revised to match the ifconfig
workflow in reverse.
Signed-off-by: Simon Rozman <simon@rozman.si>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20200314125801.1031-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19560.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
New versions are already available as source/old but old version at
some point disappear from the normal download path. Use the source/old
path for all OpenSSL versions to avoid this problem.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20200401124019.10529-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20200401124019.10529-1-arne@rfc2549.org
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When a client disconnects from a server compiled with mbedTLS, the server
cannot process the PUSH_REQUEST from a new connection with the same client
IP and port number. This is the case when the client binds to a static
port.
This behavior is initiated by move_session(), which copies the content of
the
tls_session to a new session and re-initializes the old session once the
new
session is authenticated.
This tls_session contains, among other things, an mbedtls_ssl_config and
bio_ctx structure. However, the mbedtls context has internal pointers to
the
mbedtls_ssl_config and bio_ctx. When the session is moved, these internal
pointers point to the reinitialized session and as a result all received
packets that are stored in the bio_ctx of the moved session can never be
read
by the mbedtls session. The PUSH_REQUEST is therefore never seen by the
server.
Since there is no public method to update these internal pointers, this
patch dynamically allocates the mbedtls_ssl_config and bio_ctx and stores
the pointers to those structures in the tls_session instead.
Trac #880
Signed-off-by: Tom van Leeuwen <tom.van.leeuwen@technolution.eu>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20200331071437.12708-1-tom.van.leeuwen@technolution.nl>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19661.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This is probably the best description of the rather confusing
capath directory structure OpenSSL manual has to offer.
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20200325122624.3142017-1-wgh@torlan.ru>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19615.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
TAP-Windows6 adapters created with tapinstall/devcon.exe have hardware
ID "tap0901", where TAP-Windows6 adapters created with tapctl.exe have
hardware ID "root\\tap0901".
The enumeration of the network adapters have been extended to detect
adapters using a list of acceptable hardware IDs.
Signed-off-by: Simon Rozman <simon@rozman.si>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20200310104022.431-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19542.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
1. We don't need two custom actions to evaluate the system state, do we?
2. FindTUNTAPAdapters was actually broken. It enumerated all existing
network adapters, rather than just the ones we are interested in:
TAP-Windows6 and Wintun.
3. TUNTAPADAPTER and ACTIVETUNTAPADAPTERS were split into
TAPWINDOWS6ADAPTERS, ACTIVETAPWINDOWS6ADAPTERS, WINTUNADAPTERS and
ACTIVEWINTUNADAPTERS to allow finer control.
Signed-off-by: Simon Rozman <simon@rozman.si>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20200309131728.380-11-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19531.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
In scenarios of mbed TLS vs OpenSSL we already normalise the ciphers
that are send via the wire protocol via OCC to not have a mismatch
warning between server and client. This is done by
translate_cipher_name_from_openvpn. The same applies also to the
ncp-ciphers list. Specifying non normalised names in ncp-ciphers will
cause negotation not to succeed if ciphers are not in the same form.
Therefore we will normalise the ciphers in options_postmutate.
The alternative and a lot less user friendly alternative would be to
bail if on of the ciphers in ncp-ciphers is not in its normalised form.
Also restrict the ncp-ciphers list to 127. This is somewhat arbitrary
but should prevent too large IV_CIPHER messages and problems sending
those. The server will accept also large IV_CIPHER values from clients.
Patch V2: Correct comment about normalising ciphers
Patch V3: Correct #ifdef statement
Patch V5: Fix tests with OpenSSL 1.0.2 and libraries missing Chacha
Patch V6: Fix unit tests for mbed tls, which recognises ChaCha20-Poly1305
only when used with all uppercase, fix missing space in message
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20200312113654.16184-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19546.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Clear error stack on successful certificate loading in
tls_ctx_load_cert_file_and_copy() and handle errors also for
PEM_read_bio_PrivateKey() call in tls_ctx_load_priv_file().
Due to certificate loading possibly leaking non-fatal errors on OpenSSL
error stack, and some slight oversights in error handling, the
>PASSWORD:Verification Failed: 'Private Key'
line was never produced on the management channel for PEM formatted keys.
Signed-off-by: Santtu Lakkala <santtu.lakkala@jolla.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20191021113506.30377-1-santtu.lakkala@jolla.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18953.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
as described on https://docs.travis-ci.com/user/multi-cpu-architectures
travis-ci
now supports amd64, ppcle, arm64, s390 architectures. Add arm64 and s390x.
travis-ci images were upgraded to bionic.
"sudo" is deprecated, let us remove it, also "matrix" is deprecated in
favour of "jobs".
LD_LIBRARY_PATH was replaced by using "rpath" in LDFLAGS, which is more
elegant way of linking.
also, dependencies were upgraded to the latest versions.
travis_wait was added for long openssl builds.
cmocka was added to linux and osx builds.
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20200322123521.17710-1-chipitsine@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19574.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
tap_create_adapter() and tap_list_adapter() no longer default to
"root\tap0901". Defining a default hardware ID value is at the
responsibility of upper layers that process user desires.
Since the tap_list_adapter() no longer defaults the hardware ID to
anything, its behavior was simplified to return all existing
adapters when a NULL hardware ID is specified.
Signed-off-by: Simon Rozman <simon@rozman.si>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20200309131728.380-10-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19524.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The function and property names that are common to TAP and TUN from
TAP-Windows6 and TUN from Wintun were renamed not to make the now
mainstream TUN sad.
I would have go with just the "adapter". But, wouldn't that cause
confusion when user sees "Deleting adapters" when uninstalling the
OpenVPN?
Internal variable names were simplified thou to omit the TUN/TAP
referencing.
Signed-off-by: Simon Rozman <simon@rozman.si>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20200309131728.380-8-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19526.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Interface is not equal to adapter. A quote from Microsoft documentation:
> There is a one-to-one correspondence between the interfaces and
> adapters on a given computer. An interface is an IP-level abstraction,
> whereas an adapter is a datalink-level abstraction.
As tapctl and openvpnmsica are all about managing network adapters on
Windows computers, the terminology has been updated.
Signed-off-by: Simon Rozman <simon@rozman.si>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20200309131728.380-7-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19529.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Sequence scripts in temporary files has been discontinued in favor of
much simpler sequence strings passed to individual custom actions.
Pros: no temporary files; less code
Cons: the evaluation phase must make a complete plan what to perform in
each deferred custom action
Signed-off-by: Simon Rozman <simon@rozman.si>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20200309131728.380-5-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19523.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This option can be used in FreedBSD with devel/libinotify installed.
Detect presence of libinotify with pkgconf and use its word
to compile and link.
Trac: #1256
Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200314052906.28095-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/search?l=mid&q=20200314052906.28095-1-lstipakov@gmail.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The IPv6 interface network route should be setup as soon as possible
after the interface address is set. Actually, all routes should be added
before DNS servers are configured. This would allow Windows to validate
DNS servers properly instead of shutting the validation off.
The cleanup order has been changed to match reverse order of ifconfig.
An additional check was added to skip the cleanup when --ip-win32 is set
to manual.
Signed-off-by: Simon Rozman <simon@rozman.si>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20200310094822.588-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19541.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commit 509c45f has factored out code blocks of open_tun()
into separate functions and introduced "use after free" bug:
Variable "device_guid" is allocated inside tun_open_device()
function and used outside of it. Allocation happens with
local gc_arena, which is freed at the end of tun_open_device(),
making futher access to "device_guid" invalid.
Fix by ensuring that gc_arena scope covers all access to "device_guid".
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Simon Rozman <simon@rozman.si>
Message-Id: <20200312060829.19468-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19547.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When adding IPv4 DNS servers without interactive service use
"validate=no", on Windows 7 and higher, to skip time consuming automatic
address validation, that is on by default.
Fix uses adapted code from commit 786e06a
Signed-off-by: Domagoj Pensa <domagoj@pensa.hr>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20200205124615.15758-2-domagoj@pensa.hr>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19355.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>