The libnv check doesn't work as expected on FreeBSD 14.x, because
FreeBSD has namespaced libnv to avoid conflicts with libnvpair.
This means that the naive check generated by AC_CHECK_LIB() fails to
detect libnv even though it's present.
Instead check for the if_ovpn.h header. This is a more accurate check
anyway, as libnv is present on FreeBSD versions prior to 14 (which do
not support DCO).
Signed-off-by: Kristof Provost <kprovost@netgate.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230301091848.80760-1-kprovost@netgate.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26314.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Very low values for 'fragment' can result in a division by zero in
optimal_fragment_size() (because it rounds max_frag_size down with
FRAG_SIZE_ROUND_MASK).
Enforce a minimal fragment size of 68 bytes, based on RFC 791 ("Every
internet module must be able to forward a datagram of 68 octets without
further fragmentation.")
Signed-off-by: Kristof Provost <kprovost@netgate.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230301091851.82243-1-kprovost@netgate.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26313.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
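The division-by-zero path described in the fragment commit above, as an added illustration in C that is not OpenVPN's code: the rounding mask, the fragment-count arithmetic and the 68-byte floor are modelled here on the commit message, and the mask value (low two bits cleared) is an assumption, not OpenVPN's actual FRAG_SIZE_ROUND_MASK definition.

```c
#include <stdbool.h>
#include <stdio.h>

/* Illustrative values, not OpenVPN's own definitions: a fragment size is
 * rounded down to a multiple of 4 by masking off its low two bits. */
#define FRAG_SIZE_ROUND_SHIFT 2
#define FRAG_SIZE_ROUND_MASK (~((1 << FRAG_SIZE_ROUND_SHIFT) - 1))

/* Minimum datagram every IPv4 module must forward unfragmented (RFC 791). */
#define MIN_FRAGMENT_SIZE 68

/* Rounded-down fragment size as a naive implementation computes it.
 * For max_frag_size < 4 the mask leaves nothing and this returns 0. */
int aligned_frag_size(int max_frag_size)
{
    return max_frag_size & FRAG_SIZE_ROUND_MASK;
}

/* Fragments needed for 'len' bytes, dividing by the aligned size.
 * Returns -1 instead of dividing when the aligned size is 0, which is
 * exactly the case a tiny --fragment value produces. */
int fragment_count(int len, int max_frag_size)
{
    int mfs_aligned = aligned_frag_size(max_frag_size);
    if (mfs_aligned <= 0)
    {
        return -1; /* would otherwise be a division by zero */
    }
    return (len + mfs_aligned - 1) / mfs_aligned;
}

/* Option validation: reject fragment sizes below the RFC 791 floor before
 * they can reach the arithmetic above. */
bool fragment_option_valid(int fragment)
{
    return fragment >= MIN_FRAGMENT_SIZE;
}

int main(void)
{
    int sizes[] = { 3, 67, 68, 1400 };
    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++)
    {
        int s = sizes[i];
        printf("--fragment %d: %s (aligned=%d, fragments for 1500 bytes=%d)\n",
               s, fragment_option_valid(s) ? "accepted" : "rejected (< 68)",
               aligned_frag_size(s), fragment_count(1500, s));
    }
    return 0;
}
```

The check belongs at option-parsing time: once the value is below 68 it is rejected outright, so the rounding can never reach zero in the hot path.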
The current casting triggers a warning on 32bit:
init.c:1842:66: error: cast from pointer to integer of different size
[-Werror=pointer-to-int-cast]
Use the proper printf format specifier for printing a pointer, avoiding
the cast altogether.
In options.c use a cast to intptr_t before converting to a handle to
avoid having to ifdef atoll/atol for 32/64 bit.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20230214134323.1033590-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26255.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This log message is printed within check_tls(),
which is called by pre_select(), which is called
on every iteration of event loop.
When management is attached (and doesn't use own event loop),
this message sets management state to "wait write",
which arms event loop. When on the next iteration iowait
returns with "management write event is set", we call
pre_select() and print that message again, causing the loop.
Fix by simply removing this log message.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20230217122156.541-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26284.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
With this change we extend the text exposed to people opening a bug in
the OpenVPN project.
Hopefully they will read and immediately understand that GH is not the
right place to report issues about commercial products.
Change-Id: Idd039612698a6b08f9544450885d1a5f77fd95c6
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230226213420.21201-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26305.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Make consistent with the other options.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230206130846.63415-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26156.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
On Linux those functions actually take void pointer,
so no behavior change there. On Windows, we avoid
warnings about unsigned char vs char.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230203191440.136050-6-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26144.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Though named cryptoapi_testdriver, right now this only tests
parsing of thumbprint specified as a selector for --cryptoapicert
option. More tests coming..
v2: a line that belongs here was mistakenly included in the previous
commit. Corrected.
v3: add to list of tests run in github actions
v4: - correct comment above invalid strings (copy paste error)
- make invalid strings differ from correct value only in the
explicitly introduced invalid characters/separators (one had
two distinct errors which is not a robust test).
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230214200804.600405-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26268.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Automatically disabled when
- iproute2 is enabled
(Don't want to force people specifying --disable-dco explicitly)
- libnv is missing on FreeBSD
(FreeBSD version too old anyway)
Will still error out if libnl-genl is missing on Linux to
make people aware of new dependency.
v2: error out when libnl-genl is missing as discussed with ordex on
IRC.
v3:
- improvements to the messages, suggested by Selva
- further improvements to the default specification, trying to make it clear
- if enabling iproute2, do not test for libnl-genl
v4: add updates for GHA
v5:
- v4 was missing the changes of v3. v5 combines the changes from v3 and v4
- fix build failure GHA/ubuntu1804/mbedtls
- fix build failure GHA/ubuntu2204/libressl
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20230215162654.52137-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26272.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
DCO doesn't support proxy and we already disable DCO
if proxy is set in profile.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20230220090601.983-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26287.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The Android implementation is relying on the management interface to be
always available. Trying to run the Android binary without the management
interface outside the app leads to a segfault. Exit with a FATAL error
instead.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230220131424.1749736-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26288.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Certificate selection string can now specify a partial
issuer name string as "--cryptoapicert ISSUER:<string>" where
<string> is matched as a substring of the issuer (CA) name in
the certificate.
Partial case-insensitive matching against the "issuer name" is
used. Here "issuer name" is a text representation of the RDN's
separated by commas.
E.g., "CA, Ontario, Toronto, Acme Inc., IT, Acme Root CA".
See MSDN docs on CertFindCertificateInStore() with CERT_FIND_ISSUER_STR
as "FindType" for more details.
As the order of RDN's is not well-defined[*] and type names like "OU"
or "CN" are not included, it's best to match against a single attribute
like the CN of the issuer:
E.g., --cryptoapicert "ISSUER:Acme Root"
[*] Windows appears to order RDN's in the reverse order to which
it's written in the certificate but do not rely on this.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230128223421.2207802-2-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26092.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
v2: Moved the "parse_hexstring" chunk to a function for clarity
and to permit unit-testing.
A test is submitted as a follow up patch.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230204004322.250210-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26146.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
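The two cryptoapi commits above describe a thumbprint selector parser and its unit test (invalid strings that differ from a correct value in exactly one introduced character or separator). The following is an added illustration in C, not OpenVPN's parse_hexstring(): the accepted separators (':' and space), the odd-nibble rule and the sample thumbprint are constructed assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define SHA1_LEN 20

/* Illustrative parser. Accepts hex digits optionally separated by ':' or
 * spaces between bytes ("bc:04:..." or "bc 04 ..."). Returns the number of
 * bytes written, or -1 on an invalid character, a separator splitting a
 * byte, an odd digit count, or more bytes than 'out' can hold. */
int parse_hexstring(const char *str, unsigned char *out, size_t outlen)
{
    size_t n = 0;
    int hi = -1; /* pending high nibble, -1 when none */
    for (const char *p = str; *p; p++)
    {
        unsigned char c = (unsigned char)*p;
        if (c == ':' || c == ' ')
        {
            if (hi != -1) return -1; /* "a:b" splits a byte */
            continue;
        }
        if (!isxdigit(c)) return -1;
        int v = isdigit(c) ? c - '0' : tolower(c) - 'a' + 10;
        if (hi == -1) { hi = v; continue; }
        if (n >= outlen) return -1;
        out[n++] = (unsigned char)((hi << 4) | v);
        hi = -1;
    }
    return hi == -1 ? (int)n : -1; /* trailing lone nibble is an error */
}

/* A thumbprint selector is usable only if it parses to exactly 20 bytes. */
bool thumbprint_valid(const char *str)
{
    unsigned char buf[SHA1_LEN];
    return parse_hexstring(str, buf, sizeof buf) == SHA1_LEN;
}

/* Constructed sample thumbprint (not a real certificate's). */
static const char *GOOD = "4f:2b:93:a1:00:ff:1e:5d:7c:88:0a:b3:c4:d5:e6:f7:08:19:2a:3b";

int main(void)
{
    /* Each invalid string differs from GOOD by one introduced defect. */
    const char *cases[] = {
        GOOD,
        "4f:2b:93:a1:00:ff:1e:5d:7c:88:0a:b3:c4:d5:e6:f7:08:19:2a:3g", /* bad digit */
        "4f:2b:93:a1:00:ff:1e:5d:7c:88:0a:b3:c4:d5:e6:f7:08:19:2a:3",  /* odd nibble */
        "4f:2b:93:a1:00:ff:1e:5d:7c:88:0a:b3:c4:d5:e6:f7:08:19:2a:3b:00", /* too long */
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
    {
        printf("%s -> %s\n", cases[i], thumbprint_valid(cases[i]) ? "valid" : "rejected");
    }
    return 0;
}
```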
- Require xkey-provider (thus OpenSSL 3.01+) for --cryptoapicert
Note:
Ideally we should also make ENABLE_CRYPTOAPI conditional
on HAVE_XKEY_PROVIDER but that looks hard unless we can agree
to move HAVE_XKEY_PROVIDER to configure/config.h.
v2: use "binary" instead of "version" in the error message
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230201230340.2268781-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26131.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- With various ways of specifying the selector-string to the
"--cryptoapicert" option, it's not immediately obvious
which certificate gets selected from the store. Log it.
The "name" logged is a friendly name (if present), or a
representative element of the subject (usually the common-name).
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230128223421.2207802-3-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26093.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Newer OpenVPN 3 core versions now allow limited configuration of ciphers:
// Allow usage of legacy (cipher) algorithm that are no longer
// considered safe
// This includes BF-CBC, single DES and RC2 private key encryption.
// With OpenSSL 3.0 this also instructs OpenSSL to load the legacy
// provider.
bool enableLegacyAlgorithms = false;
// By default modern OpenVPN version (OpenVPN 2.6 and OpenVPN core
// 3.7) will only allow preferred algorithms (AES-GCM,
// Chacha20-Poly1305) that also work with the newer DCO
// implementations. If this is enabled, we fall back to allowing all
// algorithms (if these are supported by the crypto library)
bool enableNonPreferredDCAlgorithms = false;
Adjust the man page section accordingly but only really mention the AEAD
ciphers to be always present and that they should be included in the
data-ciphers option.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230210142712.572303-7-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26226.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This runs each test in its own action since order of stderr and stdout
is seemingly random in github action Windows output and this way at least
tests outputs are grouped by test
Patch v2: use -static-libgcc to avoid comping gcc runtime libraries.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20230209163705.466173-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26204.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Socket is a handle on Windows, which is usually logged in hex.
Also an interesting value is INVALID_SOCKET, which is ~0.
PRIuPTR prints decimals, and for INVALID_SOCKET it prints something like
2023-02-10 14:45:21 us=906000 write to TUN/TAP : Järjestelmäkutsulle
annettu data-alue on liian pieni. (fd=18446744073709551615,code=122)
PRIxPTR prints hex, and INVALID_SOCKET looks a bit nicer:
2023-02-10 15:17:11 us=828000 write to TUN/TAP : Järjestelmäkutsulle
annettu data-alue on liian pieni. (fd=ffffffffffffffff,code=122)
Reported-by: Selva Nair <selva.nair@gmail.com>
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20230210133159.1336-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26220.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
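Two commits above deal with the same portability issue: the 32-bit pointer-cast warning (fixed by using the proper pointer format specifier and an intptr_t-width conversion instead of atol/atoll) and the socket handle that reads better in hex because INVALID_SOCKET is ~0. The following is an added example in C and not OpenVPN's code; the handle_t typedef and INVALID_HANDLE constant are constructed stand-ins for the Windows SOCKET type and INVALID_SOCKET.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a Windows SOCKET handle; INVALID_SOCKET is ~0. */
typedef uintptr_t handle_t;
#define INVALID_HANDLE ((handle_t)~(uintptr_t)0)

/* Decimal rendering (PRIuPTR): the invalid handle shows up as
 * 18446744073709551615 on 64-bit targets, hard to recognise in a log. */
int handle_to_dec(handle_t h, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%" PRIuPTR, (uintptr_t)h);
}

/* Hex rendering (PRIxPTR): the same value becomes ffffffffffffffff
 * (ffffffff on 32-bit), immediately readable as "all ones". */
int handle_to_hex(handle_t h, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%" PRIxPTR, (uintptr_t)h);
}

/* Logging a pointer: %p takes the pointer directly, so no cast to an
 * integer of a possibly different width is needed and no
 * -Wpointer-to-int-cast warning is produced on 32-bit builds. */
int pointer_to_str(const void *p, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%p", p);
}

/* Converting a numeric string back into a handle without ifdef'ing
 * atol/atoll for 32/64-bit: strtoumax is wide enough on both, and the
 * cast to the pointer-width integer narrows it to the platform's handle. */
handle_t handle_from_str(const char *s, int base)
{
    return (handle_t)(uintptr_t)strtoumax(s, NULL, base);
}

int main(void)
{
    char dec[32], hex[32], ptr[32];
    int local = 0;
    handle_to_dec(INVALID_HANDLE, dec, sizeof dec);
    handle_to_hex(INVALID_HANDLE, hex, sizeof hex);
    pointer_to_str(&local, ptr, sizeof ptr);
    printf("write to TUN/TAP failed (fd=%s)   <- PRIuPTR\n", dec);
    printf("write to TUN/TAP failed (fd=%s)   <- PRIxPTR\n", hex);
    printf("context at %s   <- %%p, no cast\n", ptr);
    return 0;
}
```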
Instead of passing a value and a bool just pass the value and 0 if
the caller does not want the value to be added. This also allows
the function to be used by a function without a frame struct.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230210142712.572303-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26223.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
WinAPI uses __stdcall calling convention on x86. Wrong
calling convention causes UB, which in this case breaks
dco-win functionality.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230131125448.1913-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26113.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Minor changes to the build system to include some
dependencies for Windows build
- test_tls_crypt not built as it will pull in win32.c and
its dependencies
- If cross-compiling, "make check" will only build the tests but not
run any. Copy to Windows and run manually. Executables are in
<build-dir>/tests/unit_tests/openvpn/.libs/ and these depend on
cmocka.dll in addition to openssl libs that some tests link to.
Building with mingw on Windows should run the tests (untested).
v2: networking_testdriver was mistakenly enabled to run, while
originally it was only set to build. Corrected.
v3: exclude check_engine_keys.sh when cross-compiling
As suggested by Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230208005925.393200-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26188.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
My mingw compiler/headers (mingw-w64 10.0.0 on macOS) seem to be more
pedantic than the one that comes with Ubuntu 22.04 (github actions) or
any of the other platforms including msvc/normal windows header.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20230208001819.244694-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26182.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
overlapped_io_init() has a "bool tuntap_buffer" argument which is only
passed onwards to alloc_buf_sock_tun(), which does nothing with it.
Remove from both functions.
v2:
move alloc_buf_sock_tun() to win32.c
v3:
leave alloc_buf_sock_tun() where it is, and fix non-WIN32 call from
socket.c
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230130161730.110021-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26099.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit bdc842d72e92995261bac3579120c94f93e4064a)
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230201141518.119157-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26122.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Eliminates repeated warnings such as
warning: source file '$(openvpn_srcdir)/env_set.c' is in a subdirectory,
but option 'subdir-objects' is disabled
- Enabled only for automake >= 1.16 as older versions have a buggy
implementation of this option
Main side effect of this option is that object files like
openvpnserv-blockdns.o are now created in src/openvpn where block-dns.c
resides instead of in src/openvpnserv.
Same for object files for sources from $(openvpn_srcdir) compiled
into test executables.
See also past discussion on this topic:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg00013.html
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230204004512.250271-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26147.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Following DHCP options:
DOMAIN, ADAPTER_DOMAIN_SUFFIX, DNS, WINS
don't require DHCP server in order to be used.
This change allows those options to be used with dco and wintun
drivers. If an option specified which requires DHCP server and
tap-windows6 driver is not used, print a clear error message
instead of obscure reference to --ip-win32.
Reported-by: Marek Zarychta
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20230207145416.1415-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26169.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
During the build of LibreSSL portable it pulls in a branch from OpenBSD
upstream. Unfortunately they use master there instead of a fixed branch.
So we work around this issue.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230209163115.465548-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20230209163115.465548-1-arne@rfc2549.org
Signed-off-by: Gert Doering <gert@greenie.muc.de>
At this point it might be easier to create a
dedicated function for Windows...
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20230203191440.136050-3-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26140.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- An item added to undo-list was not removed on error, causing
attempt to free again in Undo().
Also fix a memory leak possibility in the same context.
Github: fixes OpenVPN/openvpn#232
v2: Split add and delete functions and reuse the delete
function for cleanup.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20230201170735.2266851-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26130.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This allows identifying the source of undefined behaviour more easily
from the github action logs.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230130172936.3444840-4-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26102.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The version 3.5.3 triggers undefined behaviour with the usan sanitizer.
Updating LibreSSL to 3.7.0 unfortunately does not fix the issue but
at least we are now using a current version.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230130172936.3444840-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26105.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The undefined behaviour USAN clang checker found this. The optimiser
of clang/gcc will optimise the memcpy away in the auth_token case and
output exactly the same assembly on amd64/arm64 but it is still better
to not rely on undefined behaviour.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230130172936.3444840-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26103.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The linux userspace API header has acquired the MIT license (check the
ovpn-dco repository for the related change), therefore we simply bring
this change in our local copy to ensure compliancy.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230125095321.23063-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26077.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Custom action "FindSystemInfo" finds adapters with certain hwid and
assigns found adapters' guids to a certain property. Later another custom
action "EvaluateTUNTAPAdapters" schedules adapter creation if the
abovementioned property is not set - which means no adapters exist
with given hwid.
I think this logic is needed to prevent duplicate adapter creation
if adapter was renamed and then new version is installed.
As one can see, there is a typo in property name ("OVPNDCOAPTERS"). As
a result of this typo, installer will always try to create DCO adapter
no matter if there are existing adapters. It however won't do anything
if adapter with the name "OpenVPN Data Channel Offload" already exists,
this is handled in schedule_adapter_create() function.
Because of that typo, following scenario works fine:
1) Upcoming release of OpenVPN Connect is installed, which creates
adapter named "OpenVPN Connect DCO Adapter"
2) OpenVPN-GUI is installed. Because of typo, it ignores adapter created
by Connect and creates own "OpenVPN Data Channel Offload" adapter
3) OpenVPN Connect is uninstalled and it removes
"OpenVPN Connect DCO Adapter".
4) OpenVPN-GUI still has its "OpenVPN Data Channel Offload" adapter
If we just fix a typo, OpenVPN-GUI won't create an adapter on step 2 and
after Connect removal on step 3 there won't be DCO adapters anymore
for OpenVPN-GUI to use.
The ultimate solution to this would be moving adapter creation to MSM,
a shared component which adds/removes the DCO driver. However this change
is not trivial and requires a lot of work. For the time being we apply
this band-aid by excluding Connect-created adapters from enumerations in
"FindSystemInfo" custom action. This makes sure that OpenVPN-GUI won't
rely on adapter created by Connect (which is deleted on Connect uninstall)
and ensures that additional DCO adapters won't be created on upgrade
if user decides to rename adapter.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20230124142316.441-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26072.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
That code has been moved to MSM by commit 640c4d82
("openvpnmsica: remove dco installer custom actions")
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230124091441.397-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26070.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Ensure net_route_v4/v6_add/del() functions using iproute2 return
error when route addition fails. Return value follows the same logic
as corresponding functions using netlink though all failure reasons
get the same error code of -1.
TODO: Preserve any preexisting direct route to VPN and optionally the
IPv6 connected net route.
v2: Following review, removed the poorly coded RL_DID_LOCAL-related chunks.
That part needs a better fix.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230121194226.2081637-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26067.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Use a unified logging format for various route-methods
- Route add/delete errors are always logged with M_WARN, so
log only additional information (succeed/exists) with D_ROUTE.
- Non-windows platforms log route errors with a prefix "ERROR:" and
debug info with "ROUTE:". Do the same on Windows. Do not log
errors or success multiple times.
- In add_route_ipv6, log the interface id instead of device name
as the latter always point to the tun/tap adapter name on Windows.
Log lines prefixed with a PACKAGE_NAME "ROUTE" are unchanged.
They appear to use the same format on all platforms.
v2: rebase to master
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20230120094100.2063883-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26058.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- If there are no pkcs11-providers either directly specified or
through p11-kit-proxy made available through a build-time detection,
these options are ignored. Log a warning in such cases.
Especially important on Windows where automatic loading of p11-kit
is not enabled in our release builds.
- Document this behaviour.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230120021841.2048791-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26056.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Those have been moved into MSM to be reused by openvpn-gui and Connect.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230119085959.157-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26053.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This workaround avoids the kernel trigger ENOBUFS when the kernel
internal queue is overrun with events of disconnecting clients or
similar. This is a workaround until we come up with a more permanent
solution.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20230112163737.1240059-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25988.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The bounding set being empty will overpower the likes of su/sudo
and will make it impossible for any child processes to ever gain
additional privileges again.
Github: fixes OpenVPN/openvpn#220
Signed-off-by: Timo Rothenpieler <timo@rothenpieler.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230118142428.162-1-timo@rothenpieler.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26048.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The code in sitnl_route_set() used to treat "route can not be installed
because it already exists" (EEXIST) as "not an error".
This is arguably a reasonable approach, but needs to be handled higher
up - if the low level add_route() function says "no error", we will try
to remove that route later on in delete_route(), possibly removing
someone else's "already existing" route then.
So:
- remove special case in sitnl_route_set()
- do not pass NLM_F_REPLACE flag to sitnl_route_set() call - this would
cause netlink to just replace existing routes, never return EEXIST
(see "man netlink(7)")
- add detailed return code handling to add_route(), assign "2" on
"-EEXIST"
(and log appropriate message).
(Note: sitnl_route_set() is a common function for sitnl route add and
delete, but EEXIST can not happen on delete - so this change has no
impact for the "delete" case)
v2: use RTA_ macros, also adjust add_route_ipv6()
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20230118074633.27586-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26046.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Instead of 0, 1, 2 use RTA_ERROR, RTA_SUCCESS, RTA_EEXIST
as the return code of route addition functions.
- Also fix a logging error: status -> (status == RTA_SUCCESS)
v2: fold long lines
use "bool ret = .." pattern for android too
fix two more lines where status was directly assigned to bool
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230115164818.1973210-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26041.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
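The two route commits above (sitnl_route_set() no longer hiding EEXIST, and the RTA_ERROR/RTA_SUCCESS/RTA_EEXIST return codes with the "status -> (status == RTA_SUCCESS)" logging fix) are illustrated by the following added example in C. It is not OpenVPN's code: the kernel routing table is a constructed in-memory list, the sitnl_route_add()/sitnl_route_del() helpers stand in for netlink calls without NLM_F_REPLACE, and the log strings are made up. The enum names are the ones the commit message introduces.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Return codes of the route-add helpers (names from the commit message). */
enum { RTA_ERROR = 0, RTA_SUCCESS = 1, RTA_EEXIST = 2 };

/* Constructed stand-in for the kernel routing table. */
#define MAX_ROUTES 8
static char kernel_routes[MAX_ROUTES][32];
static int n_kernel_routes;

static int find_route(const char *dst)
{
    for (int i = 0; i < n_kernel_routes; i++)
        if (strcmp(kernel_routes[i], dst) == 0) return i;
    return -1;
}

/* Low-level add, modelled on RTM_NEWROUTE without NLM_F_REPLACE: a route
 * that already exists yields -EEXIST instead of being silently replaced. */
int sitnl_route_add(const char *dst)
{
    if (strlen(dst) >= sizeof kernel_routes[0]) return -EINVAL;
    if (find_route(dst) >= 0) return -EEXIST;
    if (n_kernel_routes >= MAX_ROUTES) return -ENOBUFS;
    strcpy(kernel_routes[n_kernel_routes++], dst);
    return 0;
}

int sitnl_route_del(const char *dst)
{
    int i = find_route(dst);
    if (i < 0) return -ESRCH;
    memmove(&kernel_routes[i], &kernel_routes[i + 1],
            (size_t)(n_kernel_routes - i - 1) * sizeof(kernel_routes[0]));
    n_kernel_routes--;
    return 0;
}

/* Higher-level add: map the errno onto the three-way status and log it. */
int add_route(const char *dst)
{
    int rc = sitnl_route_add(dst);
    if (rc == 0) { printf("ROUTE: added %s\n", dst); return RTA_SUCCESS; }
    if (rc == -EEXIST) { printf("ROUTE: %s already exists, not ours\n", dst); return RTA_EEXIST; }
    printf("ERROR: adding %s failed: %s\n", dst, strerror(-rc));
    return RTA_ERROR;
}

/* Only remove a route this process installed itself. RTA_EEXIST means the
 * route belonged to someone else and must be left alone on teardown. */
bool delete_route(const char *dst, int add_status)
{
    if (add_status != RTA_SUCCESS) return false;
    return sitnl_route_del(dst) == 0;
}

/* Logging pitfall fixed in the follow-up commit: a bool must be derived as
 * (status == RTA_SUCCESS), because RTA_EEXIST (2) is also nonzero and
 * assigning the status directly would log "success" for it. */
bool route_add_ok(int status) { return status == RTA_SUCCESS; }

/* Scenario: an admin pre-installs 10.8.0.0/24; the VPN's add reports EEXIST,
 * its add of 10.9.0.0/24 succeeds; on teardown only 10.9.0.0/24 goes away.
 * Returns 1 if the preexisting route survived and the VPN's own was removed. */
int run_scenario(void)
{
    n_kernel_routes = 0;
    sitnl_route_add("10.8.0.0/24");    /* someone else's route */
    int s1 = add_route("10.8.0.0/24"); /* RTA_EEXIST */
    int s2 = add_route("10.9.0.0/24"); /* RTA_SUCCESS */
    delete_route("10.8.0.0/24", s1);
    delete_route("10.9.0.0/24", s2);
    return (find_route("10.8.0.0/24") >= 0 && find_route("10.9.0.0/24") < 0) ? 1 : 0;
}

int main(void)
{
    printf("preexisting route preserved: %s\n", run_scenario() ? "yes" : "no");
    return 0;
}
```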
commit 67c4eebdae introduces a new peer disconnect reason (transport
disconnected, aka "TCP session closed") which breaks compilation on
FreeBSD - OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT not part of the
enum in freebsd_dco.h, and no kernel support for TCP anyway.
This patch is an intermediate bandaid, making the offending code in
multi.c "linux only" while a better solution is discussed.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20230113080745.82783-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20230113080745.82783-1-gert@greenie.muc.de
Signed-off-by: Gert Doering <gert@greenie.muc.de>