- Move OCC warnings to debug level. This moves the only useful OCC message
of compress-migrate to D_PUSH
- remove configure option --enable-strict-options
- ignore disable-occ in TLS mode as it is logged under debug now only
disable-occ is now strictly a non-TLS option
- mark opt-verify and disable-occ as deprecated.
Patch v2: change one missed M_WARN to D_OCC
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230111134439.1107915-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25970.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
We listed those in Changes, but did not update the documentation.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230111125242.21025-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25968.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Not enabled by default with OpenSSL 3, so we don't
see this in our builds.
While here add missing entries to .gitignore (which
is what made me look at engine-key test in the first
place).
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230110170257.113527-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25949.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
That makes it possible to remove several preprocessor
directives which is a good thing. The cost should be
negligible.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20221127142506.41986-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25554.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- The response to the management command "remote-entry-get" is
amended to include the status of the remote entry. The status
reads "disabled" if (ce->flag & DISABLED) is true, "enabled"
otherwise.
- Update and correct the description of this option in
management-notes.txt
Example responses:
In response to "remote-entry-get 0"
0,vpn.example.com,udp,enabled
END
Or, in response to "remote-entry-get all"
0,vpn.example.org,udp,enabled
1,vpn.example.com,udp,enabled
2,vpn.example.net,tcp-client,disabled
END
This helps the management client to show only enabled remotes
to the user.
An alternative would require the UI/GUI to have knowledge of
what makes the daemon set CE_DISABLED (--proto-force,
--htttp-proxy-override etc.).
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230111062910.1846688-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/search?l=mid&q=20230111062910.1846688-1-selva.nair@gmail.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Warning by GCC 12:
pkcs11_openssl.c:237:22: warning:
dangling pointer ‘tbs’ to ‘enc’ may be used [-Wdangling-pointer=]
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20230110131947.59552-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25942.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Manually excluded ovpn_dco_win.h because it is an
imported file. ovpn_dco_linux.h is already excluded
because it still says 2021.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230110160531.81010-1-frank@lichtenheld.com>
URL: https://patchwork.openvpn.net/project/openvpn2/patch/20230110160531.81010-1-frank@lichtenheld.com/
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This enables logging the peer id in p2mp mode if dco is enabled
and the log level is high enough
Patch v2: use check_debug_level to check current log level
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230110151901.998479-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25946.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
p2p --tls-server with no active client/peer logs once per second
"dco_update_keys: peer_id=-1"
which does exactly nothing, except fill the disk. So skip the call to
dco_update_keys() if peer_id == -1.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20230109200011.2525342-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25935.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Makes it possible to report management state as CONNECTED,ROUTE_ERROR
instead of CONNECTED,SUCCESS in case of routing errors.
This depends on treating "route already exists" as not
an error which right now works when using netlink on Linux
and IPAPI or iservice on Windows.
For route set via command line there is no easy way to get this
information and current behaviour is unchanged: i.e., the management
state continues to be reported as CONNECTED,SUCCESS.
Status notification to systemd is not affected.
To test on Linux, build with netlink and use a --route option with
an unreachable gateway like:
"--route 192.168.122.0 255.255.255.0 1.1.1.1"
Notes:
On windows, if the route method is "exe", setting a route
that exists *may* get logged as error and this patch will lead to
a slightly misleading CONNECTED,ROUTE_ERROR state message. This is
considered tolerable as no one should be using "exe" (i.e. route.exe)
as the route method.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230105022718.1641751-3-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25884.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This limits the number of packets OpenVPN will respond to. This avoids
OpenVPN servers being abused for refelection attacks in a large scale
as we gotten a lot more efficient with the cookie approach in our
initial connection handling.
The defaults of 100 attempts per 10s should work for most people,
esepcially since completed three way handshakes are not counted. So
the default will throttle connection attempts on server with high packet
loss or that are actually under a DOS.
The 100 per 10s are similar in size to the old 2.5 and earlier behaviour
where every initial connection attempt would take up a slot of the
max-clients sessions and those would only expire after the TLS timeout.
This roughly translates to 1024 connection attempts in 60s on an
empty server.
OpenVPN will announce once per period when starting to drop packets and
ultimatively how many packets it dropped:
Connection Attempt Note: --connect-freq-initial 100 10 rate limit
exceeded, dropping initial handshake packets for the next 10 seconds
Connection Attempt Dropped 217 initial handshake packets due to
--connect-freq-initial 100 10
to inform an admin about the consequences of this feature.
Patch v2: use strtol instead of atoi to be able to differentiate between
an error parsing and parsing 0. Use int64_t instead int to
avoid overflow errors.
Patch v3: Add message when we start dropping. Add a few fixes to the logic.
improve docs
Patch v4: missing missing return statement.
Patch v5: add build files for msvc build
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230110015901.933522-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25938.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
commit 5e19cc2c1b introduced a workaround for a race condition
that showed itself on IPv6 ifconfig on FreeBSD 12.x - sometimes breaking
IPv6 connectivity on tun/tap interfaces.
This was fixed on the FreeBSD side in 12.4, 13.1 and up, and 13.0 is
no longer supported. So conditionalize the workaround on "12.0..12.3",
to be fully removed later when 12.3 is also running out of support.
v2: fix version number comparison
Trac: 1226
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230107162558.59659-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25911.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When possible, functions that add a route now return 1 on success,
or 2 if route already exists or 0 on other errors instead of true/false.
Note:
net_route_v4/v6_add using netlink filters out EEXIST before returning
this looks like a bug as add_route() and add_route_ipv6() should set
RT_ADDED only if route was really added.
v2: "succeeded/skipped" --> "succeeded" in log.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230106150412.1667492-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25903.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
We got warnings from MinGW about function being defined
but not used when compiling modules which include tun.h.
This function is not defined as inline, so its definition
should not be in header. Since this is not a performance
critical, no need to make it inline.
Leave declaration in tun.h and move definition to tun.c.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230109113046.1678-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25923.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Signals are ordered as SIGUSR2, SIGUSR1, SIGHUP, SIGTERM, SIGINT
in increasing priority. Lower priority signals are not allowed to
overwrite higher ones.
This should fix Trac #311, #639 -- SIGTER/SIGINT lost during dns
resolution (except for the Windows-specific bug handled in previous commit).
On sending SIGTERM during dns resolution, it still takes several seconds
to terminate as the signal will get processed only after getaddrinfo times
out twice (in phase1 and phase2 inits).
Github: fixesOpenVPN/openvpn#205
Trac: #311, #639
Note: one has to still wait for address resolution to time out as
getaddrinfo() is no interruptible. But a single ctrl-C (and some
patience) is enough.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230101215109.1521549-4-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25871.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- In win32_signal_get() re-order the check so that Windows
signals are picked up even if signal_received is non-zero
- When management is not active, management_sleep() becomes sleep()
but it is not interruptible by signals on Windows. Fix this by
periodically checking for signal.
Trac: #311#639 (windows specific part)
Github: FixesOpenVPN/openvpn#205 (windows specific part)
Note: if stuck in address resolution, press ctrl-C and wait for
getaddrinfo() to timeout.
v2: WIN32 --> _WIN32
add a chunk in management_sleep that was missed by sloppy
conflict-resolution
v3: following review by Lev Stipakov <lstipakov@gmail.com>
win32_sleep()
- Early fallback to Sleep() if no wait handles -- less indentation
- Check signal only if wait-object triggered
- Exit the while loop if not safe to continue
Behaviour of win32_sleep(0) checking signal is retained though may be
redundant
v4: Avoid Sleep(0) and never loop back to wait again if wait-failed
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20230106005438.1664046-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25895.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Currently we use netsh for this. The new code closely follows
what interactive service does.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20230105022718.1641751-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25886.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
While at it also improve the debug message itself
to be more self-explanatory.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230103202330.1835-3-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25883.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
multi_process_incoming_dco() is currently partly processing
messages that were actually discarded. This results in a bogus
message being printed:
"Received packet for peer-id unknown to OpenVPN: -1, type 0, reason 2"
Change the flow so that we bail out immediately when we know that no
message was truly delivered by DCO.
Currently this can be verified by checking that the peer_is is greater
than -1.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230103202330.1835-2-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25882.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
After processing a message, all fields of the dco object should be
re-initialized so that future processings are not affected by stale
values.
This includes dco_del_peer_reason.
Since its values can start at 0, re-initialize it with -1.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230103202330.1835-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25881.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Pass in sig_info struct to use register signal instead of
modifying signal_received.
No functional changes though some may be warranted.
Questions:
- Why are we overwriting SIGUSR1 in this function?
- Why the special interrupted syscall treatment for getaddrinfo?
Its not a syscall, is it?
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230101215109.1521549-3-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25872.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Do not directly update signal_received: always use register_signal()
throw_signal() or signal_reset().
To facilitate this, register_signal() now takes c->sig as an argument
instead of the context c itself, and sig_info struct is passed-in to
functions that need to set a signal.
- openvpn_getaddrinfo() is updated in a following commit as it
could benefit from some logic changes that we may or may not want
to do.
No functional changes.
TODO:
(i) update signal handling in openvpn_getaddrinfo
(ii) enforce signal priority
(iii) fix signal handling on Windows
for 2.7?
(iv) replace system-V signal with POSIX sigaction
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230101215109.1521549-2-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25874.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Several handles from openvpn.exe are duplicated in the
service for registering ring buffer memory maps with the
driver. These handles are not required after registration,
as all access is through handles in openvpn.exe. Only the
map base address (send_ring, rceive_ring) need be retained
for later unmapping.
Use local variables for duplicated handles and close them
soon after use.
The struct ring_buffer_handles_t is renamed to ring_buffer_maps_t
as there are no handles in there any longer.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20221229182739.1477336-2-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25863.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
HandleRegisterRingBuffers() in interactive.c did not follow the
the original API of HandleMessage(): a new argument was added
to HandleMessage to pass-in prer-process ring-buffer handles. The
existing undo lists argument is meant for such use.
Rewrite following the original design.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20221229182739.1477336-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25864.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The return value of MapViewOfFile must be passed to UnmapViewofFile,
instead of the file handle.
Github: FixesOpenVPN/openvpn#206
v2: move *ring = NULL inside if {}
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20221229134729.1474034-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25859.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
GCC with -O3 complains:
warning: ‘%s’ directive argument is null [-Wformat-overflow=]
And indeed:
--cipher alg : Encrypt packets with cipher algorithm alg
(default=(null)).
Since there is no real default anymore, remove it.
While here also indicate the somewhat-deprecated status
of the option.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221228171314.133115-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25851.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
error: format not a string literal and no format arguments
[-Werror=format-security]
2309 | msg(M_USAGE, str);
Found by accident, since it only happens without optimization.
Seems the compiler can figure out that this is harmless when
thinking a bit harder about it. Fix anyway.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20221228110752.34060-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25848.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
TCP multipoint servers with Linux-DCO can crash under yet-unknown
circumstances where a TCP socket gets handed to the kernel (= userland
shall not acceess it again) but the socket still lands in the event
polling mechanism, and is passed to link_socket_read() with
sock->fd being "-1" (SOCKET_UNDEFINED).
This is a bug, but it happens very unfrequently so not fixed yet.
When this happens, the server gets stuck in an endless loop of
"trying recvfrom(-1, ..), getting an error, looging that error,
continue" until the server's disk is full.
The situation is being made a bit more complex by the dco-win
approach of treating "all kernel sockets as UDP", so the Linux
implementation tries to access the -1 socket as UDP, confusing
the picture more.
As a bandaid to avoid the crash, this patch changes
- socket.h: only do the "if dco_installed, treat as UDP" for WIN32
(link_socket_read())
- socket.c: add ASSERT(sock->fd >= 0); checks to all UDP socket paths
(we should never even hit those as this is a TCP specific problem,
but in the "sock->fd = -1" case, doing a clean server abort is
preferred to "the disk is full with non-helpful logfiles, and then
the server crashes anyway")
- socket.c: in the TCP read function, link_socket_read_tcp(),
check for sock->fd < 0 and trigger "sock->stream_reset = true"
(+ write to the log what happened).
This change will kill this particular TCP client instance (SIGTERM),
but leave the rest of the server running fine - and given that
in our tests this issue seems to be triggered by inbound TCP RST
in just the wrong moment, it seems to be "a properly-sized bandaid".
v2: rebase on top of "move dco_installed back to link_socket"
v3: move sock->fd check inside !residual_fully_formed clause (so
we can still handle already-read packets)
Github: OpenVPN/openvpn#190
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20221227202614.2114971-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25844.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The realloc logic has the problem that it relies on the memory being
deallocated by uninit_options rather than by freeing the gc. This
does not always happen in all code path. Especially the crypto selftest
run by make check will not call uninit_options.
This introduces a gc_realloc function that ensures that the pointer is
instead freed when gc_free is called.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221227140249.3524943-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25829.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The mamangement command "remote SKIP" is extended with an
optional parameter 'count' > 0. If count is greater than
number of connection entries (len), count % len is used.
On going past the index of the last connection entry,
counting is restarted from the first connection entry.
Without this, use of management-query-remote from a UI is
virtually impractical except when there are only a handful
of remote entries. Skipping the entries one by one takes
a long time when there are many entries to be skipped
(~ 1 second per entry). Use of "remote MOD" is not an
option as change of protocol is not supported.
Management clients can determine the availability of this
feature by checking that the management interface version
is > 3. Older versions will ignore the count parameter and
behave identically to using count = 1.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210907223614.8574-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22817.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The message
"ERROR: The 'foo' commmand is not supported by current daemon mode"
is repeatedly used in manage.c. Move it to a function for uniformity
in messaging.
v3, v3: no change
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210907223126.8440-3-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22814.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Currently we allow a max of 64 connection entries and remotes.
A larger number would allow users with 100's of independent
config files for different end points of same provider to
consolidate them to connection entries.
v2,v3: no change
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210907223126.8440-2-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22816.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selecting the remote host via the management interface
(management-query-remote) provides a restrictive user
experience as there is no easy way to tabulate all available
remote entries and show a list to the user to choose from.
Fix that.
Two new commands for querying the management interface are added:
(i) remote-entry-count : returns the number of remotes specified
in the config file. Example result:
10
END
(ii) remote-entry-get i [j]: returns the remote entry at index i
in the form index,host,port,protocol. Or, if j is present
all entries from index i to j-1 are returned, one per line.
Example result for i = 2:
2,ovpn.example.com,1194,udp
END
Example result for i = 2, j = 4
2,ovpn.example.com,1194,udp
3,ovpn.example.com,443,tcp-client
END
remote-entry-get all: returns all remote entries.
v2: use independent callback functions for the two commands
v3: return results as 0 or more lines terminated by END, as done
for all other similar commands. v1 was fashioned after
pkcs11-id-count and pkcs11-id-get which uses a format not
consistent with the rest of the management commands.
See also management-notes.txt
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210907223126.8440-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22815.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
If we get a message from a mismatched packet we need to clear
the incoming message buffer to ensure we can receive another
packet.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221224194253.3202231-6-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25797.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
libnl increases the sizes we pass to 8192 anyway. Currently when we have
a lot of events queued we might run into a NLE_NOMEM message and that
terminates the server. So rather let the kernel decide the buffer sizes.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221224194253.3202231-7-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25789.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
this change was done in order to be able to differentiate when needing to
use dco and when to use normal socket sendto. Since we want to eventually
completely use the userspace sockets for sending/receiving, we just switch
to always use UDP sendto even if the socket is already installed in the
kernel.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221224194253.3202231-4-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25792.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Currently we start new session in TM_ACTIVE or TM_INITIAL depending if
we already have an active session in TM_ACTIVE or not.
With this change, all session will be started in TM_INITIAL both initiated
by a peer but also session by ourselves. This simplifies state transitions
and eliminates the wacky state transition that when we have a failed
reneogitiation (and move TM_ACTIVE to TM_LAME_DUCK) that a new session of
a peer starts in TM_ACTIVE rather than TM_INITIAL
This is a squash of two mailing list patches:
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221224194253.3202231-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25798.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221224194253.3202231-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25795.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This changes the password check on the management interface to be constant
time. Normally the management port should not be exposed in a way that
allows an attacker to even interact with it but making the check constant
time as an additional layer of security is always good.
Patch v2: include NUL byte in comparison
Reported-by: Connor Edwards <cedw@pm.me>
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221220140458.2666637-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25784.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
As change in auth-token is common on restart and does not
require tun-reopen, exclude it from the "pulled options digest"
calculation. Without this tun is always re-opened on SIGUSR1
if auth-token is in use which breaks persist-tun.
Github: FixesOpenVPN/openvpn#200
v2: explcitly filter auth-token and auth-token-user
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221219140405.1221341-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25768.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
My own non-standard cmake based build system found this one. But
even if this is not a problem with the normal autoconf based system
we should still be consistent.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221219172141.2565798-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25777.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Git magic to get branch name
git rev-parse --symbolic-full-name HEAD
doesn't work when we're on tag, which is the case when
we build releases.
First, try to get tag name with
git describe --exact-match
and if this fails, get branch name as before.
Use subprocess.Popen() to suppress stdout/stderr output.
Github: FixesOpenVPN/openvpn#199
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20221219155638.497-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25773.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Current value of restart pause is 5 seconds which feels
unduly long. Reduce it to 1 second.
User can still customize the delay using the first parameter for
"--connect-retry".
Also improve the description of "--connect-retry" in the
man page.
v2 changes:
- fix incomplete man page edit as pointed out by Arne Schwabe
- fix man page (rst) changes as suggested by Frank Lichtenheld
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20221219150435.1222451-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25770.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
NTLMv1 is ancient and not considered secure anymore and we are not
aware of any users or software still requiring this feature.
Additionally it currently depends on our "doing single DES using
3DES" workaround for OpenSSL (cipher_des_encrypt_ecb). So removing
NTLMv1 will also allow us to remove that workaround.
Reported-By: Trial of Bits (TOB-OVPN-7)
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221215190143.2107896-9-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25731.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>