By default OpenSSL 1.1+ only allows signatures and ecdh/ecdhx from the
default list of X25519:secp256r1:X448:secp521r1:secp384r1. In
TLS1.3 key exchange is independent from the signature/key of the
certificates, so allowing all groups per default is not a sensible
choice anymore and instead a shorter list is reasonable.
However, when using certificates with exotic curves that are not on
the group list, the signatures of these certificates will no longer
be accepted.
The tls-groups option allows to modify the group list to account
for these corner cases.
Patch V2: Uses local gc_arena instead of malloc/free, reword commit
message. Fix other typos/clarify messages
Patch V3: Style fixes, adjust code to changes from mbedTLS session
fix
Patch V5: Fix compilation with OpenSSL 1.0.2
Patch V6: Redo the 'while((token = strsep(&tmp_groups, ":"))' change
which accidentally got lost.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200721154922.17144-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20521.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commit 037669f3dd already made occ being unconditionally on. This commit
only removes the #ifdefs
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200717134739.21168-6-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20442.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Key-method 1 is only needed to talk to pre OpenVPN 2.0 clients.
Patch V2: Fix style. Make V1 op codes illegal, remove all code handling
v1 op codes and give a good warning message if we encounter
them in the legal op codes pre-check.
Patch V3: Add a bit more comments in the existing methods.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20200721100128.9850-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20516.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This removes support for the --client-cert-not-required option. To
avoid starting a server with this option just ignored, which would make
it impossible for existing clients to connect it will exit with
instructions to replace this option with --verify-client-cert none.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200720113010.10450-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20502.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This option has been deprecated since OpenVPN 2.1 and it has been
highlighted in the documentation and log files since OpenVPN 2.4.4.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200720115156.13322-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20504.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
All supported crypto libraries have AEAD support and with our
ncp/de facto default cipher AES-256-GCM we do not want to support
the obscure corner case of a library with disabled AEAD.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Patch V2: Remove three instances of (harmless) #ifdef Steffan spotted
that can be removed now too.
Acked-by: Steffan Karger <steffan.karger@foxcrypto.com>
Message-Id: <20200720121704.20333-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20506.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
OpenSSL 1.0.1 was supported until 2016-12-31. Rhel6/Centos6 still
use this version but considering that RHEL7 and RHEL8 are already
out, these versions can also stay with OpenVPN 2.4.
All the supported Debian based distributions also come with at
least 1.0.2.
We (accidently) unconditionally compiled some key exporter code on
OpenSSL 1.0.2+ without problems. So always compile the whole
key exporter feature for OpenSSL.
This also allows the tls groups commit to be applied without
adding ifdefs to disable that functionality on OpenSSL 1.0.1
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan.karger@foxcrypto.com>
Message-Id: <20200717134739.21168-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20441.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Since commit f500c49c8e, the man page and html documentation need to be
generated when building out of the git repository, as both openvpn.8 and
openvpn.8.html will be shipped pregenerated inside the tarball generated
by 'make dist'.
Travis was lacking the python-docutils package, which made the
'make distcheck' build test fail.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20200720103822.26088-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20497.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The V2 API is simpler than the V1 API since there is no passing of
data via files. This also means that with the current API the V2 API
cannot support async notify via files. Adding a file just for async
notify seems very hacky and when needed we should implement a better
option when async is needed for the plugin V2 API.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200719173436.16431-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20480.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(Only) on "CC_RET_SUCCESS", run multi_client_connect_post().
On "CC_RET_FAILURE", add missing log line, do not call ..._post().
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20200720070802.18819-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20488.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Uses the infrastructure provided and used in the previous patch to provide
deferral support to the v1 client-connect plugin handler as well.
Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de>
PATCH V3: Modify the API to also (optionally) call the plugin on a deferred
call (CLIENT_CONNECT_DEFER).
This allows the plugin authors to be more flexible and make the V1 API more
similar to the CLIENT_CONNECT_V2 API.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200719173436.16431-4-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20483.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
As we never do client-connect and authentication at the same time
it is safe to reuse the existing fields for client-connect return
status file
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200719173436.16431-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20481.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This patch introduces the concept of a return value file for the
client-connect handlers (this is very similar to the auth value file
used during deferred authentication). The file name is stored in the
client_connect_state struct.
In addition, the patch also moves the storage of the client config file
name into struct client_connect_state.
Both changes are used by the client-connect script handler to support
deferred client-connection handling. The deferred return value file
(deferred_ret_file) is passed to the script via the environment.
If the script succeeds and writes the value for deferral (2) into the
deferred_ret_file, the handler knows to indicate deferral. Later on,
the deferred handler checks whether the value of the deferred_ret_file
has been updated to success or failure.
Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de>
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200719173436.16431-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20200719173436.16431-2-arne@rfc2549.org
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This state is used to handle a corner case when multiple connect
handlers are active and one of them fails. Unfortunately, this state
complicates the state machine a bit without a good benefit.
Current behaviour:
First/all connect handler(s) fail:
- client disconnect handler is not called at all
At least one connect handler succeeds but a subsequent handler fails:
- client disconect is called when we actually
disconnect the client (a few seconds later, max tls timeout)
All connect handlers suceed:
- client disconect is called when we actually
disconnect the client
This patches changes the behaviour in the second to immediately
call disconnect_handler in this case.
This simplifies the logic that already caused a bug and the
behaviour change is very little and affects only a pretty
exotic corner case.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200719173436.16431-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20482.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When the man page got split up into several .rst files, these files got
listed into dist_doc_DATA=. This variable will both distribute (package
in the source tarball) and install these files into /usr/share/doc.
This was not intended, and it duplicates the content and makes the doc
dir quite messy.
By moving these files to dist_noinst_DATA= instead, these files are
still distributed but not installed via 'make install'.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200719114853.24168-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20476.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This finializes the depreacation started in OpenVPN 2.4, where --no-iv
was made into a NOOP option.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200717171544.21632-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20460.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
With the conversion of the introduction of a bool variable to signal
when a certain string is a filename or the actual (inline'd) key
material, the SHOW_STR() macro is now leaking the inline'd material to
the log file.
This happens because SHOW_STR will just print the content of the passed
argument without any check. With the new logic this should not happen
anymore.
A new macro SHOW_STR_INLINE() is therefore introduced which will check
the appropriate bool member before deciding to print the actual string
content or not.
Trac: #1304
Reported-by: Richard Bonhomme <tincanteksup@gmail.com>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200717212820.8998-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20472.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Else one location overwrites options from the other.
Signed-off-by: Matthias Andree <matthias.andree@gmx.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20200717171918.230727-1-matthias.andree@gmx.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20462.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This patch moves the state, that was previously tracked within the
multi_connection_established() function, into struct client_connect_state.
The multi_connection_established() function can now be exited and
re-entered as many times as necessary - without losing the client-connect
handling state.
The patch also adds the new return value CC_RET_DEFERRED which indicates
that the handler couldn't complete immediately, and needs to be called
later. At that point multi_connection_established() will exit without
indicating completion.
Each client-connect handler now has an additional argument: "deferred",
to signal "additional call(s) while in deferred state". The first call
to a handler always sets "deferred = false". If that call returns
CC_RET_DEFERRED, the next call to the handler will be "deferred = true".
For some handlers (mda, ccd) this can never happen, so we ASSERT()
on !deferred. If that ever triggers, something is wrong in our data
structures and we should better abort.
Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de>
Patch V3: Use a static struct in multi_instance instead of using
malloc/free and use two states (deferred with and without
result) instead of one to eliminate the counter that was
only tested for > 0.
Patch V5: Use new states in context_auth instead of the extra state
that the patch series previously used.
Patch V6: Restructure code to make it a bit more readable, rebase on
master.
Patch V7: move deferred bool into client connect handler calls, switch
to switch case
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200716134315.17742-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20395.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This file did not get added to Makefile.am by a mistake during the
man-page overhaul, and the issue this causes is not easily spotted.
If a consumer of a tarball (created with 'make dist' from the git
tree) tries runs 'make clean' and 'make dist' plus have
python-docutils installed from such a tarball, it will explode and
complain about this missing file.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200717110136.11579-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20431.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Maximilian Wilhelm <max@sdn.clinic>
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200717105453.10718-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20429.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Richard Bonhomme <tincanteksup@gmail.com>
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200716225338.611-8-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20415.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commit c67e93b252 updated the man page in reagrds to new
compression options and improving existing compression options. This
adopts those changes into the .rst format.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200716225338.611-7-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20414.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Due to the VORACLE attack vector, compression in general is deprecated.
Make this clear in the man page.
Also remove an incorrect statement claiming --compress lzo is compatible
with --comp-lzo. It is not, as --compress lzo uses a different
compression framing than --comp-lzo.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200716225338.611-6-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20417.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
To avoid keeping around a full-size openvpn.rst file which is never
needed but will take space in the repo forever, patches 01...04
of the big documentation overhaul projects were squashed togehter,
keeping the individual commit logs and URL references below.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
* This is a combination of 4 commits.
* This is the 1st commit message:
doc/man: Add an .rst formatted version of the man page
This is the first step to move away from a manually editing g/nroff
encoded man page.
Some modifications was needed to ensure formatting was consistent and
rendered reasonably okay in GitHub and that the generated man page
(using rst2man) is looking as a proper man page. Unsupported options
has also been moved into its own section. HTML rendering directly
using rst2html has also been used to validate the conversion.
The rst2man and rst2html utilities comes from the python-docutils
project: https://docutils.sourceforge.io/
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200716225338.611-2-davids@openvpn.net>
URL: https://sourceforge.net/p/openvpn/mailman/message/37063370/
Signed-off-by: Gert Doering <gert@greenie.muc.de>
* This is the commit message #2:
doc/man: Replace old man page with generated man page
The doc/openvpn.8 and doc/openvpn.8.html files are now being removed
from the git tree, as it will be generated from the doc/openvpn.8.rst
file using python-docutils.
An additional dist-hook is added so these files are generated
automatically when source tarballs are generated for releases. This
means users compiling directly from the source tarball will not need
python-docutils installed.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200716225338.611-3-davids@openvpn.net>
URL: https://sourceforge.net/p/openvpn/mailman/message/37063373/
Signed-off-by: Gert Doering <gert@greenie.muc.de>
* This is the commit message #3:
doc/man: Split up and reorganize main man page
The openvpn.8.rst file is quite long and hard to edit, as it covers
several hundred options. Some options were even documented multiple
places. The example has also received some attention, cleaning up
old and outdated infomration.
In this commit the main man page is split up into multiple sections
and options are sorted into each of the corresponding section.
Inside each category, each option is for now sorted alphabetically.
The main openvpn.8.rst file is currently kept unchanged and will be
handled in the next commit.
Many language improvements contributed by Richard Bonhomme has also
been incorproated.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200716225338.611-4-davids@openvpn.net>
URL: https://sourceforge.net/p/openvpn/mailman/message/37063376/
Signed-off-by: Gert Doering <gert@greenie.muc.de>
* This is the commit message #4:
doc/man: Complete openvpn.8.rst splitting
This rebuilds the openvpn.8.rst content by using the text which was
split out in the previous commit by using RST ..include statements.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200716225338.611-5-davids@openvpn.net>
URL: https://sourceforge.net/p/openvpn/mailman/message/37063377/
Signed-off-by: Gert Doering <gert@greenie.muc.de>
If OpenVPN signals deferred authentication support (by setting
the internal environment variables "auth_control_file" and
"deferred_auth_pam"), do not wait for PAM stack to finish. Instead,
the privileged PAM process returns RESPONSE_DEFER via the control
socket, which gets turned into OPENVPN_PLUGIN_FUNC_DEFERRED towards
openvpn.
The PAM process will then fork() and handle all the PAM auth in
the new process, signalling success/failure back by means of the
auth_control_file (forking twice, to simplify wait() handling).
With the extra fork(), multiple deferred authentications can run at
the same time - otherwise the first one would block the next auth
call (because the child would not be ready again to read from the
control socket).
Lightly tested on Linux.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
--
v2:
- only do deferred auth if "deferred_auth_pam" is set (env)
- put deferred auth logic into do_deferred_pam_auth()
- line-wrap lines where needed
- close "background end" of socketpair in deferred auth process
- remove leftover /* plugin_log() */ lines from initial testing
- tested over a few hundred "15s delayed" authentication cycles
v3:
- uncrustify new code
- do not abort background process if do_deferred_pam_auth() fails
(this can only happen if fork() fails, which is assumed to be
temporary, or if something is wrong with the socketpair which we
should notice on the next read()) --> change do_deferred_pam_auth()
to "void"
- add documentation to README.auth-pam and Changes.rst
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20200715090105.22296-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20361.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The refactor accidently used a wrong code style template and
ended up using 2 instead of 4 as indent.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20200715141425.26293-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20371.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This makes the code a more readable and also prepares reusing
the function for client-connect return files
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20200711093655.23686-10-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20284.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This deviates from Fabian's original patch that relied on the now
removed connection_established bool as pointer being NULL or non NULL as
implicit third state and making connection_established as a substate of
(cas_context == CAS_PENDING)
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Patch V5: extend cas_context with two new states instead adding an
extra mini state machine.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20200711093655.23686-7-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20292.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This patch changes the calling of the client-connect functions into an
array of hooks and a block of code that calls them in a loop.
Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de>
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Patch V5: Rebase on master.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20200711093655.23686-6-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20293.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This patch changes the way the client-connect helper functions communicate
with the main function. Instead of updating cc_succeeded and cc_succeeded_count,
they now return either CC_RET_SUCCEEDED, CC_RET_FAILED or CC_RET_SKIPPED.
In addition, the client-connect helpers are now called in completely
identical ways. This is in preparation of handling the helpers as simple
call-backs.
Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de>
Patch V5: Minor style fixes
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20200711093655.23686-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20286.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This patch moves multi_client_connect_setenv into
multi_client_connect_early_setup and makes sure that every client-connect
handling function updates the virtual address selection.
Background: This unifies how the client-connect handling functions work.
Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de>
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Patch V5: Rebase on master
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200711093655.23686-4-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20288.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Refactor multi_client_connect_source_ccd(), so that
options_server_import() (or the success path in general) is only
entered in one place within the function.
Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de>
Patch V5: Simplify the logic even further to make it more easy to
understand.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200711093655.23686-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20287.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
As of Windows 10 1809 Windows finally supports this so it makes sense
to add support to OpenVPN as well.
Multiple options can be specified at the same time, with one search
domain per line (in the config, or pushed from server):
dhcp-option DOMAIN-SEARCH my.company.domain
dhcp-option DOMAIN-SEARCH some.example.domain
OpenVPN will (on windows) concatenate them all together into a single
"option 119" for the tapv9 DHCP server. Max length is 254 in total.
DNS label compression is not used - it's complicated, and Windows does
not need it. See RFC 3397 for more details.
This only works with the tun/tap driver, not with wintun.
On non-windows platforms, these settings are exported in the environment
towards --up scripts (or to the management interface), and need to be
picked up there.
Signed-off-by: Jan Just Keijser <jan.just.keijser@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <c404dd17-e0db-ce61-0d79-864a5736f2d0@nikhef.nl>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20349.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This patch splits up the multi_connection_established() function. Each new
helper function does a specific job. Functions that do a similar job
receive a similar calling interface.
The patch tries not to reindent code, so that the real changes are as
clearly visible as possible. (A follow-up patch will only do indentation
changes.)
Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de>
PATCH v3: Since the code has changed enough from the time the original
patch to the current master, the splitting has been redone from the
current code. Also some style and minor code changes have been added
doing this patch. This and the big reformatting done before eliminates
the follow up patch with only indentation changes.
The original patch already replaced some instances of
option_permission_mask with CLIENT_CONNECT_OPT_MASK. The V3 version does
this more consistently.
Patch v4: Move config -> mi->cc_config into its own commit
Patch v5: Clean up some minor issues, add one missing check on
temporary file deletion, rebase on latest master.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200711093655.23686-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20289.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
ssl_ncp.c:ncp_get_best_cipher() would crash if a client connects without
NCP (or with a NCP cipher list that does not contain the first NCP cipher
in the server list) due to a NULL pointer strcmp().
Work around / fix by just assigning an empty string to remote_cipher here
("not NULL but will never match either").
Add new warning message in multi.c for the "we do not know what the
client can do" case (no NCP and non-helpful OCC), rewrapped the existing
message to keep line lenght limit.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20200713093252.30916-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20309.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This allows to control the fallback cipher that is used when the
client/server do have any common cipher on a per client basis.
The patch is similar to Steffan's
[PATCH v4] Allow changing cipher from a ccd file.
Steffan's old patch also moves the cipher negotiation to
multi_established_connection() which I independently discovered and
implemented in commit 5e78bf66fa (Extract process_incoming_push_reply
from process_incoming_push_msg)
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200711093655.23686-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20281.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Ever since the NCPv2 the ncp_get_best_cipher uses the global
options->ncp_enabled option and ignore the tls_session->ncp_enabled
option.
The server side's poor man's NCP is implemented as seeing the list
of supported ciphers from the peer as just one cipher so this special
handling for poor man's NCP of the older NCP here is not needed anymore.
Theoretically we can now get rid of tls_session->ncp_enabled but doing
so requires more refactoring since options is not available in the
methods that still use it. And when we remove ncp-disable the variable
will be removed anyway.
This commit moves the data channel key generation for the corner case of a
client not supporting NCP but having the same cipher as the server to
the same function that also generates data channel keys for NCP and
poort man's NCP.
This has an unintended side effect of changing the calculated frame
size for this special case. The old path did call
tls_session_update_crypto_params.
To avoid this change in behaviour, this patch adds a hacky
workaround for this.
A proper solution for this needs still be found but this allows the patch
set to be merged.
Document the remaining usage of tls_poor_mans_ncp better.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200709101603.11941-6-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20251.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The simplify the control flow, it makes more sense to generate the
data keys when all the prerequisites for generating the data channel
keys (ncp cipher selection etc) are met instead of delaying it to the
next incoming PUSH_REQUEST message.
This also eliminates the need for the hack introduced by commit
3b06b57d9 to generate the data channel keys on the async file close
event.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200709101603.11941-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20253.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This clean ups the code and removes the surprising side effects
of preparing a push reply to also select protocol options.
We also remember if we have seen a push request without async
push. This improves reaction time if deferred auth is involved
like managment interface deferred auth. The other benefit is
removing a number of ifdefs.
NOTE: this patch breaks asynchronous authentication (via plugins
and possibly also via management interface). The next commit will
fix this. This is understood and hereby documented, but the two
individual commits are much cleaner without trying to fix it here
or squash both together.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200709101603.11941-4-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20255.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This is a small refactoring to make both function more readable. It also
eliminates the ret variable in process_incoming_push_msg that now serves
no purpose anymore.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200709101603.11941-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20254.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This order the states from unauthenticated to authenticated and also
changes the comparison for KS_AUTH_FALSE from != to >
It also add comments and documents part using the state machine
better.
Remove a now obsolete comment and two obsolete ifdefs. While
keeping the ifdef in ssl_verify would save a few bytes of code,
this is too minor to justify keeping the ifdef
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200709101603.11941-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20258.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
For some reason, openvpn --version has since the beginning of time
returned exit code 1. A quick sample among common unix utilities confirms
that the rest of the world agrees with me that 0 makes more sense. Let's
make openvpn --version exit with exit code 0 too.
Signed-off-by: Steffan Karger <steffan.karger@foxcrypto.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <E1jsoYQ-0007AZ-BF@sfs-ml-1.v29.lw.sourceforge.com>
URL: https://www.mail-archive.com/search?l=mid&q=E1jsoYQ-0007AZ-BF@sfs-ml-1.v29.lw.sourceforge.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Instead of having the whole function as
if (x) { func }
do
if (!x) return;
func
Due to the whitespace changes in the function body this patch looks
very strange. Ignoring whitespace makes the diff look sane.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200707121615.15736-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20231.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
For whatever reason, we never removed the pid file on program exit.
Not only this is unclean, but it also makes testing for "I want this
test case to FAIL" in t_client.sh more annoying to code for "is the
OpenVPN process still around?"...
Do not unlink the file if chroot() is active (might be outside the
chroot arena - testing for realpath etc. is left for someone else).
v2: make this work on M_FATAL exit, by unlinking from openvpn_exit() in
error.h - this requires moving write_pid() to init.c so module hierarchy
is maintained and introducing a static variable to save the PID file
name (otherwise it is no longer available when the top level GC is gone).
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200707084220.45753-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20224.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Both are tightly coupled often both are checked at the same time.
Merging them into one state makes the code simpler and also brings
us closer in the direction of a state machine
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200706163516.11390-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20216.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
