This option allows to pin one or more more peer certificates. It also
prepares for doing TLS authentication without a CA and just
self-signed certificates.
Patch V2: Allow peer-fingerprint to be specified multiple times
to allow multiple peers without needing to use inline
syntax. (e.g. on command line).
Patch V3: rebase on v3 of 1/4, reword message of verify-hash and
peer-fingerpring incompatibility
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210321143353.2677-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20210321143353.2677-1-arne@rfc2549.org
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This patch introduces support for verify-hash inlining.
When inlined, this options now allows to specify multiple fingerprints,
one per line.
Since this is a new syntax, there is no backwards compatibility to take
care of, therefore we can drop support for SHA1. Inlined fingerprints
are assumed be to SHA-256 only.
Also print a warning about SHA1 hash being deprecated to verify
certificates as it is not "industry standard" anymore.
Patch v2: fix/clarify various comments, fix a few minor problems, allow
the option to be specified multiple times and have that
added to the list.
Patch v3: Remove leftover variable, always call
parse_hash_fingerprint_multiline, add comments clarifying list
appending
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210321142538.1656-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20210321142538.1656-1-arne@rfc2549.org
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lots of string functions were declared unsafe in favor of ..._s()
counterparts. However, the code already is careful about the buffer
size. Code analysis is just not smart enough (yet) to detect this.
The code was refactored to use ..._s() variants MSVC is considering as
"safe".
Signed-off-by: Simon Rozman <simon@rozman.si>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210321144627.1621-5-simon@rozman.si>
URL: https://www.mail-archive.com/search?l=mid&q=20210321144627.1621-5-simon@rozman.si
Signed-off-by: Gert Doering <gert@greenie.muc.de>
It's about using a standard recommended alias for the wcsdup():
> warning C4996: 'wcsdup': The POSIX name for this item is deprecated.
> Instead, use the ISO C and C++ conformant name: _wcsdup. See online
> help for details.
And the documentation says:
> The Microsoft-implemented POSIX function names strdup and wcsdup are
> deprecated aliases for the _strdup and _wcsdup functions. By default,
> they generate Compiler warning (level 3) C4996. The names are
> deprecated because they don't follow the Standard C rules for
> implementation-specific names. However, the functions are still
> supported.
>
> We recommend you use _strdup and _wcsdup instead. Or, you can continue
> to use these function names, and disable the warning. For more
> information, see Turn off the warning and POSIX function names.
Reference:
https://docs.microsoft.com/en-us/cpp/c-runtime-library/reference/strdup-wcs
dup
Signed-off-by: Simon Rozman <simon@rozman.si>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210321144627.1621-3-simon@rozman.si>
URL: https://www.mail-archive.com/search?l=mid&q=20210321144627.1621-3-simon@rozman.si
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Plaintext authentication is not exactly high security, but we might as
well memzero the credentials before leaving the function.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210319215448.38350-1-max@max-fillinger.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21738.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This function is used by both NCP and push, so move it to a more proper
place.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20210319153129.8734-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21732.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When using the LLVM clang compiler instead the MSVC cl.exe but with
the same build environment as MSVC, clang encounters a few errors:
src\openvpn\socket.c(3550,23): warning: assigning to 'CHAR *' (aka 'char
*') from 'uint8_t *' (aka 'unsigned char *') converts between pointers to
integer types with different sign [-Wpointer-sign]
wsabuf[0].buf = BPTR(&sock->reads.buf);
^ ~~~~~~~~~~~~~~~~~~~~~~
src\openvpn\socket.c(3670,23): warning: assigning to 'CHAR *' (aka 'char
*') from 'uint8_t *' (aka 'unsigned char *') converts between pointers to
integer types with different sign [-Wpointer-sign]
wsabuf[0].buf = BPTR(&sock->writes.buf);
^ ~~~~~~~~~~~~~~~~~~~~~~~
Use BSTR instead of BPTR, which casts to the correct type that is
expected.
src\compat\compat-gettimeofday.c(105,18): error: assignment to cast is
illegal, lvalue casts are not supported
tv->tv_sec = (long)last_sec = (long)sec;
Split into two assignments to avoid the illegal cast
include\stdint.h(18,28): error: typedef redefinition with different types
('signed char' vs 'char')
typedef signed char int8_t;
^
openvpn\config-msvc.h(162,16): note: previous definition is here
typedef __int8 int8_t;
Removes our custom int type typdefs from config-msvc.h and replace it
with an include of inttypes.h.
C:\Program Files (x86)\Windows
Kits\10\include\10.0.19041.0\shared\tcpmib.h(56,3): error: typedef
redefinition with different types ('enum MIB_TCP_STATE' vs 'int')
} MIB_TCP_STATE;
^
C:\Users\User\source\repos\openvpn\src\openvpn/syshead.h(369,13): note:
previous definition is here
typedef int MIB_TCP_STATE;
^
1 error generated.
This seems to be for mingw32 only, so guard this with a mingw32
compiler guard.
\src\openvpn\tun.c(3727,34): warning: passing 'char [256]' to parameter of
type 'LPBYTE' (aka 'unsigned char *') converts between pointers to integer
types with different sign [-Wpointer-sign]
net_cfg_instance_id,
^~~~~~~~~~~~~~~~~~~
C:\Program Files (x86)\Windows
Kits\10\include\10.0.19041.0\um\winreg.h(955,88): note: passing argument
to parameter 'lpData' here
This is windows specific code, use the Windows LPBTYE in the
definitions. (long pointer to BYTE (long pointer as far/near pointer
relict from windows 16 bit times, in moddern words (unsigned char *))
Fix also a few other char vs uint8/unisgned char/BYTE issues in tun.c
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210319114631.20459-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21719.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Updates for the wolfSSL README file:
- fix typos
- correct wolfSSL company spelling
- add a point of contact for users having problems using OpenVPN + wolfSSL
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210319134322.131905-1-juliusz@wolfssl.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21722.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The PKG_CHECK_VAR() macro is not available on versions of pkgconfig before
0.28, which breaks configure on RHEL-7, Ubuntu 16, and others.
This patch copies the definition generated by newer versions of autoconf
to be used for compatibility with older versions. Tested with automake
1.14.1-2ubuntu1 and autoconf 2.69-6 on Ubuntu 14.
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20210318181258.89704-1-juliusz@wolfssl.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21708.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This patch adds support for wolfSSL in OpenVPN. Support is added by using
wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged
and instead the OpenSSL includes point to wolfSSL headers and OpenVPN is
linked against the wolfSSL library. The wolfSSL installation directory is
detected using pkg-config.
As requested by OpenVPN maintainers, this patch does not include
wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN
in the configure script wolfSSL will include wolfssl/options.h on its own
(change added in https://github.com/wolfSSL/wolfssl/pull/2825). The patch
adds an option `--disable-wolfssl-options-h` in case the user would like
to supply their own settings file for wolfSSL.
wolfSSL:
Support added in: https://github.com/wolfSSL/wolfssl/pull/2503
```
git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
./autogen.sh
./configure --enable-openvpn
make
sudo make install
```
OpenVPN:
```
autoreconf -i -v -f
./configure --with-crypto-library=wolfssl
make
make check
sudo make install
```
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210317181153.83716-1-juliusz@wolfssl.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21686.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The main motivation to make this change is to avoid a crash in mbed TLS
2.25 with --verb < 8.
mbed TLS 2.25 has a nasty bug that the print function for Montgomery style
EC curves (Curve25519 and Curve448) does segfault. See also the issue
reported here: https://github.com/ARMmbed/mbedtls/issues/4208
We request always debug level 3 from mbed TLS but filter out any debug
output of level 3 unless verb 8 or higher is set. This commeit sets
the debug level to 2 to avoid this problem by makeing mbed TLS not
generatin the problematic debug output.
For the affected version to still use --verb 8 with mbed TLS 2.25 is to
restrict the EC groups to ones that do not crash the print function
like with '--tls-groups secp521r1:secp384r1:secp256r1'.
This patch has no patch on user-visible behaviour on unaffected mbed TLS
versions.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Patch V2: Replace magic constant with proper define. Highlight more this
avoding generating unessary debug output than crash workaround.
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20210316124421.1635-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21667.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Since 2014, the OpenVPN project has shipped an adopted LZ4 library to be
enabled if no LZ4 libraries was found on the system. This was due to
the LZ4 library not being available on all platforms and it was vastly
better than the older LZO compression algorithm. But this was years
before VORACLE and related attack vectors affecting VPN connections,
where compression is considered a vulnerability.
The OpenVPN project is gradually moving away from supporting compression,
so shipping our own LZ4 library is no longer wanted. It will now only
use the LZ4 compression libraries found on the host, and can otherwise
be disabled completely with ./configure --disable-lz4.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210317220642.38741-1-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/search?l=mid&q=20210317220642.38741-1-openvpn@sf.lists.topphemmelig.net
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Suppress printing the complete Diffie Hellman parameters file
to the log file when it has been configured as an inline file.
Signed-off-by: Richard Bonhomme <tincanteksup@gmail.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210317223448.1278818-1-tincanteksup@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21688.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
In the EVP_DigestSignFinal API, "before the call the siglen parameter
should contain the length of the sig buffer".
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210312150629.57302-1-juliusz@wolfssl.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21663.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
If --mlock is used, the amount of memory OpenVPN can use is guarded
by the RLIMIT_MEMLOCK value (see mlockall(2)). The OS default for this
is usually 64 Kbyte, which is enough for OpenVPN to initialize, but
as soon as the first TLS handshake comes it, OpenVPN will crash due
to "ouf of memory", and might even end up in a crash loop.
Steady-state OpenVPN requires between 8 MB and 30-50 MB (servers with
many concurrent clients) of memory. TLS renegotiation with EC keys
requires up to 90 MB of transient memory.
So: with this patch, we check if getrlimit() is available, and if yes,
log the amount of mlock'able memory. If the amount is below 100 MB,
which is an arbitrary value "large enough for most smaller deployments",
we try to increase the limits to 100 MB, and abort if this fails.
v2:
change arbitrary number to 100 MB, introduce #define for it
not only check but also increase with setrlimit()
uncrustify fixes
v3:
OpenSolaris has mlockall() and getrlimit(), but no RLIMIT_MEMLOCK -
make code conditional on HAVE_GETRLIMIT *and* RLIMIT_MEMLOCK
add Changes.rst entry
Trac: #1390
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20210310124808.14741-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21657.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Patch v2: removed change that slipped into this patch and belongs
into the next
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20210125125628.30364-9-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21489.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This prepares send_auth_pending_messages to be used a in context that
does not have context c available but also does not need to schedule
an immediate sending of the message (auth plugin/script)
Patch V2: Adjust the comment of reschedule_multi_process to actually fit a
function.
Patch V3: Rebase needed because v3 of 3/11
Patch V4: Send with push.h prototype
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210310102823.29508-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20210310102823.29508-1-arne@rfc2549.org
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Our "natural" place for this function would be ssl.c but ssl.c has a lot of
dependencies on all kinds of other compilation units so including ssl.c
into
unit tests is near impossible currently. Instead create a new file
ssl_util.c
that holds small utility functions like this one.
Patch v2: add newline add the end of sll_util.h and ssl_util.c
Patch v3: Refactor/clean up the function even more as suggested by Gert.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210226111012.21269-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21585.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Patch V2: eliminate parse_kid function, fix style
Patch V3: adding missing parameter in function, this was added
by a later patch in the original series
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20210303123818.16012-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21596.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commit 06f6cf3ff8 introduced use of newer OpenSSL functions
for the TLS 1.0-1.1 PRF, to make OpenVPN work with FIPS-enabled OpenSSL.
LibreSSL masquerades as "very new OpenSSL" but does not have these
functions (or at least not on the OpenBSD system tested), so compilationg
breaks.
Add a "but not if LibreSSL" check to the OpenSSL version check, as we
do in other places.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210308114405.19066-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21628.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This moves from using our own copy of the TLS1 PRF function to using
TLS library provided function where possible. This includes currently
OpenSSL 1.1.0+ and mbed TLS 2.18+.
For the libraries where it is not possible to use the library's own
function, we still use our own implementation. mbed TLS will continue
to use our own old PRF function while for OpenSSL we will use a
adapted version from OpenSSL 1.0.2t code. The version allows to be
used in a FIPS enabled environment.
The old OpenSSL and mbed TLS implementation could have shared some
more code but as we will eventually drop support for older TLS
libraries, the separation makes it easier it remove that code
invdidually.
In FIPS mode MD5 is normally forbidden, the TLS1 PRF1 function we
use, makes uses of MD5, which in the past has caused OpenVPN to segfault.
The new implementation for OpenSSL version of our custom implementation
has added the special flags that tell OpenSSL that this specific use
of MD5 is allowed in FIPS mode.
No FIPS conformitiy testing etc has been done, this is only about
allowing OpenVPN on a system where FIPS mode has been enabled system
wide (e.g. on RHEL derivates).
Patch v4: Handle the unlikely case that PRF generation fails. More
formatting
fixes.
Patch v5: v4 with the formatting fixes actually commited. sigh.
Patch v6: More formatting fixes, make OpenSSL fucntion return bool instead
of int.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210305141352.21847-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21612.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This allows to use script that have more than just fail/sucess but
also deferred as status
Patch v2: minor style fixes, improve doxygen comments
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20210125125628.30364-7-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21487.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This allows a UI client to display the correct state. Technically the
client is still waiting for PUSH_REPLY but for every practical concern
this is a different state as we are waiting for the pending
authentication to finish.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20210125125628.30364-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21498.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This allows a client to extend the timeout of pull-request response
while waiting for the user to complete a pending authentication. A
timeout of 60s for a normal authentication might still works for a
simple 2FA (but still challenging). With a sophisticated (or overly
complicated) web based authentication 60s are quite short.
To avoid not detecting network problem in this phase, we use the
constant sending of PUSH_REQUEST/AUTH_PENDING as keepalive signal
and still timeout the session after the handshake window time.
patch v2: typo fixes, invert if for sscanf
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20210125125628.30364-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21491.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Without this OpenVPN will later segfault on a FIPS enabled system due
to the algorithm available but not allowed.
Patch V2: Use (!func) instead (func != 1)
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210201174310.22153-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21546.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
sample-plugins/defer/simple.c uses OPENVPN_PLUGINv3_STRUCTVER settings
that may not be obvious to a new author. Add a comment to reduce
possible confusion.
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1612163389-16421-1-git-send-email-gcox@mozilla.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21540.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This commit changes the count n_sent_push_requests to time_t based
push_request_timeout. This is more in line to our other timeouts which
are also time based instead of number retries based.
This does not change the behaviour but it prepares allowing to extend
the pull request timeout during a pending authentication. As a user
visible change we print the the time we waited for a timeout instead
Also update the man page to actually document that hand-window controls
this timeout.
Patch V2: grammar fix in manual page
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20210125125628.30364-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21490.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This code is from another time and has almost no relevance today.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20201214172407.30451-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21360.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
While not required, adding openvpn_plugin_min_version_required_v1 helps
by making an example for others to copy, and helps to explicitly call
attention to the difference between the API version number and the
struct version number in v3 calls.
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1611778909-20630-2-git-send-email-gcox@mozilla.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21508.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This isn't strictly required, but it modernizes the functions used.
This change makes _open the same parameter form as _func (for better
parallelism in function writing) and includes a check for the correct
struct version, as recommended by openvpn-plugin.h
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1611778909-20630-1-git-send-email-gcox@mozilla.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21507.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The comments refered to parameters found in openvpn_plugin_func_v2 but not
in v3
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1611531973-443-1-git-send-email-gcox@mozilla.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21481.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
If we ship something that we consider a form of documentation
"this is how to write an OpenVPN plugin" it should meet our standards
for secure and modern code. This plugin did neither.
- get rid of system() calls, especially those that enabled a
remote-root exploit if this code was used "as is"
- change logging from printf() to OpenVPN's plugin_log()
- this requires changing to openvpn_plugin_open_v3() to get
to the function pointers
- change wacky "background and sleep in the shell call" to the
double-fork/waitpid model we use in plugins/auth-pam
(copy-paste code reuse)
- OpenVPN 2.5 and later react badly to OPENVPN_PLUGIN_FUNC_ERROR
returns to OPENVPN_PLUGIN_ENABLE_PF calls (SIGSEGV crash), so
always return SUCCESS. Only hook ENABLE_PF if that functionality
is actually requested ("setenv test_packet_filter NN").
- change deeply-nested functions auth_user_pass_verify() and
tls_final() to use early-return style
- actually make defered PF setup *work* with recent OpenVPNs
(pre-creating temp files broke this, so unlink() the pre-created
file in the ENABLE_PF hook, and re-create asyncronously later)
- add lots of comments explaining why we do things this way
Security issue reported by "oxr463" on HackerOne.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210121172536.32500-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21466.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Without this patch, if openpn is using a plugin that provides
OPENVPN_PLUGIN_ENABLE_PF but then fails (returns OPENVPN_PLUGIN_FUNC_ERROR),
OpenVPN will crash on a NULL pointer reference.
The underlying cause is (likely) the refactoring work regarding
CAS_SUCCEEDED etc., and that nobody adjusted the pf.c code accordingly
(it tries to sent itself a SIGUSR1, which tries to tear down the
client MI instance, but since it is not fully set up yet at this
point, things explode). Full details on the call chain in Trac...
Since we intend to remove pf in 2.6, but we still do not want OpenVPN
to ever SIGSEGV, change the requirements for the plugins to "MUST SUCCEED",
so if the plugin ENABLE_PF call fails, abort openvpn with a M_FATAL
message.
Trac: #1377
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210121133929.20186-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21464.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The 'echo' command can be used to signal information to an OpenVPN
GUI driving the openvpn core via management interface. Which commands
exists and their syntax has so far been mostly undocumented.
Condense the long and good discussion between Selva Nair and
Jonathan K. Bullard into doc/gui-notes.txt (initial draft from
Jonathan, comments from Selva and Arne), with a pointer added
to doc/management-notes.txt.
See:
https://sourceforge.net/p/openvpn/mailman/openvpn-users/thread/CAEsd45T%2Bd
6FUJ9Po0KHwtHjfuL9Q2D-poG8yFtY45Qyh%2BtHjkg%40mail.gmail.com/#msg36136236
and
https://sourceforge.net/p/openvpn/mailman/openvpn-devel/thread/CAKuzo_jPThh
vXTJAtzhqVUVOLPW1VGu6h2jQhVsHicY8P2WRqA%40mail.gmail.com/#msg36141193
for the details.
Re-enable logging of 'echo' statements, but only for the particular
class of messages starting with 'echo msg...'.
v2:
incorporate feedback from Selva Nair, correct >ECHO examples
v3:
add "msg*" support status for Windows GUI (11.22.0) and Android (Planned)
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20210118162850.24214-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21443.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
A server with tls-cryptv2 and tls-auth produces the warning:
WARNING: 'tls-auth' is present in local config but missing in remote
config, local='tls-auth'"
The tls-auth option has no argument so the strpefix with the space
included does not match it.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20201211125957.7764-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21358.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Wintun does not support DHCP.
Running DHCP renew with Wintun adapter fails with a logged warning.
Fixed so that DHCP renewing is called only for TAP-Windows6 adapters.
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20201215173004.26170-1-domagoj@pensa.hr>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21364.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When running various netsh commands before each 1 second sleep is added.
As more netsh commands are run, especially for Wintun adapters, that can
add to a noticable delayed connecting time.
This should be safe. No problems were found in tests and all netsh
commands executed properly with delay removed. Also, no delays are used
in a similar code in interactive service and netsh command executions
are guarded with a semaphore.
Instead of removing management_sleep(1), management_sleep(0) is used as
a replacement to allow processing any pending actions on the management
interface without any wait.
Signed-off-by: Domagoj Pensa <domagoj@pensa.hr>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20201224115910.10129-1-domagoj@pensa.hr>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21405.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
--block-ipv6 is a fairly special-purpose option, and only blocks packet
in the client->server direction. This is implied by not ever mentioning
the other direction in the existing documentation, but not written down.
Make this explicit, avoid confusion.
Also, point why this option exist (avoid IPv6 leakage from dual-stacked
clients around IPv4-only VPN offerings).
Trac: #1351
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Richard Bonhomme <tincanteksup@gmail.com>
Message-Id: <20201225164214.22771-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21407.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This ensure that all unused fields in msg are zero.
Spotted by Coverity:
Using uninitialized value "msg". Field "msg.msg_flags" is uninitialized
when calling "sendmsg".
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210105131758.20311-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21418.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commit cc5a71637 ("Replace key_scan array of static pointers with inline
function") has introduced get_key_scan() routine with switch statement
which calls ASSERT() in the default case.
Even though "this should never happen", this code triggers Level 1 warning
"not all control paths return a value" in msvc.
Fix by adding "return NULL; /* NOTREACHED */" after ASSERT.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20201217224834.160-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21373.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When registering DNS on Windows, argv is freed after being used in first
ipconfig command (/flushdns).
Then same argv is used uninitialized in next ipconfig command
(/registerdns)
causing heap exception and subprocess crash.
As a consequence second command is never executed and locked netcmd
semaphore is not cleanly released.
Removing argv freeing between ipconfig calls solves the problem.
This issue was introduced in commit 870e240 (argv: do fewer memory
re-allocations). After a quick glance at commit no similar problem was
spotted in rest of the argv related changes.
Signed-off-by: Domagoj Pensa <domagoj@pensa.hr>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20201215171600.25534-1-domagoj@pensa.hr>
URL: https://www.mail-archive.com/search?l=mid&q=20201215171600.25534-1-domagoj@pensa.hr
Signed-off-by: Gert Doering <gert@greenie.muc.de>
<inline> segments neglected to increment the "current line number
in config file" variable (line_num), so after the first <inline>,
errors reported have the wrong line number.
Fix by introducing an extra argument to read_inline_file() function:
"so many lines in the inline block", and changing the return values of
the "check_inline*()" functions to "int", changing this from "false/true"
to "0 = no inline, 1...N = inline with <N> lines".
On calling add_options() this is implicitly converted back to bool.
v2: use int return value, not extra call-by-reference parameter
Trac: #1325
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20201206125711.12071-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21334.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The port-share option assumed that all openvpn initial reset packets
are between 14 and 255 bytes long. This is not true for tls-crypt-v2.
Patch V2: use correct length for TLS-Crypt v2, use length variable
non-tlscryptv2 test
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan.karger@foxcrypto.com>
Message-Id: <20201130123813.21388-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21290.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This allows tls-crypt-v2 servers to drop privileges after reading the
keys. Without it, the server would try to read the key file for each
connecting client. (And clients for each reconnect.)
As with the previous patch, the pre-loading was developed in parallel
with tls-crypt-v2, and the tls-crypt-v2 patches were never amended to
implement the pre-loading.
Also as with the previous patch, it would be nicer if servers would not
reload the tls-crypt-v2 server key for each connecting client. But let's
first fix the issue, and see if we can improve later.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20201203154951.29382-2-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21307.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>