Since these are examples, people might use them as a basis for their own
configs. In the non-push/pull configs, we should specify a decent cipher.
Further, I don't think we should recommend anyone to still use a static key
configuration, so remove the static key config examples.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20191109174235.20511-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19081.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
GCC>=8 supports truncation checking, however the logic is somewhat
fragile when it comes to evaluating strncpy().
In buffer.h we have implemented a wrapper called strncpynt() which
ensures we always do the right hting in the code and reduce the chance
of having bugs.
This said, it seems that the gcc logic is not able to always understand
if we are doing the right thing and throws a false positive.
Toa void the noise, disable truncation checking on Linux by default.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20191110100323.13206-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19085.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Since we changed MSVC version in project files to 2019,
we have to do the same in travis script.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Simon Rozman <simon@rozman.si>
Message-Id: <1573317611-6462-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19074.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
57623b4e introduced a print_sockaddr() call in socks.c to print an
openvpn_sockaddr object.
However, this is not correct because print_sockaddr() expects a sockaddr
object as argument instead of openvpn_sockaddr.
This error did not lead to any issue because the two objects are very
similar in regards to the data accessed by print_sockaddr().
Fix this by replacing print_sockaddr() with print_openvpn_sockaddr().
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20191109163714.25506-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19073.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
To open wintun device, we cannot use "\\.\Global\Wintun<luid>"
path as before. To get device path which we supply to CreateFile,
we have to use SetupAPI to:
- enumerate network adapters with "wintun" as component id
- for each adapter save its guid
- open device information set
- for each item in set
- open corresponding registry key to get net_cfg_instance_id
- get symbolic link name of device interface by instance id
- path will be symbolic link name of device instance matched with
adapter's guid
See
https://github.com/OpenVPN/openvpn3/blob/master/openvpn/tun/win/tunutil.hpp
and
https://github.com/WireGuard/wireguard-go/blob/master/tun/wintun/wintun_win
dows.go for
implementation examples.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Simon Rozman <simon@rozman.si>
Message-Id: <1573148729-27339-4-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19029.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This allows to specify which tun driver openvpn should use,
tap-windows6 (default) or wintun.
Note than wintun support will be added in follow-up patches.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Simon Rozman <simon@rozman.si>
Message-Id: <1573234655-905-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19046.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This patch adds documentation for all the VLAN related knobs.
Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20191109095836.11190-1-a@unstable.cc>
URL: https://www.mail-archive.com/search?l=mid&q=20191109095836.11190-1-a@unstable.cc
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This changes allows the user to configure the server TAP interface to
forward both VLAN tagged and untagged packets (i.e. vlan_accept ==
VLAN_ALL).
Untagged packets are marked with the VID configured in the server
configuration file, while tagged packets will keep their header as it
is.
Forwarding is then performed following the standard rules, while
ensuring that pakcets do not leave the VLAN they belong to.
Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20191009143422.9419-8-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18919.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
By building on top of the VLAN basic support, allow the user to configure
the server in VLAN_TAGGED-only mode. This way, only packets that reach
the TAP interface with an 802.1Q header are considered for forwarding -
untagged packets are all dropped.
A VLAN-tagged packet is then treated like any other packet by the
OpenVPN routing engine, with the exception of being allowed to reach
only clients configured with the same VID.
The logic applies to all server-to-client and client-to-client traffic.
Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20191009143422.9419-7-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18918.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Extend is_ipv_X() routine by properly parsing 802.1q frame rather than
dropping them.
This change is required in order to allow OpenVPN to accept VLAN tagged
frames, which otherwise would be dropped when trying to access the inner
IP header.
While at it, slightly fix the function style.
Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20191009143422.9419-6-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18916.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
With this change, client-to-client communications are possible only if
clients were configured with the same PVID.
At the same time also broadcast packets are now forwarded only to hosts
belonging to the originator VLAN.
Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20191009143422.9419-5-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18922.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When receiving a packet from a client, the associated maddr needs to
carry also the VID associated with that client. This way the VID can be
appended to the packet later, if needed.
This patch adds support for exporting the VID from the client context to
the related per-packet maddr object.
Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20191009143422.9419-4-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18917.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This patch introduces basic support for VLAN tagging on the server side.
The introduced functionality consists in allowing the user to assign
a VID to the server TAP device and a VID to each client port.
Client specific VID are assigned by means of files in CCD (like for
other client specific settings).
Once VIDs have been assigned, everything works as before, except that
communications are allowed only between hosts having the same VID.
With this patch all broadcast and client-to-client traffic is yet
separated by VLAN: only client-to-server unicasts are affected.
Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20191009143422.9419-3-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18924.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Since we release Windows client with OpenSSL 1.1.0
(and will switch to 1.1.1 in the next release),
it makes sense to use a newer version in VS build.
This patch adds msvc-specific defines which imply
that underlying OpenSSL is 1.1.x (works with 1.1.0 and 1.1.1).
Also OpenSSL library names in project file are updated.
Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Simon Rozman <simon@rozman.si>
Message-Id: <1571315023-17044-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18948.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Our current socks.c code does not handle IPv6 + UDP mode (socket
negotiated with server is IPv4-only, addresses passed in the
packets are IPv4-only). If this combination is specified, print
an explanatory message and force IPv4-only.
While at it, extend socks.c code to print address+port of auxiliary
UDP connection to SOCKS server (helps debugging).
Trac: #1221
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20191020150039.21516-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18952.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
OpenVPN-GUI (For Windows) currently always adds "--pull-filter"
which is a fatal error when also using "--mode server"
Using "--pull-filter" implicitly requires the use of "--pull".
Using "--mode server" and "--pull" is a fatal error which supercedes
"--pull-filter"
Safely ignore "--pull-filter" for "--mode server"
Trac: #1164
v2: Improve commit message, no functional changes.
Signed-off-by: Richard Bonhomme <tincanteksup@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20191024214832.22737-1-tincanteksup@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18964.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This changes default path to openvpn dependencies, so that
openvpn-build and openvpn projects can be cloned from the same
folder:
c:\Users\Administrator\Projects>git clone
git@github.com:OpenVPN/openvpn-build.git
c:\Users\Administrator\Projects>git clone
git@github.com:OpenVPN/openvpn.git
This also removes the necessity of copying openvpn-build\msvc\image
to %USERPROFILE%.
To use Visual Studio, clone both projects, install dependencies
(VS2017 Community with SDK 10.0.17143, Strawberry Perl) and run:
c:\Users\Administrator\Projects\openvpn-build\msvc\build.bat
Then just open solution file:
c:\Users\Administrator\Projects\openvpn\openvpn.sln
Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Simon Rozman <simon@rozman.si>
Message-Id: <1570784625-8837-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18930.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
t_client.sh relies on "echo -e" and "echo -n" to produce nicely
looking output, which fails on Solaris /bin/sh - force SHELL=/bin/bash
on recent-enough Solaris variants that have it.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20191009120043.22692-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18914.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The "route add" code always used "metric 0" on OpenSolaris, because
(on tun interfaces) it was required to make the route work on
"non-ethernet" interfaces (connected, no NDP).
This breaks routes via tap interfaces on recent Solaris versions
(tested on OpenIndiana 2019) - there, routes only work if metric
is != 0 (or just not set). Otherwise it tries to map the gateway
address to a local address and fails.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20191009095200.9337-2-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18906.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
commit 611fcbc48 joined the two distinct calls for "add ipv6 address
to tap interface" and "set MTU" for Solaris - but due to peculiarities
on how this platform handles IPv6 addresses ("ifconfig addif" creates
a new "tap0:1" subinterface with the new address - which does not have
a distinct MTU) this does not work.
un-join calls again.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20191009095200.9337-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18905.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Visual Studio doesn't support empty designated initializers
for C code, so use { 0 }. Also replace existing CLEAR() call with
the new initializers.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1570539154-31784-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18904.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commit 1b9a88a has added new C source/header files which
have to be added to VS project file.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1570539154-31784-2-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18903.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The unit test is breaking the 80 char limit in some places
but the remaining lines it breaks the limit I feel
forcing the 80 char limit will impair readibility
Patch V2: adapt unit tests to other V2 patches
Patch V4: Resolve rebase conflicts
Patch V5: Add \ lost in rebase that broke compilation
Patch V7: Fix unit test failure, try to stay below 80
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20190917123321.15993-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18821.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
A couple of places the documentation was not clear enough or not even
correct. Just improve this to avoid confusion later on.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190927224536.27480-4-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18874.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When building with --disable-management, the compiler complains with
implicit declaration of function ‘ssl_clean_auth_token’. This is due to
the ssl_clean_auth_token() function being declared inside an #ifdef
ENABLE_MANAGEMENT fence where it should not be.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190927224536.27480-3-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18873.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The final patches of the auth-token hmac support patches had a typo in
the P2MP_SERVER fencing breaking --disable-server builds. It used #if
instead of #ifdef.
While at it, also fix another missing P2MP_SERVER fencing causing the
compiler to complain about an unused variable in push.c
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190927224536.27480-2-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18875.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This allows OpenVPN 3 core to fall back to the original authentication
method.
This commit changes man_def_auth_set_client_reason to
auth_set_client_reason since it now used in more contexts.
Also remove a FIXME about client_reason not being freed, as it is freed
in tls_multi_free with auth_set_client_reason(multi, NULL);
Patch V4: Rebase on master
Patch V7: Rebase on master
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20190917121115.13966-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18820.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This allows an external authentication method
(e.g. management interface) to track the connection and distinguish a
reconnection from multiple connections.
Addtionally this now also checks to workaround a problem with
OpenVPN 3 core that sometimes uses a username hint from the config
instead of using an empty username if the token would be valid
with an empty username. Accepting such token can be only done
explicitly when the external-auth keyword to auth-gen-token is present.
Patch V2: Add Empty variants to work around behaviour in openvpn 3
Patch V3: document the behaviour of external-auth better in the man page,
rename 'auth' parameter to 'external-auth'
Patch V4: Rebase on current master
Patch V6: Fix tls_lock_username rejecting clients with empty username
when explicitly accepting them with external-auth
Patch V7: Fix compiling with disable-server
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20190917121039.13791-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18819.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The previous auth-token implementation had a serious problem, especially
when paired with an unpatched OpenVPN client that keeps trying the
auth-token (commit e61b401a).
The auth-token-gen implementation forgot the auth-token on reconnect, this
lead to reconnect with auth-token never working.
This new implementation implements the auth-token in a stateles variant. By
using HMAC to sign the auth-token the server can verify if a token has been
authenticated and by checking the embedded timestamp in the token it can
also verify that the auth-token is still valid.
Using the new config directive auth-gen-token-secret instead of
extending auth-gen-token (--auth-gen-token [lifetime] [secret-key]) was
chosen to allow inlining the secret key.
Patch V2: cleaned up code, use refactored read_pem_key_file function
Patch V3: clarify some design decision in the commit message
Patch V4: Use ephermal_generate_key
Patch V5: Use C99 PRIu64 instead of %lld int printf like statement,
fix strict aliasing
Patch V6: Rebase on master
Patch V7: fix compiling with --disable-server
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20190917121004.13685-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18818.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
A test run with FreeBSD PR 229925 'Disallow escaping ordinary
characters in regex(3)' reveals one sed expression that uses the
GNU-extension "\s".
Given that this is the only occurrence and it's a trivial fix,
update it to be POSIX-compatible.
Signed-off-by: Matthias Andree <matthias.andree@gmx.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190906174458.14975-2-matthias.andree@gmx.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18806.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
If parameter is not specified, default value "root\tap0901"
is used.
This enables tapctl to work with different tun drivers,
like "tapoas" (from OpenVPN Connect) or "wintun".
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Simon Rozman <simon@rozman.si>
Message-Id: <1569229682-9731-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18854.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Ensure to check the exit code of the mktun command *before* running
sleep, otherwise '$?' will resolve to the exit code of sleep itself,
thus nullifying the check.
Reported-by: Steffan Karger <steffan@karger.me>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190919202257.19405-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18845.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Interfaces of type tun are marked as NO-CARRIER when no process is
attached to them. However, this bit gets set with some delay after
creation.
For this reason, it is better to wait for the bit to settle before
starting any test, otherwise any timing influence on the test may lead
to inconsistencies due to the NO-CARRIER bit randomly being or not in
the snapshot output taken by t_net.sh.
This patch add a 'sleep 1' command right after creation of the
interface, to give the NO-CARRIER bit a chance to settle.
This issue has been witnessed on a buildbot that is
apparently slowler than average to run the unit tests.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190919072820.9913-1-a@unstable.cc>
URL: https://www.mail-archive.com/search?l=mid&q=20190919072820.9913-1-a@unstable.cc
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Since the very beginning this define has only
been used together with _WIN32 and code wrapped into it
uses Win32 API, so it could be safely removed and
replaced with _WIN32.
Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1568019436-28527-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18808.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This function's return value is never used, so make it void.
Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1567784437-25922-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18804.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
With the introduction of the new networking API layer on linux, some
ifdefs can be pruned or simplified.
While at it move some variable to improve readability.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190805092529.9467-7-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18724.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Give this file a run under uncrustify to fix a few style glitches here
and there.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190805092529.9467-6-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18727.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
With the new networking APIs, each implementation handles garbage
collection internally and therefore does not require a gc object to be
provided by the outer layer.
However, there are a few cases where a garbage collector is still required.
In close_tun() move the declaration and cleanup of gc to the
area where it is used and simplify the surrounding code a bit.
While at it, fix a typo in a nearby ifdef comment.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190805092529.9467-5-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18726.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Networking backend implementations may need to allocate dynamic
resources that require an explicit free/release.
Since these cleanup are perfomed not very often, and only at specific
times, it makes sense to have the upper layer signal when it's the right
time to do so, by means of a new API call.
For this purpose two news APIs have been implemented:
- net_ctx_free() to release all backend specific resources. Expected to
be called at application cleanup time;
- net_ctx_reset() to let backends release temporary resources (i.e.
reset garbage collectors). To be invoked after routines that
are expected to allocate memory (i.e. tun setup or shutdown).
In this patch related implementations for iproute2 and sitnl are also
provided.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190816202654.19388-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18780.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commit ("openssl: Fix compilation without deprecated OpenSSL 1.1 APIs")
has removed the cipher_ctx_cleanup() API, as it is not anymore required
to be a distinct call. However, while doing so it also touched the
mbedtls backend in a wrong way causing a systematic segfault upon
connection.
Basically mbedtls_cipher_free(ctx) was moved from the defunct
cipher_ctx_cleanup()
to md_ctx_free(), while it was supposed to go into cipher_ctx_free().
This was clearly wrong as also the type of the ctx variable was not
correct anymore.
Fix this mistake by actually moving mbedtls_cipher_free(ctx) to
cipher_ctx_free().
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20190816204945.7937-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18781.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
EVP_CIPHER_CTX_init and _cleanup were deprecated in 1.1 and both were
replaced with _reset.
EVP_CIPHER_CTX_free in OpenSSL 1.1 replaces the cleanup/free combo of
earlier OpenSSL version. And OpenSSL 1.0.2 already calls cleanup as part
of _free.
Therefore we can remove the _cleanup calls and use the OpenSSL 1.1. API
everywhere.
Also removed initialisation with OpenSSL 1.1 as it is no longer
needed and causes compilation errors when disabling deprecated APIs.
Same with SSL_CTX_set_ecdh_auto as it got removed.
Patch V3: Use EVP_CIPHER_CTX_reset instead of init/cleanup
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Rosen Penev <rosenp@gmail.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20190724152934.9884-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18700.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
For reasons historically unknown, OpenVPN sets the listen() backlog
queue to "1", which signals the kernel "while there is one TCP connect
waiting for OpenVPN to handle it, refuse all others" - which, on
restarting a busy TCP server, will create connection issues.
The exact "best" value of the backlog queue is subject of discussion,
but for a server that is not extremely busy with many connections
coming in in parallel, there is no real difference between "10" or "500",
as long as it's "more than 1".
Found and debugged by "mjo" in Trac.
Trac: #1208
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20190815155319.28249-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18758.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
At the moment a strcpy() (without length check!) is performed between a
string long IFNAMSIZ bytes and one of 16 bytes. This is ok right now
because IFNAMSIZ is defined as 16, however this bit is not under our
control and may change in he future without us being warned.
For this reason, force both strings to use IFNAMSIZ as size and, since
this constant may not exist on every platform, ensure it is always
defined.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190805092529.9467-2-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18722.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
It turns out that the only part of Android that still shares routing
code with Linux is the get_default_ipv6 method.
Instead of fixing a method that makes little sense on Android anyway,
have a method that returns a fake ipv6 gateway like for ipv4.
Patch V2: Instead adding ANDROID to a long list of ifdefs, change this
to a non LINUX ifdef
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190815121053.18433-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18752.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Clang/Android complained
warning: address of array 'rgi6->iface' will always evaluate to 'true'
[-Wpointer-bool-conversion]
if (rgi6->iface)
iface is a char[16]; So its pointer is always true.
we do a CLEAR(rgi6) always before setting this struct and strcpy the
name into iface. So using strlen instead of checking for the pointer
should be the right fix.
Patch V2: use if(strlen > 0) instead of if(strlen)
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20190815121053.18433-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20190815121053.18433-1-arne@rfc2549.org
Signed-off-by: Gert Doering <gert@greenie.muc.de>