Prior to this patch, the Makefile.am needs to be modified multiple
places to add a new man or HTML page to be generated. Since it is not
too often we modify this, it is easy to miss these finer details.
This changes the man and HTML generator rules to be more generic and use
variables as many places as possible. Also moved all the lines which
should not need to be changed as much towards the bottom-half of the
file.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210630185134.144826-1-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22604.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When openvpn needs to prompt user for a password
(for example, to set management interface password),
the prompt is written to standard error device.
When log is redirected to a file, that prompt is written
to that file and not to the "original" stderr. Moreover, on recent
Insider build (21390.2025) openvpn exits with fatal error
get_console_input_win32(): unexpected error: No such device or address
(errno=6)
while attempting to write that prompt.
When redirecting stdout/stderr, we use _dup2() to associate stderr
descriptor with a log file. This call closes file associated
with stderr descriptor, which might explain why it has stopped
working (original stderr is closed and WriteFile() fails) and on
older versions it appears to work "by accident" - not failing
but use redirected stderr instead of original one.
Fix by creating new file descriptor with _dup() for stderr
before redirect and use this descriptor for writing prompts.
While on it, make code a bit more C99-ish by moving variables
declaration from the beginning of the scope to the actual
initialisation.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210625010405.224-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/search?l=mid&q=20210625010405.224-1-lstipakov@gmail.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This extract the update of a deferred key status into into own
function.
Patch v2: Do not ignore auth_deferred_expire. Minor format changes.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210520151148.2565578-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22420.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When the function setup fails due to invalid file handles, or because
WriteFile(err, ...) fails (due to file handle corruption elsewhere),
the function used to silently "return false"
Change this to print a M_WARN|M_ERRNO message.
Also, change the function style to early-return style (= large diff, but
most are indent changes only).
v2: fix spurious "}" that was left over from change to early-return.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20210618181246.30769-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22577.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
We ensure here that the tls session is authenticated before sending
a push_reply
This the final part of the fix for CVE-2020-15078 in the master branch.
CVE: 2020-15078
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210624130840.2583433-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22587.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Previously we relied on checking tls_authentication_status to check
wether to determine if the context auth state is actually valid or not.
This patch eliminates that check by introducing waiting on the
authentication as extra state in the context auth, state machine.
The simplification and reorganization of the state machine in this
and the previous patches also eliminates a number of corner cases,
including the specific one that lead to CVE-2020-15078.
Patch v3: Fix ccd config from management being ignored
Patch v4: Fix race condition, we need to accept the config from
management if we are in CAS_WAITING_AUTH or earlier states
and not just in CAS_WAITING_AUTH state
CVE: 2020-15078
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210604143938.779193-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22491.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The socket_info->connection_establish is set through
link_socket_set_outgoing_addr when we reach FULL_SYNC. This patch
introduces a new state in context_auth that replaces the
connection_established state for TLS connections. This make the state
machine easier to understand.
Also, rename "enum client_connect_status" to "multi_status", re-order
states so CAS_NOT_CONNECTED (=0) is the default state, and introduce
CAS_CONNECT_DONE as numerically highest so "are we done?" can be
easily checked.
This is part of the patchset to fix CVE-2020-15078 in "master" by
reorganizing the handling of incoming new and renegotiated TLS sessions
to make the code easier to understand and less prone to "edge case"
issues.
Patch v2: fix p2p mode server without (without ncp)
CVE: 2020-15078
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210520151148.2565578-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22419.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The auth-token check is tied to the username/password that is coming
via a specific SSL session, so keep the state also in the key_state
structure.
This also ensures the auth_token_state is always set to 0 on a new
session since we clear the key_state object at the start of a new
SSL session.
This is a prerequisite patch to fix 2020-15078 in the following two
commits.
This also applies the changes to the auth_token_test.c. The change of
tls_session to a pointer is necessary since before that we had tls_session
not tied to the multi and had two tls_session used in the test. One
implicitly in tls_multi and one explicit one. Merge these to one.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210520151148.2565578-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22415.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
In default configuration OpenSSL loads config from
certain location on disk, for example
c:\vcpkg\packages\openssl_x64-windows\openvpn.cnf
which may pose a security risk.
There is "no-autoload-config" config option for OpenSSL
which disables this functionality:
https://github.com/openssl/openssl/pull/5959
however it is not "exported" to vcpkg.
This adds openssl port overlay which sets "no-autoload-config"
config option. Here is the diff (indented with "!" to avoid
confusing "git am"):
! diff --git a/ports/openssl/windows/portfile.cmake
! b/ports/openssl/windows/portfile.cmake
! index 7a3bf08ed..c873eb756 100644
! --- a/ports/openssl/windows/portfile.cmake
! +++ b/ports/openssl/windows/portfile.cmake
! @@ -21,6 +21,7 @@ set(CONFIGURE_OPTIONS
! enable-capieng
! no-ssl2
! no-tests
! + no-autoload-config
! -utf-8
! ${OPENSSL_SHARED}
! )
There is also corresponsing PR to vcpkg:
https://github.com/microsoft/vcpkg/pull/18389
When above PR is merged, this port overlay can be removed.
CVE: 2121-3606
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210617061259.297-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22569.html
Commit a4071b ("crypto_openssl: add initialization to pick up local
configuration") added openssl initialization to load configuration
file. However on Windows this file is loaded from user-writable
directory, such as c:\etc\ssl for mingw builds and (for example)
c:\vcpkg\packages\openssl_x64-windows\openvpn.cnf for vcpkg
builds. This could be a security risk.
CVE-2121-3606 has been assigned to acknowledge this risk.
Since aforementioned commit implements a niche feature which might
be better solved with CryptoAPI on Windows, make this code conditional
(for now).
CVE: 2121-3606
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210617061226.244-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22568.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
p2p connections with both ends backing off seldom succeed
as their connection attempt durations becomes increasingly
unlikely to overlap when the retry wait time is long.
Avoid this by applying the backoff logic only on TCP clients
or the tls_client side for UDP.
Regression warning: shared secret setups are left out of the
backoff logic.
Trac: #1010, #1384
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210602194739.29488-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22485.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When not using username and password (i.e. auth-user-pass) it can still
be desirable to provide the client with an auth-token, e.g. for allowing
a session to continue after a reconnect without requiring 2FA again.
However, without --auth-user-pass openvpn does not have a username and will
ignore any pushed auth-token command.
This patch adds support for auth-token-user to set the username that should
be used for auth-token
The spec of using auth-token-user base64-encoded-user are the ones that
OpenVPN3 already implements.
Patch V2: Improve style, fix comments and commit message
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210520151148.2565578-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22417.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commit 36b9aa "contrib/vcpkg-ports: add pkcs11-helper port"
has trimmed trailing white space in .patch files and thus corrupted them.
Restore trailing whitespaces to "uncorrupt" patches.
** applied with git am --whitespace=nowarn **
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-By: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210615104331.210-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22553.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
pkcs11-helper is a dependency library used by OpenVPN.
So far it has been built only by mingw.
Since we're making MSVC build system a first class citizen,
we need to build depencencies with MSVC, which we do with vcpkg.
All dependencies are in vcpkg official repo, expect pkcs11-helper.
This provides vcpkg port for building pkcs11-helper.
Example usage:
vcpkg --overlay-ports=<openvpn>\contrib\vcpkg-ports install pkcs11-helper
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210607104213.216-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22503.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This finally enables standalone MSVC building, without
dependency on openvpn-build/msvc. This makes MSVC build
process much simpler.
Dependencies are managed by vcpkg. To install dependencies, run:
> vcpkg --overlay-ports=<openvpn>\contrib\vcpkg-ports
--overlay-triplets=<openvpn>\contrib\vcpkg-triplets install
lz4:x64-windows-ovpn lzo:x64-windows-ovpn
openssl-windows:x64-windows-ovpn pkcs11-helper:x64-windows-ovpn
tap-windows6:x64-windows-ovpn
To build for other arch, use x86-windows-ovpn or arm64-windows-ovpn.
Custom triplets are defines so that lz4 is linked statically and
other libraries dynamically.
Since we don't have CMake support yet, we cannot use vcpkg manifest
mode, since it doesn't work with overlay ports
(https://github.com/microsoft/vcpkg/issues/12289),
therefore this one-time manual dependency installation is required.
While on it, bump msvc-generate project target version to VS2019 and
cleanup leftovers from compat.vcxproj.filters.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210514045704.686-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22389.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
clang does not like if the format argument of printf like function
is not a string literal (or constant):
warning: format string is not a string literal (potentially insecure)
Make the format string constant to silence the warning.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20210609061532.12774-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22519.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
dummy0 gives strange errors on the Ubuntu 16 runner on github actions
because
dummy already exist, so use a more unique ovpn-dummy0 name instead.
Github actions are a good alternative to travis-ci, which futrure is
questionable
at the moment without payment. The github actions also allows building on
macOS
and Windows (not included in this commit). The matrix is a bit different
than Coverity and uses different Ubuntu version with their native OpenSSL
(1.0.2, 1.1.1)/mbed TLS instead of manually compiling different OpenSSL
versions on just Ubuntu 20.04.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20210608152434.1403999-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22511.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commit b7fe49c ("Do not require CA when peer-fingerprint is used") broke
msvc build by adding #ifdef within msg() macro call.
options.c(2074,1): error C2121: '#': invalid character: possibly the
result of a macro expansion
options.c(2074,1): error C2146: syntax error: missing ')' before
identifier 'ifndef'
options.c(2074,1): error C2059: syntax error: ')'
Fix by moving #ifdef outside of msg().
Reported-by: Samuli Seppänen <samuli@openvpn.net>
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: selva.nair@gmail.com
Message-Id: <20210607184820.343-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22506.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
A server pushing "echo" without arguments can crash the client.
In such a situation, the code in question receives p[1] == NULL
(which was CLEAR(p)'ed above), hands it strncmp, which then
dereferences the null pointer.
Original report and analysis here:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256331
Fixes: Trac #1409
Reported-by: peo@nethead.se (to FreeBSD)
Signed-off-by: Matthias Andree <matthias.andree@gmx.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210603123019.422644-1-matthias.andree@gmx.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22486.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Fix --ca or --ca-path check when --pkcs11-id or --cryptoapicert
is used with --peer-fingerprint.
The multiple --ca or --capath checks are consolidated into a function
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210524184506.20582-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22443.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
TEXT(__FUNCTION__) does not work in mingw as __FUNCTION__
is not a macro. Instead, use __FUNCTION__ as a narrow
string in both UNICODE and ANSI builds.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20210526224919.511-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22461.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The tapctl and openvpnmscia codebase is written with an intent of
supporting both unicode and ansi builds. This patch does not attempt
to change that although non-unicode support looks untested
and buggy.
The main change is to replace %s by PRIsLPTSR that is defined
as %ls or %s depending on _UNICODE is defined ot not.
v2: add missing ')' and fix whitespace
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20210525173838.3969-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22453.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Use %ls for wchar_t * and %hs for char * variables
This makes it possible to build correctly with or without
__USE_MINGW_ANIS_STDIO defined. When this define is not used
all printf/scanf family functions are resolved from the windows
runtime MSVCRT. Newer (since version 8) mingw-w64 versions have
started automatically enabling this macro under some feature
sets such as _GNU_SOURCE and C99.
The changes should not affect MSVC builds as Windows support
these format specifications.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20210522033232.20548-2-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22436.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The interactive service code implicitly treats TCHAR == WCHAR in
several places with the assumption that we build only with UNICODE
defined. Make this explicit and remove some redundant code.
Also replace openvpn_sntprintf(), _tprintf() and similar with
explicit wide string functions. This adds some definiteness as
to which stdio functions are used, and helps the next commit that
makes those calls C-standard compliant.
Also, replace direct swprintf calls with openvpn_swprintf.
Note: we need UNICODE defined mainly because of the use of
TEXT("..") throughout the code. If those are replaced by L"..",
we could build with just -municode as done for OpenVPN
core.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20210522033232.20548-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22437.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
A bunch of functions defined in forward.c and declared in forward.h
are actually used only in forward.c.
For this very reason they don't need to be declared in forward.h at
all and can be defined as static.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20210505231255.1880-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22315.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Inline peer-fingerprint blocks can benefit from a bit of structuring
by indentation or by putting comments ("# this is Alice's key").
v2: accept ';' and '#' as comment delimiter. Fix tab-indent.
v3: we want ==
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20210519133415.28627-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22404.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
A deferred custom action can not set the reboot status via MsiSetMode.
To schedule reboot:
- get user's temp directory in immediate custom action
(EvaluateTUNTAPAdapters) which is called in the beginning of
installation and pass it to the deffered action
- in deferred action (ProcessDeferredAction) create a special empty file
in user's temp directory if reboot is required
- in the end of installation call immediate custom action
(CheckAndScheduleReboot) which checks the existence of special file
and uses MsiSetMode() to schedule reboot
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210511075739.158-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22335.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commit 5a571fb0 ("Move utility function from win32.c to win32-util.c")
moved some functions from win32.[ch] to a new win32-util.[ch], but missed
adding new include header, which results in compilation errors like:
>cryptoapi.c
>C:\Users\lev\Projects\openvpn\src\openvpn\cryptoapi.c(755,53): error
C2220: the following warning is treated as an error
>C:\Users\lev\Projects\openvpn\src\openvpn\cryptoapi.c(755,53):
warning C4047: '=': 'const void *' differs in levels of indirection from
'int'
Fix by adding #include "win32-util.h" to "win32.h".
While on it, update vcxproj.filters with a new header so that
it looks "correct" in VS project view.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210513140039.265-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22379.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The caching in tls_authentication_status broke the quick reaction to
authentication status in the code paths that did not do caching like
PUSH_REQUEST reply code path.
This patch introduces exponential backoff for the caching so we still
retain the quick reaction while still keeping the benefit of caching.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210510131356.968965-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22327.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
tls_authentication_status does caching to avoid file I/O more than
every TLS_MULTI_AUTH_STATUS_INTERVAL (10s) per connection. But
counter-intuitively it does not return the cached result but rather
TLS_AUTHENTICATION_UNDEFINED if the cache is not refreshed by the call.
This is workarounded by forcing a refresh in some areas of the code
(latency = 0).
This patch changes the behaviour by always returning the last known
status and only updating the file status when the i/o timeout for the
caches is reached.
The old logic in send_auth_failed is fragile in the sense that if
it is called again while an exit is scheduled it will reset the timer
to 5s again. Since we now always report the status from
tls_authentication_status() instead only every 10s, this caused OpenVPN
to infinitively reset the timer. Fix this by only setting the status
if no exit is scheduled. The function is still called multiple times but
since it is with coarse timer frequency, the 4 extra calls (1 per second)
are better than to add more extra code to avoid these calls.
The patch also changes the DEFINE enum into a real enum.
Patch v2: only update tas_cache_last_udpate when actually updating the cache.
Patch v3: avoid rearming timer
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210506141259.309741-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22318.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This done to allow to include parts win32.c when building unit tests
as win32.c itself has too many dependencies and cannot be included in
a small unit test.
Also fix a missing Windows.h include in error.h that otherwise
breaks complation when included from unit tests.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210512131511.1309914-8-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22348.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The extra function does not really give a better understanding
of the code or any other benefit. Inline it to make the code more
streamlined.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210512131511.1309914-4-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22341.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
getpeername is part of SUSv3 and Windows also provides the function
as part of winsocks.
getpid is also provided by both Posix and windows and we do not even
use getpid on Windows since we rather call GetCurrentProcessId.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210512131511.1309914-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22340.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This macro is currently used only in 3 places in syshead.h
- EXTENDED_SOCKET_ERROR_CAPABILITY is linux specific anyway and
starts with #if defined(HAVE_LINUX_TYPES_H)
- port share and ip_pktinfo macros depends on sendmsg/recvmsg
that implicitly also require iovec
So in all three cases we can implicitly assume that iovec is present
and do not need to make this explicit check
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210512131511.1309914-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22343.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This is is a small memory leak as this key is only leaked once
per server start.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210512131511.1309914-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22345.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
While on it, bump msvc solution version.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210507145644.195-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22325.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When --crl-verify is enabled, specified CRL file gets reloaded on
every client connection. With huge CRL files it may take a significant
amount of time - seconds and tens of seconds, during which OpenVPN is
blocked and can't serve existing and/or incoming connections due its
singlethread nature.
In alternative mode --crl-verify option takes directory containing
files named as decimal serial numbers of the revoked certificates and
'dir' flag, revoked certificate check is being done by checking the
presence of client's certificate number in that directory.
This script allow to perform incremental extraction of revoked serial
numbers from CRL by adding absent ones and removing excess ones.
Usage example:
extractcrl.py -f pem /path/to/crl.pem /path/to/outdir
extractcrl.py -f der /path/to/crl.crl /path/to/outdir
cat /path/to/crl.pem | extractcrl.py -f pem - /path/to/outdir
cat /path/to/crl.crl | extractcrl.py -f der - /path/to/outdir
Output example:
Loaded: 309797 revoked certs in 4.136s
Scanned: 312006 files in 0.61s
Created: 475 files in 0.05s
Removed: 2684 files in 0.116s
Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20201002215146.31324-1-themiron@yandex-team.ru>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21154.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
AUTH_TOKEN_HMAC_OK is 1, so the first term is always 0/1 and the bool
from the second part is also 0/1, so the & does the same in this instance
as &&.
In this specific case & instead && does not change behaviour but using
&& is the intended semantic behaviour.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210331155508.19423-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21911.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
It is hard to imagine that we still have any supported OS that does
not support non-blocking connect while still supporting non-blocking
sockets in general.
Patch V2: remove epoll.h removal that should have been in other patch.
Patch V3: remove another instance in socket.c that I misseds in v1
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210503105850.3903732-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22291.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
With this change we always build multihome support if the operating
system supports it.
Patch v2: Remove also from config-msvc.h
Patch v3: Remove also another line from configure.ac
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210503105638.3903379-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22290.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
