mirror of https://github.com/OpenVPN/openvpn.git synced 2024-09-20 03:52:28 +02:00
Commit Graph

3233 Commits

Author SHA1 Message Date
Arne Schwabe
23efeb7a0b Add insecure tls-cert-profile options
The recent deprecation of SHA1 certificates in OpenSSL 3.0 makes it
necessary to reallow them in certain deployments. Currently this works
by using the hack of using tls-cipher "DEFAULT:@SECLEVEL=0".

Add "insecure" as option to tls-cert-profile to allow setting a seclevel of 0.

Patch v4: fix default accidentally changed to insecure

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Message-Id: <20211029112407.2004234-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23076.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-11-05 16:31:48 +01:00
Selva Nair
31e200f807 Avoid memory leak in hmac_ctx_new (OpenSSL 3.0 only)
In OpenSSL 3.0, fetched algorithms must be freed
(down referenced). In this case, though EVP_MAC_CTX_new()
keeps a reference to 'hmac', it up-refs it. So we have to free
it here before return.

(Tested using an enable-asan build).

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20211030185756.1831-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23080.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-11-05 16:12:09 +01:00
Arne Schwabe
f1dd638ca6 Fix function name in DH error message
This was noticed by Steffan.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211105145056.2907568-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23097.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-11-05 16:08:20 +01:00
Arne Schwabe
0569919256 Fix error when BF-CBC is not available
Through the multiple iterations of allowing OpenVPN to run without
BF-CBC we accidentally made a regression and still required BF-CBC.

This patch fixes the code path and restores its intended function.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Message-Id: <20211019183127.614175-19-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23010.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-11-05 16:04:58 +01:00
Arne Schwabe
c426a3e77e Implement DES ECB encrypt via EVP_CIPHER api
Even though DES is super outdated and also NTLM is super outdated,
eliminating the warnings for OpenSSL 3.0 is still a step in the right
direction and using the correct APIs. We cheat a bit by using 3DES instead
of DES to avoid needing legacy provider for DES encryption for now.

Patch v4: add unit test, use 3DES to avoid legacy provider for now

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Message-Id: <20211029111109.2003101-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23078.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-11-05 15:47:09 +01:00
Arne Schwabe
c07f95f3ca Remove dependency on BF-CBC existence from test_ncp
The test_check_ncp_ciphers_list test assumed that BF-CBC is always
available, which is no longer the case with OpenSSL 3.0. Rewrite the
test to not rely on BF-CBC to be available.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Message-Id: <20211019183127.614175-14-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23003.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-11-01 21:02:05 +01:00
Arne Schwabe
5a11225074 Use EVP_MD_get0_name instead of EVP_MD_name
Use the new name for the function as it indicates with
get0 the ownership of the returned value

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Message-Id: <20211019183127.614175-12-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23016.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-11-01 20:56:10 +01:00
Arne Schwabe
f40edaa5ab Replace EVP_get_cipherbyname with EVP_CIPHER_fetch
In OpenSSL 3.0 EVP_get_cipherbyname returns a non NULL algorithm
even if the algorithm is not available with the currently available
provider. Luckily EVP_get_cipherbyname can be used here as drop
in replacement and returns only non NULL if the algorithm is actually
currently supported.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Message-Id: <20211019183127.614175-11-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23005.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-11-01 20:44:28 +01:00
Arne Schwabe
4b3c1e76d7 Use EVP_PKEY_get_group_name to query group name
EC_Key methods are deprecated in OpenSSL 3.0. Use
EVP_PKEY_get_group_name instead to query the EC group name from an
EVP_PKEY and add a compatibility function for older OpenSSL versions.

Patch v4: adjust compatibility function and remove accidentally included
fragment of unrelated patch.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20211029111109.2003101-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23077.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-11-01 20:26:41 +01:00
Arne Schwabe
0df2261da1 Add --with-openssl-engine autoconf option (auto|yes|no)
This allows selecting engine support at configure time. For OpenSSL 1.1 the
default is not changed and we detect if engine support is available.

Engine support is deprecated in OpenSSL 3.0 and for OpenSSL 3.0 the default
is to disable engine support as engine support is deprecated and generates
compiler warnings which in turn also break -Werror.

By using --with-openssl-engine=no or --with-openssl-engine=yes engine
support can be forced on or off. If it is enabled but not detected an
error will be thrown.

This commit cleans up the configure logic a bit and removes the
ENGINE_cleanup checks as we can just assume that it will be also
available as macro or function if the other engine functions are
available. Before the cleanup we would only check for the existence
of engine.h if ENGINE_cleanup was not found.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Message-Id: <20211019183127.614175-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23000.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-10-27 20:30:02 +02:00
Arne Schwabe
7865ffdcbc Use new EVP_MAC API for HMAC implementation
The old API is deprecated in OpenSSL 3.0 and the new API does not yet
exist in OpenSSL 1.1. Emulating the new API would be more complex than
just having two implementations. So this switches to a new hmac
implementation for OpenSSL 3.0.

Unfortunately the new API does not have an easy way to reset an HMAC,
so we need to keep the key around to emulate a reset functionality.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Message-Id: <20211019183127.614175-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23013.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-10-27 20:21:22 +02:00
Arne Schwabe
14e4f3b158 Do not allow CTS ciphers
We do not support CTS (cipher text stealing) algorithms.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Message-Id: <20211019183127.614175-16-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23002.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-10-26 19:27:47 +02:00
Max Fillinger
4daed27f28 Don't manually free DH params in OpenSSL 3
When the EVP_PKEY object with the Diffie-Hellman parameters is passed
to SSL_CTX_set0_tmp_dh_pkey, it does not create a copy but stores the
pointer in the SSL_CTX. Therefore, we should not free it.

The EVP_PKEY will be freed automatically when we free the SSL_CTX.

Trac: #1436

Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Acked-by:
Message-Id: <20211025145314.23009-1-maximilian.fillinger@foxcrypto.com>
URL: https://www.mail-archive.com/search?l=mid&q=20211025145314.23009-1-maximilian.fillinger@foxcrypto.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-10-25 17:58:15 +02:00
Selva Nair
fa5ab2438a Ensure the current common_name is in the environment for scripts
When username-as-common-name is in effect, the common_name
is "CN" from the certificate for auth-user-pass-verify. It gets
changed to "username" after successful authentication. This
changed value gets into the env when client-connect script is
called.

However, "common_name" goes through the cycle of being
"CN", then "username" during every reauth (renegotiation).
As the client-connect script is not called during reneg, the changed
value never gets back into the env. The end result is that the
disconnect script gets "common_name=<CN>" instead of the username.
Unless no reneg steps have happened before disconnect.
(For a more detailed analysis see
https://community.openvpn.net/openvpn/ticket/1434#comment:12)

Fix by adding common_name to env whenever it changes.

Trac: #1434
Very likely applies to #160 as well, but that's too old and
some of the relevant code path has evolved since then.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211023000706.25016-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23051.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-10-23 17:39:50 +02:00
Arne Schwabe
e23c152aa5 Remove DES key fixup code
This code mainly sets the parity bits in the DES keys. As mbed TLS and
OpenSSL already ignore these bits in the DES key and since DES is
deprecated, remove this special DES code that is not even needed by
the libraries.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Message-Id: <20211019183127.614175-8-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23014.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-10-22 19:36:36 +02:00
Max Fillinger
0bc3375f1f Fix build with compression disabled
When building with both --disable-lz4 and --disable-lzo, the function
comp_non_stub_enabled and various flags are not defined. One of the
places where it is used in options.c was not put behind an #ifdef, which
caused compilation to fail.

Trac: #1435
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211021115037.27056-1-maximilian.fillinger@foxcrypto.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23035.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-10-21 17:14:56 +02:00
Arne Schwabe
d67658feea Remove DES check with OpenSSL 3.0
DES is very deprecated and accidentally getting one of the 16 insecure
keys that OpenSSL checks is extremely unlikely, so we no longer use the
deprecated functions without replacement in OpenSSL 3.0.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211019183127.614175-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23004.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-10-21 16:11:16 +02:00
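The two DES commits above (e23c152aa5, which removed the parity fixup, and d67658feea, which removed the weak-key check) describe code that is no longer on the page. The following is an added example, not OpenVPN's or OpenSSL's own code, that shows what those two pieces did: forcing odd parity on each key byte, and comparing the key against the 16 weak and semi-weak keys from the original DES specification (the same table OpenSSL's DES_is_weak_key() uses). The function names here are made up for the example; the key table is the well-known FIPS 46 list.

```c
/* Added example (not OpenVPN code): DES key parity fixup and the
 * 16-entry weak/semi-weak key check that the two commits removed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DES_KEY_LEN   8
#define NUM_WEAK_KEYS 16

/* Return 1 if byte b has an odd number of set bits (DES parity convention:
 * the low bit of each key byte is a parity bit, 56 bits of real key). */
static int des_byte_has_odd_parity(uint8_t b)
{
    int bits = 0;
    for (int i = 0; i < 8; i++) {
        bits += (b >> i) & 1;
    }
    return bits & 1;
}

/* Force odd parity on every byte by flipping the parity bit where needed.
 * Returns how many bytes had to be corrected. Modern libraries ignore the
 * parity bits entirely, which is why OpenVPN dropped this step. */
int des_fix_parity(uint8_t key[DES_KEY_LEN])
{
    int fixed = 0;
    for (int i = 0; i < DES_KEY_LEN; i++) {
        if (!des_byte_has_odd_parity(key[i])) {
            key[i] ^= 0x01;
            fixed++;
        }
    }
    return fixed;
}

bool des_key_has_odd_parity(const uint8_t key[DES_KEY_LEN])
{
    for (int i = 0; i < DES_KEY_LEN; i++) {
        if (!des_byte_has_odd_parity(key[i])) {
            return false;
        }
    }
    return true;
}

/* 4 weak keys (encryption == decryption) followed by 12 semi-weak keys
 * (pairs where one key decrypts what the other encrypted). */
static const uint8_t weak_keys[NUM_WEAK_KEYS][DES_KEY_LEN] = {
    {0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01},
    {0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE},
    {0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E},
    {0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1},
    {0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE},
    {0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01},
    {0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1},
    {0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E},
    {0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1},
    {0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01},
    {0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE},
    {0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E},
    {0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E},
    {0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01},
    {0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE},
    {0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1},
};

/* True if key matches one of the 16 weak/semi-weak keys exactly. The table
 * already has odd parity, so fix parity first when checking raw key material. */
bool des_is_weak_key(const uint8_t key[DES_KEY_LEN])
{
    for (int i = 0; i < NUM_WEAK_KEYS; i++) {
        if (memcmp(key, weak_keys[i], DES_KEY_LEN) == 0) {
            return true;
        }
    }
    return false;
}

int main(void)
{
    /* Constructed input: an all-zero key. After the parity fixup every
     * byte becomes 0x01, which is the first entry of the weak-key table. */
    uint8_t key[DES_KEY_LEN] = {0};
    int fixed = des_fix_parity(key);
    printf("bytes corrected: %d, weak: %s\n", fixed,
           des_is_weak_key(key) ? "yes" : "no");
    return 0;
}
```

The all-zero key is the instructive case: it only becomes a weak key after the parity fixup, which is why a check on raw material should normalise parity first. Any key obtained from a CSPRNG hits one of these 16 values with probability 16/2^56, which is the "extremely unlikely" the commit message relies on.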
Arne Schwabe
658c72e6e6 Use EVP_PKEY based API for loading DH keys
OpenSSL 3.0 replaces the DH API with a generic EVP_KEY based API to
load DH parameters.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Message-Id: <20211019183127.614175-6-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23015.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-10-21 15:57:26 +02:00
Arne Schwabe
39eb3125e4 Deprecate --ecdh-curve with OpenSSL 3.0 and adjust mbed TLS message
OpenSSL 3.0 deprecates SSL_CTX_set_tmp_ecdh() in favour of
SSL_CTX_set1_groups(3). We already support the SSL_CTX_set1_groups
using the --tls-groups. Adjust both mbed TLS and OpenSSL 3.0 to
say that --ecdh-curve is ignored and --tls-groups should be used.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Message-Id: <20211019183127.614175-7-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22999.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-10-21 15:53:06 +02:00
Arne Schwabe
bf079db488 Add small unit test for testing HMAC
This just adds a very simple unit test to check that the HMAC
implementation produces a well known hash.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211019183127.614175-18-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23012.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-10-21 08:25:28 +02:00
Arne Schwabe
6ac4e63c57 Add message when decoding PKCS12 file fails.
Currently we never display the OpenSSL error stack when decoding a
PKCS12 file fails. With LibreSSL defaulting to RC2-40-CBC, the failure
might not be a wrong password but can actually be an unsupported encoding,
seeing the error stack is really helpful (example from OpenSSL 3.0):

error:0308010C:digital envelope routines:inner_evp_generic_fetch:
  unsupported:crypto/evp/evp_fetch.c:346:Global default library
  context, Algorithm (RC2-40-CBC : 0), Properties ()

to pinpoint the issue

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211019183127.614175-17-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23017.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-10-21 08:20:50 +02:00
Selva Nair
ec9f698d3b Require EC key support in Windows builds
Do not support the use of OPENSSL_NO_EC on Windows.

We build Windows releases with EC key support enabled in
OpenSSL and there is no reason to disable it in OpenVPN.

TODO: If there are no platforms of interest where EC support
cannot be enabled in OpenSSL, we should make !defined(OPENSSL_NO_EC)
a general requirement.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211019034118.28987-3-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22952.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-10-19 17:29:50 +02:00
Selva Nair
6ad1fbce2b Remove error injection into OpenSSL from cryptoapi.c
There is no advantage in injecting/redirecting errors into OpenSSL
as we can, and we do, report these directly using our own logging
functions. This code probably originated from CAPI engine where
such usage made sense.

And, in cases when the error is within OpenSSL, guessing a
reason (like out of memory) and inserting it into the
OpenSSL error stack looks pointless.

As a bonus, the code gets leaner and a lot less cruft.

Some error messages are slightly edited and all near-fatal
errors are logged with M_NONFATAL and "Error in cryptoapicert:"
prefix.

Also remove some defines for mingw that we do not need.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20211019034118.28987-2-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22951.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-10-19 17:26:36 +02:00
Selva Nair
60c83cce88 Require Windows CNG keys for cryptoapicert
Some legacy tokens do not have drivers compatible with
Windows Cryptography Next generation API (CNG) and require
the old CAPI interface. These also do not support anything
but RSA_PKCS1 signatures with MD5+SHA1 digests, and can only
handle TLS 1.1 and older. Continuing to support these adds
too much maintenance burden, especially with newer versions of
OpenSSL, and has very little benefit.

- Remove support for non CNG interface which also removes
  support for such legacy tokens. Keys uploaded to Windows
  certificate stores are not affected.

- Remove support for OpenSSL versions < 1.1.1 in Windows
  builds

Note: TLS 1.0 and 1.1 are still supported. Only signing with legacy
tokens that have drivers incompatible with CNG is affected. These
can still be used with pkcs11-helper.

Tested on Windows 10 with RSA and EC keys in store

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20211019034118.28987-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22953.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-10-19 17:14:21 +02:00
Lev Stipakov
93fadaa026 GitHub Actions: use latest working lukka/run-vcpkg
Latest lukka/run-vcpkg@v10 seem to break non-manifest
mode with custom triplets, so revert to latest working version.

While on it, bump vcpkg commit.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211015213115.516-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/search?l=mid&q=20211015213115.516-1-lstipakov@gmail.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-10-19 16:05:07 +02:00
Selva Nair
077445d0d8 Fix some more wrong defines in config-msvc.h
Not sure where these came from, but here goes:

S_IRUSR = 0 --> _S_IREAD
S_IWUSR = 0 --> _S_IWRITE

ENABLE_DEBUG is on, but I do not think we want it in production build
(removed).

S_IRGRP is not defined but seems to be used. I have added it, remove if
not required.
This define is based on mingw and matches MS docs on <filesystem>
(https://docs.microsoft.com/en-us/cpp/standard-library/filesystem-enumerations?view=msvc-160)

Trac: #1430
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20211015175330.15760-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22942.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-10-19 11:42:53 +02:00
Selva Nair
51be733ba2 Fix the "default" tls-version-min setting
commit 968569f83b
defined TLS 1.2 as the minimum version if not set
by user. But the patch introduced two errors:

(i) ssl_flags is overwritten without regard to other
    options set in the flags
(ii) Any tls-version-max set by the user is not taken into
     account.
Makes it impossible to set tls-version-max without also setting
tls-version-min along with loss of other bits set in ssl_flags.

Fix it.

The fix retains the original intent when possible, and tries to
use the maximum possible value when it cannot be set to TLS 1.2
without conflicting with user-specified tls-version-max, if any.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20211015043227.10679-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22939.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-10-15 17:00:10 +02:00
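The commit message above describes two defects in how the TLS 1.2 default was written into ssl_flags: the assignment clobbered every other bit in the field, and it ignored a user-supplied tls-version-max. The following is an added example, not OpenVPN's code, that models the flag field with an assumed layout (the TLS_VER_* numbering, the shift and mask values, and the stand-in SSLF_SOME_OTHER_FLAG are assumptions for this example) and places the faulty default next to the corrected one, which clamps the default minimum to the configured maximum.

```c
/* Added example (not OpenVPN code): the buggy vs. fixed default for
 * --tls-version-min, modelled on a packed ssl_flags field. Layout values
 * below are assumptions for the example. */
#include <stdbool.h>
#include <stdio.h>

enum {
    TLS_VER_UNSPEC = 0,
    TLS_VER_1_0 = 1,
    TLS_VER_1_1 = 2,
    TLS_VER_1_2 = 3,
    TLS_VER_1_3 = 4,
};

#define SSLF_SOME_OTHER_FLAG       (1u << 0)   /* stand-in for unrelated bits */
#define SSLF_TLS_VERSION_MIN_SHIFT 6
#define SSLF_TLS_VERSION_MIN_MASK  0xFu
#define SSLF_TLS_VERSION_MAX_SHIFT 10
#define SSLF_TLS_VERSION_MAX_MASK  0xFu

unsigned tls_version_min(unsigned ssl_flags)
{
    return (ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK;
}

unsigned tls_version_max(unsigned ssl_flags)
{
    return (ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK;
}

/* Defect (i) and (ii) from the commit message: a plain assignment replaces
 * the whole field, dropping other flags and any user-set maximum. */
unsigned apply_default_min_buggy(unsigned ssl_flags)
{
    if (tls_version_min(ssl_flags) == TLS_VER_UNSPEC) {
        ssl_flags = TLS_VER_1_2 << SSLF_TLS_VERSION_MIN_SHIFT;
    }
    return ssl_flags;
}

/* Fixed: only touch the min sub-field, and never default to a minimum
 * above an explicit tls-version-max. */
unsigned apply_default_min_fixed(unsigned ssl_flags)
{
    if (tls_version_min(ssl_flags) != TLS_VER_UNSPEC) {
        return ssl_flags;                         /* user chose a minimum */
    }
    unsigned min = TLS_VER_1_2;
    unsigned max = tls_version_max(ssl_flags);
    if (max != TLS_VER_UNSPEC && max < min) {
        min = max;                                /* best we can do without conflict */
    }
    ssl_flags &= ~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT);
    ssl_flags |= min << SSLF_TLS_VERSION_MIN_SHIFT;
    return ssl_flags;
}

/* A range is consistent when either bound is unset or min <= max. */
bool tls_version_range_valid(unsigned ssl_flags)
{
    unsigned min = tls_version_min(ssl_flags);
    unsigned max = tls_version_max(ssl_flags);
    return min == TLS_VER_UNSPEC || max == TLS_VER_UNSPEC || min <= max;
}

int main(void)
{
    /* Constructed input: user set only tls-version-max 1.1 plus one
     * unrelated flag, and left the minimum to the default. */
    unsigned flags = SSLF_SOME_OTHER_FLAG | (TLS_VER_1_1 << SSLF_TLS_VERSION_MAX_SHIFT);
    unsigned b = apply_default_min_buggy(flags);
    unsigned f = apply_default_min_fixed(flags);
    printf("buggy: min=%u max=%u other=%u\n", tls_version_min(b), tls_version_max(b),
           b & SSLF_SOME_OTHER_FLAG);
    printf("fixed: min=%u max=%u other=%u\n", tls_version_min(f), tls_version_max(f),
           f & SSLF_SOME_OTHER_FLAG);
    return 0;
}
```

Note that the buggy result looks "valid" to a min/max consistency check only because the maximum was silently erased along with the other flag bits; the user's tls-version-max is gone rather than honoured.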
Lev Stipakov
dd73b620f2 config-msvc.h: fix OpenSSL-related defines
Commit 2778443 ("msvc: OpenSSL 1.1.x support") added OpenSSL-related
defines to config-msvc.h, which in Linux/MinGW are set during configure
step.

Turns out that OPENSSL_NO_EC was added by mistake - it breaks loading EC
keys.

Commit bc36d9d ("Remove OpenSSL configure checks") removed
abovementioned defines. Adjust config-msvc.h accordingly.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211014010436.359-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22934.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-10-14 16:35:35 +02:00
Lev Stipakov
23143667ff msvc: fix product version display
PRODUCT_VERSION_PATCH, defined in version.m4, already includes dot (like
".4"), so no need to include it here.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211013230227.199-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22931.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-10-14 16:29:35 +02:00
Antonio Quartulli
01ce6ca39d configure: remove useless -Wno-* from default CFLAGS
Historically we always had -Wno-unused-parameter and
-Wno-unused-function enabled along with -Wall.

When we made -Wall a default option, we carried the other two along and
made them default too (in 2018).

Now the code is much cleaner compared to the past and we do not really
require -Wno-unused-parameter and -Wno-unused-function anymore.

Actually they may hide really unused functions that we'd need to
cleanup.

For this reason remove -Wno-unused-parameter and -Wno-unused-function
for good from the default CFLAGS.

Any new warning should rather be fixed than hidden.

Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211005122736.4060-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22917.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-10-06 11:56:58 +02:00
Lev Stipakov
af5de933a0 Fix loading PKCS12 files on Windows
Starting from 2.5.4 we have switched to MSVC builds,
including dependencies such as OpenSSL.

When we link with natively-built OpenSSL .DLLs
(not cross compiled with MinGW), we are expected to include
applink.c, which provides glue between OpenSSL BIO layer
and compiler run-time. This doesn't apply to ARM64.

Failure to do that results in "no OPENSSL_Applink" fatal error
when calling, for example, d2i_PKCS12_fp(), which we do when
loading PKCS12 files.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211006090709.200-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22920.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-10-06 11:50:01 +02:00
Antonio Quartulli
7205cdd850 set_lladdr: use networking API net_addr_ll_set() on Linux
Make sure that set_addr() uses the proper networking backend when
setting the LL address of a TAP interface.

This operation was overlooked while implementing the networking APIs on
the Linux platform.

Reported-by: Jan Hugo Prins <jprins@betterbe.com>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Tested-by: Jan Hugo Prins <jprins@betterbe.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210903161113.30498-2-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22791.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-09-29 19:25:37 +02:00
Antonio Quartulli
cb5d29461e networking: add missing brackets
Our codestyle demands having brackets also around if-blocks made up
by one line only.

In patch "networking: add and implement net_addr_ll_set() API" this
rule was not respected and a new one-line-if-block was added with no
brackets.

Fix this by adding the related brackets as needed.

Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210929115905.1281-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22908.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-09-29 14:03:13 +02:00
Antonio Quartulli
98f524cbd5 networking: add and implement net_addr_ll_set() API
When running in TAP mode we may need to set the LL address of the
interface, if requested by the user.

This operation was overlooked when implementing the networking API and
it still relies on iproute/net-tools being installed.

Basically this means that when compiling OpenVPN on a system without
iproute2/net-tools and the user uses the "lladdr" config directive,
OpenVPN will fail to set the LL address of the interface.

With this patch a new API is introduced and it is implemented for both
SITNL and iproute2 backends.

Reported-by: Jan Hugo Prins <jprins@betterbe.com>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210903161113.30498-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22792.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-09-28 18:25:58 +02:00
Lev Stipakov
c3b16d7a35 GitHub Actions: remove Ubuntu 16.04 environment
Starting from 20th of September, GitHub has removed Ubuntu 16.04
environment from Actions. Safely remove it from our build script
where we already have Ubuntu 18.04 and 20.04.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210926061046.212-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22904.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-09-28 18:17:09 +02:00
Ilya Shipitsin
e80e36d755 BUILD: enable CFG and Spectre mitigation for MSVC
found by BinSkim

Signed-off-by: Ilya Shipitsin <chipitsine@gmail.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20210922095756.1929-1-chipitsine@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22870.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-09-27 10:13:18 +02:00
Antonio Quartulli
1b054afa99 doc: fix indentation in protocol-options.rst
The bullet points are not properly indented and they trigger
the following error/warning:

rst2man.py openvpn.8.rst > openvpn.8
man-sections/protocol-options.rst:62: (ERROR/3) Unexpected indentation.
man-sections/protocol-options.rst:67: (WARNING/2) Block quote ends without
a blank line; unexpected unindent.
rst2man.py openvpn-examples.5.rst > openvpn-examples.5
rst2html.py openvpn.8.rst > openvpn.8.html
man-sections/protocol-options.rst:62: (ERROR/3) Unexpected indentation.
man-sections/protocol-options.rst:67: (WARNING/2) Block quote ends without
a blank line; unexpected unindent.

Fix indentation and add white lines as expected.

Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210921121519.18912-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22867.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-09-21 15:49:57 +02:00
Antonio Quartulli
968569f83b Set TLS 1.2 as minimum by default
Do not accept handshakes with peers trying to negotiate TLS lower than 1.2.

TLS 1.1 and 1.0 are not recommended and therefore we will, by default,
allow TLS 1.2 as minimum version.

The minimum allowed version can still be controlled via
'--tls-version-min'.

At the same time automatically set '--tls-version-min' to 1.0 if the
user requires compatibility with versions older than 2.3.7, as that was
the only version supported back then.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210913192929.26391-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22838.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-09-21 13:24:26 +02:00
Antonio Quartulli
cdef503b64 compat-mode: add --data-cipher-fallback automatically if requested
For compatibility with OpenVPN older than 2.4.0, the
'--data-cipher-fallback' argument is automatically added with the same
value as specified by '--cipher'.

This happens only when the user specifies compat-mode with a version
older than 2.4.0.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210904095629.6273-6-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22798.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-09-20 17:23:38 +02:00
Antonio Quartulli
65f6da8eeb do not include --cipher value in data-ciphers
The --cipher option has been there since a while, but it became more and
more confusing since the introduction of NCP (data cipher negotiation).

The fallback cipher can now be specified via --data-cipher-fallback,
while the list of accepted ciphers is specified via --data-ciphers.

--cipher can still be used for compatibility reasons, but won't affect
the cipher negotiation.

Adjust manpage to make clear that using --cipher in today's config really
is a thing from the past, and --data-ciphers should be used instead.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210904095629.6273-5-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22799.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-09-20 14:30:45 +02:00
Antonio Quartulli
c768ee96b4 multi: remove extra brackets in multi_process_incoming_link()
After getting rid of all PF related ifdef blocks, a pair of
useless brackets has remained in multi_process_incoming_link().
These brackets do nothing at the moment and can be just removed.

Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210913144531.8889-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22834.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-09-15 14:41:22 +02:00
Antonio Quartulli
b61d198858 configure: search also for rst2{man, html}.py
On some systems the rst2{man,html} executables may have a slightly
different name, like rst2{man,html}.py.

Add this name variation to the Generic Programs check.

This specific variation is found on Gentoo Linux.

Cc: David Sommerseth <davids@openvpn.net>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210827144807.27004-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22777.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-09-13 12:01:19 +02:00
Lev Stipakov
d814581a93 Add building man page on Windows
Use rst2html to build html from rst. Ignore errors,
this is not fatal and affects only MSI build.

Modify MSVC GitHub Actions to install python3/rst2html
and add html man page to artifacts.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Samuli Seppänen <samuli@openvpn.net>
Message-Id: <20210825164752.808-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22771.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-09-12 11:24:51 +02:00
Antonio Quartulli
1308ccec9f Remove support for PF (Packet Filter)
OpenVPN shipped a small packet filtering tool called PF. It has never
been straightforward as it required a plugin to work. On top of that,
keeping PF support, makes the code more complicated and increases the
maintenance cost of OpenVPN.

PF itself is not actually maintained at all and there is little
motivation in keeping it alive.

Some years ago an IPv6 extension for PF was proposed, but it was never
picked up for the reasons above.

External (and more appropriate) tools can still be used to implement
packet filtering on the OpenVPN interface.

Drop PF support for good.

Note that IDs used for external communication (i.e. to the plugin
or management interface) have been commented out, but not removed, as
they should not be used in the future.

v2:
* changed // to /* */
* changed "NOT IMPLEMENTED" to "REMOVED FEATURE"
* removed extra empty lines after removing ifdef blocks
* clarified on IRC that tls_final has to be removed and therefore that
  hunk is correct
* removed mi_prefix() function as it is now unused

Cc: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210827190014.12640-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22780.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-09-12 10:24:25 +02:00
Ilya Shipitsin
9da733751c CI: github actions: keep "pdb" in artifacts
"pdb" files are important, for example, for BinSkim analysis. Let us
keep them.

Signed-off-by: Ilya Shipitsin <chipitsine@gmail.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20210826100221.1378-1-chipitsine@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22769.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-09-11 18:49:56 +02:00
Arne Schwabe
9c4e4751a1 Fix Ubuntu spelling and duplicate run in Github Actions
Ubuntu spelling was wrong and the matrix for operating system
does not do anything but run the same build twice.

Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210908142724.3391935-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22822.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-09-10 11:54:03 +02:00
Arne Schwabe
8f25cefea1 Detect unusable ciphers on patched OpenSSL of RHEL/Centos
OpenSSL on RHEL 8 and CentOS 8 systems, when these systems are put into
FIPS mode, needs extra code to figure out if a specific cipher algorithm
is usable on these systems. This is particularly a problem in data-ciphers
as the errors might occur much later when a client connects, and as these
ciphers are not caught during config initialisation.

This also prepares for adding Chacha20-Poly1305 when available to
data-ciphers by making the detection logic used to check if
cipher_kt_get returns non-NULL work on these systems.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20210818213354.687736-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22746.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-09-10 11:51:33 +02:00
Antonio Quartulli
79367a3fde reject compression by default
With this change the value of '--allow-compression' is set to 'no'.
Therefore compression is not enabled by default and cannot be enabled
by the server either.

This change is in line with the current trend of not recommending
compression over VPN tunnels for security reasons (check Voracle).

On top of that, compression is mostly useless nowadays, therefore
there is no real reason to enable it.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210904095629.6273-4-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22797.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-09-08 11:47:04 +02:00
Antonio Quartulli
00a622f565 compat-mode: allow user to specify version to be compatible with
This change introduces the basic infrastructure required
to allow the user to specify a specific OpenVPN version to be
compatible with.

The next commits will modify defaults to more modern and safer
values, while allowing backwards-compatible behaviour on demand.

The backwards-compatible behaviour is instructed via the config
knob '--compat-mode' implemented in this patch.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by:
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210908072606.5863-1-a@unstable.cc>
URL: https://www.mail-archive.com/search?l=mid&q=20210908072606.5863-1-a@unstable.cc
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-09-08 10:23:35 +02:00
Arne Schwabe
a38a377fd5 Include Chacha20-Poly1305 into default --data-ciphers when available
Most TLS 1.3 libraries include the Chacha20-Poly1305 based cipher suite
beside the AES-GCM based ones in the list of default cipher suites.
Chacha20-Poly1305 is accepted as a good alternative AEAD algorithm to the
AES-GCM algorithm by the crypto community.

Follow this and include Chacha20-Poly1305 by default in data-ciphers
when available. This makes picking Chacha20-Poly1305 easier as it only
requires a change on the server (by changing priority) or client side (removing
AES-GCM from data-ciphers) to switch to Chacha20-Poly1305.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210818213354.687736-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22745.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-09-07 17:29:11 +02:00