The interactive service code implicitly treats TCHAR == WCHAR in
several places with the assumption that we build only with UNICODE
defined. Make this explicit and remove some redundant code.
Also replace openvpn_sntprintf(), _tprintf() and similar with
explicit wide string functions. This adds some definiteness as
to which stdio functions are used, and helps the next commit that
makes those calls C-standard compliant.
Also, replace direct swprintf calls with openvpn_swprintf.
Note: we need UNICODE defined mainly because of the use of
TEXT("..") throughout the code. If those are replaced by L"..",
we could build with just -municode as done for OpenVPN
core.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20210522033232.20548-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22437.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
A bunch of functions defined in forward.c and declared in forward.h
are actually used only in forward.c.
For this very reason they don't need to be declared in forward.h at
all and can be defined as static.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20210505231255.1880-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22315.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Inline peer-fingerprint blocks can benefit from a bit of structuring
by indentation or by putting comments ("# this is Alice's key").
v2: accept ';' and '#' as comment delimiter. Fix tab-indent.
v3: we want ==
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20210519133415.28627-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22404.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
A deferred custom action can not set the reboot status via MsiSetMode.
To schedule reboot:
- get user's temp directory in immediate custom action
(EvaluateTUNTAPAdapters) which is called in the beginning of
installation and pass it to the deffered action
- in deferred action (ProcessDeferredAction) create a special empty file
in user's temp directory if reboot is required
- in the end of installation call immediate custom action
(CheckAndScheduleReboot) which checks the existence of special file
and uses MsiSetMode() to schedule reboot
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210511075739.158-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22335.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commit 5a571fb0 ("Move utility function from win32.c to win32-util.c")
moved some functions from win32.[ch] to a new win32-util.[ch], but missed
adding new include header, which results in compilation errors like:
>cryptoapi.c
>C:\Users\lev\Projects\openvpn\src\openvpn\cryptoapi.c(755,53): error
C2220: the following warning is treated as an error
>C:\Users\lev\Projects\openvpn\src\openvpn\cryptoapi.c(755,53):
warning C4047: '=': 'const void *' differs in levels of indirection from
'int'
Fix by adding #include "win32-util.h" to "win32.h".
While on it, update vcxproj.filters with a new header so that
it looks "correct" in VS project view.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210513140039.265-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22379.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The caching in tls_authentication_status broke the quick reaction to
authentication status in the code paths that did not do caching like
PUSH_REQUEST reply code path.
This patch introduces exponential backoff for the caching so we still
retain the quick reaction while still keeping the benefit of caching.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210510131356.968965-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22327.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
tls_authentication_status does caching to avoid file I/O more than
every TLS_MULTI_AUTH_STATUS_INTERVAL (10s) per connection. But
counter-intuitively it does not return the cached result but rather
TLS_AUTHENTICATION_UNDEFINED if the cache is not refreshed by the call.
This is workarounded by forcing a refresh in some areas of the code
(latency = 0).
This patch changes the behaviour by always returning the last known
status and only updating the file status when the i/o timeout for the
caches is reached.
The old logic in send_auth_failed is fragile in the sense that if
it is called again while an exit is scheduled it will reset the timer
to 5s again. Since we now always report the status from
tls_authentication_status() instead only every 10s, this caused OpenVPN
to infinitively reset the timer. Fix this by only setting the status
if no exit is scheduled. The function is still called multiple times but
since it is with coarse timer frequency, the 4 extra calls (1 per second)
are better than to add more extra code to avoid these calls.
The patch also changes the DEFINE enum into a real enum.
Patch v2: only update tas_cache_last_udpate when actually updating the cache.
Patch v3: avoid rearming timer
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210506141259.309741-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22318.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This done to allow to include parts win32.c when building unit tests
as win32.c itself has too many dependencies and cannot be included in
a small unit test.
Also fix a missing Windows.h include in error.h that otherwise
breaks complation when included from unit tests.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210512131511.1309914-8-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22348.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The extra function does not really give a better understanding
of the code or any other benefit. Inline it to make the code more
streamlined.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210512131511.1309914-4-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22341.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
getpeername is part of SUSv3 and Windows also provides the function
as part of winsocks.
getpid is also provided by both Posix and windows and we do not even
use getpid on Windows since we rather call GetCurrentProcessId.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210512131511.1309914-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22340.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This macro is currently used only in 3 places in syshead.h
- EXTENDED_SOCKET_ERROR_CAPABILITY is linux specific anyway and
starts with #if defined(HAVE_LINUX_TYPES_H)
- port share and ip_pktinfo macros depends on sendmsg/recvmsg
that implicitly also require iovec
So in all three cases we can implicitly assume that iovec is present
and do not need to make this explicit check
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210512131511.1309914-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22343.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This is is a small memory leak as this key is only leaked once
per server start.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210512131511.1309914-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22345.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
While on it, bump msvc solution version.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210507145644.195-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22325.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When --crl-verify is enabled, specified CRL file gets reloaded on
every client connection. With huge CRL files it may take a significant
amount of time - seconds and tens of seconds, during which OpenVPN is
blocked and can't serve existing and/or incoming connections due its
singlethread nature.
In alternative mode --crl-verify option takes directory containing
files named as decimal serial numbers of the revoked certificates and
'dir' flag, revoked certificate check is being done by checking the
presence of client's certificate number in that directory.
This script allow to perform incremental extraction of revoked serial
numbers from CRL by adding absent ones and removing excess ones.
Usage example:
extractcrl.py -f pem /path/to/crl.pem /path/to/outdir
extractcrl.py -f der /path/to/crl.crl /path/to/outdir
cat /path/to/crl.pem | extractcrl.py -f pem - /path/to/outdir
cat /path/to/crl.crl | extractcrl.py -f der - /path/to/outdir
Output example:
Loaded: 309797 revoked certs in 4.136s
Scanned: 312006 files in 0.61s
Created: 475 files in 0.05s
Removed: 2684 files in 0.116s
Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20201002215146.31324-1-themiron@yandex-team.ru>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21154.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
AUTH_TOKEN_HMAC_OK is 1, so the first term is always 0/1 and the bool
from the second part is also 0/1, so the & does the same in this instance
as &&.
In this specific case & instead && does not change behaviour but using
&& is the intended semantic behaviour.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210331155508.19423-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21911.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
It is hard to imagine that we still have any supported OS that does
not support non-blocking connect while still supporting non-blocking
sockets in general.
Patch V2: remove epoll.h removal that should have been in other patch.
Patch V3: remove another instance in socket.c that I misseds in v1
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210503105850.3903732-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22291.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
With this change we always build multihome support if the operating
system supports it.
Patch v2: Remove also from config-msvc.h
Patch v3: Remove also another line from configure.ac
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210503105638.3903379-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22290.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Remove windows XP/old mingw compat code in socket.c
- Use _WIN32 instead checking for existence of windows.h, winsock2.h
and ws2tcpip.h in autconf
- Remove check for unlink. The last remaining use is a check inside
a Unix socket.
- Even Windows has umask, so remove the check for it
- Move epoll.h inclusion to event.c
Patch V2: Add epoll.h syshead.h that accidently was put into another
patch
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210422152939.2134046-6-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22201.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
We have two define that do exactly the same. Also move the check
from configure.ac to syshead.h since it is really only checking
for Windows.
Patch V2: Also remove from config-msvc.h
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210422152939.2134046-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22203.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The direct.h header provides only a handful of functions [1] of which
we only use _wchdir. Directly included the direct.h file where it is
used and remove autoconf magic around it.
[1]
https://docs.microsoft.com/en-us/previous-versions/visualstudio/visual-stud
io-2012/as5kw0ze(v=vs.110)?redirectedfrom=MSDN
Patch V2: also remove from config-msvc.h
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210422152939.2134046-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22202.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This warnings makes make check fail if Werror is exmaple on
LLVM/Clang on macOS for me.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210422152939.2134046-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22205.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
A switch block in interactive.c is missing the _undo_type_max value
of the neum set, thus triggering a compiler warning.
Due to the logic, this value cannot really be assigned to the variable
being examinated, however, add the missing enum value to silence
the warning.
Fixes:
interactive.c: In function ‘Undo’:
interactive.c:1561:13: warning: enumeration value ‘_undo_type_max’ not
handled in switch [-Wswitch]
1561 | switch (type)
| ^~~~~~
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210501130640.9330-4-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22267.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
warn_used is a static variable but that is used only under certain
conditions. These conditions do not apply for Windows and therefore
mingw is spitting a warning for unused variable.
Move variable declaration inside code block that uses it.
Fixes:
run_command.c: In function ‘openvpn_popen’:
run_command.c:236:17: warning: unused variable ‘warn_shown’
[-Wunused-variable]
236 | static bool warn_shown = false;
| ^~~~~~~~~~
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210501130640.9330-3-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22265.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
To print a 64bit poiner, fprintf() must be provided with the appropriate
format specifier.
The most portable in this case is PRIx64, which is redefined accordingly
on each platform. It comes from inttypes.h and it's the recommended way
to print a 64bit long hex value.
Fixes various warnings of this type:
event.c: In function ‘we_ctl’:
event.c:235:24: warning: 'I' flag used with ‘%x’ gnu_printf format
[-Wformat=]
235 | dmsg(D_EVENT_WAIT, "WE_CTL n=%d ev=%p rwflags=0x%04x arg="
ptr_format,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
error.h:151:68: note: in definition of macro ‘dmsg’
151 | #define dmsg(flags, ...) do { if (msg_test(flags)) {x_msg((flags),
__VA_ARGS__);} EXIT_FATAL(flags); } while (false)
|
^~~~~~~~~~~
event.c:235:24: warning: format ‘%x’ expects argument of type ‘unsigned
int’, but argument 6 has type ‘long long unsigned int’ [-Wformat=]
235 | dmsg(D_EVENT_WAIT, "WE_CTL n=%d ev=%p rwflags=0x%04x arg="
ptr_format,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
......
239 | (ptr_type)arg);
| ~~~~~~~~~~~~~
| |
| long long unsigned int
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210501130640.9330-2-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22268.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Changes from v4:
- get rid of the overly complex EVENT_SHIFT() macro
Changes from v3:
- re-introduce READ/WRITE_SHIFT because they are different from
EVENT_READ/WRITE
- define also EVENT_READ/WRITE using READ/WRITE_SHIFT
Changes from v2:
- moved event definitions to event.h
- removed READ/WRITE_SHIFT and use EVENT_READ/WRITE
- removed ifdefs around *_SHIFTS definitions in event.h
Changes from v1:
- fixed typ0s
- extended comment
- moved *_SHIFT definition to openvpn.h
- made READ/WRITE events dependant on _SHIFT definition with a macro
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210427191314.21317-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22247.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This uses get_key_scan and get_primary key instead the directly
accessing the members of the struct to improve readability of
the code.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210422151724.2132573-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22200.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Crypto backends are implementing the cipher_des_encrypt_ecb()
function without fully respecting the type of the argumentis as described
in the function prototype.
All ECB arguments (key, input block and output block) are expected to
be 8 bytes long, for this reason the prototype specifies the arguments
as 3 arrays of 8 bytes in size.
Convert the implementations to also explicitly mention the size of the
array they expect to receive in input.
Fixes these warnings:
crypto_openssl.c:866:39: warning: argument 2 of type ‘unsigned char *’
declared as a pointer [-Warray-parameter=]
866 | unsigned char *src,
| ~~~~~~~~~~~~~~~^~~
In file included from crypto.h:125,
from crypto_openssl.c:42:
crypto_backend.h:202:43: note: previously declared as an array ‘unsigned
char[8]’
202 | unsigned char src[DES_KEY_LENGTH],
| ~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~
crypto_openssl.c:867:39: warning: argument 3 of type ‘unsigned char *’
declared as a pointer [-Warray-parameter=]
867 | unsigned char *dst)
| ~~~~~~~~~~~~~~~^~~
In file included from crypto.h:125,
from crypto_openssl.c:42:
crypto_backend.h:203:43: note: previously declared as an array ‘unsigned
char[8]’
203 | unsigned char dst[DES_KEY_LENGTH]);
| ~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210428081054.29081-1-a@unstable.cc>
URL: https://www.mail-archive.com/search?l=mid&q=20210428081054.29081-1-a@unstable.cc
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This patch also refactors the if condition that checks the result of
the authentication since that has become quite unreadable. It renames
s1/s2 and extracts some parts of the condition into individual variables
to make the condition better understandle
Patch v2: add refactoring of the if condition
Patch v4: fix documentation not mentioning method as 2nd line
Patch v5: fix deferred auth used by both plugin and script not working
Patch v6: Add missing async inotify for script deferred auth
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Tested-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210407154951.13330-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22072.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The existing code was doing far too much work for too little
gain - copying the string segment for scanf(), checking extra
for spaces, making the result quite unreadable.
Verify each segment with (short-circuited) isxdigit() checks,
then feed directly to scanf(), which will stop parsing on ':'
or end-of-string.
Rewrite error message to differentiate "hash too short" (including
number of bytes read) and "hash too long" (it did not terminate when
we had enough bytes).
While at it, add an option printer for the resulting o->verify_hash
list to show_settings().
v2:
fix typo in commit message
appease whitespace dragon
add printing of verify_hash_algo and verify_hash_depth
print correct hash length for SHA1 certs
fix incorrect assignment to options->verify_hash_algo in c3a7065d5
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210427110300.6911-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22241.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Instead maintaining two different representation of the data channel
options in struct options and struct tls_options, use the same
flags variable that tls_options uses.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210408140229.31824-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22084.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
OpenSSL also allows ARIA-GCM and that works well with our implementation
While the handpicked list was needed for earlier OpenSSL versions (and
is still needed for Chacha20-Poly1305), the API nowadays with OpenSSL
1.0.2 and 1.1.x works as expected.
Patch V2: Remove special cases for AES-GCM ciphers.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210421123415.1942917-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22168.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
tls_pre_encrypt mainly performs the task of selecting the primary
encryption key but also performs other minor tasks. To allow only
querying for the key that should be used for encryption extract this
part of the function into its own function.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210422151724.2132573-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22198.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
A fingerprint is not expected to contains any blank (white space),
however, the parser routine will still attempt parsing the octect
and ignore the space.
This means that a fingerprint like
"5 :F0: 8:75:70:46:6E:(...)"
will be parsed successfully.
Explicitly check for spaces in the various octets, before conversion,
and error out if any is found.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210421234908.12817-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22182.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Move to definition inside the ifdef where they are used to avoid
unused warnings.
Fix a few printf related warnings when DWORD is used as paramter and
the printf format should be %lu (long unsigned int)
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210421134348.1950392-4-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22176.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Also change the types to use C99 uint64_t and its printf u64 define.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210421134348.1950392-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22171.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Now that the path for the CRL file is handled correctly when using
chroot, there's no good reason for the file to be inaccessible during
ssl_init().
This commit ensures that the CRL file is accessed successfully at least
once, which fixes a bug where the mbedtls version of OpenVPN wouldn't
use a reloaded CRL if it initially failed to access the file.
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210415093454.18324-1-maximilian.fillinger@foxcrypto.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22118.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When using the chroot option, the init_ssl function can be called before
entering the chroot or, when OpenVPN receives a SIGHUP, afterwards. This
commit ensures that OpenVPN tries to open the correct path for the CRL
file in either situation.
This commit does not address key and certificate files. For these, the
--persist-key option should be used.
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210415091248.18149-1-maximilian.fillinger@foxcrypto.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22117.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When OpenVPN sees a new (SSL) connection via HARD_RESET or SOFT_RESET with
the same port/ip as an existing session, it will give it the slot of the
renegotiation session (TM_UNTRUSTED). And when the authentication
succeeds it will replace the current session. In the case of a SOFT_RESET
this a renegotiation and we will generated data channel keys at the of
key_method_2_write function as key-id > 0.
For a HARD RESET the key-id is 0. Since we already have gone through
connect stages and set context_auth to CAS_SUCCEEDED, we don't
call all the connect stages again, and therefore also never call
multi_client_generate_tls_keys for this session.
This commit changes postponing the key generation to be done only if
the multi_connect has not yet been finished.
Patch V2: Explain better in the commit message why this change is done.
Trac: #1316
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210328120241.27605-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21873.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
context_2 and tls_multi have the same life cycle for TLS connections
but so this move does not affect behaviour of the variable.
OpenVPN TLS multi code has a grown a lot more complex and code that
handles multi objects needs to know the state that the object is in.
Since not all code has access to the context_2 struct, the code that
does not have access is often not checking the state directly but
checks other parts of multi that have been affected from a state
change.
This patch also renames it to multi_state as this variable represents
the multi state machine status rather than just the state of the connect
authentication (more upcoming patches will move other states
into this variable).
Patch V2: also rename context_auth to multi_state, explain a bit why this
change is done.
Patch V3: Add comments for c2->multi NULL check forwarding. Fix compile
with ENABLE_ASYNC_PUSH.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210418160111.1494779-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22155.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
These functions return const pointers in OpenSSL 3.0.0alpha14, so
our pointers should be also const to avoid casting the const away.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210408133626.29232-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22081.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This adds support for setting a HTTP proxy that should be used after
connecting to a VPN.
The syntax has been picked to have compatibility with OpenVPN3.
Otherwise I would have used HTTP-PROXY instead.
Since this option requires an additional argument compared to the
existing dhcp-option keywords, move checking the number of arguments
to the individual keywords.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210416110955.1162574-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22129.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Current default gateway selection for zero destination address just
dumps and parses all the routing tables. If any of non-main table
with default route comes first, wrong default gateway can be picked.
Since adding/removing routes currently handles only main table,
let's stick to RT_TABLE_MAIN while selecting default route too.
v2: keep gateway address unchanged on lookup error
v3: reduce ammout of gateway address copying
Reported-by: Donald Sharp <donaldsharp72@gmail.com>
Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210416120708.1532-1-themiron@yandex-team.ru>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22130.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Most of the functions remove were either already have a version check
against LibreSSL 2.9.0 or are also now deprecated in LibreSSL as well
according to the man pages in OpenBSD 6.8 like SSL_CTX_set_ecdh_auto
and SSL_library_init.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210415114541.1001644-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22119.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
commit 60f5889ae formally deprecated use of configs without either
"tls-client" or "tls-server" - but got the booleans wrong.
Fix.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210417100544.5497-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22139.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
