This function is similar to the essence of open_tun_generic(), but
calling open_tun_dco() instead of trying to do a file open on
"/dev/%s"
Previous attempts to save code duplication by including this into
open_tun_generic() created additional #ifdef plus confusing call
paths. So this is a clean new function, leaving the door open for
a cleanup of open_tun_generic().
Also, introduce tun_dco_enabled(tt) to avoid the negative
"!tt->options.disable_dco" calls.
v11:
- add new function open_tun_dco_generic() for Linux (and FreeBSD, later)
instead of lumping this into open_tun_generic()
- pick up tun_dco_enabled() from a later patch in the series
(easier to bring this in right now than to convert the code back
and then patch it again later)
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220721182425.1569798-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24717.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The new code to enable IPv6 extended error reporting will cause
an error ("Protocol not available (errno=92)") if trying to enable
that setsockopt() option on an IPv4-only socket.
Fix: pass sock->info.af to set_sock_extended_error_passing(), only
apply to AF_INET6 sockets.
To make that work, ensure that sock->info.af is set to not only
the value coming from config (which might be AF_UNSPEC) but to the
actual value used in socket creation (credits: Arne Schwabe).
Add comments to make explicit that the asymmetry here (IPv4 extended
socket error reporting is enabled on all sockets) is intentional.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220723121909.21943-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24731.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The correct errno can get overwritten by the call to
format_extended_socket_error() which may set errno to EAGAIN
losing the original error and cause to bypass the error reporting
below. Fix by reading the errno of interest at the top of the
function.
Reported by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220722204007.7537-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24728.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
In automated tests we want the build to fail if the
worker node is configured incorrectly.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220722134902.22092-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24723.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commit 4df5003 introduced a check against options->config but
did not ensure that this variable is non-null.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220722134652.2446598-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24722.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
OpenVPN for Android uses config stdin to avoid writing the config
file containing private keys to 'disk'. However using stdin means
that config cannot be reread using SIGHUP. While there might be other
corner cases that trigger SIGHUP, this is an obvious one, so we
error out if we detect this misconfiguration.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220722130224.2442759-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24720.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This moves closing the tun handle into its own function and also prints
the adapter type we are operating on, instead hardcoding it to
tap-windows.
While at it, set the handle to NULL after closing, to prevent a double
close due to multiple invocations of this helper.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220624083809.23487-18-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24527.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Currently when we are listening on the management
interface, the local address/port is logged as that of
the connecting client.
Fix it.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220630190549.16675-3-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24619.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When the port is specified as zero, log the actual port
bound to, instead of 0.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220630190549.16675-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24617.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Use of this has never been documented and the code was
dead for a long while now.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220701000726.8198-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24624.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The function signature for xkey_load_generic_key had
function pointers defined as function types that seems
to work in gcc but not in msvc.
Fix it by changing the function signatures to what was intended.
Also revert part of commit 627d1a3d28638... as that workaround
should be no longer required.
Reported by: Lev Stipakov https://github.com/lstipakov
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220707035151.25469-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24664.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This helper encloses the (simple) logic used by OpenVPN to determine if
the name passed to --dev has to be considered a fixed interface name or
just a pattern.
Having a helper is useful because when this logic is required elsewhere,
we can just re-use this logic without duplicating the code (which may
mean introducing bugs if a future logic change should not update all
spots).
The logic is actually fairly simple: check if the name contains a number
(i.e. tun0). If so, consider the name a fixed device name.
While at it make has_digit() accept a signed argument because strings
are normally signed (also isdigit() accepts a signed argument).
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220712221655.19333-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24676.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This new API can be used to retrieve the type of a specific interface.
It's mostly platform dependant, but right now expected values are
"ovpn-dco", "tun" or "tap".
Other values are possible too, but they are not of interest to us.
This commit also extends the networking unit-test by using the newly
introduced API in conjunction with iface_new and iface_del.
The t_net.sh script has been slightly adapted to allow running these
tests in standalone (as they don't require any iproute2 counterpart).
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220713124332.16147-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24688.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The API is designed to always return a negative error code in case of
failure, therefore we should return '-errno' when ifindex has failed.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220713121416.1912-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24686.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
If 'max-clients' is set multi_create_instance() can return NULL (for any
client that would take us over the client limit).
If mi is NULL we don't add it to the hash map, but we do potentially
dereference it to increment the session count.
Do not attempt to do so if 'mi == NULL'.
Signed-off-by: Kristof Provost <kprovost@netgate.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220713083404.13227-2-kprovost@netgate.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24678.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The pre_connect_save() function is not used outside of options.c,
therefore it should not be exported.
Make it static and move definition before its invocation.
Move also pre_connect_restore() along with it in order to keep the two
close to each other.
Cc: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20220711122348.8756-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24666.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Some auto correction must have sneaked in.
Restore proper wording.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20220705091842.24053-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24636.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The %x specifier requires for the argument to be an unsigned int.
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220512231901.1077306-1-heiko@ist.eigentlich.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24336.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When using DCO iroutes and routes all live in the same routing table,
However, the latter should always come after the former.
for this reason assign a default metric of 200 to routes. iroutes will
later get a metric of 100.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220628185623.1734-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24599.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The tls-crypt-v2 key should be at least 2 bytes long in order to read
the actual length. Bail out if the key is too short.
This looks like it could be abused to trigger a read of uninitialized
memory, but after close checking it won't:
We read from BEND(), so this is defined for TCP since the minimum
length there is 3 bytes (pkt len + opcode)
For UDP we might read past the beginning of the packet but since they
are buffers coming from the packet stack we have the headroom/tailroom,
so might read some random data (but not out of bound!).
So we copy some more or less random number into net_len/wkc_len but without
actually reading from undefined memory.
The next line will then almost definitively fail (buf_advance()).
While at it improve the error message a bit.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220628094144.17471-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24580.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Have clients set a bit in IV_PROTO, so that servers can make an informed
decision on whether to push --dns to the client. While unknown options
are ignored by clients when pushed, they generate a warning in the log.
That can be circumvented by server backends by checking if bit 7 is set.
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20220513093740.1091639-1-heiko@ist.eigentlich.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24350.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Override DNS related foreign_options with values set by the --dns
option. This is done so that scripts looking for these options continue
to work if only --dns option were pushed, or the values in the
--dhcp-options differ from what's pushed in --dns.
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220527012457.1819262-5-heiko@ist.eigentlich.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24432.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
There are two flags to indicate peer-id usage, one is
in tls_multi struct and another one is in options.
For P2P mode we don't set this flag in options,
which is used in MTU calculation. As a result,
automatically calculated MSS value in P2P mode is wrong,
Fix by bring use_peer_id flag in options and tls_multi
into sync for P2P.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20220524091916.145-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24430.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This function has only one usage and is so trivial that an extra
function makes little sense anymore.
frame_defined is no longer used, so remove the function.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220621161649.2872985-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24492.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The frame_set_mtu_dynamic function and it defines were removed during
the buffer rework but this definitions were overlooked.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220621161649.2872985-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24494.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The man pages reference a logging message which has been rephrased
in ac1310528a. This commit updates the
man page message to reflect the change for improved grep-ability.
Signed-off-by: Martin Janů <martin.janu@protonmail.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <SVrvuTydxR6Qs_mvwvG7mqT8iLV0inlcCMXoenZTMI8M0LkosV4pZsH9m_XCTwcRWAPN5H8Zdro0ubhJrnSp6v5KC2ZNAL9So0Y2SKiSe7g=@protonmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24472.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
After successfult builds on all platforms,
start openvpn-build GHA which produces
Windows MSI installers.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Samuli Seppänen <samuli@openvpn.net>
Patchwork-Id: 2508
URL: https://patchwork.openvpn.net/patch/2508/
Message-Id: <20220605004013.319-1-lstipakov@gmail.com>
Signed-off-by: David Sommerseth <davids@openvpn.net>
The out buffer is not filled and this adds an extra empty line for
CR_RESPONSE outputs. Also make minor style fixes.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220530224149.201883-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24447.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Add setenv_ prefix to foreign_option funtion so it is more obvious what
it does. Move it further up within options.c, so it is defined before
all future callers. Also declare all argv strings const.
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220527012457.1819262-4-heiko@ist.eigentlich.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24436.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The call survived since the initial commit 94bfc256d, where it was added
as a fallback, since no IPv6 DNS server handling was implemented at the
time. Now there's dhcp_option_dns6_parse() which adds the servers to the
tuntap options, just like how it is done with the v4 servers.
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220527012457.1819262-2-heiko@ist.eigentlich.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24433.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Since we used the OpenSSL <=1.1 names as part of our OCC message, they
are now unfortunately part of our wire protocol.
OpenSSL 3.0 will still accept the "old" names so we do not need to use
this translation table for forward lookup, only for returning the name
with md_kt_name()
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20220523103546.3425388-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24423.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
OpenSSL's implementation of ED448 and ED25519 has a few idiosyncrasies.
Instead of belonging to the elliptic curve type or to a common Edwards
curve type, ED448 and ED25519 have each their own type.
Also, OpenSSL expects signatures using these curves to be done with the
EVP_DigestSign API instead of the EVP_Sign API but using md=NULL.
This has been tested using a "fake" external key that used a normal
software key instead of a hardware implementation but that makes no
difference from the perspective of xkey_provider/management interface.
Patch v2: remove name functions from ed448/ed25519, ensure md is NULL
for ed448/ed25519 and handle NULL/none better in general.
Patch v3: do not pass NULL as string for the OSSL params.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20220516104807.2568937-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24363.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Previously the generated patch was based on the file(s) in the working
directory. This is a problem if you have not to be commited changes
there and these changes fix formatting issues that exist in the staging
area. This effectively circumventes the script from rejecting the
commit.
An example:
git add file.c
git commit
... pre-commit hooks complains about formatting ...
... you fix the file manually, forget to git add ...
git commit
... succeeds, even though the commit still has issues ...
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20220517210121.1312072-1-heiko@ist.eigentlich.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24376.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Avoid the ugly "No newline at end of file" in git diffs.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20220518105157.9026-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24386.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
It is our usual style.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20220519085428.6783-2-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24399.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
commit 043c67f363 enhances format_extended_socket_error() by
recognizing IPv6 extended socket errors, but neglected to change
the "sockaddr_in" buffer passed to recvmsg() to "sockaddr_storage".
According to documentation, recvmsg() should not have overrun
that buffer (we pass the size of the struct), but according to
ASAN it does... so, pass a pointer to the correct structure.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220513101526.11486-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24352.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
We use M_ERRNO flag in logging to display error code
and error message. This has been broken on Windows,
where we use error code from GetLastError() and
error description from strerror(). strerror() expects
C runtime error code, which is quite different from
last error code from WinAPI call. As a result, we got
incorrect error description.
The ultimate fix would be introducing another flag
for WinAPI errors, like M_WINERR and use either that or
M_ERRNO depends on context. However, the change would be
quite intrusive and in some cases it is hard to say which
one to use without looking into internals.
Instead we stick to M_ERRNO and in Windows case we
first try to obtain error code from GetLastError() and
if it returns ERROR_SUCCESS (which is 0), we assume that
we have C runtime error and use errno. To get error
description we use strerror_win32() with GetLastError()
and strerror() with errno.
strerror_win32() uses FormatMessage() internally, which
is the right way to get WinAPI error description.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20220503002840.295-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24270.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>