- Though named cryptoapi_testdriver, right now this only tests
parsing of thumbprint specified as a selector for --cryptioapicert
option. More tests coming..
v2: a line that belongs here was mistakenly included in the previous
commit. Corrected.
v3: add to list of tests run in github actions
v4: - correct comment above invalid strings (copy paste error)
- make invalid strings differ from correct value only in the
explicitly introduced invalid characters/separators (one had
two distinct errors which is not a robust test).
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230214200804.600405-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26268.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Automatically disabled when
- iproute2 is enabled
(Don't want to force people specifying --disable-dco explicitely)
- libnv is missing on FreeBSD
(FreeBSD version too old anyway)
Will still error out if libnl-genl is missing on Linux to
make people aware of new dependency.
v2: error out when libnl-genl is missing as discussed with ordex on
IRC.
v3:
- improvements to the messages, suggested by Selva
- further improvements to the default specification, trying to make it clear
- if enabling iproute2, do not test for libnl-genl
v4: add updates for GHA
v5:
- v4 was missing the changes of v3. v5 combines the changes from v3 and v4
- fix build failure GHA/ubuntu1804/mbedtls
- fix build failure GHA/ubuntu2204/libressl
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20230215162654.52137-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26272.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
DCO doesn't support proxy and we already disable DCO
is proxy is set in profile.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20230220090601.983-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26287.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The Android implementation is relying on the management interface to be
always available. Trying to run the Android binary without the mangament
interface outside the app leads to a segfault. Exit with a FATAL error
instead.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230220131424.1749736-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26288.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Certificate selection string can now specify a partial
issuer name string as "--cryptoapicert ISSUER:<string>" where
<string> is matched as a substring of the issuer (CA) name in
the certificate.
Partial case-insensitive matching against the "issuer name" is
used. Here "issuer name" is a text representation of the RDN's
separated by commas.
E.g., "CA, Ontario, Toronto, Acme Inc., IT, Acme Root CA".
See MSDN docs on CertFindCertificateInStore() with CERT_FIND_ISSUER_STR
as "FindType" for more details.
As the order of RDN's is not well-defined[*] and type names like "OU"
or "CN" are not included, its best to match against a single attribute
like the CN of the issuer:
E.g., --cryptoapicert "ISSUER:Acme Root"
[*] Windows appears to order RDN's in the reverse order to which
its written in the certificate but do not rely on this.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230128223421.2207802-2-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26092.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
v2: Moved the "parse_hexstring" chunk to a function for clarity
and to permit unit-testing.
A test is submitted as a follow up patch.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230204004322.250210-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26146.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Require xkey-provider (thus OpenSSL 3.01+) for --cryptoapicert
Note:
Ideally we should also make ENABLE_CRYPTOAPI conditional
on HAVE_XKEY_PROVIDER but that looks hard unless we can agree
to move HAVE_XKEY_PROVIDER to configure/config.h.
v2: use "binary" instead of "version" in the error message
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230201230340.2268781-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26131.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- With various ways of specifying the selector-string to the
"--cryptoapicert" option, its not immediately obvious
which certificate gets selected from the store. Log it.
The "name" logged is a friendly name (if present), or a
representative element of the subject (usually the common-name).
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230128223421.2207802-3-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26093.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Newer OpenVPN 3 core versions now allow limited configuration of ciphers:
// Allow usage of legacy (cipher) algorithm that are no longer
// considered safe
// This includes BF-CBC, single DES and RC2 private key encryption.
// With OpenSSL 3.0 this also instructs OpenSSL to load the legacy
// provider.
bool enableLegacyAlgorithms = false;
// By default modern OpenVPN version (OpenVPN 2.6 and OpenVPN core
// 3.7) will only allow
// preferred algorithms (AES-GCM, Chacha20-Poly1305) that also work
// with the newer DCO
// implementations. If this is enabled, we fall back to allowing all
// algorithms (if these are
// supported by the crypto library)
bool enableNonPreferredDCAlgorithms = false;
Adjust the man page section accordingly but only really mention the AEAD
ciphers to be always present and that they should be included in the
data-ciphers option.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230210142712.572303-7-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26226.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This runs each test in its own action since order of stderr and stdout
is seemingly random in github action Windows output and this way at least
tests outputs are grouped by test
Patch v2: use -static-libgcc to avoid comping gcc runtime libraries.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20230209163705.466173-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26204.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Socket is a handle on Windows, which is usually logged in hex.
Also an interesting value is INVALID_SOCKET, which is ~0.
PRIuPTR prints decimals, and for INVALID_SOCKET it prints something like
2023-02-10 14:45:21 us=906000 write to TUN/TAP : Jrjestelmkutsulle
annettu data-alue on liian pieni. (fd=18446744073709551615,code=122)
PRIxPTR prints hex, and INVALID_SOCKET looks a bit nicer:
2023-02-10 15:17:11 us=828000 write to TUN/TAP : Jrjestelmkutsulle
annettu data-alue on liian pieni. (fd=ffffffffffffffff,code=122)
Reported-by: Selva Nair <selva.nair@gmail.com>
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20230210133159.1336-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26220.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Instead of passing a value and a bool just pass the value and 0 if
the caller does not want the value to be added. This also allows
the function to be used by a function without a frame struct.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230210142712.572303-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26223.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
WinAPI uses __stdcall calling convention on x86. Wrong
calling convention causes UB, which in this case breaks
dco-win functionality.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230131125448.1913-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26113.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Minor changes to the build system to include some
dependencies for Windows build
- test_tls_crypt not built as it will pull in win32.c and
its dependencies
- If cross-compiling, "make check" will only build the tests but not
run any. Copy to Windows and run manually. Executables are in
<buid-dir>/tests/unit_tests/openvpn/.libs/ and these depend on
cmocka.dll in addition to openssl libs that some tests link to.
Building with mingw on Windows should run the tests (untested).
v2: networking_testdriver was mistakenly enabled to run, while
originally it was only set to build. Corrected.
v3: exclude check_engine_keys.sh when cross-compiling
As suggested by Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230208005925.393200-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26188.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
My mingw compiler/headers (mingw-w64 10.0.0 on macOS) seem to be more
pendantic than the one that comes with Ubuntu 22.04 (github actions) or
any of the other platforms including msvc/normal windows header.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20230208001819.244694-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26182.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
overlapped_io_init() has a "bool tuntap_buffer" argument which is only
passed onwards to alloc_buf_sock_tun(), which does nothing with it.
Remove from both functions.
v2:
move alloc_buf_sock_tun() to win32.c
v3:
leave alloc_buf_sock_tun() where it is, and fix non-WIN32 call from
socket.c
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230130161730.110021-1-gert@greenie.muc.de>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26099.h
tml
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit bdc842d72e92995261bac3579120c94f93e4064a)
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230201141518.119157-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26122.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Eliminates repeated warnings such as
warning: source file '$(openvpn_srcdir)/env_set.c' is in a subdirectory,
but option 'subdir-objects' is disabled
- Enabled only for automake >= 1.16 as older versions have a buggy
implementation of this option
Main side effect of this option is that object files like
openvpnserv-blockdns.o are now created in src/openvpn where block-dns.c
resides instead of in src/openvpnserv.
Same for object files for sources from $(openvpn_srcdir) compiled
into test executables.
See also past discussion on this topic:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg00013.html
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230204004512.250271-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26147.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Followin DHCP options:
DOMAIN, ADAPTER_DOMAIN_SUFFIX, DNS, WINS
don't require DHCP server in order to be used.
This change allows those options to be used with dco and wintun
drivers. If an option specified which requires DHCP server and
tap-windows6 driver is not used, print a clear error message
instead of obscure reference to --ip-win32.
Reported-by: Marek Zarychta
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20230207145416.1415-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26169.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
During the build of LibreSSL portable it pulls in a branch from OpenBSD
upstream. Unfortunately they use master there instead of a fixed branch.
So we work around this issue.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230209163115.465548-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20230209163115.465548-1-arne@rfc2549.org
Signed-off-by: Gert Doering <gert@greenie.muc.de>
At this point it might be easier to create a
dedicated function for Windows...
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20230203191440.136050-3-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26140.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- An item added to undo-list was not removed on error, causing
attempt to free again in Undo().
Also fix a memory leak possibility in the same context.
Github: fixesOpenVPN/openvpn#232
v2: Split add and delete functions and reuse the delete
function for cleanup.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20230201170735.2266851-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26130.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This allows identifying the source of undefined behaviour more easily
from the github action logs.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230130172936.3444840-4-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26102.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The version 3.5.3 triggers undefined behaviour with the usan sanatizer.
Updating LibreSSSL to 3.7.0 does unfortunately does not fix the issue but
at least we are now using a current version.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230130172936.3444840-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26105.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The undefined behaviour USAN clang checker found this. The optimiser
of clang/gcc will optimise the memcpy away in the auth_token case and
output excactly the same assembly on amd64/arm64 but it is still better
to not rely on undefined behaviour.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230130172936.3444840-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26103.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The linux userspace API header has acquired the MIT license (check the
ovpn-dco repository for the related change), therefore we simply bring
this change in our local copy to ensure compliancy.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230125095321.23063-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26077.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Custom action "FindSystemInfo" finds adapters with certain hwid and
assigns found adapters' guids to a certain property. Later another custom
action "EvaluateTUNTAPAdapters" schedules adapter creation if the
abovementioned property is not set - which means no adapters exist
with given hwid.
I think this logic is needed to prevent duplicate adapter creation
if adapter was renamed and then new version is installed.
As one can see, there is a typo in property name ("OVPNDCOAPTERS"). As
a result of this typo, installer will always try to create DCO adapter
no matter if there are existing adapters. It however won't do anything
if adapter with the name "OpenVPN Data Channel Offload" already exists,
this is handled in schedule_adapter_create() function.
Because of that typo, following scenario works fine:
1) Upcoming release of OpenVPN Connect is installed, which creates
adapter named "OpenVPN Connect DCO Adapter"
2) OpenVPN-GUI is installed. Because of typo, it ignores adapter created
by Connect and creates own "OpenVPN Data Channel Offload" adapter
3) OpenVPN Connect is uninstalled and it removes
"OpenVPN Connect DCO Adapter".
4) OpenVPN-GUI still has its "OpenVPN Data Channel Offload" adapter
If we just fix a typo, OpenVPN-GUI won't create a adapter on step 2 and
after Connect removal on step 3 there won't be DCO adapters anymore
for OpenVPN-GUI to use.
The ultimate solution to this would be moving adapter creation to MSM,
a shared component which adds/removes the DCO driver. However this change
is not trivial and requires a lot of work. For the time being we apply
this band-aid by excluding Connect-created adapters from enumerations in
"FindSystemInfo" custom action. This makes sure that OpenVPN-GUI won't
rely on adapter created by Connnect (which is deleted on Connect uninstall)
and ensures that additional DCO adapters won't be created on upgrade
if user decides to rename adapter.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20230124142316.441-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26072.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
That code has been moved to MSM by commit 640c4d82
("openvpnmsica: remove dco installer custom actions")
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230124091441.397-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26070.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Ensure net_route_v4/v6_add/del() functions using iproute2 return
error when route addition fails. Return value follows the same logic
as corresponding functions using netlink though all failure reasons
get the same error code of -1.
TODO: Preserve any preexisting direct route to VPN and optionally the
IPv6 connected net route.
v2: Following review, removed the poorly coded RL_DID_LOCAL-related chunks.
That part needs a better fix.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230121194226.2081637-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26067.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Use a unified logging format for various route-methods
- Route add/delete errors are always logged with M_WARN, so
log only additional information (succeed/exists) with D_ROUTE.
- Non-windows platforms log route errors with a prefix "ERROR:" and
debug info with "ROUTE:". Do the same on Windows. Do not log
errors or success multiple times.
- In add_route_ipv6, log the interface id instead of device name
as the latter always point to the tun/tap adapter name on Windows.
Log lines prefixed with a PACKAGE_NAME "ROUTE" are unchanged.
They appear to use the same format on all platforms.
v2: rebase to master
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20230120094100.2063883-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26058.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- If there are no pkcs11-providers either directly specified or
through p11-kit-proxy made available through a build-time detection,
these options are ignored. Log a warning in such cases.
Especially important on Windows where automatic loading of p11-kit
is not enabled in our release builds.
- Document this behaviour.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230120021841.2048791-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26056.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Those have been moved into MSM to be reused by openvpn-gui and Connect.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230119085959.157-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26053.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This workaround avoids the kernel trigger ENOBUFS when the kernel
internal queue is overrun with events of disconnectingh clients or
similar. This is a workaround until we come up with a more permanent
solution.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20230112163737.1240059-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25988.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The bounding set being empty will overpower the likes of su/sudo
and will make it impossible for any child processes to ever gain
additional privileges again.
Github: fixesOpenVPN/openvpn#220
Signed-off-by: Timo Rothenpieler <timo@rothenpieler.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230118142428.162-1-timo@rothenpieler.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26048.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The code in sitnl_route_set() used to treat "route can not be installed
because it already exists" (EEXIST) as "not an error".
This is arguably a reasonable approach, but needs to handled higher
up - if the low level add_route() function say "no error", we will try
to remove that route later on in delete_route(), possibly removing
someone else's "already existing" route then.
So:
- remove special case in sitnl_route_set()
- do not pass NLM_F_REPLACE flag to sitnl_route_set() call - this would
cause netlink to just replace existing routes, never return EEXIST
(see "man netlink(7)")
- add detailed return code handling to add_route(), assign "2" on
"-EEXIST"
(and log appropriate message).
(Note: sitnl_route_set() is a common function for sitnl route add and
delete, but EEXIST can not happen on delete - so this change has no
impact for the "delete" case)
v2: use RTA_ macros, also adjust add_route_ipv6()
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20230118074633.27586-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26046.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Instead of 0, 1, 2 use RTA_ERROR, RTA_SUCCESS, RTA_EEXIST
as the return code of route addition functions.
- Also fix a logging error: status -> (status == RTA_SUCCESS)
v2: fold long lines
use "bool ret = .." pattern for android too
fix two more lines where status was directly assigned to bool
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230115164818.1973210-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26041.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
commit 67c4eebdae introduces a new peer disconnect reason (transport
disconnected, aka "TCP session closed") which breaks compilation on
FreeBSD - OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT not part of the
enum in freebsd_dco.h, and no kernel support for TCP anyway.
This patch is an intermediate bandaid, making the offending code in
multi.c "linux only" while a better solution is discussed.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20230113080745.82783-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20230113080745.82783-1-gert@greenie.muc.de
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Move OCC warnings to debug level. This moves the only useful OCC message
of compress-migrate to D_PUSH
- remove configure option --enable-strict-options
- ignore disable-occ in TLS mode as it is logged under debug now only
disable-occ is now strictly a non-TLS option
- mark opt-verify and disable-occ as deprecated.
Patch v2: change one missed M_WARN to D_OCC
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230111134439.1107915-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25970.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
We listed those in Changes, but did not update the documentation.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230111125242.21025-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25968.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Not enabled by default with OpenSSL 3, so we don't
see this in our builds.
While here add missing entries to .gitignore (which
is what made me look at engine-key test in the first
place).
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230110170257.113527-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25949.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
That makes it possible to remove several preprocessor
directives which is a good thing. The cost should be
negligible.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20221127142506.41986-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25554.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- The response to the management command "remote-entry-get" is
amended to include the status of the remote entry. The status
reads "disabled" if (ce->flag & DISABLED) is true, "enabled"
otherwise.
- Update and correct the description of this option in
management-notes.txt
Example responses:
In response to "remote-entry-get 0"
0,vpn.example.com,udp,enabled
END
Or, in response to "remote-entry-get all"
0,vpn.example.org,udp,enabled
1,vpn.example.com,udp,enabled
2,vpn.example.net,tcp-client,disabled
END
This helps the management client to show only enabled remotes
to the user.
An alternative would require the UI/GUI to have knowledge of
what makes the daemon set CE_DISABLED (--proto-force,
--htttp-proxy-override etc.).
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230111062910.1846688-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/search?l=mid&q=20230111062910.1846688-1-selva.nair@gmail.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Warning by GCC 12:
pkcs11_openssl.c:237:22: warning:
dangling pointer ‘tbs’ to ‘enc’ may be used [-Wdangling-pointer=]
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20230110131947.59552-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25942.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>