Age | Commit message (Collapse) | Author |
|
The cmake file defined that file to be never present in contrast to the
old msvc-config.h that always had it present.
Remove also the compat implementation taken from mingw. All our current
build environments already have that header in place.
Change-Id: I9c85ccab6d51064ebff2c391740ba8c2d044ed1a
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20231128103950.62407-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27573.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a68595a582b2c6c220b4f4502753d5f4154000d8)
|
|
This can happen if the memory alloc fails.
Patch V2: add goto error
Patch V3: return -ENOMEM instead of going to error
Change-Id: Iee66caa794d267ac5f8bee584633352893047171
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20231121170603.886801-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27541.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit d1c31e428120bb0fc9488c62c1691c92a37d94c3)
|
|
The inner loop used i instead of j when iterating through the buffers.
Since i is always between 0 and 2 and ks->send_reliable->size is
(when it is defined) always 6 (TLS_RELIABLE_N_SEND_BUFFERS) this does not
cause an index of out bounds. So while the check was not doing anything
really useful with i instead of j, at least it was not crashing or
anything similar.
Noticed-By: Jon Williams (braindead-bf) on Github issue #449
Change-Id: Ia3d5b4946138df322ebcd9e9e77d04328dacbc5d
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231128104359.62967-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27576.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 59551b93cdb55397d63b2fe58ad99612821c0faf)
|
|
This debug code is not very useful as it is outdated and the same
functionality is provided by --show-gateway
Change-Id: Ie7fd59cc84e2eb024086c28c2ec2a5606a2b2e7c
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231201111717.14940-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27624.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6158228f16836f56a564d4533e7b513dc6170854)
|
|
When we receive an SSL alert from a server we currently only log a
very cryptic OpenSSL error message:
OpenSSL: error:0A00042E:SSL routines::tlsv1 alert protocol version:SSL alert number 70
This also enables logging the much more readable SSL error message:
Received fatal SSL alert: protocol version
which previously needed --verb 8 to be displayed (now verb 3). Also rework the
message to be better readable.
Change-Id: I6bdab3028c9bd679c31d4177a746a3ea505dcbbf
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231121103930.15175-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27523.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a1cb1b47b138b9f654cd0bca5de6d08dbca61888)
|
|
Change-Id: I1141eb7740d8900ed4af0ff5ff52aa3659df99aa
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231121104037.15307-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27524.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 66f109117649237947e3e5cd33a36f81bde71a2b)
|
|
Add support for tls-crypt packets in protocol_dump(). Currently,
protocol_dump() will print garbage for tls-crypt packets.
This patch makes protocol_dump print the clear text parts of the packet such
as the auth tag and replay packet id. It does not try to print the wKc for
HARD_RESET_CLIENT_V3 or CONTROL_WKC_V1 packets. It also intentionally
does not print ENCRYPTED placeholders for ack list and DATA, to cut down
on the noise.
Signed-off-by: Reynir Björnsson <reynir@reynir.dk>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <8237adde-2523-9e48-5cd4-070463887dc1@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27310.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 227799b8345128dd3adf2029323457804209fe93)
|
|
Some pushed options (such as DOMAIN-SEARCH) require DHCP server to work.
Warn user that such options will not work if the current driver (such
as dco-win) doesn't support DHCP.
Change-Id: Ie512544329a91fae15409cb18f29d8be617051a1
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231115120656.6825-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27403.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 85fc834b0229b87e466b4f60bd2618b2ecd27a5f)
|
|
When tap-windows6 driver is used, both --dhcp-option and
--dns options are applied with DHCP. When processing --dns options,
we don't set "tuntap_options.dhcp_options" member, which is required
for DHCP string to be sent to the driver. As a result, --dns options
are not applied at all.
Fix by adding missing assignment of tuntap_options.dhcp_options.
Github: fixes OpenVPN/openvpn#447
Change-Id: I24f43ad319bd1ca530fe17442d02a97412eb75c7
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231115120623.6442-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27402.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 60def50420b050e628f4388e3c9ff771eb70a549)
|
|
When a key_state is in S_UNDEF the send_reliable is not initialised. So
checking it might access invalid memory or null pointers.
Github: fixes OpenVPN/openvpn#449
Change-Id: I226a73d47a2b1b29f7ec175ce23a806593abc2ac
[a@unstable.cc: add check for !send_reliable and message]
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231115103331.18050-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27401.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a903ebe9361d451daee71c225e141f4e1b67107d)
|
|
Fixed typographical errors in various documentation files for improved clarity and readability.
Signed-off-by: Aquila Macedo <aquilamacedo@riseup.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <4a3a9f1d691704f25f07653bb0de2583@riseup.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27320.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 20c42b89f6d38a4426b5fe67f59acaadcb9ac314)
|
|
This broke in the CMake build since previously we
just always set HAVE_CHDIR to 1 in the MSVC build.
But actually the code should just not check HAVE_CHDIR
on Windows.
Github: fixes OpenVPN/openvpn#448
Change-Id: I0c78ce452135fe2c80275da449215ba926471018
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20231111081808.30967-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27362.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 012ea92c414282488e3d60c87452849bde64aac4)
|
|
When I refactored the tls_state_change method in
9a7b95fda5 I accidentally changed a break into
a return true while it should return a false.
The code here is extremely fragile in the sense
that it assumes that settings a keystate to S_ERROR
cannot have any outgoing buffer or we will have a
use after free. The previous break and now restored
return false ensure this by skipping any further
tls_process_state loops that might set to ks->S_ERROR
and ensure that the to_link is sent out and cleared
before having more loops in tls_state_change.
CVE: 2023-46850
This affects everyone, even with tls-auth/tls-crypt enabled.
Change-Id: I2a0f1c665d992da8e24a421ff0ddcb40f7945ea8
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20231108124947.76816-3-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20231108124947.76816-3-gert@greenie.muc.de
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
This is a find cases where the session already has planned to send out
a packet but encounters some other errors that invalidate the session,
setting it to S_ERROR and leaving the buffer behind.
This will detect and clear that to_link buffer in that case.
Change-Id: I5ffb41bed1c9237946b13d787eb4c4013e0bec68
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20231108124947.76816-2-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20231108124947.76816-2-gert@greenie.muc.de
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
This code was necessary before the frame/buffer refactoring as we
always did relative adjustment to the frame.
This also fixes also that previously initial_frame was initialised too
early before the fragment related options were initialised and contained
0 for the maximum frame size. This resulted in a DIV by 0 that caused an
abort on platforms that throw an exception for that.
CVE: 2023-46849
Only people with --fragment in their config are affected
Change-Id: Icc612bab5700879606290639e1b8773f61ec670d
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20231108124947.76816-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20231108124947.76816-1-gert@greenie.muc.de
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Servers 2.4.0 - 2.4.4 support peer-id and AEAD ciphers,
but only send DATA_V1 packets. With DCO enabled on the
client, connection is established but not working.
This is because DCO driver(s) are unable to handle
DATA_V1 packets and forwards them to userspace, where
they silently disappear since crypto context is in
DCO and not in userspace.
Starting from 2.4.5 server sends DATA_V2 so problem
doesn't happen.
We cannot switch to non-DCO on the fly, so we log this
and advice user to upgrade the server to 2.4.5 or newer.
Github: fixes OpenVPN/openvpn#422
Change-Id: I8cb2cb083e3cdadf187b7874979d79af3974e759
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231022082751.8868-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27272.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit df7beea404df48745a608c584d863c5a377b7a1e)
|
|
This is a contribution for loading engine key. OpenSSL engine is
deprecated since OpenSSL 3.0 and James Bottomley has not agreed to
the proposed license chagne. He is also okay with removing the
feature from the current code base as it is obsolete with OpenSSL 3.0.
The original commit ID was a0a8d801dd0d84e0ec844b9ca4c225df7 (plus
subsequent fixes).
Change-Id: I2d353a0cea0a62f289b8c1060244df66dd7a14cb
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20231006111910.3541180-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27133.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e7427bcbb9b16b52d81c65b01d440a8ecd1e6ea7)
|
|
Change-Id: I85ae4e1167e1395b4f59d5d0ecf6c38befcaa8a7
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231009105336.34267-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27191.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 2574ae5e6961ed5b39531a7f98e537f72f87bcfb)
|
|
Print dco-win driver version using the new ioctl.
Requires dco-win driver 1.0.0 or newer to work.
Change-Id: I1d0d909e7fca3f51b5c848f1a771a989ab040f17
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231008112755.23568-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27174.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e8e5f8a4c4f8e01dc7317ac87a85d3204882d6bf)
|
|
The peer temporary key in TLS session is related to the PFS
exchange/generation. From the SSL_get_peer_tmp_key manual page:
For example, if ECDHE is in use, then this represents the
peer's public ECDHE key.
Change-Id: Iaf12bb51a2aac7bcf19070f0b56fa3b1a5863bc3
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231009105518.34432-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27192.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 4e80aac451b99d5cc0b0cf268ca678e602959191)
|
|
OpenSSL has a weird way of only reporting EC curves that are implemented
in a certain way in the list of all EC curves. Note this fact and point
out that also the very important curves X448 and X25519 are affected.
Change-Id: I86641bf60d62a50e9b2719e809d2429d65c00097
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231009105714.34598-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27193.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a840d5099a7d1a5ceb752c481fc345f6385719df)
|
|
Currently we log a bogus error message saying private key password
verification failed when SSL_CTX_use_cert_and_key() fails in
pkcs11_openssl.c. Instead print OpenSSL error queue and exit promptly.
Also log OpenSSL errors when SSL_CTX_use_certiifcate() fails in
cryptoapi.c and elsewhere. Such logging could be useful especially when
the ceritficate is rejected by OpenSSL due to stricter security
restrictions in recent versions of the library.
Change-Id: Ic7ec25ac0503a91d5869b8da966d0065f264af22
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20231001174920.54154-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27122.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 2671dcb69837ae58b3303f11c1b6ba4cee8eea00)
|
|
Completely replaced by the CMake build system now.
v2:
- rebase on top of my dist fixes
Change-Id: I807cffa40f18faa1adec4e15e84c032877a2b92e
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20230926095118.29924-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/search?l=mid&q=20230926095118.29924-1-frank@lichtenheld.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
This is based on the initial CMake patch by
Arne Schwabe, but extends that to provide
a complete replacement for existing MinGW
build (autotools based) and MSVC build
(openvpn.sln).
The following features are added while switching
these builds to CMake:
- vcpkg support for MinGW build, allowing for
trivial cross-compilation on Linux
- Add unittests to MSVC build
- Rework MSVC config header generation, removing
need for separate headers between autotools
and MSVC
The following advantages are reasons for switching
to CMake over the existing MSVC build:
- Easier to maintain CMake files without IDE
than the sln and vcxproj files
- Able to maintain MSVC and MinGW build side-by-side
The plan is to completely remove the existing MSVC
build system but leave the existing autotools builds
in place as-is, including MinGW support.
CMake is not the intended build system for Unix-like
platforms and there are no current plans to switch
to it.
This commits squashes a lot of commits from master
together, since most of them are just fixes or
enhancements for the original CMake commit. The
decisions was not to bloat the release/2.6 commit
history with these detours.
It contains the following commits:
- add basic CMake based build
(commit 0134184012dd46ec44cbca7eb3ece39037ae0bfa by
Arne Schwabe)
- CMake: Add complete MinGW and MSVC build
(commit e8881ec6dd63bd80ce05202573eac54ab8657fcb)
- CMake: Add /Brepro to MSVC link options
(commit 5e94e8de4bfaf6637124947a3489710b591e5e26)
- Do not blindly assume python3 is also the interpreter that runs rst2html
(commit 5dbec1c019d14880ae7bf364b062d3589c7fd9e7 by
Arne Schwabe)
- Only add -Wno-stringop-truncation on supported compilers
(commit eb3cd5ea36f9bf235da7b8a51fd6ce29780f0e39 by
Arne Schwabe)
- CMake: Throw a clear error when config.h in top-level source directory
(commit 0652ae84f4528daa57da344eee28b7385a6659a1)
- openvpnmsica: link C runtime statically
(commit 3be4986ea3d6e27acd3e3a317c15dfe07688e135 by
Lev Stipakov)
- CMake: Support doc builds on Windows machines that do not have .py file association
(commit 22213a8834ba5ba5c9818015730edbf3766ad915)
- README.cmake.md: Add new documentation for CMake buildsystem
(commit 53055fd23efb6209b12d3662427158e25247f1fe)
- Check if the -wrap argument is actually supported by the platform's ld
(commit 4ef76f0ee4e122dcd616e1b1e2d652562ab10756 by
Arne Schwabe)
- GHA: update to run-vcpkg@v11
(commit 66e33ee81d1d7fa3495ae3aad6e673766e296687)
- GHA: refactor mingw UTs and add missing tls_crypt
(commit 26c663f12815f55c483dbe660e28448dc63221d1)
- CMake: various small non-functional improvements
(commit 95cc5faa16833acaf12a4d273c5c848984fc73ce)
- CMake: fix broken daemonization and syslog functionality
(commit 8ae6c48d5d52dec8ec6e47cc1cfe89de9f2ffbcd)
- CMake: fix HAVE_DAEMON detection on Linux
(commit e363b393f2d1b72590666554e17d928c1603f8d5)
Change-Id: I6de18261d5dc7f8561612184059656c73f33a5f2
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Co-authored-by: Arne Schwabe <arne@rfc2549.org>
Co-authored-by: Lev Stipakov <lev@openvpn.net>
Message-Id: <20230926095030.29779-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27107.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Since we use strlen() to determine the length
and then check it ourselves, there is really
no point in using strncpy.
But the compiler might complain that we use
the output of strlen() for the length of
strncpy which is usually a sign for bugs:
error: ‘strncpy’ specified bound depends
on the length of the source argument
[-Werror=stringop-overflow=]
Warning was at least triggered for
mingw-gcc version 10-win32 20220113.
Also change the type of len to size_t
which avoids potential problems with
signed overflow.
v2:
- make len size_t and change code to avoid any theoretical overflows
- remove useless casts
v3:
- fix off-by-one introduced by v2 %)
v4:
- ignore unsigned overflow to simplify code
Change-Id: If4a67adac4d2e870fd719b58075d39efcd67c671
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Heiko Hund <heiko@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c89a97e449baaf60924a362555d35184f188a646)
Message-Id: <20230922160441.167168-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27085.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
No DNS resolver currently supports this and it is not possible to
emulate the behavior without the chance of errors. Finding the
effective default system DNS server(s) to specify the exclude
DNS routes is not trivial and cannot be verified to be correct
without resolver internal knowledge. So, it is better to not
support this instead of supporting it, but incorrectly.
Change-Id: I7f422add22f3f01e9f47985065782dd67bca46eb
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20230922104334.37619-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27008.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b7eea48708ee73a5999f98626fb8d31d8f88ea6f)
|
|
"INFO_PRE,..." command length is limited to 256 bytes. If the server
implementation pushes command which is too long, warn the user and
don't send the truncated command to a management client.
Change-Id: If3c27a2a2ba24f2af0e3e3c95eea57ed420b2542
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230922105055.37969-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27062.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit df624fb6d63db6b2a3b0c40597cee74c61b8ab2c)
|
|
Although it's a combination of options that is not really useful,
when specifying --multihome along with --proto tcp and DCO is enabled,
OpenVPN will crash while attempting to access c2.link_socket_actual
(NULL for the TCP case) in order to retrieve the local address (in
function dco_multi_get_localaddr())
Prevent crash by running this code only if proto is UDP.
The same check is already performed in socket.c/h for the non-DCO
case.
Github: fixes OpenVPN/openvpn#390
Change-Id: I61adc26ce2ff737e020c3d980902a46758cb23e5
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230815231555.6465-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26953.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 0793eb105c5720c4eb31af71c9db81459439e510)
|
|
Currently, OCC exit messages are only logged at some high debug level
(and if OpenVPN compiled with DEBUG), while control-channel EEN messages
are logged on verb 1. Make this consistent, both in wording and in
log level.
Both messages are prefixed with the "channel" where the exit message
came in.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230814060409.50742-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26949.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 5f910a42b86e90f1893a668ee280422b6587ada1)
|
|
This also shows the extra data from the OpenSSL error function that
can contain extra information. For example, the command
openvpn --providers vollbit
will print out (on macOS):
OpenSSL: error:12800067:DSO support routines::could not load the shared library:filename(/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib): dlopen(/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib, 0x0002): tried: '/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib' (no such file), '/System/Volumes/Preboot/Cryptexes/OS/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib' (no such file), '/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib' (no such file)
Patch v2: Format message more like current messages
Change-Id: Ic2ee89937dcd85721bcacd1b700a20c640364f80
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20230811121503.4159089-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26929.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 0f8485f2870277fb7ccdb4097380e35dc35b064e)
|
|
The return value of add_bypass_routes overwrites
the return value of add_route3 instead of combining
them.
Coverity: CID 1539180 (#1 of 1): Unused value (UNUSED_VALUE)
Change-Id: I78f92f363fe203af5661c6958b2417ea30f7055c
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <60951251cdb2f39b20cfc86130c2dc0570ba0363-HTML@gerrit.openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26900.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 8067cc8d1b384d3eb0fc9000992710b02951b266)
|
|
The code was not very clear if we accept the base64 decode if the
NTLM challenge was truncated or not. Move the related code lines
closer to where buf is first used and comment that we are not concerned
about any truncation.
If the decoded result is truncated, the NTLM server side will reject
our new response to the challenge as it will be incorrect. The
buffer size is fixed and known to be in a cleared state before the
decode starts.
Resolves: TOB-OVPN-14
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230802113149.36497-1-dazo+openvpn@eurephia.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26919.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f19391139836aa07312cf5b3ebbd00941d22ddc7)
|
|
Coverity: CID 1539183 (#1 of 1): Structurally dead code (UNREACHABLE)
Change-Id: I889de8bafb581b810a026c7359fbfee94f1b5a4e
Gerrit: http://gerrit.openvpn.net/c/openvpn/+/317
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <6b941ce86c4031a5535d6c1997e6ae06c9aec7b3-HTML@gerrit.openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26901.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 38fbddc94596b6b2d8fa93a8bd0aca7dbb220def)
|
|
msglevel hides the function parameter of the same name,
which could lead to confusion. Use a unique name.
Change-Id: I9f9d0f0d5ab03f8cdfd7ba7200f2d56613cc586d
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <d549c9b5e5d66624ef82f99206898ff8e43a5fb5-HTML@gerrit.openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26902.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f7c8cc092b8b6f5659cf8abd8d8624fc16f3dda2)
|
|
At the moments WINS servers are set either:
- via DHCP, which works only for tap-windows6 driver
- via netsh when running without interactice service
This means that in 2.6 default setup (interactive service and dco)
WINS is silently ignored.
Add WINS support for non-DHCP drivers (like dco) by passing
WINS settings to interactive service and set them there with
netsh call, similar approach as we use for setting DNS.
Fixes https://github.com/OpenVPN/openvpn/issues/373
Change-Id: I47c22dcb728011dcedaae47cd03a57219e9c7607
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230728131246.694-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26903.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 18826de5737789cb74b48fc40a9ff5cb37d38d98)
|
|
This is implements --peer-fingerprint command to support OpenVPN
authentication without involving a PKI.
The current implementation in OpenVPN for peer fingerprint has been already
extensively rewritten from the original submission from Jason [1]. The
commit preserved the original author since it was based on Jason code/idea.
This commit is based on two previous commits that prepare the infrastructure
to use a simple to use --peer-fingerprint directive instead of using
a --tls-verify script like the v1 of the patch proposed. The two commits
preparing this are:
- Extend verify-hash to allow multiple hashes
- Implement peer-fingerprint to check fingerprint of peer certificate
These preceding patches make this actual patch quite short. There are some
lines in this patch that bear some similarity to the ones like
if (!preverify_ok && !session->opt->verify_hash_no_ca)
vs
if (!preverify_ok && !session->opt->ca_file_none)
But these similarities are one line fragments and dictated by the
surrounding style and program flow, so even a complete black box
implementation will likely end up with the same lines.
[1] https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16781.html
Change-Id: Ie74c3d606c5429455c293c367462244566a936e3
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230524132424.3098475-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26723.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c3746da7f04acf872f251d3673551963380c4d77)
|
|
This reverts commit 423ced962db3129b4ed551c489624faba4340652, which
has Jason A. Donenfeld listed as author as the patch was based on his
initial submission.
We have not received permission to relicense the original patch.
Change-Id: I8142753928498169032450c56d0497a5042bdc9b
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230524132424.3098475-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26722.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 370334828659e205941eecd1c90f085a64ca539d)
|
|
Android has no facility nor need one to delete routes as routes are
automatically cleaned up when the tun interface is closed. Also adjust
the IPv4 message to be only shown and verb 7 and rephrase the message.
Change-Id: If8f920d378c31e9ea773ce1f56f3df50f1ec36cd
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230712094620.569273-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26848.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ab01eaf49fa9341ff647206bd6e3017770cc0674)
|
|
Commit a261e173 ("Make sending plain text control message session
aware") added KID parameter to "client-pending-auth" management command,
but forgot to mention it in the output of management help.
Change-Id: I201bdaa5fe4020d15a9dd1674aba5e0c45170731
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230714111802.1773-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26856.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f5201eedd4ea55414bf8310668a3d00e7bf8ea71)
|
|
This is needed to support domains with hyphens.
Not using double quotes here, since our code replaces
them with underbars (see
https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/win32.c#L980).
Github: fixes OpenVPN/openvpn#363
Change-Id: Iab536922d0731635cef529b5caf542f637b8d491
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20230710112122.576-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26841.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 4057814a8a783d4fb1475f49f073f6b3a7797677)
|
|
While it might be clear to people being (too?) well versed in
typical crypto applications that an authentication failure probably
mean wrong decryption key, this is not really obvious for the typical
user/server admin.
Change-Id: If0f0e7d53f915d39ab69aaaac43dc73bb9c26ae9
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230522091231.2837468-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26718.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7a477c16a7c2a7016c7b15ea98fe3c40e8ef675b)
|
|
the management interface expects the management key id instead
of the openvpn key id. In the past they often were the same for low ids
which hid the bug quite well.
Also do not pick uninitialised keystates (management key_id is not valid
in these).
Patch v2: do not add logging
Change-Id: If9fa1165a0e886b570b3738546ed810a32367cbe
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Tested-By: Jemmy Wang
Github: fixes OpenVPN/openvpn#359
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20230522101138.2842378-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26719.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 223baa9c9b818e4c542a9037f190f53ce6f7af5c)
|
|
When cross compiling for Windows with Ubuntu 23.04 mingw complains about
route.c:344:26: warning: ‘special.S_un.S_addr’ may be used uninitialized
which is wrong technically. However the workaround isn't really
intrusive and while there are other warnings caused by libtool, the
cmake mingw build completes with -Werror now.
Change-Id: I8a0f59707570722eab41af2db76980ced04e6d54
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230706171922.752429-1-heiko@ist.eigentlich.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26831.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit d559affd313a8f995db15908887fbc8f16a24659)
|
|
Changing the argument of check_malloc_return from const void* to void*
removes the warning from gcc 12.2.0:
In file included from ../../../openvpn-git/src/openvpn/crypto_openssl.c:40:
../../../openvpn-git/src/openvpn/buffer.h: In function ‘hmac_ctx_new’:
../../../openvpn-git/src/openvpn/buffer.h:1030:9: warning: ‘ctx’ may be
used uninitialized [-Wmaybe-uninitialized]
1030 | check_malloc_return((dptr) = (type *)
malloc(sizeof(type))); \
| ^~~~~~~~~~~~~~~~~~~
../../../openvpn-git/src/openvpn/buffer.h:1076:1: note: by argument 1 of
type ‘const void *’ to ‘check_malloc_return’ declared here
1076 | check_malloc_return(const void *p)
| ^~~~~~~~~~~~~~~~~~~
This more a quick fix/heads up for other people encountering the issue
on GCC 12.2.0 like on Ubuntu 22.10 until we figure out if this is a bug in
our code or a compiler bug.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20221127085933.3487177-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25549.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 5ad793e8cab8fcccae93fe9442eca6a6de8c044c)
|
|
the funktion is_on_link is not used on FreeBSD and triggers a
warning/error (-Werror) on FreeBSD.
Patch v2: use actual platforms instead an ifndef FreeBSD
Change-Id: I6757d6509ff3ff522d6de417372a21e73ccca3ba
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230701202453.3517822-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26804.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 99035769233fb1186b72cd8e1e9966a0d077e53d)
|
|
Avoid compilation warnings on 32 bit platforms.
dco_linux.c: In function 'dco_update_peer_stat':
dco_linux.c:830:26: error: format '%lu' expects argument of type
'long unsigned int', but argument 4 has type 'counter_type'
{aka 'long long unsigned int'} [-Werror=format=]
830 | msg(D_DCO_DEBUG, "%s / dco_read_bytes: %lu", __func__,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
831 | c2->dco_read_bytes);
| ~~~~~~~~~~~~~~~~~~
| |
| counter_type {aka long long unsigned int}
Signed-off-by: Sergey Korolev <sergey.korolev@keenetic.com>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20230626130939.3267280-1-sergey.korolev@keenetic.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26767.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 330bef679544b6a22d16a800c898927a785d74fc)
|
|
So it is possible to build with MSVC from the release
tarballs.
Fixes #344.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230619132934.76085-2-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26748.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6801260dba38ae99f8726c2840ddf6bed57ee1d0)
|
|
In many scenarios the context will still have a reference to the cipher, so
this use-after-free does not explode but it is still wrong.
Change-Id: I59002d6613eaef36d5a47b20b56073e399cfa1df
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20230601095721.4065834-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26735.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 13f5e615310ea64ab69f521e622a10f2d0ad3f4e)
|
|
Commit 36bef1b52b49ebbc3790635be230e2f30f0532a7 removed
the option but did not delete it from usage text.
Change-Id: I68d3c90c2bdf6f426a9eef81f852fcae2ea47ce9
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230525144657.40732-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26726.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e8a026ac770592670b0dcf8f81cee6a98b4b4f65)
|
|
With --dev-node on Windows, one can specify GUID
of the adapter openvpn should use. Those can be listed with:
C:\Program Files\OpenVPN\bin>openvpn.exe --show-adapters
While on it, remove "TAP-WIN32 / Wintun" from --show-adapters output.
Github: Fixes OpenVPN/openvpn#336
Change-Id: I57de4d3c069465fb730bb635bfdbdf360fc8c475
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230518110058.1382-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26702.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c543cf464e97866e20345feb46c82752fedc9d71)
|