Age | Commit message (Collapse) | Author |
|
In Visual Studio when unary minus is applied to unsigned,
result is still unsigned. This means that when we use result
as function formal parameter, we pass incorrect value.
Fix by introducing frame_remove_from_extra_frame(),
which makes code semantically more clear and eliminates
the need in negative value and cast.
Since GCC didn't complain (and users too :), it probably performed
cast to signed automatically.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1539258702-15427-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17739.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Commit 447997dd refactored the --show-ciphers code, but introduced a bug
in mbedtls builds where non-AEAD/CBC cipher were printed too. Those are
however unsupported (as openvpn will tell you when you try to use them).
This fixes that bug.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1539242400-27614-1-git-send-email-steffan.karger@fox-it.com>
URL: https://sourceforge.net/p/openvpn/mailman/message/36438012/
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
As Antonio pointed out, "8-bit block cipher" is a bit funny. So teach
print_cipher() to print such cipher as "stream cipher".
Because I didn't want to write the same code twice, I decided to merge the
two print_cipher() implementations into one shared function. That should
make it easier to keep both backends consistent.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20181009204315.8262-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17682.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
OpenSSL 1.1.1 introduces a separate list for TLS 1.3 ciphers. As these
interfaces are meant to be user facing or not exposed at all and we
expose the tls-cipher interface, we should also expose tls-cipherlist.
Combining both settings into tls-cipher would add a lot of glue logic
that needs to be maintained and is error prone. On top of that, users
should not set either settings unless absolutely required.
OpenSSL's own s_client/s_server also expose both settings and I believe
most other software will too:
-cipher val Specify TLSv1.2 and below cipher list to be used
-ciphersuites val Specify TLSv1.3 ciphersuites to be used
For mbed TLS only the future can tell if we will see a combined or also
two separate lists.
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20181007215539.32761-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17626.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
These defines are always defined when management is enabled.
We still have --disable-management as configure option, so we need
to replace these with ENABLE_MANAGEMENT in some cases.
PATCH v3: Rebase directly on master
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20181010142527.27025-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20181010142527.27025-1-arne@rfc2549.org
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
In function netsh_dns_cmd() it is possible to jump on a label and
call free() on uninitialized pointer. Move pointer initialization
above jump.
To fix a few warnings which are treated as errors with SDL enabled,
initialize pointers with NULL.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <1539022378-24485-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17663.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
There is no user facing way to enable this feature and way that feature
works (username build from MAC of primary net device) is questionable.
It also does not compile anymore.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181008181618.8976-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17664.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
console_systemd.c: In function ?get_console_input_systemd?:
console_systemd.c:75:5: warning: implicit declaration of function
?openvpn_popen? [-Wimplicit-function-declaration]
if ((std_out = openvpn_popen(&argv, NULL)) < 0)
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181008180017.31413-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17660.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
This fixes this compile warning:
platform.c: In function ?platform_create_temp_file?:
platform.c:355:31: warning: implicit declaration of function
?get_random? [-Wimplicit-function-declaration]
prefix, (unsigned long) get_random(),
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181008165648.27504-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17652.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
The openvpnserv.vcxproj source code is Windows API Unicode compliant
with only Debug|x64 set to Unicode, while other cfg|plat pairs were set
to MultiByte.
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20181008094600.10164-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17633.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
We explicitly only supported GCM as a valid AEAD mode, change that to also
allow ChaCha20-Poly1305 as an AEAD cipher. That works nicely with our new
(GCM) data channel format, because is has the same 96-bit IV.
Note that we need some tricks to not treat the cipher as insecure, because
we used to only look at the block size of a cipher to determine if find a
cipher insecure. But ChaCha20-Poly1305 is a stream cipher, which
essentially
has a 'block size' of 1 byte and is reported as such. So, special-case
this
cipher to be in the list of secure ciphers.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20181007223035.21179-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17629.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
This removes declaration of function which has no definition and usage.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1539008366-19656-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17644.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
The Visual Studio 2017 project files were refactored by migrating all
repeating common settings into three property sheets: Debug.props,
Release.props and the existing PropertySheet.props.
This simplifies configuration management while providing uniformity
across projects, configurations and platforms.
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20181008094600.10164-2-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17634.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Single-process builds start building compat project first and they fail,
since the referenced config-msvc-version.h is not available yet. Multi-
process rebuilds also tends to fail if the compat project is built
faster than msvc-generate is able to produce the required output files.
Adding a reference to msvc-generate project assures correct build order.
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20181008100323.11308-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17635.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Like 'proto', a mismatch in key-method, keydir or tls-auth would fail
before we ever get to the point where we can print this warning.
This prepares for removing these from the occ string later on, but also
prepares for tls-crypt-v2, which allows a server to support tls-auth and
tls-crypt-v2 connections in parallel. Such a server will send 'keydir'
and 'tls-auth' in the occ string. This change removes the spurious
warnings about that in the client log.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181007175215.25009-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17618.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Instead of requiring users to do "--genkey --secret new.key", allow
them to just do "--genkey new.key". This has hit me often enough that I
decided to write a patch for it. Also, the upcoming tls-crypt-v2-genkey
uses a similar syntax and Antonio suggested we should make them consistent.
The documentation is updated to no longer mention the old syntax, but it is
still supported so people who are used to the old syntax can still use it.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20181005150032.16541-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17574.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Functions openvpn_vsntprintf and openvpn_sntprintf return
values of type int, but in reality it is always 0 or 1 (and -1 for
snrptinf), which can be represented as boolean.
To make code clearer, change return type to BOOL. Also
use stdbool.h header instead of bool definition macros in automatic.c.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <1538587281-3209-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17532.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Commit 98bfeeb4 changed our openssl backend implementation of
tls_ctx_use_management_external_key() to no longer use
tls_ctx_load_cert_file_and_copy(), but still free'd 'cert'. Which it no
longer should do. Credits go to Arne for spotting the issue (even though
it was missed during the review).
The offending commit is only recently applied to the master branch, so was
never part of a OpenVPN release. For that reason I did not do full impact
analysis.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20181007100032.17060-1-steffan@karger.me>
URL: https://www.mail-archive.com/search?l=mid&q=20181007100032.17060-1-steffan@karger.me
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
This patch fixes the signed/unsigned comparison warnings discovered when
compiling openvpnserv using MSVC.
Wherever possible, it changes iterator and/or size variables to a more
appropriate type, or uses type-casting when it is safe to do so.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20180413124756.5756-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16756.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20180413155517.895-1-simon@rozman.si>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16760.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Function prototypes should be included when compiling their
definitions so that it is clear to compilers and static
analyzers that they are not static.
This means that several declarations have to be moved to the
related header files which in turn have to be included by the
source files implementing them.
Generally speaking this also improves the coding style and
makes this code more consistent with the rest that already
follows this rule.
Cc: Steffan Karger <steffan@karger.me>
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20171111161836.23356-3-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15820.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
*-inline.h files are not very useful anymore.
In the attempt of cleaning up the code some more,
merge them into their main header files.
At the same time, move functions from forward.h
to forward.c, when they are used only in the latter.
No functional change is part of this patch.
Cc: Steffan Karger <steffan@karger.me>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20171112084830.22912-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15838.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
In the attempt of getting rid of any pf-inline.h file, we need
to make sure that inline functions do not trigger any circular
include dependency.
For this reason, avoid pf_c2c/addr_test() to be 'struct context'
aware, so that pf-inline.h does not need to rely on the content
of openvpn.h.
Cc: Steffan Karger <steffan@karger.me>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20171111161836.23356-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15822.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
This makes the tls_ctx_restrict_ciphers function more readable and
clean ups the code a bit more.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20181006080617.18136-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20181006080617.18136-1-arne@rfc2549.org
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
This patch provides better naming and description
for functions which deal with backup/restore NCP-negotiable
options.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1538818219-18141-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/search?l=mid&q=1538818219-18141-1-git-send-email-lstipakov@gmail.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Patch: V2 Do not use C99 style comments
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181005131632.32515-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17565.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Move writing the message buffer to the interactive service pipe and
reading acknowledgement to a function.
A minor bug in open_tun where the ack data could be read even after
a communication error is fixed.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1538510474-27602-3-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17519.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Currently, if dhcp on the TAP interface is disabled, OpenVPN
on Windows tries to enable it using netsh but that succeeds only when
run with admin privileges.
When interactive service is available, delegate this task to the
service.
Trac: #1111
Tested on Windows 7
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1538510474-27602-2-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17517.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Only refactoring to reduce code-duplication, no functional changes.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1538510474-27602-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17518.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Commit 6b495dc4c5cfc118091ddc9c19330b3c9e3e3dff introduced
RSA_meth_set_sign, which is OpenSSL 1.1.0 and newer. Add a compatibility
definition.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181005122330.31431-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20181005122330.31431-1-arne@rfc2549.org
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
In case of TLS 1.2 signatures, the callback rsa_priv_enc() gets
the hash with the DigestInfo prepended. Signing this using
NCryptSignHash() with hash algorithm id set to NULL works in most cases.
But when using some hardware tokens, the data gets interpreted as the pre
TLS 1.2 MD5+SHA1 hash and is silently truncated to 36 bytes.
Avoid this by passing the raw hash to NCryptSignHash() and let it
add the DigestInfo.
To get the raw hash we set the RSA_sign() method in the rsa_method
structure. This callback bypasses rsa_priv_enc() and gets called with
the hash type and the hash.
Fixes Trac #1050
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1524752664-27946-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16840.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
NCP negotiation can alter options. On reconnect
client sends possibly altered options while server
expects original values. This leads to warnings
in log and, if server uses --opt-verify, breaks
reconnect.
Fix by decouple setting/unsetting NCP options from
the state of TLS context. At startup (and once per sighup)
we load original values to c->c1, which persists over
sigusr1 (restart). When tearing tunnel down we restore
(possibly altered) options back to original values.
Trac: #1105
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1537449154-26879-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17477.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
This patch enables building openvpn with Visual Studio 2017.
It is advised to use openvpn-build/msvs/build.bat which
also downloads and build required dependencies.
Changes made:
- updated path to Visual Studio toolchain
- updated platform toolset
- added missing libraries
- added x64 configurations
- enabled AEAD ciphers to make NCP work
- enabled unicode support
- updated source files in project settings
- fix includes
- restored variable which was erroneously removed
- added properties file which sets required env variables
(required to build with IDE)
- etc
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Simon Rozman <simon@rozman.si>
Message-Id: <1538141209-32330-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17499.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Commit 98bfeeb4 introduced a memory leak in SSL_CTX_use_certificate by
removing the "if(x509) { ... }" bit while not changing the
"else if(x) {}" right after to an "if(x) {}".
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20180926192706.29460-1-steffan@karger.me>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Instead of using mbedtls's pkcs11 module, reuse the code we already have
for management-external-key to also do pkcs11 signatures. As far as mbed
is concerned, we simply provide an external signature.
This has the following advantages:
* We no longer need mbed TLS to be compiled with the pkcs11 modules
enabled (which is not enabled by default). This makes it easier to use
a system/distribution-provided mbed shared library.
* We no longer have a dependency on pkcs11-helper through mbed TLS. So if
we want to migrate to some other pkcs11 lib (see e.g. trac #491, #538
and #549 for reason why), this will be easier.
While touching this code, switch from M_FATAL to M_WARN and proper error
handling. This improves the error reporting, and helps prevent potential
future DoS attacks if someone starts using these functions on peer input.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1536916459-25900-3-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17463.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
This prepares for reusing this code from the mbedtls pkcs11 implementation.
The change itself should not have any functional impact.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1536916459-25900-2-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17465.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
The cert and key loading logic surrounding management-external-key and
management-external cert was somewhat intertwined. Untangle these to
prepare for making the external key code more reusable.
The best part is that this even reduces the number of lines of code.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1536916459-25900-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17464.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Trac-Ticket: #851
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20180912110701.31609-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17460.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Both functions are never used, so let's get rid of them.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1537374009-11133-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17473.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
The c.es env_set is (re)allocated for each "sighup loop iteration", while
it was free'd only once at process shutdown. Move the env_set_destroy()
call to match the same level as the env_set_create() call to fix that.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1535550583-21825-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17429.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
... instead of when it doesn't fail. Looks like 'someone' mixed up the
mbedtls return style (0 means success) with the openvpn internal return
style (true means success).
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <1535544286-29638-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17428.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Signed-off-by: Adam Ciarcin?ski <adam@netbsd.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <8110ED8B-4084-4D47-87E2-7B1C14041268@netbsd.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17399.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Rewrite buf_write_string_file to buffer_write_file, which is simpler to
use and can deal with not-null-terminated strings. Mostly implemented so
this can be easily reused for tls-crypt-v2 (client) key files.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Tested-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <1533542553-7383-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17371.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
In the auth-pam plugin correctly parse the static challenge string
even when password or challenge response is empty.
Whether an empty user input is an error is determined by the PAM
conversation function depending on whether the PAM module queries
for it or not.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1533696271-21799-2-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17382.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
This was missed in commit 6690769f78bbfb889fef2a54088d979896c87d51
that exported base64_encode and base64_decode() functions.
Also check the version is >= 5 in auth-pam plugin to ensure
that the base64_decode function pointer can be referenced.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1533696271-21799-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/search?l=mid&q=1533696271-21799-1-git-send-email-selva.nair@gmail.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
If static challenge is in use, the password passed to the plugin by openvpn
is of the form "SCRV1:base64-pass:base64-response". Parse this string to
separate it into password and response and use them to respond to queries
in the pam conversation function.
On the plugin parameters line the substitution keyword for the static
challenge response is "OTP". For example, for pam config named "test" that
prompts for "user", "password" and "pin", use
plugin openvpn-auth-pam.so "test user USERNAME password PASSWORD pin OTP"
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1532486093-24793-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17307.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
This patch builds on the "Export secure_memzero() to plug-ins" patch and
adds export of openvpn_base64_encode() and openvpn_base64_decode()
This also ships with a very simple plug-in which demonstrates how to use
the new exported functions.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20170505214624.11675-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14558.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Different VPN servers may use different tls-auth/crypt keys.
For this reason it is convenient to make tls-auth/crypt
per-connection-block options so that the user is allowed to
specify one key per remote.
If no tls-auth/crypt option is specified in a given connection
block, the global settings, if any, are used.
Trac: #720
Cc: Steffan Karger <steffan@karger.me>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20180707090421.25953-2-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17226.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
In preparation to having tls-auth/crypt keys per connection
block, it is important to ensure that such material is always
reloaded upon SIGUSR1, no matter if `persist-key` was specified
or not.
This is required because when moving from one remote to the
other the key may change and thus the key context needs to
be refreshed.
To ensure that the `persist-key` logic will still work
as expected, the tls-auth/crypt key is pre-loaded so that
the keyfile is not required at runtime.
Trac: #720
Cc: Steffan Karger <steffan@karger.me>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20180708024517.27108-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17237.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Needed for tls-crypt-v2, but isolated enough to be reviewed as a separate
patch.
The encode API allocates memory, because it fits our typical gc-oriented
code pattern and the caller does not have to do multiple calls or
calculations to determine the required destination buffer size.
The decode API does not allocate memory, because the required destination
buffer is always smaller than the input buffer (so is easy to manage by
the caller) and does not force the caller to use the heap.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20180722100645.5813-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17284.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|