[Openvpn-devel] [XS] Change in openvpn[master]: phase2_tcp_server: fix Coverity issue 'Dereference after null check'
cron2 has submitted this change. (
http://gerrit.openvpn.net/c/openvpn/+/490?usp=email )
Change subject: phase2_tcp_server: fix Coverity issue 'Dereference after null
check'
..
phase2_tcp_server: fix Coverity issue 'Dereference after null check'
As Coverity says:
Either the check against null is unnecessary, or there may be a null
pointer dereference.
In phase2_tcp_server: Pointer is checked against null but then
dereferenced anyway
There is only one caller (link_socket_init_phase2) and it already has
an ASSERT(sig_info). So use that here was well.
v2:
- fix cleanly by actually asserting that sig_info is defined
Change-Id: I8ef199463d46303129a3f563fd9eace780a58b8a
Signed-off-by: Frank Lichtenheld
Acked-by: Arne Schwabe
Message-Id: <20240325071448.12143-1-g...@greenie.muc.de>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28452.html
Signed-off-by: Gert Doering
---
M src/openvpn/socket.c
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index 57eaee2..d2b82d5 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
@@ -2005,7 +2005,8 @@
phase2_tcp_server(struct link_socket *sock, const char *remote_dynamic,
struct signal_info *sig_info)
{
-volatile int *signal_received = sig_info ? _info->signal_received :
NULL;
+ASSERT(sig_info);
+volatile int *signal_received = _info->signal_received;
switch (sock->mode)
{
case LS_MODE_DEFAULT:
@@ -2031,7 +2032,7 @@
false);
if (!socket_defined(sock->sd))
{
-register_signal(sig_info, SIGTERM, "socket-undefiled");
+register_signal(sig_info, SIGTERM, "socket-undefined");
return;
}
tcp_connection_established(>info.lsa->actual);
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/490?usp=email
To unsubscribe, or for help writing mail filters, visit
http://gerrit.openvpn.net/settings
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I8ef199463d46303129a3f563fd9eace780a58b8a
Gerrit-Change-Number: 490
Gerrit-PatchSet: 3
Gerrit-Owner: flichtenheld
Gerrit-Reviewer: cron2
Gerrit-Reviewer: plaisthos
Gerrit-CC: openvpn-devel
Gerrit-MessageType: merged
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [S] Change in openvpn[master]: Fix snprintf/swnprintf related compiler warnings
Attention is currently required from: flichtenheld.
Hello flichtenheld,
I'd like you to do a code review.
Please visit
http://gerrit.openvpn.net/c/openvpn/+/549?usp=email
to review the following change.
Change subject: Fix snprintf/swnprintf related compiler warnings
..
Fix snprintf/swnprintf related compiler warnings
When openvpn_snprintf is replaced by snprintf the GCC/MSVC compiler
will perform additional checks that the result is not truncated.
This warning can be avoid by either explicitly the return value
of snprintf (proxy) or ensuring that it is never truncated(tls crypt)
Change-Id: If23988a05dd53a519c5e57f2aa3b2d10bd29df1d
Signed-off-by: Arne Schwabe
---
M src/openvpn/proxy.c
M src/openvpn/socks.c
M src/openvpn/ssl_openssl.c
M src/openvpn/tls_crypt.c
M src/openvpnserv/interactive.c
5 files changed, 25 insertions(+), 17 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/49/549/1
diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c
index c904301..5c1cdcb 100644
--- a/src/openvpn/proxy.c
+++ b/src/openvpn/proxy.c
@@ -948,17 +948,21 @@
}
/* send digest response */
-openvpn_snprintf(buf, sizeof(buf), "Proxy-Authorization:
Digest username=\"%s\", realm=\"%s\", nonce=\"%s\", uri=\"%s\", qop=%s, nc=%s,
cnonce=\"%s\", response=\"%s\"%s",
- username,
- realm,
- nonce,
- uri,
- qop,
- nonce_count,
- cnonce,
- response,
- opaque_kv
- );
+int sret = openvpn_snprintf(buf, sizeof(buf),
"Proxy-Authorization: Digest username=\"%s\", realm=\"%s\", nonce=\"%s\",
uri=\"%s\", qop=%s, nc=%s, cnonce=\"%s\", response=\"%s\"%s",
+username,
+realm,
+nonce,
+uri,
+qop,
+nonce_count,
+cnonce,
+response,
+opaque_kv
+);
+if (sret >= sizeof(buf))
+{
+goto error;
+}
msg(D_PROXY, "Send to HTTP proxy: '%s'", buf);
if (!send_line_crlf(sd, buf))
{
diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c
index d842666..b046910 100644
--- a/src/openvpn/socks.c
+++ b/src/openvpn/socks.c
@@ -109,8 +109,11 @@
"Authentication not possible.");
goto cleanup;
}
-openvpn_snprintf(to_send, sizeof(to_send), "\x01%c%s%c%s", (int)
strlen(creds.username),
- creds.username, (int) strlen(creds.password),
creds.password);
+int sret = openvpn_snprintf(to_send, sizeof(to_send), "\x01%c%s%c%s",
+(int) strlen(creds.username), creds.username,
+(int) strlen(creds.password), creds.password);
+ASSERT(sret <= sizeof(to_send));
+
size = send(sd, to_send, strlen(to_send), MSG_NOSIGNAL);
if (size != strlen(to_send))
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 4383e98..6f29c3d 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -2069,7 +2069,7 @@
#endif
#ifndef OPENSSL_NO_EC
-char groupname[256];
+char groupname[64];
if (is_ec)
{
size_t len;
@@ -2130,7 +2130,7 @@
print_cert_details(X509 *cert, char *buf, size_t buflen)
{
EVP_PKEY *pkey = X509_get_pubkey(cert);
-char pkeybuf[128] = { 0 };
+char pkeybuf[64] = { 0 };
print_pkey_details(pkey, pkeybuf, sizeof(pkeybuf));
char sig[128] = { 0 };
diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index 975d31f..6ef1c7d 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -575,7 +575,7 @@
char metadata_type_str[4] = { 0 }; /* Max value: 255 */
openvpn_snprintf(metadata_type_str, sizeof(metadata_type_str),
- "%i", metadata_type);
+ "%i", (uint8_t) metadata_type);
struct env_set *es = env_set_create(NULL);
setenv_str(es, "script_type", "tls-crypt-v2-verify");
setenv_str(es, "metadata_type", metadata_type_str);
diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
index 452633c..d32223c 100644
--- a/src/openvpnserv/interactive.c
+++ b/src/openvpnserv/interactive.c
@@ -33,6 +33,7 @@
#include
#include
#include
+#include
[Openvpn-devel] [XS] Change in openvpn[master]: phase2_tcp_server: fix Coverity issue 'Dereference after null check'
cron2 has uploaded a new patch set (#3) to the change originally created by
flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/490?usp=email )
The following approvals got outdated and were removed:
Code-Review+2 by plaisthos
Change subject: phase2_tcp_server: fix Coverity issue 'Dereference after null
check'
..
phase2_tcp_server: fix Coverity issue 'Dereference after null check'
As Coverity says:
Either the check against null is unnecessary, or there may be a null
pointer dereference.
In phase2_tcp_server: Pointer is checked against null but then
dereferenced anyway
There is only one caller (link_socket_init_phase2) and it already has
an ASSERT(sig_info). So use that here was well.
v2:
- fix cleanly by actually asserting that sig_info is defined
Change-Id: I8ef199463d46303129a3f563fd9eace780a58b8a
Signed-off-by: Frank Lichtenheld
Acked-by: Arne Schwabe
Message-Id: <20240325071448.12143-1-g...@greenie.muc.de>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28452.html
Signed-off-by: Gert Doering
---
M src/openvpn/socket.c
1 file changed, 3 insertions(+), 2 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/90/490/3
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index 57eaee2..d2b82d5 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
@@ -2005,7 +2005,8 @@
phase2_tcp_server(struct link_socket *sock, const char *remote_dynamic,
struct signal_info *sig_info)
{
-volatile int *signal_received = sig_info ? _info->signal_received :
NULL;
+ASSERT(sig_info);
+volatile int *signal_received = _info->signal_received;
switch (sock->mode)
{
case LS_MODE_DEFAULT:
@@ -2031,7 +2032,7 @@
false);
if (!socket_defined(sock->sd))
{
-register_signal(sig_info, SIGTERM, "socket-undefiled");
+register_signal(sig_info, SIGTERM, "socket-undefined");
return;
}
tcp_connection_established(>info.lsa->actual);
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/490?usp=email
To unsubscribe, or for help writing mail filters, visit
http://gerrit.openvpn.net/settings
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I8ef199463d46303129a3f563fd9eace780a58b8a
Gerrit-Change-Number: 490
Gerrit-PatchSet: 3
Gerrit-Owner: flichtenheld
Gerrit-Reviewer: cron2
Gerrit-Reviewer: plaisthos
Gerrit-CC: openvpn-devel
Gerrit-MessageType: newpatchset
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: phase2_tcp_server: fix Coverity issue 'Dereference after null check'
This is arguably a correct fix, though we could go a bit further in terms of refactoring and fully get rid of signal_received - if my understanding of the code is correct, it's only passed to a single function (socket_listen_accept()), which is only called from here - so "just pass on sig_info and use that" would be a bit less convoluted. But that's refactoring, so for future master... Lightly tested on the server framework. Your patch has been applied to the master and release/2.6 branch. commit e8c629fe64c67ea0a8454753be99db44df7ce53e (master) commit 5591af17694d98054da2cdf4cfd42508a8a4fb8e (release/2.6) Author: Frank Lichtenheld Date: Mon Mar 25 08:14:48 2024 +0100 phase2_tcp_server: fix Coverity issue 'Dereference after null check' Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240325071448.12143-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28452.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [XS] Change in openvpn[master]: Use snprintf instead of sprintf for get_ssl_library_version
cron2 has uploaded a new patch set (#2) to the change originally created by
plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/545?usp=email )
The following approvals got outdated and were removed:
Code-Review+2 by flichtenheld
Change subject: Use snprintf instead of sprintf for get_ssl_library_version
..
Use snprintf instead of sprintf for get_ssl_library_version
This is avoid a warning/error (when using -Werror) under current macOS
of sprintf:
__deprecated_msg("This function is provided for compatibility
reasons only. Due to security concerns inherent in the design
of sprintf(3), it is highly recommended that you use snprintf(3)
instead.")
Change-Id: I3c6fd36eb9daee9244d6dc6d9f22de1c5cf9d039
Signed-off-by: Arne Schwabe
Acked-by: Frank Lichtenheld
Message-Id: <20240325125052.14135-1-g...@greenie.muc.de>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28458.html
Signed-off-by: Gert Doering
---
M src/openvpn/ssl_mbedtls.c
1 file changed, 1 insertion(+), 1 deletion(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/45/545/2
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index b44ddd5..0730d25 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -1614,7 +1614,7 @@
{
static char mbedtls_version[30];
unsigned int pv = mbedtls_version_get_number();
-sprintf( mbedtls_version, "mbed TLS %d.%d.%d",
+snprintf(mbedtls_version, sizeof(mbedtls_version), "mbed TLS %d.%d.%d",
(pv>>24)&0xff, (pv>>16)&0xff, (pv>>8)&0xff );
return mbedtls_version;
}
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/545?usp=email
To unsubscribe, or for help writing mail filters, visit
http://gerrit.openvpn.net/settings
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I3c6fd36eb9daee9244d6dc6d9f22de1c5cf9d039
Gerrit-Change-Number: 545
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos
Gerrit-Reviewer: flichtenheld
Gerrit-CC: openvpn-devel
Gerrit-MessageType: newpatchset
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [XS] Change in openvpn[master]: Use snprintf instead of sprintf for get_ssl_library_version
cron2 has submitted this change. (
http://gerrit.openvpn.net/c/openvpn/+/545?usp=email )
Change subject: Use snprintf instead of sprintf for get_ssl_library_version
..
Use snprintf instead of sprintf for get_ssl_library_version
This is avoid a warning/error (when using -Werror) under current macOS
of sprintf:
__deprecated_msg("This function is provided for compatibility
reasons only. Due to security concerns inherent in the design
of sprintf(3), it is highly recommended that you use snprintf(3)
instead.")
Change-Id: I3c6fd36eb9daee9244d6dc6d9f22de1c5cf9d039
Signed-off-by: Arne Schwabe
Acked-by: Frank Lichtenheld
Message-Id: <20240325125052.14135-1-g...@greenie.muc.de>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28458.html
Signed-off-by: Gert Doering
---
M src/openvpn/ssl_mbedtls.c
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index b44ddd5..0730d25 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -1614,7 +1614,7 @@
{
static char mbedtls_version[30];
unsigned int pv = mbedtls_version_get_number();
-sprintf( mbedtls_version, "mbed TLS %d.%d.%d",
+snprintf(mbedtls_version, sizeof(mbedtls_version), "mbed TLS %d.%d.%d",
(pv>>24)&0xff, (pv>>16)&0xff, (pv>>8)&0xff );
return mbedtls_version;
}
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/545?usp=email
To unsubscribe, or for help writing mail filters, visit
http://gerrit.openvpn.net/settings
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I3c6fd36eb9daee9244d6dc6d9f22de1c5cf9d039
Gerrit-Change-Number: 545
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos
Gerrit-Reviewer: flichtenheld
Gerrit-CC: openvpn-devel
Gerrit-MessageType: merged
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Use snprintf instead of sprintf for get_ssl_library_version
Your patch has been applied to the master and release/2.6 branch (because this is good behaviour, even if we know there can not be an overrun - today). Tested on... Linux, with "library versions: mbed TLS 2.28.7, LZO 2.10" FreeBSD, with "library versions: mbed TLS 3.5.1, LZO 2.10" commit 6a60d1bef424088df55f4d07efd45ce080fc7132 (master) commit 11ca69cfac1c6d3ed34652650688a4b3c99573b0 (release/2.6) Author: Arne Schwabe Date: Mon Mar 25 13:50:52 2024 +0100 Use snprintf instead of sprintf for get_ssl_library_version Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20240325125052.14135-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28458.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [S] Change in openvpn[master]: documentation: make section levels consistent
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/527?usp=email ) Change subject: documentation: make section levels consistent .. documentation: make section levels consistent Previously the sections "Encryption Options" and "Data channel cipher negotiation" were on the same level as "OPTIONS", which makes no sense. Instead move them and their subsections one level down. Use ` since that was already in use in section "Virtual Routing and Forwarding". Change-Id: Ib5a7f9a978bda5ad58830e43580232660401f66d Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240325071520.12513-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28453.html Signed-off-by: Gert Doering --- M doc/man-sections/cipher-negotiation.rst M doc/man-sections/encryption-options.rst M doc/man-sections/pkcs11-options.rst M doc/man-sections/renegotiation.rst M doc/man-sections/tls-options.rst 5 files changed, 14 insertions(+), 14 deletions(-) diff --git a/doc/man-sections/cipher-negotiation.rst b/doc/man-sections/cipher-negotiation.rst index 949ff86..1285e82 100644 --- a/doc/man-sections/cipher-negotiation.rst +++ b/doc/man-sections/cipher-negotiation.rst @@ -1,12 +1,12 @@ Data channel cipher negotiation -=== +--- OpenVPN 2.4 and higher have the capability to negotiate the data cipher that is used to encrypt data packets. This section describes the mechanism in more detail and the different backwards compatibility mechanism with older server and clients. OpenVPN 2.5 and later behaviour - +``` When both client and server are at least running OpenVPN 2.5, that the order of the ciphers of the server's ``--data-ciphers`` is used to pick the data cipher. That means that the first cipher in that list that is also in the client's @@ -25,7 +25,7 @@ ``--cipher`` option to this list. OpenVPN 2.4 clients +``` The negotiation support in OpenVPN 2.4 was the first iteration of the implementation and still had some quirks. Its main goal was "upgrade to AES-256-GCM when possible". An OpenVPN 2.4 client that is built against a crypto library that supports AES in GCM @@ -40,7 +40,7 @@ options to avoid this behaviour. OpenVPN 3 clients -- +` Clients based on the OpenVPN 3.x library (https://github.com/openvpn/openvpn3/) do not have a configurable ``--ncp-ciphers`` or ``--data-ciphers`` option. Newer versions by default disable legacy AES-CBC, BF-CBC, and DES-CBC ciphers. @@ -52,7 +52,7 @@ OpenVPN 2.3 and older clients (and clients with ``--ncp-disable``) --- +`` When a client without cipher negotiation support connects to a server the cipher specified with the ``--cipher`` option in the client configuration must be included in the ``--data-ciphers`` option of the server to allow @@ -65,7 +65,7 @@ cipher used by the client is necessary. OpenVPN 2.4 server --- +`` When a client indicates support for `AES-128-GCM` and `AES-256-GCM` (with ``IV_NCP=2``) an OpenVPN 2.4 server will send the first cipher of the ``--ncp-ciphers`` to the OpenVPN client regardless of what @@ -76,7 +76,7 @@ those ciphers are present. OpenVPN 2.3 and older servers (and servers with ``--ncp-disable``) --- +`` The cipher used by the server must be included in ``--data-ciphers`` to allow the client connecting to a server without cipher negotiation support. @@ -89,7 +89,7 @@ cipher used by the server is necessary. Blowfish in CBC mode (BF-CBC) deprecation --- +` The ``--cipher`` option defaulted to `BF-CBC` in OpenVPN 2.4 and older version. The default was never changed to ensure backwards compatibility. In OpenVPN 2.5 this behaviour has now been changed so that if the ``--cipher`` diff --git a/doc/man-sections/encryption-options.rst b/doc/man-sections/encryption-options.rst index 3b26782..49385d6 100644 --- a/doc/man-sections/encryption-options.rst +++ b/doc/man-sections/encryption-options.rst @@ -1,8 +1,8 @@ Encryption Options -== +-- SSL Library information +``` --show-ciphers (Standalone) Show all cipher algorithms to use with the ``--cipher`` @@ -32,7 +32,7 @@ ``--ecdh-curve`` and ``tls-groups`` options. Generating key material +``` --genkey args (Standalone) Generate a key to be used of the
[Openvpn-devel] [S] Change in openvpn[master]: documentation: make section levels consistent
cron2 has uploaded a new patch set (#3) to the change originally created by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/527?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by plaisthos Change subject: documentation: make section levels consistent .. documentation: make section levels consistent Previously the sections "Encryption Options" and "Data channel cipher negotiation" were on the same level as "OPTIONS", which makes no sense. Instead move them and their subsections one level down. Use ` since that was already in use in section "Virtual Routing and Forwarding". Change-Id: Ib5a7f9a978bda5ad58830e43580232660401f66d Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240325071520.12513-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28453.html Signed-off-by: Gert Doering --- M doc/man-sections/cipher-negotiation.rst M doc/man-sections/encryption-options.rst M doc/man-sections/pkcs11-options.rst M doc/man-sections/renegotiation.rst M doc/man-sections/tls-options.rst 5 files changed, 14 insertions(+), 14 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/27/527/3 diff --git a/doc/man-sections/cipher-negotiation.rst b/doc/man-sections/cipher-negotiation.rst index 949ff86..1285e82 100644 --- a/doc/man-sections/cipher-negotiation.rst +++ b/doc/man-sections/cipher-negotiation.rst @@ -1,12 +1,12 @@ Data channel cipher negotiation -=== +--- OpenVPN 2.4 and higher have the capability to negotiate the data cipher that is used to encrypt data packets. This section describes the mechanism in more detail and the different backwards compatibility mechanism with older server and clients. OpenVPN 2.5 and later behaviour - +``` When both client and server are at least running OpenVPN 2.5, that the order of the ciphers of the server's ``--data-ciphers`` is used to pick the data cipher. That means that the first cipher in that list that is also in the client's @@ -25,7 +25,7 @@ ``--cipher`` option to this list. OpenVPN 2.4 clients +``` The negotiation support in OpenVPN 2.4 was the first iteration of the implementation and still had some quirks. Its main goal was "upgrade to AES-256-GCM when possible". An OpenVPN 2.4 client that is built against a crypto library that supports AES in GCM @@ -40,7 +40,7 @@ options to avoid this behaviour. OpenVPN 3 clients -- +` Clients based on the OpenVPN 3.x library (https://github.com/openvpn/openvpn3/) do not have a configurable ``--ncp-ciphers`` or ``--data-ciphers`` option. Newer versions by default disable legacy AES-CBC, BF-CBC, and DES-CBC ciphers. @@ -52,7 +52,7 @@ OpenVPN 2.3 and older clients (and clients with ``--ncp-disable``) --- +`` When a client without cipher negotiation support connects to a server the cipher specified with the ``--cipher`` option in the client configuration must be included in the ``--data-ciphers`` option of the server to allow @@ -65,7 +65,7 @@ cipher used by the client is necessary. OpenVPN 2.4 server --- +`` When a client indicates support for `AES-128-GCM` and `AES-256-GCM` (with ``IV_NCP=2``) an OpenVPN 2.4 server will send the first cipher of the ``--ncp-ciphers`` to the OpenVPN client regardless of what @@ -76,7 +76,7 @@ those ciphers are present. OpenVPN 2.3 and older servers (and servers with ``--ncp-disable``) --- +`` The cipher used by the server must be included in ``--data-ciphers`` to allow the client connecting to a server without cipher negotiation support. @@ -89,7 +89,7 @@ cipher used by the server is necessary. Blowfish in CBC mode (BF-CBC) deprecation --- +` The ``--cipher`` option defaulted to `BF-CBC` in OpenVPN 2.4 and older version. The default was never changed to ensure backwards compatibility. In OpenVPN 2.5 this behaviour has now been changed so that if the ``--cipher`` diff --git a/doc/man-sections/encryption-options.rst b/doc/man-sections/encryption-options.rst index 3b26782..49385d6 100644 --- a/doc/man-sections/encryption-options.rst +++ b/doc/man-sections/encryption-options.rst @@ -1,8 +1,8 @@ Encryption Options -== +-- SSL Library information +``` --show-ciphers (Standalone) Show all cipher algorithms to use with the
[Openvpn-devel] [PATCH applied] Re: documentation: make section levels consistent
Your patch has been applied to the master and release/2.6 branch (doc). commit 3fdf5aa04f7b96a3b7110f75306306ac5d7ed5fd (master) commit 7993084c7f2b537e20a0a0d67385733d7d56688c (release/2.6) Author: Frank Lichtenheld Date: Mon Mar 25 08:15:20 2024 +0100 documentation: make section levels consistent Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240325071520.12513-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28453.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [XS] Change in openvpn[master]: mbedtls: avoid warning with GCC 13+
Attention is currently required from: plaisthos.
Hello plaisthos,
I'd like you to do a code review.
Please visit
http://gerrit.openvpn.net/c/openvpn/+/548?usp=email
to review the following change.
Change subject: mbedtls: avoid warning with GCC 13+
..
mbedtls: avoid warning with GCC 13+
crypto_mbedtls.c:568:1: error:
conflicting types for ‘cipher_ctx_init’ due to enum/integer mismatch;
have ‘void(mbedtls_cipher_context_t *, const uint8_t *, const char *, const
mbedtls_operation_t)’
[...] [-Werror=enum-int-mismatch]
crypto_backend.h:341:6: note:
previous declaration of ‘cipher_ctx_init’ with type
‘void(cipher_ctx_t *, const uint8_t *, const char *, int)’ [...]
Previous compiler versions did not complain.
Change-Id: If0dcdde30879fd6185efb2ad31399c1629c04d22
Signed-off-by: Frank Lichtenheld
---
M src/openvpn/crypto_mbedtls.c
1 file changed, 2 insertions(+), 1 deletion(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/48/548/1
diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c
index 1a39752..91485cb 100644
--- a/src/openvpn/crypto_mbedtls.c
+++ b/src/openvpn/crypto_mbedtls.c
@@ -566,11 +566,12 @@
void
cipher_ctx_init(mbedtls_cipher_context_t *ctx, const uint8_t *key,
-const char *ciphername, const mbedtls_operation_t operation)
+const char *ciphername, int enc)
{
ASSERT(NULL != ciphername && NULL != ctx);
CLEAR(*ctx);
+const mbedtls_operation_t operation = (mbedtls_operation_t)enc;
const mbedtls_cipher_info_t *kt = cipher_get(ciphername);
ASSERT(kt);
size_t key_bitlen = mbedtls_cipher_info_get_key_bitlen(kt);
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/548?usp=email
To unsubscribe, or for help writing mail filters, visit
http://gerrit.openvpn.net/settings
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: If0dcdde30879fd6185efb2ad31399c1629c04d22
Gerrit-Change-Number: 548
Gerrit-PatchSet: 1
Gerrit-Owner: flichtenheld
Gerrit-Reviewer: plaisthos
Gerrit-CC: openvpn-devel
Gerrit-Attention: plaisthos
Gerrit-MessageType: newchange
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [M] Change in openvpn[master]: samples: Update sample configurations
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/532?usp=email ) Change subject: samples: Update sample configurations .. samples: Update sample configurations - Remove compression settings. Not recommended anymore. - Remove old cipher setting. Replaced by data-ciphers negotiation. - Add comment how to set data-ciphers for very old clients. - Remove/reword some old comments. e.g. no need to reference OpenVPN 1.x anymore. - Mention peer-fingerprint alternative. - comment out "tls-auth" as that is not needed for a bare-bones VPN config and needs additional setup. Github: #511 Change-Id: I1a36651c0dea52259533ffc00bccb9b03bf82e26 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240325071320.11348-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28451.html Signed-off-by: Gert Doering --- M sample/sample-config-files/README M sample/sample-config-files/client.conf M sample/sample-config-files/server.conf 3 files changed, 33 insertions(+), 43 deletions(-) diff --git a/sample/sample-config-files/README b/sample/sample-config-files/README index d53ac79..1493dab 100644 --- a/sample/sample-config-files/README +++ b/sample/sample-config-files/README @@ -4,3 +4,5 @@ which is located at: http://openvpn.net/howto.html + +See also the openvpn-examples man page. diff --git a/sample/sample-config-files/client.conf b/sample/sample-config-files/client.conf index f51e017..53b8027 100644 --- a/sample/sample-config-files/client.conf +++ b/sample/sample-config-files/client.conf @@ -1,5 +1,5 @@ ## -# Sample client-side OpenVPN 2.0 config file # +# Sample client-side OpenVPN 2.6 config file # # for connecting to multi-client server. # ## # This configuration can be used by multiple # @@ -102,22 +102,15 @@ # EasyRSA can do this for you. remote-cert-tls server +# Allow to connect to really old OpenVPN versions +# without AEAD support (OpenVPN 2.3.x or older) +# This adds AES-256-CBC as fallback cipher and +# keeps the modern ciphers as well. +;data-ciphers AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305:AES-256-CBC + # If a tls-auth key is used on the server # then every client must also have the key. -tls-auth ta.key 1 - -# Select a cryptographic cipher. -# If the cipher option is used on the server -# then you must also specify it here. -# Note that v2.4 client/server will automatically -# negotiate AES-256-GCM in TLS mode. -# See also the data-ciphers option in the manpage -cipher AES-256-CBC - -# Enable compression on the VPN link. -# Don't enable this unless it is also -# enabled in the server config file. -#comp-lzo +;tls-auth ta.key 1 # Set log file verbosity. verb 3 diff --git a/sample/sample-config-files/server.conf b/sample/sample-config-files/server.conf index 97732c6..48716a0 100644 --- a/sample/sample-config-files/server.conf +++ b/sample/sample-config-files/server.conf @@ -1,5 +1,5 @@ # -# Sample OpenVPN 2.0 config file for# +# Sample OpenVPN 2.6 config file for# # multi-client server. # # # # This file is for the server side # @@ -47,15 +47,15 @@ # an explicit unit number, such as tun0. # On Windows, use "dev-node" for this. # On most systems, the VPN will not function -# unless you partially or fully disable +# unless you partially or fully disable/open # the firewall for the TUN/TAP interface. ;dev tap dev tun # Windows needs the TAP-Win32 adapter name # from the Network Connections panel if you -# have more than one. On XP SP2 or higher, -# you may need to selectively disable the +# have more than one. +# You may need to selectively disable the # Windows firewall for the TAP adapter. # Non-Windows systems usually don't need this. ;dev-node MyTap @@ -66,8 +66,9 @@ # key file. The server and all clients will # use the same ca file. # -# See the "easy-rsa" directory for a series -# of scripts for generating RSA certificates +# See the "easy-rsa" project at +# https://github.com/OpenVPN/easy-rsa +# for generating RSA certificates # and private keys. Remember to use # a unique Common Name for the server # and each of the client certificates. @@ -75,6 +76,13 @@ # Any X509 key management system can be used. # OpenVPN can also use a PKCS #12 formatted key file # (see "pkcs12" directive in man page). +# +# If you do not want to maintain a CA +# and have a small number of clients +# you can also use self-signed certificates +# and use the peer-fingerprint option. +# See openvpn-examples man page for a +# configuration example. ca ca.crt cert server.crt key server.key # This file should be kept secret @@ -84,12 +92,18 @@ # openssl dhparam -out dh2048.pem 2048
[Openvpn-devel] [M] Change in openvpn[master]: samples: Update sample configurations
cron2 has uploaded a new patch set (#5) to the change originally created by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/532?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by plaisthos Change subject: samples: Update sample configurations .. samples: Update sample configurations - Remove compression settings. Not recommended anymore. - Remove old cipher setting. Replaced by data-ciphers negotiation. - Add comment how to set data-ciphers for very old clients. - Remove/reword some old comments. e.g. no need to reference OpenVPN 1.x anymore. - Mention peer-fingerprint alternative. - comment out "tls-auth" as that is not needed for a bare-bones VPN config and needs additional setup. Github: #511 Change-Id: I1a36651c0dea52259533ffc00bccb9b03bf82e26 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240325071320.11348-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28451.html Signed-off-by: Gert Doering --- M sample/sample-config-files/README M sample/sample-config-files/client.conf M sample/sample-config-files/server.conf 3 files changed, 33 insertions(+), 43 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/32/532/5 diff --git a/sample/sample-config-files/README b/sample/sample-config-files/README index d53ac79..1493dab 100644 --- a/sample/sample-config-files/README +++ b/sample/sample-config-files/README @@ -4,3 +4,5 @@ which is located at: http://openvpn.net/howto.html + +See also the openvpn-examples man page. diff --git a/sample/sample-config-files/client.conf b/sample/sample-config-files/client.conf index f51e017..53b8027 100644 --- a/sample/sample-config-files/client.conf +++ b/sample/sample-config-files/client.conf @@ -1,5 +1,5 @@ ## -# Sample client-side OpenVPN 2.0 config file # +# Sample client-side OpenVPN 2.6 config file # # for connecting to multi-client server. # ## # This configuration can be used by multiple # @@ -102,22 +102,15 @@ # EasyRSA can do this for you. remote-cert-tls server +# Allow to connect to really old OpenVPN versions +# without AEAD support (OpenVPN 2.3.x or older) +# This adds AES-256-CBC as fallback cipher and +# keeps the modern ciphers as well. +;data-ciphers AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305:AES-256-CBC + # If a tls-auth key is used on the server # then every client must also have the key. -tls-auth ta.key 1 - -# Select a cryptographic cipher. -# If the cipher option is used on the server -# then you must also specify it here. -# Note that v2.4 client/server will automatically -# negotiate AES-256-GCM in TLS mode. -# See also the data-ciphers option in the manpage -cipher AES-256-CBC - -# Enable compression on the VPN link. -# Don't enable this unless it is also -# enabled in the server config file. -#comp-lzo +;tls-auth ta.key 1 # Set log file verbosity. verb 3 diff --git a/sample/sample-config-files/server.conf b/sample/sample-config-files/server.conf index 97732c6..48716a0 100644 --- a/sample/sample-config-files/server.conf +++ b/sample/sample-config-files/server.conf @@ -1,5 +1,5 @@ # -# Sample OpenVPN 2.0 config file for# +# Sample OpenVPN 2.6 config file for# # multi-client server. # # # # This file is for the server side # @@ -47,15 +47,15 @@ # an explicit unit number, such as tun0. # On Windows, use "dev-node" for this. # On most systems, the VPN will not function -# unless you partially or fully disable +# unless you partially or fully disable/open # the firewall for the TUN/TAP interface. ;dev tap dev tun # Windows needs the TAP-Win32 adapter name # from the Network Connections panel if you -# have more than one. On XP SP2 or higher, -# you may need to selectively disable the +# have more than one. +# You may need to selectively disable the # Windows firewall for the TAP adapter. # Non-Windows systems usually don't need this. ;dev-node MyTap @@ -66,8 +66,9 @@ # key file. The server and all clients will # use the same ca file. # -# See the "easy-rsa" directory for a series -# of scripts for generating RSA certificates +# See the "easy-rsa" project at +# https://github.com/OpenVPN/easy-rsa +# for generating RSA certificates # and private keys. Remember to use # a unique Common Name for the server # and each of the client certificates. @@ -75,6 +76,13 @@ # Any X509 key management system can be used. # OpenVPN can also use a PKCS #12 formatted key file # (see "pkcs12" directive in man page). +# +# If you do not want to maintain a CA +# and have a small number of clients +# you can also use self-signed certificates +# and use the peer-fingerprint
[Openvpn-devel] [PATCH applied] Re: samples: Update sample configurations
Thanks for the housekeeping... As discussed on IRC, I've added text about tls-auth being commented out to the commit message. Your patch has been applied to the master and release/2.6 branch (relevant documentation update). commit b0fc10abd06fa2307e95c8a60fa94f7ccc08d2ac (master) commit 371cc5874faf67057c9f95796195306beeba0628 (release/2.6) Author: Frank Lichtenheld Date: Mon Mar 25 08:13:20 2024 +0100 samples: Update sample configurations Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240325071320.11348-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28451.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] Use snprintf instead of sprintf for get_ssl_library_version
From: Arne Schwabe
This is avoid a warning/error (when using -Werror) under current macOS
of sprintf:
__deprecated_msg("This function is provided for compatibility
reasons only. Due to security concerns inherent in the design
of sprintf(3), it is highly recommended that you use snprintf(3)
instead.")
Change-Id: I3c6fd36eb9daee9244d6dc6d9f22de1c5cf9d039
Signed-off-by: Arne Schwabe
Acked-by: Frank Lichtenheld
---
This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/545
This mail reflects revision 1 of this Change.
Signed-off-by line for the author was added as per our policy.
Acked-by according to Gerrit (reflected above):
Frank Lichtenheld
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index b44ddd5..0730d25 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -1614,7 +1614,7 @@
{
static char mbedtls_version[30];
unsigned int pv = mbedtls_version_get_number();
-sprintf( mbedtls_version, "mbed TLS %d.%d.%d",
+snprintf(mbedtls_version, sizeof(mbedtls_version), "mbed TLS %d.%d.%d",
(pv>>24)&0xff, (pv>>16)&0xff, (pv>>8)&0xff );
return mbedtls_version;
}
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [XS] Change in openvpn[master]: Add bracket in fingerprint message and do not warn about missing veri...
Attention is currently required from: plaisthos. flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/546?usp=email ) Change subject: Add bracket in fingerprint message and do not warn about missing verification .. Patch Set 1: Code-Review+2 (1 comment) File src/openvpn/init.c: http://gerrit.openvpn.net/c/openvpn/+/546/comment/bb7e46be_e6b178c9 : PS1, Line 3598: && !(o->verify_hash_depth ==0 && o->verify_hash)) > verify-hash does only verify the hash on a CA/intermediate CA, so it is an > more a restriction to --c […] Acknowledged -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/546?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ia73d53002f4ba2658af18c17cce1b68f79de5781 Gerrit-Change-Number: 546 Gerrit-PatchSet: 1 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-CC: ordex Gerrit-Attention: plaisthos Gerrit-Comment-Date: Mon, 25 Mar 2024 12:44:55 + Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Comment-In-Reply-To: plaisthos Comment-In-Reply-To: flichtenheld Gerrit-MessageType: comment ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [XS] Change in openvpn[master]: Use snprintf instead of sprintf for get_ssl_library_version
Attention is currently required from: plaisthos. flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/545?usp=email ) Change subject: Use snprintf instead of sprintf for get_ssl_library_version .. Patch Set 1: Code-Review+2 (1 comment) File src/openvpn/ssl_mbedtls.c: http://gerrit.openvpn.net/c/openvpn/+/545/comment/d36b1b05_0b5bc893 : PS1, Line 1617: snprintf(mbedtls_version, sizeof(mbedtls_version), "mbed TLS %d.%d.%d", > I think we probably want to get rid of openvpn_snprintf instead. […] Acknowledged -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/545?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I3c6fd36eb9daee9244d6dc6d9f22de1c5cf9d039 Gerrit-Change-Number: 545 Gerrit-PatchSet: 1 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-Comment-Date: Mon, 25 Mar 2024 12:42:39 + Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Comment-In-Reply-To: plaisthos Comment-In-Reply-To: flichtenheld Gerrit-MessageType: comment ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [L] Change in openvpn[master]: Remove openvpn_snprintf and similar functions
Attention is currently required from: flichtenheld. plaisthos has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/547?usp=email ) Change subject: Remove openvpn_snprintf and similar functions .. Patch Set 1: Code-Review-1 (1 comment) Patchset: PS1: not -Werror clean yet -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/547?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I07096977e3b562bcb5d2c6f11673a4175b8e12ac Gerrit-Change-Number: 547 Gerrit-PatchSet: 1 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: ordex Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-Attention: flichtenheld Gerrit-Comment-Date: Mon, 25 Mar 2024 11:14:07 + Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Gerrit-MessageType: comment ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] Remove openvpn_snprintf and similar functions
From: Arne Schwabe
Old Microsoft versions did strange behaviour but according to the
newly added unit test and
https://stackoverflow.com/questions/7706936/is-snprintf-always-null-terminating
this is now standard conforming and we can use the normal snprintf
method.
Microsoft own documentation to swprintf also says you nowadays need to
define _CRT_NON_CONFORMING_SWPRINTFS to get to non-standard behaviour.
Change-Id: I07096977e3b562bcb5d2c6f11673a4175b8e12ac
Signed-off-by: Arne Schwabe
Acked-by: Antonio Quartulli
---
This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/547
This mail reflects revision 1 of this Change.
Signed-off-by line for the author was added as per our policy.
Acked-by according to Gerrit (reflected above):
Antonio Quartulli
diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c
index 66fd63f..3a8069c 100644
--- a/src/openvpn/buffer.c
+++ b/src/openvpn/buffer.c
@@ -279,32 +279,6 @@
return ret;
}
-
-/*
- * This is necessary due to certain buggy implementations of snprintf,
- * that don't guarantee null termination for size > 0.
- *
- * Return false on overflow.
- *
- * This functionality is duplicated in src/openvpnserv/common.c
- * Any modifications here should be done to the other place as well.
- */
-
-bool
-openvpn_snprintf(char *str, size_t size, const char *format, ...)
-{
-va_list arglist;
-int len = -1;
-if (size > 0)
-{
-va_start(arglist, format);
-len = vsnprintf(str, size, format, arglist);
-va_end(arglist);
-str[size - 1] = 0;
-}
-return (len >= 0 && len < size);
-}
-
/*
* write a string to the end of a buffer that was
* truncated by buf_printf
diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h
index 7c2f75a..27c3199 100644
--- a/src/openvpn/buffer.h
+++ b/src/openvpn/buffer.h
@@ -448,19 +448,6 @@
*/
bool buf_puts(struct buffer *buf, const char *str);
-/*
- * Like snprintf but guarantees null termination for size > 0
- */
-bool openvpn_snprintf(char *str, size_t size, const char *format, ...)
-#ifdef __GNUC__
-#if __USE_MINGW_ANSI_STDIO
-__attribute__ ((format(gnu_printf, 3, 4)))
-#else
-__attribute__ ((format(__printf__, 3, 4)))
-#endif
-#endif
-;
-
/*
* remove/add trailing characters
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 5d05cc4..207f145 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -874,11 +874,11 @@
key_direction_state_init(, key_direction);
-openvpn_snprintf(log_prefix, sizeof(log_prefix), "Outgoing %s", name);
+snprintf(log_prefix, sizeof(log_prefix), "Outgoing %s", name);
init_key_ctx(>encrypt, >keys[kds.out_key], kt,
OPENVPN_OP_ENCRYPT, log_prefix);
-openvpn_snprintf(log_prefix, sizeof(log_prefix), "Incoming %s", name);
+snprintf(log_prefix, sizeof(log_prefix), "Incoming %s", name);
init_key_ctx(>decrypt, >keys[kds.in_key], kt,
OPENVPN_OP_DECRYPT, log_prefix);
diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c
index 1a39752..c806719 100644
--- a/src/openvpn/crypto_mbedtls.c
+++ b/src/openvpn/crypto_mbedtls.c
@@ -128,7 +128,7 @@
{
char prefix[256];
-if (!openvpn_snprintf(prefix, sizeof(prefix), "%s:%d", func, line))
+if (!snprintf(prefix, sizeof(prefix), "%s:%d", func, line))
{
return mbed_log_err(flags, errval, func);
}
@@ -239,11 +239,11 @@
char header[1000+1] = { 0 };
char footer[1000+1] = { 0 };
-if (!openvpn_snprintf(header, sizeof(header), "-BEGIN %s-\n",
name))
+if (!snprintf(header, sizeof(header), "-BEGIN %s-\n", name))
{
return false;
}
-if (!openvpn_snprintf(footer, sizeof(footer), "-END %s-\n", name))
+if (!snprintf(footer, sizeof(footer), "-END %s-\n", name))
{
return false;
}
@@ -278,11 +278,11 @@
char header[1000+1] = { 0 };
char footer[1000+1] = { 0 };
-if (!openvpn_snprintf(header, sizeof(header), "-BEGIN %s-", name))
+if (!snprintf(header, sizeof(header), "-BEGIN %s-", name))
{
return false;
}
-if (!openvpn_snprintf(footer, sizeof(footer), "-END %s-", name))
+if (!snprintf(footer, sizeof(footer), "-END %s-", name))
{
return false;
}
diff --git a/src/openvpn/dns.c b/src/openvpn/dns.c
index 7de3991..0539ca5 100644
--- a/src/openvpn/dns.c
+++ b/src/openvpn/dns.c
@@ -349,11 +349,11 @@
if (j < 0)
{
-name_ok = openvpn_snprintf(name, sizeof(name), format, i);
+name_ok = snprintf(name, sizeof(name), format, i);
}
else
{
-name_ok = openvpn_snprintf(name, sizeof(name), format, i, j);
+name_ok = snprintf(name, sizeof(name), format, i, j);
}
if (!name_ok)
diff --git a/src/openvpn/env_set.c b/src/openvpn/env_set.c
index
[Openvpn-devel] [PATCH v2] documentation: make section levels consistent
From: Frank Lichtenheld Previously the sections "Encryption Options" and "Data channel cipher negotiation" were on the same level as "OPTIONS", which makes no sense. Instead move them and their subsections one level down. Use ` since that was already in use in section "Virtual Routing and Forwarding". Change-Id: Ib5a7f9a978bda5ad58830e43580232660401f66d Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/527 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/doc/man-sections/cipher-negotiation.rst b/doc/man-sections/cipher-negotiation.rst index 949ff86..1285e82 100644 --- a/doc/man-sections/cipher-negotiation.rst +++ b/doc/man-sections/cipher-negotiation.rst @@ -1,12 +1,12 @@ Data channel cipher negotiation -=== +--- OpenVPN 2.4 and higher have the capability to negotiate the data cipher that is used to encrypt data packets. This section describes the mechanism in more detail and the different backwards compatibility mechanism with older server and clients. OpenVPN 2.5 and later behaviour - +``` When both client and server are at least running OpenVPN 2.5, that the order of the ciphers of the server's ``--data-ciphers`` is used to pick the data cipher. That means that the first cipher in that list that is also in the client's @@ -25,7 +25,7 @@ ``--cipher`` option to this list. OpenVPN 2.4 clients +``` The negotiation support in OpenVPN 2.4 was the first iteration of the implementation and still had some quirks. Its main goal was "upgrade to AES-256-GCM when possible". An OpenVPN 2.4 client that is built against a crypto library that supports AES in GCM @@ -40,7 +40,7 @@ options to avoid this behaviour. OpenVPN 3 clients -- +` Clients based on the OpenVPN 3.x library (https://github.com/openvpn/openvpn3/) do not have a configurable ``--ncp-ciphers`` or ``--data-ciphers`` option. Newer versions by default disable legacy AES-CBC, BF-CBC, and DES-CBC ciphers. @@ -52,7 +52,7 @@ OpenVPN 2.3 and older clients (and clients with ``--ncp-disable``) --- +`` When a client without cipher negotiation support connects to a server the cipher specified with the ``--cipher`` option in the client configuration must be included in the ``--data-ciphers`` option of the server to allow @@ -65,7 +65,7 @@ cipher used by the client is necessary. OpenVPN 2.4 server --- +`` When a client indicates support for `AES-128-GCM` and `AES-256-GCM` (with ``IV_NCP=2``) an OpenVPN 2.4 server will send the first cipher of the ``--ncp-ciphers`` to the OpenVPN client regardless of what @@ -76,7 +76,7 @@ those ciphers are present. OpenVPN 2.3 and older servers (and servers with ``--ncp-disable``) --- +`` The cipher used by the server must be included in ``--data-ciphers`` to allow the client connecting to a server without cipher negotiation support. @@ -89,7 +89,7 @@ cipher used by the server is necessary. Blowfish in CBC mode (BF-CBC) deprecation --- +` The ``--cipher`` option defaulted to `BF-CBC` in OpenVPN 2.4 and older version. The default was never changed to ensure backwards compatibility. In OpenVPN 2.5 this behaviour has now been changed so that if the ``--cipher`` diff --git a/doc/man-sections/encryption-options.rst b/doc/man-sections/encryption-options.rst index 3b26782..49385d6 100644 --- a/doc/man-sections/encryption-options.rst +++ b/doc/man-sections/encryption-options.rst @@ -1,8 +1,8 @@ Encryption Options -== +-- SSL Library information +``` --show-ciphers (Standalone) Show all cipher algorithms to use with the ``--cipher`` @@ -32,7 +32,7 @@ ``--ecdh-curve`` and ``tls-groups`` options. Generating key material +``` --genkey args (Standalone) Generate a key to be used of the type keytype. if keyfile diff --git a/doc/man-sections/pkcs11-options.rst b/doc/man-sections/pkcs11-options.rst index de1662b..dfc27af 100644 --- a/doc/man-sections/pkcs11-options.rst +++ b/doc/man-sections/pkcs11-options.rst @@ -1,5 +1,5 @@ PKCS#11 / SmartCard options +``` --pkcs11-cert-private args Set if
[Openvpn-devel] [PATCH v2] phase2_tcp_server: fix Coverity issue "Dereference after null check"
From: Frank Lichtenheld
As Coverity says:
Either the check against null is unnecessary, or there may be a null
pointer dereference.
In phase2_tcp_server: Pointer is checked against null but then
dereferenced anyway
There is only one caller (link_socket_init_phase2) and it already has
an ASSERT(sig_info). So use that here was well.
v2:
- fix cleanly by actually asserting that sig_info is defined
Change-Id: I8ef199463d46303129a3f563fd9eace780a58b8a
Signed-off-by: Frank Lichtenheld
Acked-by: Arne Schwabe
---
This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/490
This mail reflects revision 2 of this Change.
Acked-by according to Gerrit (reflected above):
Arne Schwabe
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index 480f4e5..387cb40 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
@@ -2005,7 +2005,8 @@
phase2_tcp_server(struct link_socket *sock, const char *remote_dynamic,
struct signal_info *sig_info)
{
-volatile int *signal_received = sig_info ? _info->signal_received :
NULL;
+ASSERT(sig_info);
+volatile int *signal_received = _info->signal_received;
switch (sock->mode)
{
case LS_MODE_DEFAULT:
@@ -2031,7 +2032,7 @@
false);
if (!socket_defined(sock->sd))
{
-register_signal(sig_info, SIGTERM, "socket-undefiled");
+register_signal(sig_info, SIGTERM, "socket-undefined");
return;
}
tcp_connection_established(>info.lsa->actual);
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v4] samples: Update sample configurations
From: Frank Lichtenheld - Remove compression settings. Not recommended anymore. - Remove old cipher setting. Replaced by data-ciphers negotiation. - Add comment how to set data-ciphers for very old clients. - Remove/reword some old comments. e.g. no need to reference OpenVPN 1.x anymore. - Mention peer-fingerprint alternative. Github: #511 Change-Id: I1a36651c0dea52259533ffc00bccb9b03bf82e26 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/532 This mail reflects revision 4 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/sample/sample-config-files/README b/sample/sample-config-files/README index d53ac79..1493dab 100644 --- a/sample/sample-config-files/README +++ b/sample/sample-config-files/README @@ -4,3 +4,5 @@ which is located at: http://openvpn.net/howto.html + +See also the openvpn-examples man page. diff --git a/sample/sample-config-files/client.conf b/sample/sample-config-files/client.conf index f51e017..53b8027 100644 --- a/sample/sample-config-files/client.conf +++ b/sample/sample-config-files/client.conf @@ -1,5 +1,5 @@ ## -# Sample client-side OpenVPN 2.0 config file # +# Sample client-side OpenVPN 2.6 config file # # for connecting to multi-client server. # ## # This configuration can be used by multiple # @@ -102,22 +102,15 @@ # EasyRSA can do this for you. remote-cert-tls server +# Allow to connect to really old OpenVPN versions +# without AEAD support (OpenVPN 2.3.x or older) +# This adds AES-256-CBC as fallback cipher and +# keeps the modern ciphers as well. +;data-ciphers AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305:AES-256-CBC + # If a tls-auth key is used on the server # then every client must also have the key. -tls-auth ta.key 1 - -# Select a cryptographic cipher. -# If the cipher option is used on the server -# then you must also specify it here. -# Note that v2.4 client/server will automatically -# negotiate AES-256-GCM in TLS mode. -# See also the data-ciphers option in the manpage -cipher AES-256-CBC - -# Enable compression on the VPN link. -# Don't enable this unless it is also -# enabled in the server config file. -#comp-lzo +;tls-auth ta.key 1 # Set log file verbosity. verb 3 diff --git a/sample/sample-config-files/server.conf b/sample/sample-config-files/server.conf index 97732c6..48716a0 100644 --- a/sample/sample-config-files/server.conf +++ b/sample/sample-config-files/server.conf @@ -1,5 +1,5 @@ # -# Sample OpenVPN 2.0 config file for# +# Sample OpenVPN 2.6 config file for# # multi-client server. # # # # This file is for the server side # @@ -47,15 +47,15 @@ # an explicit unit number, such as tun0. # On Windows, use "dev-node" for this. # On most systems, the VPN will not function -# unless you partially or fully disable +# unless you partially or fully disable/open # the firewall for the TUN/TAP interface. ;dev tap dev tun # Windows needs the TAP-Win32 adapter name # from the Network Connections panel if you -# have more than one. On XP SP2 or higher, -# you may need to selectively disable the +# have more than one. +# You may need to selectively disable the # Windows firewall for the TAP adapter. # Non-Windows systems usually don't need this. ;dev-node MyTap @@ -66,8 +66,9 @@ # key file. The server and all clients will # use the same ca file. # -# See the "easy-rsa" directory for a series -# of scripts for generating RSA certificates +# See the "easy-rsa" project at +# https://github.com/OpenVPN/easy-rsa +# for generating RSA certificates # and private keys. Remember to use # a unique Common Name for the server # and each of the client certificates. @@ -75,6 +76,13 @@ # Any X509 key management system can be used. # OpenVPN can also use a PKCS #12 formatted key file # (see "pkcs12" directive in man page). +# +# If you do not want to maintain a CA +# and have a small number of clients +# you can also use self-signed certificates +# and use the peer-fingerprint option. +# See openvpn-examples man page for a +# configuration example. ca ca.crt cert server.crt key server.key # This file should be kept secret @@ -84,12 +92,18 @@ # openssl dhparam -out dh2048.pem 2048 dh dh2048.pem +# Allow to connect to really old OpenVPN versions +# without AEAD support (OpenVPN 2.3.x or older) +# This adds AES-256-CBC as fallback cipher and +# keeps the modern ciphers as well. +;data-ciphers AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305:AES-256-CBC + # Network topology # Should be subnet (addressing via IP) # unless Windows clients v2.0.9 and lower have to # be
