Re: [Openvpn-devel] [PATCH release/2.6] Remove --tls-export-cert
On 22/11/2023 22:51, Gert Doering wrote: Hi, On Wed, Nov 22, 2023 at 03:31:10PM +0100, David Sommerseth wrote: From: David Sommerseth As OpenVPN 2.6+ is doing some adoptions to the license text, all prior contributors need to accept this new text. Unfortunately, Mathieu Giannecchini who implemented the --tls-export-cert feature did not respond at all. Without an explicit acceptance we need to remove this feature to avoid potential legal complications. If this is still a wanted feature, it will need to be re-implemented from scratch. Is this significantly different from the "master" patch that it needs an extra 2.6 patch? (So now I have 4 patches to deal with, not "1 that goes to master + release/2.6"...) The "second set" should just be offset changes between master and release/2.6. I did it that way so you wouldn't need to be worried about any merge conflicts. It is based on the latest heads of master and release/2.6. If you want to just cherry-pick the master patches for 2.6, that's all fine by me. Also if you want to squash them into a single commit as well. These patches are purely intended to ease the merging process, as in "no conflicts expected". And to indicate that this is both master + release/2.6 material. The main reason I overlooked the x509_write_pem() function was that Adriaan de Jong refactored out that functionality from the main feature function into a dedicated function back in the days with the SSL/TLS refactoring to support PolarSSL. -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] Remove superfluous x509_write_pem()
From: David Sommerseth
After removing --tls-export-cert, this function was left in the code
base with no other users. This was an oversight in the previous
change. Removing it to avoid leaving dead code behind.
Signed-off-by: David Sommerseth
---
src/openvpn/ssl_verify_backend.h | 11 ---
src/openvpn/ssl_verify_mbedtls.c | 7 ---
src/openvpn/ssl_verify_openssl.c | 11 ---
3 files changed, 29 deletions(-)
diff --git a/src/openvpn/ssl_verify_backend.h b/src/openvpn/ssl_verify_backend.h
index 3b798811..d402b1f2 100644
--- a/src/openvpn/ssl_verify_backend.h
+++ b/src/openvpn/ssl_verify_backend.h
@@ -249,17 +249,6 @@ result_t x509_verify_cert_ku(openvpn_x509_cert_t *x509,
const unsigned *const ex
*/
result_t x509_verify_cert_eku(openvpn_x509_cert_t *x509, const char *const
expected_oid);
-/*
- * Store the given certificate in pem format in a temporary file in tmp_dir
- *
- * @param cert Certificate to store
- * @param tmp_dir Temporary directory to store the directory
- * @param gcgc_arena to store temporary objects in
- *
- *
- */
-result_t x509_write_pem(FILE *peercert_file, openvpn_x509_cert_t *peercert);
-
/**
* Return true iff a CRL is configured, but is not loaded. This can be caused
* by e.g. a CRL parsing error, a missing CRL file or CRL file permission
diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c
index a1ddf8d0..4596843c 100644
--- a/src/openvpn/ssl_verify_mbedtls.c
+++ b/src/openvpn/ssl_verify_mbedtls.c
@@ -547,13 +547,6 @@ x509_verify_cert_eku(mbedtls_x509_crt *cert, const char
*const expected_oid)
return fFound;
}
-result_t
-x509_write_pem(FILE *peercert_file, mbedtls_x509_crt *peercert)
-{
-msg(M_WARN, "mbed TLS does not support writing peer certificate in PEM
format");
-return FAILURE;
-}
-
bool
tls_verify_crl_missing(const struct tls_options *opt)
{
diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index 3194c232..5afffc1f 100644
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -762,17 +762,6 @@ x509_verify_cert_eku(X509 *x509, const char *const
expected_oid)
return fFound;
}
-result_t
-x509_write_pem(FILE *peercert_file, X509 *peercert)
-{
-if (PEM_write_X509(peercert_file, peercert) < 0)
-{
-msg(M_NONFATAL, "Failed to write peer certificate in PEM format");
-return FAILURE;
-}
-return SUCCESS;
-}
-
bool
tls_verify_crl_missing(const struct tls_options *opt)
{
--
2.39.3
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] Remove superfluous x509_write_pem()
From: David Sommerseth
After removing --tls-export-cert, this function was left in the code
base with no other users. This was an oversight in the previous
change. Removing it to avoid leaving dead code behind.
Signed-off-by: David Sommerseth
---
src/openvpn/ssl_verify_backend.h | 11 ---
src/openvpn/ssl_verify_mbedtls.c | 7 ---
src/openvpn/ssl_verify_openssl.c | 11 ---
3 files changed, 29 deletions(-)
diff --git a/src/openvpn/ssl_verify_backend.h b/src/openvpn/ssl_verify_backend.h
index 3b798811..d402b1f2 100644
--- a/src/openvpn/ssl_verify_backend.h
+++ b/src/openvpn/ssl_verify_backend.h
@@ -249,17 +249,6 @@ result_t x509_verify_cert_ku(openvpn_x509_cert_t *x509,
const unsigned *const ex
*/
result_t x509_verify_cert_eku(openvpn_x509_cert_t *x509, const char *const
expected_oid);
-/*
- * Store the given certificate in pem format in a temporary file in tmp_dir
- *
- * @param cert Certificate to store
- * @param tmp_dir Temporary directory to store the directory
- * @param gcgc_arena to store temporary objects in
- *
- *
- */
-result_t x509_write_pem(FILE *peercert_file, openvpn_x509_cert_t *peercert);
-
/**
* Return true iff a CRL is configured, but is not loaded. This can be caused
* by e.g. a CRL parsing error, a missing CRL file or CRL file permission
diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c
index ce213246..56121394 100644
--- a/src/openvpn/ssl_verify_mbedtls.c
+++ b/src/openvpn/ssl_verify_mbedtls.c
@@ -536,13 +536,6 @@ x509_verify_cert_eku(mbedtls_x509_crt *cert, const char
*const expected_oid)
return fFound;
}
-result_t
-x509_write_pem(FILE *peercert_file, mbedtls_x509_crt *peercert)
-{
-msg(M_WARN, "mbed TLS does not support writing peer certificate in PEM
format");
-return FAILURE;
-}
-
bool
tls_verify_crl_missing(const struct tls_options *opt)
{
diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index 3194c232..5afffc1f 100644
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -762,17 +762,6 @@ x509_verify_cert_eku(X509 *x509, const char *const
expected_oid)
return fFound;
}
-result_t
-x509_write_pem(FILE *peercert_file, X509 *peercert)
-{
-if (PEM_write_X509(peercert_file, peercert) < 0)
-{
-msg(M_NONFATAL, "Failed to write peer certificate in PEM format");
-return FAILURE;
-}
-return SUCCESS;
-}
-
bool
tls_verify_crl_missing(const struct tls_options *opt)
{
--
2.39.3
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH release/2.6] Remove --tls-export-cert
From: David Sommerseth As OpenVPN 2.6+ is doing some adoptions to the license text, all prior contributors need to accept this new text. Unfortunately, Mathieu Giannecchini who implemented the --tls-export-cert feature did not respond at all. Without an explicit acceptance we need to remove this feature to avoid potential legal complications. If this is still a wanted feature, it will need to be re-implemented from scratch. Signed-off-by: David Sommerseth --- README.mbedtls | 1 - doc/man-sections/script-options.rst | 4 -- doc/man-sections/tls-options.rst| 7 src/openvpn/init.c | 1 - src/openvpn/options.c | 14 --- src/openvpn/options.h | 1 - src/openvpn/ssl_common.h| 1 - src/openvpn/ssl_verify.c| 60 + 8 files changed, 2 insertions(+), 87 deletions(-) diff --git a/README.mbedtls b/README.mbedtls index d3466fa9..24a9c224 100644 --- a/README.mbedtls +++ b/README.mbedtls @@ -40,5 +40,4 @@ in the mbed TLS version of OpenVPN: Plugin/Script features: * X.509 subject line has a different format than the OpenSSL subject line - * X.509 certificate export does not work * X.509 certificate tracking diff --git a/doc/man-sections/script-options.rst b/doc/man-sections/script-options.rst index 8c0be0cd..38dcfa2b 100644 --- a/doc/man-sections/script-options.rst +++ b/doc/man-sections/script-options.rst @@ -813,10 +813,6 @@ instances. translations will be recorded rather than their names as denoted on the command line or configuration file. -:code:`peer_cert` -Temporary file name containing the client certificate upon connection. -Useful in conjunction with ``--tls-verify``. - :code:`script_context` Set to "init" or "restart" prior to up/down script execution. For more information, see documentation for ``--up``. diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index d51aff77..45009f7c 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst @@ -539,13 +539,6 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa --tls-exit Exit on TLS negotiation failure. ---tls-export-cert directory - Store the certificates the clients use upon connection to this - directory. This will be done before ``--tls-verify`` is called. The - certificates will use a temporary name and will be deleted when the - tls-verify script returns. The file name used for the certificate is - available via the ``peer_cert`` environment variable. - --tls-server Enable TLS and assume server role during TLS handshake. Note that OpenVPN is designed as a peer-to-peer application. The designation of diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 079c4f5e..f4ab1635 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -,7 +,6 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) } to.verify_command = options->tls_verify; -to.verify_export_cert = options->tls_export_cert; to.verify_x509_type = (options->verify_x509_type & 0xff); to.verify_x509_name = options->verify_x509_name; to.crl_file = options->crl_file; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 7ca77a8e..dc18b332 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -647,9 +647,6 @@ static const char usage_message[] = " tests of certification. cmd should return 0 to allow\n" " TLS handshake to proceed, or 1 to fail. (cmd is\n" " executed as 'cmd certificate_depth subject')\n" -"--tls-export-cert [directory] : Get peer cert in PEM format and store it \n" -" in an openvpn temporary file in [directory]. Peer cert is \n" -" stored before tls-verify script execution and deleted after.\n" "--verify-x509-name name: Accept connections only from a host with X509 subject\n" " DN name. The remote host must also pass all other tests\n" " of verification.\n" @@ -1998,7 +1995,6 @@ show_settings(const struct options *o) SHOW_STR(cipher_list_tls13); SHOW_STR(tls_cert_profile); SHOW_STR(tls_verify); -SHOW_STR(tls_export_cert); SHOW_INT(verify_x509_type); SHOW_STR(verify_x509_name); SHOW_STR_INLINE(crl_file); @@ -3061,7 +3057,6 @@ options_postprocess_verify_ce(const struct options *options, MUST_BE_UNDEF(cipher_list_tls13); MUST_BE_UNDEF(tls_cert_profile); MUST_BE_UNDEF(tls_verify); -MUST_BE_UNDEF(tls_export_cert); MUST_BE_UNDEF(verify_x509_name); MUST_BE_UNDEF(tls_timeout); MUST_BE_UNDEF(renegotiate_bytes); @@ -4117,8 +4112,6 @@ options_postprocess_filec
[Openvpn-devel] [PATCH master] Remove --tls-export-cert
From: David Sommerseth As OpenVPN 2.6+ is doing some adoptions to the license text, all prior contributors need to accept this new text. Unfortunately, Mathieu Giannecchini who implemented the --tls-export-cert feature did not respond at all. Without an explicit acceptance we need to remove this feature to avoid potential legal complications. If this is still a wanted feature, it will need to be re-implemented from scratch. Signed-off-by: David Sommerseth --- README.mbedtls | 1 - doc/man-sections/script-options.rst | 4 -- doc/man-sections/tls-options.rst| 7 src/openvpn/init.c | 1 - src/openvpn/options.c | 14 --- src/openvpn/options.h | 1 - src/openvpn/ssl_common.h| 1 - src/openvpn/ssl_verify.c| 60 + 8 files changed, 2 insertions(+), 87 deletions(-) diff --git a/README.mbedtls b/README.mbedtls index ed9d3691..124eaa2b 100644 --- a/README.mbedtls +++ b/README.mbedtls @@ -38,7 +38,6 @@ in the mbed TLS version of OpenVPN: Plugin/Script features: * X.509 subject line has a different format than the OpenSSL subject line - * X.509 certificate export does not work * X.509 certificate tracking * diff --git a/doc/man-sections/script-options.rst b/doc/man-sections/script-options.rst index 8c0be0cd..38dcfa2b 100644 --- a/doc/man-sections/script-options.rst +++ b/doc/man-sections/script-options.rst @@ -813,10 +813,6 @@ instances. translations will be recorded rather than their names as denoted on the command line or configuration file. -:code:`peer_cert` -Temporary file name containing the client certificate upon connection. -Useful in conjunction with ``--tls-verify``. - :code:`script_context` Set to "init" or "restart" prior to up/down script execution. For more information, see documentation for ``--up``. diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index 908a42a1..56da886f 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst @@ -555,13 +555,6 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa --tls-exit Exit on TLS negotiation failure. ---tls-export-cert directory - Store the certificates the clients use upon connection to this - directory. This will be done before ``--tls-verify`` is called. The - certificates will use a temporary name and will be deleted when the - tls-verify script returns. The file name used for the certificate is - available via the ``peer_cert`` environment variable. - --tls-server Enable TLS and assume server role during TLS handshake. Note that OpenVPN is designed as a peer-to-peer application. The designation of diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 8c707a46..659c79e3 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3323,7 +3323,6 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) } to.verify_command = options->tls_verify; -to.verify_export_cert = options->tls_export_cert; to.verify_x509_type = (options->verify_x509_type & 0xff); to.verify_x509_name = options->verify_x509_name; to.crl_file = options->crl_file; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 2594b665..1521872d 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -638,9 +638,6 @@ static const char usage_message[] = " tests of certification. cmd should return 0 to allow\n" " TLS handshake to proceed, or 1 to fail. (cmd is\n" " executed as 'cmd certificate_depth subject')\n" -"--tls-export-cert [directory] : Get peer cert in PEM format and store it \n" -" in an openvpn temporary file in [directory]. Peer cert is \n" -" stored before tls-verify script execution and deleted after.\n" "--verify-x509-name name: Accept connections only from a host with X509 subject\n" " DN name. The remote host must also pass all other tests\n" " of verification.\n" @@ -1989,7 +1986,6 @@ show_settings(const struct options *o) SHOW_STR(cipher_list_tls13); SHOW_STR(tls_cert_profile); SHOW_STR(tls_verify); -SHOW_STR(tls_export_cert); SHOW_INT(verify_x509_type); SHOW_STR(verify_x509_name); SHOW_STR_INLINE(crl_file); @@ -3052,7 +3048,6 @@ options_postprocess_verify_ce(const struct options *options, MUST_BE_UNDEF(cipher_list_tls13); MUST_BE_UNDEF(tls_cert_profile); MUST_BE_UNDEF(tls_verify); -MUST_BE_UNDEF(tls_export_cert); MUST_BE_UNDEF(verify_x509_name); MUST_BE_UNDEF(tls_
[Openvpn-devel] OpenVPN 3 Linux v21 released
more easily in the logs. * Improvements: OpenVPN 3 Configuration Manager feature support tracking When upgrading OpenVPN 3 Linux versions, there might be situations where an older OpenVPN 3 Configuration Manager will be running but the openvpn3 command line tool is newer. When the command line tool attempts to access features in the Configuration Manager backed not available, it would result in an error and a poorer user experience. The code providing the glue interface for the calling side (openvpn3) has been extended with a feature/version mapping, so it can filter out operations not supported if the backend version is lacking certain functions. In most cases, the openvpn3 config commands will then continue to work as before, just not providing access to features available in newer back-ends. A similar functionality is planned for the Session Manager and is being considered for the OpenVPN 3 Python module. * Improvements: OpenVPN 3 Python module Configuration profiles from OpenVPN Access Server and some times OpenVPN Cloud Connexa will often contain "meta options", typically prefixed with "# OVPN_". The Python parser would not accept several of the deprecated meta options. The parser has now been extended to filter out those options not needed, used or supported by the OpenVPN 3 Core Library. * Improvements: Adjustments needed to satisfy Debian packaging Several minor issues has been done to satisfy the Debian package linter utility. There are still some issues left, some will not be possible to improve before Debian ships with a newer dbus-daemon - as we need functionality present in a newer release. The dbus-broker is also lacking a similar functionality currently. See the _credits_ section below for a bit more details on this. * Feature: Label/tag support for imported OpenVPN configuration profiles The OpenVPN 3 Configuration Manager and the openvpn3 config-manage and configs-list commands has been extended to with the ability to add one or more text labels to configuration profiles. At import time, the openvpn3 config-import command can also assign tags immediately. Users with many imported configuration profiles can more easily filter which configurations shown with the openvpn3 configs-list command. Other tools (openvpn3-as, openvpn-connector-setup) will also make use of this feature as they are being updated, to more easily understand where a configuration profile arrived from. * Feature: JSON formatted output with openvpn3 configs-list and config-dump The list of configurations can now be retrieved as a JSON formatted list via the openvpn3 configs-lists. The openvpn3 config-dump will normally dump the normal configuration using the standard OpenVPN configuration file format. The JSON format will contain all the additional meta options, overrides and access control lists not expressed in the standard file format. This format is the same format used internally for persistent configuration profiles. * Feature: Filtering options when retrieving available configurations The openvpn3 configs-list command has been extended with several filter arguments to only extract filters with a specific tag or owner as well as a simple prefix filter on the configuration name. The OpenVPN 3 Configuration Manager also exposes two new D-Bus methods to retrieve available configuration profiles based on a tag or owner. * Feature: Simple and verbose list formats in openvpn3 configs-list The default listing in openvpn3 configs-list has been simplified and will only list one configuration profile per line now. The more comprehensive list can be retrieved using the --verbose argument. The verbose list will also include configuration tags. Supported Linux distributions - - Debian 10, 11, 12 (amd64, arm64) - Red Hat Enterprise Linux 7 (x86_64) - Red Hat Enterprise Linux 8 and 9 (x86_64, aarch64) - Ubuntu 20.04 and 22.04, (amd64, arm64) The arm64 support on selected Debian and Ubuntu releases are considered tech-preview. We would like to get feedback from arm64 users how OpenVPN 3 Linux works here, then we can remove the tech-preview label for arm64. Installation and getting started instructions can be found here: <https://community.openvpn.net/openvpn/wiki/OpenVPN3Linux> Credits --- This release has also received help from other contributors. Thank you to all of you! Antonio Quartulli Frank Lichtenheld Jeremy Fleischman mattjbyrd In addition, a "thanks in advance" goes to the work Marc Leeman is currently doing to provide a native Debian repository package for OpenVPN 3 Linux. Thanks a lot, Marc! That work can be followed here: <https://github.com/OpenVPN/openvpn3-linux/issues/193> --
Re: [Openvpn-devel] [PATCH v2] Fix StatusChangeCallback so it works without a LogCallback
On 06/09/2023 19:17, Jeremy Fleischman wrote: `StatusChangeCallback` requires that LogForward be enabled, which previously only happened in `LogCallback`. Now both of them do it, which requires a bit of bookkeeping. This fixes https://github.com/OpenVPN/openvpn3-linux/issues/197 Signed-off-by: Jeremy Fleischman --- src/python/openvpn3/SessionManager.py | 69 ++- 1 file changed, 58 insertions(+), 11 deletions(-) Thanks a lot for your patience and persistence through this review. Your patch has been put into the queue for the coming v21 release. I've not yet pushed out that branch, as I'm waiting for our QA team to complete the testing of an updated OpenVPN 3 Core library release first; which is required to be able to build OpenVPN 3 Linux from the public repos. But consider your patch applied. I've only done minor edits to some comments and commit messages, but the code itself is unchanged. I'll follow-up with an update once this commit is public. -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Fix StatusChangeCallback so it works without a LogCallback
On 05/09/2023 07:03, Jeremy Fleischman wrote: I have a feeling we're missing a check here. Got it! You're right, I've added that in the v2 version of this patch (see below). Could you send this via git-send-email, I think this is getting ready to be pulled in now. $ git send-email -v2 \ --in-reply-to 20230709231929.195048-1-jeremyfleisch...@gmail.com Thx! -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Fix StatusChangeCallback so it works without a LogCallback
On 04/09/2023 23:27, Jeremy Fleischman wrote:
elif (cbfnc is not None and self.__log_callback is not None):
# In this case, the program must first disable the
# current LogCallback() before setting a new one.
raise RuntimeError('LogCallback() is already enabled')
This should enforce only one callback function being enabled this way,
and if the callback need to be changed - it's enough to first do disable
it (LogCallback(None)) before setting the new one. And if more
callbacks functions is wanted/needed, the additional ones can be called
via the callback function registered with the LogCallback(). No need to
make this code more complicated.
That makes sense! I *think* things get a little cleaner if we move this check
to the top of the relevant functions (StatusChangeCallback and LogCallback).
Basically, by first eliminating the possibility that we're changing an existing
registered dbus callback, then we don't actually need to be as careful later on.
For example, here's an updated version of LogCallback:
def LogCallback(self, cbfnc):
if cbfnc is not None and self.__log_callback is not None:
# In this case, the program must first disable the
# current LogCallback() before setting a new one.
raise RuntimeError('LogCallback() is already enabled')
if cbfnc is not None:
self.__log_callback = cbfnc
self.__dbuscon.add_signal_receiver(cbfnc,
signal_name='Log',
dbus_interface='net.openvpn.v3.backends',
bus_name='net.openvpn.v3.log',
path=self.__session_path)
else:
# Only remove the callback if there actually *is* a callback
# currently.
if self.__log_callback is not None:
self.__dbuscon.remove_signal_receiver(self.__log_callback,
'Log')
self.__log_callback = None
self.__set_log_forward()
Does this seem safe?
I have a feeling we're missing a check here.
The first check (with the raise RuntimeError), cbfnc and __log_callback
are both set.
Next check will enable the signal receiver if cbfnc is set. The
previous check enforces __log_callback to not be set in this case; this
is probably fine - but should have a comment of this condition.
The else: clause I'm less convinced about. If cbfnc is None,
__log_callback can also be None, which would trigger a
remove_signal_receiver() call. We should avoid that.
I'm not familiar with path email etiquette/best practices. Let me know
if/when I should send a fully updated patch.
So far, we've discussed possible solutions - so it has been fine doing
it like this now. But I think with this last round, we can go for a v2
patch.
--
kind regards,
David Sommerseth
OpenVPN Inc
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Fix StatusChangeCallback so it works without a LogCallback
[re-sent to ML]
On 04/09/2023 19:51, Jeremy Fleischman wrote:
diff --git a/src/python/openvpn3/SessionManager.py
b/src/python/openvpn3/SessionManager.py
index 3632790..1a567be 100644
--- a/src/python/openvpn3/SessionManager.py
+++ b/src/python/openvpn3/SessionManager.py
@@ -114,6 +114,7 @@ def __init__(self, dbuscon, objpath):
self.__log_callback = None
self.__status_callback = None
self.__deleted = False
+self.__log_forward_enabled = False
def __del__(self):
@@ -291,16 +292,11 @@ def LogCallback(self, cbfnc):
dbus_interface='net.openvpn.v3.backends',
bus_name='net.openvpn.v3.log',
path=self.__session_path)
-self.__session_intf.LogForward(True)
else:
-try:
-self.__session_intf.LogForward(False)
-except dbus.exceptions.DBusException:
-# If this fails, the session is typically already removed
-pass
self.__dbuscon.remove_signal_receiver(self.__log_callback, 'Log')
self.__log_callback = None
Oops, this code unconditionally removes the callback, even if there
isn't currently a callback. The code below in StatusChangeCallback
first checks if there is currently a callback registered before removing
it. If `self.__dbuscon.remove_signal_receiver` is resilient to getting
passed None values for callbacks, then I suppose would could skip the
check and just unconditionally remove the callback.
Let me know what's best.
If you look at my proposal; in the LogCallback() method, I have this check:
if cbfnc is not None and self.__log_callback is None:
while you only do:
if cbfnc is not None:
I believe you need to check both (more below on that). And there is a
similar logic check when disabling the callback:
elif cbfnc is None and self.__log_callback is not None:
I believe this is the trap you fell into. Your new patch just do an "else:"
The additional final check of setting a new callback without disabling
the previous one can avoid some additional trouble. IIRC, the Python
D-Bus API will actually call multiple callbacks if add_signal_receiver()
is called more times with different callback methods. To support this,
the LogCallback() and StatusChangeCallback() methods would need to track
each callback function independently. I did not consider this a needed
feature just yet; hence the additional final check:
elif (cbfnc is not None and self.__log_callback is not None):
# In this case, the program must first disable the
# current LogCallback() before setting a new one.
raise RuntimeError('LogCallback() is already enabled')
This should enforce only one callback function being enabled this way,
and if the callback need to be changed - it's enough to first do disable
it (LogCallback(None)) before setting the new one. And if more
callbacks functions is wanted/needed, the additional ones can be called
via the callback function registered with the LogCallback(). No need to
make this code more complicated.
Otherwise, I like what you did to __set_log_forward(). That makes sense!
--
kind regards,
David Sommerseth
OpenVPN Inc
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Fix StatusChangeCallback so it works without a LogCallback
Hi Jeremy,
First of all; sorry it's taken so long time to get back to you. GH
issue #171 has unfortunately taken most of my time, so this patch went
on the side burner.
I've looked at your patch, and I wonder if it can be done a bit simpler.
I'm open to hear your views; I might have overlooked some details.
On 10/07/2023 01:19, Jeremy Fleischman wrote:
[...snip...]
@@ -285,22 +286,24 @@ def GetFormattedStatistics(self, prefix='Connection
statistics:\n', format_str='
#
def LogCallback(self, cbfnc):
if cbfnc is not None:
+# Remove the existing callback if there is one.
+if self.__log_callback is not None:
+self.LogCallback(None)
+
self.__log_callback = cbfnc
self.__dbuscon.add_signal_receiver(cbfnc,
signal_name='Log',
dbus_interface='net.openvpn.v3.backends',
bus_name='net.openvpn.v3.log',
path=self.__session_path)
-self.__session_intf.LogForward(True)
+self.__add_LogForward_receiver()
I'm wondering if this could be made cleared. The recursion is kinda
clever, but feels like it hides the purpose.
Wouldn't this code below work just as well (consider this more a concept
code than proper Python code)? Here there is no recursion and no
reference counting which could go wrong.
class Session(object):
[...]
self.__log_forward_enabled = False
def LogCallback(self, cbfnc):
if cbfnc is not None and self.__log_callback is None:
# Log Callback function is being enabled; not
# set before
self.__log_callback = cbfnc
self.__dbuscon.add_signal_receiver(cbfnc, ...)
self.__set_log_forward(True)
elif cbfnc is None and self.__log_callback is not None:
# Log Callback function is being disabled; can only
# happen because it was set
self.__dbuscon.remove_signal_receiver(self.__log_callback,
...)
self.__log_callback = None
try:
self.__set_log_forward(False)
except dbus.exception.DBusException:
pass
elif (cbfnc is not None and self.__log_callback is not None):
# In this case, the program must first disable the
# current LogCallback() before setting a new one.
raise RuntimeErrpr('LogCallback() is already enabled')
# No need to complain if unsetting an unset log callback
# function; this will not have any behavioral impact at all.
def __set_log_forward(self, enable):
# This method can only be called *after* callback
# function has been set in this object
if not self.__log_forward_enabled and enable:
# If log forwarding is disabled it can be enabled
self.__log_forward_enabled = True
self.__session_intf.LogForward(True)
elif self.__log_forward_enabled and not enable:
# Log forwarding can only be disabled if
# both Log and StatusChange callbacks are unset
if (self.__log_callback is None)
and (self.__status_callback is None):
self.__log_forward_enabled = False
self.__session_intf.LogForward(False)
The StatusChangeCallback() would need a similar implementation as
LogCallback() too.
In regards to multi-threading; I would not expect this code to be used
in a multi-threaded setup where different callbacks would be
enabled/disabled on the fly in parallel. But it might be good to add
this as a comment in general, that these methods are not considered
thread-safe. However, since the code snippets above does not use
reference counting, it should be a bit more robust as it bases the
decision on the value of the callback function pointers.
Thoughts?
--
kind regards,
David Sommerseth
OpenVPN Inc
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] ntlm: Clarify details on NTLM phase 3 decoding
On 02/08/2023 13:31, David Sommerseth wrote: From: David Sommerseth The code was very clear if we accept that the base64 decode of the There is a "not" missing in the line above: "The code was not very clear ..." I'm fine with fixing this at commit time. -- kind regards, David Sommerseth OpenVPN Inc NTLM challenge was truncated or not. Move the related code lines closer to where it first used and comment what we are not concerned about any truncation. If the decoded result is truncated, the NTLM server side will reject our new response to the challenge as it will be incorrect. The buffer size fixed and known to be in a cleared state before the decode starts. Resolves: TOB-OVPN-14 Signed-off-by: David Sommerseth --- src/openvpn/ntlm.c | 9 ++--- 1 file changed, 6 insertions(+), 3 deletions(-) ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] ntlm: Clarify details on NTLM phase 3 decoding
From: David Sommerseth
The code was very clear if we accept that the base64 decode of the
NTLM challenge was truncated or not. Move the related code lines
closer to where it first used and comment what we are not concerned
about any truncation.
If the decoded result is truncated, the NTLM server side will reject
our new response to the challenge as it will be incorrect. The
buffer size fixed and known to be in a cleared state before the
decode starts.
Resolves: TOB-OVPN-14
Signed-off-by: David Sommerseth
---
src/openvpn/ntlm.c | 9 ++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c
index 0cb0a32f..2e772141 100644
--- a/src/openvpn/ntlm.c
+++ b/src/openvpn/ntlm.c
@@ -207,7 +207,6 @@ ntlm_phase_3(const struct http_proxy_info *p, const char
*phase_2,
*/
char pwbuf[sizeof(p->up.password) * 2]; /* for unicode password */
-uint8_t buf2[128]; /* decoded reply from proxy */
uint8_t phase3[464];
uint8_t md4_hash[MD4_DIGEST_LENGTH + 5];
@@ -230,8 +229,6 @@ ntlm_phase_3(const struct http_proxy_info *p, const char
*phase_2,
bool ntlmv2_enabled = (p->auth_method == HTTP_AUTH_NTLM2);
-CLEAR(buf2);
-
ASSERT(strlen(p->up.username) > 0);
ASSERT(strlen(p->up.password) > 0);
@@ -264,6 +261,12 @@ ntlm_phase_3(const struct http_proxy_info *p, const char
*phase_2,
/* pad to 21 bytes */
memset(md4_hash + MD4_DIGEST_LENGTH, 0, 5);
+/* If the decoded challenge is shorter than required by the protocol,
+ * the missing bytes will be NULL, as buf2 is known to be zeroed
+ * when this decode happens.
+ */
+uint8_t buf2[128]; /* decoded reply from proxy */
+CLEAR(buf2);
ret_val = openvpn_base64_decode(phase_2, buf2, -1);
if (ret_val < 0)
{
--
2.39.3
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH OpenVPN3] Add 'pull' to ignored options
On 27/07/2023 14:21, Merten Fermont wrote: Hi Arne, I changed my patch to check the client and client+pull options. Giving an error when neither options are declared. This however may break current implementations that depend on 'client' not being a required option? Greetings, Merten Subject: [PATCH] Check for client options Hi, Thanks for your patch. Changes looks reasonable to me as well, and I wanted to pull it in. But it turns out that the patch has been mangled somehow. Even good old 'patch' refuses to apply anything. This is not an unknown issue with gmail.com; which is why we generally recommend to use 'git send-mail' [1]. In this specific case, resending the patch as an attachment can also work. [1] <https://git-scm.com/docs/git-send-email> -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] Automatically restart Linux systemd OpenVPN client service on failure
On 14/05/2023 14:41, Gert Doering wrote: Hi, On Sun, May 14, 2023 at 02:38:06PM +0200, Arne Schwabe wrote: Yes the option we ignore to check if we have to reopen the tun device is quite short. We should probably turn this into a positive list instead of assuming that all options need to trigger to a tun reopen/close. True, but even so - shouldn't the systemd unit file just restart the openvpn client anyway? (I see myself having to restart the OpenSolaris Community VPN client ever so often...) We had this discussion back in the days when we added the automatic restart on servers. In the unit file for openvpn-server@.service we added: RestartSec=5s Restart=on-failure We ended up only enabling this on the server config by default, as it was some good points (which I don't recall right now) about not restarting the client configs automatically. It might have been due to avoid DDoS the server in larger deployments, if a bad option would be pushed to all clients or something like that. This is anyhow very easily added on a per-config bases using a systemd feature: # systemctl edit openvpn-client@CONFIGNAME.service In the file opened in the editor, just add "[Service]" and those two lines mentioned earlier. You might want to have a bit longer "Restart" timer, but that's up to the local sysadmin to judge best. -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v3] Add Apache2 linking with for new commits
On 26/04/2023 11:49, Arne Schwabe wrote: After first round of mailing people with more than 10 commits we have almost all committers have agreed. This put this license in the realm of having a realistic change to work. Had any of these contributers disagreed, rewriting all their code might have been not feasible. The rationale of adding this exception now is to avoid having to have a second round of agreement for new contributers and ensure that all new code will include the exemption. patch v2: add explaination and use exception rather than excemption patch v3: actually send v3 Change-Id: Ide83f914f383b53ef37ddf628e4da5a78e241bf0 Signed-off-by: Arne Schwabe LGTM and is (almost) the same text as the proposal [1] sent February 15, 2023. A little extra character has been added, which can be removed at commit time. See comment below in the diff. [1] Message-Id: <9160f6a3-1a61-d112-7a48-a7da4af38...@eurephia.org> <https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26269.html> Acked-By: David Sommerseth --- COPYING | 47 +++ 1 file changed, 47 insertions(+) diff --git a/COPYING b/COPYING index e12c51414..a6f8a6f5f 100644 --- a/COPYING +++ b/COPYING @@ -31,6 +31,53 @@ OpenVPN license: file, but you are not obligated to do so. If you do not wish to do so, delete this exception statement from your version. +Apache2 linking exception: +--- +OpenVPN is currently undergoing a license change to add an exception for +Apache 2 linking. The following exception is only valid for new contributions +after COMMITDATE and past contribution where the authors have already agreed +to the exception. + + In addition, as a special exception, OpenVPN Inc and the + contributors give permission to link the code of this program to + libraries (the "Libraries") licensed under the Apache License + version 2.0 (this work and any linked library the "Combined Work") + and copy and distribute the Combined Work without an obligation to + license the Libraries under the GNU General Public License v2 + (GPL-2.0) as required by Section 2 of the GPL-2.0, and without an + obligation to refrain from imposing any additional restrictions in + the Apache License version 2 that are not in the GPL-2.0, as + required by Section 6 of the GPL-2.0. You must comply with the` The line above ends with an additional ` -- kind regards, David Sommerseth OpenVPN Inc OpenPGP_signature Description: OpenPGP digital signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied openvpn3-linux] openvpn3-config-manage: Fix description in man page
From: David Sommerseth Your patch has been applied to the master branch commit 97c729808a688364c16d17f7c34a4c7229ca0131 master Author: Frank Lichtenheld Date: Tue, 02 May 2023 12:02:27 + docs/man: Fix description in openvpn3-config-manage man page Signed-off-by: Frank Lichtenheld Message-Id: <20230502120227.30592-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26613.html Signed-off-by: David Sommerseth -- kind regards, David Sommerseth ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] OpenVPN 3 Linux v20 released
- - Debian 10 (amd64, arm64) - Debian 11 (amd64, arm64) - Fedora 36, 37 and 38 (x86_64, aarch64, s390x) - Red Hat Enterprise Linux 7 (x86_64) - Red Hat Enterprise Linux 8 and 9 (x86_64, aarch64) - Ubuntu 18.04, 20.04 and 22.04, (amd64, arm64) The arm64 support on selected Debian and Ubuntu releases are considered tech-preview. We would like to get feedback from arm64 users how OpenVPN 3 Linux works here, then we can remove the tech-preview label for arm64. The non-LTS Ubuntu releases has been unlisted. The OpenVPN 3 Linux project will primarily focus the LTS releases. The non-LTS releases will still get builds, but they will no go through the same kind of testing before releases. Those builds will also not necessarily arrive at the same time as the builds for LTS releases. Installation and getting started instructions can be found here: <https://community.openvpn.net/openvpn/wiki/OpenVPN3Linux> Credits --- Since this is the first stable release, it's appropriate to give some credits to people who have contributed in various ways to this project so far. A huge thanks goes to: Antonio Quartulli Arne Schwabe Ben Yanke David Schneider dangerfish96 fldu Frank Lichtenheld Frans Klaver Heiko Hund Jagadeesh Kotra Johan Draaisma John Eismeier Kevin Lindsay Lev Stipakov Mykola Stolyarenko Raphael Mader Romain Loutrel Samuli Seppänen In addition comes all those who have tested OpenVPN 3 Linux and provided feedback through various channels through all these releases. You have all been important in ensuring this project has evolved and matured. I'm sorry I don't have a proper list of all you, but you would also deserve to be mentioned. -- kind regards, David Sommerseth OpenVPN Inc Source tarballs --- * OpenVPN 3 Linux v20 <https://swupdate.openvpn.net/community/releases/openvpn3-linux-20.tar.xz> <https://swupdate.openvpn.net/community/releases/openvpn3-linux-20.tar.xz.asc> SHA256 Checksums -- git references git repositories: <https://codeberg.org/OpenVPN/openvpn3-linux> (Primary) <https://gitlab.com/openvpn/openvpn3-linux> (mirror) <https://github.com/OpenVPN/openvpn3-linux> (mirror) git tag: v20 git commit: e7531f45d3743bfe58223a6b56794aa8bba01ba9 Changes from v19_beta to v20--- ------- David Sommerseth (47): Coding style update build/clang++: Fix build issues with clang++14 log: Add default initialising of LogEvent members log: Extend LogEvent with group/category parsing from strings log: Extend LogEvent with str() method ovpn3cli/log: Use the new LogEvent::str() method log: Adding Log::Journald::Parser and related classes ovpn3cli: New command - openvpn3-admin journal copyright: Use SPDX license tags core: Update to OpenVPN 3 Core library v3.7.2 Add .git-blame-ignore-revs with instructions cli/session-manage: Make --resume and --restart run in background log: Ensure extracted systemd-journald fields have correct length docs/man: Fix missing backslash in Makefile.am build: Unbreak non-systemd based builds again dbus: Add AUTH_PENDING related constants client: Implement support for CR_TEXT pending authentication tests: Extend requires-queue tests with ClientAttentionGroup::CHALLENGE_AUTH_PENDING common/dbus: Migrate g_variant_get() to GLibUtils::ExtractValue<>() selinux: Allow openvpn3_client_t to use syslog copyright: Fix typo in a license tag ovpn3cli: User credential input error handling input with session-start cli: Improve behaviour with incorrect PK passphrase or CONN_FAILED netcfg: Exit early if systemd-resolved cannot be reached common: Add support for comment fields in SingleCommand arg parser build: Add a check for the libselinux library ovpn3cli/admin: Add new init-config command log: Don't hard-code --journald in auto-start service docs: Update openvpn3-autoload documentation copyright: Update copyright years build: Ensure OPENVPN3_STATEDIR is properly set ovpn3cli/admin: Check chown/chmod return codes in init-config ovpn3cli/admin: Make init-config check SELinux status first docs: Clean up the "SEE ALSO" sections in some base man pages log: Filter out UNDEFINED LogGroup and LogCategory log/jourald: Don't provide strings for LogCategory/LogGroup::UNDEFINED ovpn3cli/admin: Make init-config also check for configs subdir ovpn3cli/admin: Clean up incorrect wording in init-config man: Updating openvpn3-linux.7 man page man: Use proper man
Re: [Openvpn-devel] [PATCH] Bugfix: Convert ECDSA signature form pkcs11-helper to DER encoded form
On 14/03/2023 10:02, David Sommerseth wrote: On 14/03/2023 09:45, David Sommerseth wrote: On 11/03/2023 06:24, selva.n...@gmail.com wrote: From: Selva Nair - With OpenSSL 3.0 and xkey-provider, we use pkcs11h_certificate_signAny_ex() which returns EC signature as raw r|s concatenated. But OpenSSL expects a DER encoded ASN.1 structure. Do this conversion as done in cryptoapi.c. For code re-use, ecdsa_bin2sig() is consolidated with sig to DER conversion as ecdsa_bin2der() and moved to xkey_helper.c In the past when we used OpenSSL hooks installed by pkcs11-helper, such a conversion was not required as it was internally handled by the library. Reported by: Tom Signed-off-by: Selva Nair Just FYI, this report appeared in the bugzilla for the Fedora packaging. This seems related to this patch. <https://bugzilla.redhat.com/show_bug.cgi?id=2177834> I will try to prepare a Fedora build with this patch added, for further testing. Fedora Koji builds of OpenVPN 2.6.1 with this patch included: Fedora 38: <https://koji.fedoraproject.org/koji/taskinfo?taskID=98680872> x86_64 packages: <https://koji.fedoraproject.org/koji/taskinfo?taskID=98680943> Fedora 37: <https://koji.fedoraproject.org/koji/taskinfo?taskID=98680878> x86_64 packages: <https://koji.fedoraproject.org/koji/taskinfo?taskID=98680991> Just got feedback from the reporter in the Fedora bugzilla; this patch works well on Fedora 38. I suggest adding this tag to the commit log. Feel free to add the URL tag to the bugzilla ticket too. Tested-by: flor...@apolloner.eu -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Bugfix: Convert ECDSA signature form pkcs11-helper to DER encoded form
On 14/03/2023 09:45, David Sommerseth wrote: On 11/03/2023 06:24, selva.n...@gmail.com wrote: From: Selva Nair - With OpenSSL 3.0 and xkey-provider, we use pkcs11h_certificate_signAny_ex() which returns EC signature as raw r|s concatenated. But OpenSSL expects a DER encoded ASN.1 structure. Do this conversion as done in cryptoapi.c. For code re-use, ecdsa_bin2sig() is consolidated with sig to DER conversion as ecdsa_bin2der() and moved to xkey_helper.c In the past when we used OpenSSL hooks installed by pkcs11-helper, such a conversion was not required as it was internally handled by the library. Reported by: Tom Signed-off-by: Selva Nair Just FYI, this report appeared in the bugzilla for the Fedora packaging. This seems related to this patch. <https://bugzilla.redhat.com/show_bug.cgi?id=2177834> I will try to prepare a Fedora build with this patch added, for further testing. Fedora Koji builds of OpenVPN 2.6.1 with this patch included: Fedora 38: <https://koji.fedoraproject.org/koji/taskinfo?taskID=98680872> x86_64 packages: <https://koji.fedoraproject.org/koji/taskinfo?taskID=98680943> Fedora 37: <https://koji.fedoraproject.org/koji/taskinfo?taskID=98680878> x86_64 packages: <https://koji.fedoraproject.org/koji/taskinfo?taskID=98680991> -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Bugfix: Convert ECDSA signature form pkcs11-helper to DER encoded form
On 11/03/2023 06:24, selva.n...@gmail.com wrote: From: Selva Nair - With OpenSSL 3.0 and xkey-provider, we use pkcs11h_certificate_signAny_ex() which returns EC signature as raw r|s concatenated. But OpenSSL expects a DER encoded ASN.1 structure. Do this conversion as done in cryptoapi.c. For code re-use, ecdsa_bin2sig() is consolidated with sig to DER conversion as ecdsa_bin2der() and moved to xkey_helper.c In the past when we used OpenSSL hooks installed by pkcs11-helper, such a conversion was not required as it was internally handled by the library. Reported by: Tom Signed-off-by: Selva Nair Just FYI, this report appeared in the bugzilla for the Fedora packaging. This seems related to this patch. <https://bugzilla.redhat.com/show_bug.cgi?id=2177834> I will try to prepare a Fedora build with this patch added, for further testing. -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] dns option: remove support for exclude-domains
On 28/02/2023 05:41, Heiko Hund wrote: No DNS resolver currently supports this and it is not possible to emulate the behavior without the chance of errors. Finding the effective default system DNS server(s) to specify the exclude DNS routes is not trivial and cannot be verified to be correct without resolver internal knowledge. So, it is better to not support this instead of supporting it, but incorrectly. Signed-off-by: Heiko Hund --- doc/man-sections/client-options.rst | 14 +- src/openvpn/dns.c | 13 ++--- src/openvpn/dns.h | 7 --- src/openvpn/options.c | 16 4 files changed, 7 insertions(+), 43 deletions(-) I've only glared at the code and quickly done a few compile tests. LGTM. Change itself also makes sense. Acked-By: David Sommerseth -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] OpenVPN Linking Exception
OpenVPN 2.x is licensed under the GNU Public License v2.0 (GPL-2.0).
This license has served us well in the past and we are not trying to
change that. However, changes in licenses of our dependencies put us in
an unfortunate situation.
Both mbed TLS and OpenSSL nowadays use the Apache 2.x license (APL-2).
For the OpenSSL library we have a special exception that allows us
linking with it. For newer mbed TLS versions, we cannot do this any more.
The APL-2 allows very liberal use of its source code when including it
in other program (like BSD license). Unlike BSD licenses, the APL-2 has
a few additions that position it better in today's legal landscape. It
requires patent grant (in layman terms: you cannot contribute to an
APL-2 licensed project and later sue someone for using your patents on
the code you contributed). This is the most critical aspect where the
APL-2 is incompatible with GPL-2.0 according to Free Software Foundation
- <https://www.gnu.org/licenses/license-list.html#apache2>.
A short overview of APL-2 and license text can be found here:
<https://tldrlegal.com/license/apache-license-2.0-(apache-2.0)#summary>
The OpenVPN community has discussed these issues with Pamela Chestek
<https://www.chesteklegal.com/> on the linking exception. She is a
renowned open source license legal expert. Various options for this
challenge have been studied and evaluated.
What is clear is that we will need a linking exception. The OpenSSL and
mbed TLS libraries may be considered system libraries on Linux systems
but cannot be considered as such for distributions of the OpenVPN binary
on Windows, macOS or Android.
The proposed linking exception for OpenVPN:
In addition, as a special exception, OpenVPN Inc and the
contributors give permission to link the code of this program to
libraries (the "Libraries") licensed under the Apache License
version 2.0 (this work and any linked library the "Combined Work")
and copy and distribute the Combined Work without an obligation to
license the Libraries under the GNU General Public License v2
(GPL-2.0) as required by Section 2 of the GPL-2.0, and without an
obligation to refrain from imposing any additional restrictions in
the Apache License version 2 that are not in the GPL-2.0, as
required by Section 6 of the GPL-2.0. You must comply with the
GPL-2.0 in all other respects for the Combined Work, including
the obligation to provide source code. If you modify this file, you
may extend this exception to your version of the file, but you are
not obligated to do so. If you do not wish to do so, delete this
exception statement from your version.
This exception is the verbatim copy from Pamela Chestek, and the content
in this copy above has been reviewed by her. There is some legalese
phrases there (in particular related to "Combined work") which may seem
odd, but this is common practice in legal definitions.
In plain non-legalese English this basically says:
* The intention for this license exception is to allow OpenVPN to be
linked against APL-2 licensed libraries, even where the GPL-2.0 and
APL-2 licenses conflict from a legal perspective.
* OpenVPN itself will stay GPL-2.0 and the code belonging to the
OpenVPN project must comply to the GPL-2.0 license. This is NOT
dual-licensing of the OpenVPN code base.
* This license exception DOES NOT require NOR expect a license change
of the APL-2 based library. This exception allows using the APL-2
library as-is. However, when distributing a compiled OpenVPN binary
linking against APL-2 libraries ("Combined Work"), the REQUIREMENT is
that the APL-2 library MUST also be available on similar terms as in
GPL-2.0, like providing the source code of the library upon request,
except in the two specific ways mentioned.
* If the APL-2 based library forbids such linking and distribution,
this license exception DOES NOT overrule the restriction of the APL-2
based library. If the APL-2 library cannot satisfy the requirements
in this license exception, you CANNOT distribute an OpenVPN binary
linked with this library.
I hope we can reach an agreement and replace the current OpenSSL linking
exception with this new exception above.
--
kind regards,
David Sommerseth
OpenVPN Inc
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] OpenVPN 2.6.0 released
On 27/01/2023 12:32, André wrote: Hi, So download link in Forum Announcement should be corrected? https://forums.openvpn.net/viewtopic.php?t=35260 Yes, thank you! Updated! -- kind regards, David Sommerseth OpenVPN Inc --- Original Message --- On Friday, January 27th, 2023 at 01:53, David Sommerseth wrote: On 25/01/2023 20:50, Frank Lichtenheld wrote: [...snip...] On Red Hat derivatives we recommend using the Fedora Copr repository. https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release/ A slight update here. The repo above will be preserved for OpenVPN 2.5 releases. A new repository for OpenVPN 2.6 has been published: https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release-2.6/ -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] OpenVPN 2.6.0 released
On 25/01/2023 20:50, Frank Lichtenheld wrote: [...snip...] On Red Hat derivatives we recommend using the Fedora Copr repository. <https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release/> A slight update here. The repo above will be preserved for OpenVPN 2.5 releases. A new repository for OpenVPN 2.6 has been published: <https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release-2.6/> -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] dco: print proper message in case of transport disconnection
On 12/01/2023 09:43, Lev Stipakov wrote: Hi, -/* SPDX-License-Identifier: GPL-2.0-only WITH Linux-syscall-note */ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ This specific hunk is beyond my pay grade. I dug into this. License wise, GPL-2.0 is the same as GPL-2.0-only in the spdx.dev [1] specification. But the change isn't correct according to SPDX specification standard v3; the short versions (GPL-*.*) was deprecated in favor of the longer version (GPL-*.*-only). I would let this change pass now, as it doesn't change the license itself. Later on this can be unified to a specific SPDX specification standard across all files. [1] <https://spdx.dev/licenses/> -- kind regards, David Sommerseth OpenVPN Inc OpenPGP_signature Description: OpenPGP digital signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied openvpn3-linux] tests: platforminfo: skip DBus test if hostname service isn't available
From: David Sommerseth Thanks a lot! This patch was a by the book in every possible way, so this was really easy to review and apply. Acked-by: David Sommerseth - Your patch has been applied commit 1576e34a1f45133bd4c6df495eaef9387ecd1b4d master Author: Frans Klaver Date: Thu, 01 Dec 2022 07:50:13 + tests: platforminfo: skip DBus test if hostname service isn't available Signed-off-by: Frans Klaver Acked-by: David Sommerseth Patchwork-Id: 2880 URL: https://patchwork.openvpn.net/patch/2880/ -- kind regards, David Sommerseth ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] OpenVPN 3 Linux client - v19 beta released
elease depends on what bugs and issues are discovered in this release and what kind of code changes are needed to complete the outstanding issues we want resolved for the stable release. Supported Linux distributions - - Debian 10 (amd64, arm64) - Debian 11 (amd64, arm64) - Fedora 35 and 36 (x86_64, aarch64, s390x) - Red Hat Enterprise Linux 7 (x86_64) - Red Hat Enterprise Linux 8 and 9 (x86_64, aarch64) - Ubuntu 18.04, 20.04, 21.10 and 22.04 (amd64, arm64) Both Fedora 37 and Ubuntu 22.10 will come in the near future as well, they are currently not made available yet. The arm64 support on selected Debian and Ubuntu releases are currently considered a tech-preview. We would like to get feedback from arm64 users how OpenVPN 3 Linux works here, then we can remove the tech-preview label for arm64. -- kind regards, David Sommerseth OpenVPN Inc Source tarballs --- * OpenVPN 3 Linux v18 beta <https://swupdate.openvpn.net/community/releases/openvpn3-linux-19_beta.tar.xz> <https://swupdate.openvpn.net/community/releases/openvpn3-linux-19_beta.tar.xz.asc> SHA256 Checksums -- git references git repositories: <https://gitlab.com/openvpn/openvpn3-linux> <https://github.com/OpenVPN/openvpn3-linux> <https://codeberg.org/OpenVPN/openvpn3-linux> git tag: v19_beta git commit: 33da965fa4151a05f95f385f00f338fa028471a2 Changes from v18_beta to v19_beta -- David Sommerseth (74): tests: Improve MachineIDTest::get_systemd_api test build: Split up proxy-netcfg into a manager and device compilation unit core: Update to latest OpenVPN 3 Core Library 3.7 development shell: Fix proposing more options to --config shell completion shell: Fix trailing spaces in bash-completion build: Generate C compatible header file dbus: Add missing #include in glibutils.hpp log: Move LogTag into its own compilation unit log: Extend LogTag to enable/disable the tag mark encapsulation log: Extend LogTag with copy constructor log: Add new helper classes for log meta data log: Implement the new meta data log handling log: Extend LogMetaDataValue to process LogTag objects log: Extend LogMetaData with GetMetaDataRecords() method log: Use LogTag in Logger class instead of std::string common: Allow setting default filename in Configuration::File ctor common: Extend Configuration::File with Get/Set for more data types log: Re-implement configuration state saving log: Switch to GLibUtils::ExtractValue in LogEvent log: Implement LogTag prefix configuration setting log: Extend LogEvent with LogGroup/Category string extraction log: Add support for native systemd-journald logging log: Implement systemd-journald support in openvpn3-service-logger log: Split logwritter.hpp into its own compilation unit log: Split out StreamLogWriter and ColourStreamWriter log: Split out SyslogWriter to its own compilation unit log: Split out JournaldWriter to its own compilation unit log: Final change of the logwriter.hpp split-up refactoring log: Extend LogWriter API to provide backend info log: Extend net.openvpn.v3.log interface with log_method property cli/log: Provide information about logging method in use cli/log: Add admin --enable-log-prefix config setting log: Fix memory corruption with syslog/openlog() log: Rework initial opening information in logger service common: Extend Configuration::File with GetFilename() log: Extend state/config file option coverage log/logger: Simplify exclusive option check log/logger: Rework configuration/state loading log/logger: Extend with D-Bus property for config_file common: Add missing include files in cmdparser-exceptions.hpp cli/log: Add new options for logger config file management logger: Enable --journald as default log method build: Don't use space in PACKAGE_NAME docs/man: Add missing --auth-req option in openvpn3 session-auth docs: Added GitHub pull-request template log: Avoid halting logger startup on missing log-service.json dbus: Make bus_name and interface protected members in DBusProxy dbus/proxy: Check if property proxy is configured dbus/connection: Add extra connection tests in DBus constructors common: Add PlatformInfo API client: Send platform OS/distro peer information to server client: Simplify IV_GUI_VER string utils: Fix incorrect string concat in get_guiversion() tests/unit: Handle PlatformInfo::DBus error gracefully python: Use ssl.PROTOCOL_TLS_CLIENT in openvpn3-as configmgr:
Re: [Openvpn-devel] [PATCH] Improve documentation for --dev and --dev-node.
On 14/09/2022 09:38, Antonio Quartulli wrote: Hi, On 14/09/2022 09:33, David Sommerseth wrote: On 12/09/2022 09:41, Gert Doering wrote: During the research for commit a5cf4cfb77f745 it turned out that OpenVPN's behaviour regarding "--dev arbitrary-name" is very platform-specific and not very well documented. The referenced commit fixed DCO behaviour to be in line with non-DCO linux behaviour, this commit catches up on the documentation. Signed-off-by: Gert Doering --- doc/man-sections/vpn-network-options.rst | 38 +++- 1 file changed, 31 insertions(+), 7 deletions(-) diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst index 5b2f8470..559b2464 100644 --- a/doc/man-sections/vpn-network-options.rst +++ b/doc/man-sections/vpn-network-options.rst @@ -69,15 +69,34 @@ routing. dev tap4 dev ovpn - When the device name starts with :code:`tun` or :code:`tap`, the device - type is extracted automatically. Otherwise the ``--dev-type`` option - needs to be added as well. + What happens if the device name is not :code:`tun` or :code:`tap` is + platform dependent. + + On most platforms, :code:`tunN` (e.g. tun2, tun30) and :code:`tapN` + (e.g. tap3) will create a numbered tun/tap interface with the number + specified - this is useful if multiple OpenVPN instances are active, + and the instance-to-device mapping needs to be known. Some platforms + do not support "numbered tap", so trying ``--dev tap3`` will fail. + + Arbitrary names (e.g. ``--dev home``) will not work on most platforms, + with the exception of Linux and FreeBSD with the DCO kernel driver. + + There, arbitrary names are allowed, and will create a tun or DCO + device named as requested. + This is confusing and not quite right. I've used "--dev home" for a long time on Linux with tun devices. But it requires "--dev-type tun". There are no dependencies on DCO in this use case. The text refers to two cases: * Linux * FreeBSD with DCO maybe the wording made it sound different? Ahh, so FreeBSD don't support arbitrary names with plain tun interfaces? If so, then I misread the sentence. Perhaps this is clearer? -- Arbitrary names (e.g. ``--dev home``) will not work on most platforms. Linux supports arbitrary names in addition to FreeBSD when using the DCO kernel driver. This will require ``--dev-type`` to be set. -- [...snip...] @@ -93,6 +112,11 @@ routing. both the network connections control panel name and the GUID for each TAP-Win32 adapter. + On other platforms, ``--dev-node node`` will influence the naming of the + created tun/tap device, if supported on that platform. If OpenVPN cannot + figure out whether ``node`` is a TUN or TAP device based on the name, + you should also specify ``--dev-type tun`` or ``--dev-type tap``. IIRC correctly on Windows (too many years since last time with a more advanced setup there), --dev-node does not influence the naming of the tap-windows6 interface, but is a reference to the pre-created interface. Windows didn't use to create interfaces on-the-fly like on Linux/BSD/macOS. Not sure if that has changed with tap-windows6 and neither how this is with wintun or ovpn-dco-win. It has not changed, but the "other platforms" the text is talking about does not include Windows. Okay, then it's fine. -- kind regards, David Sommerseth OpenVPN Inc OpenPGP_signature Description: OpenPGP digital signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Improve documentation for --dev and --dev-node.
On 12/09/2022 09:41, Gert Doering wrote: During the research for commit a5cf4cfb77f745 it turned out that OpenVPN's behaviour regarding "--dev arbitrary-name" is very platform-specific and not very well documented. The referenced commit fixed DCO behaviour to be in line with non-DCO linux behaviour, this commit catches up on the documentation. Signed-off-by: Gert Doering --- doc/man-sections/vpn-network-options.rst | 38 +++- 1 file changed, 31 insertions(+), 7 deletions(-) diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst index 5b2f8470..559b2464 100644 --- a/doc/man-sections/vpn-network-options.rst +++ b/doc/man-sections/vpn-network-options.rst @@ -69,15 +69,34 @@ routing. dev tap4 dev ovpn - When the device name starts with :code:`tun` or :code:`tap`, the device - type is extracted automatically. Otherwise the ``--dev-type`` option - needs to be added as well. + What happens if the device name is not :code:`tun` or :code:`tap` is + platform dependent. + + On most platforms, :code:`tunN` (e.g. tun2, tun30) and :code:`tapN` + (e.g. tap3) will create a numbered tun/tap interface with the number + specified - this is useful if multiple OpenVPN instances are active, + and the instance-to-device mapping needs to be known. Some platforms + do not support "numbered tap", so trying ``--dev tap3`` will fail. + + Arbitrary names (e.g. ``--dev home``) will not work on most platforms, + with the exception of Linux and FreeBSD with the DCO kernel driver. + + There, arbitrary names are allowed, and will create a tun or DCO + device named as requested. + This is confusing and not quite right. I've used "--dev home" for a long time on Linux with tun devices. But it requires "--dev-type tun". There are no dependencies on DCO in this use case. [...snip...] @@ -93,6 +112,11 @@ routing. both the network connections control panel name and the GUID for each TAP-Win32 adapter. + On other platforms, ``--dev-node node`` will influence the naming of the + created tun/tap device, if supported on that platform. If OpenVPN cannot + figure out whether ``node`` is a TUN or TAP device based on the name, + you should also specify ``--dev-type tun`` or ``--dev-type tap``. IIRC correctly on Windows (too many years since last time with a more advanced setup there), --dev-node does not influence the naming of the tap-windows6 interface, but is a reference to the pre-created interface. Windows didn't use to create interfaces on-the-fly like on Linux/BSD/macOS. Not sure if that has changed with tap-windows6 and neither how this is with wintun or ovpn-dco-win. -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] wolfSSL unit test failures
On 18/08/2022 22:06, Arne Schwabe wrote: But if we have to spend time going through support requests and to keep something maintained that we ourselves have no intrinsic motivation to support, I will advocate to set/change the status of wolfSSL in OpenVPN to "unmaintained". Agreed. If wolfSSL support is expected to work in OpenVPN, those interested in wolfSSL need to be far more active and follow the OpenVPN development to ensure the support still functions and performs as expected. The wolfSSL support has so far had quite little impact on growing the OpenVPN user or development base, so there is little motivation or even reasons for the OpenVPN community to take ownership of this. Don't expect the wolfSSL support to be tested much at all by the community developers. On the other side, we do see that wolfSSL has more a benefit of slamming the "works with OpenVPN" label on wolfSSL. But don't count on the OpenVPN community doing the grunt work for wolfSSL. Either be more actively involved - or accept we will move it to an unmaintained status - plausibly removing it if it stays broken for a longer time. -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v2 3/4] Implement AUTH_FAIL, TEMP message support
On 20/05/2022 23:32, Arne Schwabe wrote:
This allows a server to indicate a temporary problem on the server and
allows the server to indicate how to proceed (i.e. move to the next server,
retry the same server, wait a certain time,...)
This adds options_utils.c/h to be able to unit test the new function.
Patch v2: Improve documentation, format man page better, comment that
protocol-flags is not a user usable option.
---
doc/man-sections/script-options.rst | 36 ++
src/openvpn/Makefile.am | 1 +
src/openvpn/init.c | 9 ++-
src/openvpn/openvpn.vcxproj | 2 +
src/openvpn/openvpn.vcxproj.filters | 3
+20220520213250.3126372-4-a...@rfc2549.org
src/openvpn/options.h| 9 ++-
src/openvpn/options_util.c | 104 +++
src/openvpn/options_util.h | 33 +
src/openvpn/push.c | 11 ++-
src/openvpn/ssl.c| 13 ++--
src/openvpn/ssl.h| 3 +
tests/unit_tests/openvpn/Makefile.am | 1 +
tests/unit_tests/openvpn/test_misc.c | 49 +
13 files changed, 266 insertions(+), 8 deletions(-)
create mode 100644 src/openvpn/options_util.c
create mode 100644 src/openvpn/options_util.h
[...snip...]
diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
index 577294804..a619aac38 100644
--- a/src/openvpn/Makefile.am
+++ b/src/openvpn/Makefile.am
@@ -95,6 +95,7 @@ openvpn_SOURCES = \
pkcs11_mbedtls.c \
openvpn.c openvpn.h \
options.c options.h \
+options_util.c options_util.h \
Indent mismatch. Makefile.am uses tabs ... because traditional Make
needed it. Since the rest of our Makefile.am files uses tabs, we
continue with that for now.
[...snip...]
diff --git a/src/openvpn/options_util.c b/src/openvpn/options_util.c
new file mode 100644
index 0..d8a7e2343
--- /dev/null
+++ b/src/openvpn/options_util.c
@@ -0,0 +1,104 @@
+/*
+ * OpenVPN -- An application to securely tunnel IP networks
+ * over a single TCP/UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ * Copyright (C) 2002-2022 OpenVPN Inc
+ * Copyright (C) 2010-2021 Fox Crypto B.V.
^^
Does any of the code in this file come from Fox at all? If not, you
could probably consider removing that last line.
[...snip...]
+const char *
+parse_auth_failed_temp(struct options *o, const struct buffer *buf)
+{
The code here looks nice and clean; unit tests runs fine as well.
diff --git a/src/openvpn/options_util.h b/src/openvpn/options_util.h
new file mode 100644
index 0..9785bb239
--- /dev/null
+++ b/src/openvpn/options_util.h
@@ -0,0 +1,33 @@
+/*
+ * OpenVPN -- An application to securely tunnel IP networks
+ * over a single TCP/UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ * Copyright (C) 2002-2022 OpenVPN Inc
+ * Copyright (C) 2010-2021 Fox Crypto B.V.
Same copyright note as for the options_util.c.
[...snip...]
--- a/src/openvpn/ssl.h
+++ b/src/openvpn/ssl.h
@@ -93,6 +93,9 @@
* result. */
#define IV_PROTO_NCP_P2P (1<<5)
+/** Support for AUTH_FAIL,TEMP messages */
+#define IV_PROTO_AUTH_FAIL_TEMP (1<<6)
+
This conflicts with IV_PROTO_DNS_OPTION which has already been merged to
git master.
[...snip...]
I've not yet tested this code in a functional test; it compiles fine
without warnings and unit tests runs fine. Since some minor changes are
need, I just wanted to get this feedback sent before I run some more
testing.
One thing I spotted, and I'm not sure if it's my Thunderbird fooling me
or what it is ... there were spurious indenting "errors" here and there.
But the patch I pulled down directly from Patchwork had no such issues
at all. I'll check that more carefully on my end. One issue I know is
real I've commented here already.
--
kind regards,
David Sommerseth
OpenVPN Inc
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v2 1/4] Implement exit notification via control channel
On 20/05/2022 23:32, Arne Schwabe wrote:
Current exit notification relies on data channel messages with specific
prefix. Adding these to new data channel modules (DCO) adds unncessary
complexity for the data for messages that from their idea belong to the
control channel anyway.
This patch adds announcing support for control channel and sending/receving
it. We use the simple EXIT message for this.
Patch V2: add comment about protocol-flags to be not a user visible option,
fix various grammar mistakes, remove unused argument to
receive_exit_message
---
doc/man-sections/client-options.rst | 7 ++-
src/openvpn/crypto.h| 5 +
src/openvpn/forward.c | 4
src/openvpn/multi.c | 5 +
src/openvpn/options.c | 20
src/openvpn/push.c | 19 +++
src/openvpn/push.h | 2 ++
src/openvpn/sig.c | 27 +--
src/openvpn/ssl.c | 3 +++
src/openvpn/ssl.h | 3 +++
src/openvpn/ssl_ncp.c | 5 +
11 files changed, 97 insertions(+), 3 deletions(-)
[...snip...]
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 9ff384d09..427d58392 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -8326,6 +8326,8 @@ add_option(struct options *options,
}
else if (streq(p[0], "key-derivation") && p[1])
{
+/* NCP only option that is pushed by the server to enable EKM,
+ * should not be used by normal users in config files*/
This part seems unrelated.
VERIFY_PERMISSION(OPT_P_NCP)
#ifdef HAVE_EXPORT_KEYING_MATERIAL
if (streq(p[1], "tls-ekm"))
@@ -8338,6 +8340,24 @@ add_option(struct options *options,
msg(msglevel, "Unknown key-derivation method %s", p[1]);
}
}
+else if (streq(p[0], "protocol-flags") && p[1])
+{
+/* NCP only option that is pushed by the server to enable protocol
+ * features that are negotiated, should not be used by normal users
+ * in config files */
+VERIFY_PERMISSION(OPT_P_NCP)
+for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++)
+{
+if (streq(p[j], "cc-exit"))
+{
+options->data_channel_crypto_flags |= CO_USE_CC_EXIT_NOTIFY;
+}
+else
+{
+msg(msglevel, "Unknown protocol-flags flag: %s", p[j]);
+}
+}
+}
Isn't it possible to do this by pushing IV_PROTO from the server to the
client? That could be more compact than adding 22 more bytes to the
PUSH_REPLY while IV_PROTO takes less "space" on the wire to indicate a
feature. Plus the client already sends the IV_PROTO with the
CC_EXIT_NOTIFY feature flag to the server with this patch.
The rest of the code otherwise looks reasonable with the current "option
approach". The client also sends the IV_PROTO_CC_EXIT_NOTIFY flag to
the server, as expected.
--
kind regards,
David Sommerseth
OpenVPN Inc
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v3] Fix OpenVPN querying user/password if auth-token with user expires
On 17/02/2022 19:22, Arne Schwabe wrote: The problematic behaviour happens when start a profile without That sentence can be improved slightly; can be done commit time. I propose: The problematic behaviour happens when a profile is started without auth-user-pass and connect to a server that pushes auth-token When the auth token expires OpenVPN asks for auth User and password again. The problem is that the auth_user_pass_setup sets auth_user_pass_enabled = true; This function is called from two places. In ssl.c it is only called with an auth-token present or that variable already set. The other one is init_query_passwords. Move setting auth_user_pass_enabled to the second place to ensure it is only set if we really want passwords. Patch v2: Remove unrelated code change Patch v3: Rebase to master Signed-off-by: Arne Schwabe I've done several attempts to reproduce the ill behavior with OpenVPN 2.5.7, both local server (using the --management interface), OpenVPN Cloud and OpenVPN Access Server (auto-login profile) without being able to trigger this behavior. Maybe my testing just didn't run long enough. Connections was restarted, servers restarted to wipe state, etc. But it just reconnected again without any issues. So behavior this patch fixes is clearly in the "corner case" area of bugs. That said, the code looks fine and sane. I can understand the code path and I can see that username/passwords should - in theory - not be asked for when the auth-token expires with this fix; and that it would ask for it without this fix. Acked-By: David Sommerseth -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH 1/1] configure.ac: replace set with env
On 06/01/2020 09:04, Christian Hesse wrote: From: Christian Hesse The shell builtin `set` produces different output for different shells: bash$ set | grep '^TERM=' TERM=xterm dash$ set | grep '^TERM=' TERM='xterm' This may break reproducible builds depending on what shell is used. Let's replace `set` with `env`, which is a real command and always produces identical output. Hi, Spotted this one now, lingering for way too long. And it looked trivial. Except it doesn't give the expected outcome on my RHEL-8 machine. The CONFIGURE_DEFINES macro in config.h ends up empty. Reverting this patch alone, and it comes back again. So, I'm sorry, I can't ack this one. -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Add ability to specify initialize flags for pkcs11 provider
On 19/06/2022 19:28, Selva Nair wrote: Hi, On Thu, Sep 30, 2021 at 7:34 AM Petr Mikhalicin via Openvpn-devel <mailto:openvpn-devel@lists.sourceforge.net>> wrote: New pkcs11-helper interface allows to setup pkcs11 provider via properties: https://github.com/alonbl/pkcs11-helper/commit/b78d21c7e26041746aa4ae3d08b95469e1714a85 <https://github.com/alonbl/pkcs11-helper/commit/b78d21c7e26041746aa4ae3d08b95469e1714a85> Also pkcs11-helper added ability to setup init args for pkcs11 provider: https://github.com/alonbl/pkcs11-helper/commit/133f893e30856eba1de715ecd6fe176722eb3097 <https://github.com/alonbl/pkcs11-helper/commit/133f893e30856eba1de715ecd6fe176722eb3097> Signed-off-by: Petr Mikhalicin mailto:mkh199...@mail.ru>> Sorry for the long delay in getting back on this. I somehow also missed the related discussion on Trac (https://community.openvpn.net/openvpn/ticket/1453 <https://community.openvpn.net/openvpn/ticket/1453>) I don't quite understand the need for exposing "init-args" to the user. The only two supported flags in the cryptoki docs are related to the use of threads. But we are the application and we should know what flags to pass --- not the user --- isn't it? If CKF_OS_LOCKING_OK is required, can't we just set it unconditionally? That said, OpenVPN2 is single threaded, so why is there a "bug in openvpn" related to the use of pkcs11 library from multiple threads referred to in the trac ticket? I haven't dug too deep into the matter this time; and it depends also on the OS you are on. But there has been some issues with pkcs11-helper on hosts with systemd, due to some intricacies with openvpn doing a fork to kick off the password query mechanism with systemd colliding with some pkcs11-helper implementation details. For the systemd case, we added a workaround which made most people happy. For more details: <https://community.openvpn.net/openvpn/ticket/538> -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied v2] GitHub Actions: trigger openvpn-build GHA on success
On 17/06/2022 13:06, David Sommerseth wrote: From: David Sommerseth Your patch has been applied commit 6a26cb51297024b563603faf78a33298b5d59f30 master Author: Lev Stipakov Date: Sun, 05 Jun 2022 00:40:13 + GitHub Actions: trigger openvpn-build GHA on success Signed-off-by: Lev Stipakov Patchwork-Id: 2508 URL: https://patchwork.openvpn.net/patch/2508/ Signed-off-by: David Sommerseth Unfortunately, my patchwork script failed when creating the reply message and I spotted it too late. The Acked-by line was stripped out. The proper reply message should have been: commit 6a26cb51297024b563603faf78a33298b5d59f30 master Author: Lev Stipakov Date: Sun, 05 Jun 2022 00:40:13 + GitHub Actions: trigger openvpn-build GHA on success Signed-off-by: Lev Stipakov Acked-by: Samuli Seppänen Patchwork-Id: 2508 URL: https://patchwork.openvpn.net/patch/2508/ Signed-off-by: David Sommerseth -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied v2] GitHub Actions: trigger openvpn-build GHA on success
From: David Sommerseth Your patch has been applied commit 6a26cb51297024b563603faf78a33298b5d59f30 master Author: Lev Stipakov Date: Sun, 05 Jun 2022 00:40:13 + GitHub Actions: trigger openvpn-build GHA on success Signed-off-by: Lev Stipakov Patchwork-Id: 2508 URL: https://patchwork.openvpn.net/patch/2508/ Signed-off-by: David Sommerseth -- kind regards, David Sommerseth ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] [OpenVPN 2.5] Allow running a default configuration with TLS libraries without BF-CBC
On 03/06/2022 11:52, Arne Schwabe wrote: Modern TLS libraries might drop Blowfish by default or distributions might disable Blowfish in OpenSSL/mbed TLS. We still signal OCC options with BF-CBC compatible strings. To avoid requiring BF-CBC for this, special this one usage of BF-CBC enough to avoid a hard requirement on Blowfish in the default configuration. This patch is cherry-picked from 79ff3f79 and the missing ciphername = "none"; has been added in the OCC code. Signed-off-by: Arne Schwabe --- src/openvpn/crypto_backend.h | 2 ++ src/openvpn/init.c | 37 +-- src/openvpn/options.c| 48 +++- 3 files changed, 73 insertions(+), 14 deletions(-) Just for the record. This patch has been included into Fedora 36 and EPEL-9 builds, released as openvpn-2.5.7-2. Fedora 36 users has reported that this patch resolves issues which surfaced when upgrading to openvpn-2.5.7-1. A few references: <https://bodhi.fedoraproject.org/updates/FEDORA-2022-8ca0f56650> <https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-dd161a4d75> <https://bugzilla.redhat.com/show_bug.cgi?id=2092800> <https://bugzilla.redhat.com/show_bug.cgi?id=2093069> -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied OpenVPN3 2/2] omi: add support for ovpn-dco-win
From: David Sommerseth Your patch has been applied to the master branch commit 94848c3cc3f5ea1fec97ab6b18ba7eff6923561d master Author: Christopher Ng Date: Tue, 07 Jun 2022 16:30:49 + omi: add support for ovpn-dco-win Signed-off-by: Christopher Ng Acked-by: Lev Stipakov Patchwork-Id: 2509 URL: https://patchwork.openvpn.net/patch/2509/ Message-Id: <20220607163049.10056-2-fac...@gmail.com> Signed-off-by: David Sommerseth -- kind regards, David Sommerseth ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied OpenVPN3 1/2] ovpnagent: fix quoting of omiclient parameters
From: David Sommerseth Your patch has been applied to the master branch commit 452e7cb6259d40ae0a1ff749d22a1634c7100fc9 master Author: Christopher Ng Date: Tue, 07 Jun 2022 16:30:48 + ovpnagent: fix quoting of omiclient parameters Signed-off-by: Christopher Ng Acked-by: Lev Stipakov Patchwork-Id: 2510 URL: https://patchwork.openvpn.net/patch/2510/ Message-Id: <20220607163049.10056-1-fac...@gmail.com> Signed-off-by: David Sommerseth -- kind regards, David Sommerseth ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v2] signal --dns support in peer info
On 13/05/2022 13:40, Arne Schwabe wrote: Am 13.05.22 um 13:22 schrieb David Sommerseth: On 13/05/2022 11:37, Heiko Hund wrote: Have clients set a bit in IV_PROTO, so that servers can make an informed decision on whether to push --dns to the client. While unknown options are ignored by clients when pushed, they generate a warning in the log. That can be circumvented by server backends by checking if bit 7 is set. Signed-off-by: Heiko Hund [...snip...] + /* support for the --dns option */ + iv_proto |= IV_PROTO_DNS_OPTION; + [...snip...] +#define IV_PROTO_DNS_OPTION (1<<6) + [...snip...] To be honest, I requested this flag but I don't think this is really what I want/need any more. I wanted to have a flag that tells me as a server that I can push --dns options instead of --dhcp-options and accept the client to evaluate them. But after some digging, I found that on platforms where dhcp-option is NOT parsed by openvpn itself (so anything but Android and Windows) and scripts are used to set DNS, these scripts will always use dhcp-options as they rely on foreign_option support. So they end up with no DNS configuration if only --dns is pushed and using --dhcp-option options if both are pushed unless the script is updated. As I remember it, this wasn't initially about Android and Windows clients. It was about the server pushing both --dhcp-option DNS and --dns at the same time, and that OpenVPN 2.5 and older clients would complain about --dns option warnings. By signalling to a server who wants to avoid this (like the Access Server), the server can chose if it wants to send --dns or --dhcp-options, based on this flag. Right? That the client side isn't parsing --dns options properly is to my understanding a different issue, which also needs a solution. And if my memory isn't completely corrupted, we had some brief talks about v2.6 clients adding some kind of "conversion" from --dns to --dhcp-options *data* for scripts/plug-ins - but only in a simplistic best-effort approach. If the strict --dhcp-option behavior is needed, that can be used with v2.6 clients for the time being if --dns causes troubles. But if both --dns and --dhcp-options are used, and the --dhcp-option provides a setting --dns support, --dns should take precedence. This should also work fine, as the --dns option is far more flexible in what it supports, while --dhcp-options are just simpler by design - and designed around a lesser dynamic Internet world. -- kind regards, David Sommerseth OpenVPN Inc OpenPGP_signature Description: OpenPGP digital signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v2] signal --dns support in peer info
On 13/05/2022 11:37, Heiko Hund wrote: Have clients set a bit in IV_PROTO, so that servers can make an informed decision on whether to push --dns to the client. While unknown options are ignored by clients when pushed, they generate a warning in the log. That can be circumvented by server backends by checking if bit 7 is set. Signed-off-by: Heiko Hund --- src/openvpn/ssl.c | 3 +++ src/openvpn/ssl.h | 3 +++ 2 files changed, 6 insertions(+) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 61dea996..24d7f3f4 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1940,6 +1940,9 @@ push_peer_info(struct buffer *buf, struct tls_session *session) /* support for P_DATA_V2 */ int iv_proto = IV_PROTO_DATA_V2; +/* support for the --dns option */ +iv_proto |= IV_PROTO_DNS_OPTION; + /* support for receiving push_reply before sending * push request, also signal that the client wants * to get push-reply messages without without requiring a round diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 0ba86d3e..c8802707 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -93,6 +93,9 @@ * result. */ #define IV_PROTO_NCP_P2P (1<<5) +/** Supports the --dns option introduced in version 2.6 */ +#define IV_PROTO_DNS_OPTION (1<<6) + /* Default field in X509 to be username */ #define X509_USERNAME_FIELD_DEFAULT "CN" Only glared on the code and compile tested. LGTM. Acked-By: David Sommerseth -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] The Great Reformatting of 2022
From: David Sommerseth
It was agreed it was time to do a full reformat fix-up of the whole
source tree again. Over time (since late 2016) small changes has not
adhered to our uncrustify defined coding style. This realigns to our
current standards.
Signed-off-by: David Sommerseth
---
Note: One change was applied manually before reformatting the code.
The test_digest and good_sig const arrays had the starting
curly brace moved up after the equal sign. This was to avoid the
whole array data to be left aligned at column 0. Moving the curly
brace opening after the equal sign gave a nicer indenting of the
block.
---
sample/sample-plugins/defer/multi-auth.c | 23 ++--
.../keyingmaterialexporter.c | 2 +-
src/compat/compat-versionhelpers.h| 2 +-
src/openvpn/auth_token.c | 2 +-
src/openvpn/console_builtin.c | 2 +-
src/openvpn/crypto_backend.h | 9 +-
src/openvpn/crypto_mbedtls.c | 23 ++--
src/openvpn/crypto_openssl.c | 48 +
src/openvpn/cryptoapi.c | 16 +--
src/openvpn/dns.h | 2 +-
src/openvpn/error.c | 3 +-
src/openvpn/forward.c | 3 +-
src/openvpn/init.c| 56 +-
src/openvpn/init.h| 1 +
src/openvpn/manage.c | 2 +-
src/openvpn/misc.h| 4 +-
src/openvpn/mss.c | 12 +--
src/openvpn/mss.h | 2 +-
src/openvpn/mtu.c | 2 +-
src/openvpn/multi.c | 7 +-
src/openvpn/networking_sitnl.c| 2 +
src/openvpn/openssl_compat.h | 15 +--
src/openvpn/openvpn.c | 14 +--
src/openvpn/options.c | 74 ++---
src/openvpn/options.h | 8 +-
src/openvpn/pkcs11_openssl.c | 32 +++---
src/openvpn/platform.c| 8 +-
src/openvpn/push.c| 12 ++-
src/openvpn/ring_buffer.h | 2 +-
src/openvpn/route.c | 4 +-
src/openvpn/run_command.h | 2 +-
src/openvpn/socket.h | 8 +-
src/openvpn/socks.c | 2 +-
src/openvpn/ssl.c | 34 +++---
src/openvpn/ssl_backend.h | 2 +-
src/openvpn/ssl_common.h | 25 +++--
src/openvpn/ssl_mbedtls.c | 21 ++--
src/openvpn/ssl_mbedtls.h | 2 +-
src/openvpn/ssl_ncp.c | 32 +++---
src/openvpn/ssl_openssl.c | 26 ++---
src/openvpn/ssl_verify.c | 46
src/openvpn/ssl_verify_openssl.c | 2 +-
src/openvpn/syshead.h | 4 +-
src/openvpn/tun.c | 38 +++
src/openvpn/xkey_common.h | 14 +--
src/openvpn/xkey_helper.c | 26 ++---
src/openvpn/xkey_provider.c | 98 -
src/openvpnmsica/openvpnmsica.h | 8 +-
src/openvpnserv/common.c | 6 +-
src/openvpnserv/interactive.c | 101 +-
src/openvpnserv/service.c | 8 +-
src/plugins/auth-pam/auth-pam.c | 22 ++--
src/tapctl/main.c | 3 +-
src/tapctl/tap.c | 30 +++---
tests/unit_tests/openvpn/test_crypto.c| 10 +-
tests/unit_tests/openvpn/test_misc.c | 6 +-
tests/unit_tests/openvpn/test_ncp.c | 2 +-
tests/unit_tests/openvpn/test_provider.c | 60 ++-
tests/unit_tests/openvpn/test_tls_crypt.c | 2 +-
.../auth-pam/test_search_and_replace.c| 21 ++--
60 files changed, 549 insertions(+), 504 deletions(-)
diff --git a/sample/sample-plugins/defer/multi-auth.c
b/sample/sample-plugins/defer/multi-auth.c
index 20c9dac5..c2672981 100644
--- a/sample/sample-plugins/defer/multi-auth.c
+++ b/sample/sample-plugins/defer/multi-auth.c
@@ -72,7 +72,8 @@ struct plugin_context {
/* local wrapping of the log function, to add more details */
static plugin_vlog_t _plugin_vlog_func = NULL;
-static void plog(const struct plugin_context *ctx, int flags, char *fmt, ...)
+static void
+plog(const struct plugin_context *ctx, int flags, char *fmt, ...)
{
char logid[129];
@@ -243,11 +244,11 @@ do_auth_user_pass(struct plugin_context *context,
const char *username, const char *password)
{
plog(context, PLOG_NOTE,
-"expect_user=%s, received_user=%s, expect_passw=%s, received_pas
[Openvpn-devel] [PATCH 1/3] dev-tools: Remove no longer needed openvpn-plugin.h.in patching
From: David Sommerseth The bug in uncrustify 0.64 is no longer causing us issues as we now require at least v0.72. This workaround was added as part of the initial reformat-all inclusion, in commit 2417d55c4945d491e. Signed-off-by: David Sommerseth --- .../after_include_openvpn-plugin.h.in.patch | 13 - .../before_include_openvpn-plugin.h.in.patch| 13 - dev-tools/special-files.lst | 1 - 3 files changed, 27 deletions(-) delete mode 100644 dev-tools/reformat-patches/after_include_openvpn-plugin.h.in.patch delete mode 100644 dev-tools/reformat-patches/before_include_openvpn-plugin.h.in.patch diff --git a/dev-tools/reformat-patches/after_include_openvpn-plugin.h.in.patch b/dev-tools/reformat-patches/after_include_openvpn-plugin.h.in.patch deleted file mode 100644 index 100da078.. --- a/dev-tools/reformat-patches/after_include_openvpn-plugin.h.in.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/include/openvpn-plugin.h.in b/include/openvpn-plugin.h.in -index 05bffab..05b4b6a 100644 a/include/openvpn-plugin.h.in -+++ b/include/openvpn-plugin.h.in -@@ -169,7 +169,7 @@ typedef void *openvpn_plugin_handle_t; - /* - * We are compiling OpenVPN. - */ --/* #define OPENVPN_PLUGIN_DEFtypedef */ -+#define OPENVPN_PLUGIN_DEFtypedef - #define OPENVPN_PLUGIN_FUNC(name) (*name) - - #else /* ifdef OPENVPN_PLUGIN_H */ diff --git a/dev-tools/reformat-patches/before_include_openvpn-plugin.h.in.patch b/dev-tools/reformat-patches/before_include_openvpn-plugin.h.in.patch deleted file mode 100644 index 679c4149.. --- a/dev-tools/reformat-patches/before_include_openvpn-plugin.h.in.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/include/openvpn-plugin.h.in b/include/openvpn-plugin.h.in -index 34ad18b..f4c5472 100644 a/include/openvpn-plugin.h.in -+++ b/include/openvpn-plugin.h.in -@@ -169,7 +169,7 @@ typedef void *openvpn_plugin_handle_t; - /* - * We are compiling OpenVPN. - */ --#define OPENVPN_PLUGIN_DEFtypedef -+// #define OPENVPN_PLUGIN_DEFtypedef - #define OPENVPN_PLUGIN_FUNC(name) (*name) - - #else diff --git a/dev-tools/special-files.lst b/dev-tools/special-files.lst index f3f77ea3..64ee9e1a 100644 --- a/dev-tools/special-files.lst +++ b/dev-tools/special-files.lst @@ -1,4 +1,3 @@ E:doc/doxygen/doc_key_generation.h # @verbatim section gets mistreated, exclude it E:src/compat/compat-lz4.c # Preserve LZ4 upstream formatting E:src/compat/compat-lz4.h # Preserve LZ4 upstream formatting -P:include/openvpn-plugin.h.in # uncrustify segfaults, patch it before+after -- 2.27.0 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH 3/3] dev-tools: Avoid uncrustify mangling MAC_FMT macro
From: David Sommerseth The MAC_FMT in src/openvpn/misc.h need to be formatted strictly, and uncrustify does not fully grasp the current code. So we tell it to not touch it. Signed-off-by: David Sommerseth --- src/openvpn/misc.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h index 7970b60d..d8a15650 100644 --- a/src/openvpn/misc.h +++ b/src/openvpn/misc.h @@ -212,7 +212,9 @@ struct buffer prepend_dir(const char *dir, const char *path, struct gc_arena *gc); #define _STRINGIFY(S) #S +/* *INDENT-OFF* - uncrustify need to ignore this macro */ #define MAC_FMT _STRINGIFY(%02hhx:%02hhx:%02hhx:%02hhx:%02hhx:%02hhx) +/* *INDENT-ON* */ #define MAC_PRINT_ARG(_mac) _mac[0], _mac[1], _mac[2], \ _mac[3], _mac[4], _mac[5] #define MAC_SCAN_ARG(_mac) &_mac[0], &_mac[1], &_mac[2], \ -- 2.27.0 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH 2/3] dev-tools: Remove uncrusify -p
From: David Sommerseth
The -p option to uncrustify was providing debug information about
decisions done by uncrustify. This was useful when debugging why
certain formatting choices.
With newer versions of uncrusitfy the -p option can only be used on
individual files and not a list of files. Since still supporting this
would require a bigger rewrite of reformat-all.sh, it was chosen to
instead remove the usage of this option. If certain behaviours needs to
be debugged, running uncrusity on individual files directly will work
fine anyhow.
Signed-off-by: David Sommerseth
---
dev-tools/reformat-all.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dev-tools/reformat-all.sh b/dev-tools/reformat-all.sh
index dc2bfc4e..ff126b0f 100755
--- a/dev-tools/reformat-all.sh
+++ b/dev-tools/reformat-all.sh
@@ -80,8 +80,8 @@ cd "$srcroot"
# Kick off uncrustify
echo
-echo "** INFO ** Running: uncrustify -c $cfg --no-backup -l C -p
debug.uncr -F $files"
-uncrustify -c "$cfg" --no-backup -l C -p debug.uncr -F "$files" 2>&1
+echo "** INFO ** Running: uncrustify -c $cfg --no-backup -l C -F $files"
+uncrustify -c "$cfg" --no-backup -l C -F "$files" 2>&1
res=$?
echo "** INFO ** Uncrustify completed (exit code $res)"
} | tee "${log}-1" # Log needs to be closed here, to be processed in next
block
--
2.27.0
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] Fix links to client docs
On 19/04/2022 15:09, David Schneider wrote: Hello This is my first contribution to this project. As stated in the README patches should be sent to the mailing list. Here is a small change to fix the wrong path to the client docs page. Please let me know if the patch should be submitted in any other form. Thanks a lot! This worked fine, I could easily do a 'git am' on your attachment. I've applied your patch, but slightly adjusted the commit message. commit b7d9bda52aee2f0577fd45e0adbf9ac3eaf8ae00 Author: David Schneider Date: Tue Apr 19 14:48:39 2022 +0200 docs: Fix incorrect doc paths in net.openvpn.v3.sessions docs Signed-off-by: David Schneider Signed-off-by: David Sommerseth -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Enable deferred auth for multiple plugins (RFC).
On 10/03/2022 12:57, Gert Doering wrote: Without this patch, OpenVPN behaviour if more than one plugin wants to do deferred user/password authentication not well-defined, as there is just one set of auth control files and a single plugin state. This patch changes "key state -> plugin_auth" from a single struct to an array of MAX_PLUGINS elements that have per-plugin auth-control files and auth status. All direct access is changed to iterating over this array. The actual plugin calls are no longer done with the "do them all" function plugin_call() (or plugin_call_ssl()) but plugin.c/plugin.h is changed to expose the "call one" function plugin_call_item(), and verify_user_pass_plugin() calls this for each loaded plugin, keeping track of "overall" state. key_state_test_plugin_auth() is introduced to do the "key_state_test_auth_control_file()" test for all plugins, and return "FAIL if one fails, PENDING if one is pending, SUCCESS if one was pending and succeeded now". This was tested with the "auth-multi" test plugin, with 5-7 plugins loaded (some deferred, some direct) and "some of them failing" or "all succeeding". Testing included "will it leak files if multiple deferred plugins are ongoing, and one of the earlier ones rejects authentication". This patch is not suitable for production use: - it's full of debug output - it will break compilation without ENABLE_PLUGINS - it stands to argue whether plugin_call_item() should be exposed, or key_state_test_plugin_auth() might be moved to plugin.c instead (with a null function if ENABLE_PLUGINS is not defined) Signed-off-by: Gert Doering --- src/openvpn/plugin.c | 2 +- src/openvpn/plugin.h | 9 +++ src/openvpn/ssl.c| 5 +- src/openvpn/ssl_common.h | 4 +- src/openvpn/ssl_verify.c | 127 --- 5 files changed, 123 insertions(+), 24 deletions(-) Hi, So I've had a deeper dive into this proposal. At the moment, I have only glared at the code and considered the overall implementation idea. TL;DR: This makes a lot of sense, and we should pursue this further. But there are room for some adjustments and further improvements. When it comes to exposing plugin_call_item(), I think it makes sense to refactor the changes you've added to verify_user_pass_plugin() into plugin_call_ssl() instead. This will make this implementation more generic and not having a special behavior only for auth-user-pass. I also had a quick look at verify_user_pass_script() as well, and I think this needs to be re-evaluated with this change as well. Scripts can now also do deferred authentication (which I believe is a new feature in git master/coming 2.6). We may hit the same undefined behavior here as well with at least --auth-user-pass-verify, possibly other too. The critical code path in regards to the authentication is in the new key_state_test_plugin_auth(). This implementation looks sane. I would probably suggest to use a different variable name than 'ret_one'. Perhaps 'plugin_state' is a better name? It was especially the last if() clause requiring me to re-read it a few times, as I missed the '_one' part and didn't quite understand the logic behind "ret = ACF_SUCCEEDED && ret != ACF_PENDING"; it made more sense when I grasped the first "ret" was supposed to be "ret_one". Also, in that function "&(ads[i])" isn't the prettiest approach, but will work. Could we do this nicer? Another improvement I think can be reasonable is to refactor plugin_n() to return an internal counter of loaded plug-ins instead of passing a pointer to a plugin struct. This allows the proposed changes to use plugin_n() more freely and to avoid iterating over MAX_PLUGINS. Now there is a mixture between iterating plugin_n() and MAX_PLUGINS, and in most configurations plugin_n() will return a lower value than MAX_PLUGINS. -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v2] Retain CAP_NET_ADMIN when dropping privileges
On 06/04/2022 14:44, Timo Rothenpieler wrote:
--- a/configure.ac
+++ b/configure.ac
@@ -794,6 +794,25 @@ dnl
esac
fi
+dnl
+dnl Depend on libcap-ng on Linux
+dnl
+case "$host" in
+ *-*-linux*)
+ PKG_CHECK_MODULES([LIBCAPNG],
+ [libcap-ng],
+ [have_libcapng="yes"],
do we really need have_libcapng? it seems it is not used further in
configure.ac
I have little to no experience with autotools, and I think this is
straight up copied from the openvpn3 setup.
That's probably right.
Can I just leave the line empty? Or put empty [] there?
Yes, [] should suffice. That said, it makes no big difference if it is
there or not. If needed to check ("test") if libcap-ng is available or
not, this checks needs to be added again though.
That said, we do not have a consistent way of using PKG_CHECK_MODULES()
in general. We have at least 4 different ways in use today.
Probably something to clean-up some day later.
--
kind regards,
David Sommerseth
OpenVPN Inc
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v2] Retain CAP_NET_ADMIN when dropping privileges
On 06/04/2022 14:44, Timo Rothenpieler wrote: 'man cap_change_id' does not mention setting errno at all. What do we expect to see with M_ERRNO? Every function it internally calls sets errno, so in case of failure errno will reflect what went wrong. Like, for example EPERM will be the most common cause of failure. capng_change_id() does several other lower level calls, like prctl(), setgroups(), setresgid() and setresuid(). They all set errno if an error occurs. The return code of capng_change_id() just reflects in which phase of dropping privileges/uid/gid it failed. For more details of the capng_change_id(), the implementation itself isn't that hard to read (but it does a several steps to harden the privilege drop): <https://github.com/stevegrubb/libcap-ng/blob/03b8572843b36bf071776a311c61f8d1dcfc4d53/src/cap-ng.c#L960> -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v2] Retain CAP_NET_ADMIN when dropping privileges
On 31/03/2022 15:26, Gert Doering wrote: Hi, On Thu, Mar 31, 2022 at 03:20:59PM +0200, David Sommerseth wrote: I've also run a few tests using an --up script which modified /etc/resolv.conf, which also worked as expected with capabilities enabled. This is actually an interesting corner case. As far as I understand, --up runs before setuid, so that should always succeed - but if you do that, cleaning up resolv.conf in --down won't succeed. That is actually correct, and to be honest I didn't think about the order of when running as client. We could "fix" --down now, but I will not recommend it at all. We could add the CAP_DAC_OVERRIDE capability. But that's a massive sledge hammer, giving read/write access to any file on the system. Only security modules like SELinux, AppArmor and such can block access with this capability enabled. So this is definitely not the right capability to have in the main OpenVPN process now. -- kind regards, David Sommerseth OpenVPN Inc OpenPGP_signature Description: OpenPGP digital signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v2] Retain CAP_NET_ADMIN when dropping privileges
On 30/03/2022 22:55, Timo Rothenpieler wrote: --- Using libcap-ng now configure.ac | 19 + distro/systemd/openvpn-cli...@.service.in | 2 +- distro/systemd/openvpn-ser...@.service.in | 2 +- src/openvpn/init.c| 25 ++- src/openvpn/platform.c| 91 +++ src/openvpn/platform.h| 5 ++ 6 files changed, 140 insertions(+), 4 deletions(-) Since I worked closely with Timo on this patch version, I don't feel I should give it an ACK verdict alone. But I believe this is the right patch to include. I will just suggest a commit message: -- platform: Retain CAP_NET_ADMIN when dropping privileges On Linux, when dropping privileges, interaction with the network configuration, such as tearing down routes or ovpn-dco interfaces will fail when --user/--group are used. This patch set sets the CAP_NET_ADMIN capability, which grants the needed privileges during the lifetime of the OpenVPN process when dropping root privileges. Signed-off-by: Timo Rothenpieler Reviewed-By: David Sommerseth -- I have otherwise tested this patch on a Rocky Linux 8 distribution. Client test cases I ran when testing this was: * from the command line, with and without DCO * via systemd, with and without DCO With these 4 test cases, each of them were run with combinations of * no --user/--group * only --user * only --group * both --user and --group I've also run a few tests using an --up script which modified /etc/resolv.conf, which also worked as expected with capabilities enabled. There were no unexpected behavior with this final patch set, with one special exception which is outside the scope of this patch - SELinux. SELinux on Fedora and RHEL (which Rocky Linux inherits) denies the OpenVPN process when run via systemd to use the SET_PCAP capability. In addition, the SELinux reference policy also denies all interactions with the Generic Netlink interfaces used by ovpn-dco. I will follow up this with the upstream SELinux reference policy maintainers. Package maintainers needing SELinux can in the mean time, until an updated SELinux policy is available, provide an additional SELinux module which grants the needed privileges to openvpn_t labelled processes. -- kind regards, David Sommerseth OpenVPN Inc OpenPGP_signature Description: OpenPGP digital signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v2] Retain CAP_NET_ADMIN when dropping privileges
On 31/03/2022 13:34, Gert Doering wrote: Hi, On Thu, Mar 31, 2022 at 01:29:28PM +0200, Timo Rothenpieler wrote: That's exactly what the patch does. Which I very much like :-) (I said that on IRC already, repeating here for the list archive) Only difference is that for sitnl, to avoid breaking existing setups, it will fall back to the old approach of switching user if the capability retaining approach failed. I'm a bit undecided if this is really something to worry about... but then, in an existing and working systemd environment with reduced capabilities it might break setups going 2.5 -> 2.6, so maybe "being careful about things" is the better way :-) Yeah, I agree with this. For v2.6, the time is too short to be dare too much potential breakage now. But we can consider further steps with v2.7. -- kind regards, David Sommerseth OpenVPN Inc OpenPGP_signature Description: OpenPGP digital signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v2] Retain CAP_NET_ADMIN when dropping privileges
ent) runs completely unprivileged, but gets its tun/ovpn-dco interface created by openvpn3-service-netcfg and the client passes VPN IP address, routes and DNS settings to this netcfg service which applies these changes. The netcfg service runs as openvpn:openvpn with CAP_NET_ADMIN (and a few optional other ones, depending on the system setup) and can only be approached by openvpn3-service-client processes. The rest of the OpenVPN 3 Linux stack runs completely unprivileged. On systems with SELinux enabled, both openvpn3-service-client and openvpn3-service-netcfg runs confined in their own separate SELinux contexts, with a strict policy what each of them can do. I am willing to work on making the netcfg service even less "OpenVPN 3 centric", and it has a potential to grow towards a generic VPN API on Linux. The current D-Bus interface it uses is highly inspired by the Android VPN API. But this won't happen in a short time and not in time for the OpenVPN 2.6 release. This is probably something which is more realistic for OpenVPN 2.8. But this needs to be discussed more thoroughly (next hackathon?). -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Retain CAP_NET_ADMIN when dropping privileges
On 30/03/2022 10:51, David Sommerseth wrote:
On 29/03/2022 21:29, Timo Rothenpieler wrote:
---
This patch sits on top of the current dco branch, and will not apply to
latest master.
It solves the issue of dropping root privileges breaking dco and sitnl
due to missing NET_ADMIN capabilities.
configure.ac | 3 ++
src/openvpn/init.c | 22 +-
src/openvpn/platform.c | 65 +-
src/openvpn/platform.h | 2 +-
4 files changed, 89 insertions(+), 3 deletions(-)
Thanks a lot! I've quickly looked through the code, and I have to NAK
this approach:
+#ifdef HAVE_LINUX_CAPABILITIES
+#define SET_CAP_HELPER(data, set, cap) data[(cap)>>5].set |=
1<<((cap)&31)
+
+static bool
+do_keep_caps(bool prepare)
+{
+ struct __user_cap_header_struct cap_hdr = {
_LINUX_CAPABILITY_VERSION_3 };
+ struct __user_cap_data_struct cap_data[_LINUX_CAPABILITY_U32S_3]
= {};
+
+ if (syscall(SYS_capget, _hdr, cap_data) < 0)
We should really use libcap or libcap-ng and not avoid using syscalls
directly.
This did not come out well. Sorry about that.
We should really avoid using syscalls directly, as that binds us to
certain APIs and bindings.
Newer kernels may also require additional adjustments in the future, to
preserve the same behaviour. Which means we need to maintain this code
and also pay more attention to the security aspects of privilege
management, like new vulnerabilities and exploits.
The libcap or libcap-ng libraries are used by far more applications,
doing similar privilege management - and these libraries already pay
attention to the security aspects of new vulnerabilities and exploits.
The libcap-ng library is also recommended by more developers, due to its
simpler API.
It is possible to argue that sitnl does low-level calls to the kernel as
well. But potential libraries had an API which was making everything
far more complex on the OpenVPN side. For libcap-ng at least, that is
not the case; as the API it provides is pretty simple.
I have used libcap-ng in openvpn3-linux, both for preserving
capabilities and dropping root. It does all the right steps fairly easily.
The configure.ac detection, which for OpenVPN 2.x can be restricted when
DCO is going to be built into openvpn:
<https://github.com/OpenVPN/openvpn3-linux/blob/master/configure.ac#L113>
The code for preserving capabilities:
<https://github.com/OpenVPN/openvpn3-linux/blob/c40218df43c8e652fedfa70304eae797b305e780/src/netcfg/openvpn3-service-netcfg.cpp#L82>
And the code for dropping root, ensuring the capabilities are restricted
properly:
<https://github.com/OpenVPN/openvpn3-linux/blob/c40218df43c8e652fedfa70304eae797b305e780/src/netcfg/openvpn3-service-netcfg.cpp#L64>
--
kind regards,
David Sommerseth
OpenVPN Inc
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Retain CAP_NET_ADMIN when dropping privileges
On 29/03/2022 21:29, Timo Rothenpieler wrote:
---
This patch sits on top of the current dco branch, and will not apply to
latest master.
It solves the issue of dropping root privileges breaking dco and sitnl
due to missing NET_ADMIN capabilities.
configure.ac | 3 ++
src/openvpn/init.c | 22 +-
src/openvpn/platform.c | 65 +-
src/openvpn/platform.h | 2 +-
4 files changed, 89 insertions(+), 3 deletions(-)
Thanks a lot! I've quickly looked through the code, and I have to NAK
this approach:
+#ifdef HAVE_LINUX_CAPABILITIES
+#define SET_CAP_HELPER(data, set, cap) data[(cap)>>5].set |= 1<<((cap)&31)
+
+static bool
+do_keep_caps(bool prepare)
+{
+struct __user_cap_header_struct cap_hdr = { _LINUX_CAPABILITY_VERSION_3 };
+struct __user_cap_data_struct cap_data[_LINUX_CAPABILITY_U32S_3] = {};
+
+if (syscall(SYS_capget, _hdr, cap_data) < 0)
We should really use libcap or libcap-ng and not avoid using syscalls
directly.
I have used libcap-ng in openvpn3-linux, both for preserving
capabilities and dropping root. It does all the right steps fairly easily.
The configure.ac detection, which for OpenVPN 2.x can be restricted when
DCO is going to be built into openvpn:
<https://github.com/OpenVPN/openvpn3-linux/blob/master/configure.ac#L113>
The code for preserving capabilities:
<https://github.com/OpenVPN/openvpn3-linux/blob/c40218df43c8e652fedfa70304eae797b305e780/src/netcfg/openvpn3-service-netcfg.cpp#L82>
And the code for dropping root, ensuring the capabilities are restricted
properly:
<https://github.com/OpenVPN/openvpn3-linux/blob/c40218df43c8e652fedfa70304eae797b305e780/src/netcfg/openvpn3-service-netcfg.cpp#L64>
--
kind regards,
David Sommerseth
OpenVPN Inc
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v2.4 v5 1/3] sample-plugin: New plugin for testing multiple auth plugins
From: David Sommerseth This plugin allows setting username/passwords as well as configure deferred authentication behaviour as part of the runtime initialization. With this plug-in it is easier to test various scenarios where multiple authentication plug-ins are active on the server side. A test documentation was also added to describe various test cases and the expected results. Signed-off-by: David Sommerseth --- v3 - Flipped NULL==var/NULL!=var to (var)/(!var) in if() block --- doc/tests/authentication-plugins.md | 153 + sample/sample-plugins/defer/README | 8 + sample/sample-plugins/defer/multi-auth.c | 413 +++ 3 files changed, 574 insertions(+) create mode 100644 doc/tests/authentication-plugins.md create mode 100644 sample/sample-plugins/defer/multi-auth.c diff --git a/doc/tests/authentication-plugins.md b/doc/tests/authentication-plugins.md new file mode 100644 index ..1f5fb851 --- /dev/null +++ b/doc/tests/authentication-plugins.md @@ -0,0 +1,153 @@ +# TESTING OF MULTIPLE AUTHENTICATION PLUG-INS + + +OpenVPN 2.x can support loading and authenticating users through multiple +plug-ins at the same time. But it can only support a single plug-in doing +deferred authentication. However, a plug-in supporting deferred +authentication may be accompanied by other authentication plug-ins **not** +doing deferred authentication. + +This is a test script useful to test the various combinations and order of +plug-in execution. + +The configuration files are expected to be used from the root of the build +directory. + +To build the needed authentication plug-in, run: + + make -C sample/sample-plugins + + +## Test configs + +* Client config + + verb 4 + dev tun + client + remote x.x.x.x + ca sample/sample-keys/ca.crt + cert sample/sample-keys/client.crt + key sample/sample-keys/client.key + auth-user-pass + +* Base server config (`base-server.conf`) + + verb 4 + dev tun + server 10.8.0.0 255.255.255.0 + dh sample/sample-keys/dh2048.pem + ca sample/sample-keys/ca.crt + cert sample/sample-keys/server.crt + key sample/sample-keys/server.key + + +## Test cases + +### Test: *sanity-1* + +This tests the basic authentication with an instant answer. + + config base-server.conf + plugin multi-auth.so S1.1 0 foo bar + + Expected results + - Username/password `foo`/`bar`: **PASS** + - Anything else: **FAIL** + + +### Test: *sanity-2* + +This is similar to `sanity-1`, but does the authentication +through two plug-ins providing an instant reply. + + config base-server.conf + plugin multi-auth.so S2.1 0 foo bar + plugin multi-auth.so S2.2 0 foo bar + + Expected results + - Username/password `foo`/`bar`: **PASS** + - Anything else: **FAIL** + + +### Test: *sanity-3* + +This is also similar to `sanity-1`, but uses deferred authentication +with a 1 second delay on the response. + + plugin multi-auth.so S3.1 1000 foo bar + + Expected results + - Username/password `foo`/`bar`: **PASS** + - Anything else: **FAIL** + + +### Test: *case-a* + +Runs two authentications, the first one deferred by 1 second and the +second one providing an instant response. + + plugin multi-auth.so A.1 1000 foo bar + plugin multi-auth.so A.2 0 foo bar + + Expected results + - Username/password `foo`/`bar`: **PASS** + - Anything else: **FAIL** + + +### Test: *case-b* + +This is similar to `case-a`, but the instant authentication response +is provided first before the deferred authentication. + + plugin multi-auth.so B.1 0 foo bar + plugin multi-auth.so B.2 1000 test pass + + Expected results + - **Always FAIL** + - This test should never pass, as each plug-in expects different + usernames and passwords. + + +### Test: *case-c* + +This is similar to the two prior tests, but the authentication result +is returned instantly in both steps. + + plugin multi-auth.so C.1 0 foo bar + plugin multi-auth.so C.2 0 foo2 bar2 + + Expected results + - **Always FAIL** + - This test should never pass, as each plug-in expects different + usernames and passwords. + + +### Test: *case-d* + +This is similar to the `case-b` test, but the order of deferred +and instant response is reversed. + +plugin ./multi-auth.so D.1 2000 test pass +plugin ./multi-auth.so D.2 0 foo bar + + Expected results + - **Always FAIL** + - This test should never pass, as each plug-in expects different + usernames and passwords. + + +### Test: *case-e* + +This test case will run two deferred authentication plug-ins. This is +**not** supported by OpenVPN, and should therefore fail instantly. + +plugin ./multi-auth.so E1 1000 test1 pass1 +plugin ./multi-auth.so E2 2000 test2 pass2 + + Expected results + - The OpenVPN server process should stop running + - An error about multiple deferred plug-ins being configured + should be seen in the server log. + + diff --git
[Openvpn-devel] [PATCH v2.4 v5 2/3] plug-ins: Disallow multiple deferred authentication plug-ins
From: David Sommerseth
The plug-in API in OpenVPN 2.x is not designed for running multiple
deferred authentication processes in parallel. The authentication
results of such configurations are not to be trusted. For now we bail
out when this discovered with an error in the log.
CVE: 2022-0547
Signed-off-by: David Sommerseth
---
Note: The man page snippet is copied from the generated nroff formatting from
the git master generated man page.
v3 - flip CONSTANT==var to var==CONSTANT in if() clause
v4 - Use M_FATAL instead of M_ERR
v5 - Fix missing ) in if() clause
---
doc/openvpn.8| 13 +
src/openvpn/plugin.c | 33 ++---
2 files changed, 43 insertions(+), 3 deletions(-)
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 598d5fce..a6a5feb6 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -2805,6 +2805,19 @@ function (such as tls\-verify, auth\-user\-pass\-verify,
or
client\-connect), then
every module and script must return success (0) in order for
the connection to be authenticated.
+
+.INDENT 7.0
+.TP
+.B \fBWARNING\fP:
+Plug\-ins may do deferred execution, meaning the plug\-in will
+return the control back to the main OpenVPN process and provide
+the plug\-in result later on via a different thread or process.
+OpenVPN does \fBNOT\fP support multiple authentication plug\-ins
+\fBwhere more than one of them\fP do deferred authentication.
+If this behaviour is detected, OpenVPN will shut down upon first
+authentication.
+.UNINDENT
+.UNINDENT
.\"*
.TP
.B \-\-keying\-material\-exporter label len
diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c
index 0ab99ab5..a019ec77 100644
--- a/src/openvpn/plugin.c
+++ b/src/openvpn/plugin.c
@@ -809,7 +809,7 @@ plugin_call_ssl(const struct plugin_list *pl,
const int n = plugin_n(pl);
bool success = false;
bool error = false;
-bool deferred = false;
+bool deferred_auth_done = false;
setenv_del(es, "script_type");
envp = make_env_array(es, false, );
@@ -834,7 +834,34 @@ plugin_call_ssl(const struct plugin_list *pl,
break;
case OPENVPN_PLUGIN_FUNC_DEFERRED:
-deferred = true;
+if ((type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
+&& deferred_auth_done)
+{
+/*
+ * Do not allow deferred auth if a deferred auth has
+ * already been started. This should allow a single
+ * deferred auth call to happen, with one or more
+ * auth calls with an instant authentication result.
+ *
+ * The plug-in API is not designed for multiple
+ * deferred authentications to happen, as the
+ * auth_control_file file will be shared across all
+ * the plug-ins.
+ *
+ * Since this is considered a critical configuration
+ * error, we bail out and exit the OpenVPN process.
+ */
+error = true;
+msg(M_FATAL,
+"Exiting due to multiple authentication plug-ins "
+"performing deferred authentication. Only one "
+"authentication plug-in doing deferred auth is "
+"allowed. Ignoring the result and stopping now, "
+"the current authentication result is not to be "
+"trusted.");
+break;
+}
+deferred_auth_done = true;
break;
default:
@@ -858,7 +885,7 @@ plugin_call_ssl(const struct plugin_list *pl,
{
return OPENVPN_PLUGIN_FUNC_ERROR;
}
-else if (deferred)
+else if (deferred_auth_done)
{
return OPENVPN_PLUGIN_FUNC_DEFERRED;
}
--
2.27.0
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v2.4 v5 3/3] plug-ins: Remove defer/simple.c sample plugin
From: David Sommerseth
The use case for this plug-in is dubious now with the new multi-auth.c
plugin available. This new plugin is based on simple.c, but allows
far more flexibility for testing.
Signed-off-by: David Sommerseth
---
sample/sample-plugins/defer/README | 3 -
sample/sample-plugins/defer/simple.c | 541 -
sample/sample-plugins/defer/simple.def | 6 -
3 files changed, 550 deletions(-)
delete mode 100644 sample/sample-plugins/defer/simple.c
delete mode 100755 sample/sample-plugins/defer/simple.def
diff --git a/sample/sample-plugins/defer/README
b/sample/sample-plugins/defer/README
index 4c032993..b20f4eea 100644
--- a/sample/sample-plugins/defer/README
+++ b/sample/sample-plugins/defer/README
@@ -2,9 +2,6 @@ OpenVPN plugin examples.
Examples provided:
-simple.c -- using the --auth-user-pass-verify callback,
-test deferred authentication.
-
multi-auth.c -- Test plug-in for testing multiple authentication
plug-ins in the same OpenVPN server configuration.
Only tested on Linux.
diff --git a/sample/sample-plugins/defer/simple.c
b/sample/sample-plugins/defer/simple.c
deleted file mode 100644
index 6f08bedd..
--- a/sample/sample-plugins/defer/simple.c
+++ /dev/null
@@ -1,541 +0,0 @@
-/*
- * OpenVPN -- An application to securely tunnel IP networks
- * over a single TCP/UDP port, with support for SSL/TLS-based
- * session authentication and key exchange,
- * packet encryption, packet authentication, and
- * packet compression.
- *
- * Copyright (C) 2002-2018 OpenVPN Inc
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2
- * as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-/*
- * This file implements a simple OpenVPN plugin module which
- * will test deferred authentication and packet filtering.
- *
- * Will run on Windows or *nix.
- *
- * Sample usage:
- *
- * setenv test_deferred_auth 20
- * setenv test_packet_filter 10
- * plugin plugin/defer/simple.so
- *
- * This will enable deferred authentication to occur 20
- * seconds after the normal TLS authentication process,
- * and will cause a packet filter file to be generated 10
- * seconds after the initial TLS negotiation, using
- * {common-name}.pf as the source.
- *
- * Sample packet filter configuration:
- *
- * [CLIENTS DROP]
- * +otherclient
- * [SUBNETS DROP]
- * +10.0.0.0/8
- * -10.10.0.8
- * [END]
- *
- * See the README file for build instructions.
- */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include "openvpn-plugin.h"
-
-/* Pointers to functions exported from openvpn */
-static plugin_log_t plugin_log = NULL;
-
-/*
- * Constants indicating minimum API and struct versions by the functions
- * in this plugin. Consult openvpn-plugin.h, look for:
- * OPENVPN_PLUGIN_VERSION and OPENVPN_PLUGINv3_STRUCTVER
- *
- * Strictly speaking, this sample code only requires plugin_log, a feature
- * of structver version 1. However, '1' lines up with ancient versions
- * of openvpn that are past end-of-support. As such, we are requiring
- * structver '5' here to indicate a desire for modern openvpn, rather
- * than a need for any particular feature found in structver beyond '1'.
- */
-#define OPENVPN_PLUGIN_VERSION_MIN 3
-#define OPENVPN_PLUGIN_STRUCTVER_MIN 5
-
-/*
- * Our context, where we keep our state.
- */
-
-struct plugin_context {
-int test_deferred_auth;
-int test_packet_filter;
-};
-
-struct plugin_per_client_context {
-int n_calls;
-bool generated_pf_file;
-};
-
-/* module name for plugin_log() */
-static char *MODULE = "defer/simple";
-
-/*
- * Given an environmental variable name, search
- * the envp array for its value, returning it
- * if found or NULL otherwise.
- */
-static const char *
-get_env(const char *name, const char *envp[])
-{
-if (envp)
-{
-int i;
-const int namelen = strlen(name);
-for (i = 0; envp[i]; ++i)
-{
-if (!strncmp(envp[i], name, namelen))
-{
-const char *cp = envp[i] + namelen;
-if (*cp == '=')
-{
-return cp + 1;
-}
-}
-}
-}
-return NULL;
-}
-
-/* used for safe printf of possible NULL strings */
-static const char *
-np(const char *
[Openvpn-devel] [PATCH v2.4 v5 0/3] Disable multiple deferred authentication plug-ins
From: David Sommerseth This is the same patch set as the v4 [1] patch set, just without the embarrassing syntax error in the second patch. [1] <https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23935.html> Message-Id: 20220313200715.13518-1-open...@sf.lists.topphemmelig.net David Sommerseth (3): sample-plugin: New plugin for testing multiple auth plugins plug-ins: Disallow multiple deferred authentication plug-ins plug-ins: Remove defer/simple.c sample plugin doc/openvpn.8| 13 + doc/tests/authentication-plugins.md | 153 +++ sample/sample-plugins/defer/README | 9 +- sample/sample-plugins/defer/multi-auth.c | 413 + sample/sample-plugins/defer/simple.c | 541 --- sample/sample-plugins/defer/simple.def | 6 - src/openvpn/plugin.c | 33 +- 7 files changed, 616 insertions(+), 552 deletions(-) create mode 100644 doc/tests/authentication-plugins.md create mode 100644 sample/sample-plugins/defer/multi-auth.c delete mode 100644 sample/sample-plugins/defer/simple.c delete mode 100755 sample/sample-plugins/defer/simple.def -- 2.27.0 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v2.4 v4 3/3] plug-ins: Remove defer/simple.c sample plugin
From: David Sommerseth
The use case for this plug-in is dubious now with the new multi-auth.c
plugin available. This new plugin is based on simple.c, but allows
far more flexibility for testing.
Signed-off-by: David Sommerseth
---
sample/sample-plugins/defer/README | 3 -
sample/sample-plugins/defer/simple.c | 541 -
sample/sample-plugins/defer/simple.def | 6 -
3 files changed, 550 deletions(-)
delete mode 100644 sample/sample-plugins/defer/simple.c
delete mode 100755 sample/sample-plugins/defer/simple.def
diff --git a/sample/sample-plugins/defer/README
b/sample/sample-plugins/defer/README
index 4c032993..b20f4eea 100644
--- a/sample/sample-plugins/defer/README
+++ b/sample/sample-plugins/defer/README
@@ -2,9 +2,6 @@ OpenVPN plugin examples.
Examples provided:
-simple.c -- using the --auth-user-pass-verify callback,
-test deferred authentication.
-
multi-auth.c -- Test plug-in for testing multiple authentication
plug-ins in the same OpenVPN server configuration.
Only tested on Linux.
diff --git a/sample/sample-plugins/defer/simple.c
b/sample/sample-plugins/defer/simple.c
deleted file mode 100644
index 6f08bedd..
--- a/sample/sample-plugins/defer/simple.c
+++ /dev/null
@@ -1,541 +0,0 @@
-/*
- * OpenVPN -- An application to securely tunnel IP networks
- * over a single TCP/UDP port, with support for SSL/TLS-based
- * session authentication and key exchange,
- * packet encryption, packet authentication, and
- * packet compression.
- *
- * Copyright (C) 2002-2018 OpenVPN Inc
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2
- * as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-/*
- * This file implements a simple OpenVPN plugin module which
- * will test deferred authentication and packet filtering.
- *
- * Will run on Windows or *nix.
- *
- * Sample usage:
- *
- * setenv test_deferred_auth 20
- * setenv test_packet_filter 10
- * plugin plugin/defer/simple.so
- *
- * This will enable deferred authentication to occur 20
- * seconds after the normal TLS authentication process,
- * and will cause a packet filter file to be generated 10
- * seconds after the initial TLS negotiation, using
- * {common-name}.pf as the source.
- *
- * Sample packet filter configuration:
- *
- * [CLIENTS DROP]
- * +otherclient
- * [SUBNETS DROP]
- * +10.0.0.0/8
- * -10.10.0.8
- * [END]
- *
- * See the README file for build instructions.
- */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include "openvpn-plugin.h"
-
-/* Pointers to functions exported from openvpn */
-static plugin_log_t plugin_log = NULL;
-
-/*
- * Constants indicating minimum API and struct versions by the functions
- * in this plugin. Consult openvpn-plugin.h, look for:
- * OPENVPN_PLUGIN_VERSION and OPENVPN_PLUGINv3_STRUCTVER
- *
- * Strictly speaking, this sample code only requires plugin_log, a feature
- * of structver version 1. However, '1' lines up with ancient versions
- * of openvpn that are past end-of-support. As such, we are requiring
- * structver '5' here to indicate a desire for modern openvpn, rather
- * than a need for any particular feature found in structver beyond '1'.
- */
-#define OPENVPN_PLUGIN_VERSION_MIN 3
-#define OPENVPN_PLUGIN_STRUCTVER_MIN 5
-
-/*
- * Our context, where we keep our state.
- */
-
-struct plugin_context {
-int test_deferred_auth;
-int test_packet_filter;
-};
-
-struct plugin_per_client_context {
-int n_calls;
-bool generated_pf_file;
-};
-
-/* module name for plugin_log() */
-static char *MODULE = "defer/simple";
-
-/*
- * Given an environmental variable name, search
- * the envp array for its value, returning it
- * if found or NULL otherwise.
- */
-static const char *
-get_env(const char *name, const char *envp[])
-{
-if (envp)
-{
-int i;
-const int namelen = strlen(name);
-for (i = 0; envp[i]; ++i)
-{
-if (!strncmp(envp[i], name, namelen))
-{
-const char *cp = envp[i] + namelen;
-if (*cp == '=')
-{
-return cp + 1;
-}
-}
-}
-}
-return NULL;
-}
-
-/* used for safe printf of possible NULL strings */
-static const char *
-np(const char *
[Openvpn-devel] [PATCH v2.4 v4 2/3] plug-ins: Disallow multiple deferred authentication plug-ins
From: David Sommerseth
The plug-in API in OpenVPN 2.x is not designed for running multiple
deferred authentication processes in parallel. The authentication
results of such configurations are not to be trusted. For now we bail
out when this discovered with an error in the log.
CVE: 2022-0547
Signed-off-by: David Sommerseth
---
Note: The man page snippet is copied from the generated nroff formatting from
the git master generated man page.
v3 - flip CONSTANT==var to var==CONSTANT in if() clause
v4 - Use M_FATAL instead of M_ERR
---
doc/openvpn.8| 13 +
src/openvpn/plugin.c | 33 ++---
2 files changed, 43 insertions(+), 3 deletions(-)
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 598d5fce..a6a5feb6 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -2805,6 +2805,19 @@ function (such as tls\-verify, auth\-user\-pass\-verify,
or
client\-connect), then
every module and script must return success (0) in order for
the connection to be authenticated.
+
+.INDENT 7.0
+.TP
+.B \fBWARNING\fP:
+Plug\-ins may do deferred execution, meaning the plug\-in will
+return the control back to the main OpenVPN process and provide
+the plug\-in result later on via a different thread or process.
+OpenVPN does \fBNOT\fP support multiple authentication plug\-ins
+\fBwhere more than one of them\fP do deferred authentication.
+If this behaviour is detected, OpenVPN will shut down upon first
+authentication.
+.UNINDENT
+.UNINDENT
.\"*
.TP
.B \-\-keying\-material\-exporter label len
diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c
index 0ab99ab5..76d1b2e5 100644
--- a/src/openvpn/plugin.c
+++ b/src/openvpn/plugin.c
@@ -809,7 +809,7 @@ plugin_call_ssl(const struct plugin_list *pl,
const int n = plugin_n(pl);
bool success = false;
bool error = false;
-bool deferred = false;
+bool deferred_auth_done = false;
setenv_del(es, "script_type");
envp = make_env_array(es, false, );
@@ -834,7 +834,34 @@ plugin_call_ssl(const struct plugin_list *pl,
break;
case OPENVPN_PLUGIN_FUNC_DEFERRED:
-deferred = true;
+if ((type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY
+&& deferred_auth_done)
+{
+/*
+ * Do not allow deferred auth if a deferred auth has
+ * already been started. This should allow a single
+ * deferred auth call to happen, with one or more
+ * auth calls with an instant authentication result.
+ *
+ * The plug-in API is not designed for multiple
+ * deferred authentications to happen, as the
+ * auth_control_file file will be shared across all
+ * the plug-ins.
+ *
+ * Since this is considered a critical configuration
+ * error, we bail out and exit the OpenVPN process.
+ */
+error = true;
+msg(M_FATAL,
+"Exiting due to multiple authentication plug-ins "
+"performing deferred authentication. Only one "
+"authentication plug-in doing deferred auth is "
+"allowed. Ignoring the result and stopping now, "
+"the current authentication result is not to be "
+"trusted.");
+break;
+}
+deferred_auth_done = true;
break;
default:
@@ -858,7 +885,7 @@ plugin_call_ssl(const struct plugin_list *pl,
{
return OPENVPN_PLUGIN_FUNC_ERROR;
}
-else if (deferred)
+else if (deferred_auth_done)
{
return OPENVPN_PLUGIN_FUNC_DEFERRED;
}
--
2.27.0
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v2.4 v4 1/3] sample-plugin: New plugin for testing multiple auth plugins
From: David Sommerseth This plugin allows setting username/passwords as well as configure deferred authentication behaviour as part of the runtime initialization. With this plug-in it is easier to test various scenarios where multiple authentication plug-ins are active on the server side. A test documentation was also added to describe various test cases and the expected results. Signed-off-by: David Sommerseth --- v3 - Flipped NULL==var/NULL!=var to (var)/(!var) in if() block --- doc/tests/authentication-plugins.md | 153 + sample/sample-plugins/defer/README | 8 + sample/sample-plugins/defer/multi-auth.c | 413 +++ 3 files changed, 574 insertions(+) create mode 100644 doc/tests/authentication-plugins.md create mode 100644 sample/sample-plugins/defer/multi-auth.c diff --git a/doc/tests/authentication-plugins.md b/doc/tests/authentication-plugins.md new file mode 100644 index ..1f5fb851 --- /dev/null +++ b/doc/tests/authentication-plugins.md @@ -0,0 +1,153 @@ +# TESTING OF MULTIPLE AUTHENTICATION PLUG-INS + + +OpenVPN 2.x can support loading and authenticating users through multiple +plug-ins at the same time. But it can only support a single plug-in doing +deferred authentication. However, a plug-in supporting deferred +authentication may be accompanied by other authentication plug-ins **not** +doing deferred authentication. + +This is a test script useful to test the various combinations and order of +plug-in execution. + +The configuration files are expected to be used from the root of the build +directory. + +To build the needed authentication plug-in, run: + + make -C sample/sample-plugins + + +## Test configs + +* Client config + + verb 4 + dev tun + client + remote x.x.x.x + ca sample/sample-keys/ca.crt + cert sample/sample-keys/client.crt + key sample/sample-keys/client.key + auth-user-pass + +* Base server config (`base-server.conf`) + + verb 4 + dev tun + server 10.8.0.0 255.255.255.0 + dh sample/sample-keys/dh2048.pem + ca sample/sample-keys/ca.crt + cert sample/sample-keys/server.crt + key sample/sample-keys/server.key + + +## Test cases + +### Test: *sanity-1* + +This tests the basic authentication with an instant answer. + + config base-server.conf + plugin multi-auth.so S1.1 0 foo bar + + Expected results + - Username/password `foo`/`bar`: **PASS** + - Anything else: **FAIL** + + +### Test: *sanity-2* + +This is similar to `sanity-1`, but does the authentication +through two plug-ins providing an instant reply. + + config base-server.conf + plugin multi-auth.so S2.1 0 foo bar + plugin multi-auth.so S2.2 0 foo bar + + Expected results + - Username/password `foo`/`bar`: **PASS** + - Anything else: **FAIL** + + +### Test: *sanity-3* + +This is also similar to `sanity-1`, but uses deferred authentication +with a 1 second delay on the response. + + plugin multi-auth.so S3.1 1000 foo bar + + Expected results + - Username/password `foo`/`bar`: **PASS** + - Anything else: **FAIL** + + +### Test: *case-a* + +Runs two authentications, the first one deferred by 1 second and the +second one providing an instant response. + + plugin multi-auth.so A.1 1000 foo bar + plugin multi-auth.so A.2 0 foo bar + + Expected results + - Username/password `foo`/`bar`: **PASS** + - Anything else: **FAIL** + + +### Test: *case-b* + +This is similar to `case-a`, but the instant authentication response +is provided first before the deferred authentication. + + plugin multi-auth.so B.1 0 foo bar + plugin multi-auth.so B.2 1000 test pass + + Expected results + - **Always FAIL** + - This test should never pass, as each plug-in expects different + usernames and passwords. + + +### Test: *case-c* + +This is similar to the two prior tests, but the authentication result +is returned instantly in both steps. + + plugin multi-auth.so C.1 0 foo bar + plugin multi-auth.so C.2 0 foo2 bar2 + + Expected results + - **Always FAIL** + - This test should never pass, as each plug-in expects different + usernames and passwords. + + +### Test: *case-d* + +This is similar to the `case-b` test, but the order of deferred +and instant response is reversed. + +plugin ./multi-auth.so D.1 2000 test pass +plugin ./multi-auth.so D.2 0 foo bar + + Expected results + - **Always FAIL** + - This test should never pass, as each plug-in expects different + usernames and passwords. + + +### Test: *case-e* + +This test case will run two deferred authentication plug-ins. This is +**not** supported by OpenVPN, and should therefore fail instantly. + +plugin ./multi-auth.so E1 1000 test1 pass1 +plugin ./multi-auth.so E2 2000 test2 pass2 + + Expected results + - The OpenVPN server process should stop running + - An error about multiple deferred plug-ins being configured + should be seen in the server log. + + diff --git
[Openvpn-devel] [PATCH v2.4 v4 0/3] Disable multiple deferred authentication plug-ins
From: David Sommerseth This is an adopted version of [0] for the OpenVPN 2.4 release branch. It was discovered an issue with OpenVPN 2.x when multiple --plugin modules were loaded and more than one of them used deferred authentication. To fix this properly will require a larger refactoring of the plug-in code, so it was decided in the mean time to disable the possibility to run an OpenVPN server with such a setup. This issue affects the OpenVPN server mode only. This patch set adds a new test plug-in and adds some test documentation on how to test various combinations of authentication plug-ins. Since this new plug-in (multi-auth.c) is fairly close to the simple.c plug-in, just more flexible for test setups, we remove the old one. The fix itself is isolated in a separate patch in this set. The order of patches are insignificant; there are no inter-dependencies between them. [0] <https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23934.html> Message-ID: <20220313193154.9350-1-open...@sf.lists.topphemmelig.net> -- kind regards, David Sommerseth OpenVPN Inc David Sommerseth (3): sample-plugin: New plugin for testing multiple auth plugins plug-ins: Disallow multiple deferred authentication plug-ins plug-ins: Remove defer/simple.c sample plugin doc/openvpn.8| 13 + doc/tests/authentication-plugins.md | 153 +++ sample/sample-plugins/defer/README | 9 +- sample/sample-plugins/defer/multi-auth.c | 413 + sample/sample-plugins/defer/simple.c | 541 --- sample/sample-plugins/defer/simple.def | 6 - src/openvpn/plugin.c | 33 +- 7 files changed, 616 insertions(+), 552 deletions(-) create mode 100644 doc/tests/authentication-plugins.md create mode 100644 sample/sample-plugins/defer/multi-auth.c delete mode 100644 sample/sample-plugins/defer/simple.c delete mode 100755 sample/sample-plugins/defer/simple.def -- 2.27.0 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v4 3/3] plugins: Remove defer/simple.c sample plugin
From: David Sommerseth
The use case for this plug-in is dubious now with the new multi-auth.c
plugin available. This new plugin is based on simple.c, but allows
far more flexibility for testing.
Signed-off-by: David Sommerseth
---
include/openvpn-plugin.h.in| 4 +-
sample/sample-plugins/Makefile.plugins | 1 -
sample/sample-plugins/README | 6 +-
sample/sample-plugins/defer/simple.c | 393 -
sample/sample-plugins/defer/simple.def | 6 -
5 files changed, 6 insertions(+), 404 deletions(-)
delete mode 100644 sample/sample-plugins/defer/simple.c
delete mode 100755 sample/sample-plugins/defer/simple.def
diff --git a/include/openvpn-plugin.h.in b/include/openvpn-plugin.h.in
index 087010a4..dc7c5306 100644
--- a/include/openvpn-plugin.h.in
+++ b/include/openvpn-plugin.h.in
@@ -584,8 +584,8 @@ OPENVPN_PLUGIN_DEF openvpn_plugin_handle_t
OPENVPN_PLUGIN_FUNC(openvpn_plugin_op
*
* OpenVPN will delete the auth_control_file after it goes out of scope.
*
- * See plugin/defer/simple.c for an example on using asynchronous
- * authentication.
+ * See sample/sample-plugins/defer/multi-auth.c for an example on using
+ * asynchronous authentication.
*/
OPENVPN_PLUGIN_DEF int OPENVPN_PLUGIN_FUNC(openvpn_plugin_func_v2)
(openvpn_plugin_handle_t handle,
diff --git a/sample/sample-plugins/Makefile.plugins
b/sample/sample-plugins/Makefile.plugins
index 8bfbad09..917b02b6 100644
--- a/sample/sample-plugins/Makefile.plugins
+++ b/sample/sample-plugins/Makefile.plugins
@@ -7,7 +7,6 @@
# Plug-ins to build - listed entries should not carry any extensions
#
PLUGINS = \
- defer/simple \
defer/multi-auth \
keying-material-exporter-demo/keyingmaterialexporter \
log/log log/log_v3 \
diff --git a/sample/sample-plugins/README b/sample/sample-plugins/README
index cf1b355e..356f603d 100644
--- a/sample/sample-plugins/README
+++ b/sample/sample-plugins/README
@@ -5,8 +5,10 @@ Examples provided:
* authentication and logging
simple/simple.c -- using the --auth-user-pass-verify callback, verify
that the username/password is "foo"/"bar".
-defer/simple.c -- using the --auth-user-pass-verify callback,
- test deferred authentication.
+defer/multi-auth.c
+-- using the --auth-user-pass-verify callback,
+ test deferred authentication. Can be used to test multiple
+ authentication plugins in the same server config.
log/log.c -- Extended variant of simple/simple.c which adds more
logging of what is happening inside the plug-in
log/log_v3.c-- A variant of log/log.c, which makes use of the
diff --git a/sample/sample-plugins/defer/simple.c
b/sample/sample-plugins/defer/simple.c
deleted file mode 100644
index d2f614a5..
--- a/sample/sample-plugins/defer/simple.c
+++ /dev/null
@@ -1,393 +0,0 @@
-/*
- * OpenVPN -- An application to securely tunnel IP networks
- * over a single TCP/UDP port, with support for SSL/TLS-based
- * session authentication and key exchange,
- * packet encryption, packet authentication, and
- * packet compression.
- *
- * Copyright (C) 2002-2022 OpenVPN Inc
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2
- * as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-/*
- * This file implements a simple OpenVPN plugin module which
- * will test deferred authentication and packet filtering.
- *
- * Will run on Windows or *nix.
- *
- * Sample usage:
- *
- * setenv test_deferred_auth 20
- * setenv test_packet_filter 10
- * plugin plugin/defer/simple.so
- *
- * This will enable deferred authentication to occur 20
- * seconds after the normal TLS authentication process,
- * and will cause a packet filter file to be generated 10
- * seconds after the initial TLS negotiation, using
- * {common-name}.pf as the source.
- *
- * Sample packet filter configuration:
- *
- * [CLIENTS DROP]
- * +otherclient
- * [SUBNETS DROP]
- * +10.0.0.0/8
- * -10.10.0.8
- * [END]
- *
- * See the README file for build instructions.
- */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include "openvpn-plugin.h"
-
-/* Pointers to functions exported from openvpn */
-static plugin_log_t plugin_log = NULL;
-
-/*
- * Constants indicating m
[Openvpn-devel] [PATCH v4 2/3] plug-ins: Disallow multiple deferred authentication plug-ins
From: David Sommerseth
The plug-in API in OpenVPN 2.x is not designed for running multiple
deferred authentication processes in parallel. The authentication
results of such configurations are not to be trusted. For now we bail
out when this discovered with an error in the log.
CVE: 2022-0547
Signed-off-by: David Sommerseth
---
v2 - flip CONSTANT==var to var==CONSTANT in if() clause
v3 - Use M_FATAL instead of M_ERR
---
doc/man-sections/plugin-options.rst | 9
src/openvpn/plugin.c| 33 ++---
2 files changed, 39 insertions(+), 3 deletions(-)
diff --git a/doc/man-sections/plugin-options.rst
b/doc/man-sections/plugin-options.rst
index 51c574fe..6cbbc2f3 100644
--- a/doc/man-sections/plugin-options.rst
+++ b/doc/man-sections/plugin-options.rst
@@ -55,3 +55,12 @@ plug-ins must be prebuilt and adhere to the OpenVPN Plug-In
API.
(such as tls-verify, auth-user-pass-verify, or client-connect), then
every module and script must return success (:code:`0`) in order for the
connection to be authenticated.
+
+ **WARNING**:
+Plug-ins may do deferred execution, meaning the plug-in will
+return the control back to the main OpenVPN process and provide
+the plug-in result later on via a different thread or process.
+OpenVPN does **NOT** support multiple authentication plug-ins
+**where more than one of them** do deferred authentication.
+If this behaviour is detected, OpenVPN will shut down upon first
+authentication.
diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c
index e3a89293..8236e29e 100644
--- a/src/openvpn/plugin.c
+++ b/src/openvpn/plugin.c
@@ -802,7 +802,7 @@ plugin_call_ssl(const struct plugin_list *pl,
const char **envp;
const int n = plugin_n(pl);
bool error = false;
-bool deferred = false;
+bool deferred_auth_done = false;
setenv_del(es, "script_type");
envp = make_env_array(es, false, );
@@ -824,7 +824,34 @@ plugin_call_ssl(const struct plugin_list *pl,
break;
case OPENVPN_PLUGIN_FUNC_DEFERRED:
-deferred = true;
+if ((type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
+&& deferred_auth_done)
+{
+/*
+ * Do not allow deferred auth if a deferred auth has
+ * already been started. This should allow a single
+ * deferred auth call to happen, with one or more
+ * auth calls with an instant authentication result.
+ *
+ * The plug-in API is not designed for multiple
+ * deferred authentications to happen, as the
+ * auth_control_file file will be shared across all
+ * the plug-ins.
+ *
+ * Since this is considered a critical configuration
+ * error, we bail out and exit the OpenVPN process.
+ */
+error = true;
+msg(M_FATAL,
+"Exiting due to multiple authentication plug-ins "
+"performing deferred authentication. Only one "
+"authentication plug-in doing deferred auth is "
+"allowed. Ignoring the result and stopping now, "
+"the current authentication result is not to be "
+"trusted.");
+break;
+}
+deferred_auth_done = true;
break;
default:
@@ -844,7 +871,7 @@ plugin_call_ssl(const struct plugin_list *pl,
{
return OPENVPN_PLUGIN_FUNC_ERROR;
}
-else if (deferred)
+else if (deferred_auth_done)
{
return OPENVPN_PLUGIN_FUNC_DEFERRED;
}
--
2.27.0
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v4 1/3] sample-plugin: New plugin for testing multiple auth plugins
From: David Sommerseth This plugin allows setting username/passwords as well as configure deferred authentication behaviour as part of the runtime initialization. With this plug-in it is easier to test various scenarios where multiple authentication plug-ins are active on the server side. A test documentation was also added to describe various test cases and the expected results. Signed-off-by: David Sommerseth --- v2 - Flipped NULL==var to var==NULL --- doc/tests/authentication-plugins.md | 153 + sample/sample-plugins/Makefile.plugins | 1 + sample/sample-plugins/defer/multi-auth.c | 413 +++ 3 files changed, 567 insertions(+) create mode 100644 doc/tests/authentication-plugins.md create mode 100644 sample/sample-plugins/defer/multi-auth.c diff --git a/doc/tests/authentication-plugins.md b/doc/tests/authentication-plugins.md new file mode 100644 index ..1f5fb851 --- /dev/null +++ b/doc/tests/authentication-plugins.md @@ -0,0 +1,153 @@ +# TESTING OF MULTIPLE AUTHENTICATION PLUG-INS + + +OpenVPN 2.x can support loading and authenticating users through multiple +plug-ins at the same time. But it can only support a single plug-in doing +deferred authentication. However, a plug-in supporting deferred +authentication may be accompanied by other authentication plug-ins **not** +doing deferred authentication. + +This is a test script useful to test the various combinations and order of +plug-in execution. + +The configuration files are expected to be used from the root of the build +directory. + +To build the needed authentication plug-in, run: + + make -C sample/sample-plugins + + +## Test configs + +* Client config + + verb 4 + dev tun + client + remote x.x.x.x + ca sample/sample-keys/ca.crt + cert sample/sample-keys/client.crt + key sample/sample-keys/client.key + auth-user-pass + +* Base server config (`base-server.conf`) + + verb 4 + dev tun + server 10.8.0.0 255.255.255.0 + dh sample/sample-keys/dh2048.pem + ca sample/sample-keys/ca.crt + cert sample/sample-keys/server.crt + key sample/sample-keys/server.key + + +## Test cases + +### Test: *sanity-1* + +This tests the basic authentication with an instant answer. + + config base-server.conf + plugin multi-auth.so S1.1 0 foo bar + + Expected results + - Username/password `foo`/`bar`: **PASS** + - Anything else: **FAIL** + + +### Test: *sanity-2* + +This is similar to `sanity-1`, but does the authentication +through two plug-ins providing an instant reply. + + config base-server.conf + plugin multi-auth.so S2.1 0 foo bar + plugin multi-auth.so S2.2 0 foo bar + + Expected results + - Username/password `foo`/`bar`: **PASS** + - Anything else: **FAIL** + + +### Test: *sanity-3* + +This is also similar to `sanity-1`, but uses deferred authentication +with a 1 second delay on the response. + + plugin multi-auth.so S3.1 1000 foo bar + + Expected results + - Username/password `foo`/`bar`: **PASS** + - Anything else: **FAIL** + + +### Test: *case-a* + +Runs two authentications, the first one deferred by 1 second and the +second one providing an instant response. + + plugin multi-auth.so A.1 1000 foo bar + plugin multi-auth.so A.2 0 foo bar + + Expected results + - Username/password `foo`/`bar`: **PASS** + - Anything else: **FAIL** + + +### Test: *case-b* + +This is similar to `case-a`, but the instant authentication response +is provided first before the deferred authentication. + + plugin multi-auth.so B.1 0 foo bar + plugin multi-auth.so B.2 1000 test pass + + Expected results + - **Always FAIL** + - This test should never pass, as each plug-in expects different + usernames and passwords. + + +### Test: *case-c* + +This is similar to the two prior tests, but the authentication result +is returned instantly in both steps. + + plugin multi-auth.so C.1 0 foo bar + plugin multi-auth.so C.2 0 foo2 bar2 + + Expected results + - **Always FAIL** + - This test should never pass, as each plug-in expects different + usernames and passwords. + + +### Test: *case-d* + +This is similar to the `case-b` test, but the order of deferred +and instant response is reversed. + +plugin ./multi-auth.so D.1 2000 test pass +plugin ./multi-auth.so D.2 0 foo bar + + Expected results + - **Always FAIL** + - This test should never pass, as each plug-in expects different + usernames and passwords. + + +### Test: *case-e* + +This test case will run two deferred authentication plug-ins. This is +**not** supported by OpenVPN, and should therefore fail instantly. + +plugin ./multi-auth.so E1 1000 test1 pass1 +plugin ./multi-auth.so E2 2000 test2 pass2 + + Expected results + - The OpenVPN server process should stop running + - An error about multiple deferred plug-ins being configured + should be seen in the server log. + + diff --git a/sample/sample-plugins
[Openvpn-devel] [PATCH v4 0/3] Disable multiple deferred authentication
From: David Sommerseth
It was discovered an issue with OpenVPN 2.x when multiple --plugin
modules were loaded and more than one of them used deferred
authentication. To fix this properly will require a larger refactoring
of the plug-in code, so it was decided in the mean time to disable the
possibility to run an OpenVPN server with such a setup. This issue
affects the OpenVPN server mode only.
This patch set adds a new test plug-in and adds some test documentation
on how to test various combinations of authentication plug-ins. Since
this new plug-in (multi-auth.c) is fairly close to the simple.c plug-in,
just more flexible for test setups, we remove the old one. The fix
itself is isolated in a separate patch in this set.
The order of patches are insignificant; there are no inter-dependencies
between them.
--
kind regards,
David Sommerseth
OpenVPN Inc
---
David Sommerseth (3):
sample-plugin: New plugin for testing multiple auth plugins
plug-ins: Disallow multiple deferred authentication plug-ins
plugins: Remove defer/simple.c sample plugin
doc/man-sections/plugin-options.rst | 9 +
doc/tests/authentication-plugins.md | 153 +++
include/openvpn-plugin.h.in | 4 +-
sample/sample-plugins/Makefile.plugins| 2 +-
sample/sample-plugins/README | 6 +-
.../defer/{simple.c => multi-auth.c} | 248 ++
sample/sample-plugins/defer/simple.def| 6 -
src/openvpn/plugin.c | 33 ++-
8 files changed, 333 insertions(+), 128 deletions(-)
create mode 100644 doc/tests/authentication-plugins.md
rename sample/sample-plugins/defer/{simple.c => multi-auth.c} (61%)
delete mode 100755 sample/sample-plugins/defer/simple.def
--
2.27.0
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] doc: cleanup for --data-ciphers and related
On 21/02/2022 12:19, Frank Lichtenheld wrote: - Fix various formatting inconsistencies - Explain what NCP means before using it. - Also replace some of the usages of NCP with the clearer "cipher negotiation". Signed-off-by: Frank Lichtenheld --- doc/man-sections/protocol-options.rst | 34 +-- 1 file changed, 17 insertions(+), 17 deletions(-) Only glared at changes, and they looks good to me. Acked-By: David Sommerseth -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH 3/3 v3] doc/options: clean up documentation for --proto and related options
On 15/02/2022 15:54, Frank Lichtenheld wrote: The family specific options were generally omitted. Cc: David Sommerseth Signed-off-by: Frank Lichtenheld --- doc/man-sections/client-options.rst | 10 ++ doc/man-sections/link-options.rst | 5 - src/openvpn/options.c | 17 + 3 files changed, 23 insertions(+), 9 deletions(-) v2: move #define around v3: reword --proto-force with input from David This looks good. Only glared at changes, and they looks good to me. Acked-By: David Sommerseth -- kind regards, David Sommerseth OpenVPN Inc OpenPGP_signature Description: OpenPGP digital signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH 2/3 v2] doc: fix misc documentation issues
On 14/02/2022 18:33, Frank Lichtenheld wrote: - Broken/missing formatting - Make it obvious which arguments are optional Only the files touched have been reviewed, all other files likely have similar issues. Signed-off-by: Frank Lichtenheld --- doc/man-sections/client-options.rst | 4 ++-- doc/man-sections/generic-options.rst | 34 doc/man-sections/link-options.rst| 26 + src/openvpn/options.c| 2 +- 4 files changed, 43 insertions(+), 23 deletions(-) v2: remove some changes David disliked. Not that important. > Regards, -- Frank Lichtenheld Thanks! This time I've only glared at the changes in diff format, but they all look sane and good to me. Acked-By: David Sommerseth -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH 3/3 v2] doc/options: clean up documentation for --proto and related options
On 14/02/2022 13:41, Frank Lichtenheld wrote: David Sommerseth hat am 11.02.2022 21:39 geschrieben: On 10/02/2022 11:21, Frank Lichtenheld wrote: The family specific options were generally omitted. Signed-off-by: Frank Lichtenheld --- doc/man-sections/client-options.rst | 5 + doc/man-sections/link-options.rst | 5 - src/openvpn/options.c | 17 + 3 files changed, 18 insertions(+), 9 deletions(-) v2: move #define around diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst index 73f1ea51..4c4a8707 100644 --- a/doc/man-sections/client-options.rst +++ b/doc/man-sections/client-options.rst @@ -198,6 +198,11 @@ configuration. When iterating through connection profiles, only consider profiles using protocol ``p`` (:code:`tcp` \| :code:`udp`). + Note that this specifically only affects the protocol, not the inet + family (i.e. IPv4 vs. IPv6). While the option actually accepts + values like :code:`udp6`, there is no difference to specifying + :code:`udp`. + [...] Perhaps something like the suggestion below might be somewhat clearer? Note that this specifically only affects the TCP/IP transport layer protocol (UDP/TCP), not the TCP/IP network layers (IPv4/IPv6). In practice it means it will only consider connection profiles using either TCP or UDP. This does not affect whether IPv4 or IPv6 is used as IP protocols. In this context, :code:`udp`, :code:`udp4` and :code:`udp6` are all considered the same. And similar with :code:`tcp`, :code:`tcp4` and :code:`tcp6` Thanks, I hate it ;) Seriously though, I find this too clunky. Yes, TCP/IP is technically the correct name, but isn't that even more confusing? Maybe we can find a compromise: Note that this specifically only filters by the transport layer protocol, i.e. UDP or TCP. This does not affect whether IPv4 or IPv6 is used as IP protocol. For implementation reasons the option accepts the :code:`4` and :code:`6` suffixes when specifying the protocol (i.e. :code:`udp4` / :code:`udp6` / :code:`tcp4` / :code:`tcp6`). However, these behave the same as without the suffix and should be avoided to prevent confusion. Thanks, that's better! Let's roll with that. -- kind regards, David Sommerseth OpenVPN Inc OpenPGP_signature Description: OpenPGP digital signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH 3/3 v2] doc/options: clean up documentation for --proto and related options
On 10/02/2022 11:21, Frank Lichtenheld wrote: The family specific options were generally omitted. Signed-off-by: Frank Lichtenheld --- doc/man-sections/client-options.rst | 5 + doc/man-sections/link-options.rst | 5 - src/openvpn/options.c | 17 + 3 files changed, 18 insertions(+), 9 deletions(-) v2: move #define around diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst index 73f1ea51..4c4a8707 100644 --- a/doc/man-sections/client-options.rst +++ b/doc/man-sections/client-options.rst @@ -198,6 +198,11 @@ configuration. When iterating through connection profiles, only consider profiles using protocol ``p`` (:code:`tcp` \| :code:`udp`). + Note that this specifically only affects the protocol, not the inet + family (i.e. IPv4 vs. IPv6). While the option actually accepts + values like :code:`udp6`, there is no difference to specifying + :code:`udp`. + I'm sorry I didn't catch this at the previous round; somehow I mixed it with the --proto change below. The section above is related to --proto-force. May I suggest we clarify this text a bit more? As we have multiple definitions of protocol - whether it is the IP layer protocol or the TCP/UDP protocol on top of the IP layer. And in --proto we do indeed mix them up into a single option. Perhaps something like the suggestion below might be somewhat clearer? Note that this specifically only affects the TCP/IP transport layer protocol (UDP/TCP), not the TCP/IP network layers (IPv4/IPv6). In practice it means it will only consider connection profiles using either TCP or UDP. This does not affect whether IPv4 or IPv6 is used as IP protocols. In this context, :code:`udp`, :code:`udp4` and :code:`udp6` are all considered the same. And similar with :code:`tcp`, :code:`tcp4` and :code:`tcp6` The rest of the changes looks good now, and the relocation of the #define is better as well. -- kind regards, David Sommerseth OpenVPN Inc OpenPGP_signature Description: OpenPGP digital signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH 3/3] doc/options: clean up documentation for --proto and related options
On 09/12/2021 18:11, Frank Lichtenheld wrote:
The family specific options were generally omitted.
---
doc/man-sections/client-options.rst | 5 +
doc/man-sections/link-options.rst | 5 -
src/openvpn/options.c | 17 +
3 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/doc/man-sections/client-options.rst
b/doc/man-sections/client-options.rst
index 3c0bce4b..3a836226 100644
--- a/doc/man-sections/client-options.rst
+++ b/doc/man-sections/client-options.rst
@@ -198,6 +198,11 @@ configuration.
When iterating through connection profiles, only consider profiles using
protocol ``p`` (:code:`tcp` \| :code:`udp`).
+ Note that this specifically only affects the protocol, not the inet
+ family (i.e. IPv4 vs. IPv6). While the option actually accepts
+ values like :code:`udp6`, there is no difference to specifying
+ :code:`udp`.
+
--pull
This option must be used on a client which is connecting to a
multi-client server. It indicates to OpenVPN that it should accept
diff --git a/doc/man-sections/link-options.rst
b/doc/man-sections/link-options.rst
index 901751bb..a4c3166b 100644
--- a/doc/man-sections/link-options.rst
+++ b/doc/man-sections/link-options.rst
@@ -258,7 +258,10 @@ the local and the remote host.
--proto p
Use protocol ``p`` for communicating with remote host. ``p`` can be
- :code:`udp`, :code:`tcp-client`, or :code:`tcp-server`.
+ :code:`udp`, :code:`tcp-client`, or :code:`tcp-server`. You can also
+ limit OpenVPN to use only IPv4 or only IPv6 by specifying ``p`` as
+ :code:`udp4`, :code:`tcp4-client`, :code:`tcp4-server` or :code:`udp6`,
+ :code:`tcp6-client`, :code:`tcp6-server`, respectively.
The default protocol is :code:`udp` when ``--proto`` is not specified.
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index c1ec7ed0..c7cf3400 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -125,9 +125,11 @@ static const char usage_message[] =
"--remote-random-hostname : Add a random string to remote DNS name.\n"
"--mode m: Major mode, m = 'p2p' (default, point-to-point) or
'server'.\n"
"--proto p : Use protocol p for communicating with peer.\n"
-" p = udp (default), tcp-server, or tcp-client\n"
+" p = udp (default), tcp-server, tcp-client\n"
+" udp4, tcp4-server, tcp4-client\n"
+" udp6, tcp6-server, tcp6-client\n"
"--proto-force p : only consider protocol p in list of connection
profiles.\n"
-" p = udp6, tcp6-server, or tcp6-client (ipv6)\n"
+" p = udp or tcp\n"
"--connect-retry n [m] : For client, number of seconds to wait between\n"
" connection retries (default=%d). On repeated retries\n"
" the wait time is exponentially increased to a maximum of
m\n"
@@ -2314,15 +2316,16 @@ options_postprocess_verify_ce(const struct options
*options,
}
if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCP_SERVER))
{
-msg(M_USAGE, "--mode server currently only supports "
-"--proto udp or --proto tcp-server or proto tcp6-server");
+#define USAGE_VALID_SERVER_PROTOS "--mode server currently only supports " \
+"--proto values of udp, tcp-server, tcp4-server, or tcp6-server"
+msg(M_USAGE, USAGE_VALID_SERVER_PROTOS);
The location of #define USAGE_VALID_SERVER_PROTOS is a bit odd. Because
it is also used outside of the if() scope where it is defined. I would
prefer if this would be defined higher up, maybe around line 2306, where
the whole MODE_SERVER option parsing starts. This makes it clearer it
is may be used more places.
I've just looked briefly at these changes. And it looks reasonable.
The ill-placed #define is the biggest issue for me in this patch. It
would be good to get a second-opinion on the added notes though, that
the man page info is correct. Otherwise this looks good.
--
kind regards,
David Sommerseth
OpenVPN Inc
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH 2/3] doc: fix misc documentation issues
n. If an attacker knows or is able to control (parts of) the plain-text of packets that contain diff --git a/src/openvpn/options.c b/src/openvpn/options.c index ac13412a..c1ec7ed0 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -343,7 +343,7 @@ static const char usage_message[] = " and received from TCP/UDP (caps) or tun/tap (lc)\n" ": 6 to 11 -- debug messages of increasing verbosity\n" "--mute n: Log at most n consecutive messages in the same category.\n" -"--status file n : Write operational status to file every n seconds.\n" +"--status file [n] : Write operational status to file every n seconds.\n" This is also good! I've not commented all changes, just the generic ideas of changes here. There are lots of good things here, and most of it makes sense. I'd just be very careful moving the "Valid syntax" blocks around. If we just want security warnings in plain bold or wrapped in '*' is more a design/layout detail. I would suggest that we try to find better ways to highlight these security related aspects in a clear and visible way though. It doesn't mean it need to stay as it is today, though. The current approach was more or less a "this can work" approach. -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH 1/3] doc/Makefile: rebuild rst docs if input files change
On 09/12/2021 18:11, Frank Lichtenheld wrote: For now the dependencies are statically defined, which should be fine and is still a much better solution than to have no dependencies. Signed-off-by: Frank Lichtenheld --- doc/Makefile.am | 21 +++-- 1 file changed, 15 insertions(+), 6 deletions(-) Done code review and lightly tested it, where it does what it is intended to do. This change makes a lot of sense as well. Acked-By: David Sommerseth -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] msvc: cleanup
On 08/02/2022 21:59, Frank Lichtenheld wrote:
One thing I noticed while building:
FOR /F %i IN ('where rst2html.py') DO python %i "c:\OpenVPN\openvpn\/doc/openvpn.8.rst"
"c:\OpenVPN\openvpn\/doc/openvpn.8.html"
This is clearly outdated code from before the rst split. But probably not
something that needs to be addressed in this patch.
The openvpn.8.rst includes all the other .rst files and builds a
complete man page from there, so this isn't unexpected. It's part of
the man-split design.
--
kind regards,
David Sommerseth
OpenVPN Inc
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v2 2/2] crypto: move OpenSSL specific FIPS check to its backend
On 03/02/2022 20:36, Antonio Quartulli wrote:
Our crypto API already provides a function performing a validity check
on the specified ciphername. The OpenSSL counterpart also checks for the
cipher being FIPS-enabled.
This API is cipher_valid(). Extend it so that it can provide a reason
whenever the cipher is not valid and use it in crypto.c.
This way we move any OpenSSL specific bit to its own
backend and directly use the new cipher_valid_reason() API in the
generic code.
This patch fixes compilations with mbedTLS when some OpenSSL is also
installed. The issue was introduced with:
544330fe ("crypto: Fix OPENSSL_FIPS enabled builds")
Cc: David Sommerseth
Signed-off-by: Antonio Quartulli
---
Changes from v1:
* rebased
* don't return cipher, but true in cipher_valid_reason()
src/openvpn/crypto.c | 11 +++
src/openvpn/crypto_backend.h | 21 -
src/openvpn/crypto_mbedtls.c | 13 +
src/openvpn/crypto_openssl.c | 6 +-
4 files changed, 37 insertions(+), 14 deletions(-)
I've done test builds on RHEL-8 with both openssl-1.1.1k and
mbedtls-2.16.12-1 without any issues. Just done some lightweight
testing on top of reviewing code. This looks good to me.
Acked-By: David Sommerseth
--
kind regards,
David Sommerseth
OpenVPN Inc
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v2 1/2] crypto: move validation logic from cipher_get to cipher_valid
On 03/02/2022 20:36, Antonio Quartulli wrote:
With cipher validation performed in cipher_get(), a cipher is never
returned in any case if some check fails.
This prevents OpenVPN from operating on all ciphers provided by the SSL
library, like printing them to the user.
Move the validation logic to cipher_valid() so that checks are performed
only when OpenVPN really want to know if a cipher is usable or not.
Fixes: ce2954a0 ("Remove cipher_kt_t and change type to const char* in API")
Cc: Arne Schwabe
Cc: David Sommerseth
Signed-off-by: Antonio Quartulli
---
Changes from v1:
* properly release cipher in case of error in cipher_valid();
src/openvpn/crypto_openssl.c | 34 +++---
1 file changed, 15 insertions(+), 19 deletions(-)
I've done compile testing and some lightweight testing as well as code
review. These changes looks reasonable.
Acked-By: David Sommerseth
--
kind regards,
David Sommerseth
OpenVPN Inc
OpenPGP_signature
Description: OpenPGP digital signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH 1/2] crypto: move validation logic from cipher_get to cipher_valid
On 26/01/2022 17:28, Antonio Quartulli wrote:
With cipher validation performed in cipher_get(), a cipher is never
returned in any case if some check fails.
This prevents OpenVPN from operating on all ciphers provided by the SSL
library, like printing them to the user.
Move the validation logic to cipher_valid() so that checks are performed
only when OpenVPN really want to know if a cipher is usable or not.
Fixes: ce2954a0 ("Remove cipher_kt_t and change type to const char* in API")
Cc: Arne Schwabe
Signed-off-by: Antonio Quartulli
---
NOTE: mbedtls already follows this approach and did not require
any change.
src/openvpn/crypto_openssl.c | 30 +++---
1 file changed, 11 insertions(+), 19 deletions(-)
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index a725306c..ea0147db 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -565,16 +565,19 @@ rand_bytes(uint8_t *output, int len)
static evp_cipher_type *
cipher_get(const char *ciphername)
{
-evp_cipher_type *cipher = NULL;
-
ASSERT(ciphername);
ciphername = translate_cipher_name_from_openvpn(ciphername);
-cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL);
+return EVP_CIPHER_fetch(NULL, ciphername, NULL);
+}
-if (NULL == cipher)
+bool cipher_valid(const char *ciphername)
Nitpick - function return 'bool' should be on a line on its own.
[...]
@@ -585,7 +588,7 @@ cipher_get(const char *ciphername)
{
msg(D_LOW, "Cipher algorithm '%s' is known by OpenSSL library but "
"currently disabled by running in FIPS mode.",
ciphername);
-return NULL;
+return false;
It's missing an EVP_CIPHER_free(cipher) here.
}
#endif
if (EVP_CIPHER_key_length(cipher) > MAX_CIPHER_KEY_LENGTH)
@@ -594,22 +597,11 @@ cipher_get(const char *ciphername)
"which is larger than " PACKAGE_NAME "'s current maximum key size
"
"(%d bytes)", ciphername, EVP_CIPHER_key_length(cipher),
MAX_CIPHER_KEY_LENGTH);
-return NULL;
+return false;
Missing EVP_CIPHER_free(cipher) here as well.
}
-return cipher;
-}
-
-bool cipher_valid(const char *ciphername)
-{
-evp_cipher_type *cipher = cipher_get(ciphername);
-bool valid = (cipher != NULL);
-if (!valid)
-{
-crypto_msg(D_LOW, "Cipher algorithm '%s' not found", ciphername);
-}
EVP_CIPHER_free(cipher);
-return valid;
+return true;
Maybe it would be better to have a 'bool ret = true' defined in the
beginning and have an 'exit' label above the EVP_CIPHER_free() and at
those two failure locations just set ret = false and goto exit?
--
kind regards,
David Sommerseth
OpenVPN Inc
OpenPGP_signature
Description: OpenPGP digital signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [RFC v2 0/7] Introduce ovpn-dco(-win) support
On 01/02/2022 15:56, Antonio Quartulli wrote: * COPR repo (Fedora, CentOS, RHEL) ** for openvpn2: https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-dco/ ** for ovpn-dco: https://copr.fedorainfracloud.org/coprs/dsommers/openvpn3/ Just a few quick steps on how to test this on Fedora and RHEL (with clones). First, ensure you have the a functional 'yum copr' command. This is normally available by default on Fedora and RHEL-8 and up. Then run these commands: # yum copr enable dsommers/openvpn-dco # yum copr enable dsommers/openvpn3 # yum install kmod-ovpn-dco openvpn Then you can put your server configs into /etc/openvpn/server and client configs into /etc/openvpn/client. To start the OpenVPN server: # systemctl enable --now openvpn-server@CONFIG_NAME To start the OpenVPN client: # systemctl enable --now openvpn-client@CONFIG_NAME These steps will also start OpenVPN automatically upon boot. If you don't want that, just replace 'enable --now' with 'start'. -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] update copyright year to 2022
On 25/01/2022 15:24, Antonio Quartulli wrote: Update performed by means of: dev-tools/update-copyright.sh Cc: David Sommerseth Signed-off-by: Antonio Quartulli --- COPYING | 2 +- ChangeLog | 2 +- Makefile.am | 4 ++-- PORTS | 2 +- build/Makefile.am | 2 +- build/msvc/Makefile.am | 2 +- build/msvc/msvc-generate/Makefile.am| 2 +- configure.ac| 2 +- dev-tools/gen-release-tarballs.sh | 2 +- dev-tools/reformat-all.sh | 2 +- dev-tools/update-copyright.sh | 4 ++-- distro/Makefile.am | 2 +- distro/systemd/Makefile.am | 2 +- doc/Makefile.am | 2 +- include/Makefile.am | 2 +- include/openvpn-msg.h | 2 +- include/openvpn-plugin.h.in | 2 +- sample/Makefile.am | 2 +- sample/sample-keys/gen-sample-keys.sh | 2 +- sample/sample-plugins/Makefile.am | 2 +- sample/sample-plugins/Makefile.plugins | 2 +- .../sample-plugins/client-connect/sample-client-connect.c | 2 +- sample/sample-plugins/defer/simple.c| 2 +- .../keying-material-exporter-demo/keyingmaterialexporter.c | 2 +- sample/sample-plugins/log/log.c | 2 +- sample/sample-plugins/log/log_v3.c | 4 ++-- sample/sample-plugins/simple/base64.c | 2 +- sample/sample-plugins/simple/simple.c | 2 +- src/Makefile.am | 2 +- src/compat/Makefile.am | 2 +- src/compat/compat-gettimeofday.c| 2 +- src/compat/compat-strsep.c | 2 +- src/openvpn/Makefile.am | 2 +- src/openvpn/argv.c | 2 +- src/openvpn/argv.h | 2 +- src/openvpn/auth_token.h| 2 +- src/openvpn/basic.h | 2 +- src/openvpn/block_dns.c | 2 +- src/openvpn/block_dns.h | 2 +- src/openvpn/buffer.c| 2 +- src/openvpn/buffer.h| 2 +- src/openvpn/circ_list.h | 2 +- src/openvpn/clinat.c| 2 +- src/openvpn/clinat.h| 2 +- src/openvpn/common.h| 2 +- src/openvpn/comp-lz4.c | 4 ++-- src/openvpn/comp-lz4.h | 4 ++-- src/openvpn/comp.c | 2 +- src/openvpn/comp.h | 2 +- src/openvpn/compstub.c | 2 +- src/openvpn/console.c | 4 ++-- src/openvpn/console.h | 4 ++-- src/openvpn/console_builtin.c | 4 ++-- src/openvpn/crypto.c| 2 +- src/openvpn/crypto.h| 2 +- src/openvpn/crypto_backend.h| 2 +- src/openvpn/crypto_mbedtls.c| 2 +- src/openvpn/crypto_mbedtls.h| 2 +- src/openvpn/crypto_openssl.c| 2 +- src/openvpn/crypto_openssl.h| 2 +- src/openvpn/dhcp.c | 2 +- src/openvpn/dhcp.h | 2 +- src/openvpn/env_set.c | 4 ++-- src/openvpn/env_set.h | 2 +- src/openvpn/errlevel.h | 2 +- src/openvpn/error.c | 2 +- src/openvpn/error.h | 2 +- src/openvpn/event.c | 2 +- src/openvpn/event.h | 2 +- src/openvpn/fdmisc.c
[Openvpn-devel] [PATCH] crypto: Fix mbedtls builds
From: David Sommerseth With commit 544330fefedc87, the openssl_compat.h got included in crypto.c. This caused issues when building against mbed TLS, which this compat layer is not targeting. This issue is resolved by only including this header when the OpenSSL library is in use. The OPENSSL_FIPS macro should never be set when compiling against the mbed TLS library. But we check against the main ENABLE_CRYPTO_OPENSSL macro here, in case future updates adds more OpenSSL specific fragments. Signed-off-by: David Sommerseth --- src/openvpn/crypto.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 5f6ad675..d55ca099 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -34,7 +34,9 @@ #include "error.h" #include "integer.h" #include "platform.h" +#ifdef ENABLE_CRYPTO_OPENSSL #include "openssl_compat.h" +#endif #include "memdbg.h" -- 2.27.0 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v2] crypto: Fix OPENSSL_FIPS enabled builds
On 19/01/2022 17:34, Selva Nair wrote:
Hi,
Sorry for chiming in late:
On Wed, Jan 19, 2022 at 10:20 AM David Sommerseth
<mailto:open...@sf.lists.topphemmelig.net>> wrote:
From: David Sommerseth mailto:dav...@openvpn.net>>
On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS
module enabled by default. On these platforms, the OPENSSL_FIPS macro
is always defined via /usr/include/openssl/opensslconf-*.h.
Without this fix, the following compilation error appears:
./src/openvpn/crypto.c: In function ‘print_cipher’:
./src/openvpn/crypto.c:1707:43: error: ‘cipher’ undeclared (first
use in this function); did you mean ‘iphdr’?
if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) &
EVP_CIPH_FLAG_FIPS))
^~
The EVP_CIPHER_fetch() and EVP_CIPHER_free() methods are also provided
via the openssl_compat.h for older than OpenSSL 3.0.
Signed-off-by: David Sommerseth mailto:dav...@openvpn.net>>
---
src/openvpn/crypto.c | 4
1 file changed, 4 insertions(+)
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 5626e2b6..e489d453 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -34,6 +34,7 @@
#include "error.h"
#include "integer.h"
#include "platform.h"
+#include "openssl_compat.h"
#include "memdbg.h"
@@ -1704,10 +1705,13 @@ print_cipher(const char *ciphername)
printf(", TLS client/server mode only");
}
#ifdef OPENSSL_FIPS
+ evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL);
+
if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) &
EVP_CIPH_FLAG_FIPS))
We need to check that cipher is not NULL. Fetch can return NULL while
EVP_CIPHER_flags() requires a non-null argument. Something like: if
(cipher && FIPS_mode && etc...) will do.
EVP_CIPHER_free() below can handle NULL, so no problem there.
Thanks! v3 is on its way.
--
kind regards,
David Sommerseth
OpenVPN Inc
OpenPGP_signature
Description: OpenPGP digital signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v3] crypto: Fix OPENSSL_FIPS enabled builds
From: David Sommerseth
On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS
module enabled by default. On these platforms, the OPENSSL_FIPS macro
is always defined via /usr/include/openssl/opensslconf-*.h.
Without this fix, the following compilation error appears:
./src/openvpn/crypto.c: In function ‘print_cipher’:
./src/openvpn/crypto.c:1707:43: error: ‘cipher’ undeclared (first use in this
function); did you mean ‘iphdr’?
if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
^~
The EVP_CIPHER_fetch() and EVP_CIPHER_free() methods are also provided
via the openssl_compat.h for older than OpenSSL 3.0.
Signed-off-by: David Sommerseth
---
src/openvpn/crypto.c | 8 +++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 5626e2b6..eb0b1254 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -34,6 +34,7 @@
#include "error.h"
#include "integer.h"
#include "platform.h"
+#include "openssl_compat.h"
#include "memdbg.h"
@@ -1704,10 +1705,15 @@ print_cipher(const char *ciphername)
printf(", TLS client/server mode only");
}
#ifdef OPENSSL_FIPS
-if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
+evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL);
+
+if (FIPS_mode()
+&& (NULL != cipher)
+&& !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
{
printf(", disabled by FIPS mode");
}
+EVP_CIPHER_free(cipher);
#endif
printf(")\n");
--
2.27.0
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v2] crypto: Fix OPENSSL_FIPS enabled builds
From: David Sommerseth
On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS
module enabled by default. On these platforms, the OPENSSL_FIPS macro
is always defined via /usr/include/openssl/opensslconf-*.h.
Without this fix, the following compilation error appears:
./src/openvpn/crypto.c: In function ‘print_cipher’:
./src/openvpn/crypto.c:1707:43: error: ‘cipher’ undeclared (first use in this
function); did you mean ‘iphdr’?
if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
^~
The EVP_CIPHER_fetch() and EVP_CIPHER_free() methods are also provided
via the openssl_compat.h for older than OpenSSL 3.0.
Signed-off-by: David Sommerseth
---
src/openvpn/crypto.c | 4
1 file changed, 4 insertions(+)
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 5626e2b6..e489d453 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -34,6 +34,7 @@
#include "error.h"
#include "integer.h"
#include "platform.h"
+#include "openssl_compat.h"
#include "memdbg.h"
@@ -1704,10 +1705,13 @@ print_cipher(const char *ciphername)
printf(", TLS client/server mode only");
}
#ifdef OPENSSL_FIPS
+evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL);
+
if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
{
printf(", disabled by FIPS mode");
}
+EVP_CIPHER_free(cipher);
#endif
printf(")\n");
--
2.27.0
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] crypto: Fix OPENSSL_FIPS enabled builds
On 19/01/2022 14:44, Antonio Quartulli wrote:
Hi David,
On 19/01/2022 12:34, David Sommerseth wrote:
From: David Sommerseth
On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS
module enabled by default. This revealed some incompatible code with
the added DCO support.
Signed-off-by: David Sommerseth
---
src/openvpn/crypto.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 5626e2b6..0415f59d 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -34,6 +34,7 @@
#include "error.h"
#include "integer.h"
#include "platform.h"
+#include "openssl_compat.h"
#include "memdbg.h"
@@ -1704,6 +1705,8 @@ print_cipher(const char *ciphername)
printf(", TLS client/server mode only");
}
#ifdef OPENSSL_FIPS
+ evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL);
+
from the commit message it is clear that there are incompatibilities,
but I am unable to guess what the real problem is.
Maybe you could extend your commit message or add a comment here?
Will do!
How is declaring a non-used variable going to help > Oh, now I see that cipher
is used but was never declared/initialized.
Still worth a word in the commit message? ;-)
Yes!
On top of that, anything returned by EVP_get_cipherbyname() must be
free'd later, or it will result in a memory leak.
Will fix!
On top of that ²: should we add some FIPS build to our GH Actions (for
another patch of course)?
This exploded on stock Fedora 35 inside a mock build chroot, no FIPS
enabling required. The devil in the detail is that the OPENSSL_FIPS
macro is defined unconditionally in
/usr/include/openssl/opensslconf-x86_64.h. So our OPENSSL_FIPS blocks
are always built on Fedora and related downstream distros.
--
kind regards,
David Sommerseth
OpenVPN Inc
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] crypto: Fix OPENSSL_FIPS enabled builds
From: David Sommerseth
On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS
module enabled by default. This revealed some incompatible code with
the added DCO support.
Signed-off-by: David Sommerseth
---
src/openvpn/crypto.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 5626e2b6..0415f59d 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -34,6 +34,7 @@
#include "error.h"
#include "integer.h"
#include "platform.h"
+#include "openssl_compat.h"
#include "memdbg.h"
@@ -1704,6 +1705,8 @@ print_cipher(const char *ciphername)
printf(", TLS client/server mode only");
}
#ifdef OPENSSL_FIPS
+evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL);
+
if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
{
printf(", disabled by FIPS mode");
--
2.27.0
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] OpenVPN 3 Linux client - v17 beta released
with the development stack on this distribution. Both the OpenVPN 3 Core library and the Linux client has been modified to be able to build successfully. * Distro: Python 3.6 or newer is now required As of this release, any Linux distribution with Python older than version 3.6 is no longer supported. This removes the support for Debian 9. Supported Linux distributions - - Debian 10 (amd64, arm64) - Debian 11 (amd64, arm64) - CentOS 7 (x86_64) - CentOS 8 (x86_64, aarch64) - Fedora 34, 35 and Rawhide (x86_64, aarch64, s390x) - Red Hat Enterprise Linux 7 (x86_64) - Red Hat Enterprise Linux 8 (x86_64, aarch64) - Ubuntu 18.04, 20.04 and 21.04 (amd64, arm64) - Ubuntu 21.10 (amd64, arm64) is available for testing The arm64 support on selected Debian and Ubuntu releases are currently considered a tech-preview. -- kind regards, David Sommerseth OpenVPN Inc Source tarballs --- * OpenVPN 3 Linux v17 beta <https://swupdate.openvpn.net/community/releases/openvpn3-linux-17_beta.tar.xz> <https://swupdate.openvpn.net/community/releases/openvpn3-linux-17_beta.tar.xz.asc> SHA256 Checksums -- 9eba02c67d3e5606ee8d02e0d60032009d3f97a0564d42c91ff154fb06b47e61 openvpn3-linux-17_beta.tar.xz b1a3928074eed09ebde6ad03b51551883abd357fa2dd5f61bdb07285bf5b50d1 openvpn3-linux-17_beta.tar.xz.asc git references git repositories: <https://gitlab.com/openvpn/openvpn3-linux> <https://github.com/OpenVPN/openvpn3-linux> git tag: v17_beta git commit: 079e9da7f66f5cca59cf80ba8c548f0dedd433db Changes from v16 to v17 ------- David Sommerseth (61): cli/session-start: Add --background support log: Improve LogEvent formatting log: Use the LogEvent GVariant generator in LogSender log: Extend the LogSender::Log() with duplicate check client: Simplify BackendSignals::Log() client: Remove some not needed log duplication client: Don't switch to Reconnecting state on initial connect python: Remove aenum workaround for Python 3.5 or older python: Remove spurious import line from openvpn2 python: Ignore --mute-replay-warnings option python: Add --insecure-certs option to openvpn3-as git: Switch to https for submodules python: Extend ConfigParser to understand --tls-crypt-v2 python: Fix a few errors in ConfigParser sessionmgr: Fix incorrect LogEvent proxy format core-ext: Properly parse options which may be used more times common: Extend MachineID to support systemd API for machine-id python: Fix incorrect parsing of filenames with spaces client: Add support for static-challenge configurations common: Extend command line parser with alias command support ovpn3cli: Depreacte config-show in favour of config-dump core: Update to latest OpenVPN 3 Core library build: Avoid GNUism in Makefile.am configmgr/client: Remove support for forcing AES-CBC cipher configmgr: Extend with session ownership transfer flag ovpn3cli: Extend config-acl to support --transfer-owner-session sessionmgr: Respect the configuration profile transfer-ownership flag client: Parse the --verb option to set log-level client: Add support for 'log-level' override sessionmgr: Retrieve the client log-level for the session log-level sessionmgr: Proxy log-level settings in session to backend tests: Extend config-export-json-test to process files too core-ext: Fix incorrect handling of --static-challenge in JSON export systemd: Fix incorrect access to mainloop object in status handler systemd: Fix incorrect sd_notify() behaviour systemd: Add support for profiles needing user credentials common/shell: Fix bash-completion for options with optional arguments common: Don't throw an exception in ParsedArgs::GetValueLen() ovn3cli/session: Extend session-manage to set session log-level core: Update to latest OpenVPN 3 Core library dbus: Change the proxy call timeout to 5 seconds log: Don't throw exception on invalid LogGroup/LogCategory client: Use the proper index value to retrieve the --verb value client: Change default log-level to 3 systemd: Do not change the log level at startup by default client: Extend StatusEvent with stringstream formatting control cli/session: Extend the session module with session-auth cli/session: Extend session-auth to also list URL based auth cli/session: Implement completing on-going auth in session-auth cli/session: Add shell-completion support for session-auth cli/session: Remove "Auth URL" from sessions-list man: Add missing --log-level entry in o
Re: [Openvpn-devel] [PATCH] README.down-root: Fix plugin module name
On 07/11/2021 19:38, Frank Lichtenheld wrote: From: Ville Skyttä The module name is openvpn-plugin-down-root.so, not openvpn-down-root.so. Signed-off-by: Frank Lichtenheld --- src/plugins/down-root/README.down-root | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) As part of an initative to clean up the Github PR submissions, submitting this patch to the mailing list for inclusion. Looks obviously correct to me. PR: https://github.com/OpenVPN/openvpn/pull/98 diff --git a/src/plugins/down-root/README.down-root b/src/plugins/down-root/README.down-root index d337ffe9..98a3ee63 100644 --- a/src/plugins/down-root/README.down-root +++ b/src/plugins/down-root/README.down-root @@ -16,13 +16,13 @@ run in the same execution environment as the up script. BUILD Build this module with the "make" command. The plugin -module will be named openvpn-down-root.so +module will be named openvpn-plugin-down-root.so USAGE To use this module, add to your OpenVPN config file: - plugin openvpn-down-root.so "command ..." + plugin openvpn-plugin-down-root.so "command ..." CAVEATS This change is correct. And even according to src/plugins/down-root/Makefile.am: plugin_LTLIBRARIES = openvpn-plugin-down-root.la Acked-By: David Sommerseth -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Fix error in example firewall.sh script
On 07/11/2021 18:40, Frank Lichtenheld wrote: From: Adrian The man page says: [!] -s, --source address[/mask][,...] Signed-off-by: Frank Lichtenheld --- sample/sample-config-files/firewall.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) As part of an initative to clean up the Github PR submissions, submitting this patch to the mailing list for inclusion. Looks obviously correct to me. diff --git a/sample/sample-config-files/firewall.sh b/sample/sample-config-files/firewall.sh index 19d75ee9..456700ca 100755 --- a/sample/sample-config-files/firewall.sh +++ b/sample/sample-config-files/firewall.sh @@ -50,7 +50,7 @@ iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP # Check source address validity on packets going out to internet -iptables -A FORWARD -s ! $PRIVATE -i eth1 -j DROP +iptables -A FORWARD ! -s $PRIVATE -i eth1 -j DROP # Allow local loopback iptables -A INPUT -s $LOOP -j ACCEPT This change makes sense to me. The syntax changed ages ago for iptables, where the negation needed to happen first. Acked-By: David Sommerseth -- kind regards, David Sommerseth OpenVPN Inc OpenPGP_signature Description: OpenPGP digital signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Fix error in example firewall.sh script
On 08/11/2021 13:23, Frank Lichtenheld wrote: Arne Schwabe hat am 08.11.2021 12:36 geschrieben: Am 07.11.21 um 18:40 schrieb Frank Lichtenheld: From: Adrian The man page says: [!] -s, --source address[/mask][,...] Signed-off-by: Frank Lichtenheld --- sample/sample-config-files/firewall.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) As part of an initative to clean up the Github PR submissions, submitting this patch to the mailing list for inclusion. Looks obviously correct to me. diff --git a/sample/sample-config-files/firewall.sh b/sample/sample-config-files/firewall.sh index 19d75ee9..456700ca 100755 --- a/sample/sample-config-files/firewall.sh +++ b/sample/sample-config-files/firewall.sh @@ -50,7 +50,7 @@ iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP # Check source address validity on packets going out to internet -iptables -A FORWARD -s ! $PRIVATE -i eth1 -j DROP +iptables -A FORWARD ! -s $PRIVATE -i eth1 -j DROP # Allow local loopback iptables -A INPUT -s $LOOP -j ACCEPT I have a vague idea that this is actually different. Like one is that condition is not fulfilled and the other is that it is not part of the subnet if is different when there is different protocol but I might misremember. Certainly does not work with my iptables: # iptables -A OUTPUT -s ! 10.0.0.0/8 -j ACCEPT Bad argument `10.0.0.0/8' Try `iptables -h' or 'iptables --help' for more information. # iptables -A OUTPUT ! -s 10.0.0.0/8 -j ACCEPT # Regards, Frank I remember iptables announced it would redo the parsing logic for the command line interfaces ages ago, where the negation needed to happen before the "rule parameter" (-s in this case). It's probably closer to 8-10 years since this change, unless my memory is completely corrupted. -- kind regards, David Sommerseth OpenVPN Inc ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] resolvconf fails with -p
On 29/05/2021 03:35, sergio wrote:
From: "Sergio E. Nemirowski"
resolvconf -p
resolvconf: Error: Command not recognized
Signed-off-by: Sergio E. Nemirowski
---
contrib/pull-resolv-conf/client.up | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/contrib/pull-resolv-conf/client.up
b/contrib/pull-resolv-conf/client.up
index f0769740..220aeb74 100644
--- a/contrib/pull-resolv-conf/client.up
+++ b/contrib/pull-resolv-conf/client.up
@@ -91,7 +91,7 @@ out="# resolv.conf autogenerated by ${0}
(${dev})${nl}${dns}${ds}${domains}"
# use resolvconf if it's available
if type resolvconf >/dev/null 2>&1; then
- printf "%s\n" "${out}" | resolvconf -p -a "${dev}"
+ printf "%s\n" "${out}" | resolvconf -a "${dev}"
else
# Preserve the existing resolv.conf
if [ -e /etc/resolv.conf ] ; then
I quickly checked resolveconf on Ubuntu {18,20,21}.04 and Debian 9-11.
Neither of them supports the '-p' argument.
I've checked Fedora 34, RHEL-{7,8} too, where I could not find any
obvious alternative to the old version of resolvconf tool. On RHEL-8
and Fedora, systemd-resolved is available and provides a different
resolveconf which targets to replace this old utility. This replacement
neither support '-p'.
This option got added in commit 3adf2f558e157ef508 back in 2010, but
there's too little information why it was needed back then. But given
that neither relevant Linux distributions supports this option today,
it's reasonable to remove it now.
Acked-By: David Sommerseth
--
kind regards,
David Sommerseth
OpenVPN Inc
OpenPGP_signature
Description: OpenPGP digital signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] OpenVPN 3 Linux client - v16 beta released
d in OpenVPN 3, so instead we just ignore these options if found. * Build: Code has been made reproducible It should now be possible to rebuild the code with using the same host or image and get the exact same binary output. The only supported distribution not capable of being reproducible at the moment is the CentOS 7 builds. Supported Linux distributions: - Debian 9 (amd64) << !! Last update for this release !! - Debian 10 (amd64, arm64) - Debian 11 (amd64, arm64) - CentOS 7 (x86_64) - CentOS 8 (x86_64, aarch64) - Fedora 33, 34 and Rawhide (x86_64, aarch64, s390x) - Red Hat Enterprise Linux 7 (x86_64) - Red Hat Enterprise Linux 8 (x86_64, aarch64) - Ubuntu 18.04, 20.04 and 21.04 (amd64, arm64) The next release will also add Ubuntu 21.10 support. The arm64 support on selected Debian and Ubuntu releases are currently considered a tech-preview. This will also be the last release which includes support for Debian 9. As of the next release Debian 10 and CentOS 7/RHEL 7 will be the oldest supported releases. The Data Channel Offload (DCO) tech-preview feature is supported in these distributions: - CentOS 8 - Fedora 33, 34 and Rawhide - Ubuntu 20.04 and 21.04 - Red Hat Enterprise Linux 8 We have not yet had any chances to test DCO on Debian 11 yet. Ubuntu 21.10 will also get ovpn-dco packages. This work will be part of the next release. -- kind regards, David Sommerseth OpenVPN Inc Source tarballs --- * OpenVPN 3 Linux v16 beta <https://swupdate.openvpn.net/community/releases/openvpn3-linux-16_beta.tar.xz> <https://swupdate.openvpn.net/community/releases/openvpn3-linux-16_beta.tar.xz.asc> SHA256 Checksums -- 3c8a4e26feca72a7d8887426c496a148df4606b9656f720848853c1f17a030a4 openvpn3-linux-16_beta.tar.xz 7aa2ae44e8c7cfcf5b9129107ab7842b97ad6f026385c8e65c79045bb1500c9a openvpn3-linux-16_beta.tar.xz.asc git references git repositories: <https://gitlab.com/openvpn/openvpn3-linux> <https://github.com/OpenVPN/openvpn3-linux> git tag: v16_beta git commit: 713b35e908489579bf5246b577373880923cf6fe Changes from v15 to v16 --- Arne Schwabe (1): Implement WEB_AUTH auth pending method David Sommerseth (39): vendor: Upgrade to googletest 1.11 python: Harden openvpn3-as HTTPS connect ovpn3cli: Add --timeout support to session connect operations python: Remove connection attempt counting in openvpn3-autoload python: Add SessionManagerEventType constants python: Add SessionManagerEvent callback systemd: Add support for VPN session management via systemd sessionmgr: Grammar fix in an error message sessionmgr: Split out pure manager functions from OpenVPN3SessionProxy python: Use std namespace explicitly dbus: Add DBusProxy::Introspect() method tests: Make netcfg-proxy-unit test aware of other devices dbus/creds: Add new DBusCredentials::CheckACL_allowRoot() method sessionmgr: Grant root user access to read all session properties ovpn3cli/admin: Add sessionmgr-service command common: Fix duplicated imports of config.h sessionmgr: Simplify the ACL check for properties cli/sessionmgr: Simplify property extraction core: Update OpenVPN 3 Core library (DNS cache fix) common: Improve the OptionValueType::Present implementation common: Extend Configuration::File with an UnsetOption() method common: Configuration::File - Add backwards compat parsing for present opts cli/admin: Call instead Config::File::UnsetOption() on --config-unset common: Add private ParsedArgs::remove_arg() method common: Simplify ParsedArgs::ImportConfigFile() common: Don't throw on missing key in ParsedArgs::GetAllValues() cli/openvpn3: Fix missing space in config-remove warning cli/config: Fix incorrect spelling python: Handle CTRL-C in openvpn3-as gracefully python/openvpn3-as: Improve profile download error handling python/openvpn3-as: Fix incorrect exception type ovpn3cli: Fix session-start with dynamic challenge auth python: Fix dyn-challenge auth in openvpn2 cli/session: Not all connection failures are timeout related cli/session: Fix never ending session with failed 2FA lookup: Add error checking to sysconf() lookups common: Fix typo with MachineID::SourceType::NONE netcfg/resolved: Don't configure --dhcp-option DOMAIN as routing domains python: Add --data-ciphers and related options to the ignore list. Frank Lichtenheld (3): build: make gen-openvpn2-completion.py output reproducible on old Python build: Use timestamp of the constant.py source file build: Avoid generating broken bash
Re: [Openvpn-devel] [PATCH 1/2] Detect unusable ciphers on patched OpenSSL of RHEL/Centos
On 18/08/2021 23:33, Arne Schwabe wrote: OpenSSL on RHEL 8 and CentOS 8 system when these system are put into FIPS mode need extra code to figure out if a specific cipher algorithm is usable on these system. This is particularly problem in data-ciphers as the errors might occur much later when a client connects and as these cipher are not caught during config initialisation. This also prepares for adding Chacha20-Poly1305 when available to data-ciphers by making the detection logic used to check if cipher_kt_get returns non-NULL work on these systems. Signed-off-by: Arne Schwabe --- src/openvpn/crypto.c | 6 ++ src/openvpn/crypto_openssl.c | 10 ++ 2 files changed, 16 insertions(+) I've Looked at the code, built it on a RHEL-8.4 box with FIPS enabled and tested the binary with FIPS both enabled and disabled. It works smoothly there. The OPENSSL_FIPS macro is defined in /usr/include/openssl/opensslconf-x86_64.h. So is handled outside of OpenVPN, and without that macro we don't need to be concerned about the FIPS_mode() function. As mentioned in the community developer meeting today, there are some concerns about the recently released OpenSSL 3.0 and FIPS - but lets tackle that further down the road once we have distributions with the latest OpenSSL library more easily available. The bottom line is ... Acked-By: David Sommerseth -- kind regards, David Sommerseth OpenVPN Inc OpenPGP_signature Description: OpenPGP digital signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] OpenVPN 3 Linux client - v15 beta released
Hi, The OpenVPN 3 Linux v15 (beta) is now available. This is primarily a bugfix release as a few issues appeared soon after the last release. * Bugfix: 2FA authentication with dynamic challenge protocol Servers (most commonly OpenVPN Access Server) deployed with 2FA based authentication would fail when the dynamic challenge protocol was utilized. The result would be a client disconnecting with a time-out error and in some cases the openvpn3 sessions-list' would enlist "ghost" sessions not responding. This command would also wait for a long time before reporting the complete list of sessions when such ghost sessions are present. This is fixed. Reported: <https://github.com/OpenVPN/openvpn3-linux/issues/55> * Bugfix: Fix misbehaviours with --tls-crypt-v2 This feature has been a known issue for a long time, but newer OpenVPN Access Servers now pushes tls-crypt-v2 profiles resulting in connections failing with NETWORK_EOF_ERROR errors in the log. This is finally fixed. Reported: <https://github.com/OpenVPN/openvpn3-linux/issues/55> * Feature: Added openvpn3-admin variables command This "openvpn3-admin variables" command will provide runtime information used by openvpn3-linux. First variable accessible is the value reported in the IV_HWADDR field sent to the VPN server. This can be seen using: # openvpn3-admin variables --machine-id Supported Linux distributions: - Debian 9 (amd64) - Debian 10 (amd64, arm64) - CentOS 7 (x86_64) - CentOS 8 (x86_64, aarch64) - Fedora 33, 34 and Rawhide (x86_64, aarch64, s390x) - Red Hat Enterprise Linux 7 (x86_64) - Red Hat Enterprise Linux 8 (x86_64, aarch64) - Ubuntu 16.04 (amd64) - Ubuntu 18.04, 20.04, 20.10 and 21.04 (amd64, arm64) The arm64 support on selected Debian and Ubuntu releases are currently considered a tech-preview. The Data Channel Offload (DCO) tech-preview feature is supported in these distributions: - CentOS 8 - Fedora 33, 34 and Rawhide - Ubuntu 20.04, 20.10 and 21.04 - Red Hat Enterprise Linux 8 Remember to update the kmod-ovpn-dco package to the latest available version. Instructions how to install OpenVPN 3 Linux can be found here: <https://community.openvpn.net/openvpn/wiki/OpenVPN3Linux> -- kind regards, David Sommerseth OpenVPN Inc Source tarballs --- * OpenVPN 3 Linux v15 beta <https://swupdate.openvpn.net/community/releases/openvpn3-linux-15_beta.tar.xz> <https://swupdate.openvpn.net/community/releases/openvpn3-linux-15_beta.tar.xz.asc> SHA256 Checksums -- 86a29c6cc8bc4dfa15aa913f696e048989ebf682bbc184ae050f61256f87e37f openvpn3-linux-15_beta.tar.xz be0fedded031a135ae2fe82edcac742b5352d17d16648643328b247476953c0f openvpn3-linux-15_beta.tar.xz.asc git references git repositories: <https://gitlab.com/openvpn/openvpn3-linux> <https://github.com/OpenVPN/openvpn3-linux> git tag: v15_beta git commit: 6c9bbc9e10d7c499339c1ac774d1614e8df88573 Changes from v14 to v15 --- David Sommerseth (5): docs: Update README.md with new DCO and SELinux info common: Extend MachineID to provide source information ovpn3cli/admin: Add a new 'variables' admin command Revert "client/core: Improve fatal exception handling in event()" core-ext: Add support for inline --tls-crypt-v2 OpenPGP_signature Description: OpenPGP digital signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v2] man: Clarify IV_HWADDR
From: David Sommerseth The IV_HWADDR description was only partially correct, as there are more implementations using other values than the MAC address of the default gateway. The intention of this value is to provide a unique identifier of the client and on some platforms this is not possible to retrieve other than to generate this information. The 64 bytes limitation is an arbitrary value, it is not enforced by OpenVPN 2.x. But it was considered a good idea to at least have some reasonable upper limit of how long this string can be, at least for those implementing support for this information. Signed-off-by: David Sommerseth --- v2 - Implement further clarifications from Gert --- doc/man-sections/server-options.rst | 10 -- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 047f2270..71547335 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -467,8 +467,14 @@ fast hardware. SSL/TLS authentication must be used in this mode. When ``--push-peer-info`` is enabled the additional information consists of the following data: - :code:`IV_HWADDR=` -The MAC address of clients default gateway + :code:`IV_HWADDR=` +This is intended to be a unique and persistent ID of the client. +The string value can be any readable ASCII string up to 64 bytes. +OpenVPN 2.x and some other implementations use the MAC address of +the client's interface used to reach the default gateway. If this +string is generated by the client, it should be consistent and +preserved across independent session and preferably +re-installations and upgrades. :code:`IV_SSL=` The ssl version used by the client, e.g. -- 2.27.0 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] man: Clarify IV_HWADDR
From: David Sommerseth The IV_HWADDR description was only partially correct, as there are more implementations using other values than the MAC address of the default gateway. The intention of this value is to provide a unique identifier of the client and on some platforms this is not possible to retrieve other than to generate this information. The 64 bytes limitation is an arbitrary value, it is not enforced by OpenVPN 2.x. But it was considered a good idea to at least have some reasonable upper limit of how long this string can be, at least for those implementing support for this information. Signed-off-by: David Sommerseth --- doc/man-sections/server-options.rst | 9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 047f2270..b026ac7b 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -467,8 +467,13 @@ fast hardware. SSL/TLS authentication must be used in this mode. When ``--push-peer-info`` is enabled the additional information consists of the following data: - :code:`IV_HWADDR=` -The MAC address of clients default gateway + :code:`IV_HWADDR=` +This is intended to be a unique and persistent ID of the client. +The string value can be any readable ASCII string up to 64 bytes. +OpenVPN 2.x and some other implementations use the MAC address of +the client's default gateway. If this string is generated by the +client, it should be consistent and preserved across independent +session and preferably re-installations and upgrades. :code:`IV_SSL=` The ssl version used by the client, e.g. -- 2.27.0 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] OpenVPN 3 Linux client - v14 beta released
Hi,
The OpenVPN 3 Linux v14 beta is now available.
The highlights of this release includes:
* Security: [CVE-2021-3547] --verify-x509-name overrides certificate
checks
The OpenVPN 3 Core library got support for --verify-x509-name in
commit 583986920236f7e (committed 2019-11-08). This implementation
would reset prior certificate checks. If a prior certificate check
failed and the --verify-x509-name check passed, the connection would
be accepted as valid. This has been fixed in the Core library as
of OpenVPN 3 Core library commit febf01ef68b84f.
* systemd-resolved - support for DNS scopes
This is the first step towards a better split-DNS support. It
implements the needed configuration settings to properly set up the
global or tunnel DNS resolver scopes in systemd-resolved. For the
resolv-conf based mode, this setting will be ignored (and logged as a
warning) as resolv-conf only supports a single DNS resolver.
Currently, the tunnel scope is very simplistic and will only result in
systemd-resolved not querying anything than pushed DOMAIN/DOMAIN-
SEARCH domains via the DNS servers for the VPN session. It is more a
reverse filter, than an explicit filter. All other "global" scopes
will also be queried. Domains *not* matching the DOMAIN/DOMAIN-SEARCH
settings will be *not* queried via this VPN link.
This behaviour is more how systemd-resolved is designed and this
behaviour will hopefully be further improved later on.
DNS scopes are configured via 'openvpn3 config-manage' on a pre-
imported configuration file.
* Improved SELinux policies
OpenVPN 3 Linux is now able to be run on CentOS, Fedora and Red Hat
Enterprise Linux with DCO enabled on VPN profiles and with SELinux
policies being enforced. The openvpn3-service-netcfg and
openvpn3-service-client processes will now run in their own confined
environment with further restricted access.
* The OpenVPN 3 client will report IV_HWADDR
When connecting, the client will report back some peer information to
the server. Until now, the IV_HWADDR has not been provided. This
value is supposed to be a fixed value per connecting host. The
reported information is a SHA256 hash of /etc/machine-id and some
more OpenVPN 3 Linux specific values. If this machine-id file is not
readable, it will generate its own value and store it under
/var/lib/openvpn3 for a persistent value.
* Support for querying the user for HTTP proxy credentials during
connection
* Support for inline --http-user-pass values in configuration files
* Support for inline --auth-user-pass values in configuration files
* DCO support can now be activated with openvpn3 session-start and
openvpn2 command line front-ends
* DCO device names will now carry the name of --dev in the configuration
In addition to several bug fixes and other improvements.
Supported Linux distributions:
- Debian 9, 10 (amd64, arm64)
- CentOS 7 (x86_64)
- CentOS 8 (x86_64, aarch64)
- Fedora 33, 34 and Rawhide (x86_64, aarch64, s390x)
- Red Hat Enterprise Linux 7 (x86_64)
- Red Hat Enterprise Linux 8 (x86_64, aarch64)
- Ubuntu 16.04 (amd64)
- Ubuntu 18.04, 20.04, 20.10 and 21.04 (amd64, arm64)
The arm64 support on selected Debian and Ubuntu releases are currently
considered a tech-preview.
The Data Channel Offload (DCO) tech-preview feature is supported in
these distributions:
- CentOS 8
- Fedora 33, 34 and Rawhide
- Ubuntu 20.04, 20.10 and 21.04
- Red Hat Enterprise Linux 8
If you have already installed the kmod-ovpn-dco package from our
repositories, remember to also update this package when upgrading
OpenVPN 3 Linux.
Instructions how to install OpenVPN 3 Linux can be found here:
<https://community.openvpn.net/openvpn/wiki/OpenVPN3Linux>
--
kind regards,
David Sommerseth
OpenVPN Inc
Source tarballs ---
* OpenVPN 3 Linux v14 beta
<https://swupdate.openvpn.net/community/releases/openvpn3-linux-14_beta.tar.xz>
<https://swupdate.openvpn.net/community/releases/openvpn3-linux-14_beta.tar.xz.asc>
SHA256 Checksums --
211ec3d46398f36e2fae18f736fd4a47315f9ae574fc4150fea256e131850ccd
openvpn3-linux-14_beta.tar.xz
5e6c1e6d86ef3f6a2be9567f67812732d119fdec9265420a532bd864576cca0a
openvpn3-linux-14_beta.tar.xz.asc
git references
git repositories:
<https://gitlab.com/openvpn/openvpn3-linux>
<https://github.com/OpenVPN/openvpn3-linux>
git tag: v14_beta
git commit: 6ae8c77ffcfcdbe594dfc5a524a741726d9247d0
Changes from v13 to v14 ---
Antonio Quartulli (1):
ovpn-dco: adapt interfaces to new API format
Arne Schwabe (1):
Add Coverity to jenkins build
David Sommerseth (67):
build: Fix out-of-tree builds from git checkouts
dbus/signa
