[Openvpn-devel] [PATCH applied] Re: make t_server_null 'server alive?' check more robust
Thanks for the review. Indent fixed, that was a that sneaked in. Patch has been applied to the master branch. commit b322690394b75a9d4987d4b27107ccb01bbcd90e Author: Gert Doering Date: Wed Sep 18 18:29:17 2024 +0200 make t_server_null 'server alive?' check more robust Acked-by: Frank Lichtenheld Message-Id: <20240918162917.6809-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29314.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: socket: Change return types of link_socket_write* to ssize_t
This is fallout from the -Wconversion patch set (commit 53449cb61f) where it turned out that the whole link_socket* call chain used inconsistent return types - so now it's consistent with sendmsg() etc., all using ssize_t. Stared-at-code and asked GHA :-) Your patch has been applied to the master branch. commit 2cc77debf0221fa0cef3ea470c1328d25397d021 (master) Author: Frank Lichtenheld Date: Wed Sep 18 22:48:44 2024 +0200 socket: Change return types of link_socket_write* to ssize_t Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <20240918204844.2820-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29323.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: configure: Review use of standard AC macros
I admit that I have no deep understanding of autoconf, but I did check
that "about everything" has more recent autoconf versions than 2.60
("the gold standard" has been 2.69 for many years) and that all our
buildbots and GHA are building fine with these changes. Half of them
are typo fixes or whitespace cleanups anyway :-)
Your patch has been applied to the master branch.
commit b59620f24f5bc853e2aa92943f14abf74aa81511
Author: Frank Lichtenheld
Date: Wed Sep 18 22:45:50 2024 +0200
configure: Review use of standard AC macros
Signed-off-by: Frank Lichtenheld
Acked-by: Gert Doering
Message-Id: <20240918204551.2530-1-g...@greenie.muc.de>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29321.html
Signed-off-by: Gert Doering
--
kind regards,
Gert Doering
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] socket: Change return types of link_socket_write* to ssize_t
From: Frank Lichtenheld This is the actual return value of send/sendto/sendmsg. We will leave it to the single caller of link_socket_write() to decide how to map that to the int buffer world. For now just cast it explicitly. Change-Id: I7852c06d331326c1dbab7b642254c0c00d4cebb8 Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/740 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 40b7cc4..84c23b3 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1790,7 +1790,7 @@ socks_preprocess_outgoing_link(c, &to_addr, &size_delta); /* Send packet */ -size = link_socket_write(c->c2.link_socket, &c->c2.to_link, to_addr); +size = (int)link_socket_write(c->c2.link_socket, &c->c2.to_link, to_addr); /* Undo effect of prepend */ link_socket_write_post_size_adjust(&size, size_delta, &c->c2.to_link); diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index 17c5e76..6c790a0 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -3399,7 +3399,7 @@ * Socket Write Routines */ -int +ssize_t link_socket_write_tcp(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to) @@ -3418,7 +3418,7 @@ #if ENABLE_IP_PKTINFO -size_t +ssize_t link_socket_write_udp_posix_sendmsg(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to) diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h index 47083ad..bbdabfb 100644 --- a/src/openvpn/socket.h +++ b/src/openvpn/socket.h @@ -1099,9 +1099,9 @@ * Socket Write routines */ -int link_socket_write_tcp(struct link_socket *sock, - struct buffer *buf, - struct link_socket_actual *to); +ssize_t link_socket_write_tcp(struct link_socket *sock, + struct buffer *buf, + struct link_socket_actual *to); #ifdef _WIN32 @@ -1135,12 +1135,12 @@ #else /* ifdef _WIN32 */ -size_t link_socket_write_udp_posix_sendmsg(struct link_socket *sock, - struct buffer *buf, - struct link_socket_actual *to); +ssize_t link_socket_write_udp_posix_sendmsg(struct link_socket *sock, +struct buffer *buf, +struct link_socket_actual *to); -static inline size_t +static inline ssize_t link_socket_write_udp_posix(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to) @@ -1158,7 +1158,7 @@ (socklen_t) af_addr_size(to->dest.addr.sa.sa_family)); } -static inline size_t +static inline ssize_t link_socket_write_tcp_posix(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to) @@ -1168,7 +1168,7 @@ #endif /* ifdef _WIN32 */ -static inline size_t +static inline ssize_t link_socket_write_udp(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to) @@ -1181,7 +1181,7 @@ } /* write a TCP or UDP packet to link */ -static inline int +static inline ssize_t link_socket_write(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to) ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v3] configure: Review use of standard AC macros
From: Frank Lichtenheld
- Increase required version to 2.60 since that is documented
minimum version for AC_USE_SYSTEM_EXTENSIONS
- Remove obsolete macros AC_C_CONST and AC_C_VOLATILE. They
are noops on every compiler we support.
- Add explicit call to AC_PROG_CC. We get this implictly as
dependency of other macros, but it is nicer to have it
explicitely as well.
- A few typo and whitespace fixes.
Change-Id: I7927a572611b7c1dc0b522fd6cdf05fd222a852d
Signed-off-by: Frank Lichtenheld
Acked-by: Gert Doering
---
This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/674
This mail reflects revision 3 of this Change.
Acked-by according to Gerrit (reflected above):
Gert Doering
diff --git a/configure.ac b/configure.ac
index 9ce826c..18538c5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -23,7 +23,7 @@
dnl Process this file with autoconf to produce a configure script.
-AC_PREREQ(2.59)
+AC_PREREQ(2.60)
m4_include(version.m4)
AC_INIT([PRODUCT_NAME], [PRODUCT_VERSION], [PRODUCT_BUGREPORT],
[PRODUCT_TARNAME])
@@ -387,6 +387,7 @@
pkg_config_found="(${PKG_CONFIG})"
fi
+AC_PROG_CC
AC_PROG_CPP
AC_PROG_INSTALL
AC_PROG_LN_S
@@ -443,9 +444,7 @@
]
)
-AC_C_CONST
AC_C_INLINE
-AC_C_VOLATILE
AC_TYPE_OFF_T
AC_TYPE_PID_T
AC_TYPE_SIZE_T
@@ -981,7 +980,7 @@
[AC_MSG_ERROR([OpenSSL check for AES-256-GCM support failed])]
)
- # All supported OpenSSL version (>= 1.1.0)
+ # All supported OpenSSL versions (>= 1.1.0)
# have this feature
have_export_keying_material="yes"
@@ -1081,9 +1080,8 @@
elif test "${with_crypto_library}" = "wolfssl"; then
AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl. The include
directory should
- contain the
regular wolfSSL header files but also the
- wolfSSL
OpenSSL header files. Ex: -I/usr/local/include
-
-I/usr/local/include/wolfssl])
+ contain the regular wolfSSL header files but also the wolfSSL OpenSSL header
files.
+ Ex: -I/usr/local/include -I/usr/local/include/wolfssl])
AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl])
saved_CFLAGS="${CFLAGS}"
@@ -1274,7 +1272,7 @@
[PKG_CHECK_MODULES([libsystemd], [libsystemd-daemon])]
)
-PKG_CHECK_EXISTS( [libsystemd > 216],
+PKG_CHECK_EXISTS([libsystemd > 216],
[AC_DEFINE([SYSTEMD_NEWER_THAN_216], [1],
[systemd is newer than v216])]
)
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] make t_server_null "server alive?" check more robust
- use "$RUN_SUDO kill -0 $pid" to test if a given process is running, not
"ps -p $pid" - the latter will not work if security.bsd.see_other_uids=0
is set
- produce proper error messages if pid files can not be found or are
empty at server shutdown time
---
tests/t_server_null_client.sh | 5 -
tests/t_server_null_server.sh | 5 +
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/tests/t_server_null_client.sh b/tests/t_server_null_client.sh
index e7dd3324..c1a25dfc 100755
--- a/tests/t_server_null_client.sh
+++ b/tests/t_server_null_client.sh
@@ -87,7 +87,10 @@ while [ $count -lt $server_max_wait ]; do
# the active server count as the processes won't be running.
for i in `set|grep 'SERVER_NAME_'|cut -d "=" -f 2|tr -d "[\']"`; do
server_pid=$(cat $i.pid 2> /dev/null)
-if ps -p $server_pid > /dev/null 2>&1; then
+if [ -z "$server_pid" ] ; then
+continue
+fi
+if $RUN_SUDO kill -0 $server_pid > /dev/null 2>&1; then
servers_up=$(( $servers_up + 1 ))
fi
done
diff --git a/tests/t_server_null_server.sh b/tests/t_server_null_server.sh
index e5906eec..32f0362d 100755
--- a/tests/t_server_null_server.sh
+++ b/tests/t_server_null_server.sh
@@ -82,6 +82,11 @@ for PID_FILE in $server_pid_files
do
SERVER_PID=$(cat "${PID_FILE}")
+if [ -z "$SERVER_PID" ] ; then
+echo "WARNING: could not kill server ${PID_FILE}!"
+ continue
+fi
+
if [ -z "${RUN_SUDO}" ]; then
$KILL_EXEC "${SERVER_PID}"
else
--
2.44.0
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: configure: Handle libnl-genl and libcap-ng consistent with other libs
Tested on ubuntu 2004 which needs all these, looked at the resulting Makefile.am/Makefile.in/Makefile and it works. I do wonder why we double all these variables, though... Your patch has been applied to the master branch. commit b236261f9ce14bc9fffbb81c61938e0e24b200d6 Author: Frank Lichtenheld Date: Tue Sep 17 15:32:53 2024 +0200 configure: Handle libnl-genl and libcap-ng consistent with other libs Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <20240917133253.19616-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29282.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v3] configure: Handle libnl-genl and libcap-ng consistent with other libs
From: Frank Lichtenheld
Do not communicate any of the flags via the global
CFLAGS and LIBS, so that users are not confused when
overriding them on the command line.
Github: closes OpenVPN/openvpn#586
Change-Id: I39a6f58b11b922f5dbd3e55a5bc8574eda8a83fe
Signed-off-by: Frank Lichtenheld
Acked-by: Gert Doering
---
This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/724
This mail reflects revision 3 of this Change.
Acked-by according to Gerrit (reflected above):
Gert Doering
diff --git a/configure.ac b/configure.ac
index 9ce826c..5c44822 100644
--- a/configure.ac
+++ b/configure.ac
@@ -824,8 +824,8 @@
AC_MSG_ERROR([libnl-genl-3.0 package
not found or too old. Is the development package and pkg-config
${pkg_config_found} installed? Must be version 3.4.0 or newer for DCO])
]
)
- CFLAGS="${CFLAGS} ${LIBNL_GENL_CFLAGS}"
- LIBS="${LIBS} ${LIBNL_GENL_LIBS}"
+
OPTIONAL_LIBNL_GENL_CFLAGS="${LIBNL_GENL_CFLAGS}"
+ OPTIONAL_LIBNL_GENL_LIBS="${LIBNL_GENL_LIBS}"
AC_DEFINE(ENABLE_DCO, 1, [Enable shared data
channel offload])
AC_MSG_NOTICE([Enabled ovpn-dco support for
Linux])
@@ -865,7 +865,6 @@
dnl
case "$host" in
*-*-linux*)
- # We require pkg-config
PKG_CHECK_MODULES([LIBCAPNG],
[libcap-ng],
[],
@@ -873,8 +872,8 @@
)
AC_CHECK_HEADER([sys/prctl.h],,[AC_MSG_ERROR([sys/prctl.h not
found!])])
- CFLAGS="${CFLAGS} ${LIBCAPNG_CFLAGS}"
- LIBS="${LIBS} ${LIBCAPNG_LIBS}"
+ OPTIONAL_LIBCAPNG_CFLAGS="${LIBCAPNG_CFLAGS}"
+ OPTIONAL_LIBCAPNG_LIBS="${LIBCAPNG_LIBS}"
AC_DEFINE(HAVE_LIBCAPNG, 1, [Enable libcap-ng support])
;;
esac
@@ -1414,7 +1413,7 @@
# When testing a compiler option, we add -Werror to force
# an error when the option is unsupported. This is not
-# required for gcc, but some compilers such as clang needs it.
+# required for gcc, but some compilers such as clang need it.
AC_DEFUN([ACL_CHECK_ADD_COMPILE_FLAGS], [
old_cflags="$CFLAGS"
CFLAGS="$1 -Werror $CFLAGS"
@@ -1490,6 +1489,10 @@
AC_SUBST([OPTIONAL_SELINUX_LIBS])
AC_SUBST([OPTIONAL_CRYPTO_CFLAGS])
AC_SUBST([OPTIONAL_CRYPTO_LIBS])
+AC_SUBST([OPTIONAL_LIBCAPNG_CFLAGS])
+AC_SUBST([OPTIONAL_LIBCAPNG_LIBS])
+AC_SUBST([OPTIONAL_LIBNL_GENL_CFLAGS])
+AC_SUBST([OPTIONAL_LIBNL_GENL_LIBS])
AC_SUBST([OPTIONAL_LZO_CFLAGS])
AC_SUBST([OPTIONAL_LZO_LIBS])
AC_SUBST([OPTIONAL_LZ4_CFLAGS])
@@ -1534,10 +1537,11 @@
AM_CONDITIONAL([ENABLE_UNITTESTS], [test "${enable_unit_tests}" = "yes" -a
"${have_cmocka}" = "yes" ])
AC_SUBST([ENABLE_UNITTESTS])
-TEST_LDFLAGS="${OPTIONAL_CRYPTO_LIBS} ${OPTIONAL_PKCS11_HELPER_LIBS}"
+TEST_LDFLAGS="${OPTIONAL_CRYPTO_LIBS} ${OPTIONAL_PKCS11_HELPER_LIBS}
${OPTIONAL_LIBCAPNG_LIBS}"
+TEST_LDFLAGS="${TEST_LDFLAGS} ${OPTIONAL_LIBNL_GENL_LIBS}"
TEST_LDFLAGS="${TEST_LDFLAGS} ${OPTIONAL_LZO_LIBS} ${CMOCKA_LIBS}"
-TEST_CFLAGS="${OPTIONAL_CRYPTO_CFLAGS} ${OPTIONAL_PKCS11_HELPER_CFLAGS}"
-TEST_CFLAGS="${TEST_CFLAGS} ${OPTIONAL_LZO_CFLAGS}"
+TEST_CFLAGS="${OPTIONAL_CRYPTO_CFLAGS} ${OPTIONAL_PKCS11_HELPER_CFLAGS}
${OPTIONAL_LIBCAPNG_CFLAGS}"
+TEST_CFLAGS="${TEST_CFLAGS} ${OPTIONAL_LIBNL_GENL_CFLAGS}
${OPTIONAL_LZO_CFLAGS}"
TEST_CFLAGS="${TEST_CFLAGS} -I\$(top_srcdir)/include ${CMOCKA_CFLAGS}"
AC_SUBST([TEST_LDFLAGS])
diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
index 56cce9d..3784a98 100644
--- a/src/openvpn/Makefile.am
+++ b/src/openvpn/Makefile.am
@@ -24,6 +24,8 @@
AM_CFLAGS = \
$(TAP_CFLAGS) \
$(OPTIONAL_CRYPTO_CFLAGS) \
+ $(OPTIONAL_LIBCAPNG_CFLAGS) \
+ $(OPTIONAL_LIBNL_GENL_CFLAGS) \
$(OPTIONAL_LZO_CFLAGS) \
$(OPTIONAL_LZ4_CFLAGS) \
$(OPTIONAL_PKCS11_HELPER_CFLAGS) \
@@ -147,6 +149,8 @@
openvpn_LDADD = \
$(top_builddir)/src/compat/libcompat.la \
$(SOCKETS_LIBS) \
+ $(OPTIONAL_LIBCAPNG_LIBS) \
+ $(OPTIONAL_LIBNL_GENL_LIBS) \
$(OPTIONAL_LZO_LIBS) \
$(OPTIONAL_LZ4_LIBS) \
$(OPTIONAL_PKCS11_HELPER_LIBS) \
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Avoid SIGUSR1 to SIGHUP remapping when the configuration is read from stdin
I haven't tested this "for real", but the explanation makes sense and the change is trivial enough. I have word-smithed the Subject: and also the comment line a bit. Your patch has been applied to the master branch. (Not really a issue on "non Android", it seems, and that one builds on top of master only - so not applying to release/2.6) commit b620025b9570a3d66ad3598dc22aa1b07c90fa31 (master) Author: Arne Schwabe Date: Fri Jul 19 15:10:16 2024 +0200 Avoid SIGUSR1 to SIGHUP remapping when the configuration is read from stdin Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20240719131016.75042-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28941.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Route: remove incorrect routes on exit
This is a good find, and a somewhat stupid oversight - even if not easy
to trigger. What you need so this has an effect is a pre-existing host
route to the VPN server and then a "route add" fail (easy to trigger on
the BSDs, EEXIST because "only 1 route can exist") - and because we do not
remember, we try "route delete" later on and delete the *other* route,
messing up our routing table. Which is something t_client even checks
for ("is 'route print' the same as before?") but you need a host route
to begin with - added t_client tests, breaks without the patch, works
with the patch. Thanks :-)
I've changed the commit message slightly ("Trac: #1457" is the standard
format).
Your patch has been applied to the master and release/2.6 branch (bugfix).
commit 14d2db6cd41fb6414992869caf109972d7a8275e (master)
commit 4ad3aa5a2b6838650ca98fd92994eab7108c1e8b (release/2.6)
Author: Gianmarco De Gregori
Date: Wed Feb 21 12:18:14 2024 +0100
Route: remove incorrect routes on exit
Signed-off-by: Gianmarco De Gregori
Acked-by: Frank Lichtenheld
Message-Id: <2024022814.942965-1-fr...@lichtenheld.com>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28290.html
Signed-off-by: Gert Doering
--
kind regards,
Gert Doering
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Fix check_addr_clash argument order
Good find. I tested this as instructed in gerrit, also enabling the #if 0 debug code - this is a p2p setup with --topology subnet, to actually have a subnet to check against. Test 1, "--local" in the "--ifconfig" subnet: 2024-09-17 11:25:45 CHECK_ADDR_CLASH type=2 public=10.204.8.7 local=10.204.8.2, remote_netmask=255.255.255.0 2024-09-17 11:25:45 WARNING: potential conflict between --local address [10.204.8.7] and --ifconfig address pair [10.204.8.2, 255.255.255.0] -- this is a warning only that is triggered when local/remote addresses exist within the same /24 subnet as --ifconfig endpoints. (silence this warning with --ifconfig-nowarn) "works". Test 2, "--remote" in the "--ifconfig" subnet: 2024-09-17 11:27:03 CHECK_ADDR_CLASH type=2 public=10.204.8.8 local=10.204.8.2, remote_netmask=255.255.255.0 2024-09-17 11:27:03 WARNING: potential conflict between --remote address [10.204.8.8] and --ifconfig address pair [10.204.8.2, 255.255.255.0] -- this is a warning only that is triggered when local/remote addresses exist within the same /24 subnet as --ifconfig endpoints. (silence this warning with --ifconfig-nowarn) Test 3, no "--topology subnet": 2024-09-17 11:36:28 CHECK_ADDR_CLASH type=2 public=10.204.8.250 local=10.204.8.2, remote_netmask=10.204.8.1 2024-09-17 11:36:28 WARNING: potential conflict between --local address [10.204.8.250] and --ifconfig address pair [10.204.8.2, 10.204.8.1] -- this is a warning only that is triggered when local/remote addresses exist within the same /24 subnet as --ifconfig endpoints. (silence this warning with --ifconfig-nowarn) 2024-09-17 11:36:28 CHECK_ADDR_CLASH type=2 public=10.204.8.220 local=10.204.8.2, remote_netmask=10.204.8.1 2024-09-17 11:36:28 WARNING: potential conflict between --remote address [10.204.8.220] and --ifconfig address pair [10.204.8.2, 10.204.8.1] -- this is a warning only that is triggered when local/remote addresses exist within the same /24 subnet as --ifconfig endpoints. (silence this warning with --ifconfig-nowarn) .. it "works as designed", but does raise questions... see below. So, while this patch is actually fixing the first problem with this code, I have some ideas how to improve things further ;-) - the line wrapping "one function argument per line" is not how we do things today, so a future (master-only) patch could improve that - the check as implemented today checks "within the same /24", so if I do "--ifconfig 10.204.8.2 255.255.255.128 --remote 10.204.8.220" (which is perfectly sane) I get 2024-09-17 11:30:44 CHECK_ADDR_CLASH type=2 public=10.204.8.220 local=10.204.8.2, remote_netmask=255.255.255.128 2024-09-17 11:30:44 WARNING: potential conflict between --remote address [10.204.8.220] and --ifconfig address pair [10.204.8.2, 255.255.255.128] -- this is a warning only that is triggered when local/remote addresses exist within the same /24 subnet as --ifconfig endpoints. (silence this warning with --ifconfig-nowarn) ... which is not making any sense. Computers can do math, AND the code actually knows the netmask there, but uses /24 always (the TAP check code actually uses the netmask...). So I think this code needs to be taught about "--topology subnet", and only does the /24 heuristic for p2p/net30 (if at all). Your patch has been applied to the master and release/26 branch (bugfix). commit 7d345b19e20f30cb2ecbea71682b5a41e6cff454 (master) commit 7e6723aa7096bee80eb42a473fbfde7de4362b0f (release/2.6) Author: Ralf Lici Date: Tue Sep 17 11:14:33 2024 +0200 Fix check_addr_clash argument order Signed-off-by: Ralf Lici Acked-by: Frank Lichtenheld Message-Id: <20240917091433.24092-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29261.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] Fix check_addr_clash argument order
From: Ralf Lici
In init_tun() make sure to pass the --local and --remote addresses in
the host order so that they can be compared to the --ifconfig addresses.
Change-Id: I5adbe0a79f078221c4bb5f3d39391a81b4d8adce
Signed-off-by: Ralf Lici
Acked-by: Frank Lichtenheld
---
This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/737
This mail reflects revision 1 of this Change.
Acked-by according to Gerrit (reflected above):
Frank Lichtenheld
diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
index 739e008..1cd6ad2 100644
--- a/src/openvpn/tun.c
+++ b/src/openvpn/tun.c
@@ -877,9 +877,10 @@
{
if (curele->ai_family == AF_INET)
{
+const in_addr_t local = ntohl(((struct sockaddr_in
*)curele->ai_addr)->sin_addr.s_addr);
check_addr_clash("local",
tt->type,
- ((struct sockaddr_in
*)curele->ai_addr)->sin_addr.s_addr,
+ local,
tt->local,
tt->remote_netmask);
}
@@ -889,9 +890,10 @@
{
if (curele->ai_family == AF_INET)
{
+const in_addr_t remote = ntohl(((struct sockaddr_in
*)curele->ai_addr)->sin_addr.s_addr);
check_addr_clash("remote",
tt->type,
- ((struct sockaddr_in
*)curele->ai_addr)->sin_addr.s_addr,
+ remote,
tt->local,
tt->remote_netmask);
}
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Make read/write_tun_header static
Verified that it's not used outside tun.c, test built OpenBSD (which uses this). Your patch has been applied to the master branch. commit ac3a7fd93542420f12d58e5c7490076b5741fb5a Author: Arne Schwabe Date: Mon Sep 16 15:34:35 2024 +0200 Make read/write_tun_header static Signed-off-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <20240916133436.29943-1-g...@greenie.muc.de> Signed-off-by: Gert Doering URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29249.html -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] Make read/write_tun_header static
From: Arne Schwabe
These functions are not used outside tun.c
Change-Id: I028634dba74a273c725b0beb16b674897b3c23fa
Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/745
This mail reflects revision 1 of this Change.
Acked-by according to Gerrit (reflected above):
Gert Doering
diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
index 1f0eadd..0832375 100644
--- a/src/openvpn/tun.c
+++ b/src/openvpn/tun.c
@@ -1822,7 +1822,7 @@
}
}
-int
+static int
write_tun_header(struct tuntap *tt, uint8_t *buf, int len)
{
if (tt->type == DEV_TYPE_TUN)
@@ -1855,7 +1855,7 @@
}
}
-int
+static int
read_tun_header(struct tuntap *tt, uint8_t *buf, int len)
{
if (tt->type == DEV_TYPE_TUN)
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] Move cipher/data-ciphers warning to D_LOW (verb 4)
From: Arne Schwabe
These warnings served a purpose in OpenVPN 2.6.x to warn people
about the changed behaviour. But for 2.7 this is will be more
log spam than a helpful message. So only show this warning on a
high verbosity level.
Change-Id: Ie2797a82ad769cb640440d1ba7dfeb416e7b932d
Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/746
This mail reflects revision 1 of this Change.
Acked-by according to Gerrit (reflected above):
Gert Doering
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 61f6285..6009e5f 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -3546,7 +3546,7 @@
* parts of OpenVPN assert that the ciphername is set */
o->ciphername = "BF-CBC";
-msg(M_INFO, "Note: --cipher is not set. OpenVPN versions before 2.5 "
+msg(D_LOW, "Note: --cipher is not set. OpenVPN versions before 2.5 "
"defaulted to BF-CBC as fallback when cipher negotiation "
"failed in this case. If you need this fallback please add "
"'--data-ciphers-fallback BF-CBC' to your configuration "
@@ -3555,7 +3555,7 @@
else if (!o->enable_ncp_fallback
&& !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
{
-msg(M_WARN, "DEPRECATED OPTION: --cipher set to '%s' but missing in "
+msg(D_LOW, "DEPRECATED OPTION: --cipher set to '%s' but missing in "
"--data-ciphers (%s). OpenVPN ignores --cipher for cipher "
"negotiations. ",
o->ciphername, o->ncp_ciphers);
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: GHA: Enable t_server_null tests
"GHA says this works". So let's excercise it a bit more :-)
Your patch has been applied to the master branch.
commit 65985905c5abc69c1ee34c4cab6fdf8b73da7f50
Author: Frank Lichtenheld
Date: Thu Sep 12 19:49:10 2024 +0200
GHA: Enable t_server_null tests
Signed-off-by: Frank Lichtenheld
Acked-by: Gert Doering
Message-Id: <20240912174910.21058-1-g...@greenie.muc.de>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29231.html
Signed-off-by: Gert Doering
--
kind regards,
Gert Doering
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] GHA: Enable t_server_null tests
From: Frank Lichtenheld
Change-Id: I86203b8f9a6d3cfc5e56d3ce9452af694fd11011
Signed-off-by: Frank Lichtenheld
Acked-by: Gert Doering
---
This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/743
This mail reflects revision 1 of this Change.
Acked-by according to Gerrit (reflected above):
Gert Doering
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 8f0a7b5..361d457 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -172,8 +172,11 @@
run: ./configure --with-crypto-library=${{matrix.ssllib}}
${{matrix.extraconf}} --enable-werror
- name: make all
run: make -j3
+ - name: configure checks
+if: ${{ matrix.extraconf != '--disable-management' }}
+run: echo 'RUN_SUDO="sudo -E"' >tests/t_server_null.rc
- name: make check
-run: make check VERBOSE=1
+run: make -j3 check VERBOSE=1
ubuntu-clang-asan:
strategy:
@@ -199,8 +202,10 @@
run: CFLAGS="-fsanitize=address,undefined -fno-sanitize-recover=all
-fno-omit-frame-pointer -O2" CC=clang ./configure
--with-crypto-library=${{matrix.ssllib}} --enable-werror
- name: make all
run: make -j3
+ - name: configure checks
+run: echo 'RUN_SUDO="sudo -E"' >tests/t_server_null.rc
- name: make check
-run: make check VERBOSE=1
+run: make -j3 check VERBOSE=1
macos:
strategy:
@@ -258,8 +263,10 @@
run: ./configure --enable-werror ${{matrix.configureflags}}
${{matrix.configuressllib}}
- name: make all
run: make -j4
+ - name: configure checks
+run: echo 'RUN_SUDO="sudo -E"' >tests/t_server_null.rc
- name: make check
-run: make check VERBOSE=1
+run: make -j4 check VERBOSE=1
msvc:
strategy:
@@ -369,8 +376,10 @@
run: ./configure --with-crypto-library=openssl
${{matrix.configureflags}} --enable-werror
- name: make all
run: make -j3
+ - name: configure checks
+run: echo 'RUN_SUDO="sudo -E"' >tests/t_server_null.rc
- name: make check
-run: make check VERBOSE=1
+run: make -j3 check VERBOSE=1
mbedtls3:
strategy:
@@ -422,5 +431,7 @@
run: ./configure --with-crypto-library=mbedtls
- name: make all
run: make -j3
+ - name: configure checks
+run: echo 'RUN_SUDO="sudo -E"' >tests/t_server_null.rc
- name: make check
-run: make check VERBOSE=1
+run: make -j3 check VERBOSE=1
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: dco: mark peer as deleted from kernel after receiving CMD_DEL_PEER notification
Trivial enough, and makes sense... not tested further (not that easy to reproduce). Your patch has been applied to the master branch. commit 45bef145f3cc39c4c13609866f07b6cf9f8960a6 Author: Antonio Quartulli Date: Thu Sep 12 18:53:39 2024 +0200 dco: mark peer as deleted from kernel after receiving CMD_DEL_PEER notification Signed-off-by: Antonio Quartulli Acked-by: Arne Schwabe Message-Id: <20240912165339.21058-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29226.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] dco: mark peer as deleted from kernel after receiving CMD_DEL_PEER notification
From: Antonio Quartulli
some extra DCO calls may be made after receiving the DEL_PEER
notification (i.e. due to timeout), but this will result in
an error message due to the peer having disappeared already.
An extra call might be, for example, an explicit DEL_PEER
in the attempt of cleaning the peer state.
For this reason, inform userspace that there is no peer in
kernel anymore and prevent errors which may result confusing.
Change-Id: Ife50e37cd49d55ec81a70319a524ffeaf0625a56
Signed-off-by: Antonio Quartulli
Acked-by: Arne Schwabe
---
This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/744
This mail reflects revision 1 of this Change.
Acked-by according to Gerrit (reflected above):
Arne Schwabe
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 40b7cc4..374ba47 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -1256,6 +1256,8 @@
switch (dco->dco_message_type)
{
case OVPN_CMD_DEL_PEER:
+/* peer is gone, unset ID to prevent more kernel calls */
+c->c2.tls_multi->dco_peer_id = -1;
if (dco->dco_del_peer_reason == OVPN_DEL_PEER_REASON_EXPIRED)
{
msg(D_DCO_DEBUG, "%s: received peer expired notification of
for peer-id "
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Remove check for anonymous unions from configure and cmake config
I have no idea what that stuff does, but less #ifdef is good :-) - and supposedly no currently supported system needs this. Your patch has been applied to the master branch. commit b8b2d17f473e80b1a0b66e49cc1f34ce88d9502d Author: Arne Schwabe Date: Wed Jul 10 18:02:38 2024 +0200 Remove check for anonymous unions from configure and cmake config Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20240710160238.190189-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28914.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: tun: removed unnecessary route installations
Thanks for this. I'm not sure why this code was there originally, but
I guess one of the BSDs needed it ("15 years ago!") and I just assumed
the others would, too. I have tested this on NetBSD, OpenBSD and
MacOS, with all variants I thought might make a difference (tun/p2p,
tun/subnet, tun/subnet with a non-/64 IPv6 mask, tap) and it turns out
that this extra route is needed on none of them.
MacOS has no easily accessible TAP anymore (system security, kext loading)
so this was not tested - but I see no reason why it would break this.
.. and testing this really trivial patch took me about 2 days of
fighting with VMs, macOS, buildbots, ... *sigh*
Your patch has been applied to the master branch.
commit 992da812ad56d2cff44fd4f171dd85c808e1ed50
Author: Marco Baffo
Date: Thu Sep 12 16:24:21 2024 +0200
tun: removed unnecessary route installations
Signed-off-by: Marco Baffo
Acked-by: Gert Doering
Message-Id: <20240912142421.703-1-g...@greenie.muc.de>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29217.html
Signed-off-by: Gert Doering
--
kind regards,
Gert Doering
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v3] tun: removed unnecessary route installations
From: Marco Baffo Removed superfluous calls to 'add_route_ipv6' for adding ipv6 routes after tun opening in OpenBSD, NetBSD and Darwin. Change-Id: I235891212b15277349810913c9c1763da5c48587 Signed-off-by: Marco Baffo Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/731 This mail reflects revision 3 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c index 739e008..82c5c00 100644 --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c @@ -1008,8 +1008,7 @@ #endif /* ifdef _WIN32 */ } -#if defined(_WIN32)\ -|| defined(TARGET_DARWIN) || defined(TARGET_NETBSD) || defined(TARGET_OPENBSD) +#if defined(_WIN32) /* some of the platforms will auto-add a "network route" pointing * to the interface on "ifconfig tunX 2001:db8::1/64", others need @@ -1200,11 +1199,6 @@ "FreeBSD BSD 'ifconfig inet6 -ifdisabled' failed"); #endif -#if defined(TARGET_OPENBSD) || defined(TARGET_NETBSD) \ -|| defined(TARGET_DARWIN) -/* and, hooray, we explicitly need to add a route... */ -add_route_connected_v6_net(tt, es); -#endif #elif defined(TARGET_AIX) argv_printf(&argv, "%s %s inet6 %s/%d mtu %d up", IFCONFIG_PATH, ifname, ifconfig_ipv6_local, tt->netbits_ipv6, tun_mtu); ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: GHA: Update dependency Mbed-TLS/mbedtls to v3.6.1
GHA says "this builds fine", and so we apply it :-) (And the worries that 3.6.x would break with TLS 1.3 due to missing key-exporter are alleviated by our mbedtls builds disabling 1.3 anyway, due to missing key-exporter...) Your patch has been applied to the master branch. commit f4d7cec855aea3c453b75fe68a1c151400793661 Author: Frank Lichtenheld Date: Wed Sep 11 16:42:31 2024 +0200 GHA: Update dependency Mbed-TLS/mbedtls to v3.6.1 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240911144231.32553-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29208.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] GHA: Update dependency Mbed-TLS/mbedtls to v3.6.1
From: Frank Lichtenheld Requires submodule checkout. Change-Id: I86ceceb4e1c716b33c6c6ec8853eca0fb4b394f1 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/741 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 6207c95..8f0a7b5 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -404,9 +404,10 @@ uses: actions/checkout@v4 with: path: mbedtls + submodules: true # versioning=semver-coerced repository: Mbed-TLS/mbedtls - ref: v3.5.2 + ref: v3.6.1 - name: "mbedtls: make no_test" run: make -j3 no_test SHARED=1 working-directory: mbedtls ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Do not stop reading from file/uri when OPENSSL_STORE_load() returns error
Thanks for fixing this so quickly. Now this seems to be an... interesting API to work with... :-) I do not have something really interesting set up in terms of cert files and storage, so I just did basic client side testing with OSSL 3.x (works). Your patch has been applied to the master branch (bugfix, but offending code not in 2.6). commit e9ad1b31a04799de98f15220eb39225c3d9eaa64 Author: Selva Nair Date: Wed Sep 11 12:49:41 2024 +0200 Do not stop reading from file/uri when OPENSSL_STORE_load() returns error Signed-off-by: Selva Nair Acked-by: Arne Schwabe Message-Id: <20240911104941.19429-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29187.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: generate_auth_token: simplify code
Has an ACK from the owner of the code :-) - plus full test with the server instance that does auth-tokens (including expiry + regen) and a bit of stare-at-the-code. Your patch has been applied to the master branch. commit 3c77d328911bab5169d6981fbef34e8398c5b7b7 Author: Frank Lichtenheld Date: Tue Sep 10 19:00:05 2024 +0200 generate_auth_token: simplify code Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240910170005.5586-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29178.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] Do not stop reading from file/uri when OPENSSL_STORE_load() returns error
From: Selva Nair
OPENSSL_STORE_load() can error and return NULL even when the file or URI
still has readable objects left.
Fix by iterating until OPENSSL_STORE_eof(). Also clear such errors to avoid
misleading messages printed at the end by crypto_print_openssl_errors().
Change-Id: I2bfa9ffbd17d0599014d38b2a2fd319766cdb1e3
Signed-off-by: Selva Nair
Acked-by: Arne Schwabe
---
This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/742
This mail reflects revision 1 of this Change.
Acked-by according to Gerrit (reflected above):
Arne Schwabe
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 0d845f4..5fd6572 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -813,6 +813,15 @@
}
return 0;
}
+
+static void
+clear_ossl_store_error(OSSL_STORE_CTX *store_ctx)
+{
+if (OSSL_STORE_error(store_ctx))
+{
+ERR_clear_error();
+}
+}
#endif /* defined(HAVE_OPENSSL_STORE_API) */
/**
@@ -864,7 +873,19 @@
{
goto end;
}
-info = OSSL_STORE_load(store_ctx);
+while (1)
+{
+info = OSSL_STORE_load(store_ctx);
+if (info || OSSL_STORE_eof(store_ctx))
+{
+break;
+}
+/* OPENSSL_STORE_load can return error and still have usable objects
to follow.
+ * ref: man OPENSSL_STORE_open
+ * Clear error and recurse through the file if info = NULL and eof not
reached
+ */
+clear_ossl_store_error(store_ctx);
+}
if (!info)
{
goto end;
@@ -1099,7 +1120,19 @@
goto end;
}
-info = OSSL_STORE_load(store_ctx);
+while (1)
+{
+info = OSSL_STORE_load(store_ctx);
+if (info || OSSL_STORE_eof(store_ctx))
+{
+break;
+}
+/* OPENSSL_STORE_load can return error and still have usable objects
to follow.
+ * ref: man OPENSSL_STORE_open
+ * Clear error and recurse through the file if info = NULL and eof not
reached.
+ */
+clear_ossl_store_error(store_ctx);
+}
if (!info)
{
goto end;
@@ -1120,9 +1153,14 @@
OSSL_STORE_INFO_free(info);
/* iterate through the store and add extra certificates if any to the
chain */
-info = OSSL_STORE_load(store_ctx);
-while (info && !OSSL_STORE_eof(store_ctx))
+while (!OSSL_STORE_eof(store_ctx))
{
+info = OSSL_STORE_load(store_ctx);
+if (!info)
+{
+clear_ossl_store_error(store_ctx);
+continue;
+}
x = OSSL_STORE_INFO_get1_CERT(info);
if (x && SSL_CTX_add_extra_chain_cert(tls_ctx->ctx, x) != 1)
{
@@ -1131,7 +1169,6 @@
break;
}
OSSL_STORE_INFO_free(info);
-info = OSSL_STORE_load(store_ctx);
}
end:
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v11] Implement support for larger packet counter sizes
Hi,
On Tue, Sep 10, 2024 at 09:51:45PM +0200, Steffan Karger wrote:
> TL;DR: I don't think this should be merged yet.
> [..]
> So if we want to improve things for AES-GCM, we probably need other
> optimizations. I have some ideas, but was hoping to do some research and a
> write-up during the train ride to the hackathon, so we could discuss it
> further in Karlsruhe.
Thanks for having a look. This ruins my planned work for today :-) - but
since we are not in a great hurry *and* Karlsruhe is just next week, it
will not harm to delay for a few weeks if the end result gets better.
Just for the record - I've done all the testing on v11 yesterday, and
it behaves very well interoping with "older peers" (no DATA_V3) and
also "falling back to DATA_V2 if DCO is active" (as there is no code
yet to do V3 with DCO). master-to-master negotiates DATA_V3 and still
pings :-) - so, the code we have is good to be merged, if we decide to
keep it that way. If not, I know what I need to test and how.
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany g...@greenie.muc.de
signature.asc
Description: PGP signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v3] generate_auth_token: simplify code
From: Frank Lichtenheld The previous code went through some hoops to avoid compiler warnings. But there is a much easier way by just telling it exactly what you want to do. Also fix typo in variable name while I'm here. Change-Id: Icc86334b26ba1fcc20f4cd03644018d1d16796e3 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/310 This mail reflects revision 3 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c index c4b59b9..192c7c2 100644 --- a/src/openvpn/auth_token.c +++ b/src/openvpn/auth_token.c @@ -182,24 +182,18 @@ char *initial_token_copy = string_alloc(multi->auth_token_initial, &gc); char *old_sessid = initial_token_copy + strlen(SESSION_ID_PREFIX); -char *old_tsamp_initial = old_sessid + AUTH_TOKEN_SESSION_ID_LEN*8/6; +char *old_tstamp_initial = old_sessid + AUTH_TOKEN_SESSION_ID_LEN*8/6; /* * We null terminate the old token just after the session ID to let * our base64 decode function only decode the session ID */ -old_tsamp_initial[12] = '\0'; -ASSERT(openvpn_base64_decode(old_tsamp_initial, old_tstamp_decode, 9) == 9); +old_tstamp_initial[12] = '\0'; +ASSERT(openvpn_base64_decode(old_tstamp_initial, old_tstamp_decode, 9) == 9); -/* - * Avoid old gcc (4.8.x) complaining about strict aliasing - * by using a temporary variable instead of doing it in one - * line - */ -uint64_t *tstamp_ptr = (uint64_t *) old_tstamp_decode; -initial_timestamp = *tstamp_ptr; +memcpy(&initial_timestamp, &old_tstamp_decode, sizeof(initial_timestamp)); -old_tsamp_initial[0] = '\0'; +old_tstamp_initial[0] = '\0'; ASSERT(openvpn_base64_decode(old_sessid, sessid, AUTH_TOKEN_SESSION_ID_LEN) == AUTH_TOKEN_SESSION_ID_LEN); } else if (!rand_bytes(sessid, AUTH_TOKEN_SESSION_ID_LEN)) ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v11] Implement support for larger packet counter sizes
From: Arne Schwabe
With DCO and possible future hardware assisted OpenVPN acceleration we
are approaching the point where 32 bit IVs are not cutting it any more.
To illustrate the problem, some back of the envelope math here:
If we want to keep the current 3600s renegotiation interval and have
a safety margin of 25% (when we trigger renegotiation) we have about
3.2 million packets (2*32 * 0.7) to work with. That translates to
about 835k packets per second.
With 1300 Byte packets that translates into 8-9 Gbit/s. That is far
from unrealistic any more. Current DCO implementations are already in
spitting distance to that or might even reach (for a single client
connection) that if you have extremely fast
single core performance CPU.
This introduces the 64bit packet counters for AEAD data channel
ciphers in TLS mode ciphers. No effort has been made to support
larger packet counters in any other scenario since those are all legacy.
While we still keep the old --secret logic around we use the same
weird unix timestamp + packet counter format to avoid refactoring the
code now and again when we remove --secret code but DCO
implementations are free to use just a single 64 bit counter. One
other small downside of this approach is that when rollover happens
and we get reordering all the older packets are thrown away since
the distance between the packet before and after the rollover is
quite large as we probably jump forward more than 1s (or more than
2^32 packet ids). But this is an obscure edge that we can
(currently) live with.
While this implementation under hood allows one of the two
to be enabled individually we do not expose this functionality
but require the two protocol flags aead-tag-end and pkt-id-64-bit
to be always come together. This allows other data channel
implementations to only support a limited set of data channel
formats.
Change-Id: I01e258e97351b5aa4b9e561f5b35ddc2318569e2
Signed-off-by: Arne Schwabe
Acked-by: Frank Lichtenheld
---
This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/507
This mail reflects revision 11 of this Change.
Acked-by according to Gerrit (reflected above):
Frank Lichtenheld
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index c226727..6a639b7 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -68,6 +68,7 @@
const struct key_ctx *ctx = &opt->key_ctx_bi.encrypt;
uint8_t *mac_out = NULL;
const int mac_len = OPENVPN_AEAD_TAG_LENGTH;
+bool longiv = opt->flags & CO_64_BIT_PKT_ID;
/* IV, packet-ID and implicit IV required for this mode. */
ASSERT(ctx->cipher);
@@ -86,7 +87,7 @@
buf_set_write(&iv_buffer, iv, iv_len);
/* IV starts with packet id to make the IV unique for packet */
-if (!packet_id_write(&opt->packet_id.send, &iv_buffer, false, false))
+if (!packet_id_write_flat(&opt->packet_id.send, &iv_buffer, longiv))
{
msg(D_CRYPT_ERRORS, "ENCRYPT ERROR: packet ID roll over");
goto err;
@@ -355,6 +356,9 @@
* Set buf->len to 0 and return false on decrypt error.
*
* On success, buf is set to point to plaintext, true is returned.
+ *
+ * This method assumes that everything between ad_start and BPTR(buf) is
+ * authenticated data and therefore has no ad_len parameter
*/
static bool
openvpn_decrypt_aead(struct buffer *buf, struct buffer work,
@@ -384,7 +388,11 @@
/* IV and Packet ID required for this mode */
ASSERT(packet_id_initialized(&opt->packet_id));
-/* Combine IV from explicit part from packet and implicit part from
context */
+bool longiv = opt->flags & CO_64_BIT_PKT_ID;
+
+/* Combine IV from explicit part from packet and implicit part from
context.
+ * packet_iv_len and implicit_iv are initialised in init_key_contexts
+ * when keys are initialised as well */
{
uint8_t iv[OPENVPN_MAX_IV_LENGTH] = { 0 };
const int iv_len = cipher_ctx_iv_length(ctx->cipher);
@@ -409,7 +417,7 @@
}
/* Read packet ID from packet */
-if (!packet_id_read(&pin, buf, false))
+if (!packet_id_read_flat(&pin, buf, longiv))
{
CRYPT_ERROR("error reading packet-id");
}
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index 61184bc..ccaba7c 100644
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -248,8 +248,10 @@
* OpenVPN process startups. */
#define CO_PACKET_ID_LONG_FORM (1<<0)
-/**< Bit-flag indicating whether to use
-* OpenVPN's long packet ID format. */
+/**< Bit-flag indicating whether to use OpenVPN's long packet ID format.
+ * This format puts [4 byte counter][4byte timestamp] on the wire in
+ * big endian/network endian format.
+ **/
#define CO_IGNORE_PACKET_ID (1<<1)
/**< Bit-flag indicating whether to ignore
* the packet ID of a received packet.
@@ -283,6 +285,20 @@
[Openvpn-devel] [PATCH applied] Re: Various fixes for -Wconversion errors
I'm not a great fan of patches that do nothing more than "appease compilers",
and some of the conversions should really not be necessary - OTOH,
compilers have become better at spotting implicit conversions that *are*
not intended, losing precision and breaking things in the long run - so
better be explicit about int types...
I have stared-at-code (in addition to the ACK by Arne, recorded in Gerrit,
which somehow did not make it into the mail) - looks good. Also, gave
it some basic tests on Linux and FreeBSD + GHA (-Werror builds), and
all fine..
Your patch has been applied to the master branch.
commit 53449cb61ff569c4862926c7999d50f634030fd9
Author: Frank Lichtenheld
Date: Tue Sep 10 14:20:08 2024 +0200
Various fixes for -Wconversion errors
Signed-off-by: Frank Lichtenheld
Acked-by: Arne Schwabe
Message-Id: <20240910122008.23507-1-g...@greenie.muc.de>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29172.html
Signed-off-by: Gert Doering
--
kind regards,
Gert Doering
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v6] Various fixes for -Wconversion errors
From: Frank Lichtenheld
These are all fixes I considered "safe". They either
- Have sufficient checks/shifts for a cast to be safe
- Fix the type of a variable without requiring code changes
- Are in non-critical unittest code
v2:
- add min_size instead of abusing min_int
v6:
- remove change of return value of link_socket_write.
Move to separate patch.
Change-Id: I6818b153bdeb1eed65870af99b0531e95807fe0f
Signed-off-by: Frank Lichtenheld
---
This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/267
This mail reflects revision 6 of this Change.
Acked-by according to Gerrit (reflected above):
diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c
index abe6a9c..9ee76aa 100644
--- a/src/openvpn/buffer.c
+++ b/src/openvpn/buffer.c
@@ -326,7 +326,7 @@
return false;
}
-const int size = write(fd, BPTR(buf), BLEN(buf));
+const ssize_t size = write(fd, BPTR(buf), BLEN(buf));
if (size != BLEN(buf))
{
msg(M_ERRNO, "Write error on file '%s'", filename);
@@ -863,7 +863,7 @@
{
break;
}
-line[n++] = c;
+line[n++] = (char)c;
}
while (c);
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index c226727..12ad0b9 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -26,6 +26,8 @@
#include "config.h"
#endif
+#include
+
#include "syshead.h"
#include
@@ -1283,8 +1285,8 @@
hex_byte[hb_index++] = c;
if (hb_index == 2)
{
-unsigned int u;
-ASSERT(sscanf((const char *)hex_byte, "%x", &u) == 1);
+uint8_t u;
+ASSERT(sscanf((const char *)hex_byte, "%" SCNx8, &u)
== 1);
*out++ = u;
hb_index = 0;
if (++count == keylen)
@@ -1546,13 +1548,13 @@
ASSERT(cipher_kt_key_size(kt->cipher) <= MAX_CIPHER_KEY_LENGTH
&& md_kt_size(kt->digest) <= MAX_HMAC_KEY_LENGTH);
-const uint8_t cipher_length = cipher_kt_key_size(kt->cipher);
+const uint8_t cipher_length = (uint8_t)cipher_kt_key_size(kt->cipher);
if (!buf_write(buf, &cipher_length, 1))
{
return false;
}
-uint8_t hmac_length = md_kt_size(kt->digest);
+uint8_t hmac_length = (uint8_t)md_kt_size(kt->digest);
if (!buf_write(buf, &hmac_length, 1))
{
diff --git a/src/openvpn/integer.h b/src/openvpn/integer.h
index a1acaf9..34088ab 100644
--- a/src/openvpn/integer.h
+++ b/src/openvpn/integer.h
@@ -28,12 +28,12 @@
#ifndef htonll
#define htonll(x) ((1==htonl(1)) ? (x) : \
- ((uint64_t)htonl((x) & 0x) << 32) | htonl((x) >>
32))
+ ((uint64_t)htonl((uint32_t)((x) & 0x)) << 32) |
htonl((uint32_t)((x) >> 32)))
#endif
#ifndef ntohll
#define ntohll(x) ((1==ntohl(1)) ? (x) : \
- ((uint64_t)ntohl((x) & 0x) << 32) | ntohl((x) >>
32))
+ ((uint64_t)ntohl((uint32_t)((x) & 0x)) << 32) |
ntohl((uint32_t)((x) >> 32)))
#endif
static inline int
@@ -72,6 +72,19 @@
}
}
+static inline size_t
+min_size(size_t x, size_t y)
+{
+if (x < y)
+{
+return x;
+}
+else
+{
+return y;
+}
+}
+
static inline int
max_int(int x, int y)
{
diff --git a/src/openvpn/mss.c b/src/openvpn/mss.c
index 635557c..ebdec25 100644
--- a/src/openvpn/mss.c
+++ b/src/openvpn/mss.c
@@ -165,7 +165,7 @@
return;
}
-for (olen = hlen - sizeof(struct openvpn_tcphdr),
+for (olen = hlen - (int) sizeof(struct openvpn_tcphdr),
opt = (uint8_t *)(tc + 1);
olen > 1;
olen -= optlen, opt += optlen)
diff --git a/src/openvpn/otime.c b/src/openvpn/otime.c
index 3cde574..d77c99e 100644
--- a/src/openvpn/otime.c
+++ b/src/openvpn/otime.c
@@ -105,7 +105,7 @@
/* format a time_t as ascii, or use current time if 0 */
const char *
-time_string(time_t t, int usec, bool show_usec, struct gc_arena *gc)
+time_string(time_t t, long usec, bool show_usec, struct gc_arena *gc)
{
struct buffer out = alloc_buf_gc(64, gc);
struct timeval tv;
diff --git a/src/openvpn/otime.h b/src/openvpn/otime.h
index c37673e..9543732 100644
--- a/src/openvpn/otime.h
+++ b/src/openvpn/otime.h
@@ -43,7 +43,7 @@
bool frequency_limit_event_allowed(struct frequency_limit *f);
/* format a time_t as ascii, or use current time if 0 */
-const char *time_string(time_t t, int usec, bool show_usec, struct gc_arena
*gc);
+const char *time_string(time_t t, long usec, bool show_usec, struct gc_arena
*gc);
/* struct timeval functions */
diff --git a/src/openvpn/packet_id.c b/src/openvpn/packet_id.c
index be28999..fb962e4 100644
--- a/src/openvpn/packet_id.c
+++ b/src/openvpn/packet_id.c
@@ -588,14 +588,14 @@
}
[Openvpn-devel] [PATCH applied] Re: Fix more of uninitialized struct user_pass local vars
Acked-by: Gert Doering Thanks. Not tested beyond "does it compile", as the changes are very straightforward :-) Your patch has been applied to the master and released/2.6 branch. commit aa1dd09b5fc196499c84d2ef9b0c254ebb1745d8 (master) commit f9ab7edbebd6dfb3fd384b56626aabb3171ac0ad (release/2.6) Author: Selva Nair Date: Mon Sep 9 16:48:29 2024 -0400 Fix more of uninitialized struct user_pass local vars Signed-off-by: Selva Nair Acked-by: Gert Doering Message-Id: <20240909204829.10379-1-selva.n...@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29152.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied] Re: Static-challenge concatenation option
Hi, On Mon, Sep 09, 2024 at 12:01:54PM -0400, Selva Nair wrote: > > Is the GUI support already committed? I seem to remember seeing a PR > > for that "weeks ago"... and someone needs to bring Tunnelblick on board. > > I've sent a note to Jon about the change. Thanks :-) gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v3] dco-win: support for data_v3 features
From: Lev Stipakov
Since version 1.4, dco-win drivere supports data_v3 features
such as:
- AEAD tag at the end
- 64bit pktid
We have to:
- check in runtime if driver supports data_v3 features (we might be
running with the older driver)
- if those features are negotiated, we pass them to the driver
as bit flags via the (newly added) NEW_KEY_V2 ioctl
Introduce NEW_KEY_V2 ioctl, which accepts a new OVPN_CRYPTO_DATA_V2
structure, which includes a field for bit flags for the new
crypto options.
Make dco_supports_data_v3() implementation platform-dependend (as it
should be) and indicate data_v3 support by dco-win if the driver version
is at least 1.4. Extend the Windows-specific struct dco_context and
store data_v3 support there so that when dco_new_key() is called, we
know which API to use.
Change the dco internal API and pass crypto options flags to dco_new_key().
Change-Id: I2e0c50d33f8a57c023120cf348f95d34acbfcde5
Signed-off-by: Lev Stipakov
Acked-by: Frank Lichtenheld
---
This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/725
This mail reflects revision 3 of this Change.
Acked-by according to Gerrit (reflected above):
Frank Lichtenheld
diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index 7f0d53d..baaeb95 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -70,7 +70,7 @@
int ret = dco_new_key(multi->dco, multi->dco_peer_id, ks->key_id, slot,
encrypt_key, encrypt_iv,
decrypt_key, decrypt_iv,
- ciphername);
+ ciphername, ks->crypto_options.flags);
if ((ret == 0) && (multi->dco_keys_installed < 2))
{
multi->dco_keys_installed++;
diff --git a/src/openvpn/dco.h b/src/openvpn/dco.h
index 3ce2c31..ec4ec42 100644
--- a/src/openvpn/dco.h
+++ b/src/openvpn/dco.h
@@ -253,11 +253,7 @@
* Return whether the dco implementation supports the new protocol features of
* a 64 bit packet counter and AEAD tag at the end.
*/
-static inline bool
-dco_supports_data_v3(struct context *c)
-{
-return false;
-}
+bool dco_supports_data_v3(struct context *c);
#else /* if defined(ENABLE_DCO) */
diff --git a/src/openvpn/dco_freebsd.c b/src/openvpn/dco_freebsd.c
index 9a90f5c..4516cd5 100644
--- a/src/openvpn/dco_freebsd.c
+++ b/src/openvpn/dco_freebsd.c
@@ -415,14 +415,14 @@
dco_key_slot_t slot,
const uint8_t *encrypt_key, const uint8_t *encrypt_iv,
const uint8_t *decrypt_key, const uint8_t *decrypt_iv,
-const char *ciphername)
+const char *ciphername, unsigned int co_flags)
{
struct ifdrv drv;
nvlist_t *nvl;
int ret;
-msg(D_DCO_DEBUG, "%s: slot %d, key-id %d, peer-id %d, cipher %s",
-__func__, slot, keyid, peerid, ciphername);
+msg(D_DCO_DEBUG, "%s: slot %d, key-id %d, peer-id %d, cipher %s, co_flags
%u",
+__func__, slot, keyid, peerid, ciphername, co_flags);
nvl = nvlist_create(0);
@@ -778,4 +778,11 @@
return "none:AES-256-GCM:AES-192-GCM:AES-128-GCM:CHACHA20-POLY1305";
}
+bool
+dco_supports_data_v3(struct context *c)
+{
+/* not implemented */
+return false;
+}
+
#endif /* defined(ENABLE_DCO) && defined(TARGET_FREEBSD) */
diff --git a/src/openvpn/dco_internal.h b/src/openvpn/dco_internal.h
index 624c110..35500a4 100644
--- a/src/openvpn/dco_internal.h
+++ b/src/openvpn/dco_internal.h
@@ -70,7 +70,7 @@
dco_key_slot_t slot,
const uint8_t *encrypt_key, const uint8_t *encrypt_iv,
const uint8_t *decrypt_key, const uint8_t *decrypt_iv,
-const char *ciphername);
+const char *ciphername, unsigned int co_flags);
int dco_del_key(dco_context_t *dco, unsigned int peerid, dco_key_slot_t slot);
diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c
index 277cd64..4197d30 100644
--- a/src/openvpn/dco_linux.c
+++ b/src/openvpn/dco_linux.c
@@ -557,10 +557,10 @@
dco_key_slot_t slot,
const uint8_t *encrypt_key, const uint8_t *encrypt_iv,
const uint8_t *decrypt_key, const uint8_t *decrypt_iv,
-const char *ciphername)
+const char *ciphername, unsigned int co_flags)
{
-msg(D_DCO_DEBUG, "%s: slot %d, key-id %d, peer-id %d, cipher %s",
-__func__, slot, keyid, peerid, ciphername);
+msg(D_DCO_DEBUG, "%s: slot %d, key-id %d, peer-id %d, cipher %s, co_flags
%u",
+__func__, slot, keyid, peerid, ciphername, co_flags);
const size_t key_len = cipher_kt_key_size(ciphername);
const int nonce_tail_len = 8;
@@ -1058,4 +1058,11 @@
return "AES-128-GCM:AES-256-GCM:AES-192-GCM:CHACHA20-POLY1305";
}
+bool
+dco_supports_data_v3(struct context *c)
+{
+/* not implemented */
+return false;
+}
+
#endif /* defined(ENABLE_DCO) && defined(TARGET_LINUX) */
diff
[Openvpn-devel] [PATCH v1] tun: removed unnecessary route installations
From: Marco Baffo
Removed superfluous calls to 'add_route_ipv6' for adding ipv6 routes after tun
opening in OpenBSD, NetBSD and Darwin.
Change-Id: I235891212b15277349810913c9c1763da5c48587
Signed-off-by: Marco Baffo
Acked-by: Frank Lichtenheld
---
This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/731
This mail reflects revision 1 of this Change.
Acked-by according to Gerrit (reflected above):
Frank Lichtenheld
diff --git a/src/openvpn/route.c b/src/openvpn/route.c
index 71b5b42..31a634a 100644
--- a/src/openvpn/route.c
+++ b/src/openvpn/route.c
@@ -2244,9 +2244,6 @@
{
argv_printf_cat(&argv, "-link -iface %s", device);
}
-/* FIX ME: in NetBSD in TUN mode, the route is already added by ifconfig
- * so add_route_ipv6 fail with 'Invalid argument' or 'File exists'
- */
argv_msg(D_ROUTE, &argv);
bool ret = openvpn_execve_check(&argv, es, 0,
diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
index d878161..7bdc6c4 100644
--- a/src/openvpn/tun.c
+++ b/src/openvpn/tun.c
@@ -1010,8 +1010,7 @@
#endif /* ifdef _WIN32 */
}
-#if defined(_WIN32)\
-|| defined(TARGET_DARWIN) || defined(TARGET_NETBSD) ||
defined(TARGET_OPENBSD)
+#if defined(_WIN32)
/* some of the platforms will auto-add a "network route" pointing
* to the interface on "ifconfig tunX 2001:db8::1/64", others need
@@ -1203,11 +1202,6 @@
"FreeBSD BSD 'ifconfig inet6 -ifdisabled' failed");
#endif
-#if defined(TARGET_OPENBSD) || defined(TARGET_NETBSD) \
-|| defined(TARGET_DARWIN)
-/* and, hooray, we explicitly need to add a route... */
-add_route_connected_v6_net(tt, es, is_multipoint);
-#endif
#elif defined(TARGET_AIX)
argv_printf(&argv, "%s %s inet6 %s/%d mtu %d up", IFCONFIG_PATH, ifname,
ifconfig_ipv6_local, tt->netbits_ipv6, tun_mtu);
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied] Re: Ensures all params are ready before invoking dco_set_peer()
Hi, On Mon, Sep 09, 2024 at 01:39:30PM +0200, Gert Doering wrote: > Your patch has been applied to the master branch. Note: while this is a bugfix, it does not need to go to 2.6 - there is no mssfix support in-kernel for DCO v2, and the upcoming DCOv3-no-called- "ovpn" will be 2.7-only. (FreeBSD DCO does not support mssfix either, as of today) gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Ensures all params are ready before invoking dco_set_peer()
I did not have an obvious way to trigger this, so I first just fed it to the DCO-enabled server/client testbed (nothing broke). Then, after quite a bit of discussion, it was made clear that this is for "UDP p2mp server configs". To see the effect, one needs to run with DCO debugging (--verb 7), and then it will show the difference: Old: Sep 9 07:00:26 ubuntu2004 tun-udp-p2mp[1926430]: freebsd-74-amd64/194.97.140.3:64742 peer-id=0 dco_set_peer: peer-id 0, keepalive 10/60, mss 0 Sep 9 07:02:55 ubuntu2004 tun-udp-p2mp[1926430]: freebsd-14-amd64/2001:608:0:814::fb00:14 peer-id=1 dco_set_peer: peer-id 1, keepalive 10/60, mss 0 Sep 9 07:03:15 ubuntu2004 tun-udp-p2mp[1926430]: dco_set_peer: peer-id 2, keepalive 10/60, mss 0 Sep 9 07:03:30 ubuntu2004 tun-udp-p2mp[1926430]: dco_set_peer: peer-id 1, keepalive 10/60, mss 0 New: Sep 9 12:05:56 ubuntu2004 tun-udp-p2mp[1951062]: freebsd-74-amd64/194.97.140.3:51648 peer-id=0 dco_set_peer: peer-id 0, keepalive 10/60, mss 1380 Sep 9 12:08:31 ubuntu2004 tun-udp-p2mp[1951062]: freebsd-14-amd64/2001:608:0:814::fb00:14 peer-id=1 dco_set_peer: peer-id 1, keepalive 10/60, mss 1380 Sep 9 12:08:50 ubuntu2004 tun-udp-p2mp[1951062]: dco_set_peer: peer-id 2, keepalive 10/60, mss 1380 Sep 9 12:09:06 ubuntu2004 tun-udp-p2mp[1951062]: dco_set_peer: peer-id 1, keepalive 10/60, mss 1380 (not sure why half the log lines have a peer-name prefix and the other half don't, but this is outside the patch in question) Since the currently active DCO implementations for Linux and FreeBSD do not support MSSFIX this is a bit moot today, as the kernel side will just ignore the value anyway - but with the upcoming new Linux "in tree" version, at least setting the correct information is needed so the kernel can eventually do the right thing with it. As discussed on IRC, I have updated the comment before the dco_set_peer() call to more correctly reflect what it does. Also, I have reworded the commit message a bit to make it more clear that this is fixing a "p2mp server" issue, and that why p2p_set_dco_keepalive() has been removed. Your patch has been applied to the master branch. commit 32e748bd3320cd07b9e7671ee0cec95f4fd85935 (master) Author: Gianmarco De Gregori Date: Fri Sep 6 16:57:45 2024 +0200 Ensures all params are ready before invoking dco_set_peer() Signed-off-by: Gianmarco De Gregori Acked-by: Lev Stipakov Message-Id: <20240906145745.67596-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29086.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: tun: use is_tun_p2p more consistently
Sorry for taking so long to handle this. These old code ruins make my head spin... Anyway. Arne has ACKed it, GHA likes it, my server and client test rigs find nothing to complain. Did stare-at-code while the tests were running... all reasonable changes, nothing should have a behavioural change (except the fix in ifconfig_sanity_check()). Good catch on print_topology() ;-) Quite a few of the old "else if (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET)" are my doing, I think... seems "if (tun)" was really very unclear... Also thanks for restructuring the Darwin section to be "just as all the other platforms" :-) Your patch has been applied to the master branch. commit 976a65346d2193181f4f5664f798e16fcbf43345 Author: Frank Lichtenheld Date: Fri Sep 6 18:25:14 2024 +0200 tun: use is_tun_p2p more consistently Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240906162514.78671-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29091.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: tests/unit_tests/openvpn/test_auth_token.c: handle strdup errors
Your patch has been applied to the master branch. commit 611fa55ed1ef7e78e6015e77ace19aa4b2bf744e Author: Ilia Shipitsin Date: Mon Jul 8 23:08:22 2024 +0200 tests/unit_tests/openvpn/test_auth_token.c: handle strdup errors Signed-off-by: Ilia Shipitsin Acked-by: Frank Lichtenheld Message-Id: <20240708210912.566-6-chipits...@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28882.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH 3/5] src/openvpn/auth_token.c: handle strdup errors
Hi,
On Mon, Jul 08, 2024 at 11:08:20PM +0200, Ilia Shipitsin wrote:
> multi->auth_token = strdup((char *)BPTR(&session_token));
> +if (!multi->auth_token)
> +{
> +msg( M_FATAL, "Failed allocate memory for multi->auth_token");
> +}
I do wonder if this is the right approach here. For "openvpn itself"
we have the check_malloc_return() macro, which will purposely not call
msg() - as msg() does internal malloc()s, and if we cannot allocate
20 bytes for an auth_token, the chance that msg() will not succeed is
fairly high...
In plugins or unit tests, the infrastructure is different, but for 3/ and
4/, please resend with
multi->auth_token = strdup((char *)BPTR(&session_token));
+check_malloc_return(multi->auth_token);
(etc)
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany g...@greenie.muc.de
signature.asc
Description: PGP signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: sample/sample-plugins/defer/multi-auth.c: handle strdup errors
Stared-at-code, and compile-tested. Agree with Frank :-) Your patch has been applied to the master branch. commit aef8a872aa51331f781265fdb6b3c340463637a8 Author: Ilia Shipitsin Date: Mon Jul 8 23:08:19 2024 +0200 sample/sample-plugins/defer/multi-auth.c: handle strdup errors Signed-off-by: Ilia Shipitsin Acked-by: Frank Lichtenheld Message-Id: <20240708210912.566-3-chipits...@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28886.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: src/openvpn/init.c: handle strdup failures
Acked-by: Gert Doering Taken the "patchset looks great" from Antonio as ACK, fixed the "msg( M_FATAL," space on the go (trivial whitespace fixes are acceptable). Not tested beyond minimal compile test and stare-at-code. Your patch has been applied to the master branch. commit b7c6920eab5d56067a69805f64239b8dd5a0ae27 Author: Ilia Shipitsin Date: Mon Jul 8 23:08:18 2024 +0200 src/openvpn/init.c: handle strdup failures Signed-off-by: Ilia Shipitsin Acked-by: Antonio Quartulli Acked-by: Gert Doering Message-Id: <20240708210912.566-2-chipits...@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28884.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Static-challenge concatenation option
Thanks for your patience, and sorry for taking so long... vacation and other excuses. Haven't actually tested for good (a --static-challenge setup is on my TODO list since like 100 years...), but the code looks reasonable, it passes all "non-challenge" tests, and has an ACK from Frank :-) - and a few basic tests with "run client from cli, look what plugin-auth-pam reports on the other end" confirm that it does the job. Is the GUI support already committed? I seem to remember seeing a PR for that "weeks ago"... and someone needs to bring Tunnelblick on board. Your patch has been applied to the master branch. commit 6f6a0f362f845f042a965f797b731f8931310372 (master) Author: Selva Nair Date: Fri Jul 19 15:14:07 2024 +0200 Static-challenge concatenation option Signed-off-by: Selva Nair Acked-by: Frank Lichtenheld Message-Id: <20240719131407.75746-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28943.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Add test for static-challenge concatenation option
Tests are always good :-) - and this expect_string()/will_return() stuff looks outright magic... cool stuff. Your patch has been applied to the master branch. commit bb8f193615032f5a7dd3ae9230e2edfb92b70ab7 Author: Selva Nair Date: Fri Aug 30 10:18:24 2024 -0400 Add test for static-challenge concatenation option Signed-off-by: Selva Nair Acked-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20240830141824.108599-1-selva.n...@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29054.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Initialize before use struct user_pass in ui_reader()
Acked-by: Gert Doering Thanks :-) (not much to test here) Your patch has been applied to the master branch. commit 67124dcf317460609860a2ea7cb7a55ceed4a4ce Author: Selva Nair Date: Sun Sep 8 18:42:20 2024 -0400 Initialize before use struct user_pass in ui_reader() Signed-off-by: Selva Nair Acked-by: Gert Doering Message-Id: <20240908224220.478684-1-selva.n...@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29114.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Add a test for loading certificate and key using file: URI
Again, an easy-to-test one :-) - only unit tests, and those pass on
various OpenSSL and mbedTLS versions ("SKIPPED"), including the GHA
windows unit tests.
Your patch has been applied to the master branch.
commit f086a49b5511adcd5ad0835f7cbac7d403dbf4af
Author: Selva Nair
Date: Fri Sep 6 12:39:00 2024 +0200
Add a test for loading certificate and key using file: URI
Signed-off-by: Selva Nair
Acked-by: Frank Lichtenheld
Message-Id: <20240906103900.37037-1-fr...@lichtenheld.com>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29076.html
Signed-off-by: Gert Doering
--
kind regards,
Gert Doering
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Add a test for loading certificate and key to ssl context
Testing this one was easy - look at the patch "only test code affected",
and run "make check" on a few different machines :-) - passes FreeBSD + ossl3,
FreeBSD + mbedTLS, FreeBSD + ossl 1.1.1w, Gentoo + ossl 1.1.1 (and all
the GH builds, with various OpenSSL and mbedTLS versions).
Your patch has been applied to the master branch.
release/2.6 does not have enough backported unit test code for this to
apply (but given the way our patches flow, always master -> release/x,
this is not a big loss).
commit 0fe3a9877468ecfb3b97c67ecca5495eed7a8683 (master)
Author: Selva Nair
Date: Fri Sep 6 12:38:14 2024 +0200
Add a test for loading certificate and key to ssl context
Signed-off-by: Selva Nair
Acked-by: Frank Lichtenheld
Message-Id: <20240906103814.36839-1-fr...@lichtenheld.com>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29074.html
Signed-off-by: Gert Doering
--
kind regards,
Gert Doering
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Interpret --key and --cert option argument as URI
I have not tested this beyond basic "do t_client and server tests
still work" - no suitable OpenSSL provider infrastructure here, and
stalling the patch until I find time to set up more tests is not
helping anyone, given that Frank has done quite heavy testing already.
I've stared a bit at the code and things seem reasonable :-) - and
come with a unit test! (well, in the next patch)
I'm a bit curious about the new ui_reader() function - it says
"wrapper for pem_password_callback()" but the actuall call there
seems hidden in "SSL_CTX_get_default_passwd_cb()" - is my interpretation
correct? But anyway, there might be an undefined variable lurking
in
/* If pkcs#11 Use custom prompt similar to pkcs11-helper */
if (strstr(prompt, "PKCS#11"))
{
struct user_pass up;
get_user_pass(&up, NULL, "PKCS#11 token", ...
"up" is not initialized, and the first thing get_user_pass_cr() does
is look at "if (!up->defined)". So if I'm not misreading this, a
followup patch to initialize "up" would be good. At this point it
might be nice to add a comment explaining how the wrapping of
"pem_password_callback()" works ;-)
Your patch has been applied to the master branch.
commit 3512e8d3ada4fa7d04925a89fd9f3669655c7887 (master)
Author: Selva Nair
Date: Fri Sep 6 12:37:34 2024 +0200
Interpret --key and --cert option argument as URI
Signed-off-by: Selva Nair
Acked-by: Frank Lichtenheld
Message-Id: <20240906103734.36633-1-fr...@lichtenheld.com>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29075.html
Signed-off-by: Gert Doering
--
kind regards,
Gert Doering
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Protect cached username, password and token on client
Thanks for taking up the challenge :-) - and I think the approach is
quite reasonable, and also extensible should one of the other OSes come
up with a similar memory protection function one day ("crypt with a key
outside the program's own memory").
I have test compiled this "for windows" via GHA/MSVC and locally with
MinGW. Haven't actually tested the windows binary.
More important, since this adds an ASSERT() to a few server-side code path,
fed to the server-side testbed which has user+pass & auth-token instances,
and this all still works :-)
Your patch has been applied to the master and release/2.6 branch
(security hardening). 2.6 lacks the test_user_pass.c file, so that
hunk was omitted.
commit 12a9c357b6a7b55bea929eb5d9669e6386ab0d0e (master)
commit 9e1598de43383ac655fd71bd34021026ac105f23 (release/2.6)
Author: Selva Nair
Date: Fri Sep 6 13:29:08 2024 +0200
Protect cached username, password and token on client
Signed-off-by: Selva Nair
Acked-by: Frank Lichtenheld
Message-Id: <20240906112908.1009-1-g...@greenie.muc.de>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29079.html
Signed-off-by: Gert Doering
--
kind regards,
Gert Doering
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: proxy.c: Clear sensitive data after use
Thanks for looking into this - and I agree with the conclusion on
keeping the scope of this patch to "purge this", not refactor the
overall code to get rid of that copy completely.
I have not tested this "for real" as I do not currently have a proxy
setup that requires authentication - just stared at the code, and run
the normal client->proxy tests (and nothing broke).
Your patch has been applied to the master and release/2.6 branch
(useful and fairly isolated change, adding a bit of hardening).
commit dbe7e456954bf001420c4552c2b6e184ec6e068c (master)
commit 534609a2a7f0dcd56c8eab764c9c9c99834dcc6f (release/2.6)
Author: Selva Nair
Date: Thu Sep 5 12:07:24 2024 +0200
proxy.c: Clear sensitive data after use
Signed-off-by: Selva Nair
Acked-by: Frank Lichtenheld
Message-Id: <20240905100724.4105-1-g...@greenie.muc.de>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29061.html
Signed-off-by: Gert Doering
--
kind regards,
Gert Doering
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: configure: Try to use pkg-config to detect mbedTLS
Lightly tested on a FreeBSD (no .pc) and a Gentoo system (.pc), both find mbedtls & build fine. Discovered "" while at it... in case someone else wonders what that is, it's part of mbedTLS but is not installed in the normal mbedtls include path, because, why should it... (*roll eyes*). Your patch has been applied to the master branch. commit c829f57096cb6951aa4698eff388aeebf9310334 Author: Frank Lichtenheld Date: Fri Sep 6 18:05:10 2024 +0200 configure: Try to use pkg-config to detect mbedTLS Signed-off-by: Frank Lichtenheld Acked-by: Yuriy Darnobyt Message-Id: <20240906160510.76387-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29090.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: GHA: Configure Renovate
Your patch has been applied to the master branch. The Author info in gerrit is a bit funny, but from the context it's clear that Frank wrote this - and we want persons in the git log, not robots :-) - so adjusted the From: before committing. Lightly tested the GHA changes by building in my GH repo. commit 4788aaba0739eeaae853d31075ae533a9228a61b Author: Frank Lichtenheld Date: Fri Sep 6 17:12:43 2024 +0200 GHA: Configure Renovate Signed-off-by: Frank Lichtenheld Acked-by: Yuriy Darnobyt Message-Id: <20240906151243.69549-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29087.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: configure: Allow to detect git checkout if .git is not a directory
Have done a bit of testing with "in-tree build, git", "out of tree build, git" and "in-tree build, tarball" and it seems to always do the right thing. Haven't a need for git submodules, so I have not tested that. Your patch has been applied to the master branch. commit dac076fe406adace826766f6cc3cfdadc5f06be4 Author: Frank Lichtenheld Date: Fri Sep 6 19:21:12 2024 +0200 configure: Allow to detect git checkout if .git is not a directory Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Acked-by: Yuriy Darnobyt Message-Id: <20240906172112.87148-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29092.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v3] Protect cached username, password and token on client
From: Selva Nair
Keep the memory segment containing username and password in
"struct user_pass" encrypted. Works only on Windows.
Username and auth-token cached by the server are not covered
here.
v2: Encrypt username and password separately as it looks more
robust. We continue to depend on the username and password buffer
sizes to be a multiple of CRYPTPROTECTMEMORY_BLOCK_SIZE = 16,
which is the case now. An error is logged if this is not the case.
v3: move up ASSERT in auth_token.c
Change-Id: I42e17e09a02f01aedadc2b03f9527967f6e1e8ff
Signed-off-by: Selva Nair
Acked-by: Frank Lichtenheld
---
This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/728
This mail reflects revision 3 of this Change.
Acked-by according to Gerrit (reflected above):
Frank Lichtenheld
diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c
index 6787ea7..5de65cb 100644
--- a/src/openvpn/auth_token.c
+++ b/src/openvpn/auth_token.c
@@ -301,6 +301,7 @@
* Base64 is <= input and input is < USER_PASS_LEN, so using USER_PASS_LEN
* is safe here but a bit overkill
*/
+ASSERT(up && !up->protected);
uint8_t b64decoded[USER_PASS_LEN];
int decoded_len = openvpn_base64_decode(up->password +
strlen(SESSION_ID_PREFIX),
b64decoded, USER_PASS_LEN);
diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index 598fbae..ef4ab69 100644
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -223,6 +223,7 @@
bool password_from_stdin = false;
bool response_from_stdin = true;
+unprotect_user_pass(up);
if (flags & GET_USER_PASS_PREVIOUS_CREDS_FAILED)
{
msg(M_WARN, "Note: previous '%s' credentials failed", prefix);
@@ -479,14 +480,18 @@
secure_memzero(up, sizeof(*up));
up->nocache = nocache;
}
-/*
- * don't show warning if the pass has been replaced by a token: this is an
- * artificial "auth-nocache"
- */
-else if (!warn_shown)
+else
{
-msg(M_WARN, "WARNING: this configuration may cache passwords in memory
-- use the auth-nocache option to prevent this");
-warn_shown = true;
+protect_user_pass(up);
+/*
+ * don't show warning if the pass has been replaced by a token: this
is an
+ * artificial "auth-nocache"
+ */
+if (!warn_shown)
+{
+msg(M_WARN, "WARNING: this configuration may cache passwords in
memory -- use the auth-nocache option to prevent this");
+warn_shown = true;
+}
}
}
@@ -495,6 +500,7 @@
{
if (strlen(token))
{
+unprotect_user_pass(tk);
strncpynt(tk->password, token, USER_PASS_LEN);
tk->token_defined = true;
@@ -505,6 +511,7 @@
{
tk->defined = true;
}
+protect_user_pass(tk);
}
}
@@ -513,6 +520,7 @@
{
if (strlen(username))
{
+unprotect_user_pass(tk);
/* Clear the username before decoding to ensure no old material is left
* and also allow decoding to not use all space to ensure the last
byte is
* always 0 */
@@ -523,6 +531,7 @@
{
msg(D_PUSH, "Error decoding auth-token-username");
}
+protect_user_pass(tk);
}
}
@@ -779,3 +788,43 @@
return combined_path;
}
+
+void
+protect_user_pass(struct user_pass *up)
+{
+if (up->protected)
+{
+return;
+}
+#ifdef _WIN32
+if (protect_buffer_win32(up->username, sizeof(up->username))
+&& protect_buffer_win32(up->password, sizeof(up->password)))
+{
+up->protected = true;
+}
+else
+{
+purge_user_pass(up, true);
+}
+#endif
+}
+
+void
+unprotect_user_pass(struct user_pass *up)
+{
+if (!up->protected)
+{
+return;
+}
+#ifdef _WIN32
+if (unprotect_buffer_win32(up->username, sizeof(up->username))
+&& unprotect_buffer_win32(up->password, sizeof(up->password)))
+{
+up->protected = false;
+}
+else
+{
+purge_user_pass(up, true);
+}
+#endif
+}
diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h
index 963f3e6..a967ec8 100644
--- a/src/openvpn/misc.h
+++ b/src/openvpn/misc.h
@@ -60,6 +60,7 @@
* use this second bool to track if the token (password) is defined */
bool token_defined;
bool nocache;
+bool protected;
/* max length of username/password */
#ifdef ENABLE_PKCS11
@@ -207,6 +208,19 @@
struct buffer
prepend_dir(const char *dir, const char *path, struct gc_arena *gc);
+/**
+ * Encrypt username and password buffers in user_pass
+ */
+void
+protect_user_pass(struct user_pass *up);
+
+/**
+ * Decrypt username and password buffers in user_pass
+ */
+void
+unprotect_user_pass(struct user_pass *up);
+
+
#define _STRINGIFY(S) #S
/* *INDENT-OFF* - uncrustify need
[Openvpn-devel] [PATCH v1] proxy.c: Clear sensitive data after use
From: Selva Nair
Usage of credentials is a bit odd in this file.
Actually the copy of "struct user_pass" kept in p->up is not
required at all. It just defeats the purpose of auth-nocahe
as it never gets cleared.
Removing it is beyond the scope of this patch -- we just ensure
it's purged after use.
Change-Id: Ic6d63a319d272a56ac0e278f1356bc5241b56a34
Signed-off-by: Selva Nair
Acked-by: Frank Lichtenheld
---
This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/727
This mail reflects revision 1 of this Change.
Signed-off-by line for the author was added as per our policy.
Acked-by according to Gerrit (reflected above):
Frank Lichtenheld
diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c
index 5de0da4..eddacc9 100644
--- a/src/openvpn/proxy.c
+++ b/src/openvpn/proxy.c
@@ -247,7 +247,9 @@
struct buffer out = alloc_buf_gc(strlen(p->up.username) +
strlen(p->up.password) + 2, gc);
ASSERT(strlen(p->up.username) > 0);
buf_printf(&out, "%s:%s", p->up.username, p->up.password);
-return (const char *)make_base64_string((const uint8_t *)BSTR(&out), gc);
+char *ret = (char *)make_base64_string((const uint8_t *)BSTR(&out), gc);
+secure_memzero(BSTR(&out), out.len);
+return ret;
}
static void
@@ -736,6 +738,9 @@
ASSERT(0);
}
+/* clear any sensitive content in buf */
+secure_memzero(buf, sizeof(buf));
+
/* send empty CR, LF */
if (!send_crlf(sd))
{
@@ -983,6 +988,8 @@
{
goto error;
}
+/* clear any sensitive content in buf */
+secure_memzero(buf, sizeof(buf));
/* receive reply from proxy */
if (!recv_line(sd, buf, sizeof(buf),
get_server_poll_remaining_time(server_poll_timeout), true, NULL,
signal_received))
@@ -1086,10 +1093,12 @@
#endif
done:
+purge_user_pass(&p->up, true);
gc_free(&gc);
return ret;
error:
+purge_user_pass(&p->up, true);
register_signal(sig_info, SIGUSR1, "HTTP proxy error"); /* SOFT-SIGUSR1 --
HTTP proxy error */
gc_free(&gc);
return ret;
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Implement support for AEAD tag at the end
After some discussion it was decided to keep the "two independent options", partially because "these two patches have been out there for a while, been stared-at, and tested quite a bit" - also, IV_PROTO_V4 might end up with a different combination, we'll see. 507 will ensure that for IV_PROTO_V3 the two new options (AEAD at the end and 64 bit counters) will only ever be used together, or not at all - reduce the amount of protocol versions to implement in all datapaths, and combinations to test. I have tested this against older code (t_client -> 2.6 etc, and t_server <- 2.2...2.6) and nothing broke. Also, tested against itself, and that worked as well. Of course it does not actually *do* anything yet, as the logic to push "aead-tag-end" does not exist... (FTR, in case one of you is wondering - this is v3, and gerrit has "v8" of the patch - but it's the same code change, just being pushed again as part of "other pushes" after being rebased) Your patch has been applied to the master branch. commit 233e10aeec7de02d34fa5c517b44612d38ccc00f Author: Arne Schwabe Date: Wed Feb 14 14:27:19 2024 +0100 Implement support for AEAD tag at the end Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20240214132719.3031492-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28239.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Use a more robust way to get dco-win version
Stared at code here and on the driver side, looks very reasonable and also backward-compatible in both directions. Not actually tested, just test compiled via GHA. Your patch has been applied to the master and release/2.6 branch (long-term compat). commit e5a8ea36a0228c30cdbee8791d44a1f0fbaffa9f (master) commit 41fe48585ebd005e65d191452c2860ab9c089c55 (release/2.6) Author: Lev Stipakov Date: Fri Aug 9 21:22:56 2024 +0200 Use a more robust way to get dco-win version Signed-off-by: Lev Stipakov Acked-by: Gert Doering Message-Id: <20240809192257.24208-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29009.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: test_pkcs11.c: set file offset to 0 after ftruncate
Acked-by: Gert Doering
"explanation makes sense, man ftruncate clearly says 'fd is not modified'"
smoke tested ("make check") on linux with --enable-pkcs11
Your patch has been applied to the master branch.
Not applied to 2.6 because the code in question does not exist there.
commit dcf735009c8caabf5e4a9feeb0d32907aafe8f17 (master)
Author: Selva Nair
Date: Mon Aug 12 19:21:58 2024 -0400
test_pkcs11.c: set file offset to 0 after ftruncate
Signed-off-by: Selva Nair
Acked-by: Gert Doering
Message-Id: <20240812232158.3776869-1-selva.n...@gmail.com>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29010.html
Signed-off-by: Gert Doering
--
kind regards,
Gert Doering
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] Use a more robust way to get dco-win version
From: Lev Stipakov
The current way doesn't work if the device is already in use.
Starting from 1.3.0, dco-win creates a non-exclusive
control device \\.\ovpn-dco-ver which can be opened by
multiple apps and supports a single IOCTL to get
a version number.
https://github.com/OpenVPN/ovpn-dco-win/pull/76
This will be expecially handy later when checking which
features driver supports.
Change-Id: Ieb6f3a9d14d76000c1caf8ee1e959c6d0de832bf
Signed-off-by: Lev Stipakov
Acked-by: Gert Doering
---
This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/723
This mail reflects revision 1 of this Change.
Acked-by according to Gerrit (reflected above):
Gert Doering
diff --git a/src/openvpn/dco_win.c b/src/openvpn/dco_win.c
index e3ada76..3ec946f 100644
--- a/src/openvpn/dco_win.c
+++ b/src/openvpn/dco_win.c
@@ -389,9 +389,16 @@
OVPN_VERSION version;
ZeroMemory(&version, sizeof(OVPN_VERSION));
-/* try to open device by symbolic name */
-HANDLE h = CreateFile(".\\ovpn-dco", GENERIC_READ | GENERIC_WRITE,
- 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_SYSTEM |
FILE_FLAG_OVERLAPPED, NULL);
+/* first, try a non-exclusive control device, available from 1.3.0 */
+HANDLE h = CreateFile(".\\ovpn-dco-ver", GENERIC_READ,
+ 0, NULL, OPEN_EXISTING, 0, NULL);
+
+if (h == INVALID_HANDLE_VALUE)
+{
+/* fallback to a "normal" device, this will fail if device is already
in use */
+h = CreateFile(".\\ovpn-dco", GENERIC_READ,
+ 0, NULL, OPEN_EXISTING, 0, NULL);
+}
if (h == INVALID_HANDLE_VALUE)
{
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: console_systemd: rename query_user_exec to query_user_systemd
Simplification of code, less #ifdef/#undef tricks, good :-) - stared at code, and compile tested (FreeBSD + GHA). Your patch has been applied to the master branch. commit 418463ad27c13f56adb5b02cfd62018b7d634ee8 (master) Author: Frank Lichtenheld Date: Fri Jul 26 12:40:32 2024 +0200 console_systemd: rename query_user_exec to query_user_systemd Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <20240726104032.2112-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28983.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v4] console_systemd: rename query_user_exec to query_user_systemd
From: Frank Lichtenheld
This allows us to override query_user_exec for unit
tests more consistently without having to jump through
weird hoops.
Fixes running test_pkcs11 with --enable-systemd.
While here also fix documentation comments for
query_user_exec*.
Change-Id: I379e1eb6dc57b9fe4bbdaefbd947a14326e7117a
Signed-off-by: Frank Lichtenheld
Acked-by: Gert Doering
---
This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/670
This mail reflects revision 4 of this Change.
Acked-by according to Gerrit (reflected above):
Gert Doering
diff --git a/src/openvpn/console.h b/src/openvpn/console.h
index 7358299..72ae8e0 100644
--- a/src/openvpn/console.h
+++ b/src/openvpn/console.h
@@ -65,11 +65,10 @@
/**
- * Executes a configured setup, using the built-in method for querying the
user.
+ * Loop through configured query_user slots, using the built-in method for
+ * querying the user.
* This method uses the console/TTY directly.
*
- * @param setupPointer to the setup defining what to ask the user
- *
* @return True if executing all the defined steps completed successfully
*/
bool query_user_exec_builtin(void);
@@ -77,21 +76,34 @@
#if defined(ENABLE_SYSTEMD)
/**
- * Executes a configured setup, using the compiled method for querying the user
- *
- * @param setupPointer to the setup defining what to ask the user
+ * Loop through configured query_user slots, using the systemd method for
+ * querying the user.
+ * If systemd is not running it will fall back to use
+ * query_user_exec_builtin() instead.
*
* @return True if executing all the defined steps completed successfully
*/
-bool query_user_exec(void);
+bool query_user_exec_systemd(void);
-#else /* ENABLE_SYSTEMD not defined*/
+/**
+ * Loop through configured query_user slots, using the compiled method for
+ * querying the user.
+ *
+ * @return True if executing all the defined steps completed successfully
+ */
+static inline bool
+query_user_exec(void)
+{
+return query_user_exec_systemd();
+}
+
+#else /* ENABLE_SYSTEMD not defined */
/**
* Wrapper function enabling query_user_exec() if no alternative methods have
* been enabled
*
*/
-static bool
+static inline bool
query_user_exec(void)
{
return query_user_exec_builtin();
diff --git a/src/openvpn/console_systemd.c b/src/openvpn/console_systemd.c
index c7cf1ad..cc91cd1 100644
--- a/src/openvpn/console_systemd.c
+++ b/src/openvpn/console_systemd.c
@@ -96,7 +96,7 @@
*
*/
bool
-query_user_exec(void)
+query_user_exec_systemd(void)
{
bool ret = true; /* Presume everything goes okay */
int i;
diff --git a/tests/unit_tests/openvpn/test_pkcs11.c
b/tests/unit_tests/openvpn/test_pkcs11.c
index 6d283a2..5518fa1 100644
--- a/tests/unit_tests/openvpn/test_pkcs11.c
+++ b/tests/unit_tests/openvpn/test_pkcs11.c
@@ -75,6 +75,14 @@
{
assert_true(0);
}
+#if defined(ENABLE_SYSTEMD)
+bool
+query_user_exec_systemd(void)
+{
+assert_true(0);
+return false;
+}
+#endif
bool
query_user_exec_builtin(void)
{
diff --git a/tests/unit_tests/openvpn/test_user_pass.c
b/tests/unit_tests/openvpn/test_user_pass.c
index b43e655..de60291 100644
--- a/tests/unit_tests/openvpn/test_user_pass.c
+++ b/tests/unit_tests/openvpn/test_user_pass.c
@@ -26,10 +26,6 @@
#include "config.h"
#endif
-#undef ENABLE_SYSTEMD
-/* avoid redefining ENABLE_SYSTEMD in misc.c */
-#undef HAVE_CONFIG_H
-
#include "syshead.h"
#include "manage.h"
@@ -44,6 +40,13 @@
struct management *management; /* global */
/* mocking */
+#if defined(ENABLE_SYSTEMD)
+bool
+query_user_exec_systemd(void)
+{
+return query_user_exec_builtin();
+}
+#endif
bool
query_user_exec_builtin(void)
{
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: add and send IV_PROTO_DNS_OPTION_V2 flag
I have not tested this beyond "does it compile". My understanding is that this is to align openvpn 2.x and 3.x in regards to "if this bit is set, the client understands the new variants in `--dns`" and since the "new code" is only in master, so is this patch. Your patch has been applied to the master branch. commit 8991f0d5c6c06d1e42919d1d6a0813ca1c46f8a1 (master) Author: Heiko Hund Date: Thu Jul 25 13:22:48 2024 +0200 add and send IV_PROTO_DNS_OPTION_V2 flag Signed-off-by: Heiko Hund Acked-by: Arne Schwabe Message-Id: <20240725112248.21075-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28970.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] add and send IV_PROTO_DNS_OPTION_V2 flag
From: Heiko Hund Incompatible changes to the --dns server address and --dns server exclude-domains options were introduced after the code for handling them was released. Add and send a new IV_PROTO flag, so servers which act on the flags set can differentiate between clients which have implemented --dns and those which just support the new option. This enables them to decide which variant of options to send to the client. Change-Id: I975057c20c1457ef88111f8d142ca3fd2039d5ff Signed-off-by: Heiko Hund Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/680 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index e0e9591..14c38cf 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1900,8 +1900,8 @@ /* support for P_DATA_V2 */ int iv_proto = IV_PROTO_DATA_V2; -/* support for the --dns option */ -iv_proto |= IV_PROTO_DNS_OPTION; +/* support for the latest --dns option */ +iv_proto |= IV_PROTO_DNS_OPTION_V2; /* support for exit notify via control channel */ iv_proto |= IV_PROTO_CC_EXIT_NOTIFY; diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 1a45048..6c2bfc3 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -94,7 +94,7 @@ * result. */ #define IV_PROTO_NCP_P2P (1<<5) -/** Supports the --dns option introduced in version 2.6 */ +/** Supports the --dns option introduced in version 2.6. Not sent anymore. */ #define IV_PROTO_DNS_OPTION (1<<6) /** Support for explicit exit notify via control channel @@ -107,6 +107,9 @@ /** Support to dynamic tls-crypt (renegotiation with TLS-EKM derived tls-crypt key) */ #define IV_PROTO_DYN_TLS_CRYPT (1<<9) +/** Supports the --dns option after all the incompatible changes */ +#define IV_PROTO_DNS_OPTION_V2 (1<<11) + /* Default field in X509 to be username */ #define X509_USERNAME_FIELD_DEFAULT "CN" ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Add Ubuntu 24.04 runner to Github Actions
Your patch has been applied to the master branch.
I tried to apply it to release/2.6 as well, but the mbedtls builds
fail (on 24.04) with error messages like this:
crypto_backend.h:352:6: note: previous declaration of `cipher_ctx_init' with
type `void(cipher_ctx_t *, const uint8_t *, const char *, int)' {aka
`void(mbedtls_cipher_context_t *, const unsigned char *, const char *, int)'}
so it seems we need some mbedtls compat backport first, or stop building
2.6 + 24.04 + mbedtls.
Details:
https://github.com/cron2/openvpn/actions/runs/10041826490/job/27750800767
(looking more closely, 24.04 + ossl 3 fails as well, with
"configure: error: PKCS11 enabled but libpkcs11-helper is missing")
commit 856065b2eb37286c389550593472bf180bc5be9d (master)
Author: Arne Schwabe
Date: Fri Jul 19 15:11:41 2024 +0200
Add Ubuntu 24.04 runner to Github Actions
Signed-off-by: Arne Schwabe
Acked-by: Frank Lichtenheld
Message-Id: <20240719131141.75324-1-fr...@lichtenheld.com>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28942.html
Signed-off-by: Gert Doering
--
kind regards,
Gert Doering
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Fix missing spaces in various messages
Went through the individual messages, all very welcome fixes. Test compiled, just to be sure no quote or anything escaped. Your patch has been applied to the master and release/2.6 branch (bugfix). commit 824fe9ce497bd26a9609abb7324427e906ead6a4 (master) commit 02346806adafd3c656f018a7a1b3fb2c585a1cea (release/2.6) Author: Frank Lichtenheld Date: Mon Jul 22 14:10:34 2024 +0200 Fix missing spaces in various messages Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <20240722121034.10816-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28950.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] Fix missing spaces in various messages
From: Frank Lichtenheld
These result from broken up literals where it
is easy to miss the missing space.
Change-Id: Ic27d84c74c1dd6ff7973ca6966d186f475c67e21
Signed-off-by: Frank Lichtenheld
Acked-by: Gert Doering
---
This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/679
This mail reflects revision 1 of this Change.
Acked-by according to Gerrit (reflected above):
Gert Doering
diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index 78243b1..7f0d53d 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -185,7 +185,7 @@
}
else
{
-msg(D_DCO_DEBUG, "Swapping primary and secondary keys to"
+msg(D_DCO_DEBUG, "Swapping primary and secondary keys to "
"primary-id=%d secondary-id=(to be deleted)",
primary->key_id);
}
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 162b23e..03177bb 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -1804,7 +1804,7 @@
}
else if (dco_enabled(o))
{
-msg(M_INFO, "Client does not support DATA_V2. Data channel offloaing "
+msg(M_INFO, "Client does not support DATA_V2. Data channel offloading "
"requires DATA_V2. Dropping client.");
auth_set_client_reason(tls_multi, "Data channel negotiation "
"failed (missing DATA_V2)");
@@ -1815,7 +1815,7 @@
* not accept our pushed ciphers */
if (proto & IV_PROTO_NCP_P2P)
{
-msg(M_WARN, "Note: peer reports running in P2P mode (no
--pull/--client"
+msg(M_WARN, "Note: peer reports running in P2P mode (no
--pull/--client "
"option). It will not negotiate ciphers with this server. "
"Expect this connection to fail.");
}
@@ -2027,7 +2027,7 @@
/* Not EOF but other error -> fall through to error state */
default:
/* We received an unknown/unexpected value. Assume failure. */
-msg(M_WARN, "WARNING: Unknown/unexpected value in deferred"
+msg(M_WARN, "WARNING: Unknown/unexpected value in deferred "
"client-connect resultfile");
ret = CC_RET_FAILED;
}
@@ -2427,7 +2427,7 @@
*/
if (!mi->context.c2.push_ifconfig_defined)
{
-msg(D_MULTI_ERRORS, "MULTI: no dynamic or static remote"
+msg(D_MULTI_ERRORS, "MULTI: no dynamic or static remote "
"--ifconfig address is available for %s",
multi_instance_string(mi, false, &gc));
}
@@ -2443,7 +2443,7 @@
print_in_addr_t(mi->context.options.push_ifconfig_constraint_netmask, 0, &gc);
/* JYFIXME -- this should cause the connection to fail */
-msg(D_MULTI_ERRORS, "MULTI ERROR: primary virtual IP for %s (%s)"
+msg(D_MULTI_ERRORS, "MULTI ERROR: primary virtual IP for %s (%s) "
"violates tunnel network/netmask constraint (%s/%s)",
multi_instance_string(mi, false, &gc),
print_in_addr_t(mi->context.c2.push_ifconfig_local, 0, &gc),
@@ -2492,7 +2492,7 @@
}
else if (mi->context.options.iroutes)
{
-msg(D_MULTI_ERRORS, "MULTI: --iroute options rejected for %s -- iroute"
+msg(D_MULTI_ERRORS, "MULTI: --iroute options rejected for %s -- iroute
"
"only works with tun-style tunnels",
multi_instance_string(mi, false, &gc));
}
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 64e67aa..ba9b05e 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -7033,7 +7033,7 @@
}
else if (streq(p[0], "max-routes") && !p[2])
{
-msg(M_WARN, "DEPRECATED OPTION: --max-routes option ignored."
+msg(M_WARN, "DEPRECATED OPTION: --max-routes option ignored. "
"The number of routes is unlimited as of OpenVPN 2.4. "
"This option will be removed in a future version, "
"please remove it from your configuration.");
@@ -9328,7 +9328,7 @@
s++;
}
msg(M_WARN, "DEPRECATED FEATURE: automatically upcased the
"
-"--x509-username-field parameter to '%s'; please
update your"
+"--x509-username-field parameter to '%s'; please
update your "
"configuration", p[j]);
}
}
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index 93
[Openvpn-devel] [PATCH applied] Re: configure: Switch to C11 by default
As discussed before, this breaks OpenBSD 6.8 builds (and, generally, other systems with very old compilers). Not sure the benefit of getting rid of a few hoops for anonymous unions is worth it, but then, it's not like people on those systems couldn't just update... Your patch has been applied to the master branch. commit 37b696a207548df88fe65aa130fe6d522e7ce920 (master) Author: Frank Lichtenheld Date: Wed Jul 10 18:03:06 2024 +0200 configure: Switch to C11 by default Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240710160306.190351-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28916.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Allow trailing \r and \n in control channel message
Stared at code, reviewed, and fed to my test case where the server
replies with "AUTH_FAIL,you stink\r\n" - which wasn't working with
the previous code (and was overlooked during testing), now works.
2024-07-17 20:54:32 AUTH: Received control message: AUTH_FAILED,you stink
Also, unit tests, yay :-)
Your patch has been applied to the master and release/2.6 branch
(backport will be applied to 2.5).
commit be31325e1dfdffbb152374985c2ae7b6644e3519 (master)
commit 343573990135023d855d151fcd9248e5c26d9f8b (release/2.6)
Author: Arne Schwabe
Date: Wed Jul 10 16:06:23 2024 +0200
Allow trailing \r and \n in control channel message
Signed-off-by: Arne Schwabe
Acked-by: Frank Lichtenheld
Message-Id: <20240710140623.172829-1-fr...@lichtenheld.com>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28910.html
Signed-off-by: Gert Doering
--
kind regards,
Gert Doering
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Allow trailing \r and \n in control channel message
Acked-by: Gert Doering Thanks for the backport. Verified that it's the same change (without the unit test, and having extract_command_buffer() in forward.c), and that it gets the job done :-) Your patch has been applied to the release/2.5 branch. commit dddb87f126a6e87e61de830a9efe0bc257a71e2b (release/2.5) Author: Arne Schwabe Date: Thu Jul 11 13:30:22 2024 +0200 Allow trailing \r and \n in control channel message Signed-off-by: Arne Schwabe Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <2024073022.52076-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28923.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v2] configure: Switch to C11 by default
Hi,
On Wed, Jul 10, 2024 at 06:03:06PM +0200, Frank Lichtenheld wrote:
> Mostly so we can use anonymous structs without jumping through
> hoops or relying on unofficial support.
>
> Change-Id: I72934e747d1ad68a7e3675afbeb1b63df7941186
> Signed-off-by: Frank Lichtenheld
> Acked-by: Arne Schwabe
> ---
>
> This change was reviewed on Gerrit and approved by at least one
> developer. I request to merge it to master.
This breaks all OpenBSD 6.8 builds. Are you intentionally ignoring
this ("this OS is out of support, we'll discontinue this buildbot"? If
yes, we might want to point out that this change has fallout on older
"build environments" - not sure what is problematic here, C compiler or
system headers, or libc...
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany g...@greenie.muc.de
signature.asc
Description: PGP signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: t_server_null: multiple improvements and fixes
Thanks for the good work on this - now all the more exotic platforms (with stubborn sysadmins) pass "the basic tests", and we can move onwards to more creative setups, and towards better diagnostic output. Tested on the buildbots (via gerrit). Your patch has been applied to the master branch. commit f8f477139804b06183b515a529c982f524547d18 Author: Samuli Seppänen Date: Thu Jul 4 15:33:36 2024 +0200 t_server_null: multiple improvements and fixes Signed-off-by: Samuli Seppänen Acked-by: Frank Lichtenheld Message-Id: <2024070417.26595-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28871.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v5] t_server_null: multiple improvements and fixes
From: Samuli Seppänen
- exit after a timeout if unable to kill servers
- use sudo or equivalent only for server stop/start
- use /bin/sh directly instead of through /usr/bin/env
- simplify sudo call in the sample rc file
- remove misleading and outdated documentation
- make it work on OpenBSD 7.5
- make it work on NetBSD 10.0
- make server logs readable by normal users
Change-Id: I2cce8ad4e0d262e1404ab1eb6ff673d8590b6b3a
Signed-off-by: Samuli Seppänen
Acked-by: Frank Lichtenheld
---
This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/669
This mail reflects revision 5 of this Change.
Acked-by according to Gerrit (reflected above):
Frank Lichtenheld
diff --git a/doc/t_server_null.rst b/doc/t_server_null.rst
index e3a098a..5fe9080 100644
--- a/doc/t_server_null.rst
+++ b/doc/t_server_null.rst
@@ -43,6 +43,12 @@
* run as root
* a privilege escalation tool (sudo, doas, su) and the permission to become
root
+If you use "doas" you should enable nopass feature in */etc/doas.conf*. For
+example to allow users in the *wheel* group to run commands without a password
+prompt::
+
+permit nopass keepenv :wheel
+
Technical implementation
@@ -73,13 +79,6 @@
* Waits until servers have launched. Then launch all clients, wait for
them to exit and then check test results by parsing the client log files. Each
client kills itself after some delay using an "--up" script.
-Note that "make check" moves on once *t_server_null_client.sh* has exited. At
-that point *t_server_null_server.sh* is still running, because it exists only
-after waiting a few seconds for more client connections to potentially appear.
-This is a feature and not a bug, but means that launching "make check" runs too
-quickly might cause test failures or unexpected behavior such as leftover
-OpenVPN server processes.
-
Configuration
-
diff --git a/tests/t_server_null.rc-sample b/tests/t_server_null.rc-sample
index 28c3773..98d7869 100644
--- a/tests/t_server_null.rc-sample
+++ b/tests/t_server_null.rc-sample
@@ -1,6 +1,5 @@
# Uncomment to run tests with sudo
-#SUDO_EXEC=`which sudo`
-#RUN_SUDO="${SUDO_EXEC} -E"
+#RUN_SUDO="sudo -E"
TEST_RUN_LIST="1 2 3 10 11"
diff --git a/tests/t_server_null.sh b/tests/t_server_null.sh
index 0e53ba4..7627edf 100755
--- a/tests/t_server_null.sh
+++ b/tests/t_server_null.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/env sh
+#!/bin/sh
#
TSERVER_NULL_SKIP_RC="${TSERVER_NULL_SKIP_RC:-77}"
@@ -57,12 +57,7 @@
srcdir="${srcdir:-.}"
-if [ -z "${RUN_SUDO}" ]; then
-"${srcdir}/t_server_null_server.sh" &
-else
-$RUN_SUDO "${srcdir}/t_server_null_server.sh" &
-fi
-
+"${srcdir}/t_server_null_server.sh" &
"${srcdir}/t_server_null_client.sh"
retval=$?
diff --git a/tests/t_server_null_client.sh b/tests/t_server_null_client.sh
index 8890007..e7dd332 100755
--- a/tests/t_server_null_client.sh
+++ b/tests/t_server_null_client.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/env sh
+#!/bin/sh
launch_client() {
test_name=$1
@@ -76,19 +76,22 @@
count=0
server_max_wait=15
while [ $count -lt $server_max_wait ]; do
-server_pids=""
-server_count=$(set|grep 'SERVER_NAME_'|wc -l)
+servers_up=0
+server_count=$(echo $TEST_SERVER_LIST|wc -w)
# We need to trim single-quotes because some shells return quoted values
# and some don't. Using "set -o posix" which would resolve this problem is
# not supported in all shells.
+#
+# While inactive server configurations may get checked they won't increase
+# the active server count as the processes won't be running.
for i in `set|grep 'SERVER_NAME_'|cut -d "=" -f 2|tr -d "[\']"`; do
server_pid=$(cat $i.pid 2> /dev/null)
-server_pids="${server_pids} ${server_pid}"
+if ps -p $server_pid > /dev/null 2>&1; then
+servers_up=$(( $servers_up + 1 ))
+fi
done
-servers_up=$(ps -p $server_pids 2>/dev/null|sed '1d'|wc -l)
-
echo "OpenVPN test servers up: ${servers_up}/${server_count}"
if [ $servers_up -ge $server_count ]; then
@@ -101,6 +104,7 @@
if [ $count -eq $server_max_wait ]; then
retval=1
+exit $retval
fi
done
diff --git a/tests/t_server_null_default.rc b/tests/t_server_null_default.rc
index 63b6bcd..825bb52 100755
--- a/tests/t_server_null_default.rc
+++ b/tests/t_server_null_default.rc
@@ -24,7 +24,7 @@
MAX_CLIENTS="10"
CLIENT_MATCH="Test-Client"
SERVER_EXEC="${top_builddir}/src/openvpn/openvpn"
-SERVER_BASE_OPTS="--daemon --local 127.0.0.1 --dev tun --topology subnet
--server 10.29.41.0 255.255.255.0 --max-clients $MAX_CLIENTS --persist-tun
--verb 3"
+SERVER_BASE_OPTS="--daemon --local 127.0.0.1 --dev tun --topology subnet
--max-clients $MAX_CLIENTS --persist-tun --verb 3"
SERVER_CIPHER_OPTS=""
SERVER_CERT_OPTS="--ca ${CA} --dh ${DH} --cert ${SERVER_CERT} --key
${SERVE
[Openvpn-devel] [PATCH applied] Re: mbedtls: Warn if --tls-version-min is too low
Thanks for that. This fixes my server test rig, which sets --tls-version-min to accept connections from very old clients - it will now (still) fail old clients that can not do TLS 1.2 (namely, OpenVPN 2.2(!) - 2.3 and up are fine), but it will not fail "everything else" as the current code did. Your patch has been applied to the master branch. commit c535fa7afe45937bbc7dda435b2b05e57f7ecd53 (master) Author: Max Fillinger Date: Wed Jul 3 19:41:58 2024 +0200 mbedtls: Warn if --tls-version-min is too low Signed-off-by: Max Fillinger Acked-by: Arne Schwabe Message-Id: <20240703174158.7137-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28865.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] mbedtls: Warn if --tls-version-min is too low
From: Max Fillinger
Recent versions of mbedtls only support TLS 1.2. When the minimum
version is set to TLS 1.0 or 1.1, log a warning and use 1.2 as the
actual minimum version.
Change-Id: Ibc641388d8016533c94dfef3618376f6dfa91f4e
Signed-off-by: Max Fillinger
Acked-by: Arne Schwabe
---
This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/684
This mail reflects revision 1 of this Change.
Acked-by according to Gerrit (reflected above):
Arne Schwabe
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index dbe1425..64e67aa 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -8942,6 +8942,15 @@
msg(msglevel, "unknown tls-version-min parameter: %s", p[1]);
goto err;
}
+
+#ifdef ENABLE_CRYPTO_MBEDTLS
+if (ver < TLS_VER_1_2)
+{
+msg(M_WARN, "--tls-version-min %s is not supported by mbedtls,
using 1.2", p[1]);
+ver = TLS_VER_1_2;
+}
+#endif
+
options->ssl_flags &=
~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT);
options->ssl_flags |= (ver << SSLF_TLS_VERSION_MIN_SHIFT);
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: configure: Try to detect LZO with pkg-config
Detailed test reports are in the gerrit notes... so not repeating them here :-) - but finally, we have something that just detects LZO "wherever it is", as long as a pkg-config entry is there - the need to have LZO_CFLAGS/LZO_LIBS on all the *BSDs has irked me since 2.1 or so... (thanks!) Sanity-tested the 2.6 branch via GHA. Your patch has been applied to the master and release/2.6 branch (no real code change, maintenance). commit 0ea51261d096b54281287bbd2a6899041c4dbd43 (master) commit 3c43b016e9767df74909ea5644399e8872e38c97 (release/2.6) Author: Frank Lichtenheld Date: Wed Jun 26 18:19:21 2024 +0200 configure: Try to detect LZO with pkg-config Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <20240626161921.179301-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28848.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Http-proxy: fix bug preventing proxy credentials caching
The original ACK came from Frank, I'm just ACKing the change v8 -> v10
(rebased, and add (void) to function declaration / prototypes where missing).
I do not have a test setup to properly test this right now - I do have
proxies, but they do not need auth, and especially the "cache on reconnect"
needs a different client-side driving framework to verify client behaviour
(volunteers for a t_client.sh-alike using the management interface?). But
I am told that Frank and Gianmarco have tested this very extensively, and
it does not break any of the things I *can* test (basic auth-user-pass and
token). So in it goes :-)
Your patch has been applied to the master and release/2.6 branch (bugfix).
commit 3cfd6f961d5c92bec283ac3616e1633b4e16760c (master)
commit ad0c2c078ea505436b19255ebfbc8365044c5953 (release/2.6)
Author: Gianmarco De Gregori
Date: Sun Jun 23 22:05:51 2024 +0200
Http-proxy: fix bug preventing proxy credentials caching
Signed-off-by: Gianmarco De Gregori
Acked-by: Gert Doering
Acked-by: Frank Lichtenheld
Message-Id: <20240623200551.20092-1-g...@greenie.muc.de>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28835.html
Signed-off-by: Gert Doering
--
kind regards,
Gert Doering
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v10] Http-proxy: fix bug preventing proxy credentials caching
From: Gianmarco De Gregori
Caching proxy credentials was not working due to the
lack of handling already defined creds in get_user_pass(),
which prevented the caching from working properly.
Fix this issue by getting the value of c->first_time,
that indicates if we're at the first iteration
of the main loop and use it as second argument of the
get_user_pass_http(). Otherwise, on SIGUSR1 or SIGHUP
upon instance context restart credentials would be erased
every time.
The nocache member has been added to the struct
http_proxy_options and also a getter method to retrieve
that option from ssl has been added, by doing this
we're able to erase previous queried user credentials
to ensure correct operation.
Fixes: Trac #1187
Signed-off-by: Gianmarco De Gregori
Acked-by: Gert Doering
Change-Id: Ia3e06c0832c4ca0ab868c845279fb71c01a1a78a
---
This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/523
This mail reflects revision 10 of this Change.
Acked-by according to Gerrit (reflected above):
Gert Doering
diff --git a/doc/man-sections/generic-options.rst
b/doc/man-sections/generic-options.rst
index eb9cf28..ba9376b 100644
--- a/doc/man-sections/generic-options.rst
+++ b/doc/man-sections/generic-options.rst
@@ -19,9 +19,6 @@
When using ``--auth-nocache`` in combination with a user/password file
and ``--chroot`` or ``--daemon``, make sure to use an absolute path.
- This directive does not affect the ``--http-proxy`` username/password.
- It is always cached.
-
--cd dir
Change directory to ``dir`` prior to reading any files such as
configuration files, key files, scripts, etc. ``dir`` should be an
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index b081b2f..a49e563 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -691,6 +691,8 @@
if (c->options.ce.http_proxy_options)
{
+c->options.ce.http_proxy_options->first_time = c->first_time;
+
/* Possible HTTP proxy user/pass input */
c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options);
if (c->c1.http_proxy)
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index f2c7536..dbe1425 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -1650,6 +1650,7 @@
SHOW_STR(auth_file);
SHOW_STR(auth_file_up);
SHOW_BOOL(inline_creds);
+SHOW_BOOL(nocache);
SHOW_STR(http_version);
SHOW_STR(user_agent);
for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++)
@@ -3151,6 +3152,11 @@
ce->flags |= CE_DISABLED;
}
+if (ce->http_proxy_options)
+{
+ce->http_proxy_options->nocache = ssl_get_auth_nocache();
+}
+
/* our socks code is not fully IPv6 enabled yet (TCP works, UDP not)
* so fall back to IPv4-only (trac #1221)
*/
diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c
index ba3d87c..5de0da4 100644
--- a/src/openvpn/proxy.c
+++ b/src/openvpn/proxy.c
@@ -276,7 +276,7 @@
{
auth_file = p->options.auth_file_up;
}
-if (p->queried_creds)
+if (p->queried_creds && !static_proxy_user_pass.nocache)
{
flags |= GET_USER_PASS_PREVIOUS_CREDS_FAILED;
}
@@ -288,9 +288,14 @@
auth_file,
UP_TYPE_PROXY,
flags);
-p->queried_creds = true;
-p->up = static_proxy_user_pass;
+static_proxy_user_pass.nocache = p->options.nocache;
}
+
+/*
+ * Using cached credentials
+ */
+p->queried_creds = true;
+p->up = static_proxy_user_pass;
}
#if 0
@@ -542,7 +547,7 @@
* we know whether we need any. */
if (p->auth_method == HTTP_AUTH_BASIC || p->auth_method == HTTP_AUTH_NTLM2)
{
-get_user_pass_http(p, true);
+get_user_pass_http(p, p->options.first_time);
}
#if !NTLM
@@ -656,6 +661,11 @@
|| p->auth_method == HTTP_AUTH_NTLM2)
{
get_user_pass_http(p, false);
+
+if (p->up.nocache)
+{
+clear_user_pass_http();
+}
}
/* are we being called again after getting the digest server nonce in the
previous transaction? */
@@ -1036,13 +1046,6 @@
}
goto error;
}
-
-/* clear state */
-if (p->options.auth_retry)
-{
-clear_user_pass_http();
-}
-store_proxy_authenticate(p, NULL);
}
/* check return code, success = 200 */
diff --git a/src/openvpn/proxy.h b/src/openvpn/proxy.h
index a502c9d..d9e598c 100644
--- a/src/openvpn/proxy.h
+++ b/src/openvpn/proxy.h
@@ -57,6 +57,8 @@
const char *user_agent;
struct http_custom_header custom_headers[MAX_CUSTOM_HTTP_HEADER];
bool inline_creds; /* auth_
[Openvpn-devel] [PATCH applied] Re: configure: Add -Wstrict-prototypes and -Wold-style-definition
"Because it makes sense" - we try to keep our style consistent and clean,
and this will ensure we'll notice new commits with func() instead of
func(void) prototypes. Plus fixing the inconsistencies we already had.
The buildbots and GH say "this works on all supported platforms", so in
it goes.
Your patch has been applied to the master branch.
commit 56355924b4945ec808500b18c714c111387697f9
Author: Frank Lichtenheld
Date: Thu Jun 20 16:42:30 2024 +0200
configure: Add -Wstrict-prototypes and -Wold-style-definition
Signed-off-by: Frank Lichtenheld
Acked-by: Gert Doering
Message-Id: <20240620144230.19586-1-g...@greenie.muc.de>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28823.html
Signed-off-by: Gert Doering
--
kind regards,
Gert Doering
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v4] configure: Add -Wstrict-prototypes and -Wold-style-definition
From: Frank Lichtenheld
These are not covered by -Wall (nor -Wextra) but we want
to enforce them.
Change-Id: I6e08920e4cf4762b9f14a7461a29fa77df15255c
Signed-off-by: Frank Lichtenheld
Acked-by: Gert Doering
---
This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/667
This mail reflects revision 4 of this Change.
Acked-by according to Gerrit (reflected above):
Gert Doering
diff --git a/configure.ac b/configure.ac
index 2e5ab6a..c01ad09 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1408,6 +1408,8 @@
)
ACL_CHECK_ADD_COMPILE_FLAGS([-Wno-stringop-truncation])
+ACL_CHECK_ADD_COMPILE_FLAGS([-Wstrict-prototypes])
+ACL_CHECK_ADD_COMPILE_FLAGS([-Wold-style-definition])
ACL_CHECK_ADD_COMPILE_FLAGS([-Wall])
if test "${enable_pedantic}" = "yes"; then
diff --git a/src/openvpn/dco.h b/src/openvpn/dco.h
index 50ebb35..035474f 100644
--- a/src/openvpn/dco.h
+++ b/src/openvpn/dco.h
@@ -247,7 +247,7 @@
*
* @return list of colon-separated ciphers
*/
-const char *dco_get_supported_ciphers();
+const char *dco_get_supported_ciphers(void);
#else /* if defined(ENABLE_DCO) */
@@ -375,7 +375,7 @@
}
static inline const char *
-dco_get_supported_ciphers()
+dco_get_supported_ciphers(void)
{
return "";
}
diff --git a/src/openvpn/dco_freebsd.c b/src/openvpn/dco_freebsd.c
index 7c8b29c..9a90f5c 100644
--- a/src/openvpn/dco_freebsd.c
+++ b/src/openvpn/dco_freebsd.c
@@ -773,7 +773,7 @@
}
const char *
-dco_get_supported_ciphers()
+dco_get_supported_ciphers(void)
{
return "none:AES-256-GCM:AES-192-GCM:AES-128-GCM:CHACHA20-POLY1305";
}
diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c
index b2584b9..277cd64 100644
--- a/src/openvpn/dco_linux.c
+++ b/src/openvpn/dco_linux.c
@@ -1053,7 +1053,7 @@
}
const char *
-dco_get_supported_ciphers()
+dco_get_supported_ciphers(void)
{
return "AES-128-GCM:AES-256-GCM:AES-192-GCM:CHACHA20-POLY1305";
}
diff --git a/src/openvpn/pkcs11.h b/src/openvpn/pkcs11.h
index 3caedc0..772fa4e 100644
--- a/src/openvpn/pkcs11.h
+++ b/src/openvpn/pkcs11.h
@@ -35,7 +35,7 @@
);
void
-pkcs11_terminate();
+pkcs11_terminate(void);
bool
pkcs11_addProvider(
@@ -46,10 +46,10 @@
);
int
-pkcs11_logout();
+pkcs11_logout(void);
int
-pkcs11_management_id_count();
+pkcs11_management_id_count(void);
bool
pkcs11_management_id_get(
diff --git a/src/openvpn/sig.c b/src/openvpn/sig.c
index cfbd942..8323f0d 100644
--- a/src/openvpn/sig.c
+++ b/src/openvpn/sig.c
@@ -448,7 +448,7 @@
}
void
-halt_low_priority_signals()
+halt_low_priority_signals(void)
{
#ifndef _WIN32
struct sigaction sa;
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 2054eb4..17078c9 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -277,7 +277,7 @@
#endif
void
-enable_auth_user_pass()
+enable_auth_user_pass(void)
{
auth_user_pass_enabled = true;
}
diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h
index 98e59e8..0e2a43f 100644
--- a/src/openvpn/ssl.h
+++ b/src/openvpn/ssl.h
@@ -381,7 +381,7 @@
void pem_password_setup(const char *auth_file);
/* Enables the use of user/password authentication */
-void enable_auth_user_pass();
+void enable_auth_user_pass(void);
/*
* Setup authentication username and password. If auth_file is given, use the
diff --git a/src/openvpn/xkey_helper.c b/src/openvpn/xkey_helper.c
index 283c95d..b68fb43 100644
--- a/src/openvpn/xkey_helper.c
+++ b/src/openvpn/xkey_helper.c
@@ -49,7 +49,7 @@
XKEY_EXTERNAL_SIGN_fn xkey_management_sign;
static void
-print_openssl_errors()
+print_openssl_errors(void)
{
unsigned long e;
while ((e = ERR_get_error()))
diff --git a/src/openvpn/xkey_provider.c b/src/openvpn/xkey_provider.c
index f5fc956..964d2eb 100644
--- a/src/openvpn/xkey_provider.c
+++ b/src/openvpn/xkey_provider.c
@@ -155,7 +155,7 @@
keymgmt_import_helper(XKEY_KEYDATA *key, const OSSL_PARAM params[]);
static XKEY_KEYDATA *
-keydata_new()
+keydata_new(void)
{
xkey_dmsg(D_XKEY, "entry");
diff --git a/tests/unit_tests/openvpn/test_common.h
b/tests/unit_tests/openvpn/test_common.h
index f219e93..52503c6 100644
--- a/tests/unit_tests/openvpn/test_common.h
+++ b/tests/unit_tests/openvpn/test_common.h
@@ -33,7 +33,7 @@
* methods
*/
static inline void
-openvpn_unit_test_setup()
+openvpn_unit_test_setup(void)
{
assert_int_equal(setvbuf(stdout, NULL, _IONBF, BUFSIZ), 0);
assert_int_equal(setvbuf(stderr, NULL, _IONBF, BUFSIZ), 0);
diff --git a/tests/unit_tests/openvpn/test_pkcs11.c
b/tests/unit_tests/openvpn/test_pkcs11.c
index 84ebb29..6d283a2 100644
--- a/tests/unit_tests/openvpn/test_pkcs11.c
+++ b/tests/unit_tests/openvpn/test_pkcs11.c
@@ -134,7 +134,7 @@
/* Fill-in certs[] array */
void
-init_cert_data()
+init_cert_data(void)
{
struct test_cert certs_local[] = {
[Openvpn-devel] [PATCH v2] configure: Add -Wstrict-prototypes and -Wold-style-definition
From: Frank Lichtenheld
These are not covered by -Wall (nor -Wextra) but we want
to enforce them.
Change-Id: I6e08920e4cf4762b9f14a7461a29fa77df15255c
Signed-off-by: Frank Lichtenheld
Acked-by: Gert Doering
---
This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/667
This mail reflects revision 2 of this Change.
Acked-by according to Gerrit (reflected above):
Gert Doering
diff --git a/configure.ac b/configure.ac
index 2e5ab6a..c01ad09 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1408,6 +1408,8 @@
)
ACL_CHECK_ADD_COMPILE_FLAGS([-Wno-stringop-truncation])
+ACL_CHECK_ADD_COMPILE_FLAGS([-Wstrict-prototypes])
+ACL_CHECK_ADD_COMPILE_FLAGS([-Wold-style-definition])
ACL_CHECK_ADD_COMPILE_FLAGS([-Wall])
if test "${enable_pedantic}" = "yes"; then
diff --git a/src/openvpn/dco.h b/src/openvpn/dco.h
index 50ebb35..035474f 100644
--- a/src/openvpn/dco.h
+++ b/src/openvpn/dco.h
@@ -247,7 +247,7 @@
*
* @return list of colon-separated ciphers
*/
-const char *dco_get_supported_ciphers();
+const char *dco_get_supported_ciphers(void);
#else /* if defined(ENABLE_DCO) */
@@ -375,7 +375,7 @@
}
static inline const char *
-dco_get_supported_ciphers()
+dco_get_supported_ciphers(void)
{
return "";
}
diff --git a/src/openvpn/dco_freebsd.c b/src/openvpn/dco_freebsd.c
index 7c8b29c..9a90f5c 100644
--- a/src/openvpn/dco_freebsd.c
+++ b/src/openvpn/dco_freebsd.c
@@ -773,7 +773,7 @@
}
const char *
-dco_get_supported_ciphers()
+dco_get_supported_ciphers(void)
{
return "none:AES-256-GCM:AES-192-GCM:AES-128-GCM:CHACHA20-POLY1305";
}
diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c
index b2584b9..277cd64 100644
--- a/src/openvpn/dco_linux.c
+++ b/src/openvpn/dco_linux.c
@@ -1053,7 +1053,7 @@
}
const char *
-dco_get_supported_ciphers()
+dco_get_supported_ciphers(void)
{
return "AES-128-GCM:AES-256-GCM:AES-192-GCM:CHACHA20-POLY1305";
}
diff --git a/src/openvpn/sig.c b/src/openvpn/sig.c
index cfbd942..8323f0d 100644
--- a/src/openvpn/sig.c
+++ b/src/openvpn/sig.c
@@ -448,7 +448,7 @@
}
void
-halt_low_priority_signals()
+halt_low_priority_signals(void)
{
#ifndef _WIN32
struct sigaction sa;
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 2054eb4..17078c9 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -277,7 +277,7 @@
#endif
void
-enable_auth_user_pass()
+enable_auth_user_pass(void)
{
auth_user_pass_enabled = true;
}
diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h
index 98e59e8..0e2a43f 100644
--- a/src/openvpn/ssl.h
+++ b/src/openvpn/ssl.h
@@ -381,7 +381,7 @@
void pem_password_setup(const char *auth_file);
/* Enables the use of user/password authentication */
-void enable_auth_user_pass();
+void enable_auth_user_pass(void);
/*
* Setup authentication username and password. If auth_file is given, use the
diff --git a/src/openvpn/xkey_helper.c b/src/openvpn/xkey_helper.c
index 283c95d..b68fb43 100644
--- a/src/openvpn/xkey_helper.c
+++ b/src/openvpn/xkey_helper.c
@@ -49,7 +49,7 @@
XKEY_EXTERNAL_SIGN_fn xkey_management_sign;
static void
-print_openssl_errors()
+print_openssl_errors(void)
{
unsigned long e;
while ((e = ERR_get_error()))
diff --git a/src/openvpn/xkey_provider.c b/src/openvpn/xkey_provider.c
index f5fc956..964d2eb 100644
--- a/src/openvpn/xkey_provider.c
+++ b/src/openvpn/xkey_provider.c
@@ -155,7 +155,7 @@
keymgmt_import_helper(XKEY_KEYDATA *key, const OSSL_PARAM params[]);
static XKEY_KEYDATA *
-keydata_new()
+keydata_new(void)
{
xkey_dmsg(D_XKEY, "entry");
diff --git a/tests/unit_tests/openvpn/test_common.h
b/tests/unit_tests/openvpn/test_common.h
index f219e93..52503c6 100644
--- a/tests/unit_tests/openvpn/test_common.h
+++ b/tests/unit_tests/openvpn/test_common.h
@@ -33,7 +33,7 @@
* methods
*/
static inline void
-openvpn_unit_test_setup()
+openvpn_unit_test_setup(void)
{
assert_int_equal(setvbuf(stdout, NULL, _IONBF, BUFSIZ), 0);
assert_int_equal(setvbuf(stderr, NULL, _IONBF, BUFSIZ), 0);
diff --git a/tests/unit_tests/openvpn/test_provider.c
b/tests/unit_tests/openvpn/test_provider.c
index 934b2d3..cfe9ac3 100644
--- a/tests/unit_tests/openvpn/test_provider.c
+++ b/tests/unit_tests/openvpn/test_provider.c
@@ -119,7 +119,7 @@
}
static void
-init_test()
+init_test(void)
{
openvpn_unit_test_setup();
prov[0] = OSSL_PROVIDER_load(NULL, "default");
@@ -135,7 +135,7 @@
}
static void
-uninit_test()
+uninit_test(void)
{
for (size_t i = 0; i < _countof(prov); i++)
{
diff --git a/tests/unit_tests/openvpn/test_ssl.c
b/tests/unit_tests/openvpn/test_ssl.c
index a9a3137..5da5b1c 100644
--- a/tests/unit_tests/openvpn/test_ssl.c
+++ b/tests/unit_tests/openvpn/test_ssl.c
@@ -81,7 +81,7 @@
"-EN
[Openvpn-devel] [PATCH applied] Re: t_server_null.sh: Fix failure case
Yeah, obvious in hindsight :-) Your patch has been applied to the master branch. commit c9f29e35cd475f18c34aa96eb5fad452210404f9 Author: Frank Lichtenheld Date: Thu Jun 20 12:37:48 2024 +0200 t_server_null.sh: Fix failure case Signed-off-by: Frank Lichtenheld Acked-by: Samuli Seppänen Message-Id: <20240620103749.7923-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28815.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] t_server_null.sh: Fix failure case
From: Frank Lichtenheld
The changes for POSIX shell compatibility and parallel
make compatibility broke actually failing the test
when a subtest fails.
Change-Id: I35f7cf84e035bc793d6f0f59e46edf1a2efe0391
Signed-off-by: Frank Lichtenheld
Acked-by: Samuli Seppänen
---
This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/668
This mail reflects revision 1 of this Change.
Acked-by according to Gerrit (reflected above):
Samuli Seppänen
diff --git a/tests/t_server_null.sh b/tests/t_server_null.sh
index cfca5ee..0e53ba4 100755
--- a/tests/t_server_null.sh
+++ b/tests/t_server_null.sh
@@ -64,9 +64,12 @@
fi
"${srcdir}/t_server_null_client.sh"
+retval=$?
# When running make jobs in parallel ("make -j check") we need to ensure
# that this script does not exit before all --dev null servers are dead and
# their network interfaces are gone. Otherwise t_client.sh will fail because
# pre and post ifconfig output does not match.
wait
+
+exit $retval
diff --git a/tests/t_server_null_client.sh b/tests/t_server_null_client.sh
index 5d5542b..8890007 100755
--- a/tests/t_server_null_client.sh
+++ b/tests/t_server_null_client.sh
@@ -130,7 +130,7 @@
eval test_name=\"\$TEST_NAME_$SUF\"
eval should_pass=\"\$SHOULD_PASS_$SUF\"
-(get_client_test_result "${test_name}" "${should_pass}")
+get_client_test_result "${test_name}" "${should_pass}"
done
exit $retval
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: interactive.c: Improve access control for gui<->service pipe
Indeed, the patch differs only in a single line, related to the snprintf() cleanup (which is only in master). Thanks, Lev, and Selva. Stared at code differences (fine) and test compiled via GHA and local ubuntu/mingw - all good. Your patch has been applied to the master branch. commit babf312ee0486e50ff1f7db5b544afc72ff7c922 Author: Lev Stipakov Date: Wed Jun 19 17:46:08 2024 +0300 interactive.c: Improve access control for gui<->service pipe Signed-off-by: Lev Stipakov Acked-by: Selva Nair Message-Id: <20240619144629.1718-2-...@openvpn.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28808.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: interactive.c: Improve access control for gui<->service pipe
This is another "developed in secrecy on the security@ mailing list" patch, because it has security implications. It affects windows builds, where it is possible to have two different processes provide a pipe with the same name (e!), and a connecting client will might not end up at the interactive service but at "some random process". This is not a major issue in itself, but the GUI sends a "user credentials token" (so openvpn.exe can be run as "normal user" later on) and this can be abused by a malicious process to get access to the user running openvpn-gui.exe - now, it's a somewhat theoretical attack (malicious software having sufficient privileges to do use a user token, but not having either "that user access" or "system privs" to start with) - but it's worth fixing. So, just stay calm, don't panic, and upgrade to 2.6.11 ;-) I have not tested this beyond "does it compile?" on a local ubuntu/mingw build and on GHA. Lev, Selva and Heiko did all the grunt work on coming up with a solution and testing the patch. Your patch has been applied to the release/2.6 branch. A rebase to master is in the works (this conflicted with the snprintf() cleanup patch, which is "only in master" and was merged right after *this* was developed and tested). Backport to release/2.5 is not fully straightforward either - there have been a number of fixes to interactive.c, and not all of them have been backported. OTOH, we do not intend to provide 2.5.x windows binaries ever again (and said so at 2.5.10 release), so now is the time to upgrade your windows clients to 2.6.x commit 51301eb6c233c284270e3f4ed0c7f5781f2b5c62 (release/2.6) Author: Lev Stipakov Date: Wed Jun 19 16:44:23 2024 +0300 interactive.c: Improve access control for gui<->service pipe Signed-off-by: Lev Stipakov Acked-by: Selva Nair Message-Id: <20240619134451.222-1-...@openvpn.net> URL: https://www.mail-archive.com/search?l=mid&q=20240619134451.222-1-...@openvpn.net Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied] Re: mbedtls: Remove support for old TLS versions
Hi, On Wed, Jun 19, 2024 at 01:38:46PM +, Maximilian Fillinger wrote: > I *think* I reproduced the problem you're encountering. > > If I put > > setenv opt tls-version-min 1.0 > > in the server config, then *every* connection attempt will trigger a fatal > error in the server. Doesn't matter what TLS versions the client supports. > > If I put that option into the client config, the client will exit with an > error during startup. > > It's not clear to me what the expected behavior is when tls-version-min is an > unsupported version, but if it's an error, it should happen during start-up. I would argue for - we log "minimum supported version is 1.2" and go on or - we log "minimum supported version is 1.2" and exit both is acceptable. It will break people's setups in different ways, though... the first will pretend all is well, and older clients can no longer connect, while the second one will break everything, so making it more obvious. gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Properly handle null bytes and invalid characters in control messages
I have tested this with lots of well-behaved peers - namely, client against
2.3/2.4/2.5 servers, and (master) server against 2.2-master clients. All
works :-) (I did not test with a malicious endpoint).
Also, it has unit tests ;-)
Your patch has been applied to the master, release/2.6 and release/2.5 branch.
The 2.6 pullup pulls in "other unit tests" that have been master-only
so far. Which is a bit of an annoyance, but having the UTs is good,
they *pass* on 2.6, and it's easier on me than trying to only bring in
this new test.
On the 2.5 pullup I have left out the unit tests, and had to amend the
code lightly to remove the EXIT and AUTH_PENDING message handling.
release/2.4 is considered end of maintenance.
commit 414f428fa29694090ec4c46b10a8aba419c85659 (master)
commit 90e7a858e5594d9a019ad2b4ac6154124986291a (release/2.6)
commit d4921ba22f5ae4537d808986743a228617c86328 (release/2.5)
Author: Arne Schwabe
Date: Mon May 27 15:02:41 2024 +0200
Properly handle null bytes and invalid characters in control messages
Signed-off-by: Arne Schwabe
Acked-by: Antonio Quartulli
Message-Id: <20240619103004.56460-1-g...@greenie.muc.de>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28791.html
Signed-off-by: Gert Doering
--
kind regards,
Gert Doering
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v3] Properly handle null bytes and invalid characters in control messages
Hi,
On Wed, Jun 19, 2024 at 12:30:04PM +0200, Gert Doering wrote:
> From: Arne Schwabe
>
> This makes OpenVPN more picky in accepting control message in two aspects:
> - Characters are checked in the whole buffer and not until the first
> NUL byte
> - if the message contains invalid characters, we no longer continue
> evaluating a fixed up version of the message but rather stop
> processing it completely.
[..]
> CVE: 2024-5594
So, for the record - this patch was discussed and reviewed "in private"
on the secur...@openvpn.net list, because it was seen as having security
implications.
2.6.11 release will happen today or tomorrow, so I'm posting this patch
to the public list now for transparency, and will proceed with testing
and merging.
The security impact is fairly moderate - namely, a malicious peer can
send (hand crafted) control channel messages that mess up logging(!) on
the other side. No breach of crypto, leak of information, or remote code
execution. But still an annoyance to be fixed and properly documented.
Thanks, Reynir, for reading our sources with so much passion for details :-)
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany g...@greenie.muc.de
signature.asc
Description: PGP signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v3] Properly handle null bytes and invalid characters in control messages
From: Arne Schwabe
This makes OpenVPN more picky in accepting control message in two aspects:
- Characters are checked in the whole buffer and not until the first
NUL byte
- if the message contains invalid characters, we no longer continue
evaluating a fixed up version of the message but rather stop
processing it completely.
Previously it was possible to get invalid characters to end up in log
files or on a terminal.
This also prepares the logic a bit in the direction of having a proper
framing of control messages separated by null bytes instead of relying
on the TLS framing for that. All OpenVPN implementations write the 0
bytes between control commands.
This patch also include several improvement suggestion from Reynir
(thanks!).
CVE: 2024-5594
Reported-By: Reynir Bj�rnsson
Change-Id: I0d926f910637dabc89bf5fa919dc6beef1eb46d9
Signed-off-by: Arne Schwabe
Acked-by: Antonio Quartulli
---
src/openvpn/buffer.c | 17
src/openvpn/buffer.h | 12 +++
src/openvpn/forward.c | 123 -
tests/unit_tests/openvpn/test_buffer.c | 24 +
4 files changed, 132 insertions(+), 44 deletions(-)
diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c
index 3a8069c56..abe6a9c89 100644
--- a/src/openvpn/buffer.c
+++ b/src/openvpn/buffer.c
@@ -1087,6 +1087,23 @@ string_mod(char *str, const unsigned int inclusive,
const unsigned int exclusive
return ret;
}
+bool
+string_check_buf(struct buffer *buf, const unsigned int inclusive, const
unsigned int exclusive)
+{
+ASSERT(buf);
+
+for (int i = 0; i < BLEN(buf); i++)
+{
+char c = BSTR(buf)[i];
+
+if (!char_inc_exc(c, inclusive, exclusive))
+{
+return false;
+}
+}
+return true;
+}
+
const char *
string_mod_const(const char *str,
const unsigned int inclusive,
diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h
index 27c319952..8a40010bc 100644
--- a/src/openvpn/buffer.h
+++ b/src/openvpn/buffer.h
@@ -943,6 +943,18 @@ bool string_class(const char *str, const unsigned int
inclusive, const unsigned
*/
bool string_mod(char *str, const unsigned int inclusive, const unsigned int
exclusive, const char replace);
+
+/**
+ * Check a buffer if it only consists of allowed characters.
+ *
+ * @param buf The buffer to be checked.
+ * @param inclusive The character classes that are allowed.
+ * @param exclusive Character classes that are not allowed even if they are
also in inclusive.
+ * @return True if the string consists only of allowed characters, false
otherwise.
+ */
+bool
+string_check_buf(struct buffer *buf, const unsigned int inclusive, const
unsigned int exclusive);
+
/**
* Returns a copy of a string with certain classes of characters of it
replaced with a specified
* character.
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 01165b2ed..ef35bc619 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -230,6 +230,51 @@ check_tls(struct context *c)
}
}
+static void
+parse_incoming_control_channel_command(struct context *c, struct buffer *buf)
+{
+if (buf_string_match_head_str(buf, "AUTH_FAILED"))
+{
+receive_auth_failed(c, buf);
+}
+else if (buf_string_match_head_str(buf, "PUSH_"))
+{
+incoming_push_message(c, buf);
+}
+else if (buf_string_match_head_str(buf, "RESTART"))
+{
+server_pushed_signal(c, buf, true, 7);
+}
+else if (buf_string_match_head_str(buf, "HALT"))
+{
+server_pushed_signal(c, buf, false, 4);
+}
+else if (buf_string_match_head_str(buf, "INFO_PRE"))
+{
+server_pushed_info(c, buf, 8);
+}
+else if (buf_string_match_head_str(buf, "INFO"))
+{
+server_pushed_info(c, buf, 4);
+}
+else if (buf_string_match_head_str(buf, "CR_RESPONSE"))
+{
+receive_cr_response(c, buf);
+}
+else if (buf_string_match_head_str(buf, "AUTH_PENDING"))
+{
+receive_auth_pending(c, buf);
+}
+else if (buf_string_match_head_str(buf, "EXIT"))
+{
+receive_exit_message(c);
+}
+else
+{
+msg(D_PUSH_ERRORS, "WARNING: Received unknown control message: %s",
BSTR(buf));
+}
+}
+
/*
* Handle incoming configuration
* messages on the control channel.
@@ -245,51 +290,41 @@ check_incoming_control_channel(struct context *c)
struct buffer buf = alloc_buf_gc(len, &gc);
if (tls_rec_payload(c->c2.tls_multi, &buf))
{
-/* force null termination of message */
-buf_null_terminate(&buf);
-
-/* enforce character class restrictions */
-string_mod(BSTR(&buf), CC_PRINT, CC_CRLF, 0);
-if (buf_string_match_head_str(&buf, "AUTH_FAILED"))
+while (BLEN(&buf) > 1)
{
-receive_auth_failed(c, &buf);
-}
-else if (buf_string_match_head_str(&buf, "PUSH_"))
-{
-incoming_push_message
[Openvpn-devel] [PATCH applied] Re: Implement server_poll_timeout for socks
Took me long enough, but now it's in :-) - thanks, and thanks ValdikSS
for reporting test success.
I've run this on the server side test bed (which will not excercise SOCKS
paths, but to verify that "nothing unrelated got hit") and on the client,
with a few SOCKs proxy tests. These are all "fast proxies" so do not
excercise the new timeout handling - and I did not find time to build
something with dummynet to make it actually test on a "really slow proxy".
Testing using an unreachable IP didn't yield proper results (because
the TCP connect is still goverened by the "base" timeout), so you
need something which answers TCP/1080, and then "is slow"...
Testing using a "dead" netcat 'socks server' ("nc -k -l 1080") leads to
- old code: give up after 5 seconds ("TCP port read timeout"), always
- new code: respect --connect-timeout (shorter or longer than 5s)
Your patch has been applied to the master and release/2.6 branch
(I consider it a bugfix, and while the code touches a few places, it
only really changes very localized socks.c code).
commit b3a68b85a729628ca8b97f9f0c2813f795289cfc (master)
commit 94bfb712366ece1ca3605d18e99580f482f0232b (release/2.6)
Author: 5andr0
Date: Fri Mar 15 17:20:11 2024 +0100
Implement server_poll_timeout for socks
Signed-off-by: 5andr0
Acked-by: Frank Lichtenheld
Message-Id: <20240315162011.1661139-1-fr...@lichtenheld.com>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28408.html
Signed-off-by: Gert Doering
--
kind regards,
Gert Doering
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied] Re: mbedtls: Remove support for old TLS versions
Hi, this breaks *all* client connects on my server testbed. No matter if 2.2 or 2.5 client, when building with mbedtls (2.28.7), the resulting binary refuses ALL incoming connection with Jun 19 10:21:44 gentoo tap-udp-p2mp[1723]: 2001:608:0:814::f000:16 tls_version_to_ssl_version: invalid or unsupported TLS version 1 Jun 19 10:21:44 gentoo tap-tcp-p2p[1770]: tls_version_to_ssl_version: invalid or unsupported TLS version 1 Jun 19 10:21:59 gentoo tun-tcp-p2mp[1708]: tls_version_to_ssl_version: invalid or unsupported TLS version 1 Jun 19 10:22:32 gentoo tun-udp-p2mp[1713]: 194.97.140.21:49229 tls_version_to_ssl_version: invalid or unsupported TLS version 2 Jun 19 10:23:05 gentoo tun-udp-p2mp-topology-subnet[1718]: 194.97.140.21:45789 tls_version_to_ssl_version: invalid or unsupported TLS version 1 Jun 19 10:24:11 gentoo tun-udp-p2mp-fragment[1746]: 194.97.140.21:14517 tls_version_to_ssl_version: invalid or unsupported TLS version 1 Jun 19 10:44:49 gentoo tun-udp-p2mp-112-mask[1741]: 194.97.140.21:42810 tls_version_to_ssl_version: invalid or unsupported TLS version 1 so my guess would be that on mbedTLS builds that *do* support 1.1/1.2, incoming client connects with 1.1/1.2 cause "something to get upset" in the TLS version printer. Sorry for not testing this more thoroughly before merging. gert On Tue, Jun 18, 2024 at 06:30:05PM +0200, Gert Doering wrote: > Mildly tested via GHA builds. > > Not sure we want this in release/2.6 - I tend to "not", because it might > break someone's (non-recommended) setup... > > Your patch has been applied to the master branch. > > commit 013c119af96bc57c41e04e4a8f64b5d80e2e9ba6 > Author: Max Fillinger > Date: Tue Jun 18 14:02:19 2024 +0200 > > mbedtls: Remove support for old TLS versions > > Signed-off-by: Max Fillinger > Acked-by: Arne Schwabe > Message-Id: <20240618120219.5053-1-g...@greenie.muc.de> > URL: > https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28773.html > Signed-off-by: Gert Doering > > > -- > kind regards, > > Gert Doering > > > > ___ > Openvpn-devel mailing list > Openvpn-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/openvpn-devel > -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Add t_server_null test suite
I have not tested this yet, just looked at a few details - we've discussed using @SHELL@ to get a known-working shell, which is more likely to succeed than assuming "#!/usr/bin/env" will exist, or that the "sh" it finds will be useful (Solaris, I'm looking at you...). Also, documenting that scripts do not properly get waited for does not make it a feature... But anyway. Let's move onwards, and improve iteratively. Your patch has been applied to the master branch. commit 06c7ce5d1fc3b17e0da731d22002e58b9e2d4994 Author: Samuli Seppänen Date: Thu Jun 13 10:14:22 2024 +0200 Add t_server_null test suite Signed-off-by: Samuli Seppänen Acked-by: Frank Lichtenheld Message-Id: <20240613081422.139493-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28750.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Remove experimental denotation for --fast-io
Documentation is good :-) - not tested besides a local build ("are all
the double quotes still in the right spot").
Your patch has been applied to the master and release/2.6 branch (docs).
commit f6ee77d1f6149cf8f8982998aee6d433f58be507 (master)
commit d5c4c643f36637987d830494b407f2855c5e3fea (release/2.6)
Author: Frank Lichtenheld
Date: Tue Jun 18 14:01:56 2024 +0200
Remove experimental denotation for --fast-io
Signed-off-by: Frank Lichtenheld
Acked-by: Arne Schwabe
Message-Id: <20240618120156.4836-1-g...@greenie.muc.de>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28772.html
Signed-off-by: Gert Doering
--
kind regards,
Gert Doering
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Fix MBEDTLS_DEPRECATED_REMOVED build errors
Mildly tested via GHA compilation. Not sure what option I need to really trigger an "it would break without that patch" scenario so not really tested that much. Your patch has been applied to the master branch. commit 8eb397de3656402872f9c9584c6f703b87b50762 Author: rein.vanbaaren Date: Tue Jun 18 14:01:26 2024 +0200 Fix MBEDTLS_DEPRECATED_REMOVED build errors Signed-off-by: Max Fillinger Acked-by: Arne Schwabe Message-Id: <20240618120127.4564-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28771.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: mbedtls: Remove support for old TLS versions
Mildly tested via GHA builds.
Not sure we want this in release/2.6 - I tend to "not", because it might
break someone's (non-recommended) setup...
Your patch has been applied to the master branch.
commit 013c119af96bc57c41e04e4a8f64b5d80e2e9ba6
Author: Max Fillinger
Date: Tue Jun 18 14:02:19 2024 +0200
mbedtls: Remove support for old TLS versions
Signed-off-by: Max Fillinger
Acked-by: Arne Schwabe
Message-Id: <20240618120219.5053-1-g...@greenie.muc.de>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28773.html
Signed-off-by: Gert Doering
--
kind regards,
Gert Doering
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v2] mbedtls: Remove support for old TLS versions
From: Max Fillinger
Recent versions of mbedtls have dropped support for TLS 1.0 and 1.1.
Rather than checking which versions are supported, drop support for
everything before 1.2.
Change-Id: Ia3883a26ac26df6bbb5353fb074a2e0f814737be
Signed-off-by: Max Fillinger
Acked-by: Arne Schwabe
---
This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/682
This mail reflects revision 2 of this Change.
Acked-by according to Gerrit (reflected above):
Arne Schwabe
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index a68588e..ec9ec13 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -1040,12 +1040,8 @@
{
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
return TLS_VER_1_2;
-#elif defined(MBEDTLS_SSL_PROTO_TLS1_1)
-return TLS_VER_1_1;
-#elif defined(MBEDTLS_SSL_PROTO_TLS1)
-return TLS_VER_1_0;
#else /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */
-#error "mbedtls is compiled without support for TLS 1.0, 1.1 and 1.2."
+#error "mbedtls is compiled without support for TLS 1.2."
#endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */
}
@@ -1067,20 +1063,6 @@
switch (tls_ver)
{
-#if defined(MBEDTLS_SSL_PROTO_TLS1)
-case TLS_VER_1_0:
-*major = MBEDTLS_SSL_MAJOR_VERSION_3;
-*minor = MBEDTLS_SSL_MINOR_VERSION_1;
-break;
-#endif
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_1)
-case TLS_VER_1_1:
-*major = MBEDTLS_SSL_MAJOR_VERSION_3;
-*minor = MBEDTLS_SSL_MINOR_VERSION_2;
-break;
-#endif
-
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
case TLS_VER_1_2:
*major = MBEDTLS_SSL_MAJOR_VERSION_3;
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] Remove "experimental" denotation for --fast-io
From: Frank Lichtenheld This option is very old (from SVN days) and has been used by Access Server for many years. I don't think it makes sense to claim that it is "experimental" at this point. Change-Id: I913bb70c5e527e78e7cdb43110e23a8944f35a22 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/664 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index f8a0f48..eb9cf28 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -215,7 +215,7 @@ are supported by OpenSSL. --fast-io - (Experimental) Optimize TUN/TAP/UDP I/O writes by avoiding a call to + Optimize TUN/TAP/UDP I/O writes by avoiding a call to poll/epoll/select prior to the write operation. The purpose of such a call would normally be to block until the device or socket is ready to accept the write. Such blocking is unnecessary on some platforms which diff --git a/src/openvpn/options.c b/src/openvpn/options.c index abcde89..f2c7536 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -268,7 +268,7 @@ #if ENABLE_IP_PKTINFO "--multihome : Configure a multi-homed UDP server.\n" #endif -"--fast-io : (experimental) Optimize TUN/TAP/UDP writes.\n" +"--fast-io : Optimize TUN/TAP/UDP writes.\n" "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n" "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n" "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n" ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v4] Fix MBEDTLS_DEPRECATED_REMOVED build errors
From: rein.vanbaaren
This commit allows compiling OpenVPN with recent versions of mbed TLS
if MBEDTLS_DEPRECATED_REMOVED is defined.
Change-Id: If96c2ebd2af16b18ed34820e8c0531547e2076d9
Signed-off-by: Max Fillinger
Acked-by: Arne Schwabe
---
This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/681
This mail reflects revision 4 of this Change.
Acked-by according to Gerrit (reflected above):
Arne Schwabe
diff --git a/src/openvpn/mbedtls_compat.h b/src/openvpn/mbedtls_compat.h
index d742b54..8559c2e 100644
--- a/src/openvpn/mbedtls_compat.h
+++ b/src/openvpn/mbedtls_compat.h
@@ -40,6 +40,7 @@
#include
#include
#include
+#include
#include
#include
#include
@@ -51,6 +52,12 @@
#include
#endif
+#if MBEDTLS_VERSION_NUMBER >= 0x0300
+typedef uint16_t mbedtls_compat_group_id;
+#else
+typedef mbedtls_ecp_group_id mbedtls_compat_group_id;
+#endif
+
static inline void
mbedtls_compat_psa_crypto_init(void)
{
@@ -64,6 +71,16 @@
#endif /* HAVE_MBEDTLS_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) */
}
+static inline mbedtls_compat_group_id
+mbedtls_compat_get_group_id(const mbedtls_ecp_curve_info *curve_info)
+{
+#if MBEDTLS_VERSION_NUMBER >= 0x0300
+return curve_info->tls_id;
+#else
+return curve_info->grp_id;
+#endif
+}
+
/*
* In older versions of mbedtls, mbedtls_ctr_drbg_update() did not return an
* error code, and it was deprecated in favor of mbedtls_ctr_drbg_update_ret()
@@ -124,6 +141,34 @@
}
#if MBEDTLS_VERSION_NUMBER < 0x03020100
+typedef enum {
+MBEDTLS_SSL_VERSION_UNKNOWN, /*!< Context not in use or version not yet
negotiated. */
+MBEDTLS_SSL_VERSION_TLS1_2 = 0x0303, /*!< (D)TLS 1.2 */
+MBEDTLS_SSL_VERSION_TLS1_3 = 0x0304, /*!< (D)TLS 1.3 */
+} mbedtls_ssl_protocol_version;
+
+static inline void
+mbedtls_ssl_conf_min_tls_version(mbedtls_ssl_config *conf,
mbedtls_ssl_protocol_version tls_version)
+{
+int major = (tls_version >> 8) & 0xff;
+int minor = tls_version & 0xff;
+mbedtls_ssl_conf_min_version(conf, major, minor);
+}
+
+static inline void
+mbedtls_ssl_conf_max_tls_version(mbedtls_ssl_config *conf,
mbedtls_ssl_protocol_version tls_version)
+{
+int major = (tls_version >> 8) & 0xff;
+int minor = tls_version & 0xff;
+mbedtls_ssl_conf_max_version(conf, major, minor);
+}
+
+static inline void
+mbedtls_ssl_conf_groups(mbedtls_ssl_config *conf, mbedtls_compat_group_id
*groups)
+{
+mbedtls_ssl_conf_curves(conf, groups);
+}
+
static inline size_t
mbedtls_cipher_info_get_block_size(const mbedtls_cipher_info_t *cipher)
{
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index ec9ec13..bb88da9 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -402,7 +402,7 @@
/* Get number of groups and allocate an array in ctx */
int groups_count = get_num_elements(groups, ':');
-ALLOC_ARRAY_CLEAR(ctx->groups, mbedtls_ecp_group_id, groups_count + 1)
+ALLOC_ARRAY_CLEAR(ctx->groups, mbedtls_compat_group_id, groups_count + 1)
/* Parse allowed ciphers, getting IDs */
int i = 0;
@@ -419,11 +419,15 @@
}
else
{
-ctx->groups[i] = ci->grp_id;
+ctx->groups[i] = mbedtls_compat_get_group_id(ci);
i++;
}
}
-ctx->groups[i] = MBEDTLS_ECP_DP_NONE;
+
+/* Recent mbedtls versions state that the list of groups must be terminated
+ * with 0. Older versions state that it must be terminated with
MBEDTLS_ECP_DP_NONE
+ * which is also 0, so this works either way. */
+ctx->groups[i] = 0;
gc_free(&gc);
}
@@ -1046,33 +1050,30 @@
}
/**
- * Convert an OpenVPN tls-version variable to mbed TLS format (i.e. a major and
- * minor ssl version number).
+ * Convert an OpenVPN tls-version variable to mbed TLS format
*
* @param tls_ver The tls-version variable to convert.
- * @param major Returns the TLS major version in mbed TLS format.
- * Must be a valid pointer.
- * @param minor Returns the TLS minor version in mbed TLS format.
- * Must be a valid pointer.
+ *
+ * @return Translated mbedTLS SSL version from OpenVPN TLS version.
*/
-static void
-tls_version_to_major_minor(int tls_ver, int *major, int *minor)
+mbedtls_ssl_protocol_version
+tls_version_to_ssl_version(int tls_ver)
{
-ASSERT(major);
-ASSERT(minor);
-
switch (tls_ver)
{
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
case TLS_VER_1_2:
-*major = MBEDTLS_SSL_MAJOR_VERSION_3;
-*minor = MBEDTLS_SSL_MINOR_VERSION_3;
-break;
+return MBEDTLS_SSL_VERSION_TLS1_2;
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+case TLS_VER_1_3:
+return MBEDTLS_SSL_VERSION_TLS1_3;
#endif
default:
msg(M_FATAL, "%s: invalid or unsupported TLS version %d
Re: [Openvpn-devel] windows client tests needed
Hi,
if you think this is a useful security enhancement, and would like to have
it in a "short term" 2.6.x release, we need test results...
please!
gert
On Thu, Jun 06, 2024 at 02:23:33PM +0200, Gert Doering wrote:
> Hi,
>
> we have new code in master that helps with the "TunnelCrack" and
> "TunnelVision" attacks, that is, packets intended to go into the
> VPN being leaked away by means of a malicious DHCP server (= routing
> points outside the tunnel, so packets never hit OpenVPN).
>
> We used to have
>
> block-outside-dns
>
> to prevent Windows from doing DNS lookups "around the VPN" - the main
> intent of this was "make sure split DNS works", but a side effect has
> also been "avoid DNS leaks".
>
> Heiko has now extended this code to be able to "block everything not
> going into the VPN". To activate this, you need
>
> redirect-gateway def1 block-local
>
> in your config ("block-local" is the keyword, but without "def1" you
> end up with a split-tunnel and "nothing else is allowed", which is rarely
> a really good combination).
>
> Repeat: if "redirect-gateway block-local" is active, NO packets leave
> via LAN/WiFi/... interfaces, except those sourced by the openvpn.exe
> process. This is important for maximum privacy, especially if you
> roam into a network with an untrusted DHCP server.
>
>
> Now - this code has been merged into "git master", and installers
> are here:
>
>https://github.com/OpenVPN/openvpn-build/actions/runs/9391365526?pr=641
>
> (bottom of the page, "Artifacts", .zip files with a .msi inside).
>
>
> I want to have this in 2.6 as well, as it's sort of important for certain
> classes of users (and also VPN providers, offering this as a service) - but
> I do not feel it has been tested enough yet.
>
> So: PLEASE test these windows installers, in all 3 variants
>
> 1.
> 2. block-outside-dns
> (DNS is blocked, everything else not routed into the VPN tunnel - like
> "your local printer" etc - still works)
> 3. redirect-gateway def1 block-local
> (ONLY VPN works)
>
> and report back to us.
>
> gert
>
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany g...@greenie.muc.de
> ___
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany g...@greenie.muc.de
signature.asc
Description: PGP signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied] Re: Implement Windows CA template match for Crypto-API selector
Hi,
On Thu, Jun 06, 2024 at 01:33:24PM +0200, Gert Doering wrote:
> As instructed I have removed the "and fallback requested" part
> from the comment where "fallback" was removed from the code.
>
> Your patch has been applied to the master branch.
>
> commit 13ee7f902f18e27b981f8e440facd2e6515c6c83 (master)
... and to release/2.6, as this functionality is seen as useful, and
the change is very non-intrusive. So it will be part of 2.6.11
"release planned in about 2 weeks".
commit dfbe11ac1842df400327be22951d0ba373534254 (release/2.6)
Author: Heiko Wundram
Date: Thu Jun 6 12:34:41 2024 +0200
Implement Windows CA template match for Crypto-API selector
Compile-tested via GHA.
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany g...@greenie.muc.de
signature.asc
Description: PGP signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
