[Openvpn-devel] [PATCH applied] Re: make t_server_null 'server alive?' check more robust
Thanks for the review. Indent fixed, that was a that sneaked in. Patch has been applied to the master branch. commit b322690394b75a9d4987d4b27107ccb01bbcd90e Author: Gert Doering Date: Wed Sep 18 18:29:17 2024 +0200 make t_server_null 'server alive?' check more robust Acked-by: Frank Lichtenheld Message-Id: <20240918162917.6809-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29314.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: socket: Change return types of link_socket_write* to ssize_t
This is fallout from the -Wconversion patch set (commit 53449cb61f) where it turned out that the whole link_socket* call chain used inconsistent return types - so now it's consistent with sendmsg() etc., all using ssize_t. Stared-at-code and asked GHA :-) Your patch has been applied to the master branch. commit 2cc77debf0221fa0cef3ea470c1328d25397d021 (master) Author: Frank Lichtenheld Date: Wed Sep 18 22:48:44 2024 +0200 socket: Change return types of link_socket_write* to ssize_t Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <20240918204844.2820-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29323.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: configure: Review use of standard AC macros
I admit that I have no deep understanding of autoconf, but I did check that "about everything" has more recent autoconf versions than 2.60 ("the gold standard" has been 2.69 for many years) and that all our buildbots and GHA are building fine with these changes. Half of them are typo fixes or whitespace cleanups anyway :-) Your patch has been applied to the master branch. commit b59620f24f5bc853e2aa92943f14abf74aa81511 Author: Frank Lichtenheld Date: Wed Sep 18 22:45:50 2024 +0200 configure: Review use of standard AC macros Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <20240918204551.2530-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29321.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] socket: Change return types of link_socket_write* to ssize_t
From: Frank Lichtenheld This is the actual return value of send/sendto/sendmsg. We will leave it to the single caller of link_socket_write() to decide how to map that to the int buffer world. For now just cast it explicitly. Change-Id: I7852c06d331326c1dbab7b642254c0c00d4cebb8 Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/740 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 40b7cc4..84c23b3 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1790,7 +1790,7 @@ socks_preprocess_outgoing_link(c, &to_addr, &size_delta); /* Send packet */ -size = link_socket_write(c->c2.link_socket, &c->c2.to_link, to_addr); +size = (int)link_socket_write(c->c2.link_socket, &c->c2.to_link, to_addr); /* Undo effect of prepend */ link_socket_write_post_size_adjust(&size, size_delta, &c->c2.to_link); diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index 17c5e76..6c790a0 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -3399,7 +3399,7 @@ * Socket Write Routines */ -int +ssize_t link_socket_write_tcp(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to) @@ -3418,7 +3418,7 @@ #if ENABLE_IP_PKTINFO -size_t +ssize_t link_socket_write_udp_posix_sendmsg(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to) diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h index 47083ad..bbdabfb 100644 --- a/src/openvpn/socket.h +++ b/src/openvpn/socket.h @@ -1099,9 +1099,9 @@ * Socket Write routines */ -int link_socket_write_tcp(struct link_socket *sock, - struct buffer *buf, - struct link_socket_actual *to); +ssize_t link_socket_write_tcp(struct link_socket *sock, + struct buffer *buf, + struct link_socket_actual *to); #ifdef _WIN32 @@ -1135,12 +1135,12 @@ #else /* ifdef _WIN32 */ -size_t link_socket_write_udp_posix_sendmsg(struct link_socket *sock, - struct buffer *buf, - struct link_socket_actual *to); +ssize_t link_socket_write_udp_posix_sendmsg(struct link_socket *sock, +struct buffer *buf, +struct link_socket_actual *to); -static inline size_t +static inline ssize_t link_socket_write_udp_posix(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to) @@ -1158,7 +1158,7 @@ (socklen_t) af_addr_size(to->dest.addr.sa.sa_family)); } -static inline size_t +static inline ssize_t link_socket_write_tcp_posix(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to) @@ -1168,7 +1168,7 @@ #endif /* ifdef _WIN32 */ -static inline size_t +static inline ssize_t link_socket_write_udp(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to) @@ -1181,7 +1181,7 @@ } /* write a TCP or UDP packet to link */ -static inline int +static inline ssize_t link_socket_write(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to) ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v3] configure: Review use of standard AC macros
From: Frank Lichtenheld - Increase required version to 2.60 since that is documented minimum version for AC_USE_SYSTEM_EXTENSIONS - Remove obsolete macros AC_C_CONST and AC_C_VOLATILE. They are noops on every compiler we support. - Add explicit call to AC_PROG_CC. We get this implictly as dependency of other macros, but it is nicer to have it explicitely as well. - A few typo and whitespace fixes. Change-Id: I7927a572611b7c1dc0b522fd6cdf05fd222a852d Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/674 This mail reflects revision 3 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/configure.ac b/configure.ac index 9ce826c..18538c5 100644 --- a/configure.ac +++ b/configure.ac @@ -23,7 +23,7 @@ dnl Process this file with autoconf to produce a configure script. -AC_PREREQ(2.59) +AC_PREREQ(2.60) m4_include(version.m4) AC_INIT([PRODUCT_NAME], [PRODUCT_VERSION], [PRODUCT_BUGREPORT], [PRODUCT_TARNAME]) @@ -387,6 +387,7 @@ pkg_config_found="(${PKG_CONFIG})" fi +AC_PROG_CC AC_PROG_CPP AC_PROG_INSTALL AC_PROG_LN_S @@ -443,9 +444,7 @@ ] ) -AC_C_CONST AC_C_INLINE -AC_C_VOLATILE AC_TYPE_OFF_T AC_TYPE_PID_T AC_TYPE_SIZE_T @@ -981,7 +980,7 @@ [AC_MSG_ERROR([OpenSSL check for AES-256-GCM support failed])] ) - # All supported OpenSSL version (>= 1.1.0) + # All supported OpenSSL versions (>= 1.1.0) # have this feature have_export_keying_material="yes" @@ -1081,9 +1080,8 @@ elif test "${with_crypto_library}" = "wolfssl"; then AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl. The include directory should - contain the regular wolfSSL header files but also the - wolfSSL OpenSSL header files. Ex: -I/usr/local/include - -I/usr/local/include/wolfssl]) + contain the regular wolfSSL header files but also the wolfSSL OpenSSL header files. + Ex: -I/usr/local/include -I/usr/local/include/wolfssl]) AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl]) saved_CFLAGS="${CFLAGS}" @@ -1274,7 +1272,7 @@ [PKG_CHECK_MODULES([libsystemd], [libsystemd-daemon])] ) -PKG_CHECK_EXISTS( [libsystemd > 216], +PKG_CHECK_EXISTS([libsystemd > 216], [AC_DEFINE([SYSTEMD_NEWER_THAN_216], [1], [systemd is newer than v216])] ) ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] make t_server_null "server alive?" check more robust
- use "$RUN_SUDO kill -0 $pid" to test if a given process is running, not "ps -p $pid" - the latter will not work if security.bsd.see_other_uids=0 is set - produce proper error messages if pid files can not be found or are empty at server shutdown time --- tests/t_server_null_client.sh | 5 - tests/t_server_null_server.sh | 5 + 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/tests/t_server_null_client.sh b/tests/t_server_null_client.sh index e7dd3324..c1a25dfc 100755 --- a/tests/t_server_null_client.sh +++ b/tests/t_server_null_client.sh @@ -87,7 +87,10 @@ while [ $count -lt $server_max_wait ]; do # the active server count as the processes won't be running. for i in `set|grep 'SERVER_NAME_'|cut -d "=" -f 2|tr -d "[\']"`; do server_pid=$(cat $i.pid 2> /dev/null) -if ps -p $server_pid > /dev/null 2>&1; then +if [ -z "$server_pid" ] ; then +continue +fi +if $RUN_SUDO kill -0 $server_pid > /dev/null 2>&1; then servers_up=$(( $servers_up + 1 )) fi done diff --git a/tests/t_server_null_server.sh b/tests/t_server_null_server.sh index e5906eec..32f0362d 100755 --- a/tests/t_server_null_server.sh +++ b/tests/t_server_null_server.sh @@ -82,6 +82,11 @@ for PID_FILE in $server_pid_files do SERVER_PID=$(cat "${PID_FILE}") +if [ -z "$SERVER_PID" ] ; then +echo "WARNING: could not kill server ${PID_FILE}!" + continue +fi + if [ -z "${RUN_SUDO}" ]; then $KILL_EXEC "${SERVER_PID}" else -- 2.44.0 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: configure: Handle libnl-genl and libcap-ng consistent with other libs
Tested on ubuntu 2004 which needs all these, looked at the resulting Makefile.am/Makefile.in/Makefile and it works. I do wonder why we double all these variables, though... Your patch has been applied to the master branch. commit b236261f9ce14bc9fffbb81c61938e0e24b200d6 Author: Frank Lichtenheld Date: Tue Sep 17 15:32:53 2024 +0200 configure: Handle libnl-genl and libcap-ng consistent with other libs Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <20240917133253.19616-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29282.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v3] configure: Handle libnl-genl and libcap-ng consistent with other libs
From: Frank Lichtenheld Do not communicate any of the flags via the global CFLAGS and LIBS, so that users are not confused when overriding them on the command line. Github: closes OpenVPN/openvpn#586 Change-Id: I39a6f58b11b922f5dbd3e55a5bc8574eda8a83fe Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/724 This mail reflects revision 3 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/configure.ac b/configure.ac index 9ce826c..5c44822 100644 --- a/configure.ac +++ b/configure.ac @@ -824,8 +824,8 @@ AC_MSG_ERROR([libnl-genl-3.0 package not found or too old. Is the development package and pkg-config ${pkg_config_found} installed? Must be version 3.4.0 or newer for DCO]) ] ) - CFLAGS="${CFLAGS} ${LIBNL_GENL_CFLAGS}" - LIBS="${LIBS} ${LIBNL_GENL_LIBS}" + OPTIONAL_LIBNL_GENL_CFLAGS="${LIBNL_GENL_CFLAGS}" + OPTIONAL_LIBNL_GENL_LIBS="${LIBNL_GENL_LIBS}" AC_DEFINE(ENABLE_DCO, 1, [Enable shared data channel offload]) AC_MSG_NOTICE([Enabled ovpn-dco support for Linux]) @@ -865,7 +865,6 @@ dnl case "$host" in *-*-linux*) - # We require pkg-config PKG_CHECK_MODULES([LIBCAPNG], [libcap-ng], [], @@ -873,8 +872,8 @@ ) AC_CHECK_HEADER([sys/prctl.h],,[AC_MSG_ERROR([sys/prctl.h not found!])]) - CFLAGS="${CFLAGS} ${LIBCAPNG_CFLAGS}" - LIBS="${LIBS} ${LIBCAPNG_LIBS}" + OPTIONAL_LIBCAPNG_CFLAGS="${LIBCAPNG_CFLAGS}" + OPTIONAL_LIBCAPNG_LIBS="${LIBCAPNG_LIBS}" AC_DEFINE(HAVE_LIBCAPNG, 1, [Enable libcap-ng support]) ;; esac @@ -1414,7 +1413,7 @@ # When testing a compiler option, we add -Werror to force # an error when the option is unsupported. This is not -# required for gcc, but some compilers such as clang needs it. +# required for gcc, but some compilers such as clang need it. AC_DEFUN([ACL_CHECK_ADD_COMPILE_FLAGS], [ old_cflags="$CFLAGS" CFLAGS="$1 -Werror $CFLAGS" @@ -1490,6 +1489,10 @@ AC_SUBST([OPTIONAL_SELINUX_LIBS]) AC_SUBST([OPTIONAL_CRYPTO_CFLAGS]) AC_SUBST([OPTIONAL_CRYPTO_LIBS]) +AC_SUBST([OPTIONAL_LIBCAPNG_CFLAGS]) +AC_SUBST([OPTIONAL_LIBCAPNG_LIBS]) +AC_SUBST([OPTIONAL_LIBNL_GENL_CFLAGS]) +AC_SUBST([OPTIONAL_LIBNL_GENL_LIBS]) AC_SUBST([OPTIONAL_LZO_CFLAGS]) AC_SUBST([OPTIONAL_LZO_LIBS]) AC_SUBST([OPTIONAL_LZ4_CFLAGS]) @@ -1534,10 +1537,11 @@ AM_CONDITIONAL([ENABLE_UNITTESTS], [test "${enable_unit_tests}" = "yes" -a "${have_cmocka}" = "yes" ]) AC_SUBST([ENABLE_UNITTESTS]) -TEST_LDFLAGS="${OPTIONAL_CRYPTO_LIBS} ${OPTIONAL_PKCS11_HELPER_LIBS}" +TEST_LDFLAGS="${OPTIONAL_CRYPTO_LIBS} ${OPTIONAL_PKCS11_HELPER_LIBS} ${OPTIONAL_LIBCAPNG_LIBS}" +TEST_LDFLAGS="${TEST_LDFLAGS} ${OPTIONAL_LIBNL_GENL_LIBS}" TEST_LDFLAGS="${TEST_LDFLAGS} ${OPTIONAL_LZO_LIBS} ${CMOCKA_LIBS}" -TEST_CFLAGS="${OPTIONAL_CRYPTO_CFLAGS} ${OPTIONAL_PKCS11_HELPER_CFLAGS}" -TEST_CFLAGS="${TEST_CFLAGS} ${OPTIONAL_LZO_CFLAGS}" +TEST_CFLAGS="${OPTIONAL_CRYPTO_CFLAGS} ${OPTIONAL_PKCS11_HELPER_CFLAGS} ${OPTIONAL_LIBCAPNG_CFLAGS}" +TEST_CFLAGS="${TEST_CFLAGS} ${OPTIONAL_LIBNL_GENL_CFLAGS} ${OPTIONAL_LZO_CFLAGS}" TEST_CFLAGS="${TEST_CFLAGS} -I\$(top_srcdir)/include ${CMOCKA_CFLAGS}" AC_SUBST([TEST_LDFLAGS]) diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am index 56cce9d..3784a98 100644 --- a/src/openvpn/Makefile.am +++ b/src/openvpn/Makefile.am @@ -24,6 +24,8 @@ AM_CFLAGS = \ $(TAP_CFLAGS) \ $(OPTIONAL_CRYPTO_CFLAGS) \ + $(OPTIONAL_LIBCAPNG_CFLAGS) \ + $(OPTIONAL_LIBNL_GENL_CFLAGS) \ $(OPTIONAL_LZO_CFLAGS) \ $(OPTIONAL_LZ4_CFLAGS) \ $(OPTIONAL_PKCS11_HELPER_CFLAGS) \ @@ -147,6 +149,8 @@ openvpn_LDADD = \ $(top_builddir)/src/compat/libcompat.la \ $(SOCKETS_LIBS) \ + $(OPTIONAL_LIBCAPNG_LIBS) \ + $(OPTIONAL_LIBNL_GENL_LIBS) \ $(OPTIONAL_LZO_LIBS) \ $(OPTIONAL_LZ4_LIBS) \ $(OPTIONAL_PKCS11_HELPER_LIBS) \ ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Avoid SIGUSR1 to SIGHUP remapping when the configuration is read from stdin
I haven't tested this "for real", but the explanation makes sense and the change is trivial enough. I have word-smithed the Subject: and also the comment line a bit. Your patch has been applied to the master branch. (Not really a issue on "non Android", it seems, and that one builds on top of master only - so not applying to release/2.6) commit b620025b9570a3d66ad3598dc22aa1b07c90fa31 (master) Author: Arne Schwabe Date: Fri Jul 19 15:10:16 2024 +0200 Avoid SIGUSR1 to SIGHUP remapping when the configuration is read from stdin Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20240719131016.75042-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28941.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Route: remove incorrect routes on exit
This is a good find, and a somewhat stupid oversight - even if not easy to trigger. What you need so this has an effect is a pre-existing host route to the VPN server and then a "route add" fail (easy to trigger on the BSDs, EEXIST because "only 1 route can exist") - and because we do not remember, we try "route delete" later on and delete the *other* route, messing up our routing table. Which is something t_client even checks for ("is 'route print' the same as before?") but you need a host route to begin with - added t_client tests, breaks without the patch, works with the patch. Thanks :-) I've changed the commit message slightly ("Trac: #1457" is the standard format). Your patch has been applied to the master and release/2.6 branch (bugfix). commit 14d2db6cd41fb6414992869caf109972d7a8275e (master) commit 4ad3aa5a2b6838650ca98fd92994eab7108c1e8b (release/2.6) Author: Gianmarco De Gregori Date: Wed Feb 21 12:18:14 2024 +0100 Route: remove incorrect routes on exit Signed-off-by: Gianmarco De Gregori Acked-by: Frank Lichtenheld Message-Id: <2024022814.942965-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28290.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Fix check_addr_clash argument order
Good find. I tested this as instructed in gerrit, also enabling the #if 0 debug code - this is a p2p setup with --topology subnet, to actually have a subnet to check against. Test 1, "--local" in the "--ifconfig" subnet: 2024-09-17 11:25:45 CHECK_ADDR_CLASH type=2 public=10.204.8.7 local=10.204.8.2, remote_netmask=255.255.255.0 2024-09-17 11:25:45 WARNING: potential conflict between --local address [10.204.8.7] and --ifconfig address pair [10.204.8.2, 255.255.255.0] -- this is a warning only that is triggered when local/remote addresses exist within the same /24 subnet as --ifconfig endpoints. (silence this warning with --ifconfig-nowarn) "works". Test 2, "--remote" in the "--ifconfig" subnet: 2024-09-17 11:27:03 CHECK_ADDR_CLASH type=2 public=10.204.8.8 local=10.204.8.2, remote_netmask=255.255.255.0 2024-09-17 11:27:03 WARNING: potential conflict between --remote address [10.204.8.8] and --ifconfig address pair [10.204.8.2, 255.255.255.0] -- this is a warning only that is triggered when local/remote addresses exist within the same /24 subnet as --ifconfig endpoints. (silence this warning with --ifconfig-nowarn) Test 3, no "--topology subnet": 2024-09-17 11:36:28 CHECK_ADDR_CLASH type=2 public=10.204.8.250 local=10.204.8.2, remote_netmask=10.204.8.1 2024-09-17 11:36:28 WARNING: potential conflict between --local address [10.204.8.250] and --ifconfig address pair [10.204.8.2, 10.204.8.1] -- this is a warning only that is triggered when local/remote addresses exist within the same /24 subnet as --ifconfig endpoints. (silence this warning with --ifconfig-nowarn) 2024-09-17 11:36:28 CHECK_ADDR_CLASH type=2 public=10.204.8.220 local=10.204.8.2, remote_netmask=10.204.8.1 2024-09-17 11:36:28 WARNING: potential conflict between --remote address [10.204.8.220] and --ifconfig address pair [10.204.8.2, 10.204.8.1] -- this is a warning only that is triggered when local/remote addresses exist within the same /24 subnet as --ifconfig endpoints. (silence this warning with --ifconfig-nowarn) .. it "works as designed", but does raise questions... see below. So, while this patch is actually fixing the first problem with this code, I have some ideas how to improve things further ;-) - the line wrapping "one function argument per line" is not how we do things today, so a future (master-only) patch could improve that - the check as implemented today checks "within the same /24", so if I do "--ifconfig 10.204.8.2 255.255.255.128 --remote 10.204.8.220" (which is perfectly sane) I get 2024-09-17 11:30:44 CHECK_ADDR_CLASH type=2 public=10.204.8.220 local=10.204.8.2, remote_netmask=255.255.255.128 2024-09-17 11:30:44 WARNING: potential conflict between --remote address [10.204.8.220] and --ifconfig address pair [10.204.8.2, 255.255.255.128] -- this is a warning only that is triggered when local/remote addresses exist within the same /24 subnet as --ifconfig endpoints. (silence this warning with --ifconfig-nowarn) ... which is not making any sense. Computers can do math, AND the code actually knows the netmask there, but uses /24 always (the TAP check code actually uses the netmask...). So I think this code needs to be taught about "--topology subnet", and only does the /24 heuristic for p2p/net30 (if at all). Your patch has been applied to the master and release/26 branch (bugfix). commit 7d345b19e20f30cb2ecbea71682b5a41e6cff454 (master) commit 7e6723aa7096bee80eb42a473fbfde7de4362b0f (release/2.6) Author: Ralf Lici Date: Tue Sep 17 11:14:33 2024 +0200 Fix check_addr_clash argument order Signed-off-by: Ralf Lici Acked-by: Frank Lichtenheld Message-Id: <20240917091433.24092-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29261.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] Fix check_addr_clash argument order
From: Ralf Lici In init_tun() make sure to pass the --local and --remote addresses in the host order so that they can be compared to the --ifconfig addresses. Change-Id: I5adbe0a79f078221c4bb5f3d39391a81b4d8adce Signed-off-by: Ralf Lici Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/737 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c index 739e008..1cd6ad2 100644 --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c @@ -877,9 +877,10 @@ { if (curele->ai_family == AF_INET) { +const in_addr_t local = ntohl(((struct sockaddr_in *)curele->ai_addr)->sin_addr.s_addr); check_addr_clash("local", tt->type, - ((struct sockaddr_in *)curele->ai_addr)->sin_addr.s_addr, + local, tt->local, tt->remote_netmask); } @@ -889,9 +890,10 @@ { if (curele->ai_family == AF_INET) { +const in_addr_t remote = ntohl(((struct sockaddr_in *)curele->ai_addr)->sin_addr.s_addr); check_addr_clash("remote", tt->type, - ((struct sockaddr_in *)curele->ai_addr)->sin_addr.s_addr, + remote, tt->local, tt->remote_netmask); } ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Make read/write_tun_header static
Verified that it's not used outside tun.c, test built OpenBSD (which uses this). Your patch has been applied to the master branch. commit ac3a7fd93542420f12d58e5c7490076b5741fb5a Author: Arne Schwabe Date: Mon Sep 16 15:34:35 2024 +0200 Make read/write_tun_header static Signed-off-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <20240916133436.29943-1-g...@greenie.muc.de> Signed-off-by: Gert Doering URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29249.html -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] Make read/write_tun_header static
From: Arne Schwabe These functions are not used outside tun.c Change-Id: I028634dba74a273c725b0beb16b674897b3c23fa Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/745 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c index 1f0eadd..0832375 100644 --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c @@ -1822,7 +1822,7 @@ } } -int +static int write_tun_header(struct tuntap *tt, uint8_t *buf, int len) { if (tt->type == DEV_TYPE_TUN) @@ -1855,7 +1855,7 @@ } } -int +static int read_tun_header(struct tuntap *tt, uint8_t *buf, int len) { if (tt->type == DEV_TYPE_TUN) ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] Move cipher/data-ciphers warning to D_LOW (verb 4)
From: Arne Schwabe These warnings served a purpose in OpenVPN 2.6.x to warn people about the changed behaviour. But for 2.7 this is will be more log spam than a helpful message. So only show this warning on a high verbosity level. Change-Id: Ie2797a82ad769cb640440d1ba7dfeb416e7b932d Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/746 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 61f6285..6009e5f 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -3546,7 +3546,7 @@ * parts of OpenVPN assert that the ciphername is set */ o->ciphername = "BF-CBC"; -msg(M_INFO, "Note: --cipher is not set. OpenVPN versions before 2.5 " +msg(D_LOW, "Note: --cipher is not set. OpenVPN versions before 2.5 " "defaulted to BF-CBC as fallback when cipher negotiation " "failed in this case. If you need this fallback please add " "'--data-ciphers-fallback BF-CBC' to your configuration " @@ -3555,7 +3555,7 @@ else if (!o->enable_ncp_fallback && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers)) { -msg(M_WARN, "DEPRECATED OPTION: --cipher set to '%s' but missing in " +msg(D_LOW, "DEPRECATED OPTION: --cipher set to '%s' but missing in " "--data-ciphers (%s). OpenVPN ignores --cipher for cipher " "negotiations. ", o->ciphername, o->ncp_ciphers); ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: GHA: Enable t_server_null tests
"GHA says this works". So let's excercise it a bit more :-) Your patch has been applied to the master branch. commit 65985905c5abc69c1ee34c4cab6fdf8b73da7f50 Author: Frank Lichtenheld Date: Thu Sep 12 19:49:10 2024 +0200 GHA: Enable t_server_null tests Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <20240912174910.21058-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29231.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] GHA: Enable t_server_null tests
From: Frank Lichtenheld Change-Id: I86203b8f9a6d3cfc5e56d3ce9452af694fd11011 Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/743 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 8f0a7b5..361d457 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -172,8 +172,11 @@ run: ./configure --with-crypto-library=${{matrix.ssllib}} ${{matrix.extraconf}} --enable-werror - name: make all run: make -j3 + - name: configure checks +if: ${{ matrix.extraconf != '--disable-management' }} +run: echo 'RUN_SUDO="sudo -E"' >tests/t_server_null.rc - name: make check -run: make check VERBOSE=1 +run: make -j3 check VERBOSE=1 ubuntu-clang-asan: strategy: @@ -199,8 +202,10 @@ run: CFLAGS="-fsanitize=address,undefined -fno-sanitize-recover=all -fno-omit-frame-pointer -O2" CC=clang ./configure --with-crypto-library=${{matrix.ssllib}} --enable-werror - name: make all run: make -j3 + - name: configure checks +run: echo 'RUN_SUDO="sudo -E"' >tests/t_server_null.rc - name: make check -run: make check VERBOSE=1 +run: make -j3 check VERBOSE=1 macos: strategy: @@ -258,8 +263,10 @@ run: ./configure --enable-werror ${{matrix.configureflags}} ${{matrix.configuressllib}} - name: make all run: make -j4 + - name: configure checks +run: echo 'RUN_SUDO="sudo -E"' >tests/t_server_null.rc - name: make check -run: make check VERBOSE=1 +run: make -j4 check VERBOSE=1 msvc: strategy: @@ -369,8 +376,10 @@ run: ./configure --with-crypto-library=openssl ${{matrix.configureflags}} --enable-werror - name: make all run: make -j3 + - name: configure checks +run: echo 'RUN_SUDO="sudo -E"' >tests/t_server_null.rc - name: make check -run: make check VERBOSE=1 +run: make -j3 check VERBOSE=1 mbedtls3: strategy: @@ -422,5 +431,7 @@ run: ./configure --with-crypto-library=mbedtls - name: make all run: make -j3 + - name: configure checks +run: echo 'RUN_SUDO="sudo -E"' >tests/t_server_null.rc - name: make check -run: make check VERBOSE=1 +run: make -j3 check VERBOSE=1 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: dco: mark peer as deleted from kernel after receiving CMD_DEL_PEER notification
Trivial enough, and makes sense... not tested further (not that easy to reproduce). Your patch has been applied to the master branch. commit 45bef145f3cc39c4c13609866f07b6cf9f8960a6 Author: Antonio Quartulli Date: Thu Sep 12 18:53:39 2024 +0200 dco: mark peer as deleted from kernel after receiving CMD_DEL_PEER notification Signed-off-by: Antonio Quartulli Acked-by: Arne Schwabe Message-Id: <20240912165339.21058-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29226.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] dco: mark peer as deleted from kernel after receiving CMD_DEL_PEER notification
From: Antonio Quartulli some extra DCO calls may be made after receiving the DEL_PEER notification (i.e. due to timeout), but this will result in an error message due to the peer having disappeared already. An extra call might be, for example, an explicit DEL_PEER in the attempt of cleaning the peer state. For this reason, inform userspace that there is no peer in kernel anymore and prevent errors which may result confusing. Change-Id: Ife50e37cd49d55ec81a70319a524ffeaf0625a56 Signed-off-by: Antonio Quartulli Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/744 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 40b7cc4..374ba47 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1256,6 +1256,8 @@ switch (dco->dco_message_type) { case OVPN_CMD_DEL_PEER: +/* peer is gone, unset ID to prevent more kernel calls */ +c->c2.tls_multi->dco_peer_id = -1; if (dco->dco_del_peer_reason == OVPN_DEL_PEER_REASON_EXPIRED) { msg(D_DCO_DEBUG, "%s: received peer expired notification of for peer-id " ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Remove check for anonymous unions from configure and cmake config
I have no idea what that stuff does, but less #ifdef is good :-) - and supposedly no currently supported system needs this. Your patch has been applied to the master branch. commit b8b2d17f473e80b1a0b66e49cc1f34ce88d9502d Author: Arne Schwabe Date: Wed Jul 10 18:02:38 2024 +0200 Remove check for anonymous unions from configure and cmake config Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20240710160238.190189-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28914.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: tun: removed unnecessary route installations
Thanks for this. I'm not sure why this code was there originally, but I guess one of the BSDs needed it ("15 years ago!") and I just assumed the others would, too. I have tested this on NetBSD, OpenBSD and MacOS, with all variants I thought might make a difference (tun/p2p, tun/subnet, tun/subnet with a non-/64 IPv6 mask, tap) and it turns out that this extra route is needed on none of them. MacOS has no easily accessible TAP anymore (system security, kext loading) so this was not tested - but I see no reason why it would break this. .. and testing this really trivial patch took me about 2 days of fighting with VMs, macOS, buildbots, ... *sigh* Your patch has been applied to the master branch. commit 992da812ad56d2cff44fd4f171dd85c808e1ed50 Author: Marco Baffo Date: Thu Sep 12 16:24:21 2024 +0200 tun: removed unnecessary route installations Signed-off-by: Marco Baffo Acked-by: Gert Doering Message-Id: <20240912142421.703-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29217.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v3] tun: removed unnecessary route installations
From: Marco Baffo Removed superfluous calls to 'add_route_ipv6' for adding ipv6 routes after tun opening in OpenBSD, NetBSD and Darwin. Change-Id: I235891212b15277349810913c9c1763da5c48587 Signed-off-by: Marco Baffo Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/731 This mail reflects revision 3 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c index 739e008..82c5c00 100644 --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c @@ -1008,8 +1008,7 @@ #endif /* ifdef _WIN32 */ } -#if defined(_WIN32)\ -|| defined(TARGET_DARWIN) || defined(TARGET_NETBSD) || defined(TARGET_OPENBSD) +#if defined(_WIN32) /* some of the platforms will auto-add a "network route" pointing * to the interface on "ifconfig tunX 2001:db8::1/64", others need @@ -1200,11 +1199,6 @@ "FreeBSD BSD 'ifconfig inet6 -ifdisabled' failed"); #endif -#if defined(TARGET_OPENBSD) || defined(TARGET_NETBSD) \ -|| defined(TARGET_DARWIN) -/* and, hooray, we explicitly need to add a route... */ -add_route_connected_v6_net(tt, es); -#endif #elif defined(TARGET_AIX) argv_printf(&argv, "%s %s inet6 %s/%d mtu %d up", IFCONFIG_PATH, ifname, ifconfig_ipv6_local, tt->netbits_ipv6, tun_mtu); ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: GHA: Update dependency Mbed-TLS/mbedtls to v3.6.1
GHA says "this builds fine", and so we apply it :-) (And the worries that 3.6.x would break with TLS 1.3 due to missing key-exporter are alleviated by our mbedtls builds disabling 1.3 anyway, due to missing key-exporter...) Your patch has been applied to the master branch. commit f4d7cec855aea3c453b75fe68a1c151400793661 Author: Frank Lichtenheld Date: Wed Sep 11 16:42:31 2024 +0200 GHA: Update dependency Mbed-TLS/mbedtls to v3.6.1 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240911144231.32553-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29208.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] GHA: Update dependency Mbed-TLS/mbedtls to v3.6.1
From: Frank Lichtenheld Requires submodule checkout. Change-Id: I86ceceb4e1c716b33c6c6ec8853eca0fb4b394f1 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/741 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 6207c95..8f0a7b5 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -404,9 +404,10 @@ uses: actions/checkout@v4 with: path: mbedtls + submodules: true # versioning=semver-coerced repository: Mbed-TLS/mbedtls - ref: v3.5.2 + ref: v3.6.1 - name: "mbedtls: make no_test" run: make -j3 no_test SHARED=1 working-directory: mbedtls ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Do not stop reading from file/uri when OPENSSL_STORE_load() returns error
Thanks for fixing this so quickly. Now this seems to be an... interesting API to work with... :-) I do not have something really interesting set up in terms of cert files and storage, so I just did basic client side testing with OSSL 3.x (works). Your patch has been applied to the master branch (bugfix, but offending code not in 2.6). commit e9ad1b31a04799de98f15220eb39225c3d9eaa64 Author: Selva Nair Date: Wed Sep 11 12:49:41 2024 +0200 Do not stop reading from file/uri when OPENSSL_STORE_load() returns error Signed-off-by: Selva Nair Acked-by: Arne Schwabe Message-Id: <20240911104941.19429-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29187.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: generate_auth_token: simplify code
Has an ACK from the owner of the code :-) - plus full test with the server instance that does auth-tokens (including expiry + regen) and a bit of stare-at-the-code. Your patch has been applied to the master branch. commit 3c77d328911bab5169d6981fbef34e8398c5b7b7 Author: Frank Lichtenheld Date: Tue Sep 10 19:00:05 2024 +0200 generate_auth_token: simplify code Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240910170005.5586-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29178.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] Do not stop reading from file/uri when OPENSSL_STORE_load() returns error
From: Selva Nair OPENSSL_STORE_load() can error and return NULL even when the file or URI still has readable objects left. Fix by iterating until OPENSSL_STORE_eof(). Also clear such errors to avoid misleading messages printed at the end by crypto_print_openssl_errors(). Change-Id: I2bfa9ffbd17d0599014d38b2a2fd319766cdb1e3 Signed-off-by: Selva Nair Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/742 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 0d845f4..5fd6572 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -813,6 +813,15 @@ } return 0; } + +static void +clear_ossl_store_error(OSSL_STORE_CTX *store_ctx) +{ +if (OSSL_STORE_error(store_ctx)) +{ +ERR_clear_error(); +} +} #endif /* defined(HAVE_OPENSSL_STORE_API) */ /** @@ -864,7 +873,19 @@ { goto end; } -info = OSSL_STORE_load(store_ctx); +while (1) +{ +info = OSSL_STORE_load(store_ctx); +if (info || OSSL_STORE_eof(store_ctx)) +{ +break; +} +/* OPENSSL_STORE_load can return error and still have usable objects to follow. + * ref: man OPENSSL_STORE_open + * Clear error and recurse through the file if info = NULL and eof not reached + */ +clear_ossl_store_error(store_ctx); +} if (!info) { goto end; @@ -1099,7 +1120,19 @@ goto end; } -info = OSSL_STORE_load(store_ctx); +while (1) +{ +info = OSSL_STORE_load(store_ctx); +if (info || OSSL_STORE_eof(store_ctx)) +{ +break; +} +/* OPENSSL_STORE_load can return error and still have usable objects to follow. + * ref: man OPENSSL_STORE_open + * Clear error and recurse through the file if info = NULL and eof not reached. + */ +clear_ossl_store_error(store_ctx); +} if (!info) { goto end; @@ -1120,9 +1153,14 @@ OSSL_STORE_INFO_free(info); /* iterate through the store and add extra certificates if any to the chain */ -info = OSSL_STORE_load(store_ctx); -while (info && !OSSL_STORE_eof(store_ctx)) +while (!OSSL_STORE_eof(store_ctx)) { +info = OSSL_STORE_load(store_ctx); +if (!info) +{ +clear_ossl_store_error(store_ctx); +continue; +} x = OSSL_STORE_INFO_get1_CERT(info); if (x && SSL_CTX_add_extra_chain_cert(tls_ctx->ctx, x) != 1) { @@ -1131,7 +1169,6 @@ break; } OSSL_STORE_INFO_free(info); -info = OSSL_STORE_load(store_ctx); } end: ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v11] Implement support for larger packet counter sizes
Hi, On Tue, Sep 10, 2024 at 09:51:45PM +0200, Steffan Karger wrote: > TL;DR: I don't think this should be merged yet. > [..] > So if we want to improve things for AES-GCM, we probably need other > optimizations. I have some ideas, but was hoping to do some research and a > write-up during the train ride to the hackathon, so we could discuss it > further in Karlsruhe. Thanks for having a look. This ruins my planned work for today :-) - but since we are not in a great hurry *and* Karlsruhe is just next week, it will not harm to delay for a few weeks if the end result gets better. Just for the record - I've done all the testing on v11 yesterday, and it behaves very well interoping with "older peers" (no DATA_V3) and also "falling back to DATA_V2 if DCO is active" (as there is no code yet to do V3 with DCO). master-to-master negotiates DATA_V3 and still pings :-) - so, the code we have is good to be merged, if we decide to keep it that way. If not, I know what I need to test and how. gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v3] generate_auth_token: simplify code
From: Frank Lichtenheld The previous code went through some hoops to avoid compiler warnings. But there is a much easier way by just telling it exactly what you want to do. Also fix typo in variable name while I'm here. Change-Id: Icc86334b26ba1fcc20f4cd03644018d1d16796e3 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/310 This mail reflects revision 3 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c index c4b59b9..192c7c2 100644 --- a/src/openvpn/auth_token.c +++ b/src/openvpn/auth_token.c @@ -182,24 +182,18 @@ char *initial_token_copy = string_alloc(multi->auth_token_initial, &gc); char *old_sessid = initial_token_copy + strlen(SESSION_ID_PREFIX); -char *old_tsamp_initial = old_sessid + AUTH_TOKEN_SESSION_ID_LEN*8/6; +char *old_tstamp_initial = old_sessid + AUTH_TOKEN_SESSION_ID_LEN*8/6; /* * We null terminate the old token just after the session ID to let * our base64 decode function only decode the session ID */ -old_tsamp_initial[12] = '\0'; -ASSERT(openvpn_base64_decode(old_tsamp_initial, old_tstamp_decode, 9) == 9); +old_tstamp_initial[12] = '\0'; +ASSERT(openvpn_base64_decode(old_tstamp_initial, old_tstamp_decode, 9) == 9); -/* - * Avoid old gcc (4.8.x) complaining about strict aliasing - * by using a temporary variable instead of doing it in one - * line - */ -uint64_t *tstamp_ptr = (uint64_t *) old_tstamp_decode; -initial_timestamp = *tstamp_ptr; +memcpy(&initial_timestamp, &old_tstamp_decode, sizeof(initial_timestamp)); -old_tsamp_initial[0] = '\0'; +old_tstamp_initial[0] = '\0'; ASSERT(openvpn_base64_decode(old_sessid, sessid, AUTH_TOKEN_SESSION_ID_LEN) == AUTH_TOKEN_SESSION_ID_LEN); } else if (!rand_bytes(sessid, AUTH_TOKEN_SESSION_ID_LEN)) ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v11] Implement support for larger packet counter sizes
From: Arne Schwabe With DCO and possible future hardware assisted OpenVPN acceleration we are approaching the point where 32 bit IVs are not cutting it any more. To illustrate the problem, some back of the envelope math here: If we want to keep the current 3600s renegotiation interval and have a safety margin of 25% (when we trigger renegotiation) we have about 3.2 million packets (2*32 * 0.7) to work with. That translates to about 835k packets per second. With 1300 Byte packets that translates into 8-9 Gbit/s. That is far from unrealistic any more. Current DCO implementations are already in spitting distance to that or might even reach (for a single client connection) that if you have extremely fast single core performance CPU. This introduces the 64bit packet counters for AEAD data channel ciphers in TLS mode ciphers. No effort has been made to support larger packet counters in any other scenario since those are all legacy. While we still keep the old --secret logic around we use the same weird unix timestamp + packet counter format to avoid refactoring the code now and again when we remove --secret code but DCO implementations are free to use just a single 64 bit counter. One other small downside of this approach is that when rollover happens and we get reordering all the older packets are thrown away since the distance between the packet before and after the rollover is quite large as we probably jump forward more than 1s (or more than 2^32 packet ids). But this is an obscure edge that we can (currently) live with. While this implementation under hood allows one of the two to be enabled individually we do not expose this functionality but require the two protocol flags aead-tag-end and pkt-id-64-bit to be always come together. This allows other data channel implementations to only support a limited set of data channel formats. Change-Id: I01e258e97351b5aa4b9e561f5b35ddc2318569e2 Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/507 This mail reflects revision 11 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index c226727..6a639b7 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -68,6 +68,7 @@ const struct key_ctx *ctx = &opt->key_ctx_bi.encrypt; uint8_t *mac_out = NULL; const int mac_len = OPENVPN_AEAD_TAG_LENGTH; +bool longiv = opt->flags & CO_64_BIT_PKT_ID; /* IV, packet-ID and implicit IV required for this mode. */ ASSERT(ctx->cipher); @@ -86,7 +87,7 @@ buf_set_write(&iv_buffer, iv, iv_len); /* IV starts with packet id to make the IV unique for packet */ -if (!packet_id_write(&opt->packet_id.send, &iv_buffer, false, false)) +if (!packet_id_write_flat(&opt->packet_id.send, &iv_buffer, longiv)) { msg(D_CRYPT_ERRORS, "ENCRYPT ERROR: packet ID roll over"); goto err; @@ -355,6 +356,9 @@ * Set buf->len to 0 and return false on decrypt error. * * On success, buf is set to point to plaintext, true is returned. + * + * This method assumes that everything between ad_start and BPTR(buf) is + * authenticated data and therefore has no ad_len parameter */ static bool openvpn_decrypt_aead(struct buffer *buf, struct buffer work, @@ -384,7 +388,11 @@ /* IV and Packet ID required for this mode */ ASSERT(packet_id_initialized(&opt->packet_id)); -/* Combine IV from explicit part from packet and implicit part from context */ +bool longiv = opt->flags & CO_64_BIT_PKT_ID; + +/* Combine IV from explicit part from packet and implicit part from context. + * packet_iv_len and implicit_iv are initialised in init_key_contexts + * when keys are initialised as well */ { uint8_t iv[OPENVPN_MAX_IV_LENGTH] = { 0 }; const int iv_len = cipher_ctx_iv_length(ctx->cipher); @@ -409,7 +417,7 @@ } /* Read packet ID from packet */ -if (!packet_id_read(&pin, buf, false)) +if (!packet_id_read_flat(&pin, buf, longiv)) { CRYPT_ERROR("error reading packet-id"); } diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index 61184bc..ccaba7c 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -248,8 +248,10 @@ * OpenVPN process startups. */ #define CO_PACKET_ID_LONG_FORM (1<<0) -/**< Bit-flag indicating whether to use -* OpenVPN's long packet ID format. */ +/**< Bit-flag indicating whether to use OpenVPN's long packet ID format. + * This format puts [4 byte counter][4byte timestamp] on the wire in + * big endian/network endian format. + **/ #define CO_IGNORE_PACKET_ID (1<<1) /**< Bit-flag indicating whether to ignore * the packet ID of a received packet. @@ -283,6 +285,20 @@
[Openvpn-devel] [PATCH applied] Re: Various fixes for -Wconversion errors
I'm not a great fan of patches that do nothing more than "appease compilers", and some of the conversions should really not be necessary - OTOH, compilers have become better at spotting implicit conversions that *are* not intended, losing precision and breaking things in the long run - so better be explicit about int types... I have stared-at-code (in addition to the ACK by Arne, recorded in Gerrit, which somehow did not make it into the mail) - looks good. Also, gave it some basic tests on Linux and FreeBSD + GHA (-Werror builds), and all fine.. Your patch has been applied to the master branch. commit 53449cb61ff569c4862926c7999d50f634030fd9 Author: Frank Lichtenheld Date: Tue Sep 10 14:20:08 2024 +0200 Various fixes for -Wconversion errors Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240910122008.23507-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29172.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v6] Various fixes for -Wconversion errors
From: Frank Lichtenheld These are all fixes I considered "safe". They either - Have sufficient checks/shifts for a cast to be safe - Fix the type of a variable without requiring code changes - Are in non-critical unittest code v2: - add min_size instead of abusing min_int v6: - remove change of return value of link_socket_write. Move to separate patch. Change-Id: I6818b153bdeb1eed65870af99b0531e95807fe0f Signed-off-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/267 This mail reflects revision 6 of this Change. Acked-by according to Gerrit (reflected above): diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c index abe6a9c..9ee76aa 100644 --- a/src/openvpn/buffer.c +++ b/src/openvpn/buffer.c @@ -326,7 +326,7 @@ return false; } -const int size = write(fd, BPTR(buf), BLEN(buf)); +const ssize_t size = write(fd, BPTR(buf), BLEN(buf)); if (size != BLEN(buf)) { msg(M_ERRNO, "Write error on file '%s'", filename); @@ -863,7 +863,7 @@ { break; } -line[n++] = c; +line[n++] = (char)c; } while (c); diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index c226727..12ad0b9 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -26,6 +26,8 @@ #include "config.h" #endif +#include + #include "syshead.h" #include @@ -1283,8 +1285,8 @@ hex_byte[hb_index++] = c; if (hb_index == 2) { -unsigned int u; -ASSERT(sscanf((const char *)hex_byte, "%x", &u) == 1); +uint8_t u; +ASSERT(sscanf((const char *)hex_byte, "%" SCNx8, &u) == 1); *out++ = u; hb_index = 0; if (++count == keylen) @@ -1546,13 +1548,13 @@ ASSERT(cipher_kt_key_size(kt->cipher) <= MAX_CIPHER_KEY_LENGTH && md_kt_size(kt->digest) <= MAX_HMAC_KEY_LENGTH); -const uint8_t cipher_length = cipher_kt_key_size(kt->cipher); +const uint8_t cipher_length = (uint8_t)cipher_kt_key_size(kt->cipher); if (!buf_write(buf, &cipher_length, 1)) { return false; } -uint8_t hmac_length = md_kt_size(kt->digest); +uint8_t hmac_length = (uint8_t)md_kt_size(kt->digest); if (!buf_write(buf, &hmac_length, 1)) { diff --git a/src/openvpn/integer.h b/src/openvpn/integer.h index a1acaf9..34088ab 100644 --- a/src/openvpn/integer.h +++ b/src/openvpn/integer.h @@ -28,12 +28,12 @@ #ifndef htonll #define htonll(x) ((1==htonl(1)) ? (x) : \ - ((uint64_t)htonl((x) & 0x) << 32) | htonl((x) >> 32)) + ((uint64_t)htonl((uint32_t)((x) & 0x)) << 32) | htonl((uint32_t)((x) >> 32))) #endif #ifndef ntohll #define ntohll(x) ((1==ntohl(1)) ? (x) : \ - ((uint64_t)ntohl((x) & 0x) << 32) | ntohl((x) >> 32)) + ((uint64_t)ntohl((uint32_t)((x) & 0x)) << 32) | ntohl((uint32_t)((x) >> 32))) #endif static inline int @@ -72,6 +72,19 @@ } } +static inline size_t +min_size(size_t x, size_t y) +{ +if (x < y) +{ +return x; +} +else +{ +return y; +} +} + static inline int max_int(int x, int y) { diff --git a/src/openvpn/mss.c b/src/openvpn/mss.c index 635557c..ebdec25 100644 --- a/src/openvpn/mss.c +++ b/src/openvpn/mss.c @@ -165,7 +165,7 @@ return; } -for (olen = hlen - sizeof(struct openvpn_tcphdr), +for (olen = hlen - (int) sizeof(struct openvpn_tcphdr), opt = (uint8_t *)(tc + 1); olen > 1; olen -= optlen, opt += optlen) diff --git a/src/openvpn/otime.c b/src/openvpn/otime.c index 3cde574..d77c99e 100644 --- a/src/openvpn/otime.c +++ b/src/openvpn/otime.c @@ -105,7 +105,7 @@ /* format a time_t as ascii, or use current time if 0 */ const char * -time_string(time_t t, int usec, bool show_usec, struct gc_arena *gc) +time_string(time_t t, long usec, bool show_usec, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(64, gc); struct timeval tv; diff --git a/src/openvpn/otime.h b/src/openvpn/otime.h index c37673e..9543732 100644 --- a/src/openvpn/otime.h +++ b/src/openvpn/otime.h @@ -43,7 +43,7 @@ bool frequency_limit_event_allowed(struct frequency_limit *f); /* format a time_t as ascii, or use current time if 0 */ -const char *time_string(time_t t, int usec, bool show_usec, struct gc_arena *gc); +const char *time_string(time_t t, long usec, bool show_usec, struct gc_arena *gc); /* struct timeval functions */ diff --git a/src/openvpn/packet_id.c b/src/openvpn/packet_id.c index be28999..fb962e4 100644 --- a/src/openvpn/packet_id.c +++ b/src/openvpn/packet_id.c @@ -588,14 +588,14 @@ }
[Openvpn-devel] [PATCH applied] Re: Fix more of uninitialized struct user_pass local vars
Acked-by: Gert Doering Thanks. Not tested beyond "does it compile", as the changes are very straightforward :-) Your patch has been applied to the master and released/2.6 branch. commit aa1dd09b5fc196499c84d2ef9b0c254ebb1745d8 (master) commit f9ab7edbebd6dfb3fd384b56626aabb3171ac0ad (release/2.6) Author: Selva Nair Date: Mon Sep 9 16:48:29 2024 -0400 Fix more of uninitialized struct user_pass local vars Signed-off-by: Selva Nair Acked-by: Gert Doering Message-Id: <20240909204829.10379-1-selva.n...@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29152.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied] Re: Static-challenge concatenation option
Hi, On Mon, Sep 09, 2024 at 12:01:54PM -0400, Selva Nair wrote: > > Is the GUI support already committed? I seem to remember seeing a PR > > for that "weeks ago"... and someone needs to bring Tunnelblick on board. > > I've sent a note to Jon about the change. Thanks :-) gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v3] dco-win: support for data_v3 features
From: Lev Stipakov Since version 1.4, dco-win drivere supports data_v3 features such as: - AEAD tag at the end - 64bit pktid We have to: - check in runtime if driver supports data_v3 features (we might be running with the older driver) - if those features are negotiated, we pass them to the driver as bit flags via the (newly added) NEW_KEY_V2 ioctl Introduce NEW_KEY_V2 ioctl, which accepts a new OVPN_CRYPTO_DATA_V2 structure, which includes a field for bit flags for the new crypto options. Make dco_supports_data_v3() implementation platform-dependend (as it should be) and indicate data_v3 support by dco-win if the driver version is at least 1.4. Extend the Windows-specific struct dco_context and store data_v3 support there so that when dco_new_key() is called, we know which API to use. Change the dco internal API and pass crypto options flags to dco_new_key(). Change-Id: I2e0c50d33f8a57c023120cf348f95d34acbfcde5 Signed-off-by: Lev Stipakov Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/725 This mail reflects revision 3 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index 7f0d53d..baaeb95 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -70,7 +70,7 @@ int ret = dco_new_key(multi->dco, multi->dco_peer_id, ks->key_id, slot, encrypt_key, encrypt_iv, decrypt_key, decrypt_iv, - ciphername); + ciphername, ks->crypto_options.flags); if ((ret == 0) && (multi->dco_keys_installed < 2)) { multi->dco_keys_installed++; diff --git a/src/openvpn/dco.h b/src/openvpn/dco.h index 3ce2c31..ec4ec42 100644 --- a/src/openvpn/dco.h +++ b/src/openvpn/dco.h @@ -253,11 +253,7 @@ * Return whether the dco implementation supports the new protocol features of * a 64 bit packet counter and AEAD tag at the end. */ -static inline bool -dco_supports_data_v3(struct context *c) -{ -return false; -} +bool dco_supports_data_v3(struct context *c); #else /* if defined(ENABLE_DCO) */ diff --git a/src/openvpn/dco_freebsd.c b/src/openvpn/dco_freebsd.c index 9a90f5c..4516cd5 100644 --- a/src/openvpn/dco_freebsd.c +++ b/src/openvpn/dco_freebsd.c @@ -415,14 +415,14 @@ dco_key_slot_t slot, const uint8_t *encrypt_key, const uint8_t *encrypt_iv, const uint8_t *decrypt_key, const uint8_t *decrypt_iv, -const char *ciphername) +const char *ciphername, unsigned int co_flags) { struct ifdrv drv; nvlist_t *nvl; int ret; -msg(D_DCO_DEBUG, "%s: slot %d, key-id %d, peer-id %d, cipher %s", -__func__, slot, keyid, peerid, ciphername); +msg(D_DCO_DEBUG, "%s: slot %d, key-id %d, peer-id %d, cipher %s, co_flags %u", +__func__, slot, keyid, peerid, ciphername, co_flags); nvl = nvlist_create(0); @@ -778,4 +778,11 @@ return "none:AES-256-GCM:AES-192-GCM:AES-128-GCM:CHACHA20-POLY1305"; } +bool +dco_supports_data_v3(struct context *c) +{ +/* not implemented */ +return false; +} + #endif /* defined(ENABLE_DCO) && defined(TARGET_FREEBSD) */ diff --git a/src/openvpn/dco_internal.h b/src/openvpn/dco_internal.h index 624c110..35500a4 100644 --- a/src/openvpn/dco_internal.h +++ b/src/openvpn/dco_internal.h @@ -70,7 +70,7 @@ dco_key_slot_t slot, const uint8_t *encrypt_key, const uint8_t *encrypt_iv, const uint8_t *decrypt_key, const uint8_t *decrypt_iv, -const char *ciphername); +const char *ciphername, unsigned int co_flags); int dco_del_key(dco_context_t *dco, unsigned int peerid, dco_key_slot_t slot); diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c index 277cd64..4197d30 100644 --- a/src/openvpn/dco_linux.c +++ b/src/openvpn/dco_linux.c @@ -557,10 +557,10 @@ dco_key_slot_t slot, const uint8_t *encrypt_key, const uint8_t *encrypt_iv, const uint8_t *decrypt_key, const uint8_t *decrypt_iv, -const char *ciphername) +const char *ciphername, unsigned int co_flags) { -msg(D_DCO_DEBUG, "%s: slot %d, key-id %d, peer-id %d, cipher %s", -__func__, slot, keyid, peerid, ciphername); +msg(D_DCO_DEBUG, "%s: slot %d, key-id %d, peer-id %d, cipher %s, co_flags %u", +__func__, slot, keyid, peerid, ciphername, co_flags); const size_t key_len = cipher_kt_key_size(ciphername); const int nonce_tail_len = 8; @@ -1058,4 +1058,11 @@ return "AES-128-GCM:AES-256-GCM:AES-192-GCM:CHACHA20-POLY1305"; } +bool +dco_supports_data_v3(struct context *c) +{ +/* not implemented */ +return false; +} + #endif /* defined(ENABLE_DCO) && defined(TARGET_LINUX) */ diff
[Openvpn-devel] [PATCH v1] tun: removed unnecessary route installations
From: Marco Baffo Removed superfluous calls to 'add_route_ipv6' for adding ipv6 routes after tun opening in OpenBSD, NetBSD and Darwin. Change-Id: I235891212b15277349810913c9c1763da5c48587 Signed-off-by: Marco Baffo Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/731 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/src/openvpn/route.c b/src/openvpn/route.c index 71b5b42..31a634a 100644 --- a/src/openvpn/route.c +++ b/src/openvpn/route.c @@ -2244,9 +2244,6 @@ { argv_printf_cat(&argv, "-link -iface %s", device); } -/* FIX ME: in NetBSD in TUN mode, the route is already added by ifconfig - * so add_route_ipv6 fail with 'Invalid argument' or 'File exists' - */ argv_msg(D_ROUTE, &argv); bool ret = openvpn_execve_check(&argv, es, 0, diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c index d878161..7bdc6c4 100644 --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c @@ -1010,8 +1010,7 @@ #endif /* ifdef _WIN32 */ } -#if defined(_WIN32)\ -|| defined(TARGET_DARWIN) || defined(TARGET_NETBSD) || defined(TARGET_OPENBSD) +#if defined(_WIN32) /* some of the platforms will auto-add a "network route" pointing * to the interface on "ifconfig tunX 2001:db8::1/64", others need @@ -1203,11 +1202,6 @@ "FreeBSD BSD 'ifconfig inet6 -ifdisabled' failed"); #endif -#if defined(TARGET_OPENBSD) || defined(TARGET_NETBSD) \ -|| defined(TARGET_DARWIN) -/* and, hooray, we explicitly need to add a route... */ -add_route_connected_v6_net(tt, es, is_multipoint); -#endif #elif defined(TARGET_AIX) argv_printf(&argv, "%s %s inet6 %s/%d mtu %d up", IFCONFIG_PATH, ifname, ifconfig_ipv6_local, tt->netbits_ipv6, tun_mtu); ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied] Re: Ensures all params are ready before invoking dco_set_peer()
Hi, On Mon, Sep 09, 2024 at 01:39:30PM +0200, Gert Doering wrote: > Your patch has been applied to the master branch. Note: while this is a bugfix, it does not need to go to 2.6 - there is no mssfix support in-kernel for DCO v2, and the upcoming DCOv3-no-called- "ovpn" will be 2.7-only. (FreeBSD DCO does not support mssfix either, as of today) gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Ensures all params are ready before invoking dco_set_peer()
I did not have an obvious way to trigger this, so I first just fed it to the DCO-enabled server/client testbed (nothing broke). Then, after quite a bit of discussion, it was made clear that this is for "UDP p2mp server configs". To see the effect, one needs to run with DCO debugging (--verb 7), and then it will show the difference: Old: Sep 9 07:00:26 ubuntu2004 tun-udp-p2mp[1926430]: freebsd-74-amd64/194.97.140.3:64742 peer-id=0 dco_set_peer: peer-id 0, keepalive 10/60, mss 0 Sep 9 07:02:55 ubuntu2004 tun-udp-p2mp[1926430]: freebsd-14-amd64/2001:608:0:814::fb00:14 peer-id=1 dco_set_peer: peer-id 1, keepalive 10/60, mss 0 Sep 9 07:03:15 ubuntu2004 tun-udp-p2mp[1926430]: dco_set_peer: peer-id 2, keepalive 10/60, mss 0 Sep 9 07:03:30 ubuntu2004 tun-udp-p2mp[1926430]: dco_set_peer: peer-id 1, keepalive 10/60, mss 0 New: Sep 9 12:05:56 ubuntu2004 tun-udp-p2mp[1951062]: freebsd-74-amd64/194.97.140.3:51648 peer-id=0 dco_set_peer: peer-id 0, keepalive 10/60, mss 1380 Sep 9 12:08:31 ubuntu2004 tun-udp-p2mp[1951062]: freebsd-14-amd64/2001:608:0:814::fb00:14 peer-id=1 dco_set_peer: peer-id 1, keepalive 10/60, mss 1380 Sep 9 12:08:50 ubuntu2004 tun-udp-p2mp[1951062]: dco_set_peer: peer-id 2, keepalive 10/60, mss 1380 Sep 9 12:09:06 ubuntu2004 tun-udp-p2mp[1951062]: dco_set_peer: peer-id 1, keepalive 10/60, mss 1380 (not sure why half the log lines have a peer-name prefix and the other half don't, but this is outside the patch in question) Since the currently active DCO implementations for Linux and FreeBSD do not support MSSFIX this is a bit moot today, as the kernel side will just ignore the value anyway - but with the upcoming new Linux "in tree" version, at least setting the correct information is needed so the kernel can eventually do the right thing with it. As discussed on IRC, I have updated the comment before the dco_set_peer() call to more correctly reflect what it does. Also, I have reworded the commit message a bit to make it more clear that this is fixing a "p2mp server" issue, and that why p2p_set_dco_keepalive() has been removed. Your patch has been applied to the master branch. commit 32e748bd3320cd07b9e7671ee0cec95f4fd85935 (master) Author: Gianmarco De Gregori Date: Fri Sep 6 16:57:45 2024 +0200 Ensures all params are ready before invoking dco_set_peer() Signed-off-by: Gianmarco De Gregori Acked-by: Lev Stipakov Message-Id: <20240906145745.67596-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29086.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: tun: use is_tun_p2p more consistently
Sorry for taking so long to handle this. These old code ruins make my head spin... Anyway. Arne has ACKed it, GHA likes it, my server and client test rigs find nothing to complain. Did stare-at-code while the tests were running... all reasonable changes, nothing should have a behavioural change (except the fix in ifconfig_sanity_check()). Good catch on print_topology() ;-) Quite a few of the old "else if (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET)" are my doing, I think... seems "if (tun)" was really very unclear... Also thanks for restructuring the Darwin section to be "just as all the other platforms" :-) Your patch has been applied to the master branch. commit 976a65346d2193181f4f5664f798e16fcbf43345 Author: Frank Lichtenheld Date: Fri Sep 6 18:25:14 2024 +0200 tun: use is_tun_p2p more consistently Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240906162514.78671-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29091.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: tests/unit_tests/openvpn/test_auth_token.c: handle strdup errors
Your patch has been applied to the master branch. commit 611fa55ed1ef7e78e6015e77ace19aa4b2bf744e Author: Ilia Shipitsin Date: Mon Jul 8 23:08:22 2024 +0200 tests/unit_tests/openvpn/test_auth_token.c: handle strdup errors Signed-off-by: Ilia Shipitsin Acked-by: Frank Lichtenheld Message-Id: <20240708210912.566-6-chipits...@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28882.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH 3/5] src/openvpn/auth_token.c: handle strdup errors
Hi, On Mon, Jul 08, 2024 at 11:08:20PM +0200, Ilia Shipitsin wrote: > multi->auth_token = strdup((char *)BPTR(&session_token)); > +if (!multi->auth_token) > +{ > +msg( M_FATAL, "Failed allocate memory for multi->auth_token"); > +} I do wonder if this is the right approach here. For "openvpn itself" we have the check_malloc_return() macro, which will purposely not call msg() - as msg() does internal malloc()s, and if we cannot allocate 20 bytes for an auth_token, the chance that msg() will not succeed is fairly high... In plugins or unit tests, the infrastructure is different, but for 3/ and 4/, please resend with multi->auth_token = strdup((char *)BPTR(&session_token)); +check_malloc_return(multi->auth_token); (etc) gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: sample/sample-plugins/defer/multi-auth.c: handle strdup errors
Stared-at-code, and compile-tested. Agree with Frank :-) Your patch has been applied to the master branch. commit aef8a872aa51331f781265fdb6b3c340463637a8 Author: Ilia Shipitsin Date: Mon Jul 8 23:08:19 2024 +0200 sample/sample-plugins/defer/multi-auth.c: handle strdup errors Signed-off-by: Ilia Shipitsin Acked-by: Frank Lichtenheld Message-Id: <20240708210912.566-3-chipits...@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28886.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: src/openvpn/init.c: handle strdup failures
Acked-by: Gert Doering Taken the "patchset looks great" from Antonio as ACK, fixed the "msg( M_FATAL," space on the go (trivial whitespace fixes are acceptable). Not tested beyond minimal compile test and stare-at-code. Your patch has been applied to the master branch. commit b7c6920eab5d56067a69805f64239b8dd5a0ae27 Author: Ilia Shipitsin Date: Mon Jul 8 23:08:18 2024 +0200 src/openvpn/init.c: handle strdup failures Signed-off-by: Ilia Shipitsin Acked-by: Antonio Quartulli Acked-by: Gert Doering Message-Id: <20240708210912.566-2-chipits...@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28884.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Static-challenge concatenation option
Thanks for your patience, and sorry for taking so long... vacation and other excuses. Haven't actually tested for good (a --static-challenge setup is on my TODO list since like 100 years...), but the code looks reasonable, it passes all "non-challenge" tests, and has an ACK from Frank :-) - and a few basic tests with "run client from cli, look what plugin-auth-pam reports on the other end" confirm that it does the job. Is the GUI support already committed? I seem to remember seeing a PR for that "weeks ago"... and someone needs to bring Tunnelblick on board. Your patch has been applied to the master branch. commit 6f6a0f362f845f042a965f797b731f8931310372 (master) Author: Selva Nair Date: Fri Jul 19 15:14:07 2024 +0200 Static-challenge concatenation option Signed-off-by: Selva Nair Acked-by: Frank Lichtenheld Message-Id: <20240719131407.75746-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28943.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Add test for static-challenge concatenation option
Tests are always good :-) - and this expect_string()/will_return() stuff looks outright magic... cool stuff. Your patch has been applied to the master branch. commit bb8f193615032f5a7dd3ae9230e2edfb92b70ab7 Author: Selva Nair Date: Fri Aug 30 10:18:24 2024 -0400 Add test for static-challenge concatenation option Signed-off-by: Selva Nair Acked-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20240830141824.108599-1-selva.n...@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29054.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Initialize before use struct user_pass in ui_reader()
Acked-by: Gert Doering Thanks :-) (not much to test here) Your patch has been applied to the master branch. commit 67124dcf317460609860a2ea7cb7a55ceed4a4ce Author: Selva Nair Date: Sun Sep 8 18:42:20 2024 -0400 Initialize before use struct user_pass in ui_reader() Signed-off-by: Selva Nair Acked-by: Gert Doering Message-Id: <20240908224220.478684-1-selva.n...@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29114.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Add a test for loading certificate and key using file: URI
Again, an easy-to-test one :-) - only unit tests, and those pass on various OpenSSL and mbedTLS versions ("SKIPPED"), including the GHA windows unit tests. Your patch has been applied to the master branch. commit f086a49b5511adcd5ad0835f7cbac7d403dbf4af Author: Selva Nair Date: Fri Sep 6 12:39:00 2024 +0200 Add a test for loading certificate and key using file: URI Signed-off-by: Selva Nair Acked-by: Frank Lichtenheld Message-Id: <20240906103900.37037-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29076.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Add a test for loading certificate and key to ssl context
Testing this one was easy - look at the patch "only test code affected", and run "make check" on a few different machines :-) - passes FreeBSD + ossl3, FreeBSD + mbedTLS, FreeBSD + ossl 1.1.1w, Gentoo + ossl 1.1.1 (and all the GH builds, with various OpenSSL and mbedTLS versions). Your patch has been applied to the master branch. release/2.6 does not have enough backported unit test code for this to apply (but given the way our patches flow, always master -> release/x, this is not a big loss). commit 0fe3a9877468ecfb3b97c67ecca5495eed7a8683 (master) Author: Selva Nair Date: Fri Sep 6 12:38:14 2024 +0200 Add a test for loading certificate and key to ssl context Signed-off-by: Selva Nair Acked-by: Frank Lichtenheld Message-Id: <20240906103814.36839-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29074.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Interpret --key and --cert option argument as URI
I have not tested this beyond basic "do t_client and server tests still work" - no suitable OpenSSL provider infrastructure here, and stalling the patch until I find time to set up more tests is not helping anyone, given that Frank has done quite heavy testing already. I've stared a bit at the code and things seem reasonable :-) - and come with a unit test! (well, in the next patch) I'm a bit curious about the new ui_reader() function - it says "wrapper for pem_password_callback()" but the actuall call there seems hidden in "SSL_CTX_get_default_passwd_cb()" - is my interpretation correct? But anyway, there might be an undefined variable lurking in /* If pkcs#11 Use custom prompt similar to pkcs11-helper */ if (strstr(prompt, "PKCS#11")) { struct user_pass up; get_user_pass(&up, NULL, "PKCS#11 token", ... "up" is not initialized, and the first thing get_user_pass_cr() does is look at "if (!up->defined)". So if I'm not misreading this, a followup patch to initialize "up" would be good. At this point it might be nice to add a comment explaining how the wrapping of "pem_password_callback()" works ;-) Your patch has been applied to the master branch. commit 3512e8d3ada4fa7d04925a89fd9f3669655c7887 (master) Author: Selva Nair Date: Fri Sep 6 12:37:34 2024 +0200 Interpret --key and --cert option argument as URI Signed-off-by: Selva Nair Acked-by: Frank Lichtenheld Message-Id: <20240906103734.36633-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29075.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Protect cached username, password and token on client
Thanks for taking up the challenge :-) - and I think the approach is quite reasonable, and also extensible should one of the other OSes come up with a similar memory protection function one day ("crypt with a key outside the program's own memory"). I have test compiled this "for windows" via GHA/MSVC and locally with MinGW. Haven't actually tested the windows binary. More important, since this adds an ASSERT() to a few server-side code path, fed to the server-side testbed which has user+pass & auth-token instances, and this all still works :-) Your patch has been applied to the master and release/2.6 branch (security hardening). 2.6 lacks the test_user_pass.c file, so that hunk was omitted. commit 12a9c357b6a7b55bea929eb5d9669e6386ab0d0e (master) commit 9e1598de43383ac655fd71bd34021026ac105f23 (release/2.6) Author: Selva Nair Date: Fri Sep 6 13:29:08 2024 +0200 Protect cached username, password and token on client Signed-off-by: Selva Nair Acked-by: Frank Lichtenheld Message-Id: <20240906112908.1009-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29079.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: proxy.c: Clear sensitive data after use
Thanks for looking into this - and I agree with the conclusion on keeping the scope of this patch to "purge this", not refactor the overall code to get rid of that copy completely. I have not tested this "for real" as I do not currently have a proxy setup that requires authentication - just stared at the code, and run the normal client->proxy tests (and nothing broke). Your patch has been applied to the master and release/2.6 branch (useful and fairly isolated change, adding a bit of hardening). commit dbe7e456954bf001420c4552c2b6e184ec6e068c (master) commit 534609a2a7f0dcd56c8eab764c9c9c99834dcc6f (release/2.6) Author: Selva Nair Date: Thu Sep 5 12:07:24 2024 +0200 proxy.c: Clear sensitive data after use Signed-off-by: Selva Nair Acked-by: Frank Lichtenheld Message-Id: <20240905100724.4105-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29061.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: configure: Try to use pkg-config to detect mbedTLS
Lightly tested on a FreeBSD (no .pc) and a Gentoo system (.pc), both find mbedtls & build fine. Discovered "" while at it... in case someone else wonders what that is, it's part of mbedTLS but is not installed in the normal mbedtls include path, because, why should it... (*roll eyes*). Your patch has been applied to the master branch. commit c829f57096cb6951aa4698eff388aeebf9310334 Author: Frank Lichtenheld Date: Fri Sep 6 18:05:10 2024 +0200 configure: Try to use pkg-config to detect mbedTLS Signed-off-by: Frank Lichtenheld Acked-by: Yuriy Darnobyt Message-Id: <20240906160510.76387-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29090.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: GHA: Configure Renovate
Your patch has been applied to the master branch. The Author info in gerrit is a bit funny, but from the context it's clear that Frank wrote this - and we want persons in the git log, not robots :-) - so adjusted the From: before committing. Lightly tested the GHA changes by building in my GH repo. commit 4788aaba0739eeaae853d31075ae533a9228a61b Author: Frank Lichtenheld Date: Fri Sep 6 17:12:43 2024 +0200 GHA: Configure Renovate Signed-off-by: Frank Lichtenheld Acked-by: Yuriy Darnobyt Message-Id: <20240906151243.69549-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29087.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: configure: Allow to detect git checkout if .git is not a directory
Have done a bit of testing with "in-tree build, git", "out of tree build, git" and "in-tree build, tarball" and it seems to always do the right thing. Haven't a need for git submodules, so I have not tested that. Your patch has been applied to the master branch. commit dac076fe406adace826766f6cc3cfdadc5f06be4 Author: Frank Lichtenheld Date: Fri Sep 6 19:21:12 2024 +0200 configure: Allow to detect git checkout if .git is not a directory Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Acked-by: Yuriy Darnobyt Message-Id: <20240906172112.87148-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29092.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v3] Protect cached username, password and token on client
From: Selva Nair Keep the memory segment containing username and password in "struct user_pass" encrypted. Works only on Windows. Username and auth-token cached by the server are not covered here. v2: Encrypt username and password separately as it looks more robust. We continue to depend on the username and password buffer sizes to be a multiple of CRYPTPROTECTMEMORY_BLOCK_SIZE = 16, which is the case now. An error is logged if this is not the case. v3: move up ASSERT in auth_token.c Change-Id: I42e17e09a02f01aedadc2b03f9527967f6e1e8ff Signed-off-by: Selva Nair Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/728 This mail reflects revision 3 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c index 6787ea7..5de65cb 100644 --- a/src/openvpn/auth_token.c +++ b/src/openvpn/auth_token.c @@ -301,6 +301,7 @@ * Base64 is <= input and input is < USER_PASS_LEN, so using USER_PASS_LEN * is safe here but a bit overkill */ +ASSERT(up && !up->protected); uint8_t b64decoded[USER_PASS_LEN]; int decoded_len = openvpn_base64_decode(up->password + strlen(SESSION_ID_PREFIX), b64decoded, USER_PASS_LEN); diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index 598fbae..ef4ab69 100644 --- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c @@ -223,6 +223,7 @@ bool password_from_stdin = false; bool response_from_stdin = true; +unprotect_user_pass(up); if (flags & GET_USER_PASS_PREVIOUS_CREDS_FAILED) { msg(M_WARN, "Note: previous '%s' credentials failed", prefix); @@ -479,14 +480,18 @@ secure_memzero(up, sizeof(*up)); up->nocache = nocache; } -/* - * don't show warning if the pass has been replaced by a token: this is an - * artificial "auth-nocache" - */ -else if (!warn_shown) +else { -msg(M_WARN, "WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this"); -warn_shown = true; +protect_user_pass(up); +/* + * don't show warning if the pass has been replaced by a token: this is an + * artificial "auth-nocache" + */ +if (!warn_shown) +{ +msg(M_WARN, "WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this"); +warn_shown = true; +} } } @@ -495,6 +500,7 @@ { if (strlen(token)) { +unprotect_user_pass(tk); strncpynt(tk->password, token, USER_PASS_LEN); tk->token_defined = true; @@ -505,6 +511,7 @@ { tk->defined = true; } +protect_user_pass(tk); } } @@ -513,6 +520,7 @@ { if (strlen(username)) { +unprotect_user_pass(tk); /* Clear the username before decoding to ensure no old material is left * and also allow decoding to not use all space to ensure the last byte is * always 0 */ @@ -523,6 +531,7 @@ { msg(D_PUSH, "Error decoding auth-token-username"); } +protect_user_pass(tk); } } @@ -779,3 +788,43 @@ return combined_path; } + +void +protect_user_pass(struct user_pass *up) +{ +if (up->protected) +{ +return; +} +#ifdef _WIN32 +if (protect_buffer_win32(up->username, sizeof(up->username)) +&& protect_buffer_win32(up->password, sizeof(up->password))) +{ +up->protected = true; +} +else +{ +purge_user_pass(up, true); +} +#endif +} + +void +unprotect_user_pass(struct user_pass *up) +{ +if (!up->protected) +{ +return; +} +#ifdef _WIN32 +if (unprotect_buffer_win32(up->username, sizeof(up->username)) +&& unprotect_buffer_win32(up->password, sizeof(up->password))) +{ +up->protected = false; +} +else +{ +purge_user_pass(up, true); +} +#endif +} diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h index 963f3e6..a967ec8 100644 --- a/src/openvpn/misc.h +++ b/src/openvpn/misc.h @@ -60,6 +60,7 @@ * use this second bool to track if the token (password) is defined */ bool token_defined; bool nocache; +bool protected; /* max length of username/password */ #ifdef ENABLE_PKCS11 @@ -207,6 +208,19 @@ struct buffer prepend_dir(const char *dir, const char *path, struct gc_arena *gc); +/** + * Encrypt username and password buffers in user_pass + */ +void +protect_user_pass(struct user_pass *up); + +/** + * Decrypt username and password buffers in user_pass + */ +void +unprotect_user_pass(struct user_pass *up); + + #define _STRINGIFY(S) #S /* *INDENT-OFF* - uncrustify need
[Openvpn-devel] [PATCH v1] proxy.c: Clear sensitive data after use
From: Selva Nair Usage of credentials is a bit odd in this file. Actually the copy of "struct user_pass" kept in p->up is not required at all. It just defeats the purpose of auth-nocahe as it never gets cleared. Removing it is beyond the scope of this patch -- we just ensure it's purged after use. Change-Id: Ic6d63a319d272a56ac0e278f1356bc5241b56a34 Signed-off-by: Selva Nair Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/727 This mail reflects revision 1 of this Change. Signed-off-by line for the author was added as per our policy. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c index 5de0da4..eddacc9 100644 --- a/src/openvpn/proxy.c +++ b/src/openvpn/proxy.c @@ -247,7 +247,9 @@ struct buffer out = alloc_buf_gc(strlen(p->up.username) + strlen(p->up.password) + 2, gc); ASSERT(strlen(p->up.username) > 0); buf_printf(&out, "%s:%s", p->up.username, p->up.password); -return (const char *)make_base64_string((const uint8_t *)BSTR(&out), gc); +char *ret = (char *)make_base64_string((const uint8_t *)BSTR(&out), gc); +secure_memzero(BSTR(&out), out.len); +return ret; } static void @@ -736,6 +738,9 @@ ASSERT(0); } +/* clear any sensitive content in buf */ +secure_memzero(buf, sizeof(buf)); + /* send empty CR, LF */ if (!send_crlf(sd)) { @@ -983,6 +988,8 @@ { goto error; } +/* clear any sensitive content in buf */ +secure_memzero(buf, sizeof(buf)); /* receive reply from proxy */ if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received)) @@ -1086,10 +1093,12 @@ #endif done: +purge_user_pass(&p->up, true); gc_free(&gc); return ret; error: +purge_user_pass(&p->up, true); register_signal(sig_info, SIGUSR1, "HTTP proxy error"); /* SOFT-SIGUSR1 -- HTTP proxy error */ gc_free(&gc); return ret; ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Implement support for AEAD tag at the end
After some discussion it was decided to keep the "two independent options", partially because "these two patches have been out there for a while, been stared-at, and tested quite a bit" - also, IV_PROTO_V4 might end up with a different combination, we'll see. 507 will ensure that for IV_PROTO_V3 the two new options (AEAD at the end and 64 bit counters) will only ever be used together, or not at all - reduce the amount of protocol versions to implement in all datapaths, and combinations to test. I have tested this against older code (t_client -> 2.6 etc, and t_server <- 2.2...2.6) and nothing broke. Also, tested against itself, and that worked as well. Of course it does not actually *do* anything yet, as the logic to push "aead-tag-end" does not exist... (FTR, in case one of you is wondering - this is v3, and gerrit has "v8" of the patch - but it's the same code change, just being pushed again as part of "other pushes" after being rebased) Your patch has been applied to the master branch. commit 233e10aeec7de02d34fa5c517b44612d38ccc00f Author: Arne Schwabe Date: Wed Feb 14 14:27:19 2024 +0100 Implement support for AEAD tag at the end Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20240214132719.3031492-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28239.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Use a more robust way to get dco-win version
Stared at code here and on the driver side, looks very reasonable and also backward-compatible in both directions. Not actually tested, just test compiled via GHA. Your patch has been applied to the master and release/2.6 branch (long-term compat). commit e5a8ea36a0228c30cdbee8791d44a1f0fbaffa9f (master) commit 41fe48585ebd005e65d191452c2860ab9c089c55 (release/2.6) Author: Lev Stipakov Date: Fri Aug 9 21:22:56 2024 +0200 Use a more robust way to get dco-win version Signed-off-by: Lev Stipakov Acked-by: Gert Doering Message-Id: <20240809192257.24208-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29009.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: test_pkcs11.c: set file offset to 0 after ftruncate
Acked-by: Gert Doering "explanation makes sense, man ftruncate clearly says 'fd is not modified'" smoke tested ("make check") on linux with --enable-pkcs11 Your patch has been applied to the master branch. Not applied to 2.6 because the code in question does not exist there. commit dcf735009c8caabf5e4a9feeb0d32907aafe8f17 (master) Author: Selva Nair Date: Mon Aug 12 19:21:58 2024 -0400 test_pkcs11.c: set file offset to 0 after ftruncate Signed-off-by: Selva Nair Acked-by: Gert Doering Message-Id: <20240812232158.3776869-1-selva.n...@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29010.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] Use a more robust way to get dco-win version
From: Lev Stipakov The current way doesn't work if the device is already in use. Starting from 1.3.0, dco-win creates a non-exclusive control device \\.\ovpn-dco-ver which can be opened by multiple apps and supports a single IOCTL to get a version number. https://github.com/OpenVPN/ovpn-dco-win/pull/76 This will be expecially handy later when checking which features driver supports. Change-Id: Ieb6f3a9d14d76000c1caf8ee1e959c6d0de832bf Signed-off-by: Lev Stipakov Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/723 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpn/dco_win.c b/src/openvpn/dco_win.c index e3ada76..3ec946f 100644 --- a/src/openvpn/dco_win.c +++ b/src/openvpn/dco_win.c @@ -389,9 +389,16 @@ OVPN_VERSION version; ZeroMemory(&version, sizeof(OVPN_VERSION)); -/* try to open device by symbolic name */ -HANDLE h = CreateFile(".\\ovpn-dco", GENERIC_READ | GENERIC_WRITE, - 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED, NULL); +/* first, try a non-exclusive control device, available from 1.3.0 */ +HANDLE h = CreateFile(".\\ovpn-dco-ver", GENERIC_READ, + 0, NULL, OPEN_EXISTING, 0, NULL); + +if (h == INVALID_HANDLE_VALUE) +{ +/* fallback to a "normal" device, this will fail if device is already in use */ +h = CreateFile(".\\ovpn-dco", GENERIC_READ, + 0, NULL, OPEN_EXISTING, 0, NULL); +} if (h == INVALID_HANDLE_VALUE) { ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: console_systemd: rename query_user_exec to query_user_systemd
Simplification of code, less #ifdef/#undef tricks, good :-) - stared at code, and compile tested (FreeBSD + GHA). Your patch has been applied to the master branch. commit 418463ad27c13f56adb5b02cfd62018b7d634ee8 (master) Author: Frank Lichtenheld Date: Fri Jul 26 12:40:32 2024 +0200 console_systemd: rename query_user_exec to query_user_systemd Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <20240726104032.2112-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28983.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v4] console_systemd: rename query_user_exec to query_user_systemd
From: Frank Lichtenheld This allows us to override query_user_exec for unit tests more consistently without having to jump through weird hoops. Fixes running test_pkcs11 with --enable-systemd. While here also fix documentation comments for query_user_exec*. Change-Id: I379e1eb6dc57b9fe4bbdaefbd947a14326e7117a Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/670 This mail reflects revision 4 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpn/console.h b/src/openvpn/console.h index 7358299..72ae8e0 100644 --- a/src/openvpn/console.h +++ b/src/openvpn/console.h @@ -65,11 +65,10 @@ /** - * Executes a configured setup, using the built-in method for querying the user. + * Loop through configured query_user slots, using the built-in method for + * querying the user. * This method uses the console/TTY directly. * - * @param setupPointer to the setup defining what to ask the user - * * @return True if executing all the defined steps completed successfully */ bool query_user_exec_builtin(void); @@ -77,21 +76,34 @@ #if defined(ENABLE_SYSTEMD) /** - * Executes a configured setup, using the compiled method for querying the user - * - * @param setupPointer to the setup defining what to ask the user + * Loop through configured query_user slots, using the systemd method for + * querying the user. + * If systemd is not running it will fall back to use + * query_user_exec_builtin() instead. * * @return True if executing all the defined steps completed successfully */ -bool query_user_exec(void); +bool query_user_exec_systemd(void); -#else /* ENABLE_SYSTEMD not defined*/ +/** + * Loop through configured query_user slots, using the compiled method for + * querying the user. + * + * @return True if executing all the defined steps completed successfully + */ +static inline bool +query_user_exec(void) +{ +return query_user_exec_systemd(); +} + +#else /* ENABLE_SYSTEMD not defined */ /** * Wrapper function enabling query_user_exec() if no alternative methods have * been enabled * */ -static bool +static inline bool query_user_exec(void) { return query_user_exec_builtin(); diff --git a/src/openvpn/console_systemd.c b/src/openvpn/console_systemd.c index c7cf1ad..cc91cd1 100644 --- a/src/openvpn/console_systemd.c +++ b/src/openvpn/console_systemd.c @@ -96,7 +96,7 @@ * */ bool -query_user_exec(void) +query_user_exec_systemd(void) { bool ret = true; /* Presume everything goes okay */ int i; diff --git a/tests/unit_tests/openvpn/test_pkcs11.c b/tests/unit_tests/openvpn/test_pkcs11.c index 6d283a2..5518fa1 100644 --- a/tests/unit_tests/openvpn/test_pkcs11.c +++ b/tests/unit_tests/openvpn/test_pkcs11.c @@ -75,6 +75,14 @@ { assert_true(0); } +#if defined(ENABLE_SYSTEMD) +bool +query_user_exec_systemd(void) +{ +assert_true(0); +return false; +} +#endif bool query_user_exec_builtin(void) { diff --git a/tests/unit_tests/openvpn/test_user_pass.c b/tests/unit_tests/openvpn/test_user_pass.c index b43e655..de60291 100644 --- a/tests/unit_tests/openvpn/test_user_pass.c +++ b/tests/unit_tests/openvpn/test_user_pass.c @@ -26,10 +26,6 @@ #include "config.h" #endif -#undef ENABLE_SYSTEMD -/* avoid redefining ENABLE_SYSTEMD in misc.c */ -#undef HAVE_CONFIG_H - #include "syshead.h" #include "manage.h" @@ -44,6 +40,13 @@ struct management *management; /* global */ /* mocking */ +#if defined(ENABLE_SYSTEMD) +bool +query_user_exec_systemd(void) +{ +return query_user_exec_builtin(); +} +#endif bool query_user_exec_builtin(void) { ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: add and send IV_PROTO_DNS_OPTION_V2 flag
I have not tested this beyond "does it compile". My understanding is that this is to align openvpn 2.x and 3.x in regards to "if this bit is set, the client understands the new variants in `--dns`" and since the "new code" is only in master, so is this patch. Your patch has been applied to the master branch. commit 8991f0d5c6c06d1e42919d1d6a0813ca1c46f8a1 (master) Author: Heiko Hund Date: Thu Jul 25 13:22:48 2024 +0200 add and send IV_PROTO_DNS_OPTION_V2 flag Signed-off-by: Heiko Hund Acked-by: Arne Schwabe Message-Id: <20240725112248.21075-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28970.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] add and send IV_PROTO_DNS_OPTION_V2 flag
From: Heiko Hund Incompatible changes to the --dns server address and --dns server exclude-domains options were introduced after the code for handling them was released. Add and send a new IV_PROTO flag, so servers which act on the flags set can differentiate between clients which have implemented --dns and those which just support the new option. This enables them to decide which variant of options to send to the client. Change-Id: I975057c20c1457ef88111f8d142ca3fd2039d5ff Signed-off-by: Heiko Hund Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/680 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index e0e9591..14c38cf 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1900,8 +1900,8 @@ /* support for P_DATA_V2 */ int iv_proto = IV_PROTO_DATA_V2; -/* support for the --dns option */ -iv_proto |= IV_PROTO_DNS_OPTION; +/* support for the latest --dns option */ +iv_proto |= IV_PROTO_DNS_OPTION_V2; /* support for exit notify via control channel */ iv_proto |= IV_PROTO_CC_EXIT_NOTIFY; diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 1a45048..6c2bfc3 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -94,7 +94,7 @@ * result. */ #define IV_PROTO_NCP_P2P (1<<5) -/** Supports the --dns option introduced in version 2.6 */ +/** Supports the --dns option introduced in version 2.6. Not sent anymore. */ #define IV_PROTO_DNS_OPTION (1<<6) /** Support for explicit exit notify via control channel @@ -107,6 +107,9 @@ /** Support to dynamic tls-crypt (renegotiation with TLS-EKM derived tls-crypt key) */ #define IV_PROTO_DYN_TLS_CRYPT (1<<9) +/** Supports the --dns option after all the incompatible changes */ +#define IV_PROTO_DNS_OPTION_V2 (1<<11) + /* Default field in X509 to be username */ #define X509_USERNAME_FIELD_DEFAULT "CN" ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Add Ubuntu 24.04 runner to Github Actions
Your patch has been applied to the master branch. I tried to apply it to release/2.6 as well, but the mbedtls builds fail (on 24.04) with error messages like this: crypto_backend.h:352:6: note: previous declaration of `cipher_ctx_init' with type `void(cipher_ctx_t *, const uint8_t *, const char *, int)' {aka `void(mbedtls_cipher_context_t *, const unsigned char *, const char *, int)'} so it seems we need some mbedtls compat backport first, or stop building 2.6 + 24.04 + mbedtls. Details: https://github.com/cron2/openvpn/actions/runs/10041826490/job/27750800767 (looking more closely, 24.04 + ossl 3 fails as well, with "configure: error: PKCS11 enabled but libpkcs11-helper is missing") commit 856065b2eb37286c389550593472bf180bc5be9d (master) Author: Arne Schwabe Date: Fri Jul 19 15:11:41 2024 +0200 Add Ubuntu 24.04 runner to Github Actions Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20240719131141.75324-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28942.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Fix missing spaces in various messages
Went through the individual messages, all very welcome fixes. Test compiled, just to be sure no quote or anything escaped. Your patch has been applied to the master and release/2.6 branch (bugfix). commit 824fe9ce497bd26a9609abb7324427e906ead6a4 (master) commit 02346806adafd3c656f018a7a1b3fb2c585a1cea (release/2.6) Author: Frank Lichtenheld Date: Mon Jul 22 14:10:34 2024 +0200 Fix missing spaces in various messages Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <20240722121034.10816-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28950.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] Fix missing spaces in various messages
From: Frank Lichtenheld These result from broken up literals where it is easy to miss the missing space. Change-Id: Ic27d84c74c1dd6ff7973ca6966d186f475c67e21 Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/679 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index 78243b1..7f0d53d 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -185,7 +185,7 @@ } else { -msg(D_DCO_DEBUG, "Swapping primary and secondary keys to" +msg(D_DCO_DEBUG, "Swapping primary and secondary keys to " "primary-id=%d secondary-id=(to be deleted)", primary->key_id); } diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 162b23e..03177bb 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -1804,7 +1804,7 @@ } else if (dco_enabled(o)) { -msg(M_INFO, "Client does not support DATA_V2. Data channel offloaing " +msg(M_INFO, "Client does not support DATA_V2. Data channel offloading " "requires DATA_V2. Dropping client."); auth_set_client_reason(tls_multi, "Data channel negotiation " "failed (missing DATA_V2)"); @@ -1815,7 +1815,7 @@ * not accept our pushed ciphers */ if (proto & IV_PROTO_NCP_P2P) { -msg(M_WARN, "Note: peer reports running in P2P mode (no --pull/--client" +msg(M_WARN, "Note: peer reports running in P2P mode (no --pull/--client " "option). It will not negotiate ciphers with this server. " "Expect this connection to fail."); } @@ -2027,7 +2027,7 @@ /* Not EOF but other error -> fall through to error state */ default: /* We received an unknown/unexpected value. Assume failure. */ -msg(M_WARN, "WARNING: Unknown/unexpected value in deferred" +msg(M_WARN, "WARNING: Unknown/unexpected value in deferred " "client-connect resultfile"); ret = CC_RET_FAILED; } @@ -2427,7 +2427,7 @@ */ if (!mi->context.c2.push_ifconfig_defined) { -msg(D_MULTI_ERRORS, "MULTI: no dynamic or static remote" +msg(D_MULTI_ERRORS, "MULTI: no dynamic or static remote " "--ifconfig address is available for %s", multi_instance_string(mi, false, &gc)); } @@ -2443,7 +2443,7 @@ print_in_addr_t(mi->context.options.push_ifconfig_constraint_netmask, 0, &gc); /* JYFIXME -- this should cause the connection to fail */ -msg(D_MULTI_ERRORS, "MULTI ERROR: primary virtual IP for %s (%s)" +msg(D_MULTI_ERRORS, "MULTI ERROR: primary virtual IP for %s (%s) " "violates tunnel network/netmask constraint (%s/%s)", multi_instance_string(mi, false, &gc), print_in_addr_t(mi->context.c2.push_ifconfig_local, 0, &gc), @@ -2492,7 +2492,7 @@ } else if (mi->context.options.iroutes) { -msg(D_MULTI_ERRORS, "MULTI: --iroute options rejected for %s -- iroute" +msg(D_MULTI_ERRORS, "MULTI: --iroute options rejected for %s -- iroute " "only works with tun-style tunnels", multi_instance_string(mi, false, &gc)); } diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 64e67aa..ba9b05e 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -7033,7 +7033,7 @@ } else if (streq(p[0], "max-routes") && !p[2]) { -msg(M_WARN, "DEPRECATED OPTION: --max-routes option ignored." +msg(M_WARN, "DEPRECATED OPTION: --max-routes option ignored. " "The number of routes is unlimited as of OpenVPN 2.4. " "This option will be removed in a future version, " "please remove it from your configuration."); @@ -9328,7 +9328,7 @@ s++; } msg(M_WARN, "DEPRECATED FEATURE: automatically upcased the " -"--x509-username-field parameter to '%s'; please update your" +"--x509-username-field parameter to '%s'; please update your " "configuration", p[j]); } } diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index 93
[Openvpn-devel] [PATCH applied] Re: configure: Switch to C11 by default
As discussed before, this breaks OpenBSD 6.8 builds (and, generally, other systems with very old compilers). Not sure the benefit of getting rid of a few hoops for anonymous unions is worth it, but then, it's not like people on those systems couldn't just update... Your patch has been applied to the master branch. commit 37b696a207548df88fe65aa130fe6d522e7ce920 (master) Author: Frank Lichtenheld Date: Wed Jul 10 18:03:06 2024 +0200 configure: Switch to C11 by default Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240710160306.190351-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28916.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Allow trailing \r and \n in control channel message
Stared at code, reviewed, and fed to my test case where the server replies with "AUTH_FAIL,you stink\r\n" - which wasn't working with the previous code (and was overlooked during testing), now works. 2024-07-17 20:54:32 AUTH: Received control message: AUTH_FAILED,you stink Also, unit tests, yay :-) Your patch has been applied to the master and release/2.6 branch (backport will be applied to 2.5). commit be31325e1dfdffbb152374985c2ae7b6644e3519 (master) commit 343573990135023d855d151fcd9248e5c26d9f8b (release/2.6) Author: Arne Schwabe Date: Wed Jul 10 16:06:23 2024 +0200 Allow trailing \r and \n in control channel message Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20240710140623.172829-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28910.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Allow trailing \r and \n in control channel message
Acked-by: Gert Doering Thanks for the backport. Verified that it's the same change (without the unit test, and having extract_command_buffer() in forward.c), and that it gets the job done :-) Your patch has been applied to the release/2.5 branch. commit dddb87f126a6e87e61de830a9efe0bc257a71e2b (release/2.5) Author: Arne Schwabe Date: Thu Jul 11 13:30:22 2024 +0200 Allow trailing \r and \n in control channel message Signed-off-by: Arne Schwabe Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <2024073022.52076-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28923.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v2] configure: Switch to C11 by default
Hi, On Wed, Jul 10, 2024 at 06:03:06PM +0200, Frank Lichtenheld wrote: > Mostly so we can use anonymous structs without jumping through > hoops or relying on unofficial support. > > Change-Id: I72934e747d1ad68a7e3675afbeb1b63df7941186 > Signed-off-by: Frank Lichtenheld > Acked-by: Arne Schwabe > --- > > This change was reviewed on Gerrit and approved by at least one > developer. I request to merge it to master. This breaks all OpenBSD 6.8 builds. Are you intentionally ignoring this ("this OS is out of support, we'll discontinue this buildbot"? If yes, we might want to point out that this change has fallout on older "build environments" - not sure what is problematic here, C compiler or system headers, or libc... gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: t_server_null: multiple improvements and fixes
Thanks for the good work on this - now all the more exotic platforms (with stubborn sysadmins) pass "the basic tests", and we can move onwards to more creative setups, and towards better diagnostic output. Tested on the buildbots (via gerrit). Your patch has been applied to the master branch. commit f8f477139804b06183b515a529c982f524547d18 Author: Samuli Seppänen Date: Thu Jul 4 15:33:36 2024 +0200 t_server_null: multiple improvements and fixes Signed-off-by: Samuli Seppänen Acked-by: Frank Lichtenheld Message-Id: <2024070417.26595-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28871.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v5] t_server_null: multiple improvements and fixes
From: Samuli Seppänen - exit after a timeout if unable to kill servers - use sudo or equivalent only for server stop/start - use /bin/sh directly instead of through /usr/bin/env - simplify sudo call in the sample rc file - remove misleading and outdated documentation - make it work on OpenBSD 7.5 - make it work on NetBSD 10.0 - make server logs readable by normal users Change-Id: I2cce8ad4e0d262e1404ab1eb6ff673d8590b6b3a Signed-off-by: Samuli Seppänen Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/669 This mail reflects revision 5 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/doc/t_server_null.rst b/doc/t_server_null.rst index e3a098a..5fe9080 100644 --- a/doc/t_server_null.rst +++ b/doc/t_server_null.rst @@ -43,6 +43,12 @@ * run as root * a privilege escalation tool (sudo, doas, su) and the permission to become root +If you use "doas" you should enable nopass feature in */etc/doas.conf*. For +example to allow users in the *wheel* group to run commands without a password +prompt:: + +permit nopass keepenv :wheel + Technical implementation @@ -73,13 +79,6 @@ * Waits until servers have launched. Then launch all clients, wait for them to exit and then check test results by parsing the client log files. Each client kills itself after some delay using an "--up" script. -Note that "make check" moves on once *t_server_null_client.sh* has exited. At -that point *t_server_null_server.sh* is still running, because it exists only -after waiting a few seconds for more client connections to potentially appear. -This is a feature and not a bug, but means that launching "make check" runs too -quickly might cause test failures or unexpected behavior such as leftover -OpenVPN server processes. - Configuration - diff --git a/tests/t_server_null.rc-sample b/tests/t_server_null.rc-sample index 28c3773..98d7869 100644 --- a/tests/t_server_null.rc-sample +++ b/tests/t_server_null.rc-sample @@ -1,6 +1,5 @@ # Uncomment to run tests with sudo -#SUDO_EXEC=`which sudo` -#RUN_SUDO="${SUDO_EXEC} -E" +#RUN_SUDO="sudo -E" TEST_RUN_LIST="1 2 3 10 11" diff --git a/tests/t_server_null.sh b/tests/t_server_null.sh index 0e53ba4..7627edf 100755 --- a/tests/t_server_null.sh +++ b/tests/t_server_null.sh @@ -1,4 +1,4 @@ -#!/usr/bin/env sh +#!/bin/sh # TSERVER_NULL_SKIP_RC="${TSERVER_NULL_SKIP_RC:-77}" @@ -57,12 +57,7 @@ srcdir="${srcdir:-.}" -if [ -z "${RUN_SUDO}" ]; then -"${srcdir}/t_server_null_server.sh" & -else -$RUN_SUDO "${srcdir}/t_server_null_server.sh" & -fi - +"${srcdir}/t_server_null_server.sh" & "${srcdir}/t_server_null_client.sh" retval=$? diff --git a/tests/t_server_null_client.sh b/tests/t_server_null_client.sh index 8890007..e7dd332 100755 --- a/tests/t_server_null_client.sh +++ b/tests/t_server_null_client.sh @@ -1,4 +1,4 @@ -#!/usr/bin/env sh +#!/bin/sh launch_client() { test_name=$1 @@ -76,19 +76,22 @@ count=0 server_max_wait=15 while [ $count -lt $server_max_wait ]; do -server_pids="" -server_count=$(set|grep 'SERVER_NAME_'|wc -l) +servers_up=0 +server_count=$(echo $TEST_SERVER_LIST|wc -w) # We need to trim single-quotes because some shells return quoted values # and some don't. Using "set -o posix" which would resolve this problem is # not supported in all shells. +# +# While inactive server configurations may get checked they won't increase +# the active server count as the processes won't be running. for i in `set|grep 'SERVER_NAME_'|cut -d "=" -f 2|tr -d "[\']"`; do server_pid=$(cat $i.pid 2> /dev/null) -server_pids="${server_pids} ${server_pid}" +if ps -p $server_pid > /dev/null 2>&1; then +servers_up=$(( $servers_up + 1 )) +fi done -servers_up=$(ps -p $server_pids 2>/dev/null|sed '1d'|wc -l) - echo "OpenVPN test servers up: ${servers_up}/${server_count}" if [ $servers_up -ge $server_count ]; then @@ -101,6 +104,7 @@ if [ $count -eq $server_max_wait ]; then retval=1 +exit $retval fi done diff --git a/tests/t_server_null_default.rc b/tests/t_server_null_default.rc index 63b6bcd..825bb52 100755 --- a/tests/t_server_null_default.rc +++ b/tests/t_server_null_default.rc @@ -24,7 +24,7 @@ MAX_CLIENTS="10" CLIENT_MATCH="Test-Client" SERVER_EXEC="${top_builddir}/src/openvpn/openvpn" -SERVER_BASE_OPTS="--daemon --local 127.0.0.1 --dev tun --topology subnet --server 10.29.41.0 255.255.255.0 --max-clients $MAX_CLIENTS --persist-tun --verb 3" +SERVER_BASE_OPTS="--daemon --local 127.0.0.1 --dev tun --topology subnet --max-clients $MAX_CLIENTS --persist-tun --verb 3" SERVER_CIPHER_OPTS="" SERVER_CERT_OPTS="--ca ${CA} --dh ${DH} --cert ${SERVER_CERT} --key ${SERVE
[Openvpn-devel] [PATCH applied] Re: mbedtls: Warn if --tls-version-min is too low
Thanks for that. This fixes my server test rig, which sets --tls-version-min to accept connections from very old clients - it will now (still) fail old clients that can not do TLS 1.2 (namely, OpenVPN 2.2(!) - 2.3 and up are fine), but it will not fail "everything else" as the current code did. Your patch has been applied to the master branch. commit c535fa7afe45937bbc7dda435b2b05e57f7ecd53 (master) Author: Max Fillinger Date: Wed Jul 3 19:41:58 2024 +0200 mbedtls: Warn if --tls-version-min is too low Signed-off-by: Max Fillinger Acked-by: Arne Schwabe Message-Id: <20240703174158.7137-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28865.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] mbedtls: Warn if --tls-version-min is too low
From: Max Fillinger Recent versions of mbedtls only support TLS 1.2. When the minimum version is set to TLS 1.0 or 1.1, log a warning and use 1.2 as the actual minimum version. Change-Id: Ibc641388d8016533c94dfef3618376f6dfa91f4e Signed-off-by: Max Fillinger Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/684 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/src/openvpn/options.c b/src/openvpn/options.c index dbe1425..64e67aa 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -8942,6 +8942,15 @@ msg(msglevel, "unknown tls-version-min parameter: %s", p[1]); goto err; } + +#ifdef ENABLE_CRYPTO_MBEDTLS +if (ver < TLS_VER_1_2) +{ +msg(M_WARN, "--tls-version-min %s is not supported by mbedtls, using 1.2", p[1]); +ver = TLS_VER_1_2; +} +#endif + options->ssl_flags &= ~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT); options->ssl_flags |= (ver << SSLF_TLS_VERSION_MIN_SHIFT); ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: configure: Try to detect LZO with pkg-config
Detailed test reports are in the gerrit notes... so not repeating them here :-) - but finally, we have something that just detects LZO "wherever it is", as long as a pkg-config entry is there - the need to have LZO_CFLAGS/LZO_LIBS on all the *BSDs has irked me since 2.1 or so... (thanks!) Sanity-tested the 2.6 branch via GHA. Your patch has been applied to the master and release/2.6 branch (no real code change, maintenance). commit 0ea51261d096b54281287bbd2a6899041c4dbd43 (master) commit 3c43b016e9767df74909ea5644399e8872e38c97 (release/2.6) Author: Frank Lichtenheld Date: Wed Jun 26 18:19:21 2024 +0200 configure: Try to detect LZO with pkg-config Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <20240626161921.179301-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28848.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Http-proxy: fix bug preventing proxy credentials caching
The original ACK came from Frank, I'm just ACKing the change v8 -> v10 (rebased, and add (void) to function declaration / prototypes where missing). I do not have a test setup to properly test this right now - I do have proxies, but they do not need auth, and especially the "cache on reconnect" needs a different client-side driving framework to verify client behaviour (volunteers for a t_client.sh-alike using the management interface?). But I am told that Frank and Gianmarco have tested this very extensively, and it does not break any of the things I *can* test (basic auth-user-pass and token). So in it goes :-) Your patch has been applied to the master and release/2.6 branch (bugfix). commit 3cfd6f961d5c92bec283ac3616e1633b4e16760c (master) commit ad0c2c078ea505436b19255ebfbc8365044c5953 (release/2.6) Author: Gianmarco De Gregori Date: Sun Jun 23 22:05:51 2024 +0200 Http-proxy: fix bug preventing proxy credentials caching Signed-off-by: Gianmarco De Gregori Acked-by: Gert Doering Acked-by: Frank Lichtenheld Message-Id: <20240623200551.20092-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28835.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v10] Http-proxy: fix bug preventing proxy credentials caching
From: Gianmarco De Gregori Caching proxy credentials was not working due to the lack of handling already defined creds in get_user_pass(), which prevented the caching from working properly. Fix this issue by getting the value of c->first_time, that indicates if we're at the first iteration of the main loop and use it as second argument of the get_user_pass_http(). Otherwise, on SIGUSR1 or SIGHUP upon instance context restart credentials would be erased every time. The nocache member has been added to the struct http_proxy_options and also a getter method to retrieve that option from ssl has been added, by doing this we're able to erase previous queried user credentials to ensure correct operation. Fixes: Trac #1187 Signed-off-by: Gianmarco De Gregori Acked-by: Gert Doering Change-Id: Ia3e06c0832c4ca0ab868c845279fb71c01a1a78a --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/523 This mail reflects revision 10 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index eb9cf28..ba9376b 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -19,9 +19,6 @@ When using ``--auth-nocache`` in combination with a user/password file and ``--chroot`` or ``--daemon``, make sure to use an absolute path. - This directive does not affect the ``--http-proxy`` username/password. - It is always cached. - --cd dir Change directory to ``dir`` prior to reading any files such as configuration files, key files, scripts, etc. ``dir`` should be an diff --git a/src/openvpn/init.c b/src/openvpn/init.c index b081b2f..a49e563 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -691,6 +691,8 @@ if (c->options.ce.http_proxy_options) { +c->options.ce.http_proxy_options->first_time = c->first_time; + /* Possible HTTP proxy user/pass input */ c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options); if (c->c1.http_proxy) diff --git a/src/openvpn/options.c b/src/openvpn/options.c index f2c7536..dbe1425 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1650,6 +1650,7 @@ SHOW_STR(auth_file); SHOW_STR(auth_file_up); SHOW_BOOL(inline_creds); +SHOW_BOOL(nocache); SHOW_STR(http_version); SHOW_STR(user_agent); for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++) @@ -3151,6 +3152,11 @@ ce->flags |= CE_DISABLED; } +if (ce->http_proxy_options) +{ +ce->http_proxy_options->nocache = ssl_get_auth_nocache(); +} + /* our socks code is not fully IPv6 enabled yet (TCP works, UDP not) * so fall back to IPv4-only (trac #1221) */ diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c index ba3d87c..5de0da4 100644 --- a/src/openvpn/proxy.c +++ b/src/openvpn/proxy.c @@ -276,7 +276,7 @@ { auth_file = p->options.auth_file_up; } -if (p->queried_creds) +if (p->queried_creds && !static_proxy_user_pass.nocache) { flags |= GET_USER_PASS_PREVIOUS_CREDS_FAILED; } @@ -288,9 +288,14 @@ auth_file, UP_TYPE_PROXY, flags); -p->queried_creds = true; -p->up = static_proxy_user_pass; +static_proxy_user_pass.nocache = p->options.nocache; } + +/* + * Using cached credentials + */ +p->queried_creds = true; +p->up = static_proxy_user_pass; } #if 0 @@ -542,7 +547,7 @@ * we know whether we need any. */ if (p->auth_method == HTTP_AUTH_BASIC || p->auth_method == HTTP_AUTH_NTLM2) { -get_user_pass_http(p, true); +get_user_pass_http(p, p->options.first_time); } #if !NTLM @@ -656,6 +661,11 @@ || p->auth_method == HTTP_AUTH_NTLM2) { get_user_pass_http(p, false); + +if (p->up.nocache) +{ +clear_user_pass_http(); +} } /* are we being called again after getting the digest server nonce in the previous transaction? */ @@ -1036,13 +1046,6 @@ } goto error; } - -/* clear state */ -if (p->options.auth_retry) -{ -clear_user_pass_http(); -} -store_proxy_authenticate(p, NULL); } /* check return code, success = 200 */ diff --git a/src/openvpn/proxy.h b/src/openvpn/proxy.h index a502c9d..d9e598c 100644 --- a/src/openvpn/proxy.h +++ b/src/openvpn/proxy.h @@ -57,6 +57,8 @@ const char *user_agent; struct http_custom_header custom_headers[MAX_CUSTOM_HTTP_HEADER]; bool inline_creds; /* auth_
[Openvpn-devel] [PATCH applied] Re: configure: Add -Wstrict-prototypes and -Wold-style-definition
"Because it makes sense" - we try to keep our style consistent and clean, and this will ensure we'll notice new commits with func() instead of func(void) prototypes. Plus fixing the inconsistencies we already had. The buildbots and GH say "this works on all supported platforms", so in it goes. Your patch has been applied to the master branch. commit 56355924b4945ec808500b18c714c111387697f9 Author: Frank Lichtenheld Date: Thu Jun 20 16:42:30 2024 +0200 configure: Add -Wstrict-prototypes and -Wold-style-definition Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <20240620144230.19586-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28823.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v4] configure: Add -Wstrict-prototypes and -Wold-style-definition
From: Frank Lichtenheld These are not covered by -Wall (nor -Wextra) but we want to enforce them. Change-Id: I6e08920e4cf4762b9f14a7461a29fa77df15255c Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/667 This mail reflects revision 4 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/configure.ac b/configure.ac index 2e5ab6a..c01ad09 100644 --- a/configure.ac +++ b/configure.ac @@ -1408,6 +1408,8 @@ ) ACL_CHECK_ADD_COMPILE_FLAGS([-Wno-stringop-truncation]) +ACL_CHECK_ADD_COMPILE_FLAGS([-Wstrict-prototypes]) +ACL_CHECK_ADD_COMPILE_FLAGS([-Wold-style-definition]) ACL_CHECK_ADD_COMPILE_FLAGS([-Wall]) if test "${enable_pedantic}" = "yes"; then diff --git a/src/openvpn/dco.h b/src/openvpn/dco.h index 50ebb35..035474f 100644 --- a/src/openvpn/dco.h +++ b/src/openvpn/dco.h @@ -247,7 +247,7 @@ * * @return list of colon-separated ciphers */ -const char *dco_get_supported_ciphers(); +const char *dco_get_supported_ciphers(void); #else /* if defined(ENABLE_DCO) */ @@ -375,7 +375,7 @@ } static inline const char * -dco_get_supported_ciphers() +dco_get_supported_ciphers(void) { return ""; } diff --git a/src/openvpn/dco_freebsd.c b/src/openvpn/dco_freebsd.c index 7c8b29c..9a90f5c 100644 --- a/src/openvpn/dco_freebsd.c +++ b/src/openvpn/dco_freebsd.c @@ -773,7 +773,7 @@ } const char * -dco_get_supported_ciphers() +dco_get_supported_ciphers(void) { return "none:AES-256-GCM:AES-192-GCM:AES-128-GCM:CHACHA20-POLY1305"; } diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c index b2584b9..277cd64 100644 --- a/src/openvpn/dco_linux.c +++ b/src/openvpn/dco_linux.c @@ -1053,7 +1053,7 @@ } const char * -dco_get_supported_ciphers() +dco_get_supported_ciphers(void) { return "AES-128-GCM:AES-256-GCM:AES-192-GCM:CHACHA20-POLY1305"; } diff --git a/src/openvpn/pkcs11.h b/src/openvpn/pkcs11.h index 3caedc0..772fa4e 100644 --- a/src/openvpn/pkcs11.h +++ b/src/openvpn/pkcs11.h @@ -35,7 +35,7 @@ ); void -pkcs11_terminate(); +pkcs11_terminate(void); bool pkcs11_addProvider( @@ -46,10 +46,10 @@ ); int -pkcs11_logout(); +pkcs11_logout(void); int -pkcs11_management_id_count(); +pkcs11_management_id_count(void); bool pkcs11_management_id_get( diff --git a/src/openvpn/sig.c b/src/openvpn/sig.c index cfbd942..8323f0d 100644 --- a/src/openvpn/sig.c +++ b/src/openvpn/sig.c @@ -448,7 +448,7 @@ } void -halt_low_priority_signals() +halt_low_priority_signals(void) { #ifndef _WIN32 struct sigaction sa; diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 2054eb4..17078c9 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -277,7 +277,7 @@ #endif void -enable_auth_user_pass() +enable_auth_user_pass(void) { auth_user_pass_enabled = true; } diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 98e59e8..0e2a43f 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -381,7 +381,7 @@ void pem_password_setup(const char *auth_file); /* Enables the use of user/password authentication */ -void enable_auth_user_pass(); +void enable_auth_user_pass(void); /* * Setup authentication username and password. If auth_file is given, use the diff --git a/src/openvpn/xkey_helper.c b/src/openvpn/xkey_helper.c index 283c95d..b68fb43 100644 --- a/src/openvpn/xkey_helper.c +++ b/src/openvpn/xkey_helper.c @@ -49,7 +49,7 @@ XKEY_EXTERNAL_SIGN_fn xkey_management_sign; static void -print_openssl_errors() +print_openssl_errors(void) { unsigned long e; while ((e = ERR_get_error())) diff --git a/src/openvpn/xkey_provider.c b/src/openvpn/xkey_provider.c index f5fc956..964d2eb 100644 --- a/src/openvpn/xkey_provider.c +++ b/src/openvpn/xkey_provider.c @@ -155,7 +155,7 @@ keymgmt_import_helper(XKEY_KEYDATA *key, const OSSL_PARAM params[]); static XKEY_KEYDATA * -keydata_new() +keydata_new(void) { xkey_dmsg(D_XKEY, "entry"); diff --git a/tests/unit_tests/openvpn/test_common.h b/tests/unit_tests/openvpn/test_common.h index f219e93..52503c6 100644 --- a/tests/unit_tests/openvpn/test_common.h +++ b/tests/unit_tests/openvpn/test_common.h @@ -33,7 +33,7 @@ * methods */ static inline void -openvpn_unit_test_setup() +openvpn_unit_test_setup(void) { assert_int_equal(setvbuf(stdout, NULL, _IONBF, BUFSIZ), 0); assert_int_equal(setvbuf(stderr, NULL, _IONBF, BUFSIZ), 0); diff --git a/tests/unit_tests/openvpn/test_pkcs11.c b/tests/unit_tests/openvpn/test_pkcs11.c index 84ebb29..6d283a2 100644 --- a/tests/unit_tests/openvpn/test_pkcs11.c +++ b/tests/unit_tests/openvpn/test_pkcs11.c @@ -134,7 +134,7 @@ /* Fill-in certs[] array */ void -init_cert_data() +init_cert_data(void) { struct test_cert certs_local[] = {
[Openvpn-devel] [PATCH v2] configure: Add -Wstrict-prototypes and -Wold-style-definition
From: Frank Lichtenheld These are not covered by -Wall (nor -Wextra) but we want to enforce them. Change-Id: I6e08920e4cf4762b9f14a7461a29fa77df15255c Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/667 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/configure.ac b/configure.ac index 2e5ab6a..c01ad09 100644 --- a/configure.ac +++ b/configure.ac @@ -1408,6 +1408,8 @@ ) ACL_CHECK_ADD_COMPILE_FLAGS([-Wno-stringop-truncation]) +ACL_CHECK_ADD_COMPILE_FLAGS([-Wstrict-prototypes]) +ACL_CHECK_ADD_COMPILE_FLAGS([-Wold-style-definition]) ACL_CHECK_ADD_COMPILE_FLAGS([-Wall]) if test "${enable_pedantic}" = "yes"; then diff --git a/src/openvpn/dco.h b/src/openvpn/dco.h index 50ebb35..035474f 100644 --- a/src/openvpn/dco.h +++ b/src/openvpn/dco.h @@ -247,7 +247,7 @@ * * @return list of colon-separated ciphers */ -const char *dco_get_supported_ciphers(); +const char *dco_get_supported_ciphers(void); #else /* if defined(ENABLE_DCO) */ @@ -375,7 +375,7 @@ } static inline const char * -dco_get_supported_ciphers() +dco_get_supported_ciphers(void) { return ""; } diff --git a/src/openvpn/dco_freebsd.c b/src/openvpn/dco_freebsd.c index 7c8b29c..9a90f5c 100644 --- a/src/openvpn/dco_freebsd.c +++ b/src/openvpn/dco_freebsd.c @@ -773,7 +773,7 @@ } const char * -dco_get_supported_ciphers() +dco_get_supported_ciphers(void) { return "none:AES-256-GCM:AES-192-GCM:AES-128-GCM:CHACHA20-POLY1305"; } diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c index b2584b9..277cd64 100644 --- a/src/openvpn/dco_linux.c +++ b/src/openvpn/dco_linux.c @@ -1053,7 +1053,7 @@ } const char * -dco_get_supported_ciphers() +dco_get_supported_ciphers(void) { return "AES-128-GCM:AES-256-GCM:AES-192-GCM:CHACHA20-POLY1305"; } diff --git a/src/openvpn/sig.c b/src/openvpn/sig.c index cfbd942..8323f0d 100644 --- a/src/openvpn/sig.c +++ b/src/openvpn/sig.c @@ -448,7 +448,7 @@ } void -halt_low_priority_signals() +halt_low_priority_signals(void) { #ifndef _WIN32 struct sigaction sa; diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 2054eb4..17078c9 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -277,7 +277,7 @@ #endif void -enable_auth_user_pass() +enable_auth_user_pass(void) { auth_user_pass_enabled = true; } diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 98e59e8..0e2a43f 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -381,7 +381,7 @@ void pem_password_setup(const char *auth_file); /* Enables the use of user/password authentication */ -void enable_auth_user_pass(); +void enable_auth_user_pass(void); /* * Setup authentication username and password. If auth_file is given, use the diff --git a/src/openvpn/xkey_helper.c b/src/openvpn/xkey_helper.c index 283c95d..b68fb43 100644 --- a/src/openvpn/xkey_helper.c +++ b/src/openvpn/xkey_helper.c @@ -49,7 +49,7 @@ XKEY_EXTERNAL_SIGN_fn xkey_management_sign; static void -print_openssl_errors() +print_openssl_errors(void) { unsigned long e; while ((e = ERR_get_error())) diff --git a/src/openvpn/xkey_provider.c b/src/openvpn/xkey_provider.c index f5fc956..964d2eb 100644 --- a/src/openvpn/xkey_provider.c +++ b/src/openvpn/xkey_provider.c @@ -155,7 +155,7 @@ keymgmt_import_helper(XKEY_KEYDATA *key, const OSSL_PARAM params[]); static XKEY_KEYDATA * -keydata_new() +keydata_new(void) { xkey_dmsg(D_XKEY, "entry"); diff --git a/tests/unit_tests/openvpn/test_common.h b/tests/unit_tests/openvpn/test_common.h index f219e93..52503c6 100644 --- a/tests/unit_tests/openvpn/test_common.h +++ b/tests/unit_tests/openvpn/test_common.h @@ -33,7 +33,7 @@ * methods */ static inline void -openvpn_unit_test_setup() +openvpn_unit_test_setup(void) { assert_int_equal(setvbuf(stdout, NULL, _IONBF, BUFSIZ), 0); assert_int_equal(setvbuf(stderr, NULL, _IONBF, BUFSIZ), 0); diff --git a/tests/unit_tests/openvpn/test_provider.c b/tests/unit_tests/openvpn/test_provider.c index 934b2d3..cfe9ac3 100644 --- a/tests/unit_tests/openvpn/test_provider.c +++ b/tests/unit_tests/openvpn/test_provider.c @@ -119,7 +119,7 @@ } static void -init_test() +init_test(void) { openvpn_unit_test_setup(); prov[0] = OSSL_PROVIDER_load(NULL, "default"); @@ -135,7 +135,7 @@ } static void -uninit_test() +uninit_test(void) { for (size_t i = 0; i < _countof(prov); i++) { diff --git a/tests/unit_tests/openvpn/test_ssl.c b/tests/unit_tests/openvpn/test_ssl.c index a9a3137..5da5b1c 100644 --- a/tests/unit_tests/openvpn/test_ssl.c +++ b/tests/unit_tests/openvpn/test_ssl.c @@ -81,7 +81,7 @@ "-EN
[Openvpn-devel] [PATCH applied] Re: t_server_null.sh: Fix failure case
Yeah, obvious in hindsight :-) Your patch has been applied to the master branch. commit c9f29e35cd475f18c34aa96eb5fad452210404f9 Author: Frank Lichtenheld Date: Thu Jun 20 12:37:48 2024 +0200 t_server_null.sh: Fix failure case Signed-off-by: Frank Lichtenheld Acked-by: Samuli Seppänen Message-Id: <20240620103749.7923-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28815.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] t_server_null.sh: Fix failure case
From: Frank Lichtenheld The changes for POSIX shell compatibility and parallel make compatibility broke actually failing the test when a subtest fails. Change-Id: I35f7cf84e035bc793d6f0f59e46edf1a2efe0391 Signed-off-by: Frank Lichtenheld Acked-by: Samuli Seppänen --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/668 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Samuli Seppänen diff --git a/tests/t_server_null.sh b/tests/t_server_null.sh index cfca5ee..0e53ba4 100755 --- a/tests/t_server_null.sh +++ b/tests/t_server_null.sh @@ -64,9 +64,12 @@ fi "${srcdir}/t_server_null_client.sh" +retval=$? # When running make jobs in parallel ("make -j check") we need to ensure # that this script does not exit before all --dev null servers are dead and # their network interfaces are gone. Otherwise t_client.sh will fail because # pre and post ifconfig output does not match. wait + +exit $retval diff --git a/tests/t_server_null_client.sh b/tests/t_server_null_client.sh index 5d5542b..8890007 100755 --- a/tests/t_server_null_client.sh +++ b/tests/t_server_null_client.sh @@ -130,7 +130,7 @@ eval test_name=\"\$TEST_NAME_$SUF\" eval should_pass=\"\$SHOULD_PASS_$SUF\" -(get_client_test_result "${test_name}" "${should_pass}") +get_client_test_result "${test_name}" "${should_pass}" done exit $retval ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: interactive.c: Improve access control for gui<->service pipe
Indeed, the patch differs only in a single line, related to the snprintf() cleanup (which is only in master). Thanks, Lev, and Selva. Stared at code differences (fine) and test compiled via GHA and local ubuntu/mingw - all good. Your patch has been applied to the master branch. commit babf312ee0486e50ff1f7db5b544afc72ff7c922 Author: Lev Stipakov Date: Wed Jun 19 17:46:08 2024 +0300 interactive.c: Improve access control for gui<->service pipe Signed-off-by: Lev Stipakov Acked-by: Selva Nair Message-Id: <20240619144629.1718-2-...@openvpn.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28808.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: interactive.c: Improve access control for gui<->service pipe
This is another "developed in secrecy on the security@ mailing list" patch, because it has security implications. It affects windows builds, where it is possible to have two different processes provide a pipe with the same name (e!), and a connecting client will might not end up at the interactive service but at "some random process". This is not a major issue in itself, but the GUI sends a "user credentials token" (so openvpn.exe can be run as "normal user" later on) and this can be abused by a malicious process to get access to the user running openvpn-gui.exe - now, it's a somewhat theoretical attack (malicious software having sufficient privileges to do use a user token, but not having either "that user access" or "system privs" to start with) - but it's worth fixing. So, just stay calm, don't panic, and upgrade to 2.6.11 ;-) I have not tested this beyond "does it compile?" on a local ubuntu/mingw build and on GHA. Lev, Selva and Heiko did all the grunt work on coming up with a solution and testing the patch. Your patch has been applied to the release/2.6 branch. A rebase to master is in the works (this conflicted with the snprintf() cleanup patch, which is "only in master" and was merged right after *this* was developed and tested). Backport to release/2.5 is not fully straightforward either - there have been a number of fixes to interactive.c, and not all of them have been backported. OTOH, we do not intend to provide 2.5.x windows binaries ever again (and said so at 2.5.10 release), so now is the time to upgrade your windows clients to 2.6.x commit 51301eb6c233c284270e3f4ed0c7f5781f2b5c62 (release/2.6) Author: Lev Stipakov Date: Wed Jun 19 16:44:23 2024 +0300 interactive.c: Improve access control for gui<->service pipe Signed-off-by: Lev Stipakov Acked-by: Selva Nair Message-Id: <20240619134451.222-1-...@openvpn.net> URL: https://www.mail-archive.com/search?l=mid&q=20240619134451.222-1-...@openvpn.net Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied] Re: mbedtls: Remove support for old TLS versions
Hi, On Wed, Jun 19, 2024 at 01:38:46PM +, Maximilian Fillinger wrote: > I *think* I reproduced the problem you're encountering. > > If I put > > setenv opt tls-version-min 1.0 > > in the server config, then *every* connection attempt will trigger a fatal > error in the server. Doesn't matter what TLS versions the client supports. > > If I put that option into the client config, the client will exit with an > error during startup. > > It's not clear to me what the expected behavior is when tls-version-min is an > unsupported version, but if it's an error, it should happen during start-up. I would argue for - we log "minimum supported version is 1.2" and go on or - we log "minimum supported version is 1.2" and exit both is acceptable. It will break people's setups in different ways, though... the first will pretend all is well, and older clients can no longer connect, while the second one will break everything, so making it more obvious. gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Properly handle null bytes and invalid characters in control messages
I have tested this with lots of well-behaved peers - namely, client against 2.3/2.4/2.5 servers, and (master) server against 2.2-master clients. All works :-) (I did not test with a malicious endpoint). Also, it has unit tests ;-) Your patch has been applied to the master, release/2.6 and release/2.5 branch. The 2.6 pullup pulls in "other unit tests" that have been master-only so far. Which is a bit of an annoyance, but having the UTs is good, they *pass* on 2.6, and it's easier on me than trying to only bring in this new test. On the 2.5 pullup I have left out the unit tests, and had to amend the code lightly to remove the EXIT and AUTH_PENDING message handling. release/2.4 is considered end of maintenance. commit 414f428fa29694090ec4c46b10a8aba419c85659 (master) commit 90e7a858e5594d9a019ad2b4ac6154124986291a (release/2.6) commit d4921ba22f5ae4537d808986743a228617c86328 (release/2.5) Author: Arne Schwabe Date: Mon May 27 15:02:41 2024 +0200 Properly handle null bytes and invalid characters in control messages Signed-off-by: Arne Schwabe Acked-by: Antonio Quartulli Message-Id: <20240619103004.56460-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28791.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v3] Properly handle null bytes and invalid characters in control messages
Hi, On Wed, Jun 19, 2024 at 12:30:04PM +0200, Gert Doering wrote: > From: Arne Schwabe > > This makes OpenVPN more picky in accepting control message in two aspects: > - Characters are checked in the whole buffer and not until the first > NUL byte > - if the message contains invalid characters, we no longer continue > evaluating a fixed up version of the message but rather stop > processing it completely. [..] > CVE: 2024-5594 So, for the record - this patch was discussed and reviewed "in private" on the secur...@openvpn.net list, because it was seen as having security implications. 2.6.11 release will happen today or tomorrow, so I'm posting this patch to the public list now for transparency, and will proceed with testing and merging. The security impact is fairly moderate - namely, a malicious peer can send (hand crafted) control channel messages that mess up logging(!) on the other side. No breach of crypto, leak of information, or remote code execution. But still an annoyance to be fixed and properly documented. Thanks, Reynir, for reading our sources with so much passion for details :-) gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v3] Properly handle null bytes and invalid characters in control messages
From: Arne Schwabe This makes OpenVPN more picky in accepting control message in two aspects: - Characters are checked in the whole buffer and not until the first NUL byte - if the message contains invalid characters, we no longer continue evaluating a fixed up version of the message but rather stop processing it completely. Previously it was possible to get invalid characters to end up in log files or on a terminal. This also prepares the logic a bit in the direction of having a proper framing of control messages separated by null bytes instead of relying on the TLS framing for that. All OpenVPN implementations write the 0 bytes between control commands. This patch also include several improvement suggestion from Reynir (thanks!). CVE: 2024-5594 Reported-By: Reynir Bj�rnsson Change-Id: I0d926f910637dabc89bf5fa919dc6beef1eb46d9 Signed-off-by: Arne Schwabe Acked-by: Antonio Quartulli --- src/openvpn/buffer.c | 17 src/openvpn/buffer.h | 12 +++ src/openvpn/forward.c | 123 - tests/unit_tests/openvpn/test_buffer.c | 24 + 4 files changed, 132 insertions(+), 44 deletions(-) diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c index 3a8069c56..abe6a9c89 100644 --- a/src/openvpn/buffer.c +++ b/src/openvpn/buffer.c @@ -1087,6 +1087,23 @@ string_mod(char *str, const unsigned int inclusive, const unsigned int exclusive return ret; } +bool +string_check_buf(struct buffer *buf, const unsigned int inclusive, const unsigned int exclusive) +{ +ASSERT(buf); + +for (int i = 0; i < BLEN(buf); i++) +{ +char c = BSTR(buf)[i]; + +if (!char_inc_exc(c, inclusive, exclusive)) +{ +return false; +} +} +return true; +} + const char * string_mod_const(const char *str, const unsigned int inclusive, diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h index 27c319952..8a40010bc 100644 --- a/src/openvpn/buffer.h +++ b/src/openvpn/buffer.h @@ -943,6 +943,18 @@ bool string_class(const char *str, const unsigned int inclusive, const unsigned */ bool string_mod(char *str, const unsigned int inclusive, const unsigned int exclusive, const char replace); + +/** + * Check a buffer if it only consists of allowed characters. + * + * @param buf The buffer to be checked. + * @param inclusive The character classes that are allowed. + * @param exclusive Character classes that are not allowed even if they are also in inclusive. + * @return True if the string consists only of allowed characters, false otherwise. + */ +bool +string_check_buf(struct buffer *buf, const unsigned int inclusive, const unsigned int exclusive); + /** * Returns a copy of a string with certain classes of characters of it replaced with a specified * character. diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 01165b2ed..ef35bc619 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -230,6 +230,51 @@ check_tls(struct context *c) } } +static void +parse_incoming_control_channel_command(struct context *c, struct buffer *buf) +{ +if (buf_string_match_head_str(buf, "AUTH_FAILED")) +{ +receive_auth_failed(c, buf); +} +else if (buf_string_match_head_str(buf, "PUSH_")) +{ +incoming_push_message(c, buf); +} +else if (buf_string_match_head_str(buf, "RESTART")) +{ +server_pushed_signal(c, buf, true, 7); +} +else if (buf_string_match_head_str(buf, "HALT")) +{ +server_pushed_signal(c, buf, false, 4); +} +else if (buf_string_match_head_str(buf, "INFO_PRE")) +{ +server_pushed_info(c, buf, 8); +} +else if (buf_string_match_head_str(buf, "INFO")) +{ +server_pushed_info(c, buf, 4); +} +else if (buf_string_match_head_str(buf, "CR_RESPONSE")) +{ +receive_cr_response(c, buf); +} +else if (buf_string_match_head_str(buf, "AUTH_PENDING")) +{ +receive_auth_pending(c, buf); +} +else if (buf_string_match_head_str(buf, "EXIT")) +{ +receive_exit_message(c); +} +else +{ +msg(D_PUSH_ERRORS, "WARNING: Received unknown control message: %s", BSTR(buf)); +} +} + /* * Handle incoming configuration * messages on the control channel. @@ -245,51 +290,41 @@ check_incoming_control_channel(struct context *c) struct buffer buf = alloc_buf_gc(len, &gc); if (tls_rec_payload(c->c2.tls_multi, &buf)) { -/* force null termination of message */ -buf_null_terminate(&buf); - -/* enforce character class restrictions */ -string_mod(BSTR(&buf), CC_PRINT, CC_CRLF, 0); -if (buf_string_match_head_str(&buf, "AUTH_FAILED")) +while (BLEN(&buf) > 1) { -receive_auth_failed(c, &buf); -} -else if (buf_string_match_head_str(&buf, "PUSH_")) -{ -incoming_push_message
[Openvpn-devel] [PATCH applied] Re: Implement server_poll_timeout for socks
Took me long enough, but now it's in :-) - thanks, and thanks ValdikSS for reporting test success. I've run this on the server side test bed (which will not excercise SOCKS paths, but to verify that "nothing unrelated got hit") and on the client, with a few SOCKs proxy tests. These are all "fast proxies" so do not excercise the new timeout handling - and I did not find time to build something with dummynet to make it actually test on a "really slow proxy". Testing using an unreachable IP didn't yield proper results (because the TCP connect is still goverened by the "base" timeout), so you need something which answers TCP/1080, and then "is slow"... Testing using a "dead" netcat 'socks server' ("nc -k -l 1080") leads to - old code: give up after 5 seconds ("TCP port read timeout"), always - new code: respect --connect-timeout (shorter or longer than 5s) Your patch has been applied to the master and release/2.6 branch (I consider it a bugfix, and while the code touches a few places, it only really changes very localized socks.c code). commit b3a68b85a729628ca8b97f9f0c2813f795289cfc (master) commit 94bfb712366ece1ca3605d18e99580f482f0232b (release/2.6) Author: 5andr0 Date: Fri Mar 15 17:20:11 2024 +0100 Implement server_poll_timeout for socks Signed-off-by: 5andr0 Acked-by: Frank Lichtenheld Message-Id: <20240315162011.1661139-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28408.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied] Re: mbedtls: Remove support for old TLS versions
Hi, this breaks *all* client connects on my server testbed. No matter if 2.2 or 2.5 client, when building with mbedtls (2.28.7), the resulting binary refuses ALL incoming connection with Jun 19 10:21:44 gentoo tap-udp-p2mp[1723]: 2001:608:0:814::f000:16 tls_version_to_ssl_version: invalid or unsupported TLS version 1 Jun 19 10:21:44 gentoo tap-tcp-p2p[1770]: tls_version_to_ssl_version: invalid or unsupported TLS version 1 Jun 19 10:21:59 gentoo tun-tcp-p2mp[1708]: tls_version_to_ssl_version: invalid or unsupported TLS version 1 Jun 19 10:22:32 gentoo tun-udp-p2mp[1713]: 194.97.140.21:49229 tls_version_to_ssl_version: invalid or unsupported TLS version 2 Jun 19 10:23:05 gentoo tun-udp-p2mp-topology-subnet[1718]: 194.97.140.21:45789 tls_version_to_ssl_version: invalid or unsupported TLS version 1 Jun 19 10:24:11 gentoo tun-udp-p2mp-fragment[1746]: 194.97.140.21:14517 tls_version_to_ssl_version: invalid or unsupported TLS version 1 Jun 19 10:44:49 gentoo tun-udp-p2mp-112-mask[1741]: 194.97.140.21:42810 tls_version_to_ssl_version: invalid or unsupported TLS version 1 so my guess would be that on mbedTLS builds that *do* support 1.1/1.2, incoming client connects with 1.1/1.2 cause "something to get upset" in the TLS version printer. Sorry for not testing this more thoroughly before merging. gert On Tue, Jun 18, 2024 at 06:30:05PM +0200, Gert Doering wrote: > Mildly tested via GHA builds. > > Not sure we want this in release/2.6 - I tend to "not", because it might > break someone's (non-recommended) setup... > > Your patch has been applied to the master branch. > > commit 013c119af96bc57c41e04e4a8f64b5d80e2e9ba6 > Author: Max Fillinger > Date: Tue Jun 18 14:02:19 2024 +0200 > > mbedtls: Remove support for old TLS versions > > Signed-off-by: Max Fillinger > Acked-by: Arne Schwabe > Message-Id: <20240618120219.5053-1-g...@greenie.muc.de> > URL: > https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28773.html > Signed-off-by: Gert Doering > > > -- > kind regards, > > Gert Doering > > > > ___ > Openvpn-devel mailing list > Openvpn-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/openvpn-devel > -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Add t_server_null test suite
I have not tested this yet, just looked at a few details - we've discussed using @SHELL@ to get a known-working shell, which is more likely to succeed than assuming "#!/usr/bin/env" will exist, or that the "sh" it finds will be useful (Solaris, I'm looking at you...). Also, documenting that scripts do not properly get waited for does not make it a feature... But anyway. Let's move onwards, and improve iteratively. Your patch has been applied to the master branch. commit 06c7ce5d1fc3b17e0da731d22002e58b9e2d4994 Author: Samuli Seppänen Date: Thu Jun 13 10:14:22 2024 +0200 Add t_server_null test suite Signed-off-by: Samuli Seppänen Acked-by: Frank Lichtenheld Message-Id: <20240613081422.139493-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28750.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Remove experimental denotation for --fast-io
Documentation is good :-) - not tested besides a local build ("are all the double quotes still in the right spot"). Your patch has been applied to the master and release/2.6 branch (docs). commit f6ee77d1f6149cf8f8982998aee6d433f58be507 (master) commit d5c4c643f36637987d830494b407f2855c5e3fea (release/2.6) Author: Frank Lichtenheld Date: Tue Jun 18 14:01:56 2024 +0200 Remove experimental denotation for --fast-io Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240618120156.4836-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28772.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Fix MBEDTLS_DEPRECATED_REMOVED build errors
Mildly tested via GHA compilation. Not sure what option I need to really trigger an "it would break without that patch" scenario so not really tested that much. Your patch has been applied to the master branch. commit 8eb397de3656402872f9c9584c6f703b87b50762 Author: rein.vanbaaren Date: Tue Jun 18 14:01:26 2024 +0200 Fix MBEDTLS_DEPRECATED_REMOVED build errors Signed-off-by: Max Fillinger Acked-by: Arne Schwabe Message-Id: <20240618120127.4564-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28771.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: mbedtls: Remove support for old TLS versions
Mildly tested via GHA builds. Not sure we want this in release/2.6 - I tend to "not", because it might break someone's (non-recommended) setup... Your patch has been applied to the master branch. commit 013c119af96bc57c41e04e4a8f64b5d80e2e9ba6 Author: Max Fillinger Date: Tue Jun 18 14:02:19 2024 +0200 mbedtls: Remove support for old TLS versions Signed-off-by: Max Fillinger Acked-by: Arne Schwabe Message-Id: <20240618120219.5053-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28773.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v2] mbedtls: Remove support for old TLS versions
From: Max Fillinger Recent versions of mbedtls have dropped support for TLS 1.0 and 1.1. Rather than checking which versions are supported, drop support for everything before 1.2. Change-Id: Ia3883a26ac26df6bbb5353fb074a2e0f814737be Signed-off-by: Max Fillinger Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/682 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index a68588e..ec9ec13 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -1040,12 +1040,8 @@ { #if defined(MBEDTLS_SSL_PROTO_TLS1_2) return TLS_VER_1_2; -#elif defined(MBEDTLS_SSL_PROTO_TLS1_1) -return TLS_VER_1_1; -#elif defined(MBEDTLS_SSL_PROTO_TLS1) -return TLS_VER_1_0; #else /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */ -#error "mbedtls is compiled without support for TLS 1.0, 1.1 and 1.2." +#error "mbedtls is compiled without support for TLS 1.2." #endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */ } @@ -1067,20 +1063,6 @@ switch (tls_ver) { -#if defined(MBEDTLS_SSL_PROTO_TLS1) -case TLS_VER_1_0: -*major = MBEDTLS_SSL_MAJOR_VERSION_3; -*minor = MBEDTLS_SSL_MINOR_VERSION_1; -break; -#endif - -#if defined(MBEDTLS_SSL_PROTO_TLS1_1) -case TLS_VER_1_1: -*major = MBEDTLS_SSL_MAJOR_VERSION_3; -*minor = MBEDTLS_SSL_MINOR_VERSION_2; -break; -#endif - #if defined(MBEDTLS_SSL_PROTO_TLS1_2) case TLS_VER_1_2: *major = MBEDTLS_SSL_MAJOR_VERSION_3; ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] Remove "experimental" denotation for --fast-io
From: Frank Lichtenheld This option is very old (from SVN days) and has been used by Access Server for many years. I don't think it makes sense to claim that it is "experimental" at this point. Change-Id: I913bb70c5e527e78e7cdb43110e23a8944f35a22 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/664 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index f8a0f48..eb9cf28 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -215,7 +215,7 @@ are supported by OpenSSL. --fast-io - (Experimental) Optimize TUN/TAP/UDP I/O writes by avoiding a call to + Optimize TUN/TAP/UDP I/O writes by avoiding a call to poll/epoll/select prior to the write operation. The purpose of such a call would normally be to block until the device or socket is ready to accept the write. Such blocking is unnecessary on some platforms which diff --git a/src/openvpn/options.c b/src/openvpn/options.c index abcde89..f2c7536 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -268,7 +268,7 @@ #if ENABLE_IP_PKTINFO "--multihome : Configure a multi-homed UDP server.\n" #endif -"--fast-io : (experimental) Optimize TUN/TAP/UDP writes.\n" +"--fast-io : Optimize TUN/TAP/UDP writes.\n" "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n" "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n" "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n" ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v4] Fix MBEDTLS_DEPRECATED_REMOVED build errors
From: rein.vanbaaren This commit allows compiling OpenVPN with recent versions of mbed TLS if MBEDTLS_DEPRECATED_REMOVED is defined. Change-Id: If96c2ebd2af16b18ed34820e8c0531547e2076d9 Signed-off-by: Max Fillinger Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/681 This mail reflects revision 4 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/src/openvpn/mbedtls_compat.h b/src/openvpn/mbedtls_compat.h index d742b54..8559c2e 100644 --- a/src/openvpn/mbedtls_compat.h +++ b/src/openvpn/mbedtls_compat.h @@ -40,6 +40,7 @@ #include #include #include +#include #include #include #include @@ -51,6 +52,12 @@ #include #endif +#if MBEDTLS_VERSION_NUMBER >= 0x0300 +typedef uint16_t mbedtls_compat_group_id; +#else +typedef mbedtls_ecp_group_id mbedtls_compat_group_id; +#endif + static inline void mbedtls_compat_psa_crypto_init(void) { @@ -64,6 +71,16 @@ #endif /* HAVE_MBEDTLS_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) */ } +static inline mbedtls_compat_group_id +mbedtls_compat_get_group_id(const mbedtls_ecp_curve_info *curve_info) +{ +#if MBEDTLS_VERSION_NUMBER >= 0x0300 +return curve_info->tls_id; +#else +return curve_info->grp_id; +#endif +} + /* * In older versions of mbedtls, mbedtls_ctr_drbg_update() did not return an * error code, and it was deprecated in favor of mbedtls_ctr_drbg_update_ret() @@ -124,6 +141,34 @@ } #if MBEDTLS_VERSION_NUMBER < 0x03020100 +typedef enum { +MBEDTLS_SSL_VERSION_UNKNOWN, /*!< Context not in use or version not yet negotiated. */ +MBEDTLS_SSL_VERSION_TLS1_2 = 0x0303, /*!< (D)TLS 1.2 */ +MBEDTLS_SSL_VERSION_TLS1_3 = 0x0304, /*!< (D)TLS 1.3 */ +} mbedtls_ssl_protocol_version; + +static inline void +mbedtls_ssl_conf_min_tls_version(mbedtls_ssl_config *conf, mbedtls_ssl_protocol_version tls_version) +{ +int major = (tls_version >> 8) & 0xff; +int minor = tls_version & 0xff; +mbedtls_ssl_conf_min_version(conf, major, minor); +} + +static inline void +mbedtls_ssl_conf_max_tls_version(mbedtls_ssl_config *conf, mbedtls_ssl_protocol_version tls_version) +{ +int major = (tls_version >> 8) & 0xff; +int minor = tls_version & 0xff; +mbedtls_ssl_conf_max_version(conf, major, minor); +} + +static inline void +mbedtls_ssl_conf_groups(mbedtls_ssl_config *conf, mbedtls_compat_group_id *groups) +{ +mbedtls_ssl_conf_curves(conf, groups); +} + static inline size_t mbedtls_cipher_info_get_block_size(const mbedtls_cipher_info_t *cipher) { diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index ec9ec13..bb88da9 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -402,7 +402,7 @@ /* Get number of groups and allocate an array in ctx */ int groups_count = get_num_elements(groups, ':'); -ALLOC_ARRAY_CLEAR(ctx->groups, mbedtls_ecp_group_id, groups_count + 1) +ALLOC_ARRAY_CLEAR(ctx->groups, mbedtls_compat_group_id, groups_count + 1) /* Parse allowed ciphers, getting IDs */ int i = 0; @@ -419,11 +419,15 @@ } else { -ctx->groups[i] = ci->grp_id; +ctx->groups[i] = mbedtls_compat_get_group_id(ci); i++; } } -ctx->groups[i] = MBEDTLS_ECP_DP_NONE; + +/* Recent mbedtls versions state that the list of groups must be terminated + * with 0. Older versions state that it must be terminated with MBEDTLS_ECP_DP_NONE + * which is also 0, so this works either way. */ +ctx->groups[i] = 0; gc_free(&gc); } @@ -1046,33 +1050,30 @@ } /** - * Convert an OpenVPN tls-version variable to mbed TLS format (i.e. a major and - * minor ssl version number). + * Convert an OpenVPN tls-version variable to mbed TLS format * * @param tls_ver The tls-version variable to convert. - * @param major Returns the TLS major version in mbed TLS format. - * Must be a valid pointer. - * @param minor Returns the TLS minor version in mbed TLS format. - * Must be a valid pointer. + * + * @return Translated mbedTLS SSL version from OpenVPN TLS version. */ -static void -tls_version_to_major_minor(int tls_ver, int *major, int *minor) +mbedtls_ssl_protocol_version +tls_version_to_ssl_version(int tls_ver) { -ASSERT(major); -ASSERT(minor); - switch (tls_ver) { #if defined(MBEDTLS_SSL_PROTO_TLS1_2) case TLS_VER_1_2: -*major = MBEDTLS_SSL_MAJOR_VERSION_3; -*minor = MBEDTLS_SSL_MINOR_VERSION_3; -break; +return MBEDTLS_SSL_VERSION_TLS1_2; +#endif + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) +case TLS_VER_1_3: +return MBEDTLS_SSL_VERSION_TLS1_3; #endif default: msg(M_FATAL, "%s: invalid or unsupported TLS version %d
Re: [Openvpn-devel] windows client tests needed
Hi, if you think this is a useful security enhancement, and would like to have it in a "short term" 2.6.x release, we need test results... please! gert On Thu, Jun 06, 2024 at 02:23:33PM +0200, Gert Doering wrote: > Hi, > > we have new code in master that helps with the "TunnelCrack" and > "TunnelVision" attacks, that is, packets intended to go into the > VPN being leaked away by means of a malicious DHCP server (= routing > points outside the tunnel, so packets never hit OpenVPN). > > We used to have > > block-outside-dns > > to prevent Windows from doing DNS lookups "around the VPN" - the main > intent of this was "make sure split DNS works", but a side effect has > also been "avoid DNS leaks". > > Heiko has now extended this code to be able to "block everything not > going into the VPN". To activate this, you need > > redirect-gateway def1 block-local > > in your config ("block-local" is the keyword, but without "def1" you > end up with a split-tunnel and "nothing else is allowed", which is rarely > a really good combination). > > Repeat: if "redirect-gateway block-local" is active, NO packets leave > via LAN/WiFi/... interfaces, except those sourced by the openvpn.exe > process. This is important for maximum privacy, especially if you > roam into a network with an untrusted DHCP server. > > > Now - this code has been merged into "git master", and installers > are here: > >https://github.com/OpenVPN/openvpn-build/actions/runs/9391365526?pr=641 > > (bottom of the page, "Artifacts", .zip files with a .msi inside). > > > I want to have this in 2.6 as well, as it's sort of important for certain > classes of users (and also VPN providers, offering this as a service) - but > I do not feel it has been tested enough yet. > > So: PLEASE test these windows installers, in all 3 variants > > 1. > 2. block-outside-dns > (DNS is blocked, everything else not routed into the VPN tunnel - like > "your local printer" etc - still works) > 3. redirect-gateway def1 block-local > (ONLY VPN works) > > and report back to us. > > gert > > -- > "If was one thing all people took for granted, was conviction that if you > feed honest figures into a computer, honest figures come out. Never doubted > it myself till I met a computer with a sense of humor." > Robert A. Heinlein, The Moon is a Harsh Mistress > > Gert Doering - Munich, Germany g...@greenie.muc.de > ___ > Openvpn-devel mailing list > Openvpn-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/openvpn-devel -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied] Re: Implement Windows CA template match for Crypto-API selector
Hi, On Thu, Jun 06, 2024 at 01:33:24PM +0200, Gert Doering wrote: > As instructed I have removed the "and fallback requested" part > from the comment where "fallback" was removed from the code. > > Your patch has been applied to the master branch. > > commit 13ee7f902f18e27b981f8e440facd2e6515c6c83 (master) ... and to release/2.6, as this functionality is seen as useful, and the change is very non-intrusive. So it will be part of 2.6.11 "release planned in about 2 weeks". commit dfbe11ac1842df400327be22951d0ba373534254 (release/2.6) Author: Heiko Wundram Date: Thu Jun 6 12:34:41 2024 +0200 Implement Windows CA template match for Crypto-API selector Compile-tested via GHA. gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel