256 Commits

Author SHA1 Message Date
Gert Doering
b4e31e57bc Add information-gathering about DNS resolvers configured to t_client.sh(.in)
With the patchsets to add DNS configuration on Unix+MacOS systems, and
the addition of test stanzas to exercise and verify the OS-specific
"dns-updown" script, it becomes important to trace test failures
("did it not ping because the DNS was not installed, or did something
else fail?") and also verify that DNS config is properly restored at
the end of each test.

Linux is probed with "resolvectl status", if available, and
"cat resolv.conf" if not.  MacOS uses scutil --dns.

All other platforms use "cat resolv.conf" for now (because even if
"a tool to maintain DNS config" is available, in the end resolv.conf
is always where the final config lands).

Include a bit of restructuring to handle linux iproute2 testing in the
"Linux" branch, and make the control flow more amenable to having a
second case / esac block.

Change-Id: I9cae7314203424e4a604073c5445559260172477
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250505142224.24935-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31568.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2025-05-05 16:54:07 +02:00
Arne Schwabe
82ee2fe4b4 Allow tls-crypt-v2 to be setup only on initial packet of a session
This fixes an internal server error condition that can be triggered by a
malicious authenticated client, a very unlucky corruption of packets in
transit or by an attacker that is able to inject a specially created
packet at the right time and is able to observe the traffic to construct
the packet.

The error condition results in an ASSERT statement being triggered,

NOTE: due to the security sensitive nature, this patch was prepared
under embargo on the security@openvpn.net mailing list, and thus has
no publicly available "mailing list discussion before merge" URL.

CVE: 2025-2704
Change-Id: I07c1352204d308e5bde5f0b85e561a5dd0bc63c8
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <385d88f0-d7c9-4330-82ff-9f5931183afd@rfc2549.org>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2025-04-02 08:24:00 +02:00
Frank Lichtenheld
5ad560a923 t_server_null_default.rc: Add some tests with --data-ciphers
Trying to verify some of the negotiation parts.

Change-Id: I47d95eee8a00b9878331fd6cd6a7db12665f5537
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Samuli Seppänen <sasepp@proton.me>
Message-Id: <20250327094700.305156-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31258.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2025-03-27 14:59:04 +01:00
Frank Lichtenheld
cedddc1d74 Remove various unused function parameters
Change-Id: Ia3b0f22b0049a111ce52b3c87dd08a843ea9a919
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250308100456.32383-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31064.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2025-03-08 13:14:28 +01:00
Samuli Seppänen
e4f44318b7 Add lwip support to t_server_null
Change-Id: Ie63f302402f469c3aa48ac146ca6b8c029f0d250
Signed-off-by: Samuli Seppänen <samuli.seppanen@gmail.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250305134642.196598-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31019.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2025-03-08 09:49:51 +01:00
Arne Schwabe
ced0feefe5 Extend the unit test for data channel packets with aead limit tests
Change-Id: I15c7cfdddb06d4530d669b222a3c65db5169b29a
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: MaxF <max@max-fillinger.net>
Message-Id: <20250213193942.26423-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30864.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2025-02-13 22:22:14 +01:00
Arne Schwabe
9f4670fc71 Implement epoch key data format
With DCO and possible future hardware assisted OpenVPN acceleration we
are approaching the point where 32 bit IVs are not cutting it any more,
especially if we are limiting the IVs to the safe limits of AES-GCM where
the limit is more like 2^29.

To illustrate the problem, some back of the envelope math here:

If we want to keep the current 3600s renegotiation interval and have
a safety margin of 25% (when we trigger renegotiation) we have about
3.2 million packets (2^32 * 0.7) to work with. That translates to
about 835k packets per second. Currently, the implementation triggers the
renegotiation at 0xff00000000 or at 7/8 of the AEAD usage limit.

With 1300 Byte packets that translates into 8-9 Gbit/s. That is not
unrealistic any more. Current DCO implementations are already within
spitting distance of that, or might even reach it (for a single client
connection) if you have a CPU with extremely fast single-core performance.

With the AEAD usage limit, these limits are almost a factor of 8 lower,
so with the limit it becomes 1-2 GBit/s. This is already reached without
DCO on some platforms.

This introduces the epoch data format for AEAD data channel
ciphers in TLS mode. No effort has been made to support
larger packet counters in any other scenario since those are all legacy.
This uses the same approach of epoch keys as (D)TLS 1.3 does and switches
the data channel regularly for affected AEAD ciphers when reaching the
usage limit.

For Chacha20-Poly1305, which does not suffer the same problems as AES-GCM,
the full 48 bits of the packet counter are used; only after that is the same
logic to switch to a new key as with AES-GCM applied.

Change-Id: I00751c42cb04e30205ba8e6584530831e0d143c5
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: MaxF <max@max-fillinger.net>
Message-Id: <20250212161311.16888-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30845.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2025-02-12 17:26:46 +01:00
Arne Schwabe
2a6dbf5c6d Add unit tests for atoi parsing options helper
Change-Id: Ieee368e325d7f9c367fd91fee0fd3e281ee0855d
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250128175855.12289-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30671.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2025-01-28 19:49:28 +01:00
Arne Schwabe
0671a4d009 Rename aead-tag-at-end to aead-epoch
Since we introduce aead at the end and epoch data keys together
and only allow the aead tag at the end if epoch data keys are
used, we can use just one flag for both of them

Change-Id: I9e9433b56dcbaa538d9bed30e50cf74948c647cc
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: MaxF <max@max-fillinger.net>
Message-Id: <20250109212803.11505-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30395.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2025-01-10 08:18:22 +01:00
Arne Schwabe
92adbc88b1 Implement methods to generate and manage OpenVPN Epoch keys
This implements functions that allow these keys to be generated and
managed. It does not yet implement using them for the data channel.

Change-Id: Id7d6a576ca8c9560cb2dfae82fc62175820e9b80
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: MaxF <max@max-fillinger.net>
Message-Id: <20250109180537.27686-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30390.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2025-01-09 22:41:07 +01:00
Arne Schwabe
bc62a9a02c Add methods to read/write packet ids for epoch data
Change-Id: I2a104decdb1e77a460f7a6976bcd0560b67a07b5
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: MaxF <max@max-fillinger.net>
Message-Id: <20250109175528.22033-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30389.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2025-01-09 22:30:59 +01:00
Arne Schwabe
6a7931a4a8 Allow DEFAULT in data-ciphers and report both expanded and user set option
This adds support for parsing DEFAULT in data-ciphers, the idea is that people
can modify the default without repeating the default ciphers.

In the past we have seen that people will use data-ciphers BF-CBC or
data-ciphers AES-128-CBC when getting the warning that the cipher is not
supported by the server.  This commit aims to provide a better way for
these situations as we still want people to rely on default cipher selection
from OpenVPN when possible.

Change-Id: Ia1c5209022d3ab4c0dac6438c41891c7d059f812
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20241227124632.110920-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30245.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-12-31 17:42:52 +01:00
Arne Schwabe
5bbf0aa484 Change API of init_key_ctx to use struct key_parameters
This introduces a new structure key_parameters. The reason is that the
current struct serves both as an internal struct as well as an
on-wire/in-file format. Separate these two different usages to allow
extending the struct.

Change-Id: I4a981c5a70717e2276d89bf83a06c7fdbe6712d7
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20241227111133.5893-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30228.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-12-27 17:06:57 +01:00
Arne Schwabe
c815217ab6 Add building/testing with msbuild and the clang compiler
The LLVM/clang compiler warning and error messages are easier to read
than their MSVC cl counterparts. Also compiling/running tests on Windows
with a different compiler has the benefit of better coverage.

This includes a few minor changes to allow clang-cl to compile the
project.

Change-Id: I43d84034f3e920a45731c4aab4f851a60921290d
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20241227112209.11572-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30231.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-12-27 12:30:55 +01:00
Arne Schwabe
bd629d7c8b Add small unit test for buf_chomp
Change-Id: Ia0799189d45223e0b987a5a4da5be60404388f1f
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241225165629.5558-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30206.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-12-25 22:36:58 +01:00
Arne Schwabe
5aa7ce4eff Change internal id of packet id to uint64
This allows getting rid of multiple casts and also prepares for the
larger packet id used by the epoch data format.

Change-Id: If470af2eb456b2b10f9f2806933e026842188c42
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241225142131.12543-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30199.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-12-25 16:23:48 +01:00
Arne Schwabe
f0c26b02a7 Move initialisation of implicit IVs to init_key_ctx_bi methods
This is really more a function of initialising the data cipher and key
context and putting it into the init_key_ctx_bi makes more sense.

It will allow calling init_key_ctx_bi to fully initialise a
data channel key without calling some extra functions after that
which will make the (upcoming) epoch key implementation cleaner.

Also ensure that free_ctx_bi actually also sets initialized to false.

Change-Id: Id223612c7bcab91d49c013fb775024bd64ab0836
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241222214541.11021-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30170.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-12-23 10:18:35 +01:00
Arne Schwabe
5d3d2e42c3 Implement HKDF expand function based on RFC 8446
Use crypto_epoch.c/h for the new functions since they are
linked to the epoch key usage in OpenVPN.

Change-Id: I3a1c6561f4d9a69e2a441d49dff620b4258a1bcc
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: MaxF <max@max-fillinger.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241221222404.10266-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30149.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-12-22 11:15:19 +01:00
Arne Schwabe
fb691d2dcc Trigger renegotiation of data key if getting close to the AEAD usage limit
This implements the limitation of AEAD key usage[1] with a confidentiality
margin of 2^-57, the same as TLS 1.3.  In this implementation, unlike
TLS 1.3 that counts the number of records, we count the actual number of
packets and plaintext blocks. TLS 1.3 can reasonably assume that for
large data transfers, full records are used and therefore the maximum
record size of 2^14 (2^10 blocks) is used to calculate the number of
records before a new key needs to be used.

For a VPN like OpenVPN, the same calculation would either require using a
pessimistic assumption of using a MTU size of 65k which limits us to
2^24 packets, which equals only 24 GB with more common MTU/MSS of 1400
or requiring a dynamic calculation which includes the actual MTU that
we allow to send. For 1500 the calculation yields 2^29.4 which is a
significantly higher number of packets (923 GB at 1400 MSS/MTU).

To avoid this dynamic calculation and also avoid needing to know the
MSS/MTU size in the crypto layer, this implementation foregoes the
simplification of counting just packets but will count blocks and packets
instead and determines the limit from that.

This also has the side effect that connections with a lot of small packets
(like TCP ACKs) mixed with large packets will be able to keep using the same
key much longer until requiring a renegotiation.

This patch will set the limit where to trigger the renegotiation at 7/8
of the recommended maximum value.

[1]  https://www.ietf.org/archive/id/draft-irtf-cfrg-aead-limits-08.html

Testing instructions:

The easiest way to test if this patch works as
intended is to manually change the return value of cipher_get_aead_limits
to some silly low value like 2048. After a bit of VPN traffic, a soft
reset should occur that indicates being over the

    TLS: soft reset sec=41/3600 bytes=59720/-1 pkts=78/0 aead_limit_send=1883/1792 aead_limit_recv=1937/1792

Here the send limit is over the limit (1792 = 2048 * 8/7).

Change-Id: I057f007577f10c6ac917ee4620ee3d2559187dc7
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241221153731.1755-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30144.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-12-21 19:23:25 +01:00
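The accounting described in this message, as an added example that is not OpenVPN's code: it counts packets (q) and 16-byte plaintext blocks (s) per key direction and raises the soft-reset flag at 7/8 of the limit. The constant 2^36 (from the AES-GCM confidentiality bound CA <= (s + q + 1)^2 / 2^129 at a 2^-57 margin) is assumed to be what cipher_get_aead_limits returns for AES-GCM; it reproduces the 2^24 and 2^29.4 figures quoted above. The aead_limit_send status string is modelled on the log line in the testing instructions, not copied from the implementation.

```python
"""Added example (not OpenVPN code): AEAD usage accounting in the style of
draft-irtf-cfrg-aead-limits, counting packets (q) and plaintext blocks (s)
and triggering renegotiation at 7/8 of the limit."""
import math

BLOCK_SIZE = 16  # AES block size in bytes

# With a confidentiality margin of 2^-57 the AES-GCM bound
# CA <= (s + q + 1)^2 / 2^129 gives s + q + 1 <= 2^36. That this 2^36 is the
# value cipher_get_aead_limits() returns is an assumption; it reproduces the
# 2^24 / 2^29.4 packet figures from the commit message.
AES_GCM_USAGE_LIMIT = 1 << 36


def blocks_in(plaintext_len: int) -> int:
    """Number of 16-byte blocks a plaintext of this length occupies (its s contribution)."""
    return (plaintext_len + BLOCK_SIZE - 1) // BLOCK_SIZE


def renegotiation_threshold(limit: int) -> int:
    """The soft reset is triggered at 7/8 of the recommended maximum."""
    return limit * 7 // 8


def max_packets_at_mtu(mtu: int, limit: int = AES_GCM_USAGE_LIMIT) -> int:
    """Static worst case if every packet were MTU-sized: the packet-count bound a
    fixed calculation would give (the approach the commit avoids)."""
    return limit // (blocks_in(mtu) + 1)


def packet_exponent(mtu: int, limit: int = AES_GCM_USAGE_LIMIT) -> float:
    """log2 of that static bound, rounded to one decimal (2^24 at 64k, 2^29.4 at 1500)."""
    return round(math.log2(max_packets_at_mtu(mtu, limit)), 1)


class AeadUsageCounter:
    """Tracks s + q for one key direction; one instance each for send and receive."""

    def __init__(self, limit: int = AES_GCM_USAGE_LIMIT):
        self.limit = limit
        self.packets = 0   # q
        self.blocks = 0    # s

    def record(self, plaintext_len: int) -> int:
        """Account for one packet; returns the usage after it."""
        self.packets += 1
        self.blocks += blocks_in(plaintext_len)
        return self.usage()

    def usage(self) -> int:
        return self.packets + self.blocks

    def needs_renegotiation(self) -> bool:
        return self.usage() >= renegotiation_threshold(self.limit)

    def status(self) -> str:
        """Mimics the aead_limit_send=used/threshold field of the soft reset log line."""
        return f"{self.usage()}/{renegotiation_threshold(self.limit)}"


def packets_until_renegotiation(plaintext_len: int, limit: int = AES_GCM_USAGE_LIMIT) -> int:
    """How many packets of one fixed size it takes to reach the threshold."""
    per_packet = blocks_in(plaintext_len) + 1
    return math.ceil(renegotiation_threshold(limit) / per_packet)


if __name__ == "__main__":
    print("2^%.1f packets at 64k MTU" % packet_exponent(65536))
    print("2^%.1f packets at 1500 MTU" % packet_exponent(1500))
    counter = AeadUsageCounter(limit=2048)   # the "silly low value" from the testing instructions
    for _ in range(21):
        counter.record(1400)
    print("aead_limit_send=%s reneg=%s" % (counter.status(), counter.needs_renegotiation()))
```

Run with limit=2048 as in the testing instructions: twenty 1400-byte packets leave usage at 1780/1792, the twenty-first pushes it to 1869 and flags a renegotiation. 52-byte TCP ACKs cost 5 units each and go 359 packets before hitting the same threshold, which is the "mixed traffic keeps the key longer" effect the message describes.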
Arne Schwabe
baa9192851 Use XOR instead of concatenation for calculation of IV from implicit IV
This change prepares the extended packet id data where also the packet id
part of the IV will be derived using xor.  Using xor also in the AEAD
case where this degenerates to a concatenation allows using the same
IV generation code later.

Change-Id: I74216d776d3e0a8dc987ec7b1671c8e8dcccdbd6
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: MaxF <max@max-fillinger.net>
Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Acked-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241212143845.4090-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30097.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-12-12 15:52:43 +01:00
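Added example, not code from the OpenVPN tree, tying together the epoch data format commit 9f4670fc71, the HKDF expand commit 5d3d2e42c3 and the XOR IV commit baa9192851 above: RFC 5869 HKDF-Expand, RFC 8446 HKDF-Expand-Label, a TLS 1.3-style per-epoch key ratchet, a 64-bit packet id split into a 16-bit epoch and the 48-bit counter the message mentions, and a nonce obtained by XORing that packet id into the implicit IV. The "tls13 " prefix and the "key", "iv" and "traffic upd" labels are the TLS 1.3 ones; OpenVPN's own labels, the 16-bit epoch width, the key and IV sizes and the alignment of the packet id inside the IV are assumptions, since the page does not give them.

```python
"""Added example (not OpenVPN code): HKDF-Expand / HKDF-Expand-Label and a
TLS 1.3-style epoch key chain with a 16-bit epoch | 48-bit counter packet id
and an XOR-derived nonce."""
import hashlib
import hmac
import struct


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """HKDF-Expand as in RFC 5869 section 2.3: T(i) = HMAC(PRK, T(i-1) | info | i)."""
    hash_len = hashlib.new(hash_name).digest_size
    if not 0 < length <= 255 * hash_len:
        raise ValueError("length out of range for HKDF-Expand")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int,
                      prefix: bytes = b"tls13 ", hash_name: str = "sha256") -> bytes:
    """HKDF-Expand-Label from RFC 8446 section 7.1. HkdfLabel is
    uint16 length | opaque label<7..255> | opaque context<0..255>.
    The "tls13 " prefix is TLS 1.3's; OpenVPN's prefix/labels are assumed here."""
    full_label = prefix + label
    if len(full_label) > 255 or len(context) > 255:
        raise ValueError("label or context too long")
    hkdf_label = (struct.pack(">H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length, hash_name)


EPOCH_BITS = 16     # assumption: 64-bit packet id = 16-bit epoch | 48-bit counter
COUNTER_BITS = 48   # the commit message says the packet counter is 48 bits wide
KEY_LEN = 32        # assumption: AES-256-GCM key
IV_LEN = 12         # assumption: 96-bit GCM nonce


class EpochKeyChain:
    """One direction of a data channel: a per-epoch secret ratcheted forward
    like TLS 1.3 "traffic upd" (RFC 8446 section 7.2), with key and IV
    expanded from it and a fresh 48-bit counter per epoch."""

    def __init__(self, initial_secret: bytes, epoch: int = 1):
        self.epoch = epoch
        self.secret = initial_secret
        self.counter = 0
        self._derive_key_and_iv()

    def _derive_key_and_iv(self) -> None:
        self.key = hkdf_expand_label(self.secret, b"key", b"", KEY_LEN)
        self.implicit_iv = hkdf_expand_label(self.secret, b"iv", b"", IV_LEN)

    def next_epoch(self) -> None:
        """Advance: new secret, new key/IV, counter back to 0. The previous
        secret is overwritten, so old epochs cannot be re-derived."""
        if self.epoch + 1 >= 1 << EPOCH_BITS:
            raise RuntimeError("epoch space exhausted; a full renegotiation is needed")
        self.secret = hkdf_expand_label(self.secret, b"traffic upd", b"", len(self.secret))
        self.epoch += 1
        self.counter = 0
        self._derive_key_and_iv()

    def next_packet_id(self) -> bytes:
        """Allocate the next 64-bit packet id (epoch | counter), big-endian."""
        if self.counter >= 1 << COUNTER_BITS:
            raise RuntimeError("48-bit counter exhausted; switch epoch first")
        pid = (self.epoch << COUNTER_BITS) | self.counter
        self.counter += 1
        return struct.pack(">Q", pid)

    def nonce_for(self, packet_id: bytes) -> bytes:
        """XOR the packet id into the implicit IV (packet id in the leading bytes;
        the alignment is an assumption). If the implicit IV's leading bytes are
        zero this degenerates to packet_id || implicit_iv, the pre-epoch layout."""
        padded = packet_id + bytes(IV_LEN - len(packet_id))
        return bytes(a ^ b for a, b in zip(padded, self.implicit_iv))


def decode_packet_id(packet_id: bytes) -> tuple:
    """Split a wire packet id back into (epoch, counter)."""
    (pid,) = struct.unpack(">Q", packet_id)
    return pid >> COUNTER_BITS, pid & ((1 << COUNTER_BITS) - 1)


if __name__ == "__main__":
    chain = EpochKeyChain(b"\x11" * 32)      # constructed secret, not a real key
    pid = chain.next_packet_id()
    print("epoch/counter:", decode_packet_id(pid), "nonce:", chain.nonce_for(pid).hex())
    chain.next_epoch()
    print("after ratchet, epoch", chain.epoch, "key", chain.key.hex()[:16], "...")
```

The receiver keeps the same chain and uses the epoch field of an incoming packet id to select the key; a packet whose epoch is behind or ahead of what it expects is handled by the replay/key-switch logic, which this sketch leaves out.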
Frank Lichtenheld
ae82631be1 Fix memory leak in ntlm_support
Not really important but prevents running the NTLM
t_client tests with ASAN enabled.

Change-Id: If472398d4ff8323de485f084a07160b365dfc501
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20241209194957.358-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30049.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-12-09 21:06:14 +01:00
Samuli Seppänen
5dd1b8b063 t_server_null: use wait instead of marker files
By using wait in a more inventive way we can avoid using a marker file
to detect the "server could not be killed gracefully" situation.

Change-Id: Ib385080e1dd1c3046c54e6267db8aa7d5c09e2fb
Signed-off-by: Samuli Seppänen <samuli.seppanen@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241026092515.30559-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29664.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-10-26 11:50:18 +02:00
Samuli Seppänen
37db7fe37a t_server_null: forcibly kill misbehaving servers
Change-Id: Ic0f98cd3b87a7b86e032e63167ac9036f7c08fcb
Signed-off-by: Samuli Seppänen <samuli.seppanen@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241025103632.4413-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29655.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-10-25 12:56:05 +02:00
Samuli Seppänen
a3a4844a3c t_server_null: persist test log files
The goal is to help debug issues with t_server_null. The immediate goal
is to be able to debug server startup issues encountered on some of the
*BSD platforms.

Change-Id: I49f1e7d25edb62bf202ffceb45dedc213f2eafdd
Signed-off-by: Samuli Seppänen <samuli.seppanen@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241024133220.4864-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20241024133220.4864-1-gert@greenie.muc.de
URL: https://gerrit.openvpn.net/c/openvpn/+/776
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-10-24 19:50:22 +02:00
Arne Schwabe
fcbb62375c Remove a large number of unused structs and functions
These have been found by Clion's Inspect Code functionality and have
been verified by hand.  A few functions like buf_read_u32 have been
kept since they still feel being useful while currently not being used.

Change-Id: I0d96ee06c355c6a5ce082af23921e329d3efae33
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241018063717.14629-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29594.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-10-18 08:40:10 +02:00
Gert Doering
5ccaa49e03 t_client.sh: conditionally skip ifconfig+route check
For --dev null or --dev-type af_unix:lwipopenvn tests, there will be
no visible change to ifconfig or route output, so tests will fail
("how can this be?").  Set EXPECT_IFCONFIG4_<n>=- to skip this
check.

(Simply leaving both EXPECT_IFCONFIG* vars empty and using that as
trigger would interfere with the magic from commit df0b00c25)

v2: fix string-equal comparison

Change-Id: Iec1953415afb53755488dd44407568e72d28e854
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240928200508.23747-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29473.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-09-28 22:10:54 +02:00
Gert Doering
b322690394 make t_server_null 'server alive?' check more robust
- use "$RUN_SUDO kill -0 $pid" to test if a given process is running, not
  "ps -p $pid" - the latter will not work if security.bsd.see_other_uids=0
  is set

- produce proper error messages if pid files can not be found or are
  empty at server shutdown time

Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240918162917.6809-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29314.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-09-19 12:01:46 +02:00
Frank Lichtenheld
53449cb61f Various fixes for -Wconversion errors
These are all fixes I considered "safe". They either

- Have sufficient checks/shifts for a cast to be safe
- Fix the type of a variable without requiring code changes
- Are in non-critical unittest code

v2:
 - add min_size instead of abusing min_int
v6:
 - remove change of return value of link_socket_write.
   Move to separate patch.

Change-Id: I6818b153bdeb1eed65870af99b0531e95807fe0f
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20240910122008.23507-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29172.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-09-10 14:31:28 +02:00
Ilia Shipitsin
611fa55ed1 tests/unit_tests/openvpn/test_auth_token.c: handle strdup errors
Signed-off-by: Ilia Shipitsin <chipitsine@gmail.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240708210912.566-6-chipitsine@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28882.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-09-09 09:30:22 +02:00
Selva Nair
bb8f193615 Add test for static-challenge concatenation option
Change-Id: I41f6c1f7acb58f30fc4db0e32505018f64fcad28
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240830141824.108599-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29054.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-09-09 08:53:11 +02:00
Selva Nair
f086a49b55 Add a test for loading certificate and key using file: URI
We do not load any providers, so only file: URI internally supported by
OpenSSL 3+ is tested. On non-OpenSSL 3 builds the test prints "SKIPPED".

v2: avoid dead code; rebase to current master

Change-Id: I7615116b5251319aa1f13d671bab7013f3a043ea
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240906103900.37037-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29076.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-09-09 07:52:34 +02:00
Selva Nair
0fe3a98774 Add a test for loading certificate and key to ssl context
The test certificate used in test_ssl.c is updated to use 2048 bit
RSA and the matching key is added.

Tests include loading certificate and key as inlined pem as well as
from files. Note that loading the key also checks that it matches
the certificate, providing an indirect test that the latter was loaded
correctly.

Change-Id: Ic6f089896191145f68ce9a11023587d05dcec4d8
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240906103814.36839-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29074.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-09-08 22:45:55 +02:00
Selva Nair
3512e8d3ad Interpret --key and --cert option argument as URI
OpenSSL 3 has providers which can load keys and certificates
from various key stores and HSMs using a provider-specific URI.
While certificates are generally exportable, and some providers
support a PEM file that acts as a proxy for non-exportable private
keys, not all providers are expected to do so. A generic capability
to read keys and certificates from URIs appears useful.

This patch does this by extending the scope of the argument for
"--key" and "--cert" options to include URIs. Many of OpenSSL 3
utilities also work the same way: e.g., the "-in" option for
"openssl pkey" or "openssl x509" could be a filename or URI.
Other applications have started emulating this behaviour:
e.g., pkcs11: URI works as an alternative to a file name for
certificates and keys in apache. Even for files, this has a nice
side effect that non-PEM files get transparently parsed. E.g., a
pkcs12 file could be used in place of a PEM file without needing
any extra options.

This is backward compatible as OpenSSL falls back to treating URIs
with no scheme or unrecognized scheme as file names.

Parsing of inlined keys and certificates is unchanged (those
should be in PEM format).

Specification of URIs that OpenSSL accepts depends on the
providers that support them. Some are standard URIs such as
"file:/path", but providers may support non-standard URIs
with arbitrary scheme names. OpenSSL by itself recognizes
only file URI.  However, the implementation is agnostic to the
URI specification as parsing is done by the provider that supports
the URI. A new URI gets automatically recognized when the provider
that supports it is loaded.

Below are some usage examples:

Relative or absolute path to a file or as a URI "file:/absolute/path":

   --key mykey.pem      (same as what is currently supported)
   --key file:/path/to/mykey.pem
   --cert file:/path/to/mycert.pem

Other file types supported by OpenSSL would also work:

   --key client.p12
   --cert client.p12

pkcs11-provider supports "pkcs11:" URI (RFC 7512):

   --key pkcs11:token=Foo;id=%01
   --cert pkcs11:token=Foo;id=%01

tpm2-provider recognizes a custom URI "handle:<hex>":

   --key handle:0x81000000

These examples assume that required providers, if any, are loaded
and configured.

v2: same as PR 591 but with the fixup commit that addresses review comments is squashed.

Change-Id: I82b32d5ab472926e7889a5f4a90caba14231879a
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240906103734.36633-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29075.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-09-08 22:10:58 +02:00
Selva Nair
12a9c357b6 Protect cached username, password and token on client
Keep the memory segment containing username and password in
"struct user_pass" encrypted. Works only on Windows.

Username and auth-token cached by the server are not covered
here.

v2: Encrypt username and password separately as it looks more
robust. We continue to depend on the username and password buffer
sizes to be a multiple of CRYPTPROTECTMEMORY_BLOCK_SIZE = 16,
which is the case now. An error is logged if this is not the case.

v3: move up ASSERT in auth_token.c

Change-Id: I42e17e09a02f01aedadc2b03f9527967f6e1e8ff
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240906112908.1009-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29079.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-09-08 15:10:32 +02:00
Arne Schwabe
233e10aeec Implement support for AEAD tag at the end
Using the AEAD tag at the end is the standard way of doing AEAD. Several
APIs even only support the tag at the end (e.g. mbed TLS). Having the tag at
the front or end makes no difference for security but allows streaming HW
implementations like NICs to be much more efficient as they do not need to
buffer a whole packet content and encrypt it to finally write the tag but
instead just add the calculated tag at the end of processing.

Change-Id: I00821d75342daf3f813b829812d648fe298bea81
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240214132719.3031492-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28239.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-08-14 20:06:24 +02:00
Selva Nair
dcf735009c test_pkcs11.c: set file offset to 0 after ftruncate
Currently key and cert file fd's are reused after ftruncate()
without setting the offset to zero. This causes subsequent
data to be written at some finite offset with the hole in
the file automatically filled by zeros. Fix it by calling
lseek() to set the offset to zero.

The test works nevertheless because p11tool seems to generously
ignore any junk before the "BEGIN" marker.

Change-Id: Ib0fe15a4ba18d89216b0288e6cd6be66ed377bd4
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240812232158.3776869-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29010.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-08-13 08:27:53 +02:00
Frank Lichtenheld
418463ad27 console_systemd: rename query_user_exec to query_user_systemd
This allows us to override query_user_exec for unit
tests more consistently without having to jump through
weird hoops.

Fixes running test_pkcs11 with --enable-systemd.

While here also fix documentation comments for
query_user_exec*.

Change-Id: I379e1eb6dc57b9fe4bbdaefbd947a14326e7117a
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240726104032.2112-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28983.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-07-26 12:47:48 +02:00
Arne Schwabe
be31325e1d Allow trailing \r and \n in control channel message
Writing a reason from a script will easily end up adding extra \r\n characters
at the end of the reason. Our current code pushes this to the peer. So be more
liberal in accepting these messages.

Github: closes OpenVPN/openvpn#568

Change-Id: I47c992b6b73b1475cbff8a28f720cf50dc1fbe3e
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240710140623.172829-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28910.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-07-17 20:55:21 +02:00
Samuli Seppänen
f8f4771398 t_server_null: multiple improvements and fixes
- exit after a timeout if unable to kill servers
- use sudo or equivalent only for server stop/start
- use /bin/sh directly instead of through /usr/bin/env
- simplify sudo call in the sample rc file
- remove misleading and outdated documentation
- make it work on OpenBSD 7.5
- make it work on NetBSD 10.0
- make server logs readable by normal users

Change-Id: I2cce8ad4e0d262e1404ab1eb6ff673d8590b6b3a
Signed-off-by: Samuli Seppänen <samuli.seppanen@gmail.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240704133337.26595-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28871.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-07-04 22:26:32 +02:00
Frank Lichtenheld
56355924b4 configure: Add -Wstrict-prototypes and -Wold-style-definition
These are not covered by -Wall (nor -Wextra) but we want
to enforce them.

Change-Id: I6e08920e4cf4762b9f14a7461a29fa77df15255c
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240620144230.19586-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28823.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-06-20 17:01:31 +02:00
Frank Lichtenheld
c9f29e35cd t_server_null.sh: Fix failure case
The changes for POSIX shell compatibility and parallel
make compatibility broke actually failing the test
when a subtest fails.

Change-Id: I35f7cf84e035bc793d6f0f59e46edf1a2efe0391
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Samuli Seppänen <samuli@openvpn.net>
Message-Id: <20240620103749.7923-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28815.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-06-20 15:33:28 +02:00
Arne Schwabe
414f428fa2 Properly handle null bytes and invalid characters in control messages
This makes OpenVPN more picky in accepting control messages in two aspects:
- Characters are checked in the whole buffer and not until the first
  NUL byte
- if the message contains invalid characters, we no longer continue
  evaluating a fixed up version of the message but rather stop
  processing it completely.

Previously it was possible to get invalid characters to end up in log
files or on a terminal.

This also prepares the logic a bit in the direction of having a proper
framing of control messages separated by null bytes instead of relying
on the TLS framing for that. All OpenVPN implementations write the 0
bytes between control commands.

This patch also includes several improvement suggestions from Reynir
(thanks!).

CVE: 2024-5594

Reported-By: Reynir Björnsson <reynir@reynir.dk>
Change-Id: I0d926f910637dabc89bf5fa919dc6beef1eb46d9
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <a@unstable.cc>

Message-Id: <20240619103004.56460-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28791.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-06-19 14:04:40 +02:00
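An added illustration of the two checks the commit message above contrasts: validating the whole buffer and rejecting it outright, versus the older strlen-style check that stops at the first NUL and so never inspects what hides behind it. This is example code written for this page, not OpenVPN's implementation; the function names, the printable-ASCII rule, the status enum and the constructed sample message are assumptions made here.

```c
#include <stddef.h>
#include <stdio.h>

/* Outcome of validating one control-channel message buffer (names assumed). */
enum ctrl_msg_status {
    CTRL_MSG_OK = 0,        /* printable ASCII, one NUL, and it is the last byte */
    CTRL_MSG_MISSING_NUL,   /* buffer is not NUL-terminated at all */
    CTRL_MSG_EMBEDDED_NUL,  /* a NUL before the end: bytes hide behind it */
    CTRL_MSG_BAD_CHAR       /* control or non-ASCII byte in the message */
};

static int is_printable_ascii(unsigned char c)
{
    return c >= 0x20 && c <= 0x7e;
}

/* Strict check in the spirit of the fix: examine every byte of the buffer.
 * The only NUL allowed is the final byte; any other NUL, and any byte outside
 * printable ASCII, rejects the whole message instead of "repairing" it. */
enum ctrl_msg_status validate_control_message(const unsigned char *buf, size_t len)
{
    if (len == 0 || buf[len - 1] != '\0') {
        return CTRL_MSG_MISSING_NUL;
    }
    for (size_t i = 0; i + 1 < len; i++) {
        if (buf[i] == '\0') {
            return CTRL_MSG_EMBEDDED_NUL;
        }
        if (!is_printable_ascii(buf[i])) {
            return CTRL_MSG_BAD_CHAR;
        }
    }
    return CTRL_MSG_OK;
}

/* The weaker check the commit message describes as the old behaviour:
 * stops at the first NUL, so nothing after it is ever inspected. */
enum ctrl_msg_status validate_up_to_first_nul(const unsigned char *buf, size_t len)
{
    size_t i;
    for (i = 0; i < len && buf[i] != '\0'; i++) {
        if (!is_printable_ascii(buf[i])) {
            return CTRL_MSG_BAD_CHAR;
        }
    }
    return (i < len) ? CTRL_MSG_OK : CTRL_MSG_MISSING_NUL;
}

/* Constructed sample, not real traffic: a legitimate-looking command, then a
 * NUL, then an ANSI escape sequence (ESC [ 2 J, "clear screen"). A first-NUL
 * check sees only "AUTH_FAILED"; the escape bytes ride along unexamined. */
static const unsigned char hidden_escape_msg[] = "AUTH_FAILED\0\x1b[2J";

/* Returns 1 if the first-NUL check accepts the sample while the whole-buffer
 * check rejects it, i.e. the gap the fix closes is demonstrated. */
int sample_shows_gap(void)
{
    size_t len = sizeof hidden_escape_msg; /* includes the literal's final NUL */
    return validate_up_to_first_nul(hidden_escape_msg, len) == CTRL_MSG_OK
        && validate_control_message(hidden_escape_msg, len) == CTRL_MSG_EMBEDDED_NUL;
}

int main(void)
{
    static const char *names[] = { "OK", "MISSING_NUL", "EMBEDDED_NUL", "BAD_CHAR" };
    const unsigned char ok_msg[] = "PUSH_REQUEST";
    const unsigned char bel_msg[] = "PUSH_REQUEST\x07";

    printf("PUSH_REQUEST             -> %s\n", names[validate_control_message(ok_msg, sizeof ok_msg)]);
    printf("PUSH_REQUEST + BEL       -> %s\n", names[validate_control_message(bel_msg, sizeof bel_msg)]);
    printf("AUTH_FAILED\\0ESC[2J  old -> %s\n",
           names[validate_up_to_first_nul(hidden_escape_msg, sizeof hidden_escape_msg)]);
    printf("AUTH_FAILED\\0ESC[2J  new -> %s\n",
           names[validate_control_message(hidden_escape_msg, sizeof hidden_escape_msg)]);
    return 0;
}
```

The important design choice is in the return path: the strict validator never hands back a "cleaned" message. Once a bad byte is found the whole buffer is discarded, so nothing derived from it can reach a log file or a terminal.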
Samuli Seppänen
06c7ce5d1f Add t_server_null test suite
Change-Id: I1b54da258c7d15551b6c3de7522a0d19afdb66de
Signed-off-by: Samuli Seppänen <samuli.seppanen@gmail.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240613081422.139493-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28750.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-06-18 22:41:51 +02:00
Frank Lichtenheld
7dfff75659 test_user_pass: Fix building with --enable-systemd
Need to make sure that ENABLE_SYSTEMD is really disabled.

Change-Id: Ic33c210f06e173a450534aa0969c57f140086655
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240605111012.3023-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28708.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-06-05 13:15:12 +02:00
Arne Schwabe
763b35f652 Remove custom TLS 1.0 PRF implementation only used by LibreSSL/wolfSSL
After the removal of the OpenSSL 1.0.2 support, LibreSSL/wolfSSL are the
only libraries that still need the custom implementation.

Since our LibreSSL/wolfSSL support is always best effort, we can afford to
limit LibreSSL support in this way. If they want to support this, they
should expose the functionality as well.

Change-Id: I5bfa3630ad4dff2807705658bc877c4a429a39ce
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240515100115.11056-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28672.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-05-15 13:10:49 +02:00
Arne Schwabe
130548fe4d Remove openvpn_snprintf and similar functions
Old Microsoft versions had strange behaviour, but according to the
newly added unit test and
https://stackoverflow.com/questions/7706936/is-snprintf-always-null-terminating
this is now standard conforming and we can use the normal snprintf
method.

Microsoft's own documentation for swprintf also says you nowadays need to
define _CRT_NON_CONFORMING_SWPRINTFS to get the non-standard behaviour.

Change-Id: I07096977e3b562bcb5d2c6f11673a4175b8e12ac
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240506102710.8976-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28617.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-05-06 16:56:24 +02:00
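An added example of what the standard-conforming snprintf the commit message relies on guarantees to a caller: with a non-zero size the buffer is always NUL-terminated, and the return value is the length the complete string would have had, so a return value of size or more means the output was truncated. This is example code written for this page, not OpenVPN's code; the helper names and the 16-byte buffer are arbitrary choices made here.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Format into a fixed buffer and report whether everything fit.
 * Returns 1 if the full string was written, 0 on truncation or on a
 * formatting error. In every case with size > 0, dst is a valid C string
 * afterwards, which is exactly the C99 contract (and the one the commit
 * message says current Microsoft CRTs now honour). */
int format_checked(char *dst, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (size == 0) {
        return 0; /* nothing can be written, not even the terminator */
    }
    va_start(ap, fmt);
    n = vsnprintf(dst, size, fmt, ap);
    va_end(ap);
    if (n < 0) {
        dst[0] = '\0'; /* encoding/format error: leave a valid empty string */
        return 0;
    }
    return (size_t)n < size; /* n >= size: output was cut off */
}

/* Example use: build a log line "user=<name>" in a 16-byte buffer (size chosen
 * for the example). Returns 1 if the line is complete, 0 if it was cut off. */
int user_log_line_complete(const char *user)
{
    char line[16];
    return format_checked(line, sizeof line, "user=%s", user);
}

/* Length actually stored for the same line: always < 16, and strlen is safe
 * because the terminator is guaranteed even when truncation happened. */
size_t user_log_line_len(const char *user)
{
    char line[16];
    format_checked(line, sizeof line, "user=%s", user);
    return strlen(line);
}

int main(void)
{
    const char *names[] = { "alice", "a-very-long-name" };
    for (size_t i = 0; i < 2; i++) {
        printf("%-18s complete=%d stored_len=%zu\n", names[i],
               user_log_line_complete(names[i]), user_log_line_len(names[i]));
    }
    return 0;
}
```

The caller-side rule this encodes: never treat a formatted buffer as complete without checking the return value, because a silently truncated string (a path, a hostname, a log line) is still a well-formed C string and will be accepted by everything downstream.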
Frank Lichtenheld
aea6e9aa85 tests: fork default automake test-driver
For some of the tests we don't like the default log behavior
and there seems no easy way to change that except to fork
the driver. The license seems unproblematic since we're
GPL anyway.

v2:
 - Do not use forked-test-driver for UTs. Default behavior
   is fine for those.

Change-Id: I67d461afbcc9c06b1fc5ab4477141d7b8bd9ba8e
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240125110036.16070-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28132.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-04-02 17:20:35 +02:00
Frank Lichtenheld
b25c6d7e86 Update Copyright statements to 2024
Change-Id: Ic377958d303b1dcfa9d877d3a63ecf39bdff7aef
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240315170054.2368254-1-frank@lichtenheld.com>
URL: https://sourceforge.net/p/openvpn/mailman/message/58749316/
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-03-18 18:46:26 +01:00
Frank Lichtenheld
0c7cf0694e t_client.sh: Allow to skip tests
Individual tests can define a script to run to test
whether they should be skipped.

Included in this commit is an example check which
checks whether we can do NTLM checks. This fails
e.g. on recent versions of Fedora with mbedTLS
(tested with Fedora 39) or when NTLM support is not
compiled in.

v2:
 - ntlm_support:
   - support OpenSSL 3
   - allow to build without cmocka
v3:
 - add example to t_client.rc-sample
 - t_client.sh code style
 - use syshead.h in error.h
v5:
 - rename SKIP_x to CHECK_SKIP_x

Change-Id: I13ea6752c8d102eabcc579e391828c05d5322899
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240308102818.9249-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20240308102818.9249-1-gert@greenie.muc.de
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-03-08 12:27:05 +01:00
Juliusz Sosinowicz
54475711eb Change include order for tests
Including "ssl.h" conflicts with the wolfSSL ssl.h header file. The openvpn/src directory needs to be included before include/wolfssl. include/wolfssl needs to be included so that openvpn can pick up wolfSSL compatibility headers instead of OpenSSL headers without changing the paths.

src/openvpn/Makefile.am does not need to be modified because AM_CPPFLAGS is placed before AM_CFLAGS in the output Makefile.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20240212132522.125903-1-juliusz@wolfssl.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28229.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-02-12 16:59:35 +01:00