This commit allows compiling OpenVPN with recent versions of mbed TLS
if MBEDTLS_DEPRECATED_REMOVED is defined.
Cherry-pick note:
- Adapt to still support TLS 1.0 and 1.1 which were removed in
master.
Change-Id: If96c2ebd2af16b18ed34820e8c0531547e2076d9
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240618120127.4564-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28771.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 8eb397de3656402872f9c9584c6f703b87b50762)
Message-Id: <20250429154923.20921-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20250429154923.20921-1-gert@greenie.muc.de
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Mention its default (on non-Windows systems), rephrase for brevity, fix
grammar, correct the module environment variable name and remove a wrong
default mentioned in a related option.
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250426121903.67930-1-kn@openbsd.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31514.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 9ecaf2400a7b399166c0698c30d413b91cd4f534)
Turns out that "apt install cmake" is useless since
Github installs also CMake but not as a package. So
make sure we control which CMake we get and not
Github.
Switch to get-cmake action (which also installs ninja)
and remove the installation via apt.
Backport from master but much more limited since we
do not have Android nor AWS LC builds in release/2.6.
Change-Id: Ief11d5d7ccae084c863b50054d4e97c71f57d6f0
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250401170420.29808-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31299.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit da65c4fdde20e36df38a90c1f1ef1d8ebf486c28)
Message-Id: <20250402153250.4764-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20250402153250.4764-1-gert@greenie.muc.de
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This is a backport of the master commit
f60a493 ("dco-win: Fix crash when cancelling pending operation")
Although I am unable to reproduce this issue on release branch,
the code is clearly wrong and has to be fixed.
The OVERLAPPED structure must remain valid for the entire duration of an
asynchronous operation. Previously, when a TCP connection was pending
inside the NEW_PEER call, the OVERLAPPED structure was defined as a
local variable within dco_p2p_new_peer().
When CancelIo() was called later from close_tun_handle(), the OVERLAPPED
structure was already out of scope, resulting in undefined behavior and
stack corruption.
This fix moves the OVERLAPPED structure to the tuntap struct, ensuring
it remains valid throughout the operation's lifetime.
Change-Id: I44a73f06c0672c1d288bf46e9424dc0dc2abe054
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250402113016.14980-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31316.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This fixes an internal server error condition that can be triggered by a
malicous authenticated client, a very unlucky corruption of packets in
transit or by an attacker that is able to inject a specially created
packet at the right time and is able to observe the traffic to construct
the packet.
The error condition results in an ASSERT statement being triggered,
NOTE: due to the security sensitive nature, this patch was prepared
under embargo on the security@openvpn.net mailing list, and thus has
no publically available "mailing list discussion before merge" URL.
CVE: 2025-2704
Change-Id: I07c1352204d308e5bde5f0b85e561a5dd0bc63c8
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <385d88f0-d7c9-4330-82ff-9f5931183afd@rfc2549.org>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 82ee2fe4b42d9988c59ae3f83bd56a54d54e8c76)
From release notes:
In TLS clients, if mbedtls_ssl_set_hostname() has not been called,
mbedtls_ssl_handshake() now fails with
MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
if certificate-based authentication of the server is attempted.
This is because authenticating a server without knowing what name
to expect is usually insecure. To restore the old behavior, either
call mbedtls_ssl_set_hostname() with NULL as the hostname [...]
Change-Id: I8bbb6ffdac7d0029dbf3c13e62c11b61813c15ef
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: MaxF <max@max-fillinger.net>
Message-Id: <20250327113356.11233-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31262.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 4897c522948c8cdb82c0325ee08f6907cfc16f57)
We had parts of a abstraction, but it wasn't consistent.
GCC 13 now complains about the type mismatch with mbedtls now:
crypto_mbedtls.c:568:1: error:
conflicting types for ‘cipher_ctx_init’ due to enum/integer mismatch;
have ‘void(mbedtls_cipher_context_t *, const uint8_t *, const char *, const mbedtls_operation_t)’
[...] [-Werror=enum-int-mismatch]
crypto_backend.h:341:6: note:
previous declaration of ‘cipher_ctx_init’ with type
‘void(cipher_ctx_t *, const uint8_t *, const char *, int)’ [...]
Previous compiler versions did not complain.
v2:
- clean solution instead of quick solution. Fix the actual API
definition
Change-Id: If0dcdde30879fd6185efb2ad31399c1629c04d22
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240327162621.1792414-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28498.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 4d907bf46a470ccbd2940b9ecb64d6502d9d86bf)
When multihome option is enabled, OpenVPN passes ipi_addr to DCO, which
is always 0.0.0.0. It should use ipi_spec_dst instead.
Signed-off-by: Qingfang Deng <dqfext@gmail.com>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20250227032522.3734947-1-dqfext@gmail.com>
URL: https://sourceforge.net/p/openvpn/mailman/message/59154010/
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e4beaf7a610793f57984ec8006d26f9a695b0c74)
- Drop Ubuntu 20.04
GHA runners will go away in April 2025
- Change ubuntu-latest to ubuntu-24.04
to make sure we are not surprised by
future changes.
- Update vcpkg digest to latest 33e9c99
- Update github actions to latest
Backport changes:
Sync 2.6 GHA with master GHA by
- pinning action references
- adding Ubuntu 24.04 builds
- updating libressl
- updating ASAN builds to include
"undefined" checker
Change-Id: I29b68675143988c3304395d9d5ec62289cf519a7
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Yuriy Darnobyt <yura.uddr@gmail.com>
(cherry picked from commit c26b2e2c5581ad4e14b737df9178a03d6403a5f7)
Message-Id: <20250212215232.998-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30851.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Without this, the password request will expire after 90 seconds leaving
no way to provide the password without OpenVPN asking for it again.
Given that interactive use will wait for input without a timeout, it
makes sense to have non-interactive usage also wait until the user is
ready instead of forcing users to race against the timeout.
Change-Id: I2791d09ab698d89dc7e0183151f77b84024ad6d1
Signed-off-by: Ben Boeckel <ben.boeckel@kitware.com>
Acked-By: David Sommerseth <davids@openvpn.net>
Message-Id: <20241231204629.1210040-2-ben.boeckel@kitware.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30336.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 8084990ccecbf803498419e553bc1a6f073f8175)
- fix typo in peer-fingerprint
- use ec_paramgen_curve instead of requiring a subshell
Note: we still use -nodes instead of -noenc as it is more compatible.
Github: closesOpenVPN/openvpn#666
Change-Id: I9a12a0c127908af9f09d88fb3a493df3763d0cc5
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250114134909.31334-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30447.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit cb9fdc8479a2744b9db95ef8ef97222ee86454fd)
ASAN error:
forward.c:1433:13: runtime error: member access within misaligned
address 0x51e00002f52e for type 'const struct in6_addr', which
requires 4 byte alignment
replace IN6_ARE_ADDR_EQUAL() which uses 32bit compares on Linux - alignment
sensitive - with our own OPENVPN_IN6_ARE_ADDR_EQUAL() macro, which always
does memcpy() and does not care for alignment.
v2: Use memcmp instead of memcpy
Change-Id: I74a9eec4954f3f9d208792b6b34357571f76ae4c
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241211171349.8892-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30074.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 387c2076af14a0f1ba97b6ca0175d81d1e8391a5)
getpeername() and getsockname() will truncate the result if it is
larger than the passed-in length. Because here always the size of the
`sa` IPv4 union member was passed in, all larger (aka IPv6) results
were truncated. Instead use the size of the `addr` union, which is the
maximum size of all union members.
The bug was introduced in 0b6450c9.
Trac: #1358
Signed-off-by: corubba <corubba@gmx.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <8de5660b-d917-4092-8871-250495d8c7a4@gmx.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30035.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit dbc0491f20c34cf3b7ab8fe2a55442ea93007ddd)
This collects some minor typo fixes that are not
worth each their own commit.
Fixes: OpenVPN/openvpn#644Fixes: OpenVPN/openvpn#442
Change-Id: Ifad21a2841e97e910775f3618ddac1c483d74b65
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241128123016.10444-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29956.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f626b661dba0838907f6ad3b46cb4db5f00d1c9a)
This is highly system specific, as the content of the uname()
structure elements is not specified very well - uname(3) says:
release Release level of the operating system
which translates to "IV_PLAT_VER=13.3-RELEASE-p6" (FreeBSD) or
"IV_PLAT_VER=22.6.0" (macOS) - the latter being the "Mach Kernel
version", not what Apple calls the OS.
It's still useful if a server operator needs to keep track of
client versions (and the GUI does not set the corresponding
environment variable, which neither Tunnelblick nor NM do).
v2: manpage amendments
v3: whitespace
v4: reword manpage
Github: OpenVPN/openvpn#637
Change-Id: Id2b0c5a517f02e5c219fea2ae3ef2bdef7690169
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20241104085808.17039-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29699.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit d5b4713153ce95e88651d93aa1ef25b2676d0cfc)
Some memory leaks were detected by valgrind on the openvpn daemon, using
DCO mode on a FreeBSD platform. The leaks are caused by missing
nvlist_destroy calls in the file dco_freebsd.c.
Calls to nvlist_destroy were added, sometimes using local variables to
store nvlist pointers temporarly. A valgrind run on the updated daemon
confirmed that the leaks were gone.
Github: OpenVPN/openvpn#636
Signed-off-by: Rémi Farault <remi.farault@stormshield.eu>
Acked-by: Kristof Provost <kp@freebsd.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <f8845c0c5aa74e5bab537463249a251d@stormshield.eu>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29701.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit dee0748a1e0f57c326cf2b83f8499998ac9d1187)
When OpenVPN is compiled without PKCS11 support USER_PASS_LEN is 128
bytes. If we encounter a username larger than this length, we would
only read the 2 bytes length header of the username/password. We did
then also NOT skip the username or password field meaning that we would
continue reading the rest of the packet at the wrong offset and get
garbage results like not having peerinfo and then rejecting a client
because of no common cipher or missing data v2 support.
This will tell the client that username/password is too regardless
of whether password/username authentication is used. This way we
do not leak if username/password authentication is active.
To reproduce this issue have the server compiled with a USER_PASS_LEN
set to 128 (e.g. without pkcs11 or manually adjusting the define) and
have the client with a larger USER_PASS_LEN to actually be able to
send the larger password. The server must also be set to use only
certificate authentication while the client must use certificates
and auth-user-pass because otherwise the user/pass verification will
reject the empty credentials.
Using the openvpn3 test client with overlong username/password also
works.
Change-Id: I60f02c919767eb8f1b95253689a8233f5f68621d
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241028135505.28651-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29675.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a7f80d402fb95df3c58a8fc5d12cdb8f39c37d3e)
Remove macos-12, not supported anymore.
Add macos-15, runner is available in Beta status.
Change-Id: Ibaa591904095a824df2c0c5aaff73687e0af24fe
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Acked-by: Yuriy Darnobyt <yura.uddr@gmail.com>
Message-Id: <20241015205627.25644-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29551.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6f74d395383eeca74d6cf6f87ee1387223b2bb1c)
Implemented a safeguard to verify the returned value
from add_route3() when the default gateway is not a local
remote host.
Prior to this implementation, RT_DID_LOCAL flag was
erroneously set even in case of add_route3() failure.
This problem typically occurs when there's no default
route and the --redirect-gateway def1 option is specified,
and in case of reconnection makes it impossible for the client
to reobtain the route to the server.
This fix ensures OpenVPN accurately deletes the appropriate
route on exit by properly handling add_route3() return value.
Trac: #1457
Change-Id: I8a67b82eb4afdc8d82c5a879c18457b41e77cbe7
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240221111814.942965-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28290.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 14d2db6cd41fb6414992869caf109972d7a8275e)
In init_tun() make sure to pass the --local and --remote addresses in
the host order so that they can be compared to the --ifconfig addresses.
Change-Id: I5adbe0a79f078221c4bb5f3d39391a81b4d8adce
Signed-off-by: Ralf Lici <ralf@mandelbit.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240917091433.24092-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29261.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7d345b19e20f30cb2ecbea71682b5a41e6cff454)
Not all of these touch uninitialzed members of the struct, but that
could change in future.
Change-Id: I71bc847b48da54b70f60ccd7c4521ec699daf9cb
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240909204829.10379-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29152.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit aa1dd09b5fc196499c84d2ef9b0c254ebb1745d8)
Keep the memory segment containing username and password in
"struct user_pass" encrypted. Works only on Windows.
Username and auth-token cached by the server are not covered
here.
v2: Encrypt username and password separately as it looks more
robust. We continue to depend on the username and password buffer
sizes to be a multiple of CRYPTPROTECTMEMORY_BLOCK_SIZE = 16,
which is the case now. An error is logged if this is not the case.
v3: move up ASSERT in auth_token.c
Change-Id: I42e17e09a02f01aedadc2b03f9527967f6e1e8ff
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240906112908.1009-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29079.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 12a9c357b6a7b55bea929eb5d9669e6386ab0d0e)
Usage of credentials is a bit odd in this file.
Actually the copy of "struct user_pass" kept in p->up is not
required at all. It just defeats the purpose of auth-nocahe
as it never gets cleared.
Removing it is beyond the scope of this patch -- we just ensure
it's purged after use.
Change-Id: Ic6d63a319d272a56ac0e278f1356bc5241b56a34
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240905100724.4105-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29061.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit dbe7e456954bf001420c4552c2b6e184ec6e068c)
The current way doesn't work if the device is already in use.
Starting from 1.3.0, dco-win creates a non-exclusive
control device \\.\ovpn-dco-ver which can be opened by
multiple apps and supports a single IOCTL to get
a version number.
https://github.com/OpenVPN/ovpn-dco-win/pull/76
This will be expecially handy later when checking which
features driver supports.
Change-Id: Ieb6f3a9d14d76000c1caf8ee1e959c6d0de832bf
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240809192257.24208-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29009.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e5a8ea36a0228c30cdbee8791d44a1f0fbaffa9f)
These result from broken up literals where it
is easy to miss the missing space.
Change-Id: Ic27d84c74c1dd6ff7973ca6966d186f475c67e21
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240722121034.10816-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28950.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 824fe9ce497bd26a9609abb7324427e906ead6a4)
Writing a reason from a script will easily end up adding extra \r\n characters
at the end of the reason. Our current code pushes this to the peer. So be more
liberal in accepting these message.
Github: closesOpenVPN/openvpn#568
Change-Id: I47c992b6b73b1475cbff8a28f720cf50dc1fbe3e
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240710140623.172829-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28910.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit be31325e1dfdffbb152374985c2ae7b6644e3519)
On most systems this should work just fine.
v2:
- simplify code by removing -llzo special handling
v3:
- reintroduce support for autodetection without pkg-config,
no need to break backwards compatibility right now
v7:
- Handle case correctly where lzo/lzo1x.h can not be included
at all. On most distros this works even though the .pc
file suggests to use it without. We had some partly
solution for that but it wasn't really working.
v8:
- Handle systems that do not implicitly include limits.h
in configure test builds.
lzodefs.h usually relies on lzoconf.h to include it.
Change-Id: I1c038dc4ec80d3499582d81eee61fee74f26e693
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240626161921.179301-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28848.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 0ea51261d096b54281287bbd2a6899041c4dbd43)
Caching proxy credentials was not working due to the
lack of handling already defined creds in get_user_pass(),
which prevented the caching from working properly.
Fix this issue by getting the value of c->first_time,
that indicates if we're at the first iteration
of the main loop and use it as second argument of the
get_user_pass_http(). Otherwise, on SIGUSR1 or SIGHUP
upon instance context restart credentials would be erased
every time.
The nocache member has been added to the struct
http_proxy_options and also a getter method to retrieve
that option from ssl has been added, by doing this
we're able to erase previous queried user credentials
to ensure correct operation.
Fixes: Trac #1187
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Change-Id: Ia3e06c0832c4ca0ab868c845279fb71c01a1a78a
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240623200551.20092-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28835.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3cfd6f961d5c92bec283ac3616e1633b4e16760c)
At the moment everyone but anonymous are permitted
to create a pipe with the same name as interactive service creates,
which makes it possible for malicious process with SeImpersonatePrivilege
impersonate as local user.
This hardens the security of the pipe, making it possible only for
processes running as SYSTEM (such as interactive service) create the
pipe with the same name.
While on it, replace EXPLICIT_ACCESS structures with SDDL string.
CVE: 2024-4877
Change-Id: I35e783b79a332d247606e05a39e41b4d35d39b5d
Reported by: Zeze with TeamT5 <zeze7w@gmail.com>
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20240619134451.222-1-lev@openvpn.net>
URL: https://www.mail-archive.com/search?l=mid&q=20240619134451.222-1-lev@openvpn.net
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This makes OpenVPN more picky in accepting control message in two aspects:
- Characters are checked in the whole buffer and not until the first
NUL byte
- if the message contains invalid characters, we no longer continue
evaluating a fixed up version of the message but rather stop
processing it completely.
Previously it was possible to get invalid characters to end up in log
files or on a terminal.
This also prepares the logic a bit in the direction of having a proper
framing of control messages separated by null bytes instead of relying
on the TLS framing for that. All OpenVPN implementations write the 0
bytes between control commands.
This patch also include several improvement suggestion from Reynir
(thanks!).
CVE: 2024-5594
Reported-By: Reynir Björnsson <reynir@reynir.dk>
Change-Id: I0d926f910637dabc89bf5fa919dc6beef1eb46d9
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20240619103004.56460-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28791.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 414f428fa29694090ec4c46b10a8aba419c85659)
So far --server-poll-timeout was only applied
for HTTP proxies, apply it also to SOCKS proxies.
This removes the default 5 second socks connect timeout
which can be too small depending on network setup and
replaces it with the configurable overall connect timeout
(default 120 seconds).
Trac: #328
Github: fixesOpenVPN/openvpn#267
Change-Id: I2b109f8c551c23045a1be355778b08f0fd4d309f
Signed-off-by: 5andr0 <sandro.trianni@gmail.com>
Tested-By: ValdikSS <valdikss@gmail.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240315162011.1661139-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28408.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b3a68b85a729628ca8b97f9f0c2813f795289cfc)
This option is very old (from SVN days) and has been
used by Access Server for many years. I don't think it
makes sense to claim that it is "experimental" at this
point.
Change-Id: I913bb70c5e527e78e7cdb43110e23a8944f35a22
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240618120156.4836-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28772.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f6ee77d1f6149cf8f8982998aee6d433f58be507)
The certificate selection process for the Crypto API certificates
is currently fixed to match on subject or identifier. Especially
if certificates that are used for OpenVPN are managed by a Windows CA,
it is appropriate to select the certificate to use by the template
that it is generated from, especially on domain-joined clients which
automatically acquire/renew the corresponding certificate.
The attached match implements the match on TMPL: with either a template
name (which is looked up through CryptFindOIDInfo) or by specifying the
OID of the template directly, which then is matched against the
corresponding X509 extensions specifying the template that the certificate
was generated from.
The logic requires to walk all certificates in the underlying store and
to match the certificate extensions directly. The hook which is
implemented in the certificate selection logic is generic to allow
other Crypto-API certificate matches to also be implemented at some
point in the future.
The logic to match the certificate template is taken from the
implementation in the .NET core runtime, see Pal.Windows/FindPal.cs in
in the implementation of System.Security.Cryptography.X509Certificates.
Change-Id: Ia2c3e4c5c83ecccce1618c43b489dbe811de5351
Signed-off-by: Heiko Wundram <heiko.wundram@gehrkens.it>
Signed-off-by: Hannes Domani <ssbssa@yahoo.de>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20240606103441.26598-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28726.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 13ee7f902f18e27b981f8e440facd2e6515c6c83)
Instead of lzo_{free,malloc} we can just use the
free and malloc as the lzoutils.h header itself
suggests.
Change-Id: I32ee28fde5d38d736f753c782d88a81de7fe2980
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240604211708.32315-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28705.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit d601237976323b5d8f6ac65c27ccc510563ad75f)
While prexisting devices work well TUN/TAP the DCO interfaces require
setting the ifmode which cannot be done by FreeBSD base tooling. In
peer-to-peer mode this is not a problem because that is the default mode.
Subnet mode, however, will fail to be set and the resulting connection does
not start:
Failed to create interface ovpns2 (SIOCSIFNAME): File exists (errno=17)
DCO device ovpns2 already exists, won't be destroyed at shutdown
/sbin/ifconfig ovpns2 10.1.8.1/24 mtu 1500 up
ifconfig: in_exec_nl(): Empty IFA_LOCAL/IFA_ADDRESS
ifconfig: ioctl (SIOCAIFADDR): Invalid argument
FreeBSD ifconfig failed: external program exited with error status: 1
Exiting due to fatal error
Slightly restructure the code to catch the specific error
condition and execute dco_set_ifmode() in this case as well.
Signed-off-by: Franco Fichtner <franco@opnsense.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <AE20A784-506C-488B-9302-2D3AE775B168@opnsense.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28688.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 82036c17c45d45c3fe8725f64b33720cb9c94dad)
If an exit has already been scheduled we should not schedule it again.
Otherwise, the exit signal is never emitted if the peer reschedules the
exit before the timeout occurs.
schedule_exit() now only takes the context as argument. The signal is
hard coded to SIGTERM, and the interval is read directly from the
context options.
Furthermore, schedule_exit() now returns a bool signifying whether an
exit was scheduled; false if exit is already scheduled. The call sites
are updated accordingly. A notable difference is that management is only
notified *once* when an exit is scheduled - we no longer notify
management on redundant exit.
This patch was assigned a CVE number after already reviewed and ACKed,
because it was discovered that a misbehaving client can use the (now
fixed) server behaviour to avoid being disconnected by means of a
managment interface "client-kill" command - the security issue here is
"client can circumvent security policy set by management interface".
This only affects previously authenticated clients, and only management
client-kill, so normal renegotion / AUTH_FAIL ("your session ends") is not
affected.
CVE: 2024-28882
Change-Id: I9457f005f4ba970502e6b667d9dc4299a588d661
Signed-off-by: Reynir Björnsson <reynir@reynir.dk>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240516120434.23499-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28679.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 55bb3260c12bae33b6a8eac73cbb6972f8517411)
OpenBSD/LibreSSL reimplemented EVP_get_cipherbyname/EVP_get_digestbyname
and broke calling EVP_get_cipherbynid/EVP_get_digestbyname with an
invalid nid in the process so that it would segfault.
Workaround but doing that NULL check in OpenVPN instead of leaving it
to the library.
Github: see also https://github.com/libressl/openbsd/issues/150
Change-Id: Ia08a9697d0ff41721fb0acf17ccb4cfa23cb3934
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240508220540.12554-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28649.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b3a271b11723cbe520ad4ce6b4b0459de57ade06)
This avoids the error message triggering every night that the run
failed in forked repositories
Change-Id: Id95e0124d943912439c6ec6f562c0eb40d434163
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240506155831.3524-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28627.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 815df21d389bf70dbe98cb89f2c60b6e6e816faa)
Github's documentation states: macos-11 label has been deprecated and
will no longer be available after 6/28/2024. Add macos14 which is nowadays
supported instead.
The github macos-14 runner is using the M1 platform with ARM, so this
requires a bit more adjustment of paths.
Change-Id: Ia70f230b2e9a78939d1875395205c8f48c4944b7
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240502122231.672-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20240502122231.672-1-gert@greenie.muc.de
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 02f0845be7e54e8676e73621e424b6a1540b88b5)
Commit
3a4fb1 "Ensure --auth-nocache is handled during renegotiation"
has changed the behavior of set_auth_token(), but left unused parameter
struct user_pass *up
Remove this parameter and amend comments accordingly. Also remove
unused function definition from misc.h.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Change-Id: Ic440f2c8d46dfcb5ff41ba2f33bf28bb7286eec4
Message-Id: <20240329103739.28254-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28503.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 4c71e816031f564f834df695b3fa717ea22720d2)
- Remove obsolete ifconfig_broadcast. Since this was
removed in 2.5.0, do not add a removal note but just
completely remove it.
- Add missing documentation of IPv6 variants for
ifconfig_pool_* variables.
Github: fixesOpenvpn/openvpn#527
Change-Id: Ia8c8de6799f0291fc900628fbd06c8a414e741ca
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240321161623.2794161-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28438.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a94226cdc8ed037a6763675aa47e6c821983f174)
As Coverity says:
Either the check against null is unnecessary, or there may be a null
pointer dereference.
In phase2_tcp_server: Pointer is checked against null but then
dereferenced anyway
There is only one caller (link_socket_init_phase2) and it already has
an ASSERT(sig_info). So use that here was well.
v2:
- fix cleanly by actually asserting that sig_info is defined
Change-Id: I8ef199463d46303129a3f563fd9eace780a58b8a
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240325071448.12143-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28452.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e8c629fe64c67ea0a8454753be99db44df7ce53e)
