This adds support for parsing DEFAULT in data-ciphers, the idea is that people
can modify the default without repeating the default ciphers.
In the past we have seen that people will use data-ciphers BF-CBC or
data-ciphers AES-128-CBC when getting the warning that the cipher is not
supported by the server. This commit aims to provide a better way for
these situations as we still want people to rely on default cipher selection
from OpenVPN when possible.
Change-Id: Ia1c5209022d3ab4c0dac6438c41891c7d059f812
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20241227124632.110920-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30245.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
c->c2.link_socket_owned is true in client mode
and for the global context in the server mode -
those are exactly the cases when we want to
set sd to undefined when using dco-win.
Change-Id: I3232dd8d855ca3f198b4ca3b2ef4f67cec49f3d4
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241231145417.12128-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30328.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Enable dco-win with mode server if driver supports it.
Disable for proto TCP or older drivers.
Change-Id: Iea4538cee075d50de836d1ef7652985186b2527c
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241230193204.9897-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30317.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Introduce internal changes preparing the server to
handle multiple sockets concurrently for both
TCP and UDP protocols. While no user-visible
features are implemented yet, these modifications
are essential for enabling future functionality
such as listening on multiple ports.
Key changes are: converting link_socket from a
single pointer to an array in various contexts,
in order to be able to store multiple sockets
at once.
Change-Id: Ia0a889e800f0b36aed770ee36e31afeec5df6084
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241230162338.21401-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30309.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
As a preparation for multipeer and data_v3,
add function which returns dco version in
machine-readable format.
Change-Id: I8e8ddd35bd3cc3334faf7f57118d1892512ae9f7
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241229141800.4734-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30297.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This patch implements the Fisher-Yates shuffle algorithm to ensure that all
permutations of the connection target list are generated with equal
probability, eliminating biases present in the previous shuffling method. In
the Fisher-Yates algorithm, there's only one way to obtain each permutation
through a series of element swaps, so all permutations occur with equal
probability in theory.
Signed-off-by: Shuji Furukawa <shujifurukawa1213@gmail.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20241118142019.31045-1-shujifurukawa1213@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29837.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
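As an added illustration of the point in the commit message above (this is example code written for this page, not OpenVPN's own implementation): a Fisher-Yates shuffle next to a naive "swap each slot with a random slot" shuffle, both with an injectable RNG. Replaying every possible sequence of RNG outputs for a 3-entry target list shows that Fisher-Yates hits each of the 3! permutations exactly once, while the naive variant spreads 3^3 = 27 sequences over 6 permutations and therefore cannot be uniform. All names below are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not OpenVPN code: Fisher-Yates versus a naive shuffle with
 * a replayable RNG so the outcome distribution can be enumerated exactly. */

/* rng(n, state) must return a value uniformly distributed in [0, n). */
typedef unsigned (*rand_range_fn)(unsigned n, void *state);

static void swap_int(int *a, int *b) { int t = *a; *a = *b; *b = t; }

/* Fisher-Yates: walk from the end, swapping slot i with a random slot j <= i.
 * Each of the n! choice sequences yields a different permutation. */
void fisher_yates_shuffle(int *arr, unsigned len, rand_range_fn rng, void *state)
{
    if (len < 2) return;
    for (unsigned i = len - 1; i > 0; i--) {
        swap_int(&arr[i], &arr[rng(i + 1, state)]);
    }
}

/* Naive shuffle: swap every slot with a random slot anywhere in the array.
 * n^n choice sequences land on n! permutations, so it cannot be uniform. */
void naive_shuffle(int *arr, unsigned len, rand_range_fn rng, void *state)
{
    for (unsigned i = 0; i < len; i++) {
        swap_int(&arr[i], &arr[rng(len, state)]);
    }
}

/* Scripted RNG: replays a fixed list of choices so outcomes can be enumerated. */
struct scripted_rng { unsigned choices[3]; unsigned pos; };

static unsigned scripted_rand(unsigned n, void *state)
{
    struct scripted_rng *s = state;
    return s->choices[s->pos++] % n;   /* enumerations below only feed in-range choices */
}

/* Map a permutation of {0,1,2} to an index in 0..5. */
static unsigned perm_index(const int a[3])
{
    return (unsigned)a[0] * 2 + (a[1] > a[2] ? 1u : 0u);
}

/* Feed every choice sequence to Fisher-Yates for n = 3 and count how often
 * each permutation results. Returns the number of sequences (3 * 2 = 6). */
unsigned tally_fisher_yates_n3(unsigned counts[6])
{
    unsigned total = 0;
    memset(counts, 0, 6 * sizeof(counts[0]));
    for (unsigned j2 = 0; j2 < 3; j2++) {        /* i = 2: j in [0, 3) */
        for (unsigned j1 = 0; j1 < 2; j1++) {    /* i = 1: j in [0, 2) */
            int a[3] = {0, 1, 2};
            struct scripted_rng s = {{j2, j1, 0}, 0};
            fisher_yates_shuffle(a, 3, scripted_rand, &s);
            counts[perm_index(a)]++;
            total++;
        }
    }
    return total;
}

/* Same enumeration for the naive shuffle: 3^3 = 27 sequences. */
unsigned tally_naive_n3(unsigned counts[6])
{
    unsigned total = 0;
    memset(counts, 0, 6 * sizeof(counts[0]));
    for (unsigned j0 = 0; j0 < 3; j0++)
        for (unsigned j1 = 0; j1 < 3; j1++)
            for (unsigned j2 = 0; j2 < 3; j2++) {
                int a[3] = {0, 1, 2};
                struct scripted_rng s = {{j0, j1, j2}, 0};
                naive_shuffle(a, 3, scripted_rand, &s);
                counts[perm_index(a)]++;
                total++;
            }
    return total;
}

/* 1 if every permutation was produced equally often, else 0. */
int counts_uniform(const unsigned counts[6])
{
    for (unsigned i = 1; i < 6; i++)
        if (counts[i] != counts[0]) return 0;
    return 1;
}

/* Helper for checks: is the chosen shuffle uniform over 3 elements? */
int shuffle_n3_is_uniform(int naive)
{
    unsigned c[6];
    if (naive) tally_naive_n3(c); else tally_fisher_yates_n3(c);
    return counts_uniform(c);
}

int main(void)
{
    unsigned c[6];
    unsigned n = tally_fisher_yates_n3(c);
    printf("fisher-yates: %u sequences, uniform=%d\n", n, counts_uniform(c));
    n = tally_naive_n3(c);
    printf("naive:        %u sequences, uniform=%d\n", n, counts_uniform(c));
    return 0;
}
```

The enumeration only needs the RNG to be replayable; with a real RNG (OpenVPN draws from its own PRNG) the same `fisher_yates_shuffle` is what produces the unbiased ordering of `--remote` entries.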
This change ensures that when a numeric IP address is specified
as argument to a 'local' directive, its ai_family overrides
the one extracted from the 'proto' config option.
Change-Id: Ie2471e6b2d6974e70423b09918ad1c2136253754
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241227161755.4010-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30257.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
We write doxygen comments but we do not verify them. So
quite some errors have crept in. Trying to reduce them
by reviewing the warnings output of doxygen and addressing
most of them.
Did generally ignore "The following parameter is not documented"
warnings (except those caused by typos). Fixing those will
require more work.
Usual errors fixed:
- Wrong usage of @file
- Wrong spellings of @param
- Desync between function declaration and comment
(usually param names)
Change-Id: I7a852eb5fafae3a0e85dd89ea6d4c91fcf2fab4e
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20241227161648.3350-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30256.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This introduces a new structure key_parameters. The reason is that the
current struct serves both as an internal struct as well as an
on-wire/in-file format. Separate these two different usages to allow
extending the struct.
Change-Id: I4a981c5a70717e2276d89bf83a06c7fdbe6712d7
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20241227111133.5893-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30228.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The LLVM/clang compiler warning and error message are easier to read
than their MSVC cl counterparts. Also compiling/running tests on Windows
with a different compiler has the benefit of a better coverage.
This includes a few minor changes to allow clang-cl to compile the
project.
Change-Id: I43d84034f3e920a45731c4aab4f851a60921290d
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20241227112209.11572-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30231.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
While port-share already supports IPv6 connections from clients, it only
supported IPv4 connections towards the proxy receiver. The used
common/shared OpenVPN machinery is already IPv6-ready, so all needed was
to use properly-sized `sockaddr` structs and removing hardcoded IPv4
restrictions.
Signed-off-by: Corubba Smith <corubba@gmx.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <dcc7e538-2035-4697-b306-10eb470632f3@gmx.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30115.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This allows getting rid of multiple casts and also prepares for the
larger packet id used by epoch data format.
Change-Id: If470af2eb456b2b10f9f2806933e026842188c42
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241225142131.12543-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30199.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commit
6f2d222 ("dns: store IPv4 addresses in network byte order")
changed the internal representation of IPv4 address within DNS
settings to network byte order, however later this value is copied into
tuntap_options, where IPv4 addresses are assumed to be in host byte
order (see lots of occurrences of "htonl(tt->" in tun.c). As a
consequence, DNS server address is set incorrectly, like 4.4.8.8 instead
of 8.8.4.4
Fix by converting address to host byte order when copying from DNS
options to tuntap_options.
Change-Id: I87e4593e6a548bacd40b840cd241950019fa457d
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241224174233.13005-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30195.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This is really more a function of initialising the data cipher and key
context and putting it into the init_key_ctx_bi makes more sense.
It will allow calling init_key_ctx_bi to fully initialise a
data channel key without calling some extra functions after that
which will make the (upcoming) epoch key implementation cleaner.
Also ensure that free_ctx_bi actually also sets initialized to false.
Change-Id: Id223612c7bcab91d49c013fb775024bd64ab0836
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241222214541.11021-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30170.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This allows for only initialising one of the keys. This is needed
for epoch keys where key rotation of send/recv key can happen at
different time points.
Change-Id: If9e029bdac264dcc05b2d256c4d323315904a92b
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241221223905.18820-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30151.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
utf8to16_size() takes the size of the to be converted string. This is
needed to convert MULTI_SZ strings, which contain inline NUL characters,
but can be useful in other cases as well.
Change-Id: I6b4aa3d63c0b684bf95841271c04bc5d9c37793b
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241221224136.20984-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30158.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Use crypto_epoch.c/h for the new functions since they are
linked to the epoch key usage in OpenVPN.
Change-Id: I3a1c6561f4d9a69e2a441d49dff620b4258a1bcc
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: MaxF <max@max-fillinger.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241221222404.10266-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30149.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This implements the limitation of AEAD key usage[1] with a confidentiality
margin of 2^-57, the same as TLS 1.3. In this implementation, unlike
TLS 1.3 that counts the number of records, we count the actual number of
packets and plaintext blocks. TLS 1.3 can reasonably assume that for
large data transfers, full records are used and therefore the maximum
record size of 2^14 (2^10 blocks) is used to calculate the number of
records before a new key needs to be used.
For a VPN like OpenVPN, the same calculation would either require using a
pessimistic assumption of using an MTU size of 65k which limits us to
2^24 packets, which equals only 24 GB with more common MTU/MSS of 1400
or requiring a dynamic calculation which includes the actual MTU that
we allow to send. For 1500 the calculation yields 2^29.4 which is a
quite significant higher number of packets (923 GB at 1400 MSS/MTU).
To avoid this dynamic calculation and also avoid needing to know the
MSS/MTU size in the crypto layer, this implementation foregoes the
simplification of counting just packets but will count blocks and packets
instead and determines the limit from that.
This also has the side effect that connections with a lot of small packets
(like TCP ACKs) mixed with large packets will be able to keep using the same
key much longer until requiring a renegotiation.
This patch will set the limit where to trigger the renegotiation at 7/8
of the recommended maximum value.
[1] https://www.ietf.org/archive/id/draft-irtf-cfrg-aead-limits-08.html
Testing instructions:
The easiest way to test if this patch works as
intended is to manually change the return value of cipher_get_aead_limits
to some silly low value like 2048. After a bit of VPN traffic, a soft
reset should occur that indicates being over the
TLS: soft reset sec=41/3600 bytes=59720/-1 pkts=78/0 aead_limit_send=1883/1792 aead_limit_recv=1937/1792
Here the send limit is over the limit (1792 = 2048 * 8/7).
Change-Id: I057f007577f10c6ac917ee4620ee3d2559187dc7
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241221153731.1755-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30144.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
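To make the accounting in the commit message above concrete, here is an added example (written for this page, not OpenVPN's `cipher_get_aead_limits` or its counters): a usage counter that charges each packet one unit for itself plus one unit per 16-byte plaintext block, compares the sum against 7/8 of the cipher's limit, and, for contrast, the static packets-per-key budget you get when every packet is assumed to be a fixed size. The limit derivation assumes the GCM confidentiality bound from draft-irtf-cfrg-aead-limits, CA <= (s + q + 1)^2 / 2^129 with s plaintext blocks and q packets; solving that for CA <= 2^-57 gives s + q + 1 <= 2^36, which is where the 2^24-packets-at-65k figure comes from. Struct and function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not OpenVPN code: AEAD key-usage accounting by packets
 * and blocks with the renegotiation trigger at 7/8 of the limit. */

#define AEAD_BLOCK_SIZE 16

struct aead_usage {
    uint64_t packets;   /* q: packets encrypted under this key */
    uint64_t blocks;    /* s: 16-byte plaintext blocks, partial blocks rounded up */
};

/* Largest s + q with (s + q + 1)^2 / 2^129 <= 2^-57, i.e. s + q + 1 <= 2^36
 * (assumes the GCM confidentiality bound of draft-irtf-cfrg-aead-limits). */
uint64_t aead_gcm_usage_limit(void)
{
    return (UINT64_C(1) << 36) - 1;
}

/* Soft reset at 7/8 of the limit so the new key is in place before the old
 * one is actually exhausted. 2048 -> 1792, the numbers in the log line above. */
uint64_t aead_renegotiate_threshold(uint64_t limit)
{
    return limit - limit / 8;
}

/* Charge one packet of plaintext_len bytes: one unit for the packet plus one
 * per (partial) block. A 1400-byte packet costs 1 + 88 = 89, a 52-byte ACK 1 + 4 = 5. */
void aead_usage_add_packet(struct aead_usage *u, size_t plaintext_len)
{
    u->packets++;
    u->blocks += (plaintext_len + AEAD_BLOCK_SIZE - 1) / AEAD_BLOCK_SIZE;
}

uint64_t aead_usage_total(const struct aead_usage *u)
{
    return u->packets + u->blocks;
}

int aead_needs_renegotiation(const struct aead_usage *u, uint64_t limit)
{
    return aead_usage_total(u) > aead_renegotiate_threshold(limit);
}

/* The static alternative the commit message argues against: how many packets
 * fit under the limit if every packet is assumed to be pkt_len bytes. */
uint64_t aead_packets_under_limit(uint64_t limit, size_t pkt_len)
{
    uint64_t cost = 1 + (pkt_len + AEAD_BLOCK_SIZE - 1) / AEAD_BLOCK_SIZE;
    return limit / cost;
}

/* Helper for checks: usage total after n packets of pkt_len bytes on a fresh key. */
uint64_t aead_usage_after(size_t pkt_len, unsigned n)
{
    struct aead_usage u = {0, 0};
    for (unsigned i = 0; i < n; i++) {
        aead_usage_add_packet(&u, pkt_len);
    }
    return aead_usage_total(&u);
}

int main(void)
{
    uint64_t limit = 2048;   /* the "silly low value" from the testing instructions */
    struct aead_usage u = {0, 0};
    for (int i = 0; i < 21; i++) {
        aead_usage_add_packet(&u, 1400);
    }
    printf("usage=%llu threshold=%llu renegotiate=%d\n",
           (unsigned long long)aead_usage_total(&u),
           (unsigned long long)aead_renegotiate_threshold(limit),
           aead_needs_renegotiation(&u, limit));
    printf("static budget at GCM limit: %llu packets of 65535 bytes, %llu of 1400\n",
           (unsigned long long)aead_packets_under_limit(aead_gcm_usage_limit(), 65535),
           (unsigned long long)aead_packets_under_limit(aead_gcm_usage_limit(), 1400));
    return 0;
}
```

With the limit forced to 2048, the 21st 1400-byte packet pushes the total to 1869, past the 1792 trigger, which is the same kind of soft reset the testing instructions describe. Small packets are charged only a few units each, which is why mixed traffic keeps a key longer than the packet-only estimate predicts.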
This is done so that inet_ntop(3) can be used with IPv4 name server
addresses. It expects the binary address in network byte order. If they
are not that way the address octets are reversed.
Change-Id: I81d4bb0abdd421f5ba260c10c610918652334a4d
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20241213164552.265863-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30111.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
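The two commit messages about IPv4 byte order on this page (the one storing DNS server addresses in network byte order, and the follow-up fixing the copy into the tun options) describe one boundary that is easy to get wrong. As an added example (written for this page, not OpenVPN's dns.c or tun.c; the struct names are hypothetical stand-ins), this shows the conversion done at the copy, and what `inet_ntop(3)` prints when it is handed host-order bytes instead of the network-order bytes it expects.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Added example, not OpenVPN code: keep the byte-order conversion at the
 * boundary between a network-order option struct and a host-order one. */

struct dns_server_opts {
    struct in_addr addr;        /* network byte order, as inet_pton() produces it */
};

struct tuntap_opts {
    in_addr_t dns_host_order;   /* host byte order, as the tun code expects */
};

/* Copy a DNS server address into the tun options, converting once, here. */
void dns_opts_to_tuntap(const struct dns_server_opts *dns, struct tuntap_opts *tt)
{
    tt->dns_host_order = ntohl(dns->addr.s_addr);
}

/* Format a host-order address: convert back to network order for inet_ntop().
 * Returns 0 on success. */
int format_host_order(in_addr_t host_order, char *out, size_t outlen)
{
    struct in_addr tmp;
    tmp.s_addr = htonl(host_order);
    return inet_ntop(AF_INET, &tmp, out, outlen) ? 0 : -1;
}

/* The bug pattern: host-order bytes handed to an API that wants network order.
 * On a little-endian host the octets come out reversed (8.8.4.4 -> 4.4.8.8). */
int format_host_order_wrong(in_addr_t host_order, char *out, size_t outlen)
{
    struct in_addr tmp;
    tmp.s_addr = host_order;    /* missing htonl() */
    return inet_ntop(AF_INET, &tmp, out, outlen) ? 0 : -1;
}

/* Helper for checks: parse text, round-trip through the tuntap struct and
 * format it correctly. Returns 1 if the text comes back unchanged. */
int roundtrip_ok(const char *text)
{
    struct dns_server_opts dns;
    struct tuntap_opts tt;
    char buf[INET_ADDRSTRLEN];
    if (inet_pton(AF_INET, text, &dns.addr) != 1) return 0;
    dns_opts_to_tuntap(&dns, &tt);
    if (format_host_order(tt.dns_host_order, buf, sizeof(buf)) != 0) return 0;
    return strcmp(buf, text) == 0;
}

/* Helper for checks: 1 if the buggy path reverses the octets on this host
 * (little-endian), 0 on a big-endian host where both paths agree. */
int wrong_path_reverses_octets(void)
{
    struct dns_server_opts dns;
    struct tuntap_opts tt;
    char buf[INET_ADDRSTRLEN];
    if (inet_pton(AF_INET, "8.8.4.4", &dns.addr) != 1) return 0;
    dns_opts_to_tuntap(&dns, &tt);
    if (format_host_order_wrong(tt.dns_host_order, buf, sizeof(buf)) != 0) return 0;
    return strcmp(buf, "4.4.8.8") == 0;
}

int main(void)
{
    char good[INET_ADDRSTRLEN], bad[INET_ADDRSTRLEN];
    struct dns_server_opts dns;
    struct tuntap_opts tt;
    inet_pton(AF_INET, "8.8.4.4", &dns.addr);
    dns_opts_to_tuntap(&dns, &tt);
    format_host_order(tt.dns_host_order, good, sizeof(good));
    format_host_order_wrong(tt.dns_host_order, bad, sizeof(bad));
    printf("correct: %s  without htonl(): %s\n", good, bad);
    return 0;
}
```

Everything that touches `struct in_addr` directly (`inet_ntop`, `inet_pton`, socket addresses) wants network order; anything the code does arithmetic or comparisons on in host order has to be converted at exactly one place, otherwise the same value ends up double-swapped or not swapped at all depending on the path.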
This change prepares the extended packet id data where also the packet id
part of the IV will be derived using xor. Using xor also in the AEAD
case where this degenerates to a concatenation allows using the same
IV generation code later.
Change-Id: I74216d776d3e0a8dc987ec7b1671c8e8dcccdbd6
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: MaxF <max@max-fillinger.net>
Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Acked-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241212143845.4090-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30097.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
ASAN error:
forward.c:1433:13: runtime error: member access within misaligned
address 0x51e00002f52e for type 'const struct in6_addr', which
requires 4 byte alignment
replace IN6_ARE_ADDR_EQUAL() which uses 32bit compares on Linux - alignment
sensitive - with our own OPENVPN_IN6_ARE_ADDR_EQUAL() macro, which always
does memcpy() and does not care for alignment.
v2: Use memcmp instead of memcpy
Change-Id: I74a9eec4954f3f9d208792b6b34357571f76ae4c
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241211171349.8892-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30074.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
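For readers who have not hit this class of bug: a `struct in6_addr` that lives inside a packet buffer is not guaranteed to sit on a 4-byte boundary, so a comparison macro that reads it as 32-bit words is undefined behaviour there (that is what the ASAN/UBSAN report above is saying), while `memcmp()` reads byte-wise and is valid on any address. The following is an added example written for this page (not OpenVPN's forward.c); the macro name mirrors the one the commit message mentions but is defined here independently, and the Ethernet/IPv6 frame is constructed test data. The destination address field lands at byte 14 + 24 = 38 of the frame, which is deliberately not a multiple of 4.

```c
#include <stdint.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>

/* Added example, not OpenVPN code: alignment-agnostic IPv6 address compare
 * applied to an address embedded at an odd offset in a packet buffer. */

/* memcmp() has no alignment requirement; glibc's IN6_ARE_ADDR_EQUAL()
 * compares 32-bit words and so assumes 4-byte alignment. */
#define OPENVPN_IN6_ARE_ADDR_EQUAL(a, b) \
    (memcmp((a), (b), sizeof(struct in6_addr)) == 0)

#define ETH_HDR_LEN 14
#define IPV6_HDR_LEN 40
#define IPV6_DST_OFFSET 24   /* destination address within the IPv6 header */

/* Return 1 if the IPv6 destination of an Ethernet-framed packet equals want. */
int frame_ipv6_dst_equals(const uint8_t *frame, size_t len, const struct in6_addr *want)
{
    if (len < ETH_HDR_LEN + IPV6_HDR_LEN) {
        return 0;
    }
    if ((frame[ETH_HDR_LEN] >> 4) != 6) {   /* version nibble */
        return 0;
    }
    /* Points at offset 38: misaligned for struct in6_addr, fine for memcmp(). */
    const uint8_t *dst = frame + ETH_HDR_LEN + IPV6_DST_OFFSET;
    return OPENVPN_IN6_ARE_ADDR_EQUAL(dst, want);
}

/* Build a minimal Ethernet + IPv6 header (constructed test data).
 * Returns the number of bytes written, 0 if buf is too small. */
size_t build_frame(uint8_t *buf, size_t buflen,
                   const struct in6_addr *src, const struct in6_addr *dst)
{
    if (buflen < ETH_HDR_LEN + IPV6_HDR_LEN) {
        return 0;
    }
    memset(buf, 0, ETH_HDR_LEN + IPV6_HDR_LEN);
    buf[12] = 0x86; buf[13] = 0xdd;            /* EtherType IPv6 */
    buf[ETH_HDR_LEN] = 0x60;                   /* version 6, traffic class 0 */
    buf[ETH_HDR_LEN + 6] = 59;                 /* next header: none */
    buf[ETH_HDR_LEN + 7] = 64;                 /* hop limit */
    memcpy(buf + ETH_HDR_LEN + 8, src, sizeof(*src));
    memcpy(buf + ETH_HDR_LEN + IPV6_DST_OFFSET, dst, sizeof(*dst));
    return ETH_HDR_LEN + IPV6_HDR_LEN;
}

/* Helper for checks: does a frame sent to dst_text match want_text?
 * Returns 1/0, or -1 if an address does not parse. */
int dst_matches(const char *dst_text, const char *want_text)
{
    struct in6_addr src, dst, want;
    uint8_t frame[ETH_HDR_LEN + IPV6_HDR_LEN];
    if (inet_pton(AF_INET6, "2001:db8::1", &src) != 1
        || inet_pton(AF_INET6, dst_text, &dst) != 1
        || inet_pton(AF_INET6, want_text, &want) != 1) {
        return -1;
    }
    size_t len = build_frame(frame, sizeof(frame), &src, &dst);
    return frame_ipv6_dst_equals(frame, len, &want);
}

int main(void)
{
    printf("2001:db8::2 vs 2001:db8::2 -> %d\n", dst_matches("2001:db8::2", "2001:db8::2"));
    printf("2001:db8::2 vs 2001:db8::3 -> %d\n", dst_matches("2001:db8::2", "2001:db8::3"));
    return 0;
}
```

Compiling this with `-fsanitize=undefined` stays quiet; swapping the macro body for a cast to `const uint32_t *` followed by word compares is what produces the "misaligned address" report quoted in the commit message.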
getpeername() and getsockname() will truncate the result if it is
larger than the passed-in length. Because here always the size of the
`sa` IPv4 union member was passed in, all larger (aka IPv6) results
were truncated. Instead use the size of the `addr` union, which is the
maximum size of all union members.
The bug was introduced in 0b6450c9.
Trac: #1358
Signed-off-by: corubba <corubba@gmx.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <8de5660b-d917-4092-8871-250495d8c7a4@gmx.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30035.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Make it clearer where the blocks are.
Change-Id: If645c3faf149bac82167a91be13541b30a1b8d6a
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20241205214158.23542-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30027.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Has been present in all releases since 10.7,
i.e. about 13 years ago. At this point the check
just makes the code uglier for no actual benefit.
Change-Id: I41eeae35ab23d9fb2512f33086f20f54c2d4f6df
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20241128142708.14665-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29963.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This collects some minor typo fixes that are not
worth each their own commit.
Fixes: OpenVPN/openvpn#644
Fixes: OpenVPN/openvpn#442
Change-Id: Ifad21a2841e97e910775f3618ddac1c483d74b65
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241128123016.10444-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29956.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Special thanks to Sean Brady's hard work in GSoC 2023 towards creating
a TUN/TAP driver for Haiku!
* More kudos to Augustin Cavalier for making it functional :-)
Signed-off-by: Alexander von Gluck <alex@terarocket.io>
Acked-by: Gert Doering <gert@greenie.muc.de>
Change-Id: I9a278374f492a538f0c174ced1746c3b1f82b8c9
Message-Id: <20241128101538.12810-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29947.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Add some missing "<" to trailing comments
to make sure they apply to the correct line.
Change-Id: Ib88ce925b20c5912de489ef1b62615c4b87d365c
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20241126102651.18905-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29897.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
reneg-bytes can currently only specify up to a maximum of 2GB.
This makes it even problematic to use without extended counters.
Change-Id: I993e7fc5609955d271e74370affc2eea340a1e2d
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241111094033.16073-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29744.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The if statement has become quite large and unreadable. Reformat it
and move it to a separate function.
Change-Id: I210fa255921e7115bd66ba5f3e431562552e3335
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241111074355.17918-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29740.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The NLMSG_TAIL macro is confusing gcc when compiling with -O3, leading
to warnings like:
networking_sitnl.c:143:9: warning: writing 4 bytes into a region of size 0 [-Wstringop-overflow=]
143 | memcpy(RTA_DATA(rta), data, alen);
| ^
networking_sitnl.c:101:21: note: at offset [72, 88] into destination object ‘n’ of size 16
101 | struct nlmsghdr n;
| ^
Replacing the macro with a function is also not effective because gcc
will inline it and get confused again.
The only way out is to write a function that never gets inline'd and
replace the macro with it.
Tested on linux with gcc and clang.
Change-Id: I9306a590a10a7d5cba32abe06d269494fec41ba6
Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20241106131705.11069-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29710.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
We can't disable compression support on receive because
that would break too many configurations out there. But
we can remove the support for compressing outgoing traffic,
it was disabled by default anyway.
Makes "--allow-compression yes" an alias for
"--allow-compression asym" and removes all resulting dead code.
Change-Id: I402ba016b75cfcfec4fc8b2b01cc4eca7e2bcc60
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241108173851.436-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29718.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This is highly system specific, as the content of the uname()
structure elements is not specified very well - uname(3) says:
release Release level of the operating system
which translates to "IV_PLAT_VER=13.3-RELEASE-p6" (FreeBSD) or
"IV_PLAT_VER=22.6.0" (macOS) - the latter being the "Mach Kernel
version", not what Apple calls the OS.
It's still useful if a server operator needs to keep track of
client versions (and the GUI does not set the corresponding
environment variable, which neither Tunnelblick nor NM do).
v2: manpage amendments
v3: whitespace
v4: reword manpage
Github: OpenVPN/openvpn#637
Change-Id: Id2b0c5a517f02e5c219fea2ae3ef2bdef7690169
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20241104085808.17039-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29699.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Some memory leaks were detected by valgrind on the openvpn daemon, using
DCO mode on a FreeBSD platform. The leaks are caused by missing
nvlist_destroy calls in the file dco_freebsd.c.
Calls to nvlist_destroy were added, sometimes using local variables to
store nvlist pointers temporarily. A valgrind run on the updated daemon
confirmed that the leaks were gone.
Github: OpenVPN/openvpn#636
Signed-off-by: Rémi Farault <remi.farault@stormshield.eu>
Acked-by: Kristof Provost <kp@freebsd.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <f8845c0c5aa74e5bab537463249a251d@stormshield.eu>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29701.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When OpenVPN is compiled without PKCS11 support USER_PASS_LEN is 128
bytes. If we encounter a username larger than this length, we would
only read the 2 bytes length header of the username/password. We did
then also NOT skip the username or password field meaning that we would
continue reading the rest of the packet at the wrong offset and get
garbage results like not having peerinfo and then rejecting a client
because of no common cipher or missing data v2 support.
This will tell the client that username/password is too long regardless
of whether password/username authentication is used. This way we
do not leak if username/password authentication is active.
To reproduce this issue have the server compiled with a USER_PASS_LEN
set to 128 (e.g. without pkcs11 or manually adjusting the define) and
have the client with a larger USER_PASS_LEN to actually be able to
send the larger password. The server must also be set to use only
certificate authentication while the client must use certificates
and auth-user-pass because otherwise the user/pass verification will
reject the empty credentials.
Using the openvpn3 test client with overlong username/password also
works.
Change-Id: I60f02c919767eb8f1b95253689a8233f5f68621d
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241028135505.28651-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29675.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
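The failure mode described above (length read, field not skipped, everything after it parsed from the wrong offset) is a general one for length-prefixed wire formats. As an added example written for this page (not OpenVPN's control-channel parser), the reader below rejects an oversized field but still advances past it, so a later field, here a stand-in for peer-info, is still read from the right place. The wire layout assumed is a 2-byte big-endian length followed by that many bytes; `USER_PASS_LEN`, the struct and function names are hypothetical, and the packet is constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not OpenVPN code: length-prefixed field reader that skips
 * oversized fields instead of leaving the cursor inside them. */

#define USER_PASS_LEN 128   /* hypothetical: the non-PKCS11 size from the commit message */

enum field_status {
    FIELD_OK = 0,
    FIELD_TOO_LONG,     /* field skipped; caller should reject the peer */
    FIELD_TRUNCATED     /* buffer ended mid-field; parsing cannot continue */
};

struct cursor {
    const uint8_t *buf;
    size_t len;
    size_t pos;
};

/* Read one field into out (capacity outlen, NUL-terminated). On
 * FIELD_TOO_LONG the cursor has still moved past the whole field. */
enum field_status read_field(struct cursor *c, char *out, size_t outlen)
{
    if (c->len - c->pos < 2) {
        return FIELD_TRUNCATED;
    }
    size_t flen = ((size_t)c->buf[c->pos] << 8) | c->buf[c->pos + 1];
    c->pos += 2;
    if (c->len - c->pos < flen) {
        c->pos = c->len;
        return FIELD_TRUNCATED;
    }
    const uint8_t *field = c->buf + c->pos;
    c->pos += flen;                 /* always skip the field, even if too long */
    if (flen >= outlen) {
        out[0] = '\0';
        return FIELD_TOO_LONG;
    }
    memcpy(out, field, flen);
    out[flen] = '\0';
    return FIELD_OK;
}

/* Parse username, password and a trailing peer-info field. Returns 1 when
 * peer-info was read intact, which is what the buggy version lost for
 * overlong credentials. creds_too_long is set without saying which field
 * overflowed or whether user/pass authentication is in use. */
int parse_credentials(const uint8_t *pkt, size_t len, int *creds_too_long,
                      char *peerinfo, size_t peerinfo_len)
{
    struct cursor c = {pkt, len, 0};
    char user[USER_PASS_LEN], pass[USER_PASS_LEN];
    enum field_status su = read_field(&c, user, sizeof(user));
    enum field_status sp = read_field(&c, pass, sizeof(pass));
    if (su == FIELD_TRUNCATED || sp == FIELD_TRUNCATED) {
        return 0;
    }
    *creds_too_long = (su == FIELD_TOO_LONG || sp == FIELD_TOO_LONG);
    return read_field(&c, peerinfo, peerinfo_len) == FIELD_OK;
}

/* Constructed packet: username of ulen 'a' bytes, password "pw", then
 * peer-info "IV_VER=2.7". Returns bytes written, 0 if buf is too small. */
size_t build_packet(uint8_t *buf, size_t buflen, size_t ulen)
{
    const char *pw = "pw", *pi = "IV_VER=2.7";
    size_t need = 2 + ulen + 2 + strlen(pw) + 2 + strlen(pi);
    if (buflen < need || ulen > 0xffff) return 0;
    size_t p = 0;
    buf[p++] = (uint8_t)(ulen >> 8); buf[p++] = (uint8_t)ulen;
    memset(buf + p, 'a', ulen); p += ulen;
    buf[p++] = 0; buf[p++] = (uint8_t)strlen(pw);
    memcpy(buf + p, pw, strlen(pw)); p += strlen(pw);
    buf[p++] = 0; buf[p++] = (uint8_t)strlen(pi);
    memcpy(buf + p, pi, strlen(pi)); p += strlen(pi);
    return p;
}

/* Helper for checks: bit 1 set if peer-info came back as "IV_VER=2.7",
 * bit 0 set if credentials were flagged too long; -1 on build/parse failure. */
int probe(size_t ulen)
{
    uint8_t pkt[1024];
    char pi[64];
    int too_long = 0;
    size_t len = build_packet(pkt, sizeof(pkt), ulen);
    if (len == 0 || !parse_credentials(pkt, len, &too_long, pi, sizeof(pi))) return -1;
    return (strcmp(pi, "IV_VER=2.7") == 0 ? 2 : 0) | (too_long ? 1 : 0);
}

int main(void)
{
    printf("username 10 bytes  -> %d\n", probe(10));
    printf("username 300 bytes -> %d (peer-info intact, creds flagged)\n", probe(300));
    return 0;
}
```

The two properties worth keeping in any such parser are visible in `read_field`: the cursor advances by the declared length before the size check, and the size check happens against the caller's buffer rather than a global constant, so a build with a different `USER_PASS_LEN` changes only what is rejected, not where the next field starts.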
In order to allow the code to work with multiple listening sockets
it is essential to allow the generic multi_io event handler
to distinguish between the various socket objects.
This can be achieved by passing an event_arg object that contains
a pointer to the link_socket.
This code path is used on clients as well as UDP servers.
Change-Id: I7ebf0d4fb2a23278e16003b2e35598178155d658
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Message-Id: <20241023142030.731-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29625.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Instead of passing the shift argument as pointer, pass
directly its integer value. This will allow the code to
distinguish a shift value from a real object pointer,
like we already do in multi_tcp_process_io().
This change will allow us later to pass an event_arg
object as event handler argument instead of a simple
integer value.
Change-Id: Ib583bf17e35b14aed78fd8217b6e71e8c2b78089
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20241023084208.12317-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29604.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
In order to prepare the code to work with distinct sockets,
it is essential that i/o functions do not operate on any
hard-coded socket object (i.e. c->c2.link_socket).
This patch changes all the low-level i/o functions to work
with a socket specified as argument rather than a fixed one.
Change-Id: I8eae2d3356bbcc5d632eeb4fbe80de8009d9b40d
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20241023083444.27951-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29603.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commit cd8e25a6e9 removed a variable because it looked as if
used only once anyway (1 assignment, 1 usage) - overlooking that
on _WIN32 it's changed to NULL, which wasn't adjusted...
This fix restores the wiped out "unsigned int *persistent" in
multi_tcp_wait(), undoing this particular change of the previous
commit.
Change-Id: I8526aadb5151ddc997c836d5a691bcdfee700938
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241023113923.7420-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29612.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
In order to prepare the event handling code to deal with multiple
listening sockets, we have to make sure that it is possible to
distinguish which of these sockets have been poked by an incoming
connection request.
To achieve that, this patch changes the object being passed as
event handler argument, from a "partly integer-evaluated variable"
to a full struct with a proper type attribute.
This struct will allow the code to carry around the particular
listening socket where the connection is being established.
This change affects the TCP server code path only as UDP servers
use only one socket to handle all clients.
Change-Id: Icd7f6a2ad350cdc2312b3e80fa0dbdd7e4311d2e
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20241023080853.3710-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29602.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
These were used in the key-method 1 that we removed in commit
36bef1b52 in 2020. That commit unfortunately missed that these
methods were only used for directly sending/receiving key material
over the control channel.
Change-Id: Ib480e57b62ea33f2aea52bee895badaf5607b72d
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241018063123.11631-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29595.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
These have been found by Clion's Inspect Code functionality and have
been verified by hand. A few functions like buf_read_u32 have been
kept since they still feel useful while currently not being used.
Change-Id: I0d96ee06c355c6a5ce082af23921e329d3efae33
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241018063717.14629-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29594.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Make decryption error messages better understandable.
* Increase verbosity level for authentication errors, because those can
be expected on bad connections.
Change-Id: I0fd48191babe4fe5c56f10eb3ba88182ffb075d1
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: MaxF <max@max-fillinger.net>
Message-Id: <20241017064955.23959-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29569.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Current naming (remote_in4/6) is confusing, since
those are in fact VPN IPv4/v6 addresses and not
related to remote at all.
Change-Id: I101bbc9f682375ec733bca10b52da82f0abfec27
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20240927093045.22753-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29460.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
If we indicate that the tun device has been opened the c1.tuntap struct
is guaranteed to be defined. This extra null check is something that
Coverity flags as we do a null check after already accessing fields
of tuntap
Change-Id: I9966636163c7dfa208d26f1cadbf5b81937f3a34
Signed-off-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240925151104.13036-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29447.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Without this change, pinging a lwipovpn client with something like a
3000 byte payload on macOS often fails as the default buffer sizes on
macOS are 2048 for send and 4096 for receive.
Change-Id: Ice015df81543c01094479929f0cb3075ca4f3813
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240925063016.22532-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29413.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Also show the device type that we opened always instead of certain
conditions only.
Change-Id: Ib8f12516dbe294e21d3fed77478fb7660d4600c1
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240924125513.10710-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29386.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>