From 6aba9e8854155a8b8e9628a1184f3c13a8031688 Mon Sep 17 00:00:00 2001 From: Lev Stipakov Date: Wed, 16 Mar 2022 15:54:11 +0200 Subject: [PATCH 01/55] vcpkg-ports\pkcs11-helper: shorten patch filename "make dist" uses 'tar -o' which breaks on long filenames: tar: openvpn-2.5.6/contrib/vcpkg-ports/pkcs11-helper/0003-config-w32-vc.h.in-ind icate-OpenSSL-EC-support.patch: file name is too long (max 99); not dumped tar: Exiting with failure status due to previous errors and then "make dist" continues. Make filename shorter to make tar happy. Signed-off-by: Lev Stipakov Acked-by: Gert Doering Message-Id: <20220316135411.217-1-lstipakov@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23977.html Signed-off-by: Gert Doering (cherry picked from commit 2047522286f179cac09bd7615bf845d67a5dc1c8) --- ...ort.patch => 0003-config-w32-vc.h.in-indicate-OpenSSL.patch} | 0 contrib/vcpkg-ports/pkcs11-helper/portfile.cmake | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename contrib/vcpkg-ports/pkcs11-helper/{0003-config-w32-vc.h.in-indicate-OpenSSL-EC-support.patch => 0003-config-w32-vc.h.in-indicate-OpenSSL.patch} (100%) diff --git a/contrib/vcpkg-ports/pkcs11-helper/0003-config-w32-vc.h.in-indicate-OpenSSL-EC-support.patch b/contrib/vcpkg-ports/pkcs11-helper/0003-config-w32-vc.h.in-indicate-OpenSSL.patch similarity index 100% rename from contrib/vcpkg-ports/pkcs11-helper/0003-config-w32-vc.h.in-indicate-OpenSSL-EC-support.patch rename to contrib/vcpkg-ports/pkcs11-helper/0003-config-w32-vc.h.in-indicate-OpenSSL.patch diff --git a/contrib/vcpkg-ports/pkcs11-helper/portfile.cmake b/contrib/vcpkg-ports/pkcs11-helper/portfile.cmake index 55c653356d6..22e9bd1f03f 100644 --- a/contrib/vcpkg-ports/pkcs11-helper/portfile.cmake +++ b/contrib/vcpkg-ports/pkcs11-helper/portfile.cmake 
@@ -13,7 +13,7 @@ vcpkg_extract_source_archive_ex( PATCHES 0001-nmake-compatibility-with-vcpkg-nmake.patch 0002-pkcs11.h-rename-interface-parameter.patch - 0003-config-w32-vc.h.in-indicate-OpenSSL-EC-support.patch + 0003-config-w32-vc.h.in-indicate-OpenSSL.patch pkcs11-helper-001-RFC7512.patch ) From 445cc852727a59f7338e59f0e594714d2b722beb Mon Sep 17 00:00:00 2001 From: Antonio Quartulli Date: Wed, 23 Feb 2022 09:06:28 +0100 Subject: [PATCH 02/55] networking: use OPENVPN_ETH_ALEN instead of ETH_ALEN With the introduction of SITNL two occurrences of ETH_ALEN were introduced in the code. This define exists on Linux in the linux/if_ether.h header, however the latter is included in linux/if_tun.h which may or may not exist (depending on how old your system is). If the system lacks if_tun.h then the compilation fails because ETH_ALEN cannot be found. For this reason, swap ETH_ALEN with OPENVPN_ETH_ALEN which is already used in other places of the code. Signed-off-by: Antonio Quartulli Acked-by: Gert Doering Message-Id: <20220223080628.4773-1-a@unstable.cc> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23882.html Signed-off-by: Gert Doering (cherry picked from commit 8d487b4cc5b896cff5277adef6dd491b5918381f) --- src/openvpn/lladdr.c | 3 ++- src/openvpn/networking_sitnl.c | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/src/openvpn/lladdr.c b/src/openvpn/lladdr.c index 3ddbebb3896..ee677187d82 100644 --- a/src/openvpn/lladdr.c +++ b/src/openvpn/lladdr.c @@ -13,6 +13,7 @@ #include "misc.h" #include "run_command.h" #include "lladdr.h" +#include "proto.h" int set_lladdr(openvpn_net_ctx_t *ctx, const char *ifname, const char *lladdr, @@ -26,7 +27,7 @@ set_lladdr(openvpn_net_ctx_t *ctx, const char *ifname, const char *lladdr, } #if defined(TARGET_LINUX) - uint8_t addr[ETH_ALEN]; + uint8_t addr[OPENVPN_ETH_ALEN]; sscanf(lladdr, MAC_FMT, MAC_SCAN_ARG(addr)); r = (net_addr_ll_set(ctx, ifname, addr) == 0); 
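Review bot: The new `uint8_t addr[OPENVPN_ETH_ALEN];` in set_lladdr() is never initialized and the `sscanf(lladdr, MAC_FMT, MAC_SCAN_ARG(addr));` on the next line is unchecked, so an `lladdr` string that matches fewer fields than expected hands partially uninitialized bytes to `net_addr_ll_set()`. Keeping the size change, either zero the buffer with `uint8_t addr[OPENVPN_ETH_ALEN] = {0};` or, better, compare the conversion count before the call, e.g. `if (sscanf(lladdr, MAC_FMT, MAC_SCAN_ARG(addr)) != OPENVPN_ETH_ALEN) { return false; }` — assuming MAC_FMT scans one field per byte and that `r` is the bool returned further down, which is outside the hunk. The matching `ETH_ALEN` to `OPENVPN_ETH_ALEN` swap in networking_sitnl.c only changes an attribute length and raises no separate point. set_lladdr() continues past the end of this hunk.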
diff --git a/src/openvpn/networking_sitnl.c b/src/openvpn/networking_sitnl.c index 959c897f117..515a30d6f0c 100644 --- a/src/openvpn/networking_sitnl.c +++ b/src/openvpn/networking_sitnl.c @@ -32,6 +32,7 @@ #include "buffer.h" #include "misc.h" #include "networking.h" +#include "proto.h" #include #include @@ -748,7 +749,7 @@ net_addr_ll_set(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface, req.i.ifi_family = AF_PACKET; req.i.ifi_index = ifindex; - SITNL_ADDATTR(&req.n, sizeof(req), IFLA_ADDRESS, addr, ETH_ALEN); + SITNL_ADDATTR(&req.n, sizeof(req), IFLA_ADDRESS, addr, OPENVPN_ETH_ALEN); msg(M_INFO, "%s: lladdr " MAC_FMT " for %s", __func__, MAC_PRINT_ARG(addr), iface); From 4bf8f1147dc7aadce2b15b84bb4613d965660191 Mon Sep 17 00:00:00 2001 From: Lev Stipakov Date: Sat, 19 Feb 2022 01:52:55 +0200 Subject: [PATCH 03/55] msvc: adjust build options to harden binaries - enable hardware-enforced stack protection on compatible hardware/software (/CETCOMPAT linker option) - hash object files with SHA256 (/ZH:SHA_256 compiler option) - enable SDL. The required to add _CRT_NONSTDC_NO_DEPRECATE _CRT_SECURE_NO_WARNINGS _WINSOCK_DEPRECATED_NO_WARNINGS preprocessor definitions. I don't feel like replacing strdup (which is correct POSIX function) and inet_ntoa (we always pass IPv4 address to it, inet_ntop will make code more complex) Above issues were discovered by bitskim. Before applying this patch, this one must be applied from master: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21774.h tml Signed-off-by: Lev Stipakov Acked-by: Frank Lichtenheld Message-Id: <20220218235255.334-1-lstipakov@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23852.html 
Signed-off-by: Gert Doering --- src/openvpn/auth_token.c | 1 + src/openvpn/openvpn.vcxproj | 38 +++++++++++++------ src/openvpnmsica/openvpnmsica.vcxproj | 48 ++++++++++++++++++++++++ src/openvpnserv/openvpnserv.vcxproj | 26 ++++++++++--- src/tapctl/tapctl.vcxproj | 54 ++++++++++++++++++++++++--- 5 files changed, 143 insertions(+), 24 deletions(-) diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c index ca7e5a4dd2f..37af6605897 100644 --- a/src/openvpn/auth_token.c +++ b/src/openvpn/auth_token.c @@ -87,6 +87,7 @@ add_session_token_env(struct tls_session *session, struct tls_multi *multi, default: /* Silence compiler warning, all four possible combinations are covered */ + state = NULL; ASSERT(0); } } diff --git a/src/openvpn/openvpn.vcxproj b/src/openvpn/openvpn.vcxproj index 91d5ebbe2d9..05c63b03530 100644 --- a/src/openvpn/openvpn.vcxproj +++ b/src/openvpn/openvpn.vcxproj @@ -147,11 +147,13 @@ - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;%(AdditionalIncludeDirectories) + Level2 + /ZH:SHA_256 %(AdditionalOptions) + true @@ -162,11 +164,13 @@ - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;%(AdditionalIncludeDirectories) + Level2 + /ZH:SHA_256 %(AdditionalOptions) + true @@ -177,11 +181,13 @@ - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;%(AdditionalIncludeDirectories) + Level2 + /ZH:SHA_256 %(AdditionalOptions) + true 
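Review bot: The comment above the new `state = NULL;` still explains only the `ASSERT(0)`, so a reader cannot tell why an assignment precedes an assertion that does not return. It presumably exists to satisfy the stricter analysis enabled by the accompanying project-file changes (a possibly-uninitialized diagnostic, since the switch is exhaustive but the compiler cannot prove it); suggest extending the comment to `/* Silence compiler warning, all four possible combinations are covered; the assignment only keeps the analyzer from flagging 'state' as uninitialized. */`. add_session_token_env() begins and ends outside the hunk.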
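Review bot: The three hunks at 147, 162 and 177 add only the compiler-side settings (the `/ZH:SHA_256 %(AdditionalOptions)` line, the definitions and a `true` element), while the linker-side `true` that appears after `Console` — presumably the /CETCOMPAT setting the commit message describes — is only added in the hunk at 192–198, and there for two of its three configurations. If the configurations in the earlier hunks carry their own Link groups they will not get the CET compatibility mark, so the hardening would be uneven across build configurations; the element names are stripped in this view, so please verify against the files. The same pattern shows in openvpnmsica.vcxproj and tapctl.vcxproj, where only some configurations receive the extra `true` block. Where a configuration is deliberately left out, a comment such as `<!-- CETCompat not set for this configuration: reason -->` would make the intent auditable.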
@@ -192,44 +198,52 @@ - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;%(AdditionalIncludeDirectories) Guard + Level2 + /ZH:SHA_256 %(AdditionalOptions) + true Ncrypt.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;Fwpuclnt.lib;Rpcrt4.lib;setupapi.lib;Advapi32.lib $(OPENSSL_HOME)/lib;$(LZO_HOME)/lib;$(PKCS11H_HOME)/lib;%(AdditionalLibraryDirectories) Console + true - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;%(AdditionalIncludeDirectories) Guard + true + Level2 + /ZH:SHA_256 %(AdditionalOptions) Ncrypt.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;Fwpuclnt.lib;Rpcrt4.lib;setupapi.lib;Advapi32.lib $(OPENSSL_HOME)/lib;$(LZO_HOME)/lib;$(PKCS11H_HOME)/lib;%(AdditionalLibraryDirectories) Console + true - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;%(AdditionalIncludeDirectories) Guard + Level2 + /ZH:SHA_256 %(AdditionalOptions) + true diff --git a/src/openvpnmsica/openvpnmsica.vcxproj b/src/openvpnmsica/openvpnmsica.vcxproj index 11aa78bb006..3a9f0c97003 100644 --- a/src/openvpnmsica/openvpnmsica.vcxproj +++ b/src/openvpnmsica/openvpnmsica.vcxproj 
@@ -135,6 +135,54 @@ true + + + true + + + /ZH:SHA_256 %(AdditionalOptions) + %(PreprocessorDefinitions) + true + + + + + true + + + /ZH:SHA_256 %(AdditionalOptions) + true + %(PreprocessorDefinitions) + + + + + /ZH:SHA_256 %(AdditionalOptions) + %(PreprocessorDefinitions) + true + + + + + /ZH:SHA_256 %(AdditionalOptions) + %(PreprocessorDefinitions) + true + + + + + /ZH:SHA_256 %(AdditionalOptions) + %(PreprocessorDefinitions) + true + + + + + /ZH:SHA_256 %(AdditionalOptions) + %(PreprocessorDefinitions) + true + + diff --git a/src/openvpnserv/openvpnserv.vcxproj b/src/openvpnserv/openvpnserv.vcxproj index 520242f4bc6..c70db229ea3 100644 --- a/src/openvpnserv/openvpnserv.vcxproj +++ b/src/openvpnserv/openvpnserv.vcxproj @@ -124,7 +124,9 @@ ..\openvpn;..\compat;%(AdditionalIncludeDirectories) - _CONSOLE;%(PreprocessorDefinitions) + _CRT_SECURE_NO_WARNINGS;_CRT_NONSTDC_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) + true + /ZH:SHA_256 %(AdditionalOptions) @@ -135,7 +137,9 @@ ..\openvpn;..\compat;%(AdditionalIncludeDirectories) - _CONSOLE;%(PreprocessorDefinitions) + _CRT_SECURE_NO_WARNINGS;_CRT_NONSTDC_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) + true + /ZH:SHA_256 %(AdditionalOptions) @@ -146,7 +150,9 @@ ..\openvpn;..\compat;%(AdditionalIncludeDirectories) - _CONSOLE;%(PreprocessorDefinitions) + _CRT_SECURE_NO_WARNINGS;_CRT_NONSTDC_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) + true + /ZH:SHA_256 %(AdditionalOptions) 
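Review bot: The openvpnserv hunks at 124, 135 and 146 spell the suppressions as `_CRT_SECURE_NO_WARNINGS;_CRT_NONSTDC_NO_WARNINGS` while openvpn.vcxproj uses `_CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS`; the CRT headers honour both spellings, but one convention across the projects makes the hardening configuration easier to audit. Worth a comment somewhere in the project files is that `_CRT_SECURE_NO_WARNINGS` mutes project-wide the C4996 diagnostics on the unbounded CRT string and format functions that SDL otherwise promotes to errors, so enabling SDL here mostly buys its other checks; tracking the muted call sites, or scoping the suppression more narrowly, would preserve that signal. The same applies to the hunk at 157 below.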
@@ -157,29 +163,37 @@ ..\openvpn;..\compat;%(AdditionalIncludeDirectories) - _CONSOLE;%(PreprocessorDefinitions) + _CRT_SECURE_NO_WARNINGS;_CRT_NONSTDC_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) + true + /ZH:SHA_256 %(AdditionalOptions) Userenv.lib;Iphlpapi.lib;ntdll.lib;Fwpuclnt.lib;Netapi32.lib;Shlwapi.lib;%(AdditionalDependencies) Console + true ..\openvpn;..\compat;%(AdditionalIncludeDirectories) - _CONSOLE;%(PreprocessorDefinitions) + _CRT_SECURE_NO_WARNINGS;_CRT_NONSTDC_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) + true + /ZH:SHA_256 %(AdditionalOptions) legacy_stdio_definitions.lib;Userenv.lib;Iphlpapi.lib;ntdll.lib;Fwpuclnt.lib;Netapi32.lib;Shlwapi.lib;%(AdditionalDependencies) Console + true ..\openvpn;..\compat;%(AdditionalIncludeDirectories) - _CONSOLE;%(PreprocessorDefinitions) + _CRT_SECURE_NO_WARNINGS;_CRT_NONSTDC_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) + true + /ZH:SHA_256 %(AdditionalOptions) diff --git a/src/tapctl/tapctl.vcxproj b/src/tapctl/tapctl.vcxproj index 79da9d3376f..f439dc4fb13 100644 --- a/src/tapctl/tapctl.vcxproj +++ b/src/tapctl/tapctl.vcxproj @@ -135,12 +135,54 @@ true - - - - - - + + + true + /ZH:SHA_256 %(AdditionalOptions) + %(PreprocessorDefinitions) + + + + + true + /ZH:SHA_256 %(AdditionalOptions) + %(PreprocessorDefinitions) + + + + + true + /ZH:SHA_256 %(AdditionalOptions) + %(PreprocessorDefinitions) + + + + + true + /ZH:SHA_256 %(AdditionalOptions) + %(PreprocessorDefinitions) + + + true + + + + + true + /ZH:SHA_256 %(AdditionalOptions) + %(PreprocessorDefinitions) + + + + + true + + + true + /ZH:SHA_256 %(AdditionalOptions) + %(PreprocessorDefinitions) + + From 64547d552dbcadd826a30a4ba122d590d87504f6 Mon Sep 17 00:00:00 2001 
From: Simon Rozman Date: Mon, 22 Mar 2021 08:43:59 +0100 Subject: [PATCH 04/55] tapctl: Resolve MSVC C4996 warnings wcsncat() was declared unsafe in favour of wcsncat_s(). However, the string concatenation follows the string length check, making wcsncat() safe too. Code analysis is just not smart enough (yet) to detect this. The code was refactored to use wcscat_s() MSVC is considering as "safe". Signed-off-by: Simon Rozman Acked-by: Gert Doering Message-Id: <20210322074359.527-1-simon@rozman.si> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21774.html Signed-off-by: Gert Doering (cherry picked from commit e5e9a07e8baee4065b7dfd65736bfa77b8329cfc) --- src/tapctl/tap.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/tapctl/tap.c b/src/tapctl/tap.c index e399a38a3a4..c9795bce1d6 100644 --- a/src/tapctl/tap.c +++ b/src/tapctl/tap.c @@ -73,14 +73,15 @@ find_function(const WCHAR *libname, const char *funcname, HMODULE *m) return NULL; } - size_t len = _countof(libpath) - wcslen(libpath) - 1; - if (len < wcslen(libname) + 1) + /* +1 for the path seperator '\' */ + const size_t path_length = wcslen(libpath) + 1 + wcslen(libname); + if (path_length >= _countof(libpath)) { SetLastError(ERROR_INSUFFICIENT_BUFFER); return NULL; } - wcsncat(libpath, L"\\", len); - wcsncat(libpath, libname, len-1); + wcscat_s(libpath, _countof(libpath), L"\\"); + wcscat_s(libpath, _countof(libpath), libname); *m = LoadLibraryW(libpath); if (*m == NULL) From aa6f15dd2a1df68409384d6f955f68692595b77b Mon Sep 17 00:00:00 2001 
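Review bot: The new comment misspells "separator" (`seperator`) and does not say why the bound check is `>=`, which is the load-bearing part of the change: `path_length` excludes the terminating NUL, so it must stay strictly below `_countof(libpath)` for both `wcscat_s()` calls to succeed, and the check is what keeps them from tripping the CRT invalid-parameter handler. Suggest `/* +1 for the path separator '\'; path_length excludes the NUL, so it must stay below _countof(libpath) */`. The arithmetic itself is correct. find_function() begins and ends outside the hunk.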
From: Lev Stipakov Date: Thu, 17 Mar 2022 15:57:28 +0200 Subject: [PATCH 05/55] vcpkg-ports: remove openssl port We've added functionality to openvpn-build f83f21ef "windows-msi: add ability to specify port overlays in openvpn-build" (which is used for release building) to use overlay ports, which enables us to build releases with updated ports (like openssl) without making changes to openvpn repo. This means that openssl port overlay from this repo could be removed. Developers can still use openvpn repo for Windows development and use whatever openssl version is provided by vcpkg official repo. When we need to build a release and the latest openssl is not there, we add port overlay to openvpn-build. While on it, bump vcpkg commit id in github actions. Signed-off-by: Lev Stipakov Acked-by: Gert Doering Message-Id: <20220317135728.183-1-lstipakov@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23993.html Signed-off-by: Gert Doering --- .github/workflows/build.yaml | 2 +- .../openssl/install-pc-files.cmake | 32 ---- contrib/vcpkg-ports/openssl/openssl.pc.in | 6 - contrib/vcpkg-ports/openssl/portfile.cmake | 28 --- contrib/vcpkg-ports/openssl/usage | 4 - .../openssl/vcpkg-cmake-wrapper.cmake.in | 78 -------- contrib/vcpkg-ports/openssl/vcpkg.json | 18 -- .../openssl/windows/portfile.cmake | 172 ------------------ 8 files changed, 1 insertion(+), 339 deletions(-) delete mode 100644 contrib/vcpkg-ports/openssl/install-pc-files.cmake delete mode 100644 contrib/vcpkg-ports/openssl/openssl.pc.in delete mode 100644 contrib/vcpkg-ports/openssl/portfile.cmake delete mode 100644 contrib/vcpkg-ports/openssl/usage delete mode 100644 contrib/vcpkg-ports/openssl/vcpkg-cmake-wrapper.cmake.in delete mode 100644 contrib/vcpkg-ports/openssl/vcpkg.json delete mode 100644 contrib/vcpkg-ports/openssl/windows/portfile.cmake diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 6f49350e75c..dbb05739d72 100644 
--- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -271,7 +271,7 @@ jobs: - name: Restore artifacts, or run vcpkg, build and cache artifacts uses: lukka/run-vcpkg@v7.4 with: - vcpkgGitCommitId: 'a2fcb03749ff5897b5985092934dc6057680c789' + vcpkgGitCommitId: 'a69b65229b3956b7f45abd81671b7330114bcaad' vcpkgArguments: 'openssl lz4 lzo pkcs11-helper tap-windows6' vcpkgTriplet: '${{ matrix.triplet }}-windows-ovpn' cleanAfterBuild: false diff --git a/contrib/vcpkg-ports/openssl/install-pc-files.cmake b/contrib/vcpkg-ports/openssl/install-pc-files.cmake deleted file mode 100644 index eb8d2b8c288..00000000000 --- a/contrib/vcpkg-ports/openssl/install-pc-files.cmake +++ /dev/null @@ -1,32 +0,0 @@ -function(install_pc_file name pc_data) - if(NOT DEFINED VCPKG_BUILD_TYPE OR VCPKG_BUILD_TYPE STREQUAL "release") - configure_file("${CMAKE_CURRENT_LIST_DIR}/openssl.pc.in" "${CURRENT_PACKAGES_DIR}/lib/pkgconfig/${name}.pc" @ONLY) - endif() - if(NOT DEFINED VCPKG_BUILD_TYPE OR VCPKG_BUILD_TYPE STREQUAL "debug") - configure_file("${CMAKE_CURRENT_LIST_DIR}/openssl.pc.in" "${CURRENT_PACKAGES_DIR}/debug/lib/pkgconfig/${name}.pc" @ONLY) - endif() -endfunction() - -install_pc_file(openssl [[ -Name: OpenSSL -Description: Secure Sockets Layer and cryptography libraries and tools -Requires: libssl libcrypto -]]) - -install_pc_file(libssl [[ -Name: OpenSSL-libssl -Description: Secure Sockets Layer and cryptography libraries -Libs: -L"${libdir}" -llibssl -Requires: libcrypto -Cflags: -I"${includedir}" -]]) - -install_pc_file(libcrypto [[ -Name: OpenSSL-libcrypto -Description: OpenSSL cryptography library -Libs: -L"${libdir}" -llibcrypto -Libs.private: -lcrypt32 -lws2_32 -Cflags: -I"${includedir}" -]]) - -vcpkg_fixup_pkgconfig() diff --git a/contrib/vcpkg-ports/openssl/openssl.pc.in b/contrib/vcpkg-ports/openssl/openssl.pc.in deleted file mode 100644 index 3033e1804da..00000000000 --- a/contrib/vcpkg-ports/openssl/openssl.pc.in +++ /dev/null 
@@ -1,6 +0,0 @@ -prefix=${pcfiledir}/../.. -exec_prefix=${prefix} -libdir=${exec_prefix}/lib -includedir=${prefix}/include -Version: @OPENSSL_VERSION@ -@pc_data@ diff --git a/contrib/vcpkg-ports/openssl/portfile.cmake b/contrib/vcpkg-ports/openssl/portfile.cmake deleted file mode 100644 index e94e7a83f02..00000000000 --- a/contrib/vcpkg-ports/openssl/portfile.cmake +++ /dev/null @@ -1,28 +0,0 @@ -if(EXISTS "${CURRENT_INSTALLED_DIR}/include/openssl/ssl.h") - message(FATAL_ERROR "Can't build openssl if libressl/boringssl is installed. Please remove libressl/boringssl, and try install openssl again if you need it.") -endif() - -set(OPENSSL_VERSION 1.1.1n) -vcpkg_download_distfile( - ARCHIVE - URLS "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz" "https://www.openssl.org/source/old/1.1.1/openssl-${OPENSSL_VERSION}.tar.gz" - FILENAME "openssl-${OPENSSL_VERSION}.tar.gz" - SHA512 1937796736613dcf4105a54e42ecb61f95a1cea74677156f9459aea0f2c95159359e766089632bf364ee6b0d28d661eb9957bce8fecc9d2436378d8d79e8d0a4 -) - -vcpkg_find_acquire_program(PERL) -get_filename_component(PERL_EXE_PATH ${PERL} DIRECTORY) -vcpkg_add_to_path("${PERL_EXE_PATH}") - -if(VCPKG_TARGET_IS_UWP) - include("${CMAKE_CURRENT_LIST_DIR}/uwp/portfile.cmake") - include("${CMAKE_CURRENT_LIST_DIR}/install-pc-files.cmake") -elseif(VCPKG_TARGET_IS_WINDOWS AND NOT VCPKG_TARGET_IS_MINGW) - include("${CMAKE_CURRENT_LIST_DIR}/windows/portfile.cmake") - include("${CMAKE_CURRENT_LIST_DIR}/install-pc-files.cmake") -else() - include("${CMAKE_CURRENT_LIST_DIR}/unix/portfile.cmake") -endif() - -configure_file("${CMAKE_CURRENT_LIST_DIR}/vcpkg-cmake-wrapper.cmake.in" "${CURRENT_PACKAGES_DIR}/share/${PORT}/vcpkg-cmake-wrapper.cmake" @ONLY) -file(INSTALL "${CMAKE_CURRENT_LIST_DIR}/usage" DESTINATION "${CURRENT_PACKAGES_DIR}/share/${PORT}") diff --git a/contrib/vcpkg-ports/openssl/usage b/contrib/vcpkg-ports/openssl/usage deleted file mode 100644 index cf83f33916b..00000000000 
--- a/contrib/vcpkg-ports/openssl/usage +++ /dev/null @@ -1,4 +0,0 @@ -The package openssl is compatible with built-in CMake targets: - - find_package(OpenSSL REQUIRED) - target_link_libraries(main PRIVATE OpenSSL::SSL OpenSSL::Crypto) diff --git a/contrib/vcpkg-ports/openssl/vcpkg-cmake-wrapper.cmake.in b/contrib/vcpkg-ports/openssl/vcpkg-cmake-wrapper.cmake.in deleted file mode 100644 index 4a5ee893a2f..00000000000 --- a/contrib/vcpkg-ports/openssl/vcpkg-cmake-wrapper.cmake.in +++ /dev/null 
@@ -1,78 +0,0 @@ -cmake_policy(PUSH) -cmake_policy(SET CMP0012 NEW) -cmake_policy(SET CMP0054 NEW) -cmake_policy(SET CMP0057 NEW) - -if(OPENSSL_USE_STATIC_LIBS) - if("@VCPKG_LIBRARY_LINKAGE@" STREQUAL "dynamic") - message(WARNING "OPENSSL_USE_STATIC_LIBS is set, but vcpkg port openssl was built with dynamic linkage") - endif() - set(OPENSSL_USE_STATIC_LIBS_BAK "${OPENSSL_USE_STATIC_LIBS}") - set(OPENSSL_USE_STATIC_LIBS FALSE) -endif() - -if(DEFINED OPENSSL_ROOT_DIR) - set(OPENSSL_ROOT_DIR_BAK "${OPENSSL_ROOT_DIR}") -endif() -get_filename_component(OPENSSL_ROOT_DIR "${CMAKE_CURRENT_LIST_DIR}" DIRECTORY) -get_filename_component(OPENSSL_ROOT_DIR "${OPENSSL_ROOT_DIR}" DIRECTORY) -find_path(OPENSSL_INCLUDE_DIR NAMES openssl/ssl.h PATH "${OPENSSL_ROOT_DIR}/include" NO_DEFAULT_PATH) -if(MSVC) - find_library(LIB_EAY_DEBUG NAMES libcrypto PATHS "${OPENSSL_ROOT_DIR}/debug/lib" NO_DEFAULT_PATH) - find_library(LIB_EAY_RELEASE NAMES libcrypto PATHS "${OPENSSL_ROOT_DIR}/lib" NO_DEFAULT_PATH) - find_library(SSL_EAY_DEBUG NAMES libssl PATHS "${OPENSSL_ROOT_DIR}/debug/lib" NO_DEFAULT_PATH) - find_library(SSL_EAY_RELEASE NAMES libssl PATHS "${OPENSSL_ROOT_DIR}/lib" NO_DEFAULT_PATH) -elseif(WIN32) - find_library(LIB_EAY NAMES libcrypto crypto NAMES_PER_DIR) - find_library(SSL_EAY NAMES libssl ssl NAMES_PER_DIR) -else() - find_library(OPENSSL_CRYPTO_LIBRARY NAMES crypto) - find_library(OPENSSL_SSL_LIBRARY NAMES ssl) -endif() - -_find_package(${ARGS}) - -unset(OPENSSL_ROOT_DIR) -if(DEFINED OPENSSL_ROOT_DIR_BAK) - set(OPENSSL_ROOT_DIR "${OPENSSL_ROOT_DIR_BAK}") - unset(OPENSSL_ROOT_DIR_BAK) -endif() - -if(DEFINED OPENSSL_USE_STATIC_LIBS_BAK) - set(OPENSSL_USE_STATIC_LIBS "${OPENSSL_USE_STATIC_LIBS_BAK}") - unset(OPENSSL_USE_STATIC_LIBS_BAK) -endif() - -if(OPENSSL_FOUND AND "@VCPKG_LIBRARY_LINKAGE@" STREQUAL "static") - if(WIN32) - list(APPEND OPENSSL_LIBRARIES crypt32 ws2_32) - if(TARGET OpenSSL::Crypto) - set_property(TARGET OpenSSL::Crypto APPEND PROPERTY INTERFACE_LINK_LIBRARIES 
"crypt32;ws2_32") - endif() - if(TARGET OpenSSL::SSL) - set_property(TARGET OpenSSL::SSL APPEND PROPERTY INTERFACE_LINK_LIBRARIES "crypt32;ws2_32") - endif() - else() - find_library(OPENSSL_DL_LIBRARY NAMES dl) - if(OPENSSL_DL_LIBRARY) - list(APPEND OPENSSL_LIBRARIES "dl") - if(TARGET OpenSSL::Crypto) - set_property(TARGET OpenSSL::Crypto APPEND PROPERTY INTERFACE_LINK_LIBRARIES "dl") - endif() - endif() - - if("REQUIRED" IN_LIST ARGS) - find_package(Threads REQUIRED) - else() - find_package(Threads) - endif() - list(APPEND OPENSSL_LIBRARIES ${CMAKE_THREAD_LIBS_INIT}) - if(TARGET OpenSSL::Crypto) - set_property(TARGET OpenSSL::Crypto APPEND PROPERTY INTERFACE_LINK_LIBRARIES "Threads::Threads") - endif() - if(TARGET OpenSSL::SSL) - set_property(TARGET OpenSSL::SSL APPEND PROPERTY INTERFACE_LINK_LIBRARIES "Threads::Threads") - endif() - endif() -endif() -cmake_policy(POP) diff --git a/contrib/vcpkg-ports/openssl/vcpkg.json b/contrib/vcpkg-ports/openssl/vcpkg.json deleted file mode 100644 index 18e6dde6637..00000000000 --- a/contrib/vcpkg-ports/openssl/vcpkg.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "name": "openssl", - "version-string": "1.1.1n", - "port-version": 2, - "description": "OpenSSL is an open source project that provides a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library.", - "homepage": "https://www.openssl.org", - "license": "OpenSSL", - "dependencies": [ - { - "name": "vcpkg-cmake", - "host": true - }, - { - "name": "vcpkg-cmake-config", - "host": true - } - ] -} diff --git a/contrib/vcpkg-ports/openssl/windows/portfile.cmake b/contrib/vcpkg-ports/openssl/windows/portfile.cmake deleted file mode 100644 index e4469ef3269..00000000000 --- a/contrib/vcpkg-ports/openssl/windows/portfile.cmake +++ /dev/null 
@@ -1,172 +0,0 @@ -vcpkg_extract_source_archive_ex( - OUT_SOURCE_PATH SOURCE_PATH - ARCHIVE ${ARCHIVE} -) - -vcpkg_find_acquire_program(NASM) -get_filename_component(NASM_EXE_PATH "${NASM}" DIRECTORY) -vcpkg_add_to_path(PREPEND "${NASM_EXE_PATH}") - -vcpkg_find_acquire_program(JOM) - -set(OPENSSL_SHARED no-shared) -if(VCPKG_LIBRARY_LINKAGE STREQUAL dynamic) - set(OPENSSL_SHARED shared) -endif() - -set(CONFIGURE_OPTIONS - enable-static-engine - enable-capieng - no-ssl2 - no-tests - -utf-8 - ${OPENSSL_SHARED} -) - -if(DEFINED OPENSSL_USE_NOPINSHARED) - set(CONFIGURE_OPTIONS ${CONFIGURE_OPTIONS} no-pinshared) -endif() - -if(OPENSSL_NO_AUTOLOAD_CONFIG) - set(CONFIGURE_OPTIONS ${CONFIGURE_OPTIONS} no-autoload-config) -endif() - -set(CONFIGURE_COMMAND "${PERL}" Configure ${CONFIGURE_OPTIONS}) - -if(VCPKG_TARGET_ARCHITECTURE STREQUAL "x86") - set(OPENSSL_ARCH VC-WIN32) -elseif(VCPKG_TARGET_ARCHITECTURE STREQUAL "x64") - set(OPENSSL_ARCH VC-WIN64A) -elseif(VCPKG_TARGET_ARCHITECTURE STREQUAL "arm") - set(OPENSSL_ARCH VC-WIN32-ARM) -elseif(VCPKG_TARGET_ARCHITECTURE STREQUAL "arm64") - set(OPENSSL_ARCH VC-WIN64-ARM) -else() - message(FATAL_ERROR "Unsupported target architecture: ${VCPKG_TARGET_ARCHITECTURE}") -endif() - -set(OPENSSL_MAKEFILE "makefile") - -file(REMOVE_RECURSE "${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-rel" - "${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-dbg") - -if(NOT DEFINED VCPKG_BUILD_TYPE OR VCPKG_BUILD_TYPE STREQUAL "release") - - # Copy openssl sources. - message(STATUS "Copying openssl release source files...") - file(GLOB OPENSSL_SOURCE_FILES ${SOURCE_PATH}/*) - foreach(SOURCE_FILE ${OPENSSL_SOURCE_FILES}) - file(COPY ${SOURCE_FILE} DESTINATION "${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-rel") - endforeach() - message(STATUS "Copying openssl release source files... 
done") - set(SOURCE_PATH_RELEASE "${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-rel") - - set(OPENSSLDIR_RELEASE ${CURRENT_PACKAGES_DIR}) - - message(STATUS "Configure ${TARGET_TRIPLET}-rel") - vcpkg_execute_required_process( - COMMAND ${CONFIGURE_COMMAND} ${OPENSSL_ARCH} "--prefix=${OPENSSLDIR_RELEASE}" "--openssldir=${OPENSSLDIR_RELEASE}" -FS - WORKING_DIRECTORY ${SOURCE_PATH_RELEASE} - LOGNAME configure-perl-${TARGET_TRIPLET}-rel - ) - message(STATUS "Configure ${TARGET_TRIPLET}-rel done") - - message(STATUS "Build ${TARGET_TRIPLET}-rel") - # Openssl's buildsystem has a race condition which will cause JOM to fail at some point. - # This is ok; we just do as much work as we can in parallel first, then follow up with a single-threaded build. - make_directory(${SOURCE_PATH_RELEASE}/inc32/openssl) - execute_process( - COMMAND ${JOM} -k -j $ENV{NUMBER_OF_PROCESSORS} -f ${OPENSSL_MAKEFILE} - WORKING_DIRECTORY ${SOURCE_PATH_RELEASE} - OUTPUT_FILE ${CURRENT_BUILDTREES_DIR}/build-${TARGET_TRIPLET}-rel-0-out.log - ERROR_FILE ${CURRENT_BUILDTREES_DIR}/build-${TARGET_TRIPLET}-rel-0-err.log - ) - vcpkg_execute_required_process( - COMMAND nmake -f ${OPENSSL_MAKEFILE} install_sw install_ssldirs - WORKING_DIRECTORY ${SOURCE_PATH_RELEASE} - LOGNAME build-${TARGET_TRIPLET}-rel-1) - - message(STATUS "Build ${TARGET_TRIPLET}-rel done") -endif() - - -if(NOT DEFINED VCPKG_BUILD_TYPE OR VCPKG_BUILD_TYPE STREQUAL "debug") - # Copy openssl sources. - message(STATUS "Copying openssl debug source files...") - file(GLOB OPENSSL_SOURCE_FILES ${SOURCE_PATH}/*) - foreach(SOURCE_FILE ${OPENSSL_SOURCE_FILES}) - file(COPY ${SOURCE_FILE} DESTINATION "${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-dbg") - endforeach() - message(STATUS "Copying openssl debug source files... 
done") - set(SOURCE_PATH_DEBUG "${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-dbg") - - set(OPENSSLDIR_DEBUG ${CURRENT_PACKAGES_DIR}/debug) - - message(STATUS "Configure ${TARGET_TRIPLET}-dbg") - vcpkg_execute_required_process( - COMMAND ${CONFIGURE_COMMAND} debug-${OPENSSL_ARCH} "--prefix=${OPENSSLDIR_DEBUG}" "--openssldir=${OPENSSLDIR_DEBUG}" -FS - WORKING_DIRECTORY ${SOURCE_PATH_DEBUG} - LOGNAME configure-perl-${TARGET_TRIPLET}-dbg - ) - message(STATUS "Configure ${TARGET_TRIPLET}-dbg done") - - message(STATUS "Build ${TARGET_TRIPLET}-dbg") - make_directory(${SOURCE_PATH_DEBUG}/inc32/openssl) - execute_process( - COMMAND "${JOM}" -k -j ${VCPKG_CONCURRENCY} -f "${OPENSSL_MAKEFILE}" - WORKING_DIRECTORY ${SOURCE_PATH_DEBUG} - OUTPUT_FILE ${CURRENT_BUILDTREES_DIR}/build-${TARGET_TRIPLET}-dbg-0-out.log - ERROR_FILE ${CURRENT_BUILDTREES_DIR}/build-${TARGET_TRIPLET}-dbg-0-err.log - ) - vcpkg_execute_required_process( - COMMAND nmake -f "${OPENSSL_MAKEFILE}" install_sw install_ssldirs - WORKING_DIRECTORY ${SOURCE_PATH_DEBUG} - LOGNAME build-${TARGET_TRIPLET}-dbg-1) - - message(STATUS "Build ${TARGET_TRIPLET}-dbg done") -endif() - -file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/certs") -file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/private") -file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/lib/engines-1_1") -file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/debug/certs") -file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/debug/lib/engines-1_1") -file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/debug/private") -file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/debug/include") - -file(REMOVE - "${CURRENT_PACKAGES_DIR}/ct_log_list.cnf" - "${CURRENT_PACKAGES_DIR}/ct_log_list.cnf.dist" - "${CURRENT_PACKAGES_DIR}/openssl.cnf.dist" - "${CURRENT_PACKAGES_DIR}/debug/bin/openssl.exe" - "${CURRENT_PACKAGES_DIR}/debug/ct_log_list.cnf" - "${CURRENT_PACKAGES_DIR}/debug/ct_log_list.cnf.dist" - "${CURRENT_PACKAGES_DIR}/debug/openssl.cnf" - "${CURRENT_PACKAGES_DIR}/debug/openssl.cnf.dist" -) - -file(MAKE_DIRECTORY 
"${CURRENT_PACKAGES_DIR}/tools/openssl/") -file(RENAME "${CURRENT_PACKAGES_DIR}/bin/openssl.exe" "${CURRENT_PACKAGES_DIR}/tools/openssl/openssl.exe") -file(RENAME "${CURRENT_PACKAGES_DIR}/openssl.cnf" "${CURRENT_PACKAGES_DIR}/tools/openssl/openssl.cnf") - -vcpkg_copy_tool_dependencies("${CURRENT_PACKAGES_DIR}/tools/openssl") - -if(VCPKG_LIBRARY_LINKAGE STREQUAL static) - # They should be empty, only the exes deleted above were in these directories - file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/debug/bin/") - file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/bin/") -endif() - -vcpkg_replace_string("${CURRENT_PACKAGES_DIR}/include/openssl/dtls1.h" - "" - "" -) - -vcpkg_replace_string("${CURRENT_PACKAGES_DIR}/include/openssl/rand.h" - "# include " - "#ifndef _WINSOCKAPI_\n#define _WINSOCKAPI_\n#endif\n# include " -) - -vcpkg_copy_pdbs() - -file(INSTALL "${SOURCE_PATH}/LICENSE" DESTINATION "${CURRENT_PACKAGES_DIR}/share/${PORT}" RENAME copyright) From 113b6c4192ecb927997b187de023aec71712f312 Mon Sep 17 00:00:00 2001 From: Antonio Quartulli Date: Thu, 7 Apr 2022 22:14:11 +0200 Subject: [PATCH 06/55] networking_iproute2: don't pass M_WARN to openvpn_execve_check() openvpn_execve_check() expects a set of flags as third argument and not a loglevel. For this reason, if no FATAL behaviour is expected, we should simply pass 0. openvpn_execve_check() will then pick the appropriate loglevel on its own. Signed-off-by: Antonio Quartulli Acked-by: Gert Doering Message-Id: <20220407201411.22486-1-a@unstable.cc> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24090.html Signed-off-by: Gert Doering (cherry picked from commit 545f6bdea30e04a09b118c4e1faf6523544fd935) --- src/openvpn/networking_iproute2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/networking_iproute2.c b/src/openvpn/networking_iproute2.c index 3ca2bb35c31..db0f5503b29 100644 --- a/src/openvpn/networking_iproute2.c +++ b/src/openvpn/networking_iproute2.c 
@@ -105,7 +105,7 @@ net_addr_ll_set(openvpn_net_ctx_t *ctx, const openvpn_net_iface_t *iface, iproute_path, MAC_PRINT_ARG(addr), iface); argv_msg(M_INFO, &argv); - if (!openvpn_execve_check(&argv, ctx->es, M_WARN, + if (!openvpn_execve_check(&argv, ctx->es, 0, "Linux ip link set addr failed")) { ret = -1; From c3f4419cd37faaf4f2960d911a1008a161b82561 Mon Sep 17 00:00:00 2001 From: Antonio Quartulli Date: Thu, 7 Apr 2022 10:15:55 +0200 Subject: [PATCH 07/55] t_net.sh: delete dummy iface using iproute command A dummy interface cannot be deleted using --rmtun because openvpn tries to send some ioctl (i.e. TUNSETPERSIST) which is not supported by this device type. This results in the following error: 2022-04-07 09:59:29 Cannot ioctl TUNSETPERSIST(0) ovpn-dummy0: Bad file descriptor (errno=9) 2022-04-07 09:59:29 Exiting due to fatal error and the interface is not deleted. Use iproute to generically delete an interface. Signed-off-by: Antonio Quartulli Acked-by: Gert Doering Message-Id: <20220407081555.25228-1-a@unstable.cc> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24086.html Signed-off-by: Gert Doering (cherry picked from commit 976e6caf0e161d3c787e1378cec44608c17b292a) --- tests/t_net.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/t_net.sh b/tests/t_net.sh index f9dba40404f..af78152c7cd 100755 --- a/tests/t_net.sh +++ b/tests/t_net.sh @@ -166,6 +166,6 @@ for i in $(seq 0 $MAX_TEST); do done # remove interface for good -$RUN_SUDO $openvpn --dev $IFACE --dev-type tun --rmtun >/dev/null +$RUN_SUDO ip link del $IFACE exit 0 From 70b6c69c8255ebd6e789e59b0fe8e106a35e9ad8 Mon Sep 17 00:00:00 2001 
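Review bot: The new `$RUN_SUDO ip link del $IFACE` line is followed by an unconditional `exit 0`, so a failure to remove the interface (the very problem this commit fixes) would again go unnoticed and leave a stale device behind for the next test run. Propagating the status, `$RUN_SUDO ip link del "$IFACE" || exit 1`, makes a cleanup failure visible, and quoting `$IFACE` keeps the command intact should the name ever contain shell metacharacters. The previous `--rmtun` form had the same unchecked status, so this is a pre-existing gap rather than a regression introduced here.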
From: Antonio Quartulli Date: Thu, 21 Apr 2022 15:19:09 +0200 Subject: [PATCH 08/55] auth-pam.c: add missing include limits.h On most systems limits.h is pulled in by some other header and thus no error is ever triggered, but it's possible to find the right environment which lackis this and prevents compiling auth-pam.c (possibly when using LibreSSL). Include the header explicitly as it includes the definition of PATH_MAX. (note that this bug is fixed in Gentoo since 2020 by including a custom patch, but apparently the issue was never reported upstream) Reported-by: Michelangelo Scopelliti Signed-off-by: Antonio Quartulli Acked-by: Gert Doering Message-Id: <20220421131909.32053-1-a@unstable.cc> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24136.html Signed-off-by: Gert Doering (cherry picked from commit 0fed64a91d894b46105bf7e8b16edea4d90ab70c) --- src/plugins/auth-pam/auth-pam.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c index 3a3a24096c3..c5e55d8acd4 100644 --- a/src/plugins/auth-pam/auth-pam.c +++ b/src/plugins/auth-pam/auth-pam.c @@ -47,6 +47,7 @@ #include #include #include +#include #include "utils.h" #include From f89b07831e8a6d0819b32d2fd6b15f430941ebcb Mon Sep 17 00:00:00 2001 From: Marc Becker Date: Sat, 23 Apr 2022 15:57:04 +0200 Subject: [PATCH 09/55] vcpkg-ports/pkcs11-helper: bump to release 1.29 This release has merged win32 support patch, so our own patch could be removed from the port. Upstream archive format changed back to BZIP2. Signed-off-by: Marc Becker Acked-by: Lev Stipakov Message-Id: <20220423135704.88164-1-becm@gmx.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24180.html 
Signed-off-by: Gert Doering (cherry picked from commit 99e6b814edcdd522c97217e027bd24ed43661917) --- ...config-w32-vc.h.in-indicate-OpenSSL.patch} | 0 ...-pkcs11.h-rename-interface-parameter.patch | 32 ------------------- contrib/vcpkg-ports/pkcs11-helper/CONTROL | 2 +- .../vcpkg-ports/pkcs11-helper/portfile.cmake | 11 +++---- 4 files changed, 6 insertions(+), 39 deletions(-) rename contrib/vcpkg-ports/pkcs11-helper/{0003-config-w32-vc.h.in-indicate-OpenSSL.patch => 0002-config-w32-vc.h.in-indicate-OpenSSL.patch} (100%) delete mode 100644 contrib/vcpkg-ports/pkcs11-helper/0002-pkcs11.h-rename-interface-parameter.patch diff --git a/contrib/vcpkg-ports/pkcs11-helper/0003-config-w32-vc.h.in-indicate-OpenSSL.patch b/contrib/vcpkg-ports/pkcs11-helper/0002-config-w32-vc.h.in-indicate-OpenSSL.patch similarity index 100% rename from contrib/vcpkg-ports/pkcs11-helper/0003-config-w32-vc.h.in-indicate-OpenSSL.patch rename to contrib/vcpkg-ports/pkcs11-helper/0002-config-w32-vc.h.in-indicate-OpenSSL.patch diff --git a/contrib/vcpkg-ports/pkcs11-helper/0002-pkcs11.h-rename-interface-parameter.patch b/contrib/vcpkg-ports/pkcs11-helper/0002-pkcs11.h-rename-interface-parameter.patch deleted file mode 100644 index 13c60d9d807..00000000000 --- a/contrib/vcpkg-ports/pkcs11-helper/0002-pkcs11.h-rename-interface-parameter.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From 0c2f862fe23dc6d2c0ca8432d1f6027c922c5a04 Mon Sep 17 00:00:00 2001 -From: Lev Stipakov -Date: Tue, 11 Jan 2022 14:24:45 +0200 -Subject: [PATCH] pkcs11.h: rename "interface" parameter - -"interface" is defined in cobaseapi.h as - - #define interface __STRUCT__ - -so use different name. - -Signed-off-by: Lev Stipakov ---- - include/pkcs11-helper-1.0/pkcs11.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/include/pkcs11-helper-1.0/pkcs11.h b/include/pkcs11-helper-1.0/pkcs11.h -index 85aa98e..7a7b958 100644 ---- a/include/pkcs11-helper-1.0/pkcs11.h -+++ b/include/pkcs11-helper-1.0/pkcs11.h -@@ -1210,7 +1210,7 @@ _CK_DECLARE_FUNCTION (C_GetInterfaceList, - _CK_DECLARE_FUNCTION (C_GetInterface, - (unsigned char *interface_name, - struct ck_version *version, -- struct ck_interface **interface, -+ struct ck_interface **iface, - ck_flags_t flags)); - - _CK_DECLARE_FUNCTION (C_LoginUser, --- -2.23.0.windows.1 - diff --git a/contrib/vcpkg-ports/pkcs11-helper/CONTROL b/contrib/vcpkg-ports/pkcs11-helper/CONTROL index ff116364746..1ead697ed11 100644 --- a/contrib/vcpkg-ports/pkcs11-helper/CONTROL +++ b/contrib/vcpkg-ports/pkcs11-helper/CONTROL @@ -1,4 +1,4 @@ Source: pkcs11-helper -Version: 1.28-4 +Version: 1.29-1 Homepage: https://github.com/OpenSC/pkcs11-helper Description: pkcs11-helper is a library that simplifies the interaction with PKCS#11 providers for end-user applications. diff --git a/contrib/vcpkg-ports/pkcs11-helper/portfile.cmake b/contrib/vcpkg-ports/pkcs11-helper/portfile.cmake index 22e9bd1f03f..4432b5502bc 100644 --- a/contrib/vcpkg-ports/pkcs11-helper/portfile.cmake +++ b/contrib/vcpkg-ports/pkcs11-helper/portfile.cmake 
@@ -1,9 +1,9 @@ -set(VERSION 1.28.0) +set(VERSION 1.29.0) vcpkg_download_distfile(ARCHIVE - URLS "https://github.com/OpenSC/pkcs11-helper/releases/download/pkcs11-helper-${VERSION}/pkcs11-helper-${VERSION}.tar.gz" - FILENAME "pkcs11-helper-${VERSION}.tar.gz" - SHA512 1c1cc7f83ed360fabdcfa68d0eafa7d25be03e68c6a202e7ad2907feb472663bb34e12b9e162344ec221a4298abc02acdc75f0f45d9a89657aa7ac55e59badd5 + URLS "https://github.com/OpenSC/pkcs11-helper/releases/download/pkcs11-helper-${VERSION}/pkcs11-helper-${VERSION}.tar.bz2" + FILENAME "pkcs11-helper-${VERSION}.tar.bz2" + SHA512 c530f5a4b5826a02bfe787a1293a7595d5a0d6348daa16675bd10c6d6734b1f24a3cc73b5b89433cf1edf8815f8b7298fdfd1ed686f096bb5edfb425e9430eb2 ) vcpkg_extract_source_archive_ex( @@ -12,8 +12,7 @@ vcpkg_extract_source_archive_ex( REF ${VERSION} PATCHES 0001-nmake-compatibility-with-vcpkg-nmake.patch - 0002-pkcs11.h-rename-interface-parameter.patch - 0003-config-w32-vc.h.in-indicate-OpenSSL.patch + 0002-config-w32-vc.h.in-indicate-OpenSSL.patch pkcs11-helper-001-RFC7512.patch ) From 7b1b100557608db8a311d06f7578ceb7c4d33aa6 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Fri, 29 Oct 2021 13:24:07 +0200 Subject: [PATCH 10/55] Add insecure tls-cert-profile options The recent deprecation of SHA1 certificates in OpenSSL 3.0 makes it necessary to reallow them in certain deployments. Currently this works by using the hack of using tls-cipher "DEFAULT:@SECLEVEL=0". Add "insecure" as option to tls-cert-profile to allow setting a seclevel of 0. Patch v4: fix default accidentially changed to insecure Signed-off-by: Arne Schwabe Acked-by: Max Fillinger Message-Id: <20211029112407.2004234-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23076.html 
Signed-off-by: Gert Doering (cherry picked from commit 23efeb7a0bd9e0a6d997ae6e77e0e04170da3e67) --- doc/man-sections/tls-options.rst | 6 ++++++ src/openvpn/ssl_mbedtls.c | 3 ++- src/openvpn/ssl_openssl.c | 4 ++++ 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index f0b6d3dc53d..b7f44739175 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst @@ -369,6 +369,9 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa The following profiles are supported: + :code:`insecure` + Identical for mbed TLS to `legacy` + :code:`legacy` (default) SHA1 and newer, RSA 2048-bit+, any elliptic curve. @@ -381,6 +384,9 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa This option is only fully supported for mbed TLS builds. OpenSSL builds use the following approximation: + :code:`insecure` + sets "security level 0" + :code:`legacy` (default) sets "security level 1" diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index 4a64e6d3385..be0e57f154e 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -330,7 +330,8 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) void tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile) { - if (!profile || 0 == strcmp(profile, "legacy")) + if (!profile || 0 == strcmp(profile, "legacy") + || 0 == strcmp(profile, "insecure")) { ctx->cert_profile = openvpn_x509_crt_profile_legacy; } diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 595057d63db..016331897fe 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c 
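Review bot: In tls_ctx_set_cert_profile the new `|| 0 == strcmp(profile, "insecure")` condition silently treats `insecure` as `legacy` on mbed TLS, so an operator who configured it gets no indication that nothing was actually relaxed, nor that the profile means something different in the ssl_openssl.c hunk of the same commit. A log line when that string is matched would make this visible, e.g. `msg(M_WARN, "Note: tls-cert-profile 'insecure' is treated as 'legacy' with mbed TLS");` inside the block, in the style of the existing "Note: ..." messages. The function continues past the end of the hunk.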
@@ -551,6 +551,10 @@ tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile) { SSL_CTX_set_security_level(ctx->ctx, 1); } + else if (0 == strcmp(profile, "insecure")) + { + SSL_CTX_set_security_level(ctx->ctx, 0); + } else if (0 == strcmp(profile, "preferred")) { SSL_CTX_set_security_level(ctx->ctx, 2); From 55cfc0b9541ff25fac31059ffcf7eea06fd6c0ec Mon Sep 17 00:00:00 2001 From: Lev Stipakov Date: Thu, 5 May 2022 15:42:05 +0300 Subject: [PATCH 11/55] vcpkg: switch to manifest Add vcpkg manifest file which lists dependencies and enable manifest usage in project file. This simplifies build process by eliminating separate "vcpkg install" step to install dependencies. Signed-off-by: Lev Stipakov Acked-by: Gert Doering Message-Id: <20220505124205.435-1-lstipakov@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24286.html Signed-off-by: Gert Doering --- .github/workflows/build.yaml | 16 +++++++--------- .gitignore | 1 + src/openvpn/openvpn.vcxproj | 9 +++++++++ src/openvpn/vcpkg.json | 19 +++++++++++++++++++ 4 files changed, 36 insertions(+), 9 deletions(-) create mode 100644 src/openvpn/vcpkg.json diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index dbb05739d72..fb53fb8bdc8 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
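Review bot: The new `insecure` branch calls `SSL_CTX_set_security_level(ctx->ctx, 0)` without logging anything, so a configuration that disables OpenSSL's minimum key-size and digest checks leaves no trace in the log for operators or auditors. Emitting a warning inside the branch, e.g. `msg(M_WARN, "WARNING: tls-cert-profile 'insecure' sets OpenSSL security level 0, disabling certificate and signature strength checks");`, costs nothing at runtime and makes the weakened setting auditable. tls_ctx_set_cert_profile starts before the hunk and its remaining branches follow it.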
@@ -268,19 +268,17 @@ jobs: - name: Install rst2html run: python -m pip install --upgrade pip rst2html - - name: Restore artifacts, or run vcpkg, build and cache artifacts - uses: lukka/run-vcpkg@v7.4 + - name: Restore artifacts, or setup vcpkg (do not install any package) + uses: lukka/run-vcpkg@v10 with: - vcpkgGitCommitId: 'a69b65229b3956b7f45abd81671b7330114bcaad' - vcpkgArguments: 'openssl lz4 lzo pkcs11-helper tap-windows6' - vcpkgTriplet: '${{ matrix.triplet }}-windows-ovpn' - cleanAfterBuild: false + vcpkgGitCommitId: '4b766c1cd17205e1b768c4fadfd5f867c1d0510e' + appendedCacheKey: '${{matrix.triplet}}' - - name: Build + - name: Run MSBuild consuming vcpkg.json working-directory: ${{env.GITHUB_WORKSPACE}} run: | - vcpkg integrate install - msbuild /m /p:Configuration=${{env.BUILD_CONFIGURATION}} /p:Platform="${{ matrix.plat }}" . + vcpkg integrate install + msbuild /m /p:Configuration=${{env.BUILD_CONFIGURATION}} /p:Platform="${{ matrix.plat }}" . - name: Archive artifacts uses: actions/upload-artifact@v2 diff --git a/.gitignore b/.gitignore index 178076edec8..7335154ff40 100644 --- a/.gitignore +++ b/.gitignore @@ -44,6 +44,7 @@ m4/ltoptions.m4 m4/ltsugar.m4 m4/ltversion.m4 m4/lt~obsolete.m4 +vcpkg_installed version.sh msvc-env-local.bat diff --git a/src/openvpn/openvpn.vcxproj b/src/openvpn/openvpn.vcxproj index 05c63b03530..7f09249bd11 100644 --- a/src/openvpn/openvpn.vcxproj +++ b/src/openvpn/openvpn.vcxproj 
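Review bot: `uses: lukka/run-vcpkg@v10` (like the existing `actions/upload-artifact@v2`) pins a mutable tag, so the workflow runs whatever commit the tag points to at run time, while the vcpkg checkout itself is pinned by `vcpkgGitCommitId`; the action pin is now the weaker link in this supply chain. Pinning the action to its full commit SHA with the tag kept as a trailing comment, `uses: lukka/run-vcpkg@<commit-sha-of-v10-release>  # v10` (placeholder), gives the action code the same reproducibility as the vcpkg tree.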
@@ -124,26 +124,35 @@ true arm64-windows-ovpn + --overlay-triplets=$(SolutionDir)contrib\vcpkg-triplets --overlay-ports=$(SolutionDir)contrib\vcpkg-ports true arm64-windows-ovpn + --overlay-triplets=$(SolutionDir)contrib\vcpkg-triplets --overlay-ports=$(SolutionDir)contrib\vcpkg-ports true x86-windows-ovpn + --overlay-triplets=$(SolutionDir)contrib\vcpkg-triplets --overlay-ports=$(SolutionDir)contrib\vcpkg-ports true x86-windows-ovpn + --overlay-triplets=$(SolutionDir)contrib\vcpkg-triplets --overlay-ports=$(SolutionDir)contrib\vcpkg-ports true x64-windows-ovpn + --overlay-triplets=$(SolutionDir)contrib\vcpkg-triplets --overlay-ports=$(SolutionDir)contrib\vcpkg-ports true x64-windows-ovpn + --overlay-triplets=$(SolutionDir)contrib\vcpkg-triplets --overlay-ports=$(SolutionDir)contrib\vcpkg-ports + + + true diff --git a/src/openvpn/vcpkg.json b/src/openvpn/vcpkg.json new file mode 100644 index 00000000000..6537fdd6cf4 --- /dev/null +++ b/src/openvpn/vcpkg.json @@ -0,0 +1,19 @@ +{ + "$schema": "https://raw.githubusercontent.com/microsoft/vcpkg/master/scripts/vcpkg.schema.json", + "name": "openvpn", + "version": "2.5", + "dependencies": [ + "openssl", + "tap-windows6", + "lzo", + "lz4", + "pkcs11-helper" + ], + "builtin-baseline": "4b766c1cd17205e1b768c4fadfd5f867c1d0510e", + "overrides": [ + { + "name": "openssl", + "version-string": "1.1.1n" + } + ] +} From 4e5b14012550bf934dcf850547b542afa4d6605a Mon Sep 17 00:00:00 2001 
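Review bot: The `overrides` entry pins `openssl` to `"version-string": "1.1.1n"` independently of `builtin-baseline`, so later baseline bumps will not move OpenSSL and security releases in the 1.1.1 series have to be picked up by editing this line by hand. Because JSON carries no comments, this should be recorded next to the manifest or in the commit message so the pin is refreshed deliberately rather than forgotten. `builtin-baseline` matches the `vcpkgGitCommitId` used in the workflow hunk, which is consistent.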
From: Lev Stipakov Date: Wed, 4 May 2022 12:13:05 +0300 Subject: [PATCH 12/55] Fix M_ERRNO behavior on Windows We use M_ERRNO flag in logging to display error code and error message. This has been broken on Windows, where we use error code from GetLastError() and error description from strerror(). strerror() expects C runtime error code, which is quite different from last error code from WinAPI call. As a result, we got incorrect error description. The ultimate fix would be introducing another flag for WinAPI errors, like M_WINERR and use either that or M_ERRNO depends on context. However, the change would be quite intrusive and in some cases it is hard to say which one to use without looking into internals. Instead we stick to M_ERRNO and in Windows case we first try to obtain error code from GetLastError() and if it returns ERROR_SUCCESS (which is 0), we assume that we have C runtime error and use errno. To get error description we use strerror_win32() with GetLastError() and strerror() with errno. strerror_win32() uses FormatMessage() internally, which is the right way to get WinAPI error description. This commit is the backport of 54800aa975418fe3570f3206a5f9b277dc59bd47, adjusted for the different code base related to socket errors (print socket file descriptor) in x_check_status(). Signed-off-by: Lev Stipakov Acked-by: Selva Nair Message-Id: <20220504091305.434-1-lstipakov@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24274.html Signed-off-by: Gert Doering --- src/openvpn/error.c | 32 +++++++++++++++++++++++++------- src/openvpn/error.h | 39 +++++++++++++++++++++++++++++---------- src/openvpn/forward.c | 9 ++++++++- src/openvpn/manage.c | 5 +++-- src/openvpn/platform.c | 2 +- src/openvpn/tun.h | 4 ++-- 6 files changed, 68 insertions(+), 23 deletions(-) diff --git a/src/openvpn/error.c b/src/openvpn/error.c index 54796d0356e..7fbda8442f9 100644 --- a/src/openvpn/error.c +++ b/src/openvpn/error.c 
@@ -220,6 +220,18 @@ x_msg(const unsigned int flags, const char *format, ...) va_end(arglist); } +static const char* +openvpn_strerror(int err, bool crt_error, struct gc_arena *gc) +{ +#ifdef _WIN32 + if (!crt_error) + { + return strerror_win32(err, gc); + } +#endif + return strerror(err); +} + void x_msg_va(const unsigned int flags, const char *format, va_list arglist) { @@ -244,7 +256,8 @@ x_msg_va(const unsigned int flags, const char *format, va_list arglist) } #endif - e = openvpn_errno(); + bool crt_error = false; + e = openvpn_errno_maybe_crt(&crt_error); /* * Apply muting filter. @@ -268,7 +281,7 @@ x_msg_va(const unsigned int flags, const char *format, va_list arglist) if ((flags & M_ERRNO) && e) { openvpn_snprintf(m2, ERR_BUF_SIZE, "%s: %s (errno=%d)", - m1, strerror(e), e); + m1, openvpn_strerror(e, crt_error, &gc), e); SWAP; } @@ -649,7 +662,6 @@ x_check_status(int status, struct link_socket *sock, struct tuntap *tt) { - const int my_errno = openvpn_errno(); const char *extended_msg = NULL; msg(x_cs_verbose_level, "%s %s returned %d", 
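Review bot: The new helper is declared `static const char*` with the star attached to the type, while the declarations around it in this series (`const char *strerror_win32(...)` in the error.h hunk) bind the star to the name; `static const char *` keeps the style uniform. A one-line comment would also help, since `crt_error` is a new concept here: `/* Error text for err: on Windows strerror_win32() for a Win32 last-error, strerror() when crt_error marks a C runtime errno; strerror() everywhere else. */`. The `gc` parameter being used only on Windows is expected.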
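Review bot: Removing `const int my_errno = openvpn_errno();` from the top of x_check_status defers reading the error code until after the `msg(x_cs_verbose_level, ...)` call and, in the following -672 hunk, after tap_win_getinfo(); both do work that can overwrite errno or GetLastError(), so the value later returned by openvpn_errno_maybe_crt() may no longer describe the failed socket or tun operation unless x_msg_va restores it, which is not visible here. Capturing it where the removed line stood, `bool crt_error = false;` / `int my_errno = openvpn_errno_maybe_crt(&crt_error);`, and leaving only the `ignore_sys_error(my_errno, crt_error)` test below, preserves the original ordering. The body of x_check_status continues past both hunks.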
@@ -672,26 +684,32 @@ x_check_status(int status, sock->info.mtu_changed = true; } } -#elif defined(_WIN32) +#endif /* EXTENDED_SOCKET_ERROR_CAPABILITY */ + +#ifdef _WIN32 /* get possible driver error from TAP-Windows driver */ if (tuntap_defined(tt)) { extended_msg = tap_win_getinfo(tt, &gc); } #endif - if (!ignore_sys_error(my_errno)) + + bool crt_error = false; + int my_errno = openvpn_errno_maybe_crt(&crt_error); + + if (!ignore_sys_error(my_errno, crt_error)) { if (extended_msg) { msg(x_cs_info_level, "%s %s [%s]: %s (code=%d)", description, sock ? proto2ascii(sock->info.proto, sock->info.af, true) : "", - extended_msg, strerror(my_errno), my_errno); + extended_msg, openvpn_strerror(my_errno, crt_error, &gc), my_errno); } else { msg(x_cs_info_level, "%s %s: %s (code=%d)", description, sock ? proto2ascii(sock->info.proto, sock->info.af, true) : "", - strerror(my_errno), my_errno); + openvpn_strerror(my_errno, crt_error, &gc), my_errno); } if (x_cs_err_delay_ms) diff --git a/src/openvpn/error.h b/src/openvpn/error.h index d2d83c8ae33..fc878a56a8c 100644 --- a/src/openvpn/error.h +++ b/src/openvpn/error.h @@ -71,13 +71,10 @@ struct gc_arena; /* String and Error functions */ #ifdef _WIN32 -#define openvpn_errno() GetLastError() -#define openvpn_strerror(e, gc) strerror_win32(e, gc) +#define openvpn_errno() GetLastError() const char *strerror_win32(DWORD errnum, struct gc_arena *gc); - #else -#define openvpn_errno() errno -#define openvpn_strerror(x, gc) strerror(x) +#define openvpn_errno() errno #endif /* 
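Review bot: `openvpn_errno()` survives in both branches while its companion `openvpn_strerror` macro is removed, and the tun.h and platform.c hunks of this commit switch their callers to `GetLastError()` and `errno` directly, so the macro is either dead or now a trap: on Windows it reflects only Win32 failures and misses C runtime errno, which is exactly the bug being fixed. If callers remain, a comment such as `/* Win32 last-error only; use openvpn_errno_maybe_crt() where the failing call may be a C runtime function */` would steer them to the new helper; otherwise the macro can be dropped.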
@@ -363,20 +360,22 @@ msg_get_virtual_output(void) * which can be safely ignored. */ static inline bool -ignore_sys_error(const int err) +ignore_sys_error(const int err, bool crt_error) { - /* I/O operation pending */ #ifdef _WIN32 - if (err == WSAEWOULDBLOCK || err == WSAEINVAL) + if (!crt_error && ((err == WSAEWOULDBLOCK || err == WSAEINVAL))) { return true; } #else - if (err == EAGAIN) + crt_error = true; +#endif + + /* I/O operation pending */ + if (crt_error && (err == EAGAIN)) { return true; } -#endif #if 0 /* if enabled, suppress ENOBUFS errors */ #ifdef ENOBUFS @@ -398,6 +397,26 @@ nonfatal(const unsigned int err) return err & M_FATAL ? (err ^ M_FATAL) | M_NONFATAL : err; } +static inline int +openvpn_errno_maybe_crt(bool *crt_error) +{ + int err = 0; + *crt_error = false; +#ifdef _WIN32 + err = GetLastError(); + if (err == ERROR_SUCCESS) + { + /* error is likely C runtime */ + *crt_error = true; + err = errno; + } +#else + *crt_error = true; + err = errno; +#endif + return err; +} + #include "errlevel.h" #endif /* ifndef ERROR_H */ diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 392a5c9f20e..de80dcffa21 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1676,7 +1676,14 @@ process_outgoing_link(struct context *c) } /* for unreachable network and "connecting" state switch to the next host */ - if (size < 0 && ENETUNREACH == error_code && c->c2.tls_multi + + bool unreachable = error_code == +#ifdef _WIN32 + WSAENETUNREACH; +#else + ENETUNREACH; +#endif + if (size < 0 && unreachable && c->c2.tls_multi && !tls_initial_packet_received(c->c2.tls_multi) && c->options.mode == MODE_POINT_TO_POINT) { msg(M_INFO, "Network unreachable, restarting"); diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index a42640562dc..8d2d9983c33 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c 
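Review bot: The comment `/* error is likely C runtime */` in openvpn_errno_maybe_crt undersells the heuristic: on Windows a non-zero last-error left behind by an earlier, unrelated Win32 call is reported in preference to the errno of the call that just failed, and a CRT failure is only recognised when GetLastError() happens to be ERROR_SUCCESS. The function comment should state that and that callers must invoke it immediately after the failing call, e.g. `/* Windows: prefer GetLastError(); fall back to errno only when it is ERROR_SUCCESS, so a stale last-error can mask a CRT errno. Call right after the failing operation. */`. The same caveat applies to the `crt_error` handling in the ignore_sys_error hunk above.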
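Review bot: The new `bool unreachable = error_code ==` statement is split across `#ifdef _WIN32`/`#else` with the right-hand operand living on the conditional lines, which is hard to read and easy to break when the expression is next edited. Selecting the constant inside the conditional and comparing once afterwards reads as ordinary C; process_outgoing_link starts before the hunk and `error_code` is assigned there.
```c
    /* for unreachable network and "connecting" state switch to the next host */
#ifdef _WIN32
    const int net_unreach_err = WSAENETUNREACH;
#else
    const int net_unreach_err = ENETUNREACH;
#endif
    bool unreachable = (error_code == net_unreach_err);
    /* … unchanged: if (size < 0 && unreachable && c->c2.tls_multi …) restart … */
```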
@@ -2082,9 +2082,10 @@ man_process_command(struct management *man, const char *line) static bool man_io_error(struct management *man, const char *prefix) { - const int err = openvpn_errno(); + bool crt_error = false; + int err = openvpn_errno_maybe_crt(&crt_error); - if (!ignore_sys_error(err)) + if (!ignore_sys_error(err, crt_error)) { struct gc_arena gc = gc_new(); msg(D_MANAGEMENT, "MANAGEMENT: TCP %s error: %s", prefix, diff --git a/src/openvpn/platform.c b/src/openvpn/platform.c index 2604c27bdfa..4921f035613 100644 --- a/src/openvpn/platform.c +++ b/src/openvpn/platform.c @@ -471,7 +471,7 @@ platform_test_file(const char *filename) } else { - if (openvpn_errno() == EACCES) + if (errno == EACCES) { msg( M_WARN | M_ERRNO, "Could not access file '%s'", filename); } diff --git a/src/openvpn/tun.h b/src/openvpn/tun.h index ea19620d5af..ae98966bf96 100644 --- a/src/openvpn/tun.h +++ b/src/openvpn/tun.h @@ -461,7 +461,7 @@ tuntap_stop(int status) */ if (status < 0) { - return openvpn_errno() == ERROR_FILE_NOT_FOUND; + return GetLastError() == ERROR_FILE_NOT_FOUND; } return false; } @@ -474,7 +474,7 @@ tuntap_abort(int status) */ if (status < 0) { - return openvpn_errno() == ERROR_OPERATION_ABORTED; + return GetLastError() == ERROR_OPERATION_ABORTED; } return false; } From 3f25bf7f7c1f32c2d3ef5b52443c97553a6c8977 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Thu, 12 May 2022 14:14:23 +0200 Subject: [PATCH 13/55] Refactor early initialisation and uninitialisation into methods This put the early initialisation and uninitialisation that needs to happen between option parsing and post processing into small methods. Cherry-pick of 97056dbf9 as prerequirement for the provider patch Signed-off-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <20220512121429.2096164-2-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24328.html 
Signed-off-by: Gert Doering --- src/openvpn/openvpn.c | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c index a21b21e2351..e03d2545069 100644 --- a/src/openvpn/openvpn.c +++ b/src/openvpn/openvpn.c @@ -105,6 +105,20 @@ tunnel_point_to_point(struct context *c) #undef PROCESS_SIGNAL_P2P +void init_early(struct context *c) +{ + net_ctx_init(c, &c->net_ctx); + + /* init verbosity and mute levels */ + init_verb_mute(c, IVM_LEVEL_1); + +} + +static void uninit_early(struct context *c) +{ + net_ctx_free(&c->net_ctx); +} + /**************************************************************************/ /** @@ -193,10 +207,9 @@ openvpn_main(int argc, char *argv[]) open_plugins(&c, true, OPENVPN_PLUGIN_INIT_PRE_CONFIG_PARSE); #endif - net_ctx_init(&c, &c.net_ctx); - - /* init verbosity and mute levels */ - init_verb_mute(&c, IVM_LEVEL_1); + /* Early initialisation that need to happen before option + * post processing and other early startup but after parsing */ + init_early(&c); /* set dev options */ init_options_dev(&c.options); @@ -308,7 +321,7 @@ openvpn_main(int argc, char *argv[]) env_set_destroy(c.es); uninit_options(&c.options); gc_reset(&c.gc); - net_ctx_free(&c.net_ctx); + uninit_early(&c); } while (c.sig->signal_received == SIGHUP); } From aef0e595132bd75b0a089e0536c7f910667f1c07 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Thu, 12 May 2022 14:14:24 +0200 Subject: [PATCH 14/55] Allow loading of non default providers This allows OpenVPN to load non-default providers. This is mainly useful for loading the legacy provider with --providers legacy default Cherry-pick of 08081aa0a153 to release/2.5. Changes.rst has been adjust to better fit the changes in 2.5. Signed-off-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <20220512121429.2096164-3-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24327.html 
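Review bot: `void init_early(struct context *c)` is added with external linkage and no prototype in this diff, whereas its counterpart `uninit_early` is `static`; unless a header declaration exists elsewhere, `static void` on both keeps the symbol out of the global namespace and avoids a missing-prototype warning. The file puts the return type on its own line (see the `tunnel_point_to_point(` and `openvpn_main(` hunk headers), so `static void` / `init_early(struct context *c)` on separate lines would match, and the stray blank line before init_early's closing brace can go. The call-site changes in openvpn_main are consistent with the new helpers.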
Signed-off-by: Gert Doering --- Changes.rst | 20 ++++++++++++++++++ doc/man-sections/generic-options.rst | 12 +++++++++++ src/openvpn/crypto_backend.h | 15 ++++++++++++++ src/openvpn/crypto_mbedtls.c | 13 ++++++++++++ src/openvpn/crypto_mbedtls.h | 3 +++ src/openvpn/crypto_openssl.c | 31 ++++++++++++++++++++++++++++ src/openvpn/crypto_openssl.h | 11 ++++++++++ src/openvpn/openvpn.c | 15 +++++++++++++- src/openvpn/options.c | 8 +++++++ src/openvpn/options.h | 9 ++++++++ 10 files changed, 136 insertions(+), 1 deletion(-) diff --git a/Changes.rst b/Changes.rst index 45d2c3f39e4..ddfa2941fc3 100644 --- a/Changes.rst +++ b/Changes.rst @@ -1,3 +1,23 @@ +Overview of changes in 2.5.7 +============================ + +New features +------------ +- Limited OpenSSL 3.0 support + OpenSSL 3.0 support has been added. OpenSSL 3.0 support in 2.5 relies + on the compatiblity layer and full OpenSSL 3.0 support is coming with + OpenVPN 2.6. Only features that impact usage directly have been + backported: + + ``--tls-cert-profile insecure`` has been added to allow selecting the + lowest OpenSSL security level (not recommended, use only if you must). + + OpenSSL 3.0 no longer supports the Blowfish (and other deprecated) + algorithm by default and the new option ``--providers`` allows loading + the legacy provider to renable these algorithms. + + + Overview of changes in 2.5.6 ============================ diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index d5f08839b10..18085f9bd6d 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst 
@@ -252,6 +252,18 @@ which mode OpenVPN is configured as. This option solves the problem by persisting keys across :code:`SIGUSR1` resets, so they don't need to be re-read. +--providers providers + Load the list of (OpenSSL) providers. This is mainly useful for using an + external provider for key management like tpm2-openssl or to load the + legacy provider with + + :: + + --providers legacy default + + Behaviour of changing this option between SIGHUP might not be well behaving. + If you need to change/add/remove this option, fully restart OpenVPN. + --remap-usr1 signal Control whether internally or externally generated :code:`SIGUSR1` signals are remapped to :code:`SIGHUP` (restart without persisting state) or diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h index b5a122eeeb3..a9bb38ed2dc 100644 --- a/src/openvpn/crypto_backend.h +++ b/src/openvpn/crypto_backend.h @@ -78,6 +78,21 @@ void crypto_clear_error(void); */ void crypto_init_lib_engine(const char *engine_name); + +/** + * Load the given (OpenSSL) providers + * @param provider name of providers to load + * @return reference to the loaded provider + */ +provider_t *crypto_load_provider(const char *provider); + +/** + * Unloads the given (OpenSSL) provider + * @param provname name of the provider to unload + * @param provider pointer to the provider to unload + */ +void crypto_unload_provider(const char *provname, provider_t *provider); + #ifdef DMALLOC /* * OpenSSL memory debugging. If dmalloc debugging is enabled, tell diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c index 1da99d14743..000815209c9 100644 --- a/src/openvpn/crypto_mbedtls.c +++ b/src/openvpn/crypto_mbedtls.c 
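Review bot: The Doxygen block for crypto_load_provider says `@param provider name of providers to load` although one name is loaded per call, and `@return reference to the loaded provider` omits the cases the implementations in this commit actually have: the mbed TLS and pre-3.0 OpenSSL stubs return NULL after a warning, and the OpenSSL 3 path treats a load failure as fatal. Suggest `@param provider name of the provider to load` and `@return handle to the loaded provider, or NULL when the crypto library has no provider support; a failed load is fatal`. crypto_unload_provider's block could likewise note that it is a no-op without provider support.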
@@ -69,6 +69,19 @@ crypto_init_lib_engine(const char *engine_name) "available"); } +provider_t *crypto_load_provider(const char *provider) +{ + if (provider) + { + msg(M_WARN, "Note: mbed TLS provider functionality is not available"); + } + return NULL; +} + +void crypto_unload_provider(const char *provname, provider_t *provider) +{ +} + /* * * Functions related to the core crypto library diff --git a/src/openvpn/crypto_mbedtls.h b/src/openvpn/crypto_mbedtls.h index 816e1397a4a..14614a12dbb 100644 --- a/src/openvpn/crypto_mbedtls.h +++ b/src/openvpn/crypto_mbedtls.h @@ -48,6 +48,9 @@ typedef mbedtls_md_context_t md_ctx_t; /** Generic HMAC %context. */ typedef mbedtls_md_context_t hmac_ctx_t; +/* Use a dummy type for the provider */ +typedef void provider_t; + /** Maximum length of an IV */ #define OPENVPN_MAX_IV_LENGTH MBEDTLS_MAX_IV_LENGTH diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 0908e9aa173..beeaee4b7ca 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -51,6 +51,10 @@ #include #include +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#include +#endif + #if defined(_WIN32) && defined(OPENSSL_NO_EC) #error Windows build with OPENSSL_NO_EC: disabling EC key is not supported. #endif 
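Review bot: `provider_t *crypto_load_provider(const char *provider)` and `void crypto_unload_provider(...)` put the return type on the signature line, unlike the surrounding definitions (compare the `crypto_init_lib_engine(` hunk header, whose return type sits on the preceding line); splitting them matches the file. The empty body of crypto_unload_provider would read better with a comment stating intent, e.g. `/* no providers exist with mbed TLS, nothing to unload */`, so it is not mistaken for an unfinished stub.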
@@ -145,6 +149,33 @@ crypto_init_lib_engine(const char *engine_name) #endif } +provider_t * +crypto_load_provider(const char *provider) +{ +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + /* Load providers into the default (NULL) library context */ + OSSL_PROVIDER *prov = OSSL_PROVIDER_load(NULL, provider); + if (!prov) + { + crypto_msg(M_FATAL, "failed to load provider '%s'", provider); + } + return prov; +#else /* OPENSSL_VERSION_NUMBER >= 0x30000000L */ + msg(M_WARN, "Note: OpenSSL provider functionality is not available"); + return NULL; +#endif +} + +void crypto_unload_provider(const char *provname, provider_t *provider) +{ +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + if (!OSSL_PROVIDER_unload(provider)) + { + crypto_msg(M_FATAL, "failed to unload provider '%s'", provname); + } +#endif +} + /* * * Functions related to the core crypto library diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h index ecc66fbfdaf..9bb58adae40 100644 --- a/src/openvpn/crypto_openssl.h +++ b/src/openvpn/crypto_openssl.h @@ -33,6 +33,10 @@ #include #include #include +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#include +#endif + /** Generic cipher key type %context. */ typedef EVP_CIPHER cipher_kt_t; @@ -49,6 +53,13 @@ typedef EVP_MD_CTX md_ctx_t; /** Generic HMAC %context. */ typedef HMAC_CTX hmac_ctx_t; +#if OPENSSL_VERSION_NUMBER < 0x30000000L +/* Use a dummy type for the provider */ +typedef void provider_t; +#else +typedef OSSL_PROVIDER provider_t; +#endif + /** Maximum length of an IV */ #define OPENVPN_MAX_IV_LENGTH EVP_MAX_IV_LENGTH diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c index e03d2545069..1cd8f1b308a 100644 --- a/src/openvpn/openvpn.c +++ b/src/openvpn/openvpn.c 
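Review bot: Within the same hunk `provider_t *` / `crypto_load_provider(` follows the file's style while `void crypto_unload_provider(...)` puts the return type on the signature line; splitting the latter keeps the two definitions consistent. The comment `Load providers into the default (NULL) library context` could also mention that OSSL_PROVIDER_load resolves names that are not built in from OpenSSL's module directory, so the loaded code runs inside the OpenVPN process with its privileges — useful context for whoever documents `--providers`. Making a load failure fatal via crypto_msg(M_FATAL, ...) is the right choice here.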
@@ -112,14 +112,27 @@ void init_early(struct context *c) /* init verbosity and mute levels */ init_verb_mute(c, IVM_LEVEL_1); + /* Initialise OpenSSL provider, this needs to be initialised this + * early since option post-processing and also openssl info + * printing depends on it */ + for (int j=1; j < MAX_PARMS && c->options.providers.names[j]; j++) + { + c->options.providers.providers[j] = + crypto_load_provider(c->options.providers.names[j]); + } } static void uninit_early(struct context *c) { net_ctx_free(&c->net_ctx); + for (int j=1; j < MAX_PARMS && c->options.providers.providers[j]; j++) + { + crypto_unload_provider(c->options.providers.names[j], + c->options.providers.providers[j]); + } + net_ctx_free(&c->net_ctx); } - /**************************************************************************/ /** * OpenVPN's main init-run-cleanup loop. diff --git a/src/openvpn/options.c b/src/openvpn/options.c index e0b273bdd43..f6ef02ae8ad 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -602,6 +602,7 @@ static const char usage_message[] = " : Use --show-tls to see a list of supported TLS ciphers (suites).\n" "--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n" " (default=legacy).\n" + "--providers l : A list l of OpenSSL providers to load.\n" "--tls-timeout n : Packet retransmit timeout on TLS control channel\n" " if no ACK from remote within n seconds (default=%d).\n" "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n" @@ -8129,6 +8130,13 @@ add_option(struct options *options, options->keysize = keysize; } #endif + else if (streq(p[0], "providers") && p[1]) + { + for (size_t j = 1; j < MAX_PARMS && p[j] != NULL;j++) + { + options->providers.names[j] = p[j]; + } + } #ifdef ENABLE_PREDICTION_RESISTANCE else if (streq(p[0], "use-prediction-resistance") && !p[1]) { diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 251660fdc9c..37220904265 100644 --- a/src/openvpn/options.h 
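Review bot: Both loops in init_early and uninit_early start at `j=1` without saying why; the reason is that add_option copies `p[j]` into `names[j]` from index 1, leaving slot 0 unused, and that convention should be stated next to the loop, e.g. `/* names[0] is unused: slots mirror the parameter positions of --providers */`. The unload loop also stops at the first NULL in `providers[]`, which is only safe because crypto_load_provider is fatal on failure with OpenSSL 3.0 and returns NULL for every name otherwise; iterating over `names[j]` instead (with crypto_unload_provider tolerating a NULL provider) would not depend on that coupling. Style: `j=1` should be `j = 1` to match the surrounding code.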
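Review bot: The `providers` branch in add_option copies `p[1..]` into `options->providers.names[]` but never clears the slots beyond the last parameter, so when `--providers` appears more than once (config file plus command line) a shorter second occurrence leaves trailing entries of the first one in place and the merged list is what init_early loads. Reset the array before copying, e.g. `memset(options->providers.names, 0, sizeof(options->providers.names));` ahead of the `for` loop. Minor style: `p[j] != NULL;j++` is missing a space after the semicolon.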
+++ b/src/openvpn/options.h @@ -176,6 +176,14 @@ struct remote_list struct remote_entry *array[CONNECTION_LIST_SIZE]; }; +struct provider_list +{ + /* Names of the providers */ + const char *names[MAX_PARMS]; + /* Pointers to the loaded providers to unload them */ + provider_t *providers[MAX_PARMS]; +}; + enum vlan_acceptable_frames { VLAN_ONLY_TAGGED, @@ -519,6 +527,7 @@ struct options const char *prng_hash; int prng_nonce_secret_len; const char *engine; + struct provider_list providers; bool replay; bool mute_replay_warnings; int replay_window; From 0fb03c8c2333805eff9eda3cc10b2c82e617bee5 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Thu, 12 May 2022 14:14:25 +0200 Subject: [PATCH 15/55] Add ubuntu 22.04 to Github Actions This adds Ubuntu 22.04 to the Github actions. mbed TLS in 22.04 is still old enough (2.28) to build with OpenVPN and GPL licensed. Signed-off-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <20220512121429.2096164-4-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24329.html Signed-off-by: Gert Doering --- .github/workflows/build.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index fb53fb8bdc8..4926c1f951f 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -130,7 +130,7 @@ jobs: strategy: fail-fast: false matrix: - os: [ubuntu-18.04, ubuntu-20.04] + os: [ubuntu-18.04, ubuntu-20.04, ubuntu-22.04] sslpkg: [libmbedtls-dev] ssllib: [mbedtls] libname: [mbed TLS] @@ -148,6 +148,10 @@ jobs: sslpkg: "libssl-dev" libname: OpenSSL 1.1.1 ssllib: openssl + - os: ubuntu-22.04 + sslpkg: "libssl-dev" + libname: OpenSSL 3.0.2 + ssllib: openssl - os: ubuntu-20.04 sslpkg: "libssl-dev" libname: OpenSSL 1.1.1 From dea694099ff223feb63199bd0ca7afd74504711d Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Thu, 12 May 2022 14:14:26 +0200 Subject: [PATCH 16/55] Add macos OpenSSL 3.0 and ASAN builds 
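Review bot: The comments on the new `struct provider_list` do not record that index 0 of both arrays is never used (add_option fills `names[j]` from `p[j]` starting at 1 and init_early loads from 1), nor that `names[]` holds the parsed option strings themselves rather than copies. Suggested comment on the struct: `/* Slot 0 is unused; slots 1..MAX_PARMS-1 mirror the positional parameters of --providers. names[] points at the parsed option strings and does not own them. */`.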
Signed-off-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <20220512121429.2096164-5-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24330.html Signed-off-by: Gert Doering --- .github/workflows/build.yaml | 28 +++++++++++++++++++++++++--- 1 file changed, 25 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 4926c1f951f..3bdf2aa9f00 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -224,15 +224,37 @@ jobs: macos: runs-on: macos-latest + strategy: + fail-fast: false + matrix: + ossl: [ 1.1, 3 ] + build: [ normal, asan ] + include: + - build: asan + cflags: "-fsanitize=address -fno-optimize-sibling-calls -fsanitize-address-use-after-scope -fno-omit-frame-pointer -g -O1" + ldflags: -fsanitize=address + # Our build system ignores LDFLAGS for plugins + configureflags: --disable-plugin-auth-pam --disable-plugin-down-root + - build: normal + cflags: "-O2 -g" + ldflags: "" + configureflags: "" + + name: "macOS - OpenSSL ${{matrix.ossl}} - ${{matrix.build}}" + env: + CFLAGS: ${{ matrix.cflags }} + LDFLAGS: ${{ matrix.ldflags }} + OPENSSL_CFLAGS: -I/usr/local/opt/openssl@${{matrix.ossl}}/include + OPENSSL_LIBS: "-L/usr/local/opt/openssl@${{matrix.ossl}}/lib -lcrypto -lssl" steps: + - name: Install dependencies + run: brew install openssl@1.1 openssl@3 lzo lz4 man2html cmocka libtool automake autoconf - name: Checkout OpenVPN uses: actions/checkout@v2 - - name: Install dependencies - run: brew install openssl lzo lz4 man2html cmocka libtool automake autoconf - name: autoconf run: autoreconf -fvi - name: configure - run: OPENSSL_CFLAGS=-I/usr/local/opt/openssl@1.1/include OPENSSL_LIBS="-L/usr/local/opt/openssl@1.1/lib -lcrypto -lssl" ./configure + run: ./configure ${{matrix.configureflags}} - name: make all run: make -j4 - name: make check From c5d61b345e21860b2357206848535a8452754ad8 Mon Sep 17 00:00:00 2001 
From: Arne Schwabe Date: Thu, 12 May 2022 14:14:27 +0200 Subject: [PATCH 17/55] Add --with-openssl-engine autoconf option (auto|yes|no) This is a cherry-pick to release2.5 from 0df2261da. The OpenSSL engine tests fail otherwise and it is good to have the same behaviour as in master/2.6 This allows to select engine support at configure time. For OpenSSL 1.1 the default is not changed and we detect if engine support is available. Engine support is deprecated in OpenSSL 3.0 and for OpenSSL 3.0 the default is to disable engine support as engine support is deprecated and generates compiler warnings which in turn also break -Werror. By using --with-openssl-engine=no or --with-openssl-engine=yes engine support can be forced on or off. If it is enabled but not detected an error will be thown. This commit cleans up the configure logic a bit and removes the ENGINE_cleanup checks as we can just assume that it will be also available as macro or function if the other engine functions are available. Before the cleanup we would only check for the existance of engine.h if ENGINE_cleanup was not found. Signed-off-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <20220512121429.2096164-6-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24332.html Signed-off-by: Gert Doering --- Changes.rst | 2 ++ configure.ac | 60 ++++++++++++++++++++++++++++++++++++++++------------ 2 files changed, 49 insertions(+), 13 deletions(-) diff --git a/Changes.rst b/Changes.rst index ddfa2941fc3..f8259e11a1e 100644 --- a/Changes.rst +++ b/Changes.rst @@ -16,6 +16,8 @@ New features algorithm by default and the new option ``--providers`` allows loading the legacy provider to renable these algorithms. + The OpenSSL engine feature ``--engine`` is not enabled by default + anymore if OpenSSL 3.0 is detected. Overview of changes in 2.5.6 diff --git a/configure.ac b/configure.ac index 6242cc22eb3..2f5f6bc7c11 100644 --- a/configure.ac +++ b/configure.ac 
@@ -281,6 +281,18 @@ AC_ARG_WITH( [with_crypto_library="openssl"] ) +AC_ARG_WITH( + [openssl-engine], + [AS_HELP_STRING([--with-openssl-engine], [enable engine support with OpenSSL. Default enabled for OpenSSL < 3.0, auto,yes,no @<:@default=auto@:>@])], + [ + case "${withval}" in + auto|yes|no) ;; + *) AC_MSG_ERROR([bad value ${withval} for --with-engine]) ;; + esac + ], + [with_openssl_engine="auto"] +) + AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory @<:@default=LIBDIR/openvpn/plugins@:>@]) if test -n "${PLUGINDIR}"; then plugindir="${PLUGINDIR}" @@ -880,22 +892,44 @@ if test "${with_crypto_library}" = "openssl"; then [AC_MSG_ERROR([openssl check failed])] ) - have_openssl_engine="yes" - AC_CHECK_FUNCS( - [ \ + if test "${with_openssl_engine}" = "auto"; then + AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM( + [[ + #include + ]], + [[ + /* Version encoding: MNNFFPPS - see opensslv.h for details */ + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + #error Engine supported disabled by default in OpenSSL 3.0+ + #endif + ]] + )], + [have_openssl_engine="yes"], + [have_openssl_engine="no"] + ) + if test "${have_openssl_engine}" = "yes"; then + AC_CHECK_FUNCS( + [ \ ENGINE_load_builtin_engines \ ENGINE_register_all_complete \ - ENGINE_cleanup \ - ], - , - [have_openssl_engine="no"; break] - ) - if test "${have_openssl_engine}" = "no"; then - AC_CHECK_DECL( [ENGINE_cleanup], [have_openssl_engine="yes"],, - [[ - #include - ]] + ], + , + [have_openssl_engine="no"; break] + ) + fi + else + have_openssl_engine="${with_openssl_engine}" + if test "${have_openssl_engine}" = "yes"; then + AC_CHECK_FUNCS( + [ \ + ENGINE_load_builtin_engines \ + ENGINE_register_all_complete \ + ], + , + [AC_MSG_ERROR([OpenSSL engine support not found])] ) + fi fi if test "${have_openssl_engine}" = "yes"; then AC_DEFINE([HAVE_OPENSSL_ENGINE], [1], [OpenSSL engine support available]) From 3690939126cf84b166157bad96e724caea61346d Mon Sep 17 00:00:00 2001 
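Review bot: The error message in the new AC_ARG_WITH block names the wrong option: `AC_MSG_ERROR([bad value ${withval} for --with-engine])` should read `--with-openssl-engine`, otherwise a user who mistypes the value is pointed at an option that does not exist. In the second hunk the probe text `#error Engine supported disabled by default in OpenSSL 3.0+` should be `Engine support disabled by default in OpenSSL 3.0+`; it only drives the AC_COMPILE_IFELSE outcome, but it ends up in config.log. The `auto` path also silently settles on `have_openssl_engine="no"` for OpenSSL 3.0, where an AC_MSG_NOTICE stating that `--with-openssl-engine=yes` forces it on would save a debugging round.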
From: Arne Schwabe Date: Thu, 12 May 2022 14:14:28 +0200 Subject: [PATCH 18/55] Fix allowing/showing unsupported ciphers and digests This is a minimal version to hide the non-supported ciphers in these show-cipher/show-digests listings. It also adds code to the kt_md_get/ kt_cipher_get functions to error out early instead of getting an ugly backtrace with OpenSSL errors later when actually trying to use the ciphers. This allows make check to work again on with OpenSSL 3.0. The changes are kept minimal to avoid pulling in all the other refactoring for OpenSSL 3.0. This commit is partly cherry-picked from ab3f32b9. Signed-off-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <20220512121429.2096164-7-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24334.html Signed-off-by: Gert Doering --- src/openvpn/crypto_openssl.c | 52 +++++++++++++++++++++++++++++++++--- 1 file changed, 48 insertions(+), 4 deletions(-) diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index beeaee4b7ca..74685b3865d 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -166,7 +166,8 @@ crypto_load_provider(const char *provider) #endif } -void crypto_unload_provider(const char *provname, provider_t *provider) +void +crypto_unload_provider(const char *provname, provider_t *provider) { #if OPENSSL_VERSION_NUMBER >= 0x30000000L if (!OSSL_PROVIDER_unload(provider)) @@ -339,7 +340,11 @@ show_available_ciphers(void) || cipher_kt_mode_aead(cipher) )) { - cipher_list[num_ciphers++] = cipher; + /* Check explicit availibility (for OpenSSL 3.0) */ + if (cipher_kt_get(cipher_kt_name(cipher))) + { + cipher_list[num_ciphers++] = cipher; + } } if (num_ciphers == (sizeof(cipher_list)/sizeof(*cipher_list))) { 
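Review bot: The availability probe `cipher_kt_get(cipher_kt_name(cipher))` in show_available_ciphers routes every unavailable cipher through cipher_kt_get, which (see its hunk later in this patch) reports `Cipher algorithm '%s' not found` through crypto_msg at D_LOW, so at higher verbosity `--show-ciphers` will interleave its listing with one such line, plus any queued OpenSSL errors, per filtered algorithm. If that is intended it is worth a comment at the probe; otherwise a silent probe would avoid the noise. The comment typo `availibility` should be `availability`.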
@@ -371,6 +376,13 @@ show_available_ciphers(void) printf("\n"); } +void +print_digest(EVP_MD *digest, void *unused) +{ + printf("%s %d bit digest size\n", EVP_MD_name(digest), + EVP_MD_size(digest) * 8); +} + void show_available_digests(void) { @@ -384,16 +396,21 @@ show_available_digests(void) "the --auth option.\n\n"); #endif +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MD_do_all_provided(NULL, print_digest, NULL); +#else for (nid = 0; nid < 10000; ++nid) { const EVP_MD *digest = EVP_get_digestbynid(nid); if (digest) { - printf("%s %d bit digest size\n", - OBJ_nid2sn(nid), EVP_MD_size(digest) * 8); + /* We cast the const away so we can keep the function prototype + * compatible with EVP_MD_do_all_provided */ + print_digest((EVP_MD *)digest, NULL); } } printf("\n"); +#endif } void @@ -624,6 +641,19 @@ cipher_kt_get(const char *ciphername) ciphername = translate_cipher_name_from_openvpn(ciphername); cipher = EVP_get_cipherbyname(ciphername); + /* This is a workaround for OpenSSL 3.0 to infer if the cipher is valid + * without doing all the refactoring that OpenVPN 2.6 has. This will + * not support custom algorithm from providers but at least ignore + * algorithms that are not available without providers (legacy) */ +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_CIPHER *tmpcipher = EVP_CIPHER_fetch(NULL, ciphername, NULL); + if (!tmpcipher) + { + cipher = NULL; + } + EVP_CIPHER_free(tmpcipher); +#endif + if (NULL == cipher) { crypto_msg(D_LOW, "Cipher algorithm '%s' not found", ciphername); 
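Review bot: `print_digest` is defined with external linkage and no prior prototype; unless a declaration exists in a header (none is added in this patch) it should be `static void print_digest(EVP_MD *digest, void *unused)` so it does not leak into the global namespace and the compiler checks it where it is used. A one-line comment that the signature, including the non-const `EVP_MD *`, is dictated by the `EVP_MD_do_all_provided` callback type belongs at the definition rather than only at the pre-3.0 call site. The `unused` parameter could be acknowledged with `(void)unused;` to keep -Wunused-parameter builds quiet.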
@@ -924,6 +954,20 @@ md_kt_get(const char *digest) const EVP_MD *md = NULL; ASSERT(digest); md = EVP_get_digestbyname(digest); + + /* This is a workaround for OpenSSL 3.0 to infer if the digest is valid + * without doing all the refactoring that OpenVPN 2.6 has. This will + * not support custom algorithm from providers but at least ignore + * algorithms that are not available without providers (legacy) */ +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MD *tmpmd = EVP_MD_fetch(NULL, digest, NULL); + if (!tmpmd) + { + md = NULL; + } + EVP_MD_free(tmpmd); +#endif + if (!md) { crypto_msg(M_FATAL, "Message hash algorithm '%s' not found", digest); From 263436fdb06cc2364f9667bc1adead70aeb93ecc Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Fri, 13 May 2022 10:36:35 +0200 Subject: [PATCH 19/55] Remove dependency on BF-CBC existance from test_ncp The test_check_ncp_ciphers_list test assumed that BF-CBC is always available, which is no longer the case with OpenSSL 3.0. Rewrite the test to not rely on BF-CBC to be available. This is a cherry-pick from c07f95f3 Patch V2: manually fix if condition. Somehow the git cherry-pick ended up with a broken if condition. Signed-off-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <20220513083635.2199131-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24346.html Signed-off-by: Gert Doering --- tests/unit_tests/openvpn/test_ncp.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/tests/unit_tests/openvpn/test_ncp.c b/tests/unit_tests/openvpn/test_ncp.c index e38a5738ee7..4337f6df739 100644 --- a/tests/unit_tests/openvpn/test_ncp.c +++ b/tests/unit_tests/openvpn/test_ncp.c @@ -42,6 +42,7 @@ /* Defines for use in the tests and the mock parse_line() */ const char *bf_chacha = "BF-CBC:CHACHA20-POLY1305"; +const char *aes_chacha = "AES-128-CBC:CHACHA20-POLY1305"; const char *aes_ciphers = "AES-256-GCM:AES-128-GCM"; static void 
@@ -57,6 +58,11 @@ test_check_ncp_ciphers_list(void **state) assert_string_equal(mutate_ncp_cipher_list(aes_ciphers, &gc), aes_ciphers); + if (have_chacha) + { + assert_string_equal(mutate_ncp_cipher_list(aes_chacha, &gc), aes_chacha); + } + if (have_chacha && have_blowfish) { assert_string_equal(mutate_ncp_cipher_list(bf_chacha, &gc), bf_chacha); @@ -73,8 +79,8 @@ test_check_ncp_ciphers_list(void **state) bool have_chacha_mixed_case = cipher_kt_get("ChaCha20-Poly1305"); if (have_chacha_mixed_case) { - assert_string_equal(mutate_ncp_cipher_list("BF-CBC:ChaCha20-Poly1305", &gc), - bf_chacha); + assert_string_equal(mutate_ncp_cipher_list("AES-128-CBC:ChaCha20-Poly1305", &gc), + aes_chacha); } assert_ptr_equal(mutate_ncp_cipher_list("vollbit", &gc), NULL); From 1f54811e92c89fe07d7cea8339e928980bfe0536 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Tue, 19 Oct 2021 20:31:22 +0200 Subject: [PATCH 20/55] Add message when decoding PKCS12 file fails. Currently we never display the OpenSSL error stack when decoding a PCKS12 file fails. With LibreSSL defaulting to RC2-40-CBC, the failure might not be a wrong password but can actually be an unsupported encoding, seeing the error stack is really helpful (example from OpenSSL 3.0): error:0308010C:digital envelope routines:inner_evp_generic_fetch: unsupported:crypto/evp/evp_fetch.c:346:Global default library context, Algorithm (RC2-40-CBC : 0), Properties () to pinpoint the issue Signed-off-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <20211019183127.614175-17-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23017.html Signed-off-by: Gert Doering (cherry picked from commit 6ac4e63c577986ec11eae3519fe8516e8ca8ac0f) --- src/openvpn/ssl_openssl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 016331897fe..e0360f75b96 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c 
@@ -825,6 +825,8 @@ tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, ca = NULL; if (!PKCS12_parse(p12, password, &pkey, &cert, &ca)) { + crypto_msg(M_WARN, "Decoding PKCS12 failed. Probably wrong password " + "or unsupported/legacy encryption"); #ifdef ENABLE_MANAGEMENT if (management && (ERR_GET_REASON(ERR_peek_error()) == PKCS12_R_MAC_VERIFY_FAILURE)) { From 1294064e142d43b49df66296f8cd92de0698616d Mon Sep 17 00:00:00 2001 From: Jan Mikkelsen Date: Wed, 18 May 2022 20:37:15 +0200 Subject: [PATCH 21/55] cipher-negotiation.rst missing from doc/Makefile.am Trac: #1461 Signed-off-by: Jan Mikkelsen Acked-by: Frank Lichtenheld Message-Id: <20220518183715.931-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24394.html Signed-off-by: Gert Doering (cherry picked from commit 7c8dd98ec10f61c3b014b64c24090717cd6ebf05) --- doc/Makefile.am | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/Makefile.am b/doc/Makefile.am index cc9a661cdf0..adf85446ced 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -25,6 +25,7 @@ dist_doc_DATA = \ openvpn_sections = \ man-sections/advanced-options.rst \ + man-sections/cipher-negotiation.rst \ man-sections/client-options.rst \ man-sections/connection-profiles.rst \ man-sections/encryption-options.rst \ From b158125f67b49149ffd3e2617479fbd27860713c Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Mon, 23 May 2022 12:35:45 +0200 Subject: [PATCH 22/55] Translate OpenSSL 3.0 digest names to OpenSSL 1.1 digest names Since we used the OpenSSL <=1.1 names as part of our OCC message, they are now unfortunately part of our wire protocol. OpenSSL 3.0 will still accept the "old" names so we do not need to use this translation table for forward lookup, only for returning the name with md_kt_name() Backport of master commit 88342ed8277c5797. 
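Review bot: The new `crypto_msg(M_WARN, ...)` is placed before the existing `ERR_GET_REASON(ERR_peek_error()) == PKCS12_R_MAC_VERIFY_FAILURE` check, and crypto_msg prints the OpenSSL error stack by draining it (crypto_print_openssl_errors walks ERR_get_error), so when the management branch runs the queue is most likely empty and the wrong-password notification to the management interface would no longer fire. Either move the new message below the `#ifdef ENABLE_MANAGEMENT` block, or capture the reason first with `int reason = ERR_GET_REASON(ERR_peek_error());` ahead of the message and compare `reason` in the condition. tls_ctx_load_pkcs12 continues outside the hunk.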
Signed-off-by: Arne Schwabe Acked-by: Antonio Quartulli Message-Id: <20220523103546.3425388-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24424.html Signed-off-by: Gert Doering --- src/openvpn/crypto_openssl.c | 39 ++++++++++++++++++++++++++++++++++-- 1 file changed, 37 insertions(+), 2 deletions(-) diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 74685b3865d..7a05a352ad0 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -379,7 +379,7 @@ show_available_ciphers(void) void print_digest(EVP_MD *digest, void *unused) { - printf("%s %d bit digest size\n", EVP_MD_name(digest), + printf("%s %d bit digest size\n", md_kt_name(digest), EVP_MD_size(digest) * 8); } @@ -982,6 +982,28 @@ md_kt_get(const char *digest) return md; } +/* Since we used the OpenSSL <=1.1 names as part of our OCC message, they + * are now unfortunately part of our wire protocol. + * + * OpenSSL 3.0 will still accept the "old" names so we do not need to use + * this translation table for forward lookup, only for returning the name + * with md_kt_name() */ +const cipher_name_pair digest_name_translation_table[] = { + { "BLAKE2s256", "BLAKE2S-256"}, + { "BLAKE2b512", "BLAKE2B-512"}, + { "RIPEMD160", "RIPEMD-160" }, + { "SHA224", "SHA2-224"}, + { "SHA256", "SHA2-256"}, + { "SHA384", "SHA2-384"}, + { "SHA512", "SHA2-512"}, + { "SHA512-224", "SHA2-512/224"}, + { "SHA512-256", "SHA2-512/256"}, + { "SHAKE128", "SHAKE-128"}, + { "SHAKE256", "SHAKE-256"}, +}; +const size_t digest_name_translation_table_count = + sizeof(digest_name_translation_table) / sizeof(*digest_name_translation_table); + const char * md_kt_name(const EVP_MD *kt) { 
@@ -989,7 +1011,20 @@ md_kt_name(const EVP_MD *kt) { return "[null-digest]"; } - return EVP_MD_name(kt); + + const char *name = EVP_MD_name(kt); + + /* Search for a digest name translation */ + for (size_t i = 0; i < digest_name_translation_table_count; i++) + { + const cipher_name_pair *pair = &digest_name_translation_table[i]; + if (!strcmp(name, pair->lib_name)) + { + name = pair->openvpn_name; + } + } + + return name; } unsigned char From 5288c578b8b45dc1486bd51811a3e4462a8a9597 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Mon, 23 May 2022 11:17:24 +0200 Subject: [PATCH 23/55] Fix client-pending-auth error message to say ERROR instead of SUCCESS Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20220523091724.3418887-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24421.html Signed-off-by: Gert Doering (cherry picked from commit d681e9d42e11b08668fae6e7b61d6a040c93082d) --- src/openvpn/manage.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index 8d2d9983c33..1511fd85db8 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -1029,8 +1029,8 @@ man_client_pending_auth(struct management *man, const char *cid_str, const char } else { - msg(M_CLIENT, "SUCCESS: client-pending-auth command failed." - " Extra paramter might be too long"); + msg(M_CLIENT, "ERROR: client-pending-auth command failed." + " Extra parameter might be too long"); } } else From a0f9a3e9404c83218004ac584e37a8c5db3ac925 Mon Sep 17 00:00:00 2001 From: Gert Doering Date: Mon, 23 May 2022 17:46:35 +0200 Subject: [PATCH 24/55] Preparing release 2.5.7 version.m4, ChangeLog, Changes.rst Signed-off-by: Gert Doering --- ChangeLog | 41 +++++++++++++++++++++++++++++++++++++++++ Changes.rst | 28 +++++++++++++++++++++++++++- version.m4 | 4 ++-- 3 files changed, 70 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index edc0da3c6de..9543682fb56 100644 
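Review bot: The translation loop in md_kt_name keeps scanning after it has replaced `name`, so later iterations compare the already translated OpenVPN name against further `lib_name` entries; the current table produces no second hit, but a `break;` after `name = pair->openvpn_name;` makes the single-translation intent explicit and removes the risk as the table grows. The table defined in the previous hunk could also be `static const` unless a declaration elsewhere, not shown here, relies on external linkage.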
--- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,47 @@ OpenVPN Change Log Copyright (C) 2002-2022 OpenVPN Inc +2022.05.24 -- Version 2.5.7 + +Antonio Quartulli (4): + networking: use OPENVPN_ETH_ALEN instead of ETH_ALEN + networking_iproute2: don't pass M_WARN to openvpn_execve_check() + t_net.sh: delete dummy iface using iproute command + auth-pam.c: add missing include limits.h + +Arne Schwabe (11): + Add insecure tls-cert-profile options + Refactor early initialisation and uninitialisation into methods + Allow loading of non default providers + Add ubuntu 22.04 to Github Actions + Add macos OpenSSL 3.0 and ASAN builds + Add --with-openssl-engine autoconf option (auto|yes|no) + Fix allowing/showing unsupported ciphers and digests + Remove dependency on BF-CBC existance from test_ncp + Add message when decoding PKCS12 file fails. + Translate OpenSSL 3.0 digest names to OpenSSL 1.1 digest names + Fix client-pending-auth error message to say ERROR instead of SUCCESS + +Gert Doering (1): + Preparing release 2.5.7 + +Jan Mikkelsen (1): + cipher-negotiation.rst missing from doc/Makefile.am + +Lev Stipakov (5): + vcpkg-ports\pkcs11-helper: shorten patch filename + msvc: adjust build options to harden binaries + vcpkg-ports: remove openssl port + vcpkg: switch to manifest + Fix M_ERRNO behavior on Windows + +Marc Becker (1): + vcpkg-ports/pkcs11-helper: bump to release 1.29 + +Simon Rozman (1): + tapctl: Resolve MSVC C4996 warnings + + 2022.03.16 -- Version 2.5.6 Antonio Quartulli (4): diff --git a/Changes.rst b/Changes.rst index f8259e11a1e..b5fa12f3b3e 100644 --- a/Changes.rst +++ b/Changes.rst 
@@ -14,11 +14,37 @@ New features OpenSSL 3.0 no longer supports the Blowfish (and other deprecated) algorithm by default and the new option ``--providers`` allows loading - the legacy provider to renable these algorithms. + the legacy provider to renable these algorithms. Most notably, + reading of many PKCS#12 files encrypted with the RC2 algorithm fails + unless ``--providers legacy default`` is configured. The OpenSSL engine feature ``--engine`` is not enabled by default anymore if OpenSSL 3.0 is detected. +- print OpenSSL error stack if decoding PKCS12 file fails + +User-visible Changes +-------------------- +- windows vcpkg building includes pkcs11-helper 1.29 now + +- add MSVC build options to harden windows binaries (HW-enforced + stack protection, SHA256 object hashes, SDL). + +Bugfixes +-------- +- fix omission of cipher-negotiation.rst in tarballs + +- fix errno handling on Windows (Windows has different classes of + error codes, GetLastError() and C runtime errno, these should now + be handled correctly) + +- fix PATH_MAX build failure in auth-pam.c + +- fix t_net.sh self-test leaving around stale "ovpn-dummy0" interface + +- fix overlong path names, leading to missing pkcs11-helper patch + in tarball + Overview of changes in 2.5.6 ============================ diff --git a/version.m4 b/version.m4 index 124a50aa2e0..58b21e73d9f 100644 --- a/version.m4 +++ b/version.m4 
@@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN]) define([PRODUCT_TARNAME], [openvpn]) define([PRODUCT_VERSION_MAJOR], [2]) define([PRODUCT_VERSION_MINOR], [5]) -define([PRODUCT_VERSION_PATCH], [.6]) +define([PRODUCT_VERSION_PATCH], [.7]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]]) define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net]) -define([PRODUCT_VERSION_RESOURCE], [2,5,6,0]) +define([PRODUCT_VERSION_RESOURCE], [2,5,7,0]) dnl define the TAP version define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901]) define([PRODUCT_TAP_WIN_MIN_MAJOR], [9]) From 400da02714abd36218954c988a2ef81dade0b59d Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Tue, 31 May 2022 00:41:49 +0200 Subject: [PATCH 25/55] Remove useless empty line from CR_RESPONSE message The out buffer is not filled and this adds an extra empty line for CR_RESPONSE outputs. Also make minor style fixes. Signed-off-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <20220530224149.201883-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24447.html Signed-off-by: Gert Doering (cherry picked from commit 0dbcaba4f301c21e68a5cd032a4b56eb75c17c37) --- src/openvpn/manage.c | 5 +---- src/openvpn/push.c | 1 - 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index 1511fd85db8..0b9e92b6b9a 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c 
@@ -2970,17 +2970,14 @@ management_notify_client_cr_response(unsigned mda_key_id, { gc = gc_new(); - struct buffer out = alloc_buf_gc(256, &gc); msg(M_CLIENT, ">CLIENT:CR_RESPONSE,%lu,%u,%s", mdac->cid, mda_key_id, response); man_output_extra_env(management, "CLIENT"); - if (management->connection.env_filter_level>0) + if (management->connection.env_filter_level > 0) { man_output_peer_info_env(management, mdac); } man_output_env(es, true, management->connection.env_filter_level, "CLIENT"); - management_notify_generic(management, BSTR(&out)); - gc_free(&gc); } } diff --git a/src/openvpn/push.c b/src/openvpn/push.c index fab1d5f43be..7c36530d061 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -225,7 +225,6 @@ receive_cr_response(struct context *c, const struct buffer *buffer) struct env_set *es = session->opt->es; int key_id = session->key[KS_PRIMARY].key_id; - management_notify_client_cr_response(key_id, mda, es, m); #endif msg(D_PUSH, "CR response was sent by client ('%s')", m); From cf5864f5922e4f40357d9f75a35cd448e671dddf Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Fri, 3 Jun 2022 11:52:19 +0200 Subject: [PATCH 26/55] Allow running a default configuration with TLS libraries without BF-CBC Modern TLS libraries might drop Blowfish by default or distributions might disable Blowfish in OpenSSL/mbed TLS. We still signal OCC options with BF-CBC compatible strings. To avoid requiring BF-CBC for this, special this one usage of BF-CBC enough to avoid a hard requirement on Blowfish in the default configuration. This patch is cherry-picked from 79ff3f79 and the missing ciphername = "none"; has been added in the OCC code. Due to uncrustify complains, a few extra whitespace fixes had to be done to options.c. Signed-off-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <20220603095219.637361-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24456.html 
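Review bot: This hunk drops `gc_free(&gc);` while `gc = gc_new();` stays as context above the message, so once the `out` buffer is gone the arena is initialised and never released. If nothing else in management_notify_client_cr_response allocates from `gc` (its body starts outside the hunk) the `gc` variable and the `gc_new()` call should be removed too; if something does, `gc_free(&gc);` must be kept. Either way the current state is inconsistent.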
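Review bot: The removed `management_notify_client_cr_response(key_id, mda, es, m);` is the only use of `es` and `key_id` visible in this hunk; if no other call remains above it in receive_cr_response (the function starts outside the hunk), those two locals become unused and the management interface stops receiving CR_RESPONSE notifications, which goes beyond the commit's stated removal of an empty line. Please confirm that a retained call exists, or drop the now-dead declarations together with the call and say so in the commit message.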
Signed-off-by: Gert Doering --- src/openvpn/crypto_backend.h | 2 ++ src/openvpn/init.c | 37 ++++++++++++++++----- src/openvpn/options.c | 62 ++++++++++++++++++++++++++++-------- 3 files changed, 80 insertions(+), 21 deletions(-) diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h index a9bb38ed2dc..aebda3d6515 100644 --- a/src/openvpn/crypto_backend.h +++ b/src/openvpn/crypto_backend.h @@ -256,6 +256,8 @@ const cipher_kt_t *cipher_kt_get(const char *ciphername); * The returned name is normalised to the OpenVPN config name in case the * name differs from the name used by the crypto library. * + * Returns [null-cipher] in case the cipher_kt is NULL. + * * @param cipher_kt Static cipher parameters * * @return a statically allocated string describing the cipher. diff --git a/src/openvpn/init.c b/src/openvpn/init.c index da4d60afa3b..b1b7b350f48 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c 
@@ -2764,14 +2764,35 @@ do_init_crypto_tls_c1(struct context *c) #endif /* if P2MP */ } - /* Do not warn if we only have BF-CBC in options->ciphername - * because it is still the default cipher */ - bool warn = !streq(options->ciphername, "BF-CBC") - || options->enable_ncp_fallback; - /* Get cipher & hash algorithms */ - init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname, - options->keysize, true, warn); - + /* + * BF-CBC is allowed to be used only when explicitly configured + * as NCP-fallback or when NCP has been disabled or explicitly + * allowed in the in ncp_ciphers list. + * In all other cases do not attempt to initialize BF-CBC as it + * may not even be supported by the underlying SSL library. + * + * Therefore, the key structure has to be initialized when: + * - any non-BF-CBC cipher was selected; or + * - BF-CBC is selected and NCP is disabled (explicit request to + * use the BF-CBC cipher); or + * - BF-CBC is selected, NCP is enabled and fallback is enabled + * (BF-CBC will be the fallback). + * - BF-CBC is in data-ciphers and we negotiate to use BF-CBC: + * If the negotiated cipher and options->ciphername are the + * same we do not reinit the cipher + * + * Note that BF-CBC will still be part of the OCC string to retain + * backwards compatibility with older clients. + */ + if (!streq(options->ciphername, "BF-CBC") || !options->ncp_enabled + || (options->ncp_enabled && tls_item_in_cipher_list("BF-CBC", options->ncp_ciphers)) + || options->enable_ncp_fallback) + { + /* Do not warn if the if the cipher is used only in OCC */ + bool warn = !options->ncp_enabled || options->enable_ncp_fallback; + init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname, + options->keysize, true, warn); + } /* Initialize PRNG with config-specified digest */ prng_init(options->prng_hash, options->prng_nonce_secret_len); diff --git a/src/openvpn/options.c b/src/openvpn/options.c index f6ef02ae8ad..2206d9f4e18 100644 
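Review bot: The third clause of the new condition, `(options->ncp_enabled && tls_item_in_cipher_list("BF-CBC", options->ncp_ciphers))`, re-tests `ncp_enabled` although the preceding `|| !options->ncp_enabled` already settles it, so it reduces to `|| tls_item_in_cipher_list("BF-CBC", options->ncp_ciphers)` with identical results. The added comments also carry doubled words, "allowed in the in ncp_ciphers list" and "Do not warn if the if the cipher", which uncrustify will not flag. When the block is skipped, `c->c1.ks.key_type` is not touched by this function; a sentence in the block comment on what later users of the key type see in that case would spare the reader a search, as do_init_crypto_tls_c1() continues past the hunk.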
--- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1135,7 +1135,7 @@ parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_aren #ifndef ENABLE_SMALL static void -show_dhcp_option_list(const char *name, const char * const*array, int len) +show_dhcp_option_list(const char *name, const char *const *array, int len) { int i; for (i = 0; i < len; ++i) @@ -2288,7 +2288,7 @@ options_postprocess_verify_ce(const struct options *options, if (options->mode == MODE_SERVER) { #define USAGE_VALID_SERVER_PROTOS "--mode server currently only supports " \ - "--proto values of udp, tcp-server, tcp4-server, or tcp6-server" + "--proto values of udp, tcp-server, tcp4-server, or tcp6-server" #ifdef TARGET_ANDROID msg(M_FATAL, "--mode server not supported on Android"); #endif @@ -3103,7 +3103,7 @@ options_postprocess_cipher(struct options *o) if (!o->ncp_enabled) { msg(M_USAGE, "--ncp-disable needs an explicit --cipher or " - "--data-ciphers-fallback config option"); + "--data-ciphers-fallback config option"); } msg(M_WARN, "--cipher is not set. Previous OpenVPN version defaulted to " 
@@ -3681,9 +3681,30 @@ calc_options_string_link_mtu(const struct options *o, const struct frame *frame) { struct frame fake_frame = *frame; struct key_type fake_kt; - init_key_type(&fake_kt, o->ciphername, o->authname, o->keysize, true, - false); + frame_remove_from_extra_frame(&fake_frame, crypto_max_overhead()); + + + /* o->ciphername might be BF-CBC even though the underlying SSL library + * does not support it. For this reason we workaround this corner case + * by pretending to have no encryption enabled and by manually adding + * the required packet overhead to the MTU computation. + */ + const char *ciphername = o->ciphername; + + if (strcmp(o->ciphername, "BF-CBC") == 0) + { + /* none has no overhead, so use this to later add only --auth + * overhead */ + + /* overhead of BF-CBC: 64 bit block size, 64 bit IV size */ + frame_add_to_extra_frame(&fake_frame, 64/8 + 64/8); + ciphername = "none"; + } + + init_key_type(&fake_kt, ciphername, o->authname, o->keysize, true, + false); + crypto_adjust_frame_parameters(&fake_frame, &fake_kt, o->replay, cipher_kt_mode_ofb_cfb(fake_kt.cipher)); frame_finalize(&fake_frame, o->ce.link_mtu_defined, o->ce.link_mtu, 
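Review bot: `strcmp(o->ciphername, "BF-CBC") == 0` departs from the `streq()` helper the rest of options.c uses (see the `streq(p[0], "bind-dev")` lines further down), so `if (streq(o->ciphername, "BF-CBC"))` would match the file's convention; the same pattern appears in the options_string() hunk below. The `64/8 + 64/8` literal depends on the comment to be understood; naming the two terms, e.g. `enum { BF_CBC_BLOCK_BYTES = 64/8, BF_CBC_IV_BYTES = 64/8 };`, lets the code be checked against the comment instead of the other way round. There is also a doubled blank line after `frame_remove_from_extra_frame(&fake_frame, crypto_max_overhead());`. calc_options_string_link_mtu() continues outside the hunk.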
@@ -3853,18 +3874,33 @@ options_string(const struct options *o, + (TLS_SERVER == true) <= 1); - init_key_type(&kt, o->ciphername, o->authname, o->keysize, true, - false); + /* Skip resolving BF-CBC to allow SSL libraries without BF-CBC + * to work here in the default configuration */ + const char *ciphername = o->ciphername; + int keysize; + + if (strcmp(o->ciphername, "BF-CBC") == 0) + { + init_key_type(&kt, "none", o->authname, o->keysize, true, + false); + keysize = 128; + } + else + { + init_key_type(&kt, o->ciphername, o->authname, o->keysize, true, + false); + ciphername = cipher_kt_name(kt.cipher); + keysize = kt.cipher_length * 8; + } /* Only announce the cipher to our peer if we are willing to * support it */ - const char *ciphername = cipher_kt_name(kt.cipher); if (p2p_nopull || !o->ncp_enabled || tls_item_in_cipher_list(ciphername, o->ncp_ciphers)) { buf_printf(&out, ",cipher %s", ciphername); } buf_printf(&out, ",auth %s", md_kt_name(kt.digest)); - buf_printf(&out, ",keysize %d", kt.cipher_length * 8); + buf_printf(&out, ",keysize %d", keysize); if (o->shared_secret_file) { buf_printf(&out, ",secret"); @@ -6168,9 +6204,9 @@ add_option(struct options *options, } } #ifdef TARGET_LINUX - else if (streq (p[0], "bind-dev") && p[1]) + else if (streq(p[0], "bind-dev") && p[1]) { - VERIFY_PERMISSION (OPT_P_SOCKFLAGS); + VERIFY_PERMISSION(OPT_P_SOCKFLAGS); options->bind_dev = p[1]; } #endif @@ -6248,7 +6284,7 @@ add_option(struct options *options, { int64_t val = atoll(p[2]); options->inactivity_minimum_bytes = (val < 0) ? 0 : val; - if ( options->inactivity_minimum_bytes > INT_MAX ) + if (options->inactivity_minimum_bytes > INT_MAX) { msg(M_WARN, "WARNING: '--inactive' with a 'bytes' value" " >2 Gbyte was silently ignored in older versions. If " 
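Review bot: `keysize = 128;` in the BF-CBC branch is a bare magic number: the old path derived the value from `kt.cipher_length * 8`, so the literal needs a comment such as `/* BF-CBC default key length (128 bit); announced unchanged so the OCC string stays compatible with older peers */`. A side effect worth stating is that a configured `o->keysize` no longer influences the announced value when `--cipher BF-CBC` is set, whereas the non-BF-CBC branch still passes it to init_key_type(); if ignoring `--keysize` here is intended, the comment should say so. In the BF-CBC branch `ciphername` keeps the literal `o->ciphername` rather than the library-normalised name from cipher_kt_name(), which looks intended but deserves one line too. options_string() continues on both sides of the hunk.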
@@ -8132,7 +8168,7 @@ add_option(struct options *options, #endif else if (streq(p[0], "providers") && p[1]) { - for (size_t j = 1; j < MAX_PARMS && p[j] != NULL;j++) + for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++) { options->providers.names[j] = p[j]; } From 70897fd139e84a64d6344bf6af28fe0b0b8087d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Jan=C5=AF?= Date: Fri, 10 Jun 2022 12:04:05 +0000 Subject: [PATCH 27/55] Update the replay-window backtrack log message MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The man pages reference a logging message which has been rephrased in ac1310528a248c99e039e7afaf48724ad1b7f10e. This commit updates the man page message to reflect the change for improved grep-ability. Signed-off-by: Martin Janů Acked-by: Frank Lichtenheld Message-Id: URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24472.html Signed-off-by: Gert Doering (cherry picked from commit 98cbd2914cb728bfaa6ce36a968e944555c57d53) --- doc/man-sections/link-options.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index 182f1498888..71387805102 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst @@ -330,7 +330,7 @@ the local and the remote host. value for ``n``. Satellite links in particular often require this. If you run OpenVPN at ``--verb 4``, you will see the message - "Replay-window backtrack occurred [x]" every time the maximum sequence + "PID_ERR replay-window backtrack occurred [x]" every time the maximum sequence number backtrack seen thus far increases. This can be used to calibrate ``n``. From ce24bec7e2518d4ea7aa931021454d1191f4906b Mon Sep 17 00:00:00 2001 
From: Antonio Quartulli Date: Tue, 28 Jun 2022 11:41:44 +0200 Subject: [PATCH 28/55] tls-crypt-v2: bail out if the client key is too small The tls-crypt-v2 key should be at least 2 bytes long in order to read the actual length. Bail out if the key is too short. This looks like it could be abused to trigger a read of uninitialized memory, but after close checking it won't: We read from BEND(), so this is defined for TCP since the minimum length there is 3 bytes (pkt len + opcode) For UDP we might read past the beginning of the packet but since they are buffers coming from the packet stack we have the headroom/tailroom, so might read some random data (but not out of bound!). So we copy some more or less random number into net_len/wkc_len but without actually reading from undefined memory. The next line will then almost definitively fail (buf_advance()). While at it improve the error message a bit. Signed-off-by: Antonio Quartulli Acked-by: Arne Schwabe Message-Id: <20220628094144.17471-1-a@unstable.cc> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24580.html Signed-off-by: Gert Doering (cherry picked from commit 462339a45089ef655faf02232d7d792def9b8afb) --- src/openvpn/tls_crypt.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index 663f5e169a5..f2a97462d55 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -585,7 +585,8 @@ tls_crypt_v2_extract_client_key(struct buffer *buf, if (BLEN(&wrapped_client_key) < sizeof(net_len)) { - msg(D_TLS_ERRORS, "failed to read length"); + msg(D_TLS_ERRORS, "Can not read tls-crypt-v2 client key length"); + return false; } memcpy(&net_len, BEND(&wrapped_client_key) - sizeof(net_len), sizeof(net_len)); From e3c397b0edd86158b8c417f6d396920a7e2eae68 Mon Sep 17 00:00:00 2001 
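Review bot: The guard `BLEN(&wrapped_client_key) < sizeof(net_len)` compares what is presumably a signed `int` length with a `size_t`, so a negative length would be converted to a huge unsigned value and pass the check; if BLEN() can evaluate to a negative value at this point, `if (BLEN(&wrapped_client_key) < 0 || (size_t)BLEN(&wrapped_client_key) < sizeof(net_len))` closes that gap, and otherwise a comment noting why the length is known to be non-negative would help. The rejection message would also be more useful with the observed length, e.g. `msg(D_TLS_ERRORS, "Can not read tls-crypt-v2 client key length (%d bytes)", BLEN(&wrapped_client_key));`, with the format specifier matched to BLEN()'s real type. tls_crypt_v2_extract_client_key() starts before the hunk and continues after it.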
From: Selva Nair Date: Wed, 27 Jul 2022 23:45:07 -0400 Subject: [PATCH 29/55] Do not skip ERROR:/SUCCESS: response from management interface Generally we expect a response of SUCCESS: or ERROR: to every command sent to the management interface. But, while in the management-hold state, sending "signal foo" returns only the following reply (with foo = SIGHUP, SIGUSR1 etc.): >HOLD:Waiting for hold release:0 Fix by always responding ERROR: signal 'foo' is currently ignored" followed by the above line. Though this is seldom seen in practice[*], such violation of the protocol could stall clients like the GUI. So fix it. [*] One way this happens is with SIGHUP sent before the daemon is on hold state which it enters before the SIGHUP is received. Signed-off-by: Selva Nair Acked-by: Arne Schwabe Message-Id: <20220728034508.15180-1-selva.nair@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24750.html Signed-off-by: Gert Doering (cherry picked from commit 579b78e22feab7fe7cc627355cbb270cd91aebb4) --- src/openvpn/manage.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index 0b9e92b6b9a..0ba4f677d1f 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -428,14 +428,11 @@ man_signal(struct management *man, const char *name) } else { + msg(M_CLIENT, "ERROR: signal '%s' is currently ignored", name); if (man->persist.special_state_msg) { msg(M_CLIENT, "%s", man->persist.special_state_msg); } - else - { - msg(M_CLIENT, "ERROR: signal '%s' is currently ignored", name); - } } } else From 5b178f591c882a6600414104a77a9240f7a29331 Mon Sep 17 00:00:00 2001 
From: Selva Nair Date: Sun, 3 Jul 2022 22:58:40 -0400 Subject: [PATCH 30/55] Fix auth-token usage with management-def-auth When auth-token verify succeeds during a reauth, other auth methods (plugin, script, management) are skipped unless external-auth is in effect (skip_auth gets set to true). However, in this case, the status of management-def-auth (ks->mda_status) stays at its default value of ACF_PENDING and will never change. This causes TLS keys to go out of sync and an eventual client disconnect. Further, a message saying username/password authentication is "deferred" gets logged which is misleading. For example: test/127.0.0.1:35874 TLS: Username/auth-token authentication succeeded for username 'test' followed by test/127.0.0.1:35874 TLS: Username/Password authentication deferred for username 'test' [CN SET] Fix by setting ks->mda_status to ACF_DISABLED, and do not set ks->authenticated = KS_AUTH_DEFERRED when skip_auth is true. Also log a warning message when token is marked as expired on missing the reneg window. Reported by: Connor Edwards Signed-off-by: Selva Nair Acked-by: Arne Schwabe Message-Id: <20220704025840.2558-1-selva.nair@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24627.html Signed-off-by: Gert Doering (cherry picked from commit ddbe6a6fc26586d09f5a9105f13124c479b4d993) --- src/openvpn/auth_token.c | 8 +++++--- src/openvpn/ssl_verify.c | 9 ++++++++- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c index 37af6605897..7c4d15d1adf 100644 --- a/src/openvpn/auth_token.c +++ b/src/openvpn/auth_token.c 
@@ -349,8 +349,8 @@ verify_auth_token(struct user_pass *up, struct tls_multi *multi, return 0; } - /* Accept session tokens that not expired are in the acceptable range - * for renogiations */ + /* Accept session tokens only if their timestamp is in the acceptable range + * for renegotiations */ bool in_renog_time = now >= timestamp && now < timestamp + 2 * session->opt->renegotiate_seconds; @@ -362,13 +362,15 @@ verify_auth_token(struct user_pass *up, struct tls_multi *multi, if (!in_renog_time && !initialtoken) { + msg(M_WARN, "Timestamp (%" PRIu64 ") of auth-token is out of the renegotiation window", + timestamp); ret |= AUTH_TOKEN_EXPIRED; } /* Sanity check the initial timestamp */ if (timestamp < timestamp_initial) { - msg(M_WARN, "Initial timestamp (%" PRIu64 " in token from client earlier than " + msg(M_WARN, "Initial timestamp (%" PRIu64 ") in token from client earlier than " "current timestamp %" PRIu64 ". Broken/unsynchronised clock?", timestamp_initial, timestamp); ret |= AUTH_TOKEN_EXPIRED; diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index 7f977c0d1a7..efa2f436ad9 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -1397,7 +1397,14 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, #ifdef MANAGEMENT_DEF_AUTH if (man_def_auth != KMDA_UNDEF) { - ks->authenticated = KS_AUTH_DEFERRED; + if (skip_auth) + { + ks->mda_status = ACF_DISABLED; + } + else + { + ks->authenticated = KS_AUTH_DEFERRED; + } } #endif if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)) From 468f53ae3bfcfca6563acbf648e7a0bc6f94b038 Mon Sep 17 00:00:00 2001 
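Review bot: The new M_WARN line reports only `timestamp`, so the log cannot show how far outside the window the token was; adding the reference time, e.g. `msg(M_WARN, "Timestamp (%" PRIu64 ") of auth-token is out of the renegotiation window (now %" PRIu64 ")", timestamp, (uint64_t)now);`, lets an operator tell clock skew from a genuinely stale token. This warning fires on every reconnect with an expired token, which on a busy server may be frequent; if that volume is a concern, a lower log level than M_WARN may be more appropriate. verify_auth_token() starts before the hunk and continues after it.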
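Review bot: The `skip_auth` branch sets `ks->mda_status = ACF_DISABLED;` without saying why; the reason (the auth-token already authenticated this session, so management-def-auth must not leave the key waiting in its pending state) lives only in the commit message and belongs in a comment above the `if`, e.g. `/* auth-token already verified the client: do not defer to management-def-auth */`. verify_user_pass() continues on both sides of the hunk.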
From: Selva Nair Date: Wed, 27 Jul 2022 23:45:08 -0400 Subject: [PATCH 31/55] Allow a few levels of recursion in virtual_output_callback() Without this, replies to commands from the management client are sometimes lost if the server is writing when a command comes in and leads to a recursive call to this function. For some reason I've not been able to trigger this on Linux, but it does sometimes happen on Windows during intense write activity by openvpn.exe sending log lines to the management client. Signed-off-by: Selva Nair Acked-by: Gert Doering Message-Id: <20220728034508.15180-2-selva.nair@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24751.html Signed-off-by: Gert Doering (cherry picked from commit 4dfd592ff1ee18aa4859264c8a341dfa1a291988) --- src/openvpn/manage.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index 0ba4f677d1f..6af551528dd 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -314,8 +314,7 @@ virtual_output_callback_func(void *arg, const unsigned int flags, const char *st #define AF_DID_PUSH (1<<0) #define AF_DID_RESET (1<<1) - - if (!recursive_level) /* don't allow recursion */ + if (recursive_level < 5) /* limit recursion */ { struct gc_arena gc = gc_new(); struct log_entry e; @@ -382,6 +381,12 @@ virtual_output_callback_func(void *arg, const unsigned int flags, const char *st --recursive_level; } + else + { + /* cannot use msg here */ + printf("virtual_output: message to management interface " + "dropped due to recursion: <%s>\n", str); + } } /* From 26b04fce5a17f8a8670c005d66e9260dbdc88cfe Mon Sep 17 00:00:00 2001 From: Frank Lichtenheld Date: Fri, 22 Jul 2022 15:49:02 +0200 Subject: [PATCH 32/55] t_client: Allow to force FAIL on prerequisite fails In automated tests we want the build to fail if the worker node is configured incorrectly. 
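Review bot: The recursion bound in `if (recursive_level < 5) /* limit recursion */` is a bare literal; a named constant next to the `AF_DID_PUSH` / `AF_DID_RESET` defines, e.g. `#define MAX_RECURSIVE_LEVEL 5` used as `if (recursive_level < MAX_RECURSIVE_LEVEL)`, would make the limit visible and let the dropped-message text mention it. The fallback `printf()` writes to stdout, which may be closed or redirected once the process has daemonised; if this callback can run in that state, `fprintf(stderr, ...)` or the existing log file descriptor would be the safer sink. virtual_output_callback_func() starts before the hunk.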
Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <20220722134902.22092-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24723.html Signed-off-by: Gert Doering (cherry picked from commit 79932b94513303567fdd5d1c4e0abb79e6642b6e) --- tests/t_client.sh.in | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/tests/t_client.sh.in b/tests/t_client.sh.in index 294546be580..465c3a33d20 100755 --- a/tests/t_client.sh.in +++ b/tests/t_client.sh.in @@ -12,6 +12,10 @@ # - for "ping6" checks: fping6 binary in $PATH # +# by changing this to 1 we can force automated builds to fail +# that are expected to have all the prerequisites +TCLIENT_SKIP_RC="${TCLIENT_SKIP_RC:-77}" + srcdir="${srcdir:-.}" top_builddir="${top_builddir:-..}" if [ -r "${top_builddir}"/t_client.rc ] ; then @@ -21,25 +25,25 @@ elif [ -r "${srcdir}"/t_client.rc ] ; then else echo "$0: cannot find 't_client.rc' in build dir ('${top_builddir}')" >&2 echo "$0: or source directory ('${srcdir}'). SKIPPING TEST." >&2 - exit 77 + exit "${TCLIENT_SKIP_RC}" fi # Check for external dependencies which fping > /dev/null if [ $? -ne 0 ]; then echo "$0: fping is not available in \$PATH" >&2 - exit 77 + exit "${TCLIENT_SKIP_RC}" fi which fping6 > /dev/null if [ $? -ne 0 ]; then echo "$0: fping6 is not available in \$PATH" >&2 - exit 77 + exit "${TCLIENT_SKIP_RC}" fi KILL_EXEC=`which kill` if [ $? -ne 0 ]; then echo "$0: kill not found in \$PATH" >&2 - exit 77 + exit "${TCLIENT_SKIP_RC}" fi if [ ! -x "${top_builddir}/src/openvpn/openvpn" ] @@ -56,12 +60,12 @@ fi if [ -z "$CA_CERT" ] ; then echo "CA_CERT not defined in 't_client.rc'. SKIP test." >&2 - exit 77 + exit "${TCLIENT_SKIP_RC}" fi if [ -z "$TEST_RUN_LIST" ] ; then echo "TEST_RUN_LIST empty, no tests defined. SKIP test." >&2 - exit 77 + exit "${TCLIENT_SKIP_RC}" fi # Ensure PREFER_KSU is in a known state 
@@ -91,7 +95,7 @@ else then echo "$0: this test must run be as root, or RUN_SUDO=... " >&2 echo " must be set correctly in 't_client.rc'. SKIP." >&2 - exit 77 + exit "${TCLIENT_SKIP_RC}" else # We have to use sudo. Make sure that we (hopefully) do not have # to ask the users password during the test. This is done to @@ -101,7 +105,7 @@ else echo "$0: $RUN_SUDO $KILL_EXEC -0 succeeded, good." else echo "$0: $RUN_SUDO $KILL_EXEC -0 failed, cannot go on. SKIP." >&2 - exit 77 + exit "${TCLIENT_SKIP_RC}" fi fi fi From 64cac790b9d64b3c07fa5222bf46754a04ea1659 Mon Sep 17 00:00:00 2001 From: Frank Lichtenheld Date: Mon, 22 Aug 2022 16:18:06 +0200 Subject: [PATCH 33/55] t_client.sh: do not require fping6 fping and fping6 were merged in version 4.0, released in 2017. Many recent distributions do not include the compatibility symlink anymore. So if we find fping but not fping6 do not error out but assume that fping is capable of IPv6. Signed-off-by: Frank Lichtenheld Acked-by: Antonio Quartulli Message-Id: <20220822141806.39406-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25058.html Signed-off-by: Gert Doering (cherry picked from commit fb06c9f026a78b879f264ab8e67de09d725b5540) --- tests/t_client.sh.in | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/tests/t_client.sh.in b/tests/t_client.sh.in index 465c3a33d20..76ac9b2277e 100755 --- a/tests/t_client.sh.in +++ b/tests/t_client.sh.in @@ -9,7 +9,7 @@ # - writable current directory to create subdir for logs # - t_client.rc in current directory OR source dir that specifies tests # - for "ping4" checks: fping binary in $PATH -# - for "ping6" checks: fping6 binary in $PATH +# - for "ping6" checks: fping (4.0+) or fping6 binary in $PATH # # by changing this to 1 we can force automated builds to fail 
@@ -29,6 +29,8 @@ else fi # Check for external dependencies +FPING="fping" +FPING6="fping6" which fping > /dev/null if [ $? -ne 0 ]; then echo "$0: fping is not available in \$PATH" >&2 @@ -36,8 +38,9 @@ if [ $? -ne 0 ]; then fi which fping6 > /dev/null if [ $? -ne 0 ]; then - echo "$0: fping6 is not available in \$PATH" >&2 - exit "${TCLIENT_SKIP_RC}" + echo "$0: fping6 is not available in \$PATH, assuming fping 4.0 or later" >&2 + FPING="fping -4" + FPING6="fping -6" fi KILL_EXEC=`which kill` @@ -220,8 +223,8 @@ run_ping_tests() if [ -z "$targetlist" ] ; then return ; fi case $proto in - 4) cmd=fping ;; - 6) cmd=fping6 ;; + 4) cmd="$FPING" ;; + 6) cmd="$FPING6" ;; *) echo "internal error in run_ping_tests arg 1: '$proto'" >&2 exit 1 ;; esac From 997df07a98ee01dfdf6e2b360dd06f61580b5a1c Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Thu, 8 Sep 2022 18:14:35 +0200 Subject: [PATCH 34/55] Change command help to match man page and implementation Acked-by: Frank Lichtenheld Signed-off-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <20220908161435.327109-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25151.html Signed-off-by: Gert Doering (cherry picked from commit 2b4f3ea880377401275baf965ff603f30cde36f1) --- src/openvpn/options.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 2206d9f4e18..20d1273f37c 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
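Review bot: Storing `fping -4` in `FPING` and then `cmd="$FPING"` relies on unquoted expansion of `$cmd` at the call site in run_ping_tests(), which lies outside the hunk; if that site quotes `"$cmd"`, the whole string becomes one word and the exec fails. Either keep the flag separate, e.g. `FPING_OPTS="-4"` / `FPING6_OPTS="-6"` passed as a second word, or add a comment at the assignment noting that `$cmd` must stay unquoted.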
@@ -198,7 +198,7 @@ static const char usage_message[] = " is established. Multiple routes can be specified.\n" " netmask default: 255.255.255.255\n" " gateway default: taken from --route-gateway or --ifconfig\n" - " Specify default by leaving blank or setting to \"nil\".\n" + " Specify default by leaving blank or setting to \"default\".\n" "--route-ipv6 network/bits [gateway] [metric] :\n" " Add IPv6 route to routing table after connection\n" " is established. Multiple routes can be specified.\n" From 8cbfd57e4ad423c807ca8ec69f88fbc0e2da5aec Mon Sep 17 00:00:00 2001 From: Lev Stipakov Date: Mon, 26 Sep 2022 10:08:43 +0300 Subject: [PATCH 35/55] msvc: add branch name and commit hash to version output Add a simple python script which generates header with branch name and commit hash #defines. While on it, fix filename in msvc-generate.vcxproj and add proper copyright header to Makefile.mak. Signed-off-by: Lev Stipakov Acked-by: Gert Doering Message-Id: <20220926070843.717-1-lstipakov@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25314.html Signed-off-by: Gert Doering --- build/msvc/msvc-generate/Makefile.mak | 33 +++++++++++- build/msvc/msvc-generate/git-version.py | 50 +++++++++++++++++++ .../msvc/msvc-generate/msvc-generate.vcxproj | 2 +- config-msvc.h | 2 + 4 files changed, 84 insertions(+), 3 deletions(-) create mode 100644 build/msvc/msvc-generate/git-version.py diff --git a/build/msvc/msvc-generate/Makefile.mak b/build/msvc/msvc-generate/Makefile.mak index 1cb431026db..ae8b08426c0 100644 --- a/build/msvc/msvc-generate/Makefile.mak +++ b/build/msvc/msvc-generate/Makefile.mak 
@@ -1,4 +1,27 @@ -# Copyright (C) 2008-2012 Alon Bar-Lev +# +# OpenVPN -- An application to securely tunnel IP networks +# over a single UDP port, with support for SSL/TLS-based +# session authentication and key exchange, +# packet encryption, packet authentication, and +# packet compression. +# +# Copyright (C) 2002-2022 OpenVPN Inc +# Copyright (C) 2008-2012 Alon Bar-Lev +# Copyright (C) 2022-2022 Lev Stipakov +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 +# as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# CONFIG=$(SOLUTIONDIR)/version.m4 @@ -14,7 +37,9 @@ OUTPUT_PLUGIN_CONFIG=version.m4 INPUT_MAN=$(SOLUTIONDIR)/doc/openvpn.8.rst OUTPUT_MAN=$(SOLUTIONDIR)/doc/openvpn.8.html -all: $(OUTPUT_MSVC_VER) $(OUTPUT_PLUGIN) $(OUTPUT_MAN) +OUTPUT_MSVC_GIT_CONFIG=$(SOLUTIONDIR)/config-version.h + +all: $(OUTPUT_MSVC_VER) $(OUTPUT_PLUGIN) $(OUTPUT_MAN) $(OUTPUT_MSVC_GIT_CONFIG) $(OUTPUT_MSVC_VER): $(INPUT_MSVC_VER) $(CONFIG) cscript //nologo msvc-generate.js --config="$(CONFIG)" --input="$(INPUT_MSVC_VER)" --output="$(OUTPUT_MSVC_VER)" @@ -28,8 +53,12 @@ $(OUTPUT_PLUGIN): $(INPUT_PLUGIN) $(OUTPUT_PLUGIN_CONFIG) $(OUTPUT_MAN): $(INPUT_MAN) -FOR /F %i IN ('where rst2html.py') DO python %i "$(INPUT_MAN)" "$(OUTPUT_MAN)" +$(OUTPUT_MSVC_GIT_CONFIG): + python git-version.py $(SOLUTIONDIR) + clean: -del "$(OUTPUT_MSVC_VER)" -del "$(OUTPUT_PLUGIN)" -del "$(OUTPUT_PLUGIN_CONFIG)" -del "$(OUTPUT_MAN)" + -del "$(OUTPUT_MSVC_GIT_CONFIG)" 
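Review bot: `$(OUTPUT_MSVC_GIT_CONFIG):` has no prerequisites, so once `config-version.h` exists nmake treats it as up to date and never regenerates it; the embedded branch and commit hash then go stale across later commits without anyone noticing. A pseudo-target that always runs avoids that, e.g. `all: $(OUTPUT_MSVC_VER) $(OUTPUT_PLUGIN) $(OUTPUT_MAN) gitversion` with `gitversion:` / `	python git-version.py $(SOLUTIONDIR)`, while `clean` keeps deleting the generated file.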
diff --git a/build/msvc/msvc-generate/git-version.py b/build/msvc/msvc-generate/git-version.py
new file mode 100644
index 00000000000..b6037e1e021
--- /dev/null
+++ b/build/msvc/msvc-generate/git-version.py
@@ -0,0 +1,50 @@
+#
+# OpenVPN -- An application to securely tunnel IP networks
+# over a single UDP port, with support for SSL/TLS-based
+# session authentication and key exchange,
+# packet encryption, packet authentication, and
+# packet compression.
+#
+# Copyright (C) 2022-2022 OpenVPN Inc
+# Copyright (C) 2022-2022 Lev Stipakov
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+
+import os
+import sys
+
+def get_branch_commit_id():
+ commit_id = os.popen("git rev-parse --short=16 HEAD").read()[:-1]
+ if not commit_id:
+ raise
+ l = os.popen("git rev-parse --symbolic-full-name HEAD").read().split("/")[2:]
+ if not l:
+ l = ["none\n"]
+ branch = "/" .join(l)[:-1]
+ return branch, commit_id
+
+def main():
+ try:
+ branch, commit_id = get_branch_commit_id()
+ except:
+ branch, commit_id = "unknown", "unknown"
+
+ name = os.path.join("%s" % (sys.argv[1] if len(sys.argv) > 1 else "."), "config-version.h")
+ with open(name, "w") as f:
+ f.write("#define CONFIGURE_GIT_REVISION \"%s/%s\"\n" % (branch, commit_id))
+ f.write("#define CONFIGURE_GIT_FLAGS \"\"\n")
+
+if __name__ == "__main__":
+ main()
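Review bot: `get_branch_commit_id()` uses `os.popen()`, which runs through a shell, a bare `raise` with no active exception (which raises RuntimeError, so it works only by accident), and `main()` catches everything with a bare `except:`, including KeyboardInterrupt and programming errors, silently stamping "unknown/unknown" into the build. Running git via `subprocess.run` with an argument list, raising an explicit error, and catching only `(OSError, subprocess.CalledProcessError, RuntimeError)` keeps the fallback while making real faults visible; `subprocess` must then be imported next to `os` and `sys`. A branch name is also written unescaped into a C string literal in `config-version.h`, so a name containing a double quote or backslash would break the generated header; rejecting or escaping such names before the `f.write` would be prudent.
```python
def _git(*args):
    # run git without a shell; CalledProcessError if git fails
    return subprocess.run(["git", *args], capture_output=True, text=True,
                          check=True).stdout.strip()

def get_branch_commit_id():
    commit_id = _git("rev-parse", "--short=16", "HEAD")
    if not commit_id:
        raise RuntimeError("git returned an empty commit id")
    l = _git("rev-parse", "--symbolic-full-name", "HEAD").split("/")[2:]
    branch = "/".join(l) if l else "none"
    return branch, commit_id

# … unchanged: main() …
    except (OSError, subprocess.CalledProcessError, RuntimeError):
        branch, commit_id = "unknown", "unknown"
```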
diff --git a/build/msvc/msvc-generate/msvc-generate.vcxproj b/build/msvc/msvc-generate/msvc-generate.vcxproj index dda8b051d9e..eae94709408 100644 --- a/build/msvc/msvc-generate/msvc-generate.vcxproj +++ b/build/msvc/msvc-generate/msvc-generate.vcxproj @@ -150,7 +150,7 @@ - + diff --git a/config-msvc.h b/config-msvc.h index e7479c86144..47c5ba07ef6 100644 --- a/config-msvc.h +++ b/config-msvc.h @@ -177,3 +177,5 @@ typedef uint16_t in_port_t; #define HAVE_INET_NTOP #define HAVE_INET_PTON #endif + +#define HAVE_CONFIG_VERSION_H 1 From af546d798213587285b225cd0031944a81e8e26c Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Thu, 17 Feb 2022 19:22:34 +0100 Subject: [PATCH 36/55] Fix OpenVPN querying user/password if auth-token with user expires The problematic behaviour happens when starting a profile without auth-user-pass and then connecting to a server that pushes auth-token. When the auth token expires OpenVPN asks for auth User and password again (but it shouldn't). The problem is that the auth_user_pass_setup sets auth_user_pass_enabled = true; This function is called from two places. In ssl.c it is only called with an auth-token present or that variable already set. The other one is init_query_passwords. Move setting auth_user_pass_enabled to the second place to ensure it is only set if we really want passwords. Signed-off-by: Arne Schwabe Acked-by: David Sommerseth Acked-by: Heiko Hund Message-Id: <20221009130805.1556517-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25367.html Signed-off-by: Gert Doering (cherry-picked from commit 7d291e10bccd1d6b9e584307fb5fe3ebfb114ec9) --- src/openvpn/init.c | 1 + src/openvpn/ssl.c | 7 ++++++- src/openvpn/ssl.h | 3 +++ 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index b1b7b350f48..7990e8459c3 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c 
@@ -596,6 +596,7 @@ init_query_passwords(const struct context *c) /* Auth user/pass input */ if (c->options.auth_user_pass_file) { + enable_auth_user_pass(); #ifdef ENABLE_MANAGEMENT auth_user_pass_setup(c->options.auth_user_pass_file, &c->options.sc_info); #else diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 841a649abd9..3de4cc398b0 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -393,9 +393,14 @@ static char *auth_challenge; /* GLOBAL */ #endif void -auth_user_pass_setup(const char *auth_file, const struct static_challenge_info *sci) +enable_auth_user_pass() { auth_user_pass_enabled = true; +} + +void +auth_user_pass_setup(const char *auth_file, const struct static_challenge_info *sci) +{ if (!auth_user_pass.defined && !auth_token.defined) { #ifdef ENABLE_MANAGEMENT diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 4fe8004a03d..6b5ae8a96ba 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -419,6 +419,9 @@ void tls_post_encrypt(struct tls_multi *multi, struct buffer *buf); */ void pem_password_setup(const char *auth_file); +/* Enables the use of user/password authentication */ +void enable_auth_user_pass(); + /* * Setup authentication username and password. If auth_file is given, use the * credentials stored in the file. From 5ad4b4b374f072459ab2436ed372c92d3a42d65d Mon Sep 17 00:00:00 2001 
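Review bot: The new definition `void enable_auth_user_pass()` in ssl.c and the matching declaration `void enable_auth_user_pass();` in the ssl.h hunk use an empty parameter list, which in C11 declares a function with unspecified arguments rather than none; both should read `void enable_auth_user_pass(void)`. The ssl.h comment `/* Enables the use of user/password authentication */` could also state the ordering the commit relies on, e.g. that it must be called before auth_user_pass_setup() whenever credentials are actually to be queried, since auth_user_pass_setup() no longer sets the flag itself.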
From: Selva Nair Date: Sun, 23 Oct 2022 15:51:05 -0400 Subject: [PATCH 37/55] Ensure --auth-nocache is handled during renegotiation Currently, clearing auth_user_pass struct is delayed until push-reply processing to support auth-token. This results in username/password not purged after renegotiations that may not accompany any pushed tokens -- say, when auth-token is not in use. Fix by always clearing auth_user_pass soon after it is used, instead of delaying the purge as in pre-token days. But, when "pull" is true, retain the username in auth_token in anticipation of a token that may or may not arrive later. Remove ssl_clean_user_pass() as there is no delayed purge any longer -- auth-nocache handling is now done immediately after writing username/password to the send-buffer. Signed-off-by: Selva Nair Acked-by: Arne Schwabe Message-Id: <20221023195105.31714-1-selva.nair@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25452.html Signed-off-by: Gert Doering (cherry picked from commit 3a4fb17d103be37599d72d072bbee42cc121a39d) --- src/openvpn/init.c | 13 ------------- src/openvpn/misc.c | 10 ++-------- src/openvpn/ssl.c | 23 +++++------------------ src/openvpn/ssl.h | 6 ------ 4 files changed, 7 insertions(+), 45 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 7990e8459c3..be8ff80fd84 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c 
@@ -1597,19 +1597,6 @@ initialization_sequence_completed(struct context *c, const unsigned int flags)
 /* If we delayed UID/GID downgrade or chroot, do it now */
 do_uid_gid_chroot(c, true);
-
- /*
- * In some cases (i.e. when receiving auth-token via
- * push-reply) the auth-nocache option configured on the
- * client is overridden; for this reason we have to wait
- * for the push-reply message before attempting to wipe
- * the user/pass entered by the user
- */
- if (c->options.mode == MODE_POINT_TO_POINT)
- {
- ssl_clean_user_pass();
- }
-
 /* Test if errors */
 if (flags & ISC_ERRORS)
 {
diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index dceccd22ac4..40b3bf5ea60 100644
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -519,19 +519,13 @@ set_auth_token(struct user_pass *up, struct user_pass *tk, const char *token)
 * --auth-token has no username, so it needs the username
 * either already set or copied from up, or later set by
 * --auth-token-user
- *
- * Do not overwrite the username if already set to avoid
- * overwriting an username set by --auth-token-user
+ * If already set, tk is fully defined.
 */
- if (up->defined && !tk->defined)
+ if (strlen(tk->username))
 {
- strncpynt(tk->username, up->username, USER_PASS_LEN);
 tk->defined = true;
 }
 }
-
- /* Cleans user/pass for nocache */
- purge_user_pass(up, false);
 }
 void
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 3de4cc398b0..aa8266d7f79 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
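Review bot: `if (strlen(tk->username))` in the set_auth_token hunk walks the whole buffer just to ask whether it is empty; `if (tk->username[0] != '\0')` states the intent directly. The shortened comment `/* If already set, tk is fully defined. */` also no longer says where the username comes from now that the copy from `up` is gone from this function; something like `/* the username, if any, was saved into tk by key_method_2_write; with it present the token is usable on its own */` would point the reader to the new owner. set_auth_token's signature and the start of its body are outside the hunk.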
@@ -2391,20 +2391,13 @@ key_method_2_write(struct buffer *buf, struct tls_multi *multi,
 {
 goto error;
 }
- /* if auth-nocache was specified, the auth_user_pass object reaches
- * a "complete" state only after having received the push-reply
- * message. The push message might contain an auth-token that needs
- * the username of auth_user_pass.
- *
- * For this reason, skip the purge operation here if no push-reply
- * message has been received yet.
- *
- * This normally happens upon first negotiation only.
- */
- if (!session->opt->pull)
+ /* save username for auth-token which may get pushed later */
+ if (session->opt->pull)
 {
- purge_user_pass(&auth_user_pass, false);
+ strncpynt(auth_token.username, up->username, USER_PASS_LEN);
 }
+ /* respect auth-nocache */
+ purge_user_pass(&auth_user_pass, false);
 }
 else
 {
@@ -4143,9 +4136,3 @@ protocol_dump(struct buffer *buffer, unsigned int flags, struct gc_arena *gc)
 done:
 return BSTR(&out);
 }
-
-void
-ssl_clean_user_pass(void)
-{
- purge_user_pass(&auth_user_pass, false);
-}
diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h
index 6b5ae8a96ba..5dabcdf8760 100644
--- a/src/openvpn/ssl.h
+++ b/src/openvpn/ssl.h
@@ -603,12 +603,6 @@ void extract_x509_field_test(void);
 */
 bool is_hard_reset_method2(int op);
-/**
- * Cleans the saved user/password unless auth-nocache is in use.
- */
-void ssl_clean_user_pass(void);
-
-
 /*
 * Show the TLS ciphers that are available for us to use in the SSL
 * library with headers hinting their usage and warnings about usage.
From 3d792ae9557b959e796710cf903866d205d979da Mon Sep 17 00:00:00 2001
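Review bot: The new `strncpynt(auth_token.username, up->username, USER_PASS_LEN)` runs on every pull-mode write and overwrites whatever auth_token.username already holds, while the misc.c hunk of this commit removes the guard whose comment explicitly protected a username set by `--auth-token-user`. If that option can populate auth_token.username before this point is reached, the copy should be conditional, e.g. `if (session->opt->pull && !auth_token.username[0])`, or the commit message should state why overwriting is the intended behaviour. The comment `/* respect auth-nocache */` would also be more useful if it named the condition purge_user_pass checks, since the `false` argument is opaque at this call site. key_method_2_write starts and ends outside the hunk.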
From: Selva Nair Date: Wed, 26 Oct 2022 14:55:43 -0400 Subject: [PATCH 38/55] Purge auth-token as well while purging passwords Starting from commit e61b401a auth-token is saved in a separate struct from auth-user-pass and is not cleared when ssl_purge_auth() is called. This makes "forget-passwords" sent to the management interface or "--management-forget-disconnect" option not to work as expected. Purging caused by --auth-nocache is not affected (auth-token is retained in that case as it should be). Use case: For Pre-Logon access and persistent connections on Windows, use of "forget-passwords" before disconnect is probably the only way to ensure that no credentials are left behind. Note that openvpn.exe continues to run after disconnect in these cases. Also, the original intent of "forget-passwords" appears to be to clear all "passwords" that can be used to reconnect. v2: - call ssl_clean_auth_token() directly from manage.c instead of amending ssl_purge_auth() - Add a comment that ssl_purge_auth() does not clear auth-token Signed-off-by: Selva Nair Acked-by: Gert Doering Message-Id: <20221026185543.5378-1-selva.nair@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25460.html Signed-off-by: Gert Doering (cherry picked from commit ecad4839caf4c2fab9c6627ceeca9b9cb32e8929)
--- src/openvpn/manage.c | 2 ++ src/openvpn/ssl.h | 1 + 2 files changed, 3 insertions(+)
diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c
index 6af551528dd..c63a1b3e0d8 100644
--- a/src/openvpn/manage.c
+++ b/src/openvpn/manage.c
@@ -768,6 +768,7 @@ static void
 man_forget_passwords(struct management *man)
 {
 ssl_purge_auth(false);
+ (void)ssl_clean_auth_token();
 msg(M_CLIENT, "SUCCESS: Passwords were forgotten");
 }
@@ -2007,6 +2008,7 @@ man_reset_client_socket(struct management *man, const bool exiting)
 if (man->settings.flags & MF_FORGET_DISCONNECT)
 {
 ssl_purge_auth(false);
+ (void)ssl_clean_auth_token();
 }
 if (man->settings.flags & MF_SIGNAL)
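Review bot: Both manage.c hunks now have to pair `ssl_purge_auth(false)` with `(void)ssl_clean_auth_token()`, and the ssl.h comment added by this commit documents that the first call deliberately leaves auth_token alone, so a third caller that wants "forget everything" can easily miss the second call. A small static helper, e.g. `man_forget_all_credentials(void)` holding both calls, would keep man_forget_passwords and man_reset_client_socket in step. The `(void)` cast also deserves a one-line comment saying why the return value is irrelevant here, since nothing in the hunk shows what ssl_clean_auth_token reports. man_reset_client_socket continues outside its hunk.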
diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 5dabcdf8760..1dcfe253520 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -436,6 +436,7 @@ void ssl_set_auth_nocache(void); /* * Purge any stored authentication information, both for key files and tunnel * authentication. If PCKS #11 is enabled, purge authentication for that too. + * Note that auth_token is not cleared. */ void ssl_purge_auth(const bool auth_user_pass_only); From cd50cf021bcfb797b6dacbe853e4c08b21a8e89d Mon Sep 17 00:00:00 2001 From: Selva Nair Date: Thu, 27 Oct 2022 12:06:19 -0400 Subject: [PATCH 39/55] Do not copy auth_token username to itself - Fixes a potential mis-behaviour (strncpy with dest == src) introduced by commits ecad4839c (2.6) and 3d792ae955 (2.5). Reported by: Gert Doering Signed-off-by: Selva Nair Acked-by: Gert Doering Message-Id: <20221027160619.11894-1-selva.nair@gmail.com> URL: https://www.mail-archive.com/search?l=mid&q=20221027160619.11894-1-selva.nair@gmail.com Signed-off-by: Gert Doering (cherry picked from commit dbf142ffe597b21aa09a47677ea2061b74a9354e) --- src/openvpn/ssl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index aa8266d7f79..f95b0014a76 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -2392,7 +2392,7 @@ key_method_2_write(struct buffer *buf, struct tls_multi *multi, goto error; } /* save username for auth-token which may get pushed later */ - if (session->opt->pull) + if (session->opt->pull && up != &auth_token) { strncpynt(auth_token.username, up->username, USER_PASS_LEN); } From 0357ceb877687faa2f3c671fcb8bc88b5a69b449 Mon Sep 17 00:00:00 2001 From: Gert Doering Date: Thu, 27 Oct 2022 09:13:14 +0200 Subject: [PATCH 40/55] Preparing release 2.5.8 version.m4, ChangeLog, Changes.rst 
Signed-off-by: Gert Doering --- ChangeLog | 33 ++++++++++++++++++++++++++++++++ Changes.rst | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++ version.m4 | 4 ++-- 3 files changed, 90 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9543682fb56..5da537a6228 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,39 @@ OpenVPN Change Log Copyright (C) 2002-2022 OpenVPN Inc +2022.10.27 -- Version 2.5.8 + +Antonio Quartulli (1): + tls-crypt-v2: bail out if the client key is too small + +Arne Schwabe (4): + Remove useless empty line from CR_RESPONSE message + Allow running a default configuration with TLS libraries without BF-CBC + Change command help to match man page and implementation + Fix OpenVPN querying user/password if auth-token with user expires + +Frank Lichtenheld (2): + t_client: Allow to force FAIL on prerequisite fails + t_client.sh: do not require fping6 + +Gert Doering (1): + Preparing release 2.5.8 + +Lev Stipakov (1): + msvc: add branch name and commit hash to version output + +Martin Janů (1): + Update the replay-window backtrack log message + +Selva Nair (5): + Do not skip ERROR:/SUCCESS: response from management interface + Fix auth-token usage with management-def-auth + Allow a few levels of recursion in virtual_output_callback() + Ensure --auth-nocache is handled during renegotiation + Purge auth-token as well while purging passwords + Do not copy auth_token username to itself + + 2022.05.24 -- Version 2.5.7 Antonio Quartulli (4): diff --git a/Changes.rst b/Changes.rst index b5fa12f3b3e..cafb1f23fd8 100644 --- a/Changes.rst +++ b/Changes.rst 
@@ -1,3 +1,58 @@ +Overview of changes in 2.5.8 +============================ + +New features +------------ +- allow running a default configuration with TLS libraries without BF-CBC + (even if TLS cipher negotiation would not actually use BF-CBC, the + long-term compatibility "default cipher BF-CBC" would trigger an error + on such TLS libraries) + +User-visible Changes +-------------------- +- add git branch name + commit ID to OpenVPN version string on + MSVC builds (windows) + +Testing Enhancements +-------------------- +- t_client.sh: if fping is found and fping6 is not, assume we have + fping 4.0 and up, and call "fping -6" for IPv6 ping tests + +- t_client.sh: allow to force FAIL on prerequisite fails, so a CI + environment will no longer "silently skip" t_client runs if fping (etc) + can not be found, but will error out + +Bugfixes +-------- +- ``--auth-nocache'' was not always correctly clearing username+password + after a renegotiation + +- ensure that auth-token received from server is cleared if requested + by the management interface ("forget password" or automatically + via ``--management-forget-disconnect'') + +- in a setup without username+password, but with auth-token and + auth-token-username pushed by the server, OpenVPN would start asking + for username+password on token expiry. Fix. + +- using ``--auth-token`` together with ``--management-client-auth`` + (on the server) would lead to TLS keys getting out of sync and client + being disconnected. Fix. + +- management interface would sometimes get stuck if client and server + try to write something simultaneously. 
Fix by allowing a limited + level of recursion in virtual_output_callback() + +- fix management interface not returning ERROR:/SUCCESS: response + on "signal SIGxxx" commands when in HOLD state + +- tls-crypt-v2: abort connection if client-key is too short + +- make man page agree with actual code on replay-window backtrag log message + +- remove useless empty line from CR_RESPONSE message + + Overview of changes in 2.5.7 ============================ diff --git a/version.m4 b/version.m4 index 58b21e73d9f..dd66b1a9772 100644 --- a/version.m4 +++ b/version.m4 @@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN]) define([PRODUCT_TARNAME], [openvpn]) define([PRODUCT_VERSION_MAJOR], [2]) define([PRODUCT_VERSION_MINOR], [5]) -define([PRODUCT_VERSION_PATCH], [.7]) +define([PRODUCT_VERSION_PATCH], [.8]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]]) define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net]) -define([PRODUCT_VERSION_RESOURCE], [2,5,7,0]) +define([PRODUCT_VERSION_RESOURCE], [2,5,8,0]) dnl define the TAP version define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901]) define([PRODUCT_TAP_WIN_MIN_MAJOR], [9]) From 2086517693f68a3b8fe10d79b5e193868b94adf4 Mon Sep 17 00:00:00 2001 From: Frank Lichtenheld Date: Fri, 11 Nov 2022 13:12:12 +0100 Subject: [PATCH 41/55] msvc: always call git-version.py There is no way to detect whether this information is outdated in nmake itself. So leave it up to the Python script to decide. While here, change some leading whitespace to tabs as expected in Makefile. Signed-off-by: Frank Lichtenheld Signed-off-by: Lev Stipakov Acked-by: Lev Stipakov Message-Id: <20221111121212.25167-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25508.html 
Signed-off-by: Gert Doering (cherry picked from commit 3951ed8479c01e79bd8fae5c7d4b5f6b07d1f0fb) --- build/msvc/msvc-generate/Makefile.mak | 9 ++++++--- build/msvc/msvc-generate/git-version.py | 21 ++++++++++++++++++--- 2 files changed, 24 insertions(+), 6 deletions(-) diff --git a/build/msvc/msvc-generate/Makefile.mak b/build/msvc/msvc-generate/Makefile.mak index ae8b08426c0..1c1c4bab181 100644 --- a/build/msvc/msvc-generate/Makefile.mak +++ b/build/msvc/msvc-generate/Makefile.mak @@ -51,10 +51,13 @@ $(OUTPUT_PLUGIN): $(INPUT_PLUGIN) $(OUTPUT_PLUGIN_CONFIG) cscript //nologo msvc-generate.js --config="$(OUTPUT_PLUGIN_CONFIG)" --input="$(INPUT_PLUGIN)" --output="$(OUTPUT_PLUGIN)" $(OUTPUT_MAN): $(INPUT_MAN) - -FOR /F %i IN ('where rst2html.py') DO python %i "$(INPUT_MAN)" "$(OUTPUT_MAN)" + -FOR /F %i IN ('where rst2html.py') DO python %i "$(INPUT_MAN)" "$(OUTPUT_MAN)" -$(OUTPUT_MSVC_GIT_CONFIG): - python git-version.py $(SOLUTIONDIR) +# Force regeneration because we can't detect whether it is outdated +$(OUTPUT_MSVC_GIT_CONFIG): FORCE + python git-version.py $(SOLUTIONDIR) + +FORCE: clean: -del "$(OUTPUT_MSVC_VER)" diff --git a/build/msvc/msvc-generate/git-version.py b/build/msvc/msvc-generate/git-version.py index b6037e1e021..814dc86a876 100644 --- a/build/msvc/msvc-generate/git-version.py +++ b/build/msvc/msvc-generate/git-version.py 
@@ -41,10 +41,25 @@ def main(): except: branch, commit_id = "unknown", "unknown" + prev_content = "" + name = os.path.join("%s" % (sys.argv[1] if len(sys.argv) > 1 else "."), "config-version.h") - with open(name, "w") as f: - f.write("#define CONFIGURE_GIT_REVISION \"%s/%s\"\n" % (branch, commit_id)) - f.write("#define CONFIGURE_GIT_FLAGS \"\"\n") + try: + with open(name, "r") as f: + prev_content = f.read() + except: + # file doesn't exist + pass + + content = "#define CONFIGURE_GIT_REVISION \"%s/%s\"\n" % (branch, commit_id) + content += "#define CONFIGURE_GIT_FLAGS \"\"\n" + + if prev_content != content: + print("Writing %s" % name) + with open(name, "w") as f: + f.write(content) + else: + print("Content of %s hasn't changed" % name) if __name__ == "__main__": main() From abe0bb1a7f727a24e2d7cb7215cb309aea5fcffc Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Wed, 1 Dec 2021 19:07:19 +0100 Subject: [PATCH 42/55] Implement optional cipher in --data-ciphers prefixed with ? This allows to use the same configuration multiple platforms/ssl libraries and include optional algorithms that are not available on all platforms For example "AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305" can be used to emulate the default behaviour of OpenVPN 2.6. Signed-off-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <20211201180727.2496903-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23279.html Signed-off-by: Gert Doering (cherry picked from commit 766044507497c41f0319159c37992788ecb681e6) --- Changes.rst | 9 +++++++++ doc/man-sections/protocol-options.rst | 7 +++++++ src/openvpn/ssl_ncp.c | 16 ++++++++++++++-- tests/unit_tests/openvpn/test_ncp.c | 11 +++++++++++ 4 files changed, 41 insertions(+), 2 deletions(-) diff --git a/Changes.rst b/Changes.rst index cafb1f23fd8..ec7045dae9b 100644 --- a/Changes.rst +++ b/Changes.rst 
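Review bot: The bare `except:` around the read of the previous config-version.h swallows every exception, including KeyboardInterrupt and permission errors, while the comment `# file doesn't exist` describes only one of them; `except OSError:` (or `FileNotFoundError`) keeps the intended first-run case and lets anything else surface. The same pattern sits on the unchanged context line `except: branch, commit_id = "unknown", "unknown"` just above, which this hunk leaves as is. main()'s start and end are outside the hunk.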
@@ -1,3 +1,12 @@ +Overview of changes in 2.5.9 +============================ + +New features +------------ +- Optional ciphers in ``--data-ciphers`` + Ciphers in ``--data-ciphers`` can now be prefixed with a ``?`` to mark + those as optional and only use them if the SSL library supports them. + Overview of changes in 2.5.8 ============================ diff --git a/doc/man-sections/protocol-options.rst b/doc/man-sections/protocol-options.rst index e9d5d63d43b..25f8db12d95 100644 --- a/doc/man-sections/protocol-options.rst +++ b/doc/man-sections/protocol-options.rst @@ -184,6 +184,13 @@ configured in a compatible way between both the local and remote side. supported by the client will be pushed to clients that support cipher negotiation. + Starting with OpenVPN 2.5.9 a cipher can be prefixed with a :code:`?` to mark + it as optional. This allows including ciphers in the list that may not be + available on all platforms. + E.g. :code:`AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305` would only enable + Chacha20-Poly1305 if the underlying SSL library (and its configuration) + supports it. + Cipher negotiation is enabled in client-server mode only. I.e. if ``--mode`` is set to 'server' (server-side, implied by setting ``--server`` ), or if ``--pull`` is specified (client-side, implied by diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c index b94c786ee55..de7efa40793 100644 --- a/src/openvpn/ssl_ncp.c +++ b/src/openvpn/ssl_ncp.c 
@@ -108,7 +108,18 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc)
 * (and translate_cipher_name_from_openvpn/
 * translate_cipher_name_to_openvpn) also normalises the cipher name,
 * e.g. replacing AeS-128-gCm with AES-128-GCM
+ *
+ * ciphers that have ? in front of them are considered optional and
+ * OpenVPN will only warn if they are not found (and remove them from
+ * the list)
 */
+
+ bool optional = false;
+ if (token[0] == '?')
+ {
+ token++;
+ optional = true;
+ }
 const cipher_kt_t *ktc = cipher_kt_get(token);
 if (strcmp(token, "none") == 0)
 {
@@ -120,8 +131,9 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc)
 }
 if (!ktc && strcmp(token, "none") != 0)
 {
- msg(M_WARN, "Unsupported cipher in --data-ciphers: %s", token);
- error_found = true;
+ const char* optstr = optional ? "optional ": "";
+ msg(M_WARN, "Unsupported %scipher in --data-ciphers: %s", optstr, token);
+ error_found = !optional;
 }
 else
 {
diff --git a/tests/unit_tests/openvpn/test_ncp.c b/tests/unit_tests/openvpn/test_ncp.c
index 4337f6df739..134a58ab6f7 100644
--- a/tests/unit_tests/openvpn/test_ncp.c
+++ b/tests/unit_tests/openvpn/test_ncp.c
@@ -74,6 +74,17 @@ test_check_ncp_ciphers_list(void **state)
 assert_ptr_equal(mutate_ncp_cipher_list(bf_chacha, &gc), NULL);
 }
+ /* Check that optional ciphers work */
+ assert_string_equal(mutate_ncp_cipher_list("AES-256-GCM:?vollbit:AES-128-GCM", &gc),
+ aes_ciphers);
+
+ /* Check that optional ciphers work */
+ assert_string_equal(mutate_ncp_cipher_list("?AES-256-GCM:?AES-128-GCM", &gc),
+ aes_ciphers);
+
+ /* All unsupported should still yield an empty list */
+ assert_ptr_equal(mutate_ncp_cipher_list("?kugelfisch:?grasshopper", &gc), NULL);
+
 /* For testing that with OpenSSL 1.1.0+ that also accepts ciphers in
 * a different spelling the normalised cipher output is the same */
 bool have_chacha_mixed_case = cipher_kt_get("ChaCha20-Poly1305");
From b43a9b9f3324ccd7dffde3048c616aa5becc2b13 Mon Sep 17 00:00:00 2001
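Review bot: `const char* optstr = optional ? "optional ": "";` binds the `*` to the type, unlike `const cipher_kt_t *ktc` a few lines above, and the ternary lacks a space before the colon; `const char *optstr = optional ? "optional " : "";` matches the file. Separately, a list entry consisting of just `?` is advanced past the prefix to an empty token and then handed to cipher_kt_get(); whether that is reported as an unsupported optional cipher or silently dropped is not visible in the hunk and deserves a unit test alongside the new ones. The loop body of mutate_ncp_cipher_list begins before the hunk.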
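Review bot: The first two new assertions in test_check_ncp_ciphers_list carry the identical comment `/* Check that optional ciphers work */` although they cover different cases, so a failure message points at the wrong one. Make them distinct, e.g. `/* An unavailable optional cipher is dropped, the rest is kept */` for the "?vollbit" case and `/* All ciphers optional and available: list is unchanged */` for the "?AES-256-GCM:?AES-128-GCM" case.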
From: Arne Schwabe Date: Mon, 6 Dec 2021 16:08:52 +0100 Subject: [PATCH 43/55] Fix handling an optional invalid cipher at the end of data-ciphers If an optional cipher was found at the end of --data-cipher that was not available, it would reset the error and allow non optional ciphers to be ignored. Signed-off-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <20211206150852.3142891-1-arne@rfc2549.org> URL: https://www.mail-archive.com/search?l=mid&q=20211206150852.3142891-1-arne@rfc2549.org Signed-off-by: Gert Doering (cherry picked from commit 868433857fbf8d71515ac0ffecb98eae893515dc)
--- src/openvpn/ssl_ncp.c | 2 +- tests/unit_tests/openvpn/test_ncp.c | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c
index de7efa40793..4ab39a53903 100644
--- a/src/openvpn/ssl_ncp.c
+++ b/src/openvpn/ssl_ncp.c
@@ -133,7 +133,7 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc)
 {
 const char* optstr = optional ? "optional ": "";
 msg(M_WARN, "Unsupported %scipher in --data-ciphers: %s", optstr, token);
- error_found = !optional;
+ error_found = error_found || !optional;
 }
 else
 {
diff --git a/tests/unit_tests/openvpn/test_ncp.c b/tests/unit_tests/openvpn/test_ncp.c
index 134a58ab6f7..6e1e50a47cb 100644
--- a/tests/unit_tests/openvpn/test_ncp.c
+++ b/tests/unit_tests/openvpn/test_ncp.c
@@ -85,6 +85,9 @@ test_check_ncp_ciphers_list(void **state)
 /* All unsupported should still yield an empty list */
 assert_ptr_equal(mutate_ncp_cipher_list("?kugelfisch:?grasshopper", &gc), NULL);
+ /* If the last is optional, previous invalid ciphers should be ignored */
+ assert_ptr_equal(mutate_ncp_cipher_list("Vollbit:Littlebit:AES-256-CBC:BF-CBC:?nixbit", &gc), NULL);
+
 /* For testing that with OpenSSL 1.1.0+ that also accepts ciphers in
 * a different spelling the normalised cipher output is the same */
 bool have_chacha_mixed_case = cipher_kt_get("ChaCha20-Poly1305");
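Review bot: The new test comment `/* If the last is optional, previous invalid ciphers should be ignored */` says the opposite of what the assertion checks: the call is expected to return NULL, i.e. the earlier unsupported non-optional ciphers are still reported, which is exactly the regression this commit fixes. Reword it to `/* An optional cipher at the end must not clear errors from earlier non-optional ones */`. In the ssl_ncp.c hunk, `error_found |= !optional;` would express the sticky flag a little more directly than `error_found = error_found || !optional;`, though both are correct.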
From 4f5e57d2c7ff9384b16c42eb9aa5af11d31f5dd1 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Wed, 23 Nov 2022 16:49:12 +0100 Subject: [PATCH 44/55] Check if pkcs11_cert is NULL before freeing it When running openvpn --show-tls with mbedtls, it showed a null pointer error at the end because of this. Signed-off-by: Max Fillinger Acked-by: Arne Schwabe Message-Id: <20221123154912.28394-1-maximilian.fillinger@foxcrypto.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25530.html Signed-off-by: Gert Doering (cherry picked from commit 19c64f16baebbce966d55c62135d1ef066f7c8c2) --- src/openvpn/ssl_mbedtls.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index be0e57f154e..9958099ceaf 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -168,7 +168,13 @@ tls_ctx_free(struct tls_root_ctx *ctx) } #if defined(ENABLE_PKCS11) - pkcs11h_certificate_freeCertificate(ctx->pkcs11_cert); + /* ...freeCertificate() can handle NULL ptrs, but if pkcs11 helper + * has not been initialized, it will ASSERT() - so, do not pass NULL + */ + if (ctx->pkcs11_cert) + { + pkcs11h_certificate_freeCertificate(ctx->pkcs11_cert); + } #endif if (ctx->allowed_ciphers) From d682c77d5646466693991f0db797432fe5e09c95 Mon Sep 17 00:00:00 2001 From: Selva Nair Date: Wed, 30 Nov 2022 05:56:09 -0500 Subject: [PATCH 45/55] Do not add leading space to pushed options This makes auth-token push during reneg consistent with regular PUSH_REPLY. Signed-off-by: Selva Nair Acked-by: Gert Doering Message-Id: <20221130105609.662402-1-selva.nair@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25583.html Signed-off-by: Gert Doering (cherry picked from commit d0672e7a06437c730e27df645b9b9a5407b44ccf) --- src/openvpn/push.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
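Review bot: After `pkcs11h_certificate_freeCertificate(ctx->pkcs11_cert)` the field is left dangling inside ctx; adding `ctx->pkcs11_cert = NULL;` inside the new `if` block turns a repeated tls_ctx_free() on the same ctx, or a later read of the field, from a use-after-free into the no-op the new NULL check was written for. Whether ctx itself is zeroed or released afterwards is not visible, since tls_ctx_free continues outside the hunk.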
diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index 7c36530d061..700c18e3630 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -536,7 +536,7 @@ send_push_reply_auth_token(struct tls_multi *multi)
 /* Construct a mimimal control channel push reply message */
 struct buffer buf = alloc_buf_gc(PUSH_BUNDLE_SIZE, &gc);
- buf_printf(&buf, "%s, %s", push_reply_cmd, e->option);
+ buf_printf(&buf, "%s,%s", push_reply_cmd, e->option);
 send_control_channel_string_dowork(multi, BSTR(&buf), D_PUSH);
 gc_free(&gc);
 }
From 00952a6184da0a77fbabe801d842a7546058f6c2 Mon Sep 17 00:00:00 2001
From: Selva Nair Date: Wed, 30 Nov 2022 05:55:02 -0500 Subject: [PATCH 46/55] pull-filter: ignore leading "spaces" in option names It seems sometimes comma-separated pulled options have an offending leading space. Not sure whether that is an error, but the change here matches the behaviour of option parsing. v2: fix typo in commit message v3: space() --> isspace() Signed-off-by: Selva Nair Acked-by: Gert Doering Message-Id: <20221130105502.662374-1-selva.nair@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25582.html Signed-off-by: Gert Doering (cherry picked from commit f02946ff9900a37dd36f61748173d53eca01adf9)
--- src/openvpn/options.c | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 20d1273f37c..048bef75940 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -5001,6 +5001,12 @@ apply_pull_filter(const struct options *o, char *line)
 return true;
 }
+ /* skip leading spaces matching the behaviour of parse_line */
+ while (isspace(*line))
+ {
+ line++;
+ }
+
 for (f = o->pull_filter_list->head; f; f = f->next)
 {
 if (f->type == PUF_TYPE_ACCEPT && strncmp(line, f->pattern, f->size) == 0)
From 01bed788b0ec4007591b81398b56b5f9632ca33c Mon Sep 17 00:00:00 2001
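Review bot: `isspace(*line)` in the apply_pull_filter hunk passes a plain `char`; on platforms where char is signed, a byte above 0x7F becomes a negative value outside the range the ctype functions accept, which is undefined behaviour, and the bytes here come from a pulled option string rather than from local configuration. Use `while (isspace((unsigned char)*line))`. apply_pull_filter begins before the hunk.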
From: Arne Schwabe Date: Thu, 15 Dec 2022 20:01:38 +0100 Subject: [PATCH 47/55] Ensure that argument to parse_line has always space for final sentinel This fixes two places were we do not have enough space in the array of parameters given to parse_line for the final NULL parameter that signal the end of the parsed argument errors. Both these cases can lead to a buffer overflow. But both of these cases require root/admin access to OpenVPN: - parse_argv, only able to trigger if starting openvpn from the command line, at this point you cannot gain more privileges than you already have. Way to reproduce, compile with ASAN and run: openvpn --tls-verify a a a a a a a a a a a a a a a - remove_iroutes_from_push_route_list This operates on the list of pushed entries that is generated by the server itself. So trigger this, you need to have control over config, management interface, a plugin or cdd files. The parse_argv problem was found by Trial of Bits. I found the remove_iroutes_from_push_route_list problem by looking for similar problems. Reported-By: Trial of Bits (TOB-OVPN-4) Signed-off-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <20221215190143.2107896-4-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25734.html Signed-off-by: Gert Doering (cherry picked from commit 749beb6d0cb9f8628997bb656ba2f64e31cac377) --- src/openvpn/options.c | 9 ++++----- src/openvpn/push.c | 4 ++-- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 048bef75940..2ddf30d8ce3 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -4926,8 +4926,6 @@ parse_argv(struct options *options, unsigned int *option_types_found, struct env_set *es) { - int i, j; - /* usage message */ if (argc <= 1) { 
@@ -4937,7 +4935,7 @@ parse_argv(struct options *options,
 /* config filename specified only? */
 if (argc == 2 && strncmp(argv[1], "--", 2))
 {
- char *p[MAX_PARMS];
+ char *p[MAX_PARMS+1];
 CLEAR(p);
 p[0] = "config";
 p[1] = argv[1];
@@ -4947,9 +4945,9 @@ parse_argv(struct options *options,
 else
 {
 /* parse command line */
- for (i = 1; i < argc; ++i)
+ for (int i = 1; i < argc; ++i)
 {
- char *p[MAX_PARMS];
+ char *p[MAX_PARMS+1];
 CLEAR(p);
 p[0] = argv[i];
 if (strncmp(p[0], "--", 2))
@@ -4961,6 +4959,7 @@ parse_argv(struct options *options,
 p[0] += 2;
 }
+ int j;
 for (j = 1; j < MAX_PARMS; ++j)
 {
 if (i + j < argc)
diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index 700c18e3630..46ec2a1210b 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -891,13 +891,13 @@ remove_iroutes_from_push_route_list(struct options *o)
 /* cycle through the push list */
 while (e)
 {
- char *p[MAX_PARMS];
+ char *p[MAX_PARMS+1];
 bool enable = true;
 /* parse the push item */
 CLEAR(p);
 if (e->enable
- && parse_line(e->option, p, SIZE(p), "[PUSH_ROUTE_REMOVE]", 1, D_ROUTE_DEBUG, &gc))
+ && parse_line(e->option, p, SIZE(p)-1, "[PUSH_ROUTE_REMOVE]", 1, D_ROUTE_DEBUG, &gc))
 {
 /* is the push item a route directive? */
 if (p[0] && !strcmp(p[0], "route") && !p[3])
From fad810fff33946e1b79d408e97ea8b7c017e9fb4 Mon Sep 17 00:00:00 2001
From: Arne Schwabe Date: Thu, 15 Dec 2022 20:01:39 +0100 Subject: [PATCH 48/55] Improve documentation on user/password requirement and unicodize function Signed-off-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <20221215190143.2107896-5-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25733.html Signed-off-by: Gert Doering (cherry picked from commit 4b6854881c36e16054878e0467ef87d925e20cae)
--- src/openvpn/misc.h | 1 + src/openvpn/ntlm.c | 13 +++++++++++++ 2 files changed, 14 insertions(+)
diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h
index 570e473b28a..1e5205671ad 100644
--- a/src/openvpn/misc.h
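Review bot: The three `char *p[MAX_PARMS+1]` arrays in parse_argv and the one in remove_iroutes_from_push_route_list now encode the parse_line sentinel rule only through the bare `+1` (and, in push.c, the matching `SIZE(p)-1`), so the next reader is likely to "fix" one of them back; a one-line comment at each declaration, e.g. `/* +1: parse_line() writes a terminating NULL after the last parameter */`, records the invariant. In the third parse_argv hunk, `int j;` is introduced on its own line right before `for (j = 1; j < MAX_PARMS; ++j)` while the same commit moves `i` into its `for` header; unless `j` is read after the loop (its end is outside the hunk), `for (int j = 1; j < MAX_PARMS; ++j)` would be consistent. Both functions start and end outside their hunks.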
+++ b/src/openvpn/misc.h @@ -74,6 +74,7 @@ struct user_pass #else #define USER_PASS_LEN 128 #endif + /* Note that username and password are expected to be null-terminated */ char username[USER_PASS_LEN]; char password[USER_PASS_LEN]; }; diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c index e3707484d59..9158cfd6729 100644 --- a/src/openvpn/ntlm.c +++ b/src/openvpn/ntlm.c @@ -143,6 +143,19 @@ my_strupr(char *str) } } +/** + * This function expects a null-terminated string in src and will + * copy it (including the terminating NUL byte), + * alternating it with 0 to dst. + * + * This basically will transform a ASCII string into valid UTF-16. + * Characters that are 8bit in src, will get the same treatment, resulting in + * invalid or wrong unicode code points. + * + * @note the function will blindly assume that dst has double + * the space of src. + * @return the length of the number of bytes written to dst + */ static int unicodize(char *dst, const char *src) { From 5ca01c79bc3c972719e844b224dac981e128cbb6 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Thu, 15 Dec 2022 20:01:41 +0100 Subject: [PATCH 49/55] Remove unused gc_arena Reported-By: Trail of Bits Signed-off-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <20221215190143.2107896-7-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25736.html Signed-off-by: Gert Doering (cherry picked from commit 97929d16a4eb05cb521a469ff4eaca32761699f3) --- src/openvpn/forward.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index de80dcffa21..de7cafded4b 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1714,8 +1714,6 @@ process_outgoing_link(struct context *c) void process_outgoing_tun(struct context *c) { - struct gc_arena gc = gc_new(); - /* * Set up for write() call to TUN/TAP * device. 
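Review bot: The new unicodize() docstring has a garbled return sentence, `@return the length of the number of bytes written to dst`; `@return the number of bytes written to dst, including the two terminating NUL bytes` states it plainly (confirm the terminator count against the body, which is outside the hunk). `a ASCII string` should read `an ASCII string`, and the `@note` "double the space of src" is clearer as `dst must hold at least 2 * (strlen(src) + 1) bytes`, which is the figure a caller actually has to provide. The misc.h hunk is a comment-only change and needs nothing further.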
@@ -1801,7 +1799,6 @@ process_outgoing_tun(struct context *c) buf_reset(&c->c2.to_tun); perf_pop(); - gc_free(&gc); } void From 1ec71f4568e13f2876e6ec15f1efda530693d2e9 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Thu, 15 Dec 2022 20:01:42 +0100 Subject: [PATCH 50/55] Fix corner case that might lead to leaked file descriptor Reported-By: Trail of Bits Signed-off-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <20221215190143.2107896-8-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25730.html Signed-off-by: Gert Doering (cherry picked from commit a034dc8153522713c3cfda90b2cda114cea70e2d) --- src/openvpn/misc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index 40b3bf5ea60..e4662a7bdb0 100644 --- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c @@ -273,6 +273,7 @@ get_user_pass_cr(struct user_pass *up, msg(D_LOW, "No password found in %s authfile '%s'. Querying the management interface", prefix, auth_file); if (!auth_user_pass_mgmt(up, prefix, flags, auth_challenge)) { + fclose(fp); return false; } } From 4a165e1ea58eb395865a9975cefcfbfe7b41c356 Mon Sep 17 00:00:00 2001 From: Lev Stipakov Date: Mon, 19 Dec 2022 17:56:38 +0200 Subject: [PATCH 51/55] git-version.py: proper support for tags Git magic to get branch name git rev-parse --symbolic-full-name HEAD doesn't work when we're on tag, which is the case when we build releases. First, try to get tag name with git describe --exact-match and if this fails, get branch name as before. Use subprocess.Popen() to suppress stdout/stderr output. Github: Fixes OpenVPN/openvpn#199 Signed-off-by: Lev Stipakov Acked-by: Frank Lichtenheld Message-Id: <20221219155638.497-1-lstipakov@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25773.html 
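Review bot: The added `fclose(fp)` closes the auth file on this one early return, but get_user_pass_cr's other exits after the fopen are outside the hunk and cannot be checked here; if there are more, a single cleanup label that closes fp on every path would be safer than closing at each return. A short comment on the added line, `/* fp is still open here: close before bailing out */`, would also explain why this branch differs from the management-success path below it.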
Signed-off-by: Gert Doering (cherry picked from commit 91ab3d022e2652a46e6d6f25ab62f7c903e583c1)
--- build/msvc/msvc-generate/git-version.py | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/build/msvc/msvc-generate/git-version.py b/build/msvc/msvc-generate/git-version.py
index 814dc86a876..00458955af9 100644
--- a/build/msvc/msvc-generate/git-version.py
+++ b/build/msvc/msvc-generate/git-version.py
@@ -24,15 +24,25 @@ import os import sys
+import subprocess
+
+def run_command(args):
+ sp = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
+ o, _ = sp.communicate()
+ return o.decode("utf-8")[:-1]
 def get_branch_commit_id():
- commit_id = os.popen("git rev-parse --short=16 HEAD").read()[:-1]
+ commit_id = run_command(["git", "rev-parse", "--short=16", "HEAD"])
 if not commit_id: raise
- l = os.popen("git rev-parse --symbolic-full-name HEAD").read().split("/")[2:]
- if not l:
- l = ["none\n"]
- branch = "/" .join(l)[:-1]
+ branch = run_command(["git", "describe", "--exact-match"])
+ if not branch:
+ # this returns an array like ["master"] or ["release", "2.6"]
+ branch = run_command(["git", "rev-parse", "--symbolic-full-name", "HEAD"]).split("/")[2:]
+ if not branch:
+ branch = ["none"]
+ branch = "/" .join(branch) # handle cases like release/2.6
+
 return branch, commit_id
 def main():
From 1d81df042eae416a4e83e6a433ae2b937c5a10a4 Mon Sep 17 00:00:00 2001
From: Selva Nair Date: Mon, 19 Dec 2022 09:04:05 -0500 Subject: [PATCH 52/55] Do not include auth-token in pulled option digest As change in auth-token is common on restart and does not require tun-reopen, exclude it from the "pulled options digest" calculation. Without this tun is always re-opened on SIGUSR1 if auth-token is in use which breaks persist-tun. Github: Fixes OpenVPN/openvpn#200 v2: explcitly filter auth-token and auth-token-user
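Review bot: `o.decode("utf-8")[:-1]` in run_command drops the last character unconditionally, so any git output that does not end in a newline loses a real character of the id or tag name; `.rstrip("\n")` removes only the line terminator and is a no-op on empty output. The unchanged context line `raise` has no active exception to re-raise and will surface as a RuntimeError with no message; `raise RuntimeError("git rev-parse HEAD produced no output")` would tell the MSVC build what went wrong. Reusing `branch` first for the `git describe` string and then for the split list also makes the fallback harder to follow; a separate name such as `parts` for the list would help. get_branch_commit_id is complete within the hunk, but main() starts after it.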
Signed-off-by: Selva Nair Acked-by: Gert Doering Message-Id: <20221219140405.1221341-1-selva.nair@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25768.html Signed-off-by: Gert Doering (cherry picked from commit f778f4f88e56851c0a68205e95110c021f3032b3) --- src/openvpn/push.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/openvpn/push.c b/src/openvpn/push.c index 46ec2a1210b..43db19121b5 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -779,8 +779,10 @@ push_update_digest(md_ctx_t *ctx, struct buffer *buf, const struct options *opt) char line[OPTION_PARM_SIZE]; while (buf_parse(buf, ',', line, sizeof(line))) { - /* peer-id might change on restart and this should not trigger reopening tun */ - if (strprefix(line, "peer-id ")) + /* peer-id and auth-token might change on restart and this should not trigger reopening tun */ + if (strprefix(line, "peer-id ") + || strprefix(line, "auth-token ") + || strprefix(line, "auth-token-user ")) { continue; } From ea4ce681d9008f277706f4d90f2648ae043cbb2e Mon Sep 17 00:00:00 2001 From: Gert Doering Date: Tue, 14 Feb 2023 17:20:58 +0100 Subject: [PATCH 53/55] Preparing release 2.5.9 version.m4, ChangeLog, Changes.rst Signed-off-by: Gert Doering --- ChangeLog | 25 +++++++++++++++++++++++++ Changes.rst | 23 +++++++++++++++++++++++ version.m4 | 4 ++-- 3 files changed, 50 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5da537a6228..3701823d5df 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,6 +1,31 @@ OpenVPN Change Log Copyright (C) 2002-2022 OpenVPN Inc +2023.02.14 -- Version 2.5.9 + +Arne Schwabe (6): + Implement optional cipher in --data-ciphers prefixed with ? + Fix handling an optional invalid cipher at the end of data-ciphers + Ensure that argument to parse_line has always space for final sentinel + Improve documentation on user/password requirement and unicodize function + Remove unused gc_arena + Fix corner case that might lead to leaked file descriptor + +Frank Lichtenheld (1): + msvc: always call git-version.py + +Lev Stipakov (1): + git-version.py: proper support for tags + +Max Fillinger (1): + Check if pkcs11_cert is NULL before freeing it + +Selva Nair (3): + Do not add leading space to pushed options + pull-filter: ignore leading "spaces" in option names + Do not include auth-token in pulled option digest + + 2022.10.27 -- Version 2.5.8 Antonio Quartulli (1): diff --git a/Changes.rst b/Changes.rst index ec7045dae9b..3ba78c6c7a7 100644 --- a/Changes.rst +++ b/Changes.rst @@ -7,6 +7,29 @@ New features Ciphers in ``--data-ciphers`` can now be prefixed with a ``?`` to mark those as optional and only use them if the SSL library supports them. +User-visible Changes +-------------------- +- when compiling from a git checkout, put proper branch names into + windows builds + +Bugfixes +-------- +- do not include auth-token in pulled-option digest (interferes with + persist-tun when auth-token is in use, GH #200). + +- fix corner case that might lead to leaked file descriptor + +- fix parser bug (parse_line()) that can lead to buffer overflows on + malformed command line or server ccd file handling. Not exploitable. + +- pull-filter: ignore leading spaces in option names (work around server side + bug with erroneous extra spaces) + +- push: do not add leading spaces to "out of renegotiations" pushed auth-token + +- fix NULL pointer crash on "openvpn --show-tls" with mbedtls + + Overview of changes in 2.5.8 ============================ 
diff --git a/version.m4 b/version.m4
index dd66b1a9772..53d1edf57d7 100644
--- a/version.m4
+++ b/version.m4
@@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN])
 define([PRODUCT_TARNAME], [openvpn])
 define([PRODUCT_VERSION_MAJOR], [2])
 define([PRODUCT_VERSION_MINOR], [5])
-define([PRODUCT_VERSION_PATCH], [.8])
+define([PRODUCT_VERSION_PATCH], [.9])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
 define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net])
-define([PRODUCT_VERSION_RESOURCE], [2,5,8,0])
+define([PRODUCT_VERSION_RESOURCE], [2,5,9,0])
 dnl define the TAP version
 define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
 define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])

From 4a89a55b8a9d6193957711bef74228796a185179 Mon Sep 17 00:00:00 2001
From: Arne Schwabe
Date: Wed, 26 Apr 2023 11:49:31 +0200
Subject: [PATCH 54/55] Add Apache2 linking with for new commits

After first round of mailing people with more than 10 commits we have almost all committers have agreed. This put this license in the realm of having a realistic change to work. Had any of these contributers disagreed, rewriting all their code might have been not feasible.

The rationale of adding this exception now is to avoid having to have a second round of agreement for new contributers and ensure that all new code will include the exemption.

patch v2: add explaination and use exception rather than excemption
patch v3: actually send v3

Change-Id: Ide83f914f383b53ef37ddf628e4da5a78e241bf0
Signed-off-by: Arne Schwabe
Acked-by: David Sommerseth
Message-Id: <20230426094931.1168078-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26610.html
Signed-off-by: Gert Doering
(cherry picked from commit 7b21c69dbe1e1ecfb5bed564417387892b42108a)
---
 COPYING | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
diff --git a/COPYING b/COPYING
index 62e1a9d3ffb..b05944de463 100644
--- a/COPYING
+++ b/COPYING
@@ -31,6 +31,53 @@ OpenVPN license: file, but you are not obligated to do so. If you do not wish to do so, delete this exception statement from your version. +Apache2 linking exception: +--------------------------- +OpenVPN is currently undergoing a license change to add an exception for +Apache 2 linking. The following exception is only valid for new contributions +after 2023-05-03 and past contribution where the authors have already agreed +to the exception. + + In addition, as a special exception, OpenVPN Inc and the + contributors give permission to link the code of this program to + libraries (the "Libraries") licensed under the Apache License + version 2.0 (this work and any linked library the "Combined Work") + and copy and distribute the Combined Work without an obligation to + license the Libraries under the GNU General Public License v2 + (GPL-2.0) as required by Section 2 of the GPL-2.0, and without an + obligation to refrain from imposing any additional restrictions in + the Apache License version 2 that are not in the GPL-2.0, as + required by Section 6 of the GPL-2.0. You must comply with the + GPL-2.0 in all other respects for the Combined Work, including + the obligation to provide source code. If you modify this file, you + may extend this exception to your version of the file, but you are + not obligated to do so. If you do not wish to do so, delete this + exception statement from your version. + +For better understanding, in plain non-legalese English this basically says: + + * The intention for this license exception is to allow OpenVPN to be + linked against APL-2 licensed libraries, even where the GPL-2.0 and + APL-2 licenses conflict from a legal perspective. + + * OpenVPN itself will stay GPL-2.0 and the code belonging to the + OpenVPN project must comply to the GPL-2.0 license. This is NOT + dual-licensing of the OpenVPN code base. + + * This license exception DOES NOT require NOR expect a license change + of the APL-2 based library. 
This exception allows using the APL-2 + library as-is. However, when distributing a compiled OpenVPN binary + linking against APL-2 libraries ("Combined Work"), the REQUIREMENT is + that the APL-2 library MUST also be available on similar terms as in + GPL-2.0, like providing the source code of the library upon request, + except in the two specific ways mentioned. + + * If the APL-2 based library forbids such linking and distribution, + this license exception DOES NOT overrule the restriction of the APL-2 + based library. If the APL-2 library cannot satisfy the requirements + in this license exception, you CANNOT distribute an OpenVPN binary + linked with this library. + LZO license: ------------ From 3d9b4ce394f9d1a66842a5391aa744f7310a48a6 Mon Sep 17 00:00:00 2001 From: George Pchelkin Date: Fri, 14 Jul 2023 11:25:57 +0200 Subject: [PATCH 55/55] fix typo: dhcp-options to dhcp-option in vpn-network-options.rst Closes: OpenVPN/openvpn#313 Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <20230714092557.229260-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26855.html Signed-off-by: Gert Doering (cherry picked from commit 9d2e947e7358c7998f13b142d8bf17a2ce9eb7a3) --- doc/man-sections/vpn-network-options.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst index 25a26b3452f..645fd1efb61 100644 --- a/doc/man-sections/vpn-network-options.rst +++ b/doc/man-sections/vpn-network-options.rst @@ -116,7 +116,7 @@ routing. Valid syntax: :: - dhcp-options type [parm] + dhcp-option type [parm] :code:`DOMAIN` ``name`` Set Connection-specific DNS Suffix to :code:`name`.