Commit Graph

320 Commits

Author SHA1 Message Date
Frank Lichtenheld
2a1a21e3da configure: enable DCO by default on FreeBSD/Linux
Automatically disabled when
- iproute2 is enabled
  (Don't want to force people specifying --disable-dco explicitely)
- libnv is missing on FreeBSD
  (FreeBSD version too old anyway)

Will still error out if libnl-genl is missing on Linux to
make people aware of new dependency.

v2: error out when libnl-genl is missing as discussed with ordex on
    IRC.
v3:
 - improvements to the messages, suggested by Selva
 - further improvements to the default specification, trying to make it clear
 - if enabling iproute2, do not test for libnl-genl
v4: add updates for GHA
v5:
 - v4 was missing the changes of v3. v5 combines the changes from v3 and v4
 - fix build failure GHA/ubuntu1804/mbedtls
 - fix build failure GHA/ubuntu2204/libressl

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20230215162654.52137-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26272.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2023-02-25 14:51:20 +01:00
Selva Nair
e3ad1fc423 Build unit tests in mingw Windows build
- Minor changes to the build system to include some
  dependencies for Windows build

- test_tls_crypt not built as it will pull in win32.c and
  its dependencies

- If cross-compiling, "make check" will only build the tests but not
  run any. Copy to Windows and run manually. Executables are in
  <buid-dir>/tests/unit_tests/openvpn/.libs/ and these depend on
  cmocka.dll in addition to openssl libs that some tests link to.

  Building with mingw on Windows should run the tests (untested).

v2: networking_testdriver was mistakenly enabled to run, while
originally it was only set to build. Corrected.

v3: exclude check_engine_keys.sh when cross-compiling
As suggested by Arne Schwabe <arne@rfc2549.org>

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230208005925.393200-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26188.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2023-02-10 22:02:18 +01:00
Selva Nair
8b915c4825 Conditionally add subdir-objects option to automake
- Eliminates repeated warnings such as
  warning: source file '$(openvpn_srcdir)/env_set.c' is in a subdirectory,
  but option 'subdir-objects' is disabled
- Enabled only for automake >= 1.16 as older versions have a buggy
  implementation of this option

Main side effect of this option is that object files like
openvpnserv-blockdns.o are now created in src/openvpn where block-dns.c
resides instead of in src/openvpnserv.

Same for object files for sources from $(openvpn_srcdir) compiled
into test executables.

See also past discussion on this topic:

https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg00013.html

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230204004512.250271-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26147.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2023-02-10 18:01:43 +01:00
Arne Schwabe
2104ea6243 Deprecate OCC checking
- Move OCC warnings to debug level. This moves the only useful OCC message
  of compress-migrate to D_PUSH
- remove configure option --enable-strict-options
- ignore disable-occ in TLS mode as it is logged under debug now only
  disable-occ is now strictly a non-TLS option
- mark opt-verify and disable-occ as deprecated.

Patch v2: change one missed M_WARN to D_OCC

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230111134439.1107915-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25970.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2023-01-11 15:41:36 +01:00
Frank Lichtenheld
ccf9d57249 Update copyright year to 2023
Manually excluded ovpn_dco_win.h because it is an
imported file. ovpn_dco_linux.h is already excluded
because it still says 2021.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230110160531.81010-1-frank@lichtenheld.com>
URL: https://patchwork.openvpn.net/project/openvpn2/patch/20230110160531.81010-1-frank@lichtenheld.com/
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2023-01-10 17:24:37 +01:00
Antonio Quartulli
8b80cbc384 dco-win: introduce low-level code for handling ovpn-dco-win in Windows
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20220813204224.22576-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24919.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2022-08-18 20:16:48 +02:00
Kristof Provost
f08fcc2f1e ovpn-dco: introduce FreeBSD data-channel offload support
Implement data-channel offload for FreeBSD. The implementation and flow
is very similar to that of the Linux DCO support.

Signed-off-by: Kristof Provost <kprovost@netgate.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220812134154.16729-2-kprovost@netgate.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24894.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2022-08-13 14:19:31 +02:00
Timo Rothenpieler
2e359a0882 Linux: Retain CAP_NET_ADMIN when dropping privileges
On Linux, when dropping privileges, interaction with
the network configuration, such as tearing down routes
or ovpn-dco interfaces will fail when --user/--group are
used.

This patch sets the CAP_NET_ADMIN capability, which grants
the needed privileges during the lifetime of the OpenVPN
process when dropping root privileges.

Signed-off-by: Timo Rothenpieler <timo@rothenpieler.org>
Reviewed-By: David Sommerseth <davids@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220514103717.235-1-timo@rothenpieler.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24360.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2022-08-11 11:59:08 +02:00
Antonio Quartulli
e34437c26b dco: introduce low-level code for handling ovpn-dco in the Linux kernel
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220624083809.23487-2-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24512.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2022-06-28 14:35:27 +02:00
Gert Doering
4225114b96 Fix --mtu-disc maybe|yes on Linux.
--mtu-disc (on Linux) needs two components to work:
   - setsockopt() with IP_MTU_DISCOVER or IPV6_MTU_DISCOVER
   - "extended error reporting" (setsockopt(IP_RECVERR) and
     then via mtu.c/format_extended_socket_error()) to react on
     "packet too big" errors on sendto() / sendmsg()

Some configure.ac reorganization broke detection of <linux/errqueue.h>
and "struct sock_extended_err".  Re-add <linux/errqueue.h> to configure.ac,
remove all the other conditionals in syshead.h, and remove the
"struct sock_extended_err" check completely (assumption: if errqueue.h
exists, it contains what we need).

Thus, the "non-helpful" socket error message turns into:

2022-02-22 12:31:42 write UDPv4 [EMSGSIZE Path-MTU=800]: Message too long (fd=3,code=90)
2022-02-22 12:31:42 Note adjusting 'mssfix 1400 mtu' to 'mssfix 800 mtu' according to path MTU discovery
2022-02-22 12:31:42 Note adjusting 'fragment 1400 mtu' to 'fragment 800 mtu' according to path MTU discovery

... while at it, fix extra space in first part of these messages, and
print o->ce.fragment for the "fragment" message...

v2: assume that "if it's linux, and has these two headers, everything
else will be there as well" and get rid of most of the #ifdef checks

Trac: #1452

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220222113832.13383-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23863.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2022-02-22 13:23:32 +01:00
Antonio Quartulli
1800d77ec5 update copyright year to 2022
Update performed by means of: dev-tools/update-copyright.sh

Cc: David Sommerseth <davids@openvpn.net>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20220125142456.18176-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23650.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2022-01-26 13:38:41 +01:00
Arne Schwabe
0df2261da1 Add --with-openssl-engine autoconf option (auto|yes|no)
This allows to select engine support at configure time. For OpenSSL 1.1 the
default is not changed and we detect if engine support is available.

Engine support is deprecated in OpenSSL 3.0 and for OpenSSL 3.0 the default
is to disable engine support as engine support is deprecated and generates
compiler warnings which in turn also break -Werror.

By using --with-openssl-engine=no or --with-openssl-engine=yes engine
support can be forced on or off. If it is enabled but not detected an
error will be thown.

This commit cleans up the configure logic a bit and removes the
ENGINE_cleanup checks as we can just assume that it will be also
available as macro or function if the other engine functions are
available. Before the cleanup we would only check for the existance
of engine.h if ENGINE_cleanup was not found.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Message-Id: <20211019183127.614175-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23000.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-10-27 20:30:02 +02:00
Antonio Quartulli
01ce6ca39d configure: remove useless -Wno-* from default CFLAGS
Historically we always had -Wno-unused-parameter and
-Wno-unused-function enabled along with -Wall.

When we made -Wall a default option, we carried the other two along and
made them default too (in 2018).

Now the code is much cleaner compared to the past and we do not really
require -Wno-unused-parameter and -Wno-unused-function anymore.

Actually they may hide really unused functions that we'd need to
cleanup.

For this reason remove -Wno-unused-parameter and -Wno-unused-function
for good from the default CFLAGS.

Any new warning should rather be fixed than hidden.

Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211005122736.4060-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22917.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-10-06 11:56:58 +02:00
Antonio Quartulli
b61d198858 configure: search also for rst2{man, html}.py
On some systems the rst2{man,html} executables may have a slightly
different name, like rst2{man,html}.py.

Add this name variation to the Generic Programs check.

This specific variation is found on Gentoo Linux.

Cc: David Sommerseth <davids@openvpn.net>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210827144807.27004-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22777.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-09-13 12:01:19 +02:00
Antonio Quartulli
1308ccec9f Remove support for PF (Packet Filter)
OpenVPN shipped a small packet filtering tool called PF. It has never
been straightforward as it required a plugin to work. On top of that,
keeping PF support, makes the code more complicated and increases the
maintenance cost of OpenVPN.

PF itself is not actually maintained at all and there is little
motivation in keeping it alive.

Some years ago an IPv6 extension for PF was proposed, but it was never
picked up for the reasons above.

External (and more appropriate) tools can still be used to implement
packet filtering on the OpenVPN interface.

Drop PF support for good.

Note that IDs used for external communication (i.e. to the plugin
or management interface) have been commented out, but not removed, as
they should not be used in the future.

v2:
* changed // to /* */
* changed "NOT IMPLEMENTED" to "REMOVED FEATURE"
* removed extra empty lines after removing ifdef blocks
* clarified on IRC that tls_final has to be removed and therefore that
  hunk is correct
* removed mi_prefix() function as it is now unused

Cc: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210827190014.12640-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22780.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-09-12 10:24:25 +02:00
Antonio Quartulli
2b9bbaadf4 mbedtls: do not define mbedtls_ctr_drbg_update_ret when not needed
The mbedtls_ctr_drbg_update_ret() function was backported to various
older branches, including 2.14 and 2.7.
To avoid making the #if guard too complex, let's detect if this function
exist at configure time.
All versions not having this function, will use our compat code.

Cc: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Message-Id: <20210812085300.4738-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22734.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-08-12 13:01:38 +02:00
David Sommerseth
05271322e7 Update copyrights
- Update the update-copyright script to include more contributors as well
  as correcting a few typos

- Correct a copyright address in the source code to now used address
  (dazo)

- Update copyright year to 2021

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210609213231.22576-1-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/search?l=mid&q=20210609213231.22576-1-openvpn@sf.lists.topphemmelig.net
URL: https://sourceforge.net/p/openvpn/mailman/message/37299719/
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-06-15 10:41:07 +02:00
Arne Schwabe
84e1420923 Remove getpeername, getpid check
getpeername is part of SUSv3 and Windows also provides the function
as part of winsocks.

getpid is also provided by both Posix and windows and we do not even
use getpid on Windows since we rather call GetCurrentProcessId.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210512131511.1309914-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22340.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-05-14 14:02:25 +02:00
Arne Schwabe
92994e682f Remove explicit struct iovec check (HAVE_IOVEC)
This macro is currently used only in 3 places in syshead.h
- EXTENDED_SOCKET_ERROR_CAPABILITY is linux specific anyway and
  starts with #if defined(HAVE_LINUX_TYPES_H)
- port share and ip_pktinfo macros depends on sendmsg/recvmsg
  that implicitly also require iovec

So in all three cases we can implicitly assume that iovec is present
and do not need to make this explicit check

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210512131511.1309914-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22343.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-05-14 13:59:15 +02:00
Arne Schwabe
f17d529c66 Remove --disable-multihome option
With this change we always build multihome support if the operating
system supports it.

Patch v2: Remove also from config-msvc.h
Patch v3: Remove also another line from configure.ac

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210503105638.3903379-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22290.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-05-03 14:34:14 +02:00
Arne Schwabe
ba49c9a7bf Remove a number of platform specific checks in configure.ac
- Remove windows XP/old mingw compat code in socket.c
- Use _WIN32 instead checking for existence of windows.h, winsock2.h
  and ws2tcpip.h in autconf
- Remove check for unlink. The last remaining use is a check inside
  a Unix socket.
- Even Windows has umask, so remove the check for it
- Move epoll.h inclusion to event.c

Patch V2: Add epoll.h syshead.h that accidently was put into another
          patch

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210422152939.2134046-6-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22201.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-05-03 08:18:55 +02:00
Arne Schwabe
d4c1a453c2 Replace OS_SPECIFIC_DIRSEP with PATH_SEPARATOR
We have two define that do exactly the same. Also move the check
from configure.ac to syshead.h since it is really only checking
for Windows.

Patch V2: Also remove from config-msvc.h

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210422152939.2134046-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22203.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-05-03 08:14:53 +02:00
Arne Schwabe
8c18d7c932 Move direct.h header where it is used
The direct.h header provides only a handful of functions [1] of which
we only use _wchdir. Directly included the direct.h file where it is
used and remove autoconf magic around it.

[1]
https://docs.microsoft.com/en-us/previous-versions/visualstudio/visual-stud
io-2012/as5kw0ze(v=vs.110)?redirectedfrom=MSDN

Patch V2: also remove from config-msvc.h

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210422152939.2134046-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22202.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-05-03 08:07:25 +02:00
Arne Schwabe
bc36d9d569 Remove OpenSSL configure checks
These checks for the functions take a lot of time in configure call and
also having these checks make it more blurry for which of the supported
OpenSSL versions (and libraries claiming to be OpenSSL) are actually
needed.

Tested with OpenSSL 1.1.1(Ubuntu 20, macOS), 1.0.2 (CentOS7),
1.1.0 (Debian stretch), LibreSSL (OpenBSD 6.8) and wolfSSL

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210406162518.4075-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22051.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-04-13 11:19:47 +02:00
Arne Schwabe
b8510baa25 Remove a number of checks for functions/headers that are always present
For the unlink function we actually have code that just ignores
the unlink call if the unlink function is not present. But all
platforms should have an unlink function.

This also removes all conditionals check for the headers that
belong to the C99 standard library header list
(https://en.cppreference.com/w/c/header).

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210406162518.4075-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22053.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-04-07 08:31:08 +02:00
Arne Schwabe
6287538039 Remove checks for uint* types that are part of C99
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210406162518.4075-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22049.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-04-07 08:30:34 +02:00
Arne Schwabe
17f9133206 Remove check for socket functions and Win XP compatbility code
While the check if all socket related functions are present sounds like
a good idea in theory, in reality it just adds time to configure runs.

Our poll check on windows is currently only depending on sys/poll.h
non-existance. Make the check and comment more explicit.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210406162518.4075-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22052.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-04-07 08:24:50 +02:00
Arne Schwabe
6ea62d5072 Remove deprecated option '--keysize'
This option has been deprecated in OpenVPN 2.4 and the ciphers that allow
using this option fall all into the SWEET32 category of ciphers with
64 bit block size.

Patch V2: Remove superflous check in OpenSSL codepath to check keysize

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210401123751.31756-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21943.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-04-03 11:35:04 +02:00
Tõivo Leedjärv
76ccc62d48 Stop using deprecated getpass()
The getpass() function is present in SUSv2, but marked LEGACY. It is
removed in POSIX.1-2001. Additionally, on Solaris getpass() returns
maximum 9 bytes. This will make longer passwords fail with no
possibility for user to know what is happening.

This patch removes usage of getpass() completely and replaces it with
direct implementation of what getpass() does: opens tty (existing code),
outputs the prompt (existing code), turns off echoing (new code), reads
one line (existing code shared with echoed mode), restores tty state
(new code) and closes tty (existing code).

Patch v2: incorporate review feedback, incl. style fixes, merge
          termios.h check in configure.ac with an existing
          AC_CHECK_HEADERS, add error check and logging after
          tcsettattr() when restoring tty settings

Signed-off-by: Tõivo Leedjärv <toivol@gmail.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210328171151.12056-1-toivol@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21889.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-04-01 08:10:00 +02:00
Arne Schwabe
f91e211637 Remove support for non ISO C99 vararg support
We require ISO C99 as minimum support for our source code and all compilers
should support the ISO C99 macros. Especially gcc does not need
the gcc extensions anymore. Also MSVC has support for it (as defined
in the config-msvc.h but also double checked)

LCLINT seems to be a C analyzer that history has forgotten about. I could
only find https://splint.org/release1.3.html and an similarly old research
paper.

Patch V2: Also remove AX_ macros from configure.ac

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan.karger@foxcrypto.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210328142038.8826-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21883.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-03-28 16:34:42 +02:00
Arne Schwabe
7975e33bd9 Remove flexible array member autoconf check
This is configure macro that tries out how to declare a variable array
at the end of struct. This has been standardised in C99, so there is
no more need for non C99 magic. See also this stackoverflow discussion:

https://stackoverflow.com/questions/14643406/whats-the-need-of-array-with-z
ero-elements

Patch V2: Also remove AX_EMPTY_ARRAY from configure.ac

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan.karger@foxcrypto.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210328142038.8826-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21882.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-03-28 16:32:57 +02:00
Juliusz Sosinowicz
f6dca235ae Support for wolfSSL in OpenVPN
This patch adds support for wolfSSL in OpenVPN. Support is added by using
wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged
and instead the OpenSSL includes point to wolfSSL headers and OpenVPN is
linked against the wolfSSL library. The wolfSSL installation directory is
detected using pkg-config.

As requested by OpenVPN maintainers, this patch does not include
wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN
in the configure script wolfSSL will include wolfssl/options.h on its own
(change added in https://github.com/wolfSSL/wolfssl/pull/2825). The patch
adds an option `--disable-wolfssl-options-h` in case the user would like
to supply their own settings file for wolfSSL.

wolfSSL:
Support added in: https://github.com/wolfSSL/wolfssl/pull/2503
```
git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
./autogen.sh
./configure --enable-openvpn
make
sudo make install
```

OpenVPN:
```
autoreconf -i -v -f
./configure --with-crypto-library=wolfssl
make
make check
sudo make install
```

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210317181153.83716-1-juliusz@wolfssl.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21686.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-03-18 14:07:15 +01:00
David Sommerseth
24596b258a build: Remove compat-lz4
Since 2014, the OpenVPN project has shipped an adopted LZ4 library to be
enabled if no LZ4 libraries was found on the system.  This was due to
the LZ4 library not being available on all platforms and it was vastly
better than the older LZO compression algorithm.  But this was years
before VORACLE and related attack vectors affecting VPN connections,
where compression is considered a vulnerability.

The OpenVPN project is gradually moving away from supporting compression,
so shipping our own LZ4 library is no longer wanted.  It will now only
use the LZ4 compression libraries found on the host, and can otherwise
be disabled completely with ./configure --disable-lz4.

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210317220642.38741-1-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/search?l=mid&q=20210317220642.38741-1-openvpn@sf.lists.topphemmelig.net
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-03-18 08:13:13 +01:00
Gert Doering
b0bff55901 Require at least 100MB of mlock()-able memory if --mlock is used.
If --mlock is used, the amount of memory OpenVPN can use is guarded
by the RLIMIT_MEMLOCK value (see mlockall(2)).  The OS default for this
is usually 64 Kbyte, which is enough for OpenVPN to initialize, but
as soon as the first TLS handshake comes it, OpenVPN will crash due
to "ouf of memory", and might even end up in a crash loop.

Steady-state OpenVPN requires between 8 MB and 30-50 MB (servers with
many concurrent clients) of memory.  TLS renegotiation with EC keys
requires up to 90 MB of transient memory.

So: with this patch, we check if getrlimit() is available, and if yes,
log the amount of mlock'able memory.  If the amount is below 100 MB,
which is an arbitrary value "large enough for most smaller deployments",
we try to increase the limits to 100 MB, and abort if this fails.

v2:
  change arbitrary number to 100 MB, introduce #define for it
  not only check but also increase with setrlimit()
  uncrustify fixes

v3:
  OpenSolaris has mlockall() and getrlimit(), but no RLIMIT_MEMLOCK -
    make code conditional on HAVE_GETRLIMIT *and* RLIMIT_MEMLOCK
  add Changes.rst entry

Trac: #1390

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20210310124808.14741-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21657.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-03-11 17:42:59 +01:00
Arne Schwabe
99d217b200 Remove --disable-def-auth configure argument
With scripts, plugin and management interface now all supporting
deferred auth, maintaining support of --disbale-def-auth becomes more
of a burden and the few kilobyte in potential binary size do not
outweigh this. Also the code in ssl_verify is hard to hard because
all the ifdefs.

Especially for management interface there are so many features not
directly related to deferred that depend on MANAGEMENT_DEF_AUTH
(like client-kill) that supporting management without deferred auth
is not worth it anymore. And removing this remover a high number of
ifdefs in manage.c/h

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20201023113244.26295-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21214.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-10-24 22:03:41 +02:00
David Sommerseth
0b5141d8f9 sample-plugins: Partially autotoolize the sample-plugins build
The sample-plugins have their own set of build/winbuild scripts in each
of these plugin directories.  This does not give a good way to reuse
various macros the autoconf/automake/configure process enables; which
can contain important macros to make some code build without errors or
warnings.

Normally we would embrace the full autoconf/automake approach. But this
is sample code which we only want to build per request and the built
code should not be installed anywhere via 'make install'.  But since we
do use libtool other plug-ins being installed and automake gets kind of
cranky when it comes to define certain build targets not following the
expected use cases, we try to only embrace just enough of automake to
get our main goals achieved.

This changeset kicks out the build scripts and replaces them with a
single Makefile.plugins file, which defines the plugins we want to build
by default when running 'make from the sample-plugins directory.
Neither of these plugins are otherwise built by default.  No sample-plugins
are being installed.  But we have enough strings attached to automake
to grab the CFLAGS and LDFLAGS used by the rest of the code.  This also
makes it easy to use #include "config.h" in sample code, to also get
various macros defined by the ./configure run.

This patch does not touch the winbuild scripts, as it seems building
these sample-plugins on Windows requires a bit different compile and
linking steps than *nix systems in general.

Signed-off-by: David Sommerseth <davids@openvpn.net>

Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200916141956.1277-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21020.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-09-16 16:22:44 +02:00
Arne Schwabe
8353ae8075 Implement tls-groups option to specify eliptic curves/groups
By default OpenSSL 1.1+ only allows signatures and ecdh/ecdhx from the
default list of X25519:secp256r1:X448:secp521r1:secp384r1. In
TLS1.3 key exchange is independent from the signature/key of the
certificates, so allowing all groups per default is not a sensible
choice anymore and instead a shorter list is reasonable.

However, when using certificates with exotic curves that are not on
the group list, the signatures of these certificates will no longer
be accepted.

The tls-groups option allows to modify the group list to account
for these corner cases.

Patch V2: Uses local gc_arena instead of malloc/free, reword commit
          message. Fix other typos/clarify messages

Patch V3: Style fixes, adjust code to changes from mbedTLS session
          fix

Patch V5: Fix compilation with OpenSSL 1.0.2

Patch V6: Redo the 'while((token = strsep(&tmp_groups, ":"))' change
          which accidentally got lost.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200721154922.17144-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20521.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-21 22:33:58 +02:00
Arne Schwabe
94edc7c5dd Require AEAD support in the crypto library
All supported crypto libraries have AEAD support and with our
ncp/de facto default cipher AES-256-GCM we do not want to support
the obscure corner case of a library with disabled AEAD.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>

Patch V2: Remove three instances of (harmless) #ifdef Steffan spotted
          that can be removed now too.
Acked-by: Steffan Karger <steffan.karger@foxcrypto.com>
Message-Id: <20200720121704.20333-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20506.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-20 22:00:05 +02:00
Arne Schwabe
ec7d0e8e0f Drop support for OpenSSL 1.0.1
OpenSSL 1.0.1 was supported until 2016-12-31. Rhel6/Centos6 still
use this version but considering that RHEL7 and RHEL8 are already
out, these versions can also stay with OpenVPN 2.4.

All the supported Debian based distributions also come with at
least 1.0.2.

We (accidently) unconditionally compiled some key exporter code on
OpenSSL 1.0.2+ without problems. So always compile the whole
key exporter feature for OpenSSL.

This also allows the tls groups commit to be applied without
adding ifdefs to disable that functionality on OpenSSL 1.0.1

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan.karger@foxcrypto.com>
Message-Id: <20200717134739.21168-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20441.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-20 21:40:11 +02:00
Matthias Andree
83d6da5097 Merge Makefile.am's AUTOMAKE_OPTIONS into configure.ac's AM_INIT_AUTOMAKE.
Else one location overwrites options from the other.

Signed-off-by: Matthias Andree <matthias.andree@gmx.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20200717171918.230727-1-matthias.andree@gmx.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20462.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-17 23:10:31 +02:00
David Sommerseth
f500c49c8e doc/man: convert openvpn.8 to split-up .rst files
To avoid keeping around a full-size openvpn.rst file which is never
needed but will take space in the repo forever, patches 01...04
of the big documentation overhaul projects were squashed togehter,
keeping the individual commit logs and URL references below.

Signed-off-by: Gert Doering <gert@greenie.muc.de>

* This is a combination of 4 commits.
* This is the 1st commit message:

doc/man: Add an .rst formatted version of the man page

This is the first step to move away from a manually editing g/nroff
encoded man page.

Some modifications was needed to ensure formatting was consistent and
rendered reasonably okay in GitHub and that the generated man page
(using rst2man) is looking as a proper man page.  Unsupported options
has also been moved into its own section.  HTML rendering directly
using rst2html has also been used to validate the conversion.

The rst2man and rst2html utilities comes from the python-docutils
project: https://docutils.sourceforge.io/

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200716225338.611-2-davids@openvpn.net>
URL: https://sourceforge.net/p/openvpn/mailman/message/37063370/
Signed-off-by: Gert Doering <gert@greenie.muc.de>

* This is the commit message #2:

doc/man: Replace old man page with generated man page

The doc/openvpn.8 and doc/openvpn.8.html files are now being removed
from the git tree, as it will be generated from the doc/openvpn.8.rst
file using python-docutils.

An additional dist-hook is added so these files are generated
automatically when source tarballs are generated for releases.  This
means users compiling directly from the source tarball will not need
python-docutils installed.

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200716225338.611-3-davids@openvpn.net>
URL: https://sourceforge.net/p/openvpn/mailman/message/37063373/
Signed-off-by: Gert Doering <gert@greenie.muc.de>

* This is the commit message #3:

doc/man: Split up and reorganize main man page

The openvpn.8.rst file is quite long and hard to edit, as it covers
several hundred options.  Some options were even documented multiple
places.  The example has also received some attention, cleaning up
old and outdated infomration.

In this commit the main man page is split up into multiple sections
and options are sorted into each of the corresponding section.
Inside each category, each option is for now sorted alphabetically.
The main openvpn.8.rst file is currently kept unchanged and will be
handled in the next commit.

Many language improvements contributed by Richard Bonhomme has also
been incorproated.

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200716225338.611-4-davids@openvpn.net>
URL: https://sourceforge.net/p/openvpn/mailman/message/37063376/
Signed-off-by: Gert Doering <gert@greenie.muc.de>

* This is the commit message #4:

doc/man: Complete openvpn.8.rst splitting

This rebuilds the openvpn.8.rst content by using the text which was
split out in the previous commit by using RST ..include statements.

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200716225338.611-5-davids@openvpn.net>
URL: https://sourceforge.net/p/openvpn/mailman/message/37063377/
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-17 11:23:18 +02:00
James Bottomley
542c69c37b Add unit tests for engine keys
Testing engines is problematic, so one of the prerequisites built for
the tests is a simple openssl engine that reads a non-standard PEM
guarded key.  The test is simply can we run a client/server
configuration with the usual sample key replaced by an engine key.
The trivial engine prints out some operations and we check for these
in the log to make sure the engine was used to load the key and that
it correctly got the password.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>

Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200622232319.8143-2-James.Bottomley@HansenPartnership.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20075.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-06-23 08:16:35 +02:00
David Sommerseth
042429d345 build: Remove --disable-server from ./configure
After some discussion among the core community developers [1,2], it was
decided to remove the possibility to build openvpn as a pure client.
This was alterted on the mailing list [3] that it was scheduled for
removal unless anyone had strong arguments why it was needed.

The general consensus was that we had not received any strong arguments
to keep this possibility after approximately 5 months, so it was fine to
remove this ./configure option.

By removing this, we remove quite some entangled sections of #ifdef
scattered all over the code base, making it more readable.

One note:
Inside the  options_postprocess_mutate_invariant() function,
the #ifdef P2MP_SERVER and #ifdef _WIN32 blocks where slightly
reworked to make the _WIN32 block more continous and avoiding having an
empty if(options->mode == MODE_SERVER) block.

Signed-off-by: David Sommerseth <davids@openvpn.net>

[1]
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18830.h
tml
[2]
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19505.h
tml
[3]
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18829.h
tml
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20200227205443.27562-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19506.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-05-07 21:53:22 +02:00
Lev Stipakov
e1eb630df1 Fix building with --enable-async-push in FreeBSD
This option can be used in FreedBSD with devel/libinotify installed.

Detect presence of libinotify with pkgconf and use its word
to compile and link.

Trac: #1256

Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200314052906.28095-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/search?l=mid&q=20200314052906.28095-1-lstipakov@gmail.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-03-15 22:14:37 +01:00
Arne Schwabe
0a88ef8c2a Add strsep compat function
Some operating system do not have the strsep function. Since this API
is more "modern" (4.4BSD) than strtok, add it as compat function.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20200217144339.3273-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20200217144339.3273-3-arne@rfc2549.org
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-02-17 19:34:23 +01:00
Lev Stipakov
91d84530d7 configure.ac: simplify AC_CHECK_FUNCS statements
AC_CHECK_FUNCS checks availability of each function
in argument list and defines HAVE_function macro.
AC_CHECK_FUNC takes single function as an argument and
doesn't automatically define any macros.

When we check for availability of a single function and
define own macro, it is enough to use AC_CHECK_FUNC.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20200121080828.1310-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19333.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-02-13 20:14:45 +01:00
Steffan Karger
5defbba478 Move keying material exporter check from syshead.h to configure.ac
Commit ab27c9f7 added a compile-time check for availablitity of
keying-material-export functionality to syshead.h. It turns out that
openvpnserv also includes syshead.h, and has ENABLE_CRYPTO_* defined in
it's config.h, but doesn't have the necessary CFLAGS / LIBS to actually
compile and link against the crypto libraries. That of course breaks
openvpnserv builds.

To fix this, change the compile-time check in syshead.h into a
configure-time check in configure.ac. That's more consistent with how we
do other feature checks anyway.

Signed-off-by: Steffan Karger <steffan.karger@foxcrypto.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <E1itVts-0007ZG-NO@sfs-ml-2.v29.lw.sourceforge.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19328.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-01-20 20:15:25 +01:00
Selva Nair
fb8033d49b Fix ACL_CHECK_ADD_COMPILE_FLAGS to work with clang
Some compilers (e.g., clang) only issue a warning for
unsupported options unless an additional flag such
as -Werror is used to convert the warning to an error.

The behaviour is unchanged when using gcc as it either
errors or ignores unknown options whether or not -Werror
is present.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1574183023-6136-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19170.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2019-11-27 20:39:52 +01:00
Antonio Quartulli
46d096074f add -Wno-stringop-truncation to CFLAGS on linux
GCC>=8 supports truncation checking, however the logic is somewhat
fragile when it comes to evaluating strncpy().

In buffer.h we have implemented a wrapper called strncpynt() which
ensures we always do the right hting in the code and reduce the chance
of having bugs.

This said, it seems that the gcc logic is not able to always understand
if we are doing the right thing and throws a false positive.

Toa void the noise, disable truncation checking on Linux by default.

Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20191110100323.13206-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19085.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2019-11-10 11:47:23 +01:00
Gert Doering
9c490c26a7 OpenSolaris/OpenIllumos: use /bin/bash if available for test scripts.
t_client.sh relies on "echo -e" and "echo -n" to produce nicely
looking output, which fails on Solaris /bin/sh - force SHELL=/bin/bash
on recent-enough Solaris variants that have it.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20191009120043.22692-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18914.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2019-10-10 20:24:22 +02:00