The refactor accidentally used a wrong code style template and
ended up using 2 instead of 4 as indent.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20200715141425.26293-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20371.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This makes the code more readable and also prepares reusing
the function for client-connect return files
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20200711093655.23686-10-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20284.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This deviates from Fabian's original patch that relied on the now
removed connection_established bool as pointer being NULL or non NULL as
implicit third state and making connection_established as a substate of
(cas_context == CAS_PENDING)
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Patch V5: extend cas_context with two new states instead of adding an
extra mini state machine.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20200711093655.23686-7-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20292.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This patch changes the calling of the client-connect functions into an
array of hooks and a block of code that calls them in a loop.
Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de>
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Patch V5: Rebase on master.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20200711093655.23686-6-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20293.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This patch changes the way the client-connect helper functions communicate
with the main function. Instead of updating cc_succeeded and cc_succeeded_count,
they now return either CC_RET_SUCCEEDED, CC_RET_FAILED or CC_RET_SKIPPED.
In addition, the client-connect helpers are now called in completely
identical ways. This is in preparation of handling the helpers as simple
call-backs.
Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de>
Patch V5: Minor style fixes
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20200711093655.23686-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20286.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
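The two commit messages above describe client-connect helpers that report CC_RET_SUCCEEDED, CC_RET_FAILED or CC_RET_SKIPPED and are then driven from an array of hooks in a loop. The following is an added illustration of that pattern, not OpenVPN's multi.c: the CC_RET_* names come from the page, while struct cc_ctx, the two sample hooks and run_client_connect_hooks() are hypothetical stand-ins. The point worth seeing in code is the fail-closed contract: a single CC_RET_FAILED denies the client and stops the remaining hooks, while CC_RET_SKIPPED neither counts as success nor aborts the run.

```c
#include <stdbool.h>
#include <stddef.h>

/* Return codes named in the commit messages; the values are assumed. */
enum client_connect_return {
    CC_RET_FAILED,
    CC_RET_SUCCEEDED,
    CC_RET_SKIPPED
};

/* Hypothetical per-client context consulted by the sample hooks. */
struct cc_ctx {
    bool have_ccd_file;     /* a --client-config-dir file exists for this client */
    bool script_configured; /* a --client-connect script is configured */
    bool script_ok;         /* what that script would report */
    int succeeded_count;    /* hooks that actually ran and passed */
};

typedef enum client_connect_return (*client_connect_hook)(struct cc_ctx *);

/* Sample hook: apply the per-client ccd file if one exists. */
static enum client_connect_return hook_ccd(struct cc_ctx *c)
{
    if (!c->have_ccd_file) {
        return CC_RET_SKIPPED;   /* nothing to do for this client */
    }
    return CC_RET_SUCCEEDED;
}

/* Sample hook: run the client-connect script if one is configured. */
static enum client_connect_return hook_script(struct cc_ctx *c)
{
    if (!c->script_configured) {
        return CC_RET_SKIPPED;
    }
    return c->script_ok ? CC_RET_SUCCEEDED : CC_RET_FAILED;
}

/* Hooks run in array order; the first failure ends the run. */
static const client_connect_hook hooks[] = { hook_ccd, hook_script };

/* Run every hook with the identical calling convention.
 * Returns true only if no hook failed (fail closed on the first failure). */
bool run_client_connect_hooks(struct cc_ctx *c)
{
    c->succeeded_count = 0;
    for (size_t i = 0; i < sizeof(hooks) / sizeof(hooks[0]); i++) {
        enum client_connect_return r = hooks[i](c);
        if (r == CC_RET_FAILED) {
            return false;        /* deny the client; later hooks do not run */
        }
        if (r == CC_RET_SUCCEEDED) {
            c->succeeded_count++;
        }
        /* CC_RET_SKIPPED: hook not applicable, continue with the next one */
    }
    return true;
}
```

Because every hook shares one signature and one set of return codes, adding a new helper (for example the client-connect return files mentioned earlier) means appending it to the array rather than threading new success flags through the main function.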
This patch moves multi_client_connect_setenv into
multi_client_connect_early_setup and makes sure that every client-connect
handling function updates the virtual address selection.
Background: This unifies how the client-connect handling functions work.
Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de>
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Patch V5: Rebase on master
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200711093655.23686-4-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20288.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Refactor multi_client_connect_source_ccd(), so that
options_server_import() (or the success path in general) is only
entered in one place within the function.
Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de>
Patch V5: Simplify the logic even further to make it easier to
understand.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200711093655.23686-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20287.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
As of Windows 10 1809 Windows finally supports this so it makes sense
to add support to OpenVPN as well.
Multiple options can be specified at the same time, with one search
domain per line (in the config, or pushed from server):
dhcp-option DOMAIN-SEARCH my.company.domain
dhcp-option DOMAIN-SEARCH some.example.domain
OpenVPN will (on Windows) concatenate them all together into a single
"option 119" for the tapv9 DHCP server. Max length is 254 in total.
DNS label compression is not used - it's complicated, and Windows does
not need it. See RFC 3397 for more details.
This only works with the tun/tap driver, not with wintun.
On non-windows platforms, these settings are exported in the environment
towards --up scripts (or to the management interface), and need to be
picked up there.
Signed-off-by: Jan Just Keijser <jan.just.keijser@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <c404dd17-e0db-ce61-0d79-864a5736f2d0@nikhef.nl>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20349.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
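The commit above concatenates the pushed DOMAIN-SEARCH entries into one DHCP option 119 payload, uncompressed, with a total limit of 254 bytes. The encoder below is an added example of that RFC 3397 wire format and is not OpenVPN's tun.c code; the function name encode_domain_search() and the DOMAIN_SEARCH_MAX constant are assumptions, and the two domains in the test are the ones quoted in the commit message. Each name becomes a sequence of length-prefixed labels terminated by a zero byte, and the encoder rejects empty or over-long (more than 63 byte) labels and any input that would push the option past the limit instead of silently truncating it.

```c
#include <stddef.h>
#include <string.h>

#define DOMAIN_SEARCH_MAX 254   /* total payload limit stated in the commit */

/* Encode search domains as the payload of DHCP option 119 (RFC 3397)
 * without label compression: each label is a length byte followed by the
 * label bytes, and each name ends with a zero-length root label.
 * Returns the payload length, or -1 if a name is empty, a label is empty
 * or longer than 63 bytes, or the payload would exceed DOMAIN_SEARCH_MAX
 * or the output buffer. */
int encode_domain_search(const char *const *domains, size_t n,
                         unsigned char *out, size_t outlen)
{
    size_t pos = 0;
    size_t limit = outlen < DOMAIN_SEARCH_MAX ? outlen : DOMAIN_SEARCH_MAX;

    for (size_t i = 0; i < n; i++) {
        const char *p = domains[i];
        if (p == NULL || *p == '\0') {
            return -1;                        /* empty name */
        }
        while (*p) {
            const char *dot = strchr(p, '.');
            size_t len = dot ? (size_t)(dot - p) : strlen(p);
            if (len == 0 || len > 63) {
                return -1;                    /* malformed label ("a..b", "." or > 63) */
            }
            if (pos + 1 + len > limit) {
                return -1;                    /* would exceed the option limit */
            }
            out[pos++] = (unsigned char)len;
            memcpy(out + pos, p, len);
            pos += len;
            p += len;
            if (*p == '.') {
                p++;                          /* skip the separator, allow a trailing dot */
            }
        }
        if (pos + 1 > limit) {
            return -1;
        }
        out[pos++] = 0;                       /* root label terminates this name */
    }
    return (int)pos;
}
```

Rejecting rather than truncating matters here: a truncated option 119 payload can leave a name without its terminating root label, and the DHCP client on the receiving end would then parse the cut-off bytes as part of the next name.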
This patch splits up the multi_connection_established() function. Each new
helper function does a specific job. Functions that do a similar job
receive a similar calling interface.
The patch tries not to reindent code, so that the real changes are as
clearly visible as possible. (A follow-up patch will only do indentation
changes.)
Signed-off-by: Fabian Knittel <fabian.knittel@lettink.de>
PATCH v3: Since the code has changed enough from the time of the original
patch to the current master, the splitting has been redone from the
current code. Also some style and minor code changes have been added
while doing this patch. This and the big reformatting done before eliminate
the follow-up patch with only indentation changes.
The original patch already replaced some instances of
option_permission_mask with CLIENT_CONNECT_OPT_MASK. The V3 version does
this more consistently.
Patch v4: Move config -> mi->cc_config into its own commit
Patch v5: Clean up some minor issues, add one missing check on
temporary file deletion, rebase on latest master.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200711093655.23686-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20289.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
ssl_ncp.c:ncp_get_best_cipher() would crash if a client connects without
NCP (or with an NCP cipher list that does not contain the first NCP cipher
in the server list) due to a NULL pointer strcmp().
Work around / fix by just assigning an empty string to remote_cipher here
("not NULL but will never match either").
Add new warning message in multi.c for the "we do not know what the
client can do" case (no NCP and non-helpful OCC), rewrapped the existing
message to keep line length limit.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20200713093252.30916-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20309.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This allows controlling the fallback cipher that is used when the
client/server do have any common cipher on a per client basis.
The patch is similar to Steffan's
[PATCH v4] Allow changing cipher from a ccd file.
Steffan's old patch also moves the cipher negotiation to
multi_established_connection() which I independently discovered and
implemented in commit 5e78bf66fa (Extract process_incoming_push_reply
from process_incoming_push_msg)
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200711093655.23686-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20281.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Ever since NCPv2 the ncp_get_best_cipher uses the global
options->ncp_enabled option and ignores the tls_session->ncp_enabled
option.
The server side's poor man's NCP is implemented as seeing the list
of supported ciphers from the peer as just one cipher so this special
handling for poor man's NCP of the older NCP here is not needed anymore.
Theoretically we can now get rid of tls_session->ncp_enabled but doing
so requires more refactoring since options is not available in the
methods that still use it. And when we remove ncp-disable the variable
will be removed anyway.
This commit moves the data channel key generation for the corner case of a
client not supporting NCP but having the same cipher as the server to
the same function that also generates data channel keys for NCP and
poor man's NCP.
This has an unintended side effect of changing the calculated frame
size for this special case. The old path did call
tls_session_update_crypto_params.
To avoid this change in behaviour, this patch adds a hacky
workaround for this.
A proper solution for this still needs to be found but this allows the patch
set to be merged.
Document the remaining usage of tls_poor_mans_ncp better.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200709101603.11941-6-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20251.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
To simplify the control flow, it makes more sense to generate the
data keys when all the prerequisites for generating the data channel
keys (ncp cipher selection etc) are met instead of delaying it to the
next incoming PUSH_REQUEST message.
This also eliminates the need for the hack introduced by commit
3b06b57d9 to generate the data channel keys on the async file close
event.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200709101603.11941-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20253.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This cleans up the code and removes the surprising side effects
of preparing a push reply to also select protocol options.
We also remember if we have seen a push request without async
push. This improves reaction time if deferred auth is involved
like management interface deferred auth. The other benefit is
removing a number of ifdefs.
NOTE: this patch breaks asynchronous authentication (via plugins
and possibly also via management interface). The next commit will
fix this. This is understood and hereby documented, but the two
individual commits are much cleaner without trying to fix it here
or squash both together.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200709101603.11941-4-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20255.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This is a small refactoring to make both functions more readable. It also
eliminates the ret variable in process_incoming_push_msg that now serves
no purpose anymore.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200709101603.11941-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20254.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This orders the states from unauthenticated to authenticated and also
changes the comparison for KS_AUTH_FALSE from != to >.
It also adds comments and documents parts using the state machine
better.
Remove a now obsolete comment and two obsolete ifdefs. While
keeping the ifdef in ssl_verify would save a few bytes of code,
this is too minor to justify keeping the ifdef
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200709101603.11941-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20258.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
For some reason, openvpn --version has since the beginning of time
returned exit code 1. A quick sample among common unix utilities confirms
that the rest of the world agrees with me that 0 makes more sense. Let's
make openvpn --version exit with exit code 0 too.
Signed-off-by: Steffan Karger <steffan.karger@foxcrypto.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <E1jsoYQ-0007AZ-BF@sfs-ml-1.v29.lw.sourceforge.com>
URL: https://www.mail-archive.com/search?l=mid&q=E1jsoYQ-0007AZ-BF@sfs-ml-1.v29.lw.sourceforge.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Instead of having the whole function as
if (x) { func }
do
if (!x) return;
func
Due to the whitespace changes in the function body this patch looks
very strange. Ignoring whitespace makes the diff look sane.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200707121615.15736-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20231.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
For whatever reason, we never removed the pid file on program exit.
Not only is this unclean, but it also makes testing for "I want this
test case to FAIL" in t_client.sh more annoying to code for "is the
OpenVPN process still around?"...
Do not unlink the file if chroot() is active (might be outside the
chroot arena - testing for realpath etc. is left for someone else).
v2: make this work on M_FATAL exit, by unlinking from openvpn_exit() in
error.h - this requires moving write_pid() to init.c so module hierarchy
is maintained and introducing a static variable to save the PID file
name (otherwise it is no longer available when the top level GC is gone).
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200707084220.45753-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20224.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Both are tightly coupled and often both are checked at the same time.
Merging them into one state makes the code simpler and also brings
us closer in the direction of a state machine
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200706163516.11390-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20216.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Turns out that renaming adapter by setting registry key doesn't
really work - while new adapter name is shown in control panel
etc, when one tries to change adapter properties (like set DNS)
with netsh call - it fails:
Fri Mar 13 09:05:36 2020 us=569311 Setting IPv4 dns servers
on 'OpenVPN Wintun' (if_index = 14) using service
Fri Mar 13 09:05:37 2020 us=118028 TUN: adding IPv4 dns failed
using service: Funktio ei kelpaa. [status=1 if_name=OpenVPN Wintun]
This renames adapter with netsh command, like:
netsh interface set interface
name="Local Area Connection 2" newname="OpenVPN Wintun"
Above functionality is used by tapctl.exe and openvpnsica.dll
(during installation).
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Simon Rozman <simon@rozman.si>
Message-Id: <20200703192029.306-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20207.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
t_client.sh reports a summary at the end:
Test sets succeeded: none.
Test sets failed: 1 2 3 4 5.
for tests that are skipped due to the pre-test ping check ("vpn target
IP must not ping before VPN is started") the script forgot to add
the instance number to the summary line. Fixed.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200626082743.15397-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20130.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
multi_instance->defined is not used anywhere.
did_open_context is always set to true when a context is created in
multi_create_instance, so checking it for true is always true.
context_auth is also always set to CAS_PENDING in multi_create_instance.
connection_established_flag is only set to true if context_auth
is changed from CAS_PENDING to another state, so we can also check
for cas_context != CAS_PENDING.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200703095506.28559-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20200.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The variable has no useful function (anymore?).
There is only one place where this variable was checked
else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED)
This condition also depends on context_auth == CAS_SUCCEEDED but the only
code path that sets context_auth = CAS_SUCCEEDED also sets
push_reply_deferred = false;
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20200702125224.13516-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20186.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The rules to generate $(builddir)/openssl.cnf from $(srcdir)/openssl.cnf.in
only worked for GNU Make. BSD make needs the rules more explicit, and
the target must not have a directory specification (fixes commit
542c69c37).
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Message-Id: <20200629175109.94276-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20159.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commit ("Remove parameter config from multi_client_connect_mda") has
removed the config variable in favour of mi->cc_config, however one
occurrence was not changed.
Fix it now by properly using mi->cc_config.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200701140517.11176-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20180.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
config is always used as mi->cc_config and we pass mi,
so directly use mi->cc_config
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200701122239.6924-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20177.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Remove default setting of "set txqueuelen to 100". This default dates
back to the "pre git" times (before 2005) and might have been beneficial
back then - nowadays, the Linux default is 500, and thus reducing(!)
txqueuelen by-default can cause TX packet drops on the tun interface,
and that's bad for throughput.
This is a similar change to commit f0b64e5dc (remove setting of the
socket send/receive buffers by default) - similar vintage of the
existing code, similar motivation.
Note: buffer length can be checked with "ip link show" (qlen NNN)
See also:
https://ivanvari.com/solving-openvpn-poor-throughput-and-packet-loss/
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20200629180405.17671-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20160.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This option allows the user to specify a network interface or VRF
device the OpenVPN process should use when making a connection or
binding to an address.
This is done by setting the SO_BINDTODEVICE option to the corresponding
socket (on Linux). SO_BINDTODEVICE forces all packets sent on that socket
to go out via the specified interface, and only packets coming in on
that interface are received by OpenVPN.
When used in a VRF context on Linux [0], you can also specify the name
of the VRF ("--bind-dev external_vrf"), which will put the OpenVPN
"network side" into this VRF. This allows making connections using a
non-default VRF and having the tun/tap interface in the default VRF.
Thanks to David Ahern (Cumulus Networks) for insights on this.
[0] https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/networking/vrf.txt
Signed-off-by: Maximilian Wilhelm <max@sdn.clinic>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1593427748-29801-2-git-send-email-max@rfc2324.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20156.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
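The --bind-dev commit above works by setting SO_BINDTODEVICE on the socket. The helper below is an added example of that call with the input check a defender would want in front of it; it is not OpenVPN's socket.c code, and bind_socket_to_device() is an assumed name. The explicit IFNAMSIZ check exists because the Linux kernel truncates an over-long device name to IFNAMSIZ-1 bytes rather than rejecting it, so a mistyped or attacker-influenced name could otherwise end up binding to a different interface than intended; on non-Linux builds the option is absent and the helper reports ENOTSUP.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <net/if.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Bind an already created socket to a network interface or VRF device,
 * the mechanism --bind-dev uses on Linux.
 * Returns 0 on success, -1 with errno set on failure. */
int bind_socket_to_device(int fd, const char *dev)
{
    /* Reject names the kernel would silently truncate to IFNAMSIZ-1 bytes. */
    if (dev == NULL || dev[0] == '\0' || strlen(dev) >= IFNAMSIZ) {
        errno = EINVAL;
        return -1;
    }
#ifdef SO_BINDTODEVICE
    /* Pass strlen+1 so the terminating NUL is part of the option value. */
    if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, dev, strlen(dev) + 1) < 0) {
        return -1;       /* errno: EBADF, EPERM (older kernels need CAP_NET_RAW), ENODEV ... */
    }
    return 0;
#else
    (void)fd;
    errno = ENOTSUP;     /* SO_BINDTODEVICE is Linux specific */
    return -1;
#endif
}
```

After a successful call, only traffic arriving on the named interface reaches the socket and all outgoing packets leave through it, which is what places the "network side" of the tunnel inside a VRF while the tun/tap interface stays in the default VRF.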
Some of the commits, especially engine have not strictly used uncrustify
clean code. Rerun uncrustify to make them compliant again.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200626125332.15385-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20142.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This commit introduces the allow-compression option that allows
changing the new default to the previous default or to a stricter
version.
Warning for comp-lzo/compress are not generated in the post option check
(options_postprocess_mutate) since these warnings should also be shown
on pushed options. Moving the warning showing for
allow-compression to options_postprocess_mutate will complicate the
option handling without giving any other benefit.
Patch V2: fix spelling and grammar (thanks tincantech), also fix
uncompressiable to incompressible in three other instances in the
source code
Patch V3: fix overlong lines. Do not allow compression to be pushed
Patch V4: rename COMP_F_NO_ASYM to COMP_F_ALLOW_COMPRESS, fix style.
The logic of warnings etc in options.c has not been changed
since adding all the code to mutate_options would need a lot more
and more complicated code and after discussion we decided that
it is okay as is.
Patch V5: Reword warnings, rebase on master
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20200626110554.3690-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20138.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Also set warnings level to level2 and
enable "treat warnings as errors" flag.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200626101050.442-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/search?l=mid&q=20200626101050.442-1-lstipakov@gmail.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
--enable-small eliminates one of the openssl errors the test is
looking for, so alter the grep also to account for the message in this
version. Additionally output log.txt on failure so any test platform
gives an easy clue about what went wrong.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1592953354.2103.3.camel@HansenPartnership.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20102.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Add config precursor and script to extra dist and make sure
build and test leftover files are cleaned up afterwards.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1592917531.4768.4.camel@HansenPartnership.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20088.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Testing engines is problematic, so one of the prerequisites built for
the tests is a simple openssl engine that reads a non-standard PEM
guarded key. The test is simply can we run a client/server
configuration with the usual sample key replaced by an engine key.
The trivial engine prints out some operations and we check for these
in the log to make sure the engine was used to load the key and that
it correctly got the password.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200622232319.8143-2-James.Bottomley@HansenPartnership.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20075.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
More recent OpenVPN APIs pass a function pointer for a logging function
(plugin_log()) to plugins. Using this will make the plugin logs appear
wherever openvpn logs to - file, syslog, stderr.
This patch converts plugin/auth-pam.c "fairly mechanically" to use this
new API. Real errors are logged with PLOG_ERR or PLOG_ERR|PLOG_ERRNO,
while debug info is logged with PLOG_NOTE (subject to the already-existing
debug level handling inside plugin/auth-pam, via "setenv verb <n>").
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20200620143940.11704-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20037.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The unit test duplicates some part of the test for
the ncp-cipher list but that is not a bad thing.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200605112519.22714-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19968.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
IPv4 pool handling needs lots of extra code to deal with "topology net30",
so we want to remove that combination in a future release.
Warn people about this in 2.5 so nobody is hit by this as a surprise.
Client- and ifconfig-support for net30 will stay, as "just net30" is not
what brings maintenance effort here (totally removing all options except
"topology subnet" would be beneficial but is a bit too radical today)
Trac: #1288
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20200620180532.15738-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20041.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Replace existing ctime() output which is hard to sort and compare
with ISO 8601 / RFC 3399 "YYYY-MM-DD hh:mm:dd" format for file-based
logging (stderr or --log file).
RFC 3399 5.6 permits use of a space for full-date-full-time separation,
which is used to enhance readability.
Syslog or --machine-readable-output are not affected.
Trac: #719
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20200620172303.15010-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20040.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When signalling the client that it should do Challenge response
without reconnecting (IV_SSO=crtext/INFOPRE=CR_TEXT), the server
needs to forward the response via the management console.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20200519220004.25136-6-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19910.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This implements sending AUTH_PENDING and INFO_PRE messages to clients
that indicate that the clients should continue authentication with
a second factor. This can currently be out of band (openurl) or a normal
challenge/response two like TOTP (CR_TEXT).
Unfortunately this patch spent so much time in review in openvpn2 that
the corresponding IV_SSO commit in openvpn3 (34a3f264) already made its
way to released products so changing this right now is difficult.
https://github.com/OpenVPN/openvpn3/commit/34a3f264f56bd050d9b26d2e7163f88af9a559e2
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20200519220004.25136-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19909.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When a client announces its support to support text based
challenge/response via IV_SSO=crtext, the client needs to also
be able to reply to that response.
This adds the "cr-response" management function to be able to
do this. The answer should be base64 encoded.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20200519220004.25136-4-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19907.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
OpenVPN 3 implements these messages to send information during the
authentication to the UI, implement these message also in OpenVPN 2.x
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20200519220004.25136-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19912.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>