Re: [Openvpn-devel] [PATCH v5-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-11-29 Thread ValdikSS
I **hope** I get it right this time.

On 29.11.2015 02:32, Arne Schwabe wrote:
> Am 28.11.15 um 18:25 schrieb Selva Nair:
> I am also voting on fatal error if the option is unknown. You can always
> use setenv opt block-outside-dns or use ignore-unknown-option if you do
> not want it to fail.
>
> Arne
>






[Openvpn-devel] [PATCH v7-2.3] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-11-29 Thread ValdikSS
This option blocks all out-of-tunnel communication on TCP/UDP port 53 (except
for OpenVPN itself), preventing DNS Leaks on Windows 8.1 and 10.
---
 doc/openvpn.8   |  12 ++-
 src/openvpn/init.c  |  17 
 src/openvpn/openvpn.vcxproj |   0
 src/openvpn/options.c   |  14 +++
 src/openvpn/options.h   |   1 +
 src/openvpn/win32.c | 216 
 src/openvpn/win32.h |   3 +
 7 files changed, 261 insertions(+), 2 deletions(-)
 mode change 100755 => 100644 src/openvpn/openvpn.vcxproj

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 46c1e0c..95aafdd 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -1119,8 +1119,8 @@ When used with
 .B \-\-client
 or
 .B \-\-pull,
-accept options pushed by server EXCEPT for routes and dhcp options
-like DNS servers.
+accept options pushed by server EXCEPT for routes, block-outside-dns and dhcp
+options like DNS servers.

 When used on the client, this option effectively bars the
 server from adding routes to the client's routing table,
@@ -5454,6 +5454,14 @@ adapter list to the syslog or log file after the TUN/TAP 
adapter
 has been brought up and any routes have been added.
 .\"*
 .TP
+.B \-\-block\-outside\-dns
+Block DNS servers on other network adapters to prevent
+DNS leaks. This option prevents any application from accessing
+TCP or UDP port 53 except one inside the tunnel. It uses
+Windows Filtering Platform (WFP) and works on Windows Vista or
+later.
+.\"*
+.TP
 .B \-\-dhcp\-renew
 Ask Windows to renew the TAP adapter lease on startup.
 This option is normally unnecessary, as Windows automatically
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index ceef4f7..e8a96c2 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1468,6 +1468,15 @@ do_open_tun (struct context *c)
   "up",
   c->c2.es);

+#if _WIN32_WINNT >= 0x0600
+  if (c->options.block_outside_dns)
+  {
+dmsg (D_LOW, "Blocking outside DNS");
+if (!win_wfp_block_dns(c->c1.tuntap->adapter_index))
+msg (M_FATAL, "Blocking DNS failed!");
+  }
+#endif
+
   /* possibly add routes */
   if (!c->options.route_delay_defined)
do_route (>options, c->c1.route_list, c->c1.route_ipv6_list,
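Review bot: The WFP filter is installed only after the call whose `"up"` argument closes just above the new block, so the adapter is already up and the up script has already run before port 53 is blocked; any DNS lookups the script or Windows performs on adapter bring-up happen in that window. If the intent is that nothing leaks at any point, the block should be installed before that call, or the window documented in the new man page text; from the hunk alone I cannot tell whether do_open_tun offers an earlier hook. The same ordering applies to the v7-master variant of this hunk further down the page. do_open_tun continues outside the hunk.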
@@ -1594,6 +1603,14 @@ do_close_tun (struct context *c, bool force)
   "down",
   c->c2.es);

+#if _WIN32_WINNT >= 0x0600
+if (c->options.block_outside_dns)
+{
+if (!win_wfp_uninit())
+msg (M_FATAL, "Uninitialising WFP failed!");
+}
+#endif
+
  /* actually close tun/tap device based on --down-pre flag */
  if (c->options.down_pre)
do_close_tun_simple (c);
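Review bot: `msg (M_FATAL, "Uninitialising WFP failed!")` sits in a teardown path, and M_FATAL terminates the process before the `do_close_tun_simple (c)` branch that follows, so a failed WFP cleanup also leaves the TUN/TAP device unclosed; in do_close_tun a warning is the safer level, `msg (M_WARN, "Uninitialising WFP failed!");`. The added lines are also indented one level less than the surrounding code (`+if` here versus `+  if` in the do_open_tun hunk), which may be a mail artifact but is worth checking before applying. The same applies to the v7-master do_close_tun hunk later on the page. do_close_tun continues outside the hunk.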
diff --git a/src/openvpn/openvpn.vcxproj b/src/openvpn/openvpn.vcxproj
old mode 100755
new mode 100644
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index f609aa6..457ff3e 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -715,6 +715,9 @@ static const char usage_message[] =
   "   optional parameter controls the initial state of 
ex.\n"
   "--show-net-up   : Show " PACKAGE_NAME "'s view of routing table and net 
adapter list\n"
   "  after TAP adapter is up and routes have been added.\n"
+#if _WIN32_WINNT >= 0x0600
+  "--block-outside-dns   : Block DNS on other network adapters to prevent DNS 
leaks\n"
+#endif
   "Windows Standalone Options:\n"
   "\n"
   "--show-adapters : Show all TAP-Windows adapters.\n"
@@ -814,6 +817,7 @@ init_options (struct options *o, const bool init_gc)
   o->tuntap_options.dhcp_lease_time = 31536000; /* one year */
   o->tuntap_options.dhcp_masq_offset = 0;   /* use network address as 
internal DHCP server address */
   o->route_method = ROUTE_METHOD_ADAPTIVE;
+  o->block_outside_dns = false;
 #endif
 #if P2MP_SERVER
   o->real_hash_size = 256;
@@ -1678,6 +1682,9 @@ show_settings (const struct options *o)
 #ifdef WIN32
   SHOW_BOOL (show_net_up);
   SHOW_INT (route_method);
+#if _WIN32_WINNT >= 0x0600
+  SHOW_BOOL (block_outside_dns);
+#endif
   show_tuntap_options (>tuntap_options);
 #endif
 #endif
@@ -6241,6 +6248,13 @@ add_option (struct options *options,
   VERIFY_PERMISSION (OPT_P_IPWIN32);
   options->tuntap_options.register_dns = true;
 }
+#if _WIN32_WINNT >= 0x0600
+  else if (streq (p[0], "block-outside-dns") && !p[1])
+{
+  VERIFY_PERMISSION (OPT_P_IPWIN32);
+  options->block_outside_dns = true;
+}
+#endif
   else if (streq (p[0], "rdns-internal"))
  /* standalone method for internal use
   *
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index 40cf71e..622706a 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -593,6 +593,7 @@ struct options
   bool exit_event_initial_state;
   bool show_net_up;
  

[Openvpn-devel] [PATCH v7-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-11-29 Thread ValdikSS
This option blocks all out-of-tunnel communication on TCP/UDP port 53 (except
for OpenVPN itself), preventing DNS Leaks on Windows 8.1 and 10.
---
 doc/openvpn.8   |  12 ++-
 src/openvpn/Makefile.am |   2 +-
 src/openvpn/init.c  |  17 
 src/openvpn/openvpn.vcxproj |   4 +-
 src/openvpn/options.c   |  10 +++
 src/openvpn/options.h   |   1 +
 src/openvpn/win32.c | 212 
 src/openvpn/win32.h |   3 +
 8 files changed, 256 insertions(+), 5 deletions(-)
 mode change 100755 => 100644 src/openvpn/openvpn.vcxproj

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 9889540..7e73073 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -1129,8 +1129,8 @@ When used with
 .B \-\-client
 or
 .B \-\-pull,
-accept options pushed by server EXCEPT for routes and dhcp options
-like DNS servers.
+accept options pushed by server EXCEPT for routes, block-outside-dns and dhcp
+options like DNS servers.

 When used on the client, this option effectively bars the
 server from adding routes to the client's routing table,
@@ -5574,6 +5574,14 @@ adapter list to the syslog or log file after the TUN/TAP 
adapter
 has been brought up and any routes have been added.
 .\"*
 .TP
+.B \-\-block\-outside\-dns
+Block DNS servers on other network adapters to prevent
+DNS leaks. This option prevents any application from accessing
+TCP or UDP port 53 except one inside the tunnel. It uses
+Windows Filtering Platform (WFP) and works on Windows Vista or
+later.
+.\"*
+.TP
 .B \-\-dhcp\-renew
 Ask Windows to renew the TAP adapter lease on startup.
 This option is normally unnecessary, as Windows automatically
diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
index c840f16..c55a520 100644
--- a/src/openvpn/Makefile.am
+++ b/src/openvpn/Makefile.am
@@ -127,5 +127,5 @@ openvpn_LDADD = \
$(OPTIONAL_DL_LIBS)
 if WIN32
 openvpn_SOURCES += openvpn_win32_resources.rc
-openvpn_LDADD += -lgdi32 -lws2_32 -lwininet -lcrypt32 -liphlpapi -lwinmm
+openvpn_LDADD += -lgdi32 -lws2_32 -lwininet -lcrypt32 -liphlpapi -lwinmm 
-lfwpuclnt -lrpcrt4
 endif
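Review bot: `-lfwpuclnt -lrpcrt4` is appended to `openvpn_LDADD` for every WIN32 build, and the v7-master init.c hunk guards the calls with `#if defined(WIN32)` rather than the `_WIN32_WINNT >= 0x0600` test the 2.3 variant uses, so an XP-targeted build of master would import fwpuclnt.dll, which is only available on Vista and later, at load time. If one binary is still expected to run on XP, as discussed earlier on this page, the import would have to be resolved dynamically instead; if XP is dropped for master, a short comment at the guard saying so would save the next reader the question. Note also that the mail client wrapped the new `openvpn_LDADD` line, so `-lfwpuclnt -lrpcrt4` appears on a line of its own and looks like a removal marker.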
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index c5c0ab6..9f3da60 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1468,6 +1468,15 @@ do_open_tun (struct context *c)
   "up",
   c->c2.es);

+#if defined(WIN32)
+  if (c->options.block_outside_dns)
+  {
+dmsg (D_LOW, "Blocking outside DNS");
+if (!win_wfp_block_dns(c->c1.tuntap->adapter_index))
+msg (M_FATAL, "Blocking DNS failed!");
+  }
+#endif
+
   /* possibly add routes */
   if ((route_order() == ROUTE_AFTER_TUN) && 
(!c->options.route_delay_defined))
do_route (>options, c->c1.route_list, c->c1.route_ipv6_list,
@@ -1596,6 +1605,14 @@ do_close_tun (struct context *c, bool force)
   "down",
   c->c2.es);

+#if defined(WIN32)
+if (c->options.block_outside_dns)
+{
+if (!win_wfp_uninit())
+msg (M_FATAL, "Uninitialising WFP failed!");
+}
+#endif
+
  /* actually close tun/tap device based on --down-pre flag */
  if (c->options.down_pre)
do_close_tun_simple (c);
diff --git a/src/openvpn/openvpn.vcxproj b/src/openvpn/openvpn.vcxproj
old mode 100755
new mode 100644
index b117b0b..821c46c
--- a/src/openvpn/openvpn.vcxproj
+++ b/src/openvpn/openvpn.vcxproj
@@ -64,7 +64,7 @@
   
$(SOURCEBASE);%(AdditionalIncludeDirectories)
 
 
-  
libeay32.lib;ssleay32.lib;lzo2.lib;pkcs11-helper.dll.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;%(AdditionalDependencies)
+  
libeay32.lib;ssleay32.lib;lzo2.lib;pkcs11-helper.dll.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;Fwpuclnt.lib;Rpcrt4.lib;%(AdditionalDependencies)
   
$(OPENSSL_HOME)/lib;$(LZO_HOME)/lib;$(PKCS11H_HOME)/lib;%(AdditionalLibraryDirectories)
   true
   Console
@@ -89,7 +89,7 @@
   
$(SOURCEBASE);%(AdditionalIncludeDirectories)
 
 
-  
libeay32.lib;ssleay32.lib;lzo2.lib;pkcs11-helper.dll.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;%(AdditionalDependencies)
+  
libeay32.lib;ssleay32.lib;lzo2.lib;pkcs11-helper.dll.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;Fwpuclnt.lib;Rpcrt4.lib;%(AdditionalDependencies)
   
$(OPENSSL_HOME)/lib;$(LZO_HOME)/lib;$(PKCS11H_HOME)/lib;%(AdditionalLibraryDirectories)
   true
   Console
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 36290a0..4b98275 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -704,6 +704,9 @@ static const char usage_message[] =
   "   optional parameter controls the initial state of 
ex.\n"
   

Re: [Openvpn-devel] [PATCH] Also remove second Instanz von enable-password-save in the manage

2015-11-29 Thread lorena meneses
I wanna be out of this please 
NO MORE MESSAGES 

Envoyé de mon iPhone

> Le 29 nov. 2015 à 15:30, Selva Nair  a écrit :
> 
> 
>> On Sun, Nov 29, 2015 at 2:38 PM, Arne Schwabe  wrote:
>> ---
>>  doc/openvpn.8 | 5 +
>>  1 file changed, 1 insertion(+), 4 deletions(-)
>> 
>> diff --git a/doc/openvpn.8 b/doc/openvpn.8
>> index 3519e7d..1b9dcae 100644
>> --- a/doc/openvpn.8
>> +++ b/doc/openvpn.8
>> @@ -4886,10 +4886,7 @@ is specified, read the password from the first line of
>>  .B file.
>>  Keep in mind that storing your password in a file
>>  to a certain extent invalidates the extra security provided by
>> -using an encrypted key (Note: OpenVPN
>> -will only read passwords from a file if it has been built
>> -with the \-\-enable\-password\-save configure option, or on Windows
>> -by defining ENABLE_PASSWORD_SAVE in win/settings.in).
>> +using an encrypted key.
> 
> Thanks. That takes care of the manpage. The committer could correct the typo 
> in commit msg "manage" to "manpage" if that's ok.
> 
> Cheers,
> 
> Selva


[Openvpn-devel] [PATCH applied] Re: Also remove second Instanz von enable-password-save in the manage

2015-11-29 Thread Gert Doering
Your patch has been applied to the master and release/2.3 branch.

commit 80442aeed408f26700ea7570ced2409e7dd3e98b (master)
commit 0a9f866f78b5287e9996978898ccf213afd6b8d2 (release/2.3)

Author: Arne Schwabe
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Sun Nov 29 20:38:21 2015 +0100

 Also remove second Instanz von enable-password-save in the manage

 Acked-by: Selva Nair 
 Message-Id: <1448825901-12294-1-git-send-email-a...@rfc2549.org>
 URL: http://article.gmane.org/gmane.network.openvpn.devel/10671
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




Re: [Openvpn-devel] [PATCH] Also remove second Instanz von enable-password-save in the manage

2015-11-29 Thread Selva Nair
On Sun, Nov 29, 2015 at 2:38 PM, Arne Schwabe  wrote:

> ---
>  doc/openvpn.8 | 5 +
>  1 file changed, 1 insertion(+), 4 deletions(-)
>
> diff --git a/doc/openvpn.8 b/doc/openvpn.8
> index 3519e7d..1b9dcae 100644
> --- a/doc/openvpn.8
> +++ b/doc/openvpn.8
> @@ -4886,10 +4886,7 @@ is specified, read the password from the first line
> of
>  .B file.
>  Keep in mind that storing your password in a file
>  to a certain extent invalidates the extra security provided by
> -using an encrypted key (Note: OpenVPN
> -will only read passwords from a file if it has been built
> -with the \-\-enable\-password\-save configure option, or on Windows
> -by defining ENABLE_PASSWORD_SAVE in win/settings.in).
> +using an encrypted key.


Thanks. That takes care of the manpage. The committer could correct the
typo in commit msg "manage" to "manpage" if that's ok.

Cheers,

Selva


[Openvpn-devel] [PATCH] Also remove second Instanz von enable-password-save in the manage

2015-11-29 Thread Arne Schwabe
---
 doc/openvpn.8 | 5 +
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 3519e7d..1b9dcae 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -4886,10 +4886,7 @@ is specified, read the password from the first line of
 .B file.
 Keep in mind that storing your password in a file
 to a certain extent invalidates the extra security provided by
-using an encrypted key (Note: OpenVPN
-will only read passwords from a file if it has been built
-with the \-\-enable\-password\-save configure option, or on Windows
-by defining ENABLE_PASSWORD_SAVE in win/settings.in).
+using an encrypted key.
 .\"*
 .TP
 .B \-\-auth\-nocache
-- 
2.4.9 (Apple Git-60)




Re: [Openvpn-devel] [PATCH] Reflect enable-password-save change in documentation

2015-11-29 Thread Arne Schwabe
Am 29.11.15 um 20:29 schrieb Selva Nair:
> Hi,
> 
> On Sun, Nov 29, 2015 at 2:23 PM, Arne Schwabe  > wrote:
> 
> 
> Hm but the paragraph of --askpass is not related to
> --enable-password-save, or do I miss something?
> 
> 
> please see starting line 4886 of openvpn.8 quoted below:
> 

Oh, yes sorry. I totally missed that. Good catch.

Arne




[Openvpn-devel] [PATCH applied] Re: Reflect enable-password-save change in documentation

2015-11-29 Thread Gert Doering
ACK, thanks.

Your patch has been applied to the master and release/2.3 branch.

Changes.rst did not exist in that branch yet, so git decided to copy over
the whole Changes.rst file from 2.4 :-) - adapted to 2.3.x (not complete yet)

commit 1e9c1f09cba95ebf72083c746cf847056a61c761 (master)
commit fbf3763aab42c0f4de8362474edaaa2ea580dd17 (release/2.3)

Author: Arne Schwabe
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Sun Nov 29 19:52:24 2015 +0100

 Reflect enable-password-save change in documentation

 Acked-by: Gert Doering 
 Message-Id: <1448823144-1497-1-git-send-email-a...@rfc2549.org>
 URL: http://article.gmane.org/gmane.network.openvpn.devel/10665
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




Re: [Openvpn-devel] [PATCH] Reflect enable-password-save change in documentation

2015-11-29 Thread Arne Schwabe
Am 29.11.15 um 20:09 schrieb Selva Nair:
> Hi,
> 
> On Sun, Nov 29, 2015 at 1:52 PM, Arne Schwabe  > wrote:
> 
> --- a/doc/openvpn.8
> +++ b/doc/openvpn.8
> @@ -3800,10 +3800,7 @@ over the client's routing table.
>  Authenticate with server using username/password.
>  .B up
>  is a file containing username/password on 2 lines. If the
> -password line is missing, OpenVPN will prompt for one. (Note: OpenVPN
> -will only read passwords from a file if it has been built
> -with the \-\-enable\-password\-save configure option, or on Windows
> -by defining ENABLE_PASSWORD_SAVE in win/settings.in
> ).
> +password line is missing, OpenVPN will prompt for one.
> 
> 
> There is a similar description relating to --askpass . That may be
> deleted too.

Hm but the paragraph of --askpass is not related to
--enable-password-save, or do I miss something?

Arne




Re: [Openvpn-devel] [PATCH] Reflect enable-password-save change in documentation

2015-11-29 Thread Selva Nair
Hi,

On Sun, Nov 29, 2015 at 1:52 PM, Arne Schwabe  wrote:

> --- a/doc/openvpn.8
> +++ b/doc/openvpn.8
> @@ -3800,10 +3800,7 @@ over the client's routing table.
>  Authenticate with server using username/password.
>  .B up
>  is a file containing username/password on 2 lines. If the
> -password line is missing, OpenVPN will prompt for one. (Note: OpenVPN
> -will only read passwords from a file if it has been built
> -with the \-\-enable\-password\-save configure option, or on Windows
> -by defining ENABLE_PASSWORD_SAVE in win/settings.in).
> +password line is missing, OpenVPN will prompt for one.
>

There is a similar description relating to --askpass . That may be deleted
too.

Selva


[Openvpn-devel] [PATCH] Reflect enable-password-save change in documentation

2015-11-29 Thread Arne Schwabe
---
 Changes.rst   | 3 +++
 doc/openvpn.8 | 5 +
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Changes.rst b/Changes.rst
index a791ca3..c2142fa 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -72,3 +72,6 @@ User-visible Changes
 - proto udp6/tcp6 in server mode will now try to always listen to
   both IPv4 and IPv6 on platforms that allow it. Use bind ipv6only
   to explicitly listen only on IPv6.
+
+- Removed --enable-password-save from configure. This option is now
+  always enabled.
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 9889540..4297513 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -3800,10 +3800,7 @@ over the client's routing table.
 Authenticate with server using username/password.
 .B up
 is a file containing username/password on 2 lines. If the
-password line is missing, OpenVPN will prompt for one. (Note: OpenVPN
-will only read passwords from a file if it has been built
-with the \-\-enable\-password\-save configure option, or on Windows
-by defining ENABLE_PASSWORD_SAVE in win/settings.in).
+password line is missing, OpenVPN will prompt for one. 

 If
 .B up
-- 
2.4.9 (Apple Git-60)




Re: [Openvpn-devel] [PATCH] Remove --enable-password-save option

2015-11-29 Thread Gert Doering
Hi,

On Sun, Nov 29, 2015 at 10:52:37AM -0500, Jonathan K. Bullard wrote:
> But please update the man page, too; it references
> "--enable-password-save". (Then again, the man page doesn't mention
> allowing username-only files, so it is already inaccurate.)

Good point.  I'll see to that "ASAP".

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de




[Openvpn-devel] [PATCH applied] Re: Remove --enable-password-save option

2015-11-29 Thread Gert Doering
ACK - we agreed to do this in 2014 in Munich, but nobody submitted a patch yet...

Your patch has been applied to the master and release/2.3 branch.

commit 9ffd00e7541d83571b9eec087c6b3545ff68441f (master)
commit 747ae0c49d813434a70953ea05f58953d7da11c0 (release/2.3)

Author: Arne Schwabe
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Sun Nov 29 15:55:59 2015 +0100

 Remove --enable-password-save option

 Acked-by: Gert Doering 
 Message-Id: <1448808959-10565-1-git-send-email-a...@rfc2549.org>
 URL: http://article.gmane.org/gmane.network.openvpn.devel/10661
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




Re: [Openvpn-devel] [PATCH v4-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-11-29 Thread Gert Doering
Hi,

On Wed, Nov 25, 2015 at 08:52:09AM -0800, Fish Wang wrote:
> Just a small suggestion: I think the following will work:
> 
> - Check the version of the current operating system.
> - Dynamically loading related DLLs (in this case, should be WFP-related
> libraries) using LoadLibrary() only if OpenVPN is running Windows Vista+,
> and pops a warning for XP users who have that option enabled.
> - On Vista+, get addresses of those APIs that we want to call (via
> GetProcAddress() ), and then use them as function pointers.
> 
> Pros: one binary works for all Windows.
> Cons: the code is a bit messier. 
> 
> I've done this before for my own projects that must be running on both XP
> and later versions of Windows, and it works reliably. I can look into this
> later this week (if ValdikSS doesn't have cycles).

This would definitely be something I'd like to have a look at.

Depending how *much* messier the code gets (especially: what settings does
it need to get built?  WINXP or VISTA?) this might be a good way to avoid
having to build two different openvpn.exe executables.

OTOH, we need two installers anyway as the NDIS6 tap driver does not work
on XP - so if we bundle openvpn-xp.exe with the old tap driver and
openvpn-vista+.exe with the ndis6 tap driver, it's not that much worse than
what we have now...

And yes, time to get 2.4 out :-)

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de




[Openvpn-devel] [PATCH applied] Re: Unbreak read username password from management

2015-11-29 Thread Gert Doering
ACK.  This looks reasonable, and I've tested the use cases I can easily
test here ("all from stdin", "username from file, pass from stdin", "both 
from file").  Sorry for causing you pain in your VPN setups - and thanks
for taking care of this.

Your patch has been applied to the master and release/2.3 branch.

commit cdd69bb7f1c207fb5a9648f36440d7c6e2dcaa76 (master)
commit 9557196ffb3296f2a8e5aee4521702f1d0c2019b (release/2.3)

Author: Selva Nair
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Thu Nov 26 21:20:53 2015 -0500

 Unbreak read username password from management

 Signed-off-by: Selva Nair 
 Acked-by: Gert Doering 
 Message-Id: <1448590853-26862-1-git-send-email-selva.n...@gmail.com>
 URL: http://article.gmane.org/gmane.network.openvpn.devel/10630
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




[Openvpn-devel] [PATCH applied] Re: Support duplicate x509 field values in environment

2015-11-29 Thread Gert Doering
ACK on the changes v1->v2, keeping Selva's ACK for v1.

Your patch has been applied to the master branch.

commit 13b585e8a4c6f9681ff23bc7fb0af71ce9d0162f
Author: Steffan Karger
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Sun Nov 29 10:39:24 2015 +0100

 Support duplicate x509 field values in environment

 Signed-off-by: Steffan Karger 
 Acked-by: Selva Nair 
 Acked-by: Gert Doering 
 Message-Id: 

[Openvpn-devel] [PATCH applied] Re: Fix openssl builds with custom-built library: specify most-dependent first

2015-11-29 Thread Gert Doering
Your patch has been applied to the master branch (with some massaging as
the context has the aead_modes stuff in your tree...).

commit 09f2670ce27158f81b4983c06f63870a5188d4aa
Author: Steffan Karger
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Sat Nov 28 23:48:01 2015 +0100

 Fix openssl builds with custom-built library: specify most-dependent first

 Signed-off-by: Steffan Karger 
 Acked-by: Arne Schwabe 
 Message-Id: <1448750881-10767-1-git-send-email-stef...@karger.me>
 URL: http://article.gmane.org/gmane.network.openvpn.devel/10649
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




[Openvpn-devel] [PATCH applied] Re: Un-break compilation on *BSD

2015-11-29 Thread Gert Doering
Thanks for review. Patch has been applied to the master branch.

commit 4a82a9ac0bef6db58858a42b4dc500ae9e09682d (master)

Author: Gert Doering
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Sat Nov 28 20:58:37 2015 +0100

 Un-break compilation on *BSD

 Signed-off-by: Gert Doering 
 Acked-by: Arne Schwabe 
 Message-Id: <1448740717-60914-1-git-send-email-g...@greenie.muc.de>
 URL: http://article.gmane.org/gmane.network.openvpn.devel/10648


--
kind regards,

Gert Doering




Re: [Openvpn-devel] [PATCH] Un-break compilation on *BSD

2015-11-29 Thread Arne Schwabe
Am 28.11.15 um 20:58 schrieb Gert Doering:
> Commit 2191c47165 introduced code to handle IP address query on
> multihoming hosts for IP_PKTINFO-supporting OSes, but all the BSDs
> need the "#elsif IP_RECVDSTADDR" variant... add code equivalent
> to what we have in socket.c/print_link_socket_actual_ex()
> 


ACK code looks sane.

Arne



Re: [Openvpn-devel] [PATCH] Fix openssl builds with custom-built library: specify most-dependent first

2015-11-29 Thread Arne Schwabe
Am 28.11.15 um 23:48 schrieb Steffan Karger:
> Libraries should be specified from left-to-right as most-dependent to
> least-dependent.  Thus, -lssl comes first, then -lcrypto.
> 
> (This does not fail when pkg-config finds your libraries for you, since
> we tell it '-lssl needs -lcrypto' and we then end up with
> "-lcrypto -lssl -lcrypto", which is not pretty but does work.)
> 

ACK from me.

Arne




Re: [Openvpn-devel] [PATCH] Support duplicate x509 field values in environment

2015-11-29 Thread Steffan Karger
Hi,

On Sun, Nov 29, 2015 at 6:29 AM, Selva Nair  wrote:
> A useful change and clean code. A couple of places could benefit from const
> qualifiers, though

You're absolutely right.  Thanks.  Attached a v2 patch that adds the
suggested const qualifiers.

Now that I was looking at my own code again, I also realized a
strcpy() makes more sense in setenv_str_incr() than the memcpy() from
the previous patch.  (Both work just fine, but this should be easier
to read.)

-Steffan
From 44a5af585953d5384d3bbd64e55c1de6343919d8 Mon Sep 17 00:00:00 2001
From: Steffan Karger 
Date: Sun, 29 Nov 2015 10:39:24 +0100
Subject: [PATCH] Support duplicate x509 field values in environment

As reported in trac #387, an x509 DN can contain duplicate fields.
Previously, we would overwrite any previous field value with a new one if
we would process a second same-name field.  Now, instead, append _$N,
starting at N=1 to the name for each consequent field to export all fields
to the environment.

v2 - make better use of const qualifiers in env_set_get(), and use strcpy()
 instead of memcpy() in setenv_str_incr()

Signed-off-by: Steffan Karger 
---
 Changes.rst   |  7 +++
 src/openvpn/misc.c| 32 
 src/openvpn/misc.h|  7 +++
 src/openvpn/ssl_verify_openssl.c  |  2 +-
 src/openvpn/ssl_verify_polarssl.c |  2 +-
 5 files changed, 48 insertions(+), 2 deletions(-)

diff --git a/Changes.rst b/Changes.rst
index c674da5..e712f63 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -36,6 +36,13 @@ LZ4 Compression
 
 User-visible Changes
 
+- For certificate DNs with duplicate fields, e.g. "OU=one,OU=two", both fields
+  are now exported to the environment, where each second and later occurrence
+  of a field get _$N appended to it's field name, starting at N=1.  For the
+  example above, that would result in e.g. X509_0_OU=one, X509_0_OU_1=two.
+  Note that this breaks setups that rely on the fact that OpenVPN would
+  previously (incorrectly) only export the last occurence of a field.
+
 - proto udp and proto tcp specify to use IPv4 and IPv6. The new
   options proto udp4 and tcp4 specify to use IPv4 only.
 
diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index 0f04d09..6bf46ce 100644
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -607,6 +607,16 @@ env_set_add (struct env_set *es, const char *str)
   env_set_add_nolock (es, str);
 }
 
+const char*
+env_set_get (const struct env_set *es, const char *name)
+{
+  const struct env_item *item = es->list;
+  while (item && !env_string_equal(item->string, name)) {
+  item = item->next;
+  }
+  return item ? item->string : NULL;
+}
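Review bot: `env_set_get` becomes part of the public misc.h interface (second misc.h hunk, the `const char* env_set_get` declaration) without a doc comment, while the neighbouring `setenv_str_incr` declaration gets one; a `/** Return the stored entry whose name matches name, or NULL if none. */` above the declaration would keep the header consistent. The brace placement here (`while (...) {` with the body indented under it) also differs from the style used in the rest of the file, where `while` and `if` bodies get braces on their own lines, as in the setenv_str_incr hunk of this same patch. What exactly is returned (the full "NAME=value" string or just the name) depends on how env_string_equal and env_set_add store entries, which is outside the hunk, so the comment should say whichever the existing code does.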
+
 void
 env_set_print (int msglevel, const struct env_set *es)
 {
@@ -741,6 +751,28 @@ setenv_str_safe (struct env_set *es, const char *name, const char *value)
 msg (M_WARN, "setenv_str_safe: name overflow");
 }
 
+void setenv_str_incr(struct env_set *es, const char *name, const char *value)
+{
+  unsigned int counter = 1;
+  const size_t tmpname_len = strlen(name) + 5; /* 3 digits counter max */
+  char *tmpname = gc_malloc(tmpname_len, true, NULL);
+  strcpy(tmpname, name);
+  while (NULL != env_set_get(es, tmpname) && counter < 1000)
+{
+  ASSERT (openvpn_snprintf (tmpname, tmpname_len, "%s_%u", name, counter));
+  counter++;
+}
+  if (counter < 1000)
+{
+  setenv_str (es, tmpname, value);
+}
+  else
+{
+  msg (D_TLS_DEBUG_MED, "Too many same-name env variables, ignoring: %s", name);
+}
+  free (tmpname);
+}
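Review bot: `name_999` can never be used: once `name_998` is found taken the loop formats `name_999` and sets counter to 1000, the `counter < 1000` test then ends the loop without looking that candidate up, and the `if (counter < 1000)` below discards it. Checking the candidate instead of the counter fixes this, `if (env_set_get(es, tmpname) == NULL)`. Dropping a certificate field at `D_TLS_DEBUG_MED` is also easy to miss; since this exports DN fields to scripts and the environment, `M_WARN` would make the truncation visible to an operator. The limit `1000` appears three times and the `+ 5` in the buffer size depends on it, so a single named constant would tie them together.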
+
 void
 setenv_del (struct env_set *es, const char *name)
 {
diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h
index ec2e417..7686399 100644
--- a/src/openvpn/misc.h
+++ b/src/openvpn/misc.h
@@ -133,6 +133,12 @@ void setenv_str (struct env_set *es, const char *name, const char *value);
 void setenv_str_safe (struct env_set *es, const char *name, const char *value);
 void setenv_del (struct env_set *es, const char *name);
 
+/**
+ * Store the supplied name value pair in the env_set.  If the variable with the
+ * supplied name  already exists, append _N to the name, starting at N=1.
+ */
+void setenv_str_incr(struct env_set *es, const char *name, const char *value);
+
 void setenv_int_i (struct env_set *es, const char *name, const int value, const int i);
 void setenv_str_i (struct env_set *es, const char *name, const char *value, const int i);
 
@@ -142,6 +148,7 @@ struct env_set *env_set_create (struct gc_arena *gc);
 void env_set_destroy (struct env_set *es);
 bool env_set_del (struct env_set *es, const char *str);
 void env_set_add (struct env_set *es, const char *str);
+const char* env_set_get (const struct env_set *es, const char *name);
 
 void env_set_print (int msglevel, const struct env_set *es);
 
diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index bf53522..d014f9d 100644
--- 

Re: [Openvpn-devel] [PATCH] Support duplicate x509 field values in environment

2015-11-29 Thread Selva Nair
Hi,

On Sat, Nov 28, 2015 at 5:03 AM, Steffan Karger  wrote:

> As reported in trac #387, an x509 DN can contain duplicate fields.
> Previously, we would overwrite any previous field value with a new one if
> we would process a second same-name field.  Now, instead, append _$N,
> starting at N=1 to the name for each consequent field to export all fields
> to the enviroment.
>

A useful change and clean code. A couple of places could benefit from const
qualifiers, though:

--- a/src/openvpn/misc.c
> +++ b/src/openvpn/misc.c
> @@ -607,6 +607,16 @@ env_set_add (struct env_set *es, const char *str)
>env_set_add_nolock (es, str);
>  }
>
> +const char*
> +env_set_get (struct env_set *es, const char *name)
>

... (const struct env_set *es,   )  

+{
> +  struct env_item *item = es->list;
>

const struct env_item *item = ...

+  while (item && !envstring_equal(item->string, name)) {
> +  item = item->next;
> +  }
> +  return item ? item->string : NULL;
> +}
>

Thanks,

Selva