[Openvpn-devel] [PATCH v5] Support for disabled peer-id
From: Lev Stipakov

v5:
* Few more nitpicks

v4:
* replace magic number with define
* show user a decimal value instead of hex

v3:
* move assert outside of loop
* add max-clients value check to options

v2:
* Add round brackets for clarity
* Rephrase comment

Support for disabled peer-id

When the peer-id value is 0xFF, the server should ignore it and treat the packet in the same way as P_DATA_V1.

---
src/openvpn/mudp.c| 13 ++--- src/openvpn/multi.c | 3 ++- src/openvpn/openvpn.h | 3 +++ src/openvpn/options.c | 5 + 4 files changed, 20 insertions(+), 4 deletions(-) diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c index 21a7e97..fec5e8d 100644 --- a/src/openvpn/mudp.c +++ b/src/openvpn/mudp.c @@ -64,12 +64,16 @@ multi_get_create_instance_udp (struct multi_context *m, bool *floated) struct hash_bucket *bucket = hash_bucket (hash, hv); uint8_t* ptr = BPTR(&m->top.c2.buf); uint8_t op = ptr[0] >> P_OPCODE_SHIFT; + bool v2 = (op == P_DATA_V2) && (m->top.c2.buf.len >= (1 + 3)); + bool peer_id_disabled = false; /* make sure buffer has enough length to read opcode (1 byte) and peer-id (3 bytes) */ - if (op == P_DATA_V2 && m->top.c2.buf.len >= (1 + 3)) + if (v2) { uint32_t peer_id = ntohl(*(uint32_t*)ptr) & 0xFF; - if ((peer_id < m->max_clients) && (m->instances[peer_id])) + peer_id_disabled = (peer_id == MAX_PEER_ID); + + if (!peer_id_disabled && (peer_id < m->max_clients) && (m->instances[peer_id])) { mi = m->instances[peer_id]; @@ -84,7 +88,7 @@ multi_get_create_instance_udp (struct multi_context *m, bool *floated) } } } - else + if (!v2 || peer_id_disabled) { he = hash_lookup_fast (hash, bucket, &real, hv); if (he) @@ -107,6 +111,9 @@ multi_get_create_instance_udp (struct multi_context *m, bool *floated) hash_add_fast (hash, bucket, &mi->real, hv, mi); mi->did_real_hash = true; + /* max_clients must be less then max peer-id value */ + ASSERT(m->max_clients < MAX_PEER_ID); + for (i = 0; i < m->max_clients; ++i) { if (!m->instances[i])
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index ba7f2c0..3bc6ee9 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -605,7 +605,8 @@ multi_close_instance (struct multi_context *m, } #endif - m->instances[mi->context.c2.tls_multi->peer_id] = NULL; + if (mi->context.c2.tls_multi->peer_id != MAX_PEER_ID) + m->instances[mi->context.c2.tls_multi->peer_id] = NULL; schedule_remove_entry (m->schedule, (struct schedule_entry *) mi); diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h index 1a458f1..65a183a 100644 --- a/src/openvpn/openvpn.h +++ b/src/openvpn/openvpn.h @@ -595,4 +595,7 @@ struct context #define CIPHER_ENABLED(c) (false) #endif +/* this represents "disabled peer-id" */ +#define MAX_PEER_ID 0xFF + #endif diff --git a/src/openvpn/options.c b/src/openvpn/options.c index c9688c3..4b7203d 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -5893,6 +5893,11 @@ add_option (struct options *options, msg (msglevel, "--max-clients must be at least 1"); goto err; } + if (max_clients >= MAX_PEER_ID) /* max peer-id value */ + { + msg (msglevel, "--max-clients must be less than %d", MAX_PEER_ID); + goto err; + } options->max_clients = max_clients; } else if (streq (p[0], "max-routes-per-client") && p[1] && !p[2]) -- 1.9.1 -- ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
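Review bot: in the mudp.c hunk the comment "make sure buffer has enough length to read opcode (1 byte) and peer-id (3 bytes)" now sits between the new `bool v2 = ...` line that performs that check and the bare `if (v2)`, so it should move above the `v2` initialiser; the comment on the new ASSERT says "less then" where "less than" is meant. A short comment next to `peer_id_disabled = (peer_id == MAX_PEER_ID);` saying that such packets are deliberately routed through the address lookup like P_DATA_V1 would also save the next reader a trip to the commit message.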
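Review bot: the options.c check `max_clients >= MAX_PEER_ID` is consistent with the `ASSERT(m->max_clients < MAX_PEER_ID)` in mudp.c, but the reason is not stated in the code: slots are numbered 0..max_clients-1 by the `for (i = 0; i < m->max_clients; ++i)` loop, so this bound is what keeps the reserved sentinel from ever being handed out as a real peer-id. Say so in the `/* max peer-id value */` comment, and consider making the user-facing message name the reservation ("peer-id %d is reserved") rather than only the bound.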
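The packet-classification rule this series implements, as an added example that is not OpenVPN's own code: a stand-alone version of the decision multi_get_create_instance_udp() makes on the first four bytes, plus the --max-clients bound from options.c. Assumed: P_DATA_V1, P_DATA_V2 and P_OPCODE_SHIFT take the values OpenVPN's ssl.h uses, and MAX_PEER_ID is the full 3-byte all-ones value 0xFFFFFF (16777215, the number the v4 error message prints); the sample packets are constructed.

```c
/* Added example, not OpenVPN's own code: the "disabled peer-id" rule of
 * multi_get_create_instance_udp() as a stand-alone function.
 * Assumptions: opcode constants as in OpenVPN's ssl.h; the peer-id is
 * 3 bytes on the wire, so the "disabled" sentinel is 0xFFFFFF (16777215). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define P_DATA_V1      6
#define P_DATA_V2      9
#define P_OPCODE_SHIFT 3
#define MAX_PEER_ID    0xFFFFFF   /* "peer-id disabled" sentinel */

enum lookup {
    LOOKUP_BY_PEER_ID,  /* index m->instances[] directly with the peer-id */
    LOOKUP_BY_ADDRESS,  /* V1, short V2 header or disabled id: hash the source address */
    LOOKUP_REJECT       /* V2 id outside 0..max_clients-1: no instance can own it */
};

/* Big-endian 24-bit peer-id following the opcode byte; the caller has already
 * checked that buf holds at least 4 bytes. Byte assembly avoids the unaligned
 * uint32_t dereference that the patch inherits from the existing code. */
uint32_t read_peer_id(const uint8_t *buf)
{
    return ((uint32_t)buf[1] << 16) | ((uint32_t)buf[2] << 8) | buf[3];
}

/* --max-clients must leave the sentinel unused: slots are 0..max_clients-1,
 * and the options.c hunk rejects anything >= MAX_PEER_ID (and anything < 1). */
int max_clients_valid(long max_clients)
{
    return max_clients >= 1 && max_clients < MAX_PEER_ID;
}

enum lookup classify_data_packet(const uint8_t *buf, size_t len,
                                 uint32_t max_clients, uint32_t *peer_id_out)
{
    if (len < 1) {
        return LOOKUP_REJECT;           /* nothing to classify */
    }
    uint8_t op = buf[0] >> P_OPCODE_SHIFT;
    /* same condition as the patch's "v2": V2 opcode and room for opcode + peer-id */
    int v2 = (op == P_DATA_V2) && (len >= 1 + 3);
    if (!v2) {
        return LOOKUP_BY_ADDRESS;       /* P_DATA_V1, or a V2 header too short to trust */
    }
    uint32_t peer_id = read_peer_id(buf);
    if (peer_id == MAX_PEER_ID) {
        return LOOKUP_BY_ADDRESS;       /* client disabled peer-id: treat like V1 */
    }
    if (peer_id >= max_clients) {
        return LOOKUP_REJECT;           /* never allocated, so never a live instance */
    }
    if (peer_id_out) {
        *peer_id_out = peer_id;
    }
    return LOOKUP_BY_PEER_ID;
}

/* Constructed sample packets: opcode in the top 5 bits, key-id 0 in the low 3,
 * then the 3-byte peer-id (V2 only) and one byte of dummy payload. */
const uint8_t sample_v1[]          = { P_DATA_V1 << P_OPCODE_SHIFT, 0xAA };
const uint8_t sample_v2_id5[]      = { P_DATA_V2 << P_OPCODE_SHIFT, 0x00, 0x00, 0x05, 0xAA };
const uint8_t sample_v2_disabled[] = { P_DATA_V2 << P_OPCODE_SHIFT, 0xFF, 0xFF, 0xFF, 0xAA };
const uint8_t sample_v2_id200[]    = { P_DATA_V2 << P_OPCODE_SHIFT, 0x00, 0x00, 0xC8, 0xAA };
const uint8_t sample_v2_short[]    = { P_DATA_V2 << P_OPCODE_SHIFT, 0x00 };

int main(void)
{
    static const char *names[] = { "by peer-id", "by address", "reject" };
    uint32_t id = 0;
    enum lookup r = classify_data_packet(sample_v2_id5, sizeof sample_v2_id5, 100, &id);
    printf("V2 id 5     -> %s (id %u)\n", names[r], id);
    r = classify_data_packet(sample_v2_disabled, sizeof sample_v2_disabled, 100, &id);
    printf("V2 disabled -> %s\n", names[r]);
    r = classify_data_packet(sample_v1, sizeof sample_v1, 100, &id);
    printf("V1          -> %s\n", names[r]);
    r = classify_data_packet(sample_v2_id200, sizeof sample_v2_id200, 100, &id);
    printf("V2 id 200   -> %s\n", names[r]);
    return 0;
}
```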
Re: [Openvpn-devel] [PATCH] Fix win32 building with C99 mode
Hi,

On Sat, Sep 17, 2016 at 9:20 AM, Gert Doering wrote:
> In -std=c99 mode, WIN32 is not defined to be "1" anymore, but just
> "#define WIN32" - so the "#if WIN32" breaks, needs to be "#ifdef WIN32"
>

Indeed... To depend on the compiler or system headers to define WIN32 was not a great idea anyway. Using _WIN32 or __WIN32 is probably more reliable. Or we should define WIN32 in config.h.

With std=c99, it seems WIN32 gets defined by chance through some header pulled in by syshead.h -- not something one can rely on.

Compiler-defined macros with std=c99:

$ x86_64-w64-mingw32-gcc -std=c99 -E -dM -
[Openvpn-devel] [PATCHv2] Enable TCP non-linear packet ID
Implementation with multiple threads needs that to be able to run encryption in parallel. Tested with James' OpenVPN 3 server.

---
src/openvpn/comp.c | 1 + src/openvpn/init.c | 1 - src/openvpn/options.c | 5 - src/openvpn/packet_id.c | 7 +++ src/openvpn/packet_id.h | 2 +- src/openvpn/ssl.c | 3 +-- 6 files changed, 6 insertions(+), 13 deletions(-) diff --git a/src/openvpn/comp.c b/src/openvpn/comp.c index 3a32c62..61f6f08 100644 --- a/src/openvpn/comp.c +++ b/src/openvpn/comp.c @@ -160,6 +160,7 @@ comp_generate_peer_info_string(const struct compress_options *opt, struct buffer buf_printf (out, "IV_LZO_STUB=1\n"); buf_printf (out, "IV_COMP_STUB=1\n"); buf_printf (out, "IV_COMP_STUBv2=1\n"); +buf_printf (out, "IV_TCPNL=1\n"); } } diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 9cd3d9f..fdeaf95 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2143,7 +2143,6 @@ do_init_crypto_static (struct context *c, const unsigned int flags) if (options->replay) { packet_id_init (&c->c2.crypto_options.packet_id, - link_socket_proto_connection_oriented (options->ce.proto), options->replay_window, options->replay_time, "STATIC", 0); diff --git a/src/openvpn/options.c b/src/openvpn/options.c index dd7d461..1be32ff 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -2215,11 +2215,6 @@ options_postprocess_verify_ce (const struct options *options, const struct conne /* * Check consistency of replay options */ - if ((!proto_is_udp(ce->proto)) - && (options->replay_window != defaults.replay_window - || options->replay_time != defaults.replay_time)) -msg (M_USAGE, "--replay-window only makes sense with --proto udp"); - if (!options->replay && (options->replay_window != defaults.replay_window || options->replay_time != defaults.replay_time)) diff --git a/src/openvpn/packet_id.c b/src/openvpn/packet_id.c index baa4966..9874519 100644 --- a/src/openvpn/packet_id.c +++ b/src/openvpn/packet_id.c
@@ -76,10 +76,9 @@ packet_id_debug (int msglevel, } void -packet_id_init (struct packet_id *p, bool tcp_mode, int seq_backtrack, int time_backtrack, const char *name, int unit) +packet_id_init (struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit) { - dmsg (D_PID_DEBUG, "PID packet_id_init tcp_mode=%d seq_backtrack=%d time_backtrack=%d", - tcp_mode, + dmsg (D_PID_DEBUG, "PID packet_id_init seq_backtrack=%d time_backtrack=%d", seq_backtrack, time_backtrack); @@ -88,7 +87,7 @@ packet_id_init (struct packet_id *p, bool tcp_mode, int seq_backtrack, int time_ p->rec.name = name; p->rec.unit = unit; - if (seq_backtrack && !tcp_mode) + if (seq_backtrack) { ASSERT (MIN_SEQ_BACKTRACK <= seq_backtrack && seq_backtrack <= MAX_SEQ_BACKTRACK); ASSERT (MIN_TIME_BACKTRACK <= time_backtrack && time_backtrack <= MAX_TIME_BACKTRACK); diff --git a/src/openvpn/packet_id.h b/src/openvpn/packet_id.h index 5eb501d..fb059b7 100644 --- a/src/openvpn/packet_id.h +++ b/src/openvpn/packet_id.h @@ -210,7 +210,7 @@ struct packet_id struct packet_id_rec rec; }; -void packet_id_init (struct packet_id *p, bool tcp_mode, int seq_backtrack, int time_backtrack, const char *name, int unit); +void packet_id_init (struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit); void packet_id_free (struct packet_id *p); /* should we accept an incoming packet id ? */ diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 8717324..c7823b2 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -799,7 +799,7 @@ key_state_init (struct tls_session *session, struct key_state *ks) /* init packet ID tracker */ if (session->opt->replay) { - packet_id_init (&ks->crypto_options.packet_id, session->opt->tcp_mode, + packet_id_init (&ks->crypto_options.packet_id, session->opt->replay_window, session->opt->replay_time, "SSL", ks->key_id); } 
@@ -948,7 +948,6 @@ tls_session_init (struct tls_multi *multi, struct tls_session *session) /* initialize packet ID replay window for --tls-auth */ packet_id_init (&session->tls_auth.packet_id, - session->opt->tcp_mode, session->opt->replay_window, session->opt->replay_time, "TLS_AUTH", session->key_id); -- 2.8.4 (Apple Git-73)
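Review bot: in the comp.c hunk the added `+buf_printf (out, "IV_TCPNL=1\n");` is not indented like the IV_COMP_STUB lines next to it, and announcing a packet-ID capability from comp_generate_peer_info_string() ties it to the compression code path, so a build or configuration that never calls that function will not advertise it; the general peer-info string builder is the better home. Nothing in this patch reads IV_TCPNL; if it only exists for the OpenVPN 3 server named in the commit message, the commit message should say so.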
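Review bot: removing the "--replay-window only makes sense with --proto udp" check in options.c together with the `!tcp_mode` condition in packet_id_init() is a user-visible change in what a TCP peer accepts: packet IDs arriving out of order within --replay-window/--replay-time are now accepted where strictly sequential IDs were required before. That is the point of the patch, but the commit message only mentions multithreading; it should state the new acceptance rule for TCP, and the man page text for --replay-window and --replay-time needs the same update as the removed check.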
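Review bot: the ssl.c hunks stop passing session->opt->tcp_mode to packet_id_init(), which leaves no reader of that field anywhere in this diff, yet no hunk drops the field itself or the place it is set; unless it is still used elsewhere, remove it in the same patch so the obsolete strict mode cannot be silently reintroduced.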
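What the dropped tcp_mode condition changes for a TCP peer, as an added example written for this page rather than OpenVPN's packet_id.c: a minimal model of the old strictly sequential check beside the seq_backtrack window that now applies to TCP too, run over constructed packet-ID streams. The 64-bit bitmap, the window size and the ID streams are assumptions of the model, not values from the patch.

```c
/* Added example, not OpenVPN's packet_id.c: a minimal model of the two
 * receive-side replay checks this patch unifies. "linear" is the old tcp_mode
 * (only id == last+1 is accepted); "windowed" is the seq_backtrack window that
 * now applies to TCP as well. Bitmap width and sample streams are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct replay_state {
    bool     linear;    /* strictly sequential ids (old TCP behaviour) */
    unsigned backtrack; /* windowed: accept ids up to this far behind highest */
    uint32_t highest;   /* highest id accepted so far; 0 = none yet (ids start at 1) */
    uint64_t seen;      /* bit i set => id (highest - i) already accepted, i < 64 */
};

void replay_init(struct replay_state *s, bool linear, unsigned backtrack)
{
    s->linear = linear;
    s->backtrack = backtrack < 64 ? backtrack : 63;  /* bitmap limit of this model */
    s->highest = 0;
    s->seen = 0;
}

/* Returns true and records the id if it may be accepted; false if it is a
 * duplicate, out of order (linear mode) or older than the window. */
bool replay_test_add(struct replay_state *s, uint32_t id)
{
    if (id == 0) {
        return false;                       /* 0 is never a valid packet id */
    }
    if (s->linear) {
        if (id != s->highest + 1) {
            return false;                   /* any gap or repeat is fatal in linear mode */
        }
        s->highest = id;
        return true;
    }
    if (id > s->highest) {
        uint32_t shift = id - s->highest;   /* slide the window forward */
        s->seen = (shift >= 64) ? 0 : (s->seen << shift);
        s->seen |= 1;                       /* bit 0 is the new highest itself */
        s->highest = id;
        return true;
    }
    uint32_t diff = s->highest - id;
    if (diff > s->backtrack) {
        return false;                       /* too old: fell out of the window */
    }
    if (s->seen & ((uint64_t)1 << diff)) {
        return false;                       /* replay of an id already accepted */
    }
    s->seen |= (uint64_t)1 << diff;         /* late but fresh: accept */
    return true;
}

/* Run a whole id stream through one mode and count the accepted packets. */
unsigned count_accepted(bool linear, unsigned backtrack, const uint32_t *ids, size_t n)
{
    struct replay_state s;
    replay_init(&s, linear, backtrack);
    unsigned accepted = 0;
    for (size_t i = 0; i < n; i++) {
        if (replay_test_add(&s, ids[i])) {
            accepted++;
        }
    }
    return accepted;
}

/* Constructed streams: a reordered pair (4 before 3), a replay of 3 and a
 * replay of 1; then a jump far ahead followed by an id older than the window. */
const uint32_t stream_reordered[]   = { 1, 2, 4, 3, 3, 5, 1 };
const size_t   stream_reordered_len = sizeof stream_reordered / sizeof stream_reordered[0];
const uint32_t stream_stale[]       = { 1, 20, 10 };
const size_t   stream_stale_len     = sizeof stream_stale / sizeof stream_stale[0];

int main(void)
{
    printf("reordered stream: linear accepts %u, windowed(8) accepts %u of %zu\n",
           count_accepted(true, 8, stream_reordered, stream_reordered_len),
           count_accepted(false, 8, stream_reordered, stream_reordered_len),
           stream_reordered_len);
    printf("stale stream:     windowed(8) accepts %u of %zu\n",
           count_accepted(false, 8, stream_stale, stream_stale_len), stream_stale_len);
    return 0;
}
```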
Re: [Openvpn-devel] [PATCH] Enable TCP non-linear packet ID
Hi,

On Sat, Sep 17, 2016 at 03:33:28PM +0200, Arne Schwabe wrote:
> --- a/src/openvpn/forward.c
> +++ b/src/openvpn/forward.c
> @@ -391,7 +391,7 @@ check_fragment_dowork (struct context *c)
>struct link_socket_info *lsi = get_link_socket_info (c);
>
>/* OS MTU Hint? */
> - if (lsi->mtu_changed && c->c2.ipv4_tun)
> + if (lsi->mtu_changed)
> {
>frame_adjust_path_mtu (&c->c2.frame_fragment, c->c2.link_socket->mtu,
>c->options.ce.proto);

I *think* this is part of the other patch...

gert
-- 
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
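Review bot: the quoted forward.c hunk is indeed a separate change: dropping `c->c2.ipv4_tun` makes frame_adjust_path_mtu() run on every OS MTU hint regardless of whether the tun carries IPv4, which is a behaviour change that needs its own commit message and rationale rather than riding along with the packet-ID work.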
Re: [Openvpn-devel] [PATCH] Fix win32 building with C99 mode
Hi,

On Sat, Sep 17, 2016 at 06:40:00PM +0500, ?? wrote:
> Should we add mingw compiler to travis-ci matrix?

If travis can do mingw builds, that would be good. But it is complicated.

gert
Re: [Openvpn-devel] [PATCH] Fix win32 building with C99 mode
Should we add mingw compiler to travis-ci matrix?

On 17 Sep 2016, 6:34 PM, user "Gert Doering" wrote:

In -std=c99 mode, WIN32 is not defined to be "1" anymore, but just "#define WIN32" - so the "#if WIN32" breaks, needs to be "#ifdef WIN32" Signed-off-by: Gert Doering --- src/openvpn/misc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index 0991d79..2982cd0 100644 --- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c @@ -977,7 +977,7 @@ hostname_randomize(const char *hostname, struct gc_arena *gc) const char * gen_path (const char *directory, const char *filename, struct gc_arena *gc) { -#if WIN32 +#ifdef WIN32 const int CC_PATH_RESERVED = CC_LESS_THAN|CC_GREATER_THAN|CC_COLON| CC_DOUBLE_QUOTE|CC_SLASH|CC_BACKSLASH|CC_PIPE|CC_QUESTION_ MARK|CC_ASTERISK; #else -- 1.9.1
[Openvpn-devel] [PATCH v4] Support for disabled peer-id
From: Lev Stipakov

v4:
- replace magic number with define
- show user a decimal value instead of hex

v3:
* move assert outside of loop
* add max-clients value check to options

v2:
* Add round brackets for clarity
* Rephrase comment

Support for disabled peer-id

When the peer-id value is 0xFF, the server should ignore it and treat the packet in the same way as P_DATA_V1.

---
src/openvpn/mudp.c| 13 ++--- src/openvpn/multi.c | 3 ++- src/openvpn/openvpn.h | 2 ++ src/openvpn/options.c | 5 + 4 files changed, 19 insertions(+), 4 deletions(-) diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c index 21a7e97..fec5e8d 100644 --- a/src/openvpn/mudp.c +++ b/src/openvpn/mudp.c @@ -64,12 +64,16 @@ multi_get_create_instance_udp (struct multi_context *m, bool *floated) struct hash_bucket *bucket = hash_bucket (hash, hv); uint8_t* ptr = BPTR(&m->top.c2.buf); uint8_t op = ptr[0] >> P_OPCODE_SHIFT; + bool v2 = (op == P_DATA_V2) && (m->top.c2.buf.len >= (1 + 3)); + bool peer_id_disabled = false; /* make sure buffer has enough length to read opcode (1 byte) and peer-id (3 bytes) */ - if (op == P_DATA_V2 && m->top.c2.buf.len >= (1 + 3)) + if (v2) { uint32_t peer_id = ntohl(*(uint32_t*)ptr) & 0xFF; - if ((peer_id < m->max_clients) && (m->instances[peer_id])) + peer_id_disabled = (peer_id == MAX_PEER_ID); + + if (!peer_id_disabled && (peer_id < m->max_clients) && (m->instances[peer_id])) { mi = m->instances[peer_id]; @@ -84,7 +88,7 @@ multi_get_create_instance_udp (struct multi_context *m, bool *floated) } } } - else + if (!v2 || peer_id_disabled) { he = hash_lookup_fast (hash, bucket, &real, hv); if (he) @@ -107,6 +111,9 @@ multi_get_create_instance_udp (struct multi_context *m, bool *floated) hash_add_fast (hash, bucket, &mi->real, hv, mi); mi->did_real_hash = true; + /* max_clients must be less then max peer-id value */ + ASSERT(m->max_clients < MAX_PEER_ID); + for (i = 0; i < m->max_clients; ++i) { if (!m->instances[i])
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index ba7f2c0..3bc6ee9 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -605,7 +605,8 @@ multi_close_instance (struct multi_context *m, } #endif - m->instances[mi->context.c2.tls_multi->peer_id] = NULL; + if (mi->context.c2.tls_multi->peer_id != MAX_PEER_ID) + m->instances[mi->context.c2.tls_multi->peer_id] = NULL; schedule_remove_entry (m->schedule, (struct schedule_entry *) mi); diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h index 1a458f1..ec8075d 100644 --- a/src/openvpn/openvpn.h +++ b/src/openvpn/openvpn.h @@ -595,4 +595,6 @@ struct context #define CIPHER_ENABLED(c) (false) #endif +#define MAX_PEER_ID 0xFF + #endif diff --git a/src/openvpn/options.c b/src/openvpn/options.c index c9688c3..29c76a6 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -5893,6 +5893,11 @@ add_option (struct options *options, msg (msglevel, "--max-clients must be at least 1"); goto err; } + if (max_clients >= MAX_PEER_ID) /* max peer-id value */ + { + msg (msglevel, "--max-clients must be less than 16777215"); + goto err; + } options->max_clients = max_clients; } else if (streq (p[0], "max-routes-per-client") && p[1] && !p[2]) -- 1.9.1
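Review bot: in the options.c hunk the message hard-codes "16777215" while the check compares against MAX_PEER_ID; print the define through a format specifier so the two cannot drift apart. That literal also exposes an inconsistency in the series as rendered here: 16777215 is 0xFFFFFF, the all-ones value of the 3-byte peer-id the mudp.c comment describes, whereas `#define MAX_PEER_ID 0xFF` and the `& 0xFF` mask read as an 8-bit value; confirm that the define and the mask are the full 24-bit constant, since a narrower mask would fold higher ids onto the low byte. The new define in openvpn.h should also carry a comment saying it is the "peer-id disabled" sentinel.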
[Openvpn-devel] [PATCH] Enable TCP non-linear packet ID
Implementation with multiple threads needs that to be able to run encryption in parallel. Tested with James' OpenVPN 3 server.

---
src/openvpn/comp.c | 1 + src/openvpn/forward.c | 2 +- src/openvpn/init.c | 1 - src/openvpn/options.c | 5 - src/openvpn/packet_id.c | 7 +++ src/openvpn/packet_id.h | 2 +- src/openvpn/ssl.c | 3 +-- 7 files changed, 7 insertions(+), 14 deletions(-) diff --git a/src/openvpn/comp.c b/src/openvpn/comp.c index 3a32c62..61f6f08 100644 --- a/src/openvpn/comp.c +++ b/src/openvpn/comp.c @@ -160,6 +160,7 @@ comp_generate_peer_info_string(const struct compress_options *opt, struct buffer buf_printf (out, "IV_LZO_STUB=1\n"); buf_printf (out, "IV_COMP_STUB=1\n"); buf_printf (out, "IV_COMP_STUBv2=1\n"); +buf_printf (out, "IV_TCPNL=1\n"); } } diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 6c11439..b3077ed 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -391,7 +391,7 @@ check_fragment_dowork (struct context *c) struct link_socket_info *lsi = get_link_socket_info (c); /* OS MTU Hint? */ - if (lsi->mtu_changed && c->c2.ipv4_tun) + if (lsi->mtu_changed) { frame_adjust_path_mtu (&c->c2.frame_fragment, c->c2.link_socket->mtu, c->options.ce.proto); diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 9cd3d9f..fdeaf95 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2143,7 +2143,6 @@ do_init_crypto_static (struct context *c, const unsigned int flags) if (options->replay) { packet_id_init (&c->c2.crypto_options.packet_id, - link_socket_proto_connection_oriented (options->ce.proto), options->replay_window, options->replay_time, "STATIC", 0); diff --git a/src/openvpn/options.c b/src/openvpn/options.c index dd7d461..1be32ff 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c
@@ -2215,11 +2215,6 @@ options_postprocess_verify_ce (const struct options *options, const struct conne /* * Check consistency of replay options */ - if ((!proto_is_udp(ce->proto)) - && (options->replay_window != defaults.replay_window - || options->replay_time != defaults.replay_time)) -msg (M_USAGE, "--replay-window only makes sense with --proto udp"); - if (!options->replay && (options->replay_window != defaults.replay_window || options->replay_time != defaults.replay_time)) diff --git a/src/openvpn/packet_id.c b/src/openvpn/packet_id.c index baa4966..9874519 100644 --- a/src/openvpn/packet_id.c +++ b/src/openvpn/packet_id.c @@ -76,10 +76,9 @@ packet_id_debug (int msglevel, } void -packet_id_init (struct packet_id *p, bool tcp_mode, int seq_backtrack, int time_backtrack, const char *name, int unit) +packet_id_init (struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit) { - dmsg (D_PID_DEBUG, "PID packet_id_init tcp_mode=%d seq_backtrack=%d time_backtrack=%d", - tcp_mode, + dmsg (D_PID_DEBUG, "PID packet_id_init seq_backtrack=%d time_backtrack=%d", seq_backtrack, time_backtrack); @@ -88,7 +87,7 @@ packet_id_init (struct packet_id *p, bool tcp_mode, int seq_backtrack, int time_ p->rec.name = name; p->rec.unit = unit; - if (seq_backtrack && !tcp_mode) + if (seq_backtrack) { ASSERT (MIN_SEQ_BACKTRACK <= seq_backtrack && seq_backtrack <= MAX_SEQ_BACKTRACK); ASSERT (MIN_TIME_BACKTRACK <= time_backtrack && time_backtrack <= MAX_TIME_BACKTRACK); diff --git a/src/openvpn/packet_id.h b/src/openvpn/packet_id.h index 5eb501d..fb059b7 100644 --- a/src/openvpn/packet_id.h +++ b/src/openvpn/packet_id.h 
@@ -210,7 +210,7 @@ struct packet_id struct packet_id_rec rec; }; -void packet_id_init (struct packet_id *p, bool tcp_mode, int seq_backtrack, int time_backtrack, const char *name, int unit); +void packet_id_init (struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit); void packet_id_free (struct packet_id *p); /* should we accept an incoming packet id ? */ diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 8717324..c7823b2 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -799,7 +799,7 @@ key_state_init (struct tls_session *session, struct key_state *ks) /* init packet ID tracker */ if (session->opt->replay) { - packet_id_init (&ks->crypto_options.packet_id, session->opt->tcp_mode, + packet_id_init (&ks->crypto_options.packet_id, session->opt->replay_window, session->opt->replay_time, "SSL", ks->key_id); } @@ -948,7 +948,6 @@ tls_session_init (struct tls_multi *multi, struct tls_session *session) /* initialize packet ID replay window for --tls-auth */ packet_id_init (&session->tls_auth.packet_id, - session->opt->tcp_mode, session->opt->replay_window, sessi
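Review bot: the forward.c hunk is not covered by the commit message ("Enable TCP non-linear packet ID") and touches fragment/MTU handling rather than packet_id; split it out as its own patch with its own explanation so that each change can be reviewed, bisected and reverted independently.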
[Openvpn-devel] [PATCH] Fix win32 building with C99 mode
In -std=c99 mode, WIN32 is not defined to be "1" anymore, but just "#define WIN32" - so the "#if WIN32" breaks, needs to be "#ifdef WIN32"

Signed-off-by: Gert Doering

---
src/openvpn/misc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index 0991d79..2982cd0 100644 --- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c @@ -977,7 +977,7 @@ hostname_randomize(const char *hostname, struct gc_arena *gc) const char * gen_path (const char *directory, const char *filename, struct gc_arena *gc) { -#if WIN32 +#ifdef WIN32 const int CC_PATH_RESERVED = CC_LESS_THAN|CC_GREATER_THAN|CC_COLON| CC_DOUBLE_QUOTE|CC_SLASH|CC_BACKSLASH|CC_PIPE|CC_QUESTION_MARK|CC_ASTERISK; #else -- 1.9.1
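Review bot: `#ifdef WIN32` fixes the immediate -std=c99 break, but as the follow-up in this thread points out, WIN32 is only defined by chance through a header pulled in via syshead.h; testing the compiler-predefined `_WIN32` (or defining WIN32 in config.h) makes gen_path()'s choice of CC_PATH_RESERVED independent of header order. The patch touches only this one site, so a grep for other `#if WIN32` uses before merging is worthwhile.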
[Openvpn-devel] [PATCHv2] Document the --auth-token option
This isn't an option to be used directly in any configuration files, but to be used via --client-connect scripts or --plugin making use of OPENVPN_PLUGIN_CLIENT_CONNECT or OPENVPN_PLUGIN_CLIENT_CONNECT_V2.

[v2
- Added lacking .B styling of options
- Clarified the token life time ]

Signed-off-by: David Sommerseth

---
doc/openvpn.8 | 56 ++-- 1 file changed, 54 insertions(+), 2 deletions(-) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 2f42636..be9dc47 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -4,7 +4,7 @@ .\" packet encryption, packet authentication, and .\" packet compression. .\" -.\" Copyright (C) 2002-2010 OpenVPN Technologies, Inc. +.\" Copyright (C) 2002-2016 OpenVPN Technologies, Inc. .\" .\" This program is free software; you can redistribute it and/or modify .\" it under the terms of the GNU General Public License version 2 @@ -34,7 +34,7 @@ .\" .ft -- normal face .\" .in +|-{n} -- indent .\" -.TH openvpn 8 "17 November 2008" +.TH openvpn 8 "25 August 2016" .\"* .SH NAME openvpn \- secure IP tunnel daemon. @@ -2931,6 +2931,7 @@ This is a partial list of options which can currently be pushed: .B \-\-ip\-win32, \-\-dhcp\-option, .B \-\-inactive, \-\-ping, \-\-ping\-exit, \-\-ping\-restart, .B \-\-setenv, +.B \-\-auth\-token, .B \-\-persist\-key, \-\-persist\-tun, \-\-echo, .B \-\-comp\-lzo, .B \-\-socket\-flags,
@@ -5023,6 +5024,57 @@ This directive does not affect the username/password. It is always cached. .\"* .TP +.B \-\-auth\-token token +This is not an option to be used directly in any configuration files, +but rather push this option from a +.B \-\-client\-connect +script or a +.B \-\-plugin +which hooks into the OPENVPN_PLUGIN_CLIENT_CONNECT or +OPENVPN_PLUGIN_CLIENT_CONNECT_V2 calls. This option provides +a possibility to replace the clients password with an authentication +token during the lifetime of the OpenVPN client. + +Whenever the connection is renegotiated and the +.B \-\-auth\-user\-pass\-verify +script or +.B \-\-plugin +making use of the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY hook is +triggered, it will pass over this token as the password +instead of the password the user provided. The authentication +token can only be reset by a full reconnect where the server +can push new options to the client. The password the user entered +is never preserved once an authentication token have been set. If +the OpenVPN server side rejects the authentication token, the +client will receive an AUTH_FAIL and disconnect. + +The purpose of this is to enable two factor authentication +methods, such as HOTP or TOTP, to be used without needing to +retrieve a new OTP code each time the connection is renegotiated. +Another use case is to cache authentication data on the client +without needing to have the users password cached in memory +during the life time of the session. + +To make use of this feature, the +.B \-\-client\-connect +script or +.B \-\-plugin +needs to put + +.nf +.ft 3 +.in +4 +push "auth\-token UNIQUE_TOKEN_VALUE" +.in -4 +.ft +.fi + +into the file/buffer for dynamic configuration data. This +will then make the OpenVPN server to push this value to the +client, which replaces the local password with the +UNIQUE_TOKEN_VALUE. 
+.\"* +.TP .B \-\-tls\-verify cmd Run command .B cmd -- 1.8.3.1
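Review bot: wording in the new man page text: "replace the clients password" should be "client's password", "once an authentication token have been set" should be "has been set", "make the OpenVPN server to push" should be "make the OpenVPN server push", "the users password" should be "user's password", and "life time" should be "lifetime". More important for script and plugin authors is guidance on UNIQUE_TOKEN_VALUE itself: since it replaces the password for the rest of the session and is re-presented on every renegotiation, the text should say that it must come from a cryptographically secure random source with enough entropy, be unique per session, and be something the server's OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY handler can recognise and later invalidate.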
Re: [Openvpn-devel] [PATCH v3] Support for disabled peer-id
Hi,

On 17 September 2016 at 14:53, Lev Stipakov wrote:
> From: Lev Stipakov
>
> v3:
> * move assert outside of loop
> * add max-clients value check to options
>
> [...]
>
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -5893,6 +5893,11 @@ add_option (struct options *options,
> msg (msglevel, "--max-clients must be at least 1");
> goto err;
> }
> + if (max_clients >= 0xFF) /* max peer-id value */
> + {
> + msg (msglevel, "--max-clients must be less than 0xFF");
> + goto err;
> + }
>options->max_clients = max_clients;
> }
>else if (streq (p[0], "max-routes-per-client") && p[1] && !p[2])

Thanks. One more nitpick though. There are quite some occurrences of 0xFF now. I think a #define MAX_PEER_ID 0xFF is warranted. And if you do so, please change the error message to print the decimal value, since that is also how we expect users to specify the --max-clients argument.

-Steffan
[Openvpn-devel] [PATCH v3] Support for disabled peer-id
From: Lev Stipakov

v3:
* move assert outside of loop
* add max-clients value check to options

v2:
* Add round brackets for clarity
* Rephrase comment

Support for disabled peer-id

When the peer-id value is 0xFF, the server should ignore it and treat the packet in the same way as P_DATA_V1.

---
src/openvpn/mudp.c| 13 ++--- src/openvpn/multi.c | 3 ++- src/openvpn/options.c | 5 + 3 files changed, 17 insertions(+), 4 deletions(-) diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c index 21a7e97..59795eb 100644 --- a/src/openvpn/mudp.c +++ b/src/openvpn/mudp.c @@ -64,12 +64,16 @@ multi_get_create_instance_udp (struct multi_context *m, bool *floated) struct hash_bucket *bucket = hash_bucket (hash, hv); uint8_t* ptr = BPTR(&m->top.c2.buf); uint8_t op = ptr[0] >> P_OPCODE_SHIFT; + bool v2 = (op == P_DATA_V2) && (m->top.c2.buf.len >= (1 + 3)); + bool peer_id_disabled = false; /* make sure buffer has enough length to read opcode (1 byte) and peer-id (3 bytes) */ - if (op == P_DATA_V2 && m->top.c2.buf.len >= (1 + 3)) + if (v2) { uint32_t peer_id = ntohl(*(uint32_t*)ptr) & 0xFF; - if ((peer_id < m->max_clients) && (m->instances[peer_id])) + peer_id_disabled = (peer_id == 0xFF); + + if (!peer_id_disabled && (peer_id < m->max_clients) && (m->instances[peer_id])) { mi = m->instances[peer_id]; @@ -84,7 +88,7 @@ multi_get_create_instance_udp (struct multi_context *m, bool *floated) } } } - else + if (!v2 || peer_id_disabled) { he = hash_lookup_fast (hash, bucket, &real, hv); if (he) @@ -107,6 +111,9 @@ multi_get_create_instance_udp (struct multi_context *m, bool *floated) hash_add_fast (hash, bucket, &mi->real, hv, mi); mi->did_real_hash = true; + /* max_clients must be less then max peer-id value */ + ASSERT(m->max_clients < 0xFF); + for (i = 0; i < m->max_clients; ++i) { if (!m->instances[i]) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index ba7f2c0..73b211e 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c
@@ -605,7 +605,8 @@ multi_close_instance (struct multi_context *m, } #endif - m->instances[mi->context.c2.tls_multi->peer_id] = NULL; + if (mi->context.c2.tls_multi->peer_id != 0xFF) + m->instances[mi->context.c2.tls_multi->peer_id] = NULL; schedule_remove_entry (m->schedule, (struct schedule_entry *) mi); diff --git a/src/openvpn/options.c b/src/openvpn/options.c index c9688c3..493ffe6 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -5893,6 +5893,11 @@ add_option (struct options *options, msg (msglevel, "--max-clients must be at least 1"); goto err; } + if (max_clients >= 0xFF) /* max peer-id value */ + { + msg (msglevel, "--max-clients must be less than 0xFF"); + goto err; + } options->max_clients = max_clients; } else if (streq (p[0], "max-routes-per-client") && p[1] && !p[2]) -- 1.9.1
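Review bot: the multi.c hunk adds `if (mi->context.c2.tls_multi->peer_id != 0xFF)` with no comment and as an unbraced single-statement body; a one-line comment that a disabled peer-id never had a slot in m->instances explains why the assignment is skipped, and braces match the style of the other hunks in this patch.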
Re: [Openvpn-devel] [PATCH applied] Re: Prefer RECVDSTADDR to PKTINFO for IPv4 in OS X since it actually works (unlike PKTINFO)
Hi,

On Sat, Sep 17, 2016 at 02:01:03PM +0200, Gert Doering wrote:
> Your patch has been applied to the master branch.
>
> commit 3ffe2338c092d7bd4abace3ae9fa0b4f85cf4b87
> Author: Arne Schwabe
> Date: Sat Sep 17 11:00:35 2016 +0200

Forgot to push and then David put a new patch in between, so the commit-id changed. Sorry.

commit e7303ace6f101bbe61c3251c080975cf5c261f71
Author: Arne Schwabe
Date: Sat Sep 17 11:00:35 2016 +0200

Prefer RECVDSTADDR to PKTINFO for IPv4 in OS X since it actually works (unlike PKTINFO)

gert
Re: [Openvpn-devel] how is debug/doval and debug/dovalns are supposed to be used ?
On 17/09/16 14:37, ??? wrote:
> Hello,
>
> I see a couple of valgrind-like tests
>
> debug/dovalns debug/doval
>
> however, I do not see any usage of them
>
> [ilia@localhost openvpn]$ find . -type f -exec grep doval {} ';' -print
> Binary file ./.git/index matches
> ./.git/index
> [ilia@localhost openvpn]$
>
> I would like to add valgrind tests to .travis.yml
>
> also, if openssl is compiled with -DPURIFY, it is not so annoying with
> valgrind, should we add -DPURIFY as well ?

This is tackled via the --with-mem-check argument to ./configure.

$ ./configure --with-mem-check=valgrind

That should make valgrind runs look far more reasonable.

-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
Re: [Openvpn-devel] [PATCH applied] Add SHA256 fingerprint support
ACK! Your patch has been applied to the master branch

This patch also includes the clean cert_hash_remember scoping patch.

commit af1e4d26ab65bd71de168ea621ca55d0e40a0bc1
Author: Steffan Karger
Date: Thu May 5 22:14:07 2016 +0200

Add SHA256 fingerprint support

Signed-off-by: Steffan Karger
Acked-by: David Sommerseth
Message-Id: 1462479247-21854-1-git-send-email-stef...@karger.me
Message-Id: 1474055635-7427-1-git-send-email-stef...@karger.me
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg11859.html
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12464.html
Signed-off-by: David Sommerseth

-- 
kind regards,

David Sommerseth
[Openvpn-devel] [PATCH applied] Re: Prefer RECVDSTADDR to PKTINFO for IPv4 in OS X since it actually works (unlike PKTINFO)
ACK. Your patch has been applied to the master branch.

commit 3ffe2338c092d7bd4abace3ae9fa0b4f85cf4b87
Author: Arne Schwabe
Date:   Sat Sep 17 11:00:35 2016 +0200

    Prefer RECVDSTADDR to PKTINFO for IPv4 in OS X since it actually works (unlike PKTINFO)

    Acked-by: Gert Doering
    Message-Id: <1474102835-13402-1-git-send-email-a...@rfc2549.org>
    URL: http://www.mail-archive.com/search?l=mid&q=1474102835-13402-1-git-send-email-a...@rfc2549.org
    Signed-off-by: Gert Doering

-- 
kind regards,

Gert Doering
[Openvpn-devel] [PATCH applied] Re: Fix ENABLE_WITH_OPENSSL set to YES even with --disable-crypto set
ACK. Your patch has been applied to the master branch. Text changed to read "ENABLE_CRYPTO_OPENSSL".

commit d13a40a4a477bae3efede6945174df1cb2c3aa69
Author: Arne Schwabe
Date:   Sat Sep 17 13:16:46 2016 +0200

    Fix ENABLE_CRYPTO_OPENSSL set to YES even with --disable-crypto set

    Acked-by: Gert Doering
    Message-Id: <1474111006-16401-1-git-send-email-a...@rfc2549.org>
    URL: http://www.mail-archive.com/search?l=mid&q=1474111006-16401-1-git-send-email-a...@rfc2549.org
    Signed-off-by: Gert Doering

-- 
kind regards,

Gert Doering
[Openvpn-devel] how is debug/doval and debug/dovalns are supposed to be used ?
Hello,

I see a couple of valgrind-like tests

debug/dovalns debug/doval

however, I do not see any usage of them

[ilia@localhost openvpn]$ find . -type f -exec grep doval {} ';' -print
Binary file ./.git/index matches ./.git/index
[ilia@localhost openvpn]$

I would like to add valgrind tests to .travis.yml

also, if openssl is compiled with -DPURIFY, it is not so annoying with valgrind, should we add -DPURIFY as well ?

Cheers,
Ilya Shipitsin
Re: [Openvpn-devel] [PATCH applied] t_client.sh: Improve detection if the OpenVPN process did start during tests
ACK, thanks. Your patch has been applied to the following branches

commit 3712322ee1219e55640f2f4e5f822799edacd7cc (master)
commit 3347d51ea779b190864fe0715da3e9d7e8fa365c (release/2.3)
Author: David Sommerseth
Date:   Sat Sep 17 14:18:05 2016 +0300

    t_client.sh: Improve detection if the OpenVPN process did start during tests

    Signed-off-by: David Sommerseth
    Acked-by: Gert Doering
    Message-Id: <1474111085-10678-1-git-send-email-dav...@openvpn.net>
    URL: http://www.mail-archive.com/search?l=mid&q=1474111085-10678-1-git-send-email-dav...@openvpn.net
    Signed-off-by: Gert Doering

-- 
kind regards,

Gert Doering
Re: [Openvpn-devel] [PATCH] enable "--disable-crypto" build configuration
2016-09-17 16:17 GMT+05:00 Steffan Karger : > Hi, > > On 17 September 2016 at 12:54, Ilya Shipitsin > wrote: > > --- > > .travis.yml | 4 > > 1 file changed, 4 deletions(-) > > > > diff --git a/.travis.yml b/.travis.yml > > index 452c48e..369db97 100644 > > --- a/.travis.yml > > +++ b/.travis.yml > > @@ -51,10 +51,6 @@ matrix: > >os: osx > >osx_image: xcode7.3 > >compiler: clang > > - allow_failures: > > -- env: SSLLIB="openssl" EXTRA_CONFIG="--disable-crypto" > > - os: linux > > - compiler: clang > >exclude: > > - compiler: gcc > > > > -- > > 2.5.5 > > Thanks. The patch is good, so ACK. > > But the commit messages should describe why this change is needed. In > this case: > > Previously, 'make test' failed for --disable-crypto builds. Since > that is not fixed, we should no longer accept --disable-crypto builds > to fail 'make test' on travis. > > Could you please include such descriptions in future patches? > ok, I'm going to play with travis-ci + valgrind soon. or, some powershell for windows testing (it's on my list) > > -Steffan > -- ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied] t_client.sh: Add support for Kerberos/ksu
Your patch has been applied to the following branches

commit 6b25b99fe4b8bdf5cdba4a0fb247df40277d0525 (master)
commit f1b66b21f2f5c0ef74903048f84d69023ef21b8e (release/2.3)
Author: David Sommerseth
Date:   Sat Sep 17 13:50:33 2016 +0300

    t_client.sh: Add support for Kerberos/ksu

    Signed-off-by: David Sommerseth
    Acked-by: Gert Doering
    Message-Id: <1474109433-4710-1-git-send-email-dav...@openvpn.net>
    URL: http://www.mail-archive.com/search?l=mid&q=1474109433-4710-1-git-send-email-dav...@openvpn.net
    Signed-off-by: Gert Doering

-- 
kind regards,

Gert Doering
[Openvpn-devel] [PATCH] t_client.sh: Improve detection if the OpenVPN process did start during tests
This will check the OpenVPN log file if the process initialized successfully. It will check the log file for 30 seconds before aborting the test run. This also has the advantage of starting the testing quicker if the initialization goes faster than 10 seconds (which was the old sleep time). The umask is also set to a more permissive mode to ensure the test script is capable of reading the OpenVPN PID file, as that will be created by root. Signed-off-by: David Sommerseth --- tests/t_client.sh.in | 46 +- 1 file changed, 33 insertions(+), 13 deletions(-) diff --git a/tests/t_client.sh.in b/tests/t_client.sh.in index 64a3b9a..bde07a6 100755 --- a/tests/t_client.sh.in +++ b/tests/t_client.sh.in 
@@ -297,23 +297,39 @@ do openvpn_conf="$openvpn_conf --writepid $pidfile" echo " run openvpn $openvpn_conf" echo "# src/openvpn/openvpn $openvpn_conf" >$LOGDIR/$SUF:openvpn.log +umask 022 $RUN_SUDO "${top_builddir}/src/openvpn/openvpn" $openvpn_conf >>$LOGDIR/$SUF:openvpn.log & -sleep 3 # Wait for OpenVPN to initialize and have had time to write the pid file -opid=`cat $pidfile` -echo " OpenVPN running with PID $opid" - -# make sure openvpn client is terminated in case shell exits -trap "$RUN_SUDO $KILL_EXEC $opid" 0 -trap "$RUN_SUDO $KILL_EXEC $opid ; trap - 0 ; exit 1" 1 2 3 15 +sudopid=$! -echo "wait for connection to establish..." -sleep ${SETUP_TIME_WAIT:-10} +# Check if OpenVPN has initialized before continuing. It will check every 3rd second up +# to $ovpn_init_check times. +ovpn_init_check=10 +ovpn_init_success=0 +while [ $ovpn_init_check -gt 0 ]; +do + sleep 3 # Wait for OpenVPN to initialize and have had time to write the pid file + grep -q "Initialization Sequence Completed" $LOGDIR/$SUF:openvpn.log + if [ $? -eq 0 ]; then + ovpn_init_check=0 + ovpn_init_success=1 + fi + ovpn_init_check=$(( $ovpn_init_check - 1 )) +done -# test whether OpenVPN process is still there -if $RUN_SUDO $KILL_EXEC -0 $opid -then : +opid=`cat $pidfile` +if [ -n "$opid" ]; then +echo " OpenVPN running with PID $opid" else - fail "OpenVPN process has failed to start up, check log ($LOGDIR/$SUF:openvpn.log)." +echo " Could not read OpenVPN PID file" >&2 +fi + +# If OpenVPN did not start +if [ $ovpn_init_success -ne 1 -o -z "$opid" ]; then +echo "$0: OpenVPN did not initialize in a reasonable time" >&2 +if [ -n "$opid" ]; then + $RUN_SUDO $KILL_EXEC $opid +fi +$RUN_SUDO $KILL_EXEC $sudopid echo "tail -5 $SUF:openvpn.log" >&2 tail -5 $LOGDIR/$SUF:openvpn.log >&2 echo -e "\nFAIL. skip rest of sub-tests for test run $SUF.\n" >&2 
@@ -323,6 +339,10 @@ do continue fi +# make sure openvpn client is terminated in case shell exits +trap "$RUN_SUDO $KILL_EXEC $opid" 0 +trap "$RUN_SUDO $KILL_EXEC $opid ; trap - 0 ; exit 1" 1 2 3 15 + # compare whether anything changed in ifconfig/route setup? echo "save ifconfig+route" get_ifconfig_route >$LOGDIR/$SUF:ifconfig_route.txt -- 1.8.3.1 -- ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
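Review bot: in the `@@ -297,23 +297,39 @@` hunk, `SETUP_TIME_WAIT` is no longer consulted, so a t_client.rc that sets it is silently ignored and the wait budget is hard-coded to 10 polls of 3 seconds; either derive `ovpn_init_check` from the variable or state the removal in the commit message. The success branch sets `ovpn_init_check=0` and then still decrements it to -1, which only works because the loop tests `-gt 0`; a `break` would make the intent explicit. Note also that `umask 022` is issued inside the per-test loop and stays in effect for everything the script runs afterwards.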
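Review bot: in the `@@ -323,6 +339,10 @@` hunk, moving the two `trap` lines below the start-up check opens a window of up to 30 seconds between launching OpenVPN with `$RUN_SUDO ... &` and installing any cleanup handler; a Ctrl-C or script error in that window now leaves the root-owned OpenVPN process running, which the old code avoided. Installing a trap on `$sudopid` immediately after the `&` and swapping it for the `$opid` version once the PID file has been read keeps the previous guarantee.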
Re: [Openvpn-devel] [PATCH] enable "--disable-crypto" build configuration
Hi, On 17 September 2016 at 12:54, Ilya Shipitsin wrote: > --- > .travis.yml | 4 > 1 file changed, 4 deletions(-) > > diff --git a/.travis.yml b/.travis.yml > index 452c48e..369db97 100644 > --- a/.travis.yml > +++ b/.travis.yml > @@ -51,10 +51,6 @@ matrix: >os: osx >osx_image: xcode7.3 >compiler: clang > - allow_failures: > -- env: SSLLIB="openssl" EXTRA_CONFIG="--disable-crypto" > - os: linux > - compiler: clang >exclude: > - compiler: gcc > > -- > 2.5.5 Thanks. The patch is good, so ACK. But the commit messages should describe why this change is needed. In this case: Previously, 'make test' failed for --disable-crypto builds. Since that is not fixed, we should no longer accept --disable-crypto builds to fail 'make test' on travis. Could you please include such descriptions in future patches? -Steffan -- ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] Fix ENABLE_WITH_OPENSSL set to YES even with --disable-crypto set
On OS X openssl/x509.h is not in the standard include path and the files still try to include since the includes only depend on on ENABLE_WITH_OPENSSL. --- configure.ac | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index 5c5cdf8..e4f613b 100644 --- a/configure.ac +++ b/configure.ac @@ -781,7 +781,7 @@ PKG_CHECK_MODULES( [] ) -if test "${with_crypto_library}" = "openssl"; then +if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; then AC_ARG_VAR([OPENSSL_CFLAGS], [C compiler flags for OpenSSL]) AC_ARG_VAR([OPENSSL_LIBS], [linker flags for OpenSSL]) @@ -835,7 +835,7 @@ if test "${with_crypto_library}" = "openssl"; then AC_DEFINE([ENABLE_CRYPTO_OPENSSL], [1], [Use OpenSSL library]) CRYPTO_CFLAGS="${OPENSSL_CFLAGS}" CRYPTO_LIBS="${OPENSSL_LIBS}" -elif test "${with_crypto_library}" = "mbedtls"; then +elif test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "mbedtls"; then AC_ARG_VAR([MBEDTLS_CFLAGS], [C compiler flags for mbedtls]) AC_ARG_VAR([MBEDTLS_LIBS], [linker flags for mbedtls]) @@ -918,7 +918,7 @@ elif test "${with_crypto_library}" = "mbedtls"; then AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library]) CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}" CRYPTO_LIBS="${MBEDTLS_LIBS}" -else +elif test "${enable_crypto}" = "yes"; then AC_MSG_ERROR([Invalid crypto library: ${with_crypto_library}]) fi -- 2.7.4 (Apple Git-66) -- ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
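Review bot: in the third hunk, turning the final `else` into `elif test "${enable_crypto}" = "yes"` means a `--disable-crypto` build now silently accepts any `--with-crypto-library` value, including a misspelled one, where it previously failed with "Invalid crypto library"; that is probably intended but deserves a sentence in the commit message, whose subject also still says `ENABLE_WITH_OPENSSL` while the define actually guarded is `ENABLE_CRYPTO_OPENSSL`. Across all three hunks, the Autoconf manual advises against the binary `-a` operator of `test` for portability; `test "${enable_crypto}" = "yes" && test "${with_crypto_library}" = "openssl"` is the portable spelling.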
[Openvpn-devel] [PATCH] enable "--disable-crypto" build configuration
--- .travis.yml | 4 1 file changed, 4 deletions(-) diff --git a/.travis.yml b/.travis.yml index 452c48e..369db97 100644 --- a/.travis.yml +++ b/.travis.yml @@ -51,10 +51,6 @@ matrix: os: osx osx_image: xcode7.3 compiler: clang - allow_failures: -- env: SSLLIB="openssl" EXTRA_CONFIG="--disable-crypto" - os: linux - compiler: clang exclude: - compiler: gcc -- 2.5.5 -- ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
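Review bot: the commit message is empty; the single hunk should explain why the `allow_failures` entry for the `SSLLIB="openssl" EXTRA_CONFIG="--disable-crypto"` job is being dropped (the `--disable-crypto` build is now expected to pass `make test`, so its failures must be treated as real). Removing the whole `allow_failures:` key rather than only its entry is fine here, since no other entries remain under it.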
[Openvpn-devel] [PATCHv3] t_client.sh: Add support for Kerberos/ksu
If the t_client.rc have PREFER_KSU=1 configured, t_client.sh will check if you have a valid Kerberos ticket and if so it will do all execution via ksu instead of sudo. If PREFER_KSU is not set or a Kerberos ticket is not found, it will fallback to the configured RUN_SUDO approach. When using ksu it needs the full path to the program being executed, so there is also additional code to find the full path of true and kill. [ v2 - Remove $* from RUN_SUDO for ksu config. Old cruft which survived last review before patch submission. - Improve known state declaration of PREFER_KSU ] [ v3 - Kick out bashism - '&>' redirect ] Signed-off-by: David Sommerseth --- tests/t_client.sh.in | 40 +++- 1 file changed, 35 insertions(+), 5 deletions(-) diff --git a/tests/t_client.sh.in b/tests/t_client.sh.in index fc82cdb..64a3b9a 100755 --- a/tests/t_client.sh.in +++ b/tests/t_client.sh.in @@ -36,6 +36,18 @@ if [ $? -ne 0 ]; then exit 77 fi +KILL_EXEC=`which kill` +if [ $? -ne 0 ]; then +echo "$0: kill not found in \$PATH" >&2 +exit 77 +fi + +TRUE_EXEC=`which true` +if [ $? -ne 0 ]; then +echo "$0: true not found in \$PATH" >&2 +exit 77 +fi + if [ ! -x "${top_builddir}/src/openvpn/openvpn" ] then echo "no (executable) openvpn binary in current build tree. FAIL." >&2 @@ -58,12 +70,29 @@ if [ -z "$TEST_RUN_LIST" ] ; then exit 77 fi +# Ensure PREFER_KSU is in a known state +PREFER_KSU="${PREFER_KSU:-0}" + # make sure we have permissions to run ifconfig/route from OpenVPN # can't use "id -u" here - doesn't work on Solaris ID=`id` if expr "$ID" : "uid=0" >/dev/null then : else +if [ "${PREFER_KSU}" -eq 1 ]; +then +# Check if we have a valid kerberos ticket +klist -l 1>/dev/null 2>/dev/null +if [ $? -ne 0 ]; +then +# No kerberos ticket found, skip ksu and fallback to RUN_SUDO +PREFER_KSU=0 +echo "$0: No Kerberos ticket available. Will not use ksu." +else +RUN_SUDO="ksu -q -e" +fi +fi + if [ -z "$RUN_SUDO" ] then echo "$0: this test must run be as root, or RUN_SUDO=... " >&2 
@@ -73,7 +102,7 @@ else # We have to use sudo. Make sure that we (hopefully) do not have # to ask the users password during the test. This is done to # prevent timing issues, e.g. when the waits for openvpn to start -$RUN_SUDO \true +$RUN_SUDO $TRUE_EXEC fi fi @@ -90,6 +119,7 @@ exit_code=0 # -- # helper functions # -- + # print failure message, increase FAIL counter fail() { @@ -273,14 +303,14 @@ do echo " OpenVPN running with PID $opid" # make sure openvpn client is terminated in case shell exits -trap "$RUN_SUDO kill $opid" 0 -trap "$RUN_SUDO kill $opid ; trap - 0 ; exit 1" 1 2 3 15 +trap "$RUN_SUDO $KILL_EXEC $opid" 0 +trap "$RUN_SUDO $KILL_EXEC $opid ; trap - 0 ; exit 1" 1 2 3 15 echo "wait for connection to establish..." sleep ${SETUP_TIME_WAIT:-10} # test whether OpenVPN process is still there -if $RUN_SUDO kill -0 $opid +if $RUN_SUDO $KILL_EXEC -0 $opid then : else fail "OpenVPN process has failed to start up, check log ($LOGDIR/$SUF:openvpn.log)." @@ -315,7 +345,7 @@ do echo -e "ping tests done.\n" echo "stopping OpenVPN" -$RUN_SUDO kill $opid +$RUN_SUDO $KILL_EXEC $opid wait $! rc=$? if [ $rc != 0 ] ; then -- 1.8.3.1 -- ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
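Review bot: in the `@@ -36,6 +36,18 @@` hunk, `KILL_EXEC=\`which kill\`` followed by `[ $? -ne 0 ]` relies on `which` exiting non-zero when nothing is found, which not every implementation does (some print a "no kill in ..." message and exit 0, leaving that text in `KILL_EXEC`); testing `[ -x "$KILL_EXEC" ]` after the assignment is the portable check, and the same applies to `TRUE_EXEC`.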
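Review bot: in the `@@ -58,12 +70,29 @@` hunk, `[ "${PREFER_KSU}" -eq 1 ]` fails with an "integer expression expected" error (and is treated as false) if t_client.rc sets a non-numeric value such as `yes`; comparing as a string, or documenting that only 0/1 are accepted, avoids the confusing message. Also, `RUN_SUDO="ksu -q -e"` silently overrides a `RUN_SUDO` the user configured explicitly; a short comment stating that a valid ticket plus `PREFER_KSU=1` takes precedence would help.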
Re: [Openvpn-devel] [PATCHv2] t_client.sh: Add support for Kerberos/ksu
Hi,

On Sat, Sep 17, 2016 at 01:19:33PM +0300, David Sommerseth wrote:
> +klist -l &> /dev/null

NAK :)

(bashism, on ksh it will just put "klist -l" into the background)

gert
-- 
USENET is *not* the non-clickable part of WWW!                 //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
[Openvpn-devel] [PATCH v3 (release/2.3)] Drop recursively routed packets
From: Lev Stipakov v3: Use better way of figuring out IP proto version which does not break TAP mode. Add an option to allow recursive routing, could be useful when packets sent by openvpn itself are not subject to the routing tables that would move packets into the tunnel. v2: better method naming On certain OSes (Windows, OS X) when network adapter is disabled (ethernet cable pulled off, Wi-Fi hardware switch disabled), operating system starts to use tun as an external interface. Outgoing packets are routed to tun, UDP encapsulated, given to routing table and sent to.. tun. As a consequence, system starts talking to itself on full power, traffic counters skyrocket and user is not happy. To prevent that, drop packets which have gateway IP as destination address. Tested on Win7/10, OS X. --- doc/openvpn.8 | 4 +++ src/openvpn/forward.c | 71 +++ src/openvpn/options.c | 10 src/openvpn/options.h | 4 +++ src/openvpn/proto.h | 32 +++ 5 files changed, 121 insertions(+) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index d9bb77c..0decc54 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -3796,6 +3796,10 @@ rather than waiting for a timeout. The parameter (default=1) controls the maximum number of attempts that the client will try to resend the exit notification message. OpenVPN will not send any exit notifications unless this option is enabled. +.TP +.B \-\-allow\-recursive\-routing +When this option is set, OpenVPN will not drop incoming tun packets +with same destination as host. .\"* .SS Data Channel Encryption Options: These options are meaningful for both Static & TLS-negotiated key modes diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 5ba6fcb..d725f8d 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c 
@@ -968,6 +968,75 @@ read_incoming_tun (struct context *c) perf_pop (); } +/** + * Drops UDP packets which OS decided to route via tun. + * + * On Windows and OS X when netwotk adapter is disabled or + * disconnected, platform starts to use tun as external interface. + * When packet is sent to tun, it comes to openvpn, encapsulated + * and sent to routing table, which sends it again to tun. + */ +static void +drop_if_recursive_routing (struct context *c, struct buffer *buf) +{ + bool drop = false; + struct openvpn_sockaddr tun_sa; + + if (c->c2.to_link_addr == NULL) /* no remote addr known */ +return; + + tun_sa = c->c2.to_link_addr->dest; + + int proto_ver = get_tun_ip_ver (TUNNEL_TYPE (c->c1.tuntap), &c->c2.buf); + + if (proto_ver == 4) +{ + const struct openvpn_iphdr *pip; + + /* make sure we got whole IP header */ + if (BLEN (buf) < (int) sizeof (struct openvpn_iphdr)) + return; + + /* skip ipv4 packets for ipv6 tun */ + if (tun_sa.addr.sa.sa_family != AF_INET) + return; + + pip = (struct openvpn_iphdr *) BPTR (buf); + + /* drop packets with same dest addr as gateway */ + if (tun_sa.addr.in4.sin_addr.s_addr == pip->daddr) + drop = true; +} + else if (proto_ver == 6) +{ + const struct openvpn_ipv6hdr *pip6; + + /* make sure we got whole IPv6 header */ + if (BLEN (buf) < (int) sizeof (struct openvpn_ipv6hdr)) + return; + + /* skip ipv6 packets for ipv4 tun */ + if (tun_sa.addr.sa.sa_family != AF_INET6) + return; + + /* drop packets with same dest addr as gateway */ + pip6 = (struct openvpn_ipv6hdr *) BPTR(buf); + if (IN6_ARE_ADDR_EQUAL(&tun_sa.addr.in6.sin6_addr, &pip6->daddr)) + drop = true; +} + + if (drop) +{ + struct gc_arena gc = gc_new (); + + c->c2.buf.len = 0; + + msg(D_LOW, "Recursive routing detected, drop tun packet to %s", + print_link_socket_actual(c->c2.to_link_addr, &gc)); + gc_free (&gc); +} +} + /* * Input: c->c2.buf * Output: c->c2.to_link 
@@ -993,6 +1062,8 @@ process_incoming_tun (struct context *c) if (c->c2.buf.len > 0) { + if ((c->options.mode == MODE_POINT_TO_POINT) && (!c->options.allow_recursive_routing)) + drop_if_recursive_routing (c, &c->c2.buf); /* * The --passtos and --mssfix options require * us to examine the IP header (IPv4 or IPv6). diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 1ef0299..0ecaad9 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -500,6 +500,8 @@ static const char usage_message[] = "--server-poll-timeout n : when polling possible remote servers to connect to\n" " in a round-robin fashion, spend no more than n seconds\n" " waiting for a response before trying the next server.\n" + "--allow-recursive-routing : When this option is set, OpenVPN will not drop\n" + " incoming tun packets with same destination as host.\n" #endif #ifdef ENABL
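Review bot: in the `@@ -968,6 +968,75 @@` hunk, `drop_if_recursive_routing()` takes a `buf` parameter but calls `get_tun_ip_ver(..., &c->c2.buf)` and clears `c->c2.buf.len` instead of `buf->len`; the only caller passes `&c->c2.buf`, so it works today, but the function should use its parameter consistently or drop it. The `int proto_ver` declaration also sits after statements (C99 mixed declarations), unlike the two declarations at the top of the same block. The "netwotk" typo in the doc comment should be fixed as well.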
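Review bot: in the doc/openvpn.8 hunk, "incoming tun packets with same destination as host" does not tell the reader what "host" means; saying that OpenVPN drops tun packets addressed to the VPN peer's own address (the address encapsulated packets are sent to), because such packets would otherwise be routed back into the tunnel indefinitely, and that `--allow-recursive-routing` is for setups where traffic to the peer's address is legitimately expected to traverse the tunnel, would make the option's effect clear.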
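As an added example (not OpenVPN's code and not part of the patch), the drop decision described in the commit message above, re-implemented stand-alone over raw TUN packets: the packet's destination is compared with the peer address, and short headers, non-IP data and a version/address-family mismatch are passed through. TAP framing and OpenVPN's own structures are left out; the addresses are constructed documentation-range values.

```c
/* Added example (not OpenVPN's code): the patch's recursive-routing check
 * re-implemented over raw TUN packets, with constructed sample input. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define IPV4_HDR_LEN 20   /* minimum IPv4 header, destination at offset 16 */
#define IPV6_HDR_LEN 40   /* fixed IPv6 header, destination at offset 24 */

enum verdict { PASS = 0, DROP = 1 };

/* A tun packet addressed to the VPN peer itself would be encapsulated and
 * routed straight back into tun, so it is dropped.  Short headers, non-IP
 * data and an IP version/address family mismatch are passed through. */
enum verdict recursive_routing_verdict(const uint8_t *pkt, size_t len,
                                       const struct sockaddr_storage *peer)
{
    const struct sockaddr_in *p4 = (const struct sockaddr_in *)peer;
    const struct sockaddr_in6 *p6 = (const struct sockaddr_in6 *)peer;
    if (len < 1)
        return PASS;
    switch (pkt[0] >> 4) {                       /* IP version nibble */
    case 4:
        if (len < IPV4_HDR_LEN || peer->ss_family != AF_INET)
            return PASS;
        return memcmp(pkt + 16, &p4->sin_addr, 4) == 0 ? DROP : PASS;
    case 6:
        if (len < IPV6_HDR_LEN || peer->ss_family != AF_INET6)
            return PASS;
        return memcmp(pkt + 24, &p6->sin6_addr, 16) == 0 ? DROP : PASS;
    default:
        return PASS;                             /* not IP: leave to later parsing */
    }
}

/* Build a minimal IPv4 or IPv6 header; only the version nibble and the two
 * addresses are filled in.  Returns the length, or 0 if an address is bad. */
size_t make_packet(uint8_t *out, const char *src, const char *dst)
{
    int v6 = strchr(dst, ':') != NULL;
    size_t len = v6 ? IPV6_HDR_LEN : IPV4_HDR_LEN;
    memset(out, 0, len);
    if (v6) {
        out[0] = 0x60;                           /* version 6 */
        if (inet_pton(AF_INET6, src, out + 8) != 1 ||
            inet_pton(AF_INET6, dst, out + 24) != 1)
            return 0;
    } else {
        out[0] = 0x45;                           /* version 4, IHL 5 */
        if (inet_pton(AF_INET, src, out + 12) != 1 ||
            inet_pton(AF_INET, dst, out + 16) != 1)
            return 0;
    }
    return len;
}

/* One case: peer address (where OpenVPN sends encapsulated packets), a packet
 * from src to dst, optionally truncated to `keep` bytes (0 = whole header).
 * Returns the verdict, or -1 if an address does not parse. */
int check_case(const char *peer_addr, const char *src, const char *dst, size_t keep)
{
    uint8_t pkt[IPV6_HDR_LEN];
    struct sockaddr_storage peer;
    int fam = strchr(peer_addr, ':') ? AF_INET6 : AF_INET;
    void *peer_ip = fam == AF_INET6 ? (void *)&((struct sockaddr_in6 *)&peer)->sin6_addr
                                    : (void *)&((struct sockaddr_in *)&peer)->sin_addr;
    size_t len = make_packet(pkt, src, dst);
    memset(&peer, 0, sizeof peer);
    if (len == 0 || inet_pton(fam, peer_addr, peer_ip) != 1)
        return -1;
    peer.ss_family = (sa_family_t)fam;
    if (keep > 0 && keep < len)
        len = keep;
    return (int)recursive_routing_verdict(pkt, len, &peer);
}

/* Constructed cases on documentation prefixes; returns how many were dropped. */
int run_demo(void)
{
    static const struct { const char *peer, *src, *dst; size_t keep; } cases[] = {
        { "203.0.113.5", "10.8.0.2",    "203.0.113.5",  0 },  /* loops back: drop */
        { "203.0.113.5", "10.8.0.2",    "198.51.100.7", 0 },  /* normal traffic: pass */
        { "203.0.113.5", "10.8.0.2",    "203.0.113.5", 10 },  /* truncated header: pass */
        { "203.0.113.5", "2001:db8::2", "2001:db8::1",  0 },  /* v6 packet, v4 peer: pass */
        { "2001:db8::1", "2001:db8::2", "2001:db8::1",  0 },  /* loops back: drop */
    };
    int dropped = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int v = check_case(cases[i].peer, cases[i].src, cases[i].dst, cases[i].keep);
        printf("%s -> %s (peer %s): %s\n", cases[i].src, cases[i].dst,
               cases[i].peer, v == DROP ? "DROP, recursive routing" : "pass");
        dropped += (v == DROP);
    }
    return dropped;
}
```

Calling `run_demo()` from a `main` prints one verdict per constructed case and returns 2, the number of packets that would have looped back into the tunnel.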
[Openvpn-devel] [PATCH v4] Remove tun-ipv6 Option. Instead assume that IPv6 is always supported.
This option was useful when Ipv6 tun support was non standard and was an internal/user specified flag that tracked the Ipv6 capability of the tun device. All supported OS support IPv6. Also tun-ipv6 is pushable by the remote so not putting tun-ipv6 does not forbid ipv6 addresses. This commit also clean up a bit of the ipv6 related tun.c. Changes for most platforms are minimal. For linux a bit more cleanup is done: - Remove compatibility defines that were added 2008 - Always use IFF_NO_PI for the linux tun and not only for IPv4 only tun setups (Android also always IFF_NO_PI works fine with Ipv6). This commit also remove a non ipv6 fallback for tap driver from OpenVPN 2.2-beta or earlier and only warns. Patch V2: Integrate Gert's comments Patch V3: Remove tun_ipv4 option. It only used for MTU discovery and there it was wrong since it should on the transport protocol if at all Patch V4: do not send V3 as V2 --- Changes.rst | 3 ++ src/openvpn/forward.c | 2 +- src/openvpn/helper.c | 2 - src/openvpn/init.c| 6 --- src/openvpn/multi.c | 8 ++-- src/openvpn/openvpn.h | 5 --- src/openvpn/options.c | 11 + src/openvpn/options.h | 1 - src/openvpn/route.c | 13 ++ src/openvpn/tun.c | 110 ++ src/openvpn/tun.h | 2 - 11 files changed, 32 insertions(+), 131 deletions(-) diff --git a/Changes.rst b/Changes.rst index 9fcba75..2956003 100644 --- a/Changes.rst +++ b/Changes.rst @@ -135,6 +135,9 @@ User-visible Changes ciphers configured in the config file. Use --ncp-disable if you don't want that. +- ALl tun devices on all platforms are considered always IPv6 capable. The --tun-ipv6 + option is ignored (behaves like it is always on). + Maintainer-visible changes -- diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 6c11439..b3077ed 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c 
@@ -391,7 +391,7 @@ check_fragment_dowork (struct context *c) struct link_socket_info *lsi = get_link_socket_info (c); /* OS MTU Hint? */ - if (lsi->mtu_changed && c->c2.ipv4_tun) + if (lsi->mtu_changed) { frame_adjust_path_mtu (&c->c2.frame_fragment, c->c2.link_socket->mtu, c->options.ce.proto); diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c index 62f88ec..229523d 100644 --- a/src/openvpn/helper.c +++ b/src/openvpn/helper.c @@ -200,8 +200,6 @@ helper_client_server (struct options *o) add_in6_addr( o->server_network_ipv6, 0x1000 ); o->ifconfig_ipv6_pool_netbits = o->server_netbits_ipv6; - o->tun_ipv6 = true; - push_option( o, "tun-ipv6", M_USAGE ); } diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 9236a9f..7b73509 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -1400,9 +1400,6 @@ do_init_tun (struct context *c) !c->options.ifconfig_nowarn, c->c2.es); - /* flag tunnel for IPv6 config if --tun-ipv6 is set */ - c->c1.tuntap->ipv6 = c->options.tun_ipv6; - init_tun_post (c->c1.tuntap, &c->c2.frame, &c->options.tuntap_options); @@ -1420,9 +1417,6 @@ do_open_tun (struct context *c) struct gc_arena gc = gc_new (); bool ret = false; - c->c2.ipv4_tun = (!c->options.tun_ipv6 - && is_dev_type (c->options.dev, c->options.dev_type, "tun")); - #ifndef TARGET_ANDROID if (!c->c1.tuntap) { diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index ba7f2c0..228b393 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c 
@@ -1377,8 +1377,7 @@ multi_select_virtual_addr (struct multi_context *m, struct multi_instance *mi) * (see below) so issue a warning if that happens - don't break the * session, though, as we don't even know if this client WANTS IPv6 */ - if ( mi->context.c1.tuntap->ipv6 && - mi->context.options.ifconfig_ipv6_pool_defined && + if ( mi->context.options.ifconfig_ipv6_pool_defined && ! mi->context.options.push_ifconfig_ipv6_defined ) { msg( M_INFO, "MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work. Use --ifconfig-ipv6-push for IPv6 then." ); @@ -1451,8 +1450,7 @@ multi_select_virtual_addr (struct multi_context *m, struct multi_instance *mi) * way round ("dynamic IPv4, static IPv6") or "both static" makes sense * -> and so it's implemented right now */ - if ( mi->context.c1.tuntap->ipv6 && - mi->context.options.push_ifconfig_ipv6_defined ) + if ( mi->context.options.push_ifconfig_ipv6_defined ) { mi->context.c2.push_ifconfig_ipv6_local = mi->context.options.push_ifconfig_ipv6_local; @@ -1510,7 +1508,7 @@ multi_set_virtual_addr_env (struct multi_context *m, struct multi_instance *mi) setenv_del (mi->context.c2.es,
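Review bot: typo in the Changes.rst hunk: "ALl tun devices" should read "All tun devices".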
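Review bot: in the forward.c hunk, dropping `c->c2.ipv4_tun` from the condition means the OS MTU hint now adjusts the fragment frame for IPv6 and TAP setups as well; the commit message says this should really depend on the transport protocol, so a one-line comment at `if (lsi->mtu_changed)` recording that reasoning would spare later readers a trip through the archive.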
[Openvpn-devel] [PATCH applied] Re: Show compile-time variant for --multihome in --version output.
Your patch has been applied to the master branch.

commit d7c15ff12a8790c2ad2e0adc0e191c32f081463f
Author: Gert Doering
Date:   Fri Sep 16 21:45:11 2016 +0200

    Show compile-time variant for --multihome in --version output.

    Signed-off-by: Gert Doering
    Acked-by: Arne Schwabe
    Message-Id: <20160916194511.46137-1-g...@greenie.muc.de>
    URL: http://www.mail-archive.com/search?l=mid&q=20160916194511.46137-1-g...@greenie.muc.de
    Signed-off-by: Gert Doering

-- 
kind regards,

Gert Doering
[Openvpn-devel] [PATCH applied] Re: Fix IP_PKTINFO related compilation failure on NetBSD 7.0
Your patch has been applied to the master branch.

commit 7efa60d9790e029b8f9efd6a0ca06312d31d3420
Author: Gert Doering
Date:   Fri Sep 16 21:02:42 2016 +0200

    Fix IP_PKTINFO related compilation failure on NetBSD 7.0

    Signed-off-by: Gert Doering
    Acked-by: Arne Schwabe
    Message-Id: <20160916190242.44897-1-g...@greenie.muc.de>
    URL: http://www.mail-archive.com/search?l=mid&q=20160916190242.44897-1-g...@greenie.muc.de
    Signed-off-by: Gert Doering

-- 
kind regards,

Gert Doering
Re: [Openvpn-devel] [PATCH] Show compile-time variant for --multihome in --version output.
On 16.09.16 at 22:45, Gert Doering wrote:
> Instead of just [MH], show [MH/PKTINFO] or [MH/RECVDA], to see more
> easily which compile-time variant was chosen by configure and syshead.h

ACK from me.

Arne
Re: [Openvpn-devel] [PATCH] Fix IP_PKTINFO related compilation failure on NetBSD 7.0
On 16.09.16 at 22:02, Gert Doering wrote:
> NetBSD has introduced IP_PKTINFO and struct in_pktinfo, but does not
> have the "ipi_spec_dst" structure element, causing compilation errors.
>
> Introduce a check for that (AC_CHECK_MEMBER) in configure.ac, and
> change all "#ifdef HAVE_IN_PKTINFO" to also check "HAVE_IPI_SPEC_DST".
>
> Patch inspired by NetBSD pkgsrc patch set.

ACK from me.

Arne
[Openvpn-devel] [PATCHv2] t_client.sh: Add support for Kerberos/ksu
If the t_client.rc have PREFER_KSU=1 configured, t_client.sh will check if you have a valid Kerberos ticket and if so it will do all execution via ksu instead of sudo. If PREFER_KSU is not set or a Kerberos ticket is not found, it will fallback to the configured RUN_SUDO approach. When using ksu it needs the full path to the program being executed, so there is also additional code to find the full path of true and kill. [ v2 - Remove $* from RUN_SUDO for ksu config. Old cruft which survived last review before patch submission. - Improve known state declaration of PREFER_KSU ] Signed-off-by: David Sommerseth --- tests/t_client.sh.in | 40 +++- 1 file changed, 35 insertions(+), 5 deletions(-) diff --git a/tests/t_client.sh.in b/tests/t_client.sh.in index fc82cdb..9363522 100755 --- a/tests/t_client.sh.in +++ b/tests/t_client.sh.in @@ -36,6 +36,18 @@ if [ $? -ne 0 ]; then exit 77 fi +KILL_EXEC=`which kill` +if [ $? -ne 0 ]; then +echo "$0: kill not found in \$PATH" >&2 +exit 77 +fi + +TRUE_EXEC=`which true` +if [ $? -ne 0 ]; then +echo "$0: true not found in \$PATH" >&2 +exit 77 +fi + if [ ! -x "${top_builddir}/src/openvpn/openvpn" ] then echo "no (executable) openvpn binary in current build tree. FAIL." >&2 @@ -58,12 +70,29 @@ if [ -z "$TEST_RUN_LIST" ] ; then exit 77 fi +# Ensure PREFER_KSU is in a known state +PREFER_KSU="${PREFER_KSU:-0}" + # make sure we have permissions to run ifconfig/route from OpenVPN # can't use "id -u" here - doesn't work on Solaris ID=`id` if expr "$ID" : "uid=0" >/dev/null then : else +if [ "${PREFER_KSU}" -eq 1 ]; +then +# Check if we have a valid kerberos ticket +klist -l &> /dev/null +if [ $? -ne 0 ]; +then +# No kerberos ticket found, skip ksu and fallback to RUN_SUDO +PREFER_KSU=0 +echo "$0: No Kerberos ticket available. Will not use ksu." +else +RUN_SUDO="ksu -q -e" +fi +fi + if [ -z "$RUN_SUDO" ] then echo "$0: this test must run be as root, or RUN_SUDO=... " >&2 
@@ -73,7 +102,7 @@ else # We have to use sudo. Make sure that we (hopefully) do not have # to ask the users password during the test. This is done to # prevent timing issues, e.g. when the waits for openvpn to start -$RUN_SUDO \true +$RUN_SUDO $TRUE_EXEC fi fi @@ -90,6 +119,7 @@ exit_code=0 # -- # helper functions # -- + # print failure message, increase FAIL counter fail() { @@ -273,14 +303,14 @@ do echo " OpenVPN running with PID $opid" # make sure openvpn client is terminated in case shell exits -trap "$RUN_SUDO kill $opid" 0 -trap "$RUN_SUDO kill $opid ; trap - 0 ; exit 1" 1 2 3 15 +trap "$RUN_SUDO $KILL_EXEC $opid" 0 +trap "$RUN_SUDO $KILL_EXEC $opid ; trap - 0 ; exit 1" 1 2 3 15 echo "wait for connection to establish..." sleep ${SETUP_TIME_WAIT:-10} # test whether OpenVPN process is still there -if $RUN_SUDO kill -0 $opid +if $RUN_SUDO $KILL_EXEC -0 $opid then : else fail "OpenVPN process has failed to start up, check log ($LOGDIR/$SUF:openvpn.log)." @@ -315,7 +345,7 @@ do echo -e "ping tests done.\n" echo "stopping OpenVPN" -$RUN_SUDO kill $opid +$RUN_SUDO $KILL_EXEC $opid wait $! rc=$? if [ $rc != 0 ] ; then -- 1.8.3.1 -- ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
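Review bot: in the `@@ -58,12 +70,29 @@` hunk, `klist -l &> /dev/null` is a bash-only redirection; a POSIX sh or ksh parses it as `klist -l &` followed by `> /dev/null`, which backgrounds klist and makes the following `[ $? -ne 0 ]` test the status of starting the background job rather than of klist itself, so the ticket check always succeeds. Use `klist -l >/dev/null 2>&1`.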
Re: [Openvpn-devel] [PATCH applied] skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto
Your patch has been applied to the following branches

commit a85ba0e06badf9932e80deb53b68f50611943c6e (master)
commit 8e13e38aef5028e2227eb2d5e0a7e35ba6ff028e (release/2.3)
Author: Ilya Shipitsin
Date:   Sat Sep 17 14:33:09 2016 +0500

    skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto

    Acked-by: Steffan Karger
    Message-Id: <1474104789-31735-1-git-send-email-chipits...@gmail.com>
    URL: http://www.mail-archive.com/search?l=mid&q=1474104789-31735-1-git-send-email-chipits...@gmail.com
    Signed-off-by: Gert Doering

-- 
kind regards,

Gert Doering
Re: [Openvpn-devel] [[PATCH v2]] Remove tun-ipv6 Option. Instead assume that IPv6 is always supported.
On 17.09.16 at 12:40, Илья Шипицин wrote:
> funny enough, neither Azure, nor GCP are running ipv6.
> well, GCP images are compiled with ipv6 support actually.

Yeah. But the patch is not about ipv6 actually working. Just about telling that the OS support of IPv6 tun.

Arne
[Openvpn-devel] [PATCH v3] Remove tun-ipv6 Option. Instead assume that IPv6 is always supported.
This option was useful when Ipv6 tun support was non standard and was an internal/user specified flag that tracked the Ipv6 capability of the tun device. All supported OS support IPv6. Also tun-ipv6 is pushable by the remote so not putting tun-ipv6 does not forbid ipv6 addresses. This commit also clean up a bit of the ipv6 related tun.c. Changes for most platforms are minimal. For linux a bit more cleanup is done: - Remove compatibility defines that were added 2008 - Always use IFF_NO_PI for the linux tun and not only for IPv4 only tun setups (Android also always IFF_NO_PI works fine with Ipv6). This commit also remove a non ipv6 fallback for tap driver from OpenVPN 2.2-beta or earlier and only warns. --- src/openvpn/helper.c | 2 - src/openvpn/init.c| 7 +--- src/openvpn/multi.c | 8 ++-- src/openvpn/options.c | 11 + src/openvpn/options.h | 1 - src/openvpn/route.c | 13 ++ src/openvpn/tun.c | 110 ++ src/openvpn/tun.h | 2 - 8 files changed, 30 insertions(+), 124 deletions(-) diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c index 62f88ec..229523d 100644 --- a/src/openvpn/helper.c +++ b/src/openvpn/helper.c @@ -200,8 +200,6 @@ helper_client_server (struct options *o) add_in6_addr( o->server_network_ipv6, 0x1000 ); o->ifconfig_ipv6_pool_netbits = o->server_netbits_ipv6; - o->tun_ipv6 = true; - push_option( o, "tun-ipv6", M_USAGE ); } diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 9236a9f..e9eb6c7 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -1400,9 +1400,6 @@ do_init_tun (struct context *c) !c->options.ifconfig_nowarn, c->c2.es); - /* flag tunnel for IPv6 config if --tun-ipv6 is set */ - c->c1.tuntap->ipv6 = c->options.tun_ipv6; - init_tun_post (c->c1.tuntap, &c->c2.frame, &c->options.tuntap_options); 
@@ -1420,8 +1417,8 @@ do_open_tun (struct context *c) struct gc_arena gc = gc_new (); bool ret = false; - c->c2.ipv4_tun = (!c->options.tun_ipv6 - && is_dev_type (c->options.dev, c->options.dev_type, "tun")); + //c->c2.ipv4_tun = (!c->options.tun_ipv6 + //&& is_dev_type (c->options.dev, c->options.dev_type, "tun")); #ifndef TARGET_ANDROID if (!c->c1.tuntap) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index ba7f2c0..228b393 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -1377,8 +1377,7 @@ multi_select_virtual_addr (struct multi_context *m, struct multi_instance *mi) * (see below) so issue a warning if that happens - don't break the * session, though, as we don't even know if this client WANTS IPv6 */ - if ( mi->context.c1.tuntap->ipv6 && - mi->context.options.ifconfig_ipv6_pool_defined && + if ( mi->context.options.ifconfig_ipv6_pool_defined && ! mi->context.options.push_ifconfig_ipv6_defined ) { msg( M_INFO, "MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work. Use --ifconfig-ipv6-push for IPv6 then." ); @@ -1451,8 +1450,7 @@ multi_select_virtual_addr (struct multi_context *m, struct multi_instance *mi) * way round ("dynamic IPv4, static IPv6") or "both static" makes sense * -> and so it's implemented right now */ - if ( mi->context.c1.tuntap->ipv6 && - mi->context.options.push_ifconfig_ipv6_defined ) + if ( mi->context.options.push_ifconfig_ipv6_defined ) { mi->context.c2.push_ifconfig_ipv6_local = mi->context.options.push_ifconfig_ipv6_local; @@ -1510,7 +1508,7 @@ multi_set_virtual_addr_env (struct multi_context *m, struct multi_instance *mi) setenv_del (mi->context.c2.es, "ifconfig_pool_remote_ip6"); setenv_del (mi->context.c2.es, "ifconfig_pool_ip6_netbits"); - if (mi->context.c1.tuntap->ipv6 && mi->context.c2.push_ifconfig_ipv6_defined) + if (mi->context.c2.push_ifconfig_ipv6_defined) { setenv_in6_addr (mi->context.c2.es, "ifconfig_pool_remote", 
diff --git a/src/openvpn/options.c b/src/openvpn/options.c index e052042..0bab660 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1496,7 +1496,6 @@ show_settings (const struct options *o) SHOW_STR (dev_node); SHOW_STR (lladdr); SHOW_INT (topology); - SHOW_BOOL (tun_ipv6); SHOW_STR (ifconfig_local); SHOW_STR (ifconfig_remote_netmask); SHOW_BOOL (ifconfig_noexec); @@ -2099,10 +2098,6 @@ options_postprocess_verify_ce (const struct options *options, const struct conne options->connection_list->array[0]->remote) msg (M_USAGE, " cannot be used with --mode server"); -#if 0 - if (options->tun_ipv6) - msg (M_USAGE, "--tun-ipv6 cannot be used with --mode server"); -#endif if (options->shaper) msg
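Review bot: in the do_open_tun hunk of init.c the two lines that set c->c2.ipv4_tun are commented out with `//` instead of being deleted, which leaves dead code in a comment style the file does not otherwise use and leaves ipv4_tun permanently unset, so anything that still reads it now sees its zero-initialised value. Delete the two lines and remove the ipv4_tun field together with whatever still reads it (or say in the commit message why the field stays).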
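Review bot: the helper.c hunk drops `o->tun_ipv6 = true;` but keeps `push_option( o, "tun-ipv6", M_USAGE );`, so a server built from this tree still pushes an option the same tree no longer has. That is presumably deliberate, since the commit message says tun-ipv6 is pushable and older clients need it to accept IPv6 addresses, but two things follow: the push needs a comment saying it is kept only for older clients so the next cleanup does not remove it, and the options.c parser change (options.c shows 11 changed lines in the diffstat, only two hunks are visible here) must keep accepting a pushed "tun-ipv6" as a no-op rather than rejecting it as unknown, or a client with this patch breaks against every 2.3 server that pushes it.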
Re: [Openvpn-devel] [PATCH] t_client.sh: Add support for Kerberos/ksu
Hi,

On Sat, Sep 17, 2016 at 12:44:15PM +0300, David Sommerseth wrote:
> +else
> +RUN_SUDO="ksu -q -e $*"

NAK :)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [Openvpn-devel] [PATCH applied] t_client.sh: Make OpenVPN write PID file to avoid various sudo issues
ACK. Because it makes sense and I've been bitten by the bug, too :-)

Your patch has been applied to the following branches

commit e0926ebfe55347843af701216be9598827a1367a (master)
commit 057b70f1642336b7eb939f8515de791d515b8d04 (release/2.3)
Author: David Sommerseth
Date: Sat Sep 17 12:20:26 2016 +0300

    t_client.sh: Make OpenVPN write PID file to avoid various sudo issues

    Trac: #738

    Signed-off-by: David Sommerseth
    Acked-by: Gert Doering
    Message-Id: <1474104026-20615-1-git-send-email-dav...@openvpn.net>
    URL: http://www.mail-archive.com/search?l=mid&q=1474104026-20615-1-git-send-email-dav...@openvpn.net
    Signed-off-by: Gert Doering

--
kind regards,

Gert Doering
[Openvpn-devel] [PATCH v3] Drop recursively routed packets
v3: Use better way of figuring out IP proto version which does not break TAP mode. Add an option to allow recursive routing, could be useful when packets sent by openvpn itself are not subject to the routing tables that would move packets into the tunnel. v2: better method naming On certain OSes (Windows, OS X) when network adapter is disabled (ethernet cable pulled off, Wi-Fi hardware switch disabled), operating system starts to use tun as an external interface. Outgoing packets are routed to tun, UDP encapsulated, given to routing table and sent to.. tun. As a consequence, system starts talking to itself on full power, traffic counters skyrocket and user is not happy. To prevent that, drop packets which have gateway IP as destination address. Tested on Win7/10, OS X. --- Changes.rst | 2 ++ doc/openvpn.8 | 4 +++ src/openvpn/forward.c | 71 +++ src/openvpn/options.c | 10 src/openvpn/options.h | 4 +++ src/openvpn/proto.h | 32 +++ 6 files changed, 123 insertions(+) diff --git a/Changes.rst b/Changes.rst index 9fcba75..4cc4acf 100644 --- a/Changes.rst +++ b/Changes.rst @@ -135,6 +135,8 @@ User-visible Changes ciphers configured in the config file. Use --ncp-disable if you don't want that. +- On the client side recursively routed packets, which have same destination as host, + are dropped. This could be disabled with --allow-recursive-routing option. Maintainer-visible changes -- diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 2f42636..49d2f72 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -3985,6 +3985,10 @@ to the same server, with OpenVPN will not send any exit notifications unless this option is enabled. +.TP +.B \-\-allow\-recursive\-routing +When this option is set, OpenVPN will not drop incoming tun packets +with same destination as host. .\"* .SS Data Channel Encryption Options: These options are meaningful for both Static & TLS-negotiated key modes diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 6c11439..3016677 100644 
--- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -993,6 +993,75 @@ read_incoming_tun (struct context *c) perf_pop (); } +/** + * Drops UDP packets which OS decided to route via tun. + * + * On Windows and OS X when netwotk adapter is disabled or + * disconnected, platform starts to use tun as external interface. + * When packet is sent to tun, it comes to openvpn, encapsulated + * and sent to routing table, which sends it again to tun. + */ +static void +drop_if_recursive_routing (struct context *c, struct buffer *buf) +{ + bool drop = false; + struct openvpn_sockaddr tun_sa; + + if (c->c2.to_link_addr == NULL) /* no remote addr known */ +return; + + tun_sa = c->c2.to_link_addr->dest; + + int proto_ver = get_tun_ip_ver (TUNNEL_TYPE (c->c1.tuntap), &c->c2.buf); + + if (proto_ver == 4) +{ + const struct openvpn_iphdr *pip; + + /* make sure we got whole IP header */ + if (BLEN (buf) < (int) sizeof (struct openvpn_iphdr)) + return; + + /* skip ipv4 packets for ipv6 tun */ + if (tun_sa.addr.sa.sa_family != AF_INET) + return; + + pip = (struct openvpn_iphdr *) BPTR (buf); + + /* drop packets with same dest addr as gateway */ + if (tun_sa.addr.in4.sin_addr.s_addr == pip->daddr) + drop = true; +} + else if (proto_ver == 6) +{ + const struct openvpn_ipv6hdr *pip6; + + /* make sure we got whole IPv6 header */ + if (BLEN (buf) < (int) sizeof (struct openvpn_ipv6hdr)) + return; + + /* skip ipv6 packets for ipv4 tun */ + if (tun_sa.addr.sa.sa_family != AF_INET6) + return; + + /* drop packets with same dest addr as gateway */ + pip6 = (struct openvpn_ipv6hdr *) BPTR(buf); + if (IN6_ARE_ADDR_EQUAL(&tun_sa.addr.in6.sin6_addr, &pip6->daddr)) + drop = true; +} + + if (drop) +{ + struct gc_arena gc = gc_new (); + + c->c2.buf.len = 0; + + msg(D_LOW, "Recursive routing detected, drop tun packet to %s", + print_link_socket_actual(c->c2.to_link_addr, &gc)); + gc_free (&gc); +} +} + /* * Input: c->c2.buf * Output: c->c2.to_link 
@@ -1018,6 +1087,8 @@ process_incoming_tun (struct context *c) if (c->c2.buf.len > 0) { + if ((c->options.mode == MODE_POINT_TO_POINT) && (!c->options.allow_recursive_routing)) + drop_if_recursive_routing (c, &c->c2.buf); /* * The --passtos and --mssfix options require * us to examine the IP header (IPv4 or IPv6). diff --git a/src/openvpn/options.c b/src/openvpn/options.c index c100d4c..90d26c0 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -500,6 +500,8 @@ static const char usage_message[] = "--connect-timeout n : when polling possible remote servers to connect to\n" "
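Review bot: drop_if_recursive_routing takes a `struct buffer *buf` but calls `get_tun_ip_ver (TUNNEL_TYPE (c->c1.tuntap), &c->c2.buf)` and clears `c->c2.buf.len = 0;` while it reads the IP header through `buf`. The only caller passes &c->c2.buf, so it works today, but the function becomes wrong the moment it is handed any other buffer; use `buf` throughout (`get_tun_ip_ver (..., buf)` and `buf->len = 0`) or drop the parameter. Two smaller points in the same hunk: `tun_sa` copies the whole struct openvpn_sockaddr by value where a const pointer to c->c2.to_link_addr->dest would do, and the header comment says it drops UDP packets although nothing in the function is UDP-specific, the check runs for --proto tcp too. Finally, `msg(D_LOW, "Recursive routing detected, ...")` fires once per dropped packet, which in the very loop being prevented is a log line per packet at that verbosity; count the drops and log once per interval instead.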
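Review bot: the man page text for --allow-recursive-routing ("incoming tun packets with same destination as host") and the Changes.rst entry do not say which host, and neither says what actually gets dropped: every packet whose destination address is the VPN peer's own address (the --remote endpoint held in c->c2.to_link_addr), which also covers legitimate traffic to other services on that address when it is meant to go through the tunnel. State that in the man page, say that the check is active only in point-to-point mode (the process_incoming_tun hunk guards on MODE_POINT_TO_POINT, so "client side" in Changes.rst is not quite the right term), and give the reason from the v3 note for switching it off, since that is the only reason anyone will look the option up.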
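The check the patch adds to forward.c, reimplemented as an added stand-alone C example (not code from the patch or from the OpenVPN tree) so that the edge cases can be exercised on constructed packets: a truncated header is left alone, an address-family mismatch between packet and peer is left alone, and tap frames are handled by reading the EtherType instead of the first nibble, which is the TAP breakage the v3 note refers to. The DEV_TUN/DEV_TAP and AF4/AF6 tags, struct peer_addr, is_recursively_routed and the make_* builders are this example's own names, not OpenVPN's; the header offsets are those of the standard IPv4, IPv6 and Ethernet headers, and all packets are constructed inline.

```c
/* Added example, not OpenVPN code: the "destination equals the VPN peer"
 * check from drop_if_recursive_routing, stand-alone. DEV_TUN/DEV_TAP,
 * AF4/AF6, struct peer_addr and make_* are this example's own names. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { DEV_TUN = 0, DEV_TAP = 1 };   /* raw IP vs. Ethernet-framed packets */
enum { AF4 = 4, AF6 = 6 };           /* address family tags for peer_addr */

struct peer_addr {
    int family;        /* AF4 or AF6 */
    uint8_t addr[16];  /* first 4 or 16 bytes used, network byte order */
};

/* Standard header geometry: destination offsets and EtherType position. */
#define IPV4_HDR_LEN   20
#define IPV4_DADDR_OFF 16
#define IPV6_HDR_LEN   40
#define IPV6_DADDR_OFF 24
#define ETH_HDR_LEN    14
#define ETHERTYPE_OFF  12

/* IP version of the packet (4 or 6), or 0 if it is not IP. Tap frames are
 * classified by EtherType, tun packets by the first header nibble.
 * *ip_off receives the offset at which the IP header starts. */
static int ip_version_of(int dev_type, const uint8_t *pkt, size_t len, size_t *ip_off)
{
    if (dev_type == DEV_TAP) {
        if (len < ETH_HDR_LEN) return 0;
        unsigned ethertype = ((unsigned)pkt[ETHERTYPE_OFF] << 8) | pkt[ETHERTYPE_OFF + 1];
        *ip_off = ETH_HDR_LEN;
        return ethertype == 0x0800 ? 4 : ethertype == 0x86DD ? 6 : 0;
    }
    if (len < 1) return 0;
    *ip_off = 0;
    int ver = pkt[0] >> 4;
    return (ver == 4 || ver == 6) ? ver : 0;
}

/* True when a packet read from the tun/tap device is addressed to the VPN
 * peer itself, i.e. it would be encapsulated and routed straight back into
 * the tunnel. Truncated headers and family mismatches are never flagged:
 * the caller cannot be sure it is looking at the right bytes. */
bool is_recursively_routed(int dev_type, const uint8_t *pkt, size_t len,
                           const struct peer_addr *peer)
{
    size_t off = 0;
    int ver = ip_version_of(dev_type, pkt, len, &off);
    if (ver == 4) {
        if (peer->family != AF4 || len < off + IPV4_HDR_LEN) return false;
        return memcmp(pkt + off + IPV4_DADDR_OFF, peer->addr, 4) == 0;
    }
    if (ver == 6) {
        if (peer->family != AF6 || len < off + IPV6_HDR_LEN) return false;
        return memcmp(pkt + off + IPV6_DADDR_OFF, peer->addr, 16) == 0;
    }
    return false;
}

/* Constructed sample packet: minimal header with only version (and IHL for
 * v4) and destination filled in, which is all the check looks at. */
size_t make_ip(uint8_t *out, int ver, const uint8_t *dst)
{
    size_t hlen = ver == 4 ? IPV4_HDR_LEN : IPV6_HDR_LEN;
    memset(out, 0, hlen);
    out[0] = (uint8_t)((ver << 4) | (ver == 4 ? 5 : 0));
    memcpy(out + (ver == 4 ? IPV4_DADDR_OFF : IPV6_DADDR_OFF), dst, ver == 4 ? 4 : 16);
    return hlen;
}

/* Wraps an IP packet in a zeroed Ethernet header carrying the given EtherType. */
size_t make_tap(uint8_t *out, const uint8_t *ip, size_t iplen, unsigned ethertype)
{
    memset(out, 0, ETH_HDR_LEN);
    out[ETHERTYPE_OFF] = (uint8_t)(ethertype >> 8);
    out[ETHERTYPE_OFF + 1] = (uint8_t)(ethertype & 0xff);
    memcpy(out + ETH_HDR_LEN, ip, iplen);
    return ETH_HDR_LEN + iplen;
}

/* Seven constructed cases; returns a bit mask of those flagged as recursive.
 * Only bits 0, 2 and 4 should be set, i.e. the result is 0x15. */
unsigned run_scenarios(void)
{
    const struct peer_addr gw4 = { AF4, {192, 0, 2, 1} };       /* 192.0.2.1 */
    const struct peer_addr gw6 = { AF6, {0xfd, [15] = 1} };     /* fd00::1 */
    const uint8_t other4[4] = {198, 51, 100, 7};
    uint8_t ip[IPV6_HDR_LEN], frame[ETH_HDR_LEN + IPV6_HDR_LEN];
    size_t n;
    unsigned mask = 0;

    n = make_ip(ip, 4, gw4.addr);
    if (is_recursively_routed(DEV_TUN, ip, n, &gw4)) mask |= 1u << 0;      /* drop */
    n = make_ip(ip, 4, other4);
    if (is_recursively_routed(DEV_TUN, ip, n, &gw4)) mask |= 1u << 1;      /* keep: other host */
    n = make_ip(ip, 6, gw6.addr);
    if (is_recursively_routed(DEV_TUN, ip, n, &gw6)) mask |= 1u << 2;      /* drop */
    n = make_ip(ip, 4, gw4.addr);
    if (is_recursively_routed(DEV_TUN, ip, n, &gw6)) mask |= 1u << 3;      /* keep: v4 packet, v6 peer */
    n = make_tap(frame, ip, n, 0x0800);
    if (is_recursively_routed(DEV_TAP, frame, n, &gw4)) mask |= 1u << 4;   /* drop: tap, IPv4 */
    n = make_ip(ip, 4, gw4.addr);
    if (is_recursively_routed(DEV_TUN, ip, n - 1, &gw4)) mask |= 1u << 5;  /* keep: truncated */
    n = make_tap(frame, ip, n, 0x0806);
    if (is_recursively_routed(DEV_TAP, frame, n, &gw4)) mask |= 1u << 6;   /* keep: ARP, not IP */
    return mask;
}

int main(void)
{
    unsigned mask = run_scenarios();
    printf("flagged cases: 0x%02x (expected 0x15)\n", mask);
    return mask == 0x15 ? 0 : 1;
}
```

The two "keep" outcomes for a short buffer and for a family mismatch are the same decisions the patch makes with its `BLEN (buf) < sizeof` and `sa_family` checks; the tap branch is the extra step the v3 note says was needed so that TAP mode is not broken by reading an Ethernet header as if it were an IP header.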
[Openvpn-devel] [PATCH] t_client.sh: Add support for Kerberos/ksu
If the t_client.rc have PREFER_KSU=1 configured, t_client.sh will check if you have a valid Kerberos ticket and if so it will do all execution via ksu instead of sudo. If PREFER_KSU is not set or a Kerberos ticket is not found, it will fallback to the configured RUN_SUDO approach. When using ksu it needs the full path to the program being executed, so there is also additional code to find the full path of true and kill. Signed-off-by: David Sommerseth --- tests/t_client.sh.in | 42 +- 1 file changed, 37 insertions(+), 5 deletions(-) diff --git a/tests/t_client.sh.in b/tests/t_client.sh.in index fc82cdb..4cd5413 100755 --- a/tests/t_client.sh.in +++ b/tests/t_client.sh.in @@ -36,6 +36,18 @@ if [ $? -ne 0 ]; then exit 77 fi +KILL_EXEC=`which kill` +if [ $? -ne 0 ]; then +echo "$0: kill not found in \$PATH" >&2 +exit 77 +fi + +TRUE_EXEC=`which true` +if [ $? -ne 0 ]; then +echo "$0: true not found in \$PATH" >&2 +exit 77 +fi + if [ ! -x "${top_builddir}/src/openvpn/openvpn" ] then echo "no (executable) openvpn binary in current build tree. FAIL." >&2 @@ -58,12 +70,31 @@ if [ -z "$TEST_RUN_LIST" ] ; then exit 77 fi +# Ensure PREFER_KSU is in a known state +if [ -z "$PREFER_KSU" ]; then +PREFER_KSU=0 +fi + # make sure we have permissions to run ifconfig/route from OpenVPN # can't use "id -u" here - doesn't work on Solaris ID=`id` if expr "$ID" : "uid=0" >/dev/null then : else +if [ $PREFER_KSU -eq 1 ]; +then +# Check if we have a valid kerberos ticket +klist -l &> /dev/null +if [ $? -ne 0 ]; +then +# No kerberos ticket found, skip ksu and fallback to RUN_SUDO +PREFER_KSU=0 +echo "$0: No Kerberos ticket available. Will not use ksu." +else +RUN_SUDO="ksu -q -e $*" +fi +fi + if [ -z "$RUN_SUDO" ] then echo "$0: this test must run be as root, or RUN_SUDO=... " >&2 
@@ -73,7 +104,7 @@ else # We have to use sudo. Make sure that we (hopefully) do not have # to ask the users password during the test. This is done to # prevent timing issues, e.g. when the waits for openvpn to start -$RUN_SUDO \true +$RUN_SUDO $TRUE_EXEC fi fi @@ -90,6 +121,7 @@ exit_code=0 # -- # helper functions # -- + # print failure message, increase FAIL counter fail() { @@ -273,14 +305,14 @@ do echo " OpenVPN running with PID $opid" # make sure openvpn client is terminated in case shell exits -trap "$RUN_SUDO kill $opid" 0 -trap "$RUN_SUDO kill $opid ; trap - 0 ; exit 1" 1 2 3 15 +trap "$RUN_SUDO $KILL_EXEC $opid" 0 +trap "$RUN_SUDO $KILL_EXEC $opid ; trap - 0 ; exit 1" 1 2 3 15 echo "wait for connection to establish..." sleep ${SETUP_TIME_WAIT:-10} # test whether OpenVPN process is still there -if $RUN_SUDO kill -0 $opid +if $RUN_SUDO $KILL_EXEC -0 $opid then : else fail "OpenVPN process has failed to start up, check log ($LOGDIR/$SUF:openvpn.log)." @@ -315,7 +347,7 @@ do echo -e "ping tests done.\n" echo "stopping OpenVPN" -$RUN_SUDO kill $opid +$RUN_SUDO $KILL_EXEC $opid wait $! rc=$? if [ $rc != 0 ] ; then -- 1.8.3.1 -- ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
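Review bot: `RUN_SUDO="ksu -q -e $*"` in the PREFER_KSU branch expands `$*` to the test script's own positional parameters at assignment time, not to the command that is run later; every later use is `$RUN_SUDO <command> <args>`, so `RUN_SUDO="ksu -q -e"` is what is wanted, and with `$*` any arguments passed to t_client.sh would be spliced in front of every command. In the same hunk `klist -l &> /dev/null` uses the bash-only `&>` in a script that is otherwise kept to plain /bin/sh (the comment above it avoids `id -u` for Solaris); write `>/dev/null 2>&1`, and `klist -s` is the documented silent check for a valid ticket, whereas `-l` lists the cache collection and does not exist on older klist builds.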
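Review bot: the KILL_EXEC/TRUE_EXEC lookups in the first hunk rely on the exit status of `which`, which is not portable (on older Solaris it is a csh script that exits 0 even when nothing is found, and the script already works around Solaris elsewhere); `command -v kill` is POSIX and returns non-zero when the name is unknown. The full paths are only needed on the ksu path, so the lookups and their `exit 77` could also be skipped entirely when PREFER_KSU is not set, instead of making the sudo case depend on them.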
Re: [Openvpn-devel] [PATCH] skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto
On 17 September 2016 at 11:33, Ilya Shipitsin wrote: > --- > configure.ac | 1 + > tests/Makefile.am | 5 - > 2 files changed, 5 insertions(+), 1 deletion(-) > > diff --git a/configure.ac b/configure.ac > index d733023..dc95123 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -1192,6 +1192,7 @@ AM_CONDITIONAL([WIN32], [test "${WIN32}" = "yes"]) > AM_CONDITIONAL([GIT_CHECKOUT], [test "${GIT_CHECKOUT}" = "yes"]) > AM_CONDITIONAL([ENABLE_PLUGIN_AUTH_PAM], [test "${enable_plugin_auth_pam}" = > "yes"]) > AM_CONDITIONAL([ENABLE_PLUGIN_DOWN_ROOT], [test "${enable_plugin_down_root}" > = "yes"]) > +AM_CONDITIONAL([ENABLE_CRYPTO], [test "${enable_crypto}" = "yes"]) > > plugindir="${with_plugindir}" > sampledir="\$(docdir)/sample" > diff --git a/tests/Makefile.am b/tests/Makefile.am > index 2cba9e6..235cd13 100644 > --- a/tests/Makefile.am > +++ b/tests/Makefile.am > @@ -14,7 +14,10 @@ MAINTAINERCLEANFILES = \ > > SUBDIRS = unit_tests > > -test_scripts = t_client.sh t_lpback.sh t_cltsrv.sh > +test_scripts = t_client.sh > +if ENABLE_CRYPTO > +test_scripts += t_lpback.sh t_cltsrv.sh > +endif > > TESTS_ENVIRONMENT = top_srcdir="$(top_srcdir)" > TESTS = $(test_scripts) > -- > 2.5.5 This patch was originally discussed on github: https://github.com/OpenVPN/openvpn/pull/55. Even though it would be more elegant to have 'make test' print a 'skipped', instead of just not running the test at all, that is very minor and this clearly fixes an issue. So, ACK. -Steffan -- ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [[PATCH v2]] Remove tun-ipv6 Option. Instead assume that IPv6 is always supported.
funny enough, neither Azure, nor GCP are running ipv6. well, GCP images are compiled with ipv6 support actually. 2016-09-17 14:23 GMT+05:00 Arne Schwabe : > This option was useful when Ipv6 tun support was non standard and was an > internal/user specified flag that tracked the Ipv6 capability of the tun > device. > > All supported OS support IPv6. Also tun-ipv6 is pushable by the remote so > not putting tun-ipv6 does not forbid ipv6 addresses. > > This commit also clean up a bit of the ipv6 related tun.c. Changes for > most platforms are minimal. > > For linux a bit more cleanup is done: > > - Remove compatibility defines that were added 2008 > - Always use IFF_NO_PI for the linux tun and not only for IPv4 only tun > setups (Android also always IFF_NO_PI works fine with Ipv6). > > This commit also remove a non ipv6 fallback for tap driver from OpenVPN > 2.2-beta or earlier and only warns. > > Patch V2: Integrate Gert's comments > --- > src/openvpn/helper.c | 2 - > src/openvpn/init.c| 7 +--- > src/openvpn/multi.c | 8 ++-- > src/openvpn/options.c | 11 + > src/openvpn/options.h | 1 - > src/openvpn/route.c | 13 ++ > src/openvpn/tun.c | 110 ++ > > src/openvpn/tun.h | 2 - > 8 files changed, 30 insertions(+), 124 deletions(-) > > diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c > index 62f88ec..229523d 100644 > --- a/src/openvpn/helper.c > +++ b/src/openvpn/helper.c > @@ -200,8 +200,6 @@ helper_client_server (struct options *o) > add_in6_addr( o->server_network_ipv6, 0x1000 ); > o->ifconfig_ipv6_pool_netbits = o->server_netbits_ipv6; > > - o->tun_ipv6 = true; > - > push_option( o, "tun-ipv6", M_USAGE ); > } > > diff --git a/src/openvpn/init.c b/src/openvpn/init.c > index 9236a9f..e9eb6c7 100644 > --- a/src/openvpn/init.c > +++ b/src/openvpn/init.c 
> @@ -1400,9 +1400,6 @@ do_init_tun (struct context *c) >!c->options.ifconfig_nowarn, >c->c2.es); > > - /* flag tunnel for IPv6 config if --tun-ipv6 is set */ > - c->c1.tuntap->ipv6 = c->options.tun_ipv6; > - >init_tun_post (c->c1.tuntap, > &c->c2.frame, > &c->options.tuntap_options); > @@ -1420,8 +1417,8 @@ do_open_tun (struct context *c) >struct gc_arena gc = gc_new (); >bool ret = false; > > - c->c2.ipv4_tun = (!c->options.tun_ipv6 > - && is_dev_type (c->options.dev, c->options.dev_type, > "tun")); > + //c->c2.ipv4_tun = (!c->options.tun_ipv6 > + //&& is_dev_type (c->options.dev, c->options.dev_type, > "tun")); > > #ifndef TARGET_ANDROID >if (!c->c1.tuntap) > diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c > index ba7f2c0..228b393 100644 > --- a/src/openvpn/multi.c > +++ b/src/openvpn/multi.c > @@ -1377,8 +1377,7 @@ multi_select_virtual_addr (struct multi_context *m, > struct multi_instance *mi) > * (see below) so issue a warning if that happens - don't break the > * session, though, as we don't even know if this client WANTS IPv6 > */ > - if ( mi->context.c1.tuntap->ipv6 && > - mi->context.options.ifconfig_ipv6_pool_defined && > + if ( mi->context.options.ifconfig_ipv6_pool_defined && >! mi->context.options.push_ifconfig_ipv6_defined ) > { > msg( M_INFO, "MULTI_sva: WARNING: if --ifconfig-push is used for > IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work. > Use --ifconfig-ipv6-push for IPv6 then." ); > @@ -1451,8 +1450,7 @@ multi_select_virtual_addr (struct multi_context *m, > struct multi_instance *mi) > * way round ("dynamic IPv4, static IPv6") or "both static" makes sense > * -> and so it's implemented right now > */ > - if ( mi->context.c1.tuntap->ipv6 && > - mi->context.options.push_ifconfig_ipv6_defined ) > + if ( mi->context.options.push_ifconfig_ipv6_defined ) > { >mi->context.c2.push_ifconfig_ipv6_local = > mi->context.options.push_ifconfig_ipv6_local; 
> @@ -1510,7 +1508,7 @@ multi_set_virtual_addr_env (struct multi_context *m, > struct multi_instance *mi) >setenv_del (mi->context.c2.es, "ifconfig_pool_remote_ip6"); >setenv_del (mi->context.c2.es, "ifconfig_pool_ip6_netbits"); > > - if (mi->context.c1.tuntap->ipv6 && mi->context.c2.push_ifconfig_ > ipv6_defined) > + if (mi->context.c2.push_ifconfig_ipv6_defined) > { >setenv_in6_addr (mi->context.c2.es, > "ifconfig_pool_remote", > diff --git a/src/openvpn/options.c b/src/openvpn/options.c > index e052042..0bab660 100644 > --- a/src/openvpn/options.c > +++ b/src/openvpn/options.c > @@ -1496,7 +1496,6 @@ show_settings (const struct options *o) >SHOW_STR (dev_node); >SHOW_STR (lladdr); >SHOW_INT (topology); > - SHOW_BOOL (tun_ipv6); >SHOW_STR (ifconfig_local); >SHOW_STR (ifconfig_remote_netmask); >SHOW_BOO
Re: [Openvpn-devel] [PATCH applied] initial travis-ci support
thanks! I'm going to unleash "allowed as failure" tests now.

2016-09-17 14:19 GMT+05:00 Gert Doering :
> ACK. Your patch has been applied to the master branch
>
> (Talking with Steffan, we've decided to squash both patches into just one,
> because it seems to be somewhat silly to add a file just to completely
> rewrite in the next patch again)
>
> commit 368991264d82f038bde30a67910ac6c7681a4ba9
> Author: Ilya Shipitsin
> Date: Thu Sep 15 16:26:48 2016 +0500
>
>     initial travis-ci support
>
>     Acked-by: Gert Doering
>     Message-Id: <1473938808-3312-1-git-send-email-chipits...@gmail.com>
>     URL: http://www.mail-archive.com/search?l=mid&q=1473938808-3312-1-git-send-email-chipits...@gmail.com
>     Signed-off-by: Steffan Karger
>     Acked-by: Gert Doering
>     Message-Id: <1473938818-3375-1-git-send-email-chipits...@gmail.com>
>     URL: http://www.mail-archive.com/search?l=mid&q=1473938818-3375-1-git-send-email-chipits...@gmail.com
>     Signed-off-by: Gert Doering
>
> --
> kind regards,
>
> Gert Doering
[Openvpn-devel] [PATCH] skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto
--- configure.ac | 1 + tests/Makefile.am | 5 - 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index d733023..dc95123 100644 --- a/configure.ac +++ b/configure.ac @@ -1192,6 +1192,7 @@ AM_CONDITIONAL([WIN32], [test "${WIN32}" = "yes"]) AM_CONDITIONAL([GIT_CHECKOUT], [test "${GIT_CHECKOUT}" = "yes"]) AM_CONDITIONAL([ENABLE_PLUGIN_AUTH_PAM], [test "${enable_plugin_auth_pam}" = "yes"]) AM_CONDITIONAL([ENABLE_PLUGIN_DOWN_ROOT], [test "${enable_plugin_down_root}" = "yes"]) +AM_CONDITIONAL([ENABLE_CRYPTO], [test "${enable_crypto}" = "yes"]) plugindir="${with_plugindir}" sampledir="\$(docdir)/sample" diff --git a/tests/Makefile.am b/tests/Makefile.am index 2cba9e6..235cd13 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -14,7 +14,10 @@ MAINTAINERCLEANFILES = \ SUBDIRS = unit_tests -test_scripts = t_client.sh t_lpback.sh t_cltsrv.sh +test_scripts = t_client.sh +if ENABLE_CRYPTO +test_scripts += t_lpback.sh t_cltsrv.sh +endif TESTS_ENVIRONMENT = top_srcdir="$(top_srcdir)" TESTS = $(test_scripts) -- 2.5.5 -- ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
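Review bot: taking t_lpback.sh and t_cltsrv.sh out of TESTS when crypto is disabled makes them disappear from the make check output rather than show up as skipped; the automake harness treats exit status 77 as SKIP, and t_client.sh in this same series already uses `exit 77` for the cases it cannot run, so the two scripts could detect a crypto-less binary and exit 77 themselves with Makefile.am left alone. If the conditional is kept, the new AM_CONDITIONAL([ENABLE_CRYPTO], ...) is fine as written, but the reader of the test log loses the visible "SKIP" that says why the tests did not run.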
[Openvpn-devel] [[PATCH v2]] Remove tun-ipv6 Option. Instead assume that IPv6 is always supported.
This option was useful when Ipv6 tun support was non standard and was an internal/user specified flag that tracked the Ipv6 capability of the tun device. All supported OS support IPv6. Also tun-ipv6 is pushable by the remote so not putting tun-ipv6 does not forbid ipv6 addresses. This commit also clean up a bit of the ipv6 related tun.c. Changes for most platforms are minimal. For linux a bit more cleanup is done: - Remove compatibility defines that were added 2008 - Always use IFF_NO_PI for the linux tun and not only for IPv4 only tun setups (Android also always IFF_NO_PI works fine with Ipv6). This commit also remove a non ipv6 fallback for tap driver from OpenVPN 2.2-beta or earlier and only warns. Patch V2: Integrate Gert's comments --- src/openvpn/helper.c | 2 - src/openvpn/init.c| 7 +--- src/openvpn/multi.c | 8 ++-- src/openvpn/options.c | 11 + src/openvpn/options.h | 1 - src/openvpn/route.c | 13 ++ src/openvpn/tun.c | 110 ++ src/openvpn/tun.h | 2 - 8 files changed, 30 insertions(+), 124 deletions(-) diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c index 62f88ec..229523d 100644 --- a/src/openvpn/helper.c +++ b/src/openvpn/helper.c @@ -200,8 +200,6 @@ helper_client_server (struct options *o) add_in6_addr( o->server_network_ipv6, 0x1000 ); o->ifconfig_ipv6_pool_netbits = o->server_netbits_ipv6; - o->tun_ipv6 = true; - push_option( o, "tun-ipv6", M_USAGE ); } diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 9236a9f..e9eb6c7 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -1400,9 +1400,6 @@ do_init_tun (struct context *c) !c->options.ifconfig_nowarn, c->c2.es); - /* flag tunnel for IPv6 config if --tun-ipv6 is set */ - c->c1.tuntap->ipv6 = c->options.tun_ipv6; - init_tun_post (c->c1.tuntap, &c->c2.frame, &c->options.tuntap_options); 
@@ -1420,8 +1417,8 @@ do_open_tun (struct context *c) struct gc_arena gc = gc_new (); bool ret = false; - c->c2.ipv4_tun = (!c->options.tun_ipv6 - && is_dev_type (c->options.dev, c->options.dev_type, "tun")); + //c->c2.ipv4_tun = (!c->options.tun_ipv6 + //&& is_dev_type (c->options.dev, c->options.dev_type, "tun")); #ifndef TARGET_ANDROID if (!c->c1.tuntap) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index ba7f2c0..228b393 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -1377,8 +1377,7 @@ multi_select_virtual_addr (struct multi_context *m, struct multi_instance *mi) * (see below) so issue a warning if that happens - don't break the * session, though, as we don't even know if this client WANTS IPv6 */ - if ( mi->context.c1.tuntap->ipv6 && - mi->context.options.ifconfig_ipv6_pool_defined && + if ( mi->context.options.ifconfig_ipv6_pool_defined && ! mi->context.options.push_ifconfig_ipv6_defined ) { msg( M_INFO, "MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work. Use --ifconfig-ipv6-push for IPv6 then." ); @@ -1451,8 +1450,7 @@ multi_select_virtual_addr (struct multi_context *m, struct multi_instance *mi) * way round ("dynamic IPv4, static IPv6") or "both static" makes sense * -> and so it's implemented right now */ - if ( mi->context.c1.tuntap->ipv6 && - mi->context.options.push_ifconfig_ipv6_defined ) + if ( mi->context.options.push_ifconfig_ipv6_defined ) { mi->context.c2.push_ifconfig_ipv6_local = mi->context.options.push_ifconfig_ipv6_local; @@ -1510,7 +1508,7 @@ multi_set_virtual_addr_env (struct multi_context *m, struct multi_instance *mi) setenv_del (mi->context.c2.es, "ifconfig_pool_remote_ip6"); setenv_del (mi->context.c2.es, "ifconfig_pool_ip6_netbits"); - if (mi->context.c1.tuntap->ipv6 && mi->context.c2.push_ifconfig_ipv6_defined) + if (mi->context.c2.push_ifconfig_ipv6_defined) { setenv_in6_addr (mi->context.c2.es, "ifconfig_pool_remote", 
diff --git a/src/openvpn/options.c b/src/openvpn/options.c index e052042..0bab660 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1496,7 +1496,6 @@ show_settings (const struct options *o) SHOW_STR (dev_node); SHOW_STR (lladdr); SHOW_INT (topology); - SHOW_BOOL (tun_ipv6); SHOW_STR (ifconfig_local); SHOW_STR (ifconfig_remote_netmask); SHOW_BOOL (ifconfig_noexec); @@ -2099,10 +2098,6 @@ options_postprocess_verify_ce (const struct options *options, const struct conne options->connection_list->array[0]->remote) msg (M_USAGE, " cannot be used with --mode server"); -#if 0 - if (options->tun_ipv6) - msg (M_USAGE, "--tun-ipv6 cannot be used with --mode server"); -#endif
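Review bot: in the do_open_tun hunk of init.c the assignment to c->c2.ipv4_tun is commented out with `//` rather than removed, which leaves dead code in a comment style the file does not use elsewhere and leaves the field permanently unset for anything that still reads it; remove the two lines and retire the field together with its remaining readers, or explain in the commit message why it is kept.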
[Openvpn-devel] [PATCH] t_client.sh: Make OpenVPN write PID file to avoid various sudo issues
This resolves an issue where $! returns the PID of the sudo process instead of the PID of OpenVPN and when sudo does not properly propagate signales down to OpenVPN. Trac: #738 Signed-off-by: David Sommerseth --- tests/t_client.sh.in | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tests/t_client.sh.in b/tests/t_client.sh.in index 62d6730..fc82cdb 100755 --- a/tests/t_client.sh.in +++ b/tests/t_client.sh.in @@ -263,10 +263,14 @@ do continue fi +pidfile="${top_builddir}/tests/$LOGDIR/openvpn-$SUF.pid" +openvpn_conf="$openvpn_conf --writepid $pidfile" echo " run openvpn $openvpn_conf" echo "# src/openvpn/openvpn $openvpn_conf" >$LOGDIR/$SUF:openvpn.log $RUN_SUDO "${top_builddir}/src/openvpn/openvpn" $openvpn_conf >>$LOGDIR/$SUF:openvpn.log & -opid=$! +sleep 3 # Wait for OpenVPN to initialize and have had time to write the pid file +opid=`cat $pidfile` +echo " OpenVPN running with PID $opid" # make sure openvpn client is terminated in case shell exits trap "$RUN_SUDO kill $opid" 0 -- 1.8.3.1 -- ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
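Review bot: `sleep 3` followed by `opid=`cat $pidfile`` has two failure modes in this hunk. If OpenVPN has not started within three seconds (or failed to start), `cat` errors out, $opid is empty, and the later `trap "$RUN_SUDO kill $opid"` and `kill -0 $opid` run with no PID at all; and if a pid file from a previous run is still there, the stale PID is read instead and the test then kills and checks the wrong process. Remove the file before starting (`rm -f "$pidfile"`), then poll for it with a bounded loop (e.g. up to SETUP_TIME_WAIT seconds, checking `[ -s "$pidfile" ]`) and call fail() and `continue` when it never appears. Note also that the file is written by the openvpn process running as root under sudo, so the directory must be one where the unprivileged test user can still read it.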
Re: [Openvpn-devel] [PATCH applied] initial travis-ci support
ACK. Your patch has been applied to the master branch

(Talking with Steffan, we've decided to squash both patches into just one, because it seems to be somewhat silly to add a file just to completely rewrite in the next patch again)

commit 368991264d82f038bde30a67910ac6c7681a4ba9
Author: Ilya Shipitsin
Date: Thu Sep 15 16:26:48 2016 +0500

    initial travis-ci support

    Acked-by: Gert Doering
    Message-Id: <1473938808-3312-1-git-send-email-chipits...@gmail.com>
    URL: http://www.mail-archive.com/search?l=mid&q=1473938808-3312-1-git-send-email-chipits...@gmail.com
    Signed-off-by: Steffan Karger
    Acked-by: Gert Doering
    Message-Id: <1473938818-3375-1-git-send-email-chipits...@gmail.com>
    URL: http://www.mail-archive.com/search?l=mid&q=1473938818-3375-1-git-send-email-chipits...@gmail.com
    Signed-off-by: Gert Doering

--
kind regards,

Gert Doering
[Openvpn-devel] [PATCH] Prefer RECVDSTADDR to PKTINFO for IPv4 in OS X since it actually works (unlike PKTINFO)
--- configure.ac | 1 + 1 file changed, 1 insertion(+) diff --git a/configure.ac b/configure.ac index 418ad57..6dfe256 100644 --- a/configure.ac +++ b/configure.ac @@ -337,6 +337,7 @@ case "$host" in have_tap_header="yes" dnl some Mac OS X tendering (we use vararg macros...) CPPFLAGS="$CPPFLAGS -no-cpp-precomp" + ac_cv_type_struct_in_pktinfo=no ;; *-mingw*) AC_DEFINE([TARGET_WIN32], [1], [Are we running WIN32?]) -- 2.8.4 (Apple Git-73) -- ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
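Review bot: forcing `ac_cv_type_struct_in_pktinfo=no` in the Darwin case of configure.ac overrides the result of the type check with nothing in the file saying why, and the commit has no body either; the reason given in the subject (the type is in the OS X headers but IP_PKTINFO does not deliver the destination address there, while IP_RECVDSTADDR does) belongs in a `dnl` comment next to the line so the next person does not "fix" it back. Presetting an ac_cv_* cache variable only has an effect if this case block runs before the AC_CHECK_TYPES that tests for struct in_pktinfo, which is worth stating in that comment as well.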