[Openvpn-devel] [PATCH] Enable -D_SVR4_2 for compilation on Solaris

2016-10-10 Thread Gert Doering
Solaris' header files do not make necessary macros (like CMSG_SPACE)
available unless told "this is the API level we want" - thus, do so.

This fixes --multihome on OpenSolaris 11 (at least).

trac #750

Signed-off-by: Gert Doering 
---
 configure.ac |1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/configure.ac b/configure.ac
index a03abba..24b2e46 100644
--- a/configure.ac
+++ b/configure.ac
@@ -318,6 +318,7 @@ case "$host" in
*-*-solaris*)
AC_DEFINE([TARGET_SOLARIS], [1], [Are we running on Solaris?])
AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["S"], [Target prefix])
+   CPPFLAGS="$CPPFLAGS -D_XPG4_2"
;;
*-*-openbsd*)
AC_DEFINE([TARGET_OPENBSD], [1], [Are we running on OpenBSD?])
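Review bot: The added line in the `*-*-solaris*)` case passes `-D_XPG4_2`, but the subject line names `-D_SVR4_2`, so the commit description does not match what the hunk applies; correct the subject to `-D_XPG4_2` before this is pushed. A one-line comment above the `CPPFLAGS` assignment saying the define is needed for macros such as CMSG_SPACE would keep the reason next to the flag.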
-- 
1.5.6.5


--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [PATCH] Enable -D_SVR4_2 for compilation on Solaris

2016-10-10 Thread Arne Schwabe
I cannot test Solaris but the code looks good enough, so ACK

Arne
On 10.10.16 at 09:39, Gert Doering wrote:
> Solaris' header files do not make necessary macros (like CMSG_SPACE)
> available unless told "this is the API level we want" - thus, do so.
>
> This fixes --multihome on OpenSolaris 11 (at least).
>
> trac #750
>
> Signed-off-by: Gert Doering 
> ---
>  configure.ac |1 +
>  1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/configure.ac b/configure.ac
> index a03abba..24b2e46 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -318,6 +318,7 @@ case "$host" in
>   *-*-solaris*)
>   AC_DEFINE([TARGET_SOLARIS], [1], [Are we running on Solaris?])
>   AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["S"], [Target prefix])
> + CPPFLAGS="$CPPFLAGS -D_XPG4_2"
>   ;;
>   *-*-openbsd*)
>   AC_DEFINE([TARGET_OPENBSD], [1], [Are we running on OpenBSD?])
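Review bot: The `CPPFLAGS` line in the `*-*-solaris*)` case is applied to every Solaris host with no configure-time check that the define is needed there, while the commit message reports only OpenSolaris 11 as tested. State the tested releases in a comment next to the flag, or guard it with a compile test for CMSG_SPACE so other Solaris versions are not affected blindly.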




[Openvpn-devel] [PATCH applied] Re: Exclude peer-id from pulled options digest

2016-10-10 Thread Gert Doering
Your patch has been applied to the release/2.3 branch.

commit 84022030dc2af8606e6a11c3dca1780419e7a534
Author: Lev Stipakov
Date:   Tue Oct 4 22:53:06 2016 +0300

 Exclude peer-id from pulled options digest

 Acked-by: Steffan Karger 
 Message-Id: <1475610786-25781-1-git-send-email-lstipa...@gmail.com>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12598.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




[Openvpn-devel] [PATCH applied] Re: Enable -D_SVR4_2 for compilation on Solaris

2016-10-10 Thread Gert Doering
Your patch has been applied to the master branch.

commit 6eaa70e80aea7dfd1b3114fcb369a8f72c19ceee
Author: Gert Doering
Date:   Mon Oct 10 09:39:31 2016 +0200

 Enable -D_SVR4_2 for compilation on Solaris

 Signed-off-by: Gert Doering 
 Acked-by: Arne Schwabe 
 Message-Id: <20161010073931.54469-1-g...@greenie.muc.de>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12634.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




[Openvpn-devel] [PATCH applied] Re: Exclude peer-id from pulled options digest

2016-10-10 Thread Gert Doering
Your patch has been applied to the master branch.

commit 3cf51f613c4d0ac0982826cd2e27e1f34bcd1a83
Author: Lev Stipakov
Date:   Tue Oct 4 23:20:03 2016 +0300

 Exclude peer-id from pulled options digest

 Acked-by: Steffan Karger 
 Message-Id: <1475612403-1266-1-git-send-email-lstipa...@gmail.com>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12599.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




[Openvpn-devel] [PATCH applied] Re: Fix compilation in pedantic mode

2016-10-10 Thread Gert Doering
ACK.  I've decided to leave the whitespace changes as they were in your
patch ("git show -w" will confirm only whitespace and comments have been
changed), and changed the multiline comment to "leading *" style, as
discussed previously.

Your patch has been applied to the release/2.3 branch.

commit d72c3835e20593091d4d2c69466329f994b69ae6
Author: Lev Stipakov
Date:   Tue Oct 4 23:42:16 2016 +0300

 Fix compilation in pedantic mode

 Signed-off-by: Lev Stipakov 
 Acked-by: Steffan Karger 
 Acked-by: Gert Doering 
 Message-Id: <1475613736-1529-1-git-send-email-lstipa...@gmail.com>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12600.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




[Openvpn-devel] New SHA1-signed Windows XP installers ready for testing

2016-10-10 Thread Samuli Seppänen
Hi,

New Windows XP installers signed with a new SHA1 code-signing 
certificate are now available:




Could someone verify that Windows XP can recognize the SHA1 signature 
correctly?

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] New SHA1-signed Windows XP installers ready for testing

2016-10-10 Thread debbie10t


On 10/10/16 10:17, Samuli Seppänen wrote:
> Hi,
>
> New Windows XP installers signed with a new SHA1 code-signing
> certificate are now available:
>
> 
> 
>
> Could someone verify that Windows XP can recognize the SHA1 signature
> correctly?
>

This worked completely normally on WXP-Pro-SP3 32bit VM.
(I do not have access to 64bit WXP)



Re: [Openvpn-devel] [PATCH] Fix duplicated PUSH_REPLY options

2016-10-10 Thread Steffan Karger
Hi,

On 24 September 2016 at 12:23, Lev Stipakov  wrote:
> Starting from 
> https://github.com/OpenVPN/openvpn/commit/3a5a46cf2b7f6a8b8520c2513a8054deb48bfcbe,
> we add peer-id and cipher values to context->options->push_list instead of 
> adding those directly
> to buf (as done for client-specific values, like ifconfig). Since push_list 
> is per child context,
> when options are added and context is reused - we got duplicates.
>
> Fixed by adding options to buffer, as it was done previously.

NAK.  This reintroduces another issue, where the added options might
not fit into buf, because we can't reserve space for variable-sized
options (peer-id would be possible, but cipher would already be
trickier).

This is a bug though (sorry!), so attached a different proposal to fix
this.  I didn't test this yet (need to leave now), but lev just
announced on IRC that he was willing to test it.

-Steffan
From 957c54a7f4cefdc05e5e876195ef31a52c00f2b3 Mon Sep 17 00:00:00 2001
From: Steffan Karger 
Date: Thu, 29 Sep 2016 19:48:29 +0200
Subject: [PATCH] Fix duplicate PUSH_REPLY options

As reported by Lev Stipakov, starting from 3a5a46cf we add peer-id and
cipher values to context->options->push_list instead of adding those
directly to buf. Since push_list is preserved over sigusr1 restarts,
we add duplicate values for peer-id and cipher.

Fixed by removing the previous values from the list before adding new ones.

Signed-off-by: Steffan Karger 
---
 src/openvpn/errlevel.h | 1 +
 src/openvpn/options.c  | 1 +
 src/openvpn/push.c | 6 --
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/errlevel.h b/src/openvpn/errlevel.h
index da600ab..ae1f8f4 100644
--- a/src/openvpn/errlevel.h
+++ b/src/openvpn/errlevel.h
@@ -147,6 +147,7 @@
 #define D_PID_DEBUG  LOGLEV(7, 70, M_DEBUG)  /* show packet-id debugging info */
 #define D_PF_DROPPED_BCAST   LOGLEV(7, 71, M_DEBUG)  /* packet filter dropped a broadcast packet */
 #define D_PF_DEBUG   LOGLEV(7, 72, M_DEBUG)  /* packet filter debugging, must also define PF_DEBUG in pf.h */
+#define D_PUSH_DEBUG LOGLEV(7, 73, M_DEBUG)  /* show push/pull debugging info */
 
 #define D_HANDSHAKE_VERBOSE  LOGLEV(8, 70, M_DEBUG)  /* show detailed description of each handshake */
 #define D_TLS_DEBUG_MED  LOGLEV(8, 70, M_DEBUG)  /* limited info from tls_session routines */
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 53b4617..ccb6b28 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -5781,6 +5781,7 @@ add_option (struct options *options,
   else if (streq (p[0], "push-remove") && p[1] && !p[2])
 {
   VERIFY_PERMISSION (OPT_P_INSTANCE);
+  msg (D_PUSH, "PUSH_REMOVE '%s'", p[1]);
   push_remove_option (options,p[1]);
 }
   else if (streq (p[0], "ifconfig-pool") && p[1] && p[2] && !p[4])
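Review bot: The `msg (D_PUSH, "PUSH_REMOVE '%s'", p[1])` line added in the `push-remove` branch is a logging change that the commit message does not mention: combined with the demotion to D_PUSH_DEBUG in push.c, the D_PUSH-level line is now printed only for `push-remove` coming from the configuration, not for the internal peer-id and cipher removals. Add a sentence about that to the description so the log-level change is not read as accidental.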
diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index a1b999e..4d1dd34 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -314,6 +314,7 @@ prepare_push_reply (struct options *o, struct tls_multi *tls_multi)
   int r = sscanf(optstr, "IV_PROTO=%d", &proto);
   if ((r == 1) && (proto >= 2))
 	{
+	  push_remove_option(o, "peer-id");
 	  push_option_fmt(o, M_USAGE, "peer-id %d", tls_multi->peer_id);
 	}
 }
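Review bot: In the `proto >= 2` branch the old `peer-id` entry is disabled before `push_option_fmt` runs, and the result of `push_option_fmt` is ignored, so a failed add leaves the list with no enabled peer-id entry at all. Check the return value and fail the reply (or log) when the new entry could not be added.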
@@ -337,6 +338,7 @@ prepare_push_reply (struct options *o, struct tls_multi *tls_multi)
 	   * TODO: actual negotiation, instead of server dictatorship. */
 	  char *push_cipher = string_alloc(o->ncp_ciphers, &o->gc);
 	  o->ciphername = strtok (push_cipher, ":");
+	  push_remove_option(o, "cipher");
 	  push_option_fmt(o, M_USAGE, "cipher %s", o->ciphername);
 	}
 }
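Review bot: `push_remove_option(o, "cipher")` depends on the prefix comparison inside push_remove_option (`strncmp( e->option, p, strlen(p) )`), so it disables every enabled entry whose text starts with "cipher", including one that came from the server's own configuration rather than from an earlier reply. If that is intended, say so in a comment next to the call; otherwise match the option name only up to the first space.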
@@ -525,7 +527,7 @@ push_reset (struct options *o)
 void
 push_remove_option (struct options *o, const char *p)
 {
-  msg( D_PUSH, "PUSH_REMOVE '%s'", p );
+  msg (D_PUSH_DEBUG, "PUSH_REMOVE searching for: '%s'", p);
 
   /* ifconfig-ipv6 is special, as not part of the push list */
   if ( streq( p, "ifconfig-ipv6" ))
@@ -544,7 +546,7 @@ push_remove_option (struct options *o, const char *p)
 	  if ( e->enable &&
strncmp( e->option, p, strlen(p) ) == 0 )
 	{
-	  msg (D_PUSH, "PUSH_REMOVE removing: '%s'", e->option);
+	  msg (D_PUSH_DEBUG, "PUSH_REMOVE removing: '%s'", e->option);
 	  e->enable = false;
 	}
 
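Review bot: The matched entry is only marked `e->enable = false` and stays in the list, so with the remove-then-add calls in prepare_push_reply every sigusr1 restart leaves two more disabled entries in push_list, which the commit message says is preserved across restarts. Either overwrite or unlink the existing entry, or record the growth as a known limitation in the commit message.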
-- 
2.7.4
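
The duplicate-option bug and the remove-before-add fix discussed in this message, as an added toy model in C (not OpenVPN source and not part of the original mail). Every type and function name, the 16-entry cap and the sample options are assumptions made for illustration.

```c
/* Added illustration: toy model of a push list reused across restarts.
 * All names are hypothetical; this is not OpenVPN source code. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 16   /* assumed cap; stands in for unbounded list growth */
#define OPT_LEN     64

struct push_entry { bool enable; char option[OPT_LEN]; };
struct push_list  { struct push_entry e[MAX_ENTRIES]; int n; };

/* Append an enabled entry; false if the list is full or the option is too long. */
static bool push_add(struct push_list *l, const char *opt)
{
    if (l->n >= MAX_ENTRIES || strlen(opt) >= OPT_LEN)
        return false;
    l->e[l->n].enable = true;
    strcpy(l->e[l->n].option, opt);
    l->n++;
    return true;
}

/* Disable every enabled entry that starts with `name` (prefix match, as in
 * the strncmp() visible in the patch context). Entries are not unlinked. */
static int push_remove(struct push_list *l, const char *name)
{
    int hits = 0;
    size_t len = strlen(name);
    for (int i = 0; i < l->n; i++) {
        if (l->e[i].enable && strncmp(l->e[i].option, name, len) == 0) {
            l->e[i].enable = false;
            hits++;
        }
    }
    return hits;
}

/* Serialize enabled entries as "PUSH_REPLY,opt,opt"; false if buf is too small. */
static bool build_reply(const struct push_list *l, char *buf, size_t cap)
{
    int used = snprintf(buf, cap, "PUSH_REPLY");
    if (used < 0 || (size_t)used >= cap)
        return false;
    for (int i = 0; i < l->n; i++) {
        if (!l->e[i].enable)
            continue;
        size_t room = cap - (size_t)used;
        int w = snprintf(buf + used, room, ",%s", l->e[i].option);
        if (w < 0 || (size_t)w >= room)
            return false;
        used += w;
    }
    return true;
}

/* Reconnect `restarts` times on one reused list; false if an add fails. */
static bool simulate(struct push_list *l, int restarts, bool remove_first)
{
    char opt[OPT_LEN];
    l->n = 0;
    if (!push_add(l, "route 10.8.0.0 255.255.255.0"))  /* constructed sample */
        return false;
    for (int i = 0; i < restarts; i++) {
        if (remove_first) push_remove(l, "peer-id");
        snprintf(opt, sizeof opt, "peer-id %d", i);
        if (!push_add(l, opt)) return false;
        if (remove_first) push_remove(l, "cipher");
        if (!push_add(l, "cipher AES-256-GCM")) return false;
    }
    return true;
}

/* Number of peer-id options in the reply after `restarts`, or -1 on failure. */
int peer_ids_after(int restarts, bool remove_first)
{
    struct push_list l;
    char buf[512];
    int n = 0;
    if (!simulate(&l, restarts, remove_first) || !build_reply(&l, buf, sizeof buf))
        return -1;
    for (const char *p = buf; (p = strstr(p, ",peer-id ")) != NULL; p++)
        n++;
    return n;
}

/* Total list length (enabled plus disabled) after `restarts`, or -1 on failure. */
int list_len_after(int restarts, bool remove_first)
{
    struct push_list l;
    return simulate(&l, restarts, remove_first) ? l.n : -1;
}

int main(void)
{
    printf("without remove: %d peer-id options\n", peer_ids_after(3, false));
    printf("with remove:    %d peer-id option, %d list entries\n",
           peer_ids_after(3, true), list_len_after(3, true));
    printf("8 restarts:     %d (list exhausted)\n", peer_ids_after(8, true));
    return 0;
}
```

With the fix the reply carries a single peer-id, yet the list still gains two disabled entries per restart, which is the growth the later "separate list" patch on this page sets out to remove.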



[Openvpn-devel] Topics for today's (Monday, 10th Oct 2016) community meeting

2016-10-10 Thread Samuli Seppänen
Hi,

We're going to have an IRC meeting today starting at 20:00 CEST (18:00 
UTC) on #openvpn-meeting  irc.freenode.net. You do not have to be 
logged in to Freenode to join the channel.

Current topic list along with basic information is here:



If you have any other things you'd like to bring up, respond to this 
mail, send me mail privately or add them to the list yourself.

In case you can't attend the meeting, please feel free to make comments 
on the topics by responding to this email or to the summary email sent 
after the meeting. Whenever possible, we'll also respond to existing, 
related email threads.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] New SHA1-signed Windows XP installers ready for testing

2016-10-10 Thread Samuli Seppänen
On 10/10/2016 14:37, debbie10t wrote:
>
>
> On 10/10/16 10:17, Samuli Seppänen wrote:
>> Hi,
>>
>> New Windows XP installers signed with a new SHA1 code-signing
>> certificate are now available:
>>
>> 
>> 
>>
>> Could someone verify that Windows XP can recognize the SHA1 signature
>> correctly?
>>
>
> This worked completely normally on WXP-Pro-SP3 32bit VM.
> (I do not have access to 64bit WXP)

Ok, excellent! I will update the release page then.

Thanks,

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] [PATCH applied] Fix duplicate PUSH_REPLY options

2016-10-10 Thread Gert Doering
Thanks.

Your patch has been applied to the master branch

commit 974ec19daa6c9d4e954912b3743c7101637f1d33
Author: Steffan Karger
Date:   Thu Sep 29 19:48:29 2016 +0200

 Fix duplicate PUSH_REPLY options

 Signed-off-by: Steffan Karger 
 Acked-by: Lev Stipakov 
 Message-Id: 

 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12642.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




Re: [Openvpn-devel] [PATCH] Windows: do_ifconfig() after open_tun()

2016-10-10 Thread Samuli Seppänen
On 09/10/2016 18:25, Gert Doering wrote:
> Hi,
>
> On Sun, Oct 09, 2016 at 05:06:59PM +0200, Gert Doering wrote:
>> Running more tests with that hunk reverted next...
>
> With the following patch applied on top of Heiko's patch
>
> diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
> index 4a11d10..1250547 100644
> --- a/src/openvpn/tun.c
> +++ b/src/openvpn/tun.c
> @@ -1373,11 +1373,13 @@ do_ifconfig (struct tuntap *tt,
>   else
> {
>   /* example: netsh interface ipv6 set address interface=42 
> 2001:608:8003::d store=active */
> + char iface[64];
> + openvpn_snprintf(iface, sizeof(iface), "interface=%lu", 
> tt->adapter_index );
>   argv_printf (&argv,
> -  "%s%sc interface ipv6 set address interface=%lu %s 
> store=active",
> +  "%s%sc interface ipv6 set address %s %s store=active",
>get_win_sys_path(),
>NETSH_PATH_SUFFIX,
> -  tt->adapter_index,
> +  iface,
>ifconfig_ipv6_local );
>   netsh_command (&argv, 4, M_FATAL);
> }
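Review bot: The new `char iface[64]` and `openvpn_snprintf` step ahead of `argv_printf` carries no comment saying why `interface=%lu` can no longer be formatted by `argv_printf` directly, so a later cleanup could fold it back into the format string. Add a short comment above `iface` stating the reason, and handle the `openvpn_snprintf` result if it can report truncation.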
>
>
> ... the resulting binary now actually works :-) - tested on win7, without(!)
> iservice (because Heiko already tested that), testing all the variants
> of "--ip-win32".  Only a single tap adapter in the system, but will test
> with 2-3 taps next (and trying to run multiple instances).
>
> I've done a "v2" of Heiko's patch with that change included, which I'll
> append below.  Samuli, could you build us a windows installer with master
> plus that patch, for "windows early alpha testing"?  If that change
> works for people, we are very close to 2.4_alpha1...
>
> gert
>

Installers with the attached patch:




-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] Topics for today's (Monday, 10th Oct 2016) community meeting

2016-10-10 Thread Jonathan K. Bullard
On Mon, Oct 10, 2016 at 8:56 AM, Samuli Seppänen  wrote:
>
> We're going to have an IRC meeting today starting at 20:00 CEST (18:00
> UTC) on #openvpn-meeting  irc.freenode.net. You do not have to be
> logged in to Freenode to join the channel.

I can't attend the meeting, so here is a simple (maybe stupid, too!) question:

Will 2.4alpha1 come directly from the master branch?

Tunnelblick betas include a  copy of OpenVPN built from the GitHub
master branch (along with a 2.3 copy with 2.3.x), so it would be nice
to know that it includes something close to 2.4alpha1. Tunnelblick
3.6.9beta1, for example, includes a copy of OpenVPN built from the
GitHub master branch as of bae1ad7 [1]. The latest beta includes
LibreSSL and OpenSSL versions of each OpenVPN, too.

Best regards,

Jon Bullard

[1] 
https://github.com/OpenVPN/openvpn/commit/bae1ad7005fd9a1fadeed56370a9ac5422a33fee



Re: [Openvpn-devel] Topics for today's (Monday, 10th Oct 2016) community meeting

2016-10-10 Thread Arne Schwabe


On 10.10.16 at 16:15, Jonathan K. Bullard wrote:
> On Mon, Oct 10, 2016 at 8:56 AM, Samuli Seppänen  wrote:
>> We're going to have an IRC meeting today starting at 20:00 CEST (18:00
>> UTC) on #openvpn-meeting  irc.freenode.net. You do not have to be
>> logged in to Freenode to join the channel.
> I can't attend the meeting, so here is a simple (maybe stupid, too!) question:
>
> Will 2.4alpha1 come directly from the master branch?
>
More or less. At some point we will branch 2.4 from master but until
then 2.4 == master.

Arne




[Openvpn-devel] [PATCH v3] Use separate list for per-client push options

2016-10-10 Thread Lev Stipakov
v3:
 - rebase on master

v2:
 - Also move ifconfig and ipv6-ifconfig to separate options list

Move client-specific push options (currently peer-id and cipher) to a
separate list, which is deallocated after push_reply
has been sent. This makes sure that options fit into buf,
are not duplicated, and do not leak memory on renegotiation.

Signed-off-by: Lev Stipakov 
---
 src/openvpn/push.c | 188 +
 1 file changed, 104 insertions(+), 84 deletions(-)

diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index df4f596..1f28826 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -40,26 +40,29 @@
 
 #if P2MP
 
+static char push_reply_cmd[] = "PUSH_REPLY";
+
 /**
- * Add an option to the push list by providing a format string.
+ * Add an option to the given push list by providing a format string.
  *
  * The string added to the push options is allocated in o->gc, so the caller
  * does not have to preserve anything.
  *
- * @param oThe current connection's options
- * @param msglevel The message level to use when printing errors
+ * @param gc   GC arena where options are allocated
+ * @param push_list Push list containing options
+ * @param msglevel  The message level to use when printing errors
  * @param fmt  Format string for the option
  * @param ...  Format string arguments
  *
  * @return true on success, false on failure.
  */
-static bool push_option_fmt(struct options *o, int msglevel,
+static bool push_option_fmt(struct gc_arena *gc, struct push_list *push_list, 
int msglevel,
 const char *fmt, ...)
 #ifdef __GNUC__
 #if __USE_MINGW_ANSI_STDIO
-__attribute__ ((format (gnu_printf, 3, 4)))
+__attribute__ ((format (gnu_printf, 4, 5)))
 #else
-__attribute__ ((format (__printf__, 3, 4)))
+__attribute__ ((format (__printf__, 4, 5)))
 #endif
 #endif
 ;
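Review bot: The unchanged comment line "The string added to the push options is allocated in o->gc" is stale now that push_option_fmt takes `gc` and `push_list` instead of `o`; update it to name the `gc` parameter. `push_reply_cmd` is not written anywhere in the visible lines and could be declared `static const char`.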
@@ -295,16 +298,39 @@ send_push_request (struct context *c)
 /**
  * Prepare push options, based on local options and available peer info.
  *
- * @param options  Connection options
- * @param tls_multiTLS state structure for the current tunnel
+ * @param context  context structure storing data for VPN tunnel
+ * @param gc   gc arena for allocating push options
+ * @param push_listpush list to where options are added
  *
  * @return true on success, false on failure.
  */
 static bool
-prepare_push_reply (struct options *o, struct tls_multi *tls_multi)
+prepare_push_reply (struct context *c, struct gc_arena *gc, struct push_list 
*push_list)
 {
   const char *optstr = NULL;
+  const struct tls_multi *tls_multi = c->c2.tls_multi;
   const char * const peer_info = tls_multi->peer_info;
+  struct options *o = &c->options;
+
+  /* ipv6 */
+  if (c->c2.push_ifconfig_ipv6_defined && !o->push_ifconfig_ipv6_blocked)
+{
+  push_option_fmt (gc, push_list, M_USAGE, "ifconfig-ipv6 %s/%d %s",
+  print_in6_addr (c->c2.push_ifconfig_ipv6_local, 0, gc),
+  c->c2.push_ifconfig_ipv6_netbits,
+  print_in6_addr (c->c2.push_ifconfig_ipv6_remote, 0, gc));
+}
+
+  /* ipv4 */
+  if (c->c2.push_ifconfig_defined && c->c2.push_ifconfig_local && 
c->c2.push_ifconfig_remote_netmask)
+{
+  in_addr_t ifconfig_local = c->c2.push_ifconfig_local;
+  if (c->c2.push_ifconfig_local_alias)
+   ifconfig_local = c->c2.push_ifconfig_local_alias;
+  push_option_fmt (gc, push_list, M_USAGE, "ifconfig %s %s",
+  print_in_addr_t (ifconfig_local, 0, gc),
+  print_in_addr_t (c->c2.push_ifconfig_remote_netmask, 0, 
gc));
+}
 
   /* Send peer-id if client supports it */
   optstr = peer_info ? strstr(peer_info, "IV_PROTO=") : NULL;
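Review bot: The new ifconfig-ipv6 and ifconfig blocks ignore the result of `push_option_fmt`, although that function is documented to return false on failure and prepare_push_reply itself returns bool, so a failed add would go unnoticed and the client would get a reply without its address. Consider returning false when either call fails. The doc block also names the first parameter `@param context` while the signature calls it `c`.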
@@ -314,8 +340,7 @@ prepare_push_reply (struct options *o, struct tls_multi 
*tls_multi)
   int r = sscanf(optstr, "IV_PROTO=%d", &proto);
   if ((r == 1) && (proto >= 2))
{
- push_remove_option(o, "peer-id");
- push_option_fmt(o, M_USAGE, "peer-id %d", tls_multi->peer_id);
+ push_option_fmt(gc, push_list, M_USAGE, "peer-id %d", 
tls_multi->peer_id);
}
 }
 
@@ -325,7 +350,7 @@ prepare_push_reply (struct options *o, struct tls_multi 
*tls_multi)
   /* if we have already created our key, we cannot change our own
* cipher, so disable NCP and warn = explain why
*/
-  struct tls_session *session = &tls_multi->session[TM_ACTIVE];
+  const struct tls_session *session = &tls_multi->session[TM_ACTIVE];
   if ( session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized )
{
   msg( M_INFO, "PUSH: client wants to negotiate cipher (NCP), but "
@@ -336,87 +361,76 @@ prepare_push_reply (struct options *o, struct tls_multi 
*tls_multi)
{
  /* Push the first cipher from --ncp-ciphers to the client.
   * TODO: actual negotiation, instead of server dictatorship. */
- char *push_cipher = string_alloc(o->n

Re: [Openvpn-devel] [PATCH] Windows: do_ifconfig() after open_tun()

2016-10-10 Thread debbie10t
Hi

On 10/10/16 14:42, Samuli Seppänen wrote:

> Installers with the attached patch:
>
> 
> 
>

For the hell of it I tested -i686 on WXP ..
It successfully installs but then fails to run, missing fwpuclnt.dll

You may want to include a refusal to install on WXP ?

Regards




Re: [Openvpn-devel] [PATCH] Enable -D_SVR4_2 for compilation on Solaris

2016-10-10 Thread Matthias Andree
On 10.10.2016 at 09:39, Gert Doering wrote:
> + CPPFLAGS="$CPPFLAGS -D_XPG4_2"
NAK. Description mismatches content. Please revert and reapply with
proper description.



Re: [Openvpn-devel] [PATCH] Enable -D_SVR4_2 for compilation on Solaris

2016-10-10 Thread Gert Doering
Hi,

On Mon, Oct 10, 2016 at 07:23:33PM +0200, Matthias Andree wrote:
> On 10.10.2016 at 09:39, Gert Doering wrote:
> > +   CPPFLAGS="$CPPFLAGS -D_XPG4_2"
> NAK. Description mismatches content. Please revert and reapply with
> proper description.

Indeed.  Silly me.  So much effort for a one-line change.

Thanks for pointing that out.

commit 4e2038ed2e77aa7189852304d802382bad140f53
Author: Gert Doering 
Date:   Mon Oct 10 09:39:31 2016 +0200

Enable -D_XPG4_2 for compilation on Solaris
...
(v2: same patch as in 6eaa70e80aea7, reverted in e25d03a4cc0, and now
with correct description)

commit e25d03a4cc0664f6ece067facb1bc8e38134f396
Author: Gert Doering 
Date:   Mon Oct 10 19:36:20 2016 +0200

Revert "Enable -D_SVR4_2 for compilation on Solaris"

This reverts commit 6eaa70e80aea7dfd1b3114fcb369a8f72c19ceee.
(the description was incorrect and the patch was already pushed out)


gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] [PATCH] Windows: do_ifconfig() after open_tun()

2016-10-10 Thread Samuli Seppänen
On 10/10/2016 18:09, debbie10t wrote:
> Hi
>
> On 10/10/16 14:42, Samuli Seppänen wrote:
>
>> Installers with the attached patch:
>>
>> 
>> 
>>
>
> For the hell of it I tested -i686 on WXP ..
> It successfully installs but then fails to run, missing fwpuclnt.dll
>
> You may want to include a refusal to install on WXP ?
>

Hi,

We did exactly that in "Fail if trying to run I60x installer on Windows 
XP" commit:


 


Even though that change was crafted pretty carefully, it made all 
installers - including I00x ones - fail on Windows XP. So we had to 
revert the change:



I have not had time to look into that issue again. If somebody has a 
clue why the NSI code in commit 65e328c89 did not work please let me know.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



[Openvpn-devel] [PATCH applied] Re: Enable TCP non-linear packet ID

2016-10-10 Thread Gert Doering
ACK.  

Amazingly simple - "just remove all notion of TCP in the packet ID code".

Your patch has been applied to the master branch.

I have fixed a small whitespace error in comp.c.

commit 55755e6ee56516c96525e6bf313c173653af1a4b
Author: Arne Schwabe
Date:   Sat Sep 17 16:15:38 2016 +0200

 Enable TCP non-linear packet ID

 Acked-by: Gert Doering 
 Message-Id: <1474121738-19420-1-git-send-email-a...@rfc2549.org>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12513.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




Re: [Openvpn-devel] [PATCH v4] Remove tun-ipv6 Option. Instead assume that IPv6 is always supported.

2016-10-10 Thread Gert Doering
Hi,

On Sat, Sep 17, 2016 at 12:36:16PM +0200, Arne Schwabe wrote:
> @@ -1127,6 +1127,8 @@ do_ifconfig (struct tuntap *tt,
>if ( do_ipv6 )
>   {
>  #ifdef NETBSD_MULTI_AF
> +#error no IPv6 support for tun interfaces on NetBSD before 4.0, upgrade your 
> system.
> +#endif

If we keep this, this needs to be an #ifndef (you change the if/else
branches).  But I think this could also just go - 4.0 has been released
9 years ago.  It will fail at compile time, and then people can either
use 2.3 or upgrade their NetBSD.

Besides that, I think it mostly looks good.  Needs explicit testing
on those platforms where tun.c got changed (which I did not do yet).

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] [PATCH v3] Use separate list for per-client push options

2016-10-10 Thread Steffan Karger
Hi,

On 10-10-16 16:54, Lev Stipakov wrote:
> Move client-specific push options (currently peer-id and cipher) to a
> separate list, which is deallocated after push_reply
> has been sent. This makes sure that options fit into buf,
> are not duplicated, and do not leak memory on renegotiation.

Feature-ACK.  Very needed refactoring.

But some very minor comments:

> - * @param o  The current connection's options
> - * @param msglevel   The message level to use when printing errors
> + * @param gc GC arena where options are allocated
> + * @param push_list Push list containing options
> + * @param msglevel  The message level to use when printing errors
>   * @param fmtFormat string for the option

Some whitespace inconsistencies here (looks funny with ts=8).

> +prepare_push_reply (struct context *c, struct gc_arena *gc, struct push_list 
> *push_list)

> +  if (c->c2.push_ifconfig_defined && c->c2.push_ifconfig_local && 
> c->c2.push_ifconfig_remote_netmask)

> +   push_option_fmt(gc, push_list, M_USAGE, "peer-id %d", 
> tls_multi->peer_id);

These lines exceed 80 chars (and won't get much harder to read from
wrapping), so please wrap them.

I ran some smoke tests, but my jenkins broke down so didn't test very
thoroughly.  Still, the code looks very reasonable and smoke tests
succeed, so ACK if the above nitpicks are taken care of.

-Steffan



[Openvpn-devel] Summary of today's (Monday, 10th Oct 2016) community meeting

2016-10-10 Thread Samuli Seppänen

Hi,

Here's the summary of yesterday's IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Monday 10th October 2016
Time: 20:00 CEST (18:00 UTC)

Planned meeting topics for this meeting were here:



The next meeting has not been scheduled yet.

Your local meeting time is easy to check from services such as



SUMMARY

cron2, danhunsaker, jamesyonan, lev, mattock, plaisthos, snair and 
syzzer participated in this meeting.


---

Discussed testing procedures for the "Windows: do_ifconfig() after 
open_tun()" patch version 2. While the patch passed cron2's test 
scripts, it was agreed that we should give people a chance to test the 
patch in their environments before releasing 2.4-alpha1.


Installers that contain the patch are already available here:




Things/use-cases that should be tested in particular are:

- Running without OpenVPN-GUI
- Running without the Interactive Service
- Running --server (on Windows)
- Using more than one tap adapter
- General openvpnserv2 testing

Mattock will make announcements about these installers (and subsequent 
installers) to the mailing lists as well as forums.



---

Discussed the "hide the scary message during Windows install" issue. The 
message is caused by


"sc.exe start OpenVPNServiceInteractive"

and it looks a lot like an error/warning, even though it is benign.

Mattock will try to make sc.exe less verbose.

---

Discussed management of IV_* (capability) values that clients send to 
the server. It was agreed that binding an IV_PROTO= level to a set of 
more fine-grained IV_ advertisements makes sense. While the 
space available for IV_* values is limited, OpenVPN 3 has worked around 
this without changing the protocol:




The same approach makes sense for OpenVPN 2.4 also. Adding receive 
(server) support would be safe to implement, but adding send (client) 
support needs to be done carefully so as not to break anything. This 
capability was not seen as a "must have" for OpenVPN 2.4-alpha1.


---

Discussed OpenVPN-GUI fixes from snair that should be included in 
2.4-alpha1:




Mattock will have a look tomorrow and produce new installers as necessary.

---

Discussed OpenVPN 2.3.13 release. Three things are missing:

1. recursive routing
2. block-outside-dns v2
3. 64MB renegotiation for 64-bit block ciphers

Cron2 will take care of 1-2, and syzzer will tackle 3.

---

Preliminary release date for OpenVPN 2.4-alpha1 was set to late this 
week. If we don't get Windows test reports then we may have to postpone 
the release a bit. OpenVPN 2.3.13 release date was set to "early next week".


---

Full chatlog has been attached to this email.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

(21:00:23) The topic for #openvpn-meeting was set by 
valdikss!~valdikss@2a02:7aa0:1619::2c32:9c23 at 21:38:35 on 22/08/2016
(21:00:39) lev__: sorry for that :(
(21:00:41) mattock: howdy
(21:01:07) syzzer: lev__: sorry?  no need, this is needed refactoring.
(21:01:34) ***lev__ was trying to make a joke
(21:01:39) cron2: more like "thanks for taking this" :)
(21:02:33) syzzer: ok, good ;)
(21:02:51) mattock: so meeting time now
(21:02:57) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2016-10-10
(21:02:58) vpnHelper: Title: Topics-2016-10-10 – OpenVPN Community (at 
community.openvpn.net)
(21:03:13) mattock: request in #1 was fulled hours ago
(21:03:25) mattock: fulfilled :)
(21:03:29) ***cron2 likes to borrow that time machine
(21:04:59) ibins [~ib...@55d4345d.access.ecotel.net] has entered the room.
(21:05:50) mattock: sent mail about it 5 hours ago, but the links are on the 
agenda
(21:06:25) cron2: I've seen the mail (and I think I already said thanks) :-)
(21:06:47) mattock: ok
(21:06:55) mattock: did you have time to run the tests?
(21:07:09) cron2: so - if this isn't breaking people's windows setups, we can 
merge it, and have all "MUST HAVE!" bits for 2.4_alpha1
(21:07:45) cron2: there's more stuff out there that should go into 2.4 (TCP_NL, 
recursive routing, push option cleanup, ...) but this is more easily testable
(21:09:30) cron2: mattock: looking at plaisthos' TCP_NL patch - do you have an 
OpenVPN 3 test server available that we can test this against?
(21:09:41) mattock: no, I don't have one, but james might
(21:10:08) danhunsaker: James has ALL THE v3 SERVERS.
(21:10:18) cron2: *g*
(21:11:02) mattock: regarding windows testing: perhaps we should announce the 
installers I created so that (in theory) somebody would test it bef

Re: [Openvpn-devel] Summary of today's (Monday, 10th Oct 2016) community meeting

2016-10-10 Thread debbie10t


On 10/10/16 21:26, Samuli Seppänen wrote:
> Discussed testing procedures for the "Windows: do_ifconfig() after
> open_tun()" patch version 2. While the patch passed cron2's test
> scripts, it was agreed that we should give people a chance to test the
> patch in their environments before releasing 2.4-alpha1.
>
> Installers that contain the patch are already available here:
>
> 
>
> 
>
>
> Things/use-cases that should be tested in particular are:
>
> - Running without OpenVPN-GUI
> - Running without the Interactive Service
> - Running --server (on Windows)
> - Using more than one tap adapter
> - General openvpnserv2 testing
>
> Mattock will make announcements about these installers (and subsequent
> installers) to the mailing lists as well as forums.
>

I am now running
openvpn-install-2.3_git-do-ifconfig-after-tun-v2-I601-x86_64
on Win10Pro OVPN Server with half a dozen mixed win/linux clients
and also running as a client with second TAP adapter
Using openvpnserv2

So far: No problems!

Regards



[Openvpn-devel] (no subject)

2016-10-10 Thread Leon Tanoh
172.29.29.1