Re: [Openvpn-devel] [PATCH] configure.ac: fix default behavior

2014-11-21 Thread Yegor Yefremov
On Fri, Nov 21, 2014 at 8:40 PM, Yegor Yefremov wrote:
> Set enable_password_save to "yes" if the option is not given,
> as stated in the description.
>
> Signed-off-by: Yegor Yefremov 
> ---
>  configure.ac | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/configure.ac b/configure.ac
> index 608ab6d..9dcd2ab 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -166,7 +166,7 @@ AC_ARG_ENABLE(
> [password-save],
> [AS_HELP_STRING([--enable-password-save], [allow --askpass and 
> --auth-user-pass passwords to be read from a file @<:@default=yes@:>@])],
> ,
> -   [enable_password_save="no"]
> +   [enable_password_save="yes"]
>  )
>
>  AC_ARG_ENABLE(

This patch is a result of our IRC discussion with Arne. The alternative
approach was to always build with the password-save functionality, without
a configure option at all.

Yegor



[Openvpn-devel] [PATCH] configure.ac: fix default behavior

2014-11-21 Thread Yegor Yefremov
Set enable_password_save to "yes" if the option is not given,
as stated in the description.

Signed-off-by: Yegor Yefremov 
---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index 608ab6d..9dcd2ab 100644
--- a/configure.ac
+++ b/configure.ac
@@ -166,7 +166,7 @@ AC_ARG_ENABLE(
[password-save],
[AS_HELP_STRING([--enable-password-save], [allow --askpass and 
--auth-user-pass passwords to be read from a file @<:@default=yes@:>@])],
,
-   [enable_password_save="no"]
+   [enable_password_save="yes"]
 )

 AC_ARG_ENABLE(
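Review bot: the hunk resolves the mismatch between the help string's `@<:@default=yes@:>@` and the `[enable_password_save="no"]` fallback by choosing the more permissive of the two, so reading --askpass and --auth-user-pass credentials from a file is now compiled in unless someone passes --disable-password-save. That may well be the intended outcome, but the commit message should say why "yes" is right and correcting the help string to default=no is not, since this flips a security-relevant build default for everyone who has been relying on the documented option without passing it.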
-- 
1.8.3.2




[Openvpn-devel] [PATCH] Fix to --shaper documentation on the man-page

2014-11-21 Thread samuli
From: Samuli Seppänen 

Trac: #413
Trac-URL: https://community.openvpn.net/openvpn/ticket/413
Signed-off-by: Samuli Seppänen 
---
 doc/openvpn.8 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 8fca9aa..96ba555 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -1437,6 +1437,7 @@ Currently defaults to 100.
 Limit bandwidth of outgoing tunnel data to
 .B n
 bytes per second on the TCP/UDP port.
+Note that this will only work if mode is set to p2p.
 If you want to limit the bandwidth
 in both directions, use this option on both peers.
 
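Review bot: the added sentence refers to an option with bare words ("mode", "p2p") while the surrounding text marks up option values with roff macros (`.B n` two lines above); for consistency and so the option name is typeset and searchable as one, write it as `Note that this will only work if` / `.B --mode p2p` / `is used.` or similar. It would also help the reader to state what happens when --shaper is given in server mode (silently ignored or rejected at option parsing), since that is the case the note is warning about.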
-- 
1.9.1




[Openvpn-devel] [PATCH] Peer-id patch v6

2014-11-21 Thread Lev Stipakov
Added a new packet format, P_DATA_V2, which includes a peer-id. If the server
supports it, the client sends all data packets in the new format. When a data
packet arrives, the server identifies the peer by peer-id. If the peer's ip/port has
changed, the server assumes that the client has floated, verifies the HMAC and
updates the ip/port in its internal structs.

Changes in v6:
Fixed: Make sure a float won't happen if the HMAC check failed (regression).
Fixed: Access outside the bounds of an array, which caused memory corruption
and a crash.
Various review fixes.

Changes in v5:
Protection against replay attacks by committing float changes only after the
existing packet processing flow has completed.

If a peer floats to an address which is already taken by another active
session, drop the float packet; otherwise disconnect the existing session.

Changes in v4:
Correctly handles a float to an address which is used by another peer.
This also fixed a crash on an assert in multi_client_disconnect.

Changes in v3:
Bugfix: If a float happens after TLS renegotiation and there are no
data packets between the reneg and the float, the server will not recognize the floated client.
---
 src/openvpn/forward.c| 50 -
 src/openvpn/forward.h|  2 +
 src/openvpn/init.c   | 12 +-
 src/openvpn/mudp.c   | 57 +---
 src/openvpn/mudp.h   |  2 +-
 src/openvpn/multi.c  | 97 ++--
 src/openvpn/multi.h  | 13 +++
 src/openvpn/options.c|  6 +++
 src/openvpn/options.h|  5 +++
 src/openvpn/push.c   | 13 +++
 src/openvpn/ssl.c| 74 
 src/openvpn/ssl.h| 15 +++-
 src/openvpn/ssl_common.h |  4 ++
 13 files changed, 304 insertions(+), 46 deletions(-)

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 27b775f..b772d9a 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -722,20 +722,11 @@ read_incoming_link (struct context *c)
   perf_pop ();
 }

-/*
- * Input:  c->c2.buf
- * Output: c->c2.to_tun
- */
-
-void
-process_incoming_link (struct context *c)
+bool
+process_incoming_link_part1 (struct context *c, struct link_socket_info *lsi, 
bool floated)
 {
   struct gc_arena gc = gc_new ();
-  bool decrypt_status;
-  struct link_socket_info *lsi = get_link_socket_info (c);
-  const uint8_t *orig_buf = c->c2.buf.data;
-
-  perf_push (PERF_PROC_IN_LINK);
+  bool decrypt_status = false;

   if (c->c2.buf.len > 0)
 {
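Review bot: the `Input: c->c2.buf / Output: c->c2.to_tun` comment is deleted and nothing documents the new split. `process_incoming_link_part1` and `process_incoming_link_part2` need a header comment (forward.h, next to the existing one for `process_incoming_link`, is the natural place) stating the contract: part1 decrypts `c->c2.buf` in place and returns whether decryption succeeded, part2 does the post-decryption processing into `c->c2.to_tun`, and `floated` tells the decrypt path that the packet arrived from an address other than the one recorded for the peer. Note also that `perf_push (PERF_PROC_IN_LINK)` is no longer inside part1, so any caller of part1 other than `process_incoming_link` (the float path that passes `floated = true`) falls outside that measurement.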
@@ -805,7 +796,7 @@ process_incoming_link (struct context *c)
   * will load crypto_options with the correct encryption key
   * and return false.
   */
- if (tls_pre_decrypt (c->c2.tls_multi, >c2.from, >c2.buf, 
>c2.crypto_options))
+ if (tls_pre_decrypt (c->c2.tls_multi, >c2.from, >c2.buf, 
>c2.crypto_options, floated))
{
  interval_action (>c2.tmp_int);

@@ -832,11 +823,25 @@ process_incoming_link (struct context *c)
  /* decryption errors are fatal in TCP mode */
  register_signal (c, SIGUSR1, "decryption-error"); /* SOFT-SIGUSR1 -- 
decryption error in TCP mode */
  msg (D_STREAM_ERRORS, "Fatal decryption error 
(process_incoming_link), restarting");
- goto done;
}
-
+#else /* ENABLE_CRYPTO */
+  decrypt_status = true;
 #endif /* ENABLE_CRYPTO */
+}
+  else
+{
+  buf_reset (>c2.to_tun);
+}
+  gc_free ();

+  return decrypt_status;
+}
+
+void
+process_incoming_link_part2 (struct context *c, struct link_socket_info *lsi, 
const uint8_t *orig_buf)
+{
+  if (c->c2.buf.len > 0)
+{
 #ifdef ENABLE_FRAGMENT
   if (c->c2.fragment)
fragment_incoming (c->c2.fragment, >c2.buf, >c2.frame_fragment);
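Review bot: dropping `goto done` changes the fatal-decryption-error path in TCP mode: part1 now falls through to the gc_free and `return decrypt_status;` with `decrypt_status` still false, and the only thing that keeps part2 from processing the buffer is its own `if (c->c2.buf.len > 0)` check, i.e. the assumption that a failed decrypt left `c->c2.buf.len` at zero. If that is the invariant being relied on, state it in a comment next to the `return`; otherwise part2 should be guarded on part1's result rather than on buffer length, since a future change to the decrypt error handling would silently reopen the path.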
@@ -903,9 +908,20 @@ process_incoming_link (struct context *c)
 {
   buf_reset (>c2.to_tun);
 }
- done:
+}
+
+void
+process_incoming_link (struct context *c)
+{
+  perf_push (PERF_PROC_IN_LINK);
+
+  struct link_socket_info *lsi = get_link_socket_info (c);
+  const uint8_t *orig_buf = c->c2.buf.data;
+
+  process_incoming_link_part1(c, lsi, false);   
+  process_incoming_link_part2(c, lsi, orig_buf);
+
   perf_pop ();
-  gc_free ();
 }

 /*
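Review bot: `process_incoming_link` discards the bool returned by `process_incoming_link_part1` and calls `process_incoming_link_part2` unconditionally, so the return value that replaced the old `goto done` is never acted on here. Either guard the second call, e.g. `if (process_incoming_link_part1 (c, lsi, false))` before `process_incoming_link_part2 (c, lsi, orig_buf);`, or document that the return value exists for the float callers (not in this hunk) and that this caller may ignore it. Also strip the trailing whitespace after `false);`.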
diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h
index 1830a00..b9dfeea 100644
--- a/src/openvpn/forward.h
+++ b/src/openvpn/forward.h
@@ -161,6 +161,8 @@ void read_incoming_link (struct context *c);
  */
 void process_incoming_link (struct context *c);

+bool process_incoming_link_part1 (struct context *c, struct link_socket_info 
*lsi, bool floated);
+void process_incoming_link_part2 (struct context *c, struct link_socket_info 
*lsi, const uint8_t *orig_buf);

 /**
  * Write a packet to the external network interface.
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index a673be5..a135aa5 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1718,7 +1718,8 @@ pull_permission_mask (const struct context *c)
 | OPT_P_MESSAGES
 | OPT_P_EXPLICIT_NOTIFY
 | OPT_P_ECHO
-| OPT_P_PULL_MODE;
+| 

[Openvpn-devel] Topics for next Monday's (24th Nov 2014) community meeting

2014-11-21 Thread Samuli Seppänen
Hi,

We're having an IRC meeting on Monday, starting at 20:00 CET (19:00
UTC) on #openvpn-de...@irc.freenode.net. Current topic list along with
basic information is here:



If you have any other things you'd like to bring up, respond to this
mail, send me mail privately or add them to the list yourself.

In case you can't attend the meeting, please feel free to make comments
on the topics by responding to this email or to the summary email sent
after the meeting. Whenever possible, we'll also respond to existing,
related email threads.

NOTE: It's required to use a registered Freenode IRC nickname to join
#openvpn-devel - look here for details:



-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock