Re: [Openvpn-devel] [PATCH] Do not set the buffer size by default but rely on the operation system default.
On 11/10/15 19:44, Gert Doering wrote:
[...snip...]
> ChangeLog entries are good, but I disagree on the format (sorry) - what
> we have in ChangeLog *today* is basically "git shortlog $tag..$HEAD"
> when doing a release - so I think we should not mix the "user visible
> changes" in here, but maintain a separate file, eg. "CHANGES(.rst, .md)",
> for these.

Agreed! I see that the files Samuli added regarding contribution have .rst. I don't care if it is .rst or .md. But let's keep the same extension/format for CHANGES too.

> Alternative, rename ChangeLog to "GitShortlog.txt" and put the user visible
> changes into ChangeLog - but please do not mix.

Agreeing to the mixing. I think we should keep ChangeLog as is, as I believe that resembles the format used since the very beginning. Even though the verbosity has increased since we started using git and git shortlog. Some packagers or other interested parties may already have routines in place for grokking through our current ChangeLog file.

--
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH] Do not set the buffer size by default but rely on the operation system default.
Hi,

On Sun, Oct 11, 2015 at 04:25:30PM +0200, Steffan Karger wrote:
> > --- a/ChangeLog > > +++ b/ChangeLog > > @@ -1,6 +1,9 @@ > > OpenVPN Change Log > > Copyright (C) 2002-2012 OpenVPN Technologies, Inc.> > > > +2015.xx.xx -- Version 2.4.0 > > + - sndbuf and recvbuf default now to OS default instead of 65k > > +
> > Nice, changelog entries! But, 65k should be 64k.

ChangeLog entries are good, but I disagree on the format (sorry) - what we have in ChangeLog *today* is basically "git shortlog $tag..$HEAD" when doing a release - so I think we should not mix the "user visible changes" in here, but maintain a separate file, eg. "CHANGES(.rst, .md)", for these.

Alternative, rename ChangeLog to "GitShortlog.txt" and put the user visible changes into ChangeLog - but please do not mix.

(The rest of the patch is fine, but should mention trac #461 in the commit message - I'll amend if OK)

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [Openvpn-devel] [PATCH] Do not set the buffer size by default but rely on the operation system default.
On 11.10.2015 17:25, Steffan Karger wrote:
> On Sun, Oct 11, 2015 at 3:47 PM, Arne Schwabe wrote:
> Nice, changelog entries! But, 65k should be 64k.
>
> Am I right that it was tested that this indeed results in using
> operating system defaults?

Yes.

> -Steffan
Re: [Openvpn-devel] [PATCH] Do not set the buffer size by default but rely on the operation system default.
On Sun, Oct 11, 2015 at 3:47 PM, Arne Schwabewrote: > --- > ChangeLog | 3 +++ > doc/openvpn.8 | 4 ++-- > src/openvpn/options.c | 4 > 3 files changed, 5 insertions(+), 6 deletions(-) > > diff --git a/ChangeLog b/ChangeLog > index 7b945c8..9642adf 100644 > --- a/ChangeLog > +++ b/ChangeLog > @@ -1,6 +1,9 @@ > OpenVPN Change Log > Copyright (C) 2002-2012 OpenVPN Technologies, Inc. > > +2015.xx.xx -- Version 2.4.0 > + - sndbuf and recvbuf default now to OS default instead of 65k > + Nice, changelog entries! But, 65k should be 64k. > diff --git a/src/openvpn/options.c b/src/openvpn/options.c > index 6823167..2b0af34 100644 > --- a/src/openvpn/options.c > +++ b/src/openvpn/options.c > @@ -785,10 +785,6 @@ init_options (struct options *o, const bool init_gc) > #ifdef ENABLE_FEATURE_TUN_PERSIST >o->persist_mode = 1; > #endif > -#ifndef WIN32 > - o->rcvbuf = 65536; > - o->sndbuf = 65536; > -#endif > #ifdef TARGET_LINUX >o->tuntap_options.txqueuelen = 100; > #endif Am I right that it was tested that this indeed results in using operating system defaults? -Steffan
[Openvpn-devel] [PATCH] Implement the compression V2 data format for stub and lz4.
It has been tested against v3 server and against itself.

From James' mail:

Compression V2

I have observed that compression in many cases, even when enabled, often does not produce packet size reduction because much of the packet data typically generated by web sessions is already compressed. Further, the single byte that precedes the packet and indicates whether or not compression occurred has the unfortunate side effect of misaligning the IP packet in cases where compression did not occur.

To remedy this, I propose a Compression V2 header that is optimized for the case where compression does not occur.

a. No compression occurred and first byte of IP/Ethernet packet is NOT 0x50 (0 bytes of overhead and maintains alignment):

   [ uncompressed IP/Ethernet packet ]

b. No compression occurred and first byte of IP/Ethernet packet is 0x50 (2 bytes of overhead but unlikely since no known IP packet can begin with 0x50):

   [ 0x50 ] [ 0x00 ] [ uncompressed IP/Ethernet packet ]

c. Compression occurred (2 bytes of overhead):

   [ 0x50 ] [ compression Alg ID ] [ compressed IP/Ethernet packet ]

Compression Alg ID is one-byte algorithm identifier for LZ4 (0x1), LZO (0x2), or Snappy (0x3).

This approach has several beneficial effects:

1. In the common case where compression does not occur, no compression op is required, therefore there is zero overhead.
2. When compression does not occur, the IP/Ethernet packet alignment is retained.
3. This technique does not require any byte swapping with the tail of the packet which can potentially incur an expensive cache miss.

--- src/openvpn/comp-lz4.c | 191 ++--- src/openvpn/comp-lz4.h | 1 + src/openvpn/comp.c | 81 - src/openvpn/comp.h | 13 src/openvpn/compstub.c | 53 ++ src/openvpn/options.c | 10 +++ 6 files changed, 290 insertions(+), 59 deletions(-) diff --git a/src/openvpn/comp-lz4.c b/src/openvpn/comp-lz4.c index 4651148..3144717 100644 --- a/src/openvpn/comp-lz4.c +++ b/src/openvpn/comp-lz4.c
@@ -51,7 +51,7 @@ static void lz4_compress_init (struct compress_context *compctx) { msg (D_INIT_MEDIUM, "LZ4 compression initializing"); - ASSERT(compctx->flags & COMP_F_SWAP); + ASSERT(compctx->flags & COMP_F_SWAP || compctx->flags & COMP_F_COMPV2); } static void @@ -59,16 +59,12 @@ lz4_compress_uninit (struct compress_context *compctx) { } -static void -lz4_compress (struct buffer *buf, struct buffer work, - struct compress_context *compctx, - const struct frame* frame) +static bool +do_lz4_compress (struct buffer *buf, +struct buffer *work, +struct compress_context *compctx, +const struct frame* frame) { - bool compressed = false; - - if (buf->len <= 0) -return; - /* * In order to attempt compression, length must be at least COMPRESS_THRESHOLD. */ 
@@ -78,33 +74,50 @@ lz4_compress (struct buffer *buf, struct buffer work, int zlen_max = ps + COMP_EXTRA_BUFFER (ps); int zlen; - ASSERT (buf_init (, FRAME_HEADROOM (frame))); - ASSERT (buf_safe (, zlen_max)); + ASSERT (buf_init (work, FRAME_HEADROOM (frame))); + ASSERT (buf_safe (work, zlen_max)); if (buf->len > ps) { dmsg (D_COMP_ERRORS, "LZ4 compression buffer overflow"); buf->len = 0; - return; + return false; } - zlen = LZ4_compress_limitedOutput((const char *)BPTR(buf), (char *)BPTR(), BLEN(buf), zlen_max ); + zlen = LZ4_compress_limitedOutput((const char *)BPTR(buf), (char *)BPTR(work), BLEN(buf), zlen_max ); if (zlen <= 0) { dmsg (D_COMP_ERRORS, "LZ4 compression error"); buf->len = 0; - return; + return false; } - ASSERT (buf_safe (, zlen)); - work.len = zlen; - compressed = true; + ASSERT (buf_safe (work, zlen)); + work->len = zlen; + - dmsg (D_COMP, "LZ4 compress %d -> %d", buf->len, work.len); + dmsg (D_COMP, "LZ4 compress %d -> %d", buf->len, work->len); compctx->pre_compress += buf->len; - compctx->post_compress += work.len; + compctx->post_compress += work->len; + return true; } + return false; +} + + +static void +lz4_compress (struct buffer *buf, struct buffer work, + struct compress_context *compctx, + const struct frame* frame) +{ + if (buf->len <= 0) +return; + bool compressed = do_lz4_compress(buf, , compctx, frame); + + /* On Error just return */ + if (buf->len == 0) +return; /* did compression save us anything? */ { @@ -128,13 +141,73 @@ lz4_compress (struct buffer *buf, struct buffer work, } } + +static void +lz4v2_compress (struct buffer *buf, struct buffer work, + struct compress_context
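Review bot: the new ASSERT in lz4_compress_init, `ASSERT(compctx->flags & COMP_F_SWAP || compctx->flags & COMP_F_COMPV2);`, relies on `&` binding tighter than `||`; it reads as intended but should be written `ASSERT((compctx->flags & COMP_F_SWAP) || (compctx->flags & COMP_F_COMPV2));` so a later reader does not have to check precedence. In the do_lz4_compress hunk there is also a stray added blank line after `work->len = zlen;` that should be dropped. The `/* On Error just return */` early exit in the new lz4_compress only covers the case where do_lz4_compress zeroed `buf->len`; when the buffer is below COMPRESS_THRESHOLD the function falls through with `compressed == false` to the "did compression save us anything?" check, which is the old behaviour and worth a one-line comment.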
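As an added example (not OpenVPN's code, and not from this patch), the three framing cases and the 0x50 escape from the Compression V2 description above as a small encoder and parser; the constant names, the status codes and the constructed self-test bytes are mine.

```c
/* Framing and parsing of the Compression V2 header described above.
 * Constants follow the description: 0x50 marker, alg ids 1=LZ4, 2=LZO,
 * 3=Snappy; 0x00 after the marker means "escaped, not compressed". */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define COMPV2_MARKER     0x50
#define COMPV2_ALG_NONE   0x00
#define COMPV2_ALG_LZ4    0x01
#define COMPV2_ALG_LZO    0x02
#define COMPV2_ALG_SNAPPY 0x03

/* Result of inspecting a received frame (names are mine). */
enum compv2_status {
    COMPV2_OK = 0,             /* header parsed; hdr_len/alg filled in */
    COMPV2_ERR_EMPTY = -1,     /* zero-length frame */
    COMPV2_ERR_TRUNCATED = -2, /* marker byte present but no alg byte */
    COMPV2_ERR_BAD_ALG = -3    /* unknown algorithm id after the marker */
};

/* Build the on-the-wire frame for one packet. payload is the raw packet
 * when compressed == false, otherwise the compressor's output.
 * Returns the frame length, or 0 if alg is invalid or out is too small. */
size_t compv2_frame(const uint8_t *payload, size_t len, bool compressed,
                    uint8_t alg, uint8_t *out, size_t outcap)
{
    size_t hdr;
    if (compressed) {
        if (alg < COMPV2_ALG_LZ4 || alg > COMPV2_ALG_SNAPPY) return 0;
        hdr = 2;                                 /* case c: [0x50][alg] */
    } else if (len > 0 && payload[0] == COMPV2_MARKER) {
        hdr = 2; alg = COMPV2_ALG_NONE;          /* case b: [0x50][0x00] escape */
    } else {
        hdr = 0;                                 /* case a: zero overhead */
    }
    if (hdr + len > outcap) return 0;
    if (hdr) { out[0] = COMPV2_MARKER; out[1] = alg; }
    memcpy(out + hdr, payload, len);
    return hdr + len;
}

/* Inspect a received frame. On COMPV2_OK, *hdr_len is the number of header
 * bytes to strip and *alg is COMPV2_ALG_NONE for an uncompressed packet or
 * the compressor id the remainder must be handed to. */
enum compv2_status compv2_parse(const uint8_t *in, size_t len,
                                size_t *hdr_len, uint8_t *alg)
{
    if (len == 0) return COMPV2_ERR_EMPTY;
    if (in[0] != COMPV2_MARKER) {                /* case a */
        *hdr_len = 0; *alg = COMPV2_ALG_NONE; return COMPV2_OK;
    }
    if (len < 2) return COMPV2_ERR_TRUNCATED;    /* lone marker byte */
    if (in[1] == COMPV2_ALG_NONE) {              /* case b */
        *hdr_len = 2; *alg = COMPV2_ALG_NONE; return COMPV2_OK;
    }
    if (in[1] < COMPV2_ALG_LZ4 || in[1] > COMPV2_ALG_SNAPPY)
        return COMPV2_ERR_BAD_ALG;               /* reject before decompressing */
    *hdr_len = 2; *alg = in[1]; return COMPV2_OK; /* case c */
}

/* Convenience wrapper returning only the status code. */
int compv2_status_of(const uint8_t *in, size_t len)
{
    size_t hdr; uint8_t alg;
    return compv2_parse(in, len, &hdr, &alg);
}

/* Round trip over the three cases plus malformed input, using constructed
 * sample bytes. Returns the number of checks that failed (0 = all good). */
int compv2_selftest(void)
{
    int failed = 0;
    uint8_t out[64]; size_t n, hdr; uint8_t alg;
    const uint8_t ipv4[]  = {0x45, 0x00, 0x00, 0x14}; /* constructed IPv4 header start */
    const uint8_t odd[]   = {0x50, 0x01, 0x02};       /* constructed, begins with 0x50 */
    const uint8_t zdata[] = {0xAA, 0xBB};             /* stands in for compressor output */

    n = compv2_frame(ipv4, sizeof ipv4, false, 0, out, sizeof out);
    failed += !(n == 4 && out[0] == 0x45);            /* case a: no header added */
    failed += !(compv2_parse(out, n, &hdr, &alg) == COMPV2_OK && hdr == 0 && alg == 0);

    n = compv2_frame(odd, sizeof odd, false, 0, out, sizeof out);
    failed += !(n == 5 && out[0] == 0x50 && out[1] == 0x00 && out[2] == 0x50);
    failed += !(compv2_parse(out, n, &hdr, &alg) == COMPV2_OK && hdr == 2 && alg == 0);

    n = compv2_frame(zdata, sizeof zdata, true, COMPV2_ALG_LZ4, out, sizeof out);
    failed += !(n == 4 && out[1] == COMPV2_ALG_LZ4);
    failed += !(compv2_parse(out, n, &hdr, &alg) == COMPV2_OK && hdr == 2 && alg == COMPV2_ALG_LZ4);

    failed += !(compv2_parse(out, 1, &hdr, &alg) == COMPV2_ERR_TRUNCATED);
    out[1] = 0x09;                                    /* unknown alg id */
    failed += !(compv2_parse(out, n, &hdr, &alg) == COMPV2_ERR_BAD_ALG);
    failed += !(compv2_parse(out, 0, &hdr, &alg) == COMPV2_ERR_EMPTY);
    return failed;
}
```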
[Openvpn-devel] [PATCH] Do not set the buffer size by default but rely on the operation system default.
--- ChangeLog | 3 +++ doc/openvpn.8 | 4 ++-- src/openvpn/options.c | 4 3 files changed, 5 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7b945c8..9642adf 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,9 @@ OpenVPN Change Log Copyright (C) 2002-2012 OpenVPN Technologies, Inc.+2015.xx.xx -- Version 2.4.0 + - sndbuf and recvbuf default now to OS default instead of 65k + 2012.09.12 -- Version 2.3_beta1 Arne Schwabe (7): Fixes error: --key fails with EXTERNAL_PRIVATE_KEY: No such file or directory if --management-external-key is used diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 3a86409..b6d5aed 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -1433,12 +1433,12 @@ connection problems) with the following options: .TP .B \-\-sndbuf size Set the TCP/UDP socket send buffer size. -Currently defaults to 65536 bytes. +Defaults to operation system default. .\"* .TP .B \-\-rcvbuf size Set the TCP/UDP socket receive buffer size. -Currently defaults to 65536 bytes. +Defaults to operation system default. .\"* .TP .B \-\-mark value diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 6823167..2b0af34 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -785,10 +785,6 @@ init_options (struct options *o, const bool init_gc) #ifdef ENABLE_FEATURE_TUN_PERSIST o->persist_mode = 1; #endif -#ifndef WIN32 - o->rcvbuf = 65536; - o->sndbuf = 65536; -#endif #ifdef TARGET_LINUX o->tuntap_options.txqueuelen = 100; #endif -- 1.9.5 (Apple Git-50.3)
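Review bot: in the doc/openvpn.8 hunk, `+Defaults to operation system default.` should read "operating system default" (both occurrences; the subject line has the same typo). In the ChangeLog hunk, `+ - sndbuf and recvbuf default now to OS default instead of 65k` should say 65536 (64k), matching the `-Currently defaults to 65536 bytes.` lines being removed from the man page. The options.c hunk removes only the `#ifndef WIN32` block, so Windows builds already used the OS default; the commit message should state that and, as raised in the thread, reference trac #461.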
Re: [Openvpn-devel] [PATCH v2] Allow inlining of --auth-user-pass
Ack from me. Tested: - myusername mypassword - myusername - auth-userpass username.txt where username.txt contains only the username. in the last 2 cases openvpn correctly queries the user for the password. JJK On 11/10/15 11:52, Adriaan de Jong wrote: This patch allows inlining of the --auth-user-pass directive, so it is now possible to do myusername mypassword or supply just the username, eg myusername (in this case the user is prompted for the password only). The most changed files are options.c (sanity check of inlined credentials) and ssl.c (actual parsing of the inlined credentials). Udates to the documentation will be provided in a separate patch if and when the present patch is accepted. As discussed on IRC, for the time being the non-inlined syntax auth-user-pass [up] is still supported and [up] is expected to contain username and password on two lines. Signed-off-by: Davide BriniUpdated patch to current master, removed printing of the username/password. Signed-off-by: Adriaan de Jong --- doc/openvpn.8| 3 +-- src/openvpn/init.c | 5 ++-- src/openvpn/misc.c | 2 +- src/openvpn/options.c| 45 +-- src/openvpn/options.h| 2 ++ src/openvpn/ssl.c| 61 +++- src/openvpn/ssl.h| 2 +- src/openvpn/ssl_common.h | 1 + 8 files changed, 107 insertions(+), 14 deletions(-) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 829b09c..422b426 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -6399,8 +6399,7 @@ X509_1_C=KG .SH INLINE FILE SUPPORT OpenVPN allows including files in the main configuration for the .B \-\-ca, \-\-cert, \-\-dh, \-\-extra\-certs, \-\-key, \-\-pkcs12, \-\-secret -and -.B \-\-tls\-auth +.B \-\-tls\-auth and \-\-auth-user-pass options. Each inline file started by the line diff --git a/src/openvpn/init.c b/src/openvpn/init.c index c32a809..ade8cae 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c 
@@ -421,9 +421,9 @@ init_query_passwords (const struct context *c) if (c->options.auth_user_pass_file) { #ifdef ENABLE_CLIENT_CR - auth_user_pass_setup (c->options.auth_user_pass_file, >options.sc_info); + auth_user_pass_setup (c->options.auth_user_pass_file, c->options.auth_user_pass_file_inline, >options.sc_info); #else - auth_user_pass_setup (c->options.auth_user_pass_file, NULL); + auth_user_pass_setup (c->options.auth_user_pass_file, c->options.auth_user_pass_file_inline, NULL); #endif } #endif @@ -2263,6 +2263,7 @@ do_init_crypto_tls (struct context *c, const unsigned int flags) if (options->ccd_exclusive) to.client_config_dir_exclusive = options->client_config_dir; to.auth_user_pass_file = options->auth_user_pass_file; + to.auth_user_pass_file_inline = options->auth_user_pass_file_inline; #endif #ifdef ENABLE_X509_TRACK diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index fd1930a..5158f66 100644 --- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c @@ -1003,7 +1003,7 @@ get_user_pass_cr (struct user_pass *up, if (!up->defined) { - const bool from_stdin = (!auth_file || !strcmp (auth_file, "stdin")); + const bool from_stdin = (!auth_file || streq (auth_file, "stdin")); if (flags & GET_USER_PASS_PREVIOUS_CREDS_FAILED) msg (M_WARN, "Note: previous '%s' credentials failed", prefix); diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 7906f46..619a269 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -2320,6 +2320,41 @@ options_postprocess_verify_ce (const struct options *options, const struct conne #if P2MP if (options->auth_user_pass_file && !options->pull) msg (M_USAGE, "--auth-user-pass requires --pull"); + if (options->auth_user_pass_file) +{ + if ( (!streq(options->auth_user_pass_file, "stdin") || options->auth_user_pass_file_inline) && options->auth_nocache) +msg (M_USAGE, "Cannot use --auth-nocache with credentials from file"); +#ifdef ENABLE_CLIENT_CR + if ( (!streq(options->auth_user_pass_file, "stdin") || options->auth_user_pass_file_inline) && options->sc_info.challenge_text) +msg (M_USAGE, "Credentials cannot be in a file if using --static-challenge"); +#endif +} + if (options->auth_user_pass_file_inline) +{ + int n_inlined = 0; + const char *pos = options->auth_user_pass_file_inline; + const char *prev = pos; + + if ( strlen(pos) == 0 ) +msg (M_USAGE, "Invalid format for inlined --auth-user-pass"); + + while( (pos = strchr(pos, '\n')) != NULL ) +{ + n_inlined++; + + if (n_inlined > 2) +msg (M_USAGE, "Too many lines in inlined --auth-user-pass"); + + if ( pos - prev > USER_PASS_LEN - 1 ) +msg (M_USAGE, "Line too long in inlined --auth-user-pass"); + + pos++; +
[Openvpn-devel] [PATCH] Fix compilation with --disable-server
Add missing #if P2MP_SERVER --- src/openvpn/push.c | 2 ++ src/openvpn/push.h | 5 ++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/src/openvpn/push.c b/src/openvpn/push.c index 704818d..a4cb726 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -410,6 +410,7 @@ push_reset (struct options *o) } #endif +#if P2MP_SERVER int process_incoming_push_request (struct context *c) { @@ -449,6 +450,7 @@ process_incoming_push_request (struct context *c) return ret; } +#endif int process_incoming_push_msg (struct context *c, diff --git a/src/openvpn/push.h b/src/openvpn/push.h index 5eca45f..fa06e08 100644 --- a/src/openvpn/push.h +++ b/src/openvpn/push.h @@ -37,9 +37,6 @@ #define PUSH_MSG_CONTINUATION 5 #define PUSH_MSG_ALREADY_REPLIED 6 -void incoming_push_message (struct context *c, - const struct buffer *buffer); - int process_incoming_push_request (struct context *c); int process_incoming_push_msg (struct context *c, @@ -56,6 +53,8 @@ void server_pushed_signal (struct context *c, const struct buffer *buffer, const #if P2MP_SERVER +void incoming_push_message (struct context *c, const struct buffer *buffer); + void clone_push_list (struct options *o); void push_option (struct options *o, const char *opt, int msglevel); -- 1.9.1
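Review bot: the push.c hunk wraps the definition of `process_incoming_push_request` in `#if P2MP_SERVER`, but the push.h hunk leaves its prototype `int process_incoming_push_request (struct context *c);` outside the guard while moving only `incoming_push_message` under `#if P2MP_SERVER`. Move the `process_incoming_push_request` prototype under the same guard so a --disable-server build cannot reference a function that is compiled out.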
[Openvpn-devel] [PATCH v2] Allow inlining of --auth-user-pass
This patch allows inlining of the --auth-user-pass directive, so it is now possible to do myusername mypassword or supply just the username, eg myusername (in this case the user is prompted for the password only). The most changed files are options.c (sanity check of inlined credentials) and ssl.c (actual parsing of the inlined credentials). Udates to the documentation will be provided in a separate patch if and when the present patch is accepted. As discussed on IRC, for the time being the non-inlined syntax auth-user-pass [up] is still supported and [up] is expected to contain username and password on two lines. Signed-off-by: Davide BriniUpdated patch to current master, removed printing of the username/password. Signed-off-by: Adriaan de Jong --- doc/openvpn.8| 3 +-- src/openvpn/init.c | 5 ++-- src/openvpn/misc.c | 2 +- src/openvpn/options.c| 45 +-- src/openvpn/options.h| 2 ++ src/openvpn/ssl.c| 61 +++- src/openvpn/ssl.h| 2 +- src/openvpn/ssl_common.h | 1 + 8 files changed, 107 insertions(+), 14 deletions(-) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 829b09c..422b426 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -6399,8 +6399,7 @@ X509_1_C=KG .SH INLINE FILE SUPPORT OpenVPN allows including files in the main configuration for the .B \-\-ca, \-\-cert, \-\-dh, \-\-extra\-certs, \-\-key, \-\-pkcs12, \-\-secret -and -.B \-\-tls\-auth +.B \-\-tls\-auth and \-\-auth-user-pass options. Each inline file started by the line diff --git a/src/openvpn/init.c b/src/openvpn/init.c index c32a809..ade8cae 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c 
@@ -421,9 +421,9 @@ init_query_passwords (const struct context *c) if (c->options.auth_user_pass_file) { #ifdef ENABLE_CLIENT_CR - auth_user_pass_setup (c->options.auth_user_pass_file, >options.sc_info); + auth_user_pass_setup (c->options.auth_user_pass_file, c->options.auth_user_pass_file_inline, >options.sc_info); #else - auth_user_pass_setup (c->options.auth_user_pass_file, NULL); + auth_user_pass_setup (c->options.auth_user_pass_file, c->options.auth_user_pass_file_inline, NULL); #endif } #endif @@ -2263,6 +2263,7 @@ do_init_crypto_tls (struct context *c, const unsigned int flags) if (options->ccd_exclusive) to.client_config_dir_exclusive = options->client_config_dir; to.auth_user_pass_file = options->auth_user_pass_file; + to.auth_user_pass_file_inline = options->auth_user_pass_file_inline; #endif #ifdef ENABLE_X509_TRACK diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index fd1930a..5158f66 100644 --- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c @@ -1003,7 +1003,7 @@ get_user_pass_cr (struct user_pass *up, if (!up->defined) { - const bool from_stdin = (!auth_file || !strcmp (auth_file, "stdin")); + const bool from_stdin = (!auth_file || streq (auth_file, "stdin")); if (flags & GET_USER_PASS_PREVIOUS_CREDS_FAILED) msg (M_WARN, "Note: previous '%s' credentials failed", prefix); diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 7906f46..619a269 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -2320,6 +2320,41 @@ options_postprocess_verify_ce (const struct options *options, const struct conne #if P2MP if (options->auth_user_pass_file && !options->pull) msg (M_USAGE, "--auth-user-pass requires --pull"); + if (options->auth_user_pass_file) +{ + if ( (!streq(options->auth_user_pass_file, "stdin") || options->auth_user_pass_file_inline) && options->auth_nocache) +msg (M_USAGE, "Cannot use --auth-nocache with credentials from file"); +#ifdef ENABLE_CLIENT_CR + if ( (!streq(options->auth_user_pass_file, "stdin") || options->auth_user_pass_file_inline) && options->sc_info.challenge_text) +msg (M_USAGE, "Credentials cannot be in a file if using --static-challenge"); +#endif +} + if (options->auth_user_pass_file_inline) +{ + int n_inlined = 0; + const char *pos = options->auth_user_pass_file_inline; + const char *prev = pos; + + if ( strlen(pos) == 0 ) +msg (M_USAGE, "Invalid format for inlined --auth-user-pass"); + + while( (pos = strchr(pos, '\n')) != NULL ) +{ + n_inlined++; + + if (n_inlined > 2) +msg (M_USAGE, "Too many lines in inlined --auth-user-pass"); + + if ( pos - prev > USER_PASS_LEN - 1 ) +msg (M_USAGE, "Line too long in inlined --auth-user-pass"); + + pos++; + prev = pos; +} + + if ( (n_inlined == 0) || (*prev != '\0') ) +msg (M_USAGE, "Invalid format for inlined --auth-user-pass"); +} #endif uninit_options (); @@ -2744,7 +2779,7 @@ options_postprocess_filechecks (struct options *options) "--management
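Review bot: in the doc/openvpn.8 hunk, `+.B \-\-tls\-auth and \-\-auth-user-pass` escapes the hyphens of `\-\-tls\-auth` but not the inner ones of `auth-user-pass`; use `\-\-auth\-user\-pass` for consistent man-page rendering. In the options.c hunk, the check `(!streq(options->auth_user_pass_file, "stdin") || options->auth_user_pass_file_inline) && options->auth_nocache` also triggers for inlined credentials, but the message `"Cannot use --auth-nocache with credentials from file"` only mentions a file; word it to cover the inline case too.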
[Openvpn-devel] [PATCH applied] Re: Send push reply right after async auth complete
Your patch has been applied to the master branch.

commit 0d1a75bfe241466230c41a52c6013494135c5935
Author: Lev Stipakov
Date: Sat Oct 10 19:04:25 2015 +0300

    Send push reply right after async auth complete

    Signed-off-by: Lev Stipakov
    Acked-by: David Sommerseth
    Message-Id: <193065-13506-1-git-send-email-lstipa...@gmail.com>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/10248
    Signed-off-by: David Sommerseth

--
kind regards,

David Sommerseth
[Openvpn-devel] [PATCH] Allow inlining of --auth-user-pass
This patch allows inlining of the --auth-user-pass directive, so it is now possible to do myusername mypassword or supply just the username, eg myusername (in this case the user is prompted for the password only). The most changed files are options.c (sanity check of inlined credentials) and ssl.c (actual parsing of the inlined credentials). Udates to the documentation will be provided in a separate patch if and when the present patch is accepted. As discussed on IRC, for the time being the non-inlined syntax auth-user-pass [up] is still supported and [up] is expected to contain username and password on two lines. Signed-off-by: Davide BriniUpdated patch to current master, removed printing of the username/password. Signed-off-by: Adriaan de Jong --- doc/openvpn.8| 3 +-- src/openvpn/init.c | 5 ++-- src/openvpn/misc.c | 2 +- src/openvpn/options.c| 43 +- src/openvpn/options.h| 2 ++ src/openvpn/ssl.c| 61 +++- src/openvpn/ssl.h| 2 +- src/openvpn/ssl_common.h | 1 + 8 files changed, 106 insertions(+), 13 deletions(-) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 829b09c..422b426 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -6399,8 +6399,7 @@ X509_1_C=KG .SH INLINE FILE SUPPORT OpenVPN allows including files in the main configuration for the .B \-\-ca, \-\-cert, \-\-dh, \-\-extra\-certs, \-\-key, \-\-pkcs12, \-\-secret -and -.B \-\-tls\-auth +.B \-\-tls\-auth and \-\-auth-user-pass options. Each inline file started by the line diff --git a/src/openvpn/init.c b/src/openvpn/init.c index c32a809..ade8cae 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c 
@@ -421,9 +421,9 @@ init_query_passwords (const struct context *c) if (c->options.auth_user_pass_file) { #ifdef ENABLE_CLIENT_CR - auth_user_pass_setup (c->options.auth_user_pass_file, >options.sc_info); + auth_user_pass_setup (c->options.auth_user_pass_file, c->options.auth_user_pass_file_inline, >options.sc_info); #else - auth_user_pass_setup (c->options.auth_user_pass_file, NULL); + auth_user_pass_setup (c->options.auth_user_pass_file, c->options.auth_user_pass_file_inline, NULL); #endif } #endif @@ -2263,6 +2263,7 @@ do_init_crypto_tls (struct context *c, const unsigned int flags) if (options->ccd_exclusive) to.client_config_dir_exclusive = options->client_config_dir; to.auth_user_pass_file = options->auth_user_pass_file; + to.auth_user_pass_file_inline = options->auth_user_pass_file_inline; #endif #ifdef ENABLE_X509_TRACK diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index fd1930a..5158f66 100644 --- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c @@ -1003,7 +1003,7 @@ get_user_pass_cr (struct user_pass *up, if (!up->defined) { - const bool from_stdin = (!auth_file || !strcmp (auth_file, "stdin")); + const bool from_stdin = (!auth_file || streq (auth_file, "stdin")); if (flags & GET_USER_PASS_PREVIOUS_CREDS_FAILED) msg (M_WARN, "Note: previous '%s' credentials failed", prefix); diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 7906f46..86b7a83 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -2320,6 +2320,41 @@ options_postprocess_verify_ce (const struct options *options, const struct conne #if P2MP if (options->auth_user_pass_file && !options->pull) msg (M_USAGE, "--auth-user-pass requires --pull"); + if (options->auth_user_pass_file) +{ + if ( (!streq(options->auth_user_pass_file, "stdin") || options->auth_user_pass_file_inline) && options->auth_nocache) +msg (M_USAGE, "Cannot use --auth-nocache with credentials from file"); +#ifdef ENABLE_CLIENT_CR + if ( (!streq(options->auth_user_pass_file, "stdin") || options->auth_user_pass_file_inline) && options->sc_info.challenge_text) +msg (M_USAGE, "Credentials cannot be in a file if using --static-challenge"); +#endif +} + if (options->auth_user_pass_file_inline) +{ + int n_inlined = 0; + const char *pos = options->auth_user_pass_file_inline; + const char *prev = pos; + + if ( strlen(pos) == 0 ) +msg (M_USAGE, "Invalid format for inlined --auth-user-pass"); + + while( (pos = strchr(pos, '\n')) != NULL ) +{ + n_inlined++; + + if (n_inlined > 2) +msg (M_USAGE, "Too many lines in inlined --auth-user-pass"); + + if ( pos - prev > USER_PASS_LEN - 1 ) +msg (M_USAGE, "Line too long in inlined --auth-user-pass"); + + pos++; + prev = pos; +} + + if ( (n_inlined == 0) || (*prev != '\0') ) +msg (M_USAGE, "Invalid format for inlined --auth-user-pass"); +} #endif uninit_options (); @@ -2744,7 +2779,7 @@ options_postprocess_filechecks (struct options *options) "--management
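Review bot: the inline validation in the options.c hunk only checks `strlen(pos) == 0`, the line count (`n_inlined > 2`), the per-line length and that the block ends with a newline (`*prev != '\0'`); an inline block whose first line is empty (no username, only a password line) passes all of these. Reject an empty first line here, next to the other `"Invalid format for inlined --auth-user-pass"` checks, rather than failing later at parse time.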
[Openvpn-devel] [PATCH] Support for username-only auth file.
Make OpenVPN read the username from the auth file parameter of --auth-user-pass and prompt for a password if it's not in the file. Rationale: Prior to this change OpenVPN either required both username and password present in the auth file or prompted for both on the console. Unlike passwords usernames usually don't change and can therefore be "hardcoded" in the config. Signed-off-by: Michal LudvigReviewed and updated to current master. Signed-off-by: Adriaan de Jong --- doc/openvpn.8 | 3 +- src/openvpn/misc.c| 110 ++ src/openvpn/options.c | 6 ++- 3 files changed, 64 insertions(+), 55 deletions(-) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 422b426..1b7606c 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -3754,7 +3754,8 @@ over the client's routing table. .B \-\-auth\-user\-pass [up] Authenticate with server using username/password. .B up -is a file containing username/password on 2 lines (Note: OpenVPN +is a file containing username/password on 2 lines. If the +password line is missing, OpenVPN will prompt for one. (Note: OpenVPN will only read passwords from a file if it has been built with the \-\-enable\-password\-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in win/settings.in). diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index 5158f66..b6c8854 100644 --- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c @@ -1003,7 +1003,9 @@ get_user_pass_cr (struct user_pass *up, if (!up->defined) { - const bool from_stdin = (!auth_file || streq (auth_file, "stdin")); + bool from_authfile = (auth_file && !streq (auth_file, "stdin")); + bool username_from_stdin = !from_authfile; + bool password_from_stdin = !from_authfile; if (flags & GET_USER_PASS_PREVIOUS_CREDS_FAILED) msg (M_WARN, "Note: previous '%s' credentials failed", prefix); 
@@ -1013,7 +1015,7 @@ get_user_pass_cr (struct user_pass *up, * Get username/password from management interface? */ if (management - && ((auth_file && streq (auth_file, "management")) || (from_stdin && (flags & GET_USER_PASS_MANAGEMENT))) + && ((auth_file && streq (auth_file, "management")) || (!from_authfile && (flags & GET_USER_PASS_MANAGEMENT))) && management_query_user_pass_enabled (management)) { const char *sc = NULL; 
@@ -1050,11 +1052,61 @@ get_user_pass_cr (struct user_pass *up, if (!strlen (up->password)) strcpy (up->password, "ok"); } - + else if (from_authfile) +{ + /* + * Try to get username/password from a file. + */ + FILE *fp; + char password_buf[USER_PASS_LEN] = { '\0' }; + + warn_if_group_others_accessible (auth_file); + + fp = platform_fopen (auth_file, "r"); + if (!fp) +msg (M_ERR, "Error opening '%s' auth file: %s", prefix, auth_file); + + if ((flags & GET_USER_PASS_PASSWORD_ONLY) == 0) +{ + /* Read username first */ + if (fgets (up->username, USER_PASS_LEN, fp) == NULL) + msg (M_FATAL, "Error reading username from %s authfile: %s", + prefix, + auth_file); + } + chomp (up->username); + + if (fgets (password_buf, USER_PASS_LEN, fp) != NULL) +{ +#ifndef ENABLE_PASSWORD_SAVE + /* + * Unless ENABLE_PASSWORD_SAVE is defined, don't allow sensitive passwords + * to be read from a file. + */ + if (flags & GET_USER_PASS_SENSITIVE) +msg (M_FATAL, "Sorry, '%s' password cannot be read from a file", prefix); +#endif + chomp (password_buf); +} + + if (flags & GET_USER_PASS_PASSWORD_ONLY && !password_buf[0]) +msg (M_FATAL, "Error reading password from %s authfile: %s", prefix, auth_file); + + if (password_buf[0]) +strncpy(up->password, password_buf, USER_PASS_LEN); + else +password_from_stdin = 1; + + fclose (fp); + + if (!(flags & GET_USER_PASS_PASSWORD_ONLY) && strlen (up->username) == 0) +msg (M_FATAL, "ERROR: username from %s authfile '%s' is empty", prefix, auth_file); +} + /* * Get username/password from standard input? */ - else if (from_stdin) + if (username_from_stdin || password_from_stdin) { #ifndef WIN32 /* did we --daemon'ize before asking for passwords? */ @@ -1092,7 +1144,7 @@ get_user_pass_cr (struct user_pass *up, buf_printf (_prompt, "Enter %s Username:", prefix); buf_printf (_prompt, "Enter %s Password:", prefix); - if (!(flags & GET_USER_PASS_PASSWORD_ONLY)) + if (username_from_stdin && !(flags &
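Review bot: in the misc.c hunk, `if (flags & GET_USER_PASS_PASSWORD_ONLY && !password_buf[0])` should be parenthesised as `if ((flags & GET_USER_PASS_PASSWORD_ONLY) && !password_buf[0])`, matching the `(flags & GET_USER_PASS_PASSWORD_ONLY) == 0` form a few lines above. `chomp (up->username);` now runs unconditionally, including the password-only path where the username was not read from the file; move it inside the `if` that does the `fgets`. The `warn_if_group_others_accessible (auth_file)` call is kept, which is good, since a username-only file is still a credential file.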
[Openvpn-devel] [PATCH applied] Re: Remove support for snappy compression.
Patch has been applied to the master branch.

commit 9403e3f4b510fbc4187044f31be8f7dccbde1cf1
Author: Gert Doering
Date: Sat Oct 10 18:34:49 2015 +0200

    Remove support for snappy compression.

    Signed-off-by: Gert Doering
    Acked-by: Arne Schwabe
    Message-Id: <194889-28925-1-git-send-email-g...@greenie.muc.de>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/10251

--
kind regards,

Gert Doering
[Openvpn-devel] [PATCH applied] Re: Fix trac ticket #569
Your patch has been applied to the master and release/2.3 branch.

commit c67acea173dc9ee37220f5b9ff14ede081181992 (master)
commit a3160fc1bd7368395745b9cee6e40fb819f5564c (release/2.3)
Author: janjust
Date: Sat Oct 10 18:12:49 2015 +0200

    Fix "White space before end tags can break the config parser"

    trac #569

    Acked-by: Arne Schwabe
    Message-Id: <193569-24026-1-git-send-email-janj...@nikhef.nl>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/10249
    Signed-off-by: Gert Doering

--
kind regards,

Gert Doering
Re: [Openvpn-devel] [PATCH] Remove support for snappy compression.
On 10.10.15 at 18:34, Gert Doering wrote:
> LZ4 is using less CPU at similar performance, and it is easier to
> build and support for binary installs (as it does not require C++
> and a C++ runtime). Since it was never supported in any formally
> released OpenVPN version, just drop it again.
>
> This leaves in the compression opcode for Snappy for documentation
> purposes.
>
> trac #617

ACK from me. Snappy is probably not used outside of test scripts.

Arne