Re: [Openvpn-devel] [PATCH] Do not set the buffer size by default but rely on the operation system default.

2015-10-11 Thread David Sommerseth
On 11/10/15 19:44, Gert Doering wrote:
[...snip...]
> ChangeLog entries are good, but I disagree on the format (sorry) - what
> we have in ChangeLog *today* is basically "git shortlog $tag..$HEAD" 
> when doing a release - so I think we should not mix the "user visible
> changes" in here, but maintain a separate file, eg. "CHANGES(.rst, .md)", 
> for these.

Agreed!  I see that the files Samuli added regarding contribution have .rst.
I don't care if it is .rst or .md.  But let's keep the same extension/format
for CHANGES too.

> Alternative, rename ChangeLog to "GitShortlog.txt" and put the user visible
> changes into ChangeLog - but please do not mix.

Agreeing to the mixing.  I think we should keep ChangeLog as is, as I believe
that resembles the format used since the very beginning.  Even though the
verbosity has increased since we started using git and git shortlog.  Some
packagers or other interested parties may already have routines in place for
grokking through our current ChangeLog file.


-- 
kind regards,

David Sommerseth



Re: [Openvpn-devel] [PATCH] Do not set the buffer size by default but rely on the operation system default.

2015-10-11 Thread Gert Doering
Hi,

On Sun, Oct 11, 2015 at 04:25:30PM +0200, Steffan Karger wrote:
> > --- a/ChangeLog
> > +++ b/ChangeLog
> > @@ -1,6 +1,9 @@
> >  OpenVPN Change Log
> >  Copyright (C) 2002-2012 OpenVPN Technologies, Inc. 
> >
> > +2015.xx.xx -- Version 2.4.0
> > +   - sndbuf and recvbuf default now to OS default instead of 65k
> > +
> 
> Nice, changelog entries!  But, 65k should be 64k.

ChangeLog entries are good, but I disagree on the format (sorry) - what
we have in ChangeLog *today* is basically "git shortlog $tag..$HEAD" 
when doing a release - so I think we should not mix the "user visible
changes" in here, but maintain a separate file, eg. "CHANGES(.rst, .md)", 
for these.

Alternative, rename ChangeLog to "GitShortlog.txt" and put the user visible
changes into ChangeLog - but please do not mix.

(The rest of the patch is fine, but should mention trac #461 in the
commit message - I'll amend if OK)

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] [PATCH] Do not set the buffer size by default but rely on the operation system default.

2015-10-11 Thread ValdikSS


On 11.10.2015 17:25, Steffan Karger wrote:
> On Sun, Oct 11, 2015 at 3:47 PM, Arne Schwabe  wrote:
> Nice, changelog entries!  But, 65k should be 64k.
>
> Am I right that it was tested that this indeed results in using
> operating system defaults?

Yes.

>
> -Steffan
>






Re: [Openvpn-devel] [PATCH] Do not set the buffer size by default but rely on the operation system default.

2015-10-11 Thread Steffan Karger
On Sun, Oct 11, 2015 at 3:47 PM, Arne Schwabe  wrote:
> ---
>  ChangeLog | 3 +++
>  doc/openvpn.8 | 4 ++--
>  src/openvpn/options.c | 4 
>  3 files changed, 5 insertions(+), 6 deletions(-)
>
> diff --git a/ChangeLog b/ChangeLog
> index 7b945c8..9642adf 100644
> --- a/ChangeLog
> +++ b/ChangeLog
> @@ -1,6 +1,9 @@
>  OpenVPN Change Log
>  Copyright (C) 2002-2012 OpenVPN Technologies, Inc. 
>
> +2015.xx.xx -- Version 2.4.0
> +   - sndbuf and recvbuf default now to OS default instead of 65k
> +

Nice, changelog entries!  But, 65k should be 64k.

> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> index 6823167..2b0af34 100644
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -785,10 +785,6 @@ init_options (struct options *o, const bool init_gc)
>  #ifdef ENABLE_FEATURE_TUN_PERSIST
>o->persist_mode = 1;
>  #endif
> -#ifndef WIN32
> -  o->rcvbuf = 65536;
> -  o->sndbuf = 65536;
> -#endif
>  #ifdef TARGET_LINUX
>o->tuntap_options.txqueuelen = 100;
>  #endif

Am I right that it was tested that this indeed results in using
operating system defaults?

-Steffan



[Openvpn-devel] [PATCH] Implement the compression V2 data format for stub and lz4.

2015-10-11 Thread Arne Schwabe
It has been tested against a v3 server and against itself. From James' mail:

 Compression V2

   I have observed that compression in many cases, even when
   enabled, often does not produce packet size reduction
   because much of the packet data typically generated by web
   sessions is already compressed.  Further, the single byte that
   precedes the packet and indicates whether or not compression
   occurred has the unfortunate side effect of misaligning the IP
   packet in cases where compression did not occur.  To remedy this,
   I propose a Compression V2 header that is optimized for the
   case where compression does not occur.

   a. No compression occurred and first byte of IP/Ethernet packet
      is NOT 0x50 (0 bytes of overhead and maintains alignment):

      [ uncompressed IP/Ethernet packet ]

   b. No compression occurred and first byte of IP/Ethernet packet
      is 0x50 (2 bytes of overhead but unlikely since no known
      IP packet can begin with 0x50):

      [ 0x50 ] [ 0x00 ] [ uncompressed IP/Ethernet packet ]

   c. Compression occurred (2 bytes of overhead):

      [ 0x50 ] [ compression Alg ID ] [ compressed IP/Ethernet packet ]

      Compression Alg ID is a one-byte algorithm identifier
      for LZ4 (0x1), LZO (0x2), or Snappy (0x3).

   This approach has several beneficial effects:

   1. In the common case where compression does not occur, no
      compression op is required, therefore there is zero overhead.

   2. When compression does not occur, the IP/Ethernet packet
      alignment is retained.

   3. This technique does not require any byte swapping with
      the tail of the packet which can potentially incur an
      expensive cache miss.
---
 src/openvpn/comp-lz4.c | 191 ++---
 src/openvpn/comp-lz4.h |   1 +
 src/openvpn/comp.c |  81 -
 src/openvpn/comp.h |  13 
 src/openvpn/compstub.c |  53 ++
 src/openvpn/options.c  |  10 +++
 6 files changed, 290 insertions(+), 59 deletions(-)

diff --git a/src/openvpn/comp-lz4.c b/src/openvpn/comp-lz4.c
index 4651148..3144717 100644
--- a/src/openvpn/comp-lz4.c
+++ b/src/openvpn/comp-lz4.c
@@ -51,7 +51,7 @@ static void
 lz4_compress_init (struct compress_context *compctx)
 {
   msg (D_INIT_MEDIUM, "LZ4 compression initializing");
-  ASSERT(compctx->flags & COMP_F_SWAP);
+  ASSERT(compctx->flags & COMP_F_SWAP || compctx->flags & COMP_F_COMPV2);
 }

 static void
@@ -59,16 +59,12 @@ lz4_compress_uninit (struct compress_context *compctx)
 {
 }

-static void
-lz4_compress (struct buffer *buf, struct buffer work,
-  struct compress_context *compctx,
-  const struct frame* frame)
+static bool
+do_lz4_compress (struct buffer *buf,
+struct buffer *work,
+struct compress_context *compctx,
+const struct frame* frame)
 {
-  bool compressed = false;
-
-  if (buf->len <= 0)
-return;
-
   /*
* In order to attempt compression, length must be at least 
COMPRESS_THRESHOLD.
*/
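Review bot: `do_lz4_compress` now reports three outcomes through two channels: `false` with `buf->len` untouched when the packet is below COMPRESS_THRESHOLD, `false` with `buf->len = 0` on buffer overflow or compressor error, and `true` on success. Add a comment above the function stating that contract, since the caller has to inspect `buf->len` separately to tell the first two apart.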
@@ -78,33 +74,50 @@ lz4_compress (struct buffer *buf, struct buffer work,
   int zlen_max = ps + COMP_EXTRA_BUFFER (ps);
   int zlen;

-  ASSERT (buf_init (, FRAME_HEADROOM (frame)));
-  ASSERT (buf_safe (, zlen_max));
+  ASSERT (buf_init (work, FRAME_HEADROOM (frame)));
+  ASSERT (buf_safe (work, zlen_max));

   if (buf->len > ps)
{
  dmsg (D_COMP_ERRORS, "LZ4 compression buffer overflow");
  buf->len = 0;
- return;
+ return false;
}

-  zlen = LZ4_compress_limitedOutput((const char *)BPTR(buf), (char 
*)BPTR(), BLEN(buf), zlen_max );
+  zlen = LZ4_compress_limitedOutput((const char *)BPTR(buf), (char 
*)BPTR(work), BLEN(buf), zlen_max );

   if (zlen <= 0)
{
  dmsg (D_COMP_ERRORS, "LZ4 compression error");
  buf->len = 0;
- return;
+ return false;
}

-  ASSERT (buf_safe (, zlen));
-  work.len = zlen;
-  compressed = true;
+  ASSERT (buf_safe (work, zlen));
+  work->len = zlen;
+

-  dmsg (D_COMP, "LZ4 compress %d -> %d", buf->len, work.len);
+  dmsg (D_COMP, "LZ4 compress %d -> %d", buf->len, work->len);
   compctx->pre_compress += buf->len;
-  compctx->post_compress += work.len;
+  compctx->post_compress += work->len;
+  return true;
 }
+  return false;
+}
+
+
+static void
+lz4_compress (struct buffer *buf, struct buffer work,
+ struct compress_context *compctx,
+ const struct frame* frame)
+{
+  if (buf->len <= 0)
+return;
+  bool compressed = do_lz4_compress(buf, , compctx, frame);
+
+  /* On Error just return */
+  if (buf->len == 0)
+return;

   /* did compression save us anything? */
   {
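Review bot: the `/* On Error just return */` check in `lz4_compress` depends on `do_lz4_compress` having zeroed `buf->len`; say so in the comment (for example `/* do_lz4_compress zeroes buf->len on overflow or compressor error */`). The success path of `do_lz4_compress` also gains a whitespace-only `+` line after `work->len = zlen;` that should be dropped.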
@@ -128,13 +141,73 @@ lz4_compress (struct buffer *buf, struct buffer work,
   }
 }

+
+static void
+lz4v2_compress (struct buffer *buf, struct buffer work,
+   struct compress_context 

[Openvpn-devel] [PATCH] Do not set the buffer size by default but rely on the operation system default.

2015-10-11 Thread Arne Schwabe
---
 ChangeLog | 3 +++
 doc/openvpn.8 | 4 ++--
 src/openvpn/options.c | 4 
 3 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 7b945c8..9642adf 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,9 @@
 OpenVPN Change Log
 Copyright (C) 2002-2012 OpenVPN Technologies, Inc. 

+2015.xx.xx -- Version 2.4.0
+   - sndbuf and recvbuf default now to OS default instead of 65k
+
 2012.09.12 -- Version 2.3_beta1
 Arne Schwabe (7):
   Fixes error: --key fails with EXTERNAL_PRIVATE_KEY: No such file or 
directory if --management-external-key is used
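Review bot: the entry says `65k` where the removed default is 65536 bytes, i.e. 64k, and it names the option `recvbuf` while the option is `--rcvbuf` (as the doc hunk in this same patch shows); suggest `- --sndbuf and --rcvbuf now default to the OS default instead of 64k`.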
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 3a86409..b6d5aed 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -1433,12 +1433,12 @@ connection problems) with the following options:
 .TP
 .B \-\-sndbuf size
 Set the TCP/UDP socket send buffer size.
-Currently defaults to 65536 bytes.
+Defaults to operation system default.
 .\"*
 .TP
 .B \-\-rcvbuf size
 Set the TCP/UDP socket receive buffer size.
-Currently defaults to 65536 bytes.
+Defaults to operation system default.
 .\"*
 .TP
 .B \-\-mark value
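Review bot: both added lines read `Defaults to operation system default.`; it should be `operating system`. If the intent is that OpenVPN no longer calls setsockopt for these sockets at all, say so here, since that tells an administrator the system-wide socket buffer tuning now applies unchanged.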
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 6823167..2b0af34 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -785,10 +785,6 @@ init_options (struct options *o, const bool init_gc)
 #ifdef ENABLE_FEATURE_TUN_PERSIST
   o->persist_mode = 1;
 #endif
-#ifndef WIN32
-  o->rcvbuf = 65536;
-  o->sndbuf = 65536;
-#endif
 #ifdef TARGET_LINUX
   o->tuntap_options.txqueuelen = 100;
 #endif
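Review bot: dropping the initialiser leaves `o->rcvbuf` and `o->sndbuf` at whatever `init_options` zeroes them to, so the socket setup code must treat 0 as "do not set" rather than passing 0 to SO_RCVBUF/SO_SNDBUF; please state in the commit message that this was verified (together with the trac #461 reference requested in the thread), because a test on one platform does not show the code path. Worth noting too that the removed block was inside `#ifndef WIN32`, so this makes the other platforms behave as Windows already did.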
-- 
1.9.5 (Apple Git-50.3)




Re: [Openvpn-devel] [PATCH v2] Allow inlining of --auth-user-pass

2015-10-11 Thread Jan Just Keijser

Ack from me.
Tested:
- <auth-user-pass>
  myusername
  mypassword
  </auth-user-pass>

- <auth-user-pass>
  myusername
  </auth-user-pass>

- auth-user-pass username.txt

where username.txt contains only the username. In the last 2 cases
openvpn correctly queries the user for the password.



JJK

On 11/10/15 11:52, Adriaan de Jong wrote:

This patch allows inlining of the --auth-user-pass directive, so it is now
possible to do

<auth-user-pass>
myusername
mypassword
</auth-user-pass>

or supply just the username, e.g.

<auth-user-pass>
myusername
</auth-user-pass>

(in this case the user is prompted for the password only).
The most changed files are options.c (sanity check of inlined credentials)
and ssl.c (actual parsing of the inlined credentials).

Updates to the documentation will be provided in a separate patch if and when
the present patch is accepted.

As discussed on IRC, for the time being the non-inlined syntax

auth-user-pass [up]

is still supported and [up] is expected to contain username and password
on two lines.

Signed-off-by: Davide Brini 

Updated patch to current master, removed printing of the username/password.

Signed-off-by: Adriaan de Jong 
---
  doc/openvpn.8|  3 +--
  src/openvpn/init.c   |  5 ++--
  src/openvpn/misc.c   |  2 +-
  src/openvpn/options.c| 45 +--
  src/openvpn/options.h|  2 ++
  src/openvpn/ssl.c| 61 +++-
  src/openvpn/ssl.h|  2 +-
  src/openvpn/ssl_common.h |  1 +
  8 files changed, 107 insertions(+), 14 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 829b09c..422b426 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -6399,8 +6399,7 @@ X509_1_C=KG
  .SH INLINE FILE SUPPORT
  OpenVPN allows including files in the main configuration for the
  .B \-\-ca, \-\-cert, \-\-dh, \-\-extra\-certs, \-\-key, \-\-pkcs12, \-\-secret
-and
-.B \-\-tls\-auth
+.B \-\-tls\-auth and \-\-auth-user-pass
  options.
  
  Each inline file started by the line

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index c32a809..ade8cae 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -421,9 +421,9 @@ init_query_passwords (const struct context *c)
if (c->options.auth_user_pass_file)
  {
  #ifdef ENABLE_CLIENT_CR
-  auth_user_pass_setup (c->options.auth_user_pass_file, 
>options.sc_info);
+  auth_user_pass_setup (c->options.auth_user_pass_file, 
c->options.auth_user_pass_file_inline, >options.sc_info);
  #else
-  auth_user_pass_setup (c->options.auth_user_pass_file, NULL);
+  auth_user_pass_setup (c->options.auth_user_pass_file, 
c->options.auth_user_pass_file_inline, NULL);
  #endif
  }
  #endif
@@ -2263,6 +2263,7 @@ do_init_crypto_tls (struct context *c, const unsigned int 
flags)
if (options->ccd_exclusive)
  to.client_config_dir_exclusive = options->client_config_dir;
to.auth_user_pass_file = options->auth_user_pass_file;
+  to.auth_user_pass_file_inline = options->auth_user_pass_file_inline;
  #endif
  
  #ifdef ENABLE_X509_TRACK

diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index fd1930a..5158f66 100644
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -1003,7 +1003,7 @@ get_user_pass_cr (struct user_pass *up,
  
if (!up->defined)

  {
-  const bool from_stdin = (!auth_file || !strcmp (auth_file, "stdin"));
+  const bool from_stdin = (!auth_file || streq (auth_file, "stdin"));
  
if (flags & GET_USER_PASS_PREVIOUS_CREDS_FAILED)

msg (M_WARN, "Note: previous '%s' credentials failed", prefix);
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 7906f46..619a269 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2320,6 +2320,41 @@ options_postprocess_verify_ce (const struct options 
*options, const struct conne
  #if P2MP
if (options->auth_user_pass_file && !options->pull)
  msg (M_USAGE, "--auth-user-pass requires --pull");
+  if (options->auth_user_pass_file)
+{
+  if ( (!streq(options->auth_user_pass_file, "stdin") || 
options->auth_user_pass_file_inline) && options->auth_nocache)
+msg (M_USAGE, "Cannot use --auth-nocache with credentials from file");
+#ifdef ENABLE_CLIENT_CR
+  if ( (!streq(options->auth_user_pass_file, "stdin") || 
options->auth_user_pass_file_inline) && options->sc_info.challenge_text)
+msg (M_USAGE, "Credentials cannot be in a file if using 
--static-challenge");
+#endif
+}
+  if (options->auth_user_pass_file_inline)
+{
+  int n_inlined = 0;
+  const char *pos = options->auth_user_pass_file_inline;
+  const char *prev = pos;
+
+  if ( strlen(pos) == 0 )
+msg (M_USAGE, "Invalid format for inlined --auth-user-pass");
+
+  while( (pos = strchr(pos, '\n')) != NULL )
+{
+  n_inlined++;
+
+  if (n_inlined > 2)
+msg (M_USAGE, "Too many lines in inlined --auth-user-pass");
+
+  if ( pos - prev > USER_PASS_LEN - 1 )
+msg (M_USAGE, "Line too long in inlined --auth-user-pass");
+
+  pos++;
+   

[Openvpn-devel] [PATCH] Fix compilation with --disable-server

2015-10-11 Thread Lev Stipakov
Add missing #if P2MP_SERVER
---
 src/openvpn/push.c | 2 ++
 src/openvpn/push.h | 5 ++---
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index 704818d..a4cb726 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -410,6 +410,7 @@ push_reset (struct options *o)
 }
 #endif

+#if P2MP_SERVER
 int
 process_incoming_push_request (struct context *c)
 {
@@ -449,6 +450,7 @@ process_incoming_push_request (struct context *c)

   return ret;
 }
+#endif

 int
 process_incoming_push_msg (struct context *c,
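Review bot: `process_incoming_push_request` is now compiled only under `P2MP_SERVER`, but `process_incoming_push_msg` directly below it stays unconditional; if it calls `process_incoming_push_request`, a `--disable-server` build will still fail at link time, so either that call needs the same guard or the commit message should say the call site is already guarded.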
diff --git a/src/openvpn/push.h b/src/openvpn/push.h
index 5eca45f..fa06e08 100644
--- a/src/openvpn/push.h
+++ b/src/openvpn/push.h
@@ -37,9 +37,6 @@
 #define PUSH_MSG_CONTINUATION 5
 #define PUSH_MSG_ALREADY_REPLIED  6

-void incoming_push_message (struct context *c,
-   const struct buffer *buffer);
-
 int process_incoming_push_request (struct context *c);

 int process_incoming_push_msg (struct context *c,
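Review bot: the prototype of `process_incoming_push_request` stays outside `#if P2MP_SERVER` while its definition in push.c is now inside it; move the prototype into the guarded block next to the relocated `incoming_push_message` so header and source agree on what exists in a `--disable-server` build.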
@@ -56,6 +53,8 @@ void server_pushed_signal (struct context *c, const struct 
buffer *buffer, const

 #if P2MP_SERVER

+void incoming_push_message (struct context *c, const struct buffer *buffer);
+
 void clone_push_list (struct options *o);

 void push_option (struct options *o, const char *opt, int msglevel);
-- 
1.9.1




[Openvpn-devel] [PATCH v2] Allow inlining of --auth-user-pass

2015-10-11 Thread Adriaan de Jong
This patch allows inlining of the --auth-user-pass directive, so it is now
possible to do

<auth-user-pass>
myusername
mypassword
</auth-user-pass>

or supply just the username, e.g.

<auth-user-pass>
myusername
</auth-user-pass>

(in this case the user is prompted for the password only).
The most changed files are options.c (sanity check of inlined credentials)
and ssl.c (actual parsing of the inlined credentials).

Updates to the documentation will be provided in a separate patch if and when
the present patch is accepted.

As discussed on IRC, for the time being the non-inlined syntax

auth-user-pass [up]

is still supported and [up] is expected to contain username and password
on two lines.

Signed-off-by: Davide Brini 

Updated patch to current master, removed printing of the username/password.

Signed-off-by: Adriaan de Jong 
---
 doc/openvpn.8|  3 +--
 src/openvpn/init.c   |  5 ++--
 src/openvpn/misc.c   |  2 +-
 src/openvpn/options.c| 45 +--
 src/openvpn/options.h|  2 ++
 src/openvpn/ssl.c| 61 +++-
 src/openvpn/ssl.h|  2 +-
 src/openvpn/ssl_common.h |  1 +
 8 files changed, 107 insertions(+), 14 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 829b09c..422b426 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -6399,8 +6399,7 @@ X509_1_C=KG
 .SH INLINE FILE SUPPORT
 OpenVPN allows including files in the main configuration for the
 .B \-\-ca, \-\-cert, \-\-dh, \-\-extra\-certs, \-\-key, \-\-pkcs12, \-\-secret
-and
-.B \-\-tls\-auth
+.B \-\-tls\-auth and \-\-auth-user-pass
 options.

 Each inline file started by the line
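Review bot: the replacement `.B` line bolds the word `and` and writes `\-\-auth-user-pass` with plain hyphens, unlike the escaped `\-\-tls\-auth` beside it; keep `and` unbolded on its own line and write `\-\-auth\-user\-pass` so the man page renders consistently with the rest of the list.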
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index c32a809..ade8cae 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -421,9 +421,9 @@ init_query_passwords (const struct context *c)
   if (c->options.auth_user_pass_file)
 {
 #ifdef ENABLE_CLIENT_CR
-  auth_user_pass_setup (c->options.auth_user_pass_file, 
>options.sc_info);
+  auth_user_pass_setup (c->options.auth_user_pass_file, 
c->options.auth_user_pass_file_inline, >options.sc_info);
 #else
-  auth_user_pass_setup (c->options.auth_user_pass_file, NULL);
+  auth_user_pass_setup (c->options.auth_user_pass_file, 
c->options.auth_user_pass_file_inline, NULL);
 #endif
 }
 #endif
@@ -2263,6 +2263,7 @@ do_init_crypto_tls (struct context *c, const unsigned int 
flags)
   if (options->ccd_exclusive)
 to.client_config_dir_exclusive = options->client_config_dir;
   to.auth_user_pass_file = options->auth_user_pass_file;
+  to.auth_user_pass_file_inline = options->auth_user_pass_file_inline;
 #endif

 #ifdef ENABLE_X509_TRACK
diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index fd1930a..5158f66 100644
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -1003,7 +1003,7 @@ get_user_pass_cr (struct user_pass *up,

   if (!up->defined)
 {
-  const bool from_stdin = (!auth_file || !strcmp (auth_file, "stdin"));
+  const bool from_stdin = (!auth_file || streq (auth_file, "stdin"));

   if (flags & GET_USER_PASS_PREVIOUS_CREDS_FAILED)
msg (M_WARN, "Note: previous '%s' credentials failed", prefix);
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 7906f46..619a269 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2320,6 +2320,41 @@ options_postprocess_verify_ce (const struct options 
*options, const struct conne
 #if P2MP
   if (options->auth_user_pass_file && !options->pull)
 msg (M_USAGE, "--auth-user-pass requires --pull");
+  if (options->auth_user_pass_file)
+{
+  if ( (!streq(options->auth_user_pass_file, "stdin") || 
options->auth_user_pass_file_inline) && options->auth_nocache)
+msg (M_USAGE, "Cannot use --auth-nocache with credentials from file");
+#ifdef ENABLE_CLIENT_CR
+  if ( (!streq(options->auth_user_pass_file, "stdin") || 
options->auth_user_pass_file_inline) && options->sc_info.challenge_text)
+msg (M_USAGE, "Credentials cannot be in a file if using 
--static-challenge");
+#endif
+}
+  if (options->auth_user_pass_file_inline)
+{
+  int n_inlined = 0;
+  const char *pos = options->auth_user_pass_file_inline;
+  const char *prev = pos;
+
+  if ( strlen(pos) == 0 )
+msg (M_USAGE, "Invalid format for inlined --auth-user-pass");
+
+  while( (pos = strchr(pos, '\n')) != NULL )
+{
+  n_inlined++;
+
+  if (n_inlined > 2)
+msg (M_USAGE, "Too many lines in inlined --auth-user-pass");
+
+  if ( pos - prev > USER_PASS_LEN - 1 )
+msg (M_USAGE, "Line too long in inlined --auth-user-pass");
+
+  pos++;
+  prev = pos;
+}
+
+  if ( (n_inlined == 0) || (*prev != '\0') )
+msg (M_USAGE, "Invalid format for inlined --auth-user-pass");
+}
 #endif

   uninit_options ();
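Review bot: the final check `(*prev != '\0')` rejects an inline block whose last line has no trailing newline with the same generic "Invalid format" message as an empty block; either accept the missing final newline (the while loop already bounds line count and line length) or give that case its own message. Also, the `--auth-nocache` error text says "credentials from file" although the condition now fires for inlined credentials as well; reword it to cover both, since for an inline block the reason is that the credentials live in the parsed configuration and cannot be purged.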
@@ -2744,7 +2779,7 @@ options_postprocess_filechecks (struct options *options)
  "--management 

[Openvpn-devel] [PATCH applied] Re: Send push reply right after async auth complete

2015-10-11 Thread David Sommerseth
Your patch has been applied to the master branch.

commit 0d1a75bfe241466230c41a52c6013494135c5935
Author: Lev Stipakov
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Sat Oct 10 19:04:25 2015 +0300

 Send push reply right after async auth complete

 Signed-off-by: Lev Stipakov 
 Acked-by: David Sommerseth 
 Message-Id: <193065-13506-1-git-send-email-lstipa...@gmail.com>
 URL: http://article.gmane.org/gmane.network.openvpn.devel/10248
 Signed-off-by: David Sommerseth 


--
kind regards,

David Sommerseth




[Openvpn-devel] [PATCH] Allow inlining of --auth-user-pass

2015-10-11 Thread Adriaan de Jong
This patch allows inlining of the --auth-user-pass directive, so it is now
possible to do

<auth-user-pass>
myusername
mypassword
</auth-user-pass>

or supply just the username, e.g.

<auth-user-pass>
myusername
</auth-user-pass>

(in this case the user is prompted for the password only).
The most changed files are options.c (sanity check of inlined credentials)
and ssl.c (actual parsing of the inlined credentials).

Updates to the documentation will be provided in a separate patch if and when
the present patch is accepted.

As discussed on IRC, for the time being the non-inlined syntax

auth-user-pass [up]

is still supported and [up] is expected to contain username and password
on two lines.

Signed-off-by: Davide Brini 

Updated patch to current master, removed printing of the username/password.

Signed-off-by: Adriaan de Jong 
---
 doc/openvpn.8|  3 +--
 src/openvpn/init.c   |  5 ++--
 src/openvpn/misc.c   |  2 +-
 src/openvpn/options.c| 43 +-
 src/openvpn/options.h|  2 ++
 src/openvpn/ssl.c| 61 +++-
 src/openvpn/ssl.h|  2 +-
 src/openvpn/ssl_common.h |  1 +
 8 files changed, 106 insertions(+), 13 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 829b09c..422b426 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -6399,8 +6399,7 @@ X509_1_C=KG
 .SH INLINE FILE SUPPORT
 OpenVPN allows including files in the main configuration for the
 .B \-\-ca, \-\-cert, \-\-dh, \-\-extra\-certs, \-\-key, \-\-pkcs12, \-\-secret
-and
-.B \-\-tls\-auth
+.B \-\-tls\-auth and \-\-auth-user-pass
 options.

 Each inline file started by the line
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index c32a809..ade8cae 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -421,9 +421,9 @@ init_query_passwords (const struct context *c)
   if (c->options.auth_user_pass_file)
 {
 #ifdef ENABLE_CLIENT_CR
-  auth_user_pass_setup (c->options.auth_user_pass_file, 
>options.sc_info);
+  auth_user_pass_setup (c->options.auth_user_pass_file, 
c->options.auth_user_pass_file_inline, >options.sc_info);
 #else
-  auth_user_pass_setup (c->options.auth_user_pass_file, NULL);
+  auth_user_pass_setup (c->options.auth_user_pass_file, 
c->options.auth_user_pass_file_inline, NULL);
 #endif
 }
 #endif
@@ -2263,6 +2263,7 @@ do_init_crypto_tls (struct context *c, const unsigned int 
flags)
   if (options->ccd_exclusive)
 to.client_config_dir_exclusive = options->client_config_dir;
   to.auth_user_pass_file = options->auth_user_pass_file;
+  to.auth_user_pass_file_inline = options->auth_user_pass_file_inline;
 #endif

 #ifdef ENABLE_X509_TRACK
diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index fd1930a..5158f66 100644
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -1003,7 +1003,7 @@ get_user_pass_cr (struct user_pass *up,

   if (!up->defined)
 {
-  const bool from_stdin = (!auth_file || !strcmp (auth_file, "stdin"));
+  const bool from_stdin = (!auth_file || streq (auth_file, "stdin"));

   if (flags & GET_USER_PASS_PREVIOUS_CREDS_FAILED)
msg (M_WARN, "Note: previous '%s' credentials failed", prefix);
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 7906f46..86b7a83 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2320,6 +2320,41 @@ options_postprocess_verify_ce (const struct options 
*options, const struct conne
 #if P2MP
   if (options->auth_user_pass_file && !options->pull)
 msg (M_USAGE, "--auth-user-pass requires --pull");
+  if (options->auth_user_pass_file)
+{
+  if ( (!streq(options->auth_user_pass_file, "stdin") || 
options->auth_user_pass_file_inline) && options->auth_nocache)
+msg (M_USAGE, "Cannot use --auth-nocache with credentials from file");
+#ifdef ENABLE_CLIENT_CR
+  if ( (!streq(options->auth_user_pass_file, "stdin") || 
options->auth_user_pass_file_inline) && options->sc_info.challenge_text)
+msg (M_USAGE, "Credentials cannot be in a file if using 
--static-challenge");
+#endif
+}
+  if (options->auth_user_pass_file_inline)
+{
+  int n_inlined = 0;
+  const char *pos = options->auth_user_pass_file_inline;
+  const char *prev = pos;
+
+  if ( strlen(pos) == 0 )
+msg (M_USAGE, "Invalid format for inlined --auth-user-pass");
+
+  while( (pos = strchr(pos, '\n')) != NULL )
+{
+  n_inlined++;
+
+  if (n_inlined > 2)
+msg (M_USAGE, "Too many lines in inlined --auth-user-pass");
+
+  if ( pos - prev > USER_PASS_LEN - 1 )
+msg (M_USAGE, "Line too long in inlined --auth-user-pass");
+
+  pos++;
+  prev = pos;
+}
+
+  if ( (n_inlined == 0) || (*prev != '\0') )
+msg (M_USAGE, "Invalid format for inlined --auth-user-pass");
+}
 #endif

   uninit_options ();
@@ -2744,7 +2779,7 @@ options_postprocess_filechecks (struct options *options)
  "--management 

[Openvpn-devel] [PATCH] Support for username-only auth file.

2015-10-11 Thread Adriaan de Jong
Make OpenVPN read the username from the auth file
parameter of --auth-user-pass and prompt for a
password if it's not in the file.

Rationale: Prior to this change OpenVPN either
required both username and password present in the
auth file or prompted for both on the console.
Unlike passwords usernames usually don't change and
can therefore be "hardcoded" in the config.

Signed-off-by: Michal Ludvig 

Reviewed and updated to current master.

Signed-off-by: Adriaan de Jong 
---
 doc/openvpn.8 |   3 +-
 src/openvpn/misc.c| 110 ++
 src/openvpn/options.c |   6 ++-
 3 files changed, 64 insertions(+), 55 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 422b426..1b7606c 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -3754,7 +3754,8 @@ over the client's routing table.
 .B \-\-auth\-user\-pass [up]
 Authenticate with server using username/password.
 .B up
-is a file containing username/password on 2 lines (Note: OpenVPN
+is a file containing username/password on 2 lines. If the
+password line is missing, OpenVPN will prompt for one. (Note: OpenVPN
 will only read passwords from a file if it has been built
 with the \-\-enable\-password\-save configure option, or on Windows
 by defining ENABLE_PASSWORD_SAVE in win/settings.in).
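Review bot: the new sentence says OpenVPN prompts when the password line is missing, but the misc.c hunk also prompts when the second line is present and empty (`if (password_buf[0]) ... else password_from_stdin = 1;`); say "missing or empty". It would also help to state that the username line is still required.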
diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index 5158f66..b6c8854 100644
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -1003,7 +1003,9 @@ get_user_pass_cr (struct user_pass *up,

   if (!up->defined)
 {
-  const bool from_stdin = (!auth_file || streq (auth_file, "stdin"));
+  bool from_authfile = (auth_file && !streq (auth_file, "stdin"));
+  bool username_from_stdin = !from_authfile;
+  bool password_from_stdin = !from_authfile;

   if (flags & GET_USER_PASS_PREVIOUS_CREDS_FAILED)
msg (M_WARN, "Note: previous '%s' credentials failed", prefix);
@@ -1013,7 +1015,7 @@ get_user_pass_cr (struct user_pass *up,
* Get username/password from management interface?
*/
   if (management
- && ((auth_file && streq (auth_file, "management")) || (from_stdin && 
(flags & GET_USER_PASS_MANAGEMENT)))
+ && ((auth_file && streq (auth_file, "management")) || (!from_authfile 
&& (flags & GET_USER_PASS_MANAGEMENT)))
  && management_query_user_pass_enabled (management))
{
  const char *sc = NULL;
@@ -1050,11 +1052,61 @@ get_user_pass_cr (struct user_pass *up,
  if (!strlen (up->password))
strcpy (up->password, "ok");
}
- 
+  else if (from_authfile)
+{
+  /*
+   * Try to get username/password from a file.
+   */
+  FILE *fp;
+  char password_buf[USER_PASS_LEN] = { '\0' };
+
+  warn_if_group_others_accessible (auth_file);
+
+  fp = platform_fopen (auth_file, "r");
+  if (!fp)
+msg (M_ERR, "Error opening '%s' auth file: %s", prefix, auth_file);
+
+  if ((flags & GET_USER_PASS_PASSWORD_ONLY) == 0)
+{
+  /* Read username first */
+   if (fgets (up->username, USER_PASS_LEN, fp) == NULL)
+ msg (M_FATAL, "Error reading username from %s authfile: %s",
+  prefix,
+  auth_file);
+ }
+  chomp (up->username);
+
+  if (fgets (password_buf, USER_PASS_LEN, fp) != NULL)
+{
+#ifndef ENABLE_PASSWORD_SAVE
+  /*
+   * Unless ENABLE_PASSWORD_SAVE is defined, don't allow sensitive 
passwords
+   * to be read from a file.
+   */
+  if (flags & GET_USER_PASS_SENSITIVE)
+msg (M_FATAL, "Sorry, '%s' password cannot be read from a 
file", prefix);
+#endif
+  chomp (password_buf);
+}
+
+  if (flags & GET_USER_PASS_PASSWORD_ONLY && !password_buf[0])
+msg (M_FATAL, "Error reading password from %s authfile: %s", 
prefix, auth_file);
+
+  if (password_buf[0])
+strncpy(up->password, password_buf, USER_PASS_LEN);
+  else
+password_from_stdin = 1;
+
+  fclose (fp);
+
+  if (!(flags & GET_USER_PASS_PASSWORD_ONLY) && strlen (up->username) 
== 0)
+msg (M_FATAL, "ERROR: username from %s authfile '%s' is empty", 
prefix, auth_file);
+}
+
   /*
* Get username/password from standard input?
*/
-  else if (from_stdin)
+  if (username_from_stdin || password_from_stdin)
{
 #ifndef WIN32
  /* did we --daemon'ize before asking for passwords? */
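Review bot: `password_buf` holds the cleartext password on the stack and is never cleared after the `strncpy` into `up->password`; zero it before leaving the block (memset, or the project's secure zeroing helper if one exists). Two smaller points in the same hunk: `chomp (up->username)` sits outside the `if ((flags & GET_USER_PASS_PASSWORD_ONLY) == 0)` braces, so it is applied to a username that was never read in password-only mode, and `flags & GET_USER_PASS_PASSWORD_ONLY && !password_buf[0]` relies on `&` binding tighter than `&&`; parenthesise it the way the `!(flags & GET_USER_PASS_PASSWORD_ONLY)` line further down does.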
@@ -1092,7 +1144,7 @@ get_user_pass_cr (struct user_pass *up,
  buf_printf (_prompt, "Enter %s Username:", prefix);
  buf_printf (_prompt, "Enter %s Password:", prefix);

- if (!(flags & GET_USER_PASS_PASSWORD_ONLY))
+ if (username_from_stdin && !(flags & 
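Added example, not from either patch above nor from OpenVPN: a small C parser for the "username, optional password" text that both the inlined `<auth-user-pass>` block and the auth file carry. It applies the rules the two patches implement: the inline check from options.c (at most two lines, each shorter than USER_PASS_LEN) and the username-only handling from misc.c (a missing or empty password line means the password must be prompted for; a password found in the text is refused unless saved passwords are allowed, mirroring the ENABLE_PASSWORD_SAVE gate). The USER_PASS_LEN value, the status enum and all function names are this example's own, and the sample blobs are constructed. Unlike the options.c check, it also accepts a final line without a trailing newline, which is what reading a file with fgets does.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same name as in OpenVPN; the value is an assumption for this example. */
#define USER_PASS_LEN 128

enum cred_status {
    CRED_OK,                   /* username and password both present */
    CRED_NEED_PASSWORD,        /* username present, password must be prompted */
    CRED_EMPTY,                /* no username line */
    CRED_TOO_MANY_LINES,       /* a third line: not a credential blob */
    CRED_LINE_TOO_LONG,        /* a line does not fit USER_PASS_LEN - 1 */
    CRED_PASSWORD_NOT_ALLOWED  /* password present but saving passwords is off */
};

struct creds {
    char username[USER_PASS_LEN];
    char password[USER_PASS_LEN];
};

/* Parse "username\n[password\n]" (inline block or file contents) into *out.
 * `allow_saved_password` plays the role of the ENABLE_PASSWORD_SAVE build
 * option: when false, a password in the text is an error, not a convenience. */
enum cred_status parse_user_pass(const char *text, bool allow_saved_password,
                                 struct creds *out)
{
    const char *lines[2] = { NULL, NULL };
    size_t lens[2] = { 0, 0 };
    int n = 0;
    const char *p = text;

    memset(out, 0, sizeof *out);
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len > 0 && p[len - 1] == '\r')   /* tolerate CRLF files */
            len--;
        if (n == 2)
            return CRED_TOO_MANY_LINES;
        if (len > USER_PASS_LEN - 1)
            return CRED_LINE_TOO_LONG;
        lines[n] = p;
        lens[n] = len;
        n++;
        if (!nl)
            break;                           /* last line had no newline */
        p = nl + 1;
    }
    if (n == 0 || lens[0] == 0)
        return CRED_EMPTY;
    memcpy(out->username, lines[0], lens[0]);
    if (n < 2 || lens[1] == 0)
        return CRED_NEED_PASSWORD;           /* missing or empty: prompt */
    if (!allow_saved_password)
        return CRED_PASSWORD_NOT_ALLOWED;    /* refuse before copying it */
    memcpy(out->password, lines[1], lens[1]);
    return CRED_OK;
}

/* Wipe credentials once used; the volatile pointer keeps the compiler from
 * dropping the stores as dead. */
void creds_clear(struct creds *c)
{
    volatile unsigned char *p = (volatile unsigned char *)c;
    for (size_t i = 0; i < sizeof *c; i++)
        p[i] = 0;
}

int main(void)
{
    /* Constructed sample blobs, as an inline <auth-user-pass> block carries. */
    const char *samples[] = { "alice\nhunter2\n", "alice\n", "a\nb\nc\n" };
    struct creds c;
    for (size_t i = 0; i < 3; i++) {
        enum cred_status s = parse_user_pass(samples[i], true, &c);
        printf("sample %zu: status %d user='%s' password_set=%d\n",
               i, (int)s, c.username, c.password[0] != '\0');
        creds_clear(&c);
    }
    return 0;
}
```

The parser refuses a saved password before copying it, so a build that forbids saved passwords never has the secret in the credential struct at all; the caller still owns the buffer the text came from and should clear that too.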

[Openvpn-devel] [PATCH applied] Re: Remove support for snappy compression.

2015-10-11 Thread Gert Doering
Patch has been applied to the master branch.

commit 9403e3f4b510fbc4187044f31be8f7dccbde1cf1
Author: Gert Doering
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Sat Oct 10 18:34:49 2015 +0200

 Remove support for snappy compression.

 Signed-off-by: Gert Doering 
 Acked-by: Arne Schwabe 
 Message-Id: <194889-28925-1-git-send-email-g...@greenie.muc.de>
 URL: http://article.gmane.org/gmane.network.openvpn.devel/10251


--
kind regards,

Gert Doering




[Openvpn-devel] [PATCH applied] Re: Fix trac ticket #569

2015-10-11 Thread Gert Doering
Your patch has been applied to the master and release/2.3 branch.

commit c67acea173dc9ee37220f5b9ff14ede081181992 (master)
commit a3160fc1bd7368395745b9cee6e40fb819f5564c (release/2.3)

Author: janjust 
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Sat Oct 10 18:12:49 2015 +0200

Fix "White space before end tags can break the config parser"

trac #569

Acked-by: Arne Schwabe 
Message-Id: <193569-24026-1-git-send-email-janj...@nikhef.nl>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10249

Signed-off-by: Gert Doering 

--
kind regards,

Gert Doering




Re: [Openvpn-devel] [PATCH] Remove support for snappy compression.

2015-10-11 Thread Arne Schwabe
Am 10.10.15 um 18:34 schrieb Gert Doering:
> LZ4 is using less CPU at similar performance, and it is easier to
> build and support for binary installs (as it does not require C++
> and a C++ runtime).  Since it was never supported in any formally
> released OpenVPN version, just drop it again.
> 
> This leaves in the compression opcode for Snappy for documentation
> purposes.
> 
> trac #617

ACK from me. Snappy is probably not used outside of test scripts.

Arne