[Openvpn-devel] unsubscribe

2015-12-14 Thread Rick Brockman


-- 

-

_RICK BROCKMAN_ 

_28 LANCASTER ST._


_CHERRY VALLEY, NY 13320_ 

_607 434-4746_


[Openvpn-devel] [PATCH] Disable certificate notBefore/notAfter sanity check on OpenSSL < 1.0.2

2015-12-14 Thread Steffan Karger
The SSL_CTX_get0_certificate() function I used in 091edd8e is available in
OpenSSL 1.0.2+ only.  Older versions seem to not have a useful alternative.
The remaining option would then be to create a cache for our parsed
certificate, but that would mean adding more struct members and code for
the select group of people that do use an up-to-date openvpn, but do not
update their openssl.  I don't think that's worth it.  So just disable the
code for older openssl versions.

Signed-off-by: Steffan Karger 
---
 src/openvpn/ssl_openssl.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 2b74818..4792b08 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -353,6 +353,7 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const 
char *ciphers)
 void
 tls_ctx_check_cert_time (const struct tls_root_ctx *ctx)
 {
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L
   int ret;
   const X509 *cert = SSL_CTX_get0_certificate(ctx->ctx);

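Review bot: With the whole body wrapped in `#if OPENSSL_VERSION_NUMBER >= 0x10002000L`, builds against OpenSSL older than 1.0.2 lose the check silently, so on such a build the absence of a warning cannot be told apart from a valid certificate; an `#else` branch that logs at debug level that the notBefore/notAfter check is skipped would make that visible in the log. The threshold itself is right: 0x10002000L is the first 1.0.2 version number, matching the availability of SSL_CTX_get0_certificate() stated in the commit message.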
@@ -375,6 +376,7 @@ tls_ctx_check_cert_time (const struct tls_root_ctx *ctx)
 {
   msg (M_WARN, "WARNING: Your certificate has expired!");
 }
+#endif
 }

 void
-- 
2.5.0




Re: [Openvpn-devel] [PATCH] Improve stdin prompting section, fixing CR prompting.

2015-12-14 Thread Wayne Davison
On Thu, Dec 10, 2015 at 8:57 AM, Wayne Davison  wrote:

>  src/openvpn/misc.c | 119
> +
>  1 file changed, 57 insertions(+), 62 deletions(-)
>

Any questions I can answer about this patch?  This is such a
straight-forward bug with a simple fix that I'd hope that it makes it into
the upcoming release. (The patch is mainly re-indenting, which bloats it a
good bit.)

..wayne..


Re: [Openvpn-devel] Topics for today's (Monday, 14th Dec 2015) community meeting

2015-12-14 Thread Samuli Seppänen

Hi,

Here's the summary of today's IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-devel on irc.freenode.net
List-Post: openvpn-devel@lists.sourceforge.net
Date: Monday 14th Dec 2015
Time: 20:00 CET (19:00 UTC)

Planned meeting topics for this meeting were here:



The next meeting has not been scheduled yet, but will probably be arranged two 
weeks from now.

Your local meeting time is easy to check from services such as



SUMMARY

cron2, ecrist, lev, ltfish, mattock, rafaelgava100, syzzer and valdikss 
participated in this meeting.

---

Discussed the "​Make ValdikSS's DNS leak fix platform agnostic" patch:



Several new versions of the patch were created and tested during the meeting. 
The final version worked on enough mingw-w64 and Visual Studio versions to 
allow giving it an ACK.

---

Discussed the "​Added two feature to Network Address Translator" patch:



None of the attendees knew the affected codepaths well enough, so mattock sent 
email to jamesyonan, asking him to review the patch.

---

Discussed the "​Distribute the GUI to run with highest privilege available" 
patch to openvpn-gui:





The approach taken in the patch seems sane. Mattock will do some basic testing 
with the patched OpenVPN-GUI and if all goes well, merge it into official 
installers. The testing does not have to postpone the 2.3.9 release, as new 
Windows installers can be released soon after initial 2.3.9 Windows installers 
are out.

The alternative approach of using level=”requireAdministrator” seems to have 
the potential to break valid cases where the user _does_ have the privileges 
required for OpenVPN to work, but _does not_ have admin privileges.

---

Discussed OpenVPN 2.3.9 release. Here is the release plan:

- mattock posts changes.rst to list
- cron2 adds changes.rst, updates ChangeLog and version.m4
- mattock builds 2.3.9 installers with all the new stuff
- if that is good, cron2 tags and we ship

In addition:

- the initial windows installers will not have the openvpn-gui changes
- mattock will provide test installers with the changes and send a link to 
the list
- if the test installers work fine for people, new official installers will 
be released

---

Full chatlog has been attached to this email.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
(21:02:34) mattock: hi
(21:02:46) ecrist: hey, mattock
(21:02:50) lev__: hi
(21:02:50) mattock: hi ecrist!
(21:02:56) mattock: ready to start the meeting?
(21:03:01) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2015-12-14
(21:03:03) vpnHelper: Title: Topics-2015-12-14 – OpenVPN Community (at 
community.openvpn.net)
(21:04:49) syzzer: hi, yes, ready!
(21:04:58) mattock: is the topic list ok? anything to remove or add?
(21:05:14) cron2_: lev__: if you close 637, we can just have it done on the 
agenda :)
(21:05:38) lev__: cron2_: I would like to but don't have trac admin rights
(21:05:51) cron2_: oh?  mattock: can you fix that, please? :-)
(21:05:57) cron2_: (trac name is "stipa")
(21:06:06) mattock: cron2_: ok
(21:06:17) WayneD has left the room (quit: Remote host closed the 
connection).
(21:06:57) mattock: done
(21:06:58) gava100: hi, I'd like to ask you guys about a patch: "Allow the user 
to use the string 'client-ip' on the client-nat network configuration as a 
convenient way to use the leased IP address received from OpenVPN server"
(21:07:36) cron2_: it's on the agenda
(21:07:54) gava100: oh great, thx!
(21:07:57) cron2_: (though I'm not sure if mattock linked the right mail)
(21:08:24) mattock: yes, I did
(21:08:36) mattock: unless there is a version 2 or something
(21:08:58) mattock: I'll check the previous discussion regarding that patch
(21:09:31) gava100: exactly. The version 2 is only for this client-ip string.
(21:09:48) cron2_: regarding fish's v2 patch - "close, but no cigar" - it is 
removing all #if _WIN32_WINNT >= 0x0600 lines, but some of them should actually 
be #if defined(WIN32) - those in init.c, for example, because otherwise it will 
fail non-windows builds
(21:10:20) ltfish: i see
(21:10:30) gava100: I think we should consider it instead of the previous patch.
(21:10:38) cron2_: ltfish: so init.c needs to change the #ifdef - I think the 
rest is good (comparing with master)
(21:11:06) ltfish: cron2_: let me fix it 

Re: [Openvpn-devel] [PATCH] Make MSVC happy about route.c

2015-12-14 Thread Lev Stipakov

ACK.

I don't have VC2010, but at least on 2013 it compiles nicely.



[Openvpn-devel] [PATCH applied] Re: Make block-outside-dns option platform agnostic

2015-12-14 Thread Gert Doering
ACK, thanks a lot (and thanks to valdikss and lev for the thorough
testing)

Your patch has been applied to the release/2.3 branch.

commit 367067f3cb29785338686426667df30c86663ed1 (release/2.3)
Author: Fish
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Mon Dec 14 12:41:35 2015 -0800

 Make block-outside-dns option platform agnostic

 Acked-by: Gert Doering 
 Message-Id: <1450125695-36596-1-git-send-email-fish.t...@gmail.com>
 URL: http://article.gmane.org/gmane.network.openvpn.devel/10795
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




[Openvpn-devel] [PATCH] Make MSVC happy about route.c

2015-12-14 Thread Fish
Move the definition of out to the beginning of functions to comply with
old-style C compilers. Tested on MSVC 2010.
---
 src/openvpn/route.c | 11 ---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/openvpn/route.c b/src/openvpn/route.c
index cf5a067..c4459f9 100644
--- a/src/openvpn/route.c
+++ b/src/openvpn/route.c
@@ -1551,6 +1551,9 @@ add_route_ipv6 (struct route_ipv6 *r6, const struct 
tuntap *tt, unsigned int fla
 {
   struct gc_arena gc;
   struct argv argv;
+#ifdef WIN32
+  struct buffer out;
+#endif

   const char *network;
   const char *gateway;
@@ -1622,8 +1625,7 @@ add_route_ipv6 (struct route_ipv6 *r6, const struct 
tuntap *tt, unsigned int fla
   status = openvpn_execve_check (, es, 0, "ERROR: Linux route -6/-A inet6 
add command failed");

 #elif defined (WIN32)
-
-  struct buffer out = alloc_buf_gc (64, );
+  out = alloc_buf_gc(64, );
   buf_printf (, "interface=%d", tt->adapter_index );
   device = buf_bptr();

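Review bot: Style nit in the replacement line `out = alloc_buf_gc(64,`: the removed line and the surrounding calls (`buf_printf (`, `openvpn_execve_check (`) put a space before the opening parenthesis, so the new assignment should keep that spacing; the same applies to the matching line in the delete_route_ipv6 hunk.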
@@ -1900,6 +1902,9 @@ delete_route_ipv6 (const struct route_ipv6 *r6, const 
struct tuntap *tt, unsigne
 {
   struct gc_arena gc;
   struct argv argv;
+#ifdef WIN32
+  struct buffer out;
+#endif
   const char *network;
   const char *gateway;
   const char *device = tt->actual_name;
@@ -1958,7 +1963,7 @@ delete_route_ipv6 (const struct route_ipv6 *r6, const 
struct tuntap *tt, unsigne

 #elif defined (WIN32)

-  struct buffer out = alloc_buf_gc (64, );
+  out = alloc_buf_gc(64, );
   buf_printf (, "interface=%d", tt->adapter_index );
   device = buf_bptr();

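Review bot: The blank line after `#elif defined (WIN32)` is deleted in the add_route_ipv6 hunk but kept here; either keep both or drop both so the two functions stay parallel.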
-- 
2.6.4




[Openvpn-devel] [PATCH applied] Re: Warn user if their certificate has expired

2015-12-14 Thread Gert Doering
ACK! WANT!

(Tested with an expired certificate and it works, and looking at OpenSSL
x509_vfy.c and PolarSSL x509_8h, I'm reasonably confident that it will 
also work for not-yet-valid certificates and that we call this all correctly)

Your patch has been applied to the master branch (release/2.3 coming 
when that has migrated to PolarSSL 1.3).

commit 091edd8e2996867447eeb665af957547aa8b3107 (master)

Author: Steffan Karger
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Mon Dec 14 21:09:18 2015 +0100

 Warn user if their certificate has expired

 Signed-off-by: Steffan Karger 
 Acked-by: Gert Doering 
 Message-Id: <1450123758-31641-1-git-send-email-stef...@karger.me>
 URL: http://article.gmane.org/gmane.network.openvpn.devel/10794
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




[Openvpn-devel] [PATCH] Warn user if their certificate has expired

2015-12-14 Thread Steffan Karger
Previously, client certificate expiry warnings would only be visible in the
server log, and server certificate expiry warnings in the client log.
Both after a (failed) connection attempt.  This patch adds a warning to the
log when a user's own certificate has expired (or is not yet valid) to ease
problem diagnosis / error reporting.

Note that this is just a warning, since on some systems (notably embedded
devices) there might be no correct time available.

Signed-off-by: Steffan Karger 
---
 src/openvpn/ssl.c  |  3 +++
 src/openvpn/ssl_backend.h  |  9 +
 src/openvpn/ssl_openssl.c  | 27 +++
 src/openvpn/ssl_polarssl.c | 14 ++
 4 files changed, 53 insertions(+)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 887bd75..665fdd7 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -566,6 +566,9 @@ init_ssl (const struct options *options, struct 
tls_root_ctx *new_ctx)
   tls_ctx_load_extra_certs(new_ctx, options->extra_certs_file, 
options->extra_certs_file_inline);
 }

+  /* Check certificate notBefore and notAfter */
+  tls_ctx_check_cert_time(new_ctx);
+
   /* Once keys and cert are loaded, load ECDH parameters */
   if (options->tls_server)
 tls_ctx_load_ecdh_params(new_ctx, options->ecdh_curve);
diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h
index 99930e5..ac28f5f 100644
--- a/src/openvpn/ssl_backend.h
+++ b/src/openvpn/ssl_backend.h
@@ -175,6 +175,15 @@ void tls_ctx_set_options (struct tls_root_ctx *ctx, 
unsigned int ssl_flags);
 void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers);

 /**
+ * Check our certificate notBefore and notAfter fields, and warn if the cert is
+ * either not yet valid or has expired.  Note that this is a non-fatal error,
+ * since we compare against the system time, which might be incorrect.
+ *
+ * @param ctx  TLS context to get our certificate from.
+ */
+void tls_ctx_check_cert_time (const struct tls_root_ctx *ctx);
+
+/**
  * Load Diffie Hellman Parameters, and load them into the library-specific
  * TLS context.
  *
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 4430fec..2b74818 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -351,6 +351,33 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const 
char *ciphers)
 }

 void
+tls_ctx_check_cert_time (const struct tls_root_ctx *ctx)
+{
+  int ret;
+  const X509 *cert = SSL_CTX_get0_certificate(ctx->ctx);
+
+  ret = X509_cmp_time (X509_get_notBefore (cert), NULL);
+  if (ret == 0)
+{
+  msg (D_TLS_DEBUG_MED, "Failed to read certificate notBefore field.");
+}
+  if (ret > 0)
+{
+  msg (M_WARN, "WARNING: Your certificate is not yet valid!");
+}
+
+  ret = X509_cmp_time (X509_get_notAfter (cert), NULL);
+  if (ret == 0)
+{
+  msg (D_TLS_DEBUG_MED, "Failed to read certificate notAfter field.");
+}
+  if (ret < 0)
+{
+  msg (M_WARN, "WARNING: Your certificate has expired!");
+}
+}
+
+void
 tls_ctx_load_dh_params (struct tls_root_ctx *ctx, const char *dh_file,
 const char *dh_file_inline
 )
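Review bot: `cert` is dereferenced without a NULL check: SSL_CTX_get0_certificate() returns NULL when no certificate has been installed in the context, and X509_get_notBefore() on that pointer crashes. Since the call site in init_ssl() runs unconditionally, guard with `if (!cert) return;` (or a debug message) before the comparisons. The X509_cmp_time() sign handling is otherwise right: `ret > 0` on notBefore means the start lies in the future, `ret < 0` on notAfter means the end has already passed, and `0` is the error case handled separately.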
diff --git a/src/openvpn/ssl_polarssl.c b/src/openvpn/ssl_polarssl.c
index bb58746..4782469 100644
--- a/src/openvpn/ssl_polarssl.c
+++ b/src/openvpn/ssl_polarssl.c
@@ -217,6 +217,20 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const 
char *ciphers)
 }

 void
+tls_ctx_check_cert_time (const struct tls_root_ctx *ctx)
+{
+  if (x509_time_future (>crt_chain->valid_from))
+{
+  msg (M_WARN, "WARNING: Your certificate is not yet valid!");
+}
+
+  if (x509_time_expired (>crt_chain->valid_to))
+{
+  msg (M_WARN, "WARNING: Your certificate has expired!");
+}
+}
+
+void
 tls_ctx_load_dh_params (struct tls_root_ctx *ctx, const char *dh_file,
 const char *dh_inline
 )
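Review bot: Same concern as on the OpenSSL side: `ctx->crt_chain` is dereferenced unconditionally, so a context without a loaded certificate would crash here; check for NULL first. This branch also has no counterpart to the OpenSSL "Failed to read certificate ... field" debug messages, which is fine if the PolarSSL helpers report no error, but a one-line comment would make the asymmetry look deliberate.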
-- 
2.5.0
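The check this patch adds, as an added example that is not OpenVPN code: it parses the X.509 Validity SEQUENCE from DER with the Python standard library only, applies the same notBefore/notAfter logic using X509_cmp_time()'s return-value convention, and also covers the UTCTime two-digit-year pivot and the unreadable-field case; the `encode_validity` helper and the sample values are constructed here, not taken from the patch.

```python
from datetime import datetime, timezone

TAG_SEQUENCE, TAG_UTCTIME, TAG_GENERALIZEDTIME = 0x30, 0x17, 0x18
NOT_YET_VALID = "WARNING: Your certificate is not yet valid!"
EXPIRED = "WARNING: Your certificate has expired!"


def _read_tlv(data, pos):
    """Return (tag, value, next_pos) for one DER TLV (lengths up to 65535)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 2:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_time(tag, value):
    """Decode UTCTime 'YYMMDDHHMMSSZ' or GeneralizedTime 'YYYYMMDDHHMMSSZ'.

    RFC 5280 requires the trailing 'Z' and reads two-digit years 50..99 as
    1950..1999 and 00..49 as 2000..2049.  Returns None if the field is malformed.
    """
    try:
        text = value.decode("ascii")
        if not text.endswith("Z"):
            return None
        if tag == TAG_UTCTIME and len(text) == 13:
            yy = int(text[:2])
            year, rest = (1900 + yy if yy >= 50 else 2000 + yy), text[2:12]
        elif tag == TAG_GENERALIZEDTIME and len(text) == 15:
            year, rest = int(text[:4]), text[4:14]
        else:
            return None
        fields = [int(rest[i:i + 2]) for i in range(0, 10, 2)]  # MM DD HH MM SS
        return datetime(year, *fields, tzinfo=timezone.utc)
    except (UnicodeDecodeError, ValueError):
        return None


def cmp_time(tag, value, now):
    """X509_cmp_time() semantics: -1 if the field is <= now, 1 if later, 0 on error."""
    t = decode_time(tag, value)
    if t is None:
        return 0
    return -1 if t <= now else 1


def check_cert_time(validity_der, now):
    """Apply the patch's notBefore/notAfter logic to a DER Validity SEQUENCE.

    Returns the messages OpenVPN would log (empty list: nothing to complain about).
    As in the patch, an unreadable field is reported but is not itself treated
    as expired or not-yet-valid, and nothing here is fatal: `now` may be wrong.
    """
    tag, body, _ = _read_tlv(validity_der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Validity must be a SEQUENCE")
    nb_tag, nb_val, pos = _read_tlv(body, 0)
    na_tag, na_val, _ = _read_tlv(body, pos)
    msgs = []
    ret = cmp_time(nb_tag, nb_val, now)
    if ret == 0:
        msgs.append("Failed to read certificate notBefore field.")
    if ret > 0:
        msgs.append(NOT_YET_VALID)
    ret = cmp_time(na_tag, na_val, now)
    if ret == 0:
        msgs.append("Failed to read certificate notAfter field.")
    if ret < 0:
        msgs.append(EXPIRED)
    return msgs


def encode_validity(not_before, not_after):
    """Build a DER Validity SEQUENCE for constructed test input (short lengths only).

    A 13-character string becomes UTCTime, anything else GeneralizedTime, which is
    the RFC 5280 rule for dates before and from 2050 onwards.
    """
    def tlv(tag, payload):
        assert len(payload) < 128
        return bytes([tag, len(payload)]) + payload

    def time_tlv(s):
        return tlv(TAG_UTCTIME if len(s) == 13 else TAG_GENERALIZEDTIME, s.encode("ascii"))

    return tlv(TAG_SEQUENCE, time_tlv(not_before) + time_tlv(not_after))


def utc(*ymdhms):
    return datetime(*ymdhms, tzinfo=timezone.utc)


# Constructed sample: valid from the date of this thread until the end of 2050
# (notAfter needs GeneralizedTime because UTCTime cannot express the year 2050).
SAMPLE_VALIDITY = encode_validity("151214000000Z", "20501231235959Z")
# Constructed sample whose notBefore has an impossible month (unreadable field).
BROKEN_VALIDITY = encode_validity("151314000000Z", "20501231235959Z")

if __name__ == "__main__":
    for label, now in (("meeting day", utc(2015, 12, 14, 21, 0, 0)),
                       ("clock set to 2010", utc(2010, 1, 1, 0, 0, 0)),
                       ("after expiry", utc(2051, 1, 1, 0, 0, 0))):
        print(label, check_cert_time(SAMPLE_VALIDITY, now) or ["certificate time ok"])
    print("broken field", check_cert_time(BROKEN_VALIDITY, utc(2015, 12, 14, 21, 0, 0)))
```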




[Openvpn-devel] [PATCH v3] Make "block-outside-dns" option platform agnostic

2015-12-14 Thread Fish
Make the "block-outside-dns" option agnostic of Windows versions by dynamically
loading WFP-related functions. Cross-compiled on Linux and tested on Windows
XP/10.
---
 src/openvpn/Makefile.am |   4 +-
 src/openvpn/init.c  |   4 +-
 src/openvpn/options.c   |  17 ++-
 src/openvpn/win32.c | 114 ---
 src/openvpn/win32.h |   1 +
 src/openvpn/win32_wfp.h | 359 
 6 files changed, 429 insertions(+), 70 deletions(-)
 create mode 100644 src/openvpn/win32_wfp.h

diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
index 2e602f1..6d02fea 100644
--- a/src/openvpn/Makefile.am
+++ b/src/openvpn/Makefile.am
@@ -110,7 +110,7 @@ openvpn_SOURCES = \
status.c status.h \
syshead.h \
tun.c tun.h \
-   win32.h win32.c \
+   win32.h win32_wfp.h win32.c \
cryptoapi.h cryptoapi.c
 openvpn_LDADD = \
$(top_builddir)/src/compat/libcompat.la \
@@ -123,5 +123,5 @@ openvpn_LDADD = \
$(OPTIONAL_DL_LIBS)
 if WIN32
 openvpn_SOURCES += openvpn_win32_resources.rc
-openvpn_LDADD += -lgdi32 -lws2_32 -lwininet -lcrypt32 -liphlpapi -lwinmm
+openvpn_LDADD += -lgdi32 -lws2_32 -lwininet -lcrypt32 -liphlpapi -lrpcrt4 
-lwinmm
 endif
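Review bot: The new `-lrpcrt4` link dependency is not mentioned anywhere in the commit message; a sentence on which of the dynamically resolved WFP helpers needs it would help whoever bisects a future link failure.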
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index e8a96c2..1c0ed60 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1468,7 +1468,7 @@ do_open_tun (struct context *c)
   "up",
   c->c2.es);

-#if _WIN32_WINNT >= 0x0600
+#ifdef WIN32
   if (c->options.block_outside_dns)
   {
 dmsg (D_LOW, "Blocking outside DNS");
@@ -1603,7 +1603,7 @@ do_close_tun (struct context *c, bool force)
   "down",
   c->c2.es);

-#if _WIN32_WINNT >= 0x0600
+#ifdef WIN32
 if (c->options.block_outside_dns)
 {
 if (!win_wfp_uninit())
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 3a6aacd..1832bc5 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -715,9 +715,7 @@ static const char usage_message[] =
   "   optional parameter controls the initial state of 
ex.\n"
   "--show-net-up   : Show " PACKAGE_NAME "'s view of routing table and net 
adapter list\n"
   "  after TAP adapter is up and routes have been added.\n"
-#if _WIN32_WINNT >= 0x0600
   "--block-outside-dns   : Block DNS on other network adapters to prevent DNS 
leaks\n"
-#endif
   "Windows Standalone Options:\n"
   "\n"
   "--show-adapters : Show all TAP-Windows adapters.\n"
@@ -1682,9 +1680,7 @@ show_settings (const struct options *o)
 #ifdef WIN32
   SHOW_BOOL (show_net_up);
   SHOW_INT (route_method);
-#if _WIN32_WINNT >= 0x0600
   SHOW_BOOL (block_outside_dns);
-#endif
   show_tuntap_options (>tuntap_options);
 #endif
 #endif
@@ -6252,11 +6248,20 @@ add_option (struct options *options,
   VERIFY_PERMISSION (OPT_P_IPWIN32);
   options->tuntap_options.register_dns = true;
 }
-#if _WIN32_WINNT >= 0x0600
+#ifdef WIN32
   else if (streq (p[0], "block-outside-dns") && !p[1])
 {
   VERIFY_PERMISSION (OPT_P_IPWIN32);
-  options->block_outside_dns = true;
+  if (win_wfp_init_funcs())
+  {
+options->block_outside_dns = true;
+  }
+  else
+  {
+msg (msglevel_fc, "Failed to enable --block-outside-dns. "
+   "Maybe WFP is not supported on your system?");
+ goto err;
+  }
 }
 #endif
   else if (streq (p[0], "rdns-internal"))
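Review bot: Indentation of `goto err;` is off by one column relative to the `msg (...)` call above it. More importantly, win_wfp_init_funcs() now runs every time the option is parsed; if `block-outside-dns` can reach add_option() more than once (for example from the config file and again later with the same OPT_P_IPWIN32 permission), make sure repeated initialisation is harmless or guard it with a static flag.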
diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c
index 9402361..449d512 100644
--- a/src/openvpn/win32.c
+++ b/src/openvpn/win32.c
@@ -46,63 +46,17 @@

 #include "memdbg.h"

-/*
- * WFP-related defines and GUIDs.
- */
-#if _WIN32_WINNT >= 0x0600
-#include 
-#include 
-#include 
-#include 
-
-#ifndef FWPM_SESSION_FLAG_DYNAMIC
-#define FWPM_SESSION_FLAG_DYNAMIC 0x0001
-#endif
-
-// c38d57d1-05a7-4c33-904f-7fbceee60e82
-DEFINE_GUID(
-   FWPM_LAYER_ALE_AUTH_CONNECT_V4,
-   0xc38d57d1,
-   0x05a7,
-   0x4c33,
-   0x90, 0x4f, 0x7f, 0xbc, 0xee, 0xe6, 0x0e, 0x82
-);
-
-// 4a72393b-319f-44bc-84c3-ba54dcb3b6b4
-DEFINE_GUID(
-   FWPM_LAYER_ALE_AUTH_CONNECT_V6,
-   0x4a72393b,
-   0x319f,
-   0x44bc,
-   0x84, 0xc3, 0xba, 0x54, 0xdc, 0xb3, 0xb6, 0xb4
-);
-
-// d78e1e87-8644-4ea5-9437-d809ecefc971
-DEFINE_GUID(
-   FWPM_CONDITION_ALE_APP_ID,
-   0xd78e1e87,
-   0x8644,
-   0x4ea5,
-   0x94, 0x37, 0xd8, 0x09, 0xec, 0xef, 0xc9, 0x71
-);
-
-// c35a604d-d22b-4e1a-91b4-68f674ee674b
-DEFINE_GUID(
-   FWPM_CONDITION_IP_REMOTE_PORT,
-   0xc35a604d,
-   0xd22b,
-   0x4e1a,
-   0x91, 0xb4, 0x68, 0xf6, 0x74, 0xee, 0x67, 0x4b
-);
-
-// 4cd62a49-59c3-4969-b7f3-bda5d32890a4
-DEFINE_GUID(
-   FWPM_CONDITION_IP_LOCAL_INTERFACE,
-   0x4cd62a49,
-   0x59c3,
-   0x4969,
-   0xb7, 0xf3, 0xbd, 0xa5, 0xd3, 0x28, 0x90, 0xa4
-);
+#include "win32_wfp.h"
+
+/* WFP function pointers. Initialized in win_wfp_init_funcs() */
+func_ConvertInterfaceIndexToLuid 

Re: [Openvpn-devel] Topics for today's (Monday, 14th Dec 2015) community meeting

2015-12-14 Thread Samuli Seppänen

Hi,

Oh yes, I added those to the topic list. They appeared on the agenda on 
21st September, so getting those reviewed would be good.


Samuli



Hi,

Hoping you will have time to consider Gava's client-nat localhost and ftp 
patches.

Sent from my iPhone


On Dec 14, 2015, at 7:23 AM, Samuli Seppänen  wrote:


Hi,

We're going to have an IRC meeting today starting at 20:00 CET (19:00
UTC) on #openvpn-meeting  irc.freenode.net. Note that the meeting
channel has changed and that you do _not_ have to be logged in to
Freenode to join the channel.

Current topic list along with basic information is here:



If you have any other things you'd like to bring up, respond to this
mail, send me mail privately or add them to the list yourself.

In case you can't attend the meeting, please feel free to make comments
on the topics by responding to this email or to the summary email sent
after the meeting. Whenever possible, we'll also respond to existing,
related email threads.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

--
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel






Re: [Openvpn-devel] Topics for today's (Monday, 14th Dec 2015) community meeting

2015-12-14 Thread Gmail
Hi,

Hoping you will have time to consider Gava's client-nat localhost and ftp 
patches. 

Sent from my iPhone

> On Dec 14, 2015, at 7:23 AM, Samuli Seppänen  wrote:
> 
> 
> Hi,
> 
> We're going to have an IRC meeting today starting at 20:00 CET (19:00 
> UTC) on #openvpn-meeting  irc.freenode.net. Note that the meeting 
> channel has changed and that you do _not_ have to be logged in to 
> Freenode to join the channel.
> 
> Current topic list along with basic information is here:
> 
> 
> 
> If you have any other things you'd like to bring up, respond to this 
> mail, send me mail privately or add them to the list yourself.
> 
> In case you can't attend the meeting, please feel free to make comments 
> on the topics by responding to this email or to the summary email sent 
> after the meeting. Whenever possible, we'll also respond to existing, 
> related email threads.
> 
> -- 
> Samuli Seppänen
> Community Manager
> OpenVPN Technologies, Inc
> 
> irc freenode net: mattock



[Openvpn-devel] [PATCH applied] Re: Pass adapter index to up/down scripts

2015-12-14 Thread Gert Doering
ACK.  I have not actually compile-tested this (buildbot will :-) ) but
it looks reasonable and since we've decided to use idx for netsh.exe, 
it should be available to scripts too.

Your patch has been applied to the master and release/2.3 branch.

I've taken the liberty of actually documenting $env_idx in doc/openvpn.8

commit 9dff2c1f106865a72a1d505076751dde170e88dc (master)
commit 9fe2ac8d51b8182f5e8e41ce7c875f451de10191 (release/2.3)

Author: Lev Stipakov
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Sat Dec 12 14:34:20 2015 +0200

 Pass adapter index to up/down scripts

 Signed-off-by: Lev Stipakov 
 Acked-by: Gert Doering 
 Message-Id: <1449923660-27363-1-git-send-email-lstipa...@gmail.com>
 URL: http://article.gmane.org/gmane.network.openvpn.devel/10762
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




[Openvpn-devel] [PATCH v2] Make "block-outside-dns" option platform agnostic

2015-12-14 Thread Fish
Make the "block-outside-dns" option agnostic of Windows versions by dynamically
loading WFP-related functions. Cross-compiled on Linux and tested on Windows
XP/10.
---
 src/openvpn/Makefile.am |   4 +-
 src/openvpn/init.c  |   4 -
 src/openvpn/options.c   |  17 ++-
 src/openvpn/win32.c | 114 ---
 src/openvpn/win32.h |   1 +
 src/openvpn/win32_wfp.h | 359 
 6 files changed, 426 insertions(+), 73 deletions(-)
 create mode 100644 src/openvpn/win32_wfp.h

diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
index 2e602f1..6d02fea 100644
--- a/src/openvpn/Makefile.am
+++ b/src/openvpn/Makefile.am
@@ -110,7 +110,7 @@ openvpn_SOURCES = \
status.c status.h \
syshead.h \
tun.c tun.h \
-   win32.h win32.c \
+   win32.h win32_wfp.h win32.c \
cryptoapi.h cryptoapi.c
 openvpn_LDADD = \
$(top_builddir)/src/compat/libcompat.la \
@@ -123,5 +123,5 @@ openvpn_LDADD = \
$(OPTIONAL_DL_LIBS)
 if WIN32
 openvpn_SOURCES += openvpn_win32_resources.rc
-openvpn_LDADD += -lgdi32 -lws2_32 -lwininet -lcrypt32 -liphlpapi -lwinmm
+openvpn_LDADD += -lgdi32 -lws2_32 -lwininet -lcrypt32 -liphlpapi -lrpcrt4 
-lwinmm
 endif
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index e8a96c2..960535d 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1468,14 +1468,12 @@ do_open_tun (struct context *c)
   "up",
   c->c2.es);

-#if _WIN32_WINNT >= 0x0600
   if (c->options.block_outside_dns)
   {
 dmsg (D_LOW, "Blocking outside DNS");
 if (!win_wfp_block_dns(c->c1.tuntap->adapter_index))
 msg (M_FATAL, "Blocking DNS failed!");
   }
-#endif

   /* possibly add routes */
   if (!c->options.route_delay_defined)
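Review bot: Removing `#if _WIN32_WINNT >= 0x0600` without a replacement leaves the `win_wfp_block_dns()` call compiled on every platform, which breaks non-Windows builds; the guard should become `#ifdef WIN32` instead (the point cron2 raised in the meeting log above). The same applies to the do_close_tun hunk below.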
@@ -1603,13 +1601,11 @@ do_close_tun (struct context *c, bool force)
   "down",
   c->c2.es);

-#if _WIN32_WINNT >= 0x0600
 if (c->options.block_outside_dns)
 {
 if (!win_wfp_uninit())
 msg (M_FATAL, "Uninitialising WFP failed!");
 }
-#endif

  /* actually close tun/tap device based on --down-pre flag */
  if (c->options.down_pre)
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 3a6aacd..8d85502 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -715,9 +715,7 @@ static const char usage_message[] =
   "   optional parameter controls the initial state of 
ex.\n"
   "--show-net-up   : Show " PACKAGE_NAME "'s view of routing table and net 
adapter list\n"
   "  after TAP adapter is up and routes have been added.\n"
-#if _WIN32_WINNT >= 0x0600
   "--block-outside-dns   : Block DNS on other network adapters to prevent DNS 
leaks\n"
-#endif
   "Windows Standalone Options:\n"
   "\n"
   "--show-adapters : Show all TAP-Windows adapters.\n"
@@ -1682,9 +1680,7 @@ show_settings (const struct options *o)
 #ifdef WIN32
   SHOW_BOOL (show_net_up);
   SHOW_INT (route_method);
-#if _WIN32_WINNT >= 0x0600
   SHOW_BOOL (block_outside_dns);
-#endif
   show_tuntap_options (>tuntap_options);
 #endif
 #endif
@@ -6252,13 +6248,20 @@ add_option (struct options *options,
   VERIFY_PERMISSION (OPT_P_IPWIN32);
   options->tuntap_options.register_dns = true;
 }
-#if _WIN32_WINNT >= 0x0600
   else if (streq (p[0], "block-outside-dns") && !p[1])
 {
   VERIFY_PERMISSION (OPT_P_IPWIN32);
-  options->block_outside_dns = true;
+  if (win_wfp_init_funcs())
+  {
+options->block_outside_dns = true;
+  }
+  else
+  {
+msg (msglevel_fc, "Failed to enable --block-outside-dns. "
+   "Maybe WFP is not supported on your system?");
+ goto err;
+  }
 }
-#endif
   else if (streq (p[0], "rdns-internal"))
  /* standalone method for internal use
   *
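Review bot: Same issue as in init.c: with `#if _WIN32_WINNT >= 0x0600` and its `#endif` removed and nothing in their place, the `block-outside-dns` branch and its `win_wfp_init_funcs()` call are compiled on non-Windows builds too; use `#ifdef WIN32` here as the v3 version of this patch does.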
diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c
index 9402361..449d512 100644
--- a/src/openvpn/win32.c
+++ b/src/openvpn/win32.c
@@ -46,63 +46,17 @@

 #include "memdbg.h"

-/*
- * WFP-related defines and GUIDs.
- */
-#if _WIN32_WINNT >= 0x0600
-#include 
-#include 
-#include 
-#include 
-
-#ifndef FWPM_SESSION_FLAG_DYNAMIC
-#define FWPM_SESSION_FLAG_DYNAMIC 0x0001
-#endif
-
-// c38d57d1-05a7-4c33-904f-7fbceee60e82
-DEFINE_GUID(
-   FWPM_LAYER_ALE_AUTH_CONNECT_V4,
-   0xc38d57d1,
-   0x05a7,
-   0x4c33,
-   0x90, 0x4f, 0x7f, 0xbc, 0xee, 0xe6, 0x0e, 0x82
-);
-
-// 4a72393b-319f-44bc-84c3-ba54dcb3b6b4
-DEFINE_GUID(
-   FWPM_LAYER_ALE_AUTH_CONNECT_V6,
-   0x4a72393b,
-   0x319f,
-   0x44bc,
-   0x84, 0xc3, 0xba, 0x54, 0xdc, 0xb3, 0xb6, 0xb4
-);
-
-// d78e1e87-8644-4ea5-9437-d809ecefc971
-DEFINE_GUID(
-   FWPM_CONDITION_ALE_APP_ID,
-   0xd78e1e87,
-   0x8644,
-   0x4ea5,
-   0x94, 0x37, 0xd8, 0x09, 0xec, 0xef, 0xc9, 0x71
-);
-
-// c35a604d-d22b-4e1a-91b4-68f674ee674b
-DEFINE_GUID(
-   FWPM_CONDITION_IP_REMOTE_PORT,
- 

Re: [Openvpn-devel] [PATCH] Make "block-outside-dns" option platform agnostic

2015-12-14 Thread Fish Wang
I see, let me add that file to Makefile.am. My modified build system does not 
create the dist tarball :-(

 

Best,

Fish

 

From: Selva Nair [mailto:selva.n...@gmail.com] 
Sent: Monday, December 14, 2015 9:01 AM
To: Fish 
Cc: openvpn-devel@lists.sourceforge.net
Subject: Re: [PATCH] Make "block-outside-dns" option platform agnostic

 

Hi,

On Sun, Dec 13, 2015 at 8:25 PM, Fish wrote:

Make the "block-outside-dns" option agnostic of Windows versions by dynamically
loading WFP-related functions. Cross-compiled on Linux and tested on Windows
XP/10.
---
 src/openvpn/Makefile.am |   2 +-
 src/openvpn/init.c  |   4 -
 src/openvpn/options.c   |  17 ++-
 src/openvpn/win32.c | 114 ---
 src/openvpn/win32.h |   1 +
 src/openvpn/win32_wfp.h | 359 

 

Looks good, including the attribution to the right mingw upstream..

But won't build, as the new header (win32_wfp.h) is not added to 
src/openvpn/Makefile.am --- without that it won't get into the 
dist tarball etc..

Next time please append a version number to the mail header: 
something like [PATCH v2] would do. I'm getting confused with 
too many versions :)

 

Thanks,

Selva

 

 



Re: [Openvpn-devel] [PATCH] Make "block-outside-dns" option platform agnostic

2015-12-14 Thread Selva Nair
Hi,

On Sun, Dec 13, 2015 at 8:25 PM, Fish  wrote:

> Make the "block-outside-dns" option agnostic of Windows versions by
> dynamically
> loading WFP-related functions. Cross-compiled on Linux and tested on
> Windows
> XP/10.
> ---
>  src/openvpn/Makefile.am |   2 +-
>  src/openvpn/init.c  |   4 -
>  src/openvpn/options.c   |  17 ++-
>  src/openvpn/win32.c | 114 ---
>  src/openvpn/win32.h |   1 +
>  src/openvpn/win32_wfp.h | 359
> 


Looks good, including the attribution to the right mingw upstream..

But won't build, as the new header (win32_wfp.h) is not added to
src/openvpn/Makefile.am --- without that it won't get into the
dist tarball etc..

Next time please append a version number to the mail header:
something like [PATCH v2] would do. I'm getting confused with
too many versions :)

Thanks,

Selva


[Openvpn-devel] Topics for today's (Monday, 14th Dec 2015) community meeting

2015-12-14 Thread Samuli Seppänen

Hi,

We're going to have an IRC meeting today starting at 20:00 CET (19:00 
UTC) on #openvpn-meeting  irc.freenode.net. Note that the meeting 
channel has changed and that you do _not_ have to be logged in to 
Freenode to join the channel.

Current topic list along with basic information is here:



If you have any other things you'd like to bring up, respond to this 
mail, send me mail privately or add them to the list yourself.

In case you can't attend the meeting, please feel free to make comments 
on the topics by responding to this email or to the summary email sent 
after the meeting. Whenever possible, we'll also respond to existing, 
related email threads.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] [PATCH] Make "block-outside-dns" option platform agnostic

2015-12-14 Thread Samuli Seppänen



Hi,

On Sun, Dec 13, 2015 at 05:06:27PM -0800, Fish wrote:

Make the "block-outside-dns" option agnostic of Windows versions by dynamically
loading WFP-related functions. Cross-compiled on Linux and tested on Windows
XP/10.
---
  src/openvpn/Makefile.am |   2 +-
  src/openvpn/init.c  |   4 -
  src/openvpn/options.c   |  17 ++-
  src/openvpn/win32.c | 114 ---
  src/openvpn/win32.h |   1 +
  src/openvpn/win32_wfp.h | 361 


This layout of "all the copied API bits go to win32_wfp.h" is good enough
for me (so, mails crossed here).  Thanks.

I leave the final decision on "how do we want 2.3 binaries to look like"
(single openvpn binary with copied-API bits or xp-binary and vista+ binary)
to the windows team.  Both would work for me.


The build team (=me) would definitely prefer a single binary. Building 
separate binaries would be lots of hassle. I can give this patch a 
feature-ACK - can't comment on the code quality due to lack of C-fu. I 
also don't have a Windows XP to test this on.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] [PATCH] Make "block-outside-dns" option platform agnostic

2015-12-14 Thread Gert Doering
Hi,

On Sun, Dec 13, 2015 at 05:06:27PM -0800, Fish wrote:
> Make the "block-outside-dns" option agnostic of Windows versions by 
> dynamically
> loading WFP-related functions. Cross-compiled on Linux and tested on Windows
> XP/10.
> ---
>  src/openvpn/Makefile.am |   2 +-
>  src/openvpn/init.c  |   4 -
>  src/openvpn/options.c   |  17 ++-
>  src/openvpn/win32.c | 114 ---
>  src/openvpn/win32.h |   1 +
>  src/openvpn/win32_wfp.h | 361 
> 

This layout of "all the copied API bits go to win32_wfp.h" is good enough
for me (so, mails crossed here).  Thanks.

I leave the final decision on "how do we want 2.3 binaries to look like"
(single openvpn binary with copied-API bits or xp-binary and vista+ binary)
to the windows team.  Both would work for me.

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] [PATCH] Make ValdikSS's DNS leak fix platform agnostic

2015-12-14 Thread Gert Doering
Hi,

On Sun, Dec 13, 2015 at 04:20:03PM -0800, Fish Wang wrote:
> Will do. However, I'm by no means a license expert. Based on Licensing 
> Terms page on MinGW's website ([1], win32api), I believe the code I 
> stripped out of MinGW should be fine as long as a copy of the notice and its 
> license [2] is included. Please correct me if I'm wrong.

By no means a license expert myself, I think it would be good to have 
something like "win32-api.h" (name stands to be discussed) which has all
the bits we take from MinGW with a comment and their license included
(your [2], if I'm not mistaken) - so it's totally clear where the stuff 
came from.  Less of a "technical" design issue, but being nice about
attribution.

> [2] 
> http://sourceforge.net/p/mingw/mingw-org-wsl/ci/21762bb4a1bd0c88c38eead03f59e8d994349e83/tree/LICENSE

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de




[Openvpn-devel] [PATCH] Make "block-outside-dns" option platform agnostic

2015-12-14 Thread Fish
Make the "block-outside-dns" option agnostic of Windows versions by dynamically
loading WFP-related functions. Cross-compiled on Linux and tested on Windows
XP/10.
---
 src/openvpn/Makefile.am |   2 +-
 src/openvpn/init.c  |   4 -
 src/openvpn/options.c   |  17 ++-
 src/openvpn/win32.c | 114 ---
 src/openvpn/win32.h |   1 +
 src/openvpn/win32_wfp.h | 359 
 6 files changed, 425 insertions(+), 72 deletions(-)
 create mode 100644 src/openvpn/win32_wfp.h

diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
index 2e602f1..149a533 100644
--- a/src/openvpn/Makefile.am
+++ b/src/openvpn/Makefile.am
@@ -123,5 +123,5 @@ openvpn_LDADD = \
$(OPTIONAL_DL_LIBS)
 if WIN32
 openvpn_SOURCES += openvpn_win32_resources.rc
-openvpn_LDADD += -lgdi32 -lws2_32 -lwininet -lcrypt32 -liphlpapi -lwinmm
+openvpn_LDADD += -lgdi32 -lws2_32 -lwininet -lcrypt32 -liphlpapi -lrpcrt4 
-lwinmm
 endif
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index e8a96c2..960535d 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1468,14 +1468,12 @@ do_open_tun (struct context *c)
   "up",
   c->c2.es);

-#if _WIN32_WINNT >= 0x0600
   if (c->options.block_outside_dns)
   {
 dmsg (D_LOW, "Blocking outside DNS");
 if (!win_wfp_block_dns(c->c1.tuntap->adapter_index))
 msg (M_FATAL, "Blocking DNS failed!");
   }
-#endif

   /* possibly add routes */
   if (!c->options.route_delay_defined)
@@ -1603,13 +1601,11 @@ do_close_tun (struct context *c, bool force)
   "down",
   c->c2.es);

-#if _WIN32_WINNT >= 0x0600
 if (c->options.block_outside_dns)
 {
 if (!win_wfp_uninit())
 msg (M_FATAL, "Uninitialising WFP failed!");
 }
-#endif

  /* actually close tun/tap device based on --down-pre flag */
  if (c->options.down_pre)
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 3a6aacd..8d85502 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -715,9 +715,7 @@ static const char usage_message[] =
   "   optional parameter controls the initial state of 
ex.\n"
   "--show-net-up   : Show " PACKAGE_NAME "'s view of routing table and net 
adapter list\n"
   "  after TAP adapter is up and routes have been added.\n"
-#if _WIN32_WINNT >= 0x0600
   "--block-outside-dns   : Block DNS on other network adapters to prevent DNS 
leaks\n"
-#endif
   "Windows Standalone Options:\n"
   "\n"
   "--show-adapters : Show all TAP-Windows adapters.\n"
@@ -1682,9 +1680,7 @@ show_settings (const struct options *o)
 #ifdef WIN32
   SHOW_BOOL (show_net_up);
   SHOW_INT (route_method);
-#if _WIN32_WINNT >= 0x0600
   SHOW_BOOL (block_outside_dns);
-#endif
   show_tuntap_options (>tuntap_options);
 #endif
 #endif
@@ -6252,13 +6248,20 @@ add_option (struct options *options,
   VERIFY_PERMISSION (OPT_P_IPWIN32);
   options->tuntap_options.register_dns = true;
 }
-#if _WIN32_WINNT >= 0x0600
   else if (streq (p[0], "block-outside-dns") && !p[1])
 {
   VERIFY_PERMISSION (OPT_P_IPWIN32);
-  options->block_outside_dns = true;
+  if (win_wfp_init_funcs())
+  {
+options->block_outside_dns = true;
+  }
+  else
+  {
+msg (msglevel_fc, "Failed to enable --block-outside-dns. "
+   "Maybe WFP is not supported on your system?");
+ goto err;
+  }
 }
-#endif
   else if (streq (p[0], "rdns-internal"))
  /* standalone method for internal use
   *
diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c
index 9402361..449d512 100644
--- a/src/openvpn/win32.c
+++ b/src/openvpn/win32.c
@@ -46,63 +46,17 @@

 #include "memdbg.h"

-/*
- * WFP-related defines and GUIDs.
- */
-#if _WIN32_WINNT >= 0x0600
-#include 
-#include 
-#include 
-#include 
-
-#ifndef FWPM_SESSION_FLAG_DYNAMIC
-#define FWPM_SESSION_FLAG_DYNAMIC 0x0001
-#endif
-
-// c38d57d1-05a7-4c33-904f-7fbceee60e82
-DEFINE_GUID(
-   FWPM_LAYER_ALE_AUTH_CONNECT_V4,
-   0xc38d57d1,
-   0x05a7,
-   0x4c33,
-   0x90, 0x4f, 0x7f, 0xbc, 0xee, 0xe6, 0x0e, 0x82
-);
-
-// 4a72393b-319f-44bc-84c3-ba54dcb3b6b4
-DEFINE_GUID(
-   FWPM_LAYER_ALE_AUTH_CONNECT_V6,
-   0x4a72393b,
-   0x319f,
-   0x44bc,
-   0x84, 0xc3, 0xba, 0x54, 0xdc, 0xb3, 0xb6, 0xb4
-);
-
-// d78e1e87-8644-4ea5-9437-d809ecefc971
-DEFINE_GUID(
-   FWPM_CONDITION_ALE_APP_ID,
-   0xd78e1e87,
-   0x8644,
-   0x4ea5,
-   0x94, 0x37, 0xd8, 0x09, 0xec, 0xef, 0xc9, 0x71
-);
-
-// c35a604d-d22b-4e1a-91b4-68f674ee674b
-DEFINE_GUID(
-   FWPM_CONDITION_IP_REMOTE_PORT,
-   0xc35a604d,
-   0xd22b,
-   0x4e1a,
-   0x91, 0xb4, 0x68, 0xf6, 0x74, 0xee, 0x67, 0x4b
-);
-
-// 4cd62a49-59c3-4969-b7f3-bda5d32890a4
-DEFINE_GUID(
-   FWPM_CONDITION_IP_LOCAL_INTERFACE,
-   0x4cd62a49,
-   0x59c3,
-   0x4969,
-   0xb7, 0xf3, 0xbd, 0xa5, 0xd3, 0x28, 0x90, 

Re: [Openvpn-devel] [PATCH] Make ValdikSS's DNS leak fix platform agnostic

2015-12-14 Thread Fish Wang
You are absolutely right, the code I grabbed is indeed from mingw-w64, not 
MinGW. Let me send out another patch with mingw-w64's disclaimer soon. I'll see 
what the core people say about this patch.

 

Thanks!

 

Best,

Fish

 

From: Selva Nair [mailto:selva.n...@gmail.com] 
Sent: Sunday, December 13, 2015 5:09 PM
To: Fish Wang 
Cc: openvpn-devel@lists.sourceforge.net
Subject: Re: [Openvpn-devel] [PATCH] Make ValdikSS's DNS leak fix platform 
agnostic

 

Hi,

On Sun, Dec 13, 2015 at 7:20 PM, Fish Wang wrote:

> Will do. However, I'm by no means a license expert. Based on Licensing Terms 
> page on MinGW's website ([1], win32api), I believe the code I stripped out of 
> MinGW should be fine as long as a copy of the notice and its license [2] is 
> included. Please correct me if I'm wrong.


I thought those headers are from the mingw-w64 (a different code base
from mingw32).. 

Anyway, I did not mean to imply any licensing issues with extracting 
parts from mingw32 or mingw-w64 --- both have permissive licenses 
so there is no clash. However, some GPL projects have clear guidelines 
of how to incorporate code from other licenses. 

Personally I prefer to keep public domain code (and minor edits to it) 
in a separate file which clearly indicates it's in PD with the original 
notice so that one wouldn't slap a GPL header on it later. While 
some projects want all their additions to be GPL keeping the original 
in PD etc.. (For example, see various practices discussed in 
https://www.softwarefreedom.org/resources/2007/gpl-non-gpl-collaboration.pdf).

Better wait for a core developer to comment on this..

Selva



Re: [Openvpn-devel] [PATCH] Make ValdikSS's DNS leak fix platform agnostic

2015-12-14 Thread Selva Nair
Hi,

On Sun, Dec 13, 2015 at 7:20 PM, Fish Wang  wrote:

> Will do. However, I’m by no means a license expert. Based on Licensing
> Terms page on MinGW’s website ([1], win32api), I believe the code I
> stripped out of MinGW should be fine as long as a copy of the notice and
> its license [2] is included. Please correct me if I’m wrong.


I thought those headers are from the mingw-w64 (a different code base
from mingw32)..

Anyway, I did not mean to imply any licensing issues with extracting
parts from mingw32 or mingw-w64 --- both have permissive licenses
so there is no clash. However, some GPL projects have clear guidelines
of how to incorporate code from other licenses.

Personally I prefer to keep public domain code (and minor edits to it)
in a separate file which clearly indicates it's in PD with the original
notice so that one wouldn't slap a GPL header on it later. While
some projects want all their additions to be GPL keeping the original
in PD etc.. (For example, see various practices discussed in
https://www.softwarefreedom.org/resources/2007/gpl-non-gpl-collaboration.pdf
).

Better wait for a core developer to comment on this..

Selva


[Openvpn-devel] [PATCH] Make "block-outside-dns" option platform agnostic

2015-12-14 Thread Fish
Make the "block-outside-dns" option agnostic of Windows versions by dynamically
loading WFP-related functions. Cross-compiled on Linux and tested on Windows
XP/10.
---
 src/openvpn/Makefile.am |   2 +-
 src/openvpn/init.c  |   4 -
 src/openvpn/options.c   |  17 ++-
 src/openvpn/win32.c | 114 ---
 src/openvpn/win32.h |   1 +
 src/openvpn/win32_wfp.h | 361 
 6 files changed, 427 insertions(+), 72 deletions(-)
 create mode 100644 src/openvpn/win32_wfp.h

diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
index 2e602f1..149a533 100644
--- a/src/openvpn/Makefile.am
+++ b/src/openvpn/Makefile.am
@@ -123,5 +123,5 @@ openvpn_LDADD = \
$(OPTIONAL_DL_LIBS)
 if WIN32
 openvpn_SOURCES += openvpn_win32_resources.rc
-openvpn_LDADD += -lgdi32 -lws2_32 -lwininet -lcrypt32 -liphlpapi -lwinmm
+openvpn_LDADD += -lgdi32 -lws2_32 -lwininet -lcrypt32 -liphlpapi -lrpcrt4 
-lwinmm
 endif
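Review bot: the new -lrpcrt4 link dependency in the Makefile.am hunk is not explained anywhere in the commit message. Since the stated point of the patch is that the WFP entry points are resolved at run time, say which function needs rpcrt4; it is linked statically here, so it has to exist on every Windows version the single binary is meant to run on, XP included. The MSVC project files are not touched by this diff either, so the matching rpcrt4.lib dependency the thread already mentions for the VC build should at least be called out in the commit message.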
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index e8a96c2..960535d 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1468,14 +1468,12 @@ do_open_tun (struct context *c)
   "up",
   c->c2.es);

-#if _WIN32_WINNT >= 0x0600
   if (c->options.block_outside_dns)
   {
 dmsg (D_LOW, "Blocking outside DNS");
 if (!win_wfp_block_dns(c->c1.tuntap->adapter_index))
 msg (M_FATAL, "Blocking DNS failed!");
   }
-#endif

   /* possibly add routes */
   if (!c->options.route_delay_defined)
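Review bot: dropping the _WIN32_WINNT guard around this block is only safe because options.c now refuses to set block_outside_dns unless win_wfp_init_funcs() succeeded; that dependency deserves a comment at this call site or a sentence in the commit message, since win_wfp_block_dns() is now reachable from every Windows build. Keeping M_FATAL on failure is the right call: if the user asked for outside DNS to be blocked and the filter cannot be installed, aborting is preferable to bringing the tunnel up with DNS quietly leaking around it.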
@@ -1603,13 +1601,11 @@ do_close_tun (struct context *c, bool force)
   "down",
   c->c2.es);

-#if _WIN32_WINNT >= 0x0600
 if (c->options.block_outside_dns)
 {
 if (!win_wfp_uninit())
 msg (M_FATAL, "Uninitialising WFP failed!");
 }
-#endif

  /* actually close tun/tap device based on --down-pre flag */
  if (c->options.down_pre)
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 3a6aacd..8d85502 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -715,9 +715,7 @@ static const char usage_message[] =
   "   optional parameter controls the initial state of 
ex.\n"
   "--show-net-up   : Show " PACKAGE_NAME "'s view of routing table and net 
adapter list\n"
   "  after TAP adapter is up and routes have been added.\n"
-#if _WIN32_WINNT >= 0x0600
   "--block-outside-dns   : Block DNS on other network adapters to prevent DNS 
leaks\n"
-#endif
   "Windows Standalone Options:\n"
   "\n"
   "--show-adapters : Show all TAP-Windows adapters.\n"
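Review bot: with the #if removed, the "--block-outside-dns" help line is shown in every Windows build, but the option is rejected at run time on systems without WFP (see the add_option hunk below). Add a short qualifier such as "(Windows Vista and later)" to the usage text so the error message is not the first place a user learns about the requirement.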
@@ -1682,9 +1680,7 @@ show_settings (const struct options *o)
 #ifdef WIN32
   SHOW_BOOL (show_net_up);
   SHOW_INT (route_method);
-#if _WIN32_WINNT >= 0x0600
   SHOW_BOOL (block_outside_dns);
-#endif
   show_tuntap_options (>tuntap_options);
 #endif
 #endif
@@ -6252,13 +6248,20 @@ add_option (struct options *options,
   VERIFY_PERMISSION (OPT_P_IPWIN32);
   options->tuntap_options.register_dns = true;
 }
-#if _WIN32_WINNT >= 0x0600
   else if (streq (p[0], "block-outside-dns") && !p[1])
 {
   VERIFY_PERMISSION (OPT_P_IPWIN32);
-  options->block_outside_dns = true;
+  if (win_wfp_init_funcs())
+  {
+options->block_outside_dns = true;
+  }
+  else
+  {
+msg (msglevel_fc, "Failed to enable --block-outside-dns. "
+   "Maybe WFP is not supported on your system?");
+ goto err;
+  }
 }
-#endif
   else if (streq (p[0], "rdns-internal"))
  /* standalone method for internal use
   *
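Review bot: two points on the new else-branch in add_option. First, win_wfp_init_funcs() now runs from the option parser, so it is called once per occurrence of --block-outside-dns rather than once per process; make sure it is idempotent and does not leak module handles when called repeatedly. If it resolves the entry points with LoadLibrary/GetProcAddress, load the library by its System32 path rather than relying on the default search order, so that a same-named DLL in the working directory cannot be picked up by a process that normally runs elevated. Second, the indentation of `+ goto err;` is one column short of the surrounding `+  {` / `+  }` lines.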
diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c
index 9402361..449d512 100644
--- a/src/openvpn/win32.c
+++ b/src/openvpn/win32.c
@@ -46,63 +46,17 @@

 #include "memdbg.h"

-/*
- * WFP-related defines and GUIDs.
- */
-#if _WIN32_WINNT >= 0x0600
-#include 
-#include 
-#include 
-#include 
-
-#ifndef FWPM_SESSION_FLAG_DYNAMIC
-#define FWPM_SESSION_FLAG_DYNAMIC 0x0001
-#endif
-
-// c38d57d1-05a7-4c33-904f-7fbceee60e82
-DEFINE_GUID(
-   FWPM_LAYER_ALE_AUTH_CONNECT_V4,
-   0xc38d57d1,
-   0x05a7,
-   0x4c33,
-   0x90, 0x4f, 0x7f, 0xbc, 0xee, 0xe6, 0x0e, 0x82
-);
-
-// 4a72393b-319f-44bc-84c3-ba54dcb3b6b4
-DEFINE_GUID(
-   FWPM_LAYER_ALE_AUTH_CONNECT_V6,
-   0x4a72393b,
-   0x319f,
-   0x44bc,
-   0x84, 0xc3, 0xba, 0x54, 0xdc, 0xb3, 0xb6, 0xb4
-);
-
-// d78e1e87-8644-4ea5-9437-d809ecefc971
-DEFINE_GUID(
-   FWPM_CONDITION_ALE_APP_ID,
-   0xd78e1e87,
-   0x8644,
-   0x4ea5,
-   0x94, 0x37, 0xd8, 0x09, 0xec, 0xef, 0xc9, 0x71
-);
-
-// c35a604d-d22b-4e1a-91b4-68f674ee674b
-DEFINE_GUID(
-   FWPM_CONDITION_IP_REMOTE_PORT,
-   0xc35a604d,
-   0xd22b,
-   0x4e1a,
-   0x91, 0xb4, 0x68, 0xf6, 0x74, 0xee, 0x67, 0x4b
-);
-
-// 4cd62a49-59c3-4969-b7f3-bda5d32890a4
-DEFINE_GUID(
-   FWPM_CONDITION_IP_LOCAL_INTERFACE,
-   0x4cd62a49,
-   0x59c3,
-   0x4969,
-   0xb7, 0xf3, 0xbd, 0xa5, 0xd3, 0x28, 0x90, 
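Review bot: the win32.c hunk is cut off on this page after the FWPM_CONDITION_IP_LOCAL_INTERFACE GUID, so the rest of win32.c and the new win32_wfp.h cannot be reviewed here. Two things to confirm in the moved code: that the `#ifndef FWPM_SESSION_FLAG_DYNAMIC` fallback survives in the new header, because a dynamic session is what makes the kernel drop the DNS-blocking filters on its own if openvpn exits without reaching win_wfp_uninit(), and that the five GUIDs were carried over byte for byte, since a typo in one of them would silently attach the filters to the wrong layer or condition.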

Re: [Openvpn-devel] [PATCH] Make ValdikSS's DNS leak fix platform agnostic

2015-12-14 Thread Fish Wang
Hi all,

 

> A minor suggestion: All those prototypes taken from mingw (32 or -w64?) 
> may be better placed in new header file to be included only from win32.c -- 
> -- preferably with a license matching the source (PD or ZPL?).  Makes
> win32.c less cluttered as well.

 

Will do. However, I’m by no means a license expert. Based on Licensing Terms 
page on MinGW’s website ([1], win32api), I believe the code I stripped out of 
MinGW should be fine as long as a copy of the notice and its license [2] is 
included. Please correct me if I’m wrong.

 

Best,

Fish

 

[1] http://www.mingw.org/license

[2] 
http://sourceforge.net/p/mingw/mingw-org-wsl/ci/21762bb4a1bd0c88c38eead03f59e8d994349e83/tree/LICENSE

 

From: Selva Nair [mailto:selva.n...@gmail.com] 
Sent: Sunday, December 13, 2015 1:14 PM
To: Fish 
Cc: openvpn-devel@lists.sourceforge.net
Subject: Re: [Openvpn-devel] [PATCH] Make ValdikSS's DNS leak fix platform 
agnostic

 

Hi,

On Thu, Dec 10, 2015 at 7:46 PM, Fish wrote:

> Based on release/2.3 branch and ValdikSS's v9 patch, this patch is
> cross-compiled on Linux and tested on Windows XP/10. The VC project file is
> left untouched - you might want to add rpcrt4.lib to compile and link it under
> MSVC.

 

Builds on 2.3 out of the box (i.e., target  WINXP).

The implementation looks fine, and works on win7 and 10, but I've 
no XP machines for the crucial test.

A minor suggestion: All those prototypes taken from mingw (32 or -w64?) 
may be better placed in new header file to be included only from win32.c -- 
-- preferably with a license matching the source (PD or ZPL?).  Makes
win32.c less cluttered as well. 

I'm not familiar with the policy of OpenVPN on license-related 
matters, though.

 

Selva