Re: [Openvpn-devel] [PATCH] Fix win32 building with C99 mode

2016-09-17 Thread Selva Nair
Hi,

On Sat, Sep 17, 2016 at 9:20 AM, Gert Doering  wrote:

> In -std=c99 mode, WIN32 is not defined to be "1" anymore, but just
> "#define WIN32" - so the "#if WIN32" breaks, needs to be "#ifdef WIN32"
>

Indeed...

To depend on the compiler or system headers to define WIN32 was not a great
idea anyway. Using _WIN32 or __WIN32 is probably more reliable. Or we
should define WIN32 in config.h. With std=c99, it seems WIN32 gets defined
by chance through some header pulled-in by syshead.h -- not something one
can rely on.

Compiler-defined macros with std=c99:
$ x86_64-w64-mingw32-gcc -std=c99 -E -dM - --
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [PATCHv2] Enable TCP non-linear packet ID

2016-09-17 Thread Arne Schwabe
Implementation with multiple threads needs that to be able to run encryption in
parallel. Tested with James' OpenVPN 3 server.
---
 src/openvpn/comp.c  | 1 +
 src/openvpn/init.c  | 1 -
 src/openvpn/options.c   | 5 -
 src/openvpn/packet_id.c | 7 +++
 src/openvpn/packet_id.h | 2 +-
 src/openvpn/ssl.c   | 3 +--
 6 files changed, 6 insertions(+), 13 deletions(-)

diff --git a/src/openvpn/comp.c b/src/openvpn/comp.c
index 3a32c62..61f6f08 100644
--- a/src/openvpn/comp.c
+++ b/src/openvpn/comp.c
@@ -160,6 +160,7 @@ comp_generate_peer_info_string(const struct 
compress_options *opt, struct buffer
buf_printf (out, "IV_LZO_STUB=1\n");
   buf_printf (out, "IV_COMP_STUB=1\n");
   buf_printf (out, "IV_COMP_STUBv2=1\n");
+buf_printf (out, "IV_TCPNL=1\n");
 }
 }
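Review bot: the new IV_TCPNL=1 peer-info flag is undocumented: the commit message (and ideally the doc) should say what a server may do once it sees it, i.e. send packet IDs out of order over TCP, and that older clients will never send it, so the server must keep the strictly sequential behaviour for them. The `+buf_printf (out, "IV_TCPNL=1\n");` line also appears flush-left in the hunk while the neighbouring buf_printf calls are indented; match the surrounding indentation.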
 
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 9cd3d9f..fdeaf95 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2143,7 +2143,6 @@ do_init_crypto_static (struct context *c, const unsigned 
int flags)
   if (options->replay)
 {
   packet_id_init (>c2.crypto_options.packet_id,
- link_socket_proto_connection_oriented (options->ce.proto),
  options->replay_window,
  options->replay_time,
  "STATIC", 0);
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index dd7d461..1be32ff 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2215,11 +2215,6 @@ options_postprocess_verify_ce (const struct options 
*options, const struct conne
   /*
* Check consistency of replay options
*/
-  if ((!proto_is_udp(ce->proto))
-  && (options->replay_window != defaults.replay_window
- || options->replay_time != defaults.replay_time))
-msg (M_USAGE, "--replay-window only makes sense with --proto udp");
-
   if (!options->replay
   && (options->replay_window != defaults.replay_window
  || options->replay_time != defaults.replay_time))
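Review bot: deleting the `msg (M_USAGE, "--replay-window only makes sense with --proto udp");` check is a user-visible behaviour change: --replay-window and --replay-time are now honoured on TCP connections instead of being rejected. The --replay-window documentation should be checked for matching "UDP only" wording and updated in the same patch, and the commit message should state that TCP sessions now use the sliding window rather than strict sequencing.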
diff --git a/src/openvpn/packet_id.c b/src/openvpn/packet_id.c
index baa4966..9874519 100644
--- a/src/openvpn/packet_id.c
+++ b/src/openvpn/packet_id.c
@@ -76,10 +76,9 @@ packet_id_debug (int msglevel,
 }
 
 void
-packet_id_init (struct packet_id *p, bool tcp_mode, int seq_backtrack, int 
time_backtrack, const char *name, int unit)
+packet_id_init (struct packet_id *p, int seq_backtrack, int time_backtrack, 
const char *name, int unit)
 {
-  dmsg (D_PID_DEBUG, "PID packet_id_init tcp_mode=%d seq_backtrack=%d 
time_backtrack=%d",
-   tcp_mode,
+  dmsg (D_PID_DEBUG, "PID packet_id_init seq_backtrack=%d time_backtrack=%d",
seq_backtrack,
time_backtrack);
 
@@ -88,7 +87,7 @@ packet_id_init (struct packet_id *p, bool tcp_mode, int 
seq_backtrack, int time_
 
   p->rec.name = name;
   p->rec.unit = unit;
-  if (seq_backtrack && !tcp_mode)
+  if (seq_backtrack)
 {
   ASSERT (MIN_SEQ_BACKTRACK <= seq_backtrack && seq_backtrack <= 
MAX_SEQ_BACKTRACK);
   ASSERT (MIN_TIME_BACKTRACK <= time_backtrack && time_backtrack <= 
MAX_TIME_BACKTRACK);
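Review bot: with `!tcp_mode` dropped from `if (seq_backtrack)`, the backtrack window and its MIN/MAX ASSERTs now apply to TCP sessions as well, which is the intent. The hunk only touches initialisation, though: if the receive-side test in this file still has a tcp_mode special case (it is not visible in this patch), out-of-order IDs from an IV_TCPNL-aware sender would still be rejected, so that path should be confirmed in the same patch.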
diff --git a/src/openvpn/packet_id.h b/src/openvpn/packet_id.h
index 5eb501d..fb059b7 100644
--- a/src/openvpn/packet_id.h
+++ b/src/openvpn/packet_id.h
@@ -210,7 +210,7 @@ struct packet_id
   struct packet_id_rec rec;
 };
 
-void packet_id_init (struct packet_id *p, bool tcp_mode, int seq_backtrack, 
int time_backtrack, const char *name, int unit);
+void packet_id_init (struct packet_id *p, int seq_backtrack, int 
time_backtrack, const char *name, int unit);
 void packet_id_free (struct packet_id *p);
 
 /* should we accept an incoming packet id ? */
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 8717324..c7823b2 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -799,7 +799,7 @@ key_state_init (struct tls_session *session, struct 
key_state *ks)
   /* init packet ID tracker */
   if (session->opt->replay)
 {
-  packet_id_init (>crypto_options.packet_id, session->opt->tcp_mode,
+  packet_id_init (>crypto_options.packet_id,
  session->opt->replay_window, session->opt->replay_time, "SSL",
  ks->key_id);
 }
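Review bot: both ssl.c hunks stop passing `session->opt->tcp_mode`, and init.c drops the `link_socket_proto_connection_oriented (options->ce.proto)` argument, so the tcp_mode member of session->opt may now have no readers left. If this was its last use, remove the field and its initialisation too rather than leaving dead state around.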
@@ -948,7 +948,6 @@ tls_session_init (struct tls_multi *multi, struct 
tls_session *session)
 
   /* initialize packet ID replay window for --tls-auth */
   packet_id_init (>tls_auth.packet_id,
- session->opt->tcp_mode,
  session->opt->replay_window,
  session->opt->replay_time,
  "TLS_AUTH", session->key_id);
-- 
2.8.4 (Apple Git-73)




Re: [Openvpn-devel] [PATCH] Enable TCP non-linear packet ID

2016-09-17 Thread Gert Doering
Hi,

On Sat, Sep 17, 2016 at 03:33:28PM +0200, Arne Schwabe wrote:
> --- a/src/openvpn/forward.c
> +++ b/src/openvpn/forward.c
> @@ -391,7 +391,7 @@ check_fragment_dowork (struct context *c)
>struct link_socket_info *lsi = get_link_socket_info (c);
>  
>/* OS MTU Hint? */
> -  if (lsi->mtu_changed && c->c2.ipv4_tun)
> +  if (lsi->mtu_changed)
>  {
>frame_adjust_path_mtu (>c2.frame_fragment, c->c2.link_socket->mtu,
>c->options.ce.proto);

I *think* this is part of the other patch...

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] [PATCH] Fix win32 building with C99 mode

2016-09-17 Thread Gert Doering
Hi,
On Sat, Sep 17, 2016 at 06:40:00PM +0500, Илья Шипицин wrote:
> Should we add mingw compiler to travis-ci matrix?

If travis can do mingw builds, that would be good.

But it is complicated.

gert


Re: [Openvpn-devel] [PATCH] Fix win32 building with C99 mode

2016-09-17 Thread Илья Шипицин
Should we add mingw compiler to travis-ci matrix?

On 17 Sep 2016 at 6:34 PM, "Gert Doering" wrote:

In -std=c99 mode, WIN32 is not defined to be "1" anymore, but just
"#define WIN32" - so the "#if WIN32" breaks, needs to be "#ifdef WIN32"

Signed-off-by: Gert Doering 
---
 src/openvpn/misc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index 0991d79..2982cd0 100644
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -977,7 +977,7 @@ hostname_randomize(const char *hostname, struct
gc_arena *gc)
 const char *
 gen_path (const char *directory, const char *filename, struct gc_arena *gc)
 {
-#if WIN32
+#ifdef WIN32
   const int CC_PATH_RESERVED = CC_LESS_THAN|CC_GREATER_THAN|CC_COLON|
 CC_DOUBLE_QUOTE|CC_SLASH|CC_BACKSLASH|CC_PIPE|CC_QUESTION_
MARK|CC_ASTERISK;
 #else
--
1.9.1





[Openvpn-devel] [PATCH v4] Support for disabled peer-id

2016-09-17 Thread Lev Stipakov
From: Lev Stipakov 

v4:
- replace magic number with define
- show user a decimal value instead of hex

v3:
* move assert outside of loop
* add max-clients value check to options

v2:
* Add round brackets for clarity
* Rephrase comment

Support for disabled peer-id

When peer-id value is 0xFF, server should ignore it and treat packet
in the same way as P_DATA_V1.
---
 src/openvpn/mudp.c| 13 ++---
 src/openvpn/multi.c   |  3 ++-
 src/openvpn/openvpn.h |  2 ++
 src/openvpn/options.c |  5 +
 4 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c
index 21a7e97..fec5e8d 100644
--- a/src/openvpn/mudp.c
+++ b/src/openvpn/mudp.c
@@ -64,12 +64,16 @@ multi_get_create_instance_udp (struct multi_context *m, 
bool *floated)
   struct hash_bucket *bucket = hash_bucket (hash, hv);
   uint8_t* ptr = BPTR(>top.c2.buf);
   uint8_t op = ptr[0] >> P_OPCODE_SHIFT;
+  bool v2 = (op == P_DATA_V2) && (m->top.c2.buf.len >= (1 + 3));
+  bool peer_id_disabled = false;
 
   /* make sure buffer has enough length to read opcode (1 byte) and 
peer-id (3 bytes) */
-  if (op == P_DATA_V2 && m->top.c2.buf.len >= (1 + 3))
+  if (v2)
{
  uint32_t peer_id = ntohl(*(uint32_t*)ptr) & 0xFF;
- if ((peer_id < m->max_clients) && (m->instances[peer_id]))
+ peer_id_disabled = (peer_id == MAX_PEER_ID);
+
+ if (!peer_id_disabled && (peer_id < m->max_clients) && 
(m->instances[peer_id]))
{
  mi = m->instances[peer_id];
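Review bot: the comment `/* make sure buffer has enough length to read opcode (1 byte) and peer-id (3 bytes) */` now sits above `if (v2)`, but the length check it describes moved up into the `v2` initialiser (`m->top.c2.buf.len >= (1 + 3)`); move the comment to that line. The `ntohl(*(uint32_t*)ptr)` read is pre-existing, but since this block is being reworked it could become a byte-wise read of ptr[1..3], which avoids the unaligned and strict-aliasing access through the packet buffer.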
 
@@ -84,7 +88,7 @@ multi_get_create_instance_udp (struct multi_context *m, bool 
*floated)
  }
}
}
-  else
+  if (!v2 || peer_id_disabled)
{
  he = hash_lookup_fast (hash, bucket, , hv);
  if (he)
@@ -107,6 +111,9 @@ multi_get_create_instance_udp (struct multi_context *m, 
bool *floated)
  hash_add_fast (hash, bucket, >real, hv, mi);
  mi->did_real_hash = true;
 
+ /* max_clients must be less then max peer-id value */
+ ASSERT(m->max_clients < MAX_PEER_ID);
+
  for (i = 0; i < m->max_clients; ++i)
{
  if (!m->instances[i])
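Review bot: typo in the new comment `/* max_clients must be less then max peer-id value */`: "then" should be "than". With options.c now rejecting `max_clients >= MAX_PEER_ID` at parse time, this ASSERT is a second line of defence on the instance-creation path, which is fine; a short comment saying it mirrors the option check would stop someone from removing one of the two later.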
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index ba7f2c0..3bc6ee9 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -605,7 +605,8 @@ multi_close_instance (struct multi_context *m,
}
 #endif
 
-  m->instances[mi->context.c2.tls_multi->peer_id] = NULL;
+  if (mi->context.c2.tls_multi->peer_id != MAX_PEER_ID)
+   m->instances[mi->context.c2.tls_multi->peer_id] = NULL;
 
   schedule_remove_entry (m->schedule, (struct schedule_entry *) mi);
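Review bot: `if (mi->context.c2.tls_multi->peer_id != MAX_PEER_ID)` relies on every instance created via the disabled-peer-id path having its peer_id set to MAX_PEER_ID, and nothing in this patch assigns it. Confirm that the instance-creation code (the `for (i = 0; i < m->max_clients; ++i)` loop in mudp.c) stores MAX_PEER_ID when no slot is taken; otherwise a zero or stale peer_id would clear another client's entry here.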
 
diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h
index 1a458f1..ec8075d 100644
--- a/src/openvpn/openvpn.h
+++ b/src/openvpn/openvpn.h
@@ -595,4 +595,6 @@ struct context
 #define CIPHER_ENABLED(c) (false)
 #endif
 
+#define MAX_PEER_ID 0xFF
+
 #endif
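Review bot: `#define MAX_PEER_ID 0xFF` as printed here does not agree with the options.c message `--max-clients must be less than 16777215` (0xFFFFFF) or with the 3-byte peer-id the mudp.c comment describes; the define must be the full 24-bit all-ones value. A comment beside it saying that this value means "peer-id disabled" (and so can never be a valid instance index) would also help readers of the other three files.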
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index c9688c3..29c76a6 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -5893,6 +5893,11 @@ add_option (struct options *options,
  msg (msglevel, "--max-clients must be at least 1");
  goto err;
}
+  if (max_clients >= MAX_PEER_ID) /* max peer-id value */
+   {
+ msg (msglevel, "--max-clients must be less than 16777215");
+ goto err;
+   }
   options->max_clients = max_clients;
 }
   else if (streq (p[0], "max-routes-per-client") && p[1] && !p[2])
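Review bot: the new error text hard-codes `16777215` while the test right above it uses `MAX_PEER_ID`; print the macro instead, e.g. `msg (msglevel, "--max-clients must be less than %d", MAX_PEER_ID);`, so the message cannot drift from the check. The trailing `/* max peer-id value */` comment then becomes redundant.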
-- 
1.9.1
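The server-side decision the v4 patch describes (a peer-id of all ones is ignored and the packet is handled like P_DATA_V1), written out as an added stand-alone example; this is not code from the patch or from OpenVPN. It assumes the opcode layout and numeric values of OpenVPN's ssl.h (P_DATA_V2 = 9, P_OPCODE_SHIFT = 3) and MAX_PEER_ID = 0xFFFFFF, the 16777215 the patch's --max-clients message names; the sample headers and the instance table are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Opcode layout as in OpenVPN's ssl.h (assumed values): the first header
 * byte is (opcode << P_OPCODE_SHIFT) | key_id. */
#define P_OPCODE_SHIFT 3
#define P_DATA_V1      6
#define P_DATA_V2      9

/* The peer-id is 3 bytes. All ones (16777215, the value the patch's
 * --max-clients error message names) means "peer-id disabled". */
#define MAX_PEER_ID    0xFFFFFFu

enum lookup_path {
    LOOKUP_BY_PEER_ID,  /* O(1) index into the server's instance table */
    LOOKUP_BY_ADDRESS,  /* hash lookup on the remote address, as for P_DATA_V1 */
    LOOKUP_DROP         /* V2 packet naming a peer-id slot we do not have */
};

struct data_hdr {
    uint8_t  opcode;
    uint32_t peer_id;
    bool     peer_id_disabled;
};

/* Parse the opcode and, for P_DATA_V2, the 3-byte peer-id.
 * Returns true only when a complete V2 header (1 + 3 bytes) was present. */
static bool parse_data_v2(const uint8_t *buf, size_t len, struct data_hdr *out)
{
    out->opcode = len ? (uint8_t)(buf[0] >> P_OPCODE_SHIFT) : 0;
    out->peer_id = 0;
    out->peer_id_disabled = false;
    if (out->opcode != P_DATA_V2 || len < 1 + 3)
        return false;
    /* Byte-wise big-endian read of bytes 1..3: no unaligned uint32_t
     * access through the packet buffer and no ntohl() needed. */
    out->peer_id = ((uint32_t)buf[1] << 16) | ((uint32_t)buf[2] << 8) | buf[3];
    out->peer_id_disabled = (out->peer_id == MAX_PEER_ID);
    return true;
}

/* The decision the patch makes in multi_get_create_instance_udp(): a V2
 * packet with a live peer-id is looked up by index, after a bounds check
 * against max_clients; a disabled peer-id or a non-V2 packet goes through
 * the address hash; a V2 packet naming an unknown slot gets no instance. */
static enum lookup_path choose_lookup(const uint8_t *buf, size_t len,
                                      uint32_t max_clients,
                                      const bool *instance_present)
{
    struct data_hdr h;
    bool v2 = parse_data_v2(buf, len, &h);

    if (v2 && !h.peer_id_disabled) {
        if (h.peer_id < max_clients && instance_present[h.peer_id])
            return LOOKUP_BY_PEER_ID;
        return LOOKUP_DROP;
    }
    return LOOKUP_BY_ADDRESS;
}

/* The option-parse check the patch adds: --max-clients must stay below the
 * sentinel so that MAX_PEER_ID can never be a real slot index. */
static bool max_clients_valid(long v)
{
    return v >= 1 && v < (long)MAX_PEER_ID;
}

/* Constructed sample headers; key_id is 0 in the low bits of byte 0. */
#define V2_BYTE0 ((uint8_t)(P_DATA_V2 << P_OPCODE_SHIFT))
#define V1_BYTE0 ((uint8_t)(P_DATA_V1 << P_OPCODE_SHIFT))
static const uint8_t PKT_V2_KNOWN[]    = { V2_BYTE0, 0x00, 0x00, 0x05 }; /* peer-id 5  */
static const uint8_t PKT_V2_DISABLED[] = { V2_BYTE0, 0xFF, 0xFF, 0xFF }; /* sentinel   */
static const uint8_t PKT_V2_UNKNOWN[]  = { V2_BYTE0, 0x00, 0x00, 0x0A }; /* peer-id 10 */
static const uint8_t PKT_V2_SHORT[]    = { V2_BYTE0, 0x00, 0x00 };       /* truncated  */
static const uint8_t PKT_V1[]          = { V1_BYTE0, 0x00, 0x00, 0x05 }; /* no peer-id */

/* Constructed instance table: 10 slots, only slot 5 occupied. */
#define DEMO_MAX_CLIENTS 10u
static const bool demo_instances[DEMO_MAX_CLIENTS] =
    { false, false, false, false, false, true, false, false, false, false };

int main(void)
{
    static const char *const names[] = { "by peer-id", "by address", "drop" };
    const struct { const char *label; const uint8_t *pkt; size_t len; } cases[] = {
        { "V2, peer-id 5 (present)",  PKT_V2_KNOWN,    sizeof PKT_V2_KNOWN },
        { "V2, peer-id disabled",     PKT_V2_DISABLED, sizeof PKT_V2_DISABLED },
        { "V2, peer-id 10 (no slot)", PKT_V2_UNKNOWN,  sizeof PKT_V2_UNKNOWN },
        { "V2, header truncated",     PKT_V2_SHORT,    sizeof PKT_V2_SHORT },
        { "V1 data packet",           PKT_V1,          sizeof PKT_V1 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        enum lookup_path p = choose_lookup(cases[i].pkt, cases[i].len,
                                           DEMO_MAX_CLIENTS, demo_instances);
        printf("%-26s -> %s\n", cases[i].label, names[p]);
    }
    printf("--max-clients 16777215 accepted: %s\n",
           max_clients_valid(16777215) ? "yes" : "no");
    return 0;
}
```

The "peer-id 10" case is the one the `peer_id < m->max_clients` test in the patch protects: without it the index would read past the end of the instance table.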




[Openvpn-devel] [PATCH] Enable TCP non-linear packet ID

2016-09-17 Thread Arne Schwabe
Implementation with multiple threads needs that to be able to run encryption in
parallel. Tested with James' OpenVPN 3 server.
---
 src/openvpn/comp.c  | 1 +
 src/openvpn/forward.c   | 2 +-
 src/openvpn/init.c  | 1 -
 src/openvpn/options.c   | 5 -
 src/openvpn/packet_id.c | 7 +++
 src/openvpn/packet_id.h | 2 +-
 src/openvpn/ssl.c   | 3 +--
 7 files changed, 7 insertions(+), 14 deletions(-)

diff --git a/src/openvpn/comp.c b/src/openvpn/comp.c
index 3a32c62..61f6f08 100644
--- a/src/openvpn/comp.c
+++ b/src/openvpn/comp.c
@@ -160,6 +160,7 @@ comp_generate_peer_info_string(const struct 
compress_options *opt, struct buffer
buf_printf (out, "IV_LZO_STUB=1\n");
   buf_printf (out, "IV_COMP_STUB=1\n");
   buf_printf (out, "IV_COMP_STUBv2=1\n");
+buf_printf (out, "IV_TCPNL=1\n");
 }
 }
 
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 6c11439..b3077ed 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -391,7 +391,7 @@ check_fragment_dowork (struct context *c)
   struct link_socket_info *lsi = get_link_socket_info (c);
 
   /* OS MTU Hint? */
-  if (lsi->mtu_changed && c->c2.ipv4_tun)
+  if (lsi->mtu_changed)
 {
   frame_adjust_path_mtu (>c2.frame_fragment, c->c2.link_socket->mtu,
 c->options.ce.proto);
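Review bot: the forward.c change (`-  if (lsi->mtu_changed && c->c2.ipv4_tun)` to `+  if (lsi->mtu_changed)`) is unrelated to TCP packet IDs: it makes the OS MTU hint apply to tunnels without an IPv4 address as well, which is a behaviour change of its own. It belongs in a separate patch with its own justification, as the PATCHv2 resend on this list (which omits this hunk) already reflects.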
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 9cd3d9f..fdeaf95 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2143,7 +2143,6 @@ do_init_crypto_static (struct context *c, const unsigned 
int flags)
   if (options->replay)
 {
   packet_id_init (>c2.crypto_options.packet_id,
- link_socket_proto_connection_oriented (options->ce.proto),
  options->replay_window,
  options->replay_time,
  "STATIC", 0);
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index dd7d461..1be32ff 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2215,11 +2215,6 @@ options_postprocess_verify_ce (const struct options 
*options, const struct conne
   /*
* Check consistency of replay options
*/
-  if ((!proto_is_udp(ce->proto))
-  && (options->replay_window != defaults.replay_window
- || options->replay_time != defaults.replay_time))
-msg (M_USAGE, "--replay-window only makes sense with --proto udp");
-
   if (!options->replay
   && (options->replay_window != defaults.replay_window
  || options->replay_time != defaults.replay_time))
diff --git a/src/openvpn/packet_id.c b/src/openvpn/packet_id.c
index baa4966..9874519 100644
--- a/src/openvpn/packet_id.c
+++ b/src/openvpn/packet_id.c
@@ -76,10 +76,9 @@ packet_id_debug (int msglevel,
 }
 
 void
-packet_id_init (struct packet_id *p, bool tcp_mode, int seq_backtrack, int 
time_backtrack, const char *name, int unit)
+packet_id_init (struct packet_id *p, int seq_backtrack, int time_backtrack, 
const char *name, int unit)
 {
-  dmsg (D_PID_DEBUG, "PID packet_id_init tcp_mode=%d seq_backtrack=%d 
time_backtrack=%d",
-   tcp_mode,
+  dmsg (D_PID_DEBUG, "PID packet_id_init seq_backtrack=%d time_backtrack=%d",
seq_backtrack,
time_backtrack);
 
@@ -88,7 +87,7 @@ packet_id_init (struct packet_id *p, bool tcp_mode, int 
seq_backtrack, int time_
 
   p->rec.name = name;
   p->rec.unit = unit;
-  if (seq_backtrack && !tcp_mode)
+  if (seq_backtrack)
 {
   ASSERT (MIN_SEQ_BACKTRACK <= seq_backtrack && seq_backtrack <= 
MAX_SEQ_BACKTRACK);
   ASSERT (MIN_TIME_BACKTRACK <= time_backtrack && time_backtrack <= 
MAX_TIME_BACKTRACK);
diff --git a/src/openvpn/packet_id.h b/src/openvpn/packet_id.h
index 5eb501d..fb059b7 100644
--- a/src/openvpn/packet_id.h
+++ b/src/openvpn/packet_id.h
@@ -210,7 +210,7 @@ struct packet_id
   struct packet_id_rec rec;
 };
 
-void packet_id_init (struct packet_id *p, bool tcp_mode, int seq_backtrack, 
int time_backtrack, const char *name, int unit);
+void packet_id_init (struct packet_id *p, int seq_backtrack, int 
time_backtrack, const char *name, int unit);
 void packet_id_free (struct packet_id *p);
 
 /* should we accept an incoming packet id ? */
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 8717324..c7823b2 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -799,7 +799,7 @@ key_state_init (struct tls_session *session, struct 
key_state *ks)
   /* init packet ID tracker */
   if (session->opt->replay)
 {
-  packet_id_init (>crypto_options.packet_id, session->opt->tcp_mode,
+  packet_id_init (>crypto_options.packet_id,
  session->opt->replay_window, session->opt->replay_time, "SSL",
  ks->key_id);
 }
@@ -948,7 +948,6 @@ tls_session_init (struct tls_multi *multi, struct 
tls_session *session)
 
   /* initialize packet ID replay window for --tls-auth */
   packet_id_init (>tls_auth.packet_id,
- session->opt->tcp_mode,
  session->opt->replay_window,
  session->opt->replay_time,
 

[Openvpn-devel] [PATCH] Fix win32 building with C99 mode

2016-09-17 Thread Gert Doering
In -std=c99 mode, WIN32 is not defined to be "1" anymore, but just
"#define WIN32" - so the "#if WIN32" breaks, needs to be "#ifdef WIN32"

Signed-off-by: Gert Doering 
---
 src/openvpn/misc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index 0991d79..2982cd0 100644
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -977,7 +977,7 @@ hostname_randomize(const char *hostname, struct gc_arena 
*gc)
 const char *
 gen_path (const char *directory, const char *filename, struct gc_arena *gc)
 {
-#if WIN32
+#ifdef WIN32
   const int CC_PATH_RESERVED = CC_LESS_THAN|CC_GREATER_THAN|CC_COLON|
 CC_DOUBLE_QUOTE|CC_SLASH|CC_BACKSLASH|CC_PIPE|CC_QUESTION_MARK|CC_ASTERISK;
 #else
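Review bot: `#ifdef WIN32` fixes the -std=c99 build, but it still depends on whichever system header happens to define WIN32 being pulled in first. The compiler-predefined `_WIN32` is set by both MinGW and MSVC in every standards mode, so `#ifdef _WIN32`, or defining WIN32 unconditionally in config.h for Windows builds, is the more robust condition. It is also worth grepping the tree for other `#if WIN32` uses, since each of them breaks the same way under -std=c99.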
-- 
1.9.1




[Openvpn-devel] [PATCHv2] Document the --auth-token option

2016-09-17 Thread David Sommerseth
This isn't an option to be used directly in any configuration files,
but to be used via --client-connect scripts or --plugin making use of
OPENVPN_PLUGIN_CLIENT_CONNECT or OPENVPN_PLUGIN_CLIENT_CONNECT_V2.

 [v2 - Added lacking .B styling of options
 - Clarified the token life time ]

Signed-off-by: David Sommerseth 
---
 doc/openvpn.8 | 56 ++--
 1 file changed, 54 insertions(+), 2 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 2f42636..be9dc47 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -4,7 +4,7 @@
 .\" packet encryption, packet authentication, and
 .\" packet compression.
 .\"
-.\"  Copyright (C) 2002-2010 OpenVPN Technologies, Inc. 
+.\"  Copyright (C) 2002-2016 OpenVPN Technologies, Inc. 
 .\"
 .\"  This program is free software; you can redistribute it and/or modify
 .\"  it under the terms of the GNU General Public License version 2
@@ -34,7 +34,7 @@
 .\" .ft -- normal face
 .\" .in +|-{n} -- indent
 .\"
-.TH openvpn 8 "17 November 2008"
+.TH openvpn 8 "25 August 2016"
 .\"*
 .SH NAME
 openvpn \- secure IP tunnel daemon.
@@ -2931,6 +2931,7 @@ This is a partial list of options which can currently be 
pushed:
 .B \-\-ip\-win32, \-\-dhcp\-option,
 .B \-\-inactive, \-\-ping, \-\-ping\-exit, \-\-ping\-restart,
 .B \-\-setenv,
+.B \-\-auth\-token,
 .B \-\-persist\-key, \-\-persist\-tun, \-\-echo,
 .B \-\-comp\-lzo,
 .B \-\-socket\-flags,
@@ -5023,6 +5024,57 @@ This directive does not affect the
 username/password.  It is always cached.
 .\"*
 .TP
+.B \-\-auth\-token token
+This is not an option to be used directly in any configuration files,
+but rather push this option from a
+.B \-\-client\-connect
+script or a
+.B \-\-plugin
+which hooks into the OPENVPN_PLUGIN_CLIENT_CONNECT or
+OPENVPN_PLUGIN_CLIENT_CONNECT_V2 calls.  This option provides
+a possibility to replace the clients password with an authentication
+token during the lifetime of the OpenVPN client.
+
+Whenever the connection is renegotiated and the
+.B \-\-auth\-user\-pass\-verify
+script or
+.B \-\-plugin
+making use of the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY hook is
+triggered, it will pass over this token as the password
+instead of the password the user provided.  The authentication
+token can only be reset by a full reconnect where the server
+can push new options to the client.  The password the user entered
+is never preserved once an authentication token have been set.  If
+the OpenVPN server side rejects the authentication token, the
+client will receive an AUTH_FAIL and disconnect.
+
+The purpose of this is to enable two factor authentication
+methods, such as HOTP or TOTP, to be used without needing to
+retrieve a new OTP code each time the connection is renegotiated.
+Another use case is to cache authentication data on the client
+without needing to have the users password cached in memory
+during the life time of the session.
+
+To make use of this feature, the
+.B \-\-client\-connect
+script or
+.B \-\-plugin
+needs to put
+
+.nf
+.ft 3
+.in +4
+push "auth\-token UNIQUE_TOKEN_VALUE"
+.in -4
+.ft
+.fi
+
+into the file/buffer for dynamic configuration data.  This
+will then make the OpenVPN server to push this value to the
+client, which replaces the local password with the
+UNIQUE_TOKEN_VALUE.
+.\"*
+.TP
 .B \-\-tls\-verify cmd
 Run command
 .B cmd
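Review bot: a few grammar slips in the new man page text: `replace the clients password` should read "client's password", `once an authentication token have been set` should be "has been set", `the users password cached in memory` should be "user's password", `make the OpenVPN server to push this value` should be "make the OpenVPN server push this value", and `life time` should be "lifetime". On content, the text says the client receives AUTH_FAIL and disconnects if the server rejects the token, and separately that the token is only reset by a full reconnect; one sentence on whether that reconnect re-prompts for the user's password (since it is "never preserved") would spare operators a support question.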
-- 
1.8.3.1




Re: [Openvpn-devel] [PATCH v3] Support for disabled peer-id

2016-09-17 Thread Steffan Karger
Hi,

On 17 September 2016 at 14:53, Lev Stipakov  wrote:
> From: Lev Stipakov 
>
> v3:
> * move assert outside of loop
> * add max-clients value check to options
>
> [...]
>
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -5893,6 +5893,11 @@ add_option (struct options *options,
>   msg (msglevel, "--max-clients must be at least 1");
>   goto err;
> }
> +  if (max_clients >= 0xFF) /* max peer-id value */
> +   {
> + msg (msglevel, "--max-clients must be less than 0xFF");
> + goto err;
> +   }
>options->max_clients = max_clients;
>  }
>else if (streq (p[0], "max-routes-per-client") && p[1] && !p[2])

Thanks.  One more nitpick though.  There are quite some occurrences of
0xFF now.  I think a #define MAX_PEER_ID 0xFF is warranted.

And if you do so, please change to error message to print the decimal
value, since that is also how we expect users to specify the
--max-clients argument.

-Steffan



[Openvpn-devel] [PATCH v3] Support for disabled peer-id

2016-09-17 Thread Lev Stipakov
From: Lev Stipakov 

v3:
* move assert outside of loop
* add max-clients value check to options

v2:
* Add round brackets for clarity
* Rephrase comment

Support for disabled peer-id

When peer-id value is 0xFF, server should ignore it and treat packet
in a same way as P_DATA_V1.
---
 src/openvpn/mudp.c| 13 ++---
 src/openvpn/multi.c   |  3 ++-
 src/openvpn/options.c |  5 +
 3 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c
index 21a7e97..59795eb 100644
--- a/src/openvpn/mudp.c
+++ b/src/openvpn/mudp.c
@@ -64,12 +64,16 @@ multi_get_create_instance_udp (struct multi_context *m, 
bool *floated)
   struct hash_bucket *bucket = hash_bucket (hash, hv);
   uint8_t* ptr = BPTR(>top.c2.buf);
   uint8_t op = ptr[0] >> P_OPCODE_SHIFT;
+  bool v2 = (op == P_DATA_V2) && (m->top.c2.buf.len >= (1 + 3));
+  bool peer_id_disabled = false;
 
   /* make sure buffer has enough length to read opcode (1 byte) and 
peer-id (3 bytes) */
-  if (op == P_DATA_V2 && m->top.c2.buf.len >= (1 + 3))
+  if (v2)
{
  uint32_t peer_id = ntohl(*(uint32_t*)ptr) & 0xFF;
- if ((peer_id < m->max_clients) && (m->instances[peer_id]))
+ peer_id_disabled = (peer_id == 0xFF);
+
+ if (!peer_id_disabled && (peer_id < m->max_clients) && 
(m->instances[peer_id]))
{
  mi = m->instances[peer_id];
 
@@ -84,7 +88,7 @@ multi_get_create_instance_udp (struct multi_context *m, bool 
*floated)
  }
}
}
-  else
+  if (!v2 || peer_id_disabled)
{
  he = hash_lookup_fast (hash, bucket, , hv);
  if (he)
@@ -107,6 +111,9 @@ multi_get_create_instance_udp (struct multi_context *m, 
bool *floated)
  hash_add_fast (hash, bucket, >real, hv, mi);
  mi->did_real_hash = true;
 
+ /* max_clients must be less then max peer-id value */
+ ASSERT(m->max_clients < 0xFF);
+
  for (i = 0; i < m->max_clients; ++i)
{
  if (!m->instances[i])
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index ba7f2c0..73b211e 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -605,7 +605,8 @@ multi_close_instance (struct multi_context *m,
}
 #endif
 
-  m->instances[mi->context.c2.tls_multi->peer_id] = NULL;
+  if (mi->context.c2.tls_multi->peer_id != 0xFF)
+   m->instances[mi->context.c2.tls_multi->peer_id] = NULL;
 
   schedule_remove_entry (m->schedule, (struct schedule_entry *) mi);
 
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index c9688c3..493ffe6 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -5893,6 +5893,11 @@ add_option (struct options *options,
  msg (msglevel, "--max-clients must be at least 1");
  goto err;
}
+  if (max_clients >= 0xFF) /* max peer-id value */
+   {
+ msg (msglevel, "--max-clients must be less than 0xFF");
+ goto err;
+   }
   options->max_clients = max_clients;
 }
   else if (streq (p[0], "max-routes-per-client") && p[1] && !p[2])
-- 
1.9.1




Re: [Openvpn-devel] [PATCH applied] Re: Prefer RECVDSTADDR to PKTINFO for IPv4 in OS X since it actually works (unlike PKTINFO)

2016-09-17 Thread Gert Doering
Hi,

On Sat, Sep 17, 2016 at 02:01:03PM +0200, Gert Doering wrote:
> Your patch has been applied to the master branch.
> 
> commit 3ffe2338c092d7bd4abace3ae9fa0b4f85cf4b87
> Author: Arne Schwabe
> Date:   Sat Sep 17 11:00:35 2016 +0200

Forgot to push and then David put a new patch in between, so the commit-id
changed.  Sorry.

commit e7303ace6f101bbe61c3251c080975cf5c261f71
Author: Arne Schwabe 
Date:   Sat Sep 17 11:00:35 2016 +0200

Prefer RECVDSTADDR to PKTINFO for IPv4 in OS X since it actually works 
(unlike PKTINFO)

gert


Re: [Openvpn-devel] how is debug/doval and debug/dovalns are supposed to be used ?

2016-09-17 Thread David Sommerseth

On 17/09/16 14:37, Илья Шипицин wrote:
> Hello,
> 
> I see couple of valgrind-like tests
> 
> debug/dovalns debug/doval
> 
> however, I do not see any usage of them
> 
> [ilia@localhost openvpn]$ find . -type f -exec grep doval {} ';'
> -print Binary file ./.git/index matches ./.git/index 
> [ilia@localhost openvpn]$
> 
> 
> 
> I would like to add valgrind tests to .travis.yml
> 
> also, if openssl is compiled -DPURIFY, it is not so annoying with 
> valgrind, should we add -DPURIFY as well ?

This is tackled via the --with-mem-check argument to ./configure.

  $ ./configure --with-mem-check=valgrind

That should make valgrind runs look far more reasonable.


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc




Re: [Openvpn-devel] [PATCH applied] Add SHA256 fingerprint support

2016-09-17 Thread David Sommerseth

ACK!

Your patch has been applied to the master branch
This patch includes also the clean cert_hash_remember scoping patch.

commit af1e4d26ab65bd71de168ea621ca55d0e40a0bc1
Author: Steffan Karger
Date:   Thu May 5 22:14:07 2016 +0200

 Add SHA256 fingerprint support

 Signed-off-by: Steffan Karger 
 Acked-by: David Sommerseth 
 Message-Id: 1462479247-21854-1-git-send-email-stef...@karger.me
 Message-Id: 1474055635-7427-1-git-send-email-stef...@karger.me
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg11859.html
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12464.html
 Signed-off-by: David Sommerseth 


--
kind regards,

David Sommerseth




[Openvpn-devel] [PATCH applied] Re: Prefer RECVDSTADDR to PKTINFO for IPv4 in OS X since it actually works (unlike PKTINFO)

2016-09-17 Thread Gert Doering
ACK.

Your patch has been applied to the master branch.

commit 3ffe2338c092d7bd4abace3ae9fa0b4f85cf4b87
Author: Arne Schwabe
Date:   Sat Sep 17 11:00:35 2016 +0200

 Prefer RECVDSTADDR to PKTINFO for IPv4 in OS X since it actually works 
(unlike PKTINFO)

 Acked-by: Gert Doering 
 Message-Id: <1474102835-13402-1-git-send-email-a...@rfc2549.org>
 URL: 
http://www.mail-archive.com/search?l=mid=1474102835-13402-1-git-send-email-a...@rfc2549.org
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




[Openvpn-devel] [PATCH applied] Re: Fix ENABLE_WITH_OPENSSL set to YES even with --disable-crypto set

2016-09-17 Thread Gert Doering
ACK.

Your patch has been applied to the master branch.

Text changed to read "ENABLE_CRYPTO_OPENSSL"

commit d13a40a4a477bae3efede6945174df1cb2c3aa69
Author: Arne Schwabe
Date:   Sat Sep 17 13:16:46 2016 +0200

 Fix ENABLE_CRYPTO_OPENSSL set to YES even with --disable-crypto set

 Acked-by: Gert Doering 
 Message-Id: <1474111006-16401-1-git-send-email-a...@rfc2549.org>
 URL: 
http://www.mail-archive.com/search?l=mid=1474111006-16401-1-git-send-email-a...@rfc2549.org
 Signed-off-by: Gert Doering 

--
kind regards,

Gert Doering




[Openvpn-devel] how is debug/doval and debug/dovalns are supposed to be used ?

2016-09-17 Thread Илья Шипицин
Hello,

I see couple of valgrind-like tests

debug/dovalns
debug/doval

however, I do not see any usage of them

[ilia@localhost openvpn]$ find . -type f -exec grep doval {} ';' -print
Binary file ./.git/index matches
./.git/index
[ilia@localhost openvpn]$



I would like to add valgrind tests to .travis.yml

also, if openssl is compiled -DPURIFY, it is not so annoying with valgrind,
should we add -DPURIFY as well ?

Cheers,
Ilya Shipitsin


Re: [Openvpn-devel] [PATCH applied] t_client.sh: Improve detection if the OpenVPN process did start during tests

2016-09-17 Thread Gert Doering
ACK, thanks.

Your patch has been applied to the following branches

commit 3712322ee1219e55640f2f4e5f822799edacd7cc  (master)
commit 3347d51ea779b190864fe0715da3e9d7e8fa365c  (release/2.3)
Author: David Sommerseth
Date:   Sat Sep 17 14:18:05 2016 +0300

 t_client.sh: Improve detection if the OpenVPN process did start during 
tests

 Signed-off-by: David Sommerseth 
 Acked-by: Gert Doering 
 Message-Id: <1474111085-10678-1-git-send-email-dav...@openvpn.net>
 URL: 
http://www.mail-archive.com/search?l=mid=1474111085-10678-1-git-send-email-dav...@openvpn.net
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




Re: [Openvpn-devel] [PATCH] enable "--disable-crypto" build configuration

2016-09-17 Thread Илья Шипицин
2016-09-17 16:17 GMT+05:00 Steffan Karger :

> Hi,
>
> On 17 September 2016 at 12:54, Ilya Shipitsin 
> wrote:
> > ---
> >  .travis.yml | 4 
> >  1 file changed, 4 deletions(-)
> >
> > diff --git a/.travis.yml b/.travis.yml
> > index 452c48e..369db97 100644
> > --- a/.travis.yml
> > +++ b/.travis.yml
> > @@ -51,10 +51,6 @@ matrix:
> >os: osx
> >osx_image: xcode7.3
> >compiler: clang
> > -  allow_failures:
> > -- env: SSLLIB="openssl" EXTRA_CONFIG="--disable-crypto"
> > -  os: linux
> > -  compiler: clang
> >exclude:
> >  - compiler: gcc
> >
> > --
> > 2.5.5
>
> Thanks.  The patch is good, so ACK.
>
> But the commit messages should describe why this change is needed.  In
> this case:
>
> Previously, 'make test' failed for --disable-crypto builds.  Since
> that is not fixed, we should no longer accept --disable-crypto builds
> to fail 'make test' on travis.
>
> Could you please include such descriptions in future patches?
>

ok, I'm going to play with travis-ci + valgrind soon.

or, some powershell for windows testing (it's on my list)



>
> -Steffan
>


Re: [Openvpn-devel] [PATCH applied] t_client.sh: Add support for Kerberos/ksu

2016-09-17 Thread Gert Doering
Your patch has been applied to the following branches

commit 6b25b99fe4b8bdf5cdba4a0fb247df40277d0525  (master)
commit f1b66b21f2f5c0ef74903048f84d69023ef21b8e  (release/2.3)
Author: David Sommerseth
Date:   Sat Sep 17 13:50:33 2016 +0300

 t_client.sh: Add support for Kerberos/ksu

 Signed-off-by: David Sommerseth 
 Acked-by: Gert Doering 
 Message-Id: <1474109433-4710-1-git-send-email-dav...@openvpn.net>
 URL: 
http://www.mail-archive.com/search?l=mid=1474109433-4710-1-git-send-email-dav...@openvpn.net
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




[Openvpn-devel] [PATCH] t_client.sh: Improve detection if the OpenVPN process did start during tests

2016-09-17 Thread David Sommerseth
This will check the OpenVPN log file to see whether the process initialized
successfully.  It will check the log file for up to 30 seconds before aborting
the test run.  This also has the advantage of starting the testing sooner if
the initialization goes faster than 10 seconds (which was the old sleep time).

The umask is also set to a more permissive mode to ensure the test script is
capable of reading the OpenVPN PID file, as that will be created by root.

Signed-off-by: David Sommerseth 
---
 tests/t_client.sh.in | 46 +-
 1 file changed, 33 insertions(+), 13 deletions(-)

diff --git a/tests/t_client.sh.in b/tests/t_client.sh.in
index 64a3b9a..bde07a6 100755
--- a/tests/t_client.sh.in
+++ b/tests/t_client.sh.in
@@ -297,23 +297,39 @@ do
 openvpn_conf="$openvpn_conf --writepid $pidfile"
 echo " run openvpn $openvpn_conf"
 echo "# src/openvpn/openvpn $openvpn_conf" >$LOGDIR/$SUF:openvpn.log
+umask 022
 $RUN_SUDO "${top_builddir}/src/openvpn/openvpn" $openvpn_conf 
>>$LOGDIR/$SUF:openvpn.log &
-sleep 3  # Wait for OpenVPN to initialize and have had time to write the 
pid file
-opid=`cat $pidfile`
-echo "  OpenVPN running with PID $opid"
-
-# make sure openvpn client is terminated in case shell exits
-trap "$RUN_SUDO $KILL_EXEC $opid" 0
-trap "$RUN_SUDO $KILL_EXEC $opid ; trap - 0 ; exit 1" 1 2 3 15
+sudopid=$!
 
-echo "wait for connection to establish..."
-sleep ${SETUP_TIME_WAIT:-10}
+# Check if OpenVPN has initialized before continuing.  It will check every 
3rd second up
+# to $ovpn_init_check times.
+ovpn_init_check=10
+ovpn_init_success=0
+while [ $ovpn_init_check -gt 0 ];
+do
+   sleep 3  # Wait for OpenVPN to initialize and have had time to write 
the pid file
+   grep -q "Initialization Sequence Completed" $LOGDIR/$SUF:openvpn.log
+   if [ $? -eq 0 ]; then
+   ovpn_init_check=0
+   ovpn_init_success=1
+   fi
+   ovpn_init_check=$(( $ovpn_init_check - 1 ))
+done
 
-# test whether OpenVPN process is still there
-if $RUN_SUDO $KILL_EXEC -0 $opid
-then :
+opid=`cat $pidfile`
+if [ -n "$opid" ]; then
+echo "  OpenVPN running with PID $opid"
 else
-   fail "OpenVPN process has failed to start up, check log 
($LOGDIR/$SUF:openvpn.log)."
+echo "  Could not read OpenVPN PID file" >&2
+fi
+
+# If OpenVPN did not start
+if [ $ovpn_init_success -ne 1 -o -z "$opid" ]; then
+echo "$0:  OpenVPN did not initialize in a reasonable time" >&2
+if [ -n "$opid" ]; then
+   $RUN_SUDO $KILL_EXEC $opid
+fi
+$RUN_SUDO $KILL_EXEC $sudopid
echo "tail -5 $SUF:openvpn.log" >&2
tail -5 $LOGDIR/$SUF:openvpn.log >&2
echo -e "\nFAIL. skip rest of sub-tests for test run $SUF.\n" >&2
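Review bot: `umask 022` at the top of this hunk changes the umask for the remainder of the script (every later file the test writes) and is never restored; if the only goal is a readable root-written PID file, save the old value (`old_umask=\`umask\``) and restore it right after the launch line. Also, `opid=\`cat $pidfile\`` prints a `cat` error on stderr when the PID file never appeared; `2>/dev/null` keeps the test output readable, since the `-z "$opid"` check that follows already reports the problem.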
@@ -323,6 +339,10 @@ do
continue
 fi
 
+# make sure openvpn client is terminated in case shell exits
+trap "$RUN_SUDO $KILL_EXEC $opid" 0
+trap "$RUN_SUDO $KILL_EXEC $opid ; trap - 0 ; exit 1" 1 2 3 15
+
 # compare whether anything changed in ifconfig/route setup?
 echo "save ifconfig+route"
 get_ifconfig_route >$LOGDIR/$SUF:ifconfig_route.txt
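Review bot: the `trap` handlers that kill OpenVPN are now installed only after the up-to-30-second initialization loop, so an interrupt (Ctrl-C) or shell exit during that wait leaves the backgrounded openvpn running as root. Consider installing a trap on `$sudopid` immediately after the `&` launch in the previous hunk and re-pointing it at `$opid` here once the PID file has been read.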
-- 
1.8.3.1




[Openvpn-devel] [PATCH] Fix ENABLE_WITH_OPENSSL set to YES even with --disable-crypto set

2016-09-17 Thread Arne Schwabe
On OS X openssl/x509.h is not in the standard include path and the
files still try to include it, since the includes only depend on
ENABLE_WITH_OPENSSL.
---
 configure.ac | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/configure.ac b/configure.ac
index 5c5cdf8..e4f613b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -781,7 +781,7 @@ PKG_CHECK_MODULES(
[]
 )
 
-if test "${with_crypto_library}" = "openssl"; then
+if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; 
then
AC_ARG_VAR([OPENSSL_CFLAGS], [C compiler flags for OpenSSL])
AC_ARG_VAR([OPENSSL_LIBS], [linker flags for OpenSSL])
 
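Review bot: `test ... -a ...` is the obsolescent XSI form; the portable-shell guidance in the autoconf manual is two `test` invocations joined with `&&` (`if test "${enable_crypto}" = "yes" && test "${with_crypto_library}" = "openssl"; then`), and the same applies to the mbedtls condition in the next hunk. The subject line and body also name the macro ENABLE_WITH_OPENSSL, while the hunk (and the AC_DEFINE below it) is ENABLE_CRYPTO_OPENSSL; the commit message should use the real macro name.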
@@ -835,7 +835,7 @@ if test "${with_crypto_library}" = "openssl"; then
AC_DEFINE([ENABLE_CRYPTO_OPENSSL], [1], [Use OpenSSL library])
CRYPTO_CFLAGS="${OPENSSL_CFLAGS}"
CRYPTO_LIBS="${OPENSSL_LIBS}"
-elif test "${with_crypto_library}" = "mbedtls"; then
+elif test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "mbedtls"; 
then
AC_ARG_VAR([MBEDTLS_CFLAGS], [C compiler flags for mbedtls])
AC_ARG_VAR([MBEDTLS_LIBS], [linker flags for mbedtls])
 
@@ -918,7 +918,7 @@ elif test "${with_crypto_library}" = "mbedtls"; then
AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library])
CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}"
CRYPTO_LIBS="${MBEDTLS_LIBS}"
-else
+elif test "${enable_crypto}" = "yes"; then
AC_MSG_ERROR([Invalid crypto library: ${with_crypto_library}])
 fi
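Review bot: with `--disable-crypto`, an unsupported `--with-crypto-library=...` value is now accepted silently instead of reaching AC_MSG_ERROR. If that is intended, an AC_MSG_WARN (or AC_MSG_NOTICE saying that crypto is disabled and the library selection is ignored) in this `elif` chain would make a typo in the option visible to whoever later re-enables crypto.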
 
-- 
2.7.4 (Apple Git-66)




[Openvpn-devel] [PATCH] enable "--disable-crypto" build configuration

2016-09-17 Thread Ilya Shipitsin
---
 .travis.yml | 4 
 1 file changed, 4 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index 452c48e..369db97 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -51,10 +51,6 @@ matrix:
   os: osx
   osx_image: xcode7.3
   compiler: clang
-  allow_failures:
-- env: SSLLIB="openssl" EXTRA_CONFIG="--disable-crypto"
-  os: linux
-  compiler: clang
   exclude:
 - compiler: gcc
 
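Review bot: the commit message has no body, and removing the `allow_failures` entry is a behaviour change for the CI matrix: a `--disable-crypto` job that fails `make test` will now fail the whole build. The body should state why the exemption is no longer needed (that the earlier `make test` failure for `--disable-crypto` builds has been fixed), so the reason is in the history rather than only in the review thread.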
-- 
2.5.5




[Openvpn-devel] [PATCHv3] t_client.sh: Add support for Kerberos/ksu

2016-09-17 Thread David Sommerseth
If t_client.rc has PREFER_KSU=1 configured, t_client.sh
will check whether you have a valid Kerberos ticket and, if so, it will
do all execution via ksu instead of sudo.

If PREFER_KSU is not set or a Kerberos ticket is not found, it
will fall back to the configured RUN_SUDO approach.

When using ksu it needs the full path to the program being executed,
so there is also additional code to find the full path of true and kill.

[ v2 - Remove $* from RUN_SUDO for ksu config.  Old cruft which survived
   last review before patch submission.
 - Improve known state declaration of PREFER_KSU ]

[ v3 - Kick out bashism - '&>' redirect ]

Signed-off-by: David Sommerseth 
---
 tests/t_client.sh.in | 40 +++-
 1 file changed, 35 insertions(+), 5 deletions(-)

diff --git a/tests/t_client.sh.in b/tests/t_client.sh.in
index fc82cdb..64a3b9a 100755
--- a/tests/t_client.sh.in
+++ b/tests/t_client.sh.in
@@ -36,6 +36,18 @@ if [ $? -ne 0 ]; then
 exit 77
 fi
 
+KILL_EXEC=`which kill`
+if [ $? -ne 0 ]; then
+echo "$0: kill not found in \$PATH" >&2
+exit 77
+fi
+
+TRUE_EXEC=`which true`
+if [ $? -ne 0 ]; then
+echo "$0: true not found in \$PATH" >&2
+exit 77
+fi
+
 if [ ! -x "${top_builddir}/src/openvpn/openvpn" ]
 then
 echo "no (executable) openvpn binary in current build tree. FAIL." >&2
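Review bot: `which` is not POSIX and on some platforms exits 0 (printing a diagnostic) even when nothing is found, so the `$? -ne 0` checks after `KILL_EXEC=\`which kill\`` and `TRUE_EXEC=\`which true\`` may never fire; `command -v kill` / `command -v true` is the portable spelling with the exit status these checks rely on. A one-line comment that the full paths exist because the commands are handed to `ksu -e`/sudo (where the shell builtin `kill` is not available) would also help the next reader.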
@@ -58,12 +70,29 @@ if [ -z "$TEST_RUN_LIST" ] ; then
 exit 77
 fi
 
+# Ensure PREFER_KSU is in a known state
+PREFER_KSU="${PREFER_KSU:-0}"
+
 # make sure we have permissions to run ifconfig/route from OpenVPN
 # can't use "id -u" here - doesn't work on Solaris
 ID=`id`
 if expr "$ID" : "uid=0" >/dev/null
 then :
 else
+if [ "${PREFER_KSU}" -eq 1 ];
+then
+# Check if we have a valid kerberos ticket
+klist -l 1>/dev/null 2>/dev/null
+if [ $? -ne 0 ];
+then
+# No kerberos ticket found, skip ksu and fallback to RUN_SUDO
+PREFER_KSU=0
+echo "$0: No Kerberos ticket available.  Will not use ksu."
+else
+RUN_SUDO="ksu -q -e"
+fi
+fi
+
 if [ -z "$RUN_SUDO" ]
 then
 echo "$0: this test must run be as root, or RUN_SUDO=... " >&2
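Review bot: `klist -l` only reports that a credential cache exists; an expired TGT still passes the check and the run then fails later inside `ksu`. `klist -s` is the documented silent form that exits non-zero when the cache is missing or expired, and it makes the `1>/dev/null 2>/dev/null` redirection unnecessary. Also, `ksu -q -e` requires the principal to be authorized for root (via .k5login or equivalent), so a valid ticket alone is not sufficient; worth stating next to PREFER_KSU in the t_client.rc documentation.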
@@ -73,7 +102,7 @@ else
 # We have to use sudo. Make sure that we (hopefully) do not have
 # to ask the users password during the test. This is done to
 # prevent timing issues, e.g. when the waits for openvpn to start
-$RUN_SUDO \true
+$RUN_SUDO $TRUE_EXEC
 fi
 fi
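Review bot: the exit status of `$RUN_SUDO $TRUE_EXEC` is not checked, so with ksu selected above a principal that is not authorized for root only surfaces later as "OpenVPN process has failed to start up"; an `|| exit 77` here (skip, matching the other pre-flight checks in this file) would give a clear message at the point of failure.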
 
@@ -90,6 +119,7 @@ exit_code=0
 # --
 # helper functions
 # --
+
 # print failure message, increase FAIL counter
 fail()
 {
@@ -273,14 +303,14 @@ do
 echo "  OpenVPN running with PID $opid"
 
 # make sure openvpn client is terminated in case shell exits
-trap "$RUN_SUDO kill $opid" 0
-trap "$RUN_SUDO kill $opid ; trap - 0 ; exit 1" 1 2 3 15
+trap "$RUN_SUDO $KILL_EXEC $opid" 0
+trap "$RUN_SUDO $KILL_EXEC $opid ; trap - 0 ; exit 1" 1 2 3 15
 
 echo "wait for connection to establish..."
 sleep ${SETUP_TIME_WAIT:-10}
 
 # test whether OpenVPN process is still there
-if $RUN_SUDO kill -0 $opid
+if $RUN_SUDO $KILL_EXEC -0 $opid
 then :
 else
fail "OpenVPN process has failed to start up, check log 
($LOGDIR/$SUF:openvpn.log)."
@@ -315,7 +345,7 @@ do
 echo -e "ping tests done.\n"
 
 echo "stopping OpenVPN"
-$RUN_SUDO kill $opid
+$RUN_SUDO $KILL_EXEC $opid
 wait $!
 rc=$?
 if [ $rc != 0 ] ; then
-- 
1.8.3.1




Re: [Openvpn-devel] [PATCHv2] t_client.sh: Add support for Kerberos/ksu

2016-09-17 Thread Gert Doering
Hi,

On Sat, Sep 17, 2016 at 01:19:33PM +0300, David Sommerseth wrote:
> +klist -l &> /dev/null

NAK :)

(bashism, on ksh it will just put "klist -l" into the background)

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de




[Openvpn-devel] [PATCH v3 (release/2.3)] Drop recursively routed packets

2016-09-17 Thread Lev Stipakov
From: Lev Stipakov 

v3: Use a better way of figuring out the IP protocol version which
does not break TAP mode. Add an option to allow recursive
routing; could be useful when packets sent by openvpn itself
are not subject to the routing tables that would move packets
into the tunnel.

v2: better method naming

On certain OSes (Windows, OS X), when the network adapter is
disabled (ethernet cable pulled out, Wi-Fi hardware switch disabled),
the operating system starts to use tun as an external interface.
Outgoing packets are routed to tun, UDP encapsulated, given to the
routing table and sent to.. tun.

As a consequence, the system starts talking to itself at full power,
traffic counters skyrocket and the user is not happy.

To prevent that, drop packets which have the gateway IP as
destination address.

Tested on Win7/10, OS X.
---
 doc/openvpn.8 |  4 +++
 src/openvpn/forward.c | 71 +++
 src/openvpn/options.c | 10 
 src/openvpn/options.h |  4 +++
 src/openvpn/proto.h   | 32 +++
 5 files changed, 121 insertions(+)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index d9bb77c..0decc54 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -3796,6 +3796,10 @@ rather than waiting for a timeout.  The
 parameter (default=1) controls the maximum number of attempts that the client
 will try to resend the exit notification message.  OpenVPN will not send any 
exit
 notifications unless this option is enabled.
+.TP
+.B \-\-allow\-recursive\-routing
+When this option is set, OpenVPN will not drop incoming tun packets
+with same destination as host.
 .\"*
 .SS Data Channel Encryption Options:
 These options are meaningful for both Static & TLS-negotiated key modes
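Review bot: "with same destination as host" does not describe what the code checks: `drop_if_recursive_routing` compares the packet's destination with `c->c2.to_link_addr->dest`, i.e. the address of the remote VPN endpoint, not the local host. Suggested text: "When this option is set, OpenVPN will not drop packets read from the tun/tap device whose destination is the remote VPN endpoint address. By default such packets are dropped, because they indicate the OS is routing the tunnel's own transport back into the tunnel." It should also say the check only applies in point-to-point (client) mode, as the forward.c hunk guards on MODE_POINT_TO_POINT. The same wording is used in the usage_message text in options.c.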
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 5ba6fcb..d725f8d 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -968,6 +968,75 @@ read_incoming_tun (struct context *c)
   perf_pop ();
 }
 
+/**
+ * Drops UDP packets which OS decided to route via tun.
+ *
+ * On Windows and OS X when netwotk adapter is disabled or
+ * disconnected, platform starts to use tun as external interface.
+ * When packet is sent to tun, it comes to openvpn, encapsulated
+ * and sent to routing table, which sends it again to tun.
+ */
+static void
+drop_if_recursive_routing (struct context *c, struct buffer *buf)
+{
+  bool drop = false;
+  struct openvpn_sockaddr tun_sa;
+
+  if (c->c2.to_link_addr == NULL) /* no remote addr known */
+return;
+
+  tun_sa = c->c2.to_link_addr->dest;
+
+  int proto_ver = get_tun_ip_ver (TUNNEL_TYPE (c->c1.tuntap), >c2.buf);
+
+  if (proto_ver == 4)
+{
+  const struct openvpn_iphdr *pip;
+
+  /* make sure we got whole IP header */
+  if (BLEN (buf) < (int) sizeof (struct openvpn_iphdr))
+   return;
+
+  /* skip ipv4 packets for ipv6 tun */
+  if (tun_sa.addr.sa.sa_family != AF_INET)
+   return;
+
+  pip = (struct openvpn_iphdr *) BPTR (buf);
+
+  /* drop packets with same dest addr as gateway */
+  if (tun_sa.addr.in4.sin_addr.s_addr == pip->daddr)
+   drop = true;
+}
+  else if (proto_ver == 6)
+{
+  const struct openvpn_ipv6hdr *pip6;
+
+  /* make sure we got whole IPv6 header */
+  if (BLEN (buf) < (int) sizeof (struct openvpn_ipv6hdr))
+   return;
+
+  /* skip ipv6 packets for ipv4 tun */
+  if (tun_sa.addr.sa.sa_family != AF_INET6)
+   return;
+
+  /* drop packets with same dest addr as gateway */
+  pip6 = (struct openvpn_ipv6hdr *) BPTR(buf);
+  if (IN6_ARE_ADDR_EQUAL(_sa.addr.in6.sin6_addr, >daddr))
+   drop = true;
+}
+
+  if (drop)
+{
+  struct gc_arena gc = gc_new ();
+
+  c->c2.buf.len = 0;
+
+  msg(D_LOW, "Recursive routing detected, drop tun packet to %s",
+   print_link_socket_actual(c->c2.to_link_addr, ));
+  gc_free ();
+}
+}
+
 /*
  * Input:  c->c2.buf
  * Output: c->c2.to_link
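Review bot: in TAP mode this reads the wrong bytes. `get_tun_ip_ver` is given the tunnel type, but `pip = (struct openvpn_iphdr *) BPTR (buf)` and the `openvpn_ipv6hdr` cast below point at the start of the buffer, which for a tap device is the Ethernet header, so `pip->daddr` is not the destination address and the `BLEN (buf) < sizeof (...)` checks are short by the Ethernet header length as well. Have the version helper also return the IP header offset (0 for tun, the Ethernet header size for tap) and add it to both the length checks and the casts. Two smaller points: the function takes `buf` but calls `get_tun_ip_ver` on `c->c2.buf` and clears `c->c2.buf.len` instead of `buf->len`, so use the parameter consistently; and "netwotk" in the function comment is a typo.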
@@ -993,6 +1062,8 @@ process_incoming_tun (struct context *c)
 
   if (c->c2.buf.len > 0)
 {
+  if ((c->options.mode == MODE_POINT_TO_POINT) && 
(!c->options.allow_recursive_routing))
+   drop_if_recursive_routing (c, >c2.buf);
   /*
* The --passtos and --mssfix options require
* us to examine the IP header (IPv4 or IPv6).
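Review bot: `drop_if_recursive_routing` zeroes `c->c2.buf.len` on a drop, but this block has already passed the `c->c2.buf.len > 0` test and continues into the --passtos/--mssfix header handling with an empty buffer; either re-test the length after the call or turn the drop into an early exit so the rest of the path does not have to cope with len == 0. A short comment on why the check is limited to MODE_POINT_TO_POINT (the client-side failure the commit message describes) would also help.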
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 1ef0299..0ecaad9 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -500,6 +500,8 @@ static const char usage_message[] =
   "--server-poll-timeout n : when polling possible remote servers to connect 
to\n"
   "  in a round-robin fashion, spend no more than n seconds\n"
   "  waiting for a response before trying the next server.\n"
+  "--allow-recursive-routing : When this option is set, OpenVPN will not 
drop\n"
+  "  incoming tun packets with same destination as host.\n"
 #endif
 #ifdef 

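The check this patch describes (compare the destination of a packet read from the tun device with the remote endpoint, drop on a match), written out as a stand-alone added example that is not part of the patch or of OpenVPN. It covers IPv4 and IPv6, handles the TAP case by skipping the Ethernet header before looking at the IP header, and treats a truncated header, a non-IP frame, an unknown remote and an address-family mismatch as "keep". The `struct remote_endpoint` type stands in for OpenVPN's `to_link_addr->dest`, and the addresses and packets are constructed for the example, not captured traffic.

```c
/* Added example, not OpenVPN code: drop a packet read from the tun/tap device whose
 * destination is the remote VPN endpoint (the OS is routing the tunnel's own transport
 * back into the tunnel). struct remote_endpoint stands in for to_link_addr->dest. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { DEV_TUN = 0, DEV_TAP = 1, ETH_HDR_LEN = 14, ETHERTYPE_IPV4 = 0x0800, ETHERTYPE_IPV6 = 0x86DD };

struct remote_endpoint { int family; uint8_t addr[16]; };  /* family 4, 6 or 0 (unknown); addr in network order */

/* IP version (4/6) and IP header offset of a tun/tap packet; 0 if it is not IP.
 * A TAP frame starts with an Ethernet header, which must be skipped first. */
static int tun_ip_version(int dev_type, const uint8_t *pkt, size_t len, size_t *ip_off)
{
    size_t off = 0;
    if (dev_type == DEV_TAP) {
        uint16_t ethertype = len < ETH_HDR_LEN ? 0 : (uint16_t)((pkt[12] << 8) | pkt[13]);
        if (ethertype != ETHERTYPE_IPV4 && ethertype != ETHERTYPE_IPV6)
            return 0;  /* too short, ARP, etc.: never dropped */
        off = ETH_HDR_LEN;
    }
    int ver = len > off ? pkt[off] >> 4 : 0;
    *ip_off = off;
    return (ver == 4 || ver == 6) ? ver : 0;
}

/* true when the packet's destination equals the remote endpoint address */
bool is_recursively_routed(int dev_type, const uint8_t *pkt, size_t len,
                           const struct remote_endpoint *remote)
{
    size_t off = 0;
    int ver = tun_ip_version(dev_type, pkt, len, &off);
    if (ver == 4 && remote->family == 4 && len >= off + 20)   /* whole IPv4 header present */
        return memcmp(pkt + off + 16, remote->addr, 4) == 0;  /* daddr at +16 */
    if (ver == 6 && remote->family == 6 && len >= off + 40)   /* fixed IPv6 header present */
        return memcmp(pkt + off + 24, remote->addr, 16) == 0; /* daddr at +24 */
    return false;  /* not IP, truncated header or address-family mismatch: keep */
}

/* Constructed sample packets (not captured traffic): a bare IPv4 or IPv6 header */
static size_t make_ip(uint8_t *out, int ver, const uint8_t *src, const uint8_t *dst)
{
    size_t alen = ver == 4 ? 4 : 16, hlen = ver == 4 ? 20 : 40;
    memset(out, 0, hlen);
    if (ver == 4) { out[0] = 0x45; out[3] = 20; out[8] = 64; out[9] = 17; } /* IHL 5, len, TTL, UDP */
    else          { out[0] = 0x60; out[6] = 17; out[7] = 64; }              /* next hdr UDP, hop limit */
    memcpy(out + hlen - 2 * alen, src, alen);  /* src and dst are the last 2*alen bytes of both headers */
    memcpy(out + hlen - alen, dst, alen);
    return hlen;
}

/* Prepend an Ethernet header, as a TAP device would deliver the packet */
static size_t wrap_eth(uint8_t *out, const uint8_t *ip, size_t iplen, uint16_t ethertype)
{
    memset(out, 0, ETH_HDR_LEN);  /* MAC addresses do not matter for this check */
    out[12] = (uint8_t)(ethertype >> 8); out[13] = (uint8_t)ethertype;
    memcpy(out + ETH_HDR_LEN, ip, iplen);
    return ETH_HDR_LEN + iplen;
}

/* Six constructed scenarios; returns whether scenario idx would be dropped */
bool sample_dropped(int idx)
{
    static const uint8_t gw4[4] = {203, 0, 113, 10}, me4[4] = {10, 8, 0, 2}, other4[4] = {198, 51, 100, 7};
    static const uint8_t gw6[16] = {0x20, 0x01, 0x0d, 0xb8, [15] = 1}, me6[16] = {0xfd, [15] = 2};
    struct remote_endpoint r4 = {4, {203, 0, 113, 10}}, r6 = {6, {0x20, 0x01, 0x0d, 0xb8, [15] = 1}};
    uint8_t ip[64], frame[96];
    size_t n;
    switch (idx) {
    case 0: n = make_ip(ip, 4, me4, gw4);                     /* tun: IPv4 to the gateway -> drop */
            return is_recursively_routed(DEV_TUN, ip, n, &r4);
    case 1: n = make_ip(ip, 4, me4, other4);                  /* tun: IPv4 elsewhere -> keep */
            return is_recursively_routed(DEV_TUN, ip, n, &r4);
    case 2: n = make_ip(ip, 4, me4, gw4);                     /* tap: same packet behind Ethernet -> drop */
            n = wrap_eth(frame, ip, n, ETHERTYPE_IPV4);
            return is_recursively_routed(DEV_TAP, frame, n, &r4);
    case 3: n = make_ip(ip, 4, me4, gw4);                     /* tap: IPv4 header cut short -> keep */
            n = wrap_eth(frame, ip, 10, ETHERTYPE_IPV4);
            return is_recursively_routed(DEV_TAP, frame, n, &r4);
    case 4: n = make_ip(ip, 6, me6, gw6);                     /* tun: IPv6 to the gateway -> drop */
            return is_recursively_routed(DEV_TUN, ip, n, &r6);
    case 5: n = make_ip(ip, 4, me4, gw4);                     /* IPv4 packet, IPv6 remote -> keep */
            return is_recursively_routed(DEV_TUN, ip, n, &r6);
    default: return false;
    }
}

int count_dropped(void)
{
    int dropped = 0;
    for (int i = 0; i < 6; i++)
        dropped += sample_dropped(i);
    return dropped;
}

int main(void)
{
    printf("%d of 6 constructed samples would be dropped\n", count_dropped());
    return 0;
}
```

A call site in the style of the patch would pass the tunnel type, `BPTR`/`BLEN` of the tun buffer and the link endpoint, and zero the buffer length when the function returns true; keeping the address-family and length checks inside the function is what makes the TAP and truncated-header cases safe to run on every packet.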
[Openvpn-devel] [PATCH v4] Remove tun-ipv6 Option. Instead assume that IPv6 is always supported.

2016-09-17 Thread Arne Schwabe
This option was useful when IPv6 tun support was non-standard and was an 
internal/user-specified flag that tracked the IPv6 capability of the tun device.

All supported OSes support IPv6. Also, tun-ipv6 is pushable by the remote, so not 
putting tun-ipv6 in the config does not forbid IPv6 addresses.

This commit also cleans up a bit of the IPv6-related tun.c. Changes for most 
platforms are minimal.

For Linux a bit more cleanup is done:
- Remove compatibility defines that were added in 2008
- Always use IFF_NO_PI for the Linux tun and not only for IPv4-only tun setups 
(Android also always uses IFF_NO_PI and works fine with IPv6).

This commit also removes a non-IPv6 fallback for the tap driver from OpenVPN 
2.2-beta or earlier and only warns.

Patch V2: Integrate Gert's comments
Patch V3: Remove tun_ipv4 option. It was only used for MTU discovery and there it 
was wrong since it should depend on the transport protocol, if at all
Patch V4: do not send V3 as V2
---
 Changes.rst   |   3 ++
 src/openvpn/forward.c |   2 +-
 src/openvpn/helper.c  |   2 -
 src/openvpn/init.c|   6 ---
 src/openvpn/multi.c   |   8 ++--
 src/openvpn/openvpn.h |   5 ---
 src/openvpn/options.c |  11 +
 src/openvpn/options.h |   1 -
 src/openvpn/route.c   |  13 ++
 src/openvpn/tun.c | 110 ++
 src/openvpn/tun.h |   2 -
 11 files changed, 32 insertions(+), 131 deletions(-)

diff --git a/Changes.rst b/Changes.rst
index 9fcba75..2956003 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -135,6 +135,9 @@ User-visible Changes
   ciphers configured in the config file.  Use --ncp-disable if you don't want
   that.
 
+- ALl tun devices on all platforms are considered always IPv6 capable. The 
--tun-ipv6
+  option is ignored (behaves like it is always on).
+
 
 Maintainer-visible changes
 --
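Review bot: typo in the added line: "ALl tun devices" should read "All tun devices". It would also help users to say that --tun-ipv6 is still accepted (and still pushed by --server, see the helper.c hunk) so existing configs keep working, rather than only that it "is ignored".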
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 6c11439..b3077ed 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -391,7 +391,7 @@ check_fragment_dowork (struct context *c)
   struct link_socket_info *lsi = get_link_socket_info (c);
 
   /* OS MTU Hint? */
-  if (lsi->mtu_changed && c->c2.ipv4_tun)
+  if (lsi->mtu_changed)
 {
   frame_adjust_path_mtu (>c2.frame_fragment, c->c2.link_socket->mtu,
 c->options.ce.proto);
diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c
index 62f88ec..229523d 100644
--- a/src/openvpn/helper.c
+++ b/src/openvpn/helper.c
@@ -200,8 +200,6 @@ helper_client_server (struct options *o)
add_in6_addr( o->server_network_ipv6, 0x1000 );
o->ifconfig_ipv6_pool_netbits = o->server_netbits_ipv6;
 
-   o->tun_ipv6 = true;
-
push_option( o, "tun-ipv6", M_USAGE );
  }
 
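Review bot: `push_option( o, "tun-ipv6", M_USAGE )` is kept although the option is now a no-op on this side; if the push is retained for older (2.3) clients that still need the flag, say so in a comment here, otherwise drop it together with the `o->tun_ipv6 = true` line.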
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 9236a9f..7b73509 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1400,9 +1400,6 @@ do_init_tun (struct context *c)
   !c->options.ifconfig_nowarn,
   c->c2.es);
 
-  /* flag tunnel for IPv6 config if --tun-ipv6 is set */
-  c->c1.tuntap->ipv6 = c->options.tun_ipv6;
-
   init_tun_post (c->c1.tuntap,
 >c2.frame,
 >options.tuntap_options);
@@ -1420,9 +1417,6 @@ do_open_tun (struct context *c)
   struct gc_arena gc = gc_new ();
   bool ret = false;
 
-  c->c2.ipv4_tun = (!c->options.tun_ipv6
-   && is_dev_type (c->options.dev, c->options.dev_type, 
"tun"));
-
 #ifndef TARGET_ANDROID
   if (!c->c1.tuntap)
 {
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index ba7f2c0..228b393 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -1377,8 +1377,7 @@ multi_select_virtual_addr (struct multi_context *m, 
struct multi_instance *mi)
* (see below) so issue a warning if that happens - don't break the
* session, though, as we don't even know if this client WANTS IPv6
*/
-  if ( mi->context.c1.tuntap->ipv6 &&
-  mi->context.options.ifconfig_ipv6_pool_defined &&
+  if ( mi->context.options.ifconfig_ipv6_pool_defined &&
   ! mi->context.options.push_ifconfig_ipv6_defined )
{
  msg( M_INFO, "MULTI_sva: WARNING: if --ifconfig-push is used for 
IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work.  Use 
--ifconfig-ipv6-push for IPv6 then." );
@@ -1451,8 +1450,7 @@ multi_select_virtual_addr (struct multi_context *m, 
struct multi_instance *mi)
* way round ("dynamic IPv4, static IPv6") or "both static" makes sense
* -> and so it's implemented right now
*/
-  if ( mi->context.c1.tuntap->ipv6 &&
-   mi->context.options.push_ifconfig_ipv6_defined )
+  if ( mi->context.options.push_ifconfig_ipv6_defined )
 {
   mi->context.c2.push_ifconfig_ipv6_local = 
mi->context.options.push_ifconfig_ipv6_local;
@@ -1510,7 +1508,7 @@ multi_set_virtual_addr_env (struct multi_context *m, 
struct multi_instance *mi)
   setenv_del (mi->context.c2.es, 

Re: [Openvpn-devel] [PATCH] Show compile-time variant for --multihome in --version output.

2016-09-17 Thread Arne Schwabe
Am 16.09.16 um 22:45 schrieb Gert Doering:
> Instead of just [MH], show [MH/PKTINFO] or [MH/RECVDA], to see more
> easily which compile-time variant was chosen by configure and syshead.h
> 
ACK from me.

Arne




Re: [Openvpn-devel] [PATCH] Fix IP_PKTINFO related compilation failure on NetBSD 7.0

2016-09-17 Thread Arne Schwabe
Am 16.09.16 um 22:02 schrieb Gert Doering:
> NetBSD has introduced IP_PKTINFO and struct in_pktinfo, but does not
> have the "ipi_spec_dst" structure element, causing compilation errors.
> 
> Introduce a check for that (AC_CHECK_MEMBER) in configure.ac, and
> change all "#ifdef HAVE_IN_PKTINFO" to also check "HAVE_IPI_SPEC_DST".
> 
> Patch inspired by NetBSD pkgsrc patch set.
>
ACK from me.

Arne




Re: [Openvpn-devel] [PATCH applied] initial travis-ci support

2016-09-17 Thread Gert Doering
ACK. Your patch has been applied to the master branch

(Talking with Steffan, we've decided to squash both patches into just one,
because it seems to be somewhat silly to add a file just to completely
rewrite it in the next patch again)

commit 368991264d82f038bde30a67910ac6c7681a4ba9
Author: Ilya Shipitsin
Date:   Thu Sep 15 16:26:48 2016 +0500

 initial travis-ci support

 Acked-by: Gert Doering 
 Message-Id: <1473938808-3312-1-git-send-email-chipits...@gmail.com>
 URL: 
http://www.mail-archive.com/search?l=mid=1473938808-3312-1-git-send-email-chipits...@gmail.com
 Signed-off-by: Steffan Karger 
 Acked-by: Gert Doering 
 Message-Id: <1473938818-3375-1-git-send-email-chipits...@gmail.com>
 URL: 
http://www.mail-archive.com/search?l=mid=1473938818-3375-1-git-send-email-chipits...@gmail.com
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering

