[Openvpn-devel] [PATCH v2] Delete the IPv6 route to the "connected" network on tun close

2016-11-24 Thread Selva Nair
This was missing on Windows when interactive service is in use.

- Added route_ipv6_clear_host_bits(r6) to delete_route_ipv6: this is
  required for Windows IP-helper API. Won't hurt other platforms (?)

v2: Be const correct: route in delete_route_ipv6() made non-const.
None of the existing calls are affected.

Signed-off-by: Selva Nair 
---
 src/openvpn/route.c | 4 +++-
 src/openvpn/route.h | 2 +-
 src/openvpn/tun.c   | 3 +++
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/route.c b/src/openvpn/route.c
index fec12c1..34b1196 100644
--- a/src/openvpn/route.c
+++ b/src/openvpn/route.c
@@ -2102,7 +2102,7 @@ delete_route (struct route_ipv4 *r,
 }
 
 void
-delete_route_ipv6 (const struct route_ipv6 *r6, const struct tuntap *tt, 
unsigned int flags, const struct env_set *es)
+delete_route_ipv6 (struct route_ipv6 *r6, const struct tuntap *tt, unsigned 
int flags, const struct env_set *es)
 {
   struct gc_arena gc;
   struct argv argv = argv_new ();
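Review bot: dropping const from r6 in the delete_route_ipv6 signature means the function now rewrites the caller's route as a side effect of deleting it. If that is not intended, copy the struct into a local and clear the host bits on the copy, which lets the parameter stay const; otherwise state in the function comment that r6->network is normalised in place.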
@@ -2124,6 +2124,8 @@ delete_route_ipv6 (const struct route_ipv6 *r6, const 
struct tuntap *tt, unsigne
 
   gc_init (&gc);
 
+  route_ipv6_clear_host_bits (r6);
+
   network = print_in6_addr( r6->network, 0, &gc);
   gateway = print_in6_addr( r6->gateway, 0, &gc);
 
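Review bot: route_ipv6_clear_host_bits (r6) runs on every platform here, while the commit message says it is required for the Windows IP-helper API and leaves "Won't hurt other platforms (?)" as an open question. Settle that before merging: either confirm the non-Windows delete paths behave the same with the masked network, or restrict the call to the Windows code path. Because network is printed after the clear, the log will also show the masked prefix rather than the value the caller passed.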
diff --git a/src/openvpn/route.h b/src/openvpn/route.h
index c358681..70aeb65 100644
--- a/src/openvpn/route.h
+++ b/src/openvpn/route.h
@@ -252,7 +252,7 @@ void copy_route_ipv6_option_list (struct 
route_ipv6_option_list *dest,
   struct gc_arena *a);
 
 void add_route_ipv6 (struct route_ipv6 *r, const struct tuntap *tt, unsigned 
int flags, const struct env_set *es);
-void delete_route_ipv6 (const struct route_ipv6 *r, const struct tuntap *tt, 
unsigned int flags, const struct env_set *es);
+void delete_route_ipv6 (struct route_ipv6 *r, const struct tuntap *tt, 
unsigned int flags, const struct env_set *es);
 
 void add_route (struct route_ipv4 *r,
const struct tuntap *tt,
diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
index 560b1a8..40ce202 100644
--- a/src/openvpn/tun.c
+++ b/src/openvpn/tun.c
@@ -5663,6 +5663,9 @@ close_tun (struct tuntap *tt)
 {
   if (tt->options.msg_channel)
 {
+  /* remove route pointing to interface */
+  delete_route_connected_v6_net(tt, NULL);
+
   do_address_service (false, AF_INET6, tt);
  if (tt->options.dns6_len > 0)
  do_dns6_service (false, tt);
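Review bot: delete_route_connected_v6_net(tt, NULL) passes NULL as its second argument. If that is the env_set handed on to delete_route_ipv6 (const struct env_set *es in this patch), confirm that the delete path reached from close_tun tolerates a NULL es, or pass a real env_set if one is available at this point.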
-- 
2.1.4


--
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
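
The host-bit clearing that the patch description above says the Windows IP-helper API requires, as an added example (not code from the patch or from OpenVPN). The names example_route6, example_clear_host_bits and example_same_prefix are hypothetical, the addresses are constructed from the documentation prefix, and POSIX headers are assumed.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the two route fields involved. */
struct example_route6 {
    struct in6_addr network;
    unsigned int netbits;              /* prefix length, 0..128 */
};

/* Zero every bit of r->network beyond the prefix length, in place. */
static void example_clear_host_bits(struct example_route6 *r)
{
    unsigned int keep = r->netbits > 128 ? 128 : r->netbits;
    unsigned int full = keep / 8;      /* bytes kept whole */
    unsigned int rem = keep % 8;       /* bits kept in the following byte */

    if (rem != 0)                      /* rem != 0 implies full <= 15 */
        r->network.s6_addr[full++] &= (uint8_t)(0xff << (8 - rem));
    if (full < 16)
        memset(&r->network.s6_addr[full], 0, 16 - full);
}

/* 1 if both addresses name the same prefix once host bits are cleared,
 * 0 if they differ, -1 on an unparsable address or prefix length > 128. */
static int example_same_prefix(const char *a, const char *b, unsigned int netbits)
{
    struct example_route6 ra, rb;

    if (netbits > 128
        || inet_pton(AF_INET6, a, &ra.network) != 1
        || inet_pton(AF_INET6, b, &rb.network) != 1)
        return -1;
    ra.netbits = rb.netbits = netbits;
    example_clear_host_bits(&ra);
    example_clear_host_bits(&rb);
    return memcmp(&ra.network, &rb.network, sizeof ra.network) == 0;
}

int main(void)
{
    /* Constructed sample: an interface address and the network it sits in. */
    printf("%d\n", example_same_prefix("2001:db8:0:1::1001", "2001:db8:0:1::", 64));
    return 0;
}
```

A route stored with host bits set and the same route stored as a clean prefix compare equal only after both are masked, which is why the delete has to normalise before asking the OS to remove the entry.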


Re: [Openvpn-devel] Test installer with installer, openvpn-gui and openvpnserv2 improvements

2016-11-24 Thread Selva Nair
Hi,

On Thu, Nov 24, 2016 at 5:26 AM, Samuli Seppänen  wrote:

> Here's a new Windows test installer for 2.4_beta1:
>
>  install-2.4_beta1-I902.exe>
>
> The changes compared to standard 2.4_beta1 installers are:
>
> 1) Installer works on both 32-bit and 64-bit Windows
> - https://github.com/OpenVPN/openvpn-build/pull/44
>

Tested on 32 bit and 64 bit systems and both installs went smoothly. Great
job. Reg values under the HKLM\Software\OpenVPN key (exe_path etc.) are not
updated -- guess that is expected.

Not tested on XP.

Ukrainian localization patch needs some positioning tweaks (see comments
added to the PR).

All else looks good.

Selva


[Openvpn-devel] [PATCH] Fix using a pointer before checking against null

2016-11-24 Thread SviMik
There were a few places where a pointer was used and then checked
against null.

This patch is trying to fix that by adding additional checks or moving
it into the right place.

Signed-off-by: Sviatoslav Mikhailov 
---
 src/openvpn/buffer.c |2 +-
 src/openvpn/ps.c |4 ++--
 src/openvpn/push.c   |2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c
index 52c6ab9..57956dd 100644
--- a/src/openvpn/buffer.c
+++ b/src/openvpn/buffer.c
@@ -439,7 +439,7 @@ format_hex_ex (const uint8_t *data, int size, int maxoutput,
   struct gc_arena *gc)
 {
   struct buffer out = alloc_buf_gc (maxoutput ? maxoutput :
-   ((size * 2) + (size / (space_break_flags & 
FHE_SPACE_BREAK_MASK)) * (int) strlen (separator) + 2),
+   ((size * 2) + (size / (space_break_flags & 
FHE_SPACE_BREAK_MASK)) * (separator ? (int) strlen (separator) : 0) + 2),
gc);
   int i;
   for (i = 0; i < size; ++i)
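Review bot: the new (separator ? ... : 0) guard covers strlen, but the same expression still divides size by (space_break_flags & FHE_SPACE_BREAK_MASK), which is zero whenever no break flag is set and maxoutput is 0. Guard the divisor in the same change, for example by computing the masked value first and counting zero breaks when it is 0.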
diff --git a/src/openvpn/ps.c b/src/openvpn/ps.c
index 2cb68f1..935bd0b 100644
--- a/src/openvpn/ps.c
+++ b/src/openvpn/ps.c
@@ -499,6 +499,7 @@ control_message_from_parent (const socket_descriptor_t 
sd_control,
   mesg.msg_flags = 0;
 
   h = CMSG_FIRSTHDR(&mesg);
+  ASSERT (h);
   h->cmsg_len = CMSG_LEN(sizeof(socket_descriptor_t));
   h->cmsg_level = SOL_SOCKET;
   h->cmsg_type = SCM_RIGHTS;
@@ -508,8 +509,7 @@ control_message_from_parent (const socket_descriptor_t 
sd_control,
   status = recvmsg (sd_control, &mesg, MSG_NOSIGNAL);
   if (status != -1)
 {
-  if (   h == NULL
- || h->cmsg_len!= CMSG_LEN(sizeof(socket_descriptor_t))
+  if ( h->cmsg_len!= CMSG_LEN(sizeof(socket_descriptor_t))
  || h->cmsg_level  != SOL_SOCKET
  || h->cmsg_type   != SCM_RIGHTS )
{
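Review bot: with the h == NULL test removed, the checks after recvmsg still read the h that was obtained from CMSG_FIRSTHDR before the call (first ps.c hunk). recvmsg updates the control-message fields of mesg, so the more robust pattern is to call CMSG_FIRSTHDR(&mesg) again after a successful recvmsg and keep the NULL test on that result, rather than deleting the test.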
diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index 9953079..b016d99 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -565,7 +565,7 @@ push_remove_option (struct options *o, const char *p)
   msg (D_PUSH_DEBUG, "PUSH_REMOVE searching for: '%s'", p);
 
   /* ifconfig-ipv6 is special, as not part of the push list */
-  if ( streq( p, "ifconfig-ipv6" ))
+  if (o && streq( p, "ifconfig-ipv6" ))
 {
   o->push_ifconfig_ipv6_blocked = true;
   return;
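Review bot: if (o && streq( p, "ifconfig-ipv6" )) only skips this branch when o is NULL; the function then carries on past the block instead of returning, so any later use of o in push_remove_option would still dereference it. If a NULL o is possible, reject it once at the top of the function (early return or ASSERT); if it is not, the extra test is unnecessary.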
-- 
1.7.10.msysgit.1


[Openvpn-devel] [PATCH] Delete the IPv6 route to the "connected" network on tun close

2016-11-24 Thread Selva Nair
This was missing on Windows when interactive service is in use.

- Added route_ipv6_clear_host_bits(r6) to delete_route_ipv6: this is
  required for Windows IP-helper API. Won't hurt other platforms (?)

Signed-off-by: Selva Nair 
---
 src/openvpn/route.c | 2 ++
 src/openvpn/tun.c   | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/src/openvpn/route.c b/src/openvpn/route.c
index fec12c1..85f969e 100644
--- a/src/openvpn/route.c
+++ b/src/openvpn/route.c
@@ -2124,6 +2124,8 @@ delete_route_ipv6 (const struct route_ipv6 *r6, const 
struct tuntap *tt, unsigne
 
   gc_init (&gc);
 
+  route_ipv6_clear_host_bits (r6);
+
   network = print_in6_addr( r6->network, 0, &gc);
   gateway = print_in6_addr( r6->gateway, 0, &gc);
 
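Review bot: route_ipv6_clear_host_bits (r6) is called while r6 is still declared const struct route_ipv6 * in the delete_route_ipv6 signature shown in the hunk header, so the call writes through a const pointer and discards the qualifier. Either drop const from the parameter (and from the prototype in route.h) or clear the host bits on a local copy.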
diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
index 560b1a8..40ce202 100644
--- a/src/openvpn/tun.c
+++ b/src/openvpn/tun.c
@@ -5663,6 +5663,9 @@ close_tun (struct tuntap *tt)
 {
   if (tt->options.msg_channel)
 {
+  /* remove route pointing to interface */
+  delete_route_connected_v6_net(tt, NULL);
+
   do_address_service (false, AF_INET6, tt);
  if (tt->options.dns6_len > 0)
  do_dns6_service (false, tt);
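Review bot: the delete_route_connected_v6_net(tt, NULL) call is added only inside the if (tt->options.msg_channel) branch of close_tun. The one-line comment should say why only the interactive-service path needs it, for example by naming the call that added the route, so a reader can check that the other close paths already remove it.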
-- 
2.1.4




Re: [Openvpn-devel] [PATCH applied] Re: Set IPv6 DNS servers using interactive service

2016-11-24 Thread Gert Doering
Hi,

On Thu, Nov 24, 2016 at 12:00:50PM +0100, Gert Doering wrote:
> ACK.  Code looks reasonable, and it passes compilation.
> 
> I have not been able to actually TEST it due to scheduling conflicts
> today, but I'm taking that risk, based on "it looks good, it affects
> windows only, and unless the code is activated by *pushing* a DNS6
> option, it will not affect existing setups at all".

Tested!

It was a bit more work than expected as my test machine was in an... uh...
"slightly messy" state, with a gui that crashed when trying to talk to the
service pipe, and stuff... but tested both "netsh.exe direct" and "via
service", and both produced the expected output in "ipconfig /all".

Yay :-)

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] IPv6 route addition error on SIGHUP restarts (Windows)

2016-11-24 Thread Selva Nair
Hi,

On Thu, Nov 24, 2016 at 5:28 AM, Gert Doering  wrote:

>
> On Wed, Nov 23, 2016 at 10:43:20PM -0500, Selva Nair wrote:
> > I see the following route addition error during SIGHUP restarts on
> Windows.
> >
> > Wed Nov 23 21:44:39 2016 add_route_ipv6(::e001:3b08::/64 ->
> > ::e001:3b08::1001 metric 0) dev SanSel-VPN
> > Wed Nov 23 21:44:39 2016 ROUTE: route addition failed using service: The
> > object already exists.   [status=5010 if_index=24]
> > Wed Nov 23 21:44:39 2016 IPv6 route addition via service failed
> >
> > I'm not familiar with the relevant code, but looks like the route added
> by
> > add_route_connected_v6_net() is not deleted on disconnect. Probably this
> > route doesn't make it into the route_list.
>
> Right, the "locally connected" routes are set directly, bypassing the
> route_list infrastructure (for no particular reason than "it was easier
> to do that way, than to try to understand all the machinery involved"
> and I was not familiar with the code yet).
>
> Is this a fatal error (= openvpn ends), or just a nuisance?
>
> We should fix it in any case, but if this is just a nuisance in the
> logs, I'd treat it as a cosmetic bug and postpone for a few weeks.


It's not fatal and looks like it's harmless (the route already exists).

Selva


Re: [Openvpn-devel] [PATCH applied] Re: Set IPv6 DNS servers using interactive service

2016-11-24 Thread Selva Nair
On Thu, Nov 24, 2016 at 6:00 AM, Gert Doering  wrote:

> +out:
> +  err = 0;
> +  free (cmdline);
> +  return err;
> +}
>
> .. which did not make sense, so I removed the "err = 0" line.


Good catch. That was a leftover from testing ...

Selva


[Openvpn-devel] [PATCH applied] Re: Set IPv6 DNS servers using interactive service

2016-11-24 Thread Gert Doering
ACK.  Code looks reasonable, and it passes compilation.

I have not been able to actually TEST it due to scheduling conflicts
today, but I'm taking that risk, based on "it looks good, it affects
windows only, and unless the code is activated by *pushing* a DNS6
option, it will not affect existing setups at all".

In case someone wonders whether changing struct dns_cfg_message_t is
safe - it is, because we never had a "v4 DNS message" yet, that struct
was completely unused (and the new one is theoretically multi-protocol
capable, though not "mixed mode").

I did a small code fix, though - the netsh_dns_cmd() always reset
"err = 0" at the end:

+  err = ExecCommand (argv0, cmdline, timeout);
+   
+out: 
+  err = 0;
+  free (cmdline);
+  return err;
+}

.. which did not make sense, so I removed the "err = 0" line.


Your patch has been applied to the master branch.

commit c098016a22e90575e9c3e7c27d7b457ed9d1b5d3
Author: Selva Nair
Date:   Wed Nov 23 22:35:27 2016 -0500

 Set IPv6 DNS servers using interactive service

 Signed-off-by: Selva Nair 
 Acked-by: Gert Doering 
 Message-Id: <1479958527-29491-1-git-send-email-selva.n...@gmail.com>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13222.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




Re: [Openvpn-devel] IPv6 route addition error on SIGHUP restarts (Windows)

2016-11-24 Thread Gert Doering
Hi,

On Wed, Nov 23, 2016 at 10:43:20PM -0500, Selva Nair wrote:
> I see the following route addition error during SIGHUP restarts on Windows.
> 
> Wed Nov 23 21:44:39 2016 add_route_ipv6(::e001:3b08::/64 ->
> ::e001:3b08::1001 metric 0) dev SanSel-VPN
> Wed Nov 23 21:44:39 2016 ROUTE: route addition failed using service: The
> object already exists.   [status=5010 if_index=24]
> Wed Nov 23 21:44:39 2016 IPv6 route addition via service failed
> 
> I'm not familiar with the relevant code, but looks like the route added by
> add_route_connected_v6_net() is not deleted on disconnect. Probably this
> route doesn't make it into the route_list.

Right, the "locally connected" routes are set directly, bypassing the
route_list infrastructure (for no particular reason than "it was easier
to do that way, than to try to understand all the machinery involved"
and I was not familiar with the code yet).

Is this a fatal error (= openvpn ends), or just a nuisance?

We should fix it in any case, but if this is just a nuisance in the
logs, I'd treat it as a cosmetic bug and postpone for a few weeks.

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de




[Openvpn-devel] Test installer with installer, openvpn-gui and openvpnserv2 improvements

2016-11-24 Thread Samuli Seppänen
Hi,

Here's a new Windows test installer for 2.4_beta1:



The changes compared to standard 2.4_beta1 installers are:

1) Installer works on both 32-bit and 64-bit Windows
- https://github.com/OpenVPN/openvpn-build/pull/44

2) Installer should fail on Windows XP and earlier
- https://github.com/OpenVPN/openvpn-build/pull/52

3) OpenVPN-GUI is DPI-aware
- https://github.com/OpenVPN/openvpn-gui/pull/99

4) OpenVPN-GUI has dynamic challenge-response support
- https://github.com/OpenVPN/openvpn-gui/pull/87

5) OpenVPN-GUI Ukrainian localization fixes
- https://github.com/OpenVPN/openvpn-gui/pull/94

6) Openvpnserv2 shuts down openvpn instances cleanly
- https://github.com/OpenVPN/openvpnserv2/pull/6

We will try to get all of this included in OpenVPN 2.4_rc1, so test 
reports are most welcome!

Best regards,

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] [PATCH applied] Re: Poor man's NCP for non-NCP peers

2016-11-24 Thread Gert Doering
Hi,

On Wed, Nov 23, 2016 at 11:58:49PM +0100, Steffan Karger wrote:
> This will end up with the server and client using cipher bar (if the
> server has --ncp-ciphers :bar).  The client-side poor-man's
> NCP is already guarded by "if (c->options.ncp_enabled)" (in
> do_deferred_options()).

Good point.  Seems I was not very much awake anymore :-)

  /* process (potentially pushed) crypto options */
  if (c->options.pull)
    {
      struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
      if (found & OPT_P_NCP)
        {
          msg (D_PUSH, "OPTIONS IMPORT: data channel crypto options modified");
        }
      else if (c->options.ncp_enabled)
        {
          tls_poor_mans_ncp(&c->options, c->c2.tls_multi->remote_ciphername);
        }

... all fine, then.

thanks,

gert


-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de




[Openvpn-devel] [PATCH applied] Re: Refactor data channel key generation API

2016-11-24 Thread Gert Doering
ACK.  This is slightly different from the refactoring in "v4"
(as tls_session_generate_data_channel_keys() is now "static" and
no longer needs to be called externally, so the actual change is
much smaller).  The change to ssl.c is mostly identical, though,
so this was now reviewed and tested twice :-) - "just code being
moved around".  Passes all tests on server and client side.

Your patch has been applied to the master branch.

commit e2ffdb7c83faaee6541c248e8d83eb3dfb5a32f1
Author: Steffan Karger
Date:   Wed Nov 23 21:02:05 2016 +0100

 Refactor data channel key generation API

 Signed-off-by: Steffan Karger 
 Acked-by: Gert Doering 
 Message-Id: <1479931325-25919-2-git-send-email-stef...@karger.me>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13216.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering

