[Openvpn-devel] [PATCH applied] Re: Remove always enabled USE_64_BIT_COUNTERS define

2021-04-21 Thread Gert Doering
Your patch has been applied to the release/2.4 branch.

commit 1bdd09e7e019ac6d8fdc1b009bdec818b9183e76
Author: Arne Schwabe
Date:   Wed Apr 21 15:43:44 2021 +0200

 Remove always enabled USE_64_BIT_COUNTERS define

 Signed-off-by: Arne Schwabe 
 Acked-by: Antonio Quartulli 
 Message-Id: <20210421134348.1950392-3-a...@rfc2549.org>
 URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22171.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [PATCH 6/7] Replace OS_SPECIFIC_DIRSEP with PATH_SEPARATOR

2021-04-21 Thread Antonio Quartulli
Hi,

On 21/04/2021 15:43, Arne Schwabe wrote:
> We have two defines that do exactly the same. Also move the check
> from configure.ac to syshead.h since it is really only checking
> for Windows.
> 
> Signed-off-by: Arne Schwabe 




> ---
>  configure.ac | 8 
>  src/openvpn/platform.c   | 2 +-
>  src/openvpn/ssl_verify.c | 2 +-
>  src/openvpn/syshead.h| 6 --
>  4 files changed, 6 insertions(+), 12 deletions(-)
> 
> diff --git a/configure.ac b/configure.ac
> index a67bf2595..3b4d3cbc7 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -1133,14 +1133,6 @@ if test -n "${GIT}" -a -d "${srcdir}/.git"; then
>  fi
>  AC_MSG_RESULT([${GIT_CHECKOUT}])
>  
> -if test -n "${SP_PLATFORM_WINDOWS}"; then
> - AC_DEFINE_UNQUOTED([PATH_SEPARATOR], [''], [Path separator]) #"
> - AC_DEFINE_UNQUOTED([PATH_SEPARATOR_STR], [""], [Path separator]) #"
> -else
> - AC_DEFINE_UNQUOTED([PATH_SEPARATOR], ['/'], [Path separator])
> - AC_DEFINE_UNQUOTED([PATH_SEPARATOR_STR], ["/"], [Path separator])
> -fi
> -
>  dnl enable --x509-username-field feature if requested
>  if test "${enable_x509_alt_username}" = "yes"; then
>   if test "${with_crypto_library}" = "mbedtls" ; then
> diff --git a/src/openvpn/platform.c b/src/openvpn/platform.c
> index c63c1d994..bf7b1aa0a 100644
> --- a/src/openvpn/platform.c
> +++ b/src/openvpn/platform.c
> @@ -486,7 +486,7 @@ platform_gen_path(const char *directory, const char 
> *filename,
>  struct buffer out = alloc_buf_gc(outsize, gc);
>  char dirsep[2];
>  
> -dirsep[0] = OS_SPECIFIC_DIRSEP;
> +dirsep[0] = PATH_SEPARATOR;
>  dirsep[1] = '\0';
>  
>  if (directory)
> diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
> index 7608155cd..14aaf2bf7 100644
> --- a/src/openvpn/ssl_verify.c
> +++ b/src/openvpn/ssl_verify.c
> @@ -616,7 +616,7 @@ verify_check_crl_dir(const char *crl_dir, 
> openvpn_x509_cert_t *cert,
>  goto cleanup;
>  }
>  
> -if (!openvpn_snprintf(fn, sizeof(fn), "%s%c%s", crl_dir, 
> OS_SPECIFIC_DIRSEP, serial))
> +if (!openvpn_snprintf(fn, sizeof(fn), "%s%c%s", crl_dir, PATH_SEPARATOR, 
> serial))
>  {
>  msg(D_HANDSHAKE, "VERIFY CRL: filename overflow");
>  goto cleanup;
> diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h
> index a964ffd35..28ccca087 100644
> --- a/src/openvpn/syshead.h
> +++ b/src/openvpn/syshead.h
> @@ -432,9 +432,11 @@ typedef unsigned short sa_family_t;
>   * Directory separation char
>   */
>  #ifdef _WIN32
> -#define OS_SPECIFIC_DIRSEP '\\'
> +#define PATH_SEPARATOR '\\'
> +#define PATH_SEPARATOR_STR "\\"

Do we still need the define in config-msvc.h now that we have it here?

config-msvc.h:85:#define PATH_SEPARATOR '\\'
config-msvc.h:86:#define PATH_SEPARATOR_STR "\\"


Regards,

>  #else
> -#define OS_SPECIFIC_DIRSEP '/'
> +#define PATH_SEPARATOR '/'
> +#define PATH_SEPARATOR_STR "/"
>  #endif
>  
>  /*
> 

-- 
Antonio Quartulli




Re: [Openvpn-devel] [PATCH 4/7] Fix a number of mingw warnings

2021-04-21 Thread Antonio Quartulli
Hi,

On 21/04/2021 15:43, Arne Schwabe wrote:
> Move the definitions inside the ifdef where they are used to avoid
> unused warnings.
> 
> Fix a few printf related warnings when DWORD is used as parameter and
> the printf format should be %lu (long unsigned int)
> 
> Signed-off-by: Arne Schwabe 
> ---
>  src/openvpn/route.c  | 4 ++--
>  src/openvpn/socket.c | 3 ++-
>  src/openvpn/tun.c| 2 +-
>  3 files changed, 5 insertions(+), 4 deletions(-)
> 
> diff --git a/src/openvpn/route.c b/src/openvpn/route.c
> index c6b3dc584..c83bd9e2b 100644
> --- a/src/openvpn/route.c
> +++ b/src/openvpn/route.c
> @@ -2360,7 +2360,6 @@ delete_route_ipv6(const struct route_ipv6 *r6, const 
> struct tuntap *tt,
>  #else
>  int metric;
>  #endif
> -const char *device = tt->actual_name;
>  bool gateway_needed = false;
>  
>  if ((r6->flags & (RT_DEFINED|RT_ADDED)) != (RT_DEFINED|RT_ADDED))
> @@ -2369,6 +2368,7 @@ delete_route_ipv6(const struct route_ipv6 *r6, const 
> struct tuntap *tt,
>  }
>  
>  #ifndef _WIN32
> +const char *device = tt->actual_name;

This variable is not used in all cases embraced by "ifndef _WIN32".
I.e. I think it is not used when any of the following is defined:
TARGET_OPENBSD
TARGET_NETBSD
TARGET_AIX

Therefore this change would fix *only* the warning on Windows.
Do we want to go this way? or should we rather rearrange the ifdefs a
bit so that we have a cleaner change/function?



>  if (r6->iface != NULL)  /* vpn server special route */
>  {
>  device = r6->iface;
> @@ -2713,7 +2713,7 @@ get_default_gateway_row(const MIB_IPFORWARDTABLE 
> *routes)
>  const DWORD index = row->dwForwardIfIndex;
>  const DWORD metric = row->dwForwardMetric1;
>  
> -dmsg(D_ROUTE_DEBUG, "GDGR: route[%d] %s/%s i=%d m=%d",
> +dmsg(D_ROUTE_DEBUG, "GDGR: route[%lu] %s/%s i=%d m=%d",

shouldn't it be enough to convert to %u? (/me is not a DWORD expert though)


>   i,
>   print_in_addr_t((in_addr_t) net, 0, &gc),
>   print_in_addr_t((in_addr_t) mask, 0, &gc),
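Review bot: on the %u question raised above: the Windows headers typedef DWORD as unsigned long, so %u would still be a type mismatch under -Wformat on mingw; %lu is the matching conversion for the DWORD values in this hunk, and the `i=%d m=%d` part of the same format string deserves the same treatment if `index` and `metric` (both declared `const DWORD` in the context lines above) are the arguments behind it.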
> diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
> index b13d2e0f1..8a6e42cc6 100644
> --- a/src/openvpn/socket.c
> +++ b/src/openvpn/socket.c
> @@ -2837,10 +2837,11 @@ print_link_socket_actual_ex(const struct 
> link_socket_actual *act,
>  {
>  if (act)
>  {
> -char ifname[IF_NAMESIZE] = "[undef]";
>  struct buffer out = alloc_buf_gc(128, gc);
>  buf_printf(&out, "%s", print_sockaddr_ex(&act->dest.addr.sa, 
> separator, flags, gc));
>  #if ENABLE_IP_PKTINFO
> +char ifname[IF_NAMESIZE] = "[undef]";

This makes sense.

> +
>  if ((flags & PS_SHOW_PKTINFO) && addr_defined_ipi(act))
>  {
>  switch (act->dest.addr.sa.sa_family)
> diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
> index 2c1b270dd..4ef34e4eb 100644
> --- a/src/openvpn/tun.c
> +++ b/src/openvpn/tun.c
> @@ -5606,7 +5606,7 @@ windows_set_mtu(const int iface_index, const short 
> family,
>  
>  if (err != NO_ERROR)
>  {
> -msg(M_WARN, "TUN: Setting %s mtu failed: %s [status=%u if_index=%d]",
> +msg(M_WARN, "TUN: Setting %s mtu failed: %s [status=%lu 
> if_index=%d]",

same question as above.

>  family_name, strerror_win32(err, &gc), err, iface_index);
>  }
>  else
> 


Regards,

-- 
Antonio Quartulli




Re: [Openvpn-devel] [PATCH 3/7] Remove always enabled USE_64_BIT_COUNTERS define

2021-04-21 Thread Antonio Quartulli
Hi,

On 21/04/2021 15:43, Arne Schwabe wrote:
> Also change the types to use C99 uint64_t and its printf u64 define.
> 
> Signed-off-by: Arne Schwabe 

This patch looks good and compiles on my test rig.

As expected, it is basically removing a bunch of ifdefs always forced on
the "true-branch".

Since we recently confirmed that all our supported platforms also
support C99, I don't expect breakages on any *BSD either.

Acked-by: Antonio Quartulli 


-- 
Antonio Quartulli




Re: [Openvpn-devel] [PATCH 2/7] Move direct.h header where it is used

2021-04-21 Thread Antonio Quartulli
Hi,

On 21/04/2021 15:43, Arne Schwabe wrote:
> The direct.h header provides only a handful of functions [1] of which
> we only use _wchdir. Directly include the direct.h file where it is
> used and remove autoconf magic around it.
> 
> [1] 
> https://docs.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2012/as5kw0ze(v=vs.110)?redirectedfrom=MSDN
> 
> Signed-off-by: Arne Schwabe 

Should this be removed too?

config-msvc.h:33:#define HAVE_DIRECT_H 1


Regards,



-- 
Antonio Quartulli




Re: [Openvpn-devel] [PATCH 1/7] Remove --disable-multihome option

2021-04-21 Thread Antonio Quartulli
Hi,

On 21/04/2021 15:43, Arne Schwabe wrote:
> With this change we always build multihome support if the operating
> system supports it.
> 
> Signed-off-by: Arne Schwabe 

Shouldn't these go too?

$ grep -rn MULTIHOME
config-msvc.h:13:#define ENABLE_MULTIHOME 1
configure.ac:1155:test "${enable_multihome}" = "yes" &&
AC_DEFINE([ENABLE_MULTIHOME], [1], [Enable multi-homed UDP server
capability])

Otherwise it looks good.

Regards,


-- 
Antonio Quartulli




[Openvpn-devel] [PATCH] options: check for blanks in fingerprints and reject string if found

2021-04-21 Thread Antonio Quartulli
From: Antonio Quartulli 

A fingerprint is not expected to contain any blank (white space),
however, the parser routine will still attempt parsing the octet
and ignore the space.

This means that a fingerprint like
5 
:F0:A8:75:70:46:6E:0B:A2:31:53:88:0B:0E:8C:E4:8A:5E:BF:1E:08:16:16:41:63:2C:B5:F4:D2:73:9F:E5
will be parsed successfully.

Explicitly check for spaces in the various octets, before conversion,
and error out if any is found.

Signed-off-by: Antonio Quartulli 
---
 src/openvpn/options.c | 12 
 1 file changed, 12 insertions(+)

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 817a1533..264fe383 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -1099,6 +1099,18 @@ parse_hash_fingerprint(const char *str, int nbytes, int 
msglevel, struct gc_aren
 bs[0] = *cp++;
 bs[1] = *cp++;
 bs[2] = 0;
+
+/* the format string "%x" passed to sscanf will ignore any space and
+ * will still try to parse the other character. However, this is not
+ * expected format for a fingerprint, therefore explcitly check for
+ * blanks in the string and error out if any is found
+ */
+if (bs[0] == ' ' || bs[1] == ' ')
+{
+msg(msglevel, "format error in hash fingerprint unexpected blank: 
%s",
+str);
+}
+
 byte = 0;
 if (sscanf(bs, "%x", &byte) != 1)
 {
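Review bot: the new `if (bs[0] == ' ' || bs[1] == ' ')` block only calls msg() and then falls through to `byte = 0; if (sscanf(bs, "%x", &byte) != 1)`, so unless msglevel carries a fatal flag the blank is merely logged and the fingerprint is still parsed and accepted; the block needs to leave the function through the same error path the sscanf failure below uses (a goto or return right after the msg() call). Also, "%x" skips any isspace() character and accepts an optional sign, so a tab or a "+5" slips past a check that compares against ' ' only; validating both characters with isxdigit() covers all of these at once. Lastly, the message reads better as "format error in hash fingerprint, unexpected blank: %s".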
-- 
2.26.3




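The sscanf behaviour the commit message above describes, as an added example that is not part of the patch or of OpenVPN's source: a simplified model of the two-characters-per-octet loop (hand each pair to sscanf("%x")) next to a strict parser that accepts only hex digits and ':' separators, which is the shape the review note recommends. The function names (parse_fingerprint_lenient, parse_fingerprint_strict, hexval) and the sample fingerprints are made up for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not OpenVPN code: a simplified model of the
 * two-characters-per-octet loop the commit message describes, beside a
 * strict parser. Function names and sample inputs are made up. */

/* Lenient model: copy two characters into bs[] and let sscanf("%x") convert
 * them. "%x" skips leading whitespace and stops at the first non-hex
 * character, so " 5" and "5 " both become 5 and pass as a valid octet.
 * Returns nbytes on success, -1 on a format error. */
int parse_fingerprint_lenient(const char *str, uint8_t *out, size_t nbytes)
{
    const char *cp = str;
    for (size_t i = 0; i < nbytes; i++) {
        char bs[3];
        unsigned int byte = 0;

        bs[0] = *cp++;
        if (bs[0] == '\0') return -1;       /* string ended early */
        bs[1] = *cp++;
        if (bs[1] == '\0') return -1;
        bs[2] = '\0';

        if (sscanf(bs, "%x", &byte) != 1 || byte > 0xff) return -1;
        out[i] = (uint8_t)byte;

        if (i + 1 < nbytes) {               /* octets are ':' separated */
            if (*cp != ':') return -1;
            cp++;
        }
    }
    return *cp == '\0' ? (int)nbytes : -1;  /* no trailing data allowed */
}

/* One ASCII character to its hex value, or -1 if it is not a hex digit.
 * Spelled out rather than using isxdigit()/strtoul() so that nothing here
 * skips whitespace or accepts a sign or a "0x" prefix. */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Strict parser: exactly two hex digits per octet, exactly one ':' between
 * octets, nothing else anywhere. Each character is validated before the
 * next one is read, so a truncated string is rejected at its NUL instead
 * of being read past it. */
int parse_fingerprint_strict(const char *str, uint8_t *out, size_t nbytes)
{
    for (size_t i = 0; i < nbytes; i++) {
        int hi = hexval(str[0]);
        if (hi < 0) return -1;
        int lo = hexval(str[1]);
        if (lo < 0) return -1;
        out[i] = (uint8_t)((hi << 4) | lo);
        str += 2;

        if (i + 1 < nbytes) {
            if (*str != ':') return -1;
            str++;
        }
    }
    return *str == '\0' ? (int)nbytes : -1;
}

int main(void)
{
    /* constructed inputs: a well-formed 4-octet prefix, and the same string
     * with a blank inside the first octet as in the commit message */
    const char *good = "5A:F0:A8:75";
    const char *spaced = "5 :F0:A8:75";
    uint8_t buf[4];
    int rc;

    rc = parse_fingerprint_lenient(spaced, buf, 4);
    printf("lenient(spaced) = %d, first octet parsed as 0x%02X\n", rc, buf[0]);
    printf("lenient(good)   = %d\n", parse_fingerprint_lenient(good, buf, 4));
    printf("strict(spaced)  = %d\n", parse_fingerprint_strict(spaced, buf, 4));
    printf("strict(good)    = %d\n", parse_fingerprint_strict(good, buf, 4));
    return 0;
}
```

The lenient model accepts "5 :F0:..." with a first octet of 0x05, and a tab or a leading blank behaves the same way because sscanf skips every isspace() character, which is why a check for the single ' ' character is not enough; the strict parser rejects all of these, plus short strings, trailing data and any separator other than ':'.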

Re: [Openvpn-devel] [PATCH 3/3] Support NCP in pure P2P VPN setups

2021-04-21 Thread Antonio Quartulli
As per Arne's request, this patch is on hold as he wants to send another
change first, which will heavily conflict with this patch.

We will wait for a new version of this patch that will be based on this
other change he will send.

Cheers,

-- 
Antonio Quartulli




Re: [Openvpn-devel] [PATCH 2/3] Remove --ncp-disable option

2021-04-21 Thread Antonio Quartulli
Hi,

On 08/04/2021 16:02, Arne Schwabe wrote:
> NCP has proven to be stable and apart from the one VPN Provider doing
> hacky things with homebrewed NCP we have not had any reports about
> ncp-disable being required. Remove ncp-disable to simplify code paths.
> 
> Note: This patch breaks clients without --pull. The follow up patch
> for P2P NCP will restore that. But to avoid all the NCP/non-NCP special
> cases to be implemented in P2P. P2P will directly switch from always
> non-NCP to always NCP.
> 
> Signed-off-by: Arne Schwabe 

The patch looks good to me and passes my basic connectivity tests.
Also I got no compile-time complaint from any platform I could build on.

However, there is a comment that still talks about NCP being
disabled/enabled. I think it should be changed too as we don't have the
two cases anymore (the if-condition below is modified by this patch):

src/openvpn/init.c:2726:* as NCP-fallback or when NCP has been
disabled or explicitly


Cheers,


-- 
Antonio Quartulli




Re: [Openvpn-devel] [PATCH 5/7] Remove support for blocking connect()

2021-04-21 Thread Arne Schwabe
Am 21.04.21 um 22:32 schrieb Gert Doering:
> Hi,
> 
> On Wed, Apr 21, 2021 at 03:43:46PM +0200, Arne Schwabe wrote:
>> It is hard to imagine that we still have any supported OS that does
>> not support non-blocking connect while still supporting non-blocking
>> sockets in general.
> [..]
>> diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h
>> index f29c63c73..a964ffd35 100644
>> --- a/src/openvpn/syshead.h
>> +++ b/src/openvpn/syshead.h
>> @@ -155,10 +155,6 @@
>>  #include 
>>  #endif
>>  
>> -#ifdef HAVE_SYS_EPOLL_H
>> -#include 
>> -#endif
>> -
> 
> Is that intentional?

Managed to slip into the wrong patch. I accidentally committed it with 5/7
instead of 7/7.

Arne




Re: [Openvpn-devel] [PATCH applied] Re: Fix build with mbedtls w/o SSL renegotiation support

2021-04-21 Thread Magnus Kroken

On 13.04.2021 07:57, Gert Doering wrote:

Your patch has been applied to the master branch.

commit e4bd17c86e01aaf6f809d9ea355419c86c4defdc
Author: Max Fillinger
Date:   Mon Apr 12 19:46:17 2021 +0200

  Fix build with mbedtls w/o SSL renegotiation support


Please backport this to release/2.5 as well. 2.5.2 is affected by this 
and does not compile with an mbed TLS library built in this manner.


Regards,
Magnus Kroken




Re: [Openvpn-devel] [PATCH 5/7] Remove support for blocking connect()

2021-04-21 Thread Gert Doering
Hi,

On Wed, Apr 21, 2021 at 03:43:46PM +0200, Arne Schwabe wrote:
> It is hard to imagine that we still have any supported OS that does
> not support non-blocking connect while still supporting non-blocking
> sockets in general.
[..]
> diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h
> index f29c63c73..a964ffd35 100644
> --- a/src/openvpn/syshead.h
> +++ b/src/openvpn/syshead.h
> @@ -155,10 +155,6 @@
>  #include 
>  #endif
>  
> -#ifdef HAVE_SYS_EPOLL_H
> -#include 
> -#endif
> -

Is that intentional?

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




[Openvpn-devel] [PATCH 4/7] Fix a number of mingw warnings

2021-04-21 Thread Arne Schwabe
Move the definitions inside the ifdef where they are used to avoid
unused warnings.

Fix a few printf related warnings when DWORD is used as parameter and
the printf format should be %lu (long unsigned int)

Signed-off-by: Arne Schwabe 
---
 src/openvpn/route.c  | 4 ++--
 src/openvpn/socket.c | 3 ++-
 src/openvpn/tun.c| 2 +-
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/openvpn/route.c b/src/openvpn/route.c
index c6b3dc584..c83bd9e2b 100644
--- a/src/openvpn/route.c
+++ b/src/openvpn/route.c
@@ -2360,7 +2360,6 @@ delete_route_ipv6(const struct route_ipv6 *r6, const 
struct tuntap *tt,
 #else
 int metric;
 #endif
-const char *device = tt->actual_name;
 bool gateway_needed = false;
 
 if ((r6->flags & (RT_DEFINED|RT_ADDED)) != (RT_DEFINED|RT_ADDED))
@@ -2369,6 +2368,7 @@ delete_route_ipv6(const struct route_ipv6 *r6, const 
struct tuntap *tt,
 }
 
 #ifndef _WIN32
+const char *device = tt->actual_name;
 if (r6->iface != NULL)  /* vpn server special route */
 {
 device = r6->iface;
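Review bot: moving `const char *device = tt->actual_name;` under `#ifndef _WIN32` only silences the unused-variable warning for the Windows build; as Antonio points out in his review, the variable is also unused on the OpenBSD, NetBSD and AIX paths inside that same `#ifndef`, so those builds warn exactly as before. Either scope `device` to the `#if` branches that actually use it, or rearrange the per-platform blocks so the declaration sits next to its uses.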
@@ -2713,7 +2713,7 @@ get_default_gateway_row(const MIB_IPFORWARDTABLE *routes)
 const DWORD index = row->dwForwardIfIndex;
 const DWORD metric = row->dwForwardMetric1;
 
-dmsg(D_ROUTE_DEBUG, "GDGR: route[%d] %s/%s i=%d m=%d",
+dmsg(D_ROUTE_DEBUG, "GDGR: route[%lu] %s/%s i=%d m=%d",
  i,
  print_in_addr_t((in_addr_t) net, 0, &gc),
  print_in_addr_t((in_addr_t) mask, 0, &gc),
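Review bot: `i` now gets `%lu`, but the `i=%d m=%d` conversions in the same format string stay `%d` while `index` and `metric`, declared `const DWORD` two lines above, are the obvious candidates for those arguments; if they are, mingw keeps warning and values above INT_MAX print as negative numbers, so change those to `%lu` as well. DWORD is `unsigned long` in the Windows headers, which is why `%lu` rather than `%u` is the matching conversion.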
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index b13d2e0f1..8a6e42cc6 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
@@ -2837,10 +2837,11 @@ print_link_socket_actual_ex(const struct 
link_socket_actual *act,
 {
 if (act)
 {
-char ifname[IF_NAMESIZE] = "[undef]";
 struct buffer out = alloc_buf_gc(128, gc);
 buf_printf(&out, "%s", print_sockaddr_ex(&act->dest.addr.sa, 
separator, flags, gc));
 #if ENABLE_IP_PKTINFO
+char ifname[IF_NAMESIZE] = "[undef]";
+
 if ((flags & PS_SHOW_PKTINFO) && addr_defined_ipi(act))
 {
 switch (act->dest.addr.sa.sa_family)
diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
index 2c1b270dd..4ef34e4eb 100644
--- a/src/openvpn/tun.c
+++ b/src/openvpn/tun.c
@@ -5606,7 +5606,7 @@ windows_set_mtu(const int iface_index, const short family,
 
 if (err != NO_ERROR)
 {
-msg(M_WARN, "TUN: Setting %s mtu failed: %s [status=%u if_index=%d]",
+msg(M_WARN, "TUN: Setting %s mtu failed: %s [status=%lu if_index=%d]",
 family_name, strerror_win32(err, &gc), err, iface_index);
 }
 else
-- 
2.31.1





[Openvpn-devel] [PATCH 6/7] Replace OS_SPECIFIC_DIRSEP with PATH_SEPARATOR

2021-04-21 Thread Arne Schwabe
We have two defines that do exactly the same. Also move the check
from configure.ac to syshead.h since it is really only checking
for Windows.

Signed-off-by: Arne Schwabe 
---
 configure.ac | 8 
 src/openvpn/platform.c   | 2 +-
 src/openvpn/ssl_verify.c | 2 +-
 src/openvpn/syshead.h| 6 --
 4 files changed, 6 insertions(+), 12 deletions(-)

diff --git a/configure.ac b/configure.ac
index a67bf2595..3b4d3cbc7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1133,14 +1133,6 @@ if test -n "${GIT}" -a -d "${srcdir}/.git"; then
 fi
 AC_MSG_RESULT([${GIT_CHECKOUT}])
 
-if test -n "${SP_PLATFORM_WINDOWS}"; then
-   AC_DEFINE_UNQUOTED([PATH_SEPARATOR], [''], [Path separator]) #"
-   AC_DEFINE_UNQUOTED([PATH_SEPARATOR_STR], [""], [Path separator]) #"
-else
-   AC_DEFINE_UNQUOTED([PATH_SEPARATOR], ['/'], [Path separator])
-   AC_DEFINE_UNQUOTED([PATH_SEPARATOR_STR], ["/"], [Path separator])
-fi
-
 dnl enable --x509-username-field feature if requested
 if test "${enable_x509_alt_username}" = "yes"; then
if test "${with_crypto_library}" = "mbedtls" ; then
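Review bot: the removed AC_DEFINE_UNQUOTED calls exported PATH_SEPARATOR and PATH_SEPARATOR_STR through config.h, which every translation unit sees; after this hunk the macros exist only for code that includes syshead.h. Grep for the two names outside src/openvpn (for instance under src/compat) and in the MSVC build files before dropping the configure-time definition, so that nothing that relied on config.h providing them is left with an undeclared identifier.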
diff --git a/src/openvpn/platform.c b/src/openvpn/platform.c
index c63c1d994..bf7b1aa0a 100644
--- a/src/openvpn/platform.c
+++ b/src/openvpn/platform.c
@@ -486,7 +486,7 @@ platform_gen_path(const char *directory, const char 
*filename,
 struct buffer out = alloc_buf_gc(outsize, gc);
 char dirsep[2];
 
-dirsep[0] = OS_SPECIFIC_DIRSEP;
+dirsep[0] = PATH_SEPARATOR;
 dirsep[1] = '\0';
 
 if (directory)
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index 7608155cd..14aaf2bf7 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -616,7 +616,7 @@ verify_check_crl_dir(const char *crl_dir, 
openvpn_x509_cert_t *cert,
 goto cleanup;
 }
 
-if (!openvpn_snprintf(fn, sizeof(fn), "%s%c%s", crl_dir, 
OS_SPECIFIC_DIRSEP, serial))
+if (!openvpn_snprintf(fn, sizeof(fn), "%s%c%s", crl_dir, PATH_SEPARATOR, 
serial))
 {
 msg(D_HANDSHAKE, "VERIFY CRL: filename overflow");
 goto cleanup;
diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h
index a964ffd35..28ccca087 100644
--- a/src/openvpn/syshead.h
+++ b/src/openvpn/syshead.h
@@ -432,9 +432,11 @@ typedef unsigned short sa_family_t;
  * Directory separation char
  */
 #ifdef _WIN32
-#define OS_SPECIFIC_DIRSEP '\\'
+#define PATH_SEPARATOR '\\'
+#define PATH_SEPARATOR_STR "\\"
 #else
-#define OS_SPECIFIC_DIRSEP '/'
+#define PATH_SEPARATOR '/'
+#define PATH_SEPARATOR_STR "/"
 #endif
 
 /*
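Review bot: config-msvc.h:85-86 still carry `#define PATH_SEPARATOR '\\'` and `#define PATH_SEPARATOR_STR "\\"` (Antonio's question in the thread). Identical redefinition is legal C, but the MSVC copy is now redundant and will drift from this one; remove it in the same patch so syshead.h is the single definition.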
-- 
2.31.1





[Openvpn-devel] [PATCH 1/7] Remove --disable-multihome option

2021-04-21 Thread Arne Schwabe
With this change we always build multihome support if the operating
system supports it.

Signed-off-by: Arne Schwabe 
---
 configure.ac  | 7 ---
 src/openvpn/syshead.h | 2 +-
 2 files changed, 1 insertion(+), 8 deletions(-)

diff --git a/configure.ac b/configure.ac
index 747325164..aaac65c3d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -121,13 +121,6 @@ AC_ARG_ENABLE(
[enable_fragment="yes"]
 )
 
-AC_ARG_ENABLE(
-   [multihome],
-   [AS_HELP_STRING([--disable-multihome], [disable multi-homed UDP server 
support (--multihome) @<:@default=yes@:>@])],
-   ,
-   [enable_multihome="yes"]
-)
-
 AC_ARG_ENABLE(
[port-share],
[AS_HELP_STRING([--disable-port-share], [disable TCP server port-share 
support (--port-share) @<:@default=yes@:>@])],
diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h
index bac07d102..0b029c648 100644
--- a/src/openvpn/syshead.h
+++ b/src/openvpn/syshead.h
@@ -391,7 +391,7 @@ typedef int MIB_TCP_STATE;
  * Does this platform support linux-style IP_PKTINFO
  * or bsd-style IP_RECVDSTADDR ?
  */
-#if defined(ENABLE_MULTIHOME) && ((defined(HAVE_IN_PKTINFO) && 
defined(IP_PKTINFO)) || defined(IP_RECVDSTADDR)) && defined(HAVE_MSGHDR) && 
defined(HAVE_CMSGHDR) && defined(HAVE_IOVEC) && defined(CMSG_FIRSTHDR) && 
defined(CMSG_NXTHDR) && defined(HAVE_RECVMSG) && defined(HAVE_SENDMSG)
+#if ((defined(HAVE_IN_PKTINFO) && defined(IP_PKTINFO)) || 
defined(IP_RECVDSTADDR)) && defined(HAVE_MSGHDR) && defined(HAVE_CMSGHDR) && 
defined(HAVE_IOVEC) && defined(CMSG_FIRSTHDR) && defined(CMSG_NXTHDR) && 
defined(HAVE_RECVMSG) && defined(HAVE_SENDMSG)
 #define ENABLE_IP_PKTINFO 1
 #else
 #define ENABLE_IP_PKTINFO 0
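Review bot: ENABLE_MULTIHOME no longer feeds into ENABLE_IP_PKTINFO, so the decision is now purely the platform feature checks, which matches the commit message; `config-msvc.h:13:#define ENABLE_MULTIHOME 1` is left behind as a stale define though, and should be removed here too.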
-- 
2.31.1





[Openvpn-devel] [PATCH 7/7] Remove a number of platform specific checks in configure.ac

2021-04-21 Thread Arne Schwabe
- Remove windows XP/old mingw compat code in socket.c
- Use _WIN32 instead checking for existence of windows.h, winsock2.h
  and ws2tcpip.h in autoconf
- Remove check for unlink. The last remaining use is a check inside
  a Unix socket.
- Even Windows has umask, so remove the check for it

Signed-off-by: Arne Schwabe 
---
 configure.ac  | 11 +--
 src/compat/compat.h   |  5 +
 src/openvpn/event.c   |  4 
 src/openvpn/socket.c  | 16 
 src/openvpn/syshead.h |  6 ++
 5 files changed, 12 insertions(+), 30 deletions(-)

diff --git a/configure.ac b/configure.ac
index 3b4d3cbc7..94897c863 100644
--- a/configure.ac
+++ b/configure.ac
@@ -412,7 +412,6 @@ AC_CHECK_HEADERS([ \
unistd.h dlfcn.h \
netinet/in.h netinet/in_systm.h \
netinet/tcp.h arpa/inet.h netdb.h \
-   windows.h winsock2.h ws2tcpip.h \
versionhelpers.h \
 ])
 AC_CHECK_HEADERS([ \
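Review bot: with windows.h, winsock2.h and ws2tcpip.h gone from AC_CHECK_HEADERS, HAVE_WINDOWS_H, HAVE_WINSOCK2_H and HAVE_WS2TCPIP_H are never defined by configure; this patch converts the SOCKET_INCLUDES and compat.h users, but any `#ifdef` on those three macros left elsewhere now compiles out silently instead of failing, so grep the tree (and config-msvc.h) for the three names before merging.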
@@ -438,13 +437,13 @@ SOCKET_INCLUDES="
 #ifdef HAVE_NETINET_IN_H
 #include 
 #endif
-#ifdef HAVE_WINDOWS_H
+#ifdef _WIN32
 #include 
 #endif
-#ifdef HAVE_WINSOCK2_H
+#ifdef _WIN32
 #include 
 #endif
-#ifdef HAVE_WS2TCPIP_H
+#ifdef _WIN32
 #include 
 #endif
 #ifdef HAVE_NETINET_IN_SYSTM_H
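Review bot: the three back-to-back `#ifdef _WIN32` / `#endif` pairs in SOCKET_INCLUDES can be collapsed into one block around all three includes, as the compat.h hunk in this same patch already does.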
@@ -623,8 +622,8 @@ AC_CHECK_FUNCS([ \
daemon chroot getpwnam setuid nice system getpid dup dup2 \
syslog openlog mlockall getrlimit getgrnam setgid \
setgroups flock readv writev time gettimeofday \
-   setsid chdir getpeername unlink \
-   chsize ftruncate execve getpeereid umask basename dirname access \
+   setsid chdir getpeername \
+   chsize ftruncate execve getpeereid basename dirname access \
epoll_create strsep \
 ])
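Review bot: same concern as for the header checks: with `unlink` and `umask` removed from AC_CHECK_FUNCS, HAVE_UNLINK and HAVE_UMASK are never defined, and an `#ifdef HAVE_UMASK` or `#ifdef HAVE_UNLINK` this patch missed would now drop its code without any compile error. The two socket.c sites are handled below; the rest of the tree needs a grep.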
 
diff --git a/src/compat/compat.h b/src/compat/compat.h
index 2bf48a5eb..026974a81 100644
--- a/src/compat/compat.h
+++ b/src/compat/compat.h
@@ -24,11 +24,8 @@
 #ifndef COMPAT_H
 #define COMPAT_H
 
-#ifdef HAVE_WINSOCK2_H
+#ifdef _WIN32
 #include 
-#endif
-
-#ifdef HAVE_WS2TCPIP_H
 #include 
 #endif
 
diff --git a/src/openvpn/event.c b/src/openvpn/event.c
index 14a25155c..d766f8be8 100644
--- a/src/openvpn/event.c
+++ b/src/openvpn/event.c
@@ -35,6 +35,10 @@
 #include "event.h"
 #include "fdmisc.h"
 
+#if EPOLL
+#include 
+#endif
+
 #include "memdbg.h"
 
 /*
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index 4e13c65e8..01c65b3e0 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
@@ -1385,14 +1385,6 @@ socket_listen_accept(socket_descriptor_t sd,
 return new_sd;
 }
 
-/* older mingw versions and WinXP do not have this define,
- * but Vista and up support the functionality - just define it here
- */
-#ifdef _WIN32
-#ifndef IPV6_V6ONLY
-#define IPV6_V6ONLY 27
-#endif
-#endif
 void
 socket_bind(socket_descriptor_t sd,
 struct addrinfo *local,
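Review bot: dropping the IPV6_V6ONLY fallback fits the stated goal of removing Windows XP and old mingw compatibility, but the commit message should name the minimum mingw-w64 / Windows SDK version that now becomes a hard requirement: a toolchain whose headers lack IPV6_V6ONLY will fail to compile socket_bind() rather than quietly working as before.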
@@ -3905,10 +3897,7 @@ socket_bind_unix(socket_descriptor_t sd,
  const char *prefix)
 {
 struct gc_arena gc = gc_new();
-
-#ifdef HAVE_UMASK
 const mode_t orig_umask = umask(0);
-#endif
 
 if (bind(sd, (struct sockaddr *) local, sizeof(struct sockaddr_un)))
 {
@@ -3919,10 +3908,7 @@ socket_bind_unix(socket_descriptor_t sd,
 sockaddr_unix_name(local, "NULL"));
 }
 
-#ifdef HAVE_UMASK
 umask(orig_umask);
-#endif
-
 gc_free(&gc);
 }
 
@@ -3967,12 +3953,10 @@ void
 socket_delete_unix(const struct sockaddr_un *local)
 {
 const char *name = sockaddr_unix_name(local, NULL);
-#ifdef HAVE_UNLINK
 if (name && strlen(name))
 {
 unlink(name);
 }
-#endif
 }
 
 bool
diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h
index 28ccca087..15de0b46d 100644
--- a/src/openvpn/syshead.h
+++ b/src/openvpn/syshead.h
@@ -100,10 +100,6 @@
 #include 
 #endif
 
-#ifdef HAVE_IO_H
-#include 
-#endif
-
 #ifdef HAVE_SYS_FILE_H
 #include 
 #endif
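Review bot: the `#ifdef HAVE_IO_H` include is removed here, yet io.h stays in AC_CHECK_HEADERS (patch 2/7 leaves `fcntl.h io.h` in the list), so configure keeps probing a header nobody reads. Either drop io.h from AC_CHECK_HEADERS as well or, if some Windows code still needs io.h, keep the include under `#ifdef _WIN32` and say so in the commit message.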
@@ -338,6 +334,8 @@ typedef int MIB_TCP_STATE;
 #include 
 #include 
 #include 
+#include 
+
 /* The following two headers are needed of PF_INET6 */
 #include 
 #include 
-- 
2.31.1





[Openvpn-devel] [PATCH 5/7] Remove support for blocking connect()

2021-04-21 Thread Arne Schwabe
It is hard to imagine that we still have any supported OS that does
not support non-blocking connect while still supporting non-blocking
sockets in general.

Signed-off-by: Arne Schwabe 
---
 src/openvpn/socket.c  |  8 
 src/openvpn/syshead.h | 11 ---
 2 files changed, 19 deletions(-)

diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index 8a6e42cc6..4e13c65e8 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
@@ -1459,7 +1459,6 @@ openvpn_connect(socket_descriptor_t sd,
 protect_fd_nonlocal(sd, remote);
 #endif
 
-#ifdef CONNECT_NONBLOCK
 set_nonblock(sd);
 status = connect(sd, remote, af_addr_size(remote->sa_family));
 if (status)
@@ -1540,13 +1539,6 @@ openvpn_connect(socket_descriptor_t sd,
 }
 }
 }
-#else  /* ifdef CONNECT_NONBLOCK */
-status = connect(sd, remote, af_addr_size(remote->sa_family));
-if (status)
-{
-status = openvpn_errno();
-}
-#endif /* ifdef CONNECT_NONBLOCK */
 
 return status;
 }
diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h
index f29c63c73..a964ffd35 100644
--- a/src/openvpn/syshead.h
+++ b/src/openvpn/syshead.h
@@ -155,10 +155,6 @@
 #include 
 #endif
 
-#ifdef HAVE_SYS_EPOLL_H
-#include 
-#endif
-
 #ifdef ENABLE_SELINUX
 #include 
 #endif
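Review bot: the HAVE_SYS_EPOLL_H include removal has nothing to do with blocking connect(); as the author confirmed in the thread it belongs in 7/7, where event.c gains the matching `#if EPOLL` include. Left in 5/7 it makes the series non-bisectable: a tree between 5/7 and 7/7 builds event.c on Linux without the epoll header. Move this hunk to 7/7.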
@@ -545,13 +541,6 @@ socket_defined(const socket_descriptor_t sd)
 #define EPOLL 0
 #endif
 
-/*
- * Is non-blocking connect() supported?
- */
-#if defined(SOL_SOCKET) && defined(SO_ERROR) && defined(EINPROGRESS) && 
defined(ETIMEDOUT)
-#define CONNECT_NONBLOCK
-#endif
-
 /*
  * Compression support
  */
-- 
2.31.1





[Openvpn-devel] [PATCH 3/7] Remove always enabled USE_64_BIT_COUNTERS define

2021-04-21 Thread Arne Schwabe
Also change the types to use C99 uint64_t and its printf u64 define.

Signed-off-by: Arne Schwabe 
---
 src/openvpn/common.h  | 15 +++
 src/openvpn/syshead.h |  5 -
 2 files changed, 3 insertions(+), 17 deletions(-)

diff --git a/src/openvpn/common.h b/src/openvpn/common.h
index 623b3e0d7..544fa238e 100644
--- a/src/openvpn/common.h
+++ b/src/openvpn/common.h
@@ -25,19 +25,10 @@
 #define COMMON_H
 
 /*
- * Statistics counters and associated printf formats.
+ * Statistics counters and associated printf format.
  */
-#ifdef USE_64_BIT_COUNTERS
-typedef unsigned long long int counter_type;
-#ifdef _WIN32
-#define counter_format  "%I64u"
-#else
-#define counter_format  "%llu"
-#endif
-#else  /* ifdef USE_64_BIT_COUNTERS */
-typedef unsigned int counter_type;
-#define counter_format   "%u"
-#endif
+typedef uint64_t counter_type;
+#define counter_format  "%" PRIu64
 
 /*
  * Time intervals
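Review bot: `uint64_t` and `PRIu64` need <stdint.h> and <inttypes.h>, and the hunk does not add either include to common.h, so this relies on syshead.h or config.h having pulled them in first; include <inttypes.h> here explicitly or note the dependency in a comment. A mingw build is also worth running before merging, since the old code special-cased Windows with `%I64u` and the Windows expansion of PRIu64 depends on which printf implementation the mingw headers target.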
diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h
index cb9bf7dc7..f29c63c73 100644
--- a/src/openvpn/syshead.h
+++ b/src/openvpn/syshead.h
@@ -458,11 +458,6 @@ socket_defined(const socket_descriptor_t sd)
 return sd != SOCKET_UNDEFINED;
 }
 
-/*
- * Should statistics counters be 64 bits?
- */
-#define USE_64_BIT_COUNTERS
-
 /*
  * Should we enable the use of execve() for calling subprocesses,
  * instead of system()?
-- 
2.31.1





[Openvpn-devel] [PATCH 2/7] Move direct.h header where it is used

2021-04-21 Thread Arne Schwabe
The direct.h header provides only a handful of functions [1] of which
we only use _wchdir. Directly include the direct.h file where it is
used and remove autoconf magic around it.

[1] 
https://docs.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2012/as5kw0ze(v=vs.110)?redirectedfrom=MSDN

Signed-off-by: Arne Schwabe 
---
 configure.ac   | 2 +-
 src/openvpn/platform.c | 4 
 src/openvpn/syshead.h  | 4 
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/configure.ac b/configure.ac
index aaac65c3d..a67bf2595 100644
--- a/configure.ac
+++ b/configure.ac
@@ -407,7 +407,7 @@ AX_TYPE_SOCKLEN_T
 AC_CHECK_SIZEOF([unsigned int])
 AC_CHECK_SIZEOF([unsigned long])
 AC_CHECK_HEADERS([ \
-   fcntl.h io.h direct.h \
+   fcntl.h io.h \
sys/types.h sys/socket.h \
unistd.h dlfcn.h \
netinet/in.h netinet/in_systm.h \
diff --git a/src/openvpn/platform.c b/src/openvpn/platform.c
index 45ee54541..c63c1d994 100644
--- a/src/openvpn/platform.c
+++ b/src/openvpn/platform.c
@@ -39,6 +39,10 @@
 
 #include "platform.h"
 
+#if _WIN32
+#include 
+#endif
+
 /* Redefine the top level directory of the filesystem
  * to restrict access to files for security */
 void
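Review bot: `#if _WIN32` works only because the compiler predefines _WIN32 as 1; the rest of the tree tests it with `#ifdef _WIN32` (see the syshead.h hunk in patch 6/7 of this series), so use `#ifdef` here for consistency.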
diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h
index 0b029c648..cb9bf7dc7 100644
--- a/src/openvpn/syshead.h
+++ b/src/openvpn/syshead.h
@@ -100,10 +100,6 @@
 #include 
 #endif
 
-#ifdef HAVE_DIRECT_H
-#include 
-#endif
-
 #ifdef HAVE_IO_H
 #include 
 #endif
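Review bot: with the `#ifdef HAVE_DIRECT_H` block gone, `config-msvc.h:33:#define HAVE_DIRECT_H 1` (Antonio's point in the thread) is dead and should be removed in this patch.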
-- 
2.31.1





[Openvpn-devel] Summary of the community meeting (21st April 2021)

2021-04-21 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 21st April 2021
Time: 14:00 CET (12:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, lev, mattock, ordex and plaisthos participated in 
this meeting.


--

Noted that OpenVPN 2.5.2 and 2.4.11 are out and include important 
security fixes. Fixes to "master" and release/2.3 branch will follow soon.


Also wrote our security announcement for those releases:



--

Noted that Lev is working on the ovpn-dco MSI installer.

--

Discussed AWS MacOS instances in context of Buildbot. Noted that they're 
essentially dedicated Mac Minis and the minimum billing is one day. So, 
not really disposable virtual machines you could use for five minutes 
and get rid of. The daily price is around $25.


There is an internal OpenVPN Inc. ticket for providing a virtualized 
MacOS VM for use by the community. So we don't need the overpriced AWS 
Mac Minis for this.


--

Noted that mattock is 90% free from OpenVPN ops work now. [This means 
the Buildbot environment upgrade can start soon].


---

Full chatlog attached
(15:01:58) mattock: hi
(15:02:00) plaisthos: hey
(15:02:15) ordex: we stic to the chat?
(15:02:19) cron2: *burb*
(15:02:19) ordex: *stick
(15:02:50) ordex: *prot*
(15:03:18) mattock: chat is fine for me, easier to summarize :)
(15:04:10) ordex: kk
(15:04:15) mattock: I'll add the agenda page
(15:05:48) mattock: I stripped out pretty much everything: 
https://community.openvpn.net/openvpn/wiki/Topics-2021-04-21
(15:05:55) mattock: the previous meeting agenda was also a summary
(15:06:05) ordex: 2.5.2 is out - congrats!!!
(15:06:18) ordex: our palindrome release
(15:06:39) dazo: heh :)
(15:06:58) mattock: added back some stuff
(15:07:18) mattock: also known as "The Plaishos Release"
(15:07:49) dazo: Plaisthos Pandora Box Release
(15:08:12) mattock: "State machine release"
(15:08:12) dazo: but  so ... topics?
(15:08:15) plaisthos: why my release?
(15:08:20) mattock: 10 patches from you
(15:08:25) mattock: and your Pandora's box
(15:08:27) mattock: :)
(15:08:38) ordex: anything specific to discuss about 2.5 at the moment ?
(15:08:46) mattock: no
(15:08:50) ***cron2 is annoyed about 2.4.11
(15:08:58) ordex: cron2: because of the patch?
(15:09:01) cron2: yes
(15:09:11) dazo: I'm finalizing the Fedora, EPEL and Copr builds for 2.4 and 2.5
(15:09:19) ordex: you could change the commit and repush and retag
(15:09:24) ordex: not sure anybody has pulled yet
(15:09:28) ordex: but might be ugl
(15:09:29) ordex: y
(15:09:40) dazo: what about .11?
(15:09:50) mattock: rewriting history should be reserved for kings, emperors 
and bishops
(15:10:10) cron2: ordex: no, never
(15:10:24) ordex: cron2: I agree - but wanted to see if you could feel a little 
better :p
(15:10:25) cron2: dazo: the commit message for "the CVE patch" is... lacking
(15:10:36) dazo: As the emperor, I announce cron2 as a king :-P
(15:11:04) cron2: yeah, but rewriting *public* history needs lots of "burning 
books" and I'm not going to do that :-)
(15:11:09) ordex: we could/should come up with a wikipage about this security 
situation maybe? and there we could add links to the commits? this way the 
2.4.11 commit would somewhat be logically extended
(15:11:32) cron2: we have a wiki page and refer to it from Changes.rst
(15:11:33) cron2: 
https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
(15:11:38) dazo: cron2: force-push of an amended commit message might be 
acceptable, if it's just the last commit needing changes  otherwise there 
is the 'git note', which is a bit annoying to push and fetch
(15:11:41) dazo: but!
(15:11:43) cron2: so that should now be maintained
(15:11:47) dazo: we could use tags here as well 
(15:12:09) cron2: dazo: well, it's the commit before that... and the release 
has a signed tag... nothing good will come out of this
(15:12:11) dazo: tag the release with cve/2020-  and a signed tag can 
have the appropriate message
(15:12:53) plaisthos: is this really a big deal?
(15:12:55) cron2: we've never used CVE IDs as tags, and it won't trivially work 
anyway as the CVE is fixed in 2.4, 2.5 and master (eventually)...
(15:13:10) dazo: oh, true
(15:13:18) cron2: plaisthos: it totally annoys *me*, but in the grand scheme, 
it's probably not that important
(15:13:21) ordex: honestly, I think we can live with this. I don't think it's a 
big deal
(15:13:29) mattock: my hope is that whatever we do does not require 2.4.12
(15:13:41) ordex: I presume 3 or 4 people in total will look at the release/2.4 
branch
(15:13:46) ordex: mattock: nope
(15:14:36) mattock: anyways, do we have the text for 
https://community.openvpn.net/openvpn/wiki/

[Openvpn-devel] [PATCH v2] Allow all GCM ciphers

2021-04-21 Thread Arne Schwabe
OpenSSL also allows ARIA-GCM, and that works well with our implementation.
While the handpicked list was needed for earlier OpenSSL versions (and
is still needed for Chacha20-Poly1305), the API nowadays with OpenSSL
1.0.2 and 1.1.x works as expected.

Patch V2: Remove special cases for AES-GCM ciphers.

Signed-off-by: Arne Schwabe 
---
 src/openvpn/crypto_openssl.c | 15 ---
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index f8b36bf85..57731ed79 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -728,16 +728,17 @@ cipher_kt_mode_aead(const cipher_kt_t *cipher)
 {
 if (cipher)
 {
-switch (EVP_CIPHER_nid(cipher))
+if (EVP_CIPHER_mode(cipher) == OPENVPN_MODE_GCM)
 {
-case NID_aes_128_gcm:
-case NID_aes_192_gcm:
-case NID_aes_256_gcm:
+return true;
+}
+
 #ifdef NID_chacha20_poly1305
-case NID_chacha20_poly1305:
-#endif
-return true;
+if (EVP_CIPHER_nid(cipher) == NID_chacha20_poly1305)
+{
+return true;
 }
+#endif
 }
 
 return false;
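Review bot: the mode test now treats every cipher OpenSSL reports as GCM mode as AEAD (ARIA-GCM included, as the commit message says), so the set of AEAD ciphers OpenVPN accepts is now decided by the OpenSSL build rather than by an OpenVPN allow-list; that is the intent, but a short comment above `if (EVP_CIPHER_mode(cipher) == OPENVPN_MODE_GCM)` explaining why GCM is detected by mode while ChaCha20-Poly1305 still needs the NID check inside `#ifdef NID_chacha20_poly1305` would make the asymmetry clear to the next reader.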
-- 
2.31.1





[Openvpn-devel] OpenVPN 2.4.11 released

2021-04-21 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.4.11. 
It fixes two related security vulnerabilities (CVE-2020-15078) which 
under very specific circumstances allow tricking a server using delayed 
authentication (plugin or management) into returning a PUSH_REPLY before 
the AUTH_FAILED message, which can possibly be used to gather 
information about a VPN setup. This release also includes other bug 
fixes and improvements. Updated OpenSSL and OpenVPN GUI are included in 
Windows installers.


Source code and Windows installers can be downloaded from our download page:



Debian and Ubuntu packages are available in the official apt repositories:



--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




[Openvpn-devel] OpenVPN 2.5.2 released

2021-04-21 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.5.2. It 
fixes two related security vulnerabilities (CVE-2020-15078) which under 
very specific circumstances allow tricking a server using delayed 
authentication (plugin or management) into returning a PUSH_REPLY before 
the AUTH_FAILED message, which can possibly be used to gather 
information about a VPN setup. In combination with "--auth-gen-token" or 
a user-specific token auth solution it can be possible to get access to 
a VPN with an otherwise-invalid account. OpenVPN 2.5.2 also includes 
other bug fixes and improvements. Updated OpenSSL and OpenVPN GUI are 
included in Windows installers.


Source code and Windows installers can be downloaded from our download page:



Debian and Ubuntu packages are available in the official apt repositories:



On Red Hat derivatives we recommend using the Fedora Copr repository.



---

Overview of changes since OpenVPN 2.4

  Faster connections

Connection setup is now much faster

  Crypto specific changes

ChaCha20-Poly1305 cipher in the OpenVPN data channel
  (Requires OpenSSL 1.1.0 or newer)
Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
Client-specific tls-crypt keys (--tls-crypt-v2)
Improved Data channel cipher negotiation
Removal of BF-CBC support in default configuration (see below for
possible incompatibilities)

  Server-side improvements

HMAC based auth-token support for seamless reconnects to standalone
  servers or a group of servers.
Asynchronous (deferred) authentication support for auth-pam plugin
Asynchronous (deferred) support for client-connect scripts and
  plugins

  Network-related changes

Support IPv4 configs with /31 netmasks now
802.1q VLAN support on TAP servers
IPv6-only tunnels
New option --block-ipv6 to reject all IPv6 packets (ICMPv6)

  Linux-specific features

VRF support
Netlink integration (OpenVPN no longer needs to execute
  ifconfig/route or ip commands)

  Windows-specific features

Wintun driver support, a faster alternative to tap-windows6
Setting tun/tap interface MTU
Setting DHCP search domain
Allow unicode search string in --cryptoapicert option
EasyRSA3, a modern take on OpenVPN CA management
MSI installer

---

Important notices

BF-CBC cipher is no longer the default

Cipher handling for the data channel cipher has been significantly
changed between OpenVPN 2.3/2.4 and v2.5; most notably, there is no
"default cipher BF-CBC" anymore because it is no longer considered a
reasonable default. BF-CBC is still available, but it needs to be
explicitly configured now.

For connections between OpenVPN 2.4 and v2.5 clients and servers, both
ends will be able to negotiate a better cipher than BF-CBC. By default
they will select one of the AES-GCM ciphers, but this can be influenced
using the --data-ciphers setting.

Connections between OpenVPN 2.3 and v2.5 that have no --cipher setting
in the config (= defaulting to BF-CBC and not being negotiation-capable)
must be updated. Unless BF-CBC is included in --data-ciphers or there is
a "--cipher BF-CBC" in the OpenVPN 2.5 config, a v2.5 client or server
will refuse to talk to a v2.3 server or client, because it has no common
data channel cipher and negotiating a cipher is not possible. Generally,
we recommend upgrading such setups to OpenVPN 2.4 or v2.5. If upgrading
is not possible we recommend adding data-ciphers
AES-256-GCM:AES-128-GCM:AES-128-CBC (for v2.5+) or cipher AES-128-CBC
(v2.4.x and older) to the configuration of all clients and servers.

If you really need to use an unsupported OpenVPN 2.3 (or even older)
release and need to stay on BF-CBC (not recommended), the OpenVPN 2.5
based client will need a config file change to re-enable BF-CBC.  But be
warned that BF-CBC and other related weak ciphers will be removed in
coming OpenVPN major releases.

For full details see the Data channel cipher negotiation section on the
man page.

Connectivity to some VPN service providers may break

Connecting with an OpenVPN 2.5 client to at least one commercial VPN
service that implemented their own cipher negotiation method, which
always reports back to the client that it is using BF-CBC, is broken in
v2.5. This has always caused warnings about mismatched ciphers. We have
been in contact with some service providers and they are looking into
it.  This is not something the OpenVPN community can fix. If your
commercial VPN does not work with a v2.5 client, complain to the VPN
service provider.

More details on these new features as well as a list of deprecated
features and user-visible changes are available in Changes.rst:



---

Linux packages are available from


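A small compatibility check for the BF-CBC rules spelled out in the notice above, added here as an example (not OpenVPN project code); it assumes the 2.5 default data-ciphers list is the two AES-GCM ciphers and models a 2.5 endpoint's own `--cipher` as an accepted fallback, as the notice describes.

```python
"""Check whether an OpenVPN 2.5 endpoint can still talk to a non-negotiating
OpenVPN 2.3 peer, following the BF-CBC rules in the 2.5.2 release notes.
Added example, not OpenVPN project code: the small config parser and the
cipher-list model are simplifications, not OpenVPN's own logic."""

# Assumed 2.5 default list (per the notes: AES-GCM is negotiated by default
# and BF-CBC is no longer included).
DEFAULT_DATA_CIPHERS_25 = ["AES-256-GCM", "AES-128-GCM"]

def parse_config(text):
    """Map option name (leading '--' stripped) to its argument list.
    Strips '#' and ';' comments; a later line overrides an earlier one."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            opts[name.lstrip("-")] = args
    return opts

def legacy_peer_cipher(opts):
    """A 2.3 peer cannot negotiate: it uses --cipher, defaulting to BF-CBC."""
    return opts["cipher"][0].upper() if opts.get("cipher") else "BF-CBC"

def accepted_ciphers_25(opts):
    """Ciphers a 2.5 endpoint accepts from a peer that cannot negotiate:
    --data-ciphers (or the default list) plus its own --cipher, if set."""
    accepted = list(DEFAULT_DATA_CIPHERS_25)
    if opts.get("data-ciphers"):
        accepted = opts["data-ciphers"][0].upper().split(":")
    if opts.get("cipher"):
        accepted.append(opts["cipher"][0].upper())
    return accepted

def check_legacy_compat(cfg25, cfg23):
    """Return (compatible, cipher the 2.3 side will insist on)."""
    want = legacy_peer_cipher(parse_config(cfg23))
    return want in accepted_ciphers_25(parse_config(cfg25)), want

# Constructed sample configs, reduced to the cipher-relevant lines.
BASE = "client\ndev tun\nremote vpn.example.invalid 1194\n"
OLD_23_FIXED = BASE + "cipher AES-128-CBC  # recommended for 2.4.x and older\n"
NEW_25_FIXED = BASE + "data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC\n"
NEW_25_BFCBC = BASE + "cipher BF-CBC  ; explicitly re-enables the weak cipher\n"

if __name__ == "__main__":
    for label, a, b in [("defaults", BASE, BASE), ("fixed", NEW_25_FIXED, OLD_23_FIXED)]:
        ok, cipher = check_legacy_compat(a, b)
        print(f"{label}: 2.3 peer wants {cipher}: {'OK' if ok else 'REFUSED'}")
```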

[Openvpn-devel] [PATCH] tapctl: support for ovpn-dco Windows driver

2021-04-21 Thread Lev Stipakov
From: Lev Stipakov 

Make tapctl aware of ovpn-dco.

Signed-off-by: Lev Stipakov 
---
 src/tapctl/main.c | 13 +++--
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/src/tapctl/main.c b/src/tapctl/main.c
index d5bc7290..3350bf1f 100644
--- a/src/tapctl/main.c
+++ b/src/tapctl/main.c
@@ -81,9 +81,9 @@ static const TCHAR usage_message_create[] =
 TEXT("   specified, a default adapter name is chosen by 
Windows. \n")
 TEXT("   Note: This name can also be specified as OpenVPN's 
--dev-node   \n")
 TEXT("   option.   
  \n")
-TEXT("--hwid   Adapter hardware ID. Default value is root\\tap0901, 
which   \n")
-TEXT("   describes tap-windows6 driver. To work with wintun 
driver,  \n")
-TEXT("   specify 'wintun'. 
  \n")
+TEXT("--hwid   Adapter hardware ID. Default value is root\\tap0901, 
which  \n")
+TEXT("   describes tap-windows6 driver. To work with wintun or 
ovpn-dco  \n")
+TEXT("   driver, specify 'wintun' or 'ovpn-dco'.   
  \n")
 TEXT("\n")
 TEXT("Output:\n")
 TEXT("\n")
@@ -101,8 +101,8 @@ static const TCHAR usage_message_list[] =
 TEXT("\n")
 TEXT("Options:\n")
 TEXT("\n")
-TEXT("--hwid   Adapter hardware ID. By default, root\\tap0901, 
tap0901 and  \n")
-TEXT("   wintun adapters are listed. Use this switch to limit 
the list.  \n")
+TEXT("--hwid   Adapter hardware ID. By default, root\\tap0901, 
tap0901, wintun and \n")
+TEXT("   ovpn-dco adapters are listed. Use this switch to 
limit the list.\n")
 TEXT("\n")
 TEXT("Output:\n")
 TEXT("\n")
@@ -275,7 +275,8 @@ create_delete_adapter:
 TCHAR szzHwId[0x100] =
 TEXT("root\\") TEXT(TAP_WIN_COMPONENT_ID) TEXT("\0")
 TEXT(TAP_WIN_COMPONENT_ID) TEXT("\0")
-TEXT("Wintun\0");
+TEXT("Wintun\0")
+TEXT("ovpn-dco\0");
 
 /* Parse options. */
 for (int i = 2; i < argc; i++)
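Review bot: the new TEXT("ovpn-dco\0") entry correctly extends the double-NUL-terminated szzHwId list and fits the 0x100 TCHAR buffer, but the spelling is now inconsistent with the neighbouring entry: the list carries 'Wintun' while the usage text in the first two hunks tells users to pass 'wintun' and 'ovpn-dco'. Either confirm in the commit message that the hardware-ID comparison is case-insensitive or make the default entries match the documented spellings, and state which driver INF hardware ID 'ovpn-dco' corresponds to.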
-- 
2.17.1


