[Openvpn-devel] [PATCH v3 (release/2.3)] Drop recursively routed packets

2016-09-17 Thread Lev Stipakov
From: Lev Stipakov <lev.stipa...@f-secure.com> v3: Use better way of figuring out IP proto version which does not break TAP mode. Add an option to allow recursive routing, could be useful when packets sent by openvpn itself are not subject to the routing tables that would move p

[Openvpn-devel] [PATCH v3] Support for disabled peer-id

2016-09-17 Thread Lev Stipakov
From: Lev Stipakov <lev.stipa...@f-secure.com> v3: * move assert outside of loop * add max-clients value check to options v2: * Add round brackets for clarity * Rephrase comment Support for disabled peer-id When peer-id value is 0xFF, server should ignore it and treat packet in a sa

[Openvpn-devel] [PATCH v4] Support for disabled peer-id

2016-09-17 Thread Lev Stipakov
From: Lev Stipakov <lev.stipa...@f-secure.com> v4: - replace magic number with define - show user a decimal value instead of hex v3: * move assert outside of loop * add max-clients value check to options v2: * Add round brackets for clarity * Rephrase comment Support for disabled peer-id

[Openvpn-devel] [PATCH v5] Support for disabled peer-id

2016-09-18 Thread Lev Stipakov
From: Lev Stipakov <lev.stipa...@f-secure.com> v5: * Few more nitpicks v4: * replace magic number with define * show user a decimal value instead of hex v3: * move assert outside of loop * add max-clients value check to options v2: * Add round brackets for clarity * Rephrase comment S

[Openvpn-devel] [PATCH] Fix duplicated PUSH_REPLY options

2016-09-24 Thread Lev Stipakov
ontext, when options are added and context is reused - we got duplicates. Fixed by adding options to buffer, as it was done previously. Signed-off-by: Lev Stipakov <lstipa...@gmail.com> --- src/openvpn/push.c | 83 +++--- 1 file changed, 22 inser

[Openvpn-devel] [PATCH 2.3] Exclude peer-id from pulled options digest

2016-09-24 Thread Lev Stipakov
Peer-id might change on restart and this should not trigger reopening tun. Trac #649 --- src/openvpn/push.c | 38 -- 1 file changed, 24 insertions(+), 14 deletions(-) diff --git a/src/openvpn/push.c b/src/openvpn/push.c index 71f39c1..6feaa2a 100644 ---

[Openvpn-devel] [PATCH master] Exclude peer-id from pulled options digest

2016-09-24 Thread Lev Stipakov
Peer-id might change on restart and this should not trigger reopening tun. Trac #649 --- src/openvpn/push.c | 39 --- 1 file changed, 24 insertions(+), 15 deletions(-) diff --git a/src/openvpn/push.c b/src/openvpn/push.c index a1b999e..d7d54bf 100644 ---

Re: [Openvpn-devel] [PATCH] Fix duplicated PUSH_REPLY options

2016-10-01 Thread Lev Stipakov
Hi, ACK from me - tested that peer-id and cipher are not duplicated in PUSH_REPLY when client reconnects and push-continuation works. -Lev 2016-09-29 20:49 GMT+03:00 Steffan Karger <stef...@karger.me>: > Hi, > > On 24 September 2016 at 12:23, Lev Stipakov <lstipa..

[Openvpn-devel] Fwd: [PATCH] Fix duplicated PUSH_REPLY options

2016-10-01 Thread Lev Stipakov
+03:00 Subject: Re: [Openvpn-devel] [PATCH] Fix duplicated PUSH_REPLY options To: Lev Stipakov <lstipa...@gmail.com> Hi, On 24 September 2016 at 12:23, Lev Stipakov <lstipa...@gmail.com> wrote: > Starting from https://github.com/OpenVPN/openvpn/commit/3a5a46cf2b7f6a8b85 20c2513a805

[Openvpn-devel] [PATCH v2 2.3] Exclude peer-id from pulled options digest

2016-10-04 Thread Lev Stipakov
v2: - Use md5_* methods - Move digest update to separate method Peer-id might change on restart and this should not trigger reopening tun. Trac #649 --- src/openvpn/push.c | 43 +-- 1 file changed, 29 insertions(+), 14 deletions(-) diff --git

[Openvpn-devel] [PATCH v2] Exclude peer-id from pulled options digest

2016-10-04 Thread Lev Stipakov
v2: - Move digest update to separate method Peer-id might change on restart and this should not trigger reopening tun. Trac #649 --- src/openvpn/push.c | 45 ++--- 1 file changed, 30 insertions(+), 15 deletions(-) diff --git a/src/openvpn/push.c

Re: [Openvpn-devel] [PATCH 2.3] Fix compilation in pedantic mode

2016-10-05 Thread Lev Stipakov
Hi, I am, and the first version is what we do in (most?) other places, so I'll > change that on the fly. > Got it. > Also, the patch introduces spurious tab<->whitespace changes "close to > comments" in a few places - will undo those, too. I noticed that in a few places indentation is a bit

Re: [Openvpn-devel] [PATCH v3] Floating: Add support for floating in TLS mode

2014-01-03 Thread Lev Stipakov
Hi Arne, I am researching how "session id" can be added to the packet. Could you please clarify the statement "If we choose the session id to be 3 or 7 byte we would not need the "hack" for the packets with session id." ? I am currently at the very beginning, so questions might look odd. 1) "3 or 7"

[Openvpn-devel] New frame format with session ID

2014-03-10 Thread Lev Stipakov
Hi guys, I've read January's IRC meeting minutes and there was a discussion about a new frame format with session id. Is there any progress in this field so far? If James or someone happens to have time to document the new format, it would be nice to see it. -- -Lev

[Openvpn-devel] session-id implementation

2014-03-26 Thread Lev Stipakov
ens seamlessly. I would love to hear any critics / comments! -- -Lev From 284e473548a49012baf6c954a637161eec11c2e8 Mon Sep 17 00:00:00 2001 From: Lev Stipakov <lev.stipa...@f-secure.com> Date: Tue, 11 Mar 2014 17:58:31 +0200 Subject: [PATCH] Floating implementation. Use array lookup for n

Re: [Openvpn-devel] session-id implementation

2014-03-27 Thread Lev Stipakov
Hi, Same patch with added NULL check in push.c:308. Turns out that peer_info might be NULL. -Lev On Wed, Mar 26, 2014 at 10:52 AM, Lev Stipakov <lstipa...@gmail.com> wrote: > Hello, > > Despite that implementation of session-id has already been discussed, > I wou

[Openvpn-devel] ipv6 env vars to client scripts

2014-04-17 Thread Lev Stipakov
Hello, Are there any plans to support ipv6 env vars in client-connect/disconnect scripts? There are at least 2 tickets on that feature: https://community.openvpn.net/openvpn/ticket/230 https://community.openvpn.net/openvpn/ticket/369 Is there anything that prevents merging any of suggested

[Openvpn-devel] Rekey and Defer sample plugin

2014-06-10 Thread Lev Stipakov
Hello, I'm facing a problem with "defer" sample plugin and rekeying. I use plugin from https://github.com/OpenVPN/openvpn/tree/master/sample/sample-plugins/defer. Relevant part of openvpn config: > auth-user-pass-optional > setenv test_deferred_auth 2 > plugin /etc/openvpn/simple.so >

[Openvpn-devel] Async OPENVPN_PLUGIN_CLIENT_CONNECT plugin support

2014-07-29 Thread Lev Stipakov
Hello, I am pondering about an asynchronous OPENVPN_PLUGIN_CLIENT_CONNECT callback. Basically, I want _not_ to establish the connection until a response is received and ofc I don't want to block the rest of the traffic. My idea is to have some kind of connect_control_file (similar to auth_control_file) and pass

[Openvpn-devel] Possible memory leaks found by Coverity

2014-08-14 Thread Lev Stipakov
Hello, I have analyzed OpenVPN code with Coverity and I could not explain some resource leaks Coverity has found. 1) https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/options.c#L4378 char * ipv6_local; VERIFY_PERMISSION (OPT_P_UP); if ( get_ipv6_addr( p[1], NULL, , _local, msglevel )

Re: [Openvpn-devel] session-id implementation

2014-10-02 Thread Lev Stipakov
;>> Am 27.03.14 09:57, schrieb Lev Stipakov: >>>> >>>> Hi, >>>> >>>> Same patch with added NULL check in push.c:308. Turns out that >>>> peer_info might be NULL. >>>> >>> I looked at the patched, a few minor nitp

Re: [Openvpn-devel] Async OPENVPN_PLUGIN_CLIENT_CONNECT plugin support

2014-10-07 Thread Lev Stipakov
0:21 GMT+03:00 Fabian Knittel <fabian.knit...@lettink.de>: > Hi Lev, > > 2014-07-29 12:56 GMT+02:00 Lev Stipakov <lstipa...@gmail.com>: >> >> I am pondering about asynchronous OPENVPN_PLUGIN_CLIENT_CONNECT >> callback. Basically, I want _not_ to establish connec

Re: [Openvpn-devel] Async OPENVPN_PLUGIN_CLIENT_CONNECT plugin support

2014-10-13 Thread Lev Stipakov
Hi Fabian, > You say that you've added support for the client-connect plugin call. May I > ask what was missing? Nothing dramatic, I just added deferred support for client-connect v2. > So this is basically about replacing a 5s poll-interval with something that > should proceed near

Re: [Openvpn-devel] session-id implementation

2014-10-21 Thread Lev Stipakov
(nickname lev__) to discuss how we should proceed with this feature. -Lev 2014-10-09 22:49 GMT+03:00 Steffan Karger <stef...@karger.me>: > Hi Lev, > > On 02-10-14 13:47, Lev Stipakov wrote: >> Apologize for the delay. Patch with review suggestions attached. > > Tha

Re: [Openvpn-devel] session-id implementation

2014-10-23 Thread Lev Stipakov
Hi Steffan, Patch attached. -Lev 2014-10-23 10:52 GMT+03:00 Steffan Karger <steffan.kar...@fox-it.com>: > Hi Lev, > > On 10/21/2014 09:33 AM, Lev Stipakov wrote: >> >> Thanks for your comments. I have fixed (1) and (2) - well, reusing >> existing code in (2) h

Re: [Openvpn-devel] session-id implementation

2014-10-24 Thread Lev Stipakov
Hello, As discussed on IRC meeting, we replace session-id with peer-id. So, waiting for review and code-ACK :) -Lev 2014-10-23 17:07 GMT+03:00 Lev Stipakov <lstipa...@gmail.com>: > Hi Steffan, > > Patch attached. > > -Lev > > 2014-10-23 10:52 GMT+03:00 Steffan Karger

[Openvpn-devel] [PATCH] Peer-id patch

2014-10-28 Thread Lev Stipakov
Added new packet format P_DATA_V2, which includes peer-id. If server supports, client sends all data packets in the new format. When data packet arrives, server identifies peer by peer-id. If peer's ip/port has changed, server assumes that client has floated, verifies HMAC and updates ip/port in

[Openvpn-devel] [PATCH] Peer-id patch v2

2014-10-29 Thread Lev Stipakov
Added new packet format P_DATA_V2, which includes peer-id. If server supports, client sends all data packets in the new format. When data packet arrives, server identifies peer by peer-id. If peer's ip/port has changed, server assumes that client has floated, verifies HMAC and updates ip/port in

[Openvpn-devel] [PATCH] Peer-id patch v4

2014-11-13 Thread Lev Stipakov
Added new packet format P_DATA_V2, which includes peer-id. If server supports, client sends all data packets in the new format. When data packet arrives, server identifies peer by peer-id. If peer's ip/port has changed, server assumes that client has floated, verifies HMAC and updates ip/port in

[Openvpn-devel] [PATCH] Peer-id patch v5

2014-11-15 Thread Lev Stipakov
Added new packet format P_DATA_V2, which includes peer-id. If server supports, client sends all data packets in the new format. When data packet arrives, server identifies peer by peer-id. If peer's ip/port has changed, server assumes that client has floated, verifies HMAC and updates ip/port in

[Openvpn-devel] [PATCH] Peer-id patch v6

2014-11-21 Thread Lev Stipakov
Added new packet format P_DATA_V2, which includes peer-id. If server supports, client sends all data packets in the new format. When data packet arrives, server identifies peer by peer-id. If peer's ip/port has changed, server assumes that client has floated, verifies HMAC and updates ip/port in

[Openvpn-devel] [PATCH] Peer-id patch v7

2014-11-23 Thread Lev Stipakov
Added new packet format P_DATA_V2, which includes peer-id. If server supports, client sends all data packets in the new format. When data packet arrives, server identifies peer by peer-id. If peer's ip/port has changed, server assumes that client has floated, verifies HMAC and updates ip/port in

Re: [Openvpn-devel] [PATCH] Peer-id patch v7

2014-11-27 Thread Lev Stipakov
is. Maybe we could make it opt-out and have "-no-peer-id" config option? -Lev 2014-11-27 16:22 GMT+02:00 Gert Doering <g...@greenie.muc.de>: > Hi, > > On Sun, Nov 23, 2014 at 05:17:11PM +0200, Lev Stipakov wrote: >> Changes in v7: >> A few nitpicks. > &g

[Openvpn-devel] [PATCH] Send push reply right after async auth complete

2014-11-28 Thread Lev Stipakov
following settings: auth-user-pass-optional setenv test_deferred_auth 3 plugin simple.so Signed-off-by: Lev Stipakov <lstipa...@gmail.com> --- configure.ac | 15 ++ src/openvpn/forward.c | 8 +++ src/openvpn/mtcp.c| 28 +++ src/openvpn/mudp.c| 27 ++ src

[Openvpn-devel] [PATCH] Prevent memory drain for long lasting floating sessions

2014-12-08 Thread Lev Stipakov
For every float event we generate prefix, which allocates 256 + 64 bytes. That memory is reclaimed when client disconnects, so long lasting and constantly floating sessions drain memory. As a fix use preallocated buffer inside multi_instance for storing multi_prefix. Signed-off-by: Lev Stipakov

[Openvpn-devel] [PATCH] Add the peer-id to the output of the status command

2014-12-08 Thread Lev Stipakov
This adds peer-id to the status output which might help analyze floating logs. This will change the output of status in the same way commit 662ce6acc065bddf6490b3494725b8b3987b7def did. Signed-off-by: Lev Stipakov <lstipa...@gmail.com> --- src/openvpn/multi.c | 14 -- 1 file c

Re: [Openvpn-devel] OpenVPN protocol extensions update

2015-01-09 Thread Lev Stipakov
Hi James, A few comments on peer-id part: * A disabled peer ID is denoted by 0xFF. * Server tells the client to use DATA_V2/peer_id by pushing the directive "peer-id ID" where ID is a decimal integer in the range [-1, 16777215]. Setting the peer ID to -1 transmits DATA_V2

Re: [Openvpn-devel] [PATCH] Account for peer-id in frame size calculation

2015-01-23 Thread Lev Stipakov
ACK Reproduced the problem with ping -s 1500 (also no compression) and patch on both sides have fixed it. 2015-01-23 21:52 GMT+02:00 Steffan Karger : > Data channel packet using P_DATA_V2 will use three bytes extra for the > peer-id. This needs to be accounted for, otherwise

[Openvpn-devel] [PATCH] Fix NULL dereferencing

2015-02-06 Thread Lev Stipakov
In certain cases buf.len can be -1, which causes BPTR to return NULL and NULL pointer dereferencing on the next line. As a fix, process only packets with non-zero length. --- src/openvpn/mudp.c | 9 + 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/openvpn/mudp.c

[Openvpn-devel] [PATCH] Notify clients about server's restart/shutdown

2015-02-27 Thread Lev Stipakov
When server gets shutdown signal (SIGUSR1, SIGTERM, SIGHUP, SIGINT), it broadcasts new OCC_SHUTTING_DOWN command to all clients and reschedules received signal in 2 secs. When client receives OCC_SHUTTING_DOWN, it fires SIGUSR1 and switches to the next remote. --- src/openvpn/multi.c | 63

[Openvpn-devel] [PATCH v2] Notify clients about server's exit/restart

2015-03-02 Thread Lev Stipakov
When server exits / restarts (gets SIGUSR1, SIGTERM, SIGHUP, SIGINT) and explicit-exit-notify is set, server broadcasts new OCC_SERVER_EXIT command to all clients and reschedules received signal in 2 secs. When client receives OCC_SERVER_EXIT, it fires SIGUSR1 and switches to the next server.

[Openvpn-devel] [PATCH] Client-side handling of OCC_SERVER_EXIT

2015-03-02 Thread Lev Stipakov
When client receives OCC_SERVER_EXIT, it fires SIGUSR1 and switches to the next server. Next server is defined as same remote with different IP address if remote resolves into multiple addresses or next remote otherwise. This is a client-side only version of "Notify clients about server's

[Openvpn-devel] [PATCH] Fast recovery when host is in unreachable network

2015-03-02 Thread Lev Stipakov
When client connects to the server which is in unreachable network (for example hostname got resolved into ipv6 address and client has no ipv6), throw SIGUSR1 and connect to the next server without waiting 60 seconds for "TLS key negotiation failed". --- src/openvpn/forward.c | 10 ++ 1

[Openvpn-devel] [PATCH] Fix mssfix default value

2015-03-05 Thread Lev Stipakov
Due to this bug, mssfix hasn't been assigned to fragment value and used default value (1450) instead. As a consequence, TCP packets get fragmented, which causes performance penalty. Since dual stack patch https://github.com/OpenVPN/openvpn/commit/23d61c56b9fd218c39ad151b01b7e2d6690e6093 OpenVPN

Re: [Openvpn-devel] [PATCH] Change float log message to include common name, if available.

2015-03-08 Thread Lev Stipakov
ACK 2015-03-07 18:23 GMT+02:00 Steffan Karger : > Makes it a lot easier to see which client is floating. > > Signed-off-by: Steffan Karger > --- > src/openvpn/multi.c | 7 +-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git

Re: [Openvpn-devel] Packet loss due to radius issues

2015-07-31 Thread Lev Stipakov
Hello Samuel, Do you use the radius plugin from http://www.nongnu.org/radiusplugin/ ? I think the way OpenVPN delegates authentication to a plugin (OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY hook) is asynchronous, as well as the plugin implementation, i.e. OpenVPN does not wait for a response. Instead it

[Openvpn-devel] [PATCH] This fixes MSVS 2013 compilation.

2015-10-02 Thread Lev Stipakov
* Tools version changed to 12 * Added comp.c/h and compat.c/h to project files * Workaround for missing __attribute__ support Also, as a preparation for MSVS2015, ensured that snprintf is not defined for that VS version. --- config-msvc.h | 3 +++

[Openvpn-devel] [PATCH v2] Fix MSVS 2013 compilation

2015-10-06 Thread Lev Stipakov
v2: * Bump API level to Vista for get_default_gateway_ipv6() implementation * Define HAVE_INET_NTOP/PTON for Vista since it has its own implementation of inet_ntop/pton v1: * Add comp/compstub to project files * Bump tools version to 12 * define __attribute__ Signed-off-by: Lev Stipakov <lst

[Openvpn-devel] [PATCH] Continuation of MSVS fixes

2015-10-06 Thread Lev Stipakov
* Upgrade API level to Vista to implement get_default_gateway_ipv6 * Define HAVE_INET_NTOP/PTON since Vista has its own implementation of those Signed-off-by: Lev Stipakov <lstipa...@gmail.com> --- config-msvc.h | 6 ++ msvc-env.bat | 2 +- 2 files changed, 7 insertions(+), 1 de

[Openvpn-devel] [PATCH v2] Send push reply right after async auth complete

2015-10-07 Thread Lev Stipakov
or when file is removed. We catch that event and remove it from the dictionary. Feature is easily tested with sample "defer" plugin and following settings: auth-user-pass-optional setenv test_deferred_auth 3 plugin simple.so Signed-off-by: Lev Stipakov <lstipa...@gmail.com> -

[Openvpn-devel] [PATCH] Support for disabled peer-id

2015-10-09 Thread Lev Stipakov
When peer-id value is 0xFF, server should ignore it and treat packet in a same way as P_DATA_V1. Make sure that issued peer-id does not exceed 0xFF. --- src/openvpn/mudp.c | 15 --- src/openvpn/multi.c | 3 ++- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git

[Openvpn-devel] [PATCH v2] Support for disabled peer-id

2015-10-09 Thread Lev Stipakov
v2: * Add round brackets for clarity. * Rephrase comment. v1: * When peer-id value is 0xFF, server should ignore it and treat packet in a same way as P_DATA_V1. * Make sure that issued peer-id does not exceed 0xFF. --- src/openvpn/mudp.c | 14 +++--- src/openvpn/multi.c | 3

[Openvpn-devel] [PATCH] Fix compilation error with --disable-crypto

2015-10-10 Thread Lev Stipakov
Also disable behavior for static key setup. --- src/openvpn/forward.c | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 513fbae..c17be35 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1199,13 +1199,16

Re: [Openvpn-devel] ipv6 env vars to client scripts

2015-10-10 Thread Lev Stipakov
seth, le Fri 02 May 2014 01:39:05 +0200, a écrit : On 17/04/14 14:07, Lev Stipakov wrote: Hello, Are there any plans to support ipv6 env vars in client-connect/disconnect scripts? There are at least 2 tickets on that feature: https://community.openvpn.net/openvpn/ticket/230 https://community.

Re: [Openvpn-devel] ipv6 env vars to client scripts

2015-10-10 Thread Lev Stipakov
.org>: > David Sommerseth, le Fri 02 May 2014 01:39:05 +0200, a écrit : >> On 17/04/14 14:07, Lev Stipakov wrote: >> > Hello, >> > >> > Are there any plans to support ipv6 env vars in >> > client-connect/disconnect scripts? >> > >> >

Re: [Openvpn-devel] ipv6 env vars to client scripts

2015-10-10 Thread Lev Stipakov
seth, le Fri 02 May 2014 01:39:05 +0200, a écrit : On 17/04/14 14:07, Lev Stipakov wrote: Hello, Are there any plans to support ipv6 env vars in client-connect/disconnect scripts? There are at least 2 tickets on that feature: https://community.openvpn.net/openvpn/ticket/230 https://community.

Re: [Openvpn-devel] ipv6 env vars to client scripts

2015-10-10 Thread Lev Stipakov
seth, le Fri 02 May 2014 01:39:05 +0200, a écrit : On 17/04/14 14:07, Lev Stipakov wrote: Hello, Are there any plans to support ipv6 env vars in client-connect/disconnect scripts? There are at least 2 tickets on that feature: https://community.openvpn.net/openvpn/ticket/230 https://community.

[Openvpn-devel] [PATCH v3] Send push reply right after async auth complete

2015-10-10 Thread Lev Stipakov
nal setenv test_deferred_auth 3 plugin simple.so Signed-off-by: Lev Stipakov <lstipa...@gmail.com> Add doxygen comment --- configure.ac | 15 + src/openvpn/forward.c | 8 +++ src/openvpn/mtcp.c| 28 + src/openvpn/mudp.c| 27 + src/openvpn

[Openvpn-devel] [PATCH] Fix compilation with --disable-server

2015-10-11 Thread Lev Stipakov
Add missing #if P2MP_SERVER --- src/openvpn/push.c | 2 ++ src/openvpn/push.h | 5 ++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/src/openvpn/push.c b/src/openvpn/push.c index 704818d..a4cb726 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -410,6 +410,7 @@

[Openvpn-devel] [PATCH v3] Notify clients about server's exit/restart

2015-10-13 Thread Lev Stipakov
if client should reconnect to the same server or advance to the next one - Fix compilation when OCC is disabled (--enable-small) - Update man page v2: - Take into use explicit-exit-notify on the server side - OCC_SHUTTING_DOWN renamed to OCC_SERVER_EXIT - Code prettifying Signed-off-by: Le

Re: [Openvpn-devel] [PATCH V2] Fix commit c67acea173dc9ee37220f5b9ff14ede081181992

2015-10-14 Thread Lev Stipakov
ACK from me. Tested on ics-openvpn, problem with endtag now fixed. A nitpick. git am says: /home/stiple/Projects/ics-openvpn/.git/modules/main/openvpn/rebase-apply/patch:20: trailing whitespace. char *line_ptr = line; warning: 1 line adds whitespace errors. On 14.10.2015 16:05, Arne

[Openvpn-devel] [PATCH] Decrease log level for peer float message

2015-10-15 Thread Lev Stipakov
Signed-off-by: Lev Stipakov <lstipa...@gmail.com> --- src/openvpn/mudp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c index 3aed3a0..9fa9f9e 100644 --- a/src/openvpn/mudp.c +++ b/src/openvpn/mudp.c @@ -79,7

[Openvpn-devel] [PATCH] Refine float logging

2015-10-15 Thread Lev Stipakov
v2: * Bump log level for attack attempt message * More clear message for float event v1: * Decrease log level for peer float message Signed-off-by: Lev Stipakov <lstipa...@gmail.com> --- src/openvpn/mudp.c | 2 +- src/openvpn/multi.c | 2 +- 2 files changed, 2 insertions(+), 2 del

[Openvpn-devel] [PATCH] Replace variable length array with malloc

2015-10-20 Thread Lev Stipakov
Commit https://github.com/OpenVPN/openvpn/commit/685e486e8b8f70c25f09590c24762ff734f94a51 introduced a variable length array. Although C99 supports that, MSVS 2013 still requires the size of an array to be a compile-time constant. As a fix, use OPENSSL_malloc/free. Signed-off-by: Lev Stipakov <lst

Re: [Openvpn-devel] [PATCH] Replace variable length array with malloc

2015-10-20 Thread Lev Stipakov
t; You don't have to use OPENSSL_malloc() in an application but you do you can make use of OpenSSLs memory leak checking routines if you do. -Lev On 20.10.2015 16:52, Gert Doering wrote: Hi, On Tue, Oct 20, 2015 at 04:22:59PM +0300, Lev Stipakov wrote: Commit https://github.com/OpenVPN/o

Re: [Openvpn-devel] [PATCH] Replace variable length array with malloc

2015-10-20 Thread Lev Stipakov
don't have to use OPENSSL_malloc() in an application but you do you can make use of OpenSSLs memory leak checking routines if you do. -Lev On 20.10.2015 16:52, Gert Doering wrote: Hi, On Tue, Oct 20, 2015 at 04:22:59PM +0300, Lev Stipakov wrote: Commit https://github.com/OpenVPN/openvpn/commit

[Openvpn-devel] [PATCH v2] Replace variable length array with malloc

2015-10-21 Thread Lev Stipakov
Signed-off-by: Lev Stipakov <lstipa...@gmail.com> --- src/openvpn/ssl_openssl.c | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index c08d4fe..3c8d41f 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/o

Re: [Openvpn-devel] [PATCH] openssl: remove usage of OPENSSL_malloc() from show_available_curves

2015-10-21 Thread Lev Stipakov
ACK from me. Less code is better. On 21.10.2015 01:39, Steffan Karger wrote: There is no need to use OPENSSL_malloc(), so use our own functions that automatically check for NULL and remove the now redundant NULL check. Signed-off-by: Steffan Karger ---

Re: [Openvpn-devel] [PATCH] Fix memory leak in auth-pam plugin

2015-10-21 Thread Lev Stipakov
ACK from me. My Clang static analyzer concurs. On 21.10.2015 01:38, Steffan Karger wrote: As it says on the tin. aresp would not be free'd nor returned by my_conv() on errors. Note that we never reach this code if allocation of aresp failed. Found with the Clang static analyzer.

[Openvpn-devel] [PATCH] Generate openvpn-plugin.h for MSVC build

2015-10-22 Thread Lev Stipakov
openvpn-plugin.h was not generated for the MSVC build since it has been removed from sources and is now generated by the configure script. This fix generates it for the MSVC build and substitutes macros like @OPENVPN_VERSION_MAJOR@ with actual values. Signed-off-by: Lev Stipakov <lstipa...@gmail.

[Openvpn-devel] [PATCH] Use adapter index instead of name

2015-10-22 Thread Lev Stipakov
e to get adapter index, try with adapter name. Signed-off-by: Olli Mannisto <olmanni...@gmail.com> Signed-off-by: Lev Stipakov <lstipa...@gmail.com> --- src/openvpn/tun.c | 26 +++--- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/src/openvpn/tun

Re: [Openvpn-devel] [PATCH] Use adapter index instead of name

2015-10-22 Thread Lev Stipakov
Hello, > And with interface indexes, it works all the time? We have tested it on a few machines which previously have had this problem and this patch has fixed that. We will test it for larger audience in near future and report results. -Lev On 22.10.2015 16.59, Gert Doering wrote: hi,

[Openvpn-devel] [PATCH v2] Use adapter index instead of name

2015-11-09 Thread Lev Stipakov
to get adapter index and use it instead of adapter name for netsh set address command. If unable to get adapter index, try with adapter name. Signed-off-by: Olli Mannisto <olmanni...@gmail.com> Signed-off-by: Lev Stipakov <lstipa...@gmail.com> --- src/openvpn/tun.c | 10 +- 1

Re: [Openvpn-devel] [PATCH v2] Use adapter index instead of name

2015-11-11 Thread Lev Stipakov
Hi, It should actually be not very hard - we should be able to set "tt->actual" to read "interface=nnn", and then it should work automagically without even touching route.c at all Setting "interface=" to "tt->actual_name" will affect all code branches which use that value, for example

[Openvpn-devel] [PATCH v3] Use adapter index instead of name

2015-11-11 Thread Lev Stipakov
netsh when using adapter name on "netsh.exe interface ipv6 set address" command. Changed logic to get adapter index and use it instead of adapter name for netsh set address command. If unable to get adapter index, try with adapter name. Signed-off-by: Olli Mannisto <olmanni...@gmail.

[Openvpn-devel] [PATCH] Fix "implicit declaration" compiler warning

2015-11-11 Thread Lev Stipakov
Add missing "include" directive. Signed-off-by: Lev Stipakov <lstipa...@gmail.com> --- src/openvpn/mtcp.c | 4 1 file changed, 4 insertions(+) diff --git a/src/openvpn/mtcp.c b/src/openvpn/mtcp.c index b27c5eb..9926d47 100644 --- a/src/openvpn/mtcp.c +++ b/src/openvpn

Re: [Openvpn-devel] [PATCH v3] Notify clients about server's exit/restart

2015-11-16 Thread Lev Stipakov
Hi, Since the new server side code does not actually *do* OCC any more we are just #ifdef'ing it to access options->ce.explicit_exit_notify because that one is only compiled in #ifdef ENABLE_OCC ... so we're coupling this new functionality to an #ifdef which is not really

[Openvpn-devel] [PATCH v4] Notify clients about server's exit/restart

2015-11-17 Thread Lev Stipakov
-enable-small) - Update man page v2: - Take into use explicit-exit-notify on the server side - OCC_SHUTTING_DOWN renamed to OCC_SERVER_EXIT - Code prettifying Signed-off-by: Lev Stipakov <lstipa...@gmail.com> --- doc/openvpn.8 | 15 ++-- src/ope

Re: [Openvpn-devel] [PATCH v8-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-12-10 Thread Lev Stipakov
Hi, Sorry for the late response. +bool +win_wfp_uninit() +{ +dmsg (D_LOW, "Uninitializing WFP"); +if (m_hEngineHandle) { +FwpmSubLayerDeleteByKey0(m_hEngineHandle, _subLayerGUID); +CLEAR(m_subLayerGUID); +FwpmEngineClose0(m_hEngineHandle); +

Re: [Openvpn-devel] [PATCH v8-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-12-11 Thread Lev Stipakov
On 10.12.2015 18:49, ValdikSS wrote: I'd better go with just closing the engine without deleting everything. I don't see any drawbacks, that should be perfectly OK for a dynamic session. Is this correct, Lev? If yes, I'll push v9 today or tomorrow morning. Removing non-working

Re: [Openvpn-devel] [PATCH v2] Use adapter index instead of name

2015-12-11 Thread Lev Stipakov
Hi, So, if we want to use index also for "add/del route", I'd gently modify add/del_route_ipv6 and make it use "interface=" (without breaking "vpn server special route" case). For consistency, I think we should do that. What I'd avoid is to do the adapter_index lookup for every single route

Re: [Openvpn-devel] [PATCH v2] Use adapter index instead of name

2015-12-11 Thread Lev Stipakov
Thanks, I think (I think!) I got it now. 1) Since we have tt->adapter_index (which temporarily disappeared from my perception of reality), no need to add new member to tuntap or tuntap_options. 2) tt->adapter_index has nothing to do with rgi->adapter_index, first one is windows adapter

[Openvpn-devel] [PATCH master] Use adapter index for add/delete_route_ipv6

2015-12-11 Thread Lev Stipakov
Trac #637 Signed-off-by: Lev Stipakov <lstipa...@gmail.com> --- src/openvpn/route.c | 16 src/openvpn/tun.c | 2 ++ 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/src/openvpn/route.c b/src/openvpn/route.c index 4a60345..2012b5c 100644 --- a/src/o

[Openvpn-devel] [PATCH v2 master] Use adapter index for add/delete_route_ipv6

2015-12-11 Thread Lev Stipakov
Trac #637 Signed-off-by: Lev Stipakov <lstipa...@gmail.com> --- src/openvpn/route.c | 16 src/openvpn/tun.c | 6 +- 2 files changed, 17 insertions(+), 5 deletions(-) diff --git a/src/openvpn/route.c b/src/openvpn/route.c index 4a60345..2012b5c 100644 --- a/src/o

[Openvpn-devel] [PATCH 2.3] Use adapter index for add/delete_route_ipv6

2015-12-11 Thread Lev Stipakov
Trac #637 --- src/openvpn/route.c | 8 src/openvpn/tun.c | 6 +- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/src/openvpn/route.c b/src/openvpn/route.c index 1775a9c..cf5a067 100644 --- a/src/openvpn/route.c +++ b/src/openvpn/route.c @@ -1623,6 +1623,10 @@

[Openvpn-devel] [PATCH] Pass adapter index to up/down scripts

2015-12-12 Thread Lev Stipakov
Trac #637 Signed-off-by: Lev Stipakov <lstipa...@gmail.com> --- src/openvpn/init.c | 18 ++ src/openvpn/misc.c | 6 ++ src/openvpn/misc.h | 3 +++ 3 files changed, 27 insertions(+) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 179c7ef..b0c0e26 100644 ---

Re: [Openvpn-devel] [PATCH] Make MSVC happy about route.c

2015-12-14 Thread Lev Stipakov
ACK. I don't have VC2010, but at least on 2013 it compiles nicely.

[Openvpn-devel] [PATCH 2.3] Fix VS2013 compilation

2015-12-15 Thread Lev Stipakov
Update toolset, define __attribute__. Signed-off-by: Lev Stipakov <lstipa...@gmail.com> --- src/compat/compat.vcxproj | 4 +++- src/openvpn/openvpn.vcxproj | 6 -- src/openvpn/syshead.h | 1 + src/openvpnserv/openvpnserv.vcxproj | 4 +++- 4 files chang

Re: [Openvpn-devel] XP broken

2015-12-20 Thread Lev Stipakov
Hi, Screenshot seems to be lost in transmission. Moving to openvpn-devel. We could probably detect XP only (or technically "less than Vista") by checking that IsWindowsVistaOrGreater() == false which seems to be simpler. It should fix the problem. However I like the idea that server will be

[Openvpn-devel] [PATCH] Detecting Windows version

2015-12-29 Thread Lev Stipakov
* Use adapter name instead of index on WinXP - sadly XP does not support indexes * Write Windows version to log * Send it with peer-info as IV_PLAT_VER Signed-off-by: Lev Stipakov <lstipa...@gmail.com> --- config-msvc.h | 1 + configure.ac | 1

[Openvpn-devel] [PATCH v2 2.3] Repair IPv6 netsh calls if Win XP is detected

2015-12-29 Thread Lev Stipakov
v2: * Add compat-versionhelpers.h to compat/Makefile.am so that "make dist" will include it into tarball. * Indentation v1: * Use adapter name instead of index on WinXP - sadly XP does not support indexes * Write Windows version to log * Send it with peer-info as IV_PLAT_VER Signed-o

[Openvpn-devel] [PATCH] Drop recursively routed packets

2016-01-04 Thread Lev Stipakov
. As a consequence, system starts talking to itself on full power, traffic counters skyrocket and user is not happy. To prevent that, drop packets which have gateway IP as destination address. Tested on Win7/10, OS X. Trac #642 Signed-off-by: Lev Stipakov <lstipa...@gmail.com> --- src/openvpn/forward.

[Openvpn-devel] [PATCH v2] Drop recursively routed packets

2016-01-04 Thread Lev Stipakov
to.. tun. As a consequence, system starts talking to itself on full power, traffic counters skyrocket and user is not happy. To prevent that, drop packets which have gateway IP as destination address. Tested on Win7/10, OS X. Trac #642 Signed-off-by: Lev Stipakov <lstipa...@gmail.com> --

[Openvpn-devel] [PATCH] Report Windows bitness

2016-02-07 Thread Lev Stipakov
Trac #599 Signed-off-by: Lev Stipakov <lstipa...@gmail.com> --- src/openvpn/win32.c | 16 1 file changed, 16 insertions(+) diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c index 6c6ac4c..5702304 100644 --- a/src/openvpn/win32.c +++ b/src/openvpn/win32.c @@ -

Re: [Openvpn-devel] --block-outside-dns speed

2016-02-16 Thread Lev Stipakov
Hi James, Has anyone seen issues with --block-outside-dns speed? Because this approach drops certain DNS packets, I'm wondering if apps will experience lag time while waiting for dropped DNS requests to time out. Yes, I have experienced issues with that patch. On only machine I was able to

Re: [Openvpn-devel] [PATCH] Support for disabled peer-id

2016-04-27 Thread Lev Stipakov
Yep, was a bit busy with other stuff last weeks. On 27.04.2016 11:16, Arne Schwabe wrote: I am just going through the patches. Lev, do you plan a follow up for this? Arne

Re: [Openvpn-devel] [PATCH v2] Drop recursively routed packets

2016-08-30 Thread Lev Stipakov
So, following changes are required for V3: 1) No drop_if_recursive() call for P2P 2) Same for TAP 3) Add an option to disable it Sounds reasonable? 2016-08-24 16:13 GMT+03:00 Gert Doering : > Hi, > > On Wed, Aug 24, 2016 at 10:12:54AM +0200, Jan Just Keijser wrote: > >

[Openvpn-devel] [PATCH] Use separate list for per-client push options

2016-10-07 Thread Lev Stipakov
Move client-specific push options (currently peer-id and cipher) to a separate list, which is deallocated after push_reply has been sent. This makes sure that options fit into buf, are not duplicated and do not leak memory on renegotiation. Signed-off-by: Lev Stipakov <lstipa...@gmail.com> --

[Openvpn-devel] [PATCH v4] Drop recursively routed packets

2016-11-03 Thread Lev Stipakov
From: Lev Stipakov <lev.stipa...@f-secure.com> v4: - Account for IP header offset in TAP mode - Correct handling of non-IP protocols in TAP mode v3: Use better way of figuring out IP proto version which does not break TAP mode. Add an option to allow recursive routing, could be usefu

[Openvpn-devel] [PATCH v2] Use separate list for per-client push options

2016-10-09 Thread Lev Stipakov
. Signed-off-by: Lev Stipakov <lstipa...@gmail.com> --- src/openvpn/push.c | 186 ++--- 1 file changed, 104 insertions(+), 82 deletions(-) diff --git a/src/openvpn/push.c b/src/openvpn/push.c index a1b999e..f7bcad1 100644 --- a/src/openvpn/