Steffan Karger | 26 Mar 01:01 2015

[PATCH] Remove unneeded parameter 'first_time' from possibly_become_daemon()

The static helper function possibly_become_daemon() is called only once,
by do_init_first_time(), which checks 'first_time' to be true before
calling possibly_become_daemon().  This makes the parameter useless.

Signed-off-by: Steffan Karger <steffan <at> karger.me>
---
 src/openvpn/init.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index b670a48..b97d2da 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
 <at>  <at>  -917,10 +917,10  <at>  <at>  do_persist_tuntap (const struct options *options)
  * Return true if we did it.
  */
 static bool
-possibly_become_daemon (const struct options *options, const bool first_time)
+possibly_become_daemon (const struct options *options)
 {
   bool ret = false;
-  if (first_time && options->daemon)
+  if (options->daemon)
     {
       ASSERT (!options->inetd);
       if (daemon (options->cd_dir != NULL, options->log) < 0)
 <at>  <at>  -2771,7 +2771,7  <at>  <at>  do_init_first_time (struct context *c)
       get_pid_file (c->options.writepid, &c0->pid_state);

       /* become a daemon if --daemon */

Samuli Seppänen | 23 Mar 20:21 2015

Topics for next week's (Monday, 30th Mar 2015) community meeting

Hi,

We're going to have an IRC meeting _next_ Monday, 30th March, starting
at 20:00 CET (19:00 UTC) on #openvpn-devel <at> irc.freenode.net. Current
topic list along with basic information is here:

<https://community.openvpn.net/openvpn/wiki/Topics-2015-03-30>

If you have any other things you'd like to bring up, respond to this
mail, send me mail privately or add them to the list yourself.

In case you can't attend the meeting, please feel free to make comments
on the topics by responding to this email or to the summary email sent
after the meeting. Whenever possible, we'll also respond to existing,
related email threads.

NOTE: It's required to use a registered Freenode IRC nickname to join
#openvpn-devel - look here for details:

<https://community.openvpn.net/openvpn/wiki/GettingHelp#DeveloperIRCchannel>

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


Ryan O'Connor | 19 Mar 14:48 2015

OpenVPN Service Windows 8

I have been using OpenVPN Service to run my clients' VPN connections on Windows 8 and have noticed that they never start automatically even though it's set to.

I have found that to fix this you need to go into services.msc and in OpenVPN Service you need to go to the Log On tab and change the Local System account to Allow service to interact with desktop.  Is this expected behaviour or only new because of Win 8/10?

Thanks,

Ryan

------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the 
conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
| 17 Mar 02:28 2015

Where to find tap-win32 documentation?

Hello everyone, where can I find the tap-win32 developer documentation on how to open it (CreateFile), how to change the stat, and how to ifconfig (DeviceIoControl)? Thanks.

Forgive my poor English. Thanks again.


--
★Suncc★
Steffan Karger | 10 Mar 20:26 2015

[PATCH] Re-enable TLS version negotiation by default

Re-enable TLS version negotiation by default, so that users
benefit from the stronger and better crypto of TLSv1.1 and
TLSv1.2, without having to add 'tls-version-min' to their
config files.

We tried this before in 2.3.3, but got various reports of people
no longer being able to connect.  Back then, we did not have a
way for users to control the TLS version.  We now have
--tls-version-min and --tls-version-max, and even automatically
set --tls-version-max to 1.1 if --cryptoapi is used, because
the cryptoapi code is incompatible with TLS 1.2.

To make sure users can fall back to the _exact_ old default
behaviour, not only limit the TLS version to 1.0 if
--tls-version-max 1.0 is set, but also keep using the API calls
TLSv1_{client,server}_method(), instead of the ones that support
negotiation (SSLv23_{client,server}_method()).  (Yes, the naming
is awkward, but 'SSLv23' really means 'enable negotiation' in
OpenSSL-API language.)

This patch is for the release/2.3 branch only.

Signed-off-by: Steffan Karger <steffan <at> karger.me>
---
 src/openvpn/ssl_openssl.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 5207dfd..fd382fb 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
 <at>  <at>  -121,15 +121,15  <at>  <at>  tmp_rsa_cb (SSL * s, int is_export, int keylength)
 void
 tls_ctx_server_new(struct tls_root_ctx *ctx, unsigned int ssl_flags)
 {
-  const int tls_version_min =
-      (ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK;
+  const int tls_version_max =
+      (ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK;

   ASSERT(NULL != ctx);

-  if (tls_version_min > TLS_VER_UNSPEC)
-    ctx->ctx = SSL_CTX_new (SSLv23_server_method ());
-  else
+  if (tls_version_max == TLS_VER_1_0)
     ctx->ctx = SSL_CTX_new (TLSv1_server_method ());
+  else
+    ctx->ctx = SSL_CTX_new (SSLv23_server_method ());

   if (ctx->ctx == NULL)
     msg (M_SSLERR, "SSL_CTX_new SSLv23_server_method");
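
Review bot: the failure message at the end of this hunk, `msg (M_SSLERR, "SSL_CTX_new SSLv23_server_method")`, is now wrong in the `tls_version_max == TLS_VER_1_0` branch, where TLSv1_server_method() was used; make it method-neutral ("SSL_CTX_new server method") or pick the text per branch. Also, the hunk removes the tls_version_min read entirely and makes SSLv23_server_method() the default, which negotiates every protocol version the OpenSSL build supports; nothing here shows SSLv2/SSLv3 and the --tls-version-min floor being disabled via SSL_CTX_set_options(), so please confirm that still happens on ctx->ctx right after this and is not tied to the variable that was dropped.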
 <at>  <at>  -140,15 +140,15  <at>  <at>  tls_ctx_server_new(struct tls_root_ctx *ctx, unsigned int ssl_flags)
 void
 tls_ctx_client_new(struct tls_root_ctx *ctx, unsigned int ssl_flags)
 {
-  const int tls_version_min =
-      (ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK;
+  const int tls_version_max =
+      (ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK;

   ASSERT(NULL != ctx);

-  if (tls_version_min > TLS_VER_UNSPEC)
-    ctx->ctx = SSL_CTX_new (SSLv23_client_method ());
-  else
+  if (tls_version_max == TLS_VER_1_0)
     ctx->ctx = SSL_CTX_new (TLSv1_client_method ());
+  else
+    ctx->ctx = SSL_CTX_new (SSLv23_client_method ());

   if (ctx->ctx == NULL)
     msg (M_SSLERR, "SSL_CTX_new SSLv23_client_method");
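
Review bot: same issue as on the server side: the error text `SSL_CTX_new SSLv23_client_method` no longer matches the TLSv1_client_method() branch. Beyond that, the version-selection logic is now duplicated verbatim between tls_ctx_server_new() and tls_ctx_client_new(); a small static helper taking ssl_flags and a server/client flag, returning the SSL_METHOD to use, would keep the two from drifting apart the next time the default changes.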
-- 
2.1.0

David Sommerseth | 10 Mar 14:57 2015

[PATCH] Create directory on-the-fly for pid file if it does not exist

From: David Sommerseth <davids <at> redhat.com>

Some distros, like RHEL7, have placed the directory used to
track pid files (/run) on a tmpfs file system.  This results in
the /run directory being wiped on each boot.  As the systemd unit
file may expect OpenVPN pid files (one for each openvpn connection)
to reside inside a sub-directory, OpenVPN will then fail to start.

This patch enhances the check_file_access() function to support
a CHKACC_MKDIR type flag, which tells it to create a directory
if it is missing.

Signed-off-by: David Sommerseth <davids <at> redhat.com>
---
 src/openvpn/options.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index df9a641..6a0fbf6 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
 <at>  <at>  -2545,6 +2545,7  <at>  <at>  options_postprocess_mutate (struct options *o)
 #define CHKACC_FILEXSTWR (1<<2)  /** If file exists, is it writable? */
 #define CHKACC_INLINE (1<<3)     /** File is present if it's an inline file */
 #define CHKACC_ACPTSTDIN (1<<4)  /** If filename is stdin, it's allowed and "exists" */
+#define CHKACC_MKDIR (1<<5)      /** If directory is missing, create it on-the-fly */

 static bool
 check_file_access(const int type, const char *file, const int mode, const char *opt)
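
Review bot: the comment on the new flag should say two things it currently leaves out: that CHKACC_MKDIR only has an effect together with CHKACC_DIRPATH, because the directory to create is derived from the file's dirname, and that exactly one level is created (the single mkdir() in the next hunk still fails with ENOENT when the grandparent is missing as well). Something like `/** With CHKACC_DIRPATH: create the (one) missing parent directory */` would do.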
 <at>  <at>  -2571,8 +2572,14  <at>  <at>  check_file_access(const int type, const char *file, const int mode, const char *
       char *fullpath = strdup(file);  /* POSIX dirname() implementaion may modify its arguments */
       char *dirpath = dirname(fullpath);

-      if (platform_access (dirpath, mode|X_OK) != 0)
+      if (platform_access (dirpath, mode|X_OK) != 0) {
+          /* If the directory does not exist, we might have been told to create it */
+          if (errno == ENOENT && (type & CHKACC_MKDIR)) {
+            mode_t dirmask =  (R_OK ? S_IRUSR : 0) | (W_OK ? S_IWUSR : 0 ) | S_IXUSR;
+            errno = (mkdir(dirpath, dirmask) == 0) ? 0 : errno;
+          }
           errcode = errno;
+      }
       free(fullpath);
     }
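
Review bot: `(R_OK ? S_IRUSR : 0) | (W_OK ? S_IWUSR : 0)` tests the constants R_OK and W_OK themselves, which are non-zero, so `dirmask` is always S_IRUSR|S_IWUSR|S_IXUSR no matter what `mode` the caller asked for; the intent is `((mode & R_OK) ? S_IRUSR : 0) | ((mode & W_OK) ? S_IWUSR : 0) | S_IXUSR`. Two further points on the same lines: the created directory is owner-only (0700 before umask) and owned by whoever runs the option checks, so a later access by a different uid will fail, which is worth a sentence in the commit message; and the access check goes through platform_access() because this file is also built for Windows, while the new `mkdir(dirpath, dirmask)` is a two-argument POSIX call that the MinGW/MSVC CRT does not provide, so it needs the same platform_ wrapper or an #ifdef.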

 <at>  <at>  -2738,7 +2745,7  <at>  <at>  options_postprocess_filechecks (struct options *options)
   /* ** System related ** */
   errs |= check_file_access (CHKACC_FILE, options->chroot_dir,
                              R_OK|X_OK, "--chroot directory");
-  errs |= check_file_access (CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->writepid,
+  errs |= check_file_access (CHKACC_DIRPATH|CHKACC_FILEXSTWR|CHKACC_MKDIR, options->writepid,
                              R_OK|W_OK, "--writepid");

   /* ** Log related ** */
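
Review bot: --writepid is the only caller opting into CHKACC_MKDIR, and the R_OK|W_OK passed here is the `mode` the new directory's permission bits are supposed to come from. Since options_postprocess_filechecks() runs with whatever privileges OpenVPN was started with, the directory will belong to that user with owner-only bits; say in the commit message that the on-the-fly creation is meant for the initial pid-file write only, so a --user/--group setup does not expect to reopen or remove the file there later.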
-- 
1.8.3.1
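
A stand-alone illustration of what the CHKACC_MKDIR path above is meant to do, written for this page and not taken from OpenVPN: the permission bits are derived from the bits actually set in `mode` (the posted `R_OK ? S_IRUSR : 0` form is kept beside it for contrast, since R_OK is a non-zero constant and the test is always true), a path that already exists is checked to be a real directory rather than a symlink or a file, and only one missing level is created, like a single mkdir(). The function names, the ELOOP/ENOTDIR return codes for the refused cases and the temporary tree under /tmp are this example's assumptions, not the patch's.

```c
/* Added example for this page, not OpenVPN code: create the directory that
 * will hold a pid file when it is missing (the intent of CHKACC_MKDIR), with
 * permission bits taken from the requested mode. Names and layout assumed. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The expression as posted: R_OK and W_OK are non-zero constants, so `mode` is ignored. */
mode_t dir_mode_as_posted(int mode)
{
    (void)mode;
    return (R_OK ? S_IRUSR : 0) | (W_OK ? S_IWUSR : 0) | S_IXUSR;
}

/* Corrected mapping: test the bits of `mode`. X_OK is always needed to
 * enter the directory; the result stays owner-only like the original. */
mode_t dir_mode_for(int mode)
{
    mode_t m = S_IXUSR;
    if (mode & R_OK) m |= S_IRUSR;
    if (mode & W_OK) m |= S_IWUSR;
    return m;
}

/* Return 0 when the parent directory of `file` exists, is a real directory
 * (not a symlink) and is accessible with `mode`; create one missing level
 * when `create` is set. Otherwise return the errno value describing why. */
int ensure_parent_dir(const char *file, int mode, int create)
{
    char *copy = strdup(file);          /* dirname() may modify its argument */
    if (copy == NULL) return ENOMEM;
    const char *dir = dirname(copy);
    struct stat st; int err = 0;

    if (lstat(dir, &st) != 0) {
        err = errno;
        if (err == ENOENT && create)    /* one mkdir(): a missing grandparent still gives ENOENT */
            err = (mkdir(dir, dir_mode_for(mode)) == 0 && lstat(dir, &st) == 0) ? 0 : errno;
    }
    if (err == 0) {
        if (S_ISLNK(st.st_mode))
            err = ELOOP;        /* refuse a symlinked pid directory (example's choice) */
        else if (!S_ISDIR(st.st_mode))
            err = ENOTDIR;      /* a file sits where the directory should be */
        else if (access(dir, mode | X_OK) != 0)
            err = errno;
    }
    free(copy);
    return err;
}

/* Walk the helper through a constructed temporary tree. Returns 0 when
 * every step behaves as described, otherwise the number of the failing step. */
int run_demo(void)
{
    char base[] = "/tmp/piddir-demo-XXXXXX", path[512], dir[512];
    struct stat st;
    FILE *f;
    if (mkdtemp(base) == NULL) return 1;
    snprintf(dir, sizeof dir, "%s/openvpn", base);
    snprintf(path, sizeof path, "%s/server.pid", dir);
    /* missing directory, creation not requested: reported, nothing created */
    if (ensure_parent_dir(path, R_OK | W_OK, 0) != ENOENT) return 2;
    /* creation requested: directory appears, owner-only (umask only removes bits) */
    if (ensure_parent_dir(path, R_OK | W_OK, 1) != 0) return 3;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return 4;
    if (st.st_mode & (S_IRWXG | S_IRWXO)) return 5;
    if (ensure_parent_dir(path, R_OK | W_OK, 1) != 0) return 6;   /* idempotent */
    /* two missing levels: only one mkdir() is attempted, so still ENOENT */
    snprintf(path, sizeof path, "%s/a/b/server.pid", base);
    if (ensure_parent_dir(path, R_OK | W_OK, 1) != ENOENT) return 7;
    /* a regular file where the directory should be */
    snprintf(path, sizeof path, "%s/notadir", base);
    if ((f = fopen(path, "w")) == NULL) return 8;
    fclose(f);
    snprintf(path, sizeof path, "%s/notadir/server.pid", base);
    if (ensure_parent_dir(path, R_OK | W_OK, 1) != ENOTDIR) return 9;
    /* a symlink pointing at a directory is refused rather than followed */
    snprintf(path, sizeof path, "%s/link", base);
    if (symlink(dir, path) != 0) return 10;
    snprintf(path, sizeof path, "%s/link/server.pid", base);
    if (ensure_parent_dir(path, R_OK | W_OK, 1) != ELOOP) return 11;
    snprintf(path, sizeof path, "%s/link", base);    unlink(path);   /* tidy up */
    snprintf(path, sizeof path, "%s/notadir", base); unlink(path);
    rmdir(dir); rmdir(base);
    return 0;
}

int main(void) { return run_demo(); }   /* exit status 0: every step behaved as expected */
```

Refusing a symlinked parent is this example's hardening, not something the patch does: a pid directory is typically created and written with root's privileges, and following a link that someone else planted there is the classic way such a write ends up in the wrong place. The regular-file case shows why checking with lstat() before mkdir() gives a clearer error than letting access() fail on a file.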

Gert Doering | 8 Mar 13:56 2015

[PATCH] Fix incorrect use of get_ipv6_addr() for iroute options.

get_ipv6_addr() returns "bool/false", not "int < 0" to signal error.

Signed-off-by: Gert Doering <gert <at> greenie.muc.de>
---
 src/openvpn/options.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 20b37db..df9a641 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
 <at>  <at>  -1254,7 +1254,7  <at>  <at>  option_iroute_ipv6 (struct options *o,

   ALLOC_OBJ_GC (ir, struct iroute_ipv6, &o->gc);

-  if ( get_ipv6_addr (prefix_str, &ir->network, &ir->netbits, NULL, msglevel ) < 0 )
+  if ( !get_ipv6_addr (prefix_str, &ir->network, &ir->netbits, NULL, msglevel ))
     {
       msg (msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification",
 	   prefix_str);
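
Review bot: worth grepping the other get_ipv6_addr() callers before merging, since the `< 0` test on a bool return can never be true and lets a malformed prefix through silently, exactly as it did here for --iroute-ipv6 until the `!` form replaced it.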
-- 
2.0.5

Steffan Karger | 8 Mar 11:38 2015

Remove support for key-method 1 from master/2.4

Hi,

To create keys for the data channel, OpenVPN currently supports two 
mechanisms, 'Key method 1' and the newer 'Key method 2'.  Key method 2 
has been supported since OpenVPN 1.5, and has been the default since 
OpenVPN 2.0.  See the manpage and/or 
http://openvpn.net/index.php/open-source/documentation/security-overview.html 
for a short recap of both methods.

I think the time has come to remove support for key method 1 from 
OpenVPN.  This will allow us to remove quite a bit of legacy code, and 
will probably allow us to simplify some of the surrounding code.

However, before investing time in preparing a patch for this, I would 
like to hear if there are objections to this proposal.  So, if you have 
a setup that uses key method 1, and you want to use that setup with 
OpenVPN 2.4, or have other reasons to believe we should keep supporting 
key method 1 in OpenVPN 2.4, please speak up.

-Steffan

Steffan Karger | 8 Mar 11:20 2015

[PATCH 1/2] polarssl: add easy logging for PolarSSL errors

Add the functions polar_log_err(), polar_log_func_line() and a macro
polar_ok(), to easily log human-readable PolarSSL errors from
polarssl-specific code.

This does not provide the full logging interface that msg() has, because I
would have to add a lot more macro magic to achieve that on the
various supported compilers and platforms, and this suffices too (for
now at least).

Signed-off-by: Steffan Karger <steffan <at> karger.me>
---
 src/openvpn/crypto_polarssl.c | 27 +++++++++++++++++++++++++++
 src/openvpn/crypto_polarssl.h | 40 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 67 insertions(+)

diff --git a/src/openvpn/crypto_polarssl.c b/src/openvpn/crypto_polarssl.c
index e083398..263b4dc 100644
--- a/src/openvpn/crypto_polarssl.c
+++ b/src/openvpn/crypto_polarssl.c
 <at>  <at>  -46,6 +46,7  <at>  <at> 
 #include "misc.h"

 #include <polarssl/des.h>
+#include <polarssl/error.h>
 #include <polarssl/md5.h>
 #include <polarssl/cipher.h>
 #include <polarssl/havege.h>
 <at>  <at>  -86,6 +87,32  <at>  <at>  crypto_clear_error (void)
 {
 }

+bool polar_log_err(unsigned int flags, int errval, const char *prefix)
+{
+  if (0 != errval)
+    {
+      char errstr[256];
+      polarssl_strerror(errval, errstr, sizeof(errstr));
+
+      if (NULL == prefix) prefix = "PolarSSL error";
+      msg (flags, "%s: %s", prefix, errstr);
+    }
+
+  return 0 == errval;
+}
+
+bool polar_log_func_line(unsigned int flags, int errval, const char *func,
+    int line)
+{
+  char prefix[256];
+
+  if (!openvpn_snprintf(prefix, sizeof(prefix), "%s:%d", func, line))
+    return polar_log_err(flags, errval, func);
+
+  return polar_log_err(flags, errval, prefix);
+}
+
+
 #ifdef DMALLOC
 void
 crypto_init_dmalloc (void)
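
Review bot: the two new definitions put the return type on the same line as the name (`bool polar_log_err(unsigned int flags, int errval, const char *prefix)`), while the surrounding file puts it on its own line (`void` / `crypto_clear_error (void)`); match that, and drop one of the two blank lines added before `#ifdef DMALLOC`. One behavioural detail deserves a comment: when openvpn_snprintf() cannot fit "func:line" into the 256-byte prefix, polar_log_func_line() silently falls back to logging with only the function name, which is fine but should be stated in the header doc so nobody later "fixes" it into an error.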
diff --git a/src/openvpn/crypto_polarssl.h b/src/openvpn/crypto_polarssl.h
index b6da436..bd0f8b8 100644
--- a/src/openvpn/crypto_polarssl.h
+++ b/src/openvpn/crypto_polarssl.h
 <at>  <at>  -91,4 +91,44  <at>  <at>  ctr_drbg_context * rand_ctx_get();
 void rand_ctx_enable_prediction_resistance();
 #endif

+/**
+ * Log the supplied PolarSSL error, prefixed by supplied prefix.
+ *
+ *  <at> param flags		Flags to indicate error type and priority.
+ *  <at> param errval	PolarSSL error code to convert to error message.
+ *  <at> param prefix	Prefix to PolarSSL error message.
+ *
+ *  <at> returns true if no errors are detected, false otherwise.
+ */
+bool polar_log_err(unsigned int flags, int errval, const char *prefix);
+
+/**
+ * Log the supplied PolarSSL error, prefixed by function name and line number.
+ *
+ *  <at> param flags		Flags to indicate error type and priority.
+ *  <at> param errval	PolarSSL error code to convert to error message.
+ *  <at> param func		Function name where error was reported.
+ *  <at> param line		Line number where error was reported.
+ *
+ *  <at> returns true if no errors are detected, false otherwise.
+ */
+bool polar_log_func_line(unsigned int flags, int errval, const char *func,
+    int line);
+
+/**
+ * Check errval and log on error.
+ *
+ * Convenience wrapper to put around polarssl library calls, e.g.
+ *   if (!polar_ok(polarssl_func())) return 0;
+ * or
+ *   ASSERT (polar_ok(polarssl_func()));
+ *
+ *  <at> param errval	PolarSSL error code to convert to error message.
+ *
+ *  <at> returns true if no errors are detected, false otherwise.
+ */
+#define polar_ok(errval) \
+  polar_log_func_line(D_CRYPT_ERRORS, errval, __func__, __LINE__)
+
+
 #endif /* CRYPTO_POLARSSL_H_ */
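
Review bot: polar_ok() hard-codes D_CRYPT_ERRORS, so a call site that needs the failure to be fatal, or logged at a different level, cannot use the macro and has to spell out polar_log_func_line(M_FATAL, ..., __func__, __LINE__) itself; a second macro taking the flags, e.g. `polar_ok_flags(flags, errval)`, next to this one would keep the convenience for those cases. On the plus side `errval` appears exactly once in the macro body, so a wrapped call with side effects runs once; the doc comment could say so since that is the property callers of `ASSERT (polar_ok(polarssl_func()))` rely on.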
-- 
2.1.0

Steffan Karger | 7 Mar 17:23 2015

[PATCH] Change float log message to include common name, if available.

Makes it a lot easier to see which client is floating.

Signed-off-by: Steffan Karger <steffan <at> karger.me>
---
 src/openvpn/multi.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 4412491..b0f66ca 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
 <at>  <at>  -2151,8 +2151,11  <at>  <at>  void multi_process_float (struct multi_context* m, struct multi_instance* mi)
       multi_close_instance(m, ex_mi, false);
     }

-    msg (D_MULTI_MEDIUM, "peer %" PRIu32 " floated from %s to %s", mi->context.c2.tls_multi->peer_id,
-        mroute_addr_print (&mi->real, &gc), print_link_socket_actual (&m->top.c2.from, &gc));
+    msg (D_MULTI_MEDIUM, "peer %" PRIu32 " (%s) floated from %s to %s",
+	mi->context.c2.tls_multi->peer_id,
+	tls_common_name (mi->context.c2.tls_multi, false),
+	mroute_addr_print (&mi->real, &gc),
+	print_link_socket_actual (&m->top.c2.from, &gc));

     ASSERT (hash_remove(m->hash, &mi->real));
     ASSERT (hash_remove(m->iter, &mi->real));
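
Review bot: the continuation lines of the new msg() call are indented with a tab, while the first line of the call and the rest of the code in this hunk use spaces; reindent with spaces so the file does not end up with mixed indentation in one statement. The message itself is fine: peer_id, common name, old and new address all on one line makes the floating client identifiable at a glance.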
-- 
2.1.0

Nicholas Hall | 6 Mar 20:07 2015

[PATCH] Fix autotools check for res_init

The autotools configure check fails to detect res_init on recent glibc
versions.  It appears that resolv.h in recent glibc maps res_init to
__res_init, which autotools doesn't catch.

This is my first patch ever to anything autotools related.  I used the
check that ntpd uses and tested on Debian 8 x64 (glibc 2.19) and
LFS 7.4 (glibc 2.18) successfully.

This fixes bug #525
https://community.openvpn.net/openvpn/ticket/523
---
 configure.ac         | 14 ++++++++------
 src/openvpn/socket.c |  4 ++++
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/configure.ac b/configure.ac
index 9132468..c4db43a 100644
--- a/configure.ac
+++ b/configure.ac
 <at>  <at>  -613,12 +613,14  <at>  <at>  AC_SUBST([SOCKETS_LIBS])
 old_LIBS="${LIBS}"
 LIBS="${LIBS} ${SOCKETS_LIBS}"
 AC_CHECK_FUNCS([sendmsg recvmsg inet_ntop inet_pton])
-AC_CHECK_FUNCS(
-    [res_init],
-    ,
-    ,
-    [[#include <resolv.h>]]
-)
+AC_SEARCH_LIBS([res_init], [resolv], [], [], [-lsocket -lnsl])
+case "$host" in
+    *-*-darwin*)
+        AC_CHECK_LIB([resolv],[res_9_init])
+        ;;
+esac
+AC_HEADER_RESOLV
+AC_CHECK_FUNCS([res_init __res_init])
 # Windows use stdcall for winsock so we cannot auto detect these
 m4_define(
     [SOCKET_FUNCS],
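
Review bot: `old_LIBS="${LIBS}"` at the top of this hunk indicates LIBS is restored after the socket checks; if it is, the -lresolv that AC_SEARCH_LIBS([res_init], [resolv], ...) adds to LIBS is thrown away and the final link of socket.c will miss it, so the found library needs to land in SOCKETS_LIBS (or another substituted variable) rather than in LIBS. Also, the removed check compiled with `#include <resolv.h>`, which made the res_init to __res_init macro visible to the test program; AC_CHECK_FUNCS([res_init __res_init]) runs without that include, which is presumably why both spellings are probed, and a one-line comment saying so would spare the next reader the same archaeology.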
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index f5c740d..5f98f01 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
 <at>  <at>  -41,6 +41,10  <at>  <at> 
 #include "manage.h"
 #include "openvpn.h"

+#if !defined(HAVE_RES_INIT) && defined(HAVE___RES_INIT)
+# define HAVE_RES_INIT
+#endif
+
 #include "memdbg.h"

 const int proto_overhead[] = { /* indexed by PROTO_x */
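
Review bot: the `#define HAVE_RES_INIT` shim is placed after the `#include` block, so any header above it (openvpn.h and everything it pulls in) that keys on HAVE_RES_INIT has already been preprocessed without the define; either move the three lines above the first include or, better, do the mapping once in configure.ac with AC_DEFINE so config.h carries a single HAVE_RES_INIT and no C file needs to know about __res_init. The patch is also missing a Signed-off-by line.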
-- 
2.1.4
