| From: James Y. <ja...@op...> - 2013-07-28 22:05:55 |
Fixes to allow compilation with Microsoft Visual Studio 2008 * Fixed several instances of declarations after statements. * In socket.c, fixed issue where uninitialized value (err) is being passed to gai_strerror. * ssl.c is trying to access multi_output_peer_info_env function in multi.c, causing an undefined symbol warning at compile time. ssl.c is strictly a client of multi.c (but not the other way around), therefore ssl.c does not include multi.h and should not depend on multi.h API. To fix, moved validate_peer_info_line and multi_output_peer_info_env from multi.c to misc.c. * MSVC doesn't support %z as a printf format specifier for size_t * MSVC doesn't support a const variable being used to dimension an array. * Explicitly cast the third parameter to setsockopt to const void * --- src/openvpn/init.c | 10 ++++---- src/openvpn/misc.c | 56 +++++++++++++++++++++++++++++++++++++++++++++ src/openvpn/misc.h | 7 ++++++ src/openvpn/multi.c | 52 ----------------------------------------- src/openvpn/multi.h | 3 --- src/openvpn/socket.c | 5 ++-- src/openvpn/socket.h | 2 +- src/openvpn/ssl.c | 2 +- src/openvpn/ssl_openssl.c | 7 +++--- src/openvpn/win32.c | 6 ++--- 10 files changed, 79 insertions(+), 71 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index fb14726..031fb20 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c 
@@ -183,10 +183,12 @@ ce_management_query_proxy (struct context *c) if (management) { gc = gc_new (); - struct buffer out = alloc_buf_gc (256, &gc); - buf_printf (&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1, - (proto_is_udp (ce->proto) ? "UDP" : "TCP"), np (ce->remote)); - management_notify_generic (management, BSTR (&out)); + { + struct buffer out = alloc_buf_gc (256, &gc); + buf_printf (&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1, + (proto_is_udp (ce->proto) ? "UDP" : "TCP"), np (ce->remote)); + management_notify_generic (management, BSTR (&out)); + } ce->flags |= CE_MAN_QUERY_PROXY; while (ce->flags & CE_MAN_QUERY_PROXY) { diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index 1120adc..4688444 100644 --- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c 
@@ -2063,3 +2063,59 @@ compat_flag (unsigned int flag) return (compat_flags & (flag >> 1)); } + +#if P2MP_SERVER + +/* helper to parse peer_info received from multi client, validate + * (this is untrusted data) and put into environment + */ +bool +validate_peer_info_line(char *line) +{ + uint8_t c; + int state = 0; + while (*line) + { + c = *line; + switch (state) + { + case 0: + case 1: + if (c == '=' && state == 1) + state = 2; + else if (isalnum(c) || c == '_') + state = 1; + else + return false; + case 2: + /* after the '=', replace non-printable or shell meta with '_' */ + if (!isprint(c) || isspace(c) || + c == '$' || c == '(' || c == '`' ) + *line = '_'; + } + line++; + } + return (state == 2); +} + +void +output_peer_info_env (struct env_set *es, const char * peer_info) +{ + char line[256]; + struct buffer buf; + buf_set_read (&buf, (const uint8_t *) peer_info, strlen(peer_info)); + while (buf_parse (&buf, '\n', line, sizeof (line))) + { + chomp (line); + if (validate_peer_info_line(line) && + (strncmp(line, "IV_", 3) == 0 || strncmp(line, "UV_", 3) == 0) ) + { + msg (M_INFO, "peer info: %s", line); + env_set_add(es, line); + } + else + msg (M_WARN, "validation failed on peer_info line received from client"); + } +} + +#endif /* P2MP_SERVER */ diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h index 183898e..41748bd 100644 --- a/src/openvpn/misc.h +++ b/src/openvpn/misc.h @@ -369,4 +369,11 @@ void argv_printf_cat (struct argv *a, const char *format, ...) #define COMPAT_NO_NAME_REMAPPING (1<<2) /** compat flag: --compat-names without char remapping */ bool compat_flag (unsigned int flag); +#if P2MP_SERVER +/* helper to parse peer_info received from multi client, validate + * (this is untrusted data) and put into environment */ +bool validate_peer_info_line(char *line); +void output_peer_info_env (struct env_set *es, const char * peer_info); +#endif /* P2MP_SERVER */ + #endif 
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 50f398d..f016b14 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -1562,58 +1562,6 @@ multi_client_connect_mda (struct multi_context *m, #endif -/* helper to parse peer_info received from multi client, validate - * (this is untrusted data) and put into environment - */ -bool -validate_peer_info_line(char *line) -{ - uint8_t c; - int state = 0; - while (*line) - { - c = *line; - switch (state) - { - case 0: - case 1: - if (c == '=' && state == 1) - state = 2; - else if (isalnum(c) || c == '_') - state = 1; - else - return false; - case 2: - /* after the '=', replace non-printable or shell meta with '_' */ - if (!isprint(c) || isspace(c) || - c == '$' || c == '(' || c == '`' ) - *line = '_'; - } - line++; - } - return (state == 2); -} - -void -multi_output_peer_info_env (struct env_set *es, const char * peer_info) -{ - char line[256]; - struct buffer buf; - buf_set_read (&buf, (const uint8_t *) peer_info, strlen(peer_info)); - while (buf_parse (&buf, '\n', line, sizeof (line))) - { - chomp (line); - if (validate_peer_info_line(line) && - (strncmp(line, "IV_", 3) == 0 || strncmp(line, "UV_", 3) == 0) ) - { - msg (M_INFO, "peer info: %s", line); - env_set_add(es, line); - } - else - msg (M_WARN, "validation failed on peer_info line received from client"); - } -} - static void multi_client_connect_setenv (struct multi_context *m, struct multi_instance *mi) diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h index 7b97b0d..fc2ffb2 100644 --- a/src/openvpn/multi.h +++ b/src/openvpn/multi.h @@ -312,9 +312,6 @@ void multi_close_instance_on_signal (struct multi_context *m, struct multi_insta void init_management_callback_multi (struct multi_context *m); void uninit_management_callback_multi (struct multi_context *m); -bool validate_peer_info_line(char *line); -void multi_output_peer_info_env (struct env_set *es, const char * peer_info); - /* * Return true if our output queue is not full */ 
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index 40356a0..3c0a379 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -1158,7 +1158,6 @@ resolve_bind_local (struct link_socket *sock) case AF_INET6: { int status; - int err; CLEAR(sock->info.lsa->local.addr.in6); if (sock->local_host) { @@ -1181,7 +1180,7 @@ resolve_bind_local (struct link_socket *sock) { msg (M_FATAL, "getaddr6() failed for local \"%s\": %s", sock->local_host, - gai_strerror(err)); + gai_strerror(status)); } sock->info.lsa->local.addr.in6.sin6_port = htons (sock->local_port); } @@ -1235,6 +1234,7 @@ resolve_remote (struct link_socket *sock, unsigned int flags = sf2gaf(GETADDR_RESOLVE|GETADDR_UPDATE_MANAGEMENT_STATE, sock->sockflags); int retry = 0; int status = -1; + struct addrinfo* ai; if (sock->connection_profiles_defined && sock->resolve_retry_seconds == RESOLV_RETRY_INFINITE) { @@ -1271,7 +1271,6 @@ resolve_remote (struct link_socket *sock, ASSERT (0); } - struct addrinfo* ai; /* Temporary fix, this need to be changed for dual stack */ status = openvpn_getaddrinfo(flags, sock->remote_host, retry, signal_received, af, &ai); diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h index 4e7e7f8..793cd9f 100644 --- a/src/openvpn/socket.h +++ b/src/openvpn/socket.h @@ -1023,7 +1023,7 @@ static inline void link_socket_set_tos (struct link_socket *ls) { if (ls && ls->ptos_defined) - setsockopt (ls->sd, IPPROTO_IP, IP_TOS, &ls->ptos, sizeof (ls->ptos)); + setsockopt (ls->sd, IPPROTO_IP, IP_TOS, (const void *)&ls->ptos, sizeof (ls->ptos)); } #endif diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index e4b802f..69f77f3 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c 
@@ -2062,7 +2062,7 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi free (multi->peer_info); multi->peer_info = read_string_alloc (buf); if ( multi->peer_info ) - multi_output_peer_info_env (session->opt->es, multi->peer_info); + output_peer_info_env (session->opt->es, multi->peer_info); #endif if (verify_user_pass_enabled(session)) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 12c725d..ec76b30 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -242,8 +242,7 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) const tls_cipher_name_pair *cipher_pair; - const size_t openssl_ciphers_size = 4096; - char openssl_ciphers[openssl_ciphers_size]; + char openssl_ciphers[4096]; size_t openssl_ciphers_len = 0; openssl_ciphers[0] = '\0'; @@ -282,8 +281,8 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) } // Make sure new cipher name fits in cipher string - if (((openssl_ciphers_size-1) - openssl_ciphers_len) < current_cipher_len) { - msg(M_SSLERR, "Failed to set restricted TLS cipher list, too long (>%zu).", openssl_ciphers_size-1); + if (((sizeof(openssl_ciphers)-1) - openssl_ciphers_len) < current_cipher_len) { + msg(M_SSLERR, "Failed to set restricted TLS cipher list, too long (>%d).", (int)sizeof(openssl_ciphers)-1); } // Concatenate cipher name to OpenSSL cipher string diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c index 178e2c3..022eec5 100644 --- a/src/openvpn/win32.c +++ b/src/openvpn/win32.c @@ -870,6 +870,9 @@ openvpn_execve (const struct argv *a, const struct env_set *es, const unsigned i WCHAR *cl = wide_cmd_line (a, &gc); WCHAR *cmd = wide_string (a->argv[0], &gc); + /* this allows console programs to run, and is ignored otherwise */ + DWORD proc_flags = CREATE_NO_WINDOW; + CLEAR (start_info); CLEAR (proc_info); 
@@ -879,9 +882,6 @@ openvpn_execve (const struct argv *a, const struct env_set *es, const unsigned i start_info.dwFlags = STARTF_USESHOWWINDOW; start_info.wShowWindow = SW_HIDE; - /* this allows console programs to run, and is ignored otherwise */ - DWORD proc_flags = CREATE_NO_WINDOW; - if (CreateProcessW (cmd, cl, NULL, NULL, FALSE, proc_flags, env, NULL, &start_info, &proc_info)) { DWORD exit_status = 0; -- 1.7.9.5 |
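Review bot: in the init.c hunk, the bare `{ ... }` block around `struct buffer out` fixes the declaration-after-statement error but differs from the socket.c and win32.c hunks of this same patch, which hoist the declaration (`struct addrinfo* ai;`, `DWORD proc_flags`) to the top of the enclosing block instead; declaring `struct buffer out;` beside `gc` and assigning `out = alloc_buf_gc (256, &gc);` after the `gc_new ()` call would keep one style across the patch and avoid the extra nesting level.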
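Review bot: the commit message describes the multi.c to misc.c change as a move, but the misc.c, misc.h and ssl.c hunks also rename `multi_output_peer_info_env` to `output_peer_info_env`; either mention the rename in the message or keep the name, so that the removed multi.c block and the added misc.c block diff clean and the move is verifiably pure code motion. In the moved `validate_peer_info_line`, the `case 0:`/`case 1:` arm falls into `case 2:` with no `break`; this is harmless because an alphanumeric, `_` or `=` character passes the case 2 filter untouched, but a `/* fall through */` comment would document that it is intended.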
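Review bot: in the ssl_openssl.c hunk, `(int)sizeof(openssl_ciphers)-1` casts before subtracting, so the printed value is 4095 as intended, but parenthesising the whole expression would make that obvious; and rather than downgrading `%zu` to `%d` for every compiler, `(unsigned long)(sizeof(openssl_ciphers)-1)` with `%lu` keeps the value unsigned and is portable to MSVC as well.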
| From: Michal L. <ml...@lo...> - 2013-07-15 12:17:32 |
Make OpenVPN read the username from the auth file parameter of --auth-user-pass and prompt for a password if it's not in the file. Rationale: Prior to this change OpenVPN either required both username and password present in the auth file or prompted for both on the console. Unlike passwords usernames usually don't change and can therefore be "hardcoded" in the config. Signed-off-by: Michal Ludvig <ml...@lo...> --- doc/openvpn.8 | 3 +- src/openvpn/misc.c | 110 ++++++++++++++++++++++++++------------------------ src/openvpn/options.c | 3 +- 3 files changed, 62 insertions(+), 54 deletions(-) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index f74fe81..7ea204d 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -3601,7 +3601,8 @@ over the client's routing table. .B \-\-auth-user-pass [up] Authenticate with server using username/password. .B up -is a file containing username/password on 2 lines (Note: OpenVPN +is a file containing username/password on 2 lines. If the +password line is missing OpenVPN will prompt for one. (Note: OpenVPN will only read passwords from a file if it has been built with the \-\-enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in win/settings.in). diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index 1120adc..0362d6c 100644 --- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c @@ -1036,7 +1036,9 @@ get_user_pass_cr (struct user_pass *up, if (!up->defined) { - const bool from_stdin = (!auth_file || !strcmp (auth_file, "stdin")); + bool from_authfile = (auth_file && strcmp (auth_file, "stdin") != 0); + bool username_from_stdin = !from_authfile; + bool password_from_stdin = !from_authfile; if (flags & GET_USER_PASS_PREVIOUS_CREDS_FAILED) msg (M_WARN, "Note: previous '%s' credentials failed", prefix); 
@@ -1046,7 +1048,7 @@ get_user_pass_cr (struct user_pass *up, * Get username/password from management interface? */ if (management - && ((auth_file && streq (auth_file, "management")) || (from_stdin && (flags & GET_USER_PASS_MANAGEMENT))) + && ((auth_file && streq (auth_file, "management")) || (username_from_stdin && (flags & GET_USER_PASS_MANAGEMENT))) && management_query_user_pass_enabled (management)) { const char *sc = NULL; 
@@ -1083,11 +1085,61 @@ get_user_pass_cr (struct user_pass *up, if (!strlen (up->password)) strcpy (up->password, "ok"); } - + else if (from_authfile) + { + /* + * Try to get username/password from a file. + */ + FILE *fp; + char password_buf[USER_PASS_LEN] = { '\0' }; + + warn_if_group_others_accessible (auth_file); + + fp = platform_fopen (auth_file, "r"); + if (!fp) + msg (M_ERR, "Error opening '%s' auth file: %s", prefix, auth_file); + + if ((flags & GET_USER_PASS_PASSWORD_ONLY) == 0) + { + /* Read username first */ + if (fgets (up->username, USER_PASS_LEN, fp) == NULL) + msg (M_FATAL, "Error reading username from %s authfile: %s", + prefix, + auth_file); + } + chomp (up->username); + + if (fgets (password_buf, USER_PASS_LEN, fp) != NULL) + { +#ifndef ENABLE_PASSWORD_SAVE + /* + * Unless ENABLE_PASSWORD_SAVE is defined, don't allow sensitive passwords + * to be read from a file. + */ + if (flags & GET_USER_PASS_SENSITIVE) + msg (M_FATAL, "Sorry, '%s' password cannot be read from a file", prefix); +#endif + chomp (password_buf); + } + + if (flags & GET_USER_PASS_PASSWORD_ONLY && !password_buf[0]) + msg (M_FATAL, "Error reading password from %s authfile: %s", prefix, auth_file); + + if (password_buf[0]) + strncpy(up->password, password_buf, USER_PASS_LEN); + else + password_from_stdin = 1; + + fclose (fp); + + if (!(flags & GET_USER_PASS_PASSWORD_ONLY) && strlen (up->username) == 0) + msg (M_FATAL, "ERROR: username from %s authfile '%s' is empty", prefix, auth_file); + } + /* * Get username/password from standard input? */ - else if (from_stdin) + if (username_from_stdin || password_from_stdin) { #ifdef ENABLE_CLIENT_CR if (auth_challenge && (flags & GET_USER_PASS_DYNAMIC_CHALLENGE)) 
@@ -1119,7 +1171,7 @@ get_user_pass_cr (struct user_pass *up, buf_printf (&user_prompt, "Enter %s Username:", prefix); buf_printf (&pass_prompt, "Enter %s Password:", prefix); - if (!(flags & GET_USER_PASS_PASSWORD_ONLY)) + if (username_from_stdin && !(flags & GET_USER_PASS_PASSWORD_ONLY)) { if (!get_console_input (BSTR (&user_prompt), true, up->username, USER_PASS_LEN)) msg (M_FATAL, "ERROR: could not read %s username from stdin", prefix); @@ -1127,7 +1179,7 @@ get_user_pass_cr (struct user_pass *up, msg (M_FATAL, "ERROR: %s username is empty", prefix); } - if (!get_console_input (BSTR (&pass_prompt), false, up->password, USER_PASS_LEN)) + if (password_from_stdin && !get_console_input (BSTR (&pass_prompt), false, up->password, USER_PASS_LEN)) msg (M_FATAL, "ERROR: could not not read %s password from stdin", prefix); #ifdef ENABLE_CLIENT_CR 
@@ -1153,52 +1205,6 @@ get_user_pass_cr (struct user_pass *up, #endif } } - else - { - /* - * Get username/password from a file. - */ - FILE *fp; - -#ifndef ENABLE_PASSWORD_SAVE - /* - * Unless ENABLE_PASSWORD_SAVE is defined, don't allow sensitive passwords - * to be read from a file. - */ - if (flags & GET_USER_PASS_SENSITIVE) - msg (M_FATAL, "Sorry, '%s' password cannot be read from a file", prefix); -#endif - - warn_if_group_others_accessible (auth_file); - - fp = platform_fopen (auth_file, "r"); - if (!fp) - msg (M_ERR, "Error opening '%s' auth file: %s", prefix, auth_file); - - if (flags & GET_USER_PASS_PASSWORD_ONLY) - { - if (fgets (up->password, USER_PASS_LEN, fp) == NULL) - msg (M_FATAL, "Error reading password from %s authfile: %s", - prefix, - auth_file); - } - else - { - if (fgets (up->username, USER_PASS_LEN, fp) == NULL - || fgets (up->password, USER_PASS_LEN, fp) == NULL) - msg (M_FATAL, "Error reading username and password (must be on two consecutive lines) from %s authfile: %s", - prefix, - auth_file); - } - - fclose (fp); - - chomp (up->username); - chomp (up->password); - - if (!(flags & GET_USER_PASS_PASSWORD_ONLY) && strlen (up->username) == 0) - msg (M_FATAL, "ERROR: username from %s authfile '%s' is empty", prefix, auth_file); - } string_mod (up->username, CC_PRINT, CC_CRLF, 0); string_mod (up->password, CC_PRINT, CC_CRLF, 0); diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 2191916..dc445dd 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -495,7 +495,8 @@ static const char usage_message[] = "--client : Helper option to easily configure client mode.\n" "--auth-user-pass [up] : Authenticate with server using username/password.\n" " up is a file containing username/password on 2 lines,\n" - " or omit to prompt from console.\n" + " or provide only username on one line and be prompted\n" + " for password or omit to prompt for both from console.\n" "--pull : Accept certain config file options from the peer as if they\n" " were part of the local config file. Must be specified\n" " when connecting to a '--mode server' remote host.\n" -- 1.8.1.4 |
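Review bot: in the misc.c hunk that introduces the `else if (from_authfile)` block, `password_from_stdin = 1;` stores an int in a variable the first hunk declares as `bool`; write `true`. The test `if (flags & GET_USER_PASS_PASSWORD_ONLY && !password_buf[0])` is correct only because `&` binds tighter than `&&`, so parenthesise it as `(flags & GET_USER_PASS_PASSWORD_ONLY)` like the neighbouring checks. `chomp (up->username);` has also ended up outside the `if ((flags & GET_USER_PASS_PASSWORD_ONLY) == 0)` block, so in password-only mode it chomps a buffer this code never filled; move it inside. Finally, the `#ifndef ENABLE_PASSWORD_SAVE` refusal for `GET_USER_PASS_SENSITIVE` now triggers only when the file actually contains a second line, and only after that line has been read into `password_buf`, where it used to fire before the file was even opened; that relaxation is the point of the patch, but the commit message should state it, since it changes when "cannot be read from a file" appears.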
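Review bot: in the options.c usage hunk, "or provide only username on one line and be prompted for password or omit to prompt for both from console." is hard to parse; the openvpn.8 hunk in this same patch already has clearer wording ("If the password line is missing OpenVPN will prompt for one."), so the usage text could mirror it, e.g. "if the file holds only a username, the password is prompted for; omit up to prompt for both."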
| From: David S. <ope...@to...> - 2013-07-12 14:52:42 |
On 12/07/13 12:18, Michael Ludvig wrote:
> Hi
>
> I'm having troubles with client-connect and client-disconnect scripts in
> OpenVPN 2.3.2.
>
> 1) client-connect script is called on the server only once (maybe once
> for each user?) and on subsequent connects its previous output is
> re-used but the script isn't called again. It looks like the config
> produced by the script is cached - can I somehow disable that caching
> and force calling the script for every client connect?
>
> 2) client-disconnect never seems to be called. If I successfully connect
> and then kill the client the disconnect is never called. I tried to
> wait for a timeout for openvpn to realise the other end has died but it
> never happened.
>
> Any idea what's causing these problems and how to make openvpn do
> what I want? That is call the scripts on all client connects and
> disconnects?

I believe 1) and 2) are connected in your case. I've not poked much at the source code yet, but I have some similar experiences when working with my eurephia plug-in.

It's hard to say exactly what's happening without seeing client and server logs and configs. But it sounds like you're experiencing a re-connection scenario. This isn't necessarily so obvious if you're using UDP, as this is a stateless connection. In TCP mode, OpenVPN will close the connection with the server explicitly, which should trigger the disconnect script. However in UDP mode, there's no explicit disconnection. So if you reconnect with UDP, it might actually try its best to re-establish the previous connection.

If you wait until a connection time-out happens (I believe the default is 2 minutes, defined by --ping-restart), see if your disconnect script is called then. If this is the issue you're hitting, you can try to add --explicit-exit-notify to your client configs if you're using UDP. You can also try TCP and see if that changes the behaviour - but of course, we don't recommend TCP mode if UDP works for you.
-- kind regards, David Sommerseth |
| From: Michael L. <ml...@lo...> - 2013-07-12 10:46:21 |
Hi

I'm having troubles with client-connect and client-disconnect scripts in OpenVPN 2.3.2.

1) client-connect script is called on the server only once (maybe once for each user?) and on subsequent connects its previous output is re-used but the script isn't called again. It looks like the config produced by the script is cached - can I somehow disable that caching and force calling the script for every client connect?

2) client-disconnect never seems to be called. If I successfully connect and then kill the client the disconnect is never called. I tried to wait for a timeout for openvpn to realise the other end has died but it never happened.

Any idea what's causing these problems and how to make openvpn do what I want? That is call the scripts on all client connects and disconnects?

Thanks!

Michael |
| From: Peter M. <me...@gm...> - 2013-07-12 10:32:08 |
Hi,

I just updated the Android app to "OpenVPN Connect 1.1.12 (build 45)" and it works flawlessly.

Thanks a lot!!!

Best regards,
Peter

On 11.07.2013 10:48, Peter Meiser wrote:
> Hi Steffan,
>
> please find attached the logs, both for PolarSSL and OpenSSL (which works).
>
> Best regards,
> Peter
>
> On 09.07.2013 14:41, Steffan Karger wrote:
>> On 07/09/2013 11:09 AM, p.j...@po... wrote:
>>> Yeah!
>>>
>>> -82 is: POLARSSL_ERR_NET_WANT_READ
>>>
>>> It means that somewhere in the code, OpenVPN calls a read() or a write() and
>>> seems to not handle the return value properly.
>>
>> I've peeked into the code, but in all cases where ssl_read() or
>> ssl_write() is called, there is a check for a POLARSSL_ERR_NET_WANT_READ
>> or POLARSSL_ERR_NET_WANT_WRITE return value. In those cases, no error is
>> returned and a read or write will be retried later on, but the polarssl
>> debugging output will still be printed. It could very well be that this
>> is not the actual issue.
>>
>> Peter, do you perhaps have full, possibly redacted, logs available?
>>
>> -Steffan
>>
>> ------------------------------------------------------------------------------
>> See everything from the browser to the database with AppDynamics
>> Get end-to-end visibility with application monitoring from AppDynamics
>> Isolate bottlenecks and diagnose root cause in seconds.
>> Start your free trial of AppDynamics Pro today!
>> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
>> _______________________________________________
>> Openvpn-devel mailing list
>> Ope...@li...
>> https://lists.sourceforge.net/lists/listinfo/openvpn-devel |
| From: richard -r. w. <ric...@gm...> - 2013-07-12 06:38:53 |
On Wed, Jul 10, 2013 at 2:25 PM, richard -rw- weinberger <ric...@gm...> wrote:
> Hi!
>
> I'm facing a strange issue on Windows 8.
> It happens very often that the TUN/TAP adapter is not started and
> OpenVPN is unable to setup IPs and routes.
>
> openvpn.exe writes over and over "Waiting for TUN/TAP interface to come up...".
> After ~30 seconds it continues without a proper network configuration.
> This is very nasty because from the user's point of view it looks like
> the tunnel is up but nothing works.
>
> On the net I found some half-baked "solutions" for that issue.
> Like disabling the Windows Firewall, disabling IPv6, setting the
> DHCP-Client service to autostart, and so on. But nothing helped so far
> nor really explained the root issue.
>
> Please see the attached log file.
> (It is slightly censored to hide my customer's name and public IP.)
>
> I also ran Wireshark on my TUN/TAP device while connecting.
> When facing the issue zero packets were captured. So, it is not really
> a networking issue between server and client.
>
> Can you please help me?

CC'ing openvpn-devel to reach the right audience.

--
Thanks,
//richard |
| From: Samuli S. <sa...@op...> - 2013-07-12 06:19:17 |
Hi,

Here's the summary of the previous IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-devel on irc.freenode.net
Date: Thursday 11th Jul 2013
Time: 18:00 UTC

Planned meeting topics for this meeting were on this page:

<https://community.openvpn.net/openvpn/wiki/Topics-2013-07-11>

Your local meeting time is easy to check from services such as

<http://www.timeanddate.com/worldclock>

or with

$ date -u

SUMMARY

cron2, dazo, jamesyonan, krzee, mattock, plaisthos and syzzer participated in this meeting.

--

Discussed the two-part "TLS versioning" patch:

<http://news.gmane.org/find-root.php?message_id=%3C5...@op...%3E>
<https://github.com/jamesyonan/openvpn/commit/03a5599202bdc3ba07983dc4efdae387fb8fb436>
<https://github.com/jamesyonan/openvpn/commit/d23005413b0e0f28a3c48a6342f494763d5c9b40>

Also discussed the "setenv opt" patch:

<https://github.com/jamesyonan/openvpn/commit/27713761e4110bb92f1c6dfe85db291e8c6e0f56>

Both were ACKed in the previous meeting and the first one was merged during the meeting.

--

Discussed the "Add support to ignore specific options" patch:

<http://news.gmane.org/find-root.php?message_id=%3C1...@rf...%3E>

This patch already has a feature-ACK from the previous meeting. Agreed that the code itself needs some changes before being merged to master.

--

Discussed the "Always load intermediate certificates from a PKCS#12 file" patch:

<http://news.gmane.org/find-root.php?message_id=%3Ca...@ja...%3E>

Currently the use of the "ca" parameter prevents any intermediate certificates from a pkcs12 store from being loaded. This patch fixes that behaviour by sending intermediate certificates regardless of the "ca" parameter.

Agreed that this patch fixes a bug, and it was given an ACK by jamesyonan, plaisthos and syzzer. Although this patch is OpenSSL-specific, that's not an issue because OpenVPN 3.0 only supports PKCS12 via keychains and PolarSSL does not yet support PKCS12 at all.
--- Full chatlog as an attachment -- Samuli Seppänen Community Manager OpenVPN Technologies, Inc irc freenode net: mattock |
| From: David S. <da...@us...> - 2013-07-11 18:54:02 |
From: David Sommerseth <da...@re...>

Your patch has been applied to the master branch.

commit 35e5d8c5f05a1821a5ca4384462427b00b871f82
Author: James Yonan
Date: Mon Jun 10 22:59:30 2013 -0600

TLS version negotiation

Signed-off-by: James Yonan <ja...@op...>
Acked-by: Gert Doering <ge...@gr...>
Acked-by: Arne Schwabe <ar...@rf...>
URL: http://thread.gmane.org/gmane.network.openvpn.devel/7743
URL: http://thread.gmane.org/gmane.network.openvpn.devel/7744
Message-Id: 51C...@op...
Signed-off-by: David Sommerseth <da...@re...>

--
kind regards,
David Sommerseth |
| From: Gert D. <ge...@gr...> - 2013-07-11 18:24:37 |
Hi, On Fri, Jun 21, 2013 at 02:43:30PM +0200, Arne Schwabe wrote: > +.B \-\-ignore-unknown-option opt1 opt2 opt3 ... optN > +When one of options Feature-ACK, but the code confuses me a bit... > + else if (streq (p[0], "ignore-unknown-option") && p[1]) > + { > + int i; > + int j; > + int numignored=0; > + const char **ignore; > + > + VERIFY_PERMISSION (OPT_P_GENERAL); > + /* Find out how many options to be ignored */ > + for (i=1;p[i];i++) > + numignored++; > + > + numignored=i; This... (I think the "numignored=i" bit should just go - while it does not harm, it doesn't help, and confuses people :-)) > + { > + const char* opt = options->ignore_unknown_option[i]; > + > + if (streq(p[0], opt)) ... and I'm not *so* happy about that either - if you only need "opt" once, why add an extra variable for that? Code is technically OK, though. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany ge...@gr... fax: +49-89-35655025 ge...@ne... |
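Review bot: in the quoted counting loop, `for (i=1;p[i];i++) numignored++;` leaves `numignored` equal to the number of options and `i` equal to that number plus one, so the following `numignored=i;` does not merely repeat the count, it overwrites it with count+1; drop that line rather than keeping it as a harmless no-op.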
| From: Samuli S. <sa...@op...> - 2013-07-11 16:23:45 |
Hi, We're having an IRC meeting today, starting at 18:00 UTC on #ope...@ir.... Current topic list is here: <https://community.openvpn.net/openvpn/wiki/Topics-2013-07-11> If you have any other things you'd like to bring up, respond to this mail, send me mail privately or add them to the list yourself. In case you can't attend the meeting, please feel free to make comments on the topics by responding to this email or to the summary email sent after the meeting. Whenever possible, we'll also respond to existing, related email threads. NOTE: It's required to use a registered Freenode IRC nickname to join #openvpn-devel - look here for details: <https://community.openvpn.net/openvpn/wiki/GettingHelp#DeveloperIRCchannel> -- Samuli Seppänen Community Manager OpenVPN Technologies, Inc irc freenode net: mattock |
| From: Peter M. <me...@gm...> - 2013-07-11 08:54:09 |
Hi Steffan,

please find attached the logs, both for PolarSSL and OpenSSL (which works).

Best regards,
Peter

On 09.07.2013 14:41, Steffan Karger wrote:
> On 07/09/2013 11:09 AM, p.j...@po... wrote:
>> Yeah!
>>
>> -82 is: POLARSSL_ERR_NET_WANT_READ
>>
>> It means that somewhere in the code, OpenVPN calls a read() or a write() and
>> seems to not handle the return value properly.
>
> I've peeked into the code, but in all cases where ssl_read() or
> ssl_write() is called, there is a check for a POLARSSL_ERR_NET_WANT_READ
> or POLARSSL_ERR_NET_WANT_WRITE return value. In those cases, no error is
> returned and a read or write will be retried later on, but the polarssl
> debugging output will still be printed. It could very well be that this
> is not the actual issue.
>
> Peter, do you perhaps have full, possibly redacted, logs available?
>
> -Steffan |
| From: Josh C. <jos...@us...> - 2013-07-09 17:55:50 |
I've recently done a complete re-write of the Easy-RSA codebase and have a beta-release (currently beta-2) available at the following project homepage: http://pekster.sdf.org/code/projects/easyrsa3.html This beta is open for comment and suggestions. Still on the TODO list is integration for PKCS#11 support, including forward-porting an open github pull request for smartcard improvements from the 2.x project. I wanted to get a beta released prior to smartcard support for general consumption and comment; I'm particularly interested in feedback from Windows users and use by batch-mode (non-interactive) callers of any platform. The overall design goals are similar to the 2.x series including using a portable shell backend. A short improvements list can be found on the project page, but the two largest advantages include a simpler X.509 Subject format that does away with all the unnecessary location fields by default, and a unified codebase that runs the same shell code on Unix-alikes as well as Windows. Mandatory use of the 'vars' file is also done away with, making invocation and use easier for most common tasks, including use with OpenVPN. -- Josh |
| From: Steffan K. <ste...@fo...> - 2013-07-09 12:43:46 |
On 07/09/2013 11:09 AM, p.j...@po... wrote: > Yeah! > > -82 is: POLARSSL_ERR_NET_WANT_READ > > It means that somewhere in the code, OpenVPN calls a read() or a write() and > seems to not handle the return value properly. I've peeked into the code, but in all cases where ssl_read() or ssl_write() is called, the return value is checked for POLARSSL_ERR_NET_WANT_READ or POLARSSL_ERR_NET_WANT_WRITE. In those cases, no error is returned and a read or write will be retried later on, but the polarssl debugging output will still be printed. It could very well be that this is not the actual issue. Peter, do you perhaps have full, possibly redacted, logs available? -Steffan |
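Steffan's point above, that a -82 in the PolarSSL debug output is not by itself evidence of a mishandled return value, is easiest to see in code. The following is an added example and not OpenVPN's or PolarSSL's code: it models a caller driving a non-blocking handshake against a scripted transport and shows how WANT_READ/WANT_WRITE must be treated as "retry later" while a real failure such as the MAC error in Peter's report is fatal. Only the -82 value is taken from the log on this page; the WANT_WRITE and INVALID_MAC constants are assumed from the PolarSSL 1.2 headers, and the transport, the handshake stand-in and the scripts are constructed for the example.

```c
/* Added example, not OpenVPN or PolarSSL code: how a caller of a
 * non-blocking TLS library must treat the return value of ssl_read(),
 * ssl_write() or ssl_handshake().  -82 (0xffffffae) is
 * POLARSSL_ERR_NET_WANT_READ, as in Peter's log; the WANT_WRITE and
 * INVALID_MAC values are assumed from the PolarSSL 1.2 headers.  The
 * transport and the handshake function are constructed stand-ins. */
#include <stdio.h>
#include <stddef.h>

#define POLARSSL_ERR_NET_WANT_READ    (-0x0052)  /* -82: nothing to read yet */
#define POLARSSL_ERR_NET_WANT_WRITE   (-0x0054)  /* -84: socket not writable yet (assumed) */
#define POLARSSL_ERR_SSL_INVALID_MAC  (-0x7180)  /* "Verification of the message MAC failed" (assumed) */

enum io_result { IO_DONE = 0, IO_RETRY = 1, IO_FATAL = 2 };

/* WANT_READ / WANT_WRITE are flow control, not failures: the caller keeps
 * the session and calls again once the socket is readable/writable. */
static enum io_result classify(int rc)
{
    if (rc >= 0)
        return IO_DONE;
    if (rc == POLARSSL_ERR_NET_WANT_READ || rc == POLARSSL_ERR_NET_WANT_WRITE)
        return IO_RETRY;
    return IO_FATAL;
}

/* Constructed transport: a script of what the socket layer returns on
 * successive calls, plus a counter of library-level debug alerts. */
struct fake_transport {
    const int *script;
    size_t len;
    size_t pos;
    int debug_alerts;
};

/* Stand-in for ssl_handshake().  Like the PolarSSL debug layer it reports
 * every negative return, including the harmless -82, which is why a
 * "PolarSSL alert" line in the log does not by itself prove mishandling. */
static int fake_ssl_handshake(struct fake_transport *t)
{
    int rc = (t->pos < t->len) ? t->script[t->pos++] : 0;
    if (rc < 0) {
        t->debug_alerts++;
        printf("PolarSSL alert: ssl_handshake() returned %d (0x%08x)\n",
               rc, (unsigned) rc);
    }
    return rc;
}

struct outcome {
    enum io_result result;  /* IO_DONE, IO_FATAL, or IO_RETRY if the budget ran out */
    int err;                /* library code when result == IO_FATAL, else 0 */
    int alerts;             /* debug alerts printed along the way */
};

/* Drive the handshake over a scripted transport with a retry budget. */
static struct outcome run_scenario(const int *script, size_t len, int max_tries)
{
    struct fake_transport t = { script, len, 0, 0 };
    struct outcome out = { IO_RETRY, 0, 0 };
    for (int i = 0; i < max_tries; i++) {
        int rc = fake_ssl_handshake(&t);
        enum io_result r = classify(rc);
        if (r == IO_RETRY)
            continue;               /* poll again; session state is kept */
        out.result = r;
        out.err = (r == IO_FATAL) ? rc : 0;
        break;
    }
    out.alerts = t.debug_alerts;
    return out;
}

/* Constructed scripts: a handshake that needs two polls before it
 * completes, and one that fails with a MAC error after one poll. */
static const int SCRIPT_RETRY_OK[] = { POLARSSL_ERR_NET_WANT_READ,
                                       POLARSSL_ERR_NET_WANT_READ, 0 };
static const int SCRIPT_MAC_FAIL[] = { POLARSSL_ERR_NET_WANT_READ,
                                       POLARSSL_ERR_SSL_INVALID_MAC };

int main(void)
{
    struct outcome a = run_scenario(SCRIPT_RETRY_OK, 3, 10);
    printf("retry-ok: result=%d err=%d alerts=%d\n", a.result, a.err, a.alerts);
    struct outcome b = run_scenario(SCRIPT_MAC_FAIL, 2, 10);
    printf("mac-fail: result=%d err=%d alerts=%d\n", b.result, b.err, b.alerts);
    return 0;
}
```

The stand-in prints the same "returned -82 (0xffffffae)" line that the library's debug layer does, so the example also shows why that message alone cannot distinguish a retried read from a bug: what matters is whether the caller drops the session or keeps it and polls again, and only a code outside the WANT_* pair ends the handshake with an error.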
| From: <p.j...@po...> - 2013-07-09 09:54:26 |
Yeah! -82 is: POLARSSL_ERR_NET_WANT_READ It means that somewhere in the code, OpenVPN calls a read() or a write() and seems to not handle the return value properly. Paul > -----Original Message----- > From: Peter Meiser [mailto:me...@gm...] > Sent: Monday 8 July 2013 14:43 > To: p.j...@po... > Subject: Re: [Openvpn-devel] OpenVPN Connect on Android fails to connect > > Hi Paul, > > I changed include/polarssl/config.h and defined POLARSSL_DEBUG_C. I see > the following output in the OpenVPN debug output (configuring "verb 11" in > the config). > > Mon Jul 8 14:09:57 2013 us=442655 ::ffff:127.0.0.1 PolarSSL alert: > ssl_srv.c(0421): ssl_fetch_input() returned -82 (0xffffffae) Mon Jul 8 14:09:57 > 2013 us=442796 ::ffff:127.0.0.1 PolarSSL alert: ssl_tls.c(3708): ssl_handshake() > returned -82 (0xffffffae) > > Does that help? > > Best regards, > Peter > > On 08.07.2013 14:05, Peter Meiser wrote: > > Hi Paul, > > > > could you give me some hints to enable debug output in PolarSSL? > > > > Thanks in advance, > > Peter > > > > On 08.07.2013 12:50, p.j...@po... wrote: > >> Hi Peter, > >> > >> Are you able to enable the PolarSSL debug and send us some debug > >> information? > >> That would help with determining possible angles. > >> > >> Paul > >> > >>> -----Original Message----- > >>> From: Peter Meiser [mailto:me...@gm...] > >>> Sent: Saturday 6 July 2013 10:12 > >>> To: ope...@li... > >>> Subject: [Openvpn-devel] OpenVPN Connect on Android fails to connect > >>> > >>> Hi, > >>> > >>> I run OpenVPN 2.3.2 with PolarSSL 1.2.8 on a MIPS embedded linux. > >>> > >>> When trying to connect with OpenVPN Connect on Android (version > >>> 1.1.11), I see the following error message in the log: > >>> > >>> > >>> 21:35:11.463 -- Client exception in transport_recv_excode: PolarSSL: > >>> SSL > >> read > >>> error : SSL - Verification of the message MAC failed > >>> > >>> > >>> When OpenVPN is linked against OpenSSL, the smartphone connects > >>> successfully. 
> >>> > >>> Could you help me find out the issue? > >>> > >>> Thanks in advance, > >>> Peter > >>> > >>> > >>> > >> --------------------------------------------------------------------- > >> ------- > >> -- > >> > >> |
| From: Samuli S. <sa...@op...> - 2013-07-09 09:20:35 |
> Hi, > > I set up a page for tracking the status of our patches: > > <https://community.openvpn.net/openvpn/wiki/PatchTrackingPage> > > Hopefully this will help our patch tracking a bit. I will try to keep > the page updated on a weekly basis. > > Feel free to add your own patch(es) there and to fix any errors or > omissions you may find. > It seems Arne had set up a similar page earlier: <https://community.openvpn.net/openvpn/wiki/Patches> I suggest we use that one, as it looks nicer than my page. A script is attached to that page which makes creating patch entries easier. -- Samuli Seppänen Community Manager OpenVPN Technologies, Inc irc freenode net: mattock |
| From: Samuli S. <sa...@op...> - 2013-07-09 09:04:39 |
Here are the new tickets for week 27: Enable use of ECDH: <https://community.openvpn.net/openvpn/ticket/307> I will send these mails manually until I get Trac configured to do it automatically. -- Samuli Seppänen Community Manager OpenVPN Technologies, Inc irc freenode net: mattock |
| From: Samuli S. <sa...@op...> - 2013-07-09 08:58:49 |
Hi, I set up a page for tracking the status of our patches: <https://community.openvpn.net/openvpn/wiki/PatchTrackingPage> Hopefully this will help our patch tracking a bit. I will try to keep the page updated on a weekly basis. Feel free to add your own patch(es) there and to fix any errors or omissions you may find. -- Samuli Seppänen Community Manager OpenVPN Technologies, Inc irc freenode net: mattock |
| From: Eric C. <ec...@se...> - 2013-07-08 13:44:55 |
On Jul 8, 2013, at 08:20:05, Samuli Seppänen <sa...@op...> wrote: > >> Hi, >> >> On Sun, Jun 30, 2013 at 10:32:31PM +0200, Max Muster wrote: >>> So maybe it would be a simple idea to think of a switch in "bug >>> handling". Why not simply use this list as "#1 input" for bug reports. >> This list isn't always working better or quicker... it really comes down >> to whoever has time to go through open issues. (We *do* have plans to >> improve the ticket handling...) >> >> So - as I said before, things have improved as far as community involvement >> and feedback goes, but still have quite a way to go. Working on it. >> >> gert > > I think it would probably make sense to configure Trac to send > notifications of new tickets to this list. Although it would not > increase the time at our hands, it would at the very least keep us > updated on new issues. I'm also hoping that it would encourage others > outside the current core developer team to review the new bug reports. > I've reviewed quite a few bug reports in the past, and many of them seem > to be simple configuration errors or based on misunderstandings. These > non-valid bug reports could fairly easily be filtered out by people > who would not normally participate in writing OpenVPN code. > > Looking at the past record of new bug reports[1] we could expect maybe > 0-3 new tickets each week. Would this amount of extra mails be acceptable? I think it's more than acceptable. Anyone interested in working on bug reports is welcome to do so. Either Samuli or myself can grant them the needed permissions in Trac. ----- Eric F Crist |
| From: Samuli S. <sa...@op...> - 2013-07-08 13:20:18 |
> Hi, > > On Sun, Jun 30, 2013 at 10:32:31PM +0200, Max Muster wrote: >> So maybe it would be a simple idea to think of a switch in "bug >> handling". Why not simply use this list as "#1 input" for bug reports. > This list isn't always working better or quicker... it really comes down > to whoever has time to go through open issues. (We *do* have plans to > improve the ticket handling...) > > So - as I said before, things have improved as far as community involvement > and feedback goes, but still have quite a way to go. Working on it. > > gert I think it would probably make sense to configure Trac to send notifications of new tickets to this list. Although it would not increase the time at our hands, it would at the very least keep us updated on new issues. I'm also hoping that it would encourage others outside the current core developer team to review the new bug reports. I've reviewed quite a few bug reports in the past, and many of them seem to be simple configuration errors or based on misunderstandings. These non-valid bug reports could fairly easily be filtered out by people who would not normally participate in writing OpenVPN code. Looking at the past record of new bug reports[1] we could expect maybe 0-3 new tickets each week. Would this amount of extra mails be acceptable? -- Samuli Seppänen Community Manager OpenVPN Technologies, Inc irc freenode net: mattock [1] <https://community.openvpn.net/openvpn/wiki/OpenVPN2013> |
| From: Peter M. <me...@gm...> - 2013-07-06 08:12:25 |
Hi, I run OpenVPN 2.3.2 with PolarSSL 1.2.8 on a MIPS embedded linux. When trying to connect with OpenVPN Connect on Android (version 1.1.11), I see the following error message in the log: 21:35:11.463 -- Client exception in transport_recv_excode: PolarSSL: SSL read error : SSL - Verification of the message MAC failed When OpenVPN is linked against OpenSSL, the smartphone connects successfully. Could you help me find out the issue? Thanks in advance, Peter |
| From: Gert D. <ge...@gr...> - 2013-07-03 19:40:42 |
Your patch has been applied to the master and release/2.3 branch. commit 8065cd1c65273ef05ba2ac66f15224e170a57290 (master) commit 030fcea03c59e333d78726f5e2da979762a249d8 (release/2.3) Author: David Sommerseth Date: Fri Jun 7 12:15:30 2013 +0200 autoconf: Fix typo Signed-off-by: David Sommerseth <da...@re...> Acked-by: Gert Doering <ge...@gr...> Message-Id: <137...@us...> URL: http://article.gmane.org/gmane.network.openvpn.devel/7658 Signed-off-by: Gert Doering <ge...@gr...> -- kind regards, Gert Doering |
| From: Gert D. <ge...@gr...> - 2013-07-03 19:22:54 |
ACK, as discussed on IRC in parallel. Patch has been applied to the master and release/2.3 branches (as discussed in the context of earlier revisions - considered a bugfix for the new plugin v3 infrastructure introduced in 2.3.0, and bugfixes go into 2.3). commit 587df08abda3c8f1f85ccdba4d8b82a736c11e2d (master) commit 570da542877a1f42ed6549a6ca3f54df9ec53c1f (release/2.3) Author: David Sommerseth Date: Wed Jul 3 21:17:10 2013 +0200 plugin: Extend the plug-in v3 API to identify the SSL implementation used Signed-off-by: David Sommerseth <da...@re...> Acked-by: Gert Doering <ge...@gr...> Message-Id: <137...@us...> URL: http://article.gmane.org/gmane.network.openvpn.devel/7754 Signed-off-by: Gert Doering <ge...@gr...> -- kind regards, Gert Doering |
| From: David S. <da...@us...> - 2013-07-03 19:17:07 |
From: David Sommerseth <da...@re...> OpenVPN would segfault unexpectedly if it was compiled against PolarSSL while the plug-in expected OpenSSL, or vice versa. This segfault would not appear before the plug-in tried to access functions which would only be available if the plug-in and OpenVPN use the same SSL implementation. This patch adds a member to the plug-in initialisation function, which identifies the SSL implementation. The log_v3 plug-in is updated accordingly + a simple fix to make it buildable again using the ./build script. A minor documentation error in openvpn-plugin.h was also corrected, where it mentioned OPENVPN_PLUGIN_VERSION instead of OPENVPN_PLUGINv3_STRUCTVER. v2 - add const ovpnSSLAPI ssl_api at the end of struct openvpn_plugin_args_open_in and not in the "middle" v3 - fix bug in plug-in init, as the SSLAPI was located wrong in the args struct sent to the openvpn_plugin_open_v3() function. v4 - Ensure SSLAPI got a sane/known value if SSL is disabled or unknown Signed-off-by: David Sommerseth <da...@re...> --- include/openvpn-plugin.h | 25 ++++++++++++++++++++++--- sample/sample-plugins/log/build | 2 +- sample/sample-plugins/log/log_v3.c | 5 +++++ src/openvpn/plugin.c | 5 +++-- src/openvpn/ssl_backend.h | 7 +++++++ 5 files changed, 38 insertions(+), 6 deletions(-) diff --git a/include/openvpn-plugin.h b/include/openvpn-plugin.h index 0879f49..03da92a 100644 --- a/include/openvpn-plugin.h +++ b/include/openvpn-plugin.h 
@@ -201,10 +201,15 @@ struct openvpn_plugin_string_list * * Version Comment * 1 Initial plugin v3 structures providing the same API as - * the v2 plugin interface + X509 certificate information. + * the v2 plugin interface, X509 certificate information + + * a logging API for plug-ins. + * + * 2 Added ssl_api member in struct openvpn_plugin_args_open_in + * which identifies the SSL implementation OpenVPN is compiled + * against. * */ -#define OPENVPN_PLUGINv3_STRUCTVER 1 +#define OPENVPN_PLUGINv3_STRUCTVER 2 /** * Definitions needed for the plug-in callback functions. @@ -260,6 +265,18 @@ struct openvpn_plugin_callbacks }; /** + * Used by the openvpn_plugin_open_v3() function to indicate to the + * plug-in what kind of SSL implementation OpenVPN uses. This is + * to avoid SEGV issues when OpenVPN is complied against PolarSSL + * and the plug-in against OpenSSL. + */ +typedef enum { + SSLAPI_NONE, + SSLAPI_OPENSSL, + SSLAPI_POLARSSL +} ovpnSSLAPI; + +/** * Arguments used to transport variables to the plug-in. * The struct openvpn_plugin_args_open_in is only used * by the openvpn_plugin_open_v3() function. @@ -286,6 +303,7 @@ struct openvpn_plugin_args_open_in const char ** const argv; const char ** const envp; struct openvpn_plugin_callbacks *callbacks; + const ovpnSSLAPI ssl_api; }; @@ -557,7 +575,8 @@ OPENVPN_PLUGIN_DEF int OPENVPN_PLUGIN_FUNC(openvpn_plugin_func_v2) * ARGUMENTS * * version : fixed value, defines the API version of the OpenVPN plug-in API. The plug-in - * should validate that this value is matching the OPENVPN_PLUGIN_VERSION value. + * should validate that this value is matching the OPENVPN_PLUGINv3_STRUCTVER + * value. * * arguments : Structure with all arguments available to the plug-in. * diff --git a/sample/sample-plugins/log/build b/sample/sample-plugins/log/build index bbb05f7..c07ec40 100755 --- a/sample/sample-plugins/log/build +++ b/sample/sample-plugins/log/build 
@@ -6,7 +6,7 @@ # # This directory is where we will look for openvpn-plugin.h -CPPFLAGS="${CPPFLAGS:--I../../..}" +CPPFLAGS="${CPPFLAGS:--I../../../include}" CC="${CC:-gcc}" CFLAGS="${CFLAGS:--O2 -Wall -g}" diff --git a/sample/sample-plugins/log/log_v3.c b/sample/sample-plugins/log/log_v3.c index 742c756..4d3af91 100644 --- a/sample/sample-plugins/log/log_v3.c +++ b/sample/sample-plugins/log/log_v3.c @@ -85,6 +85,11 @@ openvpn_plugin_open_v3 (const int v3structver, return OPENVPN_PLUGIN_FUNC_ERROR; } + if( args->ssl_api != SSLAPI_OPENSSL ) { + printf("This plug-in can only be used against OpenVPN with OpenSSL\n"); + return OPENVPN_PLUGIN_FUNC_ERROR; + } + /* Which callbacks to intercept. */ ret->type_mask = OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_UP) | diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c index c96c121..0948f23 100644 --- a/src/openvpn/plugin.c +++ b/src/openvpn/plugin.c @@ -40,8 +40,8 @@ #include "error.h" #include "misc.h" #include "plugin.h" +#include "ssl_backend.h" #include "win32.h" - #include "memdbg.h" #define PLUGIN_SYMBOL_REQUIRED (1<<0) @@ -374,7 +374,8 @@ plugin_open_item (struct plugin *p, struct openvpn_plugin_args_open_in args = { p->plugin_type_mask, (const char ** const) o->argv, (const char ** const) envp, - &callbacks }; + &callbacks, + SSLAPI }; struct openvpn_plugin_args_open_return retargs; CLEAR(retargs); diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h index 72235ae..b1dce22 100644 --- a/src/openvpn/ssl_backend.h +++ b/src/openvpn/ssl_backend.h @@ -36,10 +36,17 @@ #ifdef ENABLE_CRYPTO_OPENSSL #include "ssl_openssl.h" #include "ssl_verify_openssl.h" +#define SSLAPI SSLAPI_OPENSSL #endif #ifdef ENABLE_CRYPTO_POLARSSL #include "ssl_polarssl.h" #include "ssl_verify_polarssl.h" +#define SSLAPI SSLAPI_POLARSSL +#endif + +/* Ensure that SSLAPI got a sane value if SSL is disabled or unknown */ +#ifndef SSLAPI +#define SSLAPI SSLAPI_NONE #endif /** -- 1.8.3.1 |
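Review bot: bumping OPENVPN_PLUGINv3_STRUCTVER from 1 to 2 in the @@ -201,10 +201,15 @@ hunk of include/openvpn-plugin.h means every existing v3 plug-in that compares the version it receives against this macro will now refuse to load; since version 2 only appends to struct openvpn_plugin_args_open_in (see the v2 note in the commit message), record that compatibility rule in the version table next to the number, and say whether OpenVPN or the plug-in is expected to reject a mismatch. The same hunk also rewrites the version-1 entry to mention the logging API; that is a separate correction and would be clearer as its own commit.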
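Review bot: the ovpnSSLAPI enum added in the @@ -260,6 +265,18 @@ hunk is part of the plug-in ABI but its enumerators carry no explicit values; spell them out (SSLAPI_NONE = 0, SSLAPI_OPENSSL = 1, SSLAPI_POLARSSL = 2) so that a later insertion cannot silently renumber what an already-built plug-in compares against. The comment above the enum has a typo, "complied" for "compiled".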
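Review bot: `const ovpnSSLAPI ssl_api;` in the @@ -286,6 +303,7 @@ hunk is the one member of struct openvpn_plugin_args_open_in that gets no comment; add a short one stating that it exists from OPENVPN_PLUGINv3_STRUCTVER 2 onwards and must not be read from an older struct, since plug-ins access these members by position. Appending it after callbacks rather than in the middle, as the v2 note says, is the right choice for layout compatibility.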
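Review bot: the corrected sentence in the @@ -557,7 +575,8 @@ hunk still tells the plug-in to validate that the version "is matching" OPENVPN_PLUGINv3_STRUCTVER; now that the struct grows compatibly, say which comparison is intended (an exact match, or at least the minimum version whose members the plug-in reads, e.g. 2 before touching ssl_api), and change "is matching" to "matches".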
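Review bot: the new check in the @@ -85,6 +85,11 @@ hunk of sample/sample-plugins/log/log_v3.c reports the mismatch with printf() to stdout, which is lost when OpenVPN runs daemonised; the version table in this same patch says the v3 API provides a logging API for plug-ins, so send the message through the callbacks passed in args->callbacks instead. Its placement after the existing version check is correct, because ssl_api must not be read from a version-1 struct.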
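Review bot: the @@ -40,8 +40,8 @@ hunk in src/openvpn/plugin.c also deletes the blank line before #include "memdbg.h", an unrelated whitespace change; keep the hunk to the added ssl_backend.h include. Since that header is now pulled in unconditionally, please confirm plugin.c still builds with crypto/SSL disabled, which is the case the SSLAPI_NONE fallback is meant to cover.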
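Review bot: in the @@ -374,7 +374,8 @@ hunk of src/openvpn/plugin.c, SSLAPI is supplied as the fifth positional initializer of struct openvpn_plugin_args_open_in; with the struct now versioned, a designated initializer (`.ssl_api = SSLAPI`) would make a future reordering or insertion fail to compile instead of silently shifting a value into the wrong member, which is exactly the kind of mistake the v3 note in the commit message describes.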
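Review bot: the SSLAPI macros in the @@ -36,10 +36,17 @@ hunk of src/openvpn/ssl_backend.h expand to SSLAPI_OPENSSL / SSLAPI_POLARSSL, enumerators declared in include/openvpn-plugin.h, so ssl_backend.h now compiles only in translation units that include that header first. Either include openvpn-plugin.h here or move the mapping into plugin.c, its only user in this patch. The bare name SSLAPI is also easy to collide with in a header this widely included; an OPENVPN_ or PLUGIN_ prefix would be safer. The #ifndef fallback to SSLAPI_NONE is good.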
| From: Gert D. <ge...@gr...> - 2013-07-03 19:10:45 |
Your patch has been applied to the master and release/2.3 branches. commit e3d388652f59fd2ddd9c7f470f7ef62ee6b35595 (master) commit 14566e4374229c39db96d60a88ffecc17273efa3 (release/2.3) Author: David Sommerseth Date: Fri Jun 7 12:15:23 2013 +0200 Remove the --disable-eurephia configure option Signed-off-by: David Sommerseth <da...@re...> Acked-by: Gert Doering <ge...@gr...> Message-Id: <137...@us...> URL: http://article.gmane.org/gmane.network.openvpn.devel/7660 Signed-off-by: Gert Doering <ge...@gr...> -- kind regards, Gert Doering |
| From: Gert D. <ge...@gr...> - 2013-07-03 19:10:14 |
Your patch has been applied to the master and release/2.3 branches. commit ace54e9b3c26c4d13fd278fac2d2dc37138270e4 (master) commit 8141daa218dc3534c76604ad6b55fb5adcf9a260 (release/2.3) Author: David Sommerseth Date: Fri Jun 7 12:15:11 2013 +0200 man page: Update man page about the tls_digest_{n} environment variable Signed-off-by: David Sommerseth <da...@re...> Acked-by: Gert Doering <ge...@gr...> Message-Id: <137...@us...> URL: http://article.gmane.org/gmane.network.openvpn.devel/7659 Signed-off-by: Gert Doering <ge...@gr...> -- kind regards, Gert Doering |