openvpn-devel Mailing List for OpenVPN

On Tuesday 31 July 2012 14:14:10 David Sommerseth wrote: > - From another point of view, an evil plug-in would have to know/figure > out the address to x_msg() ... so that would require a bit more work, > at least to work against different distro/compiler/linker > combinations, as it's not given the address will be the same. > However, it's not necessarily hard to figure it out, but requires more > work. And an evil plug-in would anyway need to first be installed > somehow too. So I consider this attack vector less attractive. All the symbols are exported to plugins, so it's just a matter of adding the function prototype and flag values, if you do care at all. > And, AFAIK, you can't use dlsym() without a handle to a shared lib > opened with dlopen(). And I don't think you can't export the log > function in the openvpn-plugin.h file as an external function, as the > plug-in would fail to link (I would expect the linker wouldn't find > the required symbol) ... which then brings us back to the point where > you need to send a pointer to the log function to the plug-in ... > That's basically how I came to this conclusion. The dynamic linker resolves undefined symbols in the plugin automagically, so there's no need to get the address by hand. Haven't tested on Windows, but the symbols are there as well. We could limit the exported functions by hand, but then plugins should not be considered evil. We kind of had the discussion during the interactive service privilege escalation discussion a while ago. If you let someone into your home, you better make sure you trust him anyway. =) Heiko -- Heiko Hund | Sr. Software Engineer | Tel +49-721-25516-237 | Fax -200 SOPHOS NSG | Amalienbadstr. 41 Bau 52 | 76227 Karlsruhe | Germany 

Some plugins want to add messages to the openvpn log file. The plugin_log() API provides a way for them to do so. Signed-off-by: Heiko Hund <hei...@so...> --- include/openvpn-plugin.h | 20 ++++++++++++++++++++ src/openvpn/error.c | 11 ++++++++--- src/openvpn/error.h | 2 ++ src/openvpn/plugin.c | 35 +++++++++++++++++++++++++++++++++++ 4 files changed, 65 insertions(+), 3 deletions(-) diff --git a/include/openvpn-plugin.h b/include/openvpn-plugin.h index 1c80eec..e966baf 100644 --- a/include/openvpn-plugin.h +++ b/include/openvpn-plugin.h @@ -47,6 +47,26 @@ typedef X509 openvpn_x509_cert_t; extern "C" { #endif +/** + * Struct to transport log lines from the plugin to openvpn. + * The plugin should allocate all structure instances and msg strings + * with malloc, since OpenVPN will free them after logging took place. + */ +typedef enum +{ + PLOG_ERR = (1 << 0), /* Error condition message */ + PLOG_WARN = (1 << 1), /* General warning message */ + PLOG_NOTE = (1 << 2), /* Informational message */ + PLOG_DEBUG = (1 << 3), /* Debug message, displayed if verb >= 7 */ + + PLOG_ERRNO = (1 << 8), /* Add error description to message */ + PLOG_NOMUTE = (1 << 9), /* Mute setting does not apply for message */ + PLOG_NOIPREFIX = (1 << 10) /* No instance prefix for this message */ + +} openvpn_plugin_log_flags_t; + +void plugin_log (openvpn_plugin_log_flags_t flags, const char *fmt, ...); + /* * Plug-in types. These types correspond to the set of script callbacks * supported by OpenVPN. diff --git a/src/openvpn/error.c b/src/openvpn/error.c index 8396fe0..6848425 100644 --- a/src/openvpn/error.c +++ b/src/openvpn/error.c @@ -201,8 +201,15 @@ int x_msg_line_num; /* GLOBAL */ void x_msg (const unsigned int flags, const char *format, ...) { - struct gc_arena gc; va_list arglist; + va_start (arglist, format); + x_msg_va (flags, format, arglist); + va_end (arglist); +} + +void x_msg_va (const unsigned int flags, const char *format, va_list arglist) +{ + struct gc_arena gc; #if SYSLOG_CAPABILITY int level; #endif @@ -237,9 +244,7 @@ void x_msg (const unsigned int flags, const char *format, ...) m1 = (char *) gc_malloc (ERR_BUF_SIZE, false, &gc); m2 = (char *) gc_malloc (ERR_BUF_SIZE, false, &gc); - va_start (arglist, format); vsnprintf (m1, ERR_BUF_SIZE, format, arglist); - va_end (arglist); m1[ERR_BUF_SIZE - 1] = 0; /* windows vsnprintf needs this */ if ((flags & M_ERRNO) && e) diff --git a/src/openvpn/error.h b/src/openvpn/error.h index aedb7c3..27c48b6 100644 --- a/src/openvpn/error.h +++ b/src/openvpn/error.h @@ -182,6 +182,8 @@ void x_msg (const unsigned int flags, const char *format, ...) #endif ; /* should be called via msg above */ +void x_msg_va (const unsigned int flags, const char *format, va_list arglist); + /* * Function prototypes */ diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c index 7ce2f5e..cbad76b 100644 --- a/src/openvpn/plugin.c +++ b/src/openvpn/plugin.c @@ -286,6 +286,41 @@ plugin_init_item (struct plugin *p, const struct plugin_option *o) gc_free (&gc); } + +void +plugin_log (openvpn_plugin_log_flags_t plog_flags, const char *format, ...) +{ + unsigned int msg_flags; + va_list arglist; + + if (format == NULL) + return; + + if (plog_flags & PLOG_ERR) + msg_flags = M_INFO | M_NONFATAL; + else if (plog_flags & PLOG_WARN) + msg_flags = M_INFO | M_WARN; + else if (plog_flags & PLOG_NOTE) + msg_flags = M_INFO; + else if (plog_flags & PLOG_DEBUG) + msg_flags = D_PLUGIN_DEBUG; + + if (plog_flags & PLOG_ERRNO) + msg_flags |= M_ERRNO; + if (plog_flags & PLOG_NOMUTE) + msg_flags |= M_NOMUTE; + if (plog_flags & PLOG_NOIPREFIX) + msg_flags |= M_NOIPREFIX; + + if (MSG_TEST (msg_flags)) + { + va_start (arglist, format); + x_msg_va (msg_flags, format, arglist); + va_end (arglist); + } +} + + static void plugin_open_item (struct plugin *p, const struct plugin_option *o, -- 1.7.9.5 

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 31/07/12 13:31, Heiko Hund wrote: >> But it should also prefix these log lines as coming from a >> plug-in (preferably with the plug-in name included)... > > I don't think enforcing something like this makes much sense, as > evil plugins, trying to forge log lines to appear originating from > the core process, will just call x_msg() directly then. Agreed, the intention wasn't to nail evil plug-ins, it was more a convenience - as the plug-in itself doesn't need to "identify" itself. The plug-in cares for what it wants to add to the log, and the rest is automatic and will also be "tagged" consistently among all plug-ins. - From another point of view, an evil plug-in would have to know/figure out the address to x_msg() ... so that would require a bit more work, at least to work against different distro/compiler/linker combinations, as it's not given the address will be the same. However, it's not necessarily hard to figure it out, but requires more work. And an evil plug-in would anyway need to first be installed somehow too. So I consider this attack vector less attractive. And, AFAIK, you can't use dlsym() without a handle to a shared lib opened with dlopen(). And I don't think you can't export the log function in the openvpn-plugin.h file as an external function, as the plug-in would fail to link (I would expect the linker wouldn't find the required symbol) ... which then brings us back to the point where you need to send a pointer to the log function to the plug-in ... That's basically how I came to this conclusion. kind regards, David Sommerseth -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAlAXzBAACgkQDC186MBRfrrDDgCfdGlu8GK4oD4aELiskzgqmoXm yoIAni0vANC55rDK3AtV9BqIlaTtx0gj =ezeg -----END PGP SIGNATURE----- 

Hi David. Thanks for the feedback. On Monday 30 July 2012 19:06:02 David Sommerseth wrote: > My immediate thought/question is: Why can we not export msg() to > plug-ins? Or at least provide something more like a functional > oriented API to work with? Actually that's my favored way as well. I just thought I'd stick to the, admittedly rather strange, way plugins interact with openvpn for the start. I'll hack a patch that provides a plugin_log() function, with the same semantics as the struct based approach. > But it should also prefix > these log lines as coming from a plug-in (preferably with the plug-in > name included)... I don't think enforcing something like this makes much sense, as evil plugins, trying to forge log lines to appear originating from the core process, will just call x_msg() directly then. Heiko -- Heiko Hund | Sr. Software Engineer | Tel +49-721-25516-237 | Fax -200 SOPHOS NSG | Amalienbadstr. 41 Bau 52 | 76227 Karlsruhe | Germany 

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 30/07/12 18:35, Heiko Hund wrote: > Some plugins want to add messages to the openvpn log file. > > V3 plugins can indirectly write to the log by specifying one or > more openvpn_plugin_log_list structs and returning them in the > provided openvpn_plugin_args_{open,func}_return struct. > > The openvpn plugin backend will log the provided information upon > reception. > > Signed-off-by: Heiko Hund <hei...@so...> --- > include/openvpn-plugin.h | 39 > ++++++++++++++++++++++++++++++++++++++- src/openvpn/plugin.c | > 37 +++++++++++++++++++++++++++++++++++++ 2 files changed, 75 > insertions(+), 1 deletion(-) Just a few quick thoughts. As the implementer of the v3 API, I'm happy to see such attempts. And as the developer of eurephia (which is an authentication plug-in for OpenVPN), I see the need for such a feature. But I'm not fully convinced yet this is the proper way. In many ways, it is elegant, but in some parts I feel it falls short too. But it is a good starting point for a discussion. The advantage of the log struct is that the plug-in can have far better control on how to format the log data. But it raises the complexity as each plug-in with this proposal needs to write their own logging mechanism which does the pointer-chain stuff. And adding new structs have the pitfall that it's easy to not be ABI (not API) compliant across versions, something the v3 plug-in API strives for. I would expect the vast majority of all plug-ins don't require this kind of flexibility. My immediate thought/question is: Why can we not export msg() to plug-ins? Or at least provide something more like a functional oriented API to work with? What if we extend the openvpn_plugin_args_open_in struct to include a function pointer to a log function? This log function can provide somewhat the same feature set as msg(). But it should also prefix these log lines as coming from a plug-in (preferably with the plug-in name included)... plug-ins wanting to log, can then save that function pointer and call this directly. It's not so flexible as this current proposal can be, but it should be easier to provide a more predictable ABI for the future, And it would cover the use case for most of the plug-ins. kind regards, David Sommerseth -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAlAWvvcACgkQDC186MBRfrpQ2ACeMoAv/ugw+V0SMvxUSLm8iXw/ AWoAnj8O8c9OV0BmpC37MpFuSr0qGsgh =2RqT -----END PGP SIGNATURE----- 

Some plugins want to add messages to the openvpn log file. V3 plugins can indirectly write to the log by specifying one or more openvpn_plugin_log_list structs and returning them in the provided openvpn_plugin_args_{open,func}_return struct. The openvpn plugin backend will log the provided information upon reception. Signed-off-by: Heiko Hund <hei...@so...> --- include/openvpn-plugin.h | 39 ++++++++++++++++++++++++++++++++++++++- src/openvpn/plugin.c | 37 +++++++++++++++++++++++++++++++++++++ 2 files changed, 75 insertions(+), 1 deletion(-) diff --git a/include/openvpn-plugin.h b/include/openvpn-plugin.h index 1c80eec..08db7b2 100644 --- a/include/openvpn-plugin.h +++ b/include/openvpn-plugin.h @@ -201,8 +201,39 @@ struct openvpn_plugin_string_list * 1 Initial plugin v3 structures providing the same API as * the v2 plugin interface + X509 certificate information. * + * 2 Add log_list to openvpn_plugin_args_{open,func}_return + * structs. The log_list struct is evaluated by openvpn and + * enables plugins to add information to the openvpn log + * output. + * + */ +#define OPENVPN_PLUGINv3_STRUCTVER 2 + + +typedef enum +{ + PLOG_ERR = (1 << 0), /* Error condition message */ + PLOG_WARN = (1 << 1), /* General warning message */ + PLOG_NOTE = (1 << 2), /* Informational message */ + PLOG_DEBUG = (1 << 3), /* Debug message, displayed if verb >= 7 */ + + PLOG_NOMUTE = (1 << 8), /* Mute setting does not apply for message */ + PLOG_NOIPREFIX = (1 << 9) /* No instance prefix for this message */ + +} openvpn_plugin_log_flags_t; + +/** + * Struct to transport log lines from the plugin to openvpn. + * The plugin should allocate all structure instances and msg strings + * with malloc, since OpenVPN will free them after logging took place. */ -#define OPENVPN_PLUGINv3_STRUCTVER 1 +struct openvpn_plugin_log_list +{ + struct openvpn_plugin_log_list *next; + const openvpn_plugin_log_flags_t flags; + const char *msg; +}; + /** * Arguments used to transport variables to the plug-in. @@ -250,12 +281,15 @@ struct openvpn_plugin_args_open_in * * return_list : used to return data back to OpenVPN. * + * log_list : used to return log lines back to OpenVPN. + * */ struct openvpn_plugin_args_open_return { int type_mask; openvpn_plugin_handle_t *handle; struct openvpn_plugin_string_list **return_list; + struct openvpn_plugin_log_list *log_list; }; /** @@ -313,10 +347,13 @@ struct openvpn_plugin_args_func_in * return_list : used to return data back to OpenVPN for further processing/usage by * the OpenVPN executable. * + * log_list : used to return log lines back to OpenVPN. + * */ struct openvpn_plugin_args_func_return { struct openvpn_plugin_string_list **return_list; + struct openvpn_plugin_log_list *log_list; }; /* diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c index 7ce2f5e..f4833df 100644 --- a/src/openvpn/plugin.c +++ b/src/openvpn/plugin.c @@ -286,6 +286,41 @@ plugin_init_item (struct plugin *p, const struct plugin_option *o) gc_free (&gc); } + +static void +plugin_do_log_list (struct openvpn_plugin_log_list *log_list) +{ + while (log_list) + { + struct openvpn_plugin_log_list *this = log_list; + if (log_list->msg) + { + unsigned int flags; + + if (log_list->flags & PLOG_ERR) + flags = M_INFO | M_NONFATAL; + else if (log_list->flags & PLOG_WARN) + flags = M_INFO | M_WARN; + else if (log_list->flags & PLOG_NOTE) + flags = M_INFO; + else if (log_list->flags & PLOG_DEBUG) + flags = D_PLUGIN_DEBUG | M_DEBUG; + + if (log_list->flags & PLOG_NOMUTE) + flags |= M_NOMUTE; + if (log_list->flags & PLOG_NOIPREFIX) + flags |= M_NOIPREFIX; + + msg (flags, log_list->msg); + free (log_list->msg); + } + + log_list = log_list->next; + free (this); + } +} + + static void plugin_open_item (struct plugin *p, const struct plugin_option *o, @@ -317,6 +352,7 @@ plugin_open_item (struct plugin *p, CLEAR(retargs); if ((*p->open3)(OPENVPN_PLUGINv3_STRUCTVER, &args, &retargs) == OPENVPN_PLUGIN_FUNC_SUCCESS) { + plugin_do_log_list(retargs.log_list); p->plugin_type_mask = retargs.type_mask; p->plugin_handle = retargs.handle; retlist = retargs.return_list; @@ -399,6 +435,7 @@ plugin_call_item (const struct plugin *p, CLEAR(retargs); status = (*p->func3)(OPENVPN_PLUGINv3_STRUCTVER, &args, &retargs); + plugin_do_log_list(retargs.log_list); retlist = retargs.return_list; } else if (p->func2)	status = (*p->func2)(p->plugin_handle, type, (const char **)a.argv, envp, per_client_context, retlist); -- 1.7.10.4 

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 30/07/12 11:05, Heiko Hund wrote: > Commit af1bf85a introducing the --management-query-proxy option > broke the initialization of HTTP proxy options by not assigning the > allocated object to the options element in the function > init_http_proxy_options_once(). > > Signed-off-by: Heiko Hund <hei...@so...> --- > src/openvpn/init.c | 3 +-- src/openvpn/options.c | 8 > ++++---- src/openvpn/proxy.c | 12 ++++++------ > src/openvpn/proxy.h | 2 +- 4 files changed, 12 insertions(+), > 13 deletions(-) > Applied to master. commit 4f879daeb9b1b709c80d01e4872b30e23747c4a8 Author: Heiko Hund <hei...@so...> Date: Mon Jul 30 11:05:22 2012 +0200 fix regression with --http-proxy[-*] options Signed-off-by: Heiko Hund <hei...@so...> Acked-by: Arne Schwabe <ar...@rf...> Message-Id: 134...@so... URL: http://article.gmane.org/gmane.network.openvpn.devel/6913 Signed-off-by: David Sommerseth <da...@us...> kind regards, David Sommerseth -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAlAWkZMACgkQDC186MBRfroVPQCfUbhvHxx9O+TqdCJ7suLK5c5f 3ZgAnjlNdrw9oxJPN5AtEoBTcUtC+ZCD =rKlw -----END PGP SIGNATURE----- 

Am 30.07.12 11:05, schrieb Heiko Hund: > Commit af1bf85a introducing the --management-query-proxy option > broke the initialization of HTTP proxy options by not assigning > the allocated object to the options element in the function > init_http_proxy_options_once(). > > Signed-off-by: Heiko Hund <hei...@so...> > In my test this patch worked. It also worked for reporting user. So ACK from me. Arne 

Commit af1bf85a introducing the --management-query-proxy option broke the initialization of HTTP proxy options by not assigning the allocated object to the options element in the function init_http_proxy_options_once(). Signed-off-by: Heiko Hund <hei...@so...> --- src/openvpn/init.c | 3 +-- src/openvpn/options.c | 8 ++++---- src/openvpn/proxy.c | 12 ++++++------ src/openvpn/proxy.h | 2 +- 4 files changed, 12 insertions(+), 13 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 2f84375..270ee6a 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -144,12 +144,11 @@ management_callback_proxy_cmd (void *arg, const char **p) msg (M_WARN, "HTTP proxy support only works for TCP based connections"); return false; } - ho = init_http_proxy_options_once (ce->http_proxy_options, gc); + ho = init_http_proxy_options_once (&ce->http_proxy_options, gc); ho->server = string_alloc (p[2], gc); ho->port = port; ho->retry = true; ho->auth_retry = (p[4] && streq (p[4], "nct") ? PAR_NCT : PAR_ALL); - ce->http_proxy_options = ho; ret = true; #endif } diff --git a/src/openvpn/options.c b/src/openvpn/options.c index cd1cb1c..9f4ddbb 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -4879,7 +4879,7 @@ add_option (struct options *options, goto err; } -	ho = init_http_proxy_options_once (options->ce.http_proxy_options, &options->gc); +	ho = init_http_proxy_options_once (&options->ce.http_proxy_options, &options->gc);	ho->server = p[1];	ho->port = port; @@ -4914,7 +4914,7 @@ add_option (struct options *options, { struct http_proxy_options *ho; VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); - ho = init_http_proxy_options_once (options->ce.http_proxy_options, &options->gc); + ho = init_http_proxy_options_once (&options->ce.http_proxy_options, &options->gc); ho->retry = true; } else if (streq (p[0], "http-proxy-timeout") && p[1]) @@ -4922,7 +4922,7 @@ add_option (struct options *options, struct http_proxy_options *ho; VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); - ho = init_http_proxy_options_once (options->ce.http_proxy_options, &options->gc); + ho = init_http_proxy_options_once (&options->ce.http_proxy_options, &options->gc); ho->timeout = positive_atoi (p[1]); } else if (streq (p[0], "http-proxy-option") && p[1]) @@ -4930,7 +4930,7 @@ add_option (struct options *options, struct http_proxy_options *ho; VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); - ho = init_http_proxy_options_once (options->ce.http_proxy_options, &options->gc); + ho = init_http_proxy_options_once (&options->ce.http_proxy_options, &options->gc); if (streq (p[1], "VERSION") && p[2])	{ diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c index 28ce019..363d8a7 100644 --- a/src/openvpn/proxy.c +++ b/src/openvpn/proxy.c @@ -47,17 +47,17 @@ #define UP_TYPE_PROXY "HTTP Proxy" struct http_proxy_options * -init_http_proxy_options_once (struct http_proxy_options *hpo, +init_http_proxy_options_once (struct http_proxy_options **hpo, struct gc_arena *gc) { - if (!hpo) + if (!*hpo) { - ALLOC_OBJ_CLEAR_GC (hpo, struct http_proxy_options, gc); + ALLOC_OBJ_CLEAR_GC (*hpo, struct http_proxy_options, gc); /* http proxy defaults */ - hpo->timeout = 5; - hpo->http_version = "1.0"; + (*hpo)->timeout = 5; + (*hpo)->http_version = "1.0"; } - return hpo; + return *hpo; } diff --git a/src/openvpn/proxy.h b/src/openvpn/proxy.h index dc62261..5e476f1 100644 --- a/src/openvpn/proxy.h +++ b/src/openvpn/proxy.h @@ -70,7 +70,7 @@ struct http_proxy_info { bool queried_creds; }; -struct http_proxy_options *init_http_proxy_options_once (struct http_proxy_options *hpo, +struct http_proxy_options *init_http_proxy_options_once (struct http_proxy_options **hpo, struct gc_arena *gc); struct http_proxy_info *http_proxy_new (const struct http_proxy_options *o); -- 1.7.9.5 

Am 19.07.12 21:57, schrieb David Sommerseth: > On 11/07/12 14:16, Heiko Hund wrote: >> Make openvpn query for proxy information through the >> management interface. This allows GUIs to provide (automatically >> detected) proxy information on a per connection basis. >> >> This new option supersedes the undocumented --http-proxy-fallback >> option and puts the responsibilty for HTTP proxy fallback handling >> to the GUI caring for such. >> >> Signed-off-by: Heiko Hund <hei...@so...> >> --- >> doc/management-notes.txt | 31 ++++++++ >> doc/openvpn.8 | 6 ++ >> src/openvpn/init.c | 185 +++++++++++++++++++++------------------------- >> src/openvpn/manage.c | 52 +++---------- >> src/openvpn/manage.h | 17 ++--- >> src/openvpn/options.c | 112 ++++------------------------ >> src/openvpn/options.h | 28 +------ >> src/openvpn/proxy.c | 15 ++++ >> src/openvpn/proxy.h | 3 + >> src/openvpn/syshead.h | 6 +- >> 10 files changed, 178 insertions(+), 277 deletions(-) >> > This patch got reviewed by James Yonan, but he never responded publicly to > this list. But it's applied to the master branch, as James said this made > sense if it makes writing the GUI easier. > This patch somehow proxy connecting with a simple http-proxy xx yy option. Openvpn just ignores the proxy and connects directly. On a quick glance I could not determine what went wrong. Arne 

Hi, On Wed, Jul 25, 2012 at 01:57:20PM +0800, jay alco wrote: > Hi, i build openvpn from source with the following featured disabled SSL, > CRYPTO. I have successfully build openpn without this option but during the > test running the server configuration it gives me error > > Options error: Unrecognized option or missing parameter(s) in > config.ovpn:6: client-cert-not-required (2.2.2) If you build without SSL, none of the SSL-related options are compiled in (surprise!). [..] > It looks like all options under P2MP and P2MP_SERVER are disable when i > disable SSL, CRYPTO. and for that i can not use client-cert-not-required, > username-as-common-name, server X X, etc.. and cannot run the server. How > do i eneable P2MP and P2MP_SERVER during build? P2MP_SERVER requires SSL to operate - if you disable SSL, there is no way you can use the OpenVPN server functionality. All you can do is use OpenVPN in point-to-point mode. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany ge...@gr... fax: +49-89-35655025 ge...@ne... 

On Wednesday 25 July 2012 11:39:16 Samuli Seppänen wrote: > This release fixes a major problem in "tap server" mode (Trac #216), > adds support for querying proxy information via the management interface > and fixes some smaller issues. In addition, the Windows installer comes > with tap-windows-9.9.2 (fixes the "DHCP NAK bomb on Windows 7" bug, Trac > #97) and openvpn-gui-1.0.5. I also want to mention that the GUI is now correctly supplying the HTTPS and SOCKS proxy server system settings to openvpn. The info is queried from the control panel internet settings. If WPAD or a PAC file are configured there, it uses automatic proxy detection as well. I would like to ask people to give this a try and report any shortcomings back to the -devel list. Thanks, Heiko -- Heiko Hund | Sr. Software Engineer | Tel +49-721-25516-237 | Fax -200 SOPHOS NSG | Amalienbadstr. 41 Bau 52 | 76227 Karlsruhe | Germany 

Hi Jay, > I'm trying to build openvpn on windows with mingw but having trouble. > I tried building both openvpn 2.1.4 and 2.2.2 from source without > changing configuration, just executing domake-win and it builds the > exe perfectly. But when i change configurations in makeopenvpn file i > cause me the error. > > I use the following configuration to guild without crypto and ssl. just lzo. > > --enable-strict \ > --prefix=$H/windest \ > MAN2HTML=true \ > --disable-crypto \ > --disable-ssl \ > --enable-password-save \ > --with-lzo-headers=$H/$LZO_DIR/include \ > --with-lzo-lib=$H/$LZO_DIR \ > --with-pkcs11-helper-headers=$H/$PKCS11_HELPER_DIR/usr/local/include \ > --with-pkcs11-helper-lib=$H/$PKCS11_HELPER_DIR/usr/local/lib > > but it produce the following error both 2.1.4 and 2.2.2. Trust me, trying to build 2.1.4 for Windows is (as Gert said) a way to insanity. If you really have to use a s.c. "stable" version of OpenVPN, I suggest 2.2.2 which at least has a more or less complete Python-based buildsystem which is documented here: <https://community.openvpn.net/openvpn/wiki/BuildingOnWindows> However, I'd recommend taking the just released openvpn-2.3-alpha3 and using the new "openvpn-build" buildsystem to build it: <https://github.com/OpenVPN/openvpn-build> <https://community.openvpn.net/openvpn/wiki/BuildingUsingGenericBuildsystem> If you want to try building on a Windows using Microsoft Visual Studio 2010 or later, "openvpn-build" has a separate "msvc" buildsystem for that purpose. The "generic" buildsystem, which is a cross-compile buildsystem for *NIX environments, is more well tested, and works very nicely. Ubuntu 12.04 64-bit is a good build platform, provided you install backported mingw-w64 packages: <https://community.openvpn.net/openvpn/wiki/InstallingMingwW64> Hope this helps, -- Samuli Seppänen Community Manager OpenVPN Technologies, Inc irc freenode net: mattock 

The OpenVPN community project team is proud to release OpenVPN 2.3_alpha3. It can be downloaded from here: <http://openvpn.net/index.php/open-source/downloads.html> This release fixes a major problem in "tap server" mode (Trac #216), adds support for querying proxy information via the management interface and fixes some smaller issues. In addition, the Windows installer comes with tap-windows-9.9.2 (fixes the "DHCP NAK bomb on Windows 7" bug, Trac #97) and openvpn-gui-1.0.5. A full list of new features and the changelog are available here: <https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23> The changelog is also attached to this email. For generic help use these support channels: - Official documentation: <http://openvpn.net/index.php/open-source/documentation/howto.html> - Wiki: <https://community.openvpn.net> - Forums: <https://forums.openvpn.net> - User mailing list: <http://sourceforge.net/mail/?group_id=48978> - User IRC channel: #openvpn at irc.freenode.net Please report bugs and ask development questions here: - Bug tracker and Wiki: <https://community.openvpn.net> - Developer mailing list: <http://sourceforge.net/mail/?group_id=48978> - Developer IRC channel: #openvpn-devel at irc.freenode.net (requires Freenode registration) -- Samuli Seppänen Community Manager OpenVPN Technologies, Inc irc freenode net: mattock 

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 25/07/12 07:57, jay alco wrote: [...snip...] > It looks like all options under P2MP and P2MP_SERVER are disable > when i disable SSL, CRYPTO. and for that i can not use > client-cert-not-required, username-as-common-name, server X X, > etc.. and cannot run the server. How do i eneable P2MP and > P2MP_SERVER during build? OpenVPN does not support P2MP mode without PKI (certificates/keys). So what you're trying to do is not possible. And even though you want to use --client-cert-not-required, the server-side would still need both a key and a certificate. And the client would still need the CA certificate which issued the server certificate. In addition common name is used in the code paths which are related to X509 verifications. These code paths are also disabled when SSL/CRYPTO features are disabled. Which again would remove the - --username-as-common-name feature. Compiling without SSL/CRYPTO will only make it possible to use P2P mode, which means you need a single OpenVPN process using a dedicated port for each client. Further, if you want to use --secret instead of SSL/TLS certificates, that would be really a weak solution in a P2MP setup, as all clients would be able to decrypt the traffic from all other clients. Using SSL/TLS certificates, each client have an individual encryption so it would be much harder for other clients to eavesdrop other connected clients communication. kind regards, David Sommerseth -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAlAPqeEACgkQDC186MBRfro0DgCgg2eckszK19J/6WFzj4zajQmn 3GMAn2KfoqiYWdJ/ygTV8GW21apBLOkA =vsQE -----END PGP SIGNATURE----- 

Hi, i build openvpn from source with the following featured disabled SSL, CRYPTO. I have successfully build openpn without this option but during the test running the server configuration it gives me error Options error: Unrecognized option or missing parameter(s) in config.ovpn:6: client-cert-not-required (2.2.2) i user the following options. local xxx.xxx.xxx.xxx port 800 proto tcp dev tun client-cert-not-required script-security 2 username-as-common-name plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login server 10.10.0.0 255.255.255.0 persist-key persist-tun It looks like all options under P2MP and P2MP_SERVER are disable when i disable SSL, CRYPTO. and for that i can not use client-cert-not-required, username-as-common-name, server X X, etc.. and cannot run the server. How do i eneable P2MP and P2MP_SERVER during build? 

Hi, On Wed, Jul 25, 2012 at 12:45:18AM +0800, jay alco wrote: > XD.. My work station is windows. Anyway. Is there any refference i can use > to cross build 2.3alpha2? Samuli has instructions on http://community.openvpn.net/ (Incidentially there are also instructions how to build older versions, but you *really* do not want that) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany ge...@gr... fax: +49-89-35655025 ge...@ne... 

Hi, On Wed, Jul 25, 2012 at 12:28:56AM +0800, jay alco wrote: > As much as i like to try 2.3_alpha2 i have no idea how to build it on > windowns using mingw since i'm just starting with unix commands. how do i > build it using mingw both for linux server and windows client? You build on Linux. Building on Windows is the way to insanity. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany ge...@gr... fax: +49-89-35655025 ge...@ne... 

Hi, On Tue, Jul 24, 2012 at 11:50:36PM +0800, jay alco wrote: > I'm trying to build openvpn on windows with mingw but having trouble. > I tried building both openvpn 2.1.4 and 2.2.2 from source without > changing configuration, just executing domake-win and it builds the > exe perfectly. But when i change configurations in makeopenvpn file i > cause me the error. 2.3_alpha2 contains a completely rewritten build system, which eases building windows binary enormously (cross-build on linux using mingw64). gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany ge...@gr... fax: +49-89-35655025 ge...@ne... 

I'm trying to build openvpn on windows with mingw but having trouble. I tried building both openvpn 2.1.4 and 2.2.2 from source without changing configuration, just executing domake-win and it builds the exe perfectly. But when i change configurations in makeopenvpn file i cause me the error. I use the following configuration to guild without crypto and ssl. just lzo. --enable-strict \ --prefix=$H/windest \ MAN2HTML=true \ --disable-crypto \ --disable-ssl \ --enable-password-save \ --with-lzo-headers=$H/$LZO_DIR/include \ --with-lzo-lib=$H/$LZO_DIR \ --with-pkcs11-helper-headers=$H/$PKCS11_HELPER_DIR/usr/local/include \ --with-pkcs11-helper-lib=$H/$PKCS11_HELPER_DIR/usr/local/lib but it produce the following error both 2.1.4 and 2.2.2. LZO headers were not found LZO libraby available from http:\\'' etc.....etc... configure: error: Or try ./configure --disable-lzo //I don't wan to disable lzo install-win32/makeopenvpn: line 24: --with-lzo-headers=/c/mingw/msys/1.0/home/administrator/openvpn-2.1.4/../lzo-2.02/inlcude: No such file or directory i have the lzo libs in the directory and was able to complete it without disabling crypto and ssl. But when i disable SSL and crypto it doesn't seem to find the lzo libs. then i tried disabling lzo in openvpn 2.2.2 and it created the exe file without cryto and ssl but not what i want since i need lzo. Problem with openvpn 2.1.4 is even with lzo features disabled it still gives me error options.c: In fuction 'parse_http_proxy_fallback': options.c:1474:33: error: dereferencing pointer to incomplete type options.c:1477:4: error: dereferencing pointer to incomplete type options.c:1478:4: error: dereferencing pointer to incomplete type I don't even know what parse_http_proxy_fallback got to do with SSL and CRYTO. any one knows what i'm doing wrong except from the fact that i disabled ssl? 

Am 21.07.12 01:02, schrieb Arne Schwabe: > Fixes error: --key fails with EXTERNAL_PRIVATE_KEY: No such file or directory if --management-external-key is used > > Ignore that patch version. It did not compile. I am too tired today. I will post the correct version tommorow. Sorry for the noise. Arne 

Fixes error: --key fails with EXTERNAL_PRIVATE_KEY: No such file or directory if --management-external-key is used Signed-off-by: Arne Schwabe <ar...@rf...> --- src/openvpn/options.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/src/openvpn/options.c b/src/openvpn/options.c index cd1cb1c..7041e94 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1930,6 +1930,15 @@ options_postprocess_verify_ce (const struct options *options, const struct conne if ((options->management_client_user || options->management_client_group) && !(options->management_flags & MF_UNIX_SOCK)) msg (M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets"); +#ifdef MANAGMENT_EXTERNAL_KEY + if(options->management_flags & MF_EXTERNAL_KEY) { + if(options->priv_key_file) + msg (M_USAGE, "--key and --management-external-key are mutually exclusive"); + /* set a filename for nicer output in the logs */ + options->priv_key_file = "EXTERNAL_PRIVATE_KEY"; + } +#endif + #endif /* @@ -2627,6 +2636,9 @@ options_postprocess_filechecks (struct options *options) errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->cert_file, R_OK, "--cert"); errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->extra_certs_file, R_OK, "--extra-certs"); +#ifdef MANAGMENT_EXTERNAL_KEY + if(!options->management_flags & MF_EXTERNAL_KEY) +#endif errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->priv_key_file, R_OK, "--key"); errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->pkcs12_file, R_OK, @@ -4141,7 +4153,6 @@ add_option (struct options *options, { VERIFY_PERMISSION (OPT_P_GENERAL); options->management_flags |= MF_EXTERNAL_KEY; - options->priv_key_file = "EXTERNAL_PRIVATE_KEY"; } #endif #ifdef MANAGEMENT_DEF_AUTH -- 1.7.9.5 

Support --management-query-passwords for SOCKS 5 proxies as well. Signed-off-by: Heiko Hund <hei...@so...> --- src/openvpn/socks.c | 38 +++++++++++++++----------------------- src/openvpn/socks.h | 4 ++-- 2 files changed, 17 insertions(+), 25 deletions(-) diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c index 235982e..e0ce5f7 100644 --- a/src/openvpn/socks.c +++ b/src/openvpn/socks.c @@ -72,14 +72,9 @@ socks_proxy_new (const char *server, ASSERT (server); ASSERT (legal_ipv4_port (port)); - strncpynt (p->server, server, sizeof (p->server)); + p->server = server; p->port = port; - - if (authfile) - strncpynt (p->authfile, authfile, sizeof (p->authfile)); - else - p->authfile[0] = 0; - + p->authfile = authfile; p->retry = retry; p->defined = true; @@ -107,13 +102,18 @@ socks_username_password_auth (struct socks_proxy_info *p, creds.defined = 0; get_user_pass (&creds, p->authfile, UP_TYPE_SOCKS, GET_USER_PASS_MANAGEMENT); - if( !creds.username || (strlen(creds.username) > 255) - || !creds.password || (strlen(creds.password) > 255) ) { - msg (M_NONFATAL, - "SOCKS username and/or password exceeds 255 characters. " - "Authentication not possible."); - return false; - } + if (creds.username == NULL || creds.password == NULL) + { + msg (D_LINK_ERRORS, "socks_username_password_auth: " + "server asked for auth but no credentials were provided"); + return false; + } + else if (strlen (creds.username) > 255 || strlen (creds.password) > 255) + { + msg (M_NONFATAL, "SOCKS username and/or password exceed 255 characters. " + "Authentication not possible."); + return false; + } openvpn_snprintf (to_send, sizeof (to_send), "\x01%c%s%c%s", (int) strlen(creds.username), creds.username, (int) strlen(creds.password), creds.password); size = send (sd, to_send, strlen(to_send), MSG_NOSIGNAL); @@ -259,16 +259,8 @@ socks_handshake (struct socks_proxy_info *p, break; case 2: /* login/password */ - if (!p->authfile[0]) - { -	msg(D_LINK_ERRORS, "socks_handshake: server asked for username/login auth but we were " - "not provided any credentials"); + if (!socks_username_password_auth (p, sd, signal_received))	return false; - } - - if (!socks_username_password_auth(p, sd, signal_received)) -	return false; - break; default: /* unknown auth method */ diff --git a/src/openvpn/socks.h b/src/openvpn/socks.h index b55ff6f..6afc8bd 100644 --- a/src/openvpn/socks.h +++ b/src/openvpn/socks.h @@ -41,9 +41,9 @@ struct socks_proxy_info { bool defined; bool retry; - char server[128]; + const char *server; int port; - char authfile[256]; + const char *authfile; }; void socks_adjust_frame_parameters (struct frame *frame, int proto); -- 1.7.9.5 

On 17/07/12 18:25, Heiko Hund wrote: > WSAGetLastError() is just a wrapper for GetLastError(). So, there's > no need to differentiate between socket related and other errors. > > This patch removes all special handling of socket errors in favor > of simplifying the codebase somewhat. > > Signed-off-by: Heiko Hund <hei...@so...> > --- > src/openvpn/error.c | 9 ++----- > src/openvpn/error.h | 4 --- > src/openvpn/fdmisc.c | 2 +- > src/openvpn/manage.c | 4 +- > src/openvpn/proxy.c | 10 ++++---- > src/openvpn/ps.c | 6 ++-- > src/openvpn/socket.c | 56 +++++++++++++++++++++++++------------------------- > src/openvpn/socket.h | 2 +- > src/openvpn/socks.c | 26 +++++++++++----------- > src/openvpn/win32.c | 6 ++-- > 10 files changed, 59 insertions(+), 66 deletions(-) > Applied to master. commit 910675de28956cf8d028aed727486b64747362fb Author: Heiko Hund <hei...@so...> Date: Tue Jul 17 18:25:16 2012 +0200 don't treat socket related errors special anymore Signed-off-by: Heiko Hund <hei...@so...> Acked-by: Gert Doering <ge...@gr...> Message-Id: 134...@so... URL: http://article.gmane.org/gmane.network.openvpn.devel/6876 Signed-off-by: David Sommerseth <da...@us...> kind regards, David Sommerseth 

On 17/07/12 18:19, Heiko Hund wrote: > Instead of EINPROGRESS WinSock2 returns WSAEWOULDBLOCK if a non-blocking > connect(2) cannot be completed immediately. > > Signed-off-by: Heiko Hund <hei...@so...> > --- > src/openvpn/socket.c | 8 +++++++- > 1 files changed, 7 insertions(+), 1 deletions(-) > Applied to master. commit 9081e0ad4c496a0334a21fc4e8e4f1f73a470b5a Author: Heiko Hund <hei...@so...> Date: Tue Jul 17 18:19:53 2012 +0200 make non-blocking connect work on Windows Signed-off-by: Heiko Hund <hei...@so...> Acked-by: Gert Doering <ge...@gr...> Message-Id: 134...@so... URL: http://article.gmane.org/gmane.network.openvpn.devel/6875 Signed-off-by: David Sommerseth <da...@us...> kind regards, David Sommerseth