| From: Samuli S. <sa...@op...> - 2016-03-30 17:03:13 |
Hi, This pull request has been lingering on GitHub for quite a while: <https://github.com/OpenVPN/openvpn-gui/pull/26> Here's the code: <https://github.com/OpenVPN/openvpn-gui/pull/26/files> I think "generic" code review would be enough. If we wait for a review from a Windows developer we might have to wait a bit too long :). -- Samuli Seppänen Community Manager OpenVPN Technologies, Inc irc freenode net: mattock |
| From: Selva N. <sel...@gm...> - 2016-03-28 20:23:28 |
Hi, In recent versions of openvpn, with "management localhost xxx" openvpn management interface listens on "[::1]:xxx" on most machines including windows. Looking at the code, ::1 makes sense as getaddrinfo is called with AF_UNSPEC and the first address in the list returned is used. I'm trying to support this correctly in the GUI and have a question: Is it ok to rely on the order in which addresses are returned by getaddrinfo (with the same hints) -- especially on windows? Or, how best to make sure openvpn's interpretation of the host is the same as that of the GUI? I would prefer to avoid having to try all addresses in the list. On linux, apparently, getaddrinfo returns entries for localhost in /etc/hosts re-ordered as per RFC 3484 (as per the manpage) unless modified by gai.conf settings. How does it work on windows?[*] Previously this has not been an issue, as the GUI crafts the command line with "--management 127.0.0.1 stdin". I'm trying to support any "management .." line specified in the config file, which is useful for controlling always on connections (say, started by nssm or openvpnserv), among other things.. Even otherwise, using "localhost" instead of 127.0.0.1 looks better.. Thanks, Selva [*] No mention in MSDN of the order of addresses or whether it could be altered by some settings |
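An added example, not code from this thread or from OpenVPN: a client that does not depend on the order of `getaddrinfo()` results, because it tries each returned address until one connects. It uses POSIX sockets (on Windows the same loop applies with Winsock); the function names and the IPv4-only listener standing in for a management interface are constructed for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* getaddrinfo() under strict -std= modes */
#endif
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed stand-in for a management interface that is bound to one
 * address family only: listen on 127.0.0.1, ephemeral port.
 * Returns the listening socket and stores the port, or -1 on error. */
static int listen_ipv4_loopback(unsigned short *port)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof(sa);
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;                       /* let the kernel pick a port */
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0
        || listen(fd, 1) < 0
        || getsockname(fd, (struct sockaddr *)&sa, &len) < 0)
    {
        close(fd);
        return -1;
    }
    *port = ntohs(sa.sin_port);
    return fd;
}

/* Resolve host with AF_UNSPEC, as described in the message above, and
 * connect to the first address that accepts. *family receives the family
 * that worked, *skipped the number of entries that were tried and failed.
 * Returns the connected socket, or -1 if no address accepted. */
static int connect_any(const char *host, unsigned short port,
                       int *family, int *skipped)
{
    struct addrinfo hints, *res = NULL, *ai;
    char service[8];
    int fd = -1;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;           /* may yield ::1 before 127.0.0.1 */
    hints.ai_socktype = SOCK_STREAM;
    snprintf(service, sizeof(service), "%u", (unsigned)port);
    *family = AF_UNSPEC;
    *skipped = 0;

    if (getaddrinfo(host, service, &hints, &res) != 0)
        return -1;
    for (ai = res; ai != NULL; ai = ai->ai_next)
    {
        fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd >= 0 && connect(fd, ai->ai_addr, ai->ai_addrlen) == 0)
        {
            *family = ai->ai_family;       /* this entry has a listener */
            break;
        }
        if (fd >= 0)
            close(fd);                     /* refused or unreachable */
        fd = -1;
        ++*skipped;
    }
    freeaddrinfo(res);
    return fd;
}

int main(void)
{
    unsigned short port = 0;
    int family = AF_UNSPEC, skipped = 0;
    int lfd = listen_ipv4_loopback(&port);
    int cfd;

    if (lfd < 0)
        return 1;
    cfd = connect_any("localhost", port, &family, &skipped);
    printf("connected=%s family=%s skipped=%d\n",
           cfd >= 0 ? "yes" : "no",
           family == AF_INET ? "IPv4" : family == AF_INET6 ? "IPv6" : "none",
           skipped);
    if (cfd >= 0)
        close(cfd);
    close(lfd);
    return cfd >= 0 ? 0 : 1;
}
```

Whether `skipped` is 0 or 1 depends on the resolver's ordering on the host, which is exactly the property the loop makes irrelevant.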
| From: Steffan K. <st...@ka...> - 2016-03-27 15:22:21 |
Reported by coverity (in 2009!): 1648 static char * 1649 argv_extract_cmd_name (const char *path) 1650 { 1. Condition path, taking true branch 1651 if (path) 1652 { 1653 char *path_cp = string_alloc(path, NULL); /* POSIX basename() implementaions may modify its arguments */ 1654 const char *bn = basename (path_cp); 2. Condition bn, taking true branch 1655 if (bn) 1656 { 3. alloc_fn: Storage is returned from allocation function string_alloc. [show details] 4. var_assign: Assigning: ret = storage returned from string_alloc(bn, NULL). 1657 char *ret = string_alloc (bn, NULL); 5. noescape: Resource ret is not freed or pointed-to in strrchr. 1658 char *dot = strrchr (ret, '.'); 6. Condition dot, taking false branch 1659 if (dot) 1660 *dot = '\0'; 1661 free(path_cp); 7. Condition ret[0] != 0, taking false branch 1662 if (ret[0] != '\0') 1663 return ret; CID 27023 (#2-1 of 2): Resource leak (RESOURCE_LEAK)8. leaked_storage: Variable ret going out of scope leaks the storage it points to. 1664 } 1665 } 1666 return NULL; 1667 } This function is only used by argv_printf_arglist(), and in a very specific case, so it might be that this leak can not even occur. But coverity is clearly right that this is a bug, so let's just fix it. Signed-off-by: Steffan Karger <st...@ka...> --- src/openvpn/misc.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index 05ed073..f76c2e5 100644 --- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c 
@@ -1648,22 +1648,27 @@ argv_system_str_append (struct argv *a, const char *str, const bool enquote) static char * argv_extract_cmd_name (const char *path) { + char *ret = NULL; if (path) { char *path_cp = string_alloc(path, NULL); /* POSIX basename() implementaions may modify its arguments */ const char *bn = basename (path_cp); if (bn) { - char *ret = string_alloc (bn, NULL); - char *dot = strrchr (ret, '.'); + char *dot = NULL; + ret = string_alloc (bn, NULL); + dot = strrchr (ret, '.'); if (dot) *dot = '\0'; free(path_cp); - if (ret[0] != '\0') - return ret; + if (ret[0] == '\0') + { + free(ret); + ret = NULL; + } } } - return NULL; + return ret; } const char * -- 2.5.0 |
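Review bot: free(path_cp) still sits inside the if (bn) block, so the copy made by string_alloc(path, NULL) leaks whenever basename() returns NULL, which is the same class of leak this patch fixes for ret. Moving free(path_cp) to just after the if (bn) block, still inside if (path), releases it on both branches and keeps the single `return ret;` exit introduced here.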
| From: Steffan K. <st...@ka...> - 2016-03-27 14:18:27 |
Using a static inline function instead of a macro has the advantages that (1) 'flags' is not evaluated twice and (2) coverity will stop complaining that 'Macro compares unsigned to 0 (NO_EFFECT)' each time we use flags with loglevel 0 (e.g. M_FATAL or M_WARN). This has a performance impact when compiler optimizations are fully disabled ('-O0'), but should otherwise be as fast as using a macro. Signed-off-by: Steffan Karger <st...@ka...> --- src/openvpn/error.c | 2 +- src/openvpn/error.h | 17 +++++++++++------ src/openvpn/plugin.c | 2 +- 3 files changed, 13 insertions(+), 8 deletions(-) diff --git a/src/openvpn/error.c b/src/openvpn/error.c index cfd5a41..bb0ab5b 100644 --- a/src/openvpn/error.c +++ b/src/openvpn/error.c @@ -228,7 +228,7 @@ void x_msg_va (const unsigned int flags, const char *format, va_list arglist) #ifndef HAVE_VARARG_MACROS /* the macro has checked this otherwise */ - if (!MSG_TEST (flags)) + if (!msg_test (flags)) return; #endif diff --git a/src/openvpn/error.h b/src/openvpn/error.h index dd5ccf7..76515d6 100644 --- a/src/openvpn/error.h +++ b/src/openvpn/error.h 
@@ -135,26 +135,31 @@ extern int x_msg_line_num; * msg() as a macro for optimization win. */ -bool dont_mute (unsigned int flags); /* check muting filter */ +/** Check muting filter */ +bool dont_mute (unsigned int flags); -#define MSG_TEST(flags) (unlikely((((unsigned int)flags) & M_DEBUG_LEVEL) <= x_debug_level) && dont_mute (flags)) +/** Return true if flags represent an enabled, not muted log level */ +static inline bool msg_test (unsigned int flags) +{ + return ((flags & M_DEBUG_LEVEL) <= x_debug_level) && dont_mute (flags); +} /* Macro to ensure (and teach static analysis tools) we exit on fatal errors */ #define EXIT_FATAL(flags) do { if ((flags) & M_FATAL) _exit(1); } while (false) #if defined(HAVE_CPP_VARARG_MACRO_ISO) && !defined(__LCLINT__) # define HAVE_VARARG_MACROS -# define msg(flags, ...) do { if (MSG_TEST(flags)) x_msg((flags), __VA_ARGS__); EXIT_FATAL(flags); } while (false) +# define msg(flags, ...) do { if (msg_test(flags)) x_msg((flags), __VA_ARGS__); EXIT_FATAL(flags); } while (false) # ifdef ENABLE_DEBUG -# define dmsg(flags, ...) do { if (MSG_TEST(flags)) x_msg((flags), __VA_ARGS__); EXIT_FATAL(flags); } while (false) +# define dmsg(flags, ...) do { if (msg_test(flags)) x_msg((flags), __VA_ARGS__); EXIT_FATAL(flags); } while (false) # else # define dmsg(flags, ...) # endif #elif defined(HAVE_CPP_VARARG_MACRO_GCC) && !defined(__LCLINT__) # define HAVE_VARARG_MACROS -# define msg(flags, args...) do { if (MSG_TEST(flags)) x_msg((flags), args); EXIT_FATAL(flags); } while (false) +# define msg(flags, args...) do { if (msg_test(flags)) x_msg((flags), args); EXIT_FATAL(flags); } while (false) # ifdef ENABLE_DEBUG -# define dmsg(flags, args...) do { if (MSG_TEST(flags)) x_msg((flags), args); EXIT_FATAL(flags); } while (false) +# define dmsg(flags, args...) do { if (msg_test(flags)) x_msg((flags), args); EXIT_FATAL(flags); } while (false) # else # define dmsg(flags, args...) # endif 
diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c index 9be0b0c..542e5b1 100644 --- a/src/openvpn/plugin.c +++ b/src/openvpn/plugin.c @@ -319,7 +319,7 @@ plugin_vlog (openvpn_plugin_log_flags_t flags, const char *name, const char *for if (flags & PLOG_NOMUTE) msg_flags |= M_NOMUTE; - if (MSG_TEST (msg_flags)) + if (msg_test (msg_flags)) { struct gc_arena gc; char* msg_fmt; -- 2.5.0 |
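Review bot: in error.h the new msg_test() drops the unlikely() branch hint that MSG_TEST wrapped around the debug-level comparison, and the commit message does not mention it. Because msg() and dmsg() expand this check at every call site, either keep the hint, for example `return unlikely((flags & M_DEBUG_LEVEL) <= x_debug_level) && dont_mute (flags);`, or say in the commit message that it was removed on purpose.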
| From: Samuli S. <sa...@op...> - 2016-03-23 08:19:45 |
> Hi,
>
> On Mon, Mar 14, 2016 at 02:18:08PM +0200, Samuli Seppänen wrote:
>> Lack of the update might become more problematic after I rebuild the
>> tap-windows6 driver and sign it with our new key, in which case Windows
>> 7 might reject the driver altogether. So that part requires more
>> thorough pre-release testing.
>
> The old key is still valid, just not "good enough" for win8+, right?
>
> In that case we might consider building two tap driver packages, one
> signed with the vista/win7 key, one with the win8+ key.
>
> Or maybe I'm totally misunderstanding this, so ignore me :)
>
> gert
>

In case I did not respond to this earlier (my email client claims that)...

Old tap-windows6 signatures will be as valid as they were before. We might run into trouble when we sign tap-windows6 with the EV dongle, which probably generates SHA-2 signatures. The same goes for our new generic code-signing certificate, which was recently rekeyed to SHA-2.

My view of what will happen once we fully move to SHA-2 for signing the executables, libraries and drivers:

- Windows XP will show "Unknown publisher" for everything
- Some Windows 7 installations _might_ have issues:
  - Might not recognize the SHA-2 signatures ("Unknown publisher")
  - Might fail to install the SHA-2 tap-windows6 driver
- Windows 8.1+ should work just fine

That said, the Windows 7 issue has not been verified. So far nobody has complained about the new SHA-2 based Windows installers I published. The tap-windows6 driver contained in the installers was still signed with the non-EV SHA-1 key, so at worst we'd see the "Unknown publisher" problem.

I can probably sign Windows XP (I00x) installers with the old SHA-1 key until it expires in September. After that I will need to sign everything with SHA-2.

I think that at that point we should consider dropping official Windows XP support, namely:

- Stop publishing tap-windows-based (I00x) OpenVPN installers
- Stop caring about "Unknown publisher" warnings on Windows XP

We could still allow use of I60x installers on Windows XP, and let people downgrade to tap-windows manually.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc
irc freenode net: mattock
| From: Samuli S. <sa...@op...> - 2016-03-23 07:54:23 |
> Hi > > currently the Forum Rank are like so: > > RANK TITLE MINIMUM POSTS > > OpenVpn Newbie 0 > - OpenVPN User 10 > - OpenVPN Power User 50 > - OpenVPN Expert 200 > - I should be on the dev team. 500 > > While it is possible that "X should be on the dev team" > it is not very likely to happen .. due to circumstances .. > > I would like to propose a new, more suitable rank for one > particular (currently) case: > > Proposed rank - OpenVPN Protagonist > Minimum posts - 2000 or 1500 or 1000 or 999 etc > > I once proposed "Guru" before but was asked not to change anything. > (Not to this list) > > But I feel like as this is so simple to do (2 mins on the ACP) > and it more accurately reflects reality .. Sounds good. Samuli |
| From: Eric C. <ec...@se...> - 2016-03-23 02:54:11 |
I have no problem. Eric > On Mar 22, 2016, at 5:28 PM, debbie10t <deb...@gm...> wrote: > > Hi > > currently the Forum Rank are like so: > > RANK TITLE MINIMUM POSTS > > OpenVpn Newbie 0 > - OpenVPN User 10 > - OpenVPN Power User 50 > - OpenVPN Expert 200 > - I should be on the dev team. 500 > > While it is possible that "X should be on the dev team" > it is not very likely to happen .. due to circumstances .. > > I would like to propose a new, more suitable rank for one > particular (currently) case: > > Proposed rank - OpenVPN Protagonist > Minimum posts - 2000 or 1500 or 1000 or 999 etc > > I once proposed "Guru" before but was asked not to change anything. > (Not to this list) > > But I feel like as this is so simple to do (2 mins on the ACP) > and it more accurately reflects reality .. > > I ask for your opinions and/or other suggestions > > Thank you |
| From: debbie10t <deb...@gm...> - 2016-03-22 22:28:35 |
Hi currently the Forum Rank are like so: RANK TITLE MINIMUM POSTS OpenVpn Newbie 0 - OpenVPN User 10 - OpenVPN Power User 50 - OpenVPN Expert 200 - I should be on the dev team. 500 While it is possible that "X should be on the dev team" it is not very likely to happen .. due to circumstances .. I would like to propose a new, more suitable rank for one particular (currently) case: Proposed rank - OpenVPN Protagonist Minimum posts - 2000 or 1500 or 1000 or 999 etc I once proposed "Guru" before but was asked not to change anything. (Not to this list) But I feel like as this is so simple to do (2 mins on the ACP) and it more accurately reflects reality .. I ask for your opinions and/or other suggestions Thank you |
| From: Samuli S. <sa...@op...> - 2016-03-17 09:19:14 |
> This particular link returns 404 > > https://swupdate.openvpn.org/community/releases/openvpn-install-2.3.10-I603-x86_64.exe > > Notified here > > https://forums.openvpn.net/topic21280.html > Hi, This confirms my feeling that every time I make a release, some of the links are broken for some people, but that the problem goes away by itself after a while. That said, one of the download nodes was updated, so this could have been a temporary glitch during switchover. -- Samuli Seppänen Community Manager OpenVPN Technologies, Inc irc freenode net: mattock |
| From: debbie10t <deb...@gm...> - 2016-03-16 00:34:06 |
All links on the downloads page are now working Thanks On 15/03/16 11:55, debbie10t wrote: > This particular link returns 404 > > https://swupdate.openvpn.org/community/releases/openvpn-install-2.3.10-I603-x86_64.exe > > > Notified here > > https://forums.openvpn.net/topic21280.html > > Regards > > |
| From: debbie10t <deb...@gm...> - 2016-03-15 11:56:08 |
This particular link returns 404 https://swupdate.openvpn.org/community/releases/openvpn-install-2.3.10-I603-x86_64.exe Notified here https://forums.openvpn.net/topic21280.html Regards |
| From: Gert D. <ge...@gr...> - 2016-03-14 19:59:41 |
Hi, On Mon, Mar 14, 2016 at 02:18:08PM +0200, Samuli Seppänen wrote: > Lack of the update might become more problematic after I rebuild the > tap-windows6 driver and sign it with our new key, in which case Windows > 7 might reject the driver altogether. So that part requires more > thorough pre-release testing. The old key is still valid, just not "good enough" for win8+, right? In that case we might consider building two tap driver packages, one signed with the vista/win7 key, one with the win8+ key. Or maybe I'm totally misunderstanding this, so ignore me :) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany ge...@gr... fax: +49-89-35655025 ge...@ne... |
| From: debbie10t <deb...@gm...> - 2016-03-14 17:37:33 |
Just thought Arne might be interested: https://forums.openvpn.net/topic21272.html Regards |
| From: David W. <dw...@in...> - 2016-03-14 13:20:38 |
On Mon, 2016-03-14 at 14:18 +0200, Samuli Seppänen wrote: > > >> <https://support.microsoft.com/en-us/kb/3033929> > > > > Is there a link to the corresponding grub bug? In an ideal world, > > things like the above would never be posted *without* such a link. But > > I suppose we don't necessarily expect Microsoft to do the right thing. > > Hopefully *someone* has? > > I believe the bug is not in Grub, but in the said Windows update, which > can put the computer into reboot loop: Is Grub supposed to boot Windows, or is Grub supposed to boot some theoretical ideal Windows-like thing, but not actually work reliably for Windows in the real world? I assert that it should be the latter, and thus this is by *definition* a bug in Grub. At least until it's been properly analysed and shown that Grub *can't* possibly work around it. And even then, there'd be a bug with that analysis and a 'WONTFIX' conclusion. -- dwmw2 |
| From: Samuli S. <sa...@op...> - 2016-03-14 12:18:17 |
> On Thu, 2016-03-10 at 16:34 +0200, Samuli Seppänen wrote:
>>
>> A second problem should be limited to Windows 7 and Windows Server 2008
>> R2 installations that are booted through a non-Windows bootloader (e.g.
>> grub):
>>
>> <https://support.microsoft.com/en-us/kb/3033929>
>
> Is there a link to the corresponding grub bug? In an ideal world,
> things like the above would never be posted *without* such a link. But
> I suppose we don't necessarily expect Microsoft to do the right thing.
> Hopefully *someone* has?

I believe the bug is not in Grub, but in the said Windows update, which can put the computer into reboot loop:

<http://answers.microsoft.com/en-us/windows/forum/all/kb3033929-does-not-install-multi-boot-win7-linux/8f35f8f8-c0b2-461a-a8aa-4bbf16c49920?auth=1>

I could not find a bug report in Grub bug tracker[1] using the above KB number.

However, this problem is only tangentially related to the new OpenVPN installers:

- If KB3033929 has been installed, the problem will manifest itself regardless of OpenVPN
- If the said update has not been installed, then Windows 7 will/might fail to verify the signature of the installer and the libraries/binaries in it, showing "Unknown publisher" in UAC

Lack of the update might become more problematic after I rebuild the tap-windows6 driver and sign it with our new key, in which case Windows 7 might reject the driver altogether. So that part requires more thorough pre-release testing.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc
irc freenode net: mattock

[1] <http://savannah.gnu.org/bugs/?group=grub>
| From: David W. <dw...@in...> - 2016-03-14 08:47:04 |
On Thu, 2016-03-10 at 16:34 +0200, Samuli Seppänen wrote: > > A second problem should be limited to Windows 7 and Windows Server 2008 > R2 installations that are booted through a non-Windows bootloader (e.g. > grub): > > <https://support.microsoft.com/en-us/kb/3033929> Is there a link to the corresponding grub bug? In an ideal world, things like the above would never be posted *without* such a link. But I suppose we don't necessarily expect Microsoft to do the right thing. Hopefully *someone* has? -- dwmw2 |
| From: Samuli S. <sa...@op...> - 2016-03-14 08:38:56 |
> Hi, > > Here are new Windows 2.3.10 installers with OpenSSL 1.0.1s and SHA-2 > signatures: > > <http://build.openvpn.net/downloads/temp/openvpn-install-2.3.10-I603-i686.exe> > > <http://build.openvpn.net/downloads/temp/openvpn-install-2.3.10-I603-x86_64.exe> > > > I tested the latter lightly on Windows 7 Pro 64-bit and it seemed to > work just fine and the signatures seemed to be correct. However, more > testing is required before these installers can be officially released. > > There is potentially a severe issue which manifests itself on Windows > Vista SP2 / Windows Server 2008 SP2: > > <https://support.microsoft.com/en-us/kb/2763674> > > A second problem should be limited to Windows 7 and Windows Server 2008 > R2 installations that are booted through a non-Windows bootloader (e.g. > grub): > > <https://support.microsoft.com/en-us/kb/3033929> > > Let me know if you can confirm or discredit either of these issues - > that would help us get the new installers released soon. > > Thanks, > Hi, These installers are now live: <https://openvpn.net/index.php/download/community-downloads.html> Best regards, -- Samuli Seppänen Community Manager OpenVPN Technologies, Inc irc freenode net: mattock |
| From: Selva N. <sel...@gm...> - 2016-03-11 04:47:39 |
The call to the service returns promptly after delegating the job to a thread, before the task is completed. In the thread, "net stop dnscache", "net start dnscache", "ipconfig /flushdns" and "ipconfig /register-dns" are executed in that order. Parallel execution of these commands is prevented by a lock that is common to all connections started by the service. Note: "net stop .." is used instead of "sc stop.." as the latter can return before the service has fully stopped (in STOP_PENDING state), causing the subsequent start to fail. Signed-off-by: Selva Nair <sel...@gm...> --- include/openvpn-msg.h | 3 +- src/openvpn/tun.c | 35 ++++++++- src/openvpnserv/interactive.c | 156 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 192 insertions(+), 2 deletions(-) diff --git a/include/openvpn-msg.h b/include/openvpn-msg.h index 7470512..4c13acf 100644 --- a/include/openvpn-msg.h +++ b/include/openvpn-msg.h @@ -37,7 +37,8 @@ typedef enum { msg_del_nbt_cfg, msg_flush_neighbors, msg_add_block_dns, - msg_del_block_dns + msg_del_block_dns, + msg_register_dns } message_type_t; typedef struct { diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c index eaeb6cc..dd9bdaf 100644 --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c 
@@ -5101,10 +5101,43 @@ fork_dhcp_action (struct tuntap *tt) } } +static void +register_dns_service (const struct tuntap *tt) +{ + DWORD len; + HANDLE msg_channel = tt->options.msg_channel; + ack_message_t ack; + struct gc_arena gc = gc_new (); + + message_header_t rdns = { msg_register_dns, sizeof(message_header_t), 0 }; + + if (!WriteFile (msg_channel, &rdns, sizeof (rdns), &len, NULL) || + !ReadFile (msg_channel, &ack, sizeof (ack), &len, NULL)) + { + msg (M_WARN, "Register_dns: could not talk to service: %s [status=0x%lx]", + strerror_win32 (GetLastError (), &gc), GetLastError ()); + } + + else if (ack.error_number != NO_ERROR) + { + msg (M_WARN, "Register_dns failed using service: %s [status=0x%x]", + strerror_win32 (ack.error_number, &gc), ack.error_number); + } + + else + msg (M_INFO, "Register_dns request sent to the service"); + + gc_free (&gc); +} + void fork_register_dns_action (struct tuntap *tt) { - if (tt && tt->options.register_dns) + if (tt && tt->options.register_dns && tt->options.msg_channel) + { + register_dns_service (tt); + } + else if (tt && tt->options.register_dns) { struct gc_arena gc = gc_new (); struct buffer cmd = alloc_buf_gc (256, &gc); diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index d83ea65..df30ad7 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c @@ -50,6 +50,9 @@ static SERVICE_STATUS_HANDLE service; static SERVICE_STATUS status; static HANDLE exit_event = NULL; static settings_t settings; +static HANDLE rdns_semaphore = NULL; +#define RDNS_TIMEOUT 600 /* seconds to wait for the semaphore */ + openvpn_service_t interactive_service = { interactive, 
@@ -803,6 +806,147 @@ HandleBlockDNSMessage (const block_dns_message_t *msg, undo_lists_t *lists) return err; } +/* + * Execute a command and return its exit code. If timeout > 0, terminate + * the process if still running after timeout milliseconds. In that case + * the return value is the windows error code WAIT_TIMEOUT = 0x102 + */ +static DWORD +ExecCommand (const WCHAR *argv0, const WCHAR *cmdline, DWORD timeout) +{ + DWORD exit_code; + STARTUPINFOW si; + PROCESS_INFORMATION pi; + DWORD proc_flags = CREATE_NO_WINDOW|CREATE_UNICODE_ENVIRONMENT; + WCHAR *cmdline_dup = NULL; + + ZeroMemory (&si, sizeof(si)); + ZeroMemory (&pi, sizeof(pi)); + + si.cb = sizeof(si); + + /* CreateProcess needs a modifiable cmdline: make a copy */ + cmdline_dup = wcsdup (cmdline); + if ( cmdline_dup && CreateProcessW (argv0, cmdline_dup, NULL, NULL, FALSE, + proc_flags, NULL, NULL, &si, &pi) ) + { + WaitForSingleObject (pi.hProcess, timeout ? timeout : INFINITE); + if (!GetExitCodeProcess (pi.hProcess, &exit_code)) + { + MsgToEventLog (M_SYSERR, TEXT("ExecCommand: Error getting exit_code:")); + exit_code = GetLastError(); + } + else if (exit_code == STILL_ACTIVE) + { + exit_code = WAIT_TIMEOUT; /* Windows error code 0x102 */ + + /* kill without impunity */ + TerminateProcess (pi.hProcess, exit_code); + MsgToEventLog (M_ERR, TEXT("ExecCommand: \"%s %s\" killed after timeout"), + argv0, cmdline); + } + else if (exit_code) + MsgToEventLog (M_ERR, TEXT("ExecCommand: \"%s %s\" exited with status = %lu"), + argv0, cmdline, exit_code); + else + MsgToEventLog (M_INFO, TEXT("ExecCommand: \"%s %s\" completed"), argv0, cmdline); + + CloseHandle(pi.hProcess); + CloseHandle(pi.hThread); + } + else + { + exit_code = GetLastError(); + MsgToEventLog (M_SYSERR, TEXT("ExecCommand: could not run \"%s %s\" :"), + argv0, cmdline); + } + + free (cmdline_dup); + return exit_code; +} + +/* + * Entry point for register-dns thread. 
+ */ +static DWORD WINAPI +RegisterDNS (LPVOID unused) +{ + DWORD err; + DWORD i; + WCHAR sys_path[MAX_PATH]; + DWORD timeout = RDNS_TIMEOUT * 1000; /* in milliseconds */ + + /* default paths of net and ipconfig commands */ + WCHAR net[MAX_PATH] = L"C:\\Windows\\system32\\net.exe"; + WCHAR ipcfg[MAX_PATH] = L"C:\\Windows\\system32\\ipconfig.exe"; + + struct + { + WCHAR *argv0; + WCHAR *cmdline; + DWORD timeout; + } cmds [] = { + { net, L"net stop dnscache", timeout }, + { net, L"net start dnscache", timeout }, + { ipcfg, L"ipconfig /flushdns", timeout }, + { ipcfg, L"ipconfig /registerdns", timeout }, + }; + int ncmds = sizeof (cmds) / sizeof (cmds[0]); + + HANDLE wait_handles[2] = {rdns_semaphore, exit_event}; + + if(GetSystemDirectory(sys_path, MAX_PATH)) + { + _snwprintf (net, MAX_PATH, L"%s\\%s", sys_path, L"net.exe"); + net[MAX_PATH-1] = L'\0'; + + _snwprintf (ipcfg, MAX_PATH, L"%s\\%s", sys_path, L"ipconfig.exe"); + ipcfg[MAX_PATH-1] = L'\0'; + } + + if (WaitForMultipleObjects (2, wait_handles, FALSE, timeout) == WAIT_OBJECT_0) + { + /* Semaphore locked */ + for (i = 0; i < ncmds; ++i) + { + ExecCommand (cmds[i].argv0, cmds[i].cmdline, cmds[i].timeout); + } + err = 0; + if ( !ReleaseSemaphore (rdns_semaphore, 1, NULL) ) + err = MsgToEventLog (M_SYSERR, TEXT("RegisterDNS: Failed to release regsiter-dns semaphore:")); + } + else + { + MsgToEventLog (M_ERR, TEXT("RegisterDNS: Failed to lock register-dns semaphore")); + err = ERROR_SEM_TIMEOUT; /* Windows error code 0x79 */ + } + return err; +} + +static DWORD +HandleRegisterDNSMessage (void) +{ + DWORD err; + HANDLE thread = NULL; + + /* Delegate this job to a sub-thread */ + thread = CreateThread (NULL, 0, RegisterDNS, NULL, 0, NULL); + + /* + * We don't add these thread handles to the undo list -- the thread and + * processes it spawns are all supposed to terminate or timeout by themselves. 
+ */ + if (thread) + { + err = 0; + CloseHandle (thread); + } + else + err = GetLastError(); + + return err; +} + static VOID HandleMessage (HANDLE pipe, DWORD bytes, DWORD count, LPHANDLE events, undo_lists_t *lists) { @@ -854,6 +998,10 @@ HandleMessage (HANDLE pipe, DWORD bytes, DWORD count, LPHANDLE events, undo_list ack.error_number = HandleBlockDNSMessage (&msg.block_dns, lists); break; + case msg_register_dns: + ack.error_number = HandleRegisterDNSMessage (); + break; + default: ack.error_number = ERROR_MESSAGE_TYPE; MsgToEventLog (MSG_FLAGS_ERROR, TEXT("Unknown message type %d"), msg.header.type); @@ -1381,6 +1529,13 @@ ServiceStartInteractive (DWORD dwArgc, LPTSTR *lpszArgv) goto out; } + rdns_semaphore = CreateSemaphoreW (NULL, 1, 1, NULL); + if (!rdns_semaphore) + { + error = MsgToEventLog (M_SYSERR, TEXT("Could not create semaphore for register-dns")); + goto out; + } + error = UpdateWaitHandles (&handles, &handle_count, io_event, exit_event, threads); if (error != NO_ERROR) goto out; @@ -1458,6 +1613,7 @@ out: FreeWaitHandles (handles); CloseHandleEx (&io_event); CloseHandleEx (&exit_event); + CloseHandleEx (&rdns_semaphore); status.dwCurrentState = SERVICE_STOPPED; status.dwWin32ExitCode = error; -- 1.7.10.4 |
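Review bot: in register_dns_service() in tun.c the first M_WARN call passes GetLastError () twice, once to strerror_win32() and once for the status field; the evaluation order of the two arguments is unspecified and strerror_win32() may itself change the thread's last-error value, so the message text and the printed code can disagree. Store the value in a local DWORD right after the failed WriteFile/ReadFile and use it for both. It is also worth checking that len equals sizeof (ack) after ReadFile before trusting ack.error_number.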
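Review bot: in RegisterDNS() in interactive.c every WaitForMultipleObjects result other than WAIT_OBJECT_0 is logged as "Failed to lock register-dns semaphore" and returned as ERROR_SEM_TIMEOUT, including the case where exit_event was signalled, so a normal service stop shows up in the event log as a lock failure; handle that case separately. Related points in the same file: the detached thread can still be inside ExecCommand(), or about to call ReleaseSemaphore, when the out: path runs CloseHandleEx (&rdns_semaphore), so shutdown should wait for it or the thread should hold its own duplicate handle; GetSystemDirectory is called with a WCHAR buffer, which only matches in UNICODE builds, so GetSystemDirectoryW would be explicit; and since the service runs these commands with its own privileges, returning an error when the system directory lookup fails is safer than falling back to the hard-coded C:\Windows\system32 paths.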
| From: Jacek W. <d3...@gm...> - 2016-03-11 00:49:09 |
On 18.02.2016 at 19:08, Gert Doering wrote:
> Hi,
>
> On Thu, Feb 18, 2016 at 06:08:02PM +0100, Jacek Wielemborek wrote:
>> Well the attacker could send a funny packet with a valid checksum,
>> encrypted and authenticated, right?
>
> Indeed, but that would be someone we trust enough to let him talk to
> our network - protects against Joe Random from the Internet crashing
> our servers (or burning CPU resources trying to).
>
> But yeah. Mistakes do happen :-) - so software shouldn't ever crash
> on malformed packets.
>
> gert

For the record, I'm unsubscribing. I hadn't heard a response for quite a while and I'm not interested in other openvpn-devel topics. Please CC me if you'd like to continue the discussion with me.
| From: Samuli S. <sa...@op...> - 2016-03-10 14:34:32 |
Hi,

Here are new Windows 2.3.10 installers with OpenSSL 1.0.1s and SHA-2 signatures:

<http://build.openvpn.net/downloads/temp/openvpn-install-2.3.10-I603-i686.exe>
<http://build.openvpn.net/downloads/temp/openvpn-install-2.3.10-I603-x86_64.exe>

I tested the latter lightly on Windows 7 Pro 64-bit and it seemed to work just fine and the signatures seemed to be correct. However, more testing is required before these installers can be officially released.

There is potentially a severe issue which manifests itself on Windows Vista SP2 / Windows Server 2008 SP2:

<https://support.microsoft.com/en-us/kb/2763674>

A second problem should be limited to Windows 7 and Windows Server 2008 R2 installations that are booted through a non-Windows bootloader (e.g. grub):

<https://support.microsoft.com/en-us/kb/3033929>

Let me know if you can confirm or discredit either of these issues - that would help us get the new installers released soon.

Thanks,

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc
irc freenode net: mattock

PS. The tap-windows6 driver in the installers is still the old one signed with SHA-1. I'm working on signing it with an EV certificate, so that Windows 10 accepts it. |
| From: Samuli S. <sa...@op...> - 2016-03-09 15:27:23 |
Hi,

Some of you may have noticed that our apt repositories did not work with apt-1.1 bundled with Ubuntu 16.04 alphas and Debian testing/unstable. That problem has now been fixed. Let me know if you still encounter issues using the apt repository.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc
irc freenode net: mattock |
| From: Steffan K. <st...@ka...> - 2016-03-08 22:10:35 |
Hi, This addition is welcome and the code does the job it promises to do, but after reviewing the code I would like to propose a different implementation. The reasons for this are given as inline replies below. The alternative patch proposal is attached. On Thu, Mar 3, 2016 at 9:19 AM, James Yonan <ja...@op...> wrote: > Signed-off-by: James Yonan <ja...@op...> > --- > src/openvpn/ssl_verify_polarssl.c | 166 ++++++++++++++++++++++++++++++++++++++ > src/openvpn/syshead.h | 2 +- > 2 files changed, 167 insertions(+), 1 deletion(-) > > diff --git a/src/openvpn/ssl_verify_polarssl.c b/src/openvpn/ssl_verify_polarssl.c > index 9d0d086..ab693d2 100644 > --- a/src/openvpn/ssl_verify_polarssl.c > +++ b/src/openvpn/ssl_verify_polarssl.c > @@ -198,6 +198,172 @@ x509_get_subject(x509_crt *cert, struct gc_arena *gc) > return subject; > } > > +#ifdef ENABLE_X509_TRACK > + > +/* these match NID's in OpenSSL crypto/objects/objects.h */ > +#define NID_undef 0 > +#define NID_sha1 64 > +#define NID_commonName 13 > +#define NID_countryName 14 > +#define NID_localityName 15 > +#define NID_stateOrProvinceName 16 > +#define NID_organizationName 17 > +#define NID_organizationalUnitName 18 > +#define NID_pkcs9_emailAddress 48 Hmm, I don't really like to maintain lists in the source code. If possible, I would prefer an implementation that fits the polarssl approach, rather than wrapping polarssl with openssl-like code. > diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h > index 7e77b6c..25aa69b 100644 > --- a/src/openvpn/syshead.h > +++ b/src/openvpn/syshead.h 
> @@ -634,7 +634,7 @@ socket_defined (const socket_descriptor_t sd) > /* > * Enable x509-track feature? > */ > -#if defined(ENABLE_CRYPTO) && defined (ENABLE_CRYPTO_OPENSSL) > +#if defined(ENABLE_CRYPTO) && (defined(ENABLE_CRYPTO_OPENSSL) || defined(ENABLE_CRYPTO_POLARSSL)) Since both crypto backends now support --x509-track, let's just get rid of this define altogether :) Finally, while reviewing I noticed that the --x509-track code in options.c lives inside #ifdef MANAGEMENT, but there seems to be no valid reason for this. Let's move it outside of this #ifdef. The attached patch takes all these remarks into account. The upsides of my alternative are less code, and no lists to maintain. The downside is less error reporting. I'm curious to hear what you think of the alternative implementation. -Steffan |
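Review bot: the `NID_*` macros added under `#ifdef ENABLE_X509_TRACK` in ssl_verify_polarssl.c reuse OpenSSL's own macro names with hand-copied numeric values, and nothing in the hunk checks that they stay equal to `objects.h`. If the list stays, give the macros a local prefix so they cannot collide with or be mistaken for the OpenSSL definitions, and extend the comment to say which OpenSSL version the numbers were taken from.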
| From: Samuli S. <sa...@op...> - 2016-03-08 09:47:43 |
> I just thought it was interesting that somebody found
> *a* solution to what seems to be a common problem
> and it was worth letting ppl here know.

Indeed. It remains to be seen whether this overly aggressive power saving configuration is limited to Samsung, or whether it's an Android 6.0.x thing.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc
irc freenode net: mattock |
| From: Selva N. <sel...@gm...> - 2016-03-07 23:23:03 |
Hi,

On Mon, Mar 7, 2016 at 3:04 AM, Gert Doering <ge...@gr...> wrote:
> > Then it's only register-dns that remains...
>
> Yep. Its semantics are not totally clear to me (the code does more, like
> turn off dns cache off/on) and I have no idea whether there's a real API
> for that...

Yes, it does much more than "ipconfig /registerdns": it restarts dns service, flushes the dns cache, and then does registerdns. Looks like someone decided to throw everything at it.

In my own very limited tests I've never seen anything more than registerdns needed to get the DNS server registered. In fact, a manual "dhcp /renew" after the connection comes up also appears to do the job: this is not the same as the --dhcp-renew option, though. But I haven't tested any of this beyond a single Windows 7 machine, so can't say for sure that ipconfig /registerdns or dhcp renew is enough. Considering that many folks appear to be dependent on this option, we have to keep it as is, I guess.

AFAIK, there is no API for either of these. There are some undocumented calls like DnsFlushResolverCache in dnsapi.dll but there are no official docs on them. The service can be started and restarted using API but it's no less pain than using "net stop" and "net start".

I suppose we need to just queue this request to the service and let it do it asynchronously in a separate thread. Which is not very unlike the current fork_to_self approach. It shouldn't be hard to add that to interactive.c

Selva |
| From: <deb...@gm...> - 2016-03-07 18:03:56 |
----- Original Message -----
From: "Arne Schwabe" <ar...@rf...>
To: "Selva Nair" <sel...@gm...>; "Debbie Tent" <deb...@gm...>
Cc: <ope...@li...>; <ope...@li...>
Sent: Monday, March 07, 2016 3:40 PM
Subject: Re: [Openvpn-devel] Samsung Galaxy S6 to android 6.0.1 powersave

> On 07.03.16 at 16:28, Selva Nair wrote:
>> Hi,
>>
>> On Mon, Mar 7, 2016 at 9:55 AM, <deb...@gm...> wrote:
>>
>>     An interesting tidbit about Samsung Galaxy S6 to android 6.0.1
>>     and OpenVPN Connect
>>
>>     https://forums.openvpn.net/post59478.html#p59478
>>
>>
>> Sounds suspiciously similar to the sleep-resume issue we had on
>> windows.. The interface probably suspends and openvpn exits?
>>
> In this case that is again some Samsung "optimization". If there is one
> manufacturer of Android that consistently breaks things it is Samsung. I
> have no idea what new idea they now had to break the VPNService when
> combined with powersaving features or if OpenVPN Connect is doing
> something wrong but normally the app is notified by an onRevoke call
> before the tun device is closed.
>
> Arne
>

I just thought it was interesting that somebody found *a* solution to what seems to be a common problem and it was worth letting ppl here know.

regards |