gmane.network.openvpn.devel

[PATCH 4/5 v3] Always push basic set of peer infovalues to server.

Gert Doering — 2013-05-20T10:13:21

From: James Yonan <james< at >openvpn.net>

On the client, allow certain peer info fields to be pushed even if
push-peer-info isn't specified in the config.

This is needed to allow the compression handshake to work correctly
(i.e. where the client indicates its support for LZO and/or Snappy).

Fields that have privacy implications such as Mac Address and UV_*
environment variables will not be pushed to the server as before unless
push-peer-info is specified by client config.

v1: equivalent to OpenVPN SVN r8225 (2.1.21c)

v2: distinguish 3 levels of peer-info detail

  --push-peer-info specified --> send all we have
  --pull           specified --> send basic set, as per r8225
  default                    --> send nothing (do not leak from server)

v3: undo extra whitespace changes in v1 and v2

Signed-off-by: Gert Doering <gert< at >greenie.muc.de>
---
 src/openvpn/init.c       |  7 ++++++-
 src/openvpn/ssl.c        | 31 ++++++++++++++++---------------
 src/openvpn/ssl_common.h |  2 +-
 3 files changed, 23 insertions(+), 17 deletions(-)

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index e700cd6..2a0ba85 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
< at >< at > -2213,7 +2213,12 < at >< at > do_init_crypto_tls (struct context *c, const unsigned int flags)
   to.renegotiate_seconds = options->renegotiate_seconds;
   to.single_session = options->single_session;
 #ifdef ENABLE_PUSH_PEER_INFO
-  to.push_peer_info = options->push_peer_info;
+  if (options->push_peer_info)/* all there is */
+    to.push_peer_info_detail = 2;
+  else if (options->pull)/* pull clients send some details */
+    to.push_peer_info_detail = 1;
+  else/* default: no peer-info at all */
+    to.push_peer_info_detail = 0;
 #endif
 
   /* should we not xmit any packets until we get an initial
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 9ca409f..1026ad4 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
< at >< at > -1775,7 +1775,7 < at >< at > push_peer_info(struct buffer *buf, struct tls_session *session)
   bool ret = false;
 
 #ifdef ENABLE_PUSH_PEER_INFO
-  if (session->opt->push_peer_info) /* write peer info */
+  if (session->opt->push_peer_info_detail > 0)
     {
       struct env_set *es = session->opt->es;
       struct env_item *e;
< at >< at > -1803,26 +1803,27 < at >< at > push_peer_info(struct buffer *buf, struct tls_session *session)
       buf_printf (&out, "IV_PLAT=win\n");
 #endif
 
-      /* push mac addr */
-      {
-struct route_gateway_info rgi;
-get_default_gateway (&rgi);
-if (rgi.flags & RGI_HWADDR_DEFINED)
-  buf_printf (&out, "IV_HWADDR=%s\n", format_hex_ex (rgi.hwaddr, 6, 0, 1, ":", &gc));
-      }
-
       /* push compression status */
 #ifdef USE_COMP
       comp_generate_peer_info_string(&session->opt->comp_options, &out);
 #endif
 
-      /* push env vars that begin with UV_ */
-      for (e=es->list; e != NULL; e=e->next)
-{
-  if (e->string)
+      if (session->opt->push_peer_info_detail >= 2)
+        {
+  /* push mac addr */
+  struct route_gateway_info rgi;
+  get_default_gateway (&rgi);
+  if (rgi.flags & RGI_HWADDR_DEFINED)
+    buf_printf (&out, "IV_HWADDR=%s\n", format_hex_ex (rgi.hwaddr, 6, 0, 1, ":", &gc));
+
+  /* push env vars that begin with UV_ */
+  for (e=es->list; e != NULL; e=e->next)
     {
-      if (!strncmp(e->string, "UV_", 3) && buf_safe(&out, strlen(e->string)+1))
-buf_printf (&out, "%s\n", e->string);
+      if (e->string)
+{
+  if (!strncmp(e->string, "UV_", 3) && buf_safe(&out, strlen(e->string)+1))
+    buf_printf (&out, "%s\n", e->string);
+}
     }
 }
 
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index 47dbefb..0e97487 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
< at >< at > -233,7 +233,7 < at >< at > struct tls_options
   bool disable_occ;
 #endif
 #ifdef ENABLE_PUSH_PEER_INFO
-  bool push_peer_info;
+  int push_peer_info_detail;
 #endif
   int transition_window;
   int handshake_window;

[PATCH 4/5 v2] Always push basic set of peer infovalues to server.

Gert Doering — 2013-05-20T10:02:28

From: James Yonan <james< at >openvpn.net>

On the client, allow certain peer info fields to be pushed even if
push-peer-info isn't specified in the config.

This is needed to allow the compression handshake to work correctly
(i.e. where the client indicates its support for LZO and/or Snappy).

Fields that have privacy implications such as Mac Address and UV_*
environment variables will not be pushed to the server as before unless
push-peer-info is specified by client config.

v1: equivalent to OpenVPN SVN r8225 (2.1.21c)

v2: distinguish 3 levels of peer-info detail

  --push-peer-info specified --> send all we have
  --pull           specified --> send basic set, as per r8225
  default                    --> send nothing (do not leak from server)

Signed-off-by: Gert Doering <gert< at >greenie.muc.de>
---
 src/openvpn/init.c       |  7 ++++++-
 src/openvpn/ssl.c        | 43 ++++++++++++++++++++++---------------------
 src/openvpn/ssl_common.h |  2 +-
 3 files changed, 29 insertions(+), 23 deletions(-)

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index e700cd6..2a0ba85 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
< at >< at > -2213,7 +2213,12 < at >< at > do_init_crypto_tls (struct context *c, const unsigned int flags)
   to.renegotiate_seconds = options->renegotiate_seconds;
   to.single_session = options->single_session;
 #ifdef ENABLE_PUSH_PEER_INFO
-  to.push_peer_info = options->push_peer_info;
+  if (options->push_peer_info)/* all there is */
+    to.push_peer_info_detail = 2;
+  else if (options->pull)/* pull clients send some details */
+    to.push_peer_info_detail = 1;
+  else/* default: no peer-info at all */
+    to.push_peer_info_detail = 0;
 #endif
 
   /* should we not xmit any packets until we get an initial
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 9ca409f..85d8db2 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
< at >< at > -1775,7 +1775,7 < at >< at > push_peer_info(struct buffer *buf, struct tls_session *session)
   bool ret = false;
 
 #ifdef ENABLE_PUSH_PEER_INFO
-  if (session->opt->push_peer_info) /* write peer info */
+  if (session->opt->push_peer_info_detail > 0)
     {
       struct env_set *es = session->opt->es;
       struct env_item *e;
< at >< at > -1803,38 +1803,39 < at >< at > push_peer_info(struct buffer *buf, struct tls_session *session)
       buf_printf (&out, "IV_PLAT=win\n");
 #endif
 
-      /* push mac addr */
-      {
-struct route_gateway_info rgi;
-get_default_gateway (&rgi);
-if (rgi.flags & RGI_HWADDR_DEFINED)
-  buf_printf (&out, "IV_HWADDR=%s\n", format_hex_ex (rgi.hwaddr, 6, 0, 1, ":", &gc));
-      }
-
       /* push compression status */
 #ifdef USE_COMP
       comp_generate_peer_info_string(&session->opt->comp_options, &out);
 #endif
 
-      /* push env vars that begin with UV_ */
-      for (e=es->list; e != NULL; e=e->next)
-{
-  if (e->string)
+      if (session->opt->push_peer_info_detail >= 2)
+        {
+  /* push mac addr */
+  struct route_gateway_info rgi;
+  get_default_gateway (&rgi);
+  if (rgi.flags & RGI_HWADDR_DEFINED)
+    buf_printf (&out, "IV_HWADDR=%s\n", format_hex_ex (rgi.hwaddr, 6, 0, 1, ":", &gc));
+
+  /* push env vars that begin with UV_ */
+  for (e=es->list; e != NULL; e=e->next)
     {
-      if (!strncmp(e->string, "UV_", 3) && buf_safe(&out, strlen(e->string)+1))
-buf_printf (&out, "%s\n", e->string);
+      if (e->string)
+{
+  if (!strncmp(e->string, "UV_", 3) && buf_safe(&out, strlen(e->string)+1))
+    buf_printf (&out, "%s\n", e->string);
+}
     }
 }
 
-      if (!write_string(buf, BSTR(&out), -1))
-goto error;
+if (!write_string(buf, BSTR(&out), -1))
+  goto error;
     }
   else
 #endif
-    {
-      if (!write_empty_string (buf)) /* no peer info */
-goto error;
-    }
+  {
+    if (!write_empty_string (buf)) /* no peer info */
+      goto error;
+  }
   ret = true;
 
  error:
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index 47dbefb..0e97487 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
< at >< at > -233,7 +233,7 < at >< at > struct tls_options
   bool disable_occ;
 #endif
 #ifdef ENABLE_PUSH_PEER_INFO
-  bool push_peer_info;
+  int push_peer_info_detail;
 #endif
   int transition_window;
   int handshake_window;

[PATCH applied] Re: Fix usage of 'compression ...'from global config.

Gert Doering — 2013-05-19T17:55:42

Patch has been applied to the master branch.

commit 1690f290f4bd2b203634e8fef9a82f7a03e5b06b

Author: Gert Doering
Date:   Fri Apr 19 19:41:08 2013 +0200

     Fix usage of 'compression ...' from global config.

     Signed-off-by: Gert Doering <gert< at >greenie.muc.de>
     Acked-by: Arne Schwabe <arne< at >rfc2549.org>
     Message-Id: <1366393268-27392-6-git-send-email-gert< at >greenie.muc.de>
     URL: http://article.gmane.org/gmane.network.openvpn.devel/7529


--
kind regards,

Gert Doering


------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d

[PATCH applied] Re: Added support for the Snappycompression algorithm

Gert Doering — 2013-05-19T17:55:06

Patch has been applied to the master branch.

commit 38d96bd7975e626d490b3d9f9514d81e070a5495

Author: James Yonan
Date:   Tue Sep 18 08:33:34 2012 +0200

     Added support for the Snappy compression algorithm

     Signed-off-by: Gert Doering <gert< at >greenie.muc.de>
     Acked-by: Arne Schwabe <arne< at >rfc2549.org>
     Message-Id: <1366393268-27392-3-git-send-email-gert< at >greenie.muc.de>
     URL: http://article.gmane.org/gmane.network.openvpn.devel/7531


--
kind regards,

Gert Doering


------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d

[PATCH applied] Re: Fix Windows script executionwhen called from script hooks

Gert Doering — 2013-05-19T12:28:35

Your patch has been applied to the master and release/2.3 branch.

commit a19e35a95bf4a0177ae115535a3755d3acd894e9 (master)
commit 93ec740f94867e10980c8a87bd3c2a037b221f31 (release/2.3)

Author: Josh Cepek
Date:   Thu May 16 09:09:23 2013 -0500

     Fix Windows script execution when called from script hooks

     Signed-off-by: Josh Cepek <josh.cepek< at >usa.net>
     Acked-by: Heiko Hund <heiko.hund< at >sophos.com>
     Message-Id: <kn2pao$5sv$1< at >ger.gmane.org>
     URL: http://article.gmane.org/gmane.network.openvpn.devel/7594
     Signed-off-by: Gert Doering <gert< at >greenie.muc.de>


--
kind regards,

Gert Doering


------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d

[PATCH] pkcs12-additional-cas option to load CA+intermediate certs from both PKCS#12 and a --ca PEM file

Heikki Hannikainen — 2013-05-18T11:53:51

Hi,

I've set up a VPN service which authenticates users using certificates
provided by a 3rd party (which has manually authenticated the users
from paper documents and given out some 50k certs). Their tools allow
the end users to nicely export a PKCS#12 certificate which OpenVPN can
currently use out of the box. Grand!

The 3rd party does not give out server certificates, so my VPN server
uses a certificate signed by my own CA. Thus I need to pass my CA to
the VPN client using the --ca option.

Currently OpenVPN ignores CA and intermediate certificates inside the
PKCS#12 file if --ca is set. Without --ca it loads them. The problem
is that the 3rd party CA uses intermediate certificates, and rotates
them ~yearly without warning, so I need the client to load the
intermediates from PKCS#12. To get both client and server validation
working I need to load certs from both the PKCS#12 file and a PEM file
provided using --ca.

So, I added a client option 'pkcs12-additional-cas' to make the --ca
and pkcs12 CA certs additive, not exclusive either-or. Default
functionality is like before. Manual page updated, too.

Patch attached, feedback welcome. I'm not quite sure if the name of
the option (--pkcs12-additional-cas) is good.


---
 doc/openvpn.8             |   16 ++++++++++++++++
 src/openvpn/options.c     |   16 ++++++++++++++++
 src/openvpn/options.h     |    1 +
 src/openvpn/ssl.c         |    2 +-
 src/openvpn/ssl_openssl.c |    2 +-
 5 files changed, 35 insertions(+), 2 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index cbfc107..c758776 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
< at >< at > -4225,6 +4225,22 < at >< at > and
 Not available with PolarSSL.
 .\"*********************************************************
 .TP
+.B \-\-pkcs12-additional-cas
+Load trusted CA and intermediate certificates from both the PKCS #12
+file specified using
+.B \-\-pkcs12
+and an additional PEM file specified using
+.B \-\-ca.
+The default is to not load CA or intermediate certificates from a
+PKCS #12 file if
+.B \-\-ca
+is set. This option can be used when the PKCS #12 client certificate
+is provided by a different CA than the server certificate, and
+contains intermediate certificates required for successful client
+authentication, but does not contain the CA certificate used for signing
+the server's certificate.
+.\"*********************************************************
+.TP
 .B \-\-verify-hash hash
 Specify SHA1 fingerprint for level-1 cert.  The level-1 cert is the
 CA (or intermediate cert) that signs the leaf certificate, and is
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index c5ed0d6..5175607 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
< at >< at > -578,6 +578,10 < at >< at > static const char usage_message[] =
 #ifndef ENABLE_CRYPTO_POLARSSL
   "--pkcs12 file   : PKCS#12 file containing local private key, local
certificate\n"
   "                  and optionally the root CA certificate.\n"
+  "--pkcs12-additional-cas : Load CA certificates from both the
PKCS#12 file and a\n"
+  "                          PEM file specified using --ca. Default
is to ignore\n"
+  "                          CAs and intermediate certificates
contained in the\n"
+  "                          PKCS#12 file if --ca is set.\n"
 #endif
 #ifdef ENABLE_X509ALTUSERNAME
   "--x509-username-field : Field used in x509 certificate to be username.\n"
< at >< at > -1594,6 +1598,7 < at >< at > show_settings (const struct options *o)
   SHOW_STR (priv_key_file);
 #ifndef ENABLE_CRYPTO_POLARSSL
   SHOW_STR (pkcs12_file);
+  SHOW_BOOL (pkcs12_additional_cas);
 #endif
 #ifdef ENABLE_CRYPTOAPI
   SHOW_STR (cryptoapi_cert);
< at >< at > -2286,6 +2291,12 < at >< at > options_postprocess_verify_ce (const struct
options *options, const struct conne
       notnull (options->priv_key_file, "private key file (--key) or
PKCS#12 file (--pkcs12)");
     }
  }
+
+      if (options->pkcs12_additional_cas && !options->ca_file &&
!options->pkcs12_file)
+        {
+          msg (M_USAGE, "When --pkcs12-additional-cas is set, CA
certificates are loaded from both a PEM file (--ca) and a PKCS#12 file
(--pkcs12). Both options must be specified.");
+        }
+
     }
   else
     {
< at >< at > -6458,6 +6469,11 < at >< at > add_option (struct options *options,
   options->pkcs12_file_inline = p[2];
  }
     }
+  else if (streq (p[0], "pkcs12-additional-cas"))
+    {
+      VERIFY_PERMISSION (OPT_P_GENERAL);
+      options->pkcs12_additional_cas = true;
+    }
 #endif /* ENABLE_CRYPTO_POLARSSL */
   else if (streq (p[0], "askpass"))
     {
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index d2ad94c..2f2fe8b 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
< at >< at > -504,6 +504,7 < at >< at > struct options
   const char *extra_certs_file;
   const char *priv_key_file;
   const char *pkcs12_file;
+  bool pkcs12_additional_cas;
   const char *cipher_list;
   const char *tls_verify;
   int verify_x509_type;
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 09cf300..e4457fd 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
< at >< at > -472,7 +472,7 < at >< at > init_ssl (const struct options *options, struct
tls_root_ctx *new_ctx)
   if (options->pkcs12_file)
     {
       if (0 != tls_ctx_load_pkcs12(new_ctx, options->pkcs12_file,
-  options->pkcs12_file_inline, !options->ca_file))
+  options->pkcs12_file_inline, options->pkcs12_additional_cas ||
!options->ca_file))
         goto err;
     }
 #ifdef ENABLE_PKCS11

------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d

[PATCH] Improve documentation and help text for--route-ipv6.

Gert Doering — 2013-05-18T10:43:01

Signed-off-by: Gert Doering <gert< at >greenie.muc.de>
---
 doc/openvpn.8         | 6 +++++-
 src/openvpn/options.c | 2 +-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index cbfc107..366e2f5 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
< at >< at > -5359,7 +5359,11 < at >< at > if no gateway is specified.
 .TP
 .B --route-ipv6 ipv6addr/bits [gateway] [metric]
 setup IPv6 routing in the system to send the specified IPv6 network
-into OpenVPN's ``tun'' device
+into OpenVPN's ``tun''.  The gateway parameter is only used for
+IPv6 routes across ``tap'' devices, and if missing, the ``ipv6remote''
+field from
+.B --ifconfig-ipv6
+is used.
 .TP
 .B --server-ipv6 ipv6addr/bits
 convenience-function to enable a number of IPv6 related options at
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index c5ed0d6..fdf52e0 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
< at >< at > -215,7 +215,7 < at >< at > static const char usage_message[] =
   "--route-ipv6 network/bits [gateway] [metric] :\n"
   "                  Add IPv6 route to routing table after connection\n"
   "                  is established.  Multiple routes can be specified.\n"
-  "                  gateway default: taken from --route-ipv6-gateway or --ifconfig\n"
+  "                  gateway default: taken from 'remote' in --ifconfig-ipv6\n"
   "--max-routes n :  Specify the maximum number of routes that may be defined\n"
   "                  or pulled from a server.\n"
   "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"

[PATCH applied] Re: Fix NULL-pointer crash inroute_list_add_vpn_gateway().

Gert Doering — 2013-05-18T10:24:39

The patch has been applied to the master and release/2.3 branches.

commit eb95f367348f4c2aae301cfa7c3adc8e0f2e711e (master)
commit 4203296fb9166c672e55586490e5bf237910ec56 (release/2.3)

Author: Gert Doering
Date:   Fri May 3 21:13:24 2013 +0200

     Fix NULL-pointer crash in route_list_add_vpn_gateway().

     Signed-off-by: Gert Doering <gert< at >greenie.muc.de>
     Acked-by: Josh Cepek <josh.cepek< at >usa.net>
     Message-Id: <1367608404-2257-1-git-send-email-gert< at >greenie.muc.de>
     URL: http://article.gmane.org/gmane.network.openvpn.devel/7581


--
kind regards,

Gert Doering


------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d

Re: [PATCH] Fix NULL-pointer crash inroute_list_add_vpn_gateway().

Josh Cepek — 2013-05-16T16:30:23

ACK to the fix.

As briefly discussed online, in the long-term the
route_list_add_vpn_gateway() call in forward.c should probably be moved
to a better location; it sounds like that's already in the works for a
future changeset (and not required to fix this crash.)

--
Josh Cepek


------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d

Re: [PATCH v2] Fix Windows script execution whencalled from script hooks

Heiko Hund — 2013-05-16T14:27:53

OK from my side for this.

Heiko

Re: [PATCH v2] Fix Windows script execution when called from script hooks

Josh Cepek — 2013-05-16T14:09:23

Console applications under Windows, such as batch scripts, require the
CREATE_NO_WINDOW process flag when run without an actual console window
present. This change allows such scripts to execute and impact the hook
status by way of their return code.

Fixes bug #240.

Signed-off-by: Josh Cepek <josh.cepek< at >usa.net>
---
 src/openvpn/win32.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c
index 2db96a8..178e2c3 100644
--- a/src/openvpn/win32.c
+++ b/src/openvpn/win32.c
< at >< at > -879,7 +879,10 < at >< at > openvpn_execve (const struct argv *a, const struct env_set *es, const unsigned i
           start_info.dwFlags = STARTF_USESHOWWINDOW;
           start_info.wShowWindow = SW_HIDE;
 
-          if (CreateProcessW (cmd, cl, NULL, NULL, FALSE, 0, env, NULL, &start_info, &proc_info))
+          /* this allows console programs to run, and is ignored otherwise */
+          DWORD proc_flags = CREATE_NO_WINDOW;
+
+          if (CreateProcessW (cmd, cl, NULL, NULL, FALSE, proc_flags, env, NULL, &start_info, &proc_info))
             {
               DWORD exit_status = 0;
               CloseHandle (proc_info.hThread);

Re: [PATCH] Fix Windows script execution whencalled from script hooks

Heiko Hund — 2013-05-16T08:28:07

ACK, because it's the truth. =)


However, this should be a DWORD instead of unsigned int.

Regards
Heiko

[PATCH] Fix Windows script execution when calledfrom script hooks

Josh Cepek — 2013-05-11T19:00:24

Console applications under Windows, such as batch scripts, require the
CREATE_NO_WINDOW process flag when run without an actual console window
present. This change allows such scripts to execute and impact the hook
status by way of their return code.

Fixes bug #240.

Signed-off-by: Josh Cepek <josh.cepek< at >usa.net>
---
 src/openvpn/win32.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c
index 2db96a8..291124e 100644
--- a/src/openvpn/win32.c
+++ b/src/openvpn/win32.c
< at >< at > -879,7 +879,10 < at >< at > openvpn_execve (const struct argv *a, const struct env_set *es, const unsigned i
           start_info.dwFlags = STARTF_USESHOWWINDOW;
           start_info.wShowWindow = SW_HIDE;
 
-          if (CreateProcessW (cmd, cl, NULL, NULL, FALSE, 0, env, NULL, &start_info, &proc_info))
+          /* this allows console programs to run, and is ignored otherwise */
+          unsigned int proc_flags = CREATE_NO_WINDOW;
+
+          if (CreateProcessW (cmd, cl, NULL, NULL, FALSE, proc_flags, env, NULL, &start_info, &proc_info))
             {
               DWORD exit_status = 0;
               CloseHandle (proc_info.hThread);

Re: [PATCH v3] Make push-peer-info visible in "normal" per-instance environment.

Arne Schwabe — 2013-05-09T14:26:50

Am 05.05.13 14:36, schrieb Gert Doering:
ACK

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may_______________________________________________
Openvpn-devel mailing list
Openvpn-devel< at >lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [PATCH 5/5] Fix usage of "compression ..." from global config.

Arne Schwabe — 2013-05-09T13:34:51

Am 19.04.13 19:41, schrieb Gert Doering:
ACK.

Arne

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may_______________________________________________
Openvpn-devel mailing list
Openvpn-devel< at >lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [PATCH 2/5] Added support for the Snappy compression algorithm

Arne Schwabe — 2013-05-09T13:34:01

Am 19.04.13 19:41, schrieb Gert Doering:

I looked through the patch. I looks reasonable good. I wonder what the 
overhead for always enabling USE_COMP is. That way every client would be 
able to understand at least the compression framing.

Arne


------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may_______________________________________________
Openvpn-devel mailing list
Openvpn-devel< at >lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[PATCH applied] Re: Use constrain_int() instead of MIN()+syshead.c compat definition - v2.

David Sommerseth — 2013-05-07T09:48:01

Your patch has been applied to the master branch.

commit bd25aa66b76b82f335abbb7377c278a44da194ac
Author: Gert Doering
Date:   Mon May 6 09:55:41 2013 +0200

     Use constrain_int() instead of MIN()+syshead.c compat definition - v2.

     Signed-off-by: Gert Doering <gert< at >greenie.muc.de>
     Acked-by: David Sommerseth <davids< at >redhat.com>
     Message-Id: 1367826941-22412-1-git-send-email-gert< at >greenie.muc.de
     URL: http://article.gmane.org/gmane.network.openvpn.devel/7586
     Signed-off-by: David Sommerseth <davids< at >redhat.com>

Re: [PATCH v2] Use constrain_int() instead of MIN()+syshead.c compat definition - v2.

David Sommerseth — 2013-05-07T09:38:40

I like this version better, as it ensures that the "field" length (of
'%.*s') is enforced to be between 0 and 256.

So ACK from me.

[PATCH v2] Use constrain_int() instead ofMIN()+syshead.c compat definition - v2.

Gert Doering — 2013-05-06T07:55:41

Reverts commit 15ca5c297b556fbb, instead change ssl_openssl.c to use
"constrain_int()", which already exists in "integer.h".

Using this instead of min_int() ensures that the result is always bounded
to 0...256 even in the case of a potential MAX_INT overflow.
---
 src/openvpn/ssl_openssl.c |    2 +-
 src/openvpn/syshead.h     |    7 -------
 2 files changed, 1 insertions(+), 8 deletions(-)

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 79cc056..c1b19dc 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
< at >< at > -232,7 +232,7 < at >< at > tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
           // %.*s format specifier expects length of type int, so guarantee
           // that length is small enough and cast to int.
           msg (M_WARN, "No valid translation found for TLS cipher '%.*s'",
-              (int) MIN(current_cipher_len, 256), current_cipher);
+                 constrain_int(current_cipher_len, 0, 256), current_cipher);
         }
       else
 {
diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h
index 0c3e4ee..db02c23 100644
--- a/src/openvpn/syshead.h
+++ b/src/openvpn/syshead.h
< at >< at > -399,13 +399,6 < at >< at >
 #endif
 
 /*
- * do we have the MIN() macro?
- */
-#ifndef MIN
-#define MIN(a,b) (((a)<(b))?(a):(b))
-#endif
-
-/*
  * Do we have the capability to report extended socket errors?
  */
 #if defined(HAVE_LINUX_TYPES_H) && defined(HAVE_LINUX_ERRQUEUE_H) && defined(HAVE_SOCK_EXTENDED_ERR) && defined(HAVE_MSGHDR) && defined(HAVE_CMSGHDR) && defined(CMSG_FIRSTHDR) && defined(CMSG_NXTHDR) && defined(IP_RECVERR) && defined(MSG_ERRQUEUE) && defined(SOL_IP) && defined(HAVE_IOVEC)

Re: openvpn-gui build error (cross-compile forWindows)

Samuli Seppänen — 2013-05-06T07:51:41

Hi Felix,

I suggest patching the MinGW version that's bundled with Debian. These
links should contain all the information you need:

<https://community.openvpn.net/openvpn/wiki/SettingUpGenericBuildsystem>
<https://community.openvpn.net/openvpn/wiki/InstallingMingwW64>

The patches attached to the second page probably work on Debian, too.

Best regards,

Re: [PATCH] Use min_int() instead of MIN()+syshead.c compat definition.

Arne Schwabe — 2013-05-05T13:36:58

ACK

------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite
It's a free troubleshooting tool designed for production
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap2