[Openvpn-devel] [PATCH v2] Persist management-query-remote and proxy prompts

2020-02-20 Thread selva . nair
From: Selva Nair 

Currently this prompt is only output once, not re-written to the
management interface when the management client connects. It is thus
not seen by a client that connects after the prompt is output or one that
disconnects and reconnects. This leads to a deadlock: the daemon waiting
for the "remote" command from the client, the latter not aware of it.

Resolve by adding the ">REMOTE" and ">PROXY" prompt to
man.persist.special_state_msg as done for other persisted prompts such
as ">PASSWORD"

Signed-off-by: Selva Nair 
---
v2: bump and rebase to master

 src/openvpn/init.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 1cfffbb..b4781a2 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -271,6 +271,7 @@ ce_management_query_proxy(struct context *c)
 buf_printf(, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
(proto_is_udp(ce->proto) ? "UDP" : "TCP"), 
np(ce->remote));
 management_notify_generic(management, BSTR());
+management->persist.special_state_msg = BSTR();
 }
 ce->flags |= CE_MAN_QUERY_PROXY;
 while (ce->flags & CE_MAN_QUERY_PROXY)
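Review bot: The added assignment "management->persist.special_state_msg = BSTR();" in ce_management_query_proxy() overwrites whatever was stored in special_state_msg before, and the next hunk resets the field to NULL rather than restoring it. Please confirm that no other persisted prompt (the commit message mentions ">PASSWORD") can be pending when this function is entered, or save the previous value here and restore it once the query has been answered.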
@@ -282,6 +283,7 @@ ce_management_query_proxy(struct context *c)
 break;
 }
 }
+management->persist.special_state_msg = NULL;
 gc_free();
 }
 
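Review bot: The reset to NULL directly above gc_free() in ce_management_query_proxy() needs a one-line comment saying why the order matters. The persisted pointer refers to the buffer formatted earlier in this function, so if that buffer is released by gc_free() the field must be cleared first; without the comment a later reordering of these two lines could leave the management code holding a stale pointer.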
@@ -351,6 +353,7 @@ ce_management_query_remote(struct context *c)
 buf_printf(, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
proto2ascii(ce->proto, ce->af, false));
 management_notify_generic(management, BSTR());
+management->persist.special_state_msg = BSTR();
 
 ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
 ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT);
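Review bot: The set-then-clear handling of special_state_msg is now open-coded twice, here in ce_management_query_remote() and in ce_management_query_proxy() above. A small pair of helpers that set and clear the persisted prompt would keep the two call sites in step and give one place to document the lifetime of the stored string.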
@@ -364,6 +367,7 @@ ce_management_query_remote(struct context *c)
 break;
 }
 }
+management->persist.special_state_msg = NULL;
 }
 gc_free();
 
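Review bot: In ce_management_query_remote() the reset to NULL sits inside the enclosing block, one closing brace before gc_free(), whereas in ce_management_query_proxy() it is at function level right before gc_free(). Please check that every path that stored the prompt in the previous hunk also passes through this reset, since any path that skips it leaves the field pointing at the formatted buffer after gc_free() has run.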
-- 
2.1.4



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
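
The deadlock described in the commit message above, as a small C model added here for illustration; it is not OpenVPN code. Only the field name special_state_msg and the ">REMOTE:" prefix come from the patch; the struct, the function names and the sample prompt value are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Toy model of the management channel, NOT OpenVPN source. Only the field
 * name special_state_msg and the ">REMOTE:" prefix are taken from the patch. */
struct mgmt {
    int connected;                  /* is a management client attached? */
    const char *special_state_msg;  /* pending prompt to replay, or NULL */
    char client_view[128];          /* last line the current client received */
};

static const char PROMPT[] = ">REMOTE:vpn.example.test,1194,udp"; /* constructed */

/* Real-time notification: lost if no client is connected at this moment. */
static void notify(struct mgmt *m, const char *line)
{
    if (m->connected) snprintf(m->client_view, sizeof(m->client_view), "%s", line);
}

/* Daemon emits the prompt once; with persist != 0 it also remembers it. */
static void query_remote(struct mgmt *m, int persist)
{
    notify(m, PROMPT);
    if (persist) m->special_state_msg = PROMPT;
}

/* The daemon has its answer: nothing is left to replay. */
static void query_done(struct mgmt *m) { m->special_state_msg = NULL; }

/* A (re)connecting client has no history; replay the pending prompt, if any. */
static void client_connect(struct mgmt *m)
{
    m->connected = 1;
    m->client_view[0] = '\0';
    if (m->special_state_msg) notify(m, m->special_state_msg);
}
static void client_disconnect(struct mgmt *m) { m->connected = 0; }

static int sees_prompt(const struct mgmt *m) { return strncmp(m->client_view, ">REMOTE:", 8) == 0; }

/* Prompt is issued before any client exists, then a client connects. */
int late_client_sees_prompt(int persist)
{
    struct mgmt m = {0};
    query_remote(&m, persist);
    client_connect(&m);
    return sees_prompt(&m);
}

/* Client is connected for the prompt, drops and reconnects; answered != 0
 * means the daemon already got its "remote" command before the reconnect. */
int reconnected_client_sees_prompt(int persist, int answered)
{
    struct mgmt m = {0};
    client_connect(&m);
    query_remote(&m, persist);
    if (answered) query_done(&m);
    client_disconnect(&m);
    client_connect(&m);
    return sees_prompt(&m);
}

int main(void)
{
    printf("late client: no persist=%d persist=%d\n",
           late_client_sees_prompt(0), late_client_sees_prompt(1));
    printf("reconnect:   no persist=%d persist=%d answered=%d\n",
           reconnected_client_sees_prompt(0, 0), reconnected_client_sees_prompt(1, 0),
           reconnected_client_sees_prompt(1, 1));
    return 0;
}
```

A result of 0 is the deadlock case: the daemon is waiting and the client never saw the prompt. The last call shows why the field has to be cleared once the query is answered.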


Re: [Openvpn-devel] [PATCH applied] Fix possible access of uninitialized pipe handles

2020-02-20 Thread Selva Nair
Hi

On Thu, Feb 20, 2020 at 1:20 PM David Sommerseth  wrote:
>
> Your patch has been applied to the master branch
>
> commit 32723d29b2775d63d3fe329d017e7a08e0cdcb72
> Author: Selva Nair
> Date:   Wed Feb 19 20:56:43 2020 -0500

I think this and next one could also go into 2.4.

Here are the commits, in case.
32723d29b2775d63d3fe329d017e7a08e0cdcb72
e1f7d7885752ac3a0279ecc7e31ccee2af40fbe4

Thanks,

Selva




Re: [Openvpn-devel] [PATCH v4 4/5] Move NCP related function into a seperate file and add unit tests

2020-02-20 Thread David Sommerseth
On 17/02/2020 15:43, Arne Schwabe wrote:
> This allows unit testing the NCP functions. The ssl.c file has too
> many dependencies to make unit testing of it viable.
> 
> Patch V2: Removing the include "ssl_ncp.h" from options.c for V2 of
>   implement dynamic NCP forces a new version of this patch to
>   add the #include in this patch. Merge VS studio file changes
>   for ssl_ncp.[ch] into this patch
> 
> Patch V3: Regenerate for changes in earlier patches, apply Lev's changes
>   to Visual Studio project file
> 
> Patch V4: Regenerate to also have the changes of earlier patches.
> 
> Signed-off-by: Arne Schwabe 
> ---
>  src/openvpn/Makefile.am  |   1 +
>  src/openvpn/init.c   |   1 +
>  src/openvpn/multi.c  |   1 +
>  src/openvpn/openvpn.vcxproj  |   2 +
>  src/openvpn/openvpn.vcxproj.filters  |   8 +-
>  src/openvpn/options.c|   1 +
>  src/openvpn/push.c   |   1 +
>  src/openvpn/ssl.c| 176 +---
>  src/openvpn/ssl.h|  65 
>  src/openvpn/ssl_ncp.c| 231 +++
>  src/openvpn/ssl_ncp.h| 101 
>  tests/unit_tests/openvpn/Makefile.am |  18 ++-
>  tests/unit_tests/openvpn/test_ncp.c  | 179 +
>  13 files changed, 544 insertions(+), 241 deletions(-)
>  create mode 100644 src/openvpn/ssl_ncp.c
>  create mode 100644 src/openvpn/ssl_ncp.h
>  create mode 100644 tests/unit_tests/openvpn/test_ncp.c
> 
Sorry, but this gets a NAK from me.

$ ./tests/unit_tests/openvpn/ncp_testdriver
[==] Running 4 test(s).
[ RUN  ] test_check_ncp_ciphers_list
Unsupported cipher in --ncp-ciphers: AES-256-GCM
Unsupported cipher in --ncp-ciphers: AES-128-GCM
[  ERROR   ] --- tls_check_ncp_cipher_list(aes_ciphers)
[   LINE   ] --- test_ncp.c:50: error: Failure!
[  FAILED  ] test_check_ncp_ciphers_list
[ RUN  ] test_extract_client_ciphers
[   OK ] test_extract_client_ciphers
[ RUN  ] test_poor_man
[   OK ] test_poor_man
[ RUN  ] test_ncp_best
[   OK ] test_ncp_best
[==] 4 test(s) run.
[  PASSED  ] 3 test(s).
[  FAILED  ] 1 test(s), listed below:
[  FAILED  ] test_check_ncp_ciphers_list

 1 FAILED TEST(S)

We can't have any failing tests ;-)

This is tested on RHEL-7.7 (openssl-1.0.2k-19), which I also do know has
AES-GCM support.


-- 
kind regards,

David Sommerseth
OpenVPN Inc





Re: [Openvpn-devel] [PATCH] Fix possible access of uninitialized pipe handles

2020-02-20 Thread Selva Nair
Hi

On Thu, Feb 20, 2020 at 4:24 AM Lev Stipakov  wrote:
>
> Strangely, I do not see this warning (unlike another one about error
> in common.c)
> with GCC 7.3 despite adding -O1 and -Wmaybe-uninitialized.

I saw it on the travis build. With gcc 7.3, for some reason, -O1
doesn't show it but -O2 or higher does. Some older versions of gcc
seem to show it only with -O3 or higher!

But the potential for attempting to close wrong handles looks real.

Thanks,

Selva




Re: [Openvpn-devel] [PATCH applied] Fix possibly uninitialized return value in GetOpenvpnSettings()

2020-02-20 Thread David Sommerseth
Your patch has been applied to the master branch

commit e1f7d7885752ac3a0279ecc7e31ccee2af40fbe4
Author: Selva Nair
Date:   Wed Feb 19 19:49:37 2020 -0500

 Fix possibly uninitialized return value in GetOpenvpnSettings()

 Signed-off-by: Selva Nair 
 Acked-by: Lev Stipakov 
 Message-Id: <1582159777-2437-1-git-send-email-selva.n...@gmail.com>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19479.html
 Signed-off-by: David Sommerseth 


-- 
kind regards,

David Sommerseth



Re: [Openvpn-devel] [PATCH applied] Warn about insecure ciphers also in init_key_type

2020-02-20 Thread David Sommerseth
Your patch has been applied to the master branch

commit 3ca9d94f8688b7851312f7edabae0ff8690bee63
Author: Arne Schwabe
Date:   Wed Feb 19 12:21:53 2020 +0100

 Warn about insecure ciphers also in init_key_type

 Signed-off-by: Arne Schwabe 
 Acked-by: Steffan Karger 
 Message-Id: <20200219112153.13013-1-a...@rfc2549.org>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19476.html
 Signed-off-by: David Sommerseth 


-- 
kind regards,

David Sommerseth



Re: [Openvpn-devel] [PATCH applied] Fix possible access of uninitialized pipe handles

2020-02-20 Thread David Sommerseth
Your patch has been applied to the master branch

commit 32723d29b2775d63d3fe329d017e7a08e0cdcb72
Author: Selva Nair
Date:   Wed Feb 19 20:56:43 2020 -0500

 Fix possible access of uninitialized pipe handles

 Signed-off-by: Selva Nair 
 Acked-by: Lev Stipakov 
 Message-Id: <1582163803-3342-1-git-send-email-selva.n...@gmail.com>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19480.html
 Signed-off-by: David Sommerseth 


-- 
kind regards,

David Sommerseth



Re: [Openvpn-devel] [PATCH applied] re-implement argv_printf_*()

2020-02-20 Thread David Sommerseth
Your patch has been applied to the master branch

commit 4ed7bf7f94a8cecbc2430d8025a2b8a46f94e429
Author: Heiko Hund
Date:   Thu Feb 6 14:21:00 2020 +0100

 re-implement argv_printf_*()

 Signed-off-by: Heiko Hund 
 Signed-off-by: David Sommerseth 
 Acked-by: Arne Schwabe 
 Message-Id: <20200206132103.15977-2-dav...@openvpn.net>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19380.html


-- 
kind regards,

David Sommerseth



Re: [Openvpn-devel] [PATCH applied] Documented all the argv related code with minor refactoring

2020-02-20 Thread David Sommerseth
Your patch has been applied to the master branch

commit 3226c2edaf0ddd1b4541ce81ebce97a9ae9ecd2a
Author: David Sommerseth
Date:   Thu Feb 6 14:21:03 2020 +0100

 Documented all the argv related code with minor refactoring

 Signed-off-by: David Sommerseth 
 Acked-by: Arne Schwabe 
 Message-Id: <20200206132103.15977-5-dav...@openvpn.net>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19377.html


-- 
kind regards,

David Sommerseth



Re: [Openvpn-devel] [PATCH applied] Add gc_arena to struct argv to save allocations

2020-02-20 Thread David Sommerseth
Your patch has been applied to the master branch

commit e7500875efe03937fc222d737050789f97c30c03
Author: Heiko Hund
Date:   Thu Feb 6 14:21:02 2020 +0100

 Add gc_arena to struct argv to save allocations

 Signed-off-by: Heiko Hund 
 Signed-off-by: David Sommerseth 
 Acked-by: Arne Schwabe 
 Message-Id: <20200206132103.15977-4-dav...@openvpn.net>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19376.html


-- 
kind regards,

David Sommerseth



Re: [Openvpn-devel] [PATCH applied] argv: do fewer memory re-allocations

2020-02-20 Thread David Sommerseth
Your patch has been applied to the master branch

commit 870e2405e27fb0c119ade6fc0032c81af4d89819
Author: Heiko Hund
Date:   Thu Feb 6 14:21:01 2020 +0100

 argv: do fewer memory re-allocations

 Signed-off-by: Heiko Hund 
 Signed-off-by: David Sommerseth 
 Acked-by: Arne Schwabe 
 Message-Id: <20200206132103.15977-3-dav...@openvpn.net>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19378.html


-- 
kind regards,

David Sommerseth



Re: [Openvpn-devel] [PATCH 2.4 v3] Swap the order of checks for validating interactive service user

2020-02-20 Thread Lev Stipakov
Compared this code with the corresponding patch to master
and ensured that the only changes are using swprintf+manually adding null terminator
instead of openvpn_swprintf.

Compiled with MinGW.

Acked-by: Lev Stipakov 

On Wed, 19 Feb 2020 at 3.55, selva.n...@gmail.com wrote:
>
> From: Selva Nair 
>
> Check the config file location and command line options first
> and membership in OpenVPNAdministrators group after that as
> the latter could be a slow process for active directory users.
>
> When connection to domain controllers is poor or unavailable, checking
> the group membership is slow and causes timeouts in the GUI (Trac
> 1051). However, in cases where the config is in the global directory,
> no group membership check should be required. The re-ordering here
> avoids the redundant check in such cases.
>
> In addition to this, it's also proposed to improve the timeout handling
> in the GUI, but this change is still useful as it should completely
> eliminate the timeout issue for many users.
>
> v3: Do not send error message to the client pipe from ValidateOptions().
> Instead save the error and send it on only if user authorization also
> fails. The error buffer size is increased to 512 wide chars as these
> messages could get long in some cases and may get truncated otherwise.
>
> Also see: https://github.com/OpenVPN/openvpn-gui/issues/332
>
> Signed-off-by: Selva Nair 
> ---
>  cherry-picked from commit c6cc66a13568dd1078bfbeb763998c1b9e2a2999
>  with one change:
>  - openvpn_swprintf() -> swprintf() as the latter is not readily accessible
>here in 2.4
>
>  src/openvpnserv/interactive.c | 39 ++-
>  1 file changed, 22 insertions(+), 17 deletions(-)
>
> diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
> index d7c9eea..a2b3b20 100644
> --- a/src/openvpnserv/interactive.c
> +++ b/src/openvpnserv/interactive.c
> @@ -360,14 +360,13 @@ ReturnOpenvpnOutput(HANDLE pipe, HANDLE ovpn_output, 
> DWORD count, LPHANDLE event
>  /*
>   * Validate options against a white list. Also check the config_file is
>   * inside the config_dir. The white list is defined in validate.c
> - * Returns true on success
> + * Returns true on success, false on error with reason set in errmsg.
>   */
>  static BOOL
> -ValidateOptions(HANDLE pipe, const WCHAR *workdir, const WCHAR *options)
> +ValidateOptions(HANDLE pipe, const WCHAR *workdir, const WCHAR *options, 
> WCHAR *errmsg, DWORD capacity)
>  {
>  WCHAR **argv;
>  int argc;
> -WCHAR buf[256];
>  BOOL ret = FALSE;
>  int i;
>  const WCHAR *msg1 = L"You have specified a config file location (%s 
> relative to %s)"
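Review bot: The new ValidateOptions() prototype still takes "HANDLE pipe" although the following hunks remove the ReturnLastError() and ReturnError() calls that wrote to it. If no other use remains in the function, drop the parameter so the "no error message to the client pipe" behaviour from the v3 note is visible in the signature, and extend the updated comment to say that errmsg is only written on failure and that capacity is counted in wide characters.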
> @@ -382,8 +381,10 @@ ValidateOptions(HANDLE pipe, const WCHAR *workdir, const 
> WCHAR *options)
>
>  if (!argv)
>  {
> -ReturnLastError(pipe, L"CommandLineToArgvW");
> -ReturnError(pipe, ERROR_STARTUP_DATA, L"Cannot validate options", 1, 
> _event);
> +swprintf(errmsg, capacity,
> +L"Cannot validate options: CommandLineToArgvW failed with 
> error = 0x%08x",
> +GetLastError());
> +errmsg[capacity-1] = L'\0';
>  goto out;
>  }
>
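Review bot: "errmsg[capacity-1] = L'\0';" in the "!argv" branch indexes with an unsigned DWORD, so a caller passing capacity 0 would make the index wrap and write far outside the buffer. Add a check at the top of ValidateOptions() that errmsg is non-NULL and capacity is at least 1, or document that precondition next to the prototype; the same expression is repeated in the later hunks.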
> @@ -403,10 +404,9 @@ ValidateOptions(HANDLE pipe, const WCHAR *workdir, const 
> WCHAR *options)
>
>  if (!CheckOption(workdir, 2, argv_tmp, ))
>  {
> -swprintf(buf, _countof(buf), msg1, argv[0], workdir,
> +swprintf(errmsg, capacity, msg1, argv[0], workdir,
>   settings.ovpn_admin_group);
> -buf[_countof(buf) - 1] = L'\0';
> -ReturnError(pipe, ERROR_STARTUP_DATA, buf, 1, _event);
> +errmsg[capacity-1] = L'\0';
>  }
>  goto out;
>  }
> @@ -422,18 +422,15 @@ ValidateOptions(HANDLE pipe, const WCHAR *workdir, 
> const WCHAR *options)
>  {
>  if (wcscmp(L"--config", argv[i]) == 0 && argc-i > 1)
>  {
> -swprintf(buf, _countof(buf), msg1, argv[i+1], workdir,
> +swprintf(errmsg, capacity, msg1, argv[i+1], workdir,
>   settings.ovpn_admin_group);
> -buf[_countof(buf) - 1] = L'\0';
> -ReturnError(pipe, ERROR_STARTUP_DATA, buf, 1, _event);
>  }
>  else
>  {
> -swprintf(buf, _countof(buf), msg2, argv[i],
> +swprintf(errmsg, capacity, msg2, argv[i],
>   settings.ovpn_admin_group);
> -buf[_countof(buf) - 1] = L'\0';
> -ReturnError(pipe, ERROR_STARTUP_DATA, buf, 1, _event);
>  }
> +errmsg[capacity-1] = L'\0';
>  goto out;
>  }
>  }
> @@ -1367,6 +1364,7 @@ RunOpenvpn(LPVOID p)
>  WCHAR *cmdline = NULL;
>  size_t cmdline_size;
>  undo_lists_t undo_lists;
> +WCHAR errmsg[512] = L"";
>
>  SECURITY_ATTRIBUTES inheritable = {
>  .nLength = 

Re: [Openvpn-devel] [PATCH] Fix float comparisons of OPENVPN_VERSION_NUMBER

2020-02-20 Thread Илья Шипицин
On Thu, 20 Feb 2020 at 13:44, Arne Schwabe wrote:

> On 20.02.20 at 09:38, Arne Schwabe wrote:
> > These checks are probably the result of copying a
> > check from the LibreSSL and modifying it to be
> > an OpenSSL check. For some arcane reason LibreSSL decided
> > that its version number should be a long float (double) rather
> > than an integer.
> >
> > Signed-off-by: Arne Schwabe 
> > ---
> >  src/openvpn/ssl_openssl.c | 6 +++---
> >  1 file changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
> > index 21651a3e..bcdfb543 100644
> > --- a/src/openvpn/ssl_openssl.c
> > +++ b/src/openvpn/ssl_openssl.c
> > @@ -231,7 +231,7 @@ tls_version_max(void)
> >   * We only need to check this for OpenSSL versions that can be
> >   * upgraded to 1.1.1 without recompile (>= 1.1.0)
> >   */
> > -if (OpenSSL_version_num() >= 0x1010100fL)
> > +if (OpenSSL_version_num() >= 0x1010100L)
> >  {
> >  return TLS_VER_1_3;
> >  }
> > @@ -2104,7 +2104,7 @@ show_available_tls_ciphers_list(const char
> *cipher_list,
> >  crypto_msg(M_FATAL, "Cannot create SSL object");
> >  }
> >
> > -#if (OPENSSL_VERSION_NUMBER < 0x101fL)\
> > +#if (OPENSSL_VERSION_NUMBER < 0x101L)\
> >  || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER <=
> 0x209fL)
> >  STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl);
> >  #else
> > @@ -2134,7 +2134,7 @@ show_available_tls_ciphers_list(const char
> *cipher_list,
> >  printf("%s\n", pair->iana_name);
> >  }
> >  }
> > -#if (OPENSSL_VERSION_NUMBER >= 0x101fL)
> > +#if (OPENSSL_VERSION_NUMBER >= 0x101L)
> >  sk_SSL_CIPHER_free(sk);
> >  #endif
> >  SSL_free(ssl);
> >
>
>
> Ignore that patch. I am not awake yet. The fL is not a suffix. LibreSSL
> has its patch version to be 0f.
>

can you also close it here https://patchwork.openvpn.net/patch/1015/ ?
to prevent someone from taking it accidentally


>
> Arne
>


Re: [Openvpn-devel] [PATCH] Fix possible access of uninitialized pipe handles

2020-02-20 Thread Lev Stipakov
Strangely, I do not see this warning (unlike another one about error
in common.c)
with GCC 7.3 despite adding -O1 and -Wmaybe-uninitialized.

Change looks reasonable, compiled with MSVC and MinGW.

Acked-by: Lev Stipakov 




Re: [Openvpn-devel] [PATCH] Fix possibly uninitialized return value in GetOpenvpnSettings()

2020-02-20 Thread Lev Stipakov
Hi,

Compiled with MSVC and MinGW, warning is gone.

Acked-by: Lev Stipakov 




Re: [Openvpn-devel] [PATCH] Fix float comparisons of OPENVPN_VERSION_NUMBER

2020-02-20 Thread Arne Schwabe
On 20.02.20 at 09:38, Arne Schwabe wrote:
> These checks are probably the result of copying a
> check from the LibreSSL and modifying it to be
> an OpenSSL check. For some arcane reason LibreSSL decided
> that its version number should be a long float (double) rather
> than an integer.
> 
> Signed-off-by: Arne Schwabe 
> ---
>  src/openvpn/ssl_openssl.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
> index 21651a3e..bcdfb543 100644
> --- a/src/openvpn/ssl_openssl.c
> +++ b/src/openvpn/ssl_openssl.c
> @@ -231,7 +231,7 @@ tls_version_max(void)
>   * We only need to check this for OpenSSL versions that can be
>   * upgraded to 1.1.1 without recompile (>= 1.1.0)
>   */
> -if (OpenSSL_version_num() >= 0x1010100fL)
> +if (OpenSSL_version_num() >= 0x1010100L)
>  {
>  return TLS_VER_1_3;
>  }
> @@ -2104,7 +2104,7 @@ show_available_tls_ciphers_list(const char *cipher_list,
>  crypto_msg(M_FATAL, "Cannot create SSL object");
>  }
>  
> -#if (OPENSSL_VERSION_NUMBER < 0x101fL)\
> +#if (OPENSSL_VERSION_NUMBER < 0x101L)\
>  || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER <= 
> 0x209fL)
>  STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl);
>  #else
> @@ -2134,7 +2134,7 @@ show_available_tls_ciphers_list(const char *cipher_list,
>  printf("%s\n", pair->iana_name);
>  }
>  }
> -#if (OPENSSL_VERSION_NUMBER >= 0x101fL)
> +#if (OPENSSL_VERSION_NUMBER >= 0x101L)
>  sk_SSL_CIPHER_free(sk);
>  #endif
>  SSL_free(ssl);
> 


Ignore that patch. I am not awake yet. The fL is not a suffix. LibreSSL
has its patch version to be 0f.

Arne
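
What removing the "f" does to the comparison in the first hunk, as an example added here and not taken from the thread or from OpenVPN. It assumes the pre-3.0 OpenSSL version layout 0xMNNFFPPSL; the function names and the sample runtime values are constructed for the illustration.

```c
#include <stdio.h>

/* Pre-3.0 OPENSSL_VERSION_NUMBER layout is 0xMNNFFPPSL: major, minor, fix,
 * patch and a status nibble (0xf = release). Only the final L is a suffix. */
struct ossl_ver { unsigned major, minor, fix, patch, status; };

struct ossl_ver decode_version(unsigned long v)
{
    struct ossl_ver d;
    d.major  = (unsigned)((v >> 28) & 0xf);
    d.minor  = (unsigned)((v >> 20) & 0xff);
    d.fix    = (unsigned)((v >> 12) & 0xff);
    d.patch  = (unsigned)((v >> 4) & 0xff);
    d.status = (unsigned)(v & 0xf);
    return d;
}

#define THRESHOLD_ORIGINAL 0x1010100fL /* '-' line of the first hunk */
#define THRESHOLD_PATCHED  0x1010100L  /* '+' line of the first hunk */

/* Same shape as the check in tls_version_max(): 1 means "report TLS 1.3". */
int reports_tls13(unsigned long runtime, unsigned long threshold)
{
    return runtime >= threshold;
}

int main(void)
{
    /* Constructed runtime values: the 1.0.2k, 1.1.0 and 1.1.1 releases. */
    const unsigned long samples[] = { 0x100020bfL, 0x1010000fL, 0x1010100fL };
    struct ossl_ver p = decode_version(THRESHOLD_PATCHED);
    size_t i;

    printf("patched threshold decodes as %u.%u.%u patch %u status %u\n",
           p.major, p.minor, p.fix, p.patch, p.status);
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
    {
        printf("%#lx: original=%d patched=%d\n", samples[i],
               reports_tls13(samples[i], THRESHOLD_ORIGINAL),
               reports_tls13(samples[i], THRESHOLD_PATCHED));
    }
    return 0;
}
```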





[Openvpn-devel] [PATCH] Fix float comparisons of OPENVPN_VERSION_NUMBER

2020-02-20 Thread Arne Schwabe
These checks are probably the result of copying a
check from the LibreSSL and modifying it to be
an OpenSSL check. For some arcane reason LibreSSL decided
that its version number should be a long float (double) rather
than an integer.

Signed-off-by: Arne Schwabe 
---
 src/openvpn/ssl_openssl.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 21651a3e..bcdfb543 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -231,7 +231,7 @@ tls_version_max(void)
  * We only need to check this for OpenSSL versions that can be
  * upgraded to 1.1.1 without recompile (>= 1.1.0)
  */
-if (OpenSSL_version_num() >= 0x1010100fL)
+if (OpenSSL_version_num() >= 0x1010100L)
 {
 return TLS_VER_1_3;
 }
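Review bot: The new constant in tls_version_max() drops a hexadecimal digit, not a float suffix: in "0x1010100fL" the "f" is the last hex digit of the value and only "L" is a suffix. "0x1010100L" is therefore a much smaller number, and "OpenSSL_version_num() >= 0x1010100L" becomes true for runtime version numbers far below the one the original line tested for. The original constant should stay.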
@@ -2104,7 +2104,7 @@ show_available_tls_ciphers_list(const char *cipher_list,
 crypto_msg(M_FATAL, "Cannot create SSL object");
 }
 
-#if (OPENSSL_VERSION_NUMBER < 0x101fL)\
+#if (OPENSSL_VERSION_NUMBER < 0x101L)\
 || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER <= 
0x209fL)
 STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl);
 #else
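Review bot: The threshold in this "#if" of show_available_tls_ciphers_list() loses its trailing hex digit in the same way, which changes the value being compared. This condition also has to remain the exact complement of the "#if" that guards sk_SSL_CIPHER_free(sk) further down, so any change to one constant must be mirrored in the other; a single named macro used by both would remove that risk.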
@@ -2134,7 +2134,7 @@ show_available_tls_ciphers_list(const char *cipher_list,
 printf("%s\n", pair->iana_name);
 }
 }
-#if (OPENSSL_VERSION_NUMBER >= 0x101fL)
+#if (OPENSSL_VERSION_NUMBER >= 0x101L)
 sk_SSL_CIPHER_free(sk);
 #endif
 SSL_free(ssl);
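Review bot: The "#if" guarding sk_SSL_CIPHER_free(sk) tests only OPENSSL_VERSION_NUMBER, while the "#if" in the previous hunk that selects SSL_get_ciphers(ssl) also carries a LIBRESSL_VERSION_NUMBER clause. Independent of the constant change, please confirm that the free cannot run on a list obtained from SSL_get_ciphers() in a LibreSSL build, and consider expressing both conditions through one shared macro.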
-- 
2.25.0


