[Openvpn-devel] [PATCH v2] Persist management-query-remote and proxy prompts
From: Selva Nair Currently this prompt is only output once, not re-written to the management interface when the management client connects. It is thus not seen by a client that connects after the prompt is output or one that disconnects and reconnects. This leads to a deadlock: the daemon waiting for the "remote" command from the client, the latter not aware of it. Resolve by adding the ">REMOTE" and ">PROXY" prompt to man.persist.special_state_msg as done for other persisted prompts such as ">PASSWORD" Signed-off-by: Selva Nair --- v2: bump and rebase to master src/openvpn/init.c | 4 1 file changed, 4 insertions(+) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 1cfffbb..b4781a2 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -271,6 +271,7 @@ ce_management_query_proxy(struct context *c) buf_printf(, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1, (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote)); management_notify_generic(management, BSTR()); +management->persist.special_state_msg = BSTR(); } ce->flags |= CE_MAN_QUERY_PROXY; while (ce->flags & CE_MAN_QUERY_PROXY) @@ -282,6 +283,7 @@ ce_management_query_proxy(struct context *c) break; } } +management->persist.special_state_msg = NULL; gc_free(); } @@ -351,6 +353,7 @@ ce_management_query_remote(struct context *c) buf_printf(, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port, proto2ascii(ce->proto, ce->af, false)); management_notify_generic(management, BSTR()); +management->persist.special_state_msg = BSTR(); ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT); ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT); @@ -364,6 +367,7 @@ ce_management_query_remote(struct context *c) break; } } +management->persist.special_state_msg = NULL; } gc_free(); -- 2.1.4 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
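Review bot: in both ce_management_query_proxy() and ce_management_query_remote(), `management->persist.special_state_msg` is pointed at the string built by `buf_printf()`, and that string appears to live in the arena released by the `gc_free()` that follows. The fix is only safe while the `= NULL` reset stays ahead of `gc_free()` on every way out of the wait loop, including the `break`. A one-line comment at the assignment saying the pointer is borrowed and must be cleared before the arena is freed would protect it against a later reordering or an added early return.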
Re: [Openvpn-devel] [PATCH applied] Fix possible access of uninitialized pipe handles
Hi

On Thu, Feb 20, 2020 at 1:20 PM David Sommerseth wrote:
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> Your patch has been applied to the master branch
>
> commit 32723d29b2775d63d3fe329d017e7a08e0cdcb72
> Author: Selva Nair
> Date: Wed Feb 19 20:56:43 2020 -0500

I think this and next one could also go into 2.4. Here are the commits, in case .

32723d29b2775d63d3fe329d017e7a08e0cdcb72
e1f7d7885752ac3a0279ecc7e31ccee2af40fbe4

Thanks,

Selva
Re: [Openvpn-devel] [PATCH v4 4/5] Move NCP related function into a seperate file and add unit tests
On 17/02/2020 15:43, Arne Schwabe wrote:
> This allows unit test the NCP functions. The ssl.c file has too
> many dependencies to make unit testing of it viable.
>
> Patch V2: Removing the include "ssl_ncp.h" from options.c for V2 of
> implement dynamic NCP forces a new version of this patch to
> add the #include in this patch. Merge VS studio file changes
> for ssl_ncp.[ch] into this patch
>
> Patch V3: Regenerate for changes in earlier patches, apply Lev's changes
> to Visual Studio project file
>
> Patch V4: Regenerate to also have the changes of earlier patches.
>
> Signed-off-by: Arne Schwabe
> ---
> src/openvpn/Makefile.am | 1 +
> src/openvpn/init.c | 1 +
> src/openvpn/multi.c | 1 +
> src/openvpn/openvpn.vcxproj | 2 +
> src/openvpn/openvpn.vcxproj.filters | 8 +-
> src/openvpn/options.c| 1 +
> src/openvpn/push.c | 1 +
> src/openvpn/ssl.c| 176 +---
> src/openvpn/ssl.h| 65
> src/openvpn/ssl_ncp.c| 231 +++
> src/openvpn/ssl_ncp.h| 101
> tests/unit_tests/openvpn/Makefile.am | 18 ++-
> tests/unit_tests/openvpn/test_ncp.c | 179 +
> 13 files changed, 544 insertions(+), 241 deletions(-)
> create mode 100644 src/openvpn/ssl_ncp.c
> create mode 100644 src/openvpn/ssl_ncp.h
> create mode 100644 tests/unit_tests/openvpn/test_ncp.c
>

Sorry, but this gets a NAK from me.

$ ./tests/unit_tests/openvpn/ncp_testdriver
[==] Running 4 test(s).
[ RUN ] test_check_ncp_ciphers_list
Unsupported cipher in --ncp-ciphers: AES-256-GCM
Unsupported cipher in --ncp-ciphers: AES-128-GCM
[ ERROR ] --- tls_check_ncp_cipher_list(aes_ciphers)
[ LINE ] --- test_ncp.c:50: error: Failure!
[ FAILED ] test_check_ncp_ciphers_list
[ RUN ] test_extract_client_ciphers
[ OK ] test_extract_client_ciphers
[ RUN ] test_poor_man
[ OK ] test_poor_man
[ RUN ] test_ncp_best
[ OK ] test_ncp_best
[==] 4 test(s) run.
[ PASSED ] 3 test(s).
[ FAILED ] 1 test(s), listed below:
[ FAILED ] test_check_ncp_ciphers_list
1 FAILED TEST(S)

We can't have any failing tests ;-)

This is tested on RHEL-7.7 (openssl-1.0.2k-19) which I also do know have AES-GCM support.

--
kind regards,

David Sommerseth
OpenVPN Inc
Re: [Openvpn-devel] [PATCH] Fix possible access of uninitialized pipe handles
Hi

On Thu, Feb 20, 2020 at 4:24 AM Lev Stipakov wrote:
>
> Strangely, I do not see this warning (unlike another one about error
> in common.c)
> with GCC 7.3 despite adding -O1 and -Wmaybe-uninitialized.

I saw it on the travis build. With gcc 7.3, for some reason, -O1 doesn't show it but -O2 or higher does. Some older versions of gcc seem to show it only with -O3 or higher!

But the potential for attempting to close wrong handles looks real.

Thanks,

Selva
Re: [Openvpn-devel] [PATCH applied] Fix possibly uninitialized return value in GetOpenvpnSettings()
Your patch has been applied to the master branch

commit e1f7d7885752ac3a0279ecc7e31ccee2af40fbe4
Author: Selva Nair
Date: Wed Feb 19 19:49:37 2020 -0500

Fix possibly uninitialized return value in GetOpenvpnSettings()

Signed-off-by: Selva Nair
Acked-by: Lev Stipakov
Message-Id: <1582159777-2437-1-git-send-email-selva.n...@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19479.html
Signed-off-by: David Sommerseth

--
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH applied] Warn about insecure ciphers also in init_key_type
Your patch has been applied to the master branch

commit 3ca9d94f8688b7851312f7edabae0ff8690bee63
Author: Arne Schwabe
Date: Wed Feb 19 12:21:53 2020 +0100

Warn about insecure ciphers also in init_key_type

Signed-off-by: Arne Schwabe
Acked-by: Steffan Karger
Message-Id: <20200219112153.13013-1-a...@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19476.html
Signed-off-by: David Sommerseth

--
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH applied] Fix possible access of uninitialized pipe handles
Your patch has been applied to the master branch

commit 32723d29b2775d63d3fe329d017e7a08e0cdcb72
Author: Selva Nair
Date: Wed Feb 19 20:56:43 2020 -0500

Fix possible access of uninitialized pipe handles

Signed-off-by: Selva Nair
Acked-by: Lev Stipakov
Message-Id: <1582163803-3342-1-git-send-email-selva.n...@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19480.html
Signed-off-by: David Sommerseth

--
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH applied] re-implement argv_printf_*()
Your patch has been applied to the master branch

commit 4ed7bf7f94a8cecbc2430d8025a2b8a46f94e429
Author: Heiko Hund
Date: Thu Feb 6 14:21:00 2020 +0100

re-implement argv_printf_*()

Signed-off-by: Heiko Hund
Signed-off-by: David Sommerseth
Acked-by: Arne Schwabe
Message-Id: <20200206132103.15977-2-dav...@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19380.html

--
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH applied] Documented all the argv related code with minor refactoring
Your patch has been applied to the master branch

commit 3226c2edaf0ddd1b4541ce81ebce97a9ae9ecd2a
Author: David Sommerseth
Date: Thu Feb 6 14:21:03 2020 +0100

Documented all the argv related code with minor refactoring

Signed-off-by: David Sommerseth
Acked-by: Arne Schwabe
Message-Id: <20200206132103.15977-5-dav...@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19377.html

--
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH applied] Add gc_arena to struct argv to save allocations
Your patch has been applied to the master branch

commit e7500875efe03937fc222d737050789f97c30c03
Author: Heiko Hund
Date: Thu Feb 6 14:21:02 2020 +0100

Add gc_arena to struct argv to save allocations

Signed-off-by: Heiko Hund
Signed-off-by: David Sommerseth
Acked-by: Arne Schwabe
Message-Id: <20200206132103.15977-4-dav...@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19376.html

--
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH applied] argv: do fewer memory re-allocations
Your patch has been applied to the master branch

commit 870e2405e27fb0c119ade6fc0032c81af4d89819
Author: Heiko Hund
Date: Thu Feb 6 14:21:01 2020 +0100

argv: do fewer memory re-allocations

Signed-off-by: Heiko Hund
Signed-off-by: David Sommerseth
Acked-by: Arne Schwabe
Message-Id: <20200206132103.15977-3-dav...@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19378.html

--
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH 2.4 v3] Swap the order of checks for validating interactive service user
Compared this code with corresponding patch to master and ensured that only changes are using swprintf+manually adding null terminator instead of openvpn_swprintf. Compiled with MinGW.

Acked-by: Lev Stipakov

On Wed, Feb 19, 2020 at 3:55, selva.n...@gmail.com wrote:
>
> From: Selva Nair
>
> Check the config file location and command line options first
> and membership in OpenVPNAdministrators group after that as
> the latter could be a slow process for active directory users.
>
> When connection to domain controllers is poor or unavailable, checking
> the group membership is slow and causes timeouts in the GUI (Trac
> 1051). However, in cases where the config is in the global directory,
> no group membership check should be required. The re-ordering here
> avoids the redundant check in such cases.
>
> In addition to this, it's also proposed to improve the timeout handling
> in the GUI, but this change is still useful as it should completely
> eliminate the timeout issue for many users.
>
> v3: Do not send error message to the client pipe from ValidateOptions().
> Instead save the error and send it on only if user authorization also
> fails. The error buffer size is increased to 512 wide chars as these
> messages could get long in some cases and may get truncated otherwise.
>
> Also see: https://github.com/OpenVPN/openvpn-gui/issues/332
>
> Signed-off-by: Selva Nair
> ---
> cherry-picked from commit c6cc66a13568dd1078bfbeb763998c1b9e2a2999
> with one change:
> - openvpn_swprintf() -> swprintf() as the latter is not readily accessible
>   here in 2.4
>
> src/openvpnserv/interactive.c | 39 ++-
> 1 file changed, 22 insertions(+), 17 deletions(-)
>
> diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c > index d7c9eea..a2b3b20 100644 > --- a/src/openvpnserv/interactive.c > +++ b/src/openvpnserv/interactive.c 
> @@ -360,14 +360,13 @@ ReturnOpenvpnOutput(HANDLE pipe, HANDLE ovpn_output, > DWORD count, LPHANDLE event > /* > * Validate options against a white list. Also check the config_file is > * inside the config_dir. The white list is defined in validate.c > - * Returns true on success > + * Returns true on success, false on error with reason set in errmsg. > */ > static BOOL > -ValidateOptions(HANDLE pipe, const WCHAR *workdir, const WCHAR *options) > +ValidateOptions(HANDLE pipe, const WCHAR *workdir, const WCHAR *options, > WCHAR *errmsg, DWORD capacity) > { > WCHAR **argv; > int argc; > -WCHAR buf[256]; > BOOL ret = FALSE; > int i; > const WCHAR *msg1 = L"You have specified a config file location (%s > relative to %s)" > @@ -382,8 +381,10 @@ ValidateOptions(HANDLE pipe, const WCHAR *workdir, const > WCHAR *options) > > if (!argv) > { > -ReturnLastError(pipe, L"CommandLineToArgvW"); > -ReturnError(pipe, ERROR_STARTUP_DATA, L"Cannot validate options", 1, > _event); > +swprintf(errmsg, capacity, > +L"Cannot validate options: CommandLineToArgvW failed with > error = 0x%08x", > +GetLastError()); > +errmsg[capacity-1] = L'\0'; > goto out; > } > > @@ -403,10 +404,9 @@ ValidateOptions(HANDLE pipe, const WCHAR *workdir, const > WCHAR *options) > > if (!CheckOption(workdir, 2, argv_tmp, )) > { > -swprintf(buf, _countof(buf), msg1, argv[0], workdir, > +swprintf(errmsg, capacity, msg1, argv[0], workdir, > settings.ovpn_admin_group); > -buf[_countof(buf) - 1] = L'\0'; > -ReturnError(pipe, ERROR_STARTUP_DATA, buf, 1, _event); > +errmsg[capacity-1] = L'\0'; > } > goto out; > } 
> @@ -422,18 +422,15 @@ ValidateOptions(HANDLE pipe, const WCHAR *workdir, > const WCHAR *options) > { > if (wcscmp(L"--config", argv[i]) == 0 && argc-i > 1) > { > -swprintf(buf, _countof(buf), msg1, argv[i+1], workdir, > +swprintf(errmsg, capacity, msg1, argv[i+1], workdir, > settings.ovpn_admin_group); > -buf[_countof(buf) - 1] = L'\0'; > -ReturnError(pipe, ERROR_STARTUP_DATA, buf, 1, _event); > } > else > { > -swprintf(buf, _countof(buf), msg2, argv[i], > +swprintf(errmsg, capacity, msg2, argv[i], > settings.ovpn_admin_group); > -buf[_countof(buf) - 1] = L'\0'; > -ReturnError(pipe, ERROR_STARTUP_DATA, buf, 1, _event); > } > +errmsg[capacity-1] = L'\0'; > goto out; > } > } > @@ -1367,6 +1364,7 @@ RunOpenvpn(LPVOID p) > WCHAR *cmdline = NULL; > size_t cmdline_size; > undo_lists_t undo_lists; > +WCHAR errmsg[512] = L""; > > SECURITY_ATTRIBUTES inheritable = { > .nLength =
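Review bot: in ValidateOptions(), every `swprintf(errmsg, capacity, ...)` is followed by a hand-written `errmsg[capacity-1] = L'\0';`, which indexes out of bounds if a caller ever passes `capacity == 0` and is easy to miss on a new error path. Folding the format-and-terminate pair into one small static helper with a `capacity > 0` guard would keep the truncation handling in one place. Separately, the visible hunks remove every use of `pipe` from this function, so if nothing outside these hunks still needs it, the `HANDLE pipe` parameter can be dropped.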
Re: [Openvpn-devel] [PATCH] Fix float comparisons of OPENVPN_VERSION_NUMBER
On Thu, 20 Feb 2020 at 13:44, Arne Schwabe wrote:
> On 20.02.20 at 09:38, Arne Schwabe wrote:
> > These checks are probably the result of copying a
> > check from the LibreSSL and modifying it to be
> > a OpenSSL check. For some arcane reason LibreSSL decided
> > that its version number should be a long float (double) rather
> > than an integer.
> >
> > Signed-off-by: Arne Schwabe
> > ---
> > src/openvpn/ssl_openssl.c | 6 +++---
> > 1 file changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c > > index 21651a3e..bcdfb543 100644 > > --- a/src/openvpn/ssl_openssl.c > > +++ b/src/openvpn/ssl_openssl.c > > @@ -231,7 +231,7 @@ tls_version_max(void) > > * We only need to check this for OpenSSL versions that can be > > * upgraded to 1.1.1 without recompile (>= 1.1.0) > > */ > > -if (OpenSSL_version_num() >= 0x1010100fL) > > +if (OpenSSL_version_num() >= 0x1010100L) > > { > > return TLS_VER_1_3; > > } > > @@ -2104,7 +2104,7 @@ show_available_tls_ciphers_list(const char > *cipher_list, > > crypto_msg(M_FATAL, "Cannot create SSL object"); > > } > > > > -#if (OPENSSL_VERSION_NUMBER < 0x101fL)\ > > +#if (OPENSSL_VERSION_NUMBER < 0x101L)\ > > || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER <= > 0x209fL) > > STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl); > > #else 
> > @@ -2134,7 +2134,7 @@ show_available_tls_ciphers_list(const char > *cipher_list, > > printf("%s\n", pair->iana_name); > > } > > } > > -#if (OPENSSL_VERSION_NUMBER >= 0x101fL) > > +#if (OPENSSL_VERSION_NUMBER >= 0x101L) > > sk_SSL_CIPHER_free(sk); > > #endif > > SSL_free(ssl); > >
>
> Ignore that patch. I am not awake yet. the fL is not a suffix. LibreSSL
> has its patch version to be 0f.

can you also close it here https://patchwork.openvpn.net/patch/1015/ ? to prevent someone from taking it accidentally

> Arne
Re: [Openvpn-devel] [PATCH] Fix possible access of uninitialized pipe handles
Strangely, I do not see this warning (unlike another one about error in common.c) with GCC 7.3 despite adding -O1 and -Wmaybe-uninitialized.

Change looks reasonable, compiled with MSVC and MinGW.

Acked-by: Lev Stipakov
Re: [Openvpn-devel] [PATCH] Fix possibly uninitialized return value in GetOpenvpnSettings()
Hi,

Compiled with MSVC and MinGW, warning is gone.

Acked-by: Lev Stipakov
Re: [Openvpn-devel] [PATCH] Fix float comparisons of OPENVPN_VERSION_NUMBER
On 20.02.20 at 09:38, Arne Schwabe wrote:
> These checks are probably the result of copying a
> check from the LibreSSL and modifying it to be
> a OpenSSL check. For some arcane reason LibreSSL decided
> that its version number should be a long float (double) rather
> than an integer.
>
> Signed-off-by: Arne Schwabe
> ---
> src/openvpn/ssl_openssl.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c > index 21651a3e..bcdfb543 100644 > --- a/src/openvpn/ssl_openssl.c > +++ b/src/openvpn/ssl_openssl.c > @@ -231,7 +231,7 @@ tls_version_max(void) > * We only need to check this for OpenSSL versions that can be > * upgraded to 1.1.1 without recompile (>= 1.1.0) > */ > -if (OpenSSL_version_num() >= 0x1010100fL) > +if (OpenSSL_version_num() >= 0x1010100L) > { > return TLS_VER_1_3; > } > @@ -2104,7 +2104,7 @@ show_available_tls_ciphers_list(const char *cipher_list, > crypto_msg(M_FATAL, "Cannot create SSL object"); > } > > -#if (OPENSSL_VERSION_NUMBER < 0x101fL)\ > +#if (OPENSSL_VERSION_NUMBER < 0x101L)\ > || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER <= > 0x209fL) > STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl); > #else > @@ -2134,7 +2134,7 @@ show_available_tls_ciphers_list(const char *cipher_list, > printf("%s\n", pair->iana_name); > } > } > -#if (OPENSSL_VERSION_NUMBER >= 0x101fL) > +#if (OPENSSL_VERSION_NUMBER >= 0x101L) > sk_SSL_CIPHER_free(sk); > #endif > SSL_free(ssl); >

Ignore that patch. I am not awake yet. the fL is not a suffix. LibreSSL has its patch version to be 0f.

Arne
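The version-number layout behind this retraction, as an added example (not code from the patch or from OpenVPN): the helper names and the sample constants for the 1.0.2k, 1.1.0 and 1.1.1 releases are constructed for illustration. It decodes the OpenSSL 1.x hex layout and compares the TLS 1.3 gate with and without the trailing `f`, showing that the shortened constant makes the gate true for OpenSSL 1.0.2k.

```c
#include <stdio.h>

/* Layout of OPENSSL_VERSION_NUMBER for OpenSSL 1.x: 0xMNNFFPPSL
 * M = major, NN = minor, FF = fix, PP = patch letter,
 * S = status (0 = development, 1..e = beta, f = release).
 * Only the final L is a C suffix; the f before it is a hex digit. */
struct ossl_version {
    unsigned major, minor, fix, patch, status;
};

/* Hypothetical helper: split a version number into its fields. */
struct ossl_version
decode_version(unsigned long v)
{
    struct ossl_version d;
    d.major  = (unsigned)((v >> 28) & 0xf);
    d.minor  = (unsigned)((v >> 20) & 0xff);
    d.fix    = (unsigned)((v >> 12) & 0xff);
    d.patch  = (unsigned)((v >> 4) & 0xff);
    d.status = (unsigned)(v & 0xf);
    return d;
}

/* Gate as it reads before the patch: true from the 1.1.1 release on. */
int
tls13_gate_original(unsigned long runtime)
{
    return runtime >= 0x1010100fL;
}

/* Gate as the withdrawn patch would have written it. */
int
tls13_gate_patched(unsigned long runtime)
{
    return runtime >= 0x1010100L;
}

int
main(void)
{
    /* Constructed samples: 1.0.2k, 1.1.0 and 1.1.1 release builds. */
    const unsigned long samples[] = { 0x100020bfL, 0x1010000fL, 0x1010100fL };
    size_t i;

    /* The shortened constant no longer decodes as 1.1.1 at all. */
    struct ossl_version p = decode_version(0x1010100L);
    printf("0x1010100L decodes as %u.%u.%u patch %u status %x\n",
           p.major, p.minor, p.fix, p.patch, p.status);

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
    {
        struct ossl_version d = decode_version(samples[i]);
        printf("0x%08lx = %u.%u.%u patch %u status %x: original=%d patched=%d\n",
               samples[i], d.major, d.minor, d.fix, d.patch, d.status,
               tls13_gate_original(samples[i]),
               tls13_gate_patched(samples[i]));
    }
    return 0;
}
```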
[Openvpn-devel] [PATCH] Fix float comparisons of OPENVPN_VERSION_NUMBER
These checks are probably the result of copying a check from the LibreSSL and modifying it to be a OpenSSL check. For some arcane reason LibreSSL decided that its version number should be a long float (double) rather than an integer. Signed-off-by: Arne Schwabe --- src/openvpn/ssl_openssl.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 21651a3e..bcdfb543 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -231,7 +231,7 @@ tls_version_max(void) * We only need to check this for OpenSSL versions that can be * upgraded to 1.1.1 without recompile (>= 1.1.0) */ -if (OpenSSL_version_num() >= 0x1010100fL) +if (OpenSSL_version_num() >= 0x1010100L) { return TLS_VER_1_3; } @@ -2104,7 +2104,7 @@ show_available_tls_ciphers_list(const char *cipher_list, crypto_msg(M_FATAL, "Cannot create SSL object"); } -#if (OPENSSL_VERSION_NUMBER < 0x101fL)\ +#if (OPENSSL_VERSION_NUMBER < 0x101L)\ || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER <= 0x209fL) STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl); #else @@ -2134,7 +2134,7 @@ show_available_tls_ciphers_list(const char *cipher_list, printf("%s\n", pair->iana_name); } } -#if (OPENSSL_VERSION_NUMBER >= 0x101fL) +#if (OPENSSL_VERSION_NUMBER >= 0x101L) sk_SSL_CIPHER_free(sk); #endif SSL_free(ssl); -- 2.25.0 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
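Review bot: in the tls_version_max() hunk, the trailing `f` of `0x1010100fL` is the last hex digit of the constant and only `L` is a suffix, so `0x1010100L` is a different value, roughly a sixteenth of the original, and `OpenSSL_version_num() >= 0x1010100L` would hold for library versions far older than 1.1.1 and return TLS_VER_1_3 for them. The same applies to the two `#if (OPENSSL_VERSION_NUMBER ...)` comparisons, so the original constants should stay and the commit message's premise that these are float comparisons should be dropped. The subject also names OPENVPN_VERSION_NUMBER while the hunks touch OPENSSL_VERSION_NUMBER.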