Re: [Openvpn-devel] [PATCH] Document some limitations of --auth-user-pass

2020-03-29 Thread Selva Nair
Hi, On Tue, Mar 17, 2020 at 6:25 AM Gert Doering wrote: > > Hi, > > On Tue, Mar 17, 2020 at 11:06:53AM +0100, David Sommerseth wrote: > > On 16/03/2020 14:48, Selva Nair wrote: > > [...snip...] > > >> I would just rephrase it to say: > > >>

[Openvpn-devel] [PATCH 2/2] When auth-user-pass file has no password, query the management

2020-03-29 Thread selva . nair
From: Selva Nair If only username is found in the file, redirect the auth-user-pass query to the management on Windows if (i) management-query-passwords is enabled and (ii) stdout is redirected to a log file. These restrictions avoid regressive behaviour: those running from the command line

[Openvpn-devel] [PATCH 1/2] Move querying username/password from management to a function

2020-03-29 Thread selva . nair
From: Selva Nair This helps the next patch. No functionality changes, only refactoring. Signed-off-by: Selva Nair --- src/openvpn/misc.c | 54 ++ 1 file changed, 34 insertions(+), 20 deletions(-) diff --git a/src/openvpn/misc.c b/src

Re: [Openvpn-devel] Summary of the community meeting (26th March 2020)

2020-03-26 Thread Selva Nair
Hi, Quoting from the 26th March meeting summary > Noted that the combination of a username-only --auth-user-pass and > --management-query-passwords does not work. Dazo will take a stab at > fixing the actual problem. There is already a > GET_USER_PASS_PASSWORD_ONLY flag which just needs to be

Re: [Openvpn-devel] [PATCH] Document some limitations of --auth-user-pass

2020-03-16 Thread Selva Nair
Hi, On Mon, Mar 16, 2020 at 8:39 AM David Sommerseth wrote: > > On 13/03/2020 14:01, sam...@openvpn.net wrote: > > From: Samuli Seppänen > > > > URL: https://community.openvpn.net/openvpn/ticket/757 > > Signed-off-by: Samuli Seppänen > > --- > > doc/openvpn.8 | 6 ++ > > 1 file changed, 6

Re: [Openvpn-devel] [PATCH] interactive.c: remove unused function

2020-02-29 Thread Selva Nair
Hi, On Sat, Feb 29, 2020 at 7:36 AM Lev Stipakov wrote: > > From: Lev Stipakov > > Function ReturnOpenvpnOutput was used to read > openvpn process output and write it to openvpn-gui. > > Commit 852f1e4 has directed stdout/stderr streams of openvpn > process to NUL, after which

[Openvpn-devel] [PATCH v2] Persist management-query-remote and proxy prompts

2020-02-20 Thread selva . nair
From: Selva Nair Currently this prompt is only output once, not re-written to the management interface when the management client connects. It is thus not seen by a client that connects after the prompt is output or one that disconnects and reconnects. This leads to a deadlock: the daemon

Re: [Openvpn-devel] [PATCH applied] Fix possible access of uninitialized pipe handles

2020-02-20 Thread Selva Nair
Hi On Thu, Feb 20, 2020 at 1:20 PM David Sommerseth wrote: > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > Your patch has been applied to the master branch > > commit 32723d29b2775d63d3fe329d017e7a08e0cdcb72 > Author: Selva Nair > Date: Wed Feb 19 2

Re: [Openvpn-devel] [PATCH] Fix possible access of uninitialized pipe handles

2020-02-20 Thread Selva Nair
Hi On Thu, Feb 20, 2020 at 4:24 AM Lev Stipakov wrote: > > Strangely, I do not see this warning (unlike another one about error > in common.c) > with GCC 7.3 despite adding -O1 and -Wmaybe-uninitialized. I saw it on the travis build. With gcc 7.3, for some reason, -O1 doesn't show it but -O2 or

[Openvpn-devel] [PATCH] Fix possible access of uninitialized pipe handles

2020-02-19 Thread selva . nair
From: Selva Nair Compile time warning for openvpnserv.exe interactive.c: In function ‘RunOpenvpn’: interactive.c:160:27: warning: ‘svc_pipe’ may be used uninitialized in this function [-Wmaybe-uninitialized] When RunOpenvpn exits early due to errors, uninitialized svc_pipe and ovpn_pipe vars

[Openvpn-devel] [PATCH] Fix possibly uninitialized return value in GetOpenvpnSettings()

2020-02-19 Thread selva . nair
From: Selva Nair Compile time warning for openvpnserv.exe common.c:90:11: warning: ‘error’ may be used uninitialized in this function [-Wmaybe-uninitialized]; Uninitialized value gets returned if install-path is not found in the registry. Fix by setting it to the return value of GetRegString

[Openvpn-devel] [PATCH 2.4 v3] Swap the order of checks for validating interactive service user

2020-02-18 Thread selva . nair
From: Selva Nair Check the config file location and command line options first and membership in OpenVPNAdministrators group after that as the latter could be a slow process for active directory users. When connection to domain controllers is poor or unavailable, checking the group membership

Re: [Openvpn-devel] [PATCH] cryptoapi.c: fix run-time check failure in msvc debugger

2020-02-13 Thread Selva Nair
_CTX_get0_pkey(ctx); > if (pkey) Yeah, technically it may be "undefined behaviour" to pass an uninitialized var to a function even when it's not used there. Acked-by: Selva Nair Selva ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH v4 2/2] Allow unicode search string in --cryptoapicert option

2020-02-12 Thread selva . nair
From: Selva Nair Currently when the certificate is specified as "SUBJ:foo", the string foo is assumed to be ascii. Change that and interpret it as utf-8, convert to a wide string, and flag it as unicode in CertFindCertificateInStore(). Signed-off-by: Selva Nair --- v4: matched to

[Openvpn-devel] [PATCH v4 1/2] Skip expired certificates in Windows certificate store

2020-02-12 Thread selva . nair
From: Selva Nair Have the cryptoapicert option find the first matching certificate in store that is valid at the present time. Currently the first found item, even if expired, is returned. This makes it possible to update certificates in store without having to delete old ones. As a side effect

Re: [Openvpn-devel] [PATCH 1/2 v3] Skip expired certificates in Windows certificate store

2020-02-11 Thread Selva Nair
Hi, Thanks for reviewing this. On Tue, Feb 11, 2020 at 4:52 AM Lev Stipakov wrote: > > Hi, > >> +DWORD find_type; >> +const void *find_param; >> >> >> >> if (!strncmp(cert_prop, "SUBJ:", 5)) >> { >> >> +find_param = cert_prop + 5; >> +find_type =

[Openvpn-devel] [PATCH 1/2 v3] Skip expired certificates in Windows certificate store

2020-02-10 Thread selva . nair
From: Selva Nair Have the cryptoapicert option find the first matching certificate in store that is valid at the present time. Currently the first found item, even if expired, is returned. This makes it possible to update certificates in store without having to delete old ones. As a side effect

[Openvpn-devel] [PATCH 2/2 v3] Allow unicode search string in --cryptoapicert option

2020-02-10 Thread selva . nair
From: Selva Nair Currently when the certificate is specified as "SUBJ:foo", the string foo is assumed to be ascii. Change that and interpret it as utf-8, convert to a wide string, and flag it as unicode in CertFindCertificateInStore(). Signed-off-by: Selva Nair --- v3: nud

[Openvpn-devel] [PATCH v3] Swap the order of checks for validating interactive service user

2020-02-09 Thread selva . nair
From: Selva Nair Check the config file location and command line options first and membership in OpenVPNAdministrators group after that as the latter could be a slow process for active directory users. When connection to domain controllers is poor or unavailable, checking the group membership

Re: [Openvpn-devel] [PATCH 1/2] Skip DNS address validation

2020-02-05 Thread Selva Nair
Hi, On Wed, Feb 5, 2020 at 10:28 AM Lev Stipakov wrote: > > Hi, > > Built and tested with msvc, works as expected - "validate=no" is added to > netsh command line. > > There is a similar commit in Simon's repo (not yet sent to ml) : >

[Openvpn-devel] Fwd: [PATCH 2/2] Fix linking issues on MinGW

2020-02-05 Thread Selva Nair
-- Forwarded message - From: Selva Nair Date: Wed, Feb 5, 2020 at 10:16 AM Subject: Re: [Openvpn-devel] [PATCH 2/2] Fix linking issues on MinGW To: Domagoj Pensa Cc: Gert Doering Hi, On Wed, Feb 5, 2020 at 8:31 AM Domagoj Pensa wrote: > > Hi! > > On Wed, Feb 05

Re: [Openvpn-devel] [PATCH v2] Swap the order of checks for validating interactive service user

2020-02-03 Thread Selva Nair
Hi, On Mon, Feb 3, 2020 at 3:49 AM Lev Stipakov wrote: > > I am sorry, I have to retract my ACK. > > When ValidateOptions is called first and config is not located in global > directory (Program Files), > service replies to gui via pipe with error message: > > 0x2001 > You have specified a

[Openvpn-devel] [PATCH v2] Swap the order of checks for validating interactive service user

2020-01-31 Thread selva . nair
From: Selva Nair Check the config file location and command line options first and membership in OpenVPNAdministrators group after that as the latter could be a slow process for active directory users. When connection to domain controllers is poor or unavailable, checking the group membership

Re: [Openvpn-devel] [PATCH] Swap the order of checks for validating interactive service user

2020-01-31 Thread Selva Nair
Hi, On Fri, Jan 31, 2020 at 5:29 AM Lev Stipakov wrote: > > Hi, > >> +if (!ValidateOptions(pipe, sud.directory, sud.options) >> +&& !IsAuthorizedUser(ovpn_user->User.Sid, imp_token, >> settings.ovpn_admin_group) >> { > > > Closing parenthesis is missing: That is embarrassing..

[Openvpn-devel] [PATCH] Swap the order of checks for validating interactive service user

2020-01-30 Thread selva . nair
From: Selva Nair Check the config file location and command line options first and membership in OpenVPNAdministrators group after that as the latter could be a slow process for active directory users. When connection to domain controllers is poor or unavailable, checking the group membership

Re: [Openvpn-devel] [PATCH v3 7/7] wintun: clear adapter settings on tun close

2019-12-17 Thread Selva Nair
Hi, Probably this is the only one in the series without an ACK. v2 was reviewed by Simon and suggested changes are in here. This looks good to me. On Tue, Nov 12, 2019 at 9:44 AM Lev Stipakov wrote: > > From: Lev Stipakov > > With tap-windows6 we clear adapter settings with DHCP, > but since

Re: [Openvpn-devel] [PATCH v6 4/7] wintun: ring buffers based I/O

2019-12-17 Thread Selva Nair
Hi On Tue, Dec 17, 2019 at 6:09 AM Simon Rozman wrote: > > I have been playing with Lev's patches for the past few days. Tested them, > debugged them, did some fixes. There are things to be desired like > netsh=>ipcfg, remove or #ifdef the SYSTEM token hack... But those are design > choices

Re: [Openvpn-devel] [PATCH v6 4/7] wintun: ring buffers based I/O

2019-12-17 Thread Selva Nair
Hi Simon, A quick reply: > > IMO, the right approach on Windows is to run a bare minimal code as a > > service to get SYSTEM rights and the rest with limited privileges. > > Selva, those are two different use-cases. And none is "right" or "wrong". > OpenVPN can or should have both. :) > > 1. I

Re: [Openvpn-devel] [PATCH v6 4/7] wintun: ring buffers based I/O

2019-12-16 Thread Selva Nair
Hi On Mon, Dec 16, 2019 at 4:31 PM Lev Stipakov wrote: >> >> I have already said what I think of it. As an admin I wouldn't like to see >> users running processes that elevate to SYSTEM like this. > > > Would it be too much if > > - openvpn.exe process detects that it is not started by

Re: [Openvpn-devel] [PATCH v6 4/7] wintun: ring buffers based I/O

2019-12-16 Thread Selva Nair
Hi On Mon, Dec 16, 2019 at 3:01 PM Lev Stipakov wrote: > > Hi, > > Thanks for looking into this. See my comments below. > >> TLDR: >> (i) stealing SYSTEM access from winlogon.exe is not a good thing to do > > > This doesn't happen for the majority of use cases - only when iservice is not >

Re: [Openvpn-devel] [PATCH v6 4/7] wintun: ring buffers based I/O

2019-12-16 Thread Selva Nair
Hi, I was reluctant to review this as I do not understand the event processing in OpenVPN well enough. Now that Steffan has reviewed those bits and given an Ack, here are some comments on the rest of the code. TLDR: (i) stealing SYSTEM access from winlogon.exe is not a good thing to do (ii) with

Re: [Openvpn-devel] [PATCH] fix clang warning about missing braces

2019-11-28 Thread Selva Nair
Hi On Thu, Nov 28, 2019 at 10:23 AM Steffan Karger < steffan.kar...@foxcrypto.com> wrote: > On 28-11-2019 09:06, Lev Stipakov wrote: > > A struct with subobjects should be initialized > > with double braces. > > This is not true. {0} is a valid initializer for structs in C. Both > clang and gcc

Re: [Openvpn-devel] [PATCH v2 3/7] wintun: implement opening wintun device

2019-11-25 Thread Selva Nair
Hi On Mon, Nov 25, 2019 at 4:03 AM Lev Stipakov wrote: > Hi, > > (cc:ed to -devel) > > >> I would vote for B and not the combination. >> >> With wintun there is no backwards compatibility requirements, so we could >> use a cleaner, consistent and simpler approach (i.e B). Do not create any >>

Re: [Openvpn-devel] [PATCH v7 2/2] Add support for OpenSSL TLS 1.3 when using management-external-key

2019-11-22 Thread Selva Nair
Hi, Thanks for the updates. In spite of several nits below, I'm ACKing this. All remarks are typos or grammar, important only for docs and some comments. I suggest handling these as a minor follow up patch. I'm also ignoring most typos in commit message except a few that could be corrected

Re: [Openvpn-devel] [PATCH v7 1/2] Make tls_version_max return the actual maximum version

2019-11-22 Thread Selva Nair
Hi, On Fri, Nov 22, 2019 at 9:34 AM Arne Schwabe wrote: > Before OpenSSL 1.1.1 there could be no mismatch between > compiled and actual OpenSSL version. With OpenSSL 1.1.1 we need > runtime detection to detect the actual best TLS version supported. > > Allowing this runtime detection also

Re: [Openvpn-devel] [PATCH] Fix ACL_CHECK_ADD_COMPILE_FLAGS to work with clang

2019-11-19 Thread Selva Nair
Hi, On Tue, Nov 19, 2019 at 9:09 AM David Sommerseth < open...@sf.lists.topphemmelig.net> wrote: > On 14/11/2019 22:58, Selva Nair wrote: > > Hi David > > > > Thanks for the comments > > > > My idea was just to add -Werror ri

Re: [Openvpn-devel] [PATCH v3] wintun: add --windows-driver config option

2019-11-19 Thread Selva Nair
Hi, On Tue, Nov 19, 2019 at 3:29 AM Lev Stipakov wrote: > Hello, > > ti 19. marrask. 2019 klo 9.37 Gert Doering (g...@greenie.muc.de) > kirjoitti: > > > Looks like this will most likely break any dhcp-related options >> > in the client config.. Say "dhcp-option DNS xxx". > > > Oops, indeed.

Re: [Openvpn-devel] [PATCH v2 3/7] wintun: implement opening wintun device

2019-11-19 Thread Selva Nair
Hi, On Tue, Nov 19, 2019 at 3:50 AM Lev Stipakov wrote: > Hi, > > Doesn't this mean that if --dev-node is specified, we'll open tapwindows >> adapter >> with that name even if "--window-driver wintun" is specified? The open >> may succeed >> but subsequent wintun-specific processing will

Re: [Openvpn-devel] [PATCH v2 3/7] wintun: implement opening wintun device

2019-11-18 Thread Selva Nair
Hi, On Thu, Nov 7, 2019 at 12:49 PM Lev Stipakov wrote: > From: Lev Stipakov > > To open wintun device, we cannot use "\\.\Global\Wintun" > path as before. To get device path which we supply to CreateFile, > we have to use SetupAPI to: > > - enumerate network adapters with "wintun" as

Re: [Openvpn-devel] [PATCH v3] wintun: add --windows-driver config option

2019-11-18 Thread Selva Nair
Hi, I have been late to this wintun party (no time for anything fun, these days) and this has already been committed, it seems. But some concerns below.. > +/* for wintun kernel doesn't send DHCP requests, so use ipapi to set > IP address and netmask */ > +if (options->wintun) > +{

Re: [Openvpn-devel] [PATCH] Fix ACL_CHECK_ADD_COMPILE_FLAGS to work with clang

2019-11-14 Thread Selva Nair
Hi, On Thu, Nov 14, 2019 at 3:16 PM Илья Шипицин wrote: > Thank you for your efforts. > As you are touching this, can you try "dist: bionic" ? It might bring > newer compilers > I don't expect newer compilers on bionic break this patch. But fwiw, I've started a travis build with dist: bionic.

Re: [Openvpn-devel] [PATCH] Fix ACL_CHECK_ADD_COMPILE_FLAGS to work with clang

2019-11-14 Thread Selva Nair
Hi David Thanks for the comments My idea was just to add -Werror right in the line above, and not extend the > ACL_CHECK_ADD_COMPILE_FLAGS macro with another argument. > I'm fine with that approach as well. Let me know if you want a v2. > I think you said it pretty well in your mail: > > >

[Openvpn-devel] [PATCH] Fix ACL_CHECK_ADD_COMPILE_FLAGS to work with clang

2019-11-14 Thread selva . nair
From: Selva Nair Some compilers (e.g., clang) only issue a warning for unsupported options unless additional flags such as -Werror are used to convert the warning to an error. Add support for extra flags in ACL_CHECK_ADD_COMPILE_FLAGS. Note: a similar approach is used in AX_CHECK_COMPILE_FLAG

Re: [Openvpn-devel] [PATCH 3/3] travis: compile with -Werror on Linux

2019-11-10 Thread Selva Nair
Forgot to hit send on this, and probably this is only partially relevant now, but here goes. Hi On Sun, Nov 10, 2019 at 12:03 PM Gert Doering wrote: > Hi, > > On Sun, Nov 10, 2019 at 11:48:16AM -0500, Selva Nair wrote: > > But it seems it may also affect mingw builds on travis.

Re: [Openvpn-devel] [PATCH 3/3] travis: compile with -Werror on Linux

2019-11-10 Thread Selva Nair
Hi, On Sun, Nov 10, 2019 at 8:36 AM Antonio Quartulli wrote: > Signed-off-by: Antonio Quartulli > --- > .travis/build-check.sh | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/.travis/build-check.sh b/.travis/build-check.sh > index 039a7dcf..250bb454 100755 > ---

Re: [Openvpn-devel] [PATCH v6 2/2] Add support for OpenSSL TLS 1.3 when using management-external-key

2019-11-09 Thread Selva Nair
Hi, This started exactly a year ago, so let's get over with it :) By any chance is this an older version rebased to master? Saying this because most of the comments below are also in my previous remarks and were agreed to in your response... See https://patchwork.openvpn.net/patch/587/#1157 and

Re: [Openvpn-devel] [PATCH applied] Re: VLAN: add basic VLAN tagging support

2019-11-07 Thread Selva Nair
Hi On Thu, Nov 7, 2019 at 7:43 AM Lev Stipakov wrote: > Hi, > > >> I'm a bit unhappy with that one, as it changes behaviour for all >> non-windows >> builds (including all the openssl build output even if it succeeds). >> > > The only place it changes behavior is this > > install: >- if [

Re: [Openvpn-devel] [PATCH] [PATCH v2] Insert client connection data into PAM environment

2019-10-25 Thread Selva Nair
On Fri, Oct 25, 2019 at 7:08 AM wrote: > > From: Paolo Cerrito > > Without this patch, the PAM environment lacks any information about the > remote client address. > > syslog output for auth and authpriv facilities changes > from: >Oct 25 11:52:02 openvpndev openvpn: pam_unix(openvpn:auth):

Re: [Openvpn-devel] [PATCH] msvc: OpenSSL 1.1.0 support

2019-10-17 Thread Selva Nair
On Thu, Oct 17, 2019 at 8:11 AM Lev Stipakov wrote: > > Hi François, > > François Kooman kirjoitti 17.10.2019 klo 13.39: > > > "Version 1.1.0 will be supported until 2019-09-11" [1]. > > > > Is there a plan to update to 1.1.1 for the Windows client? > > Indeed, there is probably no reason to not

Re: [Openvpn-devel] Summary of the community meeting (2nd October 2019)

2019-10-14 Thread Selva Nair
Hi, On Wed, Oct 2, 2019 at 7:47 AM Samuli Seppänen wrote: > Discussed tap-windows6. Mattock produced a test installer which includes > two PRs: > > > > > An installer for Windows 10 and Server

Re: [Openvpn-devel] [PATCH] Insert client connection data into PAM environment

2019-10-01 Thread Selva Nair
Hi, On Tue, Oct 1, 2019 at 1:02 PM Antonio Quartulli wrote: > Hi Paolo, > > On 01/10/2019 14:06, Paolo Cerrito wrote: > > From: paolo > > On June 27th another patch with the same subject was sent by you to this > mailing list. Is this new patch any different? > > If so, it should bear a "v2"

Re: [Openvpn-devel] [PATCH] Insert client connection data into PAM environment

2019-10-01 Thread Selva Nair
Hi, It's useful to set PAM_RHOSTS which will allow use of pam_access for access control etc. So feature ACK. I would like to see a more precise commit message header like: "Insert remote IP address into PAM environment" On Tue, Oct 1, 2019 at 8:25 AM Paolo Cerrito wrote: > From: paolo > > ---

Re: [Openvpn-devel] [PATCH v5 2/2] Add support for OpenSSL TLS 1.3 when using management-external-key

2019-09-23 Thread Selva Nair
Forgot copy this to the list -- sending again On Mon, Sep 23, 2019 at 6:19 AM Arne Schwabe wrote: > > Am 20.09.19 um 22:55 schrieb Selva Nair: > > Hi, > > > > Reviving this thread/patch as now users are running into this padding > > issue (trac 1216 <https://com

Re: [Openvpn-devel] [PATCH v2 for 2.4] Handle PSS padding in cryptoapicert

2019-09-23 Thread Selva Nair
Hi, On Sun, Jul 28, 2019 at 4:34 PM wrote: > > From: Selva Nair > > For PSS padding, CNG requires the digest to be signed > and the digest algorithm in use, which are not accessible > via the rsa_sign and rsa_priv_enc callbacks of OpenSSL. > This patch uses the EVP_

Re: [Openvpn-devel] [PATCH v5 2/2] Add support for OpenSSL TLS 1.3 when using management-external-key

2019-09-20 Thread Selva Nair
Hi, Reviving this thread/patch as now users are running into this padding issue (trac 1216 ). IIRC, we more-or-less agreed upon adding an argument (nopadding, pss etc..) to >PK_SIGN for new clients and erroring out with old clients that cannot

Re: [Openvpn-devel] [PATCH 1/7] Visual Studio: upgrade project files to VS2019

2019-09-20 Thread Selva Nair
Hi, On Fri, Sep 20, 2019 at 1:55 PM Lev Stipakov wrote: > > Hi Steffan, > >> Out of curiosity: does the (signed) driver from wintun.net not work? Of so, >> why? > > > It does. It is just not usable for openvpn yet because: > > 1) Wintun is distributed as msm module, which is supposed to be

[Openvpn-devel] [PATCH v2 for 2.4] Handle PSS padding in cryptoapicert

2019-07-28 Thread selva . nair
From: Selva Nair For PSS padding, CNG requires the digest to be signed and the digest algorithm in use, which are not accessible via the rsa_sign and rsa_priv_enc callbacks of OpenSSL. This patch uses the EVP_KEY interface to hook to evp_pkey_sign callback if OpenSSL version is > 1.1.0. Mapp

[Openvpn-devel] [PATCH for 2.4] Correct the return value of cryptoapi RSA signature callbacks

2019-07-26 Thread selva . nair
From: Selva Nair Fixes the wrong check on siglen instead of *siglen for signing failures. Bug reported by: lilulo Signed-off-by: Selva Nair --- src/openvpn/cryptoapi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c index

[Openvpn-devel] [PATCH] Correct the return value of cryptoapi RSA signature callbacks

2019-07-26 Thread selva . nair
From: Selva Nair Fixes the wrong check on siglen instead of *siglen for signing failures. Bug reported by: lilulo Signed-off-by: Selva Nair --- 2.4 will need a separate patch src/openvpn/cryptoapi.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/openvpn

Re: [Openvpn-devel] [PATCH v6] openvpnserv: enable interactive service to open tun

2019-07-24 Thread Selva Nair
{ > +err = ERROR_OUTOFMEMORY; > +goto out; > +} > + > +/* validate device guid */ > +const size_t guid_len = wcslen(wguid); > +if (guid_len != 38 || wcsspn(wguid, L"0123456789ABCDEFabcdef-{}") != > guid_len) > +{ > +

Re: [Openvpn-devel] [PATCH v5] openvpnserv: enable interactive service to open tun

2019-07-22 Thread Selva Nair
Hi, On Thu, Jul 18, 2019 at 7:42 AM Lev Stipakov wrote: > From: Lev Stipakov > > This patch enables interactive service to open tun device. > This is mostly needed by Wintun, which could be opened > only by privileged process. > > When interactive service is used, instead of calling >

Re: [Openvpn-devel] [PATCH v3] openvpnserv: enable interactive service to open tun

2019-07-17 Thread Selva Nair
Hi On Wed, Jul 17, 2019 at 8:20 AM Lev Stipakov wrote: > Hi, > > Sorry for delay - I was on vacation. > > (i) The new message is named message_open_tun, but it allows opening >> any file using the service. This is not secure. > > > I am thinking of possible vector of attack here. > > In our

Re: [Openvpn-devel] [PATCH v3] openvpnserv: enable interactive service to open tun

2019-07-02 Thread Selva Nair
Hi, On Thu, Jun 27, 2019 at 8:08 AM Lev Stipakov wrote: > > From: Lev Stipakov > > This patch enables interactive service to open tun device. > This is mostly needed by Wintun, which could be opened > only by privileged process. > > When interactive service is used, instead of calling >

Re: [Openvpn-devel] Using AllowNonAdmin in the advanced options of tap adapter

2019-06-29 Thread Selva Nair
Hi, On Sat, Jun 29, 2019 at 10:35 AM Lev Stipakov wrote: > > Hi, > >> So Lev's patch proposes to do service calls for wintun *and* tap6, and >> do so "always"? Or only if the registry key says so? > > > Yep, patch always opens wintun and tap6 via service no matter what > registry key says.

Re: [Openvpn-devel] Using AllowNonAdmin in the advanced options of tap adapter

2019-06-29 Thread Selva Nair
Hi, On Sat, Jun 29, 2019 at 10:50 AM Lev Stipakov wrote: > > That --allow-nonadmin functionality was included into commit 3c7f2f553 from > yeah 2005. Here is code from tap-win32/tapdrv.c from the same commit: > > +#if ENABLE_NONADMIN > + /* Read AllowNonAdmin setting from registry */ > +

Re: [Openvpn-devel] Using AllowNonAdmin in the advanced options of tap adapter

2019-06-28 Thread Selva Nair
Hi, On Fri, Jun 28, 2019 at 5:03 PM Gert Doering wrote: > > Hi, > > On Fri, Jun 28, 2019 at 04:51:47PM -0400, Selva Nair wrote: > > Would that mean we can assume that always allowing all users access to > > the tap (say, using the service to open it) w

Re: [Openvpn-devel] Using AllowNonAdmin in the advanced options of tap adapter

2019-06-28 Thread Selva Nair
On Fri, Jun 28, 2019 at 4:51 PM Selva Nair wrote: > > Hi, > > While testing a patch, I failed to toggle AllowNonAdmin access to the > tap-adapter. > Looking at the sources it seems we do not respect that setting. > > From adapter.c ~line The quoted code was from tap-wind

[Openvpn-devel] Using AllowNonAdmin in the advanced options of tap adapter

2019-06-28 Thread Selva Nair
Hi, While testing a patch, I failed to toggle AllowNonAdmin access to the tap-adapter. Looking at the sources it seems we do not respect that setting. From adapter.c ~line #if ENABLE_NONADMIN NdisReadConfiguration ( , , configHandle,

Re: [Openvpn-devel] [PATCH v2] openvpnserv: enable interactive service to open tun

2019-06-26 Thread Selva Nair
Hi, I haven't compiled or run tested, but there are few issues that need to be addressed before that: On Wed, Jun 26, 2019 at 5:52 AM Lev Stipakov wrote: > > From: Lev Stipakov > > This patch enables interactive service to open tun device. > This is mostly needed by Wintun, which could be

Re: [Openvpn-devel] [PATCH] openvpnserv: enable interactive service to open tun

2019-06-25 Thread Selva Nair
Hi, What I have in mind would also require editing all calls to send_msg_iservice() which is essentially what Gert is objecting to. So ignore me -- a separate send_msg_iservice_ex may be the best option. Selva On Tue, Jun 25, 2019 at 5:00 PM Selva Nair wrote: > > Hi, > > On Tue,

Re: [Openvpn-devel] [PATCH] openvpnserv: enable interactive service to open tun

2019-06-25 Thread Selva Nair
Hi, On Tue, Jun 25, 2019 at 4:38 PM Lev Stipakov wrote: > > Hi, > >> >> The way interactive service structures are coded should not require >> this at all, does it? The size and message type are already in the >> header, so why do we need to pass it? > > > But we need to know the response size

Re: [Openvpn-devel] [PATCH] openvpnserv: enable interactive service to open tun

2019-06-25 Thread Selva Nair
Hi On Tue, Jun 25, 2019 at 4:34 PM Gert Doering wrote: > > Hi, > > On Tue, Jun 25, 2019 at 03:57:18PM -0400, Selva Nair wrote: > > The way interactive service structures are coded should not require > > this at all, does it? The size and message type are already in the

Re: [Openvpn-devel] [PATCH] openvpnserv: enable interactive service to open tun

2019-06-25 Thread Selva Nair
Hi On Tue, Jun 25, 2019 at 3:49 PM Gert Doering wrote: > > Hi, > > On Tue, Jun 25, 2019 at 10:34:01PM +0300, Lev Stipakov wrote: > > ack_message_t ack; > > struct gc_arena gc = gc_new(); > > > > -if (!send_msg_iservice(pipe, rt, size, , "ROUTE")) > > +if

Re: [Openvpn-devel] [PATCH 0/5] Implement additional two step authentication methods

2019-06-13 Thread Selva Nair
Hi On Thu, Jun 13, 2019 at 10:42 AM Arne Schwabe wrote: > > These patches mainly implement forwarding passing/forwarding extra > messages between management interface on server and client side. > > These new extra messages can be used to implement a two step > authentication like TOTP (Google

Re: [Openvpn-devel] Preliminary Wintun support in OpenVPN2

2019-06-11 Thread Selva Nair
the date on my calendar > and waiting for Antonio to send the accommodation recommendation. > > > > Best regards, > > Simon > > > > From: Lev Stipakov > Date: Tuesday, 11 June 2019 at 19:26 > To: Jason Donenfeld , Simon Rozman , Selva > Nair >

Re: [Openvpn-devel] [PATCH 2/2] Allow repeated cycles through remotes when management-query-remote is in use

2019-06-09 Thread Selva Nair
Ref: https://patchwork.openvpn.net/project/openvpn2/list/?series=201 Hi, These patches were meant to help implement choosing the remote through the GUI. I may not find time for that but the patches by themselves are still relevant. If there is some interest I'll rebase to master. Selva

Re: [Openvpn-devel] New OpenVPN 2.4.7 Windows installers released

2019-04-24 Thread Selva Nair
Hi, On Wed, Apr 24, 2019 at 6:50 AM Samuli Seppänen wrote: > > Hi, > > New OpenVPN Windows installers have been released. The release > highlights are: > > - Latest openvpn-gui > - Latest openvpnserv2 (OpenVPNService) > - Latest tap-windows6 driver > - ARM64 support > - NDIS 6.30 support >

Re: [Openvpn-devel] New OpenVPN 2.4.7 installers with tap-windows6 and other componets

2019-04-23 Thread Selva Nair
Hi, On Sat, Apr 20, 2019 at 5:17 AM Samuli Seppänen wrote: > > Hi all, > > Here are completely untested OpenVPN 2.4.7 installers which I wanted to > get out for testing a.s.a.p.: > > >

Re: [Openvpn-devel] Issue with smartcard authentication for openvpn

2019-04-21 Thread Selva Nair
Hi, On Fri, Apr 19, 2019 at 3:15 PM Gert Doering wrote: > Hi, > > On Fri, Apr 19, 2019 at 03:12:49PM +0200, Jan Just Keijser wrote: > > Can you do a pull request for your pkcs11-helper patch on the > > pkcs11helper github page? or shall we simply patch pkcs11-helper > ourselves? > > I agree

Re: [Openvpn-devel] Issue with smartcard authentication for openvpn

2019-04-19 Thread Selva Nair
Hi, On Fri, Apr 19, 2019 at 9:13 AM Jan Just Keijser wrote: > Hi Selva,I had not written a patch when I wrote my earlier email, but your > patch is exactly what I had in mind; getting it all to compile and run with > OpenSSL 1.1.1b + OpenVPN 2.4.7 was a bit of a challenge, but I finally >

Re: [Openvpn-devel] [PATCH] Set the correct mtu on windows based systems

2019-04-18 Thread Selva Nair
PHANDLE events, > undo_lists_t *lists) > { > @@ -1210,6 +1233,7 @@ HandleMessage(HANDLE pipe, DWORD bytes, DWORD count, > LPHANDLE events, undo_lists > block_dns_message_t block_dns; > dns_cfg_message_t dns; > enable_dhcp_message_t dhcp; > +set_mtu_m

Re: [Openvpn-devel] Issue with smartcard authentication for openvpn

2019-04-17 Thread Selva Nair
Hi JJK, On Wed, Apr 17, 2019 at 10:50 AM Jan Just Keijser wrote: > Hi Selva, > > On 10/04/19 19:09, Selva Nair wrote: > > > > On Wed, Apr 10, 2019 at 12:59 PM Jan Just Keijser > wrote: > > snipped... > patching pkcs11-helper does not seem too difficult for

Re: [Openvpn-devel] Issue with smartcard authentication for openvpn

2019-04-10 Thread Selva Nair
Hi, On Wed, Apr 10, 2019 at 6:00 PM David Sommerseth < open...@sf.lists.topphemmelig.net> wrote: > On 10/04/2019 17:58, Selva Nair wrote: > > > > As I replied to the openssl-users list[*], pkcs11-helper only supports > PKCS1 > > signatures, not raw signature needed

Re: [Openvpn-devel] Issue with smartcard authentication for openvpn

2019-04-10 Thread Selva Nair
On Wed, Apr 10, 2019 at 12:59 PM Jan Just Keijser wrote: > On 10/04/19 17:58, Selva Nair wrote: > > Hi, > > This is more relevant to OpenVPN than OpenSSL, so copying to the > openvpn-devel list. > > On Wed, Apr 10, 2019 at 10:11 AM Francois Gelis > wrote: > >

Re: [Openvpn-devel] Issue with smartcard authentication for openvpn

2019-04-10 Thread Selva Nair
Hi, This is more relevant to OpenVPN than OpenSSL, so copying to the openvpn-devel list. On Wed, Apr 10, 2019 at 10:11 AM Francois Gelis wrote: > Hi all, > > I have a working openvpn setup with client certificate and private key > stored on my laptop. Then, I have loaded them into a smartcard

Re: [Openvpn-devel] [PATCH 4/4] Simplified if statements for better readability

2019-04-01 Thread Selva Nair
Hi, On Mon, Apr 1, 2019 at 7:22 AM Christopher Schenk < csch...@mail.uni-paderborn.de> wrote: > --- > src/openvpn/tun.c | 58 --- > 1 file changed, 14 insertions(+), 44 deletions(-) > @@ -213,7 +213,7 @@ do_set_mtu_service(const struct tuntap *tt,

Re: [Openvpn-devel] [PATCH 3/4] Use netioapi instead of netsh to set mtu

2019-04-01 Thread Selva Nair
Hi, On Mon, Apr 1, 2019 at 7:22 AM Christopher Schenk < csch...@mail.uni-paderborn.de> wrote: > --- > src/openvpn/tun.c | 68 +++ > src/openvpnserv/interactive.c | 44 +-- > 2 files changed, 46 insertions(+), 66 deletions(-) > >

Re: [Openvpn-devel] [PATCH] Setting adapter mtu on windows systems

2019-03-29 Thread Selva Nair
Hi, On Fri, Mar 29, 2019 at 6:25 AM Christopher Schenk wrote: > > Hi, > > On 28/03/2019 16:00, Selva Nair wrote: > > I would go a step further to say we should not add new features that > > do not work when started using the interactive service. > > > > Sec

Re: [Openvpn-devel] [PATCH] Setting adapter mtu on windows systems

2019-03-28 Thread Selva Nair
Hi On Thu, Mar 28, 2019 at 9:13 AM Arne Schwabe wrote: > Am 28.03.19 um 13:27 schrieb Christopher Schenk: > > From: Christopher Schenk > > > > --- > > src/openvpn/tun.c | 39 ++- > > 1 file changed, 38 insertions(+), 1 deletion(-) > > > > diff --git

Re: [Openvpn-devel] [PATCH] Improve the documentation for --dhcp-option

2019-03-20 Thread Selva Nair
On Wed, Mar 20, 2019 at 10:52 AM tincanteksup wrote: > > > > On 20/03/2019 13:25, Selva Nair wrote: > > Hi, > > > > On Wed, Mar 20, 2019 at 4:02 AM Antonio Quartulli wrote: > >> > >> Hi, > >> > >> On 18/03/2019 22:30, tincant

Re: [Openvpn-devel] [PATCH] Improve the documentation for --dhcp-option

2019-03-20 Thread Selva Nair
Hi, On Wed, Mar 20, 2019 at 9:45 AM Arne Schwabe wrote: > > Am 20.03.19 um 14:25 schrieb Selva Nair: > > Hi, > > > > On Wed, Mar 20, 2019 at 4:02 AM Antonio Quartulli wrote: > >> > >> Hi, > >> > >> On 18/03/2019 22:30, tincanteksup

Re: [Openvpn-devel] [PATCH] Improve the documentation for --dhcp-option

2019-03-20 Thread Selva Nair
Hi, On Wed, Mar 20, 2019 at 4:02 AM Antonio Quartulli wrote: > > Hi, > > On 18/03/2019 22:30, tincanteksup wrote: > > Hi, > > > > this situation has been hanging around for so long is this brief note > > really enough? Considering that the manual has numerous other URLs why > > not include this

[Openvpn-devel] [PATCH] Improve the documentation for --dhcp-option

2019-03-18 Thread selva . nair
From: Selva Nair Make clear that --dhcp-option is not processed on non-Windows clients and the user is expected to handle it using an --up script. Signed-off-by: Selva Nair --- doc/openvpn.8 | 18 +- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/doc/openvpn.8

[Openvpn-devel] [PATCH for-2.4] Better error message when script fails due to script-security setting

2019-02-28 Thread selva . nair
From: Selva Nair - Add a new return value (-2) for openvpn_execve() when external program execution is not allowed due to a low script-security setting. - Add a corresponding error message Errors and warnings in such cases will now display as "WARNING: failed running command () :"

Re: [Openvpn-devel] [PATCH applied] Re: Better error message when script fails due to script-security setting

2019-02-28 Thread Selva Nair
Hi, On Thu, Feb 28, 2019 at 12:25 PM Gert Doering wrote: > Acked-by: Gert Doering > > Thanks. I have not tested the various error conditions, but the code > makes sense to me and it passes compile and t_client tests (which use > --up here), so it's not breaking stuff in fundamental and

[Openvpn-devel] [PATCH v2] Better error message when script fails due to script-security setting

2019-02-20 Thread selva . nair
From: Selva Nair - Add a new return value (-2) for openvpn_execve() when external program execution is not allowed due to a low script-security setting. - Add a corresponding error message Errors and warnings in such cases will now display as "WARNING: failed running command () :"

Re: [Openvpn-devel] [PATCH] Better error message when script fails due to script-security setting

2019-02-19 Thread Selva Nair
Hi, Thanks for the review. On Tue, Feb 19, 2019 at 12:39 PM David Sommerseth < open...@sf.lists.topphemmelig.net> wrote: > On 17/02/2019 02:55, selva.n...@gmail.com wrote: > > From: Selva Nair > > > > - Add a new return value (-2) for openvpn_execve() when ext

Re: [Openvpn-devel] [PATCH] Better error message when script fails due to script-security setting

2019-02-18 Thread Selva Nair
Hi On Mon, Feb 18, 2019 at 9:24 AM Gert Doering wrote: > Hi, > > On Sat, Feb 16, 2019 at 08:55:41PM -0500, selva.n...@gmail.com wrote: > > From: Selva Nair > > > > - Add a new return value (-2) for openvpn_execve() when external > > program execution is not all

[Openvpn-devel] [PATCH] Better error message when script fails due to script-security setting

2019-02-16 Thread selva . nair
From: Selva Nair - Add a new return value (-2) for openvpn_execve() when external program execution is not allowed due to a low script-security setting. - Add a corresponding error message Errors and warnings in such cases will now display as "WARNING: failed running command () :"

Re: [Openvpn-devel] [PATCH] Exit early when external scripts are specified with script-security < 2

2019-02-16 Thread Selva Nair
Hi, On Sat, Feb 16, 2019 at 8:19 AM David Sommerseth < open...@sf.lists.topphemmelig.net> wrote: > On 15/02/2019 21:31, Selva Nair wrote: > > Hi > > > > On Fri, Feb 15, 2019 at 3:26 PM David Sommerseth > > open...@sf.lists.topphemmelig.net>> > > wr
