[Openvpn-devel] [PATCH applied] Re: Don't clear capability bounding set on capng_change_id
Acked-by: Gert Doering Thanks for so quickly coming to help with investigating the issue and providing a fix :-) I have not tested this myself, but the code change is trivial, and the positive effects have been verified in the GH issue. I have tested that "running a DCO p2mp instance as user nobody" still works (it does). Your patch has been applied to the master and release/2.6 branch. commit d8523119b95db55d2c101b8364ce7e9d0d0f6f3a (master) commit 99a098e13a427e72ade5ef2812b7ea342ea64aa6 (release/2.6) Author: Timo Rothenpieler Date: Wed Jan 18 15:24:28 2023 +0100 Don't clear capability bounding set on capng_change_id Signed-off-by: Timo Rothenpieler Acked-by: Gert Doering Message-Id: <20230118142428.162-1-t...@rothenpieler.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26048.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] openvpnmsica: remove dco installer custom actions
From: Lev Stipakov Those have been moved into MSM to be reused by openvpn-gui and Connect. Signed-off-by: Lev Stipakov --- src/openvpnmsica/openvpnmsica.c | 283 1 file changed, 283 deletions(-) diff --git a/src/openvpnmsica/openvpnmsica.c b/src/openvpnmsica/openvpnmsica.c index 229eff00..af12b2c4 100644 --- a/src/openvpnmsica/openvpnmsica.c +++ b/src/openvpnmsica/openvpnmsica.c @@ -64,12 +64,6 @@ #define MSICA_ADAPTER_TICK_SIZE (16*1024) /** Amount of tick space to reserve for one TAP/TUN adapter creation/deletition. */ #define FILE_NEED_REBOOTL".ovpn_need_reboot" -#define CMP_OVPN_DCO_INFL"CMP_ovpn_dco.inf" -#define ACTION_ADD_DRIVER L"AddDriver" -#define ACTION_DELETE_DRIVERL"DeleteDriver" -#define ACTION_NOOP L"Noop" -#define FILE_OVPN_DCO_INF L"ovpn-dco.inf" -#define OVPN_DCO_HWID L"ovpn-dco" /** * Joins an argument sequence and sets it to the MSI property. 
@@ -1196,280 +1190,3 @@ CheckAndScheduleReboot(_In_ MSIHANDLE hInstall) } return ERROR_SUCCESS; } - -static BOOL -IsInstalling(_In_ INSTALLSTATE InstallState, _In_ INSTALLSTATE ActionState) -{ -return INSTALLSTATE_LOCAL == ActionState || INSTALLSTATE_SOURCE == ActionState - || (INSTALLSTATE_DEFAULT == ActionState - && (INSTALLSTATE_LOCAL == InstallState || INSTALLSTATE_SOURCE == InstallState)); -} - -static BOOL -IsReInstalling(_In_ INSTALLSTATE InstallState, _In_ INSTALLSTATE ActionState) -{ -return (INSTALLSTATE_LOCAL == ActionState || INSTALLSTATE_SOURCE == ActionState -|| INSTALLSTATE_DEFAULT == ActionState) - && (INSTALLSTATE_LOCAL == InstallState || INSTALLSTATE_SOURCE == InstallState); -} - -static BOOL -IsUninstalling(_In_ INSTALLSTATE InstallState, _In_ INSTALLSTATE ActionState) -{ -return (INSTALLSTATE_ABSENT == ActionState || INSTALLSTATE_REMOVED == ActionState) - && (INSTALLSTATE_LOCAL == InstallState || INSTALLSTATE_SOURCE == InstallState); -} - -UINT __stdcall -EvaluateDriver(_In_ MSIHANDLE hInstall) -{ -#ifdef _MSC_VER -#pragma comment(linker, DLLEXP_EXPORT) -#endif - -debug_popup(__FUNCTION__); - -UINT ret; -BOOL bIsCoInitialized = SUCCEEDED(CoInitialize(NULL)); - -OPENVPNMSICA_SAVE_MSI_SESSION(hInstall); - -INSTALLSTATE InstallState, ActionState; -ret = MsiGetComponentStateW(hInstall, CMP_OVPN_DCO_INF, &InstallState, &ActionState); -if (ret != ERROR_SUCCESS) -{ -SetLastError(ret); -msg(M_NONFATAL | M_ERRNO, "%s: MsiGetComponentState(\"%ls\") failed", __FUNCTION__, CMP_OVPN_DCO_INF); -goto cleanup; -} - -/* get user-specific temp path, to where we create reboot indication file */ -WCHAR tempPath[MAX_PATH]; -GetTempPathW(MAX_PATH, tempPath); - -WCHAR pathToInf[MAX_PATH]; -DWORD pathLen = _countof(pathToInf); -ret = MsiGetPropertyW(hInstall, L"OVPNDCO", pathToInf, &pathLen); -if (ret != ERROR_SUCCESS) -{ -SetLastError(ret); -msg(M_NONFATAL | M_ERRNO, "%s: MsiGetProperty failed", __FUNCTION__); -goto cleanup; -} - -WCHAR action[0x400]; -if 
((IsReInstalling(InstallState, ActionState) || IsInstalling(InstallState, ActionState))) -{ -swprintf_s(action, _countof(action), L"%s|%s%s|%s", ACTION_ADD_DRIVER, pathToInf, FILE_OVPN_DCO_INF, tempPath); -} -else if (IsUninstalling(InstallState, ActionState)) -{ -swprintf_s(action, _countof(action), L"%s|%s%s|%s", ACTION_DELETE_DRIVER, pathToInf, FILE_OVPN_DCO_INF, tempPath); -} -else -{ -swprintf_s(action, _countof(action), L"%s||", ACTION_NOOP); -} - -ret = MsiSetPropertyW(hInstall, L"OvpnDcoProcess", action); - -cleanup: -if (bIsCoInitialized) -{ -CoUninitialize(); -} -return ret; -} - -static BOOL -GetPublishedDriverName(_In_z_ LPCWSTR hwid, _Out_writes_z_(len) LPWSTR publishedName, _In_ DWORD len) -{ -wcscpy_s(publishedName, len, L""); - -HDEVINFO devInfoSet = SetupDiGetClassDevsW(&GUID_DEVCLASS_NET, NULL, NULL, 0); -if (!devInfoSet) -{ -msg(M_NONFATAL | M_ERRNO, "%s: SetupDiGetClassDevsW failed", __FUNCTION__); -return FALSE; -} -BOOL res = FALSE; -if (!SetupDiBuildDriverInfoList(devInfoSet, NULL, SPDIT_CLASSDRIVER)) -{ -msg(M_NONFATAL | M_ERRNO, "%s: SetupDiBuildDriverInfoList failed", __FUNCTION__); -goto cleanupDeviceInfoSet; -} -for (DWORD idx = 0;; ++idx) -{ -SP_DRVINFO_DATA_W drvInfo = { .cbSize = sizeof(drvInfo) }; -if (!SetupDiEnumDriverInfoW(devInfoSet, NULL, SPDIT_CLASSDRIVER, idx, &drvInfo)) -{ -if (GetLastError() == ERROR_NO_MORE_ITEMS) -{ -break; -} -msg(M_NONFATAL | M_ERRNO, "%s: SetupDiEnumDriverInfoW failed", __FUNCTION__); -goto cleanupDriverInfoList; -} -DWORD size; -if (Setu
[Openvpn-devel] [PATCH applied] Re: Workaround: make ovpn-dco more reliable
"Another bandaid so 2.6 does not fall apart right away"... but anyway, while not pretty, it seems to get the job done... Tested on the Ubuntu 20.04 / DCO server, client and server. Your patch has been applied to the master and release/2.6 branch. commit f84a9fc5d4ac0f24912d239a3fccf3701926a50c (master) commit 74a7cf9b9b9a4cb04d0bff9a85880e9bafbefca8 (release/2.6) Author: Arne Schwabe Date: Thu Jan 12 17:37:37 2023 +0100 Workaround: make ovpn-dco more reliable Signed-off-by: Arne Schwabe Acked-by: Antonio Quartulli Message-Id: <20230112163737.1240059-1-a...@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25988.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: openvpnmsica: remove dco installer custom actions
Acked-by: Gert Doering As you all guessed, I'm a big fan of ripping out large chunks of stuff that I have no use for ;-) - seriously, moving windco into a MSM is the right thing, so we do not need the installer code here anymore. (I do not fully understand all the details in the grand scheme of things, like "where have these functions been called from, previously?" but I guess this is what the windows-build patch is about...) Tested by pushing to my GH instance and getting a windows test build, for good measure... but that fails because LZO downloads fail... meh. Your patch has been applied to the master and release/2.6 branch. commit 7217c7137ef835eb70a3e0c0fcf1cbdf3d5f65b2 (master) commit 640c4d82611b744a4e032b827c82e365eca4f361 (release/2.6) Author: Lev Stipakov Date: Thu Jan 19 10:59:59 2023 +0200 openvpnmsica: remove dco installer custom actions Signed-off-by: Lev Stipakov Acked-by: Gert Doering Message-Id: <20230119085959.157-1-lstipa...@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26053.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] Warn when pkcs11-id or pkcs11-id-management options are ignored
From: Selva Nair - If there are no pkcs11-providers either directly specified or through p11-kit-proxy made available through a build-time detection, these options are ignored. Log a warning in such cases. Especially important on Windows where automatic loading of p11-kit is not enabled in our release builds. - Document this behaviour. Signed-off-by: Selva Nair --- doc/man-sections/pkcs11-options.rst | 23 ++- src/openvpn/options.c | 9 + 2 files changed, 23 insertions(+), 9 deletions(-) diff --git a/doc/man-sections/pkcs11-options.rst b/doc/man-sections/pkcs11-options.rst index c064aca5..de1662b7 100644 --- a/doc/man-sections/pkcs11-options.rst +++ b/doc/man-sections/pkcs11-options.rst @@ -13,7 +13,8 @@ PKCS#11 / SmartCard options --pkcs11-id name Specify the serialized certificate id to be used. The id can be gotten - by the standalone ``--show-pkcs11-ids`` option. + by the standalone ``--show-pkcs11-ids`` option. See also the description + of ``--pkcs11-providers`` option. --pkcs11-id-management Acquire PKCS#11 id from management interface. In this case a @@ -21,6 +22,7 @@ PKCS#11 / SmartCard options application may use pkcs11-id-count command to retrieve available number of certificates, and pkcs11-id-get command to retrieve certificate id and certificate body. + See also the description of ``--pkcs11-providers`` option. --pkcs11-pin-cache seconds Specify how many seconds the PIN can be cached, the default is until the 
@@ -51,15 +53,18 @@ PKCS#11 / SmartCard options pkcs11-protected-authentication 0 pkcs11-protected-authentication 1 ---pkcs11-providers provider +--pkcs11-providers providers Specify an RSA Security Inc. PKCS #11 Cryptographic Token Interface - (Cryptoki) providers to load. This option can be used instead of - ``--cert``, ``--key`` and ``--pkcs12``. - - If p11-kit is present on the system, its :code:`p11-kit-proxy.so` module - will be loaded by default if either the ``--pkcs11-id`` or - ``--pkcs11-id-management`` options are specified without - ``--pkcs11-provider`` being given. + (Cryptoki) providers to load. A space-separated list of one or more + provider library names may be specified. This option along with ``--pkcs11-id`` + or ``pkcs11-id-management`` can be used instead of + ``--cert`` and ``--key`` or ``--pkcs12``. + + If p11-kit is present on the system and was enabled during build, its + :code:`p11-kit-proxy.so` module will be loaded by default if either + the ``--pkcs11-id`` or ``--pkcs11-id-management`` options is present without + ``--pkcs11-providers``. If default loading is not enabled in the build and + no providers are specified, the former options will be ignored. --show-pkcs11-ids args (Standalone) Show PKCS#11 token object list. diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 4932a869..f24af3d7 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -2855,6 +2855,15 @@ options_postprocess_verify_ce(const struct options *options, { check_ca_required(options); #ifdef ENABLE_PKCS11 +if (!options->pkcs11_providers[0] && options->pkcs11_id) +{ +msg(M_WARN, "Option pkcs11-id is ignored as no pkcs11-providers are specified"); +} +else if (!options->pkcs11_providers[0] && options->pkcs11_id_management) +{ +msg(M_WARN, "Option pkcs11-id-management is ignored as no pkcs11-providers are specified"); +} + if (options->pkcs11_providers[0]) { if (options->pkcs11_id_management && options->pkcs11_id != NULL) -- 2.34.1 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
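Review bot: When both pkcs11-id and pkcs11-id-management are configured without any pkcs11-providers, the else-if emits only the first warning even though both options are dropped, and `!options->pkcs11_providers[0]` is evaluated twice; nesting the two checks under a single provider test warns about each ignored option. The warning is only accurate if the p11-kit default provider (where enabled at build time) has already been written into pkcs11_providers before options_postprocess_verify_ce runs — that presumably happens in an earlier postprocess step, but it is not visible in this hunk, and a one-line comment such as `/* the p11-kit default provider, if built in, has already been filled in by this point */` would document the dependency. Since an ignored pkcs11-id means the credential the user configured is never used for authentication, it may also be worth considering whether M_USAGE fits better than M_WARN here. options_postprocess_verify_ce starts and ends outside the hunk.
```c
#ifdef ENABLE_PKCS11
    if (!options->pkcs11_providers[0])
    {
        if (options->pkcs11_id)
        {
            msg(M_WARN, "Option pkcs11-id is ignored as no pkcs11-providers are specified");
        }
        if (options->pkcs11_id_management)
        {
            msg(M_WARN, "Option pkcs11-id-management is ignored as no pkcs11-providers are specified");
        }
    }
    /* … unchanged: existing pkcs11_providers[0] checks … */
```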