[Openvpn-devel] Better error recognition and error/status reporting to the mgmt i/f

2017-09-14 Thread Selva
05243166> > <https://github.com/OpenVPN/openvpn-gui/issues/9> > <https://github.com/OpenVPN/openvpn-gui/issues/183> > > This problem is probably not limited to OpenVPN GUI (Windows), but also > affects other GUI's like NetworkManager. It was agreed that the best

Re: [Openvpn-devel] [PATCH] Check whether in pull_mode before warning about previous connection blocks

2017-09-15 Thread Selva
On Fri, Sep 15, 2017 at 11:40 AM, Gert Doering wrote: > Hi, > > On Fri, Sep 15, 2017 at 12:41:03AM -0400, selva.n...@gmail.com wrote: > > From: Selva Nair > > > > Eliminate the confusing message that says "explicit-exit-notify is > ignored by > > pr

Re: [Openvpn-devel] [PATCH] Check whether in pull_mode before warning about previous connection blocks

2017-09-15 Thread Selva
On Fri, Sep 15, 2017 at 11:44 AM, Arne Schwabe wrote: > On 9/15/17 6:41 AM, selva.n...@gmail.com wrote: > > From: Selva Nair > > > > Eliminate the confusing message that says "explicit-exit-notify is > ignored by > > previous blocks" when the option

Re: [Openvpn-devel] [PATCH] Check whether in pull_mode before warning about previous connection blocks

2017-09-15 Thread Selva
Hi, On Fri, Sep 15, 2017 at 12:14 PM, Gert Doering wrote: > Hi, > > On Fri, Sep 15, 2017 at 11:53:59AM -0400, Selva wrote: > > No it doesn't change any functionality. By not including OPT_P_CONNECTION > > in the mask sent to verify permission the previous connec

Re: [Openvpn-devel] [PATCH v2] Check whether in pull_mode before warning about previous connection blocks

2017-09-20 Thread Selva
Hi, On Fri, Sep 15, 2017 at 2:46 PM, wrote: > From: Selva Nair > > In particular, this eliminates the message that says "explicit-exit-notify > is ignored by previous blocks" when the option is pushed. > > Note: pull_mode is identified as "allowed &

Re: [Openvpn-devel] Better error recognition and error/status reporting to the mgmt i/f

2017-09-20 Thread Selva
Hi, On Thu, Sep 14, 2017 at 3:21 PM, Selva wrote: > Hi, > > Quoting from the meeting logs: > > >> Discussed having more fine-grained signalling from OpenVPN to OpenVPN >> GUI. The lack of clear signals from OpenVPN to OpenVPN GUI has been a >> rather

Re: [Openvpn-devel] Better error recognition and error/status reporting to the mgmt i/f

2017-09-22 Thread Selva
Hi David, Thanks for taking time to look through this and for your well-considered response. Given that I may not remember the details when we get back to this topic, let me add a few remarks. On Thu, Sep 21, 2017 at 6:00 PM, David Sommerseth wrote: > On 14/09/17 21:21, Selva wrote: >

Re: [Openvpn-devel] [PATCH v2] Check whether in pull_mode before warning about previous connection blocks

2017-09-30 Thread Selva
Hi, On Thu, Sep 21, 2017 at 12:58 PM, Antonio Quartulli wrote: > > > On 20/09/17 23:34, Selva wrote: > > Hi, > > > > On Fri, Sep 15, 2017 at 2:46 PM, wrote: > > > >> From: Selva Nair > >> > >> In particular, this eliminates the

Re: [Openvpn-devel] Too much output at --verb 0 (bug?)

2017-09-30 Thread Selva
ow ("why is your server pushing > it twice?"), but anyway. > Yes, muted when pushed. But such messages will still print at verb 0 if present outside connection blocks in the config file. > > > > do_ifconfig, tt->did_ifconfig_ipv6_setup=0 > > This one comes

Re: [Openvpn-devel] [PATCH 01/13] snwprintf() => _snwprintf()

2017-10-11 Thread Selva
on that and better continue the practice of explicit nul termination). Note that swprintf is like snprintf in that it takes the buffer size as an argument. Selva -- Chec

Re: [Openvpn-devel] [PATCH 05/13] Function prototypes are declared as "typedef ( *type_name)()" in MSVC.

2017-10-11 Thread Selva
ns of mingw that I use (gcc 4.9.3 or later) will build with those stripped but I can test again if you replace this patch with one removing those declarations. Selva

Re: [Openvpn-devel] [PATCH 02/13] Mixing wide and regular strings in concatenations is not allowed in MSVC.

2017-10-11 Thread Selva
Hi, On Tue, Oct 10, 2017 at 7:11 PM, wrote: > From: Simon Rozman > > --- > src/openvpnserv/interactive.c | 8 > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c > index 9d473e4..4b08086 100644 > --- a/src/op

Re: [Openvpn-devel] [PATCH 05/13] Function prototypes are declared as "typedef ( *type_name)()" in MSVC.

2017-10-11 Thread Selva
ich never got much traction mainly because it was for an older version of MSVC which did not support C99 and thus included other changes. Selva

Re: [Openvpn-devel] [PATCH 01/13] snwprintf() => _snwprintf()

2017-10-11 Thread Selva
Hi On Wed, Oct 11, 2017 at 10:03 AM, Simon Rozman wrote: > Hi, > > > > I agree migration towards ISO-C's snwprintf() is better. > Just to be sure, ISO-C is 'swprintf' not 'snwprintf'. In spite of 'n' missing from that name, it takes the buffer size argument and nul terminates even if output is

Re: [Openvpn-devel] [PATCH 04/13] Local functions are not supported in MSVC. Bummer.

2017-10-11 Thread Selva
Hi, On Tue, Oct 10, 2017 at 7:11 PM, wrote: > From: Simon Rozman > > --- > src/openvpnserv/interactive.c | 10 +- > 1 file changed, 5 insertions(+), 5 deletions(-) > > diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c > index 2019d38..7ff45b1 100644 > --- a/src

Re: [Openvpn-devel] [PATCH 03/13] RtlIpv6AddressToStringW() and RtlIpv4AddressToStringW() require mstcpip.h

2017-10-11 Thread Selva
citly include it for RtlIpv4AddressToStringW etc. Anyway mingw is still happy at least with this order of includes, so looks good to me. ACK. Selva

Re: [Openvpn-devel] [PATCH] Fix local #include to use quoted form

2017-10-12 Thread Selva
> +#include "validate.h" > + > /* > * These are necessary due to certain buggy implementations of > (v)snprintf, > * that don't guarantee null termination for size > 0. > In mingw builds it works either way as our Makefile i

Re: [Openvpn-devel] [PATCH 06/13] openvpnserv.vcxproj project file recreated using Visual Studio 2017

2017-10-12 Thread Selva
get to those before I may find time.. Thanks, Selva

Re: [Openvpn-devel] [PATCH] Uniform snwprintf() across MinGW and MSVC compilers

2017-10-12 Thread Selva
en neither build would depend on non-standard variants. That said it's fine if you want to keep this as just an MSVC compliance patch.. > MSVC also provides _snwprintf(), however using it leads to > unportable code. > > After a discussion with Selva Nair on devel mailing list, an agreement

Re: [Openvpn-devel] [PATCH] Simplify iphlpapi.dll API calls

2017-10-12 Thread Selva
); > -static FlushIpNetTable2Fn flush_fn = NULL; > - > if (msg->family == AF_INET) > { > return FlushIpNetTable(msg->iface.index); > } > > -if (!flush_fn) > -{ > -HMODULE iphlpapi = GetModuleHandle(TEXT

Re: [Openvpn-devel] [PATCH] Uniform snwprintf() across MinGW and MSVC compilers

2017-10-13 Thread Selva
here this was broken --- I'll test your latest patch. That said, I would not depend on any of these for nul-termination, we should continue to append an explicit L'\0'. Selva

Re: [Openvpn-devel] [PATCH] Uniform snwprintf() across MinGW and MSVC compilers

2017-10-16 Thread Selva
Hi, On Mon, Oct 16, 2017 at 4:05 AM, Samuli Seppänen wrote: > On 13/10/2017 20:48, Selva wrote: > > > @samuli: Which versions of mingw-w64 should we test against to ensure > > release and snapshot builds would succeed? > > Right now _we_ use Ubuntu 16.04 for buildin

Re: [Openvpn-devel] [PATCH] Uniform snwprintf() across MinGW and MSVC compilers

2017-10-16 Thread Selva
Hi On Mon, Oct 16, 2017 at 4:22 AM, Илья Шипицин wrote: > > > 2017-10-16 13:05 GMT+05:00 Samuli Seppänen : > >> On 13/10/2017 20:48, Selva wrote: >> >> > @samuli: Which versions of mingw-w64 should we test against to ensure >> > release and snapshot

Re: [Openvpn-devel] [PATCH] Uniform snwprintf() across MinGW and MSVC compilers

2017-10-16 Thread Selva
Hi, On Mon, Oct 16, 2017 at 12:57 PM, Gert Doering wrote: > Hi, > > On Mon, Oct 16, 2017 at 11:33:02AM -0400, Selva wrote: > > I did a quick test on ubuntu trusty (14.04.05 LTS), and as you pointed > > out, it fails while > > compiling block_dns.c because of some er

Re: [Openvpn-devel] [PATCH] Uniform swprintf() across MinGW and MSVC compilers

2017-10-17 Thread Selva
onst WCHAR > *fname, const settings_t *s) > /* convert fname to full path */ > if (PathIsRelativeW(fname) ) > { > -snwprintf(tmp, _countof(tmp), L"%s\\%s", workdir, fname); > +swprintf(tmp, _countof(tmp), L"%s\\%s", workdir, fname);
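Review bot: the return value of the added swprintf(tmp, _countof(tmp), ...) call is discarded, so a workdir plus fname that does not fit in tmp goes unnoticed and tmp is still used as the full path. Check the result (ISO C swprintf returns a negative value when the output does not fit) and fail the conversion in that case; the advice given elsewhere in this thread to keep appending an explicit L'\0' applies here as well.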

Re: [Openvpn-devel] [PATCH 0/1] add engine keys keys

2017-10-29 Thread Selva
'cryptoapicert' implementation is already in need of a major re-write to support TLS 1.2 and newer. From that point of view, instead of file-based wrapped keys, if a pkcs11 compatible API can be used to access TPM (that's possible isn't it?) TPM could be more widely usab

Re: [Openvpn-devel] OpenVPN Interactive Service Branding

2017-10-30 Thread Selva
Hi, On Mon, Oct 30, 2017 at 4:41 AM, Simon Rozman wrote: > Hi Selva, > > We are considering distributing a local copy of OpenVPN with eduVPN Client: > - To provide better app isolation; > - To allow eduVPN to manage and update own OpenVPN copy. This is fine, but I would lik

Re: [Openvpn-devel] OpenVPN Interactive Service Branding

2017-10-31 Thread Selva
vpnserviceinteractive as is. Does eduVPN really need its own instance of the service? That said, I like the idea of being able to run multiple (named) instances of the service each with its own service pipe. Selva

Re: [Openvpn-devel] OpenVPN Interactive Service Branding

2017-11-01 Thread Selva
ifferent versions) of the service. > > Because of those issues, we would like to install local OpenVPN - and keep > it > up-to-date - using an MSI package. While openvpn.exe and its dependency > DLLs > can easily be m

Re: [Openvpn-devel] [PATCH 0/1] add engine keys keys

2017-11-01 Thread Selva
Hi, On Wed, Nov 1, 2017 at 2:18 PM, Steffan Karger wrote: > Hi, > > On 29-10-17 22:03, Selva wrote: > > I would like to see new features transparently supported on Windows > > as well without the need for too much extra code and associated > > maintenance

Re: [Openvpn-devel] Windows builds (was: OpenVPN Interactive Service Branding)

2017-11-02 Thread Selva
as Windows is not our primary build platform. The need for occasional patching to get MSVC build working again is going to continue. At least that's my view. Selva

Re: [Openvpn-devel] [PATCH] openvpnserv: Add support for multi-instances

2017-11-02 Thread Selva
ServiceCtrlHandler()) does state that the name is not checked in case of OWN_PROCESS. Probably that got carried over to the ...Ex() though not documented as such. Cheers, Selva

Re: [Openvpn-devel] [PATCH 1/1] openssl: add engine method for loading the key

2017-11-04 Thread Selva
happen automatically in this particular case as the patch uses SSL_CTX_get_default_passwd_cb_userdata() which would result in openssl using the password callback previously set in ssl_openssl.c ? And that callback is get_userpass() which should know whether to query the management, console or somethin

Re: [Openvpn-devel] [PATCH] openvpnserv: Add support for multi-instances

2017-11-04 Thread Selva
Hi Simon, On Thu, Nov 2, 2017 at 11:26 PM, Selva wrote: > Hi Simon, > > On Thu, Nov 2, 2017 at 3:21 PM, Simon Rozman wrote: > >> While openvpn.exe can run multiple concurrent processes, openvpnserv.exe >> is usually only one single globally unique running process.

Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-11-05 Thread Selva
ith hostnames anonymized) > > This indeed is a regression, or a "non-handled special case in the > iservice" > (waking up Selva and Heiko). > 2.3 is calling route.exe, which seems to just handle this case fine > ("the given gateway address is present on two diff

Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-11-05 Thread Selva
the first matching adapter and the number of matching adapters found. If the count is > 1 windows_route_find_if_index() in route.c sets the index to TUN_ADAPTER_INDEX_INVALID and route addition gets aborted. We could slightly modify adapter_index_o

Re: [Openvpn-devel] [PATCH 09/13] Signed/unsigned warnings of MSVC resolved

2017-11-05 Thread Selva
onvinced... > > what exactly are the warnings MSVC spits out here? > I think these are needed to silence signed/unsigned comparison warnings (== is ok, but < and > would warn). gcc also would warn if -Wextra or -Wsign-compare is used. Simon may have more to say. Selva

Re: [Openvpn-devel] [PATCH 09/13] Signed/unsigned warnings of MSVC resolved

2017-11-05 Thread Selva
y interpret as valid result. This is hypothetical as Windows system err codes do not get that large. But then the original is as good as the replacement except for a C++-trained compiler being silenced. While most of the MSVC compiler warnings are false-alarms, one out of man

Re: [Openvpn-devel] [PATCH 09/13] Signed/unsigned warnings of MSVC resolved

2017-11-06 Thread Selva
antics. Apart from the ill-chosen -err as a return value, currently it returns 0 if automatic metric is in use, making it impossible to use it as a generic function to find the current metric of an interface. In fact I've a pending patch where such a change wou

Re: [Openvpn-devel] [PATCH v2] openvpnserv: Add support for multi-instances

2017-11-06 Thread Selva
tartAutomaticOwn }, > +{ NULL, NULL } > +}; Agreed this array has to live beyond the for loop, but why static? Statics live for ever while this need not exist beyond the function. Putting it at the top where dispatchTable_shared is defined (or anywhere before the

[Openvpn-devel] patchwork

2017-11-08 Thread Selva
out of the "Action Required" list, although Acked patches still need attention to get merged. Thanks, Selva

Re: [Openvpn-devel] patchwork

2017-11-08 Thread Selva
Hi, On Wed, Nov 8, 2017 at 11:18 AM, Gert Doering wrote: > Hi, > > On Wed, Nov 08, 2017 at 11:07:16AM -0500, Selva wrote: > > Confused as to how patchwork works: > > Welcome to the club :-) > I already feel better :) > > I had some ideas how it should work

Re: [Openvpn-devel] [PATCH v2] openvpnserv: Add support for multi-instances

2017-11-08 Thread Selva
> PACKAGE_NAME/PACKAGE as the left part again, and only append the "" > service_instance for official OpenVPN and "$eduVPN" for named instance. > Not sure I follow, but will wait for the p

Re: [Openvpn-devel] [PATCH v2] openvpnserv: Add support for multi-instances

2017-11-09 Thread Selva
g to the latest [PATCH( v3 > missing)], one would need to start the default instance of the interactive > service only using the following service command line: > > openvpnserv.exe -instance interactive "" > Yes that would work in a pinch and, once installed, the use

Re: [Openvpn-devel] [PATCH 12/13] Memory size arithmetic reviewed according to 64-bit MSVC complaints

2017-11-11 Thread Selva
> > /* max cmdline length in wchars -- include room for worst case and > some */ > -int ncmdline = wcslen(fmt) + wcslen(if_name) + wcslen(addr) + 32 + 1; > +size_t ncmdline = wcslen(fmt) + wcslen(if_name) + wcslen(addr) + 32

Re: [Openvpn-devel] [PATCH] Implement "status 4" (JSON) for management interface

2017-11-12 Thread Selva
lines > at all and just responds as: > > SUCCESS: { ... } > One of the niceties of JSON is its readability which is greatly reduced if formatted without line breaks. Multi-line with the same format used for management and console would be nice. Exc

Re: [Openvpn-devel] [PATCH 12/13] Memory size arithmetic reviewed according to 64-bit MSVC complaints

2017-11-13 Thread Selva
uted it by an > explicit cast, so we can focus on more important warnings. Agreed, reducing compiler warnings is a useful side effect and we know the type coercion here is safe. cheers, Selva

Re: [Openvpn-devel] [PATCH v2] openvpnserv: Review MSVC down-casting warnings

2017-11-13 Thread Selva
} > - > -return find->cFileName[i] == '.' && !_tcsicmp(find->cFileName + i + > 1, ext); > +const TCHAR *p = _tcsrchr(find->cFileName, TEXT('.')); > +return p && p != find->cFileName && _tcsicmp(p + 1, ext) == 0; FWIW, ensu

Re: [Openvpn-devel] [PATCH] Implement "status 4" (JSON) for management interface

2017-11-13 Thread Selva
addition to "status" in > > management interface > > 3. do not print "END" marker any longer > I suppose that means no "END" as a part of the JSON output (ie., not written to console or file) but if the output is multi-line, management still needs to g

Re: [Openvpn-devel] [PATCH] Implement "status 4" (JSON) for management interface

2017-11-15 Thread Selva
from >> need to be encoded ") - and as long as we do not need to parse >> *incoming* JSON, a full-blown new library is mainly adding complications >> (like, configure flags, #ifdefs, library version dependencies, ...). >> >> But you knew that this respo

[Openvpn-devel] input validation for username, password etc.

2017-11-17 Thread Selva
management interface uses a line based protocol with '\n' as the delimiter, it can't be a part of input strings and breaks quoting. Is there any other character that should be disallowed? Thanks, Selva

Re: [Openvpn-devel] input validation for username, password etc.

2017-11-18 Thread Selva
On Sun, Nov 19, 2017 at 12:06 AM, Илья Шипицин wrote: > > > 2017-11-18 8:25 GMT+05:00 Selva : > >> Hi, >> >> I want to add some form of validation for user input in the GUI so that >> the user can be alerted when username, password etc. contains characters >

Re: [Openvpn-devel] [PATCH 1/2] plugin: Export base64 encode and decode functions

2017-11-19 Thread Selva
away and move on to patches that would benefit from it. Thanks, Selva

Re: [Openvpn-devel] [PATCH 1/2] plugin: Export base64 encode and decode functions

2017-11-20 Thread Selva
Hi David, On Mon, Nov 20, 2017 at 3:10 PM, David Sommerseth wrote: > On 19/11/17 22:21, Selva wrote: > > Hi David, > > > > On Fri, May 5, 2017 at 5:46 PM, David Sommerseth > <mailto:dav...@openvpn.net>> wrote: > > > > This patch builds on th

Re: [Openvpn-devel] ASLR/DEP -enabled 2.4.0 Windows installer available

2017-01-23 Thread Selva Nair
ng there was the flag in the header. Not so for the executables. >> >> We need to find some fix for this, else I fear this will be ASLR in name >> only. >> >> Selva >> > > So we need a small code change in OpenVPN to get ASLR actually working, > like in OpenVPN G

Re: [Openvpn-devel] [PATCH v2] Fix user's group membership check in interactive service to work with domains

2017-01-23 Thread Selva Nair
Hi, On Sat, Jan 14, 2017 at 4:16 PM, wrote: > From: Selva Nair > > Currently the username unqualified by the domain is used to validate > a user which fails for domain users. Instead authorize the user > > (i) if the built-in admin group or ovpn_admin group is in the process

Re: [Openvpn-devel] [PATCH] Resolving several travis-ci issues:

2017-01-27 Thread Selva Nair
reviews, but a bug fix may wait for ever and even lost under the pile. It all depends what catches our fancy, personal interest, expertise and mood. No point in trying to rationalize it beyond that. Selva

Re: [Openvpn-devel] [PATCH] Resolve several travis-ci issues

2017-01-28 Thread Selva Nair
ol to set -rpath properly (and/or use a wrapper) so that uninstalled test programs pick up the library it was linked with. Else a developer building using custom libs gets wrong libraries loaded while running tests. A proper fix will eliminate the need for tweaking LD_LIBRARY_PATH in the first plac

Re: [Openvpn-devel] [PATCH] Resolve several travis-ci issues

2017-01-29 Thread Selva Nair
pleteness I will copy what I wrote before: While this patch is good enough for travis builds, there is a more general issue here. I think it's the job of libtool to set -rpath properly (and/or use a wrapper) so that uninstalled test programs pick up the library it was linked with. Selva

Re: [Openvpn-devel] [PATCH] reload HTTP proxy credentials when moving to the next connection profile

2017-01-31 Thread Selva Nair
man page is to have proxy password work the same way as auth-user-pass with an implicit auth-nocache assumed. Then multiple credentials is not expected, but could still work if the proxy password is purged when an authentication error

Re: [Openvpn-devel] [PATCH] reload HTTP proxy credentials when moving to the next connection profile

2017-02-01 Thread Selva Nair
cached copy is available. With only one cache per password type, this expects passwords are not remote-specific. As we support only one auth-user-pass or one private key pass per config I think the intent was to support only one proxy password. Allowing http-proxy in block g

[Openvpn-devel] [PATCH] Make auth-nocache cooperate with auth-token

2017-02-08 Thread selva . nair
From: Selva Nair - Keep the username even if auth-nocache is specified so that any auth_token pushed by the server could be utilized - When auth-token is received, set nocache = false in user_pass Note: When handling of auth failure due to token expiry is fixed, remember to re-instate nocache

Re: [Openvpn-devel] [PATCH] Make auth-nocache cooperate with auth-token

2017-02-08 Thread Selva Nair
Hi, On Wed, Feb 8, 2017 at 10:01 PM, Antonio Quartulli wrote: > On Wed, Feb 08, 2017 at 02:25:44PM -0500, selva.n...@gmail.com wrote: > > From: Selva Nair > > > > - Keep the username even if auth-nocache is specified so that > > any auth_token pushed by the server

Re: [Openvpn-devel] [PATCH] Fix building with LibreSSL 2.5.1 by cleaning a hack.

2017-02-13 Thread Selva Nair
smtpServer = smtp.gmail.com smtpUser = user.n...@gmail.com smtpServerPort = 587 No smtpsslcertpath specified, I suppose it verifies the cert using /etc/ssl/certs as the capath, which is the default. Possibly your /etc/ssl/cert.pem is to blame? I do not have such a

Re: [Openvpn-devel] [PATCH v2] Fix user's group membership check in interactive service to work with domains

2017-02-20 Thread Selva Nair
On Mon, Feb 20, 2017 at 7:18 AM, Gert Doering wrote: > On Sat, Jan 14, 2017 at 04:16:29PM -0500, selva.n...@gmail.com wrote: > > From: Selva Nair > > > > Currently the username unqualified by the domain is used to validate > > a user which fails for domain users.

Re: [Openvpn-devel] why "ifconfig" is required during build ?

2017-03-15 Thread Selva Nair
e do not >> rely on $PATH resolution at runtime. >> > > well, what if I will not change current (i.e. default behaviour), but > instead I will add a possibility to specify ifconfig explicitly > You can set custom path during conf

Re: [Openvpn-devel] [PATCH] Fix installation of IPv6 host route to VPN server when using iservice.

2017-03-20 Thread Selva Nair
> fe80::8 value. Only do this for "on tap adapter" routes. > > Pinpointed by Selva Nair. > > Trac #850 > > Signed-off-by: Gert Doering > --- > src/openvpn/route.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/src/openvpn/r

Re: [Openvpn-devel] Upgrading EasyRSA 2's defaults

2017-04-03 Thread Selva Nair
-- > $ time openssl gendh -out test 4096 > [...snip...] > > real35m40.098s > user35m38.922s > sys 0m0.367s > $ cat /proc/cpuinfo | grep model\

Re: [Openvpn-devel] Upgrading EasyRSA 2's defaults

2017-04-04 Thread Selva Nair
means that if for some reason a non-ephemeral diffie-hellman > cipher suite is selected, you are at risk of these attacks. > Thanks for the clarification. Selva

Re: [Openvpn-devel] [PATCH v2] Delete the IPv6 route to the "connected" network on tun close

2017-04-15 Thread Selva Nair
While cleaning up my local branches this one came up.. Any comments? -- a NAK will do as well so that I can delete it :) Selva On Fri, Nov 25, 2016 at 12:21 AM, Selva Nair wrote: > This was missing on Windows when interactive service is in use. > > - Added route_ipv6_clear_host_bi

[Openvpn-devel] devel mailing list

2017-04-15 Thread Selva Nair
I did not get this mail https://sourceforge.net/p/openvpn/mailman/message/35789733/ Something up with the list or is it only me? Selva

Re: [Openvpn-devel] devel mailing list

2017-04-15 Thread Selva Nair
as a foot note in plain text ? Thanks, Selva

Re: [Openvpn-devel] Windows 10 Creators Update broke --block-outside-dns

2017-04-25 Thread Selva Nair
't include win32.h/c so I had to copy/paste code into it. How > could this be improved? > Code shared between the openvpn core and the service could go into block_dns.c and block_dns.h. Do not make the service code dependent on win32.h as that will pull-in a lot of unwanted

[Openvpn-devel] [PATCH 2/2] Parse static challenge response in auth-pam plugin

2017-05-05 Thread selva . nair
From: Selva Nair If static challenge is in use, the password passed to the plugin by openvpn is of the form "SCRV1:base64-pass:base64-response". Parse this string to separate it into password and response and use them to respond to queries in the pam conversation function. On

[Openvpn-devel] [PATCH 1/2] In auth-pam plugin clear the password after use

2017-05-05 Thread selva . nair
From: Selva Nair This adds a minimal secure_memzero() Signed-off-by: Selva Nair --- src/plugins/auth-pam/auth-pam.c | 2 ++ src/plugins/auth-pam/utils.h| 16 2 files changed, 18 insertions(+) diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c

Re: [Openvpn-devel] [PATCH 1/2] In auth-pam plugin clear the password after use

2017-05-05 Thread Selva Nair
On Fri, May 5, 2017 at 3:01 PM, David Sommerseth < open...@sf.lists.topphemmelig.net> wrote: > On 05/05/17 20:28, Gert Doering wrote: > > Hi, > > > > On Fri, May 05, 2017 at 02:24:01PM -0400, selva.n...@gmail.com wrote: > >> From: Selva Nair > >

Re: [Openvpn-devel] [PATCH] Set a low interface metric for tap adapter when block-outside-dns is in use

2017-05-05 Thread Selva Nair
, setting low metric for the TAP interface solves this issue, > making Windows always pick with TAP adapter first. Well, I'm looking for excuses to avoid the hard work of a careful review :) If reducing metric is indeed the right approach in this cat and mouse game with MS, I'

Re: [Openvpn-devel] [PATCH 1/2] plugin: Export base64 encode and decode functions

2017-05-07 Thread Selva Nair
t also refers to *type_mask instead of type_mask which is not right either. Am I missing something? Selva [*] By the way, this being an example, it may be best to show the correct type by casting the return value of calloc to (openvpn_plugin_handle_t)

Re: [Openvpn-devel] [PATCH 1/2] plugin: Export base64 encode and decode functions

2017-05-08 Thread Selva Nair
> correct type by casting the > > return value of calloc to (openvpn_plugin_handle_t) > > Yes, but shouldn't it be `(openvpn_plugin_handle_t *)` ? > I assumed the fix would be to change the struct. Thanks, Selva

Re: [Openvpn-devel] [PATCH] plugin: Fix documentation typo for type_mask

2017-05-08 Thread Selva Nair
dle in this struct. Reference to *handle in line 390 needs correction too (comment only -- struct is fine). Thanks, Selva

Re: [Openvpn-devel] [PATCH] Set a low interface metric for tap adapter when block-outside-dns is in use

2017-05-08 Thread Selva Nair
interface_data->metric > 0) > Here ">" should be ">=0", else automatic metric is not restored. > +{ > +set_interface_metric(interface_data->index, > AF_INET, > + interface_data->metric);

Re: [Openvpn-devel] [PATCH] plugin: Fix documentation typo for type_mask

2017-05-08 Thread Selva Nair
Hi, On Mon, May 8, 2017 at 10:57 AM, David Sommerseth < open...@sf.lists.topphemmelig.net> wrote: > On 08/05/17 16:38, Selva Nair wrote: > > Hi, > > > On Mon, May 8, 2017 at 10:19 AM, David Sommerseth >> wrote: >> * >> * STRUCT MEMBERS >> *

Re: [Openvpn-devel] [PATCH] plugin: Export secure_memzero() to plug-ins

2017-05-09 Thread Selva Nair
rc/openvpn/plugin.c > index 05cbae3e..a652d528 100644 > --- a/src/openvpn/plugin.c > +++ b/src/openvpn/plugin.c > @@ -410,7 +410,8 @@ plugin_log(openvpn_plugin_log_flags_t flags, const > char *name, const char *forma > > static struct openvpn_plugin_callbacks callbacks = { >

[Openvpn-devel] [PATCH 1/2 v2] In auth-pam plugin clear the password after use

2017-05-09 Thread selva . nair
From: Selva Nair v2: Change the plugin open to use v3 API so that openvpn_secure_memzero() exported from OpenVPN can be used. Note: context is cast as (openvpn_plugin_handle_t *) for consistency with the current plugin header. If/when the header is fixed, change this cast as well. Signed-off

Re: [Openvpn-devel] [PATCH 1/2 v2] In auth-pam plugin clear the password after use

2017-05-09 Thread Selva Nair
if future revisions is guaranteed not to reorder/remove items in the structs, a less strict check is definitely better. > The plug-ins in src/plugins should use, which ensures forward > compatibility against the OpenVPN binary: > >if (v3structver < OPENVPN_PLUGIN

Re: [Openvpn-devel] [PATCH] Always clear username/password from memory on error

2017-05-09 Thread Selva Nair
variables as initialization can hide errors. Selva

[Openvpn-devel] [PATCH 1/2 v3] In auth-pam plugin clear the password after use

2017-05-09 Thread selva . nair
From: Selva Nair v2: Change the plugin open to use v3 API so that secure_memzero() exported from OpenVPN can be used. v3: Relax API compatibility check: struct version 4 or higher will have secure_memzero exported. Note: context is cast as (openvpn_plugin_handle_t *) for consistency

Re: [Openvpn-devel] [PATCH v2] Document tls-crypt security considerations in man page

2017-05-09 Thread Selva Nair
same security as using > +.B \-\-tls\-auth\fR. > +That is, the control channel still benefits from the extra protection > against > +active man-in-the-middle-attacks and DoS attacks, but may no longer offe

Re: [Openvpn-devel] [PATCH] Set a low interface metric for tap adapter when block-outside-dns is in use

2017-05-10 Thread Selva Nair
I_ InitializeIpInterfaceEntry(PMIB_IPINTERFACE_ROW Row ); Do a test build for 32 bit to see now this function compiles without warnings and links without errors. 32 bit is a more stringent test because only in this case the linker will fail to find stdcall functions witho

Re: [Openvpn-devel] [PATCH v2] Set a low interface metric for tap adapter when block-outside-dns is in use

2017-05-10 Thread Selva Nair
any adverse effects except for the metric change which will also affect the metric of routes added. Cross compiles without issues for 32 bit and 64 bit -- tested on Debian 8.7 with mingw32-w64 included in the distribution. Selva

[Openvpn-devel] [PATCH] Pass correct buffer size to GetModuleFileNameW()

2017-05-11 Thread selva . nair
From: Selva Nair Fixes finding 5.6 of OSTIF/Quarkslab audit Signed-off-by: Selva Nair --- src/openvpn/win32.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c index 0cbf5fd..9a03681 100644 --- a/src/openvpn/win32.c +++ b/src

Re: [Openvpn-devel] [PATCH applied] Re: Pass correct buffer size to GetModuleFileNameW()

2017-05-13 Thread Selva Nair
ld add error checking there. If the buffer is too small we will get a truncated but null terminated name, so that's not too bad. But if the call fails the buffer may contain random bytes. Selva

[Openvpn-devel] [PATCH for 2.3] Check for errors in the return value of GetModuleFileNameW()

2017-05-14 Thread selva . nair
From: Selva Nair Also replace MAX_PATH by _countof(openvpnpath) as the latter is arguably more robust. Signed-off-by: Selva Nair --- src/openvpn/win32.c | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c index b271597..56c3a1d

[Openvpn-devel] [PATCH] Correct the declaration of handle in 'struct openvpn_plugin_args_open_return'

2017-05-15 Thread selva . nair
From: Selva Nair - This is an opaque pointer so the change should not affect existing plugins. But it makes the code consistent and clears up the documentation as the handle pointer is treated as of type "openvpn_plugin_handle_t" in the rest of the code. Signed-off-by:

Re: [Openvpn-devel] block-outside-dns and persist-tun

2017-05-28 Thread Selva Nair
see the client logs and any error event logged by the service when this happens. Can you get the user to open a ticket with logs? > > Works fine with persist-tun on client side. > Selva

Re: [Openvpn-devel] [OpenVPN/openvpn-gui] better handling of interactive service failure (#168)

2017-05-31 Thread Selva Nair
1AM -0700, Selva Nair wrote: > > As I said, get openvpn to report route errors in the status and then we > can > > add a warning to the status popup, turn the icon red etc instead of the > > current misleading "successfully connected" behaviour. > > This is actu

Re: [Openvpn-devel] block-outside-dns and persist-tun

2017-06-03 Thread Selva Nair
due to fatal error Obviously "access denied" due to not running as admin and service not in use. Selva

Re: [Openvpn-devel] [PATCH 2/2] Parse static challenge response in auth-pam plugin

2017-06-12 Thread Selva Nair
On Mon, Jun 12, 2017 at 2:14 PM, Gert Doering wrote: > Hi, > > wading through my heap of mails that did not get proper attention... > > On Fri, May 05, 2017 at 02:24:02PM -0400, selva.n...@gmail.com wrote: > > From: Selva Nair > > > > If static challenge is i

Re: [Openvpn-devel] W10 Client assigns old AND new IPv6 address to TAP with GUI+Service but not with cmd prompt

2017-06-12 Thread Selva Nair
ion failed using > service: The object already exists. [status=5010 if_index=17] This is a known issue (route not deleted on termination so fails to recreate later) and is not critical. FWIW, there is a patch on the ML to fix it. Selva

Re: [Openvpn-devel] W10 Client assigns old AND new IPv6 address to TAP with GUI+Service but not with cmd prompt

2017-06-13 Thread Selva Nair
ne interface cannot show up on another. Selva
