From patchwork Wed May 12 03:15:03 2021
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1804
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 12 May 2021 15:15:03 +0200
Message-Id: <20210512131511.1309914-2-arne@rfc2549.org>
In-Reply-To: <20210512131511.1309914-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 1/9] Remove explicit struct iovec check (HAVE_IOVEC)

This macro is currently used only in 3 places in syshead.h:

- EXTENDED_SOCKET_ERROR_CAPABILITY is Linux specific anyway and starts with #if defined(HAVE_LINUX_TYPES_H)
- port share and ip_pktinfo macros depend on sendmsg/recvmsg, which implicitly also require iovec

So in all three cases we can implicitly assume that iovec is present and do not need to make this explicit check.

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 configure.ac          | 1 -
 src/openvpn/syshead.h | 6 +++---
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/configure.ac b/configure.ac
index f05faf991..dce7982cc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1141,7 +1141,6 @@ if test "${enable_x509_alt_username}" = "yes"; then AC_DEFINE([ENABLE_X509ALTUSERNAME], [1], [Enable --x509-username-field feature]) fi -test "${ac_cv_header_sys_uio_h}" = "yes" && AC_DEFINE([HAVE_IOVEC], [1], [struct iovec needed for IPv6 support]) test "${enable_management}" = "yes" && AC_DEFINE([ENABLE_MANAGEMENT], [1], [Enable management server capability]) test "${enable_debug}" = "yes" && AC_DEFINE([ENABLE_DEBUG], [1], [Enable debugging support]) test "${enable_small}" = "yes" && AC_DEFINE([ENABLE_SMALL], [1], [Enable smaller executable size]) diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h index a9680f72f..5e0176fb9 100644 --- a/src/openvpn/syshead.h +++ b/src/openvpn/syshead.h @@ -371,7 +371,7 @@ typedef int MIB_TCP_STATE; /* * Do we have the capability to report extended socket errors? */ -#if defined(HAVE_LINUX_TYPES_H) && defined(HAVE_LINUX_ERRQUEUE_H) && defined(HAVE_SOCK_EXTENDED_ERR) && defined(HAVE_MSGHDR) && defined(HAVE_CMSGHDR) && defined(CMSG_FIRSTHDR) && defined(CMSG_NXTHDR) && defined(IP_RECVERR) && defined(MSG_ERRQUEUE) && defined(SOL_IP) && defined(HAVE_IOVEC) +#if defined(HAVE_LINUX_TYPES_H) && defined(HAVE_LINUX_ERRQUEUE_H) && defined(HAVE_SOCK_EXTENDED_ERR) && defined(HAVE_MSGHDR) && defined(HAVE_CMSGHDR) && defined(CMSG_FIRSTHDR) && defined(CMSG_NXTHDR) && defined(IP_RECVERR) && defined(MSG_ERRQUEUE) && defined(SOL_IP) #define EXTENDED_SOCKET_ERROR_CAPABILITY 1 #else #define EXTENDED_SOCKET_ERROR_CAPABILITY 0 
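Review bot: the commit message derives iovec from sendmsg/recvmsg, but the EXTENDED_SOCKET_ERROR_CAPABILITY condition in this hunk checks neither HAVE_RECVMSG nor HAVE_SENDMSG; what actually covers struct iovec here is `defined(HAVE_MSGHDR)`, since struct msghdr carries its `msg_iov` member as a `struct iovec *`, so any configure check that found msghdr found iovec as well. Stating that in the commit message would make the reasoning hold for all three sites. The configure.ac hunk drops only the AC_DEFINE and leaves whatever sets `ac_cv_header_sys_uio_h` untouched, which is fine, but a grep for HAVE_IOVEC users outside syshead.h would confirm the "only 3 places" claim before merge.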
@@ -381,7 +381,7 @@ typedef int MIB_TCP_STATE; * Does this platform support linux-style IP_PKTINFO * or bsd-style IP_RECVDSTADDR ? */ -#if ((defined(HAVE_IN_PKTINFO) && defined(IP_PKTINFO)) || defined(IP_RECVDSTADDR)) && defined(HAVE_MSGHDR) && defined(HAVE_CMSGHDR) && defined(HAVE_IOVEC) && defined(CMSG_FIRSTHDR) && defined(CMSG_NXTHDR) && defined(HAVE_RECVMSG) && defined(HAVE_SENDMSG) +#if ((defined(HAVE_IN_PKTINFO) && defined(IP_PKTINFO)) || defined(IP_RECVDSTADDR)) && defined(HAVE_MSGHDR) && defined(HAVE_CMSGHDR) && defined(CMSG_FIRSTHDR) && defined(CMSG_NXTHDR) && defined(HAVE_RECVMSG) && defined(HAVE_SENDMSG) #define ENABLE_IP_PKTINFO 1 #else #define ENABLE_IP_PKTINFO 0 
@@ -465,7 +465,7 @@ socket_defined(const socket_descriptor_t sd) /* * HTTPS port sharing capability */ -#if defined(ENABLE_PORT_SHARE) && defined(SCM_RIGHTS) && defined(HAVE_MSGHDR) && defined(HAVE_CMSGHDR) && defined(HAVE_IOVEC) && defined(CMSG_FIRSTHDR) && defined(CMSG_NXTHDR) && defined(HAVE_RECVMSG) && defined(HAVE_SENDMSG) +#if defined(ENABLE_PORT_SHARE) && defined(SCM_RIGHTS) && defined(HAVE_MSGHDR) && defined(HAVE_CMSGHDR) && defined(CMSG_FIRSTHDR) && defined(CMSG_NXTHDR) && defined(HAVE_RECVMSG) && defined(HAVE_SENDMSG) #define PORT_SHARE 1 #else #define PORT_SHARE 0

From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 12 May 2021 15:15:04 +0200
Message-Id: <20210512131511.1309914-3-arne@rfc2549.org>
In-Reply-To: <20210512131511.1309914-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 2/9] Remove getpeername, getpid check

getpeername is part of SUSv3, and Windows also provides the function as part of Winsock. getpid is also provided by both POSIX and Windows, and we do not even use getpid on Windows since we rather call GetCurrentProcessId.

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 configure.ac           | 4 ++--
 src/openvpn/platform.c | 4 ----
 src/openvpn/socket.c   | 7 -------
 3 files changed, 2 insertions(+), 13 deletions(-)

diff --git a/configure.ac b/configure.ac
index dce7982cc..cc1dedbb9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -619,10 +619,10 @@ AC_CHECK_DECLS( AC_FUNC_FORK AC_CHECK_FUNCS([ \ - daemon chroot getpwnam setuid nice system getpid dup dup2 \ + daemon chroot getpwnam setuid nice system dup dup2 \ syslog openlog mlockall getrlimit getgrnam setgid \ setgroups flock readv writev time gettimeofday \ - setsid chdir getpeername \ + setsid chdir \ chsize ftruncate execve getpeereid basename dirname access \ epoll_create strsep \ ]) diff --git a/src/openvpn/platform.c b/src/openvpn/platform.c index bf7b1aa0a..831cc46b1 100644 --- a/src/openvpn/platform.c +++ b/src/openvpn/platform.c @@ -184,11 +184,7 @@ platform_getpid(void) #ifdef _WIN32 return (unsigned int) GetCurrentProcessId(); #else -#ifdef HAVE_GETPID return (unsigned int) getpid(); -#else - return 0; -#endif #endif } diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index 407e411c0..02a6a7db4 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -1227,7 +1227,6 @@ socket_do_accept(socket_descriptor_t sd, CLEAR(*act); -#ifdef HAVE_GETPEERNAME if (nowait) { new_sd = getpeername(sd, &act->dest.addr.sa, &remote_len); 
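Review bot: the configure.ac hunk drops `getpid` and `getpeername` from AC_CHECK_FUNCS, so HAVE_GETPID and HAVE_GETPEERNAME stop being defined at all; the platform.c and socket.c hunks remove the guards visible here, but any other `#ifdef HAVE_GETPID` or `#ifdef HAVE_GETPEERNAME` still in the tree would now silently take its fallback branch instead of failing the build, so a grep for both macros should accompany this change. In the platform.c hunk the old `#else return 0;` fallback goes away, which is the right call: a pid of 0 from platform_getpid() was never a meaningful value.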
@@ -1241,12 +1240,6 @@ socket_do_accept(socket_descriptor_t sd, new_sd = sd; } } -#else /* ifdef HAVE_GETPEERNAME */ - if (nowait) - { - msg(M_WARN, "TCP: this OS does not provide the getpeername() function"); - } -#endif else { new_sd = accept(sd, &act->dest.addr.sa, &remote_len);

From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 12 May 2021 15:15:05 +0200
Message-Id: <20210512131511.1309914-4-arne@rfc2549.org>
In-Reply-To: <20210512131511.1309914-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 3/9] Inline do_init_auth_token_key

The extra function does not really give a better understanding of the code or any other benefit; inline it to make the code more streamlined.

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 src/openvpn/init.c | 23 ++++++-----------------
 1 file changed, 6 insertions(+), 17 deletions(-)

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index fa10d3d4f..1d77a9d42 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c @@ -2671,22 +2671,6 @@ do_init_tls_wrap_key(struct context *c) } -/* - * Initialise the auth-token key context - */ -static void -do_init_auth_token_key(struct context *c) -{ - if (!c->options.auth_token_generate) - { - return; - } - - auth_token_init_secret(&c->c1.ks.auth_token_key, - c->options.auth_token_secret_file, - c->options.auth_token_secret_file_inline); -} - /* * Initialize the persistent component of OpenVPN's TLS mode, * which is preserved across SIGUSR1 resets. 
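Review bot: the removed helper was `static`, so there is no header prototype to delete along with it, and its early `return` when auth_token_generate is unset becomes the `if (c->options.auth_token_generate)` guard in the following hunk, which preserves behaviour exactly. The "Initialise the auth-token key context" comment is lost with the function, but the `/* initialise auth-token crypto support */` line that the second hunk keeps in do_init_crypto_tls_c1 still documents the call site, so nothing further is needed there.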
@@ -2761,7 +2745,12 @@ do_init_crypto_tls_c1(struct context *c) do_init_tls_wrap_key(c); /* initialise auth-token crypto support */ - do_init_auth_token_key(c); + if (c->options.auth_token_generate) + { + auth_token_init_secret(&c->c1.ks.auth_token_key, + c->options.auth_token_secret_file, + c->options.auth_token_secret_file_inline); + } #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */ if (options->priv_key_file_inline)

From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 12 May 2021 15:15:06 +0200
Message-Id: <20210512131511.1309914-5-arne@rfc2549.org>
In-Reply-To: <20210512131511.1309914-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 4/9] Add missing free_key_ctx for auth_token

This is a small memory leak as this key is only leaked once per server start.

Signed-off-by: Arne Schwabe
Acked-by: Antonio Quartulli
---
 src/openvpn/init.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 1d77a9d42..49c742928 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c 
@@ -2520,6 +2520,7 @@ key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx) if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx) { tls_ctx_free(&ks->ssl_ctx); + free_key_ctx(&ks->auth_token_key); } CLEAR(*ks); }
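Review bot: the new `free_key_ctx(&ks->auth_token_key)` sits inside `if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)`, so the auth-token key is released only when the SSL context is. Tying it to `free_ssl_ctx` matches the key living in the persistent key_schedule, but the `tls_ctx_initialised` half means a key initialised without a TLS context is still leaked, and the `CLEAR(*ks)` that follows then discards the pointer. If free_key_ctx() is safe to call on an uninitialised key ctx, hoisting the call out of the `tls_ctx_initialised` test while keeping the `free_ssl_ctx` check closes that remaining gap.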
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 12 May 2021 15:15:07 +0200
Message-Id: <20210512131511.1309914-6-arne@rfc2549.org>
In-Reply-To: <20210512131511.1309914-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 5/9] Add ifdef guards to unit test

The unit tests do not compile under Windows since they are missing the correct ifdef guards.

Signed-off-by: Arne Schwabe
---
 tests/unit_tests/openvpn/test_argv.c       | 2 ++
 tests/unit_tests/openvpn/test_auth_token.c | 2 ++
 tests/unit_tests/openvpn/test_crypto.c     | 4 ++++
 tests/unit_tests/openvpn/test_misc.c       | 2 ++
 tests/unit_tests/openvpn/test_ncp.c        | 2 ++
 tests/unit_tests/openvpn/test_tls_crypt.c  | 2 ++
 6 files changed, 14 insertions(+)
diff --git a/tests/unit_tests/openvpn/test_argv.c b/tests/unit_tests/openvpn/test_argv.c index 3dc470a52..6ab9be53c 100644 --- a/tests/unit_tests/openvpn/test_argv.c +++ b/tests/unit_tests/openvpn/test_argv.c @@ -2,7 +2,9 @@ #include "syshead.h" #include +#ifdef HAVE_UNISTD_H #include +#endif #include #include #include diff --git a/tests/unit_tests/openvpn/test_auth_token.c b/tests/unit_tests/openvpn/test_auth_token.c index dbde86318..b0fbd6dec 100644 --- a/tests/unit_tests/openvpn/test_auth_token.c +++ b/tests/unit_tests/openvpn/test_auth_token.c @@ -30,7 +30,9 @@ #include "syshead.h" #include +#ifdef HAVE_UNISTD_H #include +#endif #include #include #include diff --git a/tests/unit_tests/openvpn/test_crypto.c b/tests/unit_tests/openvpn/test_crypto.c index af83da689..edbee2c95 100644 --- a/tests/unit_tests/openvpn/test_crypto.c +++ b/tests/unit_tests/openvpn/test_crypto.c @@ -30,7 +30,11 @@ #include "syshead.h" #include + +#ifdef HAVE_UNISTD_H #include +#endif + #include #include #include diff --git a/tests/unit_tests/openvpn/test_misc.c b/tests/unit_tests/openvpn/test_misc.c index c3bea8fc8..f09ad4ba0 100644 --- a/tests/unit_tests/openvpn/test_misc.c +++ b/tests/unit_tests/openvpn/test_misc.c @@ -30,7 +30,9 @@ #include "syshead.h" #include +#ifdef HAVE_UNISTD_H #include +#endif #include #include #include diff --git a/tests/unit_tests/openvpn/test_ncp.c b/tests/unit_tests/openvpn/test_ncp.c index 4077be5e8..5a886ca26 100644 --- a/tests/unit_tests/openvpn/test_ncp.c +++ b/tests/unit_tests/openvpn/test_ncp.c @@ -30,7 +30,9 @@ #include "syshead.h" #include +#ifdef HAVE_UNISTD_H #include +#endif #include #include #include diff --git a/tests/unit_tests/openvpn/test_tls_crypt.c b/tests/unit_tests/openvpn/test_tls_crypt.c index 218772e8b..15788aa2f 100644 --- a/tests/unit_tests/openvpn/test_tls_crypt.c +++ b/tests/unit_tests/openvpn/test_tls_crypt.c 
@@ -30,7 +30,9 @@ #include "syshead.h" #include +#ifdef HAVE_UNISTD_H #include +#endif #include #include #include From patchwork Wed May 12 03:15:08 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1807 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director10.mail.ord1d.rsapps.net ([172.31.255.6]) by backend30.mail.ord1d.rsapps.net with LMTP id 0EdMNyrVm2DQdQAAIUCqbw (envelope-from ) for ; Wed, 12 May 2021 09:16:26 -0400 Received: from proxy13.mail.iad3b.rsapps.net ([172.31.255.6]) by director10.mail.ord1d.rsapps.net with LMTP id mOgQNyrVm2CXAQAApN4f7A (envelope-from ) for ; Wed, 12 May 2021 09:16:26 -0400 Received: from smtp36.gate.iad3b ([172.31.255.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy13.mail.iad3b.rsapps.net with LMTPS id iASSMSrVm2CfWQAAvUvv+w (envelope-from ) for ; Wed, 12 May 2021 09:16:26 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp36.gate.iad3b.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 40f019c8-b324-11eb-bdb7-5254003a7283-1-1 Received: from [216.105.38.7] ([216.105.38.7:48576] helo=lists.sourceforge.net) by smtp36.gate.iad3b.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 03/3A-04616-925DB906; Wed, 12 May 2021 09:16:26 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp 
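Review bot: the test_crypto.c hunk adds two extra blank lines (one before `#ifdef HAVE_UNISTD_H`, one after `#endif`) that none of the other five hunks add; keep the six guards uniform, either all with or all without the padding. Placing the guard after `#include "syshead.h"` is the right order, since that include is what makes the configure-generated HAVE_UNISTD_H visible to the test file.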
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 12 May 2021 15:15:08 +0200
Message-Id: <20210512131511.1309914-7-arne@rfc2549.org>
In-Reply-To: <20210512131511.1309914-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 6/9] Add noreturn attribute for MSVC to assert_failed method.

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 src/openvpn/error.h | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/error.h b/src/openvpn/error.h
index 1a5521654..469afe20a 100644
--- a/src/openvpn/error.h
+++ b/src/openvpn/error.h
@@ -202,8 +202,14 @@ FILE *msg_fp(const unsigned int flags); #define ASSERT(x) do { if (!(x)) {assert_failed(__FILE__, __LINE__, NULL);}} while (false) #endif +#ifdef _MSC_VER +__declspec(noreturn) +#endif void assert_failed(const char *filename, int line, const char *condition) -__attribute__((__noreturn__)); +#ifndef _MSC_VER +__attribute__((__noreturn__)) +#endif +; /* Poor-man's static_assert() for when not supplied by assert.h, taken from * Linux's sys/cdefs.h under GPLv2 */ From patchwork Wed May 12 03:15:09 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1810 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director7.mail.ord1d.rsapps.net ([172.31.255.6]) by backend30.mail.ord1d.rsapps.net with LMTP id MPRAGC3Vm2A2dgAAIUCqbw (envelope-from ) for ; Wed, 12 May 2021 09:16:29 -0400 Received: from proxy11.mail.iad3b.rsapps.net ([172.31.255.6]) by director7.mail.ord1d.rsapps.net with LMTP id uHUFGC3Vm2ADcQAAovjBpQ (envelope-from ) for ; Wed, 12 May 2021 09:16:29 -0400 Received: from smtp33.gate.iad3b ([172.31.255.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy11.mail.iad3b.rsapps.net with LMTPS id IAU4ES3Vm2CTSQAARNREpw (envelope-from ) for ; Wed, 12 May 2021 09:16:29 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp33.gate.iad3b.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 42493a48-b324-11eb-979c-525400fb5834-1-1 
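Review bot: splitting the attribute across two preprocessor blocks leaves the prototype as `void assert_failed(...)` followed by a guarded attribute and a bare `;` on its own line, which is easy to misread and has to be repeated for every future noreturn function. A single macro defined once in this header, `#ifdef _MSC_VER` / `#define NORETURN __declspec(noreturn)` / `#else` / `#define NORETURN __attribute__((__noreturn__))` / `#endif`, lets the declaration read `NORETURN void assert_failed(const char *filename, int line, const char *condition);` on both compilers, since GCC and Clang accept the attribute in prefix position as well.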
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 12 May 2021 15:15:09 +0200
Message-Id: <20210512131511.1309914-8-arne@rfc2549.org>
In-Reply-To: <20210512131511.1309914-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 7/9] Move utility function from win32.c to win32-util.c

This is done to allow including parts of win32.c when building unit tests, as win32.c itself has too many dependencies and cannot be included in a small unit test. Also fix a missing Windows.h include in error.h that otherwise breaks compilation when included from unit tests.

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 src/openvpn/Makefile.am             |   1 +
 src/openvpn/error.h                 |   4 +
 src/openvpn/openvpn.vcxproj         |   2 +
 src/openvpn/openvpn.vcxproj.filters |   3 +
 src/openvpn/win32-util.c            | 137 ++++++++++++++++++++++++++++
 src/openvpn/win32-util.h            |  41 +++++++++
 src/openvpn/win32.c                 |  96 +------------------
 src/openvpn/win32.h                 |   6 --
 8 files changed, 189 insertions(+), 101 deletions(-)
 create mode 100644 src/openvpn/win32-util.c
 create mode 100644 src/openvpn/win32-util.h
diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am index ec84929b0..dec304a06 100644 --- a/src/openvpn/Makefile.am +++ b/src/openvpn/Makefile.am @@ -130,6 +130,7 @@ openvpn_SOURCES = \ tun.c tun.h \ vlan.c vlan.h \ win32.h win32.c \ + win32-util.h win32-util.c \ cryptoapi.h cryptoapi.c openvpn_LDADD = \ $(top_builddir)/src/compat/libcompat.la \ diff --git a/src/openvpn/error.h b/src/openvpn/error.h index 469afe20a..522a83e51 100644 --- a/src/openvpn/error.h +++ b/src/openvpn/error.h @@ -31,6 +31,10 @@ #include +#if _WIN32 +#include +#endif + /* #define ABORT_ON_ERROR */ #ifdef ENABLE_PKCS11 diff --git a/src/openvpn/openvpn.vcxproj b/src/openvpn/openvpn.vcxproj index 182722962..370345a1b 100644 --- a/src/openvpn/openvpn.vcxproj +++ b/src/openvpn/openvpn.vcxproj @@ -283,6 +283,7 @@ + @@ -374,6 +375,7 @@ + diff --git a/src/openvpn/openvpn.vcxproj.filters b/src/openvpn/openvpn.vcxproj.filters index e8aed2c58..a4dbb6cd4 100644 --- a/src/openvpn/openvpn.vcxproj.filters +++ b/src/openvpn/openvpn.vcxproj.filters @@ -207,6 +207,9 @@ Source Files + + Source Files + Source Files diff --git a/src/openvpn/win32-util.c b/src/openvpn/win32-util.c new file mode 100644 index 000000000..9e843dbdd --- /dev/null +++ b/src/openvpn/win32-util.c 
@@ -0,0 +1,137 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2002-2018 OpenVPN Inc + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +/* + * Win32-specific OpenVPN code, targeted at the mingw + * development environment. 
+ */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#elif defined(_MSC_VER) +#include "config-msvc.h" +#endif + +#include "syshead.h" + +#ifdef _WIN32 + +#include "buffer.h" +#include "win32-util.h" + +WCHAR * +wide_string(const char *utf8, struct gc_arena *gc) +{ + int n = MultiByteToWideChar(CP_UTF8, 0, utf8, -1, NULL, 0); + WCHAR *ucs16 = gc_malloc(n * sizeof(WCHAR), false, gc); + MultiByteToWideChar(CP_UTF8, 0, utf8, -1, ucs16, n); + return ucs16; +} + + +/* + * Return true if filename is safe to be used on Windows, + * by avoiding the following reserved names: + * + * CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, + * LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, LPT9, and CLOCK$ + * + * See: http://msdn.microsoft.com/en-us/library/aa365247.aspx + * and http://msdn.microsoft.com/en-us/library/86k9f82k(VS.80).aspx + */ + +static bool +cmp_prefix(const char *str, const bool n, const char *pre) +{ + size_t i = 0; + + if (!str) + { + return false; + } + + while (true) + { + const int c1 = pre[i]; + int c2 = str[i]; + ++i; + if (c1 == '\0') + { + if (n) + { + if (isdigit(c2)) + { + c2 = str[i]; + } + else + { + return false; + } + } + return c2 == '\0' || c2 == '.'; + } + else if (c2 == '\0') + { + return false; + } + if (c1 != tolower(c2)) + { + return false; + } + } +} + +bool +win_safe_filename(const char *fn) +{ + if (cmp_prefix(fn, false, "con")) + { + return false; + } + if (cmp_prefix(fn, false, "prn")) + { + return false; + } + if (cmp_prefix(fn, false, "aux")) + { + return false; + } + if (cmp_prefix(fn, false, "nul")) + { + return false; + } + if (cmp_prefix(fn, true, "com")) + { + return false; + } + if (cmp_prefix(fn, true, "lpt")) + { + return false; + } + if (cmp_prefix(fn, false, "clock$")) + { + return false; + } + return true; +} +#endif /* _WIN32 */ \ No newline at end of file diff --git a/src/openvpn/win32-util.h b/src/openvpn/win32-util.h new file mode 100644 index 000000000..aec123efb --- /dev/null 
+++ b/src/openvpn/win32-util.h @@ -0,0 +1,41 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2002-2018 OpenVPN Inc + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#ifdef _WIN32 +#ifndef OPENVPN_WIN32_UTIL_H +#define OPENVPN_WIN32_UTIL_H + +#include + +#include "mtu.h" +#include "openvpn-msg.h" +#include "argv.h" + +/* Convert a string from UTF-8 to UCS-2 */ +WCHAR *wide_string(const char *utf8, struct gc_arena *gc); + +/* return true if filename is safe to be used on Windows */ +bool win_safe_filename(const char *fn); + +#endif /* OPENVPN_WIN32_UTIL_H */ +#endif /* ifdef _WIN32 */ diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c index 7e9131657..629ebbd9b 100644 --- a/src/openvpn/win32.c +++ b/src/openvpn/win32.c @@ -41,6 +41,7 @@ #include "mtu.h" #include "run_command.h" #include "sig.h" +#include "win32-util.h" #include "win32.h" #include "openvpn-msg.h" 
@@ -879,92 +880,6 @@ netcmd_semaphore_release(void) semaphore_close(&netcmd_semaphore); } -/* - * Return true if filename is safe to be used on Windows, - * by avoiding the following reserved names: - * - * CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, - * LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, LPT9, and CLOCK$ - * - * See: http://msdn.microsoft.com/en-us/library/aa365247.aspx - * and http://msdn.microsoft.com/en-us/library/86k9f82k(VS.80).aspx - */ - -static bool -cmp_prefix(const char *str, const bool n, const char *pre) -{ - size_t i = 0; - - if (!str) - { - return false; - } - - while (true) - { - const int c1 = pre[i]; - int c2 = str[i]; - ++i; - if (c1 == '\0') - { - if (n) - { - if (isdigit(c2)) - { - c2 = str[i]; - } - else - { - return false; - } - } - return c2 == '\0' || c2 == '.'; - } - else if (c2 == '\0') - { - return false; - } - if (c1 != tolower(c2)) - { - return false; - } - } -} - -bool -win_safe_filename(const char *fn) -{ - if (cmp_prefix(fn, false, "con")) - { - return false; - } - if (cmp_prefix(fn, false, "prn")) - { - return false; - } - if (cmp_prefix(fn, false, "aux")) - { - return false; - } - if (cmp_prefix(fn, false, "nul")) - { - return false; - } - if (cmp_prefix(fn, true, "com")) - { - return false; - } - if (cmp_prefix(fn, true, "lpt")) - { - return false; - } - if (cmp_prefix(fn, false, "clock$")) - { - return false; - } - return true; -} - /* * Service functions for openvpn_execve */ @@ -1153,15 +1068,6 @@ openvpn_execve(const struct argv *a, const struct env_set *es, const unsigned in return ret; } -WCHAR * -wide_string(const char *utf8, struct gc_arena *gc) -{ - int n = MultiByteToWideChar(CP_UTF8, 0, utf8, -1, NULL, 0); - WCHAR *ucs16 = gc_malloc(n * sizeof(WCHAR), false, gc); - MultiByteToWideChar(CP_UTF8, 0, utf8, -1, ucs16, n); - return ucs16; -} - /* * call ourself in another process */ diff --git a/src/openvpn/win32.h b/src/openvpn/win32.h index da85ed4d7..235738356 100644 
--- a/src/openvpn/win32.h +++ b/src/openvpn/win32.h @@ -272,9 +272,6 @@ void netcmd_semaphore_release(void); /* Set Win32 security attributes structure to allow all access */ bool init_security_attributes_allow_all(struct security_attributes *obj); -/* return true if filename is safe to be used on Windows */ -bool win_safe_filename(const char *fn); - /* add constant environmental variables needed by Windows */ struct env_set; 
@@ -291,9 +288,6 @@ void fork_to_self(const char *cmdline); /* Find temporary directory */ const char *win_get_tempdir(void); -/* Convert a string from UTF-8 to UCS-2 */ -WCHAR *wide_string(const char *utf8, struct gc_arena *gc); - bool win_wfp_block_dns(const NET_IFINDEX index, const HANDLE msg_channel); bool win_wfp_uninit(const NET_IFINDEX index, const HANDLE msg_channel); From patchwork Wed May 12 03:15:10 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1808 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director14.mail.ord1d.rsapps.net ([172.31.255.6]) by backend30.mail.ord1d.rsapps.net with LMTP id APbFAivVm2ATdgAAIUCqbw (envelope-from ) for ; Wed, 12 May 2021 09:16:27 -0400 Received: from proxy6.mail.iad3b.rsapps.net ([172.31.255.6]) by director14.mail.ord1d.rsapps.net with LMTP id MA0vAivVm2C3dwAAeJ7fFg (envelope-from ) for ; Wed, 12 May 2021 09:16:27 -0400 Received: from smtp8.gate.iad3b ([172.31.255.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy6.mail.iad3b.rsapps.net with LMTPS id 4MqcNSrVm2CvUAAARawThA (envelope-from ) for ; Wed, 12 May 2021 09:16:26 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp8.gate.iad3b.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 40ec4e38-b324-11eb-ad6d-5254005eee35-1-1 Received: from [216.105.38.7] ([216.105.38.7:41478] helo=lists.sourceforge.net) by smtp8.gate.iad3b.rsapps.net 
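Review bot: the error.h hunk tests the platform with `#if _WIN32`, whereas the new win32-util.c and win32-util.h in this same patch use `#ifdef _WIN32`. `#if` on an undefined macro silently evaluates to 0, so it works, but it is inconsistent and trips -Wundef; use `#ifdef _WIN32` here too.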
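Review bot: the new win32-util.c ends with `\ No newline at end of file`; add the trailing newline before merging. Separately, since cmp_prefix() is moved verbatim, note for a follow-up that `int c2 = str[i]` hands a plain char to isdigit()/tolower(), which is undefined for negative values when char is signed (any non-ASCII byte in a filename); casting through `(unsigned char)` fixes that, but it is a behaviour change and belongs in its own patch rather than in a pure move.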
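Review bot: win32-util.h includes mtu.h, openvpn-msg.h and argv.h, but the two prototypes it declares need only WCHAR from the system header and `struct gc_arena`. Given the stated aim of keeping the unit-test dependency footprint small, drop those three includes and add a `struct gc_arena;` forward declaration (or include buffer.h, as win32-util.c already does).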
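Review bot: the two prototypes are removed from win32.h, but in this diffstat no file other than win32.c gains `#include "win32-util.h"`, so any existing caller of wide_string() or win_safe_filename() that only includes win32.h now compiles against an implicit declaration (an error on current compilers). Either have win32.h include win32-util.h or update those callers in the same patch.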
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 12 May 2021 15:15:10 +0200
Message-Id: <20210512131511.1309914-9-arne@rfc2549.org>
In-Reply-To: <20210512131511.1309914-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 8/9] Document stub-v2 being basically an alias for no compression at all

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 doc/man-sections/protocol-options.rst | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/doc/man-sections/protocol-options.rst b/doc/man-sections/protocol-options.rst
index 4b6928c68..34d4255ee 100644
--- a/doc/man-sections/protocol-options.rst +++ b/doc/man-sections/protocol-options.rst 
@@ -96,6 +96,11 @@ configured in a compatible way between both the local and remote side. other variants always add one extra framing byte compared to no compression framing. + Especially :code:`stub-v2` is essentially identical to no compression and + no compression framing as its header indicates IP version 5 in a tun setup + and can (ab)used to complete disable compression to clients. (See the + :code:`migrate option below) + If the ``algorithm`` parameter is :code:`stub`, :code:`stub-v2` or empty, compression will be turned off, but the packet framing for compression will still be enabled, allowing a different setting to be pushed later. From patchwork Wed May 12 03:15:11 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1809 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director10.mail.ord1d.rsapps.net ([172.31.255.6]) by backend30.mail.ord1d.rsapps.net with LMTP id gD/XLCvVm2DQdQAAIUCqbw (envelope-from ) for ; Wed, 12 May 2021 09:16:27 -0400 Received: from proxy5.mail.iad3b.rsapps.net ([172.31.255.6]) by director10.mail.ord1d.rsapps.net with LMTP id sJ6xLCvVm2CsAQAApN4f7A (envelope-from ) for ; Wed, 12 May 2021 09:16:27 -0400 Received: from smtp34.gate.iad3b ([172.31.255.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy5.mail.iad3b.rsapps.net with LMTPS id cKJzJCvVm2AgGAAA13hMnw (envelope-from ) for ; Wed, 12 May 2021 09:16:27 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp34.gate.iad3b.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification 
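Review bot: the added paragraph has an unterminated inline literal, `:code:`migrate option below)` is missing its closing backtick, so docutils will warn and render the rest of the sentence as literal text; it should read :code:`migrate` option below. The same paragraph also needs "can (ab)used to complete disable compression to clients" changed to "can be (ab)used to completely disable compression for clients", and "Especially :code:`stub-v2` is" reads better as "In particular, :code:`stub-v2` is".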
From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Wed, 12 May 2021 15:15:11 +0200 Message-Id: <20210512131511.1309914-10-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20210512131511.1309914-1-arne@rfc2549.org> References: <20210512131511.1309914-1-arne@rfc2549.org> MIME-Version: 1.0 Subject: [Openvpn-devel] [PATCH 9/9] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint
This is meant to give new users a quickstart for a usable OpenVPN setup. Our own documentation is lacking in this regard and many tutorials that can be found online are often questionable in some aspects. Linking the individual RST file on github also gives a tutorial in a nicely formatted way.
Signed-off-by: Arne Schwabe
---
Changes.rst | 4 + doc/Makefile.am | 1 + doc/man-sections/example-fingerprint.rst | 194 +++++++++++++++++++++++ 3 files changed, 199 insertions(+) create mode 100644 doc/man-sections/example-fingerprint.rst
diff --git a/Changes.rst b/Changes.rst index 9185b55f7..f1c739f99 100644 --- a/Changes.rst +++ b/Changes.rst
@@ -25,6 +25,10 @@ Certificate pinning/verify peer fingerprint fingerprint of the peer. The option takes use a number of allowed SHA256 certificate fingerprints. + See the man page section "Small OpenVPN setup with peer-fingerprint" + for a tutorial how to use this feature. This is also available online + under https://github.com/openvpn/openvpn/blob/master/doc/man-sections/example-fingerprint.rst + TLS mode with self-signed certificates When ``--peer-fingerprint`` is used, the ``--ca`` and ``--capath`` option become optional. This allows for small OpenVPN setups without setting up diff --git a/doc/Makefile.am b/doc/Makefile.am index e411f5f9d..e7022c085 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -25,6 +25,7 @@ dist_noinst_DATA = \ man-sections/connection-profiles.rst \ man-sections/encryption-options.rst \ man-sections/examples.rst \ + man-sections/examples.rst \ man-sections/generic-options.rst \ man-sections/inline-files.rst \ man-sections/link-options.rst \ diff --git a/doc/man-sections/example-fingerprint.rst b/doc/man-sections/example-fingerprint.rst new file mode 100644 index 000000000..7d915aedb --- /dev/null +++ b/doc/man-sections/example-fingerprint.rst 
@@ -0,0 +1,194 @@ +Small OpenVPN setup with peer-fingerprint +========================================= +This section consists of instructions how to build a small OpenVPN setup with the +:code:`peer-fingerprint` option. This setup has the advantage to be easy to setup +and should for most small lab and home setups without the need to setup a PKI. +For bigger scale setup setting up a PKI (e.g. via easy-rsa) is still recommended. + +Both server and client configuration can of course be further modified to individualise the +setup. + +Server setup +------------ +1. Install openvpn + + Compile from source-code (see `INSTALL` file) or install via a distribution (apt/yum/ports) + or via installer (Windows). + +2. Generate a self-signed certificate for the server: + :: + + openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout serverkey.pem -out server.pem -nodes -sha256 -days 3650 -subj '/CN=server' + +3. Generate SHA256 fingerprint of the server certificate + + Use the OpenSSL command line utility to view the fingerprint of just + created certificate: + :: + + openssl x509 -fingerprint -sha256 -in styx-win.pem -noout server.pem + + This output something similar to: + :: + + SHA256 Fingerprint=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff + + +3. Write a server configuration (`server.conf`): +:: + + # The server certificate we created in step 1 + cert server.pem + key serverkey.pem + + dh none + dev tun + + # Listen on IPv6+IPv4 simultaneously + proto udp6 + + # The ip address the server will distribute + server 192.168.234.0 255.255.255.0 + server-ipv6 fd00:6f76:706e::/64 + + # A tun-mtu of 1400 avoids problems of too big packets after VPN encapsulation + tun-mtu 1400 + + # The fingerprints of your clients. 
After adding/remvoing one here restart the + # server + + + + # Notify clients when you restart the server to reconnect quickly + explicit-exit-notify 1 + + # Ping every 60s, restart if no data received for 5 minutes + keepalive 60 300 + +4. Add at least one client as described in the client section. + +5. Start the server. + - On systemd based distributions move `server.pem`, `serverkey.pem` and + `server.conf` to :code:`/etc/openvpn/server` and start it via systemctl + + :: + + sudo mv server.conf server.pem /etc/openvpn + + sudo systemctl start openvpn-server@server + +Adding a client +--------------- +1. Install OpenVPN + +2. Generate a self-signed certificate for the client. In this example the client + name is alice. Each client should have a unique name. Replace alice with a + different name for each client. + :: + + openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -nodes -sha256 -days 3650 -subj '/CN=alice' + + This generate a certificate and a key for the client. The output of the command will look + something like this: + :: + + -----BEGIN PRIVATE KEY----- + [base64 content] + -----END PRIVATE KEY----- + ----- + -----BEGIN CERTIFICATE----- + [base 64 content] + -----END CERTIFICATE----- + +3. Create a new client configuration file. In this example we will name the file + `alice.ovpn`: + + :: + + # The name of your server to connect to + remote yourserver.example.net + client + # use a random source port instead the fixed 1194 + nobind + + # Uncomment the following line if you want to route + # all traffic via the VPN + # redirect-gateway def1 ipv6 + + # To set a a DNS server + # dhcp-option DNS 192.168.234.1 + + + -----BEGIN PRIVATE KEY----- + [Insert here the key created in step 2] + -----END PRIVATE KEY----- + + + -----BEGIN CERTIFICATE----- + [Insert here the certificate created in step 2] + -----END CERTIFICATE----- + + + # This the fingerprint of the server that we trust. 
We generated this fingerprint + # in step 2 of the server setup + peer-fingerprint 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff + + # The tun-mtu of the client should match the server MTU + tun-mtu 1400 + dev tun + + +4. Generate the fingerprint of the client certificate. For that we will + let OpenSSL read the client configuration file as the x509 command will + ignore anything that is not between the begin and end markers of the certificate: + + :: + + openssl x509 -fingerprint -sha256 -noout -in ./focal-server-locked.ovpn + + This will again output something like + :: + + SHA256 Fingerprint=ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00 + +5. Edit the `server.conf` configuration file and add this new client + fingerprint as additional line between :code:`` + and :code:`` + + After adding *two* clients the part of configuration would look like this: + + :: + + + ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00 + 99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:88:77:66:55:44:33 + + +6. (optional) if the client is an older client that does not support the + :code:`peer-fingerprint` (OpenVPN 2.5 and older, OpenVPN Connect 3.3 + and older), the config can be modified to still work with those. + + Remove the line starting with :code:`peer-fingerprint` line. Then + add a new :code:`` section at the end of the configuration file + with the contents of the :code:`server.pem` created in step 2 of the + server setup. The end of `alice.ovpn` file should like: + + :: + + [...] 
# Beginning of the file skipped + + + # The tun-mtu of the client should match the server MTU + tun-mtu 1400 + dev tun + + + [contents of the server.pem] + + + Note that we put the :code:`` section after the :code:`` section + to make the fingerprint generation from step 4 still work since it will + only use the first certificate its find. + +7. Import the file into the OpenVPN client or just use the + :code:`openvpn alice.ovpn` to start the VPN.
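Review bot: in the Changes.rst hunk, "for a tutorial how to use this feature" should read "for a tutorial on how to use this feature". The entry also calls this a "man page section", but the diffstat touches only Changes.rst, doc/Makefile.am and the new example-fingerprint.rst; nothing in this patch includes the new file from the man page source, so a reader looking for that section in openvpn(8) will not find it unless a follow-up wires it in.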
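Review bot: the doc/Makefile.am hunk adds `man-sections/examples.rst \` a second time instead of the new file; the added line should be `man-sections/example-fingerprint.rst \`. As written, example-fingerprint.rst is missing from dist_noinst_DATA and so from the release tarball, while the duplicate examples.rst entry is merely redundant.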
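Review bot: two commands in example-fingerprint.rst carry leftover filenames from a test setup and fail as written: server step 3 runs `openssl x509 -fingerprint -sha256 -in styx-win.pem -noout server.pem` (should be `-in server.pem`, without the trailing `server.pem`), and client step 4 reads `-in ./focal-server-locked.ovpn` where the file created in client step 3 is `alice.ovpn`. The systemd step says to move `server.pem`, `serverkey.pem` and `server.conf` to /etc/openvpn/server, but the command is `sudo mv server.conf server.pem /etc/openvpn`, which drops the key and uses a directory that openvpn-server@server does not read; suggest `sudo mv server.conf server.pem serverkey.pem /etc/openvpn/server`. Because the key is generated with `-nodes` it is stored unencrypted, so a sentence on restricting its permissions before starting the service belongs here. The server steps are numbered 1, 2, 3, 3, 4, 5; the config comment "The server certificate we created in step 1" refers to step 2, and the client comment "We generated this fingerprint in step 2 of the server setup" points at the wrong step as well. Typos: "remvoing", "and should for most small lab and home setups" (missing "suffice"), "This output something similar" (outputs), "This generate a certificate" (generates), "instead the fixed 1194" (instead of), "should like" (should look like), "its find" (it finds).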