openvpn.git, branch beta/2.3 Copy of the official OpenVPN git repo Preparing for v2.3.0 2013-01-07T10:53:57+00:00 David Sommerseth davids@redhat.com 2013-01-02T19:13:37+00:00 d690047134a89b262f53a63afed76feb13fc85d0 Signed-off-by: David Sommerseth <davids@redhat.com> 
Signed-off-by: David Sommerseth <davids@redhat.com>
Fix client crash on double PUSH_REPLY. 2013-01-02T12:20:50+00:00 Gert Doering gert@greenie.muc.de 2012-12-25T12:41:50+00:00 2e3b853dd1070435d60a1f11ff4364631c83d6a9 Introduce an extra bool variable c2.pulled_options_md5_init_done to keep track of md5_init state of pulled_options_state - avoid accessing uninitialized state when a second PUSH_REPLY comes in (which only happens under very particular circumstances). Bug tracked down by Arne Schwabe <arne@rfc2549.rrg>. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: 20121225124856.GT22465@greenie.muc.de URL: http://article.gmane.org/gmane.network.openvpn.devel/7216 Signed-off-by: David Sommerseth <davids@redhat.com> (cherry picked from commit 1978db4b9657f0db134f1deaeb1e8400bf6a033e) 
Introduce an extra bool variable c2.pulled_options_md5_init_done to
keep track of md5_init state of pulled_options_state - avoid accessing
uninitialized state when a second PUSH_REPLY comes in (which only happens
under very particular circumstances).

Bug tracked down by Arne Schwabe <arne@rfc2549.rrg>.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: 20121225124856.GT22465@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/7216
Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit 1978db4b9657f0db134f1deaeb1e8400bf6a033e)
Fix parameter type for IP_TOS setsockopt on non-Linux systems. 2012-12-20T08:56:00+00:00 Gert Doering gert@greenie.muc.de 2012-12-19T21:12:41+00:00 a28048a20f46f718c3df3af95e230ab72234f915 Linux uses uint8_t, all BSD based stacks and Solaris use "int" (Windows documentation says "DWORD" and "do not use, use QoS API instead"). Bug reported and fix provided by Torsten Vielhak and Jeremie Le Hen. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com> Message-Id: 20121219212619.GN22465@greenie.muc.de URL: http://article.gmane.org/gmane.network.openvpn.devel/7207 Signed-off-by: David Sommerseth <davids@redhat.com> (cherry picked from commit d39f31d96378aa5eeade74670ffd9e08bf4c7234) 
Linux uses uint8_t, all BSD based stacks and Solaris use "int"  (Windows
documentation says "DWORD" and "do not use, use QoS API instead").

Bug reported and fix provided by Torsten Vielhak and Jeremie Le Hen.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 20121219212619.GN22465@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/7207
Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit d39f31d96378aa5eeade74670ffd9e08bf4c7234)
Preparing for v2.3_rc2 2012-12-17T09:41:32+00:00 David Sommerseth davids@redhat.com 2012-12-17T09:41:32+00:00 a2f40aac86d0d005f7ae2da08ce6c22ac30a1bd5 Signed-off-by: David Sommerseth <davids@redhat.com> 
Signed-off-by: David Sommerseth <davids@redhat.com>
Fix option inconsistency warnings about "proto" and "tun-ipv6" 2012-12-17T09:36:07+00:00 Gert Doering gert@greenie.muc.de 2012-12-16T21:15:20+00:00 f21410729e68b553f391dc036c0372fd3690714e "tun-ipv6" is only sent in option string if running in point-to-point mode (= not --server and not --client or --pull), because in those scenarios it's usually pushed by the server, and the client does not yet have it when comparing options -> needless warning. Completely ignore "proto" values when comparing option strings - this is in preparation for removing proto from the option string in a future release, and to avoid warnings when 2.3 talks to this future release. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com> Message-Id: 1355692520-24362-1-git-send-email-gert@greenie.muc.de URL: http://article.gmane.org/gmane.network.openvpn.devel/7194 Signed-off-by: David Sommerseth <davids@redhat.com> (cherry picked from commit 3b860cf27b9374f6ebe67ff21011661f8ec391c6) 
"tun-ipv6" is only sent in option string if running in point-to-point
mode (= not --server and not --client or --pull), because in those
scenarios it's usually pushed by the server, and the client does not
yet have it when comparing options -> needless warning.

Completely ignore "proto" values when comparing option strings - this
is in preparation for removing proto from the option string in a future
release, and to avoid warnings when 2.3 talks to this future release.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1355692520-24362-1-git-send-email-gert@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/7194
Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit 3b860cf27b9374f6ebe67ff21011661f8ec391c6)
Implement --mssfix handling for IPv6 packets. 2012-12-13T15:46:01+00:00 Gert Doering gert@greenie.muc.de 2012-12-02T21:11:12+00:00 729c8464021ff7c41a7fbb03501465eca55909a3 Rename process_ipv4_header() to process_ip_header() and PIPV4_MSSFIX flag to PIP_MSSFIX, to make visible that it's no longer IPv4-only. Inside process_ip_header(), call out to mss_fixup_ipv6() if --mssfix is active and IPv6 packet seen. Rename mss_fixup() to mss_fixup_ipv4(), implement mss_fixup_ipv6(). Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: 1354482672-16136-2-git-send-email-gert@greenie.muc.de URL: http://article.gmane.org/gmane.network.openvpn.devel/7173 Signed-off-by: David Sommerseth <davids@redhat.com> (cherry picked from commit f0e8997a874a89b3fe1f82109c443232e8967b01) 
Rename process_ipv4_header() to process_ip_header() and PIPV4_MSSFIX
flag to PIP_MSSFIX, to make visible that it's no longer IPv4-only.

Inside process_ip_header(), call out to mss_fixup_ipv6() if --mssfix
is active and IPv6 packet seen.

Rename mss_fixup() to mss_fixup_ipv4(), implement mss_fixup_ipv6().

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: 1354482672-16136-2-git-send-email-gert@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/7173
Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit f0e8997a874a89b3fe1f82109c443232e8967b01)
Fix the proto is used inconsistently warning 2012-12-13T15:46:01+00:00 Arne Schwabe arne@rfc2549.org 2012-12-04T19:42:54+00:00 34bc52d611deec62e7fe56622771b58921d52176 Fix the "WARNING: 'proto' is used inconsistently, local='proto UDP', remote='proto UDPv6'." message. Note that the on wire strings are now always TCPv4 and UDPv4 to be compatible to pre2.3 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: 1354650174-25601-1-git-send-email-arne@rfc2549.org URL: http://article.gmane.org/gmane.network.openvpn.devel/7175 Signed-off-by: David Sommerseth <davids@redhat.com> (cherry picked from commit 38727e09df35245ba0cfe335e23e6b43c817ce58) 
Fix the "WARNING: 'proto' is used inconsistently, local='proto UDP',
remote='proto UDPv6'." message.

Note that the on wire strings are now always TCPv4 and UDPv4 to be
compatible to pre2.3

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1354650174-25601-1-git-send-email-arne@rfc2549.org
URL: http://article.gmane.org/gmane.network.openvpn.devel/7175
Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit 38727e09df35245ba0cfe335e23e6b43c817ce58)
Remove dnsflags_to_socktype, it is not used anywhere 2012-12-13T15:46:01+00:00 Arne Schwabe arne@rfc2549.org 2012-11-30T19:17:47+00:00 e99982218b5549894a94cc3c5f6209219d911ba1 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: 1354303076-13606-1-git-send-email-arne@rfc2549.org URL: http://article.gmane.org/gmane.network.openvpn.devel/7160 Signed-off-by: David Sommerseth <davids@redhat.com> (cherry picked from commit 740137f6bb7b3565054c3a8e894ceca93f2ff0e4) 
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1354303076-13606-1-git-send-email-arne@rfc2549.org
URL: http://article.gmane.org/gmane.network.openvpn.devel/7160
Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit 740137f6bb7b3565054c3a8e894ceca93f2ff0e4)
Avoid recursion in virtual_output_callback_func() 2012-11-29T20:47:57+00:00 David Sommerseth davids@redhat.com 2012-11-16T11:02:06+00:00 5541ea21691b5b39adc4bd3e1ff1af86a050c71d This solves a SEGV situation when using the management API while OpenVPN is closing down. The situation happens when the management socket has closed and OpenVPN tries to write an error about this to the management socket. What happens is that virtual_output_callback_func() is called, which then calls -> man_output_list_push_finalize() -> man_output_standalone() -> man_write() <-- this does the socket write -> man_io_error() -> x_msg() -> virtual_output_print() -> virtual_output_callback_func() (recursion start) virtual_output_callback_func() do have a mechanism to avoid recursion, but that did not keep the recurse counter when man_output_list_push_finalize() is called. This patch just reorganise the recursion block to also keep the counter while calling the other functions from virtual_output_callback_func() Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: 1353063726-25113-1-git-send-email-dazo@users.sourceforge.net URL: http://article.gmane.org/gmane.network.openvpn.devel/7130 (cherry picked from commit b2b66179f6dcc37de9582d5c3044f0357dda3df3) 
This solves a SEGV situation when using the management API while OpenVPN
is closing down.

The situation happens when the management socket has closed and OpenVPN
tries to write an error about this to the management socket.  What happens
is that

 virtual_output_callback_func() is called, which then calls
 -> man_output_list_push_finalize()
    -> man_output_standalone()
       -> man_write()  <-- this does the socket write
          -> man_io_error()
             -> x_msg()
                -> virtual_output_print()
                   -> virtual_output_callback_func() (recursion start)

virtual_output_callback_func() do have a mechanism to avoid recursion,
but that did not keep the recurse counter when
man_output_list_push_finalize()
is called.

This patch just reorganise the recursion block to also keep the counter
while
calling the other functions from virtual_output_callback_func()

Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1353063726-25113-1-git-send-email-dazo@users.sourceforge.net
URL: http://article.gmane.org/gmane.network.openvpn.devel/7130
(cherry picked from commit b2b66179f6dcc37de9582d5c3044f0357dda3df3)
The get_default_gateway() function uses warn() instead of msg() 2012-11-29T20:47:57+00:00 David Sommerseth davids@redhat.com 2012-11-29T13:16:12+00:00 28d9e57638d66fde792a53a3eb6391ddb8bb426f A report on #openvpn pointed out that in his setup three warnings appeard on the console when starting up. $ sudo /usr/local/etc/rc.d/openvpn restart Stopping openvpn. Waiting for PIDS: 33031. Starting openvpn. openvpn: writing to routing socket: No such process openvpn: writing to routing socket: No such process openvpn: writing to routing socket: No such process $ This setup is on FreeBSD using jails with strict access to the routing table. After looking at the code path, this error was found in the BSD sections for get_default_gateway(). But it was using the warn() call instead of msg(M_WARN|M_ERRNO, ...) which causes these warnings to go to stderr instead of the log file. The warning string is also slightly modified to better explain what fails. Reported-by: Thomas Steen Rasmussen <thomas@gibfest.dk> Tested-by: Thomas Steen Rasmussen <thomas@gibfest.dk> Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: 1354194972-5388-1-git-send-email-dazo@users.sourceforge.net URL: http://article.gmane.org/gmane.network.openvpn.devel/7149 (cherry picked from commit b3f19cc4bec6978a128f5af3ab22d8cfa954b064) 
A report on #openvpn pointed out that in his setup three warnings
appeard on the console when starting up.

    $ sudo /usr/local/etc/rc.d/openvpn restart
    Stopping openvpn.
    Waiting for PIDS: 33031.
    Starting openvpn.
    openvpn: writing to routing socket: No such process
    openvpn: writing to routing socket: No such process
    openvpn: writing to routing socket: No such process
    $

This setup is on FreeBSD using jails with strict access to the
routing table.

After looking at the code path, this error was found in the BSD
sections for get_default_gateway().  But it was using the warn()
call instead of msg(M_WARN|M_ERRNO, ...) which causes these
warnings to go to stderr instead of the log file.

The warning string is also slightly modified to better explain
what fails.

Reported-by: Thomas Steen Rasmussen <thomas@gibfest.dk>
Tested-by: Thomas Steen Rasmussen <thomas@gibfest.dk>
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1354194972-5388-1-git-send-email-dazo@users.sourceforge.net
URL: http://article.gmane.org/gmane.network.openvpn.devel/7149
(cherry picked from commit b3f19cc4bec6978a128f5af3ab22d8cfa954b064)