openvpn.git/src/openvpn/init.c, branch release/2.3 Copy of the official OpenVPN git repo Replace strdup() calls for string_alloc() calls 2015-10-04T19:58:06+00:00 Steffan Karger steffan@karger.me 2015-09-21T18:48:33+00:00 6d4920e9d36675ff515da17c1eb301d22d07b489 As reported by Bill Parker in trac #600, strdup() return values are not always correctly checked for failed allocations. This patch adds missing checks by using string_alloc(), which performs the required checks. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <561130FC.8090008@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/10176 Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit ddc7692d245017c71adc40ad5cc195617e39fce0) 
As reported by Bill Parker in trac #600, strdup() return values are not
always correctly checked for failed allocations.  This patch adds missing
checks by using string_alloc(), which performs the required checks.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <561130FC.8090008@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10176
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ddc7692d245017c71adc40ad5cc195617e39fce0)
fix regression: query password before becoming daemon 2015-07-13T19:15:24+00:00 Steffan Karger steffan@karger.me 2015-07-09T21:35:59+00:00 7bde2e1b19e66af22c26c90e1187a4365c9087fc The init sequence was changed to daemonize before the crypto init to fix issues on FreeBSD some commits ago. This introduced a regression where we would no longer query for passwords before daemonizing, as described in trac #574 and #576. This commit restores the correct order, and adds a bit of const correctness since we're touching this now code anyway. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1436477759-5884-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/9901 Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit 315f6fbc7f657a7f1127628bd714f468709d5185) 
The init sequence was changed to daemonize before the crypto init to fix
issues on FreeBSD some commits ago.  This introduced a regression where
we would no longer query for passwords before daemonizing, as described
in trac #574 and #576.

This commit restores the correct order, and adds a bit of const
correctness since we're touching this now code anyway.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1436477759-5884-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9901
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 315f6fbc7f657a7f1127628bd714f468709d5185)
write pid file immediately after daemonizing 2015-06-21T12:29:46+00:00 Steffan Karger steffan@karger.me 2015-06-18T22:08:45+00:00 bce656d27fe06ed364a4acebd3c3d6d996750613 Since we split daemonizing from changing directory in commit da9b292 (f025de005d719201a69ad0313d545a1ddd244752 in release/2.3), we can now simply write the pid file immediately after daemonizing. This not only fixes the bug reported in trac #563, but also further simplifies the code. trac #563 Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1434665325-3225-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/9793 Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit 659eae7b79e5565bb0c93f6d6d04e2163fea1141) 
Since we split daemonizing from changing directory in commit da9b292
(f025de005d719201a69ad0313d545a1ddd244752 in release/2.3), we can
now simply write the pid file immediately after daemonizing.

This not only fixes the bug reported in trac #563, but also further
simplifies the code.

trac #563

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1434665325-3225-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9793
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 659eae7b79e5565bb0c93f6d6d04e2163fea1141)
Call daemon() before initializing crypto library 2015-05-26T14:10:08+00:00 Steffan Karger steffan@karger.me 2015-04-27T14:28:57+00:00 f025de005d719201a69ad0313d545a1ddd244752 But keep the chdir to / at the place where deamon() was before, to preserve the current behaviour wrt relative paths in the config. This should fix the issue reported in trac #480, without changing the behaviour visible to the end user. Note that by moving the daemon() call to an earlier stage of the init process, we no longer have to call platform_mlockall() again, or do a pkcs11_forkFixup(). Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1430144937-4149-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/9609 Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit da9b292733e929a2900dc32d37f0424c3d588366) 
But keep the chdir to / at the place where deamon() was before, to preserve
the current behaviour wrt relative paths in the config.

This should fix the issue reported in trac #480, without changing the
behaviour visible to the end user.

Note that by moving the daemon() call to an earlier stage of the init
process, we no longer have to call platform_mlockall() again, or do a
pkcs11_forkFixup().

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1430144937-4149-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9609
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit da9b292733e929a2900dc32d37f0424c3d588366)
Re-read auth-user-pass file on (re)connect if required 2015-05-23T19:21:33+00:00 Steffan Karger steffan@karger.me 2015-05-23T13:02:25+00:00 6f789d2ec6b6aacb46ab27f1482222c6981faab6 Fixes trac #225 ('--auth-user-pass FILE' and '--auth-nocache' problem). This patch is based on the changes suggested by ye_olde_iron in the trac ticket. Also added a note to the manpage to inform people to use absolute paths when combining --auth-user-pass file and --auth-nocache. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1432386145-15045-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/9717 Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit ac1cb5bfbb9e09e79fd737bc57999d968d77c5ad) 
Fixes trac #225 ('--auth-user-pass FILE' and '--auth-nocache' problem).

This patch is based on the changes suggested by ye_olde_iron in the trac
ticket.  Also added a note to the manpage to inform people to use
absolute paths when combining --auth-user-pass file and --auth-nocache.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1432386145-15045-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9717
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ac1cb5bfbb9e09e79fd737bc57999d968d77c5ad)
include ifconfig_ environment variables in --up-restart env set 2015-05-23T11:39:36+00:00 Jan Just Keijser janjust@nikhef.nl 2015-05-20T02:33:20+00:00 30256bede8f7ef6c82f1c2ed0d9f6c2177002926 here's my patch for bug #93: missing ifconfig_* env vars after up-restart. Tested with both IPv4, IPv6, topology subnet and topology net30 Document differences between --up-restart and --up in openvpn.8 See trac #93 and the discussion starting with <555BF270.3090706@nikhef.nl> on the openvpn-devel mailing list. fix trac #93 Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <555BF270.3090706@nikhef.nl> URL: http://article.gmane.org/gmane.network.openvpn.devel/9705 Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit db950be85d37eab40d8fffe0bc2060059f8a7e10) 
here's my patch for bug #93: missing ifconfig_* env vars after
up-restart. Tested with both IPv4, IPv6, topology subnet and topology net30

Document differences between --up-restart and --up in openvpn.8

See trac #93 and the discussion starting with <555BF270.3090706@nikhef.nl>
on the openvpn-devel mailing list.

fix trac #93

Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <555BF270.3090706@nikhef.nl>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9705
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit db950be85d37eab40d8fffe0bc2060059f8a7e10)
Print helpful error message on --mktun/--rmtun if not available. 2015-04-28T15:13:44+00:00 Gert Doering gert@greenie.muc.de 2015-04-28T11:04:23+00:00 1a7fc1ea2207580693b2801099f8a473f1c07828 OpenVPN only supports --mktun/--rmtun to create/destroy persistant tunnels on Linux. On BSD OSes, "ifconfig tun0 create" can do the same job, so we do not actually need to support it - but the previous error message ("unknown option") wasn't helpful. So always accept the option now, and on non-supported systems, direct user to manpage. Trac #85 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Message-Id: <1430219063-12291-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/9617 (cherry picked from commit 4ad2b65d9deb3197d847d7dcc36715aa5394836f) 
OpenVPN only supports --mktun/--rmtun to create/destroy persistant
tunnels on Linux.  On BSD OSes, "ifconfig tun0 create" can do the
same job, so we do not actually need to support it - but the previous
error message ("unknown option") wasn't helpful.  So always accept
the option now, and on non-supported systems, direct user to manpage.

Trac #85

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Message-Id: <1430219063-12291-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9617
(cherry picked from commit 4ad2b65d9deb3197d847d7dcc36715aa5394836f)
Remove unneeded parameter 'first_time' from possibly_become_daemon() 2015-04-13T19:17:21+00:00 Steffan Karger steffan@karger.me 2015-03-26T00:01:29+00:00 c7f3fd9c603bfd9cef600316d5e76210e6cf54a7 The static helper function possibly_become_daemon() is called only once, by do_init_first_time(), which checks 'first_time' to be true before calling possibly_become_daemon(). This makes the parameter useless. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1427328089-886-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/9555 Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit 857c04ef06cd13d59c5b45332f07996e71372576) 
The static helper function possibly_become_daemon() is called only once,
by do_init_first_time(), which checks 'first_time' to be true before
calling possibly_become_daemon().  This makes the parameter useless.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1427328089-886-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9555
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 857c04ef06cd13d59c5b45332f07996e71372576)
New approach to handle peer-id related changes to link-mtu (2.3 version) 2015-02-27T17:36:46+00:00 Gert Doering gert@greenie.muc.de 2015-02-08T10:18:45+00:00 089d63b2d7ffa98bd40ed1d7eb0e625d37b63c1c Instead of statically increasing link-mtu by +3, keep the old value for OCC compatibility with old servers/clients, and only increase link-mtu if peer-id option is enabled (right now: is pushed by server). If link-mtu has been set in the config, keep configured value, and log warning (because the extra overhead has to decrease tun-mtu). Reserve extra +3 bytes in frame->extra_link. v2: use frame->extra_link, not frame->extra_buffer (receive path on server) introduce frame_add_to_link_mtu() to manipulate frame->link_mtu value rework comments to make more clear what is happening Adaption to 2.3: reserve +8 bytes in frame->extra_buffer - if compression is not enabled, the 2.3 code does not reserve space for compression overhead (2.4 code does), so the buffer ends up being too small. +3 is not sufficient because the buffer handling code also does some alignment tricks... This reverts commit 4ec70ca227370380011d072c09b739135e236183. Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit 9e0963c11aa439deb382d7d6bc40b6ade999401c) Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <1424031695-10218-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/9458 
Instead of statically increasing link-mtu by +3, keep the old value for
OCC compatibility with old servers/clients, and only increase link-mtu
if peer-id option is enabled (right now: is pushed by server).

If link-mtu has been set in the config, keep configured value, and log
warning (because the extra overhead has to decrease tun-mtu).

Reserve extra +3 bytes in frame->extra_link.

v2: use frame->extra_link, not frame->extra_buffer (receive path on server)
    introduce frame_add_to_link_mtu() to manipulate frame->link_mtu value
    rework comments to make more clear what is happening

Adaption to 2.3: reserve +8 bytes in frame->extra_buffer - if compression
    is not enabled, the 2.3 code does not reserve space for compression
    overhead (2.4 code does), so the buffer ends up being too small.
    +3 is not sufficient because the buffer handling code also does some
    alignment tricks...

This reverts commit 4ec70ca227370380011d072c09b739135e236183.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 9e0963c11aa439deb382d7d6bc40b6ade999401c)
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1424031695-10218-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9458
Add client-only support for peer-id. 2014-11-24T20:07:51+00:00 Gert Doering gert@greenie.muc.de 2014-11-23T19:17:30+00:00 0e1fd33247460bdfa65d306e8bcdd3cbafed8b73 This is a reduced version of the peer-id patch from Lev Stipakov implementing only the client side bits - send IV_PROTO=2, accept "peer-id <n>" as pushed option, support P_DATA_V2 packets. v2: remove addition of "struct tls_multi;" to options.h, not needed Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <1416770250-92680-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/9274 
This is a reduced version of the peer-id patch from Lev Stipakov
implementing only the client side bits - send IV_PROTO=2, accept
"peer-id <n>" as pushed option, support P_DATA_V2 packets.

v2: remove addition of "struct tls_multi;" to options.h, not needed

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1416770250-92680-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9274