Re: [Openvpn-devel] [PATCH] Add new openssl.cnf to easy-rsa/Windows

2011-06-22 Thread Samuli Seppänen 
Hi,

A new Windows installer based on release/2.2 branch with my easy-rsa
patches applied is now available here:



Also, a standalone version of fixed easy-rsa directory is available here:



It can be extracted to an existing OpenVPN 2.2* install directory - just
move old easy-rsa directory out of the way first. If you can, please
test that it works as excepted. Basic usage on WinXP seemed to work fine:

$ init-config
$ vars
$ clean-all
$ build-ca
$ build-key-server
$ build-key client1

If possible, please test "domake-win" builds and see if/how they break.
This is probably the most important fix for 2.2.1 which we hope to get
out on Friday. Use of easy-rsa is documented in the included README file
and here:



Samuli







> Hi all,
>
> I falsely assumed openssl.cnf was a default file from OpenSSL release
> packages, even though it was heavily modified for easy-rsa. The root
> cause of the issue seems to be that OpenSSL 1.0.0 does not like
> undefined variables in openssl.cnf.  I fixed the Windows side today,
> and a preliminary patch is available here:
>
> 
>
> This patch applies on top of "Fix a build-ca issue on Windows" in
> "master" and fixes Trac ticket #125. A few other things still need
> fixing :
>
> - Lack of file called "easy-rsa/2.0/openssl.cnf"  will probably break
> "domake-win" builds - or at least easy-rsa on installers generated
> with it.
> - openssl-1.0.0.cnf has not yet been tested on *NIX
> - changes to "easy-rsa/2.0/vars" script have not been tested
>
> The added environment variables should not have negative side-effects.
> I'll test Windows installer generation tomorrow to make sure easy-rsa
> works out of the box on Windows. Help with *NIX+OpenSSL 1.0.0 and
> "domake-win" would be appreciated.
>
> Samuli
>> On 20/06/11 12:30, Jan Just Keijser wrote:
>> [...snip...]
>> >> Samuli, can you please look closer into this?  I did a more
>> careful diff
>> >> from 2.0/openssl.cnf and Windows/openssl.cnf ... and it seems quite
>> >> different.  Can we please unite them?
>> >>
>> >> JJK: Do you know which differences are needed between Windows and
>> >> non-Windows?
>> >>
>> >>   
>> > I just checked that the openssl.cnf file shipped with the windows
>> version
>> > of  openvpn 2.1.4 is identical to the easy-rsa/2.0 version - is
>> there any
>> > reason not to do the same for openvpn 2.2?
>>
>>
>> Good question!
>>
>> Samuli, what do you think?  Could we actually just move the
>> 2.0/openssl.cnf
>> to a common directory where the installers will pick this config
>> file?  To
>> have the same file in more places in the source tree sounds chaotic
>> for me,
>> especially when 2.1.4 uses the same file everywhere.
>>
>> I'd suggest ./easy-rsa as a good common base.
>>
>> I'm also wondering if we need to still carry easy-rsa/1.0 in the source
>> tree.  It looks rather dead ...
>>
>> $ git log --follow --oneline ./easy-rsa/1.0/
>> 3c7f2f5 version 2.1_beta1
>>
>> Compared to this:
>>
>> $ git log --follow --oneline ./easy-rsa/2.0/
>> 6dc6019 pkitool lacks expected option "--help"
>> 2d4e768 bash->bourne script cleanup
>> 564a210 Updated copyright date to 2010.
>> 9f4725e pkitool lacks expected option "--help"
>> d7fa38f Update copyright to 2009.
>> 2534aa4 Fixed revoke-full to deal with issue arising from addition ...
>> dbec0a2 Modified pkitool to allow flexibility in separating the Com...
>> d56dec6 Change to pkitool/openssl.cnf so that calling scripts can s...
>> 367ed08 Copyright notice changed to reflect change in name of Telet...
>> 1c0cc4a Copyright change OpenVPN Solutions LLC -> Telethra, Inc.
>> eca8691 Updated copyright notice to 2008.
>> 4d90d73 Updated version & changelog.
>> d4fb6d4 Set tool defaults in pkitool.
>> eba4632 Added note about alternative version of easy-rsa that suppo...
>> 8d54351 Clean up configure on FreeBSD for recent autotool versions ...
>> acb567c A few more updates: -r 1015:1025 https://svn.openvpn.net/pr...
>> a8105c6 Merged PKCS#11 extensions to easy-rsa/2.0  (Alon Bar-Lev). ...
>> 513baee Small fixes: * Fixed variable declaration in crypto.c that ...
>> 411e89a Merged --remote-cert-ku, --remote-cert-eku, and --remote-ce...
>> 8810c26 Moved easy-rsa 2.0 scripts to easy-rsa/2.0 to be compatible...
>>
>> $ git log --follow --oneline ./easy-rsa/Windows/
>> 54c739e Revert "Add new openssl.cnf to easy-rsa/Windows"
>> 663860a Add new openssl.cnf to easy-rsa/Windows
>> 3810843 Fix a build-ca issue on Windows
>> 6b2883a Change all CRLF linefeeds to LF linefeeds
>> d0b4271 In Windows build, package a statically linked openssl.exe t...
>> 4030142 The easy-rsa directory installed by the windows installer c...
>> 6fbf66f This is the start of the BETA21 branch. It includes the --t...
>>
>>
>> kind regards,
>>

Re: [Openvpn-devel] [PATCH 0/8] OpenVPN Doxygen patches

2011-06-22 Thread Adriaan de Jong 
> One immediate comment, though.  Is there a reason the doc_*.[ch] files
> are
> not in a separate sub-directory?  Would it be possible to move all the
> new
> doxygen related files into, say, a ./doxygen directory?  This is just
> to
> isolate all which is purely doxygen stuff in one place.

Good idea, I've sent out a patch that does exactly that!

Adriaan

[Openvpn-devel] [PATCH 3/8] Added control channel crypto docs

2011-06-22 Thread Adriaan de Jong 
Signed-off-by: Adriaan de Jong 
---
 doc_control_tls.h|  105 ++
 doc_key_generation.h |  148 ++
 ssl.c|  303 ++---
 ssl.h|  528 +-
 4 files changed, 841 insertions(+), 243 deletions(-)
 create mode 100644 doc_control_tls.h
 create mode 100644 doc_key_generation.h

diff --git a/doc_control_tls.h b/doc_control_tls.h
new file mode 100644
index 000..dd3a41c
--- /dev/null
+++ b/doc_control_tls.h
@@ -0,0 +1,105 @@
+/*
+ *  OpenVPN -- An application to securely tunnel IP networks
+ * over a single TCP/UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ *  Copyright (C) 2010 Fox Crypto B.V. 
+ *
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2
+ *  as published by the Free Software Foundation.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program (see the file COPYING included with this
+ *  distribution); if not, write to the Free Software Foundation, Inc.,
+ *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
+/**
+ * @file
+ * Control Channel TLS module documentation file.
+ */
+
+/**
+ * @defgroup control_tls Control Channel TLS module
+ * 
+ * This module provides secure encapsulation of control channel messages
+ * exchanged between OpenVPN peers.
+ * 
+ * The Control Channel TLS module uses the Transport Layer Security (TLS)
+ * protocol to provide an encrypted communication channel between the
+ * local OpenVPN process and a remote peer.  This protocol simultaneously
+ * offers certificate-based authentication of the communicating parties.
+ * 
+ * @par This module's roles
+ * The Control Channel TLS module is essential for the security of any
+ * OpenVPN-based system.  On the one hand, it performs the security
+ * operations necessary to protect control channel messages exchanged
+ * between OpenVPN peers.  On the other hand, before the control and data
+ * channels are even setup, it controls the exchange of certificates and
+ * verification of the remote's identity during negotiation of VPN
+ * tunnels.
+ * 
+ * @par
+ * The former role is described below.  The latter is described in the
+ * documentation for the \c verify_callback() function.
+ * 
+ * @par
+ * In other words, this module takes care of the confidentiality and
+ * integrity of data channel communications, and the authentication of
+ * both the communicating parties and the control channel messages
+ * exchanged.
+ * 
+ * @par Initialization and cleanup
+ * Because of the one-to-one relationship between control channel TLS
+ * state and \c key_state structures, the initialization and cleanup of an
+ * instance of the Control Channel TLS module's state happens within the
+ * \c key_state_init() and \c key_state_free() functions.  In other words,
+ * each \c key_state object contains exactly one OpenSSL SSL-BIO object,
+ * which is initialized and cleaned up together with the rest of the \c
+ * key_state object.
+ * 
+ * @par Packet processing functions
+ * This object behaves somewhat like a black box with a ciphertext and a
+ * plaintext I/O port. Its interaction with OpenVPN's control channel
+ * during operation takes place within the \c tls_process() function of
+ * the \link control_processor Control Channel Processor\endlink.  The
+ * following functions are available for processing packets:
+ * - If ciphertext received from the remote peer is available in the \link
+ *   reliable Reliability Layer\endlink:
+ *   - Insert it into the ciphertext-side of the SSL-BIO.
+ *   - Use function: \c key_state_write_ciphertext()
+ * - If ciphertext can be extracted from the ciphertext-side of the
+ *   SSL-BIO:
+ *   - Pass it to the \link reliable Reliability Layer\endlink for sending
+ * to the remote peer.
+ *   - Use function: \c key_state_read_ciphertext()
+ * - If plaintext can be extracted from the plaintext-side of the SSL-BIO:
+ *   - Pass it on to the \link control_processor Control Channel
+ * Processor\endlink for local processing.
+ *   - Use function: \c key_state_read_plaintext()
+ * - If plaintext from the \link control_processor Control Channel
+ *   Processor\endlink is available to be sent to the remote peer:
+ *   - Insert it into the plaintext-side of the SSL-BIO.
+ *   - Use function: \c key_state_write_plaintext() or \c
+ * key_state_write_plaintext_const()
+ * 
+ * @par

[Openvpn-devel] [PATCH 8/8] Added main/control docs

2011-06-22 Thread Adriaan de Jong 
Signed-off-by: Adriaan de Jong 
---
 doc_control_processor.h|  189 +
 doc_data_control.h |  103 +++
 doc_eventloop.h|   67 +++
 doc_external_multiplexer.h |   46 ++
 doc_internal_multiplexer.h |   44 ++
 doc_mainpage.h |  162 +++
 doc_protocol_overview.h|  199 
 doc_tunnel_state.h |  155 ++
 forward.h  |  163 +++-
 mtcp.h |9 ++
 mtu.h  |   68 ---
 mudp.c |   14 +++-
 mudp.h |   29 +++
 multi.h|  161 
 openvpn.c  |   31 +++
 openvpn.h  |  153 --
 16 files changed, 1476 insertions(+), 117 deletions(-)
 create mode 100644 doc_control_processor.h
 create mode 100644 doc_data_control.h
 create mode 100644 doc_eventloop.h
 create mode 100644 doc_external_multiplexer.h
 create mode 100644 doc_internal_multiplexer.h
 create mode 100644 doc_mainpage.h
 create mode 100644 doc_protocol_overview.h
 create mode 100644 doc_tunnel_state.h

diff --git a/doc_control_processor.h b/doc_control_processor.h
new file mode 100644
index 000..506f8ab
--- /dev/null
+++ b/doc_control_processor.h
@@ -0,0 +1,189 @@
+/*
+ *  OpenVPN -- An application to securely tunnel IP networks
+ * over a single TCP/UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ *  Copyright (C) 2010 Fox Crypto B.V. 
+ *
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2
+ *  as published by the Free Software Foundation.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program (see the file COPYING included with this
+ *  distribution); if not, write to the Free Software Foundation, Inc.,
+ *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
+/**
+ * @file
+ * Control Channel Processor module documentation file.
+ */
+
+/**
+ * @defgroup control_processor Control Channel Processor module
+ * 
+ * This module controls the setup and maintenance of VPN tunnels and the
+ * associated security parameters.
+ * 
+ * @par This module's role
+ * The Control Channel Processor module lies at the core of OpenVPN's
+ * activities.  It handles the setup of new VPN tunnels, the negotiation
+ * of data channel security parameters, the managing of active VPN
+ * tunnels, and finally the cleanup of expired VPN tunnels.
+ * 
+ * @par State structures
+ * A large amount of VPN tunnel state information must be stored within an
+ * OpenVPN process.  A wide variety of container structures are used by
+ * this module for that purpose.  Several of these structures are listed
+ * below, and the function of the first three VPN tunnel state containers
+ * is described in more detail later.
+ *  - VPN tunnel state containers:
+ * - \c tls_multi, security parameter state for a single VPN tunnel.
+ *   Contains three instances of the \c tls_session structure.
+ * - \c tls_session, security parameter state of a single session
+ *   within a VPN tunnel.  Contains two instances of the \c key_state
+ *   structure.
+ * - \c key_state, security parameter state of one TLS and data
+ *   channel %key set.
+ *  - Data channel security parameter containers:
+ * - \c key_ctx_bi, container for two sets of OpenSSL cipher and/or
+ *   HMAC context (both directions).  Contains two instances of the \c
+ *   key_ctx structure.
+ * - \c key_ctx, container for one set of OpenSSL cipher and/or HMAC
+ *   context (one directions.
+ *  - Key material containers:
+ * - \c key2, container for two sets of cipher and/or HMAC %key
+ *   material (both directions).  Contains two instances of the \c key
+ *   structure.
+ * - \c key, container for one set of cipher and/or HMAC %key material
+ *   (one direction).
+ * - \c key_direction_state, ordering of %key material within the \c
+ *   key2.key array.
+ *  - Key method 2 random material containers:
+ * - \c key_source2, container for both halves of random material used
+ *   for %key method 2.  Contains two instances of the \c key_source
+ *   structure.
+ * - \c

[Openvpn-devel] [PATCH 4/8] Added compression docs

2011-06-22 Thread Adriaan de Jong 
Signed-off-by: Adriaan de Jong 
---
 doc_compression.h |   92 ++
 lzo.c |   19 ++--
 lzo.h |  279 +
 3 files changed, 341 insertions(+), 49 deletions(-)
 create mode 100644 doc_compression.h

diff --git a/doc_compression.h b/doc_compression.h
new file mode 100644
index 000..0296b27
--- /dev/null
+++ b/doc_compression.h
@@ -0,0 +1,92 @@
+/*
+ *  OpenVPN -- An application to securely tunnel IP networks
+ * over a single TCP/UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ *  Copyright (C) 2010 Fox Crypto B.V. 
+ *
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2
+ *  as published by the Free Software Foundation.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program (see the file COPYING included with this
+ *  distribution); if not, write to the Free Software Foundation, Inc.,
+ *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
+/**
+ * @file Data Channel Compression module documentation file.
+ */
+
+/**
+ * @defgroup compression Data Channel Compression module
+ * 
+ * This module offers compression of data channel packets.
+ * 
+ * @par State structures
+ * The Data Channel Compression module stores its internal state in a \c
+ * lzo_compress_workspace structure.  This state includes flags which
+ * control the module's behavior and preallocated working memory.  One
+ * such structure is present for each VPN tunnel, and is stored in the \c
+ * context.c2.lzo_compwork of the \c context associated with that VPN
+ * tunnel.
+ * 
+ * @par Initialization and cleanup
+ * Every time a new \c lzo_compress_workspace is needed, it must be
+ * initialized using the \c lzo_compress_init() function.  Similarly,
+ * every time a \c lzo_compress_workspace is no longer needed, it must be
+ * cleaned up using the \c lzo_compress_uninit() function.  These
+ * functions take care of the allocation and freeing of internal working
+ * memory, but not of the \c lzo_compress_workspace structures themselves.
+ * 
+ * @par
+ * Because of the one-to-one relationship between \c
+ * lzo_compress_workspace structures and VPN tunnels, the above-mentioned
+ * initialization and cleanup functions are called directly from the \c
+ * init_instance() and \c close_instance() functions, which control the
+ * initialization and cleanup of VPN tunnel instances and their associated
+ * \c context structures.
+ * 
+ * @par Packet processing functions
+ * This module receives data channel packets from the \link data_control
+ * Data Channel Control module\endlink and processes them according to the
+ * settings of the packet's VPN tunnel.  The \link data_control Data
+ * Channel Control module\endlink uses the following interface functions:
+ * - For packets which will be sent to a remote OpenVPN peer: \c
+ *   lzo_compress()
+ * - For packets which have been received from a remote OpenVPN peer: \c
+ *   lzo_decompress()
+ * 
+ * @par Settings that control this module's activity
+ * Whether or not the Data Channel Compression module is active depends on
+ * the compile-time \c USE_LZO preprocessor macro and the runtime flags
+ * stored in \c lzo_compress_workspace.flags of the associated VPN tunnel.
+ * The latter are initialized from \c options.lzo, which gets its value
+ * from the process's configuration sources, such as its configuration
+ * file or command line %options.
+ * 
+ * @par Adaptive compression
+ * The compression module supports adaptive compression.  If this feature
+ * is enabled, the compression routines monitor their own performance and
+ * turn compression on or off depending on whether it is leading to
+ * significantly reduced payload size.
+ * 
+ * @par Compression algorithms
+ * This module uses the Lempel-Ziv-Oberhumer (LZO) compression algorithms.
+ * These offer lossless compression and are designed for high-performance
+ * decompression.  This module uses the external \c lzo library's
+ * implementation of the algorithms.
+ * 
+ * @par
+ * For more information on the LZO library, see:\n
+ * http://www.oberhumer.com/opensource/lzo/
+ */
diff --git a/lzo.c b/lzo.c
index 3d6aa5a..64945d0 100644
--- a/lzo.c
+++ b/lzo.c
@@ -22,6 +22,10 @@
  *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  */

+/**
+ * @file Data Channel Compression module function definitions.
+ */
+
 #include "syshead.h"

 #ifdef

[Openvpn-devel] [PATCH 7/8] Added data channel fragmentation docs

2011-06-22 Thread Adriaan de Jong 
Signed-off-by: Adriaan de Jong 
---
 doc_fragmentation.h |   96 +++
 fragment.h  |  439 ++-
 2 files changed, 461 insertions(+), 74 deletions(-)
 create mode 100644 doc_fragmentation.h

diff --git a/doc_fragmentation.h b/doc_fragmentation.h
new file mode 100644
index 000..e7e9c1e
--- /dev/null
+++ b/doc_fragmentation.h
@@ -0,0 +1,96 @@
+/*
+ *  OpenVPN -- An application to securely tunnel IP networks
+ * over a single TCP/UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ *  Copyright (C) 2010 Fox Crypto B.V. 
+ *
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2
+ *  as published by the Free Software Foundation.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program (see the file COPYING included with this
+ *  distribution); if not, write to the Free Software Foundation, Inc.,
+ *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
+/**
+ * @file
+ * Data Channel Fragmentation module documentation file.
+ */
+
+/**
+ * @defgroup fragmentation Data Channel Fragmentation module
+ * 
+ * The Data Channel Fragmentation module offers fragmentation of data
+ * channel packets.
+ * 
+ * @par State structures
+ * The Data Channel Fragmentation module stores its internal state in a \c
+ * fragment_master structure.  One such structure is present for each VPN
+ * tunnel, and is stored in \c context.c2.fragment of the \c context
+ * associated with that VPN tunnel.
+ * 
+ * @par
+ * The \c fragment_master structure contains one \c fragment_list
+ * structure \c fragment_master.incoming.  This is a list of \c fragment
+ * structures, each of which can store the parts of one fragmented packet
+ * while it is being reassembled.  The \c fragment_master structure also
+ * contains one \c buffer called \c fragment_master.outgoing, in which a
+ * data channel large packet to be sent to a remote OpenVPN peer can be
+ * broken up into parts to be sent one by one.
+ * 
+ * @par Initialization and cleanup
+ * Every time a new \c fragment_master is needed, it must be allocated and
+ * initialized by the \c fragment_init() function.  Similarly, every time
+ * a \c fragment_master is no longer needed, it must be cleaned up using
+ * the \c fragment_free() function.  These functions take care of the
+ * allocation and freeing of the \c fragment_master structure itself and
+ * all internal memory required for the use of that structure.  Note that
+ * this behavior is different from that displayed by the \link compression
+ * Data Channel Compression module\endlink.
+ * 
+ * @par
+ * Because of the one-to-one relationship between \c fragment_master
+ * structures and VPN tunnels, the above-mentioned initialization and
+ * cleanup functions are called directly from the \c init_instance() and
+ * \c close_instance() functions, which control the initialization and
+ * cleanup of VPN tunnel instances and their associated \c context
+ * structures.
+ * 
+ * @par Packet processing functions
+ * This module receives data channel packets from the \link data_control
+ * Data Channel Control module\endlink and processes them according to the
+ * settings of the packet's VPN tunnel.  The \link data_control Data
+ * Channel Control module\endlink uses the following interface functions:
+ * - For packets which will be sent to a remote OpenVPN peer: \c
+ *   fragment_outgoing() \n This function inspects data channel packets as
+ *   they are being made ready to be sent as VPN tunnel packets to a
+ *   remote OpenVPN peer.  If a packet's size is larger than its
+ *   destination VPN tunnel's maximum transmission unit (MTU), then this
+ *   module breaks that packet up into smaller parts, each of which is
+ *   smaller than or equal to the VPN tunnel's MTU.  See \c
+ *   fragment_outgoing() for details.
+ * - For packets which have been received from a remote OpenVPN peer: \c
+ *   fragment_incoming() \n This function inspects data channel packets
+ *   that have been received from a remote OpenVPN peer through a VPN
+ *   tunnel.  It reads the fragmentation header of the packet, and
+ *   depending on its value performs the appropriate action.  See \c
+ *   fragment_incoming() for details.
+ * 
+ * @par Settings that control this module's activity
+ * Whether the Data Channel Fragmentation module is active or not depends
+ * on the compile-time \c ENABLE_FRAGMENT

[Openvpn-devel] [PATCH 6/8] Added memory management documentation

2011-06-22 Thread Adriaan de Jong 
Signed-off-by: Adriaan de Jong 
---
 buffer.h|   57 +++
 doc_memory_management.h |   99 +++
 2 files changed, 147 insertions(+), 9 deletions(-)
 create mode 100644 doc_memory_management.h

diff --git a/buffer.h b/buffer.h
index 1fe3c08..06d5e84 100644
--- a/buffer.h
+++ b/buffer.h
@@ -42,14 +42,30 @@
 #define BUF_INIT_TRACKING
 #endif

-/* basic buffer class for OpenVPN */
-
+/**/
+/**
+ * Wrapper structure for dynamically allocated memory.
+ * 
+ * The actual content stored in a \c buffer structure starts at the memory
+ * location \c buffer.data \c + \c buffer.offset, and has a length of \c
+ * buffer.len bytes.  This, together with the space available before and
+ * after the content, is represented in the pseudocode below:
+@code
+uint8_t *content_start= buffer.data + buffer.offset;
+uint8_t *content_end  = buffer.data + buffer.offset + buffer.len;
+int  prepend_capacity = buffer.offset;
+int  append_capacity  = buffer.capacity - (buffer.offset + buffer.len);
+@endcode
+ */
 struct buffer
 {
-  int capacity;   /* size of buffer allocated by malloc */
-  int offset; /* data starts at data + offset, offset > 0 to allow for 
efficient prepending */
-  int len;/* length of data that starts at data + offset */
-  uint8_t *data;
+  int capacity; /**< Size in bytes of memory allocated by
+ *   \c malloc(). */
+  int offset;   /**< Offset in bytes of the actual content
+ *   within the allocated memory. */
+  int len;  /**< Length in bytes of the actual content
+ *   within the allocated memory. */
+  uint8_t *data;/**< Pointer to the allocated memory. */

 #ifdef BUF_INIT_TRACKING
   const char *debug_file;
@@ -57,18 +73,41 @@ struct buffer
 #endif
 };

-/* for garbage collection */

+/**/
+/**
+ * Garbage collection entry for one dynamically allocated block of memory.
+ * 
+ * This structure represents one link in the linked list contained in a \c
+ * gc_arena structure.  Each time the \c gc_malloc() function is called,
+ * it allocates \c sizeof(gc_entry) + the requested number of bytes.  The
+ * \c gc_entry is then stored as a header in front of the memory address
+ * returned to the caller.
+ */
 struct gc_entry
 {
-  struct gc_entry *next;
+  struct gc_entry *next;/**< Pointer to the next item in the
+ *   linked list. */
 };

+
+/**
+ * Garbage collection arena used to keep track of dynamically allocated
+ * memory.
+ * 
+ * This structure contains a linked list of \c gc_entry structures.  When
+ * a block of memory is allocated using the \c gc_malloc() function, the
+ * allocation is registered in the function's \c gc_arena argument.  All
+ * the dynamically allocated memory registered in a \c gc_arena can be
+ * freed using the \c gc_free() function.
+ */
 struct gc_arena
 {
-  struct gc_entry *list;
+  struct gc_entry *list;/**< First element of the linked list of
+ *   \c gc_entry structures. */
 };

+
 #define BPTR(buf)  (buf_bptr(buf))
 #define BEND(buf)  (buf_bend(buf))
 #define BLAST(buf) (buf_blast(buf))
diff --git a/doc_memory_management.h b/doc_memory_management.h
new file mode 100644
index 000..4549498
--- /dev/null
+++ b/doc_memory_management.h
@@ -0,0 +1,99 @@
+/*
+ *  OpenVPN -- An application to securely tunnel IP networks
+ * over a single TCP/UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ *  Copyright (C) 2010 Fox Crypto B.V. 
+ *
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2
+ *  as published by the Free Software Foundation.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program (see the file COPYING included with this
+ *  distribution); if not, write to the Free Software Foundation, Inc.,
+ *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
+/**
+ * @file
+ * Memory management strategies documentation file.
+ */
+
+/**
+ * @page memory_management OpenVPN's memory management strategies
+ * 
+ * This section describes several implementation details relating to
+ *

[Openvpn-devel] [PATCH 2/8] Added data channel crypto docs

2011-06-22 Thread Adriaan de Jong 
Signed-off-by: Adriaan de Jong 
---
 crypto.h  |  168 +
 doc_data_crypto.h |   75 
 2 files changed, 218 insertions(+), 25 deletions(-)
 create mode 100644 doc_data_crypto.h

diff --git a/crypto.h b/crypto.h
index fcd4661..973677d 100644
--- a/crypto.h
+++ b/crypto.h
@@ -22,6 +22,12 @@
  *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  */

+
+/**
+ * @file
+ */
+
+
 #ifndef CRYPTO_H
 #define CRYPTO_H
 #ifdef USE_CRYPTO
@@ -199,72 +205,118 @@ struct key_type
   const EVP_MD *digest;
 };

-/*
- * A random key.
+
+/**
+ * Container for unidirectional cipher and HMAC %key material.
+ * @ingroup control_processor
  */
 struct key
 {
   uint8_t cipher[MAX_CIPHER_KEY_LENGTH];
+/**< %Key material for cipher operations. */
   uint8_t hmac[MAX_HMAC_KEY_LENGTH];
+/**< %Key material for HMAC operations. */
 };

 #define KEY_DIRECTION_BIDIRECTIONAL 0 /* same keys for both directions */
 #define KEY_DIRECTION_NORMAL1 /* encrypt with keys[0], decrypt with 
keys[1] */
 #define KEY_DIRECTION_INVERSE   2 /* encrypt with keys[1], decrypt with 
keys[0] */

-/*
- * Dual random keys (for encrypt/decrypt)
+/**
+ * Container for bidirectional cipher and HMAC %key material.
+ * @ingroup control_processor
  */
 struct key2
 {
-  int n;
-  struct key keys[2];
+  int n;/**< The number of \c key objects stored
+ *   in the \c key2.keys array. */
+  struct key keys[2];   /**< Two unidirectional sets of %key
+ *   material. */
 };

-/*
- * Used for controlling bidirectional keys
- * vs. a separate key for each direction.
+/**
+ * %Key ordering of the \c key2.keys array.
+ * @ingroup control_processor
+ * 
+ * This structure takes care of correct ordering when using unidirectional
+ * or bidirectional %key material, and allows the same shared secret %key
+ * file to be loaded in the same way by client and server by having one of
+ * the hosts use an reversed ordering.
  */
 struct key_direction_state
 {
-  int out_key;
-  int in_key;
-  int need_keys;
+  int out_key;  /**< Index into the \c key2.keys array for
+ *   the sending direction. */
+  int in_key;   /**< Index into the \c key2.keys array for
+ *   the receiving direction. */
+  int need_keys;/**< The number of key objects necessary
+ *   to support both sending and
+ *   receiving.
+ *   
+ *   This will be 1 if the same keys are
+ *   used in both directions, or 2 if
+ *   there are two sets of unidirectional
+ *   keys. */
 };

-/*
- * A key context for cipher and/or HMAC.
+/**
+ * Container for one set of OpenSSL cipher and/or HMAC contexts.
+ * @ingroup control_processor
  */
 struct key_ctx
 {
-  EVP_CIPHER_CTX *cipher;
-  HMAC_CTX *hmac;
+  EVP_CIPHER_CTX *cipher;   /**< OpenSSL cipher %context. */
+  HMAC_CTX *hmac;   /**< OpenSSL HMAC %context. */
 };

-/*
- * Cipher/HMAC key context for both sending and receiving
- * directions.
+/**
+ * Container for two sets of OpenSSL cipher and/or HMAC contexts for both
+ * sending and receiving directions.
+ * @ingroup control_processor
  */
 struct key_ctx_bi
 {
-  struct key_ctx encrypt;
-  struct key_ctx decrypt;
+  struct key_ctx encrypt;   /**< OpenSSL cipher and/or HMAC contexts
+ *   for sending direction. */
+  struct key_ctx decrypt;   /**< OpenSSL cipher and/or HMAC contexts
+ *   for receiving direction. */
 };

-/*
- * Options for encrypt/decrypt.
+/**
+ * Security parameter state for processing data channel packets.
+ * @ingroup data_crypto
  */
 struct crypto_options
 {
   struct key_ctx_bi *key_ctx_bi;
-  struct packet_id *packet_id;
+/**< OpenSSL cipher and HMAC contexts for
+ *   both sending and receiving
+ *   directions. */
+  struct packet_id *packet_id;  /**< Current packet ID state for both
+ *   sending and receiving directions. */
   struct packet_id_persist *pid_persist;
+/**< Persistent packet ID state for
+ *   keeping state between successive
+ *   OpenVPN process startups. */

 # define CO_PACKET_ID_LONG_FORM  (1<<0)
+/**< Bit-flag indicating whether to use
+ *   OpenVPN's long packet ID format. */
 # define CO_USE_IV

[Openvpn-devel] [PATCH 1/8] Added Doxygen doxyfile

2011-06-22 Thread Adriaan de Jong 
Signed-off-by: Adriaan de Jong 
---
 openvpn.doxyfile |  279 ++
 1 files changed, 279 insertions(+), 0 deletions(-)
 create mode 100644 openvpn.doxyfile

diff --git a/openvpn.doxyfile b/openvpn.doxyfile
new file mode 100644
index 000..be06bfb
--- /dev/null
+++ b/openvpn.doxyfile
@@ -0,0 +1,279 @@
+# Doxyfile 1.5.5
+
+#---
+# Project related configuration options
+#---
+DOXYFILE_ENCODING  = UTF-8
+PROJECT_NAME   = "OpenVPN"
+PROJECT_NUMBER = 
+OUTPUT_DIRECTORY   = doxygen/output
+CREATE_SUBDIRS = NO
+OUTPUT_LANGUAGE= English
+BRIEF_MEMBER_DESC  = YES
+REPEAT_BRIEF   = YES
+ABBREVIATE_BRIEF   = "The $name class" \
+ "The $name widget" \
+ "The $name file" \
+ is \
+ provides \
+ specifies \
+ contains \
+ represents \
+ a \
+ an \
+ the
+ALWAYS_DETAILED_SEC= NO
+INLINE_INHERITED_MEMB  = NO
+FULL_PATH_NAMES= YES
+STRIP_FROM_PATH= ""
+STRIP_FROM_INC_PATH= 
+SHORT_NAMES= NO
+JAVADOC_AUTOBRIEF  = YES # NO
+QT_AUTOBRIEF   = NO
+MULTILINE_CPP_IS_BRIEF = NO
+DETAILS_AT_TOP = NO
+INHERIT_DOCS   = YES
+SEPARATE_MEMBER_PAGES  = NO
+TAB_SIZE   = 8
+ALIASES= 
+OPTIMIZE_OUTPUT_FOR_C  = YES
+OPTIMIZE_OUTPUT_JAVA   = NO
+OPTIMIZE_FOR_FORTRAN   = NO
+OPTIMIZE_OUTPUT_VHDL   = NO
+BUILTIN_STL_SUPPORT= NO
+CPP_CLI_SUPPORT= NO
+SIP_SUPPORT= NO
+DISTRIBUTE_GROUP_DOC   = NO
+SUBGROUPING= YES
+TYPEDEF_HIDES_STRUCT   = NO
+#---
+# Build related configuration options
+#---
+EXTRACT_ALL= YES
+EXTRACT_PRIVATE= YES
+EXTRACT_STATIC = YES
+EXTRACT_LOCAL_CLASSES  = YES
+EXTRACT_LOCAL_METHODS  = YES
+EXTRACT_ANON_NSPACES   = YES
+HIDE_UNDOC_MEMBERS = NO
+HIDE_UNDOC_CLASSES = NO
+HIDE_FRIEND_COMPOUNDS  = NO
+HIDE_IN_BODY_DOCS  = NO
+INTERNAL_DOCS  = NO
+CASE_SENSE_NAMES   = NO
+HIDE_SCOPE_NAMES   = NO
+SHOW_INCLUDE_FILES = YES
+INLINE_INFO= YES
+SORT_MEMBER_DOCS   = YES
+SORT_BRIEF_DOCS= NO
+SORT_GROUP_NAMES   = NO
+SORT_BY_SCOPE_NAME = NO
+GENERATE_TODOLIST  = YES
+GENERATE_TESTLIST  = YES
+GENERATE_BUGLIST   = YES
+GENERATE_DEPRECATEDLIST= YES
+ENABLED_SECTIONS   = 
+MAX_INITIALIZER_LINES  = 30
+SHOW_USED_FILES= YES
+SHOW_DIRECTORIES   = NO
+FILE_VERSION_FILTER= 
+#---
+# configuration options related to warning and progress messages
+#---
+QUIET  = NO
+WARNINGS   = YES
+WARN_IF_UNDOCUMENTED   = YES
+WARN_IF_DOC_ERROR  = YES
+WARN_NO_PARAMDOC   = NO
+WARN_FORMAT= "$file:$line: $text"
+WARN_LOGFILE   = 
+#---
+# configuration options related to the input files
+#---
+INPUT  = .
+INPUT_ENCODING = UTF-8
+FILE_PATTERNS  = *.c \
+ *.cc \
+ *.cxx \
+ *.cpp \
+ *.c++ \
+ *.d \
+ *.java \
+ *.ii \
+ *.ixx \
+ *.ipp \
+ *.i++ \
+ *.inl \
+ *.h \
+ *.hh \
+ *.hxx \
+ *.hpp \
+ *.h++ \
+ *.idl \
+ *.odl \
+ *.cs \
+ *.php \
+ *.php3 \
+ *.inc \
+ *.m \
+ *.mm \
+ *.dox \
+ *.py \
+ *.f90 \
+ *.f \
+ *.vhd \
+ *.vhdl
+RECURSIVE  = YES
+EXCLUDE= 
+EXCLUDE_SYMLINKS   = NO
+EXCLUDE_PATTERNS   = 
+EXCLUDE_SYMBOLS= 
+EXAMPLE_PATH   = 
+EXAMPLE_PATTERNS   = *
+EXAMPLE_RECURSIVE  = NO
+IMAGE_PATH = 
+INPUT_FILTER