[Openvpn-devel] [PATCH] options: don't leak inline'd key material in logfile

2020-07-17 Thread Antonio Quartulli 
With the conversion of the introduction of a bool variable to signal
when a certain string is a filename or the actual (inline'd) key
material, the SHOW_STR() macro is now leaking the inline'd material to
the log file.

This happens because SHOW_STR will just print the content of the passed
argument without any check. With the new logic this should not happen
anymore.

A new macro SHOW_STR_INLINE() is therefore introduced which will check
the appropriate bool member before deciding to print the actual string
content or not.

Trac: #1304
Reported-by: Richard Bonhomme 
Signed-off-by: Antonio Quartulli 
---
 src/openvpn/options.c | 26 +++---
 1 file changed, 15 insertions(+), 11 deletions(-)

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index b6b8d769..8e9d845a 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -973,6 +973,10 @@ pull_filter_type_name(int type)
 
 #define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, "  " #name " = " 
format, (value))
 #define SHOW_STR(var)   SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), 
"'%s'")
+#define SHOW_STR_INLINE(var)SHOW_PARM(var, \
+  o->var ## _inline ? "[INLINE]" : \
+  (o->var ? o->var : "[UNDEF]"), \
+  "'%s'")
 #define SHOW_INT(var)   SHOW_PARM(var, o->var, "%d")
 #define SHOW_UINT(var)  SHOW_PARM(var, o->var, "%u")
 #define SHOW_UNSIGNED(var)  SHOW_PARM(var, o->var, "0x%08x")
@@ -1322,7 +1326,7 @@ show_p2mp_parms(const struct options *o)
 SHOW_BOOL(auth_user_pass_verify_script_via_file);
 SHOW_BOOL(auth_token_generate);
 SHOW_INT(auth_token_lifetime);
-SHOW_STR(auth_token_secret_file);
+SHOW_STR_INLINE(auth_token_secret_file);
 #if PORT_SHARE
 SHOW_STR(port_share_host);
 SHOW_STR(port_share_port);
@@ -1494,11 +1498,11 @@ show_connection_entry(const struct connection_entry *o)
 SHOW_INT(explicit_exit_notification);
 #endif
 
-SHOW_STR(tls_auth_file);
+SHOW_STR_INLINE(tls_auth_file);
 SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true),
   "%s");
-SHOW_STR(tls_crypt_file);
-SHOW_STR(tls_crypt_v2_file);
+SHOW_STR_INLINE(tls_crypt_file);
+SHOW_STR_INLINE(tls_crypt_v2_file);
 }
 
 
@@ -1697,7 +1701,7 @@ show_settings(const struct options *o)
 }
 #endif
 
-SHOW_STR(shared_secret_file);
+SHOW_STR_INLINE(shared_secret_file);
 SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, 
true), "%s");
 SHOW_STR(ciphername);
 SHOW_BOOL(ncp_enabled);
@@ -1722,7 +1726,7 @@ show_settings(const struct options *o)
 SHOW_BOOL(tls_server);
 SHOW_BOOL(tls_client);
 SHOW_INT(key_method);
-SHOW_STR(ca_file);
+SHOW_STR_INLINE(ca_file);
 SHOW_STR(ca_path);
 SHOW_STR(dh_file);
 #ifdef ENABLE_MANAGEMENT
@@ -1732,8 +1736,8 @@ show_settings(const struct options *o)
 }
 else
 #endif
-SHOW_STR(cert_file);
-SHOW_STR(extra_certs_file);
+SHOW_STR_INLINE(cert_file);
+SHOW_STR_INLINE(extra_certs_file);
 
 #ifdef ENABLE_MANAGEMENT
 if ((o->management_flags & MF_EXTERNAL_KEY))
@@ -1742,9 +1746,9 @@ show_settings(const struct options *o)
 }
 else
 #endif
-SHOW_STR(priv_key_file);
+SHOW_STR_INLINE(priv_key_file);
 #ifndef ENABLE_CRYPTO_MBEDTLS
-SHOW_STR(pkcs12_file);
+SHOW_STR_INLINE(pkcs12_file);
 #endif
 #ifdef ENABLE_CRYPTOAPI
 SHOW_STR(cryptoapi_cert);
@@ -1756,7 +1760,7 @@ show_settings(const struct options *o)
 SHOW_STR(tls_export_cert);
 SHOW_INT(verify_x509_type);
 SHOW_STR(verify_x509_name);
-SHOW_STR(crl_file);
+SHOW_STR_INLINE(crl_file);
 SHOW_INT(ns_cert_type);
 {
 int i;
-- 
2.27.0



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH applied] Re: Merge Makefile.am's AUTOMAKE_OPTIONS into configure.ac's AM_INIT_AUTOMAKE.

2020-07-17 Thread Gert Doering 
Your patch has been applied to the master branch.

commit 83d6da5097f79c698500f638ee3c54309b982e03
Author: Matthias Andree
Date:   Fri Jul 17 19:19:18 2020 +0200

 Merge Makefile.am's AUTOMAKE_OPTIONS into configure.ac's AM_INIT_AUTOMAKE.

 Signed-off-by: Matthias Andree 
 Acked-by: David Sommerseth 
 Message-Id: <20200717171918.230727-1-matthias.and...@gmx.de>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20462.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH] Merge Makefile.am's AUTOMAKE_OPTIONS into configure.ac's AM_INIT_AUTOMAKE.

2020-07-17 Thread Matthias Andree 
Am 17.07.20 um 22:15 schrieb David Sommerseth:
> On 17/07/2020 19:19, Matthias Andree wrote:
>> Else one location overwrites options from the other.
>>
>> Signed-off-by: Matthias Andree 
>> ---
>>  Makefile.am  | 3 ---
>>  configure.ac | 4 +++-
>>  2 files changed, 3 insertions(+), 4 deletions(-)
>>
>> diff --git a/Makefile.am b/Makefile.am
>> index 439120e4..d1c10fc5 100644
>> --- a/Makefile.am
>> +++ b/Makefile.am
>> @@ -23,9 +23,6 @@
>>  #  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
>>  #
>>
>> -# This option prevents autoreconf from overriding our COPYING and
>> -# INSTALL targets:
>> -AUTOMAKE_OPTIONS = foreign 1.9
>>  ACLOCAL_AMFLAGS = -I m4
>>
>>  MAINTAINERCLEANFILES = \
>> diff --git a/configure.ac b/configure.ac
>> index 45148892..8ed83bc2 100644
>> --- a/configure.ac
>> +++ b/configure.ac
>> @@ -54,7 +54,9 @@ m4_define([serial_tests], [
>>  awk '{split ($NF,a,"."); if (a[1] == 1 && a[2] >= 12) { 
>> print "serial-tests" }}'
>>  ])
>>  ])
>> -AM_INIT_AUTOMAKE(foreign serial_tests) dnl NB: Do not [quote] this 
>> parameter.
>> +# This foreign option prevents autoreconf from overriding our COPYING and
>> +# INSTALL targets:
>> +AM_INIT_AUTOMAKE(foreign serial_tests 1.9) dnl NB: Do not [quote] this 
>> parameter.
>>  AC_CANONICAL_HOST
>>  AC_USE_SYSTEM_EXTENSIONS
>>
> Acked-By: David Sommerseth 
>
> This works better than the previous attempt, this also passes 'make 
> distcheck'.
>
> I see this patch does not have the subdir-objects flag in the automake
> options; which seems to be the reason why it failed on my RHEL-7 box last
> round.  I'll try to see if I can better understand why.
Without digging too deeply, to me it seems that subdir-objects doesn't
cope too well with the various places that code absolute source file
paths into Makefile.am, and I am always testing out-of-source builds but
figured that I received tons of .deps in the source directory even if
the build directory was outside... so I'll leave subdir-objects rest for
openvpn for now.


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH] Merge Makefile.am's AUTOMAKE_OPTIONS into configure.ac's AM_INIT_AUTOMAKE.

2020-07-17 Thread David Sommerseth 
On 17/07/2020 19:19, Matthias Andree wrote:
> Else one location overwrites options from the other.
> 
> Signed-off-by: Matthias Andree 
> ---
>  Makefile.am  | 3 ---
>  configure.ac | 4 +++-
>  2 files changed, 3 insertions(+), 4 deletions(-)
> 
> diff --git a/Makefile.am b/Makefile.am
> index 439120e4..d1c10fc5 100644
> --- a/Makefile.am
> +++ b/Makefile.am
> @@ -23,9 +23,6 @@
>  #  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
>  #
> 
> -# This option prevents autoreconf from overriding our COPYING and
> -# INSTALL targets:
> -AUTOMAKE_OPTIONS = foreign 1.9
>  ACLOCAL_AMFLAGS = -I m4
> 
>  MAINTAINERCLEANFILES = \
> diff --git a/configure.ac b/configure.ac
> index 45148892..8ed83bc2 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -54,7 +54,9 @@ m4_define([serial_tests], [
>  awk '{split ($NF,a,"."); if (a[1] == 1 && a[2] >= 12) { 
> print "serial-tests" }}'
>  ])
>  ])
> -AM_INIT_AUTOMAKE(foreign serial_tests) dnl NB: Do not [quote] this parameter.
> +# This foreign option prevents autoreconf from overriding our COPYING and
> +# INSTALL targets:
> +AM_INIT_AUTOMAKE(foreign serial_tests 1.9) dnl NB: Do not [quote] this 
> parameter.
>  AC_CANONICAL_HOST
>  AC_USE_SYSTEM_EXTENSIONS
> 

Acked-By: David Sommerseth 

This works better than the previous attempt, this also passes 'make distcheck'.

I see this patch does not have the subdir-objects flag in the automake
options; which seems to be the reason why it failed on my RHEL-7 box last
round.  I'll try to see if I can better understand why.


-- 
kind regards,

David Sommerseth
OpenVPN Inc




signature.asc
Description: OpenPGP digital signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH] Add demo plugin that excercises "CLIENT_CONNECT" and "CLIENT_CONNECT_V2" paths

2020-07-17 Thread Gert Doering 
Hi,

On Fri, Jul 17, 2020 at 09:08:01PM +0200, Gert Doering wrote:
> This is a new "samples" plugin which does not do many useful things,
> besides
>  - show how a plugin is programmed
>  - how the various messages get dispatched
>  - how to pass back information from a client-connect/v2 plugin
>  - how to do async-cc plugins  [not yet implemented]
> 
> the operation of the plugin is controlled by UV_WANT_* environment variables
> controlled by the client ("--setenv UV_WANT_CC_FAIL 1 --push-peer-info"),
> to "fail CLIENT_CONNECT" or "use async-cc for CLIENT_CONNECT_V2" or
> "send 'disable' back from ...") - which is useful for automated testing
> of server success/defer/fail code paths for the CLIENT_CONNECT_* functions.

This is not yet finished - all the async/deferred versions are not there
yet, and I think it wants a "Makefile" to be built properly :-)

It is working nicely though and has already uncovered bugs in current
master.  So, out there for people that want to play with it.

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de


signature.asc
Description: PGP signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH] Add demo plugin that excercises "CLIENT_CONNECT" and "CLIENT_CONNECT_V2" paths

2020-07-17 Thread Gert Doering 
This is a new "samples" plugin which does not do many useful things,
besides
 - show how a plugin is programmed
 - how the various messages get dispatched
 - how to pass back information from a client-connect/v2 plugin
 - how to do async-cc plugins  [not yet implemented]

the operation of the plugin is controlled by UV_WANT_* environment variables
controlled by the client ("--setenv UV_WANT_CC_FAIL 1 --push-peer-info"),
to "fail CLIENT_CONNECT" or "use async-cc for CLIENT_CONNECT_V2" or
"send 'disable' back from ...") - which is useful for automated testing
of server success/defer/fail code paths for the CLIENT_CONNECT_* functions.

See samples/sample-plugins/client-connect/README for details how to do this.
---
 sample/sample-plugins/client-connect/README   |  33 ++
 sample/sample-plugins/client-connect/build|  15 +
 .../client-connect/sample-client-connect.c| 375 ++
 3 files changed, 423 insertions(+)
 create mode 100644 sample/sample-plugins/client-connect/README
 create mode 100755 sample/sample-plugins/client-connect/build
 create mode 100644 sample/sample-plugins/client-connect/sample-client-connect.c

diff --git a/sample/sample-plugins/client-connect/README 
b/sample/sample-plugins/client-connect/README
new file mode 100644
index ..2dd10dc3
--- /dev/null
+++ b/sample/sample-plugins/client-connect/README
@@ -0,0 +1,33 @@
+OpenVPN plugin examples.
+
+Examples provided:
+
+sample-client-connect.c
+
+  - hook to all plugin hooks that openvpn offers
+  - log which hook got called
+  - on CLIENT_CONNECT or CLIENT_CONNECT_V2 set some config variables
+(push "route 192.0.2.x" and other easy recognizeable things)
+
+  - if the environment variable UV_WANT_CC_FAIL is set, fail
+  - if the environment variable UV_WANT_CC_DISABLE is set, reject ("disable")
+  - if the environment variable UV_WANT_CC_ASYNC is set, go to 
+asynchronous/deferred mode on CLIENT_CONNECT, and sleep for 
+${UV_WANT_CC_ASYNC} seconds
+
+  - if the environment variable UV_WANT_CC2_FAIL is set, fail CC2
+  - if the environment variable UV_WANT_CC2_DISABLE is set, reject ("disable")
+  - if the environment variable UV_WANT_CC2_ASYNC is set, go to 
+asynchronous/deferred mode on CLIENT_CONNECT_V2, and sleep for 
+${UV_WANT_CC2_ASYNC} seconds
+
+(this can be client-controlled with --setenv UV_WANT_CC_ASYNC nnn
+ etc. --> for easy testing server code paths)
+
+To build:
+
+  ./build sample-client-connect (Linux/BSD/etc.)
+
+To use in OpenVPN, add to config file:
+
+  plugin sample-client-connect.so (Linux/BSD/etc.)
diff --git a/sample/sample-plugins/client-connect/build 
b/sample/sample-plugins/client-connect/build
new file mode 100755
index ..3f93aa4f
--- /dev/null
+++ b/sample/sample-plugins/client-connect/build
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+#
+# Build an OpenVPN plugin module on *nix.  The argument should
+# be the base name of the C source file (without the .c).
+#
+
+# This directory is where we will look for openvpn-plugin.h
+CPPFLAGS="${CPPFLAGS:--I../../../include}"
+
+CC="${CC:-gcc}"
+CFLAGS="${CFLAGS:--O2 -Wall -Wno-unused-variable -g}"
+
+$CC $CPPFLAGS $CFLAGS -fPIC -c $1.c && \
+$CC $CFLAGS -fPIC -shared $LDFLAGS -Wl,-soname,$1.so -o $1.so $1.o -lc
diff --git a/sample/sample-plugins/client-connect/sample-client-connect.c 
b/sample/sample-plugins/client-connect/sample-client-connect.c
new file mode 100644
index ..36dad4b9
--- /dev/null
+++ b/sample/sample-plugins/client-connect/sample-client-connect.c
@@ -0,0 +1,375 @@
+/*
+ *  OpenVPN -- An application to securely tunnel IP networks
+ * over a single TCP/UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ *  Copyright (C) 2002-2018 OpenVPN Inc 
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2
+ *  as published by the Free Software Foundation.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+/*
+ * This file implements a simple OpenVPN plugin module which
+ * will log the calls made, and send back some config statements
+ * when called on the CLIENT_CONNECT and CLIENT_CONNECT_V2 hooks.
+ *
+ * it can be asked to fail or go to async/deferred mode by setting
+ * environment variables (UV_WANT_CC_FAIL, UV_WANT_CC_ASYNC,
+ * UV_WANT_CC2_ASYNC) - mostly used as a testing vehicle for the
+ * server side code to handle these c

Re: [Openvpn-devel] [PATCH 2/2] Permit make dist* targets without py*-docutils

2020-07-17 Thread Matthias Andree 
Am 17.07.20 um 17:05 schrieb Matthias Andree:
> Signed-off-by: Matthias Andree 
> ---
>  doc/Makefile.am | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/doc/Makefile.am b/doc/Makefile.am
> index add92198..80cb2cb8 100644
> --- a/doc/Makefile.am
> +++ b/doc/Makefile.am
> @@ -59,8 +59,9 @@ else
>  endif
>
>  if HAVE_PYDOCUTILS
> -dist_noinst_DATA += openvpn.8
> -dist_html_DATA = openvpn.8.html
> +nodist_noinst_DATA = openvpn.8
> +nodist_html_DATA = openvpn.8.html
> +EXTRA_DIST = openvpn.8 $(nodist_html_DATA)

NAK - reject - superseded by newer patch.




___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH 1/2] Automake options: add subdir-objects, and clean up

2020-07-17 Thread Matthias Andree 
Am 17.07.20 um 17:05 schrieb Matthias Andree:
> Signed-off-by: Matthias Andree 
> ---
>  Makefile.am  | 1 -
>  configure.ac | 2 +-
>  2 files changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/Makefile.am b/Makefile.am
> index 439120e4..e4125447 100644
> --- a/Makefile.am
> +++ b/Makefile.am


NAK - reject - superseded by newer patch.



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH] Merge Makefile.am's AUTOMAKE_OPTIONS into configure.ac's AM_INIT_AUTOMAKE.

2020-07-17 Thread Matthias Andree 
Am 17.07.20 um 19:09 schrieb Matthias Andree:
> +LT_INIT()
> +

This guy escaped, so NAK on the first version of the patch.



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH] Fix stack buffer overruns in NEXTADDR() macro:

2020-07-17 Thread Matthias Andree 
Am 17.07.20 um 19:09 schrieb Matthias Andree:
> @@ -3727,6 +3727,7 @@ get_default_gateway_ipv6(struct route_ipv6_gateway_info 
> *rgi6,
>  msg(M_WARN, "GDG6: socket #1 failed");
>  goto done;
>  }
> +errno = 0;
>  if (write(sockfd, (char *)&m_rtmsg, l) < 0)
>  {
>  msg(M_WARN, "GDG6: problem writing to routing socket");

This line escaped, so NAK on the first version of the patch.

New patch was sent.



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH] Merge Makefile.am's AUTOMAKE_OPTIONS into configure.ac's AM_INIT_AUTOMAKE.

2020-07-17 Thread Matthias Andree 
Else one location overwrites options from the other.

Signed-off-by: Matthias Andree 
---
 Makefile.am  | 3 ---
 configure.ac | 4 +++-
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 439120e4..d1c10fc5 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -23,9 +23,6 @@
 #  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-# This option prevents autoreconf from overriding our COPYING and
-# INSTALL targets:
-AUTOMAKE_OPTIONS = foreign 1.9
 ACLOCAL_AMFLAGS = -I m4

 MAINTAINERCLEANFILES = \
diff --git a/configure.ac b/configure.ac
index 45148892..8ed83bc2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -54,7 +54,9 @@ m4_define([serial_tests], [
 awk '{split ($NF,a,"."); if (a[1] == 1 && a[2] >= 12) { print 
"serial-tests" }}'
 ])
 ])
-AM_INIT_AUTOMAKE(foreign serial_tests) dnl NB: Do not [quote] this parameter.
+# This foreign option prevents autoreconf from overriding our COPYING and
+# INSTALL targets:
+AM_INIT_AUTOMAKE(foreign serial_tests 1.9) dnl NB: Do not [quote] this 
parameter.
 AC_CANONICAL_HOST
 AC_USE_SYSTEM_EXTENSIONS

--
2.25.4



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH] Fix stack buffer overruns in NEXTADDR() macro:

2020-07-17 Thread Matthias Andree 
copy first, then round up the length when adding padding
to the advance.

Found by: GCC 9.3.0 (FreeBSD)

Signed-off-by: Matthias Andree 
---
 src/openvpn/route.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/openvpn/route.c b/src/openvpn/route.c
index b57da5dd..24563ed6 100644
--- a/src/openvpn/route.c
+++ b/src/openvpn/route.c
@@ -3436,7 +3436,7 @@ struct rtmsg {
 #else  /* if defined(TARGET_SOLARIS) */
 #define NEXTADDR(w, u) \
 if (rtm_addrs & (w)) { \
-l = ROUNDUP( ((struct sockaddr *)&(u))->sa_len); memmove(cp, &(u), l); 
cp += l; \
+l = ((struct sockaddr *)&(u))->sa_len; memmove(cp, &(u), l); cp += 
ROUNDUP(l); \
 }

 #define ADVANCE(x, n) (x += ROUNDUP((n)->sa_len))
--
2.25.4



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH] Remove --no-iv

2020-07-17 Thread David Sommerseth 
This finializes the depreacation started in OpenVPN 2.4, where --no-iv
was made into a NOOP option.

Signed-off-by: David Sommerseth 
---
 Changes.rst  | 3 +++
 doc/man-sections/server-options.rst  | 2 +-
 doc/man-sections/unsupported-options.rst | 2 +-
 src/openvpn/options.c| 5 -
 4 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/Changes.rst b/Changes.rst
index e279d360..7d4fdec6 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -39,6 +39,9 @@ https://community.openvpn.net/openvpn/wiki/DeprecatedOptions
 adds a security weakness.  This was also highlighted during the
 `OpenVPN 2.4 security audit 
`_.
 
+- ``no-iv`` has been removed
+  This option was made into a NOOP option with OpenVPN 2.4.  This has now
+  been completely removed.
 
 Overview of changes in 2.4
 ==
diff --git a/doc/man-sections/server-options.rst 
b/doc/man-sections/server-options.rst
index 2381f5c8..75d174ea 100644
--- a/doc/man-sections/server-options.rst
+++ b/doc/man-sections/server-options.rst
@@ -399,7 +399,7 @@ fast hardware. SSL/TLS authentication must be used in this 
mode.
   ``link-mtu``, ``tun-mtu``, ``proto``, ``ifconfig``,
   ``comp-lzo``, ``fragment``, ``keydir``, ``cipher``,
   ``auth``, ``keysize``, ``secret``,
-  ``no-iv``, ``tls-auth``, ``key-method``, ``tls-server``
+  ``tls-auth``, ``key-method``, ``tls-server``
   and ``tls-client``.
 
   This option requires that ``--disable-occ`` NOT be used.
diff --git a/doc/man-sections/unsupported-options.rst 
b/doc/man-sections/unsupported-options.rst
index 8aff5dd9..05ba3ca2 100644
--- a/doc/man-sections/unsupported-options.rst
+++ b/doc/man-sections/unsupported-options.rst
@@ -19,7 +19,7 @@ longer supported
 
 --no-iv
   Removed in OpenVPN 2.5.  This option should not be used as it weakens the
-  VPN tunnel security.
+  VPN tunnel security.  This has been a NOOP option since OpenVPN 2.4.
 
 --no-replay
   Removed in OpenVPN 2.5.  This option should not be used as it weakens the
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index e1658472..0f0b37d1 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -7985,11 +7985,6 @@ add_option(struct options *options,
 VERIFY_PERMISSION(OPT_P_GENERAL);
 options->mute_replay_warnings = true;
 }
-else if (streq(p[0], "no-iv") && !p[1])
-{
-msg(msglevel,
-"--no-iv is no longer supported. Remove it from client and server 
configs.");
-}
 else if (streq(p[0], "replay-persist") && p[1] && !p[2])
 {
 VERIFY_PERMISSION(OPT_P_GENERAL);
-- 
2.26.0



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH] Merge Makefile.am's AUTOMAKE_OPTIONS into configure.ac's AM_INIT_AUTOMAKE.

2020-07-17 Thread Matthias Andree 
Else one location overwrites options from the other.

Signed-off-by: Matthias Andree 
---
 Makefile.am  | 3 ---
 configure.ac | 6 +-
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 439120e4..d1c10fc5 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -23,9 +23,6 @@
 #  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-# This option prevents autoreconf from overriding our COPYING and
-# INSTALL targets:
-AUTOMAKE_OPTIONS = foreign 1.9
 ACLOCAL_AMFLAGS = -I m4

 MAINTAINERCLEANFILES = \
diff --git a/configure.ac b/configure.ac
index 45148892..717b374a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -54,10 +54,14 @@ m4_define([serial_tests], [
 awk '{split ($NF,a,"."); if (a[1] == 1 && a[2] >= 12) { print 
"serial-tests" }}'
 ])
 ])
-AM_INIT_AUTOMAKE(foreign serial_tests) dnl NB: Do not [quote] this parameter.
+# This foreign option prevents autoreconf from overriding our COPYING and
+# INSTALL targets:
+AM_INIT_AUTOMAKE(foreign serial_tests 1.9) dnl NB: Do not [quote] this 
parameter.
 AC_CANONICAL_HOST
 AC_USE_SYSTEM_EXTENSIONS

+LT_INIT()
+
 AC_ARG_ENABLE(
[lzo],
[AS_HELP_STRING([--disable-lzo], [disable LZO compression support 
@<:@default=yes@:>@])],
--
2.25.4



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH] Remove --no-replay

2020-07-17 Thread David Sommerseth 
The --no-replay feature is considered to be a security weakness, which
was also highlighed during the OpenVPN 2.4 security audit [0].  This
option was added to the DeprecatedOptions[1] list and has been reported
as deprecated since OpenVPN 2.4.

Now we remove it.

URL: [0] 
https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits#OVPN-03-3:Insecureconfigurationoptions:--no-replay
URL: [1] 
https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#Option:--no-replay
Signed-off-by: David Sommerseth 
---
 Changes.rst |  5 
 doc/man-sections/link-options.rst   |  3 +--
 doc/man-sections/server-options.rst |  2 +-
 src/openvpn/crypto.c| 21 ++--
 src/openvpn/crypto.h|  5 +---
 src/openvpn/init.c  | 38 +
 src/openvpn/options.c   | 25 +--
 src/openvpn/options.h   |  1 -
 src/openvpn/ssl.c   | 13 --
 src/openvpn/ssl_common.h|  1 -
 10 files changed, 27 insertions(+), 87 deletions(-)

diff --git a/Changes.rst b/Changes.rst
index 18b03e47..e279d360 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -34,6 +34,11 @@ https://community.openvpn.net/openvpn/wiki/DeprecatedOptions
 With the improved and matured data channel cipher negotiation, the use
 of ``ncp-disable`` should not be necessary anymore.
 
+- ``-no-replay`` has been removed
+This has been listed as a deprecated option since OpenVPN 2.4 and
+adds a security weakness.  This was also highlighted during the
+`OpenVPN 2.4 security audit 
`_.
+
 
 Overview of changes in 2.4
 ==
diff --git a/doc/man-sections/link-options.rst 
b/doc/man-sections/link-options.rst
index c132a623..a4239644 100644
--- a/doc/man-sections/link-options.rst
+++ b/doc/man-sections/link-options.rst
@@ -311,8 +311,7 @@ the local and the remote host.
   order they were received to the TCP/IP protocol stack, provided they
   satisfy several constraints.
 
-  (a)   The packet cannot be a replay (unless ``--no-replay`` is
-specified, which disables replay protection altogether).
+  (a)   The packet cannot be a replay.
 
   (b)   If a packet arrives out of order, it will only be accepted if
 the difference between its sequence number and the highest sequence
diff --git a/doc/man-sections/server-options.rst 
b/doc/man-sections/server-options.rst
index c24aec0b..2381f5c8 100644
--- a/doc/man-sections/server-options.rst
+++ b/doc/man-sections/server-options.rst
@@ -398,7 +398,7 @@ fast hardware. SSL/TLS authentication must be used in this 
mode.
   Options that will be compared for compatibility include ``dev-type``,
   ``link-mtu``, ``tun-mtu``, ``proto``, ``ifconfig``,
   ``comp-lzo``, ``fragment``, ``keydir``, ``cipher``,
-  ``auth``, ``keysize``, ``secret``, ``no-replay``,
+  ``auth``, ``keysize``, ``secret``,
   ``no-iv``, ``tls-auth``, ``key-method``, ``tls-server``
   and ``tls-client``.
 
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 1ce98184..58d7980a 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -340,7 +340,7 @@ crypto_check_replay(struct crypto_options *opt,
 if (!(opt->flags & CO_MUTE_REPLAY_WARNINGS))
 {
 msg(D_REPLAY_ERRORS, "%s: bad packet ID (may be a replay): %s -- "
-"see the man page entry for --no-replay and --replay-window 
for "
+"see the man page entry for --replay-window for "
 "more info or silence this warning with 
--mute-replay-warnings",
 error_prefix, packet_id_net_print(pin, true, gc));
 }
@@ -697,15 +697,9 @@ openvpn_decrypt(struct buffer *buf, struct buffer work,
 void
 crypto_adjust_frame_parameters(struct frame *frame,
const struct key_type *kt,
-   bool packet_id,
bool packet_id_long_form)
 {
-unsigned int crypto_overhead = 0;
-
-if (packet_id)
-{
-crypto_overhead += packet_id_size(packet_id_long_form);
-}
+unsigned int crypto_overhead = packet_id_size(packet_id_long_form);
 
 if (kt->cipher)
 {
@@ -1013,17 +1007,6 @@ fixup_key(struct key *key, const struct key_type *kt)
 gc_free(&gc);
 }
 
-void
-check_replay_consistency(const struct key_type *kt, bool packet_id)
-{
-ASSERT(kt);
-
-if (!packet_id && (cipher_kt_mode_ofb_cfb(kt->cipher)
-   || cipher_kt_mode_aead(kt->cipher)))
-{
-msg(M_FATAL, "--no-replay cannot be used with a CFB, OFB or AEAD mode 
cipher");
-}
-}
 
 /*
  * Generate a random key.  If key_type is provided, make
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index 999f643e..ea1ba5b1 100644
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/

[Openvpn-devel] [PATCH] Fix stack buffer overruns in NEXTADDR() macro:

2020-07-17 Thread Matthias Andree 
copy first, then round up the length when adding padding
to the advance.

Found by: GCC 9.3.0 (FreeBSD)

Signed-off-by: Matthias Andree 
---
 src/openvpn/route.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/route.c b/src/openvpn/route.c
index b57da5dd..7f760e9d 100644
--- a/src/openvpn/route.c
+++ b/src/openvpn/route.c
@@ -3436,7 +3436,7 @@ struct rtmsg {
 #else  /* if defined(TARGET_SOLARIS) */
 #define NEXTADDR(w, u) \
 if (rtm_addrs & (w)) { \
-l = ROUNDUP( ((struct sockaddr *)&(u))->sa_len); memmove(cp, &(u), l); 
cp += l; \
+l = ((struct sockaddr *)&(u))->sa_len; memmove(cp, &(u), l); cp += 
ROUNDUP(l); \
 }

 #define ADVANCE(x, n) (x += ROUNDUP((n)->sa_len))
@@ -3727,6 +3727,7 @@ get_default_gateway_ipv6(struct route_ipv6_gateway_info 
*rgi6,
 msg(M_WARN, "GDG6: socket #1 failed");
 goto done;
 }
+errno = 0;
 if (write(sockfd, (char *)&m_rtmsg, l) < 0)
 {
 msg(M_WARN, "GDG6: problem writing to routing socket");
--
2.25.4



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH applied] Re: client-connect: Add CC_RET_DEFERRED and cope with deferred client-connect

2020-07-17 Thread Gert Doering 
Your patch has been applied to the master branch.

Tested on the test rig, stared-at-code by antonio, and commit-message-adjusted
by me :-) (a few "defferred" and integrating the new call convention).

Pushed, then went out to write a plugin to excercise this a bit more... and
lo and behold, breakage!

If I run a server that has *both* a plugin with the connect handler configured 
(which succeeds) and a client-connect script (which fails), it will sort of 
"stare 
into nothingness".

With only the client-connect script configured, I get:

2020-07-17 18:35:10 us=536817 ... WARNING: Failed running command 
(--client-connect): external program exited with error status: 10
2020-07-17 18:35:11 us=751714 ... PUSH: Received control message: 'PUSH_REQUEST'
2020-07-17 18:35:11 us=751860 ... SENT CONTROL [cron2-freebsd-tc-amd64]: 
'AUTH_FAILED' (status=1)

"all good"

with both configured, I get:

2020-07-17 18:32:34 us=478215 PLUGIN_CALL: POST 
/root/t_server/tun-udp-p2mp-112-mask/sample-client-connect.so/PLUGIN_CLIENT_CONNECT
 status=0
2020-07-17 18:32:34 us=478331 OPTIONS IMPORT: reading client specific options 
from: /tmp/openvpn_cc_36b55f67d059a540483662f8e736189.tmp
2020-07-17 18:32:34 us=478562 PLUGIN sample-cc: OPENVPN_PLUGIN_CLIENT_CONNECT_V2
2020-07-17 18:32:34 us=478670 PLUGIN_CALL: POST 
/root/t_server/tun-udp-p2mp-112-mask/sample-client-connect.so/PLUGIN_CLIENT_CONNECT
 status=0
2020-07-17 18:32:34 us=490057 WARNING: Failed running command 
(--client-connect): external program exited with error status: 10
2020-07-17 18:32:35 us=618131 ... PUSH: Received control message: 'PUSH_REQUEST'
2020-07-17 18:32:40 us=801869 ... PUSH: Received control message: 'PUSH_REQUEST'
2020-07-17 18:32:45 us=948480 ... PUSH: Received control message: 'PUSH_REQUEST'
2020-07-17 18:32:50 us=990555 ... PUSH: Received control message: 'PUSH_REQUEST'
2020-07-17 18:32:56 us=51592 ... PUSH: Received control message: 'PUSH_REQUEST'
2020-07-17 18:33:01 us=311645 ... PUSH: Received control message: 'PUSH_REQUEST'
2020-07-17 18:33:06 us=612242 ... PUSH: Received control message: 'PUSH_REQUEST'
2020-07-17 18:33:11 us=811682 ... PUSH: Received control message: 'PUSH_REQUEST'
2020-07-17 18:33:17 us=11695 ... PUSH: Received control message: 'PUSH_REQUEST'
2020-07-17 18:33:22 us=151679 ... PUSH: Received control message: 'PUSH_REQUEST'
2020-07-17 18:33:27 us=311636 ... PUSH: Received control message: 'PUSH_REQUEST'
2020-07-17 18:33:32 us=351693 ... PUSH: Received control message: 'PUSH_REQUEST'
2020-07-17 18:33:47 us=513879 MULTI: multi_create_instance called
2020-07-17 18:33:47 us=514020 194.97.140.21:51169 Re-using SSL/TLS context

(client retrying after timeout)


Now, if I make the *plugin* fail, it works as requested...

2020-07-17 18:47:21 us=372780 PLUGIN sample-cc: env has UV_WANT_CC_FAIL=10 -> 
fail
2020-07-17 18:47:21 us=372800 PLUGIN_CALL: POST 
/root/t_server/tun-udp-p2mp-112-mask/sample-client-connect.so/PLUGIN_CLIENT_CONNECT
 status=1
2020-07-17 18:47:21 us=372812 PLUGIN_CALL: plugin function 
PLUGIN_CLIENT_CONNECT failed with status 1: 
/root/t_server/tun-udp-p2mp-112-mask/sample-client-connect.so
2020-07-17 18:47:21 us=372824 WARNING: client-connect plugin call failed
2020-07-17 18:47:22 us=479574 ... PUSH: Received control message: 'PUSH_REQUEST'
2020-07-17 18:47:22 us=479634 ... Delayed exit in 5 seconds
2020-07-17 18:47:22 us=479661 ... SENT CONTROL [cron2-freebsd-tc-amd64]: 
'AUTH_FAILED' (status=1)

- so it seems something in the chain of things is not good if "more than one" 
is there.


commit dfb40edc4acae5f17b0062ecb13ad1fa760ed529
Author: Arne Schwabe
Date:   Thu Jul 16 15:43:10 2020 +0200

 client-connect: Add CC_RET_DEFERRED and cope with deferred client-connect

 Signed-off-by: Fabian Knittel 
 Signed-off-by: Arne Schwabe 
 Acked-by: Antonio Quartulli 
 Message-Id: <20200716134315.17742-1-a...@rfc2549.org>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20395.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH 2/2] Permit make dist* targets without py*-docutils

2020-07-17 Thread David Sommerseth 
On 17/07/2020 17:36, David Sommerseth wrote:
> On 17/07/2020 17:05, Matthias Andree wrote:
>> Signed-off-by: Matthias Andree 
>> ---
>>  doc/Makefile.am | 5 +++--
>>  1 file changed, 3 insertions(+), 2 deletions(-)
>>
>> diff --git a/doc/Makefile.am b/doc/Makefile.am
>> index add92198..80cb2cb8 100644
>> --- a/doc/Makefile.am
>> +++ b/doc/Makefile.am
>> @@ -59,8 +59,9 @@ else
>>  endif
>>
>>  if HAVE_PYDOCUTILS
>> -dist_noinst_DATA += openvpn.8
>> -dist_html_DATA = openvpn.8.html
>> +nodist_noinst_DATA = openvpn.8
>> +nodist_html_DATA = openvpn.8.html
>> +EXTRA_DIST = openvpn.8 $(nodist_html_DATA)
>>
>>  # Failsafe - do not delete these files unless we can recreate them
>>  CLEANFILES = \
> 
> 
> Thanks!  This fixes the 'make distdir', which should also fix the 'make check'
> issues Gert found [1].
> 
> Acked-By: David Sommerseth 
> 
> 
> [1] Message-Id: 20200717131607.gs1...@greenie.muc.de
> 
> 
So I'm just retracting the Acked-By ... as this isn't needed.

We were just confused by some failing tests on one of the buildslaves and
realised to late it failed with 'make dist' - not 'make check'.  And then this
change makes things worse by not distributing generated man/html files if
py-docutils is not present.

All the 'make dist*' targets _should_ fail if py-docutils is not present and
the doc/openvpn.8 and doc/openvpn.8.html files are missing.  Running 'make
check' should not fail in any if these cases.


-- 
kind regards,

David Sommerseth
OpenVPN Inc




signature.asc
Description: OpenPGP digital signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH] t_net.sh: drop hard dependency on t_client.rc

2020-07-17 Thread Antonio Quartulli 
Right now t_net.sh depends on t_client.rc in order to source the
RUN_SUDO variable only.
However, t_client.rc is something that a few people only have configured
and thus this would result in t_net.sh almost never executed even if it
just could.

Drop dependency on t_client.rc by falling back to RUN_SUDO=sudo when the
file is missing.

The assignment is made as conditional so that a user can still override
RUN_SUDO by speciying an alternate string on the command line.

While at it, reword the error message to better match the current logic
flow.

Signed-off-by: Antonio Quartulli 
---
 tests/t_net.sh | 7 ++-
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/tests/t_net.sh b/tests/t_net.sh
index c67c3df2..63732db9 100755
--- a/tests/t_net.sh
+++ b/tests/t_net.sh
@@ -77,9 +77,7 @@ if [ -r "${top_builddir}"/t_client.rc ]; then
 elif [ -r "${srcdir}"/t_client.rc ]; then
 . "${srcdir}"/t_client.rc
 else
-echo "$0: cannot find 't_client.rc' in build dir ('${top_builddir}')" >&2
-echo "$0: or source directory ('${srcdir}'). SKIPPING TEST." >&2
-exit 77
+RUN_SUDO="${RUN_SUDO:-sudo}"
 fi
 
 if [ ! -x "$openvpn" ]; then
@@ -117,8 +115,7 @@ else
 
 if [ -z "$RUN_SUDO" ]
 then
-echo "$0: this test must run be as root, or RUN_SUDO=... " >&2
-echo "  must be set correctly in 't_client.rc'. SKIP." >&2
+echo "$0: using t_client.rc, but RUN_SUDO=... is not defined 
correctly. SKIP. " >&2
 exit 77
 else
 # check that we can run the unit-test binary with sudo
-- 
2.27.0



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH 1/2] Automake options: add subdir-objects, and clean up

2020-07-17 Thread David Sommerseth 
On 17/07/2020 17:05, Matthias Andree wrote:
> diff --git a/Makefile.am b/Makefile.am
> index 439120e4..e4125447 100644
> --- a/Makefile.am
> +++ b/Makefile.am
> @@ -25,7 +25,6 @@
> 
>  # This option prevents autoreconf from overriding our COPYING and
>  # INSTALL targets:
> -AUTOMAKE_OPTIONS = foreign 1.9
>  ACLOCAL_AMFLAGS = -I m4
> 
>  MAINTAINERCLEANFILES = \
> diff --git a/configure.ac b/configure.ac
> index 45148892..9d6510ca 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -54,7 +54,7 @@ m4_define([serial_tests], [
>  awk '{split ($NF,a,"."); if (a[1] == 1 && a[2] >= 12) { 
> print "serial-tests" }}'
>  ])
>  ])
> -AM_INIT_AUTOMAKE(foreign serial_tests) dnl NB: Do not [quote] this parameter.
> +AM_INIT_AUTOMAKE(foreign serial_tests subdir-objects 1.9) dnl NB: Do not 
> [quote] this parameter.
>  AC_CANONICAL_HOST
>  AC_USE_SYSTEM_EXTENSIONS

This looks trivial, but I'll have to NAK it in the current shape.  It breaks 
building on at least RHEL-7.

When applying this patch, this happens:

Making all in openvpnmsica
make[3]: Entering directory 
`/home/davids/devel/OpenVPN/openvpn/src/openvpnmsica'
Makefile:548: ../../src/tapctl/.deps/libopenvpnmsica_la-error.Plo: No such file 
or directory
Makefile:549: ../../src/tapctl/.deps/libopenvpnmsica_la-tap.Plo: No such file 
or directory
make[3]: *** No rule to make target 
`../../src/tapctl/.deps/libopenvpnmsica_la-tap.Plo'.  Stop.
make[3]: Leaving directory `/home/davids/devel/OpenVPN/openvpn/src/openvpnmsica'

This needs more work to avoid this issue.  It's also interesting that Windows
code is suddenly being pulled into the dependency tracking on a plain Linux
box.


-- 
kind regards,

David Sommerseth
OpenVPN Inc




signature.asc
Description: OpenPGP digital signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH 2/2] Permit make dist* targets without py*-docutils

2020-07-17 Thread David Sommerseth 
On 17/07/2020 17:05, Matthias Andree wrote:
> Signed-off-by: Matthias Andree 
> ---
>  doc/Makefile.am | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/doc/Makefile.am b/doc/Makefile.am
> index add92198..80cb2cb8 100644
> --- a/doc/Makefile.am
> +++ b/doc/Makefile.am
> @@ -59,8 +59,9 @@ else
>  endif
> 
>  if HAVE_PYDOCUTILS
> -dist_noinst_DATA += openvpn.8
> -dist_html_DATA = openvpn.8.html
> +nodist_noinst_DATA = openvpn.8
> +nodist_html_DATA = openvpn.8.html
> +EXTRA_DIST = openvpn.8 $(nodist_html_DATA)
> 
>  # Failsafe - do not delete these files unless we can recreate them
>  CLEANFILES = \


Thanks!  This fixes the 'make distdir', which should also fix the 'make check'
issues Gert found [1].

Acked-By: David Sommerseth 


[1] Message-Id: 20200717131607.gs1...@greenie.muc.de




-- 
kind regards,

David Sommerseth
OpenVPN Inc




signature.asc
Description: OpenPGP digital signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH 1/2] Automake options: add subdir-objects, and clean up

2020-07-17 Thread Matthias Andree 
Signed-off-by: Matthias Andree 
---
 Makefile.am  | 1 -
 configure.ac | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 439120e4..e4125447 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -25,7 +25,6 @@

 # This option prevents autoreconf from overriding our COPYING and
 # INSTALL targets:
-AUTOMAKE_OPTIONS = foreign 1.9
 ACLOCAL_AMFLAGS = -I m4

 MAINTAINERCLEANFILES = \
diff --git a/configure.ac b/configure.ac
index 45148892..9d6510ca 100644
--- a/configure.ac
+++ b/configure.ac
@@ -54,7 +54,7 @@ m4_define([serial_tests], [
 awk '{split ($NF,a,"."); if (a[1] == 1 && a[2] >= 12) { print 
"serial-tests" }}'
 ])
 ])
-AM_INIT_AUTOMAKE(foreign serial_tests) dnl NB: Do not [quote] this parameter.
+AM_INIT_AUTOMAKE(foreign serial_tests subdir-objects 1.9) dnl NB: Do not 
[quote] this parameter.
 AC_CANONICAL_HOST
 AC_USE_SYSTEM_EXTENSIONS

--
2.25.4



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH 2/2] Permit make dist* targets without py*-docutils

2020-07-17 Thread Matthias Andree 
Signed-off-by: Matthias Andree 
---
 doc/Makefile.am | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/doc/Makefile.am b/doc/Makefile.am
index add92198..80cb2cb8 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -59,8 +59,9 @@ else
 endif

 if HAVE_PYDOCUTILS
-dist_noinst_DATA += openvpn.8
-dist_html_DATA = openvpn.8.html
+nodist_noinst_DATA = openvpn.8
+nodist_html_DATA = openvpn.8.html
+EXTRA_DIST = openvpn.8 $(nodist_html_DATA)

 # Failsafe - do not delete these files unless we can recreate them
 CLEANFILES = \
--
2.25.4



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] Wiki: PluginOverview

2020-07-17 Thread Gert Doering 
Hi,

On Fri, Jul 17, 2020 at 02:05:50PM +, André via Openvpn-devel wrote:
> Regarding radius plugin: 
> https://community.openvpn.net/openvpn/wiki/PluginOverview
> The source is here: https://www.nongnu.org/radiusplugin/

Thanks.

Is this the most well maintained version?  I know that there are a few
forks flying around, which have received their own fixes.

Wo *is* the maintainer of radiusplugin these days, anyway?

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de


signature.asc
Description: PGP signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] Wiki: PluginOverview

2020-07-17 Thread André via Openvpn-devel 
Hi,

Regarding radius plugin: 
https://community.openvpn.net/openvpn/wiki/PluginOverview
The source is here: https://www.nongnu.org/radiusplugin/

Edited Wiki page.

W.k.r
Pippin



Sent with ProtonMail Secure Email.


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH 1/9] Indicate that a client is in pull mode in IV_PROTO

2020-07-17 Thread Antonio Quartulli 
Hi,

On 17/07/2020 15:47, Arne Schwabe wrote:
> This allows us to skip waiting for the first PUSH_REQUEST message from
> the client to send the response.
> 
> Signed-off-by: Arne Schwabe 
> ---
>  src/openvpn/multi.c | 12 ++--
>  src/openvpn/ssl.c   | 15 +--
>  src/openvpn/ssl.h   |  7 +++
>  3 files changed, 30 insertions(+), 4 deletions(-)
> 
> diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
> index 0095c871..88ba9db2 100644
> --- a/src/openvpn/multi.c
> +++ b/src/openvpn/multi.c
> @@ -1795,10 +1795,18 @@ multi_client_set_protocol_options(struct context *c)
>  {
>  int proto = 0;
>  int r = sscanf(optstr, "IV_PROTO=%d", &proto);
> -if ((r == 1) && (proto >= 2))
> +if (r == 1)
>  {
> -tls_multi->use_peer_id = true;
> +if (proto >= 2)


I thought it was agreed (but I may be wrong) to substitute this check
with a bitwise AND, since this variable is now treated as a bitfield.

Regards,




> +{
> +tls_multi->use_peer_id = true;
> +}
> +if (proto & IV_PROTO_REQUEST_PUSH)
> +{
> +c->c2.push_request_received = true;
> +}
>  }
> +
>  }
>  
>  /* Select cipher if client supports Negotiable Crypto Parameters */
> diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
> index 54a23011..04d78a81 100644
> --- a/src/openvpn/ssl.c
> +++ b/src/openvpn/ssl.c
> @@ -2299,8 +2299,19 @@ push_peer_info(struct buffer *buf, struct tls_session 
> *session)
>  buf_printf(&out, "IV_PLAT=win\n");
>  #endif
>  
> -/* support for P_DATA_V2 */
> -buf_printf(&out, "IV_PROTO=2\n");
> +/* support for P_DATA_V2*/
> +int iv_proto = IV_PROTO_DATA_V2;
> +
> +/* support for receiving push_reply before sending
> + * push request, also signal that the client wants
> + * to get push-reply messages without without requiring a round
> + * trip for a push request message*/
> +if(session->opt->pull)
> +{
> +iv_proto |= IV_PROTO_REQUEST_PUSH;
> +}
> +
> +buf_printf(&out, "IV_PROTO=%d\n", iv_proto);
>  
>  /* support for Negotiable Crypto Parameters */
>  if (session->opt->ncp_enabled
> diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h
> index 58a9b0d4..86fb6853 100644
> --- a/src/openvpn/ssl.h
> +++ b/src/openvpn/ssl.h
> @@ -99,6 +99,13 @@
>  /* Maximum length of OCC options string passed as part of auth handshake */
>  #define TLS_OPTIONS_LEN 512
>  
> +/* Definitions of the bits in the IV_PROTO bitfield */
> +#define IV_PROTO_DATA_V2(1<<1)  /**< Support P_DATA_V2 */
> +#define IV_PROTO_REQUEST_PUSH   (1<<2)  /**< Assume client will send a push
> +  * request and server does not need
> +  * to wait for a push-request to 
> send
> +  * a push-reply */
> +
>  /* Default field in X509 to be username */
>  #define X509_USERNAME_FIELD_DEFAULT "CN"
>  
> 

-- 
Antonio Quartulli


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH v7 2/6] client-connect: Add deferred support to the client-connect script handler

2020-07-17 Thread Antonio Quartulli 



On 16/07/2020 15:43, Arne Schwabe wrote:
> From: Fabian Knittel 
> 
> This patch introduces the concept of a return value file for the 
> client-connect
> handlers. (This is very similar to the auth value file used during deferred
> authentication.)  The file name is stored in the client_connect_state struct.
> 
> In addition, the patch also allows the storage of the client config file name
> in struct client_connect_state.
> 
> Both changes are used by the client-connect script handler to support deferred
> client-connection handling.  The deferred return value file 
> (deferred_ret_file)
> is passed to the actual script via the environment.  If the script succeeds 
> and
> writes the value for deferral into the deferred_ret_file, the handler knows to
> indicate deferral.  Later on, the deferred handler checks whether the value of
> the deferred_ret_file has been updated to success or failure.
> 
> Signed-off-by: Fabian Knittel 
> Signed-off-by: Arne Schwabe 
> ---
>  src/openvpn/multi.c | 226 +---
>  src/openvpn/multi.h |  12 +++
>  2 files changed, 225 insertions(+), 13 deletions(-)
> 
> diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
> index 9128798d..e26daeea 100644
> --- a/src/openvpn/multi.c
> +++ b/src/openvpn/multi.c
> @@ -1854,6 +1854,168 @@ multi_client_set_protocol_options(struct context *c)
>  }
>  }
>  
> +/**
> + * Delete the temporary file for the return value of client connect
> + * It also removes it from it from client_connect_defer_state and
> + * environment
> + */
> +static void
> +ccs_delete_deferred_ret_file(struct multi_instance *mi)
> +{
> +struct client_connect_defer_state *ccs = 
> &(mi->client_connect_defer_state);
> +if (ccs->deferred_ret_file)
> +{
> +setenv_del(mi->context.c2.es, "client_connect_deferred_file");
> +if (!platform_unlink(ccs->deferred_ret_file))
> +{
> +msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
> +ccs->deferred_ret_file);
> +}
> +free(ccs->deferred_ret_file);
> +ccs->deferred_ret_file = NULL;
> +}

As discussed on IRC, previous patches (already applied) changed the
style of many of our functions from:


if (x)
{
 do something
}



to:



if (!x)
{
  return
}


Now this patch is unfortunately introducing a set of functions all
implemented using the old pattern.

I suggest them to be converted before we merge this patch.

I don't really have other comments about this patch, therefore it may go
in once we get the code style right.


Regards,

-- 
Antonio Quartulli


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH 8/9] Rename ncp-ciphers to data-ciphers

2020-07-17 Thread Arne Schwabe 
The change in name signals that data-ciphers is the preferred way to
configure data channel (and not --cipher). The data prefix is chosen
to avoid ambiguity and make it distinct from tls-cipher for the TLS
ciphers.

Signed-off-by: Arne Schwabe 
---
 Changes.rst| 13 ++---
 doc/man-sections/protocol-options.rst  | 11 +++
 doc/man-sections/server-options.rst|  4 ++--
 sample/sample-config-files/client.conf |  2 +-
 src/openvpn/multi.c|  4 ++--
 src/openvpn/options.c  |  5 +++--
 src/openvpn/ssl_ncp.c  |  4 ++--
 7 files changed, 27 insertions(+), 16 deletions(-)

diff --git a/Changes.rst b/Changes.rst
index 6e283270..2158c8e7 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -14,12 +14,19 @@ ChaCha20-Poly1305 cipher support
 channel.
 
 Improved Data channel cipher negotiation
+The option ``ncp-ciphers`` has been renamed to ``data-ciphers``.
+The old name is still accepted. The change in name signals that
+``data-ciphers`` is the preferred way to configure data channel
+ciphers and the data prefix is chosen to avoid the ambiguity that
+exists with ``--cipher`` for the data cipher and ``tls-cipher``
+for the TLS ciphers.
+
 OpenVPN clients will now signal all supported ciphers from the
-``ncp-ciphers`` option to the server via ``IV_CIPHERS``. OpenVPN
-servers will select the first common cipher from the ``ncp-ciphers``
+``data-ciphers`` option to the server via ``IV_CIPHERS``. OpenVPN
+servers will select the first common cipher from the ``data-ciphers``
 list instead of blindly pushing the first cipher of the list. This
 allows to use a configuration like
-``ncp-ciphers ChaCha20-Poly1305:AES-256-GCM`` on the server that
+``data-ciphers ChaCha20-Poly1305:AES-256-GCM`` on the server that
 prefers ChaCha20-Poly1305 but uses it only if the client supports it.
 
 Asynchronous (deferred) authentication support for auth-pam plugin.
diff --git a/doc/man-sections/protocol-options.rst 
b/doc/man-sections/protocol-options.rst
index 923d2da0..051f1d32 100644
--- a/doc/man-sections/protocol-options.rst
+++ b/doc/man-sections/protocol-options.rst
@@ -62,7 +62,7 @@ configured in a compatible way between both the local and 
remote side.
   The default is :code:`BF-CBC`, an abbreviation for Blowfish in Cipher
   Block Chaining mode. When cipher negotiation (NCP) is allowed,
   OpenVPN 2.4 and newer on both client and server side will automatically
-  upgrade to :code:`AES-256-GCM`.  See ``--ncp-ciphers`` and
+  upgrade to :code:`AES-256-GCM`.  See ``--data-ciphers`` and
   ``--ncp-disable`` for more details on NCP.
 
   Using :code:`BF-CBC` is no longer recommended, because of its 64-bit
@@ -169,7 +169,7 @@ configured in a compatible way between both the local and 
remote side.
   non-standard key lengths, and a larger key may offer no real guarantee
   of greater security, or may even reduce security.
 
---ncp-ciphers cipher-list
+--data-ciphers cipher-list
   Restrict the allowed ciphers to be negotiated to the ciphers in
   ``cipher-list``. ``cipher-list`` is a colon-separated list of ciphers,
   and defaults to :code:`AES-256-GCM:AES-128-GCM`.
@@ -189,9 +189,9 @@ configured in a compatible way between both the local and 
remote side.
   Additionally, to allow for more smooth transition, if NCP is enabled,
   OpenVPN will inherit the cipher of the peer if that cipher is different
   from the local ``--cipher`` setting, but the peer cipher is one of the
-  ciphers specified in ``--ncp-ciphers``. E.g. a non-NCP client (<=v2.3,
+  ciphers specified in ``--data-ciphers``. E.g. a non-NCP client (<=v2.3,
   or with --ncp-disabled set) connecting to a NCP server (v2.4+) with
-  ``--cipher BF-CBC`` and ``--ncp-ciphers AES-256-GCM:AES-256-CBC`` set can
+  ``--cipher BF-CBC`` and ``--data-ciphers AES-256-GCM:AES-256-CBC`` set can
   either specify ``--cipher BF-CBC`` or ``--cipher AES-256-CBC`` and both
   will work.
 
@@ -201,6 +201,9 @@ configured in a compatible way between both the local and 
remote side.
   This list is restricted to be 127 chars long after conversion to OpenVPN
   ciphers.
 
+  This option was called ``ncp-ciphers`` in OpenVPN 2.4 but has been renamed
+  to ``data-ciphers`` in OpenVPN 2.5 to more accurately reflect its meaning.
+
 --ncp-disable
   Disable "Negotiable Crypto Parameters". This completely disables cipher
   negotiation.
diff --git a/doc/man-sections/server-options.rst 
b/doc/man-sections/server-options.rst
index c24aec0b..74ad5e18 100644
--- a/doc/man-sections/server-options.rst
+++ b/doc/man-sections/server-options.rst
@@ -473,8 +473,8 @@ fast hardware. SSL/TLS authentication must be used in this 
mode.
 *AES-GCM-128* and *AES-GCM-256*.
 
   :code:`IV_CIPHERS=`
-The client pushes the list of configured ciphers with the
-``--ciphers`` option to the server.
+The client announces the list of supported ciph

[Openvpn-devel] [PATCH 9/9] Rework NCP compability logic and drop BF-CBC support by default

2020-07-17 Thread Arne Schwabe 
This reworks the NCP logic to be more strict about what is
considered an acceptable result of an NCP negotiation. It also
us to finally drop BF-CBC support by default.

All new behaviour is currently limited to server/client
mode with pull enabled. P2p mode without pull does not change.

New Server behaviour:
- when a client announces its supported ciphers through either
  OCC or IV_CIPHER/IV_NCP we reject the client with a
  AUTH_FAILED message if we have no common cipher.

- When a client does not announce any cipher in either
  OCC or NCP we by reject it unless fallback-cipher is
  specified in either ccd or config.

New client behaviour:
- When no cipher is pushed (or a cipher we refused to support)
  and we also cannot support the server's server announced in
  OCC we fail the connection and log why

- If fallback-cipher is specified we will in the case that
  cipher is missing from occ use the fallback cipher instead
  of failing the connection

Both client and server behaviour:
- We only announce --cipher xyz in occ if we are willing
  to support that cipher.

  It means that we only announce the fallback-cipher if
  it is also contained in --data-ciphers

Compatiblity behaviour:

In 2.5 both client and server will automatically set
fallback-cipher xyz if --cipher xyz is in the config and
also add append the cipher to the end of data-ciphers.

We log a warn user about this and point to --data-ciphers and
--fallback-cipher. This also happens if the configuration
contains an explicit --cipher BF-CBC.

If --cipher is not set, we only warn that previous versions
allowed BF-CBC and point how to reenable BF-CBC. This might
break very few config where someone connects a very old
client to a 2.5 server but at some point we need to drop
the BF-CBC and those affected use will already have a the
scary SWEET32 warning in their logs.

In short: If --cipher is explicitly set 2.6 will work the same as
2.4 did. When --cipher is not set, BF-CBC support is dropped and
we warn about it.

Examples how breaking the default BF-CBC will be logged:

Client side:
 - Client connecting to server that does not push cipher but
   has --cipher in OCC

OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's 
cipher ('BF-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-CBC') if 
you want to connect to this server.

 - Client connecting to a server that does not support OCC:

   OPTIONS ERROR: failed to negotioate cipher with server. Configure 
--fallback-cipher if you want connect to this server.

Server Side:

- Server has a client only supporting BF-CBC connecting:

  styx/IP PUSH: No common cipher between server and client. Server 
data-ciphers: 
'CHACHA20-POLY1305:AES-128-GCM:AES-256-GCM:AES-256-CBC:AES-128-CBC', client 
supports cipher 'BF-CBC'.

 - Client without OCC:

   styx/IP PUSH:No NCP or OCC cipher data received from peer.
   styx/IP Use --fallback-cipher with the cipher the client is using if you 
want to allow the client to connect

In all reject cases on the client:

   AUTH: Received control message: AUTH_FAILED,Data channel cipher negotiation 
failed (no shared cipher)

Signed-off-by: Arne Schwabe 
---
 doc/man-sections/protocol-options.rst |  16 ++-
 src/openvpn/crypto.c  |   3 +-
 src/openvpn/init.c|  25 -
 src/openvpn/multi.c   | 136 --
 src/openvpn/options.c | 109 +
 src/openvpn/options.h |   2 +
 src/openvpn/ssl.c |  11 ++-
 src/openvpn/ssl_ncp.c |  20 ++--
 src/openvpn/ssl_ncp.h |  10 +-
 tests/unit_tests/openvpn/test_ncp.c   |  26 +++--
 10 files changed, 253 insertions(+), 105 deletions(-)

diff --git a/doc/man-sections/protocol-options.rst 
b/doc/man-sections/protocol-options.rst
index 051f1d32..1b53400b 100644
--- a/doc/man-sections/protocol-options.rst
+++ b/doc/man-sections/protocol-options.rst
@@ -57,6 +57,9 @@ configured in a compatible way between both the local and 
remote side.
   http://www.cs.ucsd.edu/users/mihir/papers/hmac.html
 
 --cipher alg
+  This option is deprecated for server-client mode and ``--data-ciphers``
+  or rarely `--fallback-cipher`` should be used instead.
+
   Encrypt data channel packets with cipher algorithm ``alg``.
 
   The default is :code:`BF-CBC`, an abbreviation for Blowfish in Cipher
@@ -183,8 +186,9 @@ configured in a compatible way between both the local and 
remote side.
   ``--server`` ), or if ``--pull`` is specified (client-side, implied by
   setting --client).
 
-  If both peers support and do not disable NCP, the negotiated cipher will
-  override the cipher specified by ``--cipher``.
+  If no common cipher is found is found during cipher negotiation, the
+  connection is terminated. To support old clients/server that do not
+  provide any cipher support see ``fallback-cipher``.
 
   Additionally, to allow for more smooth transition, if NCP is enab

[Openvpn-devel] [PATCH 6/9] Remove ENABLE_OCC #define

2020-07-17 Thread Arne Schwabe 
Commit 037669f3dd already made occ being unconditionally on. This commit
only removes the #ifdefs

Signed-off-by: Arne Schwabe 
---
 src/openvpn/forward.c|  8 
 src/openvpn/init.c   | 16 +---
 src/openvpn/occ.c|  9 -
 src/openvpn/occ.h|  3 ---
 src/openvpn/openvpn.h|  7 +--
 src/openvpn/options.c| 30 --
 src/openvpn/options.h|  8 
 src/openvpn/sig.c|  6 --
 src/openvpn/sig.h|  3 ---
 src/openvpn/ssl.c| 21 +
 src/openvpn/ssl_common.h |  4 
 src/openvpn/syshead.h|  5 -
 12 files changed, 3 insertions(+), 117 deletions(-)

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 698451d1..3d462d0a 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -822,7 +822,6 @@ process_coarse_timers(struct context *c)
 }
 #endif
 
-#ifdef ENABLE_OCC
 /* Should we send an OCC_REQUEST message? */
 check_send_occ_req(c);
 
@@ -834,7 +833,6 @@ process_coarse_timers(struct context *c)
 {
 process_explicit_exit_notification_timer_wakeup(c);
 }
-#endif
 
 /* Should we ping the remote? */
 check_ping_send(c);
@@ -983,14 +981,12 @@ read_incoming_link(struct context *c)
 }
 else
 {
-#ifdef ENABLE_OCC
 if 
(event_timeout_defined(&c->c2.explicit_exit_notification_interval))
 {
 msg(D_STREAM_ERRORS, "Connection reset during exit 
notification period, ignoring [%d]", status);
 management_sleep(1);
 }
 else
-#endif
 {
 register_signal(c, SIGUSR1, "connection-reset"); /* 
SOFT-SIGUSR1 -- TCP connection reset */
 msg(D_STREAM_ERRORS, "Connection reset, restarting [%d]", 
status);
@@ -1214,13 +1210,11 @@ process_incoming_link_part2(struct context *c, struct 
link_socket_info *lsi, con
 c->c2.buf.len = 0; /* drop packet */
 }
 
-#ifdef ENABLE_OCC
 /* Did we just receive an OCC packet? */
 if (is_occ_msg(&c->c2.buf))
 {
 process_received_occ_msg(c);
 }
-#endif
 
 buffer_turnover(orig_buf, &c->c2.to_tun, &c->c2.buf, 
&c->c2.buffers->read_link_buf);
 
@@ -1992,10 +1986,8 @@ pre_select(struct context *c)
 /* check for incoming configuration info on the control channel */
 check_incoming_control_channel(c);
 
-#ifdef ENABLE_OCC
 /* Should we send an OCC message? */
 check_send_occ_msg(c);
-#endif
 
 #ifdef ENABLE_FRAGMENT
 /* Should we deliver a datagram fragment to remote? */
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index b96d1471..1ea4735d 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1419,7 +1419,6 @@ do_init_timers(struct context *c, bool deferred)
 /* initialize connection establishment timer */
 event_timeout_init(&c->c2.wait_for_connect, 1, now);
 
-#ifdef ENABLE_OCC
 /* initialize occ timers */
 
 if (c->options.occ
@@ -1433,7 +1432,6 @@ do_init_timers(struct context *c, bool deferred)
 {
 event_timeout_init(&c->c2.occ_mtu_load_test_interval, 
OCC_MTU_LOAD_INTERVAL_SECONDS, now);
 }
-#endif
 
 /* initialize packet_id persistence timer */
 if (c->options.packet_id_file)
@@ -2279,7 +2277,6 @@ do_deferred_options(struct context *c, const unsigned int 
found)
 msg(D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified");
 }
 
-#ifdef ENABLE_OCC
 if (found & OPT_P_EXPLICIT_NOTIFY)
 {
 if (!proto_is_udp(c->options.ce.proto) && 
c->options.ce.explicit_exit_notification)
@@ -2292,7 +2289,6 @@ do_deferred_options(struct context *c, const unsigned int 
found)
 msg(D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified");
 }
 }
-#endif
 
 #ifdef USE_COMP
 if (found & OPT_P_COMP)
@@ -2901,9 +2897,7 @@ do_init_crypto_tls(struct context *c, const unsigned int 
flags)
 to.xmit_hold = true;
 }
 
-#ifdef ENABLE_OCC
 to.disable_occ = !options->occ;
-#endif
 
 to.verify_command = options->tls_verify;
 to.verify_export_cert = options->tls_export_cert;
@@ -3193,7 +3187,7 @@ do_init_frame(struct context *c)
 c->c2.frame_fragment_initial = c->c2.frame_fragment;
 #endif
 
-#if defined(ENABLE_FRAGMENT) && defined(ENABLE_OCC)
+#if defined(ENABLE_FRAGMENT)
 /*
  * MTU advisories
  */
@@ -3478,7 +3472,6 @@ do_print_data_channel_mtu_parms(struct context *c)
 #endif
 }
 
-#ifdef ENABLE_OCC
 /*
  * Get local and remote options compatibility strings.
  */
@@ -3510,7 +3503,6 @@ do_compute_occ_strings(struct context *c)
 
 gc_free(&gc);
 }
-#endif /* ifdef ENABLE_OCC */
 
 /*
  * These things can only be executed once per program instantiation.
@@ -3586,7 +3578,6 @@ do_close_tls(struct context *c)
 c->c2.tls_multi = NULL;
 }
 
-#ifdef ENABLE_OCC
 /* f

[Openvpn-devel] [PATCH 3/9] Require AEAD support in the crypto library

2020-07-17 Thread Arne Schwabe 
All supported crypto libraries have AEAD support and with our
ncp/de facto default cipher AES-256-GCM we do not want to support
the obscure corner case of a library with disabled AEAD.

Signed-off-by: Arne Schwabe 
---
 configure.ac |  7 ++-
 src/openvpn/crypto.c | 11 ---
 src/openvpn/crypto_mbedtls.c | 14 --
 src/openvpn/crypto_openssl.c | 16 
 src/openvpn/crypto_openssl.h |  4 
 src/openvpn/options.c|  6 --
 6 files changed, 2 insertions(+), 56 deletions(-)

diff --git a/configure.ac b/configure.ac
index d9ad80b1..a8535b70 100644
--- a/configure.ac
+++ b/configure.ac
@@ -905,11 +905,10 @@ if test "${with_crypto_library}" = "openssl"; then
AC_DEFINE([HAVE_OPENSSL_ENGINE], [1], [OpenSSL engine support 
available])
fi
 
-   have_crypto_aead_modes="yes"
AC_CHECK_FUNC(
[EVP_aes_256_gcm],
,
-   [have_crypto_aead_modes="no"]
+   [AC_MSG_ERROR([OpenSSL check for AES-256-GCM support failed])]
)
 
 # All supported OpenSSL version (>= 1.0.2)
@@ -1003,14 +1002,13 @@ elif test "${with_crypto_library}" = "mbedtls"; then
[AC_MSG_ERROR([mbed TLS 2.y.z required])]
)
 
-   have_crypto_aead_modes="yes"
AC_CHECK_FUNCS(
[ \
mbedtls_cipher_write_tag \
mbedtls_cipher_check_tag \
],
,
-   [have_crypto_aead_modes="no"; break]
+   [AC_MSG_ERROR([mbed TLS check for AEAD support failed])]
)
 
have_export_keying_material="yes"
@@ -1225,7 +1223,6 @@ test "${enable_pf}" = "yes" && AC_DEFINE([ENABLE_PF], 
[1], [Enable internal pack
 test "${enable_strict_options}" = "yes" && 
AC_DEFINE([ENABLE_STRICT_OPTIONS_CHECK], [1], [Enable strict options check 
between peers])
 
 test "${enable_crypto_ofb_cfb}" = "yes" && AC_DEFINE([ENABLE_OFB_CFB_MODE], 
[1], [Enable OFB and CFB cipher modes])
-test "${have_crypto_aead_modes}" = "yes" && 
AC_DEFINE([HAVE_AEAD_CIPHER_MODES], [1], [Use crypto library])
 if test "${have_export_keying_material}" = "yes"; then
AC_DEFINE(
[HAVE_EXPORT_KEYING_MATERIAL], [1],
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index bbf47ef7..e92a0dc1 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -64,7 +64,6 @@ static void
 openvpn_encrypt_aead(struct buffer *buf, struct buffer work,
  struct crypto_options *opt)
 {
-#ifdef HAVE_AEAD_CIPHER_MODES
 struct gc_arena gc;
 int outlen = 0;
 const struct key_ctx *ctx = &opt->key_ctx_bi.encrypt;
@@ -152,9 +151,6 @@ err:
 buf->len = 0;
 gc_free(&gc);
 return;
-#else /* HAVE_AEAD_CIPHER_MODES */
-ASSERT(0);
-#endif /* ifdef HAVE_AEAD_CIPHER_MODES */
 }
 
 static void
@@ -361,7 +357,6 @@ openvpn_decrypt_aead(struct buffer *buf, struct buffer work,
  struct crypto_options *opt, const struct frame *frame,
  const uint8_t *ad_start)
 {
-#ifdef HAVE_AEAD_CIPHER_MODES
 static const char error_prefix[] = "AEAD Decrypt error";
 struct packet_id_net pin = { 0 };
 const struct key_ctx *ctx = &opt->key_ctx_bi.decrypt;
@@ -482,10 +477,6 @@ error_exit:
 buf->len = 0;
 gc_free(&gc);
 return false;
-#else /* HAVE_AEAD_CIPHER_MODES */
-ASSERT(0);
-return false;
-#endif /* ifdef HAVE_AEAD_CIPHER_MODES */
 }
 
 /*
@@ -1104,7 +1095,6 @@ test_crypto(struct crypto_options *co, struct frame 
*frame)
 /* init work */
 ASSERT(buf_init(&work, FRAME_HEADROOM(frame)));
 
-#ifdef HAVE_AEAD_CIPHER_MODES
 /* init implicit IV */
 {
 const cipher_kt_t *cipher =
@@ -1126,7 +1116,6 @@ test_crypto(struct crypto_options *co, struct frame 
*frame)
 co->key_ctx_bi.decrypt.implicit_iv_len = impl_iv_len;
 }
 }
-#endif /* ifdef HAVE_AEAD_CIPHER_MODES */
 
 msg(M_INFO, "Entering " PACKAGE_NAME " crypto self-test mode.");
 for (i = 1; i <= TUN_MTU_SIZE(frame); ++i)
diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c
index bb752557..19a87eb4 100644
--- a/src/openvpn/crypto_mbedtls.c
+++ b/src/openvpn/crypto_mbedtls.c
@@ -530,12 +530,10 @@ cipher_kt_block_size(const mbedtls_cipher_info_t 
*cipher_kt)
 int
 cipher_kt_tag_size(const mbedtls_cipher_info_t *cipher_kt)
 {
-#ifdef HAVE_AEAD_CIPHER_MODES
 if (cipher_kt && cipher_kt_mode_aead(cipher_kt))
 {
 return OPENVPN_AEAD_TAG_LENGTH;
 }
-#endif
 return 0;
 }
 
@@ -632,7 +630,6 @@ cipher_ctx_iv_length(const mbedtls_cipher_context_t *ctx)
 int
 cipher_ctx_get_tag(cipher_ctx_t *ctx, uint8_t *tag, int tag_len)
 {
-#ifdef HAVE_AEAD_CIPHER_MODES
 if (tag_len > SIZE_MAX)
 {
 return 0;
@@ -644,9 +641,6 @@ cipher_ctx_get_tag(cipher_ctx_t *ctx, uint8_t *tag, int 
tag_len)
 }
 
 return 1;
-#else  /* ifdef HAVE_AEAD_CIPHER_MODES */
-ASSERT(0);
-#en

[Openvpn-devel] [PATCH v2 2/9] Drop support for OpenSSL 1.0.1

2020-07-17 Thread Arne Schwabe 
OpenSSL 1.0.1 was supported until 2016-12-31. Rhel6/Centos6 still
use this version but considering that RHEL7 and RHEL8 are already
out, these versions can also stay with OpenVPN 2.4.

All the supported Debian based distributions also come with at
least 1.0.2.

We (accidently) unconditionally compiled some key exporter code on
OpenSSL 1.0.2+ without problems. So always compile the whole
key exporter feature for OpenSSL.

This also allows the tls groups commit to be applied without
adding ifdefs to disable that functionality on OpenSSL 1.0.1

Signed-off-by: Arne Schwabe 
---
 .travis.yml  |  8 -
 Changes.rst  |  2 ++
 INSTALL  |  9 +++---
 configure.ac | 14 +++--
 src/openvpn/crypto.c |  7 -
 src/openvpn/openssl_compat.h | 14 -
 src/openvpn/options.c|  2 +-
 src/openvpn/ssl_mbedtls.c|  2 +-
 src/openvpn/ssl_openssl.c| 60 ++--
 9 files changed, 16 insertions(+), 102 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index 925d09ea..101ff096 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -35,10 +35,6 @@ jobs:
   env: SSLLIB="openssl" RUN_COVERITY="1"
   os: linux
   compiler: gcc
-- name: gcc | openssl-1.0.1u
-  env: SSLLIB="openssl" OPENSSL_VERSION="1.0.1u"
-  os: linux
-  compiler: gcc
 - name: gcc | openssl-1.1.1d
   env: SSLLIB="openssl" OPENSSL_VERSION="1.1.1d"
   os: linux
@@ -87,10 +83,6 @@ jobs:
   env: SSLLIB="mbedtls"
   os: osx
   compiler: clang
-- name: mingw64 | openssl-1.0.1u
-  env: SSLLIB="openssl" CHOST=x86_64-w64-mingw32 OPENSSL_VERSION="1.0.1u"
-  os: linux
-  compiler: ": Win64 build only"
 - name: mingw64 | openssl-1.1.1d
   env: SSLLIB="openssl" CHOST=x86_64-w64-mingw32 OPENSSL_VERSION="1.1.1d"
   os: linux
diff --git a/Changes.rst b/Changes.rst
index 18b03e47..6e283270 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -34,6 +34,8 @@ https://community.openvpn.net/openvpn/wiki/DeprecatedOptions
 With the improved and matured data channel cipher negotiation, the use
 of ``ncp-disable`` should not be necessary anymore.
 
+- Support for building with OpenSSL 1.0.1 has been removed. The minimum
+  supported OpenSSL version is now 1.0.2.
 
 Overview of changes in 2.4
 ==
diff --git a/INSTALL b/INSTALL
index de0eb518..fde0b7cd 100644
--- a/INSTALL
+++ b/INSTALL
@@ -71,12 +71,13 @@ REQUIRES:
   (1) TUN and/or TAP driver to allow user-space programs to control
   a virtual point-to-point IP or Ethernet device.  See
   TUN/TAP Driver Configuration section below for more info.
-
-OPTIONAL (but recommended):
-  (1) OpenSSL library, necessary for encryption, version 1.0.1 or higher
+  (2) OpenSSL library, necessary for encryption, version 1.0.2 or higher
   required, available from http://www.openssl.org/
-  (2) mbed TLS library, an alternative for encryption, version 2.0 or higher
+  or
+  (3) mbed TLS library, an alternative for encryption, version 2.0 or higher
   required, available from https://tls.mbed.org/
+
+OPTIONAL:  
   (3) LZO real-time compression library, required for link compression,
   available from http://www.oberhumer.com/opensource/lzo/
   OpenBSD users can use ports or packages to install lzo, but remember
diff --git a/configure.ac b/configure.ac
index 45148892..d9ad80b1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -846,7 +846,7 @@ if test "${with_crypto_library}" = "openssl"; then
# if the user did not explicitly specify flags, try to 
autodetect
PKG_CHECK_MODULES(
[OPENSSL],
-   [openssl >= 1.0.1],
+   [openssl >= 1.0.2],
[have_openssl="yes"],
[] # If this fails, we will do another test next
)
@@ -861,7 +861,7 @@ if test "${with_crypto_library}" = "openssl"; then
# If pkgconfig check failed or OPENSSL_CFLAGS/OPENSSL_LIBS env vars
# are used, check the version directly in the OpenSSL include file
if test "${have_openssl}" != "yes"; then
-   AC_MSG_CHECKING([additionally if OpenSSL is available and 
version >= 1.0.1])
+   AC_MSG_CHECKING([additionally if OpenSSL is available and 
version >= 1.0.2])
AC_COMPILE_IFELSE(
[AC_LANG_PROGRAM(
[[
@@ -869,7 +869,7 @@ if test "${with_crypto_library}" = "openssl"; then
]],
[[
 /*  Version encoding: MNNFFPPS - see opensslv.h for details */
-#if OPENSSL_VERSION_NUMBER < 0x10001000L
+#if OPENSSL_VERSION_NUMBER < 0x10002000L
 #error OpenSSL too old
 #endif
]]
@@ -912,12 +912,9 @@ if test "${with_crypto_library}" = "openssl"; then
[have_crypto_aead_modes="no"]
)

[Openvpn-devel] [PATCH v5 4/9] Implement tls-groups option to specify eliptic curves/groups

2020-07-17 Thread Arne Schwabe 
By default OpenSSL 1.1+ only allows signatures and ecdh/ecdhx from the
default list of X25519:secp256r1:X448:secp521r1:secp384r1. In
TLS1.3 key exchange is independent from the signature/key of the
certificates, so allowing all groups per default is not a sensible
choice anymore and instead a shorter list is reasonable.

However, when using certificates with exotic curves that are not on
the group list, the signatures of these certificates will no longer
be accepted.

The tls-groups  option allows to modify the group list to account
for these corner cases.

Patch V2: Uses local gc_arena instead of malloc/free, reword commit
  message. Fix other typos/clarify messages

Patch V3: Style fixes, adjust code to changes from mbed tls session
  fix

Patch V5: Fix compilation with OpenSSL 1.0.2

Signed-off-by: Arne Schwabe 
---
 README.ec   |  7 ++--
 configure.ac|  1 +
 doc/man-sections/encryption-options.rst |  6 +--
 doc/man-sections/tls-options.rst| 27 +++-
 src/openvpn/openssl_compat.h|  6 +++
 src/openvpn/options.c   | 10 -
 src/openvpn/options.h   |  1 +
 src/openvpn/ssl.c   |  6 +++
 src/openvpn/ssl_backend.h   | 10 +
 src/openvpn/ssl_mbedtls.c   | 46 +
 src/openvpn/ssl_mbedtls.h   |  1 +
 src/openvpn/ssl_openssl.c   | 55 -
 12 files changed, 167 insertions(+), 9 deletions(-)

diff --git a/README.ec b/README.ec
index 32938017..61f23b2e 100644
--- a/README.ec
+++ b/README.ec
@@ -12,14 +12,15 @@ OpenVPN 2.4.0 and newer automatically initialize ECDH 
parameters. When ECDSA is
 used for authentication, the curve used for the server certificate will be used
 for ECDH too. When autodetection fails (e.g. when using RSA certificates)
 OpenVPN lets the crypto library decide if possible, or falls back to the
-secp384r1 curve.
+secp384r1 curve. The list of groups/curves that the crypto library will choose
+from can be set with the --tls-groups  option.
 
 An administrator can force an OpenVPN/OpenSSL server to use a specific curve
 using the --ecdh-curve  option with one of the curves listed as
-available by the --show-curves option. Clients will use the same curve as
+available by the --show-groups option. Clients will use the same curve as
 selected by the server.
 
-Note that not all curves listed by --show-curves are available for use with 
TLS;
+Note that not all curves listed by --show-groups are available for use with 
TLS;
 in that case connecting will fail with a 'no shared cipher' TLS error.
 
 Authentication (ECDSA)
diff --git a/configure.ac b/configure.ac
index a8535b70..dee2c4f2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -927,6 +927,7 @@ if test "${with_crypto_library}" = "openssl"; then
OpenSSL_version \
SSL_CTX_get_default_passwd_cb \
SSL_CTX_get_default_passwd_cb_userdata \
+   SSL_CTX_set1_groups \
SSL_CTX_set_security_level \
X509_get0_notBefore \
X509_get0_notAfter \
diff --git a/doc/man-sections/encryption-options.rst 
b/doc/man-sections/encryption-options.rst
index a59f636c..ee34f14e 100644
--- a/doc/man-sections/encryption-options.rst
+++ b/doc/man-sections/encryption-options.rst
@@ -27,9 +27,9 @@ SSL Library information
   (Standalone) Show currently available hardware-based crypto acceleration
   engines supported by the OpenSSL library.
 
---show-curves
-  (Standalone) Show all available elliptic curves to use with the
-  ``--ecdh-curve`` option.
+--show-groups
+  (Standalone) Show all available elliptic curves/groups to use with the
+  ``--ecdh-curve`` and ``tls-groups`` options.
 
 Generating key material
 ---
diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst
index 92b832cd..ccc90ac9 100644
--- a/doc/man-sections/tls-options.rst
+++ b/doc/man-sections/tls-options.rst
@@ -338,6 +338,31 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa
   Use ``--tls-crypt`` instead if you want to use the key file to not only
   authenticate, but also encrypt the TLS control channel.
 
+--tls-groups list
+A list of allowable groups/curves in order of preference.
+
+Set the allowed elictipic curves/groups for the TLS session.
+These groups are  allowed to be used in signatures and key exchange.
+
+mbed TLS currently allows all known curves per default.
+
+OpenSSL 1.1+ restricts the list per default to
+::
+
+  "X25519:secp256r1:X448:secp521r1:secp384r1".
+
+If you use certificates that use non-standard curves, you
+might need to add them here. If you do not force the ecdh curve
+by using ``--ecdh-curve``, the groups for ecdh will also be picked
+from this list.
+
+OpenVPN maps the curve na

[Openvpn-devel] [PATCH 7/9] Avoid sending --cipher to clients not supporting NCP

2020-07-17 Thread Arne Schwabe 
The NCP rework introduced a regression of sending a --cipher
command as part of the push message when the client does not
support NCP. This is is more a cosmetic issue since the client
will log that as warning in the log and ignore it.

Signed-off-by: Arne Schwabe 
---
 src/openvpn/push.c | 10 --
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index 2183b74a..1c4f2033 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -472,9 +472,15 @@ prepare_push_reply(struct context *c, struct gc_arena *gc,
 
 /*
  * Push the selected cipher, at this point the cipher has been
- * already negotiated and been fixed
+ * already negotiated and been fixed.
+ *
+ * We avoid pushing the cipher to clients not supporting NCP
+ * to avoid error messages in their logs
  */
-push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername);
+if (tls_peer_supports_ncp(c->c2.tls_multi->peer_info))
+{
+push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername);
+}
 
 return true;
 }
-- 
2.26.2



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH v2 5/9] Remove key-method 1

2020-07-17 Thread Arne Schwabe 
Key-method 1 is only needed to talk to pre OpenVPN 2.0 clients.

Patch V2: Fix style. Make V1 op codes illegal, remove all code handling
  v1 op codes and give a good warning message if we encounter
  them in the legal op codes pre-check.

Signed-off-by: Arne Schwabe 
---
 doc/doxygen/doc_control_processor.h |   6 +-
 doc/doxygen/doc_key_generation.h|   6 +-
 doc/doxygen/doc_protocol_overview.h |   2 +-
 src/openvpn/forward.c   |   2 +-
 src/openvpn/helper.c|   5 -
 src/openvpn/init.c  |   1 -
 src/openvpn/options.c   |  35 +
 src/openvpn/options.h   |   4 -
 src/openvpn/ssl.c   | 230 
 src/openvpn/ssl.h   |  19 +--
 src/openvpn/ssl_common.h|   1 -
 11 files changed, 42 insertions(+), 269 deletions(-)

diff --git a/doc/doxygen/doc_control_processor.h 
b/doc/doxygen/doc_control_processor.h
index f87324cc..1bbf2d2d 100644
--- a/doc/doxygen/doc_control_processor.h
+++ b/doc/doxygen/doc_control_processor.h
@@ -175,11 +175,7 @@
  *appropriate messages to be sent.
  *
  * @par Functions which control data channel key generation
- *  - Key method 1 key exchange functions:
- * - \c key_method_1_write(), generates and processes key material to
- *   be sent to the remote OpenVPN peer.
- * - \c key_method_1_read(), processes key material received from the
- *   remote OpenVPN peer.
+ *  - Key method 1 key exchange functions were removed from OpenVPN 2.5
  *  - Key method 2 key exchange functions:
  * - \c key_method_2_write(), generates and processes key material to
  *   be sent to the remote OpenVPN peer.
diff --git a/doc/doxygen/doc_key_generation.h b/doc/doxygen/doc_key_generation.h
index efe61155..4bb9c708 100644
--- a/doc/doxygen/doc_key_generation.h
+++ b/doc/doxygen/doc_key_generation.h
@@ -131,11 +131,7 @@ S_ACTIVE   
 S_ACTIVE
  * control_processor Control Channel Processor module's\endlink \c
  * tls_process() function and control the %key generation and exchange
  * process as follows:
- * - %Key method 1:
- *   - \c key_method_1_write(): generate random material locally, and load
- * as "sending" keys.
- *   - \c key_method_1_read(): read random material received from remote
- * peer, and load as "receiving" keys.
+ * - %Key method 1 has been removed in OpenVPN 2.5
  * - %Key method 2:
  *   - \c key_method_2_write(): generate random material locally, and if
  * in server mode generate %key expansion.
diff --git a/doc/doxygen/doc_protocol_overview.h 
b/doc/doxygen/doc_protocol_overview.h
index 3f48b18a..08212223 100644
--- a/doc/doxygen/doc_protocol_overview.h
+++ b/doc/doxygen/doc_protocol_overview.h
@@ -150,7 +150,7 @@
  *
  * @subsection network_protocol_control_plaintext Structure of plaintext 
control channel messages
  *
- *  - %Key method 1:
+ *  - %Key method 1 (support removed in OpenVPN 2.5):
  * - Cipher %key length in bytes (1 byte).
  * - Cipher %key (n bytes).
  * - HMAC %key length in bytes (1 byte).
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 5c4370a8..698451d1 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -1100,7 +1100,7 @@ process_incoming_link_part1(struct context *c, struct 
link_socket_info *lsi, boo
 floated, &ad_start))
 {
 /* Restore pre-NCP frame parameters */
-if (is_hard_reset(opcode, c->options.key_method))
+if (is_hard_reset_method2(opcode))
 {
 c->c2.frame = c->c2.frame_initial;
 #ifdef ENABLE_FRAGMENT
diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c
index 6e9cc63c..a1d03070 100644
--- a/src/openvpn/helper.c
+++ b/src/openvpn/helper.c
@@ -490,11 +490,6 @@ helper_client_server(struct options *o)
  */
 if (o->client)
 {
-if (o->key_method != 2)
-{
-msg(M_USAGE, "--client requires --key-method 2");
-}
-
 o->pull = true;
 o->tls_client = true;
 }
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index e9c01629..b96d1471 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2852,7 +2852,6 @@ do_init_crypto_tls(struct context *c, const unsigned int 
flags)
 to.ssl_ctx = c->c1.ks.ssl_ctx;
 to.key_type = c->c1.ks.key_type;
 to.server = options->tls_server;
-to.key_method = options->key_method;
 to.replay = options->replay;
 to.replay_window = options->replay_window;
 to.replay_time = options->replay_time;
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 15173db2..0025c526 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -881,7 +881,6 @@ init_options(struct options *o, const bool init_gc)
 #ifdef ENABLE_PREDICTION_RESISTANCE
 o->use_prediction_resistance = false;
 #endif
-o->key_method = 2;
 o-

[Openvpn-devel] [PATCH 1/9] Indicate that a client is in pull mode in IV_PROTO

2020-07-17 Thread Arne Schwabe 
This allows us to skip waiting for the first PUSH_REQUEST message from
the client to send the response.

Signed-off-by: Arne Schwabe 
---
 src/openvpn/multi.c | 12 ++--
 src/openvpn/ssl.c   | 15 +--
 src/openvpn/ssl.h   |  7 +++
 3 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 0095c871..88ba9db2 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -1795,10 +1795,18 @@ multi_client_set_protocol_options(struct context *c)
 {
 int proto = 0;
 int r = sscanf(optstr, "IV_PROTO=%d", &proto);
-if ((r == 1) && (proto >= 2))
+if (r == 1)
 {
-tls_multi->use_peer_id = true;
+if (proto >= 2)
+{
+tls_multi->use_peer_id = true;
+}
+if (proto & IV_PROTO_REQUEST_PUSH)
+{
+c->c2.push_request_received = true;
+}
 }
+
 }
 
 /* Select cipher if client supports Negotiable Crypto Parameters */
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 54a23011..04d78a81 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -2299,8 +2299,19 @@ push_peer_info(struct buffer *buf, struct tls_session 
*session)
 buf_printf(&out, "IV_PLAT=win\n");
 #endif
 
-/* support for P_DATA_V2 */
-buf_printf(&out, "IV_PROTO=2\n");
+/* support for P_DATA_V2*/
+int iv_proto = IV_PROTO_DATA_V2;
+
+/* support for receiving push_reply before sending
+ * push request, also signal that the client wants
+ * to get push-reply messages without without requiring a round
+ * trip for a push request message*/
+if(session->opt->pull)
+{
+iv_proto |= IV_PROTO_REQUEST_PUSH;
+}
+
+buf_printf(&out, "IV_PROTO=%d\n", iv_proto);
 
 /* support for Negotiable Crypto Parameters */
 if (session->opt->ncp_enabled
diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h
index 58a9b0d4..86fb6853 100644
--- a/src/openvpn/ssl.h
+++ b/src/openvpn/ssl.h
@@ -99,6 +99,13 @@
 /* Maximum length of OCC options string passed as part of auth handshake */
 #define TLS_OPTIONS_LEN 512
 
+/* Definitions of the bits in the IV_PROTO bitfield */
+#define IV_PROTO_DATA_V2(1<<1)  /**< Support P_DATA_V2 */
+#define IV_PROTO_REQUEST_PUSH   (1<<2)  /**< Assume client will send a push
+  * request and server does not need
+  * to wait for a push-request to send
+  * a push-reply */
+
 /* Default field in X509 to be username */
 #define X509_USERNAME_FIELD_DEFAULT "CN"
 
-- 
2.26.2



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH applied] Re: doc/man: Replace old man page with generated man page

2020-07-17 Thread Gert Doering 
Hi,

On Fri, Jul 17, 2020 at 12:04:30PM +0200, David Sommerseth wrote:
> On 17/07/2020 10:02, Gert Doering wrote:
> > Acked-by: Gert Doering 
> > 
> > I have not tested the actual docutils / openvpn.8 generation (Samuli will 
> > complain loudly if tarball making doesn't work anymore, so that *will* 
> > see testing).  Generally it looks sane.
> > 
> > This condition looks a bit fishy, though...
> > 
> >  +AM_CONDITIONAL([HAVE_PYDOCUTILS], [test "${RST2MAN}" -a "${RST2HTML}"])
> > 
> > not sure what that will do in a POSIX shell.
> 
> Hmm ... whoops.  That should probably have been
> 
> test -n "${RST2MAN}" -a -n "${RST2HTML}"
> 
> Not sure how that passed during my own tests.  I tested it on a various of
> boxes, but I only have Linux distros easily available.

OK, there is something else - the buildbots are now failing with

Missing python-docutils - skipping man/html page generation
Missing python-docutils - skipping man page generation
cp: cannot stat './openvpn.8.html': No such file or directory
Makefile:686: recipe for target 'distdir' failed


"if it knows that it's not doing these, it shouldn't try to copy it
somewhere"

Can you have a look please, while fixing the "test" thing above?

> > Maybe this shouldn't be conditional either
> > 
> >  +if HAVE_PYDOCUTILS
> >   dist_noinst_DATA += openvpn.8
> > 
> > because it will lead to "tarballs randomly contain openvpn.8 or not, 
> > depending on whether docutils are around" - "make dist" should behave
> > consistently, and if there are no docutils, I think it should fail, not
> > silently leave out files.
> 
> The intention is that the tarball contains prebuilt openvpn.8 and openvpn.html
> files, which is generated by "make {dist,distcheck}".  

Yes.  In full agreement.

What I worry is that if you run a "make dist" on a host that has no 
docutils, configure will notice this, and not add "openvpn.8" to 
"dist_noinst_DATA" - so it won't be built, not included in the tarball,
and the tarball is incomplete.

> If these files exists,
> they will not be rebuilt unless explicitly removed.  So most users building
> from the source tarball should not notice any difference from prioer OpenVPN
> releases.  This is what the additional dist-hook rule in doc/Makefile.am does;
> this is run right before the copied source tree is put into a tarball.
> 
> The challenge is that it must be a conditional to actually pass ./configure -
> even when built from source tarballs.  

Not sure I understand this.  If openvpn.8 is there, because it was tarball'ed,
why would this line above create a new dependency?

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de


signature.asc
Description: PGP signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH applied] Re: client-connect: Add CC_RET_DEFERRED and cope with deferred client-connect

2020-07-17 Thread Gert Doering 
Your patch has been applied to the master branch.

Tested on the test rig, stared-at-code by antonio, and commit-message-adjusted
by me :-) (a few "defferred" and integrating the new call convention)

commit dfb40edc4acae5f17b0062ecb13ad1fa760ed529
Author: Arne Schwabe
Date:   Thu Jul 16 15:43:10 2020 +0200

 client-connect: Add CC_RET_DEFERRED and cope with deferred client-connect

 Signed-off-by: Fabian Knittel 
 Signed-off-by: Arne Schwabe 
 Acked-by: Antonio Quartulli 
 Message-Id: <20200716134315.17742-1-a...@rfc2549.org>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20395.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH] Convert cc_check_return to switch/case

2020-07-17 Thread David Sommerseth 
On 17/07/2020 13:29, Arne Schwabe wrote:
> The return false/return true is the result of
> running uncrustify.
> 
> Signed-off-by: Arne Schwabe 
> ---
>  src/openvpn/multi.c | 24 +---
>  1 file changed, 9 insertions(+), 15 deletions(-)
> 
> diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
> index 97b7df16..1fdf6ce5 100644
> --- a/src/openvpn/multi.c
> +++ b/src/openvpn/multi.c
> @@ -2229,22 +2229,16 @@ static inline bool
>  cc_check_return(int *cc_succeeded_count,
>  enum client_connect_return ret)
>  {
> -if (ret == CC_RET_SUCCEEDED)
> +switch (ret)
>  {
> -(*cc_succeeded_count)++;
> -return true;
> -}
> -else if (ret == CC_RET_FAILED)
> -{
> -return false;
> -}
> -else if (ret == CC_RET_SKIPPED)
> -{
> -return true;
> -}
> -else
> -{
> -ASSERT(0);
> +case CC_RET_SUCCEEDED: (*cc_succeeded_count)++;
> +return true;
> +
> +case CC_RET_FAILED: return false;
> +
> +case CC_RET_SKIPPED: return true;
> +
> +default: ASSERT(0);

Code style police  Even though it is not clearly defined, but based on the
example here

...

... it should be more like:

   switch (ret)
   {
case CC_RET_SUCCEEDED:
(*cc_succeeded_count)++;
return true;

case CC_RET_FAILED:
return false;

case CC_RET_SKIPPED:
return true;

default:
ASSERT(0);
   }


I generally find this approach more readable.


-- 
kind regards,

David Sommerseth
OpenVPN Inc




signature.asc
Description: OpenPGP digital signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH] Convert cc_check_return to switch/case

2020-07-17 Thread Arne Schwabe 
The return false/return true is the result of
running uncrustify.

Signed-off-by: Arne Schwabe 
---
 src/openvpn/multi.c | 24 +---
 1 file changed, 9 insertions(+), 15 deletions(-)

diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 97b7df16..1fdf6ce5 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -2229,22 +2229,16 @@ static inline bool
 cc_check_return(int *cc_succeeded_count,
 enum client_connect_return ret)
 {
-if (ret == CC_RET_SUCCEEDED)
+switch (ret)
 {
-(*cc_succeeded_count)++;
-return true;
-}
-else if (ret == CC_RET_FAILED)
-{
-return false;
-}
-else if (ret == CC_RET_SKIPPED)
-{
-return true;
-}
-else
-{
-ASSERT(0);
+case CC_RET_SUCCEEDED: (*cc_succeeded_count)++;
+return true;
+
+case CC_RET_FAILED: return false;
+
+case CC_RET_SKIPPED: return true;
+
+default: ASSERT(0);
 }
 }
 
-- 
2.26.2



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH applied] Re: doc/man: Add misssing renegotiation.rst to Makefile.am

2020-07-17 Thread Gert Doering 
Acked-by: Gert Doering 

Your patch has been applied to the master branch.

commit ee6830c34818bf4dc30cf7f0959ea0c9246bab8d
Author: David Sommerseth
Date:   Fri Jul 17 13:01:36 2020 +0200

 doc/man: Add misssing renegotiation.rst to Makefile.am

 Signed-off-by: David Sommerseth 
 Acked-by: Gert Doering 
 Message-Id: <20200717110136.11579-1-dav...@openvpn.net>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20431.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH] doc/man: Add misssing renegotiation.rst to Makefile.am

2020-07-17 Thread David Sommerseth 
This file did not get added to Makefile.am by a mistake during the
man-page overhaul, and the issue this causes is not easily spotted.

If a consumer of a tarball (created with 'make dist' from the git
tree) tries runs 'make clean' and 'make dist' plus have
python-docutils installed from such a tarball, it will explode and
complain about this missing file.

Signed-off-by: David Sommerseth 
---
 doc/Makefile.am | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/Makefile.am b/doc/Makefile.am
index a1ac02f6..add92198 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -31,6 +31,7 @@ dist_doc_DATA = \
man-sections/plugin-options.rst \
man-sections/protocol-options.rst \
man-sections/proxy-options.rst \
+   man-sections/renegotiation.rst \
man-sections/signals.rst \
man-sections/script-options.rst \
man-sections/server-options.rst \
-- 
2.26.0



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH applied] Re: doc/man: Documentation for --bind-dev / VRFs on Linux

2020-07-17 Thread Gert Doering 
Acked-by: Gert Doering 

New and not-yet-merged documentation from the --bind-dev patch.  
Thanks.

Your patch has been applied to the master branch.

commit 8d0b1def830d20410b6648f615ad3ddb5c2797fa
Author: David Sommerseth
Date:   Fri Jul 17 12:54:53 2020 +0200

 doc/man: Documentation for --bind-dev / VRFs on Linux

 Signed-off-by: Maximilian Wilhelm 
 Signed-off-by: David Sommerseth 
 Acked-by: Gert Doering 
 Message-Id: <20200717105453.10718-1-dav...@openvpn.net>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20429.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH] doc/man: Documentation for --bind-dev / VRFs on Linux

2020-07-17 Thread David Sommerseth 
Signed-off-by: Maximilian Wilhelm 
Signed-off-by: David Sommerseth 

---

v2 - Added missing entry into Makefile.am
---
 doc/Makefile.am   |  1 +
 doc/man-sections/network-config.rst   |  1 +
 .../virtual-routing-and-forwarding.rst| 78 +++
 doc/man-sections/vpn-network-options.rst  |  4 +
 4 files changed, 84 insertions(+)
 create mode 100644 doc/man-sections/virtual-routing-and-forwarding.rst

diff --git a/doc/Makefile.am b/doc/Makefile.am
index ca3ba9de..a1ac02f6 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -36,6 +36,7 @@ dist_doc_DATA = \
man-sections/server-options.rst \
man-sections/tls-options.rst \
man-sections/unsupported-options.rst \
+   man-sections/virtual-routing-and-forwarding.rst \
man-sections/vpn-network-options.rst \
man-sections/windows-options.rst
 
diff --git a/doc/man-sections/network-config.rst 
b/doc/man-sections/network-config.rst
index 12a6e960..04b30aa3 100644
--- a/doc/man-sections/network-config.rst
+++ b/doc/man-sections/network-config.rst
@@ -7,3 +7,4 @@ network adapter* (tun/tap device).
 
 .. include:: link-options.rst
 .. include:: vpn-network-options.rst
+.. include:: virtual-routing-and-forwarding.rst
diff --git a/doc/man-sections/virtual-routing-and-forwarding.rst 
b/doc/man-sections/virtual-routing-and-forwarding.rst
new file mode 100644
index ..28c13eee
--- /dev/null
+++ b/doc/man-sections/virtual-routing-and-forwarding.rst
@@ -0,0 +1,78 @@
+Virtual Routing and Forwarding
+--
+
+Options in this section relates to configuration of virtual routing and
+forwarding in combination with the underlying operating system.
+
+As of today this is only supported on Linux, a kernel >= 4.9 is
+recommended.
+
+This could come in handy when for example the external network should be
+only used as a means to connect to some VPN endpoints and all regular
+traffic should only be routed through any tunnel(s).  This could be
+achieved by setting up a VRF and configuring the interface connected to
+the external network to be part of the VRF. The examples below will cover
+this setup.
+
+Another option would be to put the tun/tap interface into a VRF. This could
+be done by an up-script which uses the :code:`ip link set` command shown
+below.
+
+
+VRF setup with iproute2
+```
+
+Create VRF :code:`vrf_external` and map it to routing table :code:`1023`
+::
+
+  ip link add vrf_external type vrf table 1023
+
+Move :code:`eth0` into :code:`vrf_external`
+::
+
+  ip link set master vrf_external dev eth0
+
+Any prefixes configured on :code:`eth0` will be moved from the :code`main`
+routing table into routing table `1023`
+
+
+VRF setup with ifupdown
+```
+
+For Debian based Distributions :code:`ifupdown2` provides an almost drop-in
+replacement for :code:`ifupdown` including VRFs and other features.
+A configuration for an interface :code:`eth0` being part of VRF
+code:`vrf_external` could look like this:
+::
+
+  auto eth0
+  iface eth0
+  address 192.0.2.42/24
+  address 2001:db8:08:15::42/64
+  gateway 192.0.2.1
+  gateway 2001:db8:08:15::1
+  vrf vrf_external
+
+  auto vrf_external
+  iface vrf_external
+  vrf-table 1023
+
+
+OpenVPN configuration
+`
+The OpenVPN configuration needs to contain this line:
+::
+
+  bind-dev vrf_external
+
+
+Further reading
+```
+
+Wikipedia has nice page one VRFs: 
https://en.wikipedia.org/wiki/Virtual_routing_and_forwarding
+
+This talk from the Network Track of FrOSCon 2018 provides an overview about
+advanced layer 2 and layer 3 features of Linux
+
+  - Slides: 
https://www.slideshare.net/BarbarossaTM/l2l3-fr-fortgeschrittene-helle-und-dunkle-magie-im-linuxnetzwerkstack
+  - Video (german): 
https://media.ccc.de/v/froscon2018-2247-l2\_l3\_fur\_fortgeschrittene\_-\_helle\_und\_dunkle\_magie\_im\_linux-netzwerkstack
diff --git a/doc/man-sections/vpn-network-options.rst 
b/doc/man-sections/vpn-network-options.rst
index 78c00674..7100c1ae 100644
--- a/doc/man-sections/vpn-network-options.rst
+++ b/doc/man-sections/vpn-network-options.rst
@@ -5,6 +5,10 @@ Options in this section relates to configuration of the 
virtual tun/tap
 network interface, including setting the VPN IP address and network
 routing.
 
+--bind-dev device
+  (Linux only) Set ``device`` to bind the server socket to a
+  `Virtual Routing and Forwarding`_ device
+
 --block-ipv6
   On the client, instead of sending IPv6 packets over the VPN tunnel, all
   IPv6 packets are answered with an ICMPv6 no route host message. On the
-- 
2.26.0



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH applied] Re: doc/man: Replace old man page with generated man page

2020-07-17 Thread David Sommerseth 
On 17/07/2020 10:02, Gert Doering wrote:
> Acked-by: Gert Doering 
> 
> I have not tested the actual docutils / openvpn.8 generation (Samuli will 
> complain loudly if tarball making doesn't work anymore, so that *will* 
> see testing).  Generally it looks sane.
> 
> This condition looks a bit fishy, though...
> 
>  +AM_CONDITIONAL([HAVE_PYDOCUTILS], [test "${RST2MAN}" -a "${RST2HTML}"])
> 
> not sure what that will do in a POSIX shell.

Hmm ... whoops.  That should probably have been

test -n "${RST2MAN}" -a -n "${RST2HTML}"

Not sure how that passed during my own tests.  I tested it on a various of
boxes, but I only have Linux distros easily available.

> Maybe this shouldn't be conditional either
> 
>  +if HAVE_PYDOCUTILS
>   dist_noinst_DATA += openvpn.8
> 
> because it will lead to "tarballs randomly contain openvpn.8 or not, 
> depending on whether docutils are around" - "make dist" should behave
> consistently, and if there are no docutils, I think it should fail, not
> silently leave out files.

The intention is that the tarball contains prebuilt openvpn.8 and openvpn.html
files, which is generated by "make {dist,distcheck}".  If these files exists,
they will not be rebuilt unless explicitly removed.  So most users building
from the source tarball should not notice any difference from prioer OpenVPN
releases.  This is what the additional dist-hook rule in doc/Makefile.am does;
this is run right before the copied source tree is put into a tarball.

The challenge is that it must be a conditional to actually pass ./configure -
even when built from source tarballs.  Otherwise python-docutils will be a
build dependency.  We discussed this at the Trento Hackathon and you where
skeptic to require a Python stack to be installed to build OpenVPN (as that
stack is not a common system dependency in the non-Linux world).  So we agreed
we will ship pre-built man/html files in the source tarballs.

However, to do the "make {dist,distcheck}" from the *git repo*,
python-docutils need to be a mandatory dependency - because we don't check in
the prebuilt openvpn.8 and openvpn.html files into the git repo.

This logic could probably contains some flaws and can be further improved, but
I figured we need to get this tested on a broader set of use cases and
OS/distros to better see which annoyances which hits us.


-- 
kind regards,

David Sommerseth
OpenVPN Inc




signature.asc
Description: OpenPGP digital signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH applied] Re: doc/man: Update --txqueuelen default setting (Now OS default)

2020-07-17 Thread Gert Doering 
Acked-by: Gert Doering 

"Because it's true!"

Your patch has been applied to the master branch.

commit 5c5544d42fbbd346034d05a38b5efe421ea1f911
Author: Richard Bonhomme
Date:   Fri Jul 17 00:53:37 2020 +0200

 doc/man: Update --txqueuelen default setting (Now OS default)

 Signed-off-by: Richard Bonhomme 
 Signed-off-by: David Sommerseth 
 Acked-by: Gert Doering 
 Message-Id: <20200716225338.611-8-dav...@openvpn.net>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20415.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH applied] Re: doc/man: Adopt compression documentation

2020-07-17 Thread Gert Doering 
(oops, sent this one too quickly - resending)

Acked-by: Gert Doering 

I have seen these changes before (in the compression patch), they make
sense, so of course we want to have them in .rst as well.

Your patch has been applied to the master branch.

commit ed593e651db20446daa0e494d6018cb65c0efe22
Author: David Sommerseth
Date:   Fri Jul 17 00:53:36 2020 +0200

 doc/man: Adopt compression documentation

 Signed-off-by: David Sommerseth 
 Acked-by: Gert Doering 
 Message-Id: <20200716225338.611-7-dav...@openvpn.net>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20414.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH applied] Re: doc/man: Adopt compression documentation

2020-07-17 Thread Gert Doering 
Your patch has been applied to the master branch.

commit ed593e651db20446daa0e494d6018cb65c0efe22
Author: David Sommerseth
Date:   Fri Jul 17 00:53:36 2020 +0200

 doc/man: Adopt compression documentation

 Signed-off-by: David Sommerseth 
 Acked-by: Gert Doering 
 Message-Id: <20200716225338.611-7-dav...@openvpn.net>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20414.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH applied] Re: doc/man: Mark compression options as deprecated

2020-07-17 Thread Gert Doering 
Acked-by: Gert Doering 

"By general agreement".

Your patch has been applied to the master branch.

commit 850fd5fab76403bb1a8e21b8d4272b138ce19934
Author: David Sommerseth
Date:   Fri Jul 17 00:53:35 2020 +0200

 doc/man: Mark compression options as deprecated

 Signed-off-by: David Sommerseth 
 Acked-by: Gert Doering 
 Message-Id: <20200716225338.611-6-dav...@openvpn.net>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20417.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH applied] Re: doc/man: Complete openvpn.8.rst splitting

2020-07-17 Thread Gert Doering 
Hi,

On Fri, Jul 17, 2020 at 10:22:25AM +0200, Gert Doering wrote:
> Acked-by: Gert Doering 
> 
> "And then all the new and huge file is gone again".  I'd really like to 
> squash 01, 03 and 04 - no good to have 230k openvpn.rst file in our git 
> repo forever (even if compression helps) if we never actually need or
> want it as "one single file".  So make this "introduce split-up files
> right away".

This is what I've done now, as agreed on IRC.

Due to conflicts and general laziness on my side, I've squashed 01...04 
into one big "remove openvpn.8, introduce small .rst fragments included 
by openvpn.rst" patch, which has just been pushed.  Out with it!

commit f500c49c8e0a77ce665b11f6adbea4029cf3b85f
Author: David Sommerseth 
Date:   Fri Jul 17 00:53:31 2020 +0200

doc/man: convert openvpn.8 to split-up .rst files

To avoid keeping around a full-size openvpn.rst file which is never
needed but will take space in the repo forever, patches 01...04
of the big documentation overhaul projects were squashed togehter,
keeping the individual commit logs and URL references below.

Signed-off-by: Gert Doering 

* This is a combination of 4 commits.
* This is the 1st commit message:
...

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de


signature.asc
Description: PGP signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH applied] Re: doc/man: Complete openvpn.8.rst splitting

2020-07-17 Thread Gert Doering 
Acked-by: Gert Doering 

"And then all the new and huge file is gone again".  I'd really like to 
squash 01, 03 and 04 - no good to have 230k openvpn.rst file in our git 
repo forever (even if compression helps) if we never actually need or
want it as "one single file".  So make this "introduce split-up files
right away".

Your patch has been applied to the master branch.

commit a44d0ab612796e73c48f204e6663113520775f2a
Author: David Sommerseth
Date:   Fri Jul 17 00:53:34 2020 +0200

 doc/man: Complete openvpn.8.rst splitting

 Signed-off-by: David Sommerseth 
 Acked-by: Gert Doering 
 Message-Id: <20200716225338.611-5-dav...@openvpn.net>
 URL: https://sourceforge.net/p/openvpn/mailman/message/37063377/
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH applied] Re: doc/man: Split up and reorganize main man page

2020-07-17 Thread Gert Doering 
Acked-by: Gert Doering 

"Seems to be all the same content, now spread to multiple files".

Your patch has been applied to the master branch.

commit f3ebfe9ef31c9d03a344aef41f54ab8a37f7e88f
Author: David Sommerseth
Date:   Fri Jul 17 00:53:33 2020 +0200

 doc/man: Split up and reorganize main man page

 Signed-off-by: David Sommerseth 
 Acked-by: Gert Doering 
 Message-Id: <20200716225338.611-4-dav...@openvpn.net>
 URL: https://sourceforge.net/p/openvpn/mailman/message/37063376/
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH 3/3] Remove key-method 1

2020-07-17 Thread Arne Schwabe 
Am 15.07.20 um 16:34 schrieb Steffan Karger:
> Hi
> 
> On 13-07-2020 11:46, Arne Schwabe wrote:
>> @@ -1100,7 +1100,7 @@ process_incoming_link_part1(struct context *c, struct 
>> link_socket_info *lsi, boo
>>  floated, &ad_start))
>>  {
>>  /* Restore pre-NCP frame parameters */
>> -if (is_hard_reset(opcode, c->options.key_method))
>> +if (is_hard_reset(opcode, KEY_METHOD_2))
>>  {
> 
> Can't we just remove the key_method parameter from is_hard_reset()?

Some code still checks if it is a general hard reset or if it is a v2
hard reset. I agree that we can do more cleanup in this area but that
would make more code changes. Should we pull that into this change?

>> @@ -3817,10 +3803,9 @@ options_string(const struct options *o,
>>   * tls-auth/tls-crypt does not match.  Removing tls-auth here 
>> would
>>   * break stuff, so leaving that in place. */
>>  
>> -if (o->key_method > 1)
>> -{
>> -buf_printf(&out, ",key-method %d", o->key_method);
>> -}
>> +
>> +
>> +buf_printf(&out, ",key-method %d", 2);
> 
> This could do with one less newline.
> 
>> @@ -2404,7 +2348,7 @@ key_method_2_write(struct buffer *buf, struct 
>> tls_session *session)
>>  }
>>  
>>  /* write key_method + flags */
>> -if (!buf_write_u8(buf, (session->opt->key_method & KEY_METHOD_MASK)))
>> +if (!buf_write_u8(buf, (KEY_METHOD_2 & KEY_METHOD_MASK)))
>>  {
>>  goto error;
>>  }
> 
> The masking looks a bit silly now. Maybe replace with a static_assert()
> if you want to be sure that no "wrong" bits are set?

Yeah I think the mask is silly here. I will just remove it.

> 
>>  static bool
>>  key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct 
>> tls_session *session)
>>  {
>>  struct key_state *ks = &session->key[KS_PRIMARY];  /* primary key */
>>  
>> -int key_method_flags;
>>  bool username_status, password_status;
>>  
>>  struct gc_arena gc = gc_new();
>> @@ -2582,8 +2464,6 @@ key_method_2_read(struct buffer *buf, struct tls_multi 
>> *multi, struct tls_sessio
>>  /* allocate temporary objects */
>>  ALLOC_ARRAY_CLEAR_GC(options, char, TLS_OPTIONS_LEN, &gc);
>>  
>> -ASSERT(session->opt->key_method == 2);
>> -
>>  /* discard leading uint32 */
>>  if (!buf_advance(buf, 4))
>>  {
>> @@ -2593,7 +2473,7 @@ key_method_2_read(struct buffer *buf, struct tls_multi 
>> *multi, struct tls_sessio
>>  }
>>  
>>  /* get key method */
>> -key_method_flags = buf_read_u8(buf);
>> +int key_method_flags = buf_read_u8(buf);
> 
> This variable declaration is now *after* a "goto error" jump. Currently
> not harmful, because the variable isn't used after the error label, but
> static analyzers might complain about "jump past initialization".
> 
> Otherwise this looks good based on stare-at-code. Didn't have time to
> test yet.

Clang/gcc will already complain/error out if you actually jump past
initialisation. So I think we are good here. Static analyzer are
hopefully not that broken.

Arne



signature.asc
Description: OpenPGP digital signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH applied] Re: doc/man: Replace old man page with generated man page

2020-07-17 Thread Gert Doering 
Acked-by: Gert Doering 

I have not tested the actual docutils / openvpn.8 generation (Samuli will 
complain loudly if tarball making doesn't work anymore, so that *will* 
see testing).  Generally it looks sane.

This condition looks a bit fishy, though...

 +AM_CONDITIONAL([HAVE_PYDOCUTILS], [test "${RST2MAN}" -a "${RST2HTML}"])

not sure what that will do in a POSIX shell.

Maybe this shouldn't be conditional either

 +if HAVE_PYDOCUTILS
  dist_noinst_DATA += openvpn.8

because it will lead to "tarballs randomly contain openvpn.8 or not, 
depending on whether docutils are around" - "make dist" should behave
consistently, and if there are no docutils, I think it should fail, not
silently leave out files.


URL pointed to SF again due to patch size.

Your patch has been applied to the master branch.

commit 51f2e4b0a4e09382dbc1b10b6a8b08febc8d293f
Author: David Sommerseth
Date:   Fri Jul 17 00:53:32 2020 +0200

 doc/man: Replace old man page with generated man page

 Signed-off-by: David Sommerseth 
 Acked-by: Gert Doering 
 Message-Id: <20200716225338.611-3-dav...@openvpn.net>
 URL: https://sourceforge.net/p/openvpn/mailman/message/37063373/
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH applied] Re: doc/man: Add an .rst formatted version of the man page

2020-07-17 Thread Gert Doering 
Acked-by: Gert Doering 

I have not really "reviewed" this (this would require a full side-by-
side reading of old and new manpage, and nobody ever reads the 
openvpn manpage from top to bottom...) - but I've skimmed through
it, and it made me laugh... :-)  ("OpenVPN ... lightweight footprint").

File sizes are similar, and there is no obvious "mistakes" in the rst
(like, duplications, or random garbage).

-rw-r--r--  1 gert  users  243522 Jun 26 14:33 openvpn.8
-rw-r--r--  1 gert  users  225588 Jul 17 09:29 openvpn.8.rst

$ wc -w openvpn.8 openvpn.8.rst
   35162 openvpn.8
   31700 openvpn.8.rst


There are (at least) two whitespace errors, where an alt-space (0xA0)
shows up at the end of a line, after a ^A character.  I have not changed
these, because it gets split into individual files anyway, and then
I have to re-do it.

Your patch has been applied to the master branch.

For the URL reference, I had to switch to the sourceforge archive as 
mail-archive.org does not accept such big mails.

commit d47b928d4e0501acdf1e449ad59951a19dd154a2
Author: David Sommerseth
Date:   Fri Jul 17 00:53:31 2020 +0200

 doc/man: Add an .rst formatted version of the man page

 Signed-off-by: David Sommerseth 
 Acked-by: Gert Doering 
 Message-Id: <20200716225338.611-2-dav...@openvpn.net>
 URL: https://sourceforge.net/p/openvpn/mailman/message/37063370/
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel