[Openvpn-devel] [PATCH applied] Re: doc: fix misc documentation issues
Your patch has been applied to the master branch.

commit fe340a9c1ee1b04b17e7fb367043ff575763b91c
Author: Frank Lichtenheld
Date:   Mon Feb 14 18:33:42 2022 +0100

    doc: fix misc documentation issues

    Signed-off-by: Frank Lichtenheld
    Acked-by: David Sommerseth
    Message-Id: <20220214173342.12655-1-fr...@lichtenheld.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23788.html
    Signed-off-by: Gert Doering

--
kind regards,

Gert Doering

___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH 3/3 v3] doc/options: clean up documentation for --proto and related options
The family specific options were generally omitted. Cc: David Sommerseth Signed-off-by: Frank Lichtenheld --- doc/man-sections/client-options.rst | 10 ++ doc/man-sections/link-options.rst | 5 - src/openvpn/options.c | 17 + 3 files changed, 23 insertions(+), 9 deletions(-) v2: move #define around v3: reword --proto-force with input from David diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst index c7cec176..e53b5262 100644 --- a/doc/man-sections/client-options.rst +++ b/doc/man-sections/client-options.rst @@ -199,6 +199,16 @@ configuration. When iterating through connection profiles, only consider profiles using protocol ``p`` (:code:`tcp` \| :code:`udp`). + Note that this specifically only filters by the transport layer + protocol, i.e. UDP or TCP. This does not affect whether IPv4 or + IPv6 is used as IP protocol. + + For implementation reasons the option accepts the :code:`4` and :code:`6` + suffixes when specifying the protocol + (i.e. :code:`udp4` / :code:`udp6` / :code:`tcp4` / :code:`tcp6`). + However, these behave the same as without the suffix and should be avoided + to prevent confusion. + --pull This option must be used on a client which is connecting to a multi-client server. It indicates to OpenVPN that it should accept diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index 52df843d..782aa738 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst 
@@ -289,7 +289,10 @@ the local and the remote host. --proto p Use protocol ``p`` for communicating with remote host. ``p`` can be - :code:`udp`, :code:`tcp-client`, or :code:`tcp-server`. + :code:`udp`, :code:`tcp-client`, or :code:`tcp-server`. You can also + limit OpenVPN to use only IPv4 or only IPv6 by specifying ``p`` as + :code:`udp4`, :code:`tcp4-client`, :code:`tcp4-server` or :code:`udp6`, + :code:`tcp6-client`, :code:`tcp6-server`, respectively. The default protocol is :code:`udp` when ``--proto`` is not specified. diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 92aeba3d..7ce0ba61 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -126,9 +126,11 @@ static const char usage_message[] = "--remote-random-hostname : Add a random string to remote DNS name.\n" "--mode m: Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n" "--proto p : Use protocol p for communicating with peer.\n" -" p = udp (default), tcp-server, or tcp-client\n" +" p = udp (default), tcp-server, tcp-client\n" +" udp4, tcp4-server, tcp4-client\n" +" udp6, tcp6-server, tcp6-client\n" "--proto-force p : only consider protocol p in list of connection profiles.\n" -" p = udp6, tcp6-server, or tcp6-client (ipv6)\n" +" p = udp or tcp\n" "--connect-retry n [m] : For client, number of seconds to wait between\n" " connection retries (default=%d). On repeated retries\n" " the wait time is exponentially increased to a maximum of m\n" @@ -2300,6 +2302,8 @@ options_postprocess_verify_ce(const struct options *options, */ if (options->mode == MODE_SERVER) { +#define USAGE_VALID_SERVER_PROTOS "--mode server currently only supports " \ + "--proto values of udp, tcp-server, tcp4-server, or tcp6-server" #ifdef TARGET_ANDROID msg(M_FATAL, "--mode server not supported on Android"); #endif 
@@ -2317,15 +2321,14 @@ options_postprocess_verify_ce(const struct options *options, } if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCP_SERVER)) { -msg(M_USAGE, "--mode server currently only supports " -"--proto udp or --proto tcp-server or proto tcp6-server"); +msg(M_USAGE, USAGE_VALID_SERVER_PROTOS); } #if PORT_SHARE if ((options->port_share_host || options->port_share_port) && (ce->proto != PROTO_TCP_SERVER)) { msg(M_USAGE, "--port-share only works in TCP server mode " -"(--proto tcp-server or tcp6-server)"); +"(--proto values of tcp-server, tcp4-server, or tcp6-server)"); } #endif if (!options->tls_server) @@ -2369,9 +2372,7 @@ options_postprocess_verify_ce(const struct options *options, } if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCP_SERVER)) { -msg(M_USAGE, -"--mode server currently only supports --proto udp or --proto " -"tcp-server or --proto tcp6-server"); +msg(M_USAGE, USAGE_VALID_SERVER_PROTOS); } if (!proto_is_udp(ce->proto) && (options->cf_max || options->cf_per)) { -- 2.30.2
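Review bot: in the options.c hunk at @@ -2300, USAGE_VALID_SERVER_PROTOS is #defined inside the `if (options->mode == MODE_SERVER)` block and never #undef'd, so the macro outlives that block and stays visible for the rest of the translation unit. Since it is a usage string shared by two msg(M_USAGE, ...) calls in options_postprocess_verify_ce(), suggest either moving the #define to file scope next to usage_message or adding `#undef USAGE_VALID_SERVER_PROTOS` after its last use in the @@ -2369 hunk.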
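Review bot: the new USAGE_VALID_SERVER_PROTOS text lists "udp, tcp-server, tcp4-server, or tcp6-server", but the guarding checks are `proto_is_udp(ce->proto)` and `proto_is_dgram(ce->proto)`, and the --proto documentation in the same patch introduces :code:`udp4` and :code:`udp6` as accepted values. If those pass proto_is_udp(), the message should name udp4 and udp6 as well, for consistency with the tcp4/tcp6 variants it already lists.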
Re: [Openvpn-devel] [PATCH] Fix checks of SHA256 in tls-crypt and auth-token
May as well attribute this correctly.

* tincant...@protonmail.com

Protonmail now so badly mangles mail on reply that I may have to go back to gmail.
Re: [Openvpn-devel] [PATCH 2/3 v2] doc: fix misc documentation issues
On 14/02/2022 18:33, Frank Lichtenheld wrote:
> - Broken/missing formatting
> - Make it obvious which arguments are optional
>
> Only the files touched have been reviewed, all other files likely have
> similar issues.
>
> Signed-off-by: Frank Lichtenheld
> ---
>  doc/man-sections/client-options.rst  |  4 ++--
>  doc/man-sections/generic-options.rst | 34
>  doc/man-sections/link-options.rst    | 26 +
>  src/openvpn/options.c                |  2 +-
>  4 files changed, 43 insertions(+), 23 deletions(-)
>
> v2: remove some changes David disliked. Not that important.
>
> Regards,
> --
> Frank Lichtenheld

Thanks! This time I've only glared at the changes in diff format, but they all look sane and good to me.

Acked-By: David Sommerseth

--
kind regards,

David Sommerseth
OpenVPN Inc
Re: [Openvpn-devel] [PATCH 3/3 v2] doc/options: clean up documentation for --proto and related options
On 14/02/2022 13:41, Frank Lichtenheld wrote: David Sommerseth hat am 11.02.2022 21:39 geschrieben: On 10/02/2022 11:21, Frank Lichtenheld wrote: The family specific options were generally omitted. Signed-off-by: Frank Lichtenheld --- doc/man-sections/client-options.rst | 5 + doc/man-sections/link-options.rst | 5 - src/openvpn/options.c | 17 + 3 files changed, 18 insertions(+), 9 deletions(-) v2: move #define around diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst index 73f1ea51..4c4a8707 100644 --- a/doc/man-sections/client-options.rst +++ b/doc/man-sections/client-options.rst 
@@ -198,6 +198,11 @@ configuration. When iterating through connection profiles, only consider profiles using protocol ``p`` (:code:`tcp` \| :code:`udp`). + Note that this specifically only affects the protocol, not the inet + family (i.e. IPv4 vs. IPv6). While the option actually accepts + values like :code:`udp6`, there is no difference to specifying + :code:`udp`. + [...] Perhaps something like the suggestion below might be somewhat clearer? Note that this specifically only affects the TCP/IP transport layer protocol (UDP/TCP), not the TCP/IP network layers (IPv4/IPv6). In practice it means it will only consider connection profiles using either TCP or UDP. This does not affect whether IPv4 or IPv6 is used as IP protocols. In this context, :code:`udp`, :code:`udp4` and :code:`udp6` are all considered the same. And similar with :code:`tcp`, :code:`tcp4` and :code:`tcp6` Thanks, I hate it ;) Seriously though, I find this too clunky. Yes, TCP/IP is technically the correct name, but isn't that even more confusing? Maybe we can find a compromise: Note that this specifically only filters by the transport layer protocol, i.e. UDP or TCP. This does not affect whether IPv4 or IPv6 is used as IP protocol. For implementation reasons the option accepts the :code:`4` and :code:`6` suffixes when specifying the protocol (i.e. :code:`udp4` / :code:`udp6` / :code:`tcp4` / :code:`tcp6`). However, these behave the same as without the suffix and should be avoided to prevent confusion. Thanks, that's better! Let's roll with that. -- kind regards, David Sommerseth OpenVPN Inc OpenPGP_signature Description: OpenPGP digital signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v2] auth_token/tls_crypt: fix usage of md_valid()
On 15.02.22 at 13:31, Antonio Quartulli wrote:
> With b39725cf ("Remove md_kt_t and change crypto API to use const char*")
> the logic for validating ciphers and md algorithms has been changed.
> We should now *always* use md_valid() when validating a digest alg.
>
> At the same time, add '!' (negation) when validating the digest algorithm
> in the tls-crypt code, in order to restore the proper logic.
>
> Cc: Arne Schwabe
> Fixes: b39725cf ("Remove md_kt_t and change crypto API to use const char*")
> Reported-by: Richard T Bonhomme
> Signed-off-by: Antonio Quartulli

Acked-By: Arne Schwabe
[Openvpn-devel] [PATCH v2] auth_token/tls_crypt: fix usage of md_valid()
With b39725cf ("Remove md_kt_t and change crypto API to use const char*") the logic for validating ciphers and md algorithms has been changed. We should now *always* use md_valid() when validating a digest alg. At the same time, add '!' (negation) when validating the digest algorithm in the tls-crypt code, in order to restore the proper logic. Cc: Arne Schwabe Fixes: b39725cf ("Remove md_kt_t and change crypto API to use const char*") Reported-by: Richard T Bonhomme Signed-off-by: Antonio Quartulli --- Changes from v1: * fixed doc for md_valid() src/openvpn/auth_token.c | 2 +- src/openvpn/crypto_backend.h | 3 +-- src/openvpn/tls_crypt.c | 2 +- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c index ceae68f6..10c9dde6 100644 --- a/src/openvpn/auth_token.c +++ b/src/openvpn/auth_token.c @@ -38,7 +38,7 @@ auth_token_kt(void) kt.cipher = "none"; kt.digest = "SHA256"; -if (!kt.digest) +if (!md_valid(kt.digest)) { msg(M_WARN, "ERROR: --tls-crypt requires HMAC-SHA-256 support."); return (struct key_type) { 0 }; diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h index abf1b876..6d89b9e5 100644 --- a/src/openvpn/crypto_backend.h +++ b/src/openvpn/crypto_backend.h @@ -520,8 +520,7 @@ static inline bool md_defined(const char* mdname) * * @param digestName of the digest to verify, e.g. \c MD5). * - * @return A statically allocated structure containing parameters - * for the given message digest. + * @return Whether a digest of the given name is available */ bool md_valid(const char *digest); diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index 610168b0..aae2a917 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c 
@@ -59,7 +59,7 @@ tls_crypt_kt(void) msg(M_WARN, "ERROR: --tls-crypt requires AES-256-CTR support."); return (struct key_type) { 0 }; } -if (cipher_valid(kt.digest)) +if (!md_valid(kt.digest)) { msg(M_WARN, "ERROR: --tls-crypt requires HMAC-SHA-256 support."); return (struct key_type) { 0 }; -- 2.34.1 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
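Review bot: in the auth_token.c hunk the warning that follows the corrected check still reads "ERROR: --tls-crypt requires HMAC-SHA-256 support.", although the surrounding function is auth_token_kt(), so a build without SHA256 support would log a message pointing at the wrong feature. The line is already inside the hunk's context, so it could be reworded here to refer to the auth-token key type instead of --tls-crypt.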
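Review bot: the crypto_backend.h hunk fixes the @return text of md_valid() but leaves the @param line in its context, `* @param digestName of the digest to verify, e.g. \c MD5).`, with a stray closing parenthesis and the parameter name run together with its description ("digest" followed by "Name of the digest ..."). Since the comment block is being touched anyway, the @param line could be cleaned up in the same hunk.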
Re: [Openvpn-devel] [PATCH] auth_token/tls_crypt: fix usage of md_valid()
On 15.02.22 at 11:26, Antonio Quartulli wrote:
> With b39725cf ("Remove md_kt_t and change crypto API to use const char*")
> the logic for validating ciphers and md algorithms has been changed.
> We should now *always* use md_valid() when validating a digest alg.
>
> At the same time, add '!' (negation) when validating the digest algorithm
> in the tls-crypt code, in order to restore the proper logic.
>
> Cc: Arne Schwabe
> Fixes: b39725cf ("Remove md_kt_t and change crypto API to use const char*")
> Reported-by: Richard T Bonhomme
> Signed-off-by: Antonio Quartulli

Acked-By: Arne Schwabe
[Openvpn-devel] [PATCH] Fix checks of SHA256 in tls-crypt and auth-token
These checks were not correctly updated. The check in auth-token did nothing at all and the check in tls-crypt was the wrong check but that was hidden by the condition being inverted as well. Reported-By: tincnt...@protonmail.com --- src/openvpn/auth_token.c | 2 +- src/openvpn/crypto_backend.h | 3 +-- src/openvpn/tls_crypt.c | 2 +- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c index ceae68f6..10c9dde6 100644 --- a/src/openvpn/auth_token.c +++ b/src/openvpn/auth_token.c @@ -38,7 +38,7 @@ auth_token_kt(void) kt.cipher = "none"; kt.digest = "SHA256"; -if (!kt.digest) +if (!md_valid(kt.digest)) { msg(M_WARN, "ERROR: --tls-crypt requires HMAC-SHA-256 support."); return (struct key_type) { 0 }; diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h index abf1b876..78260057 100644 --- a/src/openvpn/crypto_backend.h +++ b/src/openvpn/crypto_backend.h @@ -520,8 +520,7 @@ static inline bool md_defined(const char* mdname) * * @param digestName of the digest to verify, e.g. \c MD5). * - * @return A statically allocated structure containing parameters - * for the given message digest. + * @return the availability of the digest of the given name. */ bool md_valid(const char *digest); diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index 610168b0..aae2a917 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -59,7 +59,7 @@ tls_crypt_kt(void) msg(M_WARN, "ERROR: --tls-crypt requires AES-256-CTR support."); return (struct key_type) { 0 }; } -if (cipher_valid(kt.digest)) +if (!md_valid(kt.digest)) { msg(M_WARN, "ERROR: --tls-crypt requires HMAC-SHA-256 support."); return (struct key_type) { 0 }; -- 2.33.0 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] auth_token/tls_crypt: fix usage of md_valid()
With b39725cf ("Remove md_kt_t and change crypto API to use const char*") the logic for validating ciphers and md algorithms has been changed. We should now *always* use md_valid() when validating a digest alg. At the same time, add '!' (negation) when validating the digest algorithm in the tls-crypt code, in order to restore the proper logic. Cc: Arne Schwabe Fixes: b39725cf ("Remove md_kt_t and change crypto API to use const char*") Reported-by: Richard T Bonhomme Signed-off-by: Antonio Quartulli --- src/openvpn/auth_token.c | 2 +- src/openvpn/tls_crypt.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c index ceae68f6..10c9dde6 100644 --- a/src/openvpn/auth_token.c +++ b/src/openvpn/auth_token.c @@ -38,7 +38,7 @@ auth_token_kt(void) kt.cipher = "none"; kt.digest = "SHA256"; -if (!kt.digest) +if (!md_valid(kt.digest)) { msg(M_WARN, "ERROR: --tls-crypt requires HMAC-SHA-256 support."); return (struct key_type) { 0 }; diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index 610168b0..aae2a917 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -59,7 +59,7 @@ tls_crypt_kt(void) msg(M_WARN, "ERROR: --tls-crypt requires AES-256-CTR support."); return (struct key_type) { 0 }; } -if (cipher_valid(kt.digest)) +if (!md_valid(kt.digest)) { msg(M_WARN, "ERROR: --tls-crypt requires HMAC-SHA-256 support."); return (struct key_type) { 0 }; -- 2.34.1 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel