[Openvpn-devel] [PATCH applied] Re: Print a more user-friendly error when tls-crypt-v2 client auth fails
Acked-by: Gert Doering I find this a useful addition - with all these crypto stuff it can be quite hard to figure out what particular detail is not right. The patch is trivial, just adding a msg(), so I did not really test it beyond "compile?" and "does it have a space before or after the wrap?" (it has). Your patch has been applied to the master branch. commit 7a477c16a7c2a7016c7b15ea98fe3c40e8ef675b (master) commit 66f51e80b981f08ebc3c38f3fac7d0c88caeb85d (release/2.6) Author: Arne Schwabe Date: Mon May 22 11:12:31 2023 +0200 Print a more user-friendly error when tls-crypt-v2 client auth fails Signed-off-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <20230522091231.2837468-1-a...@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26718.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] Fwd: [PATCH] tun.c: enclose DNS domain in single quotes in WMIC call
Hi, On Mon, Jul 10, 2023 at 7:22 AM Lev Stipakov wrote: > From: Lev Stipakov > > This is needed to support domains with hyphens. > > Not using double quotes here, since our code replaces > them with underbars (see > https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/win32.c#L980). > > Fixes https://github.com/OpenVPN/openvpn/issues/363 > > Change-Id: Iab536922d0731635cef529b5caf542f637b8d491 > Signed-off-by: Lev Stipakov > --- > src/openvpn/tun.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c > index d1fd6def..60974208 100644 > --- a/src/openvpn/tun.c > +++ b/src/openvpn/tun.c > @@ -333,7 +333,7 @@ do_dns_domain_wmic(bool add, const struct tuntap *tt) > } > > struct argv argv = argv_new(); > -argv_printf(, "%s%s nicconfig where (InterfaceIndex=%ld) call > SetDNSDomain %s", > +argv_printf(, "%s%s nicconfig where (InterfaceIndex=%ld) call > SetDNSDomain '%s'", > get_win_sys_path(), WMIC_PATH_SUFFIX, tt->adapter_index, > add ? tt->options.domain : ""); > exec_command("WMIC", , 1, M_WARN); > Quoting is required as wmic interprets characters such as hyphen and /. Double quotes would have been better (as in interactive.c) as there are some cases where characters within single quotes get interpreted special (like 'foo>bar' vs "foo>bar"). That said, for valid domain names, the only expected characters are alpha-numeric, hyphen and period, and single quotes should work. I have only tested this using wmic command line, not the resulting openvpn.exe. Acked-by: Selva Nair P.S. We probably need to sanitize the user-supplied domain name before passing it to wmic. ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] show extra info for OpenSSL errors
Hi, On Fri, Jul 07, 2023 at 08:58:11PM +0200, Arne Schwabe wrote: > This also shows the extra data from the OpenSSL error function that > can contain extra information. For example, the command > > openvpn --providers vollbit > > will print out (on macOS): > > OpenSSLerror:12800067:DSO support routines::could not load the shared > library:filename(/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib): > > dlopen(/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib, > 0x0002): tried: > '/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib' (no > such file), > '/System/Volumes/Preboot/Cryptexes/OS/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib' > (no such file), > '/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib' (no > such file) Feature-ACK on providing more detail, because otherwise these errors can get really hard to track down. Your example above is somewhat excessive on repeating paths, but I do not see this on my FreeBSD test case $ src/openvpn/openvpn --providers legacyXX default --show-tls 2023-07-10 17:44:27 OpenSSLerror:12800067:DSO support routines::could not load the shared library:filename(/usr/lib/ossl-modules/legacyXX.so): /usr/lib/ossl-modules/legacyXX.so: Undefined symbol "ossl_md4_functions" 2023-07-10 17:44:27 OpenSSLerror:12800067:DSO support routines::could not load the shared library: 2023-07-10 17:44:27 OpenSSLerror:07880025:common libcrypto routines::reason(524325):name=legacyXX "this is just the right amount of details" :-) - for something that does not exist, I get 2023-07-10 17:45:17 OpenSSLerror:12800067:DSO support routines::could not load the shared library:filename(/usr/lib/ossl-modules/legacyYY.so): Cannot open "/usr/lib/ossl-modules/legacyYY.so" Code-wise, I would prefer to have someone who understands OpenSSL give this another look... Selva, Antonio? Thanks :-) gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v3] Introduce get_key_by_management_key_id helper function
This function allows us to map from a management key id to a key structure and also allows this function to be reused. Patch v2: add message when key is not found. Patch v3: only consider valid keys Change-Id: I42d8785959c24bf688190965e58b9b98251b8557 Signed-off-by: Arne Schwabe --- src/openvpn/ssl_common.h | 20 src/openvpn/ssl_verify.c | 23 +-- 2 files changed, 33 insertions(+), 10 deletions(-) diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 27b029479..be0f18746 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -722,4 +722,24 @@ get_primary_key(const struct tls_multi *multi) return >session[TM_ACTIVE].key[KS_PRIMARY]; } +#ifdef ENABLE_MANAGEMENT +/** + * Gets the \c key_state object that belong to the management key id or + * return NULL if not found. + */ +static inline struct key_state * +get_key_by_management_key_id(struct tls_multi *multi, unsigned int mda_key_id) +{ +for (int i = 0; i < KEY_SCAN_SIZE; ++i) +{ +struct key_state *ks = get_key_scan(multi, i); +if (ks->mda_key_id == mda_key_id && ks->state > S_UNDEF) +{ +return ks; +} +} +return NULL; +} +#endif + #endif /* SSL_COMMON_H_ */ diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index 90416b69e..2395e55c8 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -1266,22 +1266,25 @@ tls_authentication_status(struct tls_multi *multi) bool tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason) { -bool ret = false; +struct key_state *ks = NULL; if (multi) { -int i; + auth_set_client_reason(multi, client_reason); -for (i = 0; i < KEY_SCAN_SIZE; ++i) +ks = get_key_by_management_key_id(multi, mda_key_id); + +if (ks) { -struct key_state *ks = get_key_scan(multi, i); -if (ks->mda_key_id == mda_key_id) -{ -ks->mda_status = auth ? ACF_SUCCEEDED : ACF_FAILED; -ret = true; -} +ks->mda_status = auth ? ACF_SUCCEEDED : ACF_FAILED; } +else +{ +msg(D_TLS_DEBUG_LOW, "%s: no key state found for management key id " +"%d", __func__, mda_key_id); +} + } -return ret; +return (bool) ks; } #endif /* ifdef ENABLE_MANAGEMENT */ -- 2.39.2 (Apple Git-143) ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] tun.c: enclose DNS domain in single quotes in WMIC call
From: Lev Stipakov This is needed to support domains with hyphens. Not using double quotes here, since our code replaces them with underbars (see https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/win32.c#L980). Fixes https://github.com/OpenVPN/openvpn/issues/363 Change-Id: Iab536922d0731635cef529b5caf542f637b8d491 Signed-off-by: Lev Stipakov --- src/openvpn/tun.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c index d1fd6def..60974208 100644 --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c @@ -333,7 +333,7 @@ do_dns_domain_wmic(bool add, const struct tuntap *tt) } struct argv argv = argv_new(); -argv_printf(, "%s%s nicconfig where (InterfaceIndex=%ld) call SetDNSDomain %s", +argv_printf(, "%s%s nicconfig where (InterfaceIndex=%ld) call SetDNSDomain '%s'", get_win_sys_path(), WMIC_PATH_SUFFIX, tt->adapter_index, add ? tt->options.domain : ""); exec_command("WMIC", , 1, M_WARN); -- 2.38.1.windows.1 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel