[Openvpn-devel] [PATCH applied] Re: Print a more user-friendly error when tls-crypt-v2 client auth fails
Acked-by: Gert Doering I find this a useful addition - with all these crypto stuff it can be quite hard to figure out what particular detail is not right. The patch is trivial, just adding a msg(), so I did not really test it beyond "compile?" and "does it have a space before or after the wrap?" (it has). Your patch has been applied to the master branch. commit 7a477c16a7c2a7016c7b15ea98fe3c40e8ef675b (master) commit 66f51e80b981f08ebc3c38f3fac7d0c88caeb85d (release/2.6) Author: Arne Schwabe Date: Mon May 22 11:12:31 2023 +0200 Print a more user-friendly error when tls-crypt-v2 client auth fails Signed-off-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <20230522091231.2837468-1-a...@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26718.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] Fwd: [PATCH] tun.c: enclose DNS domain in single quotes in WMIC call
Hi,
On Mon, Jul 10, 2023 at 7:22 AM Lev Stipakov wrote:
> From: Lev Stipakov
>
> This is needed to support domains with hyphens.
>
> Not using double quotes here, since our code replaces
> them with underbars (see
> https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/win32.c#L980).
>
> Fixes https://github.com/OpenVPN/openvpn/issues/363
>
> Change-Id: Iab536922d0731635cef529b5caf542f637b8d491
> Signed-off-by: Lev Stipakov
> ---
> src/openvpn/tun.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
> index d1fd6def..60974208 100644
> --- a/src/openvpn/tun.c
> +++ b/src/openvpn/tun.c
> @@ -333,7 +333,7 @@ do_dns_domain_wmic(bool add, const struct tuntap *tt)
> }
>
> struct argv argv = argv_new();
> -argv_printf(, "%s%s nicconfig where (InterfaceIndex=%ld) call
> SetDNSDomain %s",
> +argv_printf(, "%s%s nicconfig where (InterfaceIndex=%ld) call
> SetDNSDomain '%s'",
> get_win_sys_path(), WMIC_PATH_SUFFIX, tt->adapter_index,
> add ? tt->options.domain : "");
> exec_command("WMIC", , 1, M_WARN);
>
Quoting is required as wmic interprets characters such as hyphen and /.
Double quotes would have been better (as in interactive.c) as there are
some cases where characters within single quotes get interpreted special
(like 'foo>bar' vs "foo>bar").
That said, for valid domain names, the only expected characters are
alpha-numeric, hyphen and period, and single quotes should work. I have
only tested this using wmic command line, not the resulting openvpn.exe.
Acked-by: Selva Nair
P.S.
We probably need to sanitize the user-supplied domain name before passing
it to wmic.
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] show extra info for OpenSSL errors
Hi, On Fri, Jul 07, 2023 at 08:58:11PM +0200, Arne Schwabe wrote: > This also shows the extra data from the OpenSSL error function that > can contain extra information. For example, the command > > openvpn --providers vollbit > > will print out (on macOS): > > OpenSSLerror:12800067:DSO support routines::could not load the shared > library:filename(/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib): > > dlopen(/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib, > 0x0002): tried: > '/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib' (no > such file), > '/System/Volumes/Preboot/Cryptexes/OS/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib' > (no such file), > '/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib' (no > such file) Feature-ACK on providing more detail, because otherwise these errors can get really hard to track down. Your example above is somewhat excessive on repeating paths, but I do not see this on my FreeBSD test case $ src/openvpn/openvpn --providers legacyXX default --show-tls 2023-07-10 17:44:27 OpenSSLerror:12800067:DSO support routines::could not load the shared library:filename(/usr/lib/ossl-modules/legacyXX.so): /usr/lib/ossl-modules/legacyXX.so: Undefined symbol "ossl_md4_functions" 2023-07-10 17:44:27 OpenSSLerror:12800067:DSO support routines::could not load the shared library: 2023-07-10 17:44:27 OpenSSLerror:07880025:common libcrypto routines::reason(524325):name=legacyXX "this is just the right amount of details" :-) - for something that does not exist, I get 2023-07-10 17:45:17 OpenSSLerror:12800067:DSO support routines::could not load the shared library:filename(/usr/lib/ossl-modules/legacyYY.so): Cannot open "/usr/lib/ossl-modules/legacyYY.so" Code-wise, I would prefer to have someone who understands OpenSSL give this another look... Selva, Antonio? Thanks :-) gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v3] Introduce get_key_by_management_key_id helper function
This function allows us to map from a management key id to a key structure
and also allows this function to be reused.
Patch v2: add message when key is not found.
Patch v3: only consider valid keys
Change-Id: I42d8785959c24bf688190965e58b9b98251b8557
Signed-off-by: Arne Schwabe
---
src/openvpn/ssl_common.h | 20
src/openvpn/ssl_verify.c | 23 +--
2 files changed, 33 insertions(+), 10 deletions(-)
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index 27b029479..be0f18746 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -722,4 +722,24 @@ get_primary_key(const struct tls_multi *multi)
return >session[TM_ACTIVE].key[KS_PRIMARY];
}
+#ifdef ENABLE_MANAGEMENT
+/**
+ * Gets the \c key_state object that belong to the management key id or
+ * return NULL if not found.
+ */
+static inline struct key_state *
+get_key_by_management_key_id(struct tls_multi *multi, unsigned int mda_key_id)
+{
+for (int i = 0; i < KEY_SCAN_SIZE; ++i)
+{
+struct key_state *ks = get_key_scan(multi, i);
+if (ks->mda_key_id == mda_key_id && ks->state > S_UNDEF)
+{
+return ks;
+}
+}
+return NULL;
+}
+#endif
+
#endif /* SSL_COMMON_H_ */
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index 90416b69e..2395e55c8 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -1266,22 +1266,25 @@ tls_authentication_status(struct tls_multi *multi)
bool
tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id,
const bool auth, const char *client_reason)
{
-bool ret = false;
+struct key_state *ks = NULL;
if (multi)
{
-int i;
+
auth_set_client_reason(multi, client_reason);
-for (i = 0; i < KEY_SCAN_SIZE; ++i)
+ks = get_key_by_management_key_id(multi, mda_key_id);
+
+if (ks)
{
-struct key_state *ks = get_key_scan(multi, i);
-if (ks->mda_key_id == mda_key_id)
-{
-ks->mda_status = auth ? ACF_SUCCEEDED : ACF_FAILED;
-ret = true;
-}
+ks->mda_status = auth ? ACF_SUCCEEDED : ACF_FAILED;
}
+else
+{
+msg(D_TLS_DEBUG_LOW, "%s: no key state found for management key id
"
+"%d", __func__, mda_key_id);
+}
+
}
-return ret;
+return (bool) ks;
}
#endif /* ifdef ENABLE_MANAGEMENT */
--
2.39.2 (Apple Git-143)
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] tun.c: enclose DNS domain in single quotes in WMIC call
From: Lev Stipakov
This is needed to support domains with hyphens.
Not using double quotes here, since our code replaces
them with underbars (see
https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/win32.c#L980).
Fixes https://github.com/OpenVPN/openvpn/issues/363
Change-Id: Iab536922d0731635cef529b5caf542f637b8d491
Signed-off-by: Lev Stipakov
---
src/openvpn/tun.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
index d1fd6def..60974208 100644
--- a/src/openvpn/tun.c
+++ b/src/openvpn/tun.c
@@ -333,7 +333,7 @@ do_dns_domain_wmic(bool add, const struct tuntap *tt)
}
struct argv argv = argv_new();
-argv_printf(, "%s%s nicconfig where (InterfaceIndex=%ld) call
SetDNSDomain %s",
+argv_printf(, "%s%s nicconfig where (InterfaceIndex=%ld) call
SetDNSDomain '%s'",
get_win_sys_path(), WMIC_PATH_SUFFIX, tt->adapter_index, add ?
tt->options.domain : "");
exec_command("WMIC", , 1, M_WARN);
--
2.38.1.windows.1
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
