Re: [Openvpn-devel] OpenVPN 3 Linux client - v8 beta released

2020-02-12 Thread David Sommerseth
On 10/02/2020 23:32, David Sommerseth wrote:
> 
> Hi,
> 
> The OpenVPN 3 Linux v8 beta is now released.
> 
> This is available in our git repositories [0] and URLs for source tarballs
> are listed later in this e-mail.  We have pre-built binaries for the
> following Linux distributions:
> 
> * Fedora 30, 31 and Rawhide (via Fedora Copr: x86_64, ppc64le, aarch64)
> * RHEL/CentOS 7 and 8  (via Fedora Copr: x86_64, ppc64le, aarch64)
> * Debian 9 and 10 (amd64)
> * Ubuntu 16.04, 18.04, 19.04 and 19.10 (amd64)
> 
> But there is an annoying detail with this release.  Cloudflare is doing
> its best to ensure that the .deb package repositories are corrupt, invalid,
> missing or not seeing the new files.  I've tried to do the magic steps
> required to clean up this, with no results.

This issue should now be resolved.  If you have issues with the openvpn3
Debian or Ubuntu packages, please get in touch so we can figure it out.


-- 
kind regards,

David Sommerseth
OpenVPN Inc




signature.asc
Description: OpenPGP digital signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [PATCH v4 2/2] Allow unicode search string in --cryptoapicert option

2020-02-12 Thread selva . nair
From: Selva Nair 

Currently when the certificate is specified as "SUBJ:foo", the
string foo is assumed to be ASCII. Change that and interpret
it as UTF-8, convert to a wide string, and flag it as Unicode
in CertFindCertificateInStore().

Signed-off-by: Selva Nair 
---
v4: matched to v4 of 1/2 

 src/openvpn/cryptoapi.c | 12 
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c
index b9f1328..1bf74fc 100644
--- a/src/openvpn/cryptoapi.c
+++ b/src/openvpn/cryptoapi.c
@@ -51,6 +51,7 @@
 
 #include "buffer.h"
 #include "openssl_compat.h"
+#include "win32.h"
 
 /* MinGW w32api 3.17 is still incomplete when it comes to CryptoAPI while
  * MinGW32-w64 defines all macros used. This is a hack around that problem.
@@ -746,12 +747,13 @@ find_certificate_in_store(const char *cert_prop, 
HCERTSTORE cert_store)
 const void *find_param;
 unsigned char hash[255];
 CRYPT_HASH_BLOB blob = {.cbData = 0, .pbData = hash};
+struct gc_arena gc = gc_new();
 
 if (!strncmp(cert_prop, "SUBJ:", 5))
 {
 /* skip the tag */
-find_param = cert_prop + 5;
-find_type = CERT_FIND_SUBJECT_STR_A;
+find_param = wide_string(cert_prop + 5, );
+find_type = CERT_FIND_SUBJECT_STR_W;
 }
 else if (!strncmp(cert_prop, "THUMB:", 6))
 {
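Review bot: the value returned by wide_string() on the `find_param = wide_string(...)` line is used unchecked as the CERT_FIND_SUBJECT_STR_W search parameter. If wide_string() can fail on a malformed UTF-8 --cryptoapicert value, CertFindCertificateInStore() would be handed a NULL search string; either test for NULL and `goto out` with a warning, like the other error paths in this function now do, or state in the commit message that wide_string() never returns NULL.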
@@ -779,7 +781,7 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE 
cert_store)
 if (!*++p)  /* unexpected end of string */
 {
 msg(M_WARN, "WARNING: cryptoapicert: error parsing 
.", cert_prop);
-return NULL;
+goto out;
 }
 if (*p >= '0' && *p <= '9')
 {
@@ -803,7 +805,7 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE 
cert_store)
 }
 else {
 msg(M_WARN, "WARNING: cryptoapicert: unsupported certificate 
specification <%s>", cert_prop);
-return NULL;
+goto out;
 }
 
 while(true)
@@ -824,6 +826,8 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE 
cert_store)
 validity < 0 ? "not yet valid" : "that has expired");
 }
 
+out:
+gc_free();
 return rv;
 }
 
-- 
2.1.4





[Openvpn-devel] [PATCH v4 1/2] Skip expired certificates in Windows certificate store

2020-02-12 Thread selva . nair
From: Selva Nair 

Have the cryptoapicert option find the first matching certificate
in store that is valid at the present time. Currently the first
found item, even if expired, is returned.

This makes it possible to update certificates in store without having
to delete old ones. As a side effect, if only expired certificates are
found, the connection fails.

Also remove some unnecessary casts.

Tested on Windows 10.
Trac #966

v4: Handle the case when an unknown certificate specification is passed
to find_certificate_in_store().

Note: Warnings printed from find_certificate_in_store() could show up
multiple times as it's called for each certificate store. This could
be improved in a future patch.

Signed-off-by: Selva Nair 
---
 src/openvpn/cryptoapi.c | 46 ++
 1 file changed, 34 insertions(+), 12 deletions(-)

diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c
index 2f2eee7..b9f1328 100644
--- a/src/openvpn/cryptoapi.c
+++ b/src/openvpn/cryptoapi.c
@@ -739,27 +739,30 @@ find_certificate_in_store(const char *cert_prop, 
HCERTSTORE cert_store)
  * SUBJ:
  * THUMB:, e.g.
  * THUMB:f6 49 24 41 01 b4 fb 44 0c ce f4 36 ae d0 c4 c9 df 7a b6 28
+ * The first matching certificate that has not expired is returned.
  */
 const CERT_CONTEXT *rv = NULL;
+DWORD find_type;
+const void *find_param;
+unsigned char hash[255];
+CRYPT_HASH_BLOB blob = {.cbData = 0, .pbData = hash};
 
 if (!strncmp(cert_prop, "SUBJ:", 5))
 {
 /* skip the tag */
-cert_prop += 5;
-rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | 
PKCS_7_ASN_ENCODING,
-0, CERT_FIND_SUBJECT_STR_A, cert_prop, 
NULL);
-
+find_param = cert_prop + 5;
+find_type = CERT_FIND_SUBJECT_STR_A;
 }
 else if (!strncmp(cert_prop, "THUMB:", 6))
 {
-unsigned char hash[255];
-char *p;
+const char *p;
 int i, x = 0;
-CRYPT_HASH_BLOB blob;
+find_type = CERT_FIND_HASH;
+find_param = 
 
 /* skip the tag */
 cert_prop += 6;
-for (p = (char *) cert_prop, i = 0; *p && i < sizeof(hash); i++)
+for (p = cert_prop, i = 0; *p && i < sizeof(hash); i++)
 {
 if (*p >= '0' && *p <= '9')
 {
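Review bot: the new doc comment line `The first matching certificate that has not expired is returned.` understates the behaviour this patch introduces: the loop added further down also skips certificates that are not yet valid, and its warning text distinguishes "not yet valid" from "that has expired". Suggest `The first matching certificate that is valid at the current time is returned.` so the comment covers both skip reasons.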
@@ -775,7 +778,8 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE 
cert_store)
 }
 if (!*++p)  /* unexpected end of string */
 {
-break;
+msg(M_WARN, "WARNING: cryptoapicert: error parsing 
.", cert_prop);
+return NULL;
 }
 if (*p >= '0' && *p <= '9')
 {
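Review bot: replacing the old `break` with `msg(M_WARN, ...)` + `return NULL` turns a trailing unpaired hex digit in a THUMB: value from a silently truncated hash into a hard failure, which is the right call, but the warning only says the value could not be parsed. Naming the cause ("odd number of hex digits in thumbprint") would save the user a guess, especially since the commit message notes the warning is repeated once per certificate store searched.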
@@ -796,10 +800,28 @@ find_certificate_in_store(const char *cert_prop, 
HCERTSTORE cert_store)
 }
 }
 blob.cbData = i;
-blob.pbData = (unsigned char *) 
-rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | 
PKCS_7_ASN_ENCODING,
-0, CERT_FIND_HASH, , NULL);
+}
+else {
+msg(M_WARN, "WARNING: cryptoapicert: unsupported certificate 
specification <%s>", cert_prop);
+return NULL;
+}
 
+while(true)
+{
+int validity = 1;
+/* this frees previous rv, if not NULL */
+rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | 
PKCS_7_ASN_ENCODING,
+0, find_type, find_param, rv);
+if (rv)
+{
+validity = CertVerifyTimeValidity(NULL, rv->pCertInfo);
+}
+if (!rv || validity == 0)
+{
+break;
+}
+msg(M_WARN, "WARNING: cryptoapicert: ignoring certificate in store 
%s.",
+validity < 0 ? "not yet valid" : "that has expired");
 }
 
 return rv;
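Review bot: when the `while(true)` loop ends with `rv == NULL` after skipping one or more candidates, the caller gets the same NULL as an outright "no certificate found", and the only trace is the per-certificate "ignoring certificate in store ..." warning. Counting the skipped matches and emitting one final warning ("N matching certificates found, none currently valid") would explain the connection failure the commit message lists as a side effect. Style: `else {` and `while(true)` differ from the surrounding code, which puts `{` on its own line (see the `if (!*++p)` block above) and spaces `while (...)`.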
-- 
2.1.4



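The selection rule described in the commit message above (match the store entry by SUBJ: or THUMB:, skip matches that are expired or not yet valid, fail when nothing valid remains), as an added, platform-independent C illustration that is not part of the patch or of OpenVPN: the Windows certificate store is replaced by a constructed in-memory array, CertFindCertificateInStore() and CertVerifyTimeValidity() are mimicked rather than called, and `fake_cert`, `parse_thumbprint`, `time_validity`, `store_find_first_valid`, `demo_store` and `demo_pick` are names invented here. The thumbprint parser accepts the space-separated hex form shown in the patch's doc comment, and the -1/0/+1 validity convention is kept so the warning text matches the patch.

```c
/* Added example, not OpenVPN or Windows code: the patch's selection rule
 * (first SUBJ:/THUMB: match that is valid right now) run against a constructed
 * in-memory store.  The CryptoAPI calls are mimicked; all names are invented. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct fake_cert {
    const char   *subject;
    unsigned char thumb[20];    /* SHA-1 thumbprint */
    long          not_before;   /* seconds; a plain long stands in for time_t */
    long          not_after;
};

/* Parse "f6 49 24 ..." (spaces optional) into bytes.  Returns the byte count,
 * or -1 on a non-hex character, an unpaired trailing digit, or overflow. */
static int parse_thumbprint(const char *s, unsigned char *out, size_t max)
{
    size_t n = 0;
    while (*s)
    {
        if (*s == ' ') { s++; continue; }
        if (n >= max || !isxdigit((unsigned char) s[0]) || !isxdigit((unsigned char) s[1]))
        {
            return -1;
        }
        char pair[3] = { s[0], s[1], '\0' };
        out[n++] = (unsigned char) strtoul(pair, NULL, 16);
        s += 2;
    }
    return (int) n;
}

/* Same convention as CertVerifyTimeValidity(): -1 not yet valid, 0 valid, 1 expired. */
static int time_validity(const struct fake_cert *c, long now)
{
    return now < c->not_before ? -1 : (now > c->not_after ? 1 : 0);
}

/* First certificate matching prop ("SUBJ:<text>" or "THUMB:<hex>") that is
 * valid at now, or NULL.  Matches outside their validity period are skipped
 * with a warning and counted in *skipped; an unknown tag or an unparsable
 * thumbprint gives NULL plus a warning, as in the patch. */
static const struct fake_cert *
store_find_first_valid(const struct fake_cert *store, size_t count,
                       const char *prop, long now, int *skipped)
{
    unsigned char want[255];    /* same size as the patch's hash[255] */
    int want_len = -1;
    const char *subj = NULL;
    *skipped = 0;
    if (!strncmp(prop, "SUBJ:", 5))
    {
        subj = prop + 5;        /* substring match; the real API is case-insensitive */
    }
    else if (!strncmp(prop, "THUMB:", 6))
    {
        want_len = parse_thumbprint(prop + 6, want, sizeof(want));
        if (want_len < 0)
        {
            fprintf(stderr, "WARNING: cryptoapicert: error parsing <%s>.\n", prop);
            return NULL;
        }
    }
    else
    {
        fprintf(stderr, "WARNING: cryptoapicert: unsupported certificate specification <%s>\n", prop);
        return NULL;
    }
    for (size_t i = 0; i < count; i++)
    {
        const struct fake_cert *c = &store[i];
        int match = subj ? (strstr(c->subject, subj) != NULL)
                         : (want_len == (int) sizeof(c->thumb)
                            && memcmp(c->thumb, want, sizeof(c->thumb)) == 0);
        if (!match) { continue; }
        int validity = time_validity(c, now);
        if (validity == 0) { return c; }       /* first currently valid match wins */
        (*skipped)++;
        fprintf(stderr, "WARNING: cryptoapicert: ignoring certificate in store %s.\n",
                validity < 0 ? "not yet valid" : "that has expired");
    }
    return NULL;                               /* nothing valid: the connection would fail */
}

/* Constructed store: the client subject twice (expired + valid renewal), and a server cert not yet valid at DEMO_NOW. */
#define REP20(b) b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b
static const struct fake_cert demo_store[] = {
    { "CN=client, O=Example", { REP20(0x01) }, 1000, 2000 },
    { "CN=client, O=Example", { REP20(0x02) }, 2500, 4000 },
    { "CN=server, O=Example", { REP20(0x03) }, 3500, 5000 },
};
#define DEMO_COUNT (sizeof(demo_store) / sizeof(demo_store[0]))
#define DEMO_NOW   3000L

int demo_last_skipped;          /* how many matches the last demo_pick() skipped */

/* Index of the chosen certificate in demo_store, or -1 if none is usable. */
int demo_pick(const char *prop)
{
    const struct fake_cert *c = store_find_first_valid(demo_store, DEMO_COUNT, prop, DEMO_NOW, &demo_last_skipped);
    return c ? (int) (c - demo_store) : -1;
}
```

With `SUBJ:client` the expired first entry is skipped with a warning and the renewal at index 1 is chosen, which is the update-without-deleting case the commit message describes; with `SUBJ:server` the only match is not yet valid, so the result is NULL and a real client would fail to connect.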


Re: [Openvpn-devel] [PATCH] openssl: alternative names support for --verify-x509-name CN checks

2020-02-12 Thread David Sommerseth
On 12/02/2020 15:39, Arne Schwabe wrote:
>> +bool
>> +x509v3_is_host_in_alternative_names(mbedtls_x509_crt *cert, const char
>> *host, bool *has_alt_names)
>> +{
>> +    msg(M_WARN, "Missing support for subject alternative names in
>> mbedtls.");

I'm not happy about this at all.  This should be possible to achieve with
mbed TLS as well:


One starting point for this can probably be found here:



-- 
kind regards,

David Sommerseth
OpenVPN Inc





Re: [Openvpn-devel] [PATCH] openssl: alternative names support for --verify-x509-name CN checks

2020-02-12 Thread Arne Schwabe
Am 10.02.20 um 18:59 schrieb Mateusz Markowicz via Openvpn-devel:
> When using "--verify-x509-name [hostname] name", hostname will now be
> accepted also when matched against one of the X509v3 Subject Alternative
> Name IP or DNS entries (instead of just Subject's CN).
> 
> see also: https://github.com/OpenVPN/openvpn/pull/136/
> 
> Signed-off-by: Mateusz Markowicz 


If this should have a chance of being included it needs to cover mbed
TLS as well.


Also documentation in the man page is missing.

> ---
> src/openvpn/options.c    |  4 +++
> src/openvpn/ssl_verify.c | 18 +++---
> src/openvpn/ssl_verify.h |  1 +
> src/openvpn/ssl_verify_backend.h |  7 ++
> src/openvpn/ssl_verify_mbedtls.c | 11 +
> src/openvpn/ssl_verify_openssl.c | 42 
> 6 files changed, 80 insertions(+), 3 deletions(-)
> 
> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> index 173a1eea..438dfff0 100644
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -8144,6 +8144,10 @@ add_option(struct options *options,
>  {
>  type = VERIFY_X509_SUBJECT_RDN_PREFIX;
>  }
> +    else if (streq(p[2], "subject-alt-name"))
> +    {
> +    type = VERIFY_X509_SAN;
> +    }
>  else
>  {
>  msg(msglevel, "unknown X.509 name type: %s", p[2]);
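Review bot: the man page for --verify-x509-name is not updated alongside the new `subject-alt-name` keyword accepted here: the diffstat above lists only src/openvpn/*.c and *.h files. The documentation change (the new keyword and the fallback to the CN when the certificate carries no Subject Alternative Names, as implemented in ssl_verify.c) should ship in the same patch.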
> diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
> index 65188d23..6480b5eb 100644
> --- a/src/openvpn/ssl_verify.c
> +++ b/src/openvpn/ssl_verify.c
> @@ -390,15 +390,27 @@ verify_peer_cert(const struct tls_options *opt,
> openvpn_x509_cert_t *peer_cert,
>  /* verify X509 name or username against --verify-x509-[user]name */
>  if (opt->verify_x509_type != VERIFY_X509_NONE)
>  {
> -    if ( (opt->verify_x509_type == VERIFY_X509_SUBJECT_DN
> +    bool match;
> +    if (opt->verify_x509_type == VERIFY_X509_SAN)
> +    {
> +    bool have_alt_names;
> +    match = x509v3_is_host_in_alternative_names(peer_cert,
> opt->verify_x509_name, _alt_names)
> +    || (!have_alt_names &&
> strcmp(opt->verify_x509_name, common_name) == 0);

I know that this is technically correct C, but setting a variable in the
first part of an && and then using it in the second part feels like not
good style. I would rather like a bit more verbose and less clever
code that is easier to understand.


> +    }
> +    else
> +    {
> +    match = (opt->verify_x509_type == VERIFY_X509_SUBJECT_DN
>    && strcmp(opt->verify_x509_name, subject) == 0)
>   || (opt->verify_x509_type == VERIFY_X509_SUBJECT_RDN
>   && strcmp(opt->verify_x509_name, common_name) == 0)
>   || (opt->verify_x509_type == VERIFY_X509_SUBJECT_RDN_PREFIX
>   && strncmp(opt->verify_x509_name, common_name,
> -    strlen(opt->verify_x509_name)) == 0) )
> +    strlen(opt->verify_x509_name)) == 0);
> +    }
> +
> +    if (match)
>  {
> -    msg(D_HANDSHAKE, "VERIFY X509NAME OK: %s", subject);
> +    msg(D_HANDSHAKE, "VERIFY X509NAME OK: %s",
> opt->verify_x509_name);

This changes the log message. If you want to verify that the cert is
prefixed with OVPN-client or something, you don't get to see what
certificate you accepted anymore. If you want to log opt->verify_x509_name,
that needs to be in addition.

>  }
>  else
>  {
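Review bot: `bool have_alt_names;` is declared without an initializer and then read in the `|| (!have_alt_names && strcmp(opt->verify_x509_name, common_name) == 0)` branch whenever x509v3_is_host_in_alternative_names() returns false. That is only safe if every backend writes the out-parameter on every false return; the backend header below documents it merely as optional ("If {has_alt_names} != NULL"), so a backend that returns false without touching it makes the CN fallback depend on an uninitialized bool. Initialize it so an unset value fails closed (`bool have_alt_names = true;` means no CN fallback unless the backend explicitly reports that the certificate has no SAN extension) and split the call and the fallback into two statements, which also resolves the readability concern raised above.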
> diff --git a/src/openvpn/ssl_verify.h b/src/openvpn/ssl_verify.h
> index c54b89a6..1295e76b 100644
> --- a/src/openvpn/ssl_verify.h
> +++ b/src/openvpn/ssl_verify.h
> @@ -64,6 +64,7 @@ struct cert_hash_set {
> #define VERIFY_X509_SUBJECT_DN  1
> #define VERIFY_X509_SUBJECT_RDN 2
> #define VERIFY_X509_SUBJECT_RDN_PREFIX  3
> +#define VERIFY_X509_SAN 4
> 
> #define TLS_AUTHENTICATION_SUCCEEDED  0
> #define TLS_AUTHENTICATION_FAILED 1
> diff --git a/src/openvpn/ssl_verify_backend.h
> b/src/openvpn/ssl_verify_backend.h
> index d6b31bfa..927a5a29 100644
> --- a/src/openvpn/ssl_verify_backend.h
> +++ b/src/openvpn/ssl_verify_backend.h
> @@ -268,4 +268,11 @@ result_t x509_write_pem(FILE *peercert_file,
> openvpn_x509_cert_t *peercert);
>   */
> bool tls_verify_crl_missing(const struct tls_options *opt);
> 
> +/**
> + * Return true iff {host} was found in {cert} Subject Alternative Names
> DNS or IP entries.
> + * If {has_alt_names} != NULL it'll return true iff Subject Alternative
> Names were defined
> + * for {cert}.
> + */
> +bool x509v3_is_host_in_alternative_names(openvpn_x509_cert_t *cert,
> const char *host, bool *has_alt_names);
> +
> #endif /* SSL_VERIFY_BACKEND_H_ */
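Review bot: the doc comment for x509v3_is_host_in_alternative_names() is ambiguous: "If {has_alt_names} != NULL it'll return true iff Subject Alternative Names were defined" reads as if the function's return value changes meaning, whereas the caller in ssl_verify.c relies on `*has_alt_names` being written. Spell out the contract: the return value is true iff {host} matched a DNS or IP SAN entry; `*has_alt_names`, when non-NULL, is always written, including on early returns, and is true iff the certificate carries a SAN extension.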
> diff --git a/src/openvpn/ssl_verify_mbedtls.c
> b/src/openvpn/ssl_verify_mbedtls.c
> index fd31bbbd..2f2e04be 100644
> --- a/src/openvpn/ssl_verify_mbedtls.c
> 

Re: [Openvpn-devel] [PATCH 2/4] argv: do fewer memory re-allocations

2020-02-12 Thread Arne Schwabe
Am 06.02.20 um 14:21 schrieb David Sommerseth:
> From: Heiko Hund 
> 
> Prevent the re-allocations of memory when the internal argv grows
> beyond 2 and 4 arguments by initially allocating argv to hold up to
> 7 (+ trailing NULL) pointers.
> 
> While at it rename argv_reset to argv_free to actually express
> what's going on. Redo the argv_reset functionality so that it can
> be used to actually reset the argv without re-allocation.
> 
> Signed-off-by: Heiko Hund 
> Signed-off-by: David Sommerseth 
> ---

Acked-By: Arne Schwabe 







Re: [Openvpn-devel] [PATCH 3/4] Add gc_arena to struct argv to save allocations

2020-02-12 Thread Arne Schwabe
Am 06.02.20 um 14:21 schrieb David Sommerseth:
> From: Heiko Hund 
> 
> With the private gc_arena we do not have to allocate the strings
> found during parsing again, since we know the arena they are
> allocated in is valid as long as the argv vector is.
> 
> Signed-off-by: Heiko Hund 
> Signed-off-by: David Sommerseth 

Acked-By: Arne Schwabe 

I don't feel it is really necessary, but it is a slight improvement and
this has been through too many revisions already, so get it in.







Re: [Openvpn-devel] [PATCH 4/4] Documented all the argv related code with minor refactoring

2020-02-12 Thread Arne Schwabe
Am 06.02.20 um 14:21 schrieb David Sommerseth:
> Added doxygen comments for all the functions in argv.c.
> 
> There are some slight refactoring, renaming a few variables to make
> their use case more obvious and ensure lines do not break our 80-chars
> per line coding style limit.
> 
> Signed-off-by: David Sommerseth 

Acked-By: Arne Schwabe 
more doxygen is always good!





Re: [Openvpn-devel] [PATCH 1/4] re-implement argv_printf_*()

2020-02-12 Thread Arne Schwabe
Am 06.02.20 um 14:21 schrieb David Sommerseth:
> From: Heiko Hund 
> 
> The previous implementation had the problem that it was not fully
> compatible with printf() and could only detect % format directives
> following a space character (0x20).
> 
> It modifies the format string and inserts marks to separate groups
> before passing it to the regular printf in libc. The marks are
> later used to separate the output string into individual command
> line arguments.
> 
> The choice of 0x1D as the argument delimiter is based on the
> assumption that no "regular" string passed to argv_printf_*() will
> ever have to contain that byte (and the fact that it actually is
> the ASCII "group separator" control character, which fits its
> purpose).
> 
> This commit has been updated by David Sommerseth based on Arne
> Schwabe and his own feedback on the mailing list.
> 

Acked-By: Arne Schwabe 



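The mark-and-split approach described in the commit message quoted above, as an added C example that is not OpenVPN's argv.c: `prep_format` joins the space-separated groups of the format string with the 0x1D group separator, the marked format goes through vsnprintf() unchanged, and the output is split on that byte, so a %s value containing spaces stays one argument and a directive glued to other text (`--mtu=%d`) is handled like any other. The names `argv_demo`, `ARGV_SEP`, `prep_format`, `argv_demo_printf`, `demo_build`, `demo_arg` and `demo_reject` are invented for this example, as is the sample command line.

```c
/* Added example, not OpenVPN's argv.c: the "insert marks, printf, split"
 * technique from the commit message.  Every identifier here is invented. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define ARGV_SEP 0x1D           /* ASCII group separator, as chosen in the commit */
#define ARGV_MAX 16

struct argv_demo {
    char  buf[1024];            /* formatted output; separators become NULs */
    char *argv[ARGV_MAX + 1];   /* pointers into buf, NULL-terminated */
    int   argc;
};

/* Copy fmt to out, turning each run of spaces between groups into one
 * ARGV_SEP byte; leading/trailing spaces yield no empty group.  Returns 0,
 * or -1 if fmt already carries the separator (the commit's assumption is
 * that no regular string ever does) or does not fit into out. */
static int prep_format(const char *fmt, char *out, size_t outlen)
{
    size_t n = 0;
    int pending_sep = 0;
    for (const char *p = fmt; *p; p++)
    {
        if ((unsigned char) *p == ARGV_SEP) { return -1; }
        if (*p == ' ') { pending_sep = (n > 0); continue; }
        if (n + 1 + pending_sep >= outlen) { return -1; }
        if (pending_sep) { out[n++] = ARGV_SEP; pending_sep = 0; }
        out[n++] = *p;
    }
    out[n] = '\0';
    return 0;
}

/* printf-style formatting into a->argv.  Returns argc, or -1 on a bad
 * format, truncation or too many arguments.  A %s value containing 0x1D
 * would be split too, which is exactly why the commit assumes none does. */
int argv_demo_printf(struct argv_demo *a, const char *fmt, ...)
{
    char prepped[1024];
    if (prep_format(fmt, prepped, sizeof(prepped)) < 0) { return -1; }

    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(a->buf, sizeof(a->buf), prepped, ap);
    va_end(ap);
    if (len < 0 || (size_t) len >= sizeof(a->buf)) { return -1; }

    a->argc = 0;
    a->argv[0] = NULL;
    if (len == 0) { return 0; }          /* empty format gives an empty vector */

    char *start = a->buf;
    for (char *p = a->buf; ; p++)
    {
        if (*p != '\0' && (unsigned char) *p != ARGV_SEP) { continue; }
        int at_end = (*p == '\0');
        *p = '\0';                       /* terminate this argument in place */
        if (a->argc >= ARGV_MAX) { return -1; }
        a->argv[a->argc++] = start;
        start = p + 1;
        if (at_end) { break; }
    }
    a->argv[a->argc] = NULL;
    return a->argc;
}

static struct argv_demo demo;

/* Constructed call: a script path containing a space, two %s values, and a
 * %d glued to "--mtu=" (a directive the old implementation would have missed). */
int demo_build(void)
{
    return argv_demo_printf(&demo, " %s  --ifconfig %s %s --mtu=%d ",
                            "/opt/my up.sh", "10.8.0.2", "255.255.255.0", 1500);
}

const char *demo_arg(int i)
{
    return (i >= 0 && i < demo.argc) ? demo.argv[i] : "";
}

/* A format string that already contains the separator byte is rejected. */
int demo_reject(void)
{
    return argv_demo_printf(&demo, "foo\x1D" "bar");
}

int main(void)
{
    int n = demo_build();
    for (int i = 0; i < n; i++) { printf("argv[%d] = \"%s\"\n", i, demo_arg(i)); }
    return n == 5 ? 0 : 1;
}
```

The sample call yields five arguments, with `/opt/my up.sh` kept whole and `--mtu=1500` formatted as a single token; the separator is placed only where the format string has spaces, never where a formatted value does, which is the property the old space-scanning implementation lacked.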


Re: [Openvpn-devel] [PATCH 1/2] Skip DNS address validation

2020-02-12 Thread Domagoj Pensa
Hi!

May I ask if there is anything else I can (or should) do regarding this
patch? Perhaps send the patch again with a revised/updated description as
suggested by Simon?

Thank you!

Regards,
Domagoj

