Re: [Openvpn-devel] coverity issue 1 - MF_EXTERNAL_KEY

2012-12-14 Thread Gert Doering
Hi,

On Fri, Dec 14, 2012 at 07:14:27PM +0100, Gert Doering wrote:
> coverity scanned our source tree, found 201 false positives (they do not
> like msg(M_ERR, ...), msg(M_WARN, ...) or msg(M_FATAL, ...)), and 3
> actual code confusions.

Small correction: in the most recent run, they only found 201+3 things, of
which only 2 are really relevant.

Unfortunately, there's much more stuff - 24 issues tagged as "high!", 
some of them confusion about ASSERT() inside coverity, but some could
need some reviewing... volunteers?

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de



[Openvpn-devel] coverity issue 2 - dead default / code cleanup in mtcp.c

2012-12-14 Thread Gert Doering
Hi,

next one: mtcp.c, about line 470:

  unsigned int flags = MTP_NONE;

  if (TUN_OUT(c))
    flags |= MTP_TUN_OUT;
  if (LINK_OUT(c))
    flags |= MTP_LINK_OUT;

  switch (flags)
    {
    case MTP_TUN_OUT|MTP_LINK_OUT:
    case MTP_TUN_OUT:
      newaction = TA_TUN_WRITE;
      break;
    case MTP_LINK_OUT:
      newaction = TA_SOCKET_WRITE;
      break;
    case MTP_NONE:
      if (mi && socket_read_residual (c->c2.link_socket))
        newaction = TA_SOCKET_READ_RESIDUAL;
      else
        multi_tcp_set_global_rw_flags (m, mi);
      break;
    default:
      {
        struct gc_arena gc = gc_new ();
        msg (M_FATAL, "MULTI TCP: multi_tcp_post bad state, mi=%s flags=%d",
             multi_instance_string (mi, false, &gc),
             flags);
        gc_free (&gc);
        break;
      }
    }

coverity is complaining that the "default:" clause can never be reached,
as all the possible values for "flags" are covered - and it's obviously
right.  It's not something critical, more a "code cleanup" thing.

(The whole usage of switch/case here reeks a bit, given that I think the 
code would be simpler by directly setting "newaction" depending on
"if (TUN_OUT(c))" etc., not bothering with "flags" in the first place)

Cleanup in 2.4?

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de
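Added example, not from the thread and not OpenVPN code: the decision above is modelled twice, once with the flags/switch shape as posted and once with the direct if-chain Gert suggests, and both are run over every combination of inputs. The MTP_* bits, the ACT_* enum and the three boolean inputs (standing in for TUN_OUT(c), LINK_OUT(c) and mi && socket_read_residual(...)) are constructed for the demonstration; the "call multi_tcp_set_global_rw_flags()" outcome is represented as an enum value rather than a side effect. The exhaustive check is what confirms both that the default: clause is dead and that the simpler form is behaviour-preserving.

```c
#include <stdio.h>

/* Constructed stand-ins for the MTP_* flag bits in mtcp.c. */
#define MTP_NONE     0u
#define MTP_TUN_OUT  (1u << 0)
#define MTP_LINK_OUT (1u << 1)

/* Constructed outcomes; the last two model a function call and the M_FATAL path. */
enum action {
    ACT_TUN_WRITE,
    ACT_SOCKET_WRITE,
    ACT_SOCKET_READ_RESIDUAL,
    ACT_SET_GLOBAL_RW_FLAGS,   /* stands for multi_tcp_set_global_rw_flags(m, mi) */
    ACT_BAD_STATE              /* stands for the msg(M_FATAL, ...) in default: */
};

/* The shape as posted: build a 2-bit flags word, then switch on it. */
static enum action decide_switch(int tun_out, int link_out, int residual)
{
    unsigned int flags = MTP_NONE;

    if (tun_out)
        flags |= MTP_TUN_OUT;
    if (link_out)
        flags |= MTP_LINK_OUT;

    switch (flags) {
    case MTP_TUN_OUT | MTP_LINK_OUT:
    case MTP_TUN_OUT:
        return ACT_TUN_WRITE;
    case MTP_LINK_OUT:
        return ACT_SOCKET_WRITE;
    case MTP_NONE:
        return residual ? ACT_SOCKET_READ_RESIDUAL : ACT_SET_GLOBAL_RW_FLAGS;
    default:
        /* flags can only take the four values listed above, so this is dead */
        return ACT_BAD_STATE;
    }
}

/* The suggested cleanup: decide directly on the inputs, no flags word. */
static enum action decide_direct(int tun_out, int link_out, int residual)
{
    if (tun_out)
        return ACT_TUN_WRITE;
    if (link_out)
        return ACT_SOCKET_WRITE;
    if (residual)
        return ACT_SOCKET_READ_RESIDUAL;
    return ACT_SET_GLOBAL_RW_FLAGS;
}

/* Returns 1 if any of the eight input combinations reaches default:. */
static int default_reachable(void)
{
    int t, l, r;
    for (t = 0; t < 2; t++)
        for (l = 0; l < 2; l++)
            for (r = 0; r < 2; r++)
                if (decide_switch(t, l, r) == ACT_BAD_STATE)
                    return 1;
    return 0;
}

/* Returns 1 if both decision procedures agree on all eight inputs. */
static int versions_agree(void)
{
    int t, l, r;
    for (t = 0; t < 2; t++)
        for (l = 0; l < 2; l++)
            for (r = 0; r < 2; r++)
                if (decide_switch(t, l, r) != decide_direct(t, l, r))
                    return 0;
    return 1;
}

int main(void)
{
    printf("default: clause reachable: %s\n", default_reachable() ? "yes" : "no");
    printf("switch and direct forms agree: %s\n", versions_agree() ? "yes" : "no");
    return 0;
}
```

Running it prints "no" and "yes"; a refactor of the real function can carry the same table-driven comparison as a unit test so the cleanup cannot silently change which action a connection gets.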



[Openvpn-devel] coverity issue 1 - MF_EXTERNAL_KEY

2012-12-14 Thread Gert Doering
Hi,

coverity scanned our source tree, found 201 false positives (they do not
like msg(M_ERR, ...), msg(M_WARN, ...) or msg(M_FATAL, ...)), and 3
actual code confusions.

I'm now going to post them here, to elicit comments on whether we want 
to fix 'em, just ignore 'em, or throw out all the source and go drink
a beer.

Issue #1:  "logical dead code", in options.c, line 2277:

  else
    {
      notnull (options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)");
#ifdef MANAGMENT_EXTERNAL_KEY
      if (!options->management_flags & MF_EXTERNAL_KEY)
#endif
        notnull (options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)");
    }

... if I read this right, this is "operator precedence again", and there
need to be brackets 

#ifdef MANAGMENT_EXTERNAL_KEY
      if (! (options->management_flags & MF_EXTERNAL_KEY) )
#endif


... Arne?

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de
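Added example, not from the thread and not OpenVPN code: the condition from issue #1 is written both ways and evaluated over every combination of two constructed flag bits (MF_EXTERNAL_KEY and a second flag are placeholders, not OpenVPN's real values). Because unary ! binds tighter than binary &, the posted form computes (!flags) & MF_EXTERNAL_KEY, whose left operand is 0 or 1 and whose right operand has a higher bit set, so it is 0 for every input. That is exactly why coverity reports the notnull() call as dead: in a build with MANAGMENT_EXTERNAL_KEY defined the private-key check is never executed, whether or not the external-key flag is set.

```c
#include <stdio.h>

/*
 * Constructed flag values for the demonstration; they stand in for
 * options->management_flags and MF_EXTERNAL_KEY and are not OpenVPN's
 * real definitions.
 */
#define MF_SOME_OTHER_FLAG (1u << 0)
#define MF_EXTERNAL_KEY    (1u << 3)

/*
 * The condition as posted.  '!' is applied to flags first, giving 0 or 1,
 * and that is then ANDed with bit 3, so the result is always 0 and the
 * guarded notnull() call can never run.
 */
static int key_check_buggy(unsigned int flags)
{
    return !flags & MF_EXTERNAL_KEY;
}

/* The condition with the brackets Gert proposes. */
static int key_check_fixed(unsigned int flags)
{
    return !(flags & MF_EXTERNAL_KEY);
}

/*
 * Compare both forms over every value drawn from the two constructed flags
 * and return the number of inputs on which they disagree.
 */
static int count_mismatches(void)
{
    unsigned int all = MF_SOME_OTHER_FLAG | MF_EXTERNAL_KEY;
    unsigned int flags;
    int mismatches = 0;

    for (flags = 0; flags <= all; flags++) {
        if ((flags & ~all) != 0)
            continue;               /* not a combination of our two flags */
        if (key_check_buggy(flags) != key_check_fixed(flags))
            mismatches++;
    }
    return mismatches;
}

int main(void)
{
    unsigned int all = MF_SOME_OTHER_FLAG | MF_EXTERNAL_KEY;
    unsigned int flags;

    printf("flags  buggy  fixed\n");
    for (flags = 0; flags <= all; flags++) {
        if ((flags & ~all) != 0)
            continue;
        printf("%5u  %5d  %5d\n", flags,
               key_check_buggy(flags), key_check_fixed(flags));
    }
    printf("inputs where the forms differ: %d\n", count_mismatches());
    return 0;
}
```

The two forms differ on exactly the inputs where the external-key bit is clear, which is the common case; compiling with -Wall and reading the warnings, or a static scan like the coverity run, is the cheap way to catch this class of precedence slip in option validation code.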



Re: [Openvpn-devel] Looking to hire consultant - help us disguise OpenVPN traffic from Chinese firewall

2012-12-14 Thread Samuli Seppänen
Also take a look here:



-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


> This isn't really the correct list for this.  You should have posted to 
> -users, instead.  Check out obfsproxy: 
> https://www.torproject.org/projects/obfsproxy.html.en
>
> Cheers
> -
> Eric F Crist
>
>
>
> On Dec 14, 2012, at 09:10:49, Ben  wrote:
>
>> To whom it may concern,
>>
>> I am running a VPN service and have customers located in China who cannot 
>> connect via OpenVPN due to recent changes in their firewall. We are looking 
>> for solutions to disguise the traffic so the connections won't be reset by 
>> the Chinese firewall.
>> If you are interested in working with us as a consultant on this project, 
>> please reply to this email.
>>
>> Thanks
>> Ben





Re: [Openvpn-devel] Looking to hire consultant - help us disguise OpenVPN traffic from Chinese firewall

2012-12-14 Thread Eric Crist
This isn't really the correct list for this.  You should have posted to -users, 
instead.  Check out obfsproxy: 
https://www.torproject.org/projects/obfsproxy.html.en

Cheers
-
Eric F Crist



On Dec 14, 2012, at 09:10:49, Ben  wrote:

> To whom it may concern,
> 
> I am running a VPN service and have customers located in China who cannot 
> connect via OpenVPN due to recent changes in their firewall. We are looking 
> for solutions to disguise the traffic so the connections won't be reset by 
> the Chinese firewall.
> If you are interested in working with us as a consultant on this project, 
> please reply to this email.
> 
> Thanks
> Ben




[Openvpn-devel] Looking to hire consultant - help us disguise OpenVPN traffic from Chinese firewall

2012-12-14 Thread Ben
To whom it may concern,

I am running a VPN service and have customers located in China who cannot 
connect via OpenVPN due to recent changes in their firewall. We are looking for 
solutions to disguise the traffic so the connections won't be reset by the 
Chinese firewall.
If you are interested in working with us as a consultant on this project, 
please reply to this email.

Thanks
Ben

[Openvpn-devel] [PATCH] Add a basic --management-external-key client to contrib/

2012-12-14 Thread Joachim Schipper
A very simple client for --management-external-key based on an on-disk keyfile.
Useful for testing.

Signed-off-by: Joachim Schipper 
---
 .gitignore |1 +
 contrib/management-external-key-client/Makefile|   12 +
 contrib/management-external-key-client/README  |   12 +
 .../management_external_key.c  |  349 
 4 files changed, 374 insertions(+)
 create mode 100644 contrib/management-external-key-client/Makefile
 create mode 100644 contrib/management-external-key-client/README
 create mode 100644 
contrib/management-external-key-client/management_external_key.c

diff --git a/.gitignore b/.gitignore
index a04afff..a8fb8a6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -48,6 +48,7 @@ version.sh
 msvc-env-local.bat
 config-msvc-local.h
 config-msvc-version.h
+contrib/management-external-key-client/management_external_key
 doc/openvpn.8.html
 distro/rpm/openvpn.spec
 tests/t_client.sh
diff --git a/contrib/management-external-key-client/Makefile 
b/contrib/management-external-key-client/Makefile
new file mode 100644
index 000..bad83b0
--- /dev/null
+++ b/contrib/management-external-key-client/Makefile
@@ -0,0 +1,12 @@
+.PHONY: clean
+
+#POLARSSL_INCLUDES?=-I/usr/local/include
+#POLARSSL_LDFLAGS?=-L/usr/local/lib -static
+CFLAGS=-O2 -g -W -Wall -Wextra -Wdeclaration-after-statement 
${POLARSSL_INCLUDES}
+LDFLAGS=${POLARSSL_LDFLAGS}
+
+management_external_key: management_external_key.c
+   ${CC} ${CFLAGS} ${LDFLAGS} -o management_external_key 
management_external_key.c -lpolarssl
+
+clean:
+   rm -f management_external_key
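Review bot: the `CFLAGS=` and `LDFLAGS=` assignments in this hunk overwrite whatever the builder has in the environment; use `?=` (as the commented-out POLARSSL_INCLUDES and POLARSSL_LDFLAGS lines already do) or `+=` so that distro or sanitizer flags survive, and `-W` is the old spelling of `-Wextra` and can be dropped. The CFLAGS line and the compile recipe also arrive wrapped onto two lines in this mail (`${POLARSSL_INCLUDES}` and `management_external_key.c -lpolarssl` sit on lines of their own), which would not parse as a Makefile; please check the patch applies with each as a single line.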
diff --git a/contrib/management-external-key-client/README 
b/contrib/management-external-key-client/README
new file mode 100644
index 000..78df077
--- /dev/null
+++ b/contrib/management-external-key-client/README
@@ -0,0 +1,12 @@
+When given the --management-external-key option, OpenVPN does not use a private
+key to sign SSL handshakes, but instead requests a signature over the
+management interface.
+
+This is a simple client for the management interface that uses a private key
+stored in a PEM file to create the signatures.
+
+You'll need PolarSSL to compile this code. Run management_external_key for
+instructions.
+
+Note that this is not production-ready code. It may, however, be useful for
+testing purposes.
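Review bot: the README does not say whether the PEM key may be passphrase-protected or how a passphrase would be supplied, nor that the key is read from an on-disk file whose permissions the operator has to get right; both belong next to the "not production-ready" caveat. It also says nothing about how the client reaches OpenVPN, while the USAGE string in management_external_key.c shows a TCP connection to `host:port`, so one sentence pointing the reader at the management interface's own access controls (binding it to loopback, its password) would make the testing-only intent clear to someone who finds this under contrib/.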
diff --git a/contrib/management-external-key-client/management_external_key.c 
b/contrib/management-external-key-client/management_external_key.c
new file mode 100644
index 000..f57a084
--- /dev/null
+++ b/contrib/management-external-key-client/management_external_key.c
@@ -0,0 +1,349 @@
+/*
+ *  A simple client for openvpn --management-external-key.
+ *
+ *  Copyright (C) 2012 Fox Crypto B.V. 
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2
+ *  as published by the Free Software Foundation.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program (see the file COPYING included with this
+ *  distribution); if not, write to the Free Software Foundation, Inc.,
+ *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
+/*
+ * This code depends only on PolarSSL.
+ */
+
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+#include 
+
+#define USAGE ("Usage: %s [-l] [-H host] port key\n" \
+"Client for openvpn --management-external-key\n" \
+"\n" \
+"  -H host  connect to host instead of localhost\n" \
+"  -l   request OpenVPN logs\n" \
+"  port port of the OpenVPN management interface\n" \
+"  key  keyfile (in PEM format) to use\n")
+
+/* Management interface requesting a signature */
+#define RSA_PROMPT_PREFIX ">RSA_SIGN:"
+#define RSA_RESP_PREFIX "rsa-sig\r\n"
+#define RSA_RESP_SUFFIX "\r\nEND\r\n"
+
+#ifndef __GNUC__
+#define __attribute__(x) /* gcc only */
+#endif
+
+int main(int argc, char **argv);
+/* Connect to management interface; returns socket or terminates program */
+static inline int open_sock(const char *host, const char *port);
+/* Communicate with OpenVPN */
+static inline void management_client(int management_sock, const char *keyfile,
+int request_logs) __attribute__((noreturn));
+/*
+ * Write some initial commands requesting logs etc. Returns 0 on success, or
+ * nonzero and sets errno.
+ */
+static inline int write_initial_commands(int management_sock,
+int request_logs);
+/*
+ * Handle a line of line_len characters; if partial, line is an incomplete
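Review bot: USAGE offers `-H host` to talk to a non-local management interface, but no option for a management password appears, so whoever runs this tool answers every `>RSA_SIGN:` prompt arriving over that connection with a signature from the key file; either state in USAGE that -H is for test setups on trusted networks or add password-prompt handling. Smaller points in the same preamble: the prototype for `main()` is redundant, `static inline` on `management_client()` and the other one-shot functions adds nothing, and the `#define __attribute__(x)` shim is fine only because every system header is included above it. As received in this mail every `#include` line is empty and the hunk breaks off after the "Handle a line of line_len characters" comment, so the line parser and the signing path could not be reviewed here; please resend with the headers intact.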