Re: [Openvpn-devel] [PATCH 5/6] Make tls_ctx_restrict_ciphers accept NULL as char *cipher_list.
Hi, Attached a v2 of the patch below, that removes the else to make the diff a lot smaller and changes a //-style comment to /* */-style. -Steffan On 01-01-14 21:10, Steffan Karger wrote: > This diff look like a lot has changed, but this just adds some ifs to check > for NULL in tls_ctx_restrict_ciphers() to prepare for disabling export > ciphers by default in OpenVPN 2.4+. > > Signed-off-by: Steffan Karger> --- > src/openvpn/ssl.c | 5 +- > src/openvpn/ssl_backend.h | 5 +- > src/openvpn/ssl_openssl.c | 130 > ++--- > src/openvpn/ssl_polarssl.c | 7 ++- > 4 files changed, 85 insertions(+), 62 deletions(-) > > diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c > index bd19d75..93222c4 100644 > --- a/src/openvpn/ssl.c > +++ b/src/openvpn/ssl.c > @@ -543,10 +543,7 @@ init_ssl (const struct options *options, struct > tls_root_ctx *new_ctx) > } > >/* Allowable ciphers */ > - if (options->cipher_list) > -{ > - tls_ctx_restrict_ciphers(new_ctx, options->cipher_list); > -} > + tls_ctx_restrict_ciphers(new_ctx, options->cipher_list); > > #ifdef ENABLE_CRYPTO_POLARSSL >/* Personalise the random by mixing in the certificate */ > diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h > index 54383fe..a6fc3bd 100644 > --- a/src/openvpn/ssl_backend.h > +++ b/src/openvpn/ssl_backend.h > @@ -167,8 +167,9 @@ void tls_ctx_set_options (struct tls_root_ctx *ctx, > unsigned int ssl_flags); > /** > * Restrict the list of ciphers that can be used within the TLS context. > * > - * @param ctxTLS context to restrict > - * @param ciphersString containing : delimited cipher names. > + * @param ctxTLS context to restrict, must be valid. > + * @param ciphersString containing : delimited cipher names, or NULL to > use > + * sane defaults. > */ > void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers); > > diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c > index 08327a1..5f6c270 100644 > --- a/src/openvpn/ssl_openssl.c > +++ b/src/openvpn/ssl_openssl.c > @@ -217,71 +217,91 @@ tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned > int ssl_flags) > void > tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) > { > - size_t begin_of_cipher, end_of_cipher; > - > - const char *current_cipher; > - size_t current_cipher_len; > + if (ciphers == NULL) > +{ > + /* Nothing to do */ > + return; > +} > + else > +{ > + /* Parse supplied cipher list and pass on to OpenSSL */ > + size_t begin_of_cipher, end_of_cipher; > > - const tls_cipher_name_pair *cipher_pair; > + const char *current_cipher; > + size_t current_cipher_len; > > - char openssl_ciphers[4096]; > - size_t openssl_ciphers_len = 0; > - openssl_ciphers[0] = '\0'; > + const tls_cipher_name_pair *cipher_pair; > > - ASSERT(NULL != ctx); > + char openssl_ciphers[4096]; > + size_t openssl_ciphers_len = 0; > + openssl_ciphers[0] = '\0'; > > - // Translate IANA cipher suite names to OpenSSL names > - begin_of_cipher = end_of_cipher = 0; > - for (; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher) > { > - end_of_cipher += strcspn([begin_of_cipher], ":"); > - cipher_pair = tls_get_cipher_name_pair([begin_of_cipher], > end_of_cipher - begin_of_cipher); > + ASSERT(NULL != ctx); > > - if (NULL == cipher_pair) > + // Translate IANA cipher suite names to OpenSSL names > + begin_of_cipher = end_of_cipher = 0; > + for (; begin_of_cipher < strlen(ciphers); begin_of_cipher = > end_of_cipher) > { > - // No translation found, use original > - current_cipher = [begin_of_cipher]; > - current_cipher_len = end_of_cipher - begin_of_cipher; > - > - // Issue warning on missing translation > - // %.*s format specifier expects length of type int, so guarantee > - // that length is small enough and cast to int. > - msg (M_WARN, "No valid translation found for TLS cipher '%.*s'", > - constrain_int(current_cipher_len, 0, 256), current_cipher); > -} > - else > - { > - // Use OpenSSL name > - current_cipher = cipher_pair->openssl_name; > - current_cipher_len = strlen(current_cipher); > - > - if (end_of_cipher - begin_of_cipher == current_cipher_len && > - 0 == memcmp ([begin_of_cipher], > cipher_pair->openssl_name, end_of_cipher - begin_of_cipher)) > - { > - // Non-IANA name used, show warning > - msg (M_WARN, "Deprecated TLS cipher name '%s', please use IANA > name '%s'", cipher_pair->openssl_name, cipher_pair->iana_name); > - } > - } > - > - // Make sure new cipher name fits in cipher string > - if
Re: [Openvpn-devel] [PATCH 2/2] Provide LZ4 sources in src/compat/ and use if no system lz4 library found.
Am 01.01.14 22:57, schrieb Gert Doering: > Bundle lz4.c and lz4.h from http://code.google.com/p/lz4/ (r109) as > src/compat/compat-lz4.[ch], and use that (via #define NEED_COMPAT_LZ4) > if autoconf cannot find lz4.h or -llz4 in the system. ACK from me. Also: plaisthos: one of the problems with lz4 is that no distribution is shipping a liblz4 yet, and that the original tarball also doesn't even try to build a library, it just builds an executable - so "installing a library" is more painful than for snappy or lzo
Re: [Openvpn-devel] [PATCH 1/2] Implement LZ4 compression.
Am 01.01.14 22:57, schrieb Gert Doering: > Implement LZ4 compression, similar to the existing snappy / push-peer-info > model: a LZ4 capable client will send IV_LZ4=1 to the server, and the > algorithm is selected by pushing "compress lz4" back. > > LZ4 does not compress as well as LZO or Snappy, but needs far less CPU > and is much faster, thus better suited for mobile devices. See > https://code.google.com/p/lz4/ for more details. > > LZ4 include and library path can be specified by specifying LZ4_LIBS=... > and LZ4_CFLAGS=... on the configure command line. ACK. To the patch. I have only lightly tested it but it work in my test setup. Before commiting you should fix the LX4 typo. Arne
[Openvpn-devel] [PATCH] Don’t show the connection profile store in options->ce if there is a connection_list defined.
Entries in options->ce are never used and overwritten by the first usable connection profile on initialisation. --- src/openvpn/options.c | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 26d5aec..aa06c0a 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1406,8 +1406,6 @@ show_connection_entry (const struct connection_entry *o) static void show_connection_entries (const struct options *o) { - msg (D_SHOW_PARMS, "Connection profiles [default]:"); - show_connection_entry (>ce); if (o->connection_list) { const struct connection_list *l = o->connection_list; @@ -1418,6 +1416,11 @@ show_connection_entries (const struct options *o) show_connection_entry (l->array[i]); } } + else + { + msg (D_SHOW_PARMS, "Connection profiles [default]:"); + show_connection_entry (>ce); + } msg (D_SHOW_PARMS, "Connection profiles END"); } -- 1.8.3.4 (Apple Git-47)
[Openvpn-devel] [PATCH applied] Re: Update IPv6 related readme files
ACK. Your patch has been applied to the master branch, with two minor fixes ("OpenVPN 2.4.0" and we have 2014 :) ). commit 36a844e59f7af2d79e4a7c8e83f82fc49f79d51a (master) Author: Arne Schwabe List-Post: openvpn-devel@lists.sourceforge.net Date: Fri Jan 3 15:49:40 2014 +0100 Update IPv6 related readme files Acked-by: Gert DoeringMessage-Id: <1388760580-7548-1-git-send-email-a...@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8167 Signed-off-by: Gert Doering -- kind regards, Gert Doering
[Openvpn-devel] [PATCH] Update IPv6 related readme files
--- README.IPv6 | 29 ++--- TODO.IPv6 | 11 +-- 2 files changed, 19 insertions(+), 21 deletions(-) diff --git a/README.IPv6 b/README.IPv6 index 56c97ab..3d8fbeb 100644 --- a/README.IPv6 +++ b/README.IPv6 @@ -35,31 +35,22 @@ over an IPv6 network ("OpenVPN over IPv6"). The code in 2.3.0 supersedes the IPv6 transport patches from JuanJo Ciarlante, formerly located at http://github.com/jjo/openvpn-ipv6 +Android 2.4.0 includes a big overhaul of the IPv6 transport patches +originally implemented for the Android client (ics-openvpn) -Use the following options to select IPv6 transport: +IPv4/IPv6 transport is automatically is selected when resolving addresses. +Use a 6 or 4 suffix to force IPv6/IPv4: --proto udp6 + --proto tcp4 --proto tcp6-client - --proto tcp6-server + --proto tcp4-server --proto tcp6 --client / --proto tcp6 --server -On systems that permit IPv4 connections on IPv6 sockets (Linux by -default, FreeBSD and NetBSD if you turn off the "v6only" sysctl by -running "sysctl -w net.inet6.ip6.v6only=0"), an OpenVPN server can +On systems that allow IPv4 connections on IPv6 sockets +(all systems supporting IPV6_V6ONLY setsockopt), an OpenVPN server can handle IPv4 connections on the IPv6 socket as well, making it a true -dual-stacked server. +dual-stacked server. Use bind ipv6only to disable this behaviour. On other systems, as of 2.3.0, you need to run separate server instances -for IPv4 and IPv6. - -The client side code is not really "dual-stacked" yet, as it does not -automatically try both address families when connecting to a dual-stacked -server. For now, you can achieve this with stanzas in your -openvpn config: - - - remote my.dual.stack.server 1194 udp6 - - - remote my.dual.stack.server 1194 udp - +for IPv4 and IPv6. \ No newline at end of file diff --git a/TODO.IPv6 b/TODO.IPv6 index 29d7554..378358c 100644 --- a/TODO.IPv6 +++ b/TODO.IPv6 @@ -183,7 +183,7 @@ tun0: flags=8051mtu 1500 TODO for IPv6 transport support --- -[ Last updated: 10-Jun-2012. ] +[ Last updated: 03-01-2013. ] * All platforms: o mgmt console: as currently passes straight in_addr_t bits around @@ -191,19 +191,26 @@ TODO for IPv6 transport support o make possible to get AF from getaddrinfo() answer, ie allow openvpn to use ipv4/6 if DNS returns A/ without specifying protocol. Hard: requires deep changes in initialization/calling logic +- Done by dual stack patches o use AI_PASSIVE +- Done by dual stack patches o the getaddr()/getaddr6() interface is not prepared for handling socktype "tagging", currently I abuse the sockflags bits for getting the ai_socktype downstream. +- Still done by flags, seems clean enough. o implement comparison for mapped addesses: server in dual stack listening IPv6 must permit incoming streams from allowed IPv4 peer, currently you need to pass eg: --remote ::1.2.3.4 - +- OpenVPN will compare all address of a remote + but will still fail on mapped addresses * win32: o find out about mapped addresses, as I can't make it work with bound at ::1 and connect to 127.0.0.1 +- Should be fixed by 8832c6c - "Implement listing on IPv4/IPv6 dual socket on all platform" + + -- 1.8.3.4 (Apple Git-47)
Re: [Openvpn-devel] [PATCH v3] Floating: Add support for floating in TLS mode
Hi, On Fri, Jan 03, 2014 at 02:28:51PM +0100, Arne Schwabe wrote: > > 2) What you mean by "hack"? Do you mean new packet format or something else? > The byte juggling the compress does. Actually the "compress byte swap hack" is for the de-crypted material, while *this* discussion is concernced about the encrypted material, which is also unaligned and also wants a byte swap hack :-) What I'd like to see is a definition of the new data frame format from James (with and without session ID), and then we can go and hack that in - but before we agree on the frame format, we don't really know what to implement. Meeting topic... (Samuli, are you listening?). gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany g...@greenie.muc.de fax: +49-89-35655025g...@net.informatik.tu-muenchen.de pgpFDMooLgVTA.pgp Description: PGP signature
[Openvpn-devel] [PATCH applied] Re: Remove OpenSSL tmp_rsa_callback. Removes support for ephemeral RSA in TLS.
Your patch has been applied to the master branch. commit 813aa55754c27bdae5380dce415497a574b47e1b Author: Steffan Karger List-Post: openvpn-devel@lists.sourceforge.net Date: Wed Jan 1 21:10:24 2014 +0100 Remove OpenSSL tmp_rsa_callback. Removes support for ephemeral RSA in TLS. Signed-off-by: Steffan KargerAcked-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <1388607026-12297-5-git-send-email-stef...@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8152 Signed-off-by: Gert Doering -- kind regards, Gert Doering
[Openvpn-devel] [PATCH applied] Re: If --tls-cipher is supplied, make --show-tls parse the list.
Your patch has been applied to the master and release/2.3 branches. commit cb03dca83e37fd65666bf776f39da902fb10acbc (master) commit 5690c525e58769a72fb5dbe63b5f6af78dff92ad (release/2.3) Author: Steffan Karger List-Post: openvpn-devel@lists.sourceforge.net Date: Wed Jan 1 21:10:23 2014 +0100 If --tls-cipher is supplied, make --show-tls parse the list. Signed-off-by: Steffan KargerAcked-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <1388607026-12297-4-git-send-email-stef...@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8150 Signed-off-by: Gert Doering -- kind regards, Gert Doering
Re: [Openvpn-devel] [PATCH 4/6] Remove OpenSSL tmp_rsa_callback. Removes support for ephemeral RSA in TLS.
Am 01.01.14 21:10, schrieb Steffan Karger: > This code would not really generate ephemeral keys every time it is called, > but a single key that would be reused during process lifetime and returned > each time the function was called; probably not what users would expect. > > TLS allowes ephemeral keys to be used only when no other key exchange, such > as (ephemeral) Diffie-Hellman, is performed. The end result is that it was > only used by a number of (weak) export ciphers, which could give users a > false sense of security. > > So, instead of fixing a weak cipher mode, we'll just remove support for it > completely. Plenty of better alternatives are available in TLS. > ACK. (reading SSL_CTX_set_tmp_rsa_callback is scary btw). Arne
Re: [Openvpn-devel] [PATCH 3/6] If --tls-cipher is supplied, make --show-tls parse the list.
Am 01.01.14 21:10, schrieb Steffan Karger: > This allows to check the available TLS ciphers for a specific configuration > by supplying both --tls-cipher and --show-tls options. > > ACK. Arne
Re: [Openvpn-devel] [PATCH v3] Floating: Add support for floating in TLS mode
Am 03.01.14 12:58, schrieb Lev Stipakov: > Hi Arne, > > I am researching how "session id" can be added to packet. Could you please > clarify the statement "If we choose the session id to be 3 or 7 byte we > would not need the "hack" for the packets with > session id." ? > > I am currently at very beginning, so questions might look odd. > > 1) "3 or 7" - does it mean byte's ordinal number in packet or length of > session id in bytes? One header byte +3 byte or +7 byte = 32 bit aligment. > > 2) What you mean by "hack"? Do you mean new packet format or something else? The byte juggling the compress does. > 3) I am trying to comprehend protocol format reading > http://openvpn.net/index.php/open-source/documentation/security- > overview.html and looking at wireshark capture results. Where exactly > session id field should be placed? Not yet decided :) Arne
Re: [Openvpn-devel] [PATCH 6/6] Disable export ciphers by default for OpenSSL builds.
Am 01.01.14 21:10, schrieb Steffan Karger: > Export ciphers are deliberately weak ciphers, and not fully supported by > OpenVPN since ephemeral RSA support has been removed a few commits ago. > This commit removes them from the default cipher list to avoid confusion. > > PolarSSL does not support export ciphers, so no action required there. > ACK. But isn't is better to use good to do the !EXP just in case and for consistency for PolarSSL as well. Arne
Re: [Openvpn-devel] [PATCH v3] Floating: Add support for floating in TLS mode
Hi! On 30.12.2013 18:31, Arne Schwabe wrote: For negoating the packet format the client would submit something like IV_CLNT_SUPPORT 1 or similar (look at the IV_SNAPPY, IV_LZO for compression) to tell the server the supported format and the server would push a packet-format 1 or something similar like that. For a first prototype implementation having only the packet-format 1 is probably good enough. I'm sorry, but this a bit too much for me to help in this case. If support for testing is needed, I will do that! -- With kind regards, André Valentin Projektkoordination / Systemadministration MarcanT GmbH, Ravensberger Str. 10 G, D - 33602 Bielefeld Fon: +49 (521) 95945-0 | Fax -18 URL: http://www.marcant.net | http://www.global-m2m.com Geschäftsführer: Thorsten Hojas Handelsregister: AG Bielefeld, HRB 35827 USt-ID Nr.: DE 190203238 ___ CONFIDENTIALITY NOTICE The contents of this email are confidential to the ordinary user of the email address to which it was addressed and may also be privileged. If you are not the addressee of this email you may not copy, forward, disclose or otherwise use it or any part of it in any form whatsoever. If you have received this email in error please email the sender by replying to this message.
Re: [Openvpn-devel] [PATCH v3] Floating: Add support for floating in TLS mode
Hi Arne, I am researching how "session id" can be added to packet. Could you please clarify the statement "If we choose the session id to be 3 or 7 byte we would not need the "hack" for the packets with session id." ? I am currently at very beginning, so questions might look odd. 1) "3 or 7" - does it mean byte's ordinal number in packet or length of session id in bytes? 2) What you mean by "hack"? Do you mean new packet format or something else? 3) I am trying to comprehend protocol format reading http://openvpn.net/index.php/open-source/documentation/security- overview.html and looking at wireshark capture results. Where exactly session id field should be placed? -Lev
[Openvpn-devel] [PATCH applied] Re: Update TLSv1 error messages to SSLv23 to reflect changes from commit 4b67f98
ACK. Your patch has been applied to the master and release/2.3 branches. commit 441be9f4f91a16218d40b401384ead51b5aac0cc (master) commit dce118c833433cc0300cbcfe6b2d0cc3d5c34a3d (release/2.3) Author: Steffan Karger List-Post: openvpn-devel@lists.sourceforge.net Date: Wed Jan 1 21:10:22 2014 +0100 Update TLSv1 error messages to SSLv23 to reflect changes from commit 4b67f98 Signed-off-by: Steffan KargerAcked-by: Gert Doering Message-Id: <1388607026-12297-3-git-send-email-stef...@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8147 Signed-off-by: Gert Doering -- kind regards, Gert Doering
[Openvpn-devel] [PATCH applied] Re: Also update TLSv1_method() calls in support code to SSLv23_method() calls.
ACK. Patch has been applied to the master and release/2.3 branches. commit dd3e319c1d66c7da51b8555d745a1139e0b322f2 (master) commit 191af656f84dbb83a338ded5a72e1a23427837a5 (master) Author: Steffan Karger List-Post: openvpn-devel@lists.sourceforge.net Date: Wed Jan 1 21:10:21 2014 +0100 Also update TLSv1_method() calls in support code to SSLv23_method() calls. Signed-off-by: Steffan KargerAcked-by: Gert Doering Message-Id: <1388607026-12297-2-git-send-email-stef...@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8148 Signed-off-by: Gert Doering -- kind regards, Gert Doering