[Openvpn-devel] [PATCH applied] Re: Modernize sample keys and sample configs
Your patch has been applied to the master branch. commit 335bbe615a03dad9087d754c9dea330e801ee3c3 Author: Steffan Karger List-Post: openvpn-devel@lists.sourceforge.net Date: Thu Oct 23 00:14:29 2014 +0200 Modernize sample keys and sample configs Signed-off-by: Steffan Karger Acked-by: Samuli Seppänen Message-Id: URL: http://article.gmane.org/gmane.network.openvpn.devel/9226 Signed-off-by: Gert Doering -- kind regards, Gert Doering
[Openvpn-devel] [PATCH 1/2] fix compilation on Windows
The local member in struct lick_socket_address went away a while ago. Fixing the code to compile again under Windows. While there, also fix the code to deal with struct link_socket_info.af == AF_UNSPEC Signed-off-by: Heiko Hund--- src/openvpn/socket.c | 15 +++ 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index c649d62..9ed8a5a 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -2916,6 +2916,7 @@ link_socket_read_udp_posix (struct link_socket *sock, #endif buf->len = recvfrom (sock->sd, BPTR (buf), maxsize, 0, >dest.addr.sa, ); + /* FIXME: won't do anything when sock->info.af == AF_UNSPEC */ if (buf->len >= 0 && expectedlen && fromlen != expectedlen) bad_address_length (fromlen, expectedlen); return buf->len; @@ -3060,10 +3061,7 @@ socket_recv_queue (struct link_socket *sock, int maxsize) if (proto_is_udp(sock->info.proto)) { sock->reads.addr_defined = true; - if (sock->info.af == AF_INET) - sock->reads.addrlen = sizeof (sock->reads.addr); - else - sock->reads.addrlen = sizeof (sock->reads.addr6); + sock->reads.addrlen = sizeof (sock->reads.addr6); status = WSARecvFrom( sock->sd, wsabuf, @@ -3095,9 +3093,10 @@ socket_recv_queue (struct link_socket *sock, int maxsize) if (!status) /* operation completed immediately? */ { - int addrlen = af_addr_size(sock->info.lsa->local.addr.sa.sa_family); - if (sock->reads.addr_defined && sock->reads.addrlen != addrlen) - bad_address_length (sock->reads.addrlen, addrlen); + /* FIXME: won't do anything when sock->info.af == AF_UNSPEC */ + int af_len = af_addr_size (sock->info.af); + if (sock->reads.addr_defined && af_len && sock->reads.addrlen != af_len) + bad_address_length (sock->reads.addrlen, af_len); sock->reads.iostate = IOSTATE_IMMEDIATE_RETURN; /* since we got an immediate return, we must signal the event object ourselves */ 
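Review bot: The FIXME added to the recvfrom path documents a real gap rather than closing it: when `expectedlen` is 0 (the AF_UNSPEC case the comment names) the `fromlen` returned by recvfrom is never compared with anything, so a truncated or oversized address is accepted and `from->dest` is used as the peer address as-is. The hunk already has the family of the address that was actually received, so the check can be keyed on that instead of on `sock->info.af`: `if (buf->len >= 0 && fromlen != af_addr_size (from->dest.addr.sa.sa_family)) bad_address_length (fromlen, af_addr_size (from->dest.addr.sa.sa_family));` — note the `&` characters in the recvfrom arguments appear to have been stripped by the mailing-list rendering, so the argument names above are taken from the surrounding code. How `expectedlen` is derived is outside the hunk, so this assumes it is 0 exactly when the socket family is AF_UNSPEC, as the new comment says. link_socket_read_udp_posix starts before the hunk.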
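Review bot: The same unchecked-length case is introduced in the Windows immediate-completion path of socket_recv_queue: with `sock->info.af == AF_UNSPEC`, `af_len` is 0 and the new `af_len &&` guard skips bad_address_length entirely, so the `addrlen` WSARecvFrom wrote back is never validated against the family of the address it filled in. Deriving `af_len` from the family field of the received sockaddr rather than from `sock->info.af` would keep the check meaningful for AF_UNSPEC sockets; the member names of `sock->reads.addr`/`addr6` are outside the hunk, and this assumes the two overlay each other, which the unconditional `sizeof (sock->reads.addr6)` in the earlier hunk suggests but does not show. socket_recv_queue's body continues beyond the hunk.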
@@ -3159,7 +3158,7 @@ socket_send_queue (struct link_socket *sock, struct buffer *buf, const struct li
 {
 /* set destination address for UDP writes */
 sock->writes.addr_defined = true;
- if (sock->info.af == AF_INET6)
+ if (to->dest.addr.sa.sa_family == AF_INET6)
 {
 sock->writes.addr6 = to->dest.addr.in6;
 sock->writes.addrlen = sizeof (sock->writes.addr6);
-- 
1.9.1
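Review bot: Switching the IPv6 branch to `to->dest.addr.sa.sa_family` is the right fix for AF_UNSPEC sockets, but the else branch (outside the hunk) presumably still treats every other family as IPv4, so a `to` whose family has not been set — e.g. a destination that has not been resolved yet — would be queued as a meaningless IPv4 address with `addr_defined` already set to true a few lines above. Consider making the IPv4 case explicit, `else if (to->dest.addr.sa.sa_family == AF_INET)`, with a final `else` that logs, clears `sock->writes.addr_defined` and does not submit the write. socket_send_queue starts before the hunk and continues after it, so whether such a guard already exists downstream cannot be confirmed here.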
[Openvpn-devel] [PATCH 2/2] fix warnings on Windows
Just add a few valid casts that shut up mingw gcc. Signed-off-by: Heiko Hund--- src/openvpn/mtu.c| 5 ++--- src/openvpn/route.c | 2 +- src/openvpn/socket.c | 4 ++-- 3 files changed, 5 insertions(+), 6 deletions(-) diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c index 13f3f6c..3665a34 100644 --- a/src/openvpn/mtu.c +++ b/src/openvpn/mtu.c @@ -158,8 +158,7 @@ set_mtu_discover_type (int sd, int mtu_type) if (mtu_type >= 0) { #if defined(HAVE_SETSOCKOPT) && defined(SOL_IP) && defined(IP_MTU_DISCOVER) - if (setsockopt - (sd, SOL_IP, IP_MTU_DISCOVER, _type, sizeof (mtu_type))) + if (setsockopt (sd, SOL_IP, IP_MTU_DISCOVER, (void *) _type, sizeof (mtu_type))) msg (M_ERR, "Error setting IP_MTU_DISCOVER type=%d on TCP/UDP socket", mtu_type); #else @@ -288,7 +287,7 @@ void set_sock_extended_error_passing (int sd) { int on = 1; - if (setsockopt (sd, SOL_IP, IP_RECVERR, , sizeof (on))) + if (setsockopt (sd, SOL_IP, IP_RECVERR, (void *) , sizeof (on))) msg (M_WARN | M_ERRNO, "Note: enable extended error passing on TCP/UDP socket failed (IP_RECVERR)"); } diff --git a/src/openvpn/route.c b/src/openvpn/route.c index e76c2bd..5d18213 100644 --- a/src/openvpn/route.c +++ b/src/openvpn/route.c @@ -277,7 +277,7 @@ init_route (struct route_ipv4 *r, /* get_special_addr replaces specialaddr with a special ip addr like gw. getaddrinfo is called to convert a a addrinfo struct */ - if(get_special_addr (rl, ro->network, _addr, )) + if(get_special_addr (rl, ro->network, (in_addr_t *) _addr, )) { special.s_addr = htonl(special.s_addr); ret = openvpn_getaddrinfo(0, inet_ntoa(special), NULL, 0, NULL, diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index 9ed8a5a..2499ab0 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c 
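Review bot: The `(in_addr_t *) &special.s_addr` cast in init_route silences the warning by asserting that two differently typed integers are the same object, which is the aliasing situation the compiler is trying to flag; on Winsock `s_addr` is a `u_long`, so the types genuinely differ even though the widths match here. A local temporary avoids the cast without changing behaviour: declare `in_addr_t special_addr;`, pass `&special_addr` to get_special_addr in place of the cast expression, and assign `special.s_addr = htonl (special_addr);` in the body. The `&` characters in the call's arguments appear to have been stripped by the mailing-list rendering, so the remaining argument names need to be restored from the tree. init_route starts before the hunk.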
@@ -729,7 +729,7 @@ static inline void socket_set_mark (int sd, int mark) { #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK - if (mark && setsockopt (sd, SOL_SOCKET, SO_MARK, , sizeof (mark)) != 0) + if (mark && setsockopt (sd, SOL_SOCKET, SO_MARK, (void *) , sizeof (mark)) != 0) msg (M_WARN, "NOTE: setsockopt SO_MARK=%d failed", mark); #endif } @@ -1117,7 +1117,7 @@ socket_bind (socket_descriptor_t sd, int v6only = ipv6only ? 1: 0;/* setsockopt must have an "int" */ msg (M_INFO, "setsockopt(IPV6_V6ONLY=%d)", v6only); - if (setsockopt(sd, IPPROTO_IPV6, IPV6_V6ONLY, , sizeof(v6only))) + if (setsockopt (sd, IPPROTO_IPV6, IPV6_V6ONLY, (void *) , sizeof(v6only))) { msg (M_NONFATAL|M_ERRNO, "Setting IPV6_V6ONLY=%d failed", v6only); } -- 1.9.1
Re: [Openvpn-devel] [PATCH] Modernize sample keys and sample configs
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi Steffan, I tested the key generation script with /bin/bash and /bin/dash on Linux, and using /bin/sh on FreeBSD. The rest of the patch looked fine, too. ACK. Samuli > Attached a v2 of this patch that adds an extra check whether openssl is > actually available. > > -Steffan > > On Thu, Oct 23, 2014 at 12:16 AM, Steffan Karger> wrote: > > I kept most of the certificate properties equal to the old > certs, since some people's test scripts might rely on them (and > it does not require any creativity from my part). > > Changes: > * Add script to generate fresh test/sample keys >(but keep sample keys in git for simple testing) > * Switch from 1024 to 4096 bits RSA CA > * Switch from 1024 to 2048 bits client/server RSA keys > * Switch from 1024 to 2048 bits Diffie-Hellman parameters > * Generate EC client and server cert, but sign with RSA CA >(lets us test EC <-> RSA interoperability) > * Remove 3DES cipher from 'sample' config > * Add 'remote-cert-tls server' to client config > * Update config files to deprecate nsCertType in favour of the >keyUsage and extendedKeyUsage extensions. > * Make naming more consistent 
> > Signed-off-by: Steffan Karger > > --- > sample/sample-config-files/client.conf | 17 ++-- > sample/sample-config-files/loopback-client | 2 +- > sample/sample-config-files/loopback-server | 3 +- > sample/sample-config-files/server.conf | 6 +- > sample/sample-config-files/tls-office.conf | 2 +- > sample/sample-keys/.gitignore | 1 + > sample/sample-keys/README | 17 ++-- > sample/sample-keys/ca.crt | 48 ++ > sample/sample-keys/ca.key | 67 ++ > sample/sample-keys/client-ec.crt | 85 ++ > sample/sample-keys/client-ec.key | 5 ++ > sample/sample-keys/client-pass.key | 30 +++ > sample/sample-keys/client.crt | 126 +- > sample/sample-keys/client.key | 43 + > sample/sample-keys/client.p12 | Bin 0 -> 4533 bytes > sample/sample-keys/dh1024.pem | 5 -- > sample/sample-keys/dh2048.pem | 8 ++ > sample/sample-keys/ec-ca.crt | 13 --- > sample/sample-keys/ec-ca.key | 6 -- > sample/sample-keys/ec-client.crt | 61 - > sample/sample-keys/ec-client.key | 6 -- > sample/sample-keys/ec-server.crt | 61 - > sample/sample-keys/ec-server.key | 6 -- > sample/sample-keys/gen-sample-keys.sh | 74 +++ > sample/sample-keys/openssl.cnf | 139 + > sample/sample-keys/pass.crt| 65 -- > sample/sample-keys/pass.key| 18 > sample/sample-keys/pkcs12.p12 | Bin 2685 -> 0 bytes > sample/sample-keys/server-ec.crt | 96 > sample/sample-keys/server-ec.key | 5 ++ > sample/sample-keys/server.crt | 130 ++- > sample/sample-keys/server.key | 43 + > 32 files changed, 778 insertions(+), 410 deletions(-) > create mode 100644 sample/sample-keys/.gitignore > create mode 100644 sample/sample-keys/client-ec.crt > create mode 100644 sample/sample-keys/client-ec.key > create mode 100644 sample/sample-keys/client-pass.key > create mode 100644 sample/sample-keys/client.p12 > delete mode 100644 sample/sample-keys/dh1024.pem > create mode 100644 sample/sample-keys/dh2048.pem > delete mode 100644 sample/sample-keys/ec-ca.crt > delete mode 100644 sample/sample-keys/ec-ca.key > delete mode 100644 sample/sample-keys/ec-client.crt > delete 
mode 100644 sample/sample-keys/ec-client.key > delete mode 100644 sample/sample-keys/ec-server.crt > delete mode 100644 sample/sample-keys/ec-server.key > create mode 100755 sample/sample-keys/gen-sample-keys.sh > create mode 100644 sample/sample-keys/openssl.cnf > delete mode 100644 sample/sample-keys/pass.crt > delete mode 100644 sample/sample-keys/pass.key > delete mode 100644 sample/sample-keys/pkcs12.p12 > create mode 100644 sample/sample-keys/server-ec.crt > create mode 100644 sample/sample-keys/server-ec.key > > diff --git a/sample/sample-config-files/client.conf b/sample/sample-config-files/client.conf > index 58b2038..050ef60 100644 > --- a/sample/sample-config-files/client.conf > +++ b/sample/sample-config-files/client.conf > @@ -89,18 +89,19
Re: [Openvpn-devel] [PATCH] Modernize sample keys and sample configs
Attached a v2 of this patch that adds an extra check whether openssl is actually available. -Steffan On Thu, Oct 23, 2014 at 12:16 AM, Steffan Kargerwrote: > I kept most of the certificate properties equal to the old > certs, since some people's test scripts might rely on them (and > it does not require any creativity from my part). > > Changes: > * Add script to generate fresh test/sample keys >(but keep sample keys in git for simple testing) > * Switch from 1024 to 4096 bits RSA CA > * Switch from 1024 to 2048 bits client/server RSA keys > * Switch from 1024 to 2048 bits Diffie-Hellman parameters > * Generate EC client and server cert, but sign with RSA CA >(lets us test EC <-> RSA interoperability) > * Remove 3DES cipher from 'sample' config > * Add 'remote-cert-tls server' to client config > * Update config files to deprecate nsCertType in favour of the >keyUsage and extendedKeyUsage extensions. > * Make naming more consistent 
> > Signed-off-by: Steffan Karger > --- > sample/sample-config-files/client.conf | 17 ++-- > sample/sample-config-files/loopback-client | 2 +- > sample/sample-config-files/loopback-server | 3 +- > sample/sample-config-files/server.conf | 6 +- > sample/sample-config-files/tls-office.conf | 2 +- > sample/sample-keys/.gitignore | 1 + > sample/sample-keys/README | 17 ++-- > sample/sample-keys/ca.crt | 48 ++ > sample/sample-keys/ca.key | 67 ++ > sample/sample-keys/client-ec.crt | 85 ++ > sample/sample-keys/client-ec.key | 5 ++ > sample/sample-keys/client-pass.key | 30 +++ > sample/sample-keys/client.crt | 126 > +- > sample/sample-keys/client.key | 43 + > sample/sample-keys/client.p12 | Bin 0 -> 4533 bytes > sample/sample-keys/dh1024.pem | 5 -- > sample/sample-keys/dh2048.pem | 8 ++ > sample/sample-keys/ec-ca.crt | 13 --- > sample/sample-keys/ec-ca.key | 6 -- > sample/sample-keys/ec-client.crt | 61 - > sample/sample-keys/ec-client.key | 6 -- > sample/sample-keys/ec-server.crt | 61 - > sample/sample-keys/ec-server.key | 6 -- > sample/sample-keys/gen-sample-keys.sh | 74 +++ > sample/sample-keys/openssl.cnf | 139 > + > sample/sample-keys/pass.crt| 65 -- > sample/sample-keys/pass.key| 18 > sample/sample-keys/pkcs12.p12 | Bin 2685 -> 0 bytes > sample/sample-keys/server-ec.crt | 96 > sample/sample-keys/server-ec.key | 5 ++ > sample/sample-keys/server.crt | 130 > ++- > sample/sample-keys/server.key | 43 + > 32 files changed, 778 insertions(+), 410 deletions(-) > create mode 100644 sample/sample-keys/.gitignore > create mode 100644 sample/sample-keys/client-ec.crt > create mode 100644 sample/sample-keys/client-ec.key > create mode 100644 sample/sample-keys/client-pass.key > create mode 100644 sample/sample-keys/client.p12 > delete mode 100644 sample/sample-keys/dh1024.pem > create mode 100644 sample/sample-keys/dh2048.pem > delete mode 100644 sample/sample-keys/ec-ca.crt > delete mode 100644 sample/sample-keys/ec-ca.key > delete mode 100644 sample/sample-keys/ec-client.crt > 
delete mode 100644 sample/sample-keys/ec-client.key > delete mode 100644 sample/sample-keys/ec-server.crt > delete mode 100644 sample/sample-keys/ec-server.key > create mode 100755 sample/sample-keys/gen-sample-keys.sh > create mode 100644 sample/sample-keys/openssl.cnf > delete mode 100644 sample/sample-keys/pass.crt > delete mode 100644 sample/sample-keys/pass.key > delete mode 100644 sample/sample-keys/pkcs12.p12 > create mode 100644 sample/sample-keys/server-ec.crt > create mode 100644 sample/sample-keys/server-ec.key > > diff --git a/sample/sample-config-files/client.conf > b/sample/sample-config-files/client.conf > index 58b2038..050ef60 100644 > --- a/sample/sample-config-files/client.conf > +++ b/sample/sample-config-files/client.conf > @@ -89,18 +89,19 @@ ca ca.crt > cert client.crt > key client.key > > -# Verify server certificate by checking > -# that the certicate has the nsCertType > -# field set to "server". This is an > -# important precaution to protect against > +# Verify server certificate by checking that the > +# certicate has the correct key usage set. > +# This is an important precaution to protect against > # a potential attack discussed here: > # http://openvpn.net/howto.html#mitm > # > # To use this feature, you will need to generate > -# your server certificates with the nsCertType > -# field set
[Openvpn-devel] [PATCH] Peer-id patch v5
Added new packet format P_DATA_V2, which includes peer-id. If server supports, client sends all data packets in the new format. When data packet arrives, server identifies peer by peer-id. If peer's ip/port has changed, server assumes that client has floated, verifies HMAC and updates ip/port in internal structs. Changes in v5: Protection agains replay attack by commiting float changes only after existing packet processing flow has completed. If peer floats to an address which is already taken by another active session, drop float packet, otherwise disconnect existing session. Changes in v4: Handles correctly float to an address which is used by another peer. This also has fixed crash on assert in multi_client_disconnect. Changes in v3: Bugfix: If float happens after TLS renegotiation and there are no data packets between reneg and float, server will not recognize floated client. --- src/openvpn/forward.c| 57 src/openvpn/forward.h| 2 + src/openvpn/init.c | 10 - src/openvpn/mudp.c | 54 +++ src/openvpn/mudp.h | 2 +- src/openvpn/multi.c | 97 ++-- src/openvpn/multi.h | 2 + src/openvpn/options.c| 9 - src/openvpn/options.h| 8 +++- src/openvpn/push.c | 16 +++- src/openvpn/ssl.c| 75 + src/openvpn/ssl.h| 12 +- src/openvpn/ssl_common.h | 4 ++ 13 files changed, 300 insertions(+), 48 deletions(-) diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 27b775f..d373231 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -722,20 +722,12 @@ read_incoming_link (struct context *c) perf_pop (); } -/* - * Input: c->c2.buf - * Output: c->c2.to_tun - */ - -void -process_incoming_link (struct context *c) +bool +process_incoming_link_part1 (struct context *c, struct link_socket_info *lsi, bool floated) { struct gc_arena gc = gc_new (); bool decrypt_status; - struct link_socket_info *lsi = get_link_socket_info (c); - const uint8_t *orig_buf = c->c2.buf.data; - - perf_push (PERF_PROC_IN_LINK); + bool res = false; if (c->c2.buf.len > 0) { 
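Review bot: The new process_incoming_link_part1 removes the old `Input: c->c2.buf / Output: c->c2.to_tun` header and gets no comment of its own, even though it now returns a value and takes a `floated` flag that callers are expected to act on; the description says an address change is only committed after this processing succeeds, so that contract belongs on the function. Suggested header above `bool process_incoming_link_part1 (...)`: `/* Authenticate and decrypt the packet in c->c2.buf (input). Returns true only when the packet passed authentication/decryption; when `floated` is set the caller must not update the peer's address unless this returns true. */` — this states the intended contract, so the implementation should be checked against it. The function body continues into the next hunk.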
@@ -805,7 +797,7 @@ process_incoming_link (struct context *c) * will load crypto_options with the correct encryption key * and return false. */ - if (tls_pre_decrypt (c->c2.tls_multi, >c2.from, >c2.buf, >c2.crypto_options)) + if (tls_pre_decrypt (c->c2.tls_multi, >c2.from, >c2.buf, >c2.crypto_options, floated)) { interval_action (>c2.tmp_int); @@ -824,6 +816,14 @@ process_incoming_link (struct context *c) #endif #endif /* ENABLE_SSL */ + /* + * Good, non-zero length packet received. + * Commence multi-stage processing of packet, + * such as authenticate, decrypt, decompress. + * If any stage fails, it sets buf.len to 0 or -1, + * telling downstream stages to ignore the packet. + */ + /* authenticate and decrypt the incoming packet */ decrypt_status = openvpn_decrypt (>c2.buf, c->c2.buffers->decrypt_buf, >c2.crypto_options, >c2.frame); @@ -832,11 +832,25 @@ process_incoming_link (struct context *c) /* decryption errors are fatal in TCP mode */ register_signal (c, SIGUSR1, "decryption-error"); /* SOFT-SIGUSR1 -- decryption error in TCP mode */ msg (D_STREAM_ERRORS, "Fatal decryption error (process_incoming_link), restarting"); - goto done; } - + else + res = true; #endif /* ENABLE_CRYPTO */ +} + else +{ + buf_reset (>c2.to_tun); +} + gc_free (); + + return res; +} +void +process_incoming_link_part2 (struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf) +{ + if (c->c2.buf.len > 0) +{ #ifdef ENABLE_FRAGMENT if (c->c2.fragment) fragment_incoming (c->c2.fragment, >c2.buf, >c2.frame_fragment); @@ -903,9 +917,20 @@ process_incoming_link (struct context *c) { buf_reset (>c2.to_tun); } - done: +} + +void +process_incoming_link (struct context *c) +{ + perf_push (PERF_PROC_IN_LINK); + + struct link_socket_info *lsi = get_link_socket_info (c); + const uint8_t *orig_buf = c->c2.buf.data; + + process_incoming_link_part1(c, lsi, false); + process_incoming_link_part2(c, lsi, orig_buf); + perf_pop (); - gc_free (); } /* 
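Review bot: `res` is set to true in the `else` of the decryption-error branch, but that branch's comment says decryption errors are fatal only in TCP mode, which suggests its condition (just above the hunk) also tests the transport; if so, a UDP packet that fails HMAC verification or decryption falls into the `else` and process_incoming_link_part1 still returns true. The description says the server verifies the HMAC before accepting a float, and this return value is presumably what gates the address update, so an unauthenticated packet carrying a known peer-id could move a live session to an attacker-chosen source address. Make the return track the actual outcome: drop `else res = true;` and instead set `res = decrypt_status;` after the `if`, or simply `return decrypt_status;`, so only authenticated packets report success. The caller that commits the float is in mudp.c and not in this hunk, so the exact gating cannot be confirmed from here.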
diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h index 1830a00..b9dfeea 100644 --- a/src/openvpn/forward.h +++ b/src/openvpn/forward.h @@ -161,6 +161,8 @@ void read_incoming_link (struct context *c); */ void process_incoming_link (struct context *c); +bool process_incoming_link_part1 (struct context *c, struct link_socket_info *lsi, bool floated); +void process_incoming_link_part2 (struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf); /** * Write a packet to the external