[Openvpn-devel] [PATCH applied] Re: Modernize sample keys and sample configs

2014-11-15 Thread Gert Doering
Your patch has been applied to the master branch.

commit 335bbe615a03dad9087d754c9dea330e801ee3c3
Author: Steffan Karger
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Thu Oct 23 00:14:29 2014 +0200

 Modernize sample keys and sample configs

 Signed-off-by: Steffan Karger 
 Acked-by: Samuli Seppänen 
 Message-Id: 

 URL: http://article.gmane.org/gmane.network.openvpn.devel/9226
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




[Openvpn-devel] [PATCH 1/2] fix compilation on Windows

2014-11-15 Thread Heiko Hund
The local member in struct link_socket_address went away a while ago.
Fixing the code to compile again under Windows. While there, also
fix the code to deal with struct link_socket_info.af == AF_UNSPEC.

Signed-off-by: Heiko Hund 
---
 src/openvpn/socket.c | 15 +++
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index c649d62..9ed8a5a 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
@@ -2916,6 +2916,7 @@ link_socket_read_udp_posix (struct link_socket *sock,
 #endif
 buf->len = recvfrom (sock->sd, BPTR (buf), maxsize, 0,
 >dest.addr.sa, );
+  /* FIXME: won't do anything when sock->info.af == AF_UNSPEC */
   if (buf->len >= 0 && expectedlen && fromlen != expectedlen)
 bad_address_length (fromlen, expectedlen);
   return buf->len;
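Review bot: The new FIXME does not say what the length check below protects or why AF_UNSPEC defeats it; if expectedlen is derived from af_addr_size(sock->info.af), as the Windows path in the third hunk suggests, it is 0 on a dual-stack socket and the `fromlen != expectedlen` sanity check is silently skipped. Spell that out so the next reader can fix it rather than re-discover it, e.g. `/* FIXME: expectedlen is 0 for AF_UNSPEC sockets, so the peer address length is never validated on dual-stack sockets */`, and consider deriving the expected size from the family recvfrom actually returned instead of from sock->info.af. The same FIXME and the same gap appear in the socket_recv_queue hunk at the `af_len &&` guard. link_socket_read_udp_posix starts before this hunk.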
@@ -3060,10 +3061,7 @@ socket_recv_queue (struct link_socket *sock, int maxsize)
   if (proto_is_udp(sock->info.proto))
{
  sock->reads.addr_defined = true;
- if (sock->info.af == AF_INET)
-   sock->reads.addrlen = sizeof (sock->reads.addr);
- else
-   sock->reads.addrlen = sizeof (sock->reads.addr6);
+ sock->reads.addrlen = sizeof (sock->reads.addr6);
  status = WSARecvFrom(
   sock->sd,
   wsabuf,
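Review bot: `sock->reads.addrlen = sizeof (sock->reads.addr6)` is now handed to WSARecvFrom for every UDP socket, including an AF_INET one; that is only safe if `reads.addr` and `reads.addr6` share storage (a union), so that the larger length cannot let the stack write past a sockaddr_in. If they are separate members, the old per-family sizeof should stay, or the receive buffer should be the addr6 member explicitly; please confirm against the struct definition and, if the union holds, say so with `/* addr6 is the larger member and overlays addr, so its size is always safe here */`. The rest of socket_recv_queue, including the address pointer passed to WSARecvFrom, lies outside this hunk.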
@@ -3095,9 +3093,10 @@ socket_recv_queue (struct link_socket *sock, int maxsize)

   if (!status) /* operation completed immediately? */
{
- int addrlen = af_addr_size(sock->info.lsa->local.addr.sa.sa_family);
- if (sock->reads.addr_defined && sock->reads.addrlen != addrlen)
-   bad_address_length (sock->reads.addrlen, addrlen);
+ /* FIXME: won't do anything when sock->info.af == AF_UNSPEC */
+ int af_len = af_addr_size (sock->info.af);
+ if (sock->reads.addr_defined && af_len && sock->reads.addrlen != 
af_len)
+   bad_address_length (sock->reads.addrlen, af_len);
  sock->reads.iostate = IOSTATE_IMMEDIATE_RETURN;

  /* since we got an immediate return, we must signal the event object 
ourselves */
@@ -3159,7 +3158,7 @@ socket_send_queue (struct link_socket *sock, struct 
buffer *buf, const struct li
{
  /* set destination address for UDP writes */
  sock->writes.addr_defined = true;
- if (sock->info.af == AF_INET6)
+ if (to->dest.addr.sa.sa_family == AF_INET6)
{
  sock->writes.addr6 = to->dest.addr.in6;
  sock->writes.addrlen = sizeof (sock->writes.addr6);
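Review bot: Testing `to->dest.addr.sa.sa_family` is the right source now that sock->info.af may be AF_UNSPEC, but the else branch (outside this hunk) will treat every family other than AF_INET6, including an unset sa_family of 0, as IPv4. An explicit `else if (to->dest.addr.sa.sa_family == AF_INET)` with an ASSERT or error for anything else turns a mis-built destination into a loud failure instead of a send to whatever the IPv4 member happens to hold. socket_send_queue continues past the hunk, so I cannot see whether such a check already exists further down.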
-- 
1.9.1




[Openvpn-devel] [PATCH 2/2] fix warnings on Windows

2014-11-15 Thread Heiko Hund
Just add a few valid casts that shut up mingw gcc.

Signed-off-by: Heiko Hund 
---
 src/openvpn/mtu.c| 5 ++---
 src/openvpn/route.c  | 2 +-
 src/openvpn/socket.c | 4 ++--
 3 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c
index 13f3f6c..3665a34 100644
--- a/src/openvpn/mtu.c
+++ b/src/openvpn/mtu.c
@@ -158,8 +158,7 @@ set_mtu_discover_type (int sd, int mtu_type)
   if (mtu_type >= 0)
 {
 #if defined(HAVE_SETSOCKOPT) && defined(SOL_IP) && defined(IP_MTU_DISCOVER)
-  if (setsockopt
- (sd, SOL_IP, IP_MTU_DISCOVER, _type, sizeof (mtu_type)))
+  if (setsockopt (sd, SOL_IP, IP_MTU_DISCOVER, (void *) _type, sizeof 
(mtu_type)))
msg (M_ERR, "Error setting IP_MTU_DISCOVER type=%d on TCP/UDP socket",
 mtu_type);
 #else
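Review bot: The cast silences the warning but `(void *)` is wider than needed: setsockopt never writes through optval, so `(const void *) &mtu_type` states that and keeps const-correctness and -Wcast-qual intact on platforms whose prototype takes `const void *`. The same applies to the `(void *)` casts in the IP_RECVERR hunk below and in the SO_MARK and IPV6_V6ONLY hunks of socket.c in this patch. If the mingw prototype is `const char *`, `(const char *)` is the exact match, but `const void *` converts implicitly in C either way.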
@@ -288,7 +287,7 @@ void
 set_sock_extended_error_passing (int sd)
 {
   int on = 1;
-  if (setsockopt (sd, SOL_IP, IP_RECVERR, , sizeof (on)))
+  if (setsockopt (sd, SOL_IP, IP_RECVERR, (void *) , sizeof (on)))
 msg (M_WARN | M_ERRNO,
 "Note: enable extended error passing on TCP/UDP socket failed 
(IP_RECVERR)");
 }
diff --git a/src/openvpn/route.c b/src/openvpn/route.c
index e76c2bd..5d18213 100644
--- a/src/openvpn/route.c
+++ b/src/openvpn/route.c
@@ -277,7 +277,7 @@ init_route (struct route_ipv4 *r,
   /* get_special_addr replaces specialaddr with a special ip addr
  like gw. getaddrinfo is called to convert a a addrinfo struct */

-  if(get_special_addr (rl, ro->network, _addr, ))
+  if(get_special_addr (rl, ro->network, (in_addr_t *) _addr, 
))
 {
   special.s_addr = htonl(special.s_addr);
   ret = openvpn_getaddrinfo(0, inet_ntoa(special), NULL, 0, NULL,
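Review bot: Casting `&special.s_addr` to `in_addr_t *` relies on `in_addr.s_addr` (a ULONG on Windows) and `in_addr_t` having the same size and representation, and it accesses the object through an incompatible pointer type, which strict aliasing lets the compiler miscompile. Passing a local `in_addr_t addr;` to get_special_addr and then assigning `special.s_addr = addr;` avoids both the size assumption and the aliasing and needs no cast on any platform. init_route starts before the hunk, and the call's remaining arguments are garbled in this archive copy, so I am not proposing exact replacement lines.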
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index 9ed8a5a..2499ab0 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
@@ -729,7 +729,7 @@ static inline void
 socket_set_mark (int sd, int mark)
 {
 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
-  if (mark && setsockopt (sd, SOL_SOCKET, SO_MARK, , sizeof (mark)) != 0)
+  if (mark && setsockopt (sd, SOL_SOCKET, SO_MARK, (void *) , sizeof 
(mark)) != 0)
 msg (M_WARN, "NOTE: setsockopt SO_MARK=%d failed", mark);
 #endif
 }
@@ -1117,7 +1117,7 @@ socket_bind (socket_descriptor_t sd,
   int v6only = ipv6only ? 1: 0;/* setsockopt must have an "int" */

   msg (M_INFO, "setsockopt(IPV6_V6ONLY=%d)", v6only);
-  if (setsockopt(sd, IPPROTO_IPV6, IPV6_V6ONLY, , sizeof(v6only)))
+  if (setsockopt (sd, IPPROTO_IPV6, IPV6_V6ONLY, (void *) , 
sizeof(v6only)))
{
  msg (M_NONFATAL|M_ERRNO, "Setting IPV6_V6ONLY=%d failed", v6only);
}
-- 
1.9.1




Re: [Openvpn-devel] [PATCH] Modernize sample keys and sample configs

2014-11-15 Thread Samuli Seppänen

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi Steffan,

I tested the key generation script with /bin/bash and /bin/dash on
Linux, and using /bin/sh on FreeBSD. The rest of the patch looked fine, too.

ACK.

Samuli

> Attached a v2 of this patch that adds an extra check whether openssl is 
> actually available.
>
> -Steffan
>
> On Thu, Oct 23, 2014 at 12:16 AM, Steffan Karger > wrote:
>
> I kept most of the certificate properties equal to the old
> certs, since some people's test scripts might rely on them (and
> it does not require any creativity on my part).
>
> Changes:
>  * Add script to generate fresh test/sample keys
>(but keep sample keys in git for simple testing)
>  * Switch from 1024 to 4096 bits RSA CA
>  * Switch from 1024 to 2048 bits client/server RSA keys
>  * Switch from 1024 to 2048 bits Diffie-Hellman parameters
>  * Generate EC client and server cert, but sign with RSA CA
>(lets us test EC <-> RSA interoperability)
>  * Remove 3DES cipher from 'sample' config
>  * Add 'remote-cert-tls server' to client config
>  * Update config files to deprecate nsCertType in favour of the
>keyUsage and extendedKeyUsage extensions.
>  * Make naming more consistent
>
> Signed-off-by: Steffan Karger >
> ---
>  sample/sample-config-files/client.conf |  17 ++--
>  sample/sample-config-files/loopback-client |   2 +-
>  sample/sample-config-files/loopback-server |   3 +-
>  sample/sample-config-files/server.conf |   6 +-
>  sample/sample-config-files/tls-office.conf |   2 +-
>  sample/sample-keys/.gitignore  |   1 +
>  sample/sample-keys/README  |  17 ++--
>  sample/sample-keys/ca.crt  |  48 ++
>  sample/sample-keys/ca.key  |  67 ++
>  sample/sample-keys/client-ec.crt   |  85 ++
>  sample/sample-keys/client-ec.key   |   5 ++
>  sample/sample-keys/client-pass.key |  30 +++
>  sample/sample-keys/client.crt  | 126
+-
>  sample/sample-keys/client.key  |  43 +
>  sample/sample-keys/client.p12  | Bin 0 -> 4533 bytes
>  sample/sample-keys/dh1024.pem  |   5 --
>  sample/sample-keys/dh2048.pem  |   8 ++
>  sample/sample-keys/ec-ca.crt   |  13 ---
>  sample/sample-keys/ec-ca.key   |   6 --
>  sample/sample-keys/ec-client.crt   |  61 -
>  sample/sample-keys/ec-client.key   |   6 --
>  sample/sample-keys/ec-server.crt   |  61 -
>  sample/sample-keys/ec-server.key   |   6 --
>  sample/sample-keys/gen-sample-keys.sh  |  74 +++
>  sample/sample-keys/openssl.cnf | 139
+
>  sample/sample-keys/pass.crt|  65 --
>  sample/sample-keys/pass.key|  18 
>  sample/sample-keys/pkcs12.p12  | Bin 2685 -> 0 bytes
>  sample/sample-keys/server-ec.crt   |  96 
>  sample/sample-keys/server-ec.key   |   5 ++
>  sample/sample-keys/server.crt  | 130
++-
>  sample/sample-keys/server.key  |  43 +
>  32 files changed, 778 insertions(+), 410 deletions(-)
>  create mode 100644 sample/sample-keys/.gitignore
>  create mode 100644 sample/sample-keys/client-ec.crt
>  create mode 100644 sample/sample-keys/client-ec.key
>  create mode 100644 sample/sample-keys/client-pass.key
>  create mode 100644 sample/sample-keys/client.p12
>  delete mode 100644 sample/sample-keys/dh1024.pem
>  create mode 100644 sample/sample-keys/dh2048.pem
>  delete mode 100644 sample/sample-keys/ec-ca.crt
>  delete mode 100644 sample/sample-keys/ec-ca.key
>  delete mode 100644 sample/sample-keys/ec-client.crt
>  delete mode 100644 sample/sample-keys/ec-client.key
>  delete mode 100644 sample/sample-keys/ec-server.crt
>  delete mode 100644 sample/sample-keys/ec-server.key
>  create mode 100755 sample/sample-keys/gen-sample-keys.sh
>  create mode 100644 sample/sample-keys/openssl.cnf
>  delete mode 100644 sample/sample-keys/pass.crt
>  delete mode 100644 sample/sample-keys/pass.key
>  delete mode 100644 sample/sample-keys/pkcs12.p12
>  create mode 100644 sample/sample-keys/server-ec.crt
>  create mode 100644 sample/sample-keys/server-ec.key
>
> diff --git a/sample/sample-config-files/client.conf
b/sample/sample-config-files/client.conf
> index 58b2038..050ef60 100644
> --- a/sample/sample-config-files/client.conf
> +++ b/sample/sample-config-files/client.conf
> @@ -89,18 +89,19 

Re: [Openvpn-devel] [PATCH] Modernize sample keys and sample configs

2014-11-15 Thread Steffan Karger
Attached a v2 of this patch that adds an extra check whether openssl is
actually available.

-Steffan

On Thu, Oct 23, 2014 at 12:16 AM, Steffan Karger  wrote:

> I kept most of the certificate properties equal to the old
> certs, since some people's test scripts might rely on them (and
> it does not require any creativity on my part).
>
> Changes:
>  * Add script to generate fresh test/sample keys
>(but keep sample keys in git for simple testing)
>  * Switch from 1024 to 4096 bits RSA CA
>  * Switch from 1024 to 2048 bits client/server RSA keys
>  * Switch from 1024 to 2048 bits Diffie-Hellman parameters
>  * Generate EC client and server cert, but sign with RSA CA
>(lets us test EC <-> RSA interoperability)
>  * Remove 3DES cipher from 'sample' config
>  * Add 'remote-cert-tls server' to client config
>  * Update config files to deprecate nsCertType in favour of the
>keyUsage and extendedKeyUsage extensions.
>  * Make naming more consistent
>
> Signed-off-by: Steffan Karger 
> ---
>  sample/sample-config-files/client.conf |  17 ++--
>  sample/sample-config-files/loopback-client |   2 +-
>  sample/sample-config-files/loopback-server |   3 +-
>  sample/sample-config-files/server.conf |   6 +-
>  sample/sample-config-files/tls-office.conf |   2 +-
>  sample/sample-keys/.gitignore  |   1 +
>  sample/sample-keys/README  |  17 ++--
>  sample/sample-keys/ca.crt  |  48 ++
>  sample/sample-keys/ca.key  |  67 ++
>  sample/sample-keys/client-ec.crt   |  85 ++
>  sample/sample-keys/client-ec.key   |   5 ++
>  sample/sample-keys/client-pass.key |  30 +++
>  sample/sample-keys/client.crt  | 126
> +-
>  sample/sample-keys/client.key  |  43 +
>  sample/sample-keys/client.p12  | Bin 0 -> 4533 bytes
>  sample/sample-keys/dh1024.pem  |   5 --
>  sample/sample-keys/dh2048.pem  |   8 ++
>  sample/sample-keys/ec-ca.crt   |  13 ---
>  sample/sample-keys/ec-ca.key   |   6 --
>  sample/sample-keys/ec-client.crt   |  61 -
>  sample/sample-keys/ec-client.key   |   6 --
>  sample/sample-keys/ec-server.crt   |  61 -
>  sample/sample-keys/ec-server.key   |   6 --
>  sample/sample-keys/gen-sample-keys.sh  |  74 +++
>  sample/sample-keys/openssl.cnf | 139
> +
>  sample/sample-keys/pass.crt|  65 --
>  sample/sample-keys/pass.key|  18 
>  sample/sample-keys/pkcs12.p12  | Bin 2685 -> 0 bytes
>  sample/sample-keys/server-ec.crt   |  96 
>  sample/sample-keys/server-ec.key   |   5 ++
>  sample/sample-keys/server.crt  | 130
> ++-
>  sample/sample-keys/server.key  |  43 +
>  32 files changed, 778 insertions(+), 410 deletions(-)
>  create mode 100644 sample/sample-keys/.gitignore
>  create mode 100644 sample/sample-keys/client-ec.crt
>  create mode 100644 sample/sample-keys/client-ec.key
>  create mode 100644 sample/sample-keys/client-pass.key
>  create mode 100644 sample/sample-keys/client.p12
>  delete mode 100644 sample/sample-keys/dh1024.pem
>  create mode 100644 sample/sample-keys/dh2048.pem
>  delete mode 100644 sample/sample-keys/ec-ca.crt
>  delete mode 100644 sample/sample-keys/ec-ca.key
>  delete mode 100644 sample/sample-keys/ec-client.crt
>  delete mode 100644 sample/sample-keys/ec-client.key
>  delete mode 100644 sample/sample-keys/ec-server.crt
>  delete mode 100644 sample/sample-keys/ec-server.key
>  create mode 100755 sample/sample-keys/gen-sample-keys.sh
>  create mode 100644 sample/sample-keys/openssl.cnf
>  delete mode 100644 sample/sample-keys/pass.crt
>  delete mode 100644 sample/sample-keys/pass.key
>  delete mode 100644 sample/sample-keys/pkcs12.p12
>  create mode 100644 sample/sample-keys/server-ec.crt
>  create mode 100644 sample/sample-keys/server-ec.key
>
> diff --git a/sample/sample-config-files/client.conf
> b/sample/sample-config-files/client.conf
> index 58b2038..050ef60 100644
> --- a/sample/sample-config-files/client.conf
> +++ b/sample/sample-config-files/client.conf
> @@ -89,18 +89,19 @@ ca ca.crt
>  cert client.crt
>  key client.key
>
> -# Verify server certificate by checking
> -# that the certicate has the nsCertType
> -# field set to "server".  This is an
> -# important precaution to protect against
> +# Verify server certificate by checking that the
> +# certicate has the correct key usage set.
> +# This is an important precaution to protect against
>  # a potential attack discussed here:
>  #  http://openvpn.net/howto.html#mitm
>  #
>  # To use this feature, you will need to generate
> -# your server certificates with the nsCertType
> -# field set 

[Openvpn-devel] [PATCH] Peer-id patch v5

2014-11-15 Thread Lev Stipakov
Added new packet format P_DATA_V2, which includes peer-id. If the server
supports it, the client sends all data packets in the new format. When a data
packet arrives, the server identifies the peer by peer-id. If the peer's ip/port has
changed, the server assumes that the client has floated, verifies the HMAC and
updates the ip/port in internal structs.

Changes in v5:
Protection against replay attacks by committing float changes only after
the existing packet processing flow has completed.

If peer floats to an address which is already taken by another active
session, drop float packet, otherwise disconnect existing session.

Changes in v4:
Handles correctly float to an address which is used by another peer.
This also has fixed crash on assert in multi_client_disconnect.

Changes in v3:
Bugfix: If float happens after TLS renegotiation and there are no
data packets between reneg and float, server will not recognize floated client.
---
 src/openvpn/forward.c| 57 
 src/openvpn/forward.h|  2 +
 src/openvpn/init.c   | 10 -
 src/openvpn/mudp.c   | 54 +++
 src/openvpn/mudp.h   |  2 +-
 src/openvpn/multi.c  | 97 ++--
 src/openvpn/multi.h  |  2 +
 src/openvpn/options.c|  9 -
 src/openvpn/options.h|  8 +++-
 src/openvpn/push.c   | 16 +++-
 src/openvpn/ssl.c| 75 +
 src/openvpn/ssl.h| 12 +-
 src/openvpn/ssl_common.h |  4 ++
 13 files changed, 300 insertions(+), 48 deletions(-)

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 27b775f..d373231 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -722,20 +722,12 @@ read_incoming_link (struct context *c)
   perf_pop ();
 }

-/*
- * Input:  c->c2.buf
- * Output: c->c2.to_tun
- */
-
-void
-process_incoming_link (struct context *c)
+bool
+process_incoming_link_part1 (struct context *c, struct link_socket_info *lsi, 
bool floated)
 {
   struct gc_arena gc = gc_new ();
   bool decrypt_status;
-  struct link_socket_info *lsi = get_link_socket_info (c);
-  const uint8_t *orig_buf = c->c2.buf.data;
-
-  perf_push (PERF_PROC_IN_LINK);
+  bool res = false;

   if (c->c2.buf.len > 0)
 {
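Review bot: The old header comment (`Input: c->c2.buf`, `Output: c->c2.to_tun`) is deleted and nothing documents the new split: what process_incoming_link_part1 returns, what `floated` changes, and whether `lsi` is still used by part1 (it is no longer computed locally and no use of it is visible in this hunk). Add a Doxygen block above the new definition saying that part1 runs the authenticate/decrypt stage on `c->c2.buf` in place, as the later hunks show, what `floated` means for tls_pre_decrypt, and exactly what the bool return reports, then mirror it on the forward.h prototypes. The function body continues beyond this hunk.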
@@ -805,7 +797,7 @@ process_incoming_link (struct context *c)
   * will load crypto_options with the correct encryption key
   * and return false.
   */
- if (tls_pre_decrypt (c->c2.tls_multi, >c2.from, >c2.buf, 
>c2.crypto_options))
+ if (tls_pre_decrypt (c->c2.tls_multi, >c2.from, >c2.buf, 
>c2.crypto_options, floated))
{
  interval_action (>c2.tmp_int);

@@ -824,6 +816,14 @@ process_incoming_link (struct context *c)
 #endif
 #endif /* ENABLE_SSL */

+  /*
+   * Good, non-zero length packet received.
+   * Commence multi-stage processing of packet,
+   * such as authenticate, decrypt, decompress.
+   * If any stage fails, it sets buf.len to 0 or -1,
+   * telling downstream stages to ignore the packet.
+   */
+   
   /* authenticate and decrypt the incoming packet */
   decrypt_status = openvpn_decrypt (>c2.buf, 
c->c2.buffers->decrypt_buf, >c2.crypto_options, >c2.frame);

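Review bot: The line added right after the new comment block (`+   `) contains only spaces, and `process_incoming_link_part1(c, lsi, false);   ` in the last forward.c hunk carries trailing blanks; both trip `git diff --check` and whitespace hooks and should be dropped. Style aside, the comment promises that a failing stage sets buf.len to 0 or -1, which is the contract the part1/part2 split now depends on, so keep that sentence accurate if openvpn_decrypt's failure behaviour differs. process_incoming_link_part1 begins before this hunk.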
@@ -832,11 +832,25 @@ process_incoming_link (struct context *c)
  /* decryption errors are fatal in TCP mode */
  register_signal (c, SIGUSR1, "decryption-error"); /* SOFT-SIGUSR1 -- 
decryption error in TCP mode */
  msg (D_STREAM_ERRORS, "Fatal decryption error 
(process_incoming_link), restarting");
- goto done;
}
-
+  else
+   res = true;
 #endif /* ENABLE_CRYPTO */
+}
+  else
+{
+  buf_reset (>c2.to_tun);
+}
+  gc_free ();
+
+  return res;
+}

+void
+process_incoming_link_part2 (struct context *c, struct link_socket_info *lsi, 
const uint8_t *orig_buf)
+{
+  if (c->c2.buf.len > 0)
+{
 #ifdef ENABLE_FRAGMENT
   if (c->c2.fragment)
fragment_incoming (c->c2.fragment, >c2.buf, >c2.frame_fragment);
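Review bot: `res` becomes true whenever the fatal-TCP branch is not taken, so if the `if` just above the hunk is `!decrypt_status && connection-oriented`, as its comment implies, a UDP packet whose HMAC check failed still makes part1 return true. The description says a float is committed only after the packet verifies, so if the mudp.c caller gates the float on this return value a forged packet could move a session's address; replacing `else res = true;` with an unconditional `res = decrypt_status;` after the if block ties the result to the authentication outcome in both modes. The build without ENABLE_CRYPTO leaves `res` false for every packet; if that is intended it deserves a comment. Both functions in this hunk are cut at its edges.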
@@ -903,9 +917,20 @@ process_incoming_link (struct context *c)
 {
   buf_reset (>c2.to_tun);
 }
- done:
+}
+
+void
+process_incoming_link (struct context *c)
+{
+  perf_push (PERF_PROC_IN_LINK);
+
+  struct link_socket_info *lsi = get_link_socket_info (c);
+  const uint8_t *orig_buf = c->c2.buf.data;
+
+  process_incoming_link_part1(c, lsi, false);   
+  process_incoming_link_part2(c, lsi, orig_buf);
+
   perf_pop ();
-  gc_free ();
 }

 /*
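Review bot: The wrapper discards part1's bool and calls part2 unconditionally, so the claim that part2 is safe after a false return rests entirely on buf.len having been zeroed by the failing stage, and nothing here states that. Either gate it, `if (process_incoming_link_part1 (c, lsi, false)) { process_incoming_link_part2 (c, lsi, orig_buf); }`, but only once part1 is confirmed to reset c->c2.to_tun on every failure path (the hunks above show that just for the len <= 0 case), or keep the unconditional call and add `/* part2 re-checks c->c2.buf.len, so a failed part1 is harmless here */`. The return value is presumably consumed by the new mudp.c float path, which is not in this chunk; process_incoming_link_part2 starts before this hunk.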
diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h
index 1830a00..b9dfeea 100644
--- a/src/openvpn/forward.h
+++ b/src/openvpn/forward.h
@@ -161,6 +161,8 @@ void read_incoming_link (struct context *c);
  */
 void process_incoming_link (struct context *c);

+bool process_incoming_link_part1 (struct context *c, struct link_socket_info 
*lsi, bool floated);
+void process_incoming_link_part2 (struct context *c, struct link_socket_info 
*lsi, const uint8_t *orig_buf);

 /**
  * Write a packet to the external