[Openvpn-devel] [PATCH applied] Re: Remove count_netmask_bits(), convert users to use netmask_to_netbits2()
Your patch has been applied to the master branch.

commit ec2fbf374f018366c18644d271cd4d793d04244b
Author: Gert Doering
List-Post: openvpn-devel@lists.sourceforge.net
Date: Sat Dec 27 21:59:43 2014 +0100

Remove count_netmask_bits(), convert users to use netmask_to_netbits2()

Signed-off-by: Gert Doering
Acked-by: Steffan Karger
Message-Id: <1419713983-16272-1-git-send-email-g...@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9360

--
kind regards,

Gert Doering
[Openvpn-devel] [PATCH applied] Re: Fix incorrect use of get_ipv6_addr() for iroute options.
Patch has been applied to the master and release/2.3 branch.

commit e8562d5531277ee4dd7c517ef68e87af077ac948 (master)
commit 5f5e49762ccd267af6b82e6bb600fe329d18463e (release/2.3)
Author: Gert Doering
List-Post: openvpn-devel@lists.sourceforge.net
Date: Sun Mar 8 13:56:41 2015 +0100

Fix incorrect use of get_ipv6_addr() for iroute options.

Signed-off-by: Gert Doering
Acked-by: Steffan Karger
Message-Id: <1425819401-18465-1-git-send-email-g...@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9532

--
kind regards,

Gert Doering
Re: [Openvpn-devel] [PATCH] Fix incorrect use of get_ipv6_addr() for iroute options.
On 08-03-15 13:56, Gert Doering wrote: get_ipv6_addr() returns "bool/false", not "int < 0" to signal error. Signed-off-by: Gert Doering--- src/openvpn/options.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 20b37db..df9a641 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1254,7 +1254,7 @@ option_iroute_ipv6 (struct options *o, ALLOC_OBJ_GC (ir, struct iroute_ipv6, >gc); - if ( get_ipv6_addr (prefix_str, >network, >netbits, NULL, msglevel ) < 0 ) + if ( !get_ipv6_addr (prefix_str, >network, >netbits, NULL, msglevel )) { msg (msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification", prefix_str); ACK -Steffan
[Openvpn-devel] [PATCH] Fix incorrect use of get_ipv6_addr() for iroute options.
get_ipv6_addr() returns "bool/false", not "int < 0" to signal error. Signed-off-by: Gert Doering--- src/openvpn/options.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 20b37db..df9a641 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1254,7 +1254,7 @@ option_iroute_ipv6 (struct options *o, ALLOC_OBJ_GC (ir, struct iroute_ipv6, >gc); - if ( get_ipv6_addr (prefix_str, >network, >netbits, NULL, msglevel ) < 0 ) + if ( !get_ipv6_addr (prefix_str, >network, >netbits, NULL, msglevel )) { msg (msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification", prefix_str); -- 2.0.5
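Review bot: the single changed condition in option_iroute_ipv6() is the whole fix, and it matters: get_ipv6_addr() returns a bool, so the old `< 0` comparison could never be true and the "Bad IPv6 prefix specification" branch directly below it was unreachable, meaning a malformed prefix given to --iroute-ipv6 sailed past the check. With `!get_ipv6_addr (...)` the rejection path is live again. It would be worth grepping the tree for any other `get_ipv6_addr (...) < 0` caller while at it, since the same misuse would be just as silent there.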
[Openvpn-devel] [PATCH applied] Re: Change float log message to include common name, if available.
Your patch has been applied to the master branch.

commit bacd640f57c935fb8de4efa71be0e8601c48f26f
Author: Steffan Karger
List-Post: openvpn-devel@lists.sourceforge.net
Date: Sat Mar 7 17:23:11 2015 +0100

Change float log message to include common name, if available.

Signed-off-by: Steffan Karger
Acked-by: Lev Stipakov
Message-Id: <1425745391-8069-1-git-send-email-stef...@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9526
Signed-off-by: Gert Doering

--
kind regards,

Gert Doering
[Openvpn-devel] Remove support for key-method 1 from master/2.4
Hi,

To create keys for the data channel, OpenVPN currently supports two mechanisms, 'Key method 1' and the newer 'Key method 2'. Key method 2 has been supported since OpenVPN 1.5, and has been the default since OpenVPN 2.0. See the manpage and/or http://openvpn.net/index.php/open-source/documentation/security-overview.html for a short recap of both methods.

I think the time has come to remove support for key method 1 from OpenVPN. This will allow us to remove quite a lot of legacy code, and will probably allow us to simplify some of the surrounding code.

However, before investing time in preparing a patch for this, I would like to hear whether there are objections to this proposal. So, if you have a setup that uses key method 1 and you want to use that setup with OpenVPN 2.4, or have other reasons to believe we should keep supporting key method 1 in OpenVPN 2.4, please speak up.

-Steffan
[Openvpn-devel] [PATCH 2/2] polarssl: Improve PolarSSL logging
Use the new polar_log_err() and polar_ok() functions introduced in the previous commit to provide more log/debug output for polarssl errors. Signed-off-by: Steffan Karger--- src/openvpn/crypto_polarssl.c | 35 --- src/openvpn/ssl_polarssl.c| 92 +-- src/openvpn/ssl_verify_polarssl.c | 26 +++ 3 files changed, 66 insertions(+), 87 deletions(-) diff --git a/src/openvpn/crypto_polarssl.c b/src/openvpn/crypto_polarssl.c index 263b4dc..c038f8e 100644 --- a/src/openvpn/crypto_polarssl.c +++ b/src/openvpn/crypto_polarssl.c @@ -261,7 +261,8 @@ ctr_drbg_context * rand_ctx_get() /* Initialise PolarSSL RNG, and built-in entropy sources */ entropy_init(); - if (0 != ctr_drbg_init(_ctx, entropy_func, , BPTR(_string), BLEN(_string))) + if (!polar_ok(ctr_drbg_init(_ctx, entropy_func, , + BPTR(_string), BLEN(_string msg (M_FATAL, "Failed to initialize random generator"); gc_free(); @@ -472,10 +473,10 @@ cipher_ctx_init (cipher_context_t *ctx, uint8_t *key, int key_len, CLEAR (*ctx); - if (0 != cipher_init_ctx(ctx, kt)) + if (!polar_ok(cipher_init_ctx(ctx, kt))) msg (M_FATAL, "PolarSSL cipher context init #1"); - if (0 != cipher_setkey(ctx, key, key_len*8, enc)) + if (!polar_ok(cipher_setkey(ctx, key, key_len*8, enc))) msg (M_FATAL, "PolarSSL cipher set key"); /* make sure we used a big enough key */ @@ -484,7 +485,7 @@ cipher_ctx_init (cipher_context_t *ctx, uint8_t *key, int key_len, void cipher_ctx_cleanup (cipher_context_t *ctx) { - cipher_free_ctx(ctx); + polar_ok(cipher_free_ctx(ctx)); } int cipher_ctx_iv_length (const cipher_context_t *ctx) 
@@ -514,36 +515,38 @@ cipher_ctx_get_cipher_kt (const cipher_ctx_t *ctx) int cipher_ctx_reset (cipher_context_t *ctx, uint8_t *iv_buf) { - int retval = cipher_reset(ctx); + if (!polar_ok(cipher_reset(ctx))) +return 0; - if (0 == retval) -retval = cipher_set_iv(ctx, iv_buf, ctx->cipher_info->iv_size); + if (!polar_ok(cipher_set_iv(ctx, iv_buf, ctx->cipher_info->iv_size))) +return 0; - return 0 == retval; + return 1; } int cipher_ctx_update (cipher_context_t *ctx, uint8_t *dst, int *dst_len, uint8_t *src, int src_len) { - int retval = 0; size_t s_dst_len = *dst_len; - retval = cipher_update(ctx, src, (size_t)src_len, dst, _dst_len); + if (!polar_ok(cipher_update(ctx, src, (size_t)src_len, dst, _dst_len))) +return 0; *dst_len = s_dst_len; - return 0 == retval; + return 1; } int cipher_ctx_final (cipher_context_t *ctx, uint8_t *dst, int *dst_len) { - int retval = 0; size_t s_dst_len = *dst_len; - retval = cipher_finish(ctx, dst, _dst_len); + if (!polar_ok(cipher_finish(ctx, dst, _dst_len))) +return 0; + *dst_len = s_dst_len; - return 0 == retval; + return 1; } void @@ -553,8 +556,8 @@ cipher_des_encrypt_ecb (const unsigned char key[DES_KEY_LENGTH], { des_context ctx; -des_setkey_enc(, key); -des_crypt_ecb(, src, dst); +ASSERT (polar_ok(des_setkey_enc(, key))); +ASSERT (polar_ok(des_crypt_ecb(, src, dst))); } diff --git a/src/openvpn/ssl_polarssl.c b/src/openvpn/ssl_polarssl.c index 8cb328e..d024e13 100644 --- a/src/openvpn/ssl_polarssl.c +++ b/src/openvpn/ssl_polarssl.c 
@@ -218,13 +218,13 @@ tls_ctx_load_dh_params (struct tls_root_ctx *ctx, const char *dh_file, { if (!strcmp (dh_file, INLINE_FILE_TAG) && dh_inline) { - if (0 != dhm_parse_dhm(ctx->dhm_ctx, (const unsigned char *) dh_inline, - strlen(dh_inline))) + if (!polar_ok(dhm_parse_dhm(ctx->dhm_ctx, + (const unsigned char *) dh_inline, strlen(dh_inline msg (M_FATAL, "Cannot read inline DH parameters"); } else { -if (0 != dhm_parse_dhmfile(ctx->dhm_ctx, dh_file)) +if (!polar_ok(dhm_parse_dhmfile(ctx->dhm_ctx, dh_file))) msg (M_FATAL, "Cannot read DH parameters from file %s", dh_file); } @@ -268,18 +268,15 @@ tls_ctx_load_cert_file (struct tls_root_ctx *ctx, const char *cert_file, if (!strcmp (cert_file, INLINE_FILE_TAG) && cert_inline) { - if (0 != x509_crt_parse(ctx->crt_chain, - (const unsigned char *) cert_inline, strlen(cert_inline))) + if (!polar_ok(x509_crt_parse(ctx->crt_chain, + (const unsigned char *) cert_inline, strlen(cert_inline msg (M_FATAL, "Cannot load inline certificate file"); } else { - int retval = x509_crt_parse_file(ctx->crt_chain, cert_file); - if (0 != retval) + if (!polar_ok(x509_crt_parse_file(ctx->crt_chain, cert_file))) { - char errstr[128]; - polarssl_strerror(retval, errstr, sizeof(errstr)); - msg (M_FATAL, "Cannot load certificate file %s (%s)", cert_file, errstr); + msg (M_FATAL, "Cannot load certificate file %s", cert_file); } } } @@ -317,7 +314,7 @@ tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const
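Review bot: in the cipher_ctx_cleanup() hunk (@@ -484) the result of `polar_ok(cipher_free_ctx(ctx))` is deliberately dropped, so the call is logging-only; that is the right choice for a teardown path, but a one-word comment (`/* log only */`) would stop a later reader from "fixing" it into an ASSERT and turning a failed context free into a process abort.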
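Review bot: the cipher_ctx_update()/cipher_ctx_final() hunk (@@ -514) changes behaviour, not just logging: the old code wrote `*dst_len = s_dst_len` unconditionally and then returned `0 == retval`, while the new early `return 0;` leaves `*dst_len` untouched on failure. Leaving the caller's input length in place is the safer outcome, but the commit message only promises "more log/debug output", so please mention the changed `*dst_len` contract there and check that no caller reads `*dst_len` after a failed update or final.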
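Review bot: the cipher_des_encrypt_ecb() hunk (@@ -553) goes from ignoring the des_setkey_enc()/des_crypt_ecb() return values to `ASSERT (polar_ok(...))`, i.e. from silent continuation to an abort on a failed key schedule or block operation. That is the better failure mode for a crypto primitive, but it only holds if ASSERT here is OpenVPN's always-evaluated macro and not the libc assert(), since the latter would compile the DES calls out entirely under NDEBUG; a short note in the commit message confirming that would help reviewers.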
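Review bot: in the tls_ctx_load_cert_file() hunk (@@ -268) the PolarSSL error text is removed from the M_FATAL message, so `"Cannot load certificate file %s"` no longer says why the load failed; the reason now only appears in a separate line emitted by polar_ok() at D_CRYPT_ERRORS level. That is a loss of information at exactly the point an operator is debugging a failed start-up, and the two lines can be separated in a busy log. Consider keeping `errstr` in the fatal message, or at least confirming that D_CRYPT_ERRORS is visible at the default verbosity so the reason is never dropped.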
[Openvpn-devel] [PATCH 1/2] polarssl: add easy logging for PolarSSL errors
Add the functions polar_log_err(), polar_log_func_line() and a macro polar_ok(), to easily log human-readable PolarSSL errors from polarssl-specific code. This does not provide the full logging interface as msg(), because I would have to add a lot more of macro-magic to achieve that on the various supported compilers and platforms, and this suffices too (for now at least). Signed-off-by: Steffan Karger--- src/openvpn/crypto_polarssl.c | 27 +++ src/openvpn/crypto_polarssl.h | 40 2 files changed, 67 insertions(+) diff --git a/src/openvpn/crypto_polarssl.c b/src/openvpn/crypto_polarssl.c index e083398..263b4dc 100644 --- a/src/openvpn/crypto_polarssl.c +++ b/src/openvpn/crypto_polarssl.c @@ -46,6 +46,7 @@ #include "misc.h" #include +#include #include #include #include @@ -86,6 +87,32 @@ crypto_clear_error (void) { } +bool polar_log_err(unsigned int flags, int errval, const char *prefix) +{ + if (0 != errval) +{ + char errstr[256]; + polarssl_strerror(errval, errstr, sizeof(errstr)); + + if (NULL == prefix) prefix = "PolarSSL error"; + msg (flags, "%s: %s", prefix, errstr); +} + + return 0 == errval; +} + +bool polar_log_func_line(unsigned int flags, int errval, const char *func, +int line) +{ + char prefix[256]; + + if (!openvpn_snprintf(prefix, sizeof(prefix), "%s:%d", func, line)) +return polar_log_err(flags, errval, func); + + return polar_log_err(flags, errval, prefix); +} + + #ifdef DMALLOC void crypto_init_dmalloc (void) diff --git a/src/openvpn/crypto_polarssl.h b/src/openvpn/crypto_polarssl.h index b6da436..bd0f8b8 100644 --- a/src/openvpn/crypto_polarssl.h +++ b/src/openvpn/crypto_polarssl.h 
@@ -91,4 +91,44 @@ ctr_drbg_context * rand_ctx_get(); void rand_ctx_enable_prediction_resistance(); #endif +/** + * Log the supplied PolarSSL error, prefixed by supplied prefix. + * + * @param flagsFlags to indicate error type and priority. + * @param errval PolarSSL error code to convert to error message. + * @param prefix Prefix to PolarSSL error message. + * + * @returns true if no errors are detected, false otherwise. + */ +bool polar_log_err(unsigned int flags, int errval, const char *prefix); + +/** + * Log the supplied PolarSSL error, prefixed by function name and line number. + * + * @param flagsFlags to indicate error type and priority. + * @param errval PolarSSL error code to convert to error message. + * @param func Function name where error was reported. + * @param line Line number where error was reported. + * + * @returns true if no errors are detected, false otherwise. + */ +bool polar_log_func_line(unsigned int flags, int errval, const char *func, +int line); + +/** + * Check errval and log on error. + * + * Convenience wrapper to put around polarssl library calls, e.g. + * if (!polar_ok(polarssl_func())) return 0; + * or + * ASSERT (polar_ok(polarssl_func())); + * + * @param errval PolarSSL error code to convert to error message. + * + * @returns true if no errors are detected, false otherwise. + */ +#define polar_ok(errval) \ + polar_log_func_line(D_CRYPT_ERRORS, errval, __func__, __LINE__) + + #endif /* CRYPTO_POLARSSL_H_ */ -- 2.1.0
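Review bot: in the crypto_polarssl.c hunk (@@ -86), polar_log_func_line() falls back to plain `func` as the prefix when openvpn_snprintf() reports truncation, silently dropping the line number. With a 256-byte buffer, a function name and an int this is effectively unreachable, so the behaviour is fine, but a brief comment on the fallback would make the intent clear; also note that polar_log_err() treats any non-zero errval as failure (`return 0 == errval`), which is correct for PolarSSL's negative codes and worth stating in the function's doc comment.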
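Review bot: the header hunk (@@ -91) defines polar_ok() as a macro that forwards `errval` to polar_log_func_line(), so the wrapped library call is evaluated exactly once even though it is a macro argument; that is what makes the documented `ASSERT (polar_ok(polarssl_func()))` idiom safe, and the doc comment should say so. Portability check: the macro uses `__func__`, which is C99, while the commit message mentions supporting several compilers; older MSVC releases only provide `__FUNCTION__`, so a compatibility define may be needed if MSVC builds of the PolarSSL backend are expected.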
Re: [Openvpn-devel] [PATCH] Change float log message to include common name, if available.
ACK 2015-03-07 18:23 GMT+02:00 Steffan Karger: > Makes it a lot easier to see which client is floating. > > Signed-off-by: Steffan Karger > --- > src/openvpn/multi.c | 7 +-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c > index 4412491..b0f66ca 100644 > --- a/src/openvpn/multi.c > +++ b/src/openvpn/multi.c > @@ -2151,8 +2151,11 @@ void multi_process_float (struct multi_context* m, > struct multi_instance* mi) >multi_close_instance(m, ex_mi, false); > } > > -msg (D_MULTI_MEDIUM, "peer %" PRIu32 " floated from %s to %s", > mi->context.c2.tls_multi->peer_id, > -mroute_addr_print (>real, ), print_link_socket_actual > (>top.c2.from, )); > +msg (D_MULTI_MEDIUM, "peer %" PRIu32 " (%s) floated from %s to %s", > + mi->context.c2.tls_multi->peer_id, > + tls_common_name (mi->context.c2.tls_multi, false), > + mroute_addr_print (>real, ), > + print_link_socket_actual (>top.c2.from, )); > > ASSERT (hash_remove(m->hash, >real)); > ASSERT (hash_remove(m->iter, >real)); > -- > 2.1.0 > > > -- > Dive into the World of Parallel Programming The Go Parallel Website, sponsored > by Intel and developed in partnership with Slashdot Media, is your hub for all > things parallel software development, from weekly thought leadership blogs to > news, videos, case studies, tutorials and more. Take a look and join the > conversation now. http://goparallel.sourceforge.net/ > ___ > Openvpn-devel mailing list > Openvpn-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/openvpn-devel -- -Lev
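Review bot: the subject promises the common name "if available", but what actually makes the new `%s` safe in the multi_process_float() hunk is the `false` passed as the second argument to tls_common_name(), which makes it return a fixed placeholder string rather than NULL when no common name has been established for the peer; with `true` the msg() call would be handed a NULL for `%s`. A short comment on that argument would help. From the operator's side this is a good change: a float event can now be attributed to a client identity instead of only a peer-id and an address pair, which is what you need when deciding whether an address change is legitimate roaming or something to investigate.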