[Openvpn-devel] [PATCH applied] Re: Remove count_netmask_bits(), convert users to use netmask_to_netbits2()

2015-03-08 Thread Gert Doering
Your patch has been applied to the master branch.

commit ec2fbf374f018366c18644d271cd4d793d04244b
Author: Gert Doering
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Sat Dec 27 21:59:43 2014 +0100

 Remove count_netmask_bits(), convert users to use netmask_to_netbits2()

 Signed-off-by: Gert Doering 
 Acked-by: Steffan Karger 
 Message-Id: <1419713983-16272-1-git-send-email-g...@greenie.muc.de>
 URL: http://article.gmane.org/gmane.network.openvpn.devel/9360


--
kind regards,

Gert Doering




[Openvpn-devel] [PATCH applied] Re: Fix incorrect use of get_ipv6_addr() for iroute options.

2015-03-08 Thread Gert Doering
Patch has been applied to the master and release/2.3 branch.

commit e8562d5531277ee4dd7c517ef68e87af077ac948 (master)
commit 5f5e49762ccd267af6b82e6bb600fe329d18463e (release/2.3)

Author: Gert Doering
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Sun Mar 8 13:56:41 2015 +0100

 Fix incorrect use of get_ipv6_addr() for iroute options.

 Signed-off-by: Gert Doering 
 Acked-by: Steffan Karger 
 Message-Id: <1425819401-18465-1-git-send-email-g...@greenie.muc.de>
 URL: http://article.gmane.org/gmane.network.openvpn.devel/9532


--
kind regards,

Gert Doering




Re: [Openvpn-devel] [PATCH] Fix incorrect use of get_ipv6_addr() for iroute options.

2015-03-08 Thread Steffan Karger

On 08-03-15 13:56, Gert Doering wrote:

get_ipv6_addr() returns "bool/false", not "int < 0" to signal error.

Signed-off-by: Gert Doering 
---
  src/openvpn/options.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 20b37db..df9a641 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -1254,7 +1254,7 @@ option_iroute_ipv6 (struct options *o,

ALLOC_OBJ_GC (ir, struct iroute_ipv6, >gc);

-  if ( get_ipv6_addr (prefix_str, >network, >netbits, NULL, msglevel ) 
< 0 )
+  if ( !get_ipv6_addr (prefix_str, >network, >netbits, NULL, msglevel 
))
  {
msg (msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification",
   prefix_str);


ACK

-Steffan



[Openvpn-devel] [PATCH] Fix incorrect use of get_ipv6_addr() for iroute options.

2015-03-08 Thread Gert Doering
get_ipv6_addr() returns "bool/false", not "int < 0" to signal error.

Signed-off-by: Gert Doering 
---
 src/openvpn/options.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 20b37db..df9a641 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -1254,7 +1254,7 @@ option_iroute_ipv6 (struct options *o,

   ALLOC_OBJ_GC (ir, struct iroute_ipv6, >gc);

-  if ( get_ipv6_addr (prefix_str, >network, >netbits, NULL, msglevel ) 
< 0 )
+  if ( !get_ipv6_addr (prefix_str, >network, >netbits, NULL, msglevel 
))
 {
   msg (msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification",
   prefix_str);
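Review bot: since get_ipv6_addr() returns bool, the old `< 0` comparison could never be true, so a malformed --iroute-ipv6 prefix passed the check and the "Bad IPv6 prefix specification" message was unreachable; the negated test restores the rejection. Worth grepping the other get_ipv6_addr() callers for the same `< 0` pattern while here, and a config-parsing regression test with a deliberately bad prefix would catch this class of bug in future.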
-- 
2.0.5




[Openvpn-devel] [PATCH applied] Re: Change float log message to include common name, if available.

2015-03-08 Thread Gert Doering
Your patch has been applied to the master branch.

commit bacd640f57c935fb8de4efa71be0e8601c48f26f

Author: Steffan Karger
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Sat Mar 7 17:23:11 2015 +0100

 Change float log message to include common name, if available.

 Signed-off-by: Steffan Karger 
 Acked-by: Lev Stipakov 
 Message-Id: <1425745391-8069-1-git-send-email-stef...@karger.me>
 URL: http://article.gmane.org/gmane.network.openvpn.devel/9526
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




[Openvpn-devel] Remove support for key-method 1 from master/2.4

2015-03-08 Thread Steffan Karger

Hi,

To create keys for the data channel, OpenVPN currently supports two 
mechanisms, 'Key method 1' and the newer 'Key method 2'.  Key method 2 
is supported since OpenVPN 1.5, and has been the default from OpenVPN 
2.0.  See the manpage and/or 
http://openvpn.net/index.php/open-source/documentation/security-overview.html 
for a short recap of both methods.


I think the time has come to remove support for key method 1 from 
OpenVPN.  This will allow us to remove quite some legacy code, and will 
probably allow us to simplify some of the surrounding code.


However, before investing time in preparing a patch for this, I would 
like to hear if there are objections to this proposal.  So, if you have 
a setup that uses key method 1, and you want to use that setup with 
OpenVPN 2.4, or have other reasons to believe we should keep supporting 
key method 1 in OpenVPN 2.4, please speak up.


-Steffan



[Openvpn-devel] [PATCH 2/2] polarssl: Improve PolarSSL logging

2015-03-08 Thread Steffan Karger
Use the new polar_log_err() and polar_ok() functions introduced in the
previous commit to provide more log/debug output for polarssl errors.

Signed-off-by: Steffan Karger 
---
 src/openvpn/crypto_polarssl.c | 35 ---
 src/openvpn/ssl_polarssl.c| 92 +--
 src/openvpn/ssl_verify_polarssl.c | 26 +++
 3 files changed, 66 insertions(+), 87 deletions(-)

diff --git a/src/openvpn/crypto_polarssl.c b/src/openvpn/crypto_polarssl.c
index 263b4dc..c038f8e 100644
--- a/src/openvpn/crypto_polarssl.c
+++ b/src/openvpn/crypto_polarssl.c
@@ -261,7 +261,8 @@ ctr_drbg_context * rand_ctx_get()
   /* Initialise PolarSSL RNG, and built-in entropy sources */
   entropy_init();

-  if (0 != ctr_drbg_init(_ctx, entropy_func, , BPTR(_string), 
BLEN(_string)))
+  if (!polar_ok(ctr_drbg_init(_ctx, entropy_func, ,
+   BPTR(_string), BLEN(_string
 msg (M_FATAL, "Failed to initialize random generator");

   gc_free();
@@ -472,10 +473,10 @@ cipher_ctx_init (cipher_context_t *ctx, uint8_t *key, int 
key_len,

   CLEAR (*ctx);

-  if (0 != cipher_init_ctx(ctx, kt))
+  if (!polar_ok(cipher_init_ctx(ctx, kt)))
 msg (M_FATAL, "PolarSSL cipher context init #1");

-  if (0 != cipher_setkey(ctx, key, key_len*8, enc))
+  if (!polar_ok(cipher_setkey(ctx, key, key_len*8, enc)))
 msg (M_FATAL, "PolarSSL cipher set key");

   /* make sure we used a big enough key */
@@ -484,7 +485,7 @@ cipher_ctx_init (cipher_context_t *ctx, uint8_t *key, int 
key_len,

 void cipher_ctx_cleanup (cipher_context_t *ctx)
 {
-  cipher_free_ctx(ctx);
+  polar_ok(cipher_free_ctx(ctx));
 }

 int cipher_ctx_iv_length (const cipher_context_t *ctx)
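Review bot: in cipher_ctx_cleanup the return value of polar_ok() is discarded, so a failing cipher_free_ctx() is logged at D_CRYPT_ERRORS but otherwise ignored. That is reasonable on a teardown path, but a short comment (or a `(void)` cast) would make the deliberate discard explicit to the next reader, since every other polar_ok() site in this series acts on the result.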
@@ -514,36 +515,38 @@ cipher_ctx_get_cipher_kt (const cipher_ctx_t *ctx)

 int cipher_ctx_reset (cipher_context_t *ctx, uint8_t *iv_buf)
 {
-  int retval = cipher_reset(ctx);
+  if (!polar_ok(cipher_reset(ctx)))
+return 0;

-  if (0 == retval)
-retval = cipher_set_iv(ctx, iv_buf, ctx->cipher_info->iv_size);
+  if (!polar_ok(cipher_set_iv(ctx, iv_buf, ctx->cipher_info->iv_size)))
+return 0;

-  return 0 == retval;
+  return 1;
 }

 int cipher_ctx_update (cipher_context_t *ctx, uint8_t *dst, int *dst_len,
 uint8_t *src, int src_len)
 {
-  int retval = 0;
   size_t s_dst_len = *dst_len;

-  retval = cipher_update(ctx, src, (size_t)src_len, dst, _dst_len);
+  if (!polar_ok(cipher_update(ctx, src, (size_t)src_len, dst, _dst_len)))
+return 0;

   *dst_len = s_dst_len;

-  return 0 == retval;
+  return 1;
 }

 int cipher_ctx_final (cipher_context_t *ctx, uint8_t *dst, int *dst_len)
 {
-  int retval = 0;
   size_t s_dst_len = *dst_len;

-  retval = cipher_finish(ctx, dst, _dst_len);
+  if (!polar_ok(cipher_finish(ctx, dst, _dst_len)))
+return 0;
+
   *dst_len = s_dst_len;

-  return 0 == retval;
+  return 1;
 }

 void
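Review bot: the early returns in cipher_ctx_update and cipher_ctx_final change one detail: previously `*dst_len = s_dst_len` ran even when the library call failed, whereas now on failure `*dst_len` is left at the caller-supplied capacity. That is arguably safer, but callers must treat dst_len as undefined whenever these functions return 0; a one-line comment on each function stating that contract would help.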
@@ -553,8 +556,8 @@ cipher_des_encrypt_ecb (const unsigned char 
key[DES_KEY_LENGTH],
 {
 des_context ctx;

-des_setkey_enc(, key);
-des_crypt_ecb(, src, dst);
+ASSERT (polar_ok(des_setkey_enc(, key)));
+ASSERT (polar_ok(des_crypt_ecb(, src, dst)));
 }
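Review bot: the des_setkey_enc() and des_crypt_ecb() calls are now evaluated inside ASSERT(), which is only safe if ASSERT is never compiled out (the C library assert() would vanish under NDEBUG). Please confirm OpenVPN's ASSERT macro always evaluates its argument; otherwise key setup and encryption would be silently skipped in builds that disable assertions.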


diff --git a/src/openvpn/ssl_polarssl.c b/src/openvpn/ssl_polarssl.c
index 8cb328e..d024e13 100644
--- a/src/openvpn/ssl_polarssl.c
+++ b/src/openvpn/ssl_polarssl.c
@@ -218,13 +218,13 @@ tls_ctx_load_dh_params (struct tls_root_ctx *ctx, const 
char *dh_file,
 {
   if (!strcmp (dh_file, INLINE_FILE_TAG) && dh_inline)
 {
-  if (0 != dhm_parse_dhm(ctx->dhm_ctx, (const unsigned char *) dh_inline,
- strlen(dh_inline)))
+  if (!polar_ok(dhm_parse_dhm(ctx->dhm_ctx,
+ (const unsigned char *) dh_inline, strlen(dh_inline
msg (M_FATAL, "Cannot read inline DH parameters");
   }
 else
   {
-if (0 != dhm_parse_dhmfile(ctx->dhm_ctx, dh_file))
+if (!polar_ok(dhm_parse_dhmfile(ctx->dhm_ctx, dh_file)))
   msg (M_FATAL, "Cannot read DH parameters from file %s", dh_file);
   }

@@ -268,18 +268,15 @@ tls_ctx_load_cert_file (struct tls_root_ctx *ctx, const 
char *cert_file,

   if (!strcmp (cert_file, INLINE_FILE_TAG) && cert_inline)
 {
-  if (0 != x509_crt_parse(ctx->crt_chain,
- (const unsigned char *) cert_inline, strlen(cert_inline)))
+  if (!polar_ok(x509_crt_parse(ctx->crt_chain,
+ (const unsigned char *) cert_inline, strlen(cert_inline
 msg (M_FATAL, "Cannot load inline certificate file");
 }
   else
 {
-  int retval = x509_crt_parse_file(ctx->crt_chain, cert_file);
-  if (0 != retval)
+  if (!polar_ok(x509_crt_parse_file(ctx->crt_chain, cert_file)))
{
- char errstr[128];
- polarssl_strerror(retval, errstr, sizeof(errstr));
- msg (M_FATAL, "Cannot load certificate file %s (%s)", cert_file, 
errstr);
+ msg (M_FATAL, "Cannot load certificate file %s", cert_file);
}
 }
 }
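Review bot: dropping the explicit polarssl_strerror() call means the human-readable reason for a certificate load failure no longer appears in the M_FATAL message itself but in a separate line emitted by polar_ok() at D_CRYPT_ERRORS. Please confirm D_CRYPT_ERRORS is visible at the default verbosity; if it is not, an operator diagnosing a bad --cert file loses the detail the old code printed right before the fatal exit.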
@@ -317,7 +314,7 @@ tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const 

[Openvpn-devel] [PATCH 1/2] polarssl: add easy logging for PolarSSL errors

2015-03-08 Thread Steffan Karger
Add the functions polar_log_err(), polar_log_func_line() and a macro
polar_ok(), to easily log human-readable PolarSSL errors from
polarssl-specific code.

This does not provide the full logging interface as msg(), because I
would have to add a lot more of macro-magic to achieve that on the
various supported compilers and platforms, and this suffices too (for
now at least).

Signed-off-by: Steffan Karger 
---
 src/openvpn/crypto_polarssl.c | 27 +++
 src/openvpn/crypto_polarssl.h | 40 
 2 files changed, 67 insertions(+)

diff --git a/src/openvpn/crypto_polarssl.c b/src/openvpn/crypto_polarssl.c
index e083398..263b4dc 100644
--- a/src/openvpn/crypto_polarssl.c
+++ b/src/openvpn/crypto_polarssl.c
@@ -46,6 +46,7 @@
 #include "misc.h"

 #include 
+#include 
 #include 
 #include 
 #include 
@@ -86,6 +87,32 @@ crypto_clear_error (void)
 {
 }

+bool polar_log_err(unsigned int flags, int errval, const char *prefix)
+{
+  if (0 != errval)
+{
+  char errstr[256];
+  polarssl_strerror(errval, errstr, sizeof(errstr));
+
+  if (NULL == prefix) prefix = "PolarSSL error";
+  msg (flags, "%s: %s", prefix, errstr);
+}
+
+  return 0 == errval;
+}
+
+bool polar_log_func_line(unsigned int flags, int errval, const char *func,
+int line)
+{
+  char prefix[256];
+
+  if (!openvpn_snprintf(prefix, sizeof(prefix), "%s:%d", func, line))
+return polar_log_err(flags, errval, func);
+
+  return polar_log_err(flags, errval, prefix);
+}
+
+
 #ifdef DMALLOC
 void
 crypto_init_dmalloc (void)
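Review bot: polar_log_err() treats every non-zero errval as an error, which matches PolarSSL's negative error-code convention, and polar_log_func_line() falls back to the bare function name if the `%s:%d` prefix does not fit in 256 bytes, which cannot realistically happen. Two nits: `if (NULL == prefix) prefix = ...` on a single line departs from the brace style used in the rest of the hunk, and both helpers are declared `bool`, so the bool type must be in scope in this file (presumably via the existing headers; worth a quick check on the non-GCC builds).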
diff --git a/src/openvpn/crypto_polarssl.h b/src/openvpn/crypto_polarssl.h
index b6da436..bd0f8b8 100644
--- a/src/openvpn/crypto_polarssl.h
+++ b/src/openvpn/crypto_polarssl.h
@@ -91,4 +91,44 @@ ctr_drbg_context * rand_ctx_get();
 void rand_ctx_enable_prediction_resistance();
 #endif

+/**
+ * Log the supplied PolarSSL error, prefixed by supplied prefix.
+ *
+ * @param flagsFlags to indicate error type and priority.
+ * @param errval   PolarSSL error code to convert to error message.
+ * @param prefix   Prefix to PolarSSL error message.
+ *
+ * @returns true if no errors are detected, false otherwise.
+ */
+bool polar_log_err(unsigned int flags, int errval, const char *prefix);
+
+/**
+ * Log the supplied PolarSSL error, prefixed by function name and line number.
+ *
+ * @param flagsFlags to indicate error type and priority.
+ * @param errval   PolarSSL error code to convert to error message.
+ * @param func Function name where error was reported.
+ * @param line Line number where error was reported.
+ *
+ * @returns true if no errors are detected, false otherwise.
+ */
+bool polar_log_func_line(unsigned int flags, int errval, const char *func,
+int line);
+
+/**
+ * Check errval and log on error.
+ *
+ * Convenience wrapper to put around polarssl library calls, e.g.
+ *   if (!polar_ok(polarssl_func())) return 0;
+ * or
+ *   ASSERT (polar_ok(polarssl_func()));
+ *
+ * @param errval   PolarSSL error code to convert to error message.
+ *
+ * @returns true if no errors are detected, false otherwise.
+ */
+#define polar_ok(errval) \
+  polar_log_func_line(D_CRYPT_ERRORS, errval, __func__, __LINE__)
+
+
 #endif /* CRYPTO_POLARSSL_H_ */
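Review bot: polar_ok() expands to `__func__`, which is C99; older MSVC only provides `__FUNCTION__`, so a small compatibility define would be needed if the PolarSSL build is supported on that compiler. Also, the macro fixes the log level at D_CRYPT_ERRORS, so a call site that needs M_FATAL semantics still has to call polar_log_err() directly; the Doxygen comment on polar_ok() could say so to steer callers to the right helper.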
-- 
2.1.0




Re: [Openvpn-devel] [PATCH] Change float log message to include common name, if available.

2015-03-08 Thread Lev Stipakov
ACK

2015-03-07 18:23 GMT+02:00 Steffan Karger :
> Makes it a lot easier to see which client is floating.
>
> Signed-off-by: Steffan Karger 
> ---
>  src/openvpn/multi.c | 7 +--
>  1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
> index 4412491..b0f66ca 100644
> --- a/src/openvpn/multi.c
> +++ b/src/openvpn/multi.c
> @@ -2151,8 +2151,11 @@ void multi_process_float (struct multi_context* m, 
> struct multi_instance* mi)
>multi_close_instance(m, ex_mi, false);
>  }
>
> -msg (D_MULTI_MEDIUM, "peer %" PRIu32 " floated from %s to %s", 
> mi->context.c2.tls_multi->peer_id,
> -mroute_addr_print (>real, ), print_link_socket_actual 
> (>top.c2.from, ));
> +msg (D_MULTI_MEDIUM, "peer %" PRIu32 " (%s) floated from %s to %s",
> +   mi->context.c2.tls_multi->peer_id,
> +   tls_common_name (mi->context.c2.tls_multi, false),
> +   mroute_addr_print (>real, ),
> +   print_link_socket_actual (>top.c2.from, ));
>
>  ASSERT (hash_remove(m->hash, >real));
>  ASSERT (hash_remove(m->iter, >real));
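Review bot: the `false` second argument to tls_common_name() is what keeps the `%s` safe when no common name is available yet, because it yields a placeholder string rather than NULL (the "if available" in the subject); a brief comment at the call site would save the next reader a lookup. The reflowed argument list also brings the line within the style of the surrounding code.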
> --
> 2.1.0



-- 
-Lev