Re: [Openvpn-devel] [PATCH applied] Add support for Keying Material Exporter [RFC 5705]
On 26/05/14 15:25, Daniel Kubec wrote:
> Add support for TLS Keying Material Exporters [RFC 5705].
>
> Keying Material Exporter allows additional keying material to be derived from
> an existing TLS channel.
> This exported keying material can then be used for a variety of purposes.

These patches have been applied to the git master branch:

* openvpn-rfc5705-v3.patch
  commit 685e486e8b8f70c25f09590c24762ff734f94a51
  Author: Daniel Kubec
  Date:   Thu Mar 12 15:14:20 2015 +0100

      Added support for TLS Keying Material Exporters [RFC-5705]

      Signed-off-by: Daniel Kubec
      Signed-off-by: David Sommerseth
      Acked-by: Steffan Karger

* openvpn-rfc5705-doc-v3.patch
  commit 84604e0bae7216b46642d5a1a443b86f712d53aa
  Author: Daniel Kubec
  Date:   Thu Mar 12 15:25:42 2015 +0100

      Added document for TLS Keying Material Exporters [RFC-5705]

      [DS: Fixed option prefix from '-' to '--']

      Signed-off-by: Daniel Kubec
      Signed-off-by: David Sommerseth
      Acked-by: Steffan Karger

* openvpn-rfc5705-sample.patch
  commit f7ef7522f5c7e6d4abfa5a0378c2e2ad265c65ec
  Author: Daniel Kubec
  Date:   Sun Apr 5 00:10:37 2015 +0200

      sample-plugin: TLS Keying Material Exporter [RFC-5705] demonstration plug-in

      Signed-off-by: Daniel Kubec
      Signed-off-by: David Sommerseth
      Acked-by: David Sommerseth

--
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH] Fast recovery when host is in unreachable network
On 02.03.15 at 18:58, Lev Stipakov wrote:
> When a client connects to a server that is in an unreachable network (for
> example the hostname got resolved to an IPv6 address and the client has no
> IPv6), throw SIGUSR1 and connect to the next server without waiting 60
> seconds for "TLS key negotiation failed".

ACK. It works for me and the code looks good.

Arne
Re: [Openvpn-devel] Fwd: Add support for Keying Material Exporter [RFC 5705]
On 09/10/15 17:54, daniel kubec wrote:
> Hi David,
>
> Thank you for your comments. It makes sense to me.
> Can you apply your fixes to the patches, or is it up to me?

As this has been lingering just way too long, I can do these changes this
weekend and get it applied.

--
kind regards,

David Sommerseth

> On 9 October 2015 at 17:27, David Sommerseth wrote:
>> On 23/02/15 17:02, daniel kubec wrote:
>>> -- Forwarded message --
>>> From: Daniel Kubec
>>> Date: 23 February 2015 at 16:51
>>> Subject: Add support for Keying Material Exporter [RFC 5705]
>>> To: openvpn-devel@lists.sourceforge.net
>>>
>>> Hi David,
>>>
>>> Keying Material Exporter [RFC 5705] patch rebased onto the current master
>>> branch.
>>>
>>> Daniel
>>
>> Hi,
>>
>> I've finally had time to do some review. Your patches work, but I have a few
>> comments.
>>
>> * openvpn-rfc5705-sample.patch
>>   - The client config is missing a 'pull'. I tried running this with a server
>>     running in a VM, and the client running outside of the server VM had no IP
>>     address or routing configured. Adding 'pull' to the client config solved it.
>>   - You've called the plug-in 'sso'. I'd try to avoid such a vague name, as
>>     it may be misunderstood to do something else. I'd suggest using a more
>>     related name, for example 'keying-material-exporter-demo'.
>>
>> * openvpn-rfc5705-doc-v3.patch
>>   - The 'OpenVPN Configuration' example is missing a leading dash. It now says
>>     -keying-material-exporter, but should say --keying-material-exporter.
>>
>> * openvpn-rfc5705-v3.patch
>>   The code looks good to me. I share the same comment on the man page as
>>   Steffan had, to also document the upper bound of 4095 bytes.
>>
>> If we can agree on these changes, I'll ensure it gets applied fairly quickly.
>>
>> --
>> kind regards,
>>
>> David Sommerseth
Re: [Openvpn-devel] Fwd: Add support for Keying Material Exporter [RFC 5705]
Ok, thank you for these changes :)

Daniel

On 9 October 2015 at 18:09, David Sommerseth wrote:
> On 09/10/15 17:54, daniel kubec wrote:
>> Hi David,
>>
>> Thank you for your comments. It makes sense to me.
>> Can you apply your fixes to the patches, or is it up to me?
>
> As this has been lingering just way too long, I can do these changes this
> weekend and get it applied.
>
> --
> kind regards,
>
> David Sommerseth
>
>> On 9 October 2015 at 17:27, David Sommerseth wrote:
>>> On 23/02/15 17:02, daniel kubec wrote:
>>>> -- Forwarded message --
>>>> From: Daniel Kubec
>>>> Date: 23 February 2015 at 16:51
>>>> Subject: Add support for Keying Material Exporter [RFC 5705]
>>>> To: openvpn-devel@lists.sourceforge.net
>>>>
>>>> Hi David,
>>>>
>>>> Keying Material Exporter [RFC 5705] patch rebased onto the current master
>>>> branch.
>>>>
>>>> Daniel
>>>
>>> Hi,
>>>
>>> I've finally had time to do some review. Your patches work, but I have a
>>> few comments.
>>>
>>> * openvpn-rfc5705-sample.patch
>>>   - The client config is missing a 'pull'. I tried running this with a server
>>>     running in a VM, and the client running outside of the server VM had no IP
>>>     address or routing configured. Adding 'pull' to the client config solved it.
>>>   - You've called the plug-in 'sso'. I'd try to avoid such a vague name, as
>>>     it may be misunderstood to do something else. I'd suggest using a more
>>>     related name, for example 'keying-material-exporter-demo'.
>>>
>>> * openvpn-rfc5705-doc-v3.patch
>>>   - The 'OpenVPN Configuration' example is missing a leading dash. It now
>>>     says -keying-material-exporter, but should say --keying-material-exporter.
>>>
>>> * openvpn-rfc5705-v3.patch
>>>   The code looks good to me. I share the same comment on the man page as
>>>   Steffan had, to also document the upper bound of 4095 bytes.
>>>
>>> If we can agree on these changes, I'll ensure it gets applied fairly
>>> quickly.
>>>
>>> --
>>> kind regards,
>>>
>>> David Sommerseth
Re: [Openvpn-devel] Fwd: Add support for Keying Material Exporter [RFC 5705]
On 23/02/15 17:02, daniel kubec wrote:
> -- Forwarded message --
> From: Daniel Kubec
> Date: 23 February 2015 at 16:51
> Subject: Add support for Keying Material Exporter [RFC 5705]
> To: openvpn-devel@lists.sourceforge.net
>
> Hi David,
>
> Keying Material Exporter [RFC 5705] patch rebased onto the current master
> branch.
>
> Daniel

Hi,

I've finally had time to do some review. Your patches work, but I have a few
comments.

* openvpn-rfc5705-sample.patch
  - The client config is missing a 'pull'. I tried running this with a server
    running in a VM, and the client running outside of the server VM had no IP
    address or routing configured. Adding 'pull' to the client config solved it.
  - You've called the plug-in 'sso'. I'd try to avoid such a vague name, as
    it may be misunderstood to do something else. I'd suggest using a more
    related name, for example 'keying-material-exporter-demo'.

* openvpn-rfc5705-doc-v3.patch
  - The 'OpenVPN Configuration' example is missing a leading dash. It now says
    -keying-material-exporter, but should say --keying-material-exporter.

* openvpn-rfc5705-v3.patch
  The code looks good to me. I share the same comment on the man page as
  Steffan had, to also document the upper bound of 4095 bytes.

If we can agree on these changes, I'll ensure it gets applied fairly quickly.

--
kind regards,

David Sommerseth
Re: [Openvpn-devel] Fwd: Add support for Keying Material Exporter [RFC 5705]
Hi David,

Thank you for your comments. It makes sense to me.
Can you apply your fixes to the patches, or is it up to me?

Kind regards
Daniel

On 9 October 2015 at 17:27, David Sommerseth wrote:
> On 23/02/15 17:02, daniel kubec wrote:
>> -- Forwarded message --
>> From: Daniel Kubec
>> Date: 23 February 2015 at 16:51
>> Subject: Add support for Keying Material Exporter [RFC 5705]
>> To: openvpn-devel@lists.sourceforge.net
>>
>> Hi David,
>>
>> Keying Material Exporter [RFC 5705] patch rebased onto the current master
>> branch.
>>
>> Daniel
>
> Hi,
>
> I've finally had time to do some review. Your patches work, but I have a few
> comments.
>
> * openvpn-rfc5705-sample.patch
>   - The client config is missing a 'pull'. I tried running this with a server
>     running in a VM, and the client running outside of the server VM had no IP
>     address or routing configured. Adding 'pull' to the client config solved it.
>   - You've called the plug-in 'sso'. I'd try to avoid such a vague name, as
>     it may be misunderstood to do something else. I'd suggest using a more
>     related name, for example 'keying-material-exporter-demo'.
>
> * openvpn-rfc5705-doc-v3.patch
>   - The 'OpenVPN Configuration' example is missing a leading dash. It now says
>     -keying-material-exporter, but should say --keying-material-exporter.
>
> * openvpn-rfc5705-v3.patch
>   The code looks good to me. I share the same comment on the man page as
>   Steffan had, to also document the upper bound of 4095 bytes.
>
> If we can agree on these changes, I'll ensure it gets applied fairly quickly.
>
> --
> kind regards,
>
> David Sommerseth
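To make the exporter discussed in this thread concrete, here is an added example in Go; it is not OpenVPN's code (which drives OpenSSL's exporter) and not the sample plug-in, but Go's crypto/tls exposes the same RFC 5705 primitive. It performs one TLS handshake in-process over net.Pipe, then has both endpoints derive keying material for two labels and confirms they agree without anything but the handshake crossing the wire. It enforces the 4095-byte upper bound David and Steffan asked to have documented; the 16-byte lower bound is taken from the OpenVPN manual and is an assumption here, as are all function and label names in the block.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Length bounds for the exporter output. 4095 is the upper bound from the
// thread; 16 mirrors the OpenVPN manual's minimum (assumption, not on this page).
const (
	minExportLen = 16
	maxExportLen = 4095
)

// Result holds what each side of one TLS connection derived for one label.
type Result struct {
	Client, Server []byte
}

// selfSignedCert builds a throwaway P-256 certificate for the in-process
// server. Constructed for this demo only.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "exporter-demo"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// ExportBothSides runs one handshake over an in-memory pipe and asks both
// endpoints for `length` bytes of RFC 5705 exporter output under each label.
// Each side derives the bytes locally from the shared TLS secrets.
func ExportBothSides(labels []string, length int) (map[string]Result, error) {
	if length < minExportLen || length > maxExportLen {
		return nil, fmt.Errorf("export length %d outside [%d, %d]", length, minExportLen, maxExportLen)
	}
	cert, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	cRaw, sRaw := net.Pipe()
	defer cRaw.Close()
	defer sRaw.Close()

	srv := tls.Server(sRaw, &tls.Config{
		Certificates:           []tls.Certificate{cert},
		SessionTicketsDisabled: true, // no post-handshake flight, so the unbuffered pipe cannot stall
	})
	// Chain verification is skipped only because the peer is the self-signed
	// in-process server above; a real client verifies the chain.
	cli := tls.Client(cRaw, &tls.Config{InsecureSkipVerify: true})

	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	if err := cli.Handshake(); err != nil {
		return nil, err
	}
	if err := <-srvErr; err != nil {
		return nil, err
	}

	cs, ss := cli.ConnectionState(), srv.ConnectionState()
	out := make(map[string]Result, len(labels))
	for _, label := range labels {
		c, err := cs.ExportKeyingMaterial(label, nil, length)
		if err != nil {
			return nil, err
		}
		s, err := ss.ExportKeyingMaterial(label, nil, length)
		if err != nil {
			return nil, err
		}
		out[label] = Result{Client: c, Server: s}
	}
	return out, nil
}

func main() {
	res, err := ExportBothSides([]string{"EXPORTER-demo-a", "EXPORTER-demo-b"}, 32)
	if err != nil {
		panic(err)
	}
	for label, r := range res {
		fmt.Printf("%s\n  client %s\n  server %s\n  match=%v\n", label,
			hex.EncodeToString(r.Client), hex.EncodeToString(r.Server), bytes.Equal(r.Client, r.Server))
	}
}
```

The label is what keeps material derived for different purposes independent: the same connection yields unrelated bytes for the two labels, and a length outside the accepted range is refused before any handshake happens, which is the check the man page's upper bound lets an operator reason about.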
[Openvpn-devel] [PATCH] Add TFTP and WPAD DHCP options V4
These DHCP options will be added on the client to the (Windows) tun adapter and will be available to other applications. This allows the server to push out a TFTP address to use for applications like Cisco's IP Phone. WPAD stands for Windows Proxy Auto Detection and it allows Internet Explorer to automatically pick up a proxy address via the URL http:///wpad.dat --- doc/openvpn.8 |8 src/openvpn/options.c | 14 ++ src/openvpn/tun.c | 20 src/openvpn/tun.h |9 - 4 files changed, 50 insertions(+), 1 deletions(-) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index e213f5a..87ac26c 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -5481,6 +5481,14 @@ is pushed via to a non-windows client, the option will be saved in the client's environment before the up script is called, under the name "foreign_option_{n}". + +.B TFTP addr -- +Set TFTP server address (Trivial File Transer Protocol). +This option sets both the RFC2132 DHCP option (66) and the Cisco option (150). + +.B WPAD url -- +Set the WPAD url (Windows Proxy Auto Detection) for proxy autodetection. +The URL should be of the format "http://example.org/wpad.dat;. .\"* .TP .B \-\-tap\-sleep n diff --git a/src/openvpn/options.c b/src/openvpn/options.c index de4fa38..fb0cd71 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -674,11 +674,13 @@ static const char usage_message[] = "DNS addr: Set domain name server address(es)\n" "NTP : Set NTP server address(es)\n" "NBDD: Set NBDD server address(es)\n" + "TFTP: Set TFTP server address(es)\n" "WINS addr : Set WINS server address(es)\n" "NBT type: Set NetBIOS over TCP/IP Node type\n" " 1: B, 2: P, 4: M, 8: H\n" "NBS id : Set NetBIOS scope ID\n" "DISABLE-NBT : Disable Netbios-over-TCP/IP.\n" + "WPAD url: Set WebProxy AutoDiscovery url\n" "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n" "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n" " startup.\n" 
@@ -1098,11 +1100,13 @@ show_tuntap_options (const struct tuntap_options *o) SHOW_STR (netbios_scope); SHOW_INT (netbios_node_type); SHOW_BOOL (disable_nbt); + SHOW_STR (wpad_url); show_dhcp_option_addrs ("DNS", o->dns, o->dns_len); show_dhcp_option_addrs ("WINS", o->wins, o->wins_len); show_dhcp_option_addrs ("NTP", o->ntp, o->ntp_len); show_dhcp_option_addrs ("NBDD", o->nbdd, o->nbdd_len); + show_dhcp_option_addrs ("TFTP", o->tftp, o->tftp_len); } #endif @@ -5282,6 +5286,8 @@ add_option (struct options *options, { if (ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) || is_special_addr (p[1])) /* FQDN -- may be DNS name */ { + struct tuntap_options *o = >tuntap_options; + options->route_default_gateway = p[1]; } else @@ -6079,6 +6085,14 @@ add_option (struct options *options, { o->disable_nbt = 1; } + else if (streq (p[1], "TFTP") && p[2]) + { + dhcp_option_address_parse ("TFTP", p[2], o->tftp, >tftp_len, msglevel); + } + else if (streq (p[1], "WPAD") && p[2]) + { + o->wpad_url = p[2]; + } else { msg (msglevel, "--dhcp-option: unknown option type '%s' or missing or unknown parameter", p[1]); diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c index 24a61ec..21e0138 100644 --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c @@ -4967,6 +4967,11 @@ static bool build_dhcp_options_string (struct buffer *buf, const struct tuntap_options *o) { bool error = false; + const char *tftp_str = NULL; + int i; + + struct gc_arena gc = gc_new (); + if (o->domain) write_dhcp_str (buf, 15, o->domain, ); 
@@ -4997,6 +5002,21 @@ build_dhcp_options_string (struct buffer *buf, const struct tuntap_options *o) buf_write_u8 (buf, 4); /* length of the vendor specified field */ buf_write_u32 (buf, 0x002); } + + /* Set both the RFC2132 and Cisco DHCP options for a TFTP server */ + if (o->tftp_len > 0) + { + tftp_str = print_in_addr_t (o->tftp[0], 0, ); + write_dhcp_str (buf, 66, tftp_str, ); + } + write_dhcp_u32_array (buf, 150, (uint32_t*)o->tftp, o->tftp_len, ); + + /* IE6 seems to requires an extra character at the end of the URL */ + if (o->wpad_url) +write_dhcp_str (buf, 252, o->wpad_url, ); + + gc_free (); + return !error; } diff --git a/src/openvpn/tun.h b/src/openvpn/tun.h index 65bacac..93be13e 100644 --- a/src/openvpn/tun.h +++ b/src/openvpn/tun.h @@ -78,7 +78,6 @@ struct tuntap_options {
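Review bot: in the doc/openvpn.8 hunk, "Transer" should read "Transfer", and the WPAD example line ends in `wpad.dat;` where the closing double quote went missing (`"http://example.org/wpad.dat"`). The man page expands WPAD as "Windows Proxy Auto Detection" while the usage text in options.c says "WebProxy AutoDiscovery"; the protocol name is Web Proxy Auto-Discovery, so use that in both places.

Review bot: the options.c hunk at @@ -5282 adds `struct tuntap_options *o = ...tuntap_options;` inside the FQDN branch of the route-gateway handling, where nothing uses `o`; it looks like a leftover from an earlier revision and should be dropped (it will also produce an unused-variable warning).

Review bot: in the options.c hunk at @@ -6079, `o->wpad_url = p[2];` stores the URL with no length check. A DHCP option carries a one-byte length, so a URL longer than 255 bytes cannot be encoded; reject it here at parse time with `msg (msglevel, ...)` rather than leaving tun.c to cope with it.

Review bot: the tun.c hunk at @@ -4967 declares `int i;` that nothing in the patch uses; remove it.

Review bot: in the tun.c hunk at @@ -4997, the comment "IE6 seems to requires an extra character at the end of the URL" does not match the code below it, which writes `o->wpad_url` unchanged; either add the character or delete the comment. In the same hunk option 66 is written only when `o->tftp_len > 0`, but the option 150 `write_dhcp_u32_array` call is unconditional; move it inside the same `if` unless `write_dhcp_u32_array` is known to emit nothing for a zero-length array. The man page should also say that option 66 carries only the first TFTP address while option 150 carries all of them.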
[Openvpn-devel] [PATCH] Add support for TFTP and WPAD DHCP options. These DHCP options are picked up by the client-side (Windows) adapter and made available to other applications.
--- doc/openvpn.8 |8 src/openvpn/options.c | 14 ++ src/openvpn/tun.c | 29 + src/openvpn/tun.h |9 - 4 files changed, 59 insertions(+), 1 deletions(-) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index e213f5a..87ac26c 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -5481,6 +5481,14 @@ is pushed via to a non-windows client, the option will be saved in the client's environment before the up script is called, under the name "foreign_option_{n}". + +.B TFTP addr -- +Set TFTP server address (Trivial File Transer Protocol). +This option sets both the RFC2132 DHCP option (66) and the Cisco option (150). + +.B WPAD url -- +Set the WPAD url (Windows Proxy Auto Detection) for proxy autodetection. +The URL should be of the format "http://example.org/wpad.dat;. .\"* .TP .B \-\-tap\-sleep n diff --git a/src/openvpn/options.c b/src/openvpn/options.c index de4fa38..fb0cd71 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -674,11 +674,13 @@ static const char usage_message[] = "DNS addr: Set domain name server address(es)\n" "NTP : Set NTP server address(es)\n" "NBDD: Set NBDD server address(es)\n" + "TFTP: Set TFTP server address(es)\n" "WINS addr : Set WINS server address(es)\n" "NBT type: Set NetBIOS over TCP/IP Node type\n" " 1: B, 2: P, 4: M, 8: H\n" "NBS id : Set NetBIOS scope ID\n" "DISABLE-NBT : Disable Netbios-over-TCP/IP.\n" + "WPAD url: Set WebProxy AutoDiscovery url\n" "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n" "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n" " startup.\n" 
@@ -1098,11 +1100,13 @@ show_tuntap_options (const struct tuntap_options *o) SHOW_STR (netbios_scope); SHOW_INT (netbios_node_type); SHOW_BOOL (disable_nbt); + SHOW_STR (wpad_url); show_dhcp_option_addrs ("DNS", o->dns, o->dns_len); show_dhcp_option_addrs ("WINS", o->wins, o->wins_len); show_dhcp_option_addrs ("NTP", o->ntp, o->ntp_len); show_dhcp_option_addrs ("NBDD", o->nbdd, o->nbdd_len); + show_dhcp_option_addrs ("TFTP", o->tftp, o->tftp_len); } #endif @@ -5282,6 +5286,8 @@ add_option (struct options *options, { if (ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) || is_special_addr (p[1])) /* FQDN -- may be DNS name */ { + struct tuntap_options *o = >tuntap_options; + options->route_default_gateway = p[1]; } else @@ -6079,6 +6085,14 @@ add_option (struct options *options, { o->disable_nbt = 1; } + else if (streq (p[1], "TFTP") && p[2]) + { + dhcp_option_address_parse ("TFTP", p[2], o->tftp, >tftp_len, msglevel); + } + else if (streq (p[1], "WPAD") && p[2]) + { + o->wpad_url = p[2]; + } else { msg (msglevel, "--dhcp-option: unknown option type '%s' or missing or unknown parameter", p[1]); diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c index 24a61ec..0ba3e8a 100644 --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c @@ -4967,6 +4967,11 @@ static bool build_dhcp_options_string (struct buffer *buf, const struct tuntap_options *o) { bool error = false; + const char *tftp_str = NULL; + int i; + + struct gc_arena gc = gc_new (); + if (o->domain) write_dhcp_str (buf, 15, o->domain, ); 
@@ -4997,6 +5002,30 @@ build_dhcp_options_string (struct buffer *buf, const struct tuntap_options *o) buf_write_u8 (buf, 4); /* length of the vendor specified field */ buf_write_u32 (buf, 0x002); } + + /* Set both the RFC2132 and Cisco DHCP options for a TFTP server */ + if (o->tftp_len > 0) + { + tftp_str = print_in_addr_t (o->tftp[0], 0, ); + write_dhcp_str (buf, 66, tftp_str, ); + } + write_dhcp_u32_array (buf, 150, (uint32_t*)o->tftp, o->tftp_len, ); + + /* IE6 seems to requires an extra character at the end of the URL */ + if (o->wpad_url) + { +#ifdef WIN32 +char str[256]; +strncpy( str, o->wpad_url, 255 ); +strcat( str, "\r" ); +write_dhcp_str (buf, 252, str, ); +#else +write_dhcp_str (buf, 252, o->wpad_url, ); +#endif + } + + gc_free (); + return !error; } diff --git a/src/openvpn/tun.h b/src/openvpn/tun.h index 65bacac..93be13e 100644 --- a/src/openvpn/tun.h +++ b/src/openvpn/tun.h @@ -78,7 +78,6 @@ struct tuntap_options { #define N_DHCP_ADDR 4/* Max # of addresses allowed for DNS, WINS, etc. */ - /* DNS (6) */ in_addr_t dns[N_DHCP_ADDR]; int dns_len; @@ -98,6 +97,14
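Review bot: the doc/openvpn.8 hunk has the same two defects as the V4 posting: "Transer" for "Transfer", and a `;` where the closing quote after `wpad.dat` should be.

Review bot: the options.c hunk at @@ -5282 introduces `struct tuntap_options *o` in the route-gateway FQDN branch where it is never used; drop that stray hunk.

Review bot: the WIN32 branch in the tun.c hunk at @@ -4997 is memory-unsafe. `strncpy( str, o->wpad_url, 255 )` into `char str[256]` writes no terminating NUL when the URL is 255 bytes or longer, so `strcat( str, "\r" )` then reads and writes past the end of the buffer; shorter-than-255 URLs that still exceed what one DHCP option can carry are silently truncated instead of rejected. Check the length at option parse time (one-byte DHCP length field, so at most 255 bytes including the added CR), and build the string with `snprintf(str, sizeof str, "%s\r", o->wpad_url)` while checking its return value. The `#ifdef WIN32` block is also flush-left; indent it like the surrounding code, and say in the comment why the CR is Windows-only.

Review bot: `int i;` in the tun.c hunk at @@ -4967 is unused in this patch; remove it.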
Re: [Openvpn-devel] [PATCH] Export --redirect-gateway parameters
Hi,

On Fri, May 09, 2014 at 09:23:01AM -0700, Paul Stewart wrote:
> Report the flags passed to the --redirect-gateway and
> --redirect-private flags, so that systems that manage routing
> tables have hints about how the routing table should be modified.

I mentioned that we don't have enough time, and so it was - apologies for
not looking into this more quickly.

We discussed this today, and while the code is good enough, it needs to
satisfy the "why is this needed?" requirement - could you explain a bit
better what this would be used for?

(The drawback of this patch is that it needs maintenance if we add new
options, like "--redirect-gateway ipv6" - David suggested that we add a
global mapping table for that, and I wonder if the actual use case warrants
the extra maintenance effort...)

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
[Openvpn-devel] [PATCH v2] Support for disabled peer-id
v2: * Add round brackets for clarity. * Rephrase comment. v1: * When peer-id value is 0xFF, server should ignore it and treat packet in a same way as P_DATA_V1. * Make sure that issued peer-id does not exceed 0xFF. --- src/openvpn/mudp.c | 14 +++--- src/openvpn/multi.c | 3 ++- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c index 57118f8..fcbb47d 100644 --- a/src/openvpn/mudp.c +++ b/src/openvpn/mudp.c @@ -60,12 +60,16 @@ multi_get_create_instance_udp (struct multi_context *m, bool *floated) struct hash_bucket *bucket = hash_bucket (hash, hv); uint8_t* ptr = BPTR(>top.c2.buf); uint8_t op = ptr[0] >> P_OPCODE_SHIFT; + bool v2 = (op == P_DATA_V2) && (m->top.c2.buf.len >= (1 + 3)); + bool peer_id_disabled = false; /* make sure buffer has enough length to read opcode (1 byte) and peer-id (3 bytes) */ - if (op == P_DATA_V2 && m->top.c2.buf.len >= (1 + 3)) + if (v2) { uint32_t peer_id = ntohl(*(uint32_t*)ptr) & 0xFF; - if ((peer_id < m->max_clients) && (m->instances[peer_id])) + peer_id_disabled = (peer_id == 0xFF); + + if (!peer_id_disabled && (peer_id < m->max_clients) && (m->instances[peer_id])) { mi = m->instances[peer_id]; @@ -80,7 +84,7 @@ multi_get_create_instance_udp (struct multi_context *m, bool *floated) } } } - else + if (!v2 || peer_id_disabled) { he = hash_lookup_fast (hash, bucket, , hv); if (he) @@ -103,10 +107,14 @@ multi_get_create_instance_udp (struct multi_context *m, bool *floated) hash_add_fast (hash, bucket, >real, hv, mi); mi->did_real_hash = true; + /* In future we might want to use P_DATA_V2 but not need peer-id/float functionality */ for (i = 0; i < m->max_clients; ++i) { if (!m->instances[i]) { + /* issued peer-id should fit into 3 bytes to avoid wrap and cannot have reserved value 0xFF */ + ASSERT(i < 0xFF); + mi->context.c2.tls_multi->peer_id = i; m->instances[i] = mi; break; diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 902c4dc..76f5a44 100644 --- a/src/openvpn/multi.c 
+++ b/src/openvpn/multi.c @@ -562,7 +562,8 @@ multi_close_instance (struct multi_context *m, } #endif - m->instances[mi->context.c2.tls_multi->peer_id] = NULL; + if (mi->context.c2.tls_multi->peer_id != 0xFF) +m->instances[mi->context.c2.tls_multi->peer_id] = NULL; schedule_remove_entry (m->schedule, (struct schedule_entry *) mi); -- 1.9.1
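Review bot: in the mudp.c hunk at @@ -60, the comment says the peer-id is 3 bytes but the existing line masks it with `& 0xFF`, keeping one byte, and the new reserved-value test `peer_id == 0xFF` plus `ASSERT(i < 0xFF)` further down then cap the server at 255 ids. Whatever the intended width, the mask, the reserved value and the assertion bound should come from one named constant (e.g. a `#define` for the reserved id) rather than three literals that can drift apart.

Review bot: the `ASSERT(i < 0xFF)` added in the mudp.c hunk at @@ -103 aborts the whole daemon the first time the free id is at or above the reserved value, i.e. as soon as `--max-clients` exceeds the id space and enough clients are connected. Fail the new instance gracefully instead (log at M_WARN and refuse the connection), and cap `max_clients` against the reserved value at option-check time so the condition cannot arise. The comment "In future we might want to use P_DATA_V2 but not need peer-id/float functionality" sits above the allocation loop but does not say what the loop does or what would change; reword it to describe the intent (for instance that a server might then hand out the reserved id on purpose) or remove it.

Review bot: the multi.c hunk guards the `m->instances[...] = NULL` with `peer_id != 0xFF`, consistent with mudp.c; use the same named constant here so the three sites cannot disagree, and keep the guarded statement indented under the `if`.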
Re: [Openvpn-devel] [PATCH] Support for disabled peer-id
Hi,

On Fri, Oct 09, 2015 at 03:29:17PM +0300, Lev Stipakov wrote:
> + peer_id_disabled = peer_id == 0xFF;

The general patch is fine, but while this line is technically correct, I
don't think we should do so... please at least add some brackets...

  peer_id_disabled = (peer_id == 0xFF);

> + /* TODO: support for disabled peer-id */

What is this TODO about?

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
[Openvpn-devel] [PATCH] Support for disabled peer-id
When peer-id value is 0xFF, server should ignore it and treat packet in a same way as P_DATA_V1. Make sure that issued peer-id does not exceed 0xFF. --- src/openvpn/mudp.c | 15 --- src/openvpn/multi.c | 3 ++- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c index 57118f8..43b4f06 100644 --- a/src/openvpn/mudp.c +++ b/src/openvpn/mudp.c @@ -60,12 +60,16 @@ multi_get_create_instance_udp (struct multi_context *m, bool *floated) struct hash_bucket *bucket = hash_bucket (hash, hv); uint8_t* ptr = BPTR(>top.c2.buf); uint8_t op = ptr[0] >> P_OPCODE_SHIFT; + bool v2 = (op == P_DATA_V2) && (m->top.c2.buf.len >= (1 + 3)); + bool peer_id_disabled = false; /* make sure buffer has enough length to read opcode (1 byte) and peer-id (3 bytes) */ - if (op == P_DATA_V2 && m->top.c2.buf.len >= (1 + 3)) + if (v2) { uint32_t peer_id = ntohl(*(uint32_t*)ptr) & 0xFF; - if ((peer_id < m->max_clients) && (m->instances[peer_id])) + peer_id_disabled = peer_id == 0xFF; + + if (!peer_id_disabled && (peer_id < m->max_clients) && (m->instances[peer_id])) { mi = m->instances[peer_id]; @@ -80,7 +84,7 @@ multi_get_create_instance_udp (struct multi_context *m, bool *floated) } } } - else + if (!v2 || peer_id_disabled) { he = hash_lookup_fast (hash, bucket, , hv); if (he) @@ -103,11 +107,16 @@ multi_get_create_instance_udp (struct multi_context *m, bool *floated) hash_add_fast (hash, bucket, >real, hv, mi); mi->did_real_hash = true; + /* TODO: support for disabled peer-id */ for (i = 0; i < m->max_clients; ++i) { if (!m->instances[i]) { + /* issued peer-id should fit into 3 bytes to avoid wrap and cannot have reserved value 0xFF */ + ASSERT(i < 0xFF); + mi->context.c2.tls_multi->peer_id = i; + m->instances[i] = mi; break; } diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 902c4dc..76f5a44 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c 
@@ -562,7 +562,8 @@ multi_close_instance (struct multi_context *m, } #endif - m->instances[mi->context.c2.tls_multi->peer_id] = NULL; + if (mi->context.c2.tls_multi->peer_id != 0xFF) +m->instances[mi->context.c2.tls_multi->peer_id] = NULL; schedule_remove_entry (m->schedule, (struct schedule_entry *) mi); -- 1.9.1
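Review bot: besides the missing brackets around `peer_id == 0xFF` in the mudp.c hunk at @@ -60, the mask on the existing line (`& 0xFF`) keeps one byte while the comment speaks of a 3-byte peer-id; the mask, the reserved value and the `ASSERT(i < 0xFF)` bound should share one named constant.

Review bot: `ASSERT(i < 0xFF)` in the mudp.c hunk at @@ -103 turns id exhaustion into a crash of the server process once `max_clients` is larger than the id space and enough clients connect; refuse the instance with a warning instead and reject `--max-clients` values above the reserved id when options are checked. The `/* TODO: support for disabled peer-id */` above the loop does not say what is still missing, which is Gert's question; either describe the remaining work or drop it.

Review bot: the multi.c hunk is fine functionally; use the same reserved-id constant as mudp.c and indent the guarded `m->instances[...] = NULL;` under its `if`.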
[Openvpn-devel] [PATCH] Author: Jan Just Keijser <janj...@nikhef.nl>
From: Jan Just KeijserAdd extended client certificate verification support. Replace --client-cert-not-required with a more flexible option, that allows for no, optional or mandatory client certificate verification. Signed-off-by: Jan Just Keijser --- doc/openvpn.8 | 49 +++- src/openvpn/options.c | 28 +++- src/openvpn/ssl_common.h |5 ++- src/openvpn/ssl_openssl.c | 15 + 4 files changed, 86 insertions(+), 11 deletions(-) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 3eb2493..6ff2b4e 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 
@@ -3549,18 +3549,63 @@ to empty strings (""). The authentication module/script MUST have logic to detect this condition and respond accordingly. .\"* .TP -.B \-\-client\-cert\-not\-required +.B \-\-client\-cert\-not\-required (DEPRECATED) Don't require client certificate, client will authenticate using username/password only. Be aware that using this directive is less secure than requiring certificates from all clients. + +.B Please note: +This option is now deprecated and will be removed in OpenVPN v2.5. +It is replaced by +.B \-\-verify\-client\-cert +which allows for more flexibility. The option +.B \-\-verify\-client\-cert none +is functionally equivalent to +.B \-\-client\-cert\-not\-required +. + +.\"* +.TP +.B \-\-verify\-client\-cert none|optional|require +Specify whether the client is required to supply a valid certificate. + +Possible options are + +.B none +: a client certificate is not required. the client need to authenticate +using username/password only. Be aware that using this directive +is less secure than requiring certificates from all clients. + If you use this directive, the entire responsibility of authentication will rest on your .B \-\-auth\-user\-pass\-verify script, so keep in mind that bugs in your script could potentially compromise the security of your VPN. -If you don't use this directive, but you also specify an +.B \-\-verify\-client\-cert none +is functionally equivalent to +.B \-\-client\-cert\-not\-required. + +.B optional +: a client may present a certificate but it is not required to do so. +When using this directive, you should also use a +.B \-\-auth\-user\-pass\-verify +script to ensure that clients are authenticated using a +certificate, a username and password, or possibly even both. + +Again, the entire responsibility of authentication will rest on your +.B \-\-auth\-user\-pass\-verify +script, so keep in mind that bugs in your script +could potentially compromise the security of your VPN. 
+ +.B require +: this is the default option. A client is required to present a +certificate, otherwise VPN access is refused. + +If you don't use this directive (or use +.B \-\-verify\-client\-cert require +) but you also specify an .B \-\-auth\-user\-pass\-verify script, then OpenVPN will perform double authentication. The client certificate verification AND the diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 74276d4..65e4658 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -437,6 +437,9 @@ static const char usage_message[] = " Only valid in a client-specific config file.\n" "--client-cert-not-required : Don't require client certificate, client\n" " will authenticate using username/password.\n" + "--verify-client-cert [none|optional|require] : perform no, optional or\n" + " mandatory client certificate verification.\n" + " Default is to require the client to supply a certificate.\n" "--username-as-common-name : For auth-user-pass authentication, use\n" " the authenticated username as the common name,\n" " rather than the common name from the client cert.\n" @@ -2091,8 +2094,8 @@ options_postprocess_verify_ce (const struct options *options, const struct conne msg (M_USAGE, "--duplicate-cn requires --mode server"); if (options->cf_max || options->cf_per) msg (M_USAGE, "--connect-freq requires --mode server"); - if (options->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED) - msg (M_USAGE, "--client-cert-not-required requires --mode server"); + if (options->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED || options->ssl_flags & SSLF_CLIENT_CERT_OPTIONAL) + msg (M_USAGE, "--client-cert-not-required and --verify-client-cert require --mode server"); if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) msg (M_USAGE, "--username-as-common-name requires --mode server"); if (options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) @@ -5658,6 +5661,27 @@ add_option (struct options *options, { VERIFY_PERMISSION (OPT_P_GENERAL); options->ssl_flags |=
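Review bot: in the doc/openvpn.8 hunk, "the client need to authenticate" should read "needs", "Possible options are" is better as "Possible values are:", and `.B \-\-client\-cert\-not\-required.` puts the full stop inside the bold argument; the earlier paragraph places the period on its own line after the `.B` line, so do the same here.

Review bot: in the options.c hunk at @@ -2091, parenthesise the two flag tests for readability, `if ((options->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED) || (options->ssl_flags & SSLF_CLIENT_CERT_OPTIONAL))`, and reword the message: `require` is the default and sets neither flag, so "--verify-client-cert require --mode server" reads as if `require` were the offending value; "--verify-client-cert none|optional requires --mode server" says what is meant. More importantly, the only consistency check visible here is `--mode server`, while the man page hunk states that with `none` or `optional` the entire authentication rests on the `--auth-user-pass-verify` script; the postprocess verification should therefore also refuse those two values when no `--auth-user-pass-verify` script or authentication plug-in is configured, otherwise a client that presents no certificate is admitted with nothing checked at all.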