Re: [Openvpn-devel] [PATCH applied] Add support for Keying Material Exporter [RFC 5705]

2015-10-09 Thread David Sommerseth
On 26/05/14 15:25, Daniel Kubec wrote:
> Add support for TLS Keying Material Exporters [RFC 5705].
> 
> Keying Material Exporter allows additional keying material to be derived from
> an existing TLS channel.
> This exported keying material can then be used for a variety of purposes.

These patches have been applied to the git master branch:

* openvpn-rfc5705-v3.patch
commit 685e486e8b8f70c25f09590c24762ff734f94a51
Author: Daniel Kubec 
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Thu Mar 12 15:14:20 2015 +0100

Added support for TLS Keying Material Exporters [RFC-5705]

Signed-off-by: Daniel Kubec 
Signed-off-by: David Sommerseth 
Acked-by: Steffan Karger 


* openvpn-rfc5705-doc-v3.patch
commit 84604e0bae7216b46642d5a1a443b86f712d53aa
Author: Daniel Kubec 
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Thu Mar 12 15:25:42 2015 +0100

Added document for TLS Keying Material Exporters [RFC-5705]

[DS: Fixed option prefix from '-' to '--']

Signed-off-by: Daniel Kubec 
Signed-off-by: David Sommerseth 
Acked-by: Steffan Karger 


* openvpn-rfc5705-sample.patch
commit f7ef7522f5c7e6d4abfa5a0378c2e2ad265c65ec
Author: Daniel Kubec 
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Sun Apr 5 00:10:37 2015 +0200

sample-plugin: TLS Keying Material Exporter [RFC-5705] demonstration plug-in

Signed-off-by: Daniel Kubec 
Signed-off-by: David Sommerseth 
Acked-by: David Sommerseth 


-- 
kind regards,

David Sommerseth
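Added example, not code from the applied patches or from anyone in this thread: the RFC 5705 derivation that the commit description above refers to, written out for TLS 1.2 in Python with the standard hmac/hashlib modules. The master secret and the two randoms are constructed sample values (a real session's come from the handshake, and an OpenVPN plug-in obtains the result through the exporter interface rather than re-deriving it); the label is a made-up one; the 4095-byte upper bound is the limit the review discussion on this page asks to be documented. The TLS 1.3 exporter uses a different, HKDF-based construction and is out of scope here.

```python
import hashlib
import hmac

MAX_EXPORT_LEN = 4095  # upper bound discussed in this thread for the exporter option


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246 section 5) with P_SHA256:
    PRF(secret, label, seed) = P_SHA256(secret, label + seed), truncated to `length`."""
    seed = label + seed
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # P_hash += HMAC(secret, A(i) + seed)
    return out[:length]


def export_keying_material(master_secret: bytes, client_random: bytes, server_random: bytes,
                           label: bytes, length: int, context: bytes = None) -> bytes:
    """RFC 5705 keying material exporter for TLS 1.2.

    no context:   PRF(master_secret, label, client_random + server_random)
    with context: PRF(master_secret, label, client_random + server_random + len(context) + context)
    len(context) is a 16-bit big-endian field, so an empty context and no context give
    different output on purpose.
    """
    if not 0 < length <= MAX_EXPORT_LEN:
        raise ValueError(f"length must be 1..{MAX_EXPORT_LEN} bytes")
    if len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("client_random and server_random are 32 bytes each")
    seed = client_random + server_random
    if context is not None:
        if len(context) > 0xFFFF:
            raise ValueError("context longer than 65535 bytes")
        seed += len(context).to_bytes(2, "big") + context
    return tls12_prf(master_secret, label, seed, length)


# Constructed sample values; a real session's secrets are never this regular.
SAMPLE_MASTER_SECRET = bytes(range(48))
SAMPLE_CLIENT_RANDOM = bytes([0x11] * 32)
SAMPLE_SERVER_RANDOM = bytes([0x22] * 32)


def demo(label: bytes = b"EXPORTER-openvpn-demo", length: int = 32) -> bytes:
    """Derive `length` bytes under `label` from the constructed sample session."""
    return export_keying_material(SAMPLE_MASTER_SECRET, SAMPLE_CLIENT_RANDOM,
                                  SAMPLE_SERVER_RANDOM, label, length)


if __name__ == "__main__":
    print(demo().hex())
```

Two properties worth keeping in mind when wiring this into a plug-in: the label is part of the input, so two consumers that pick different labels get unrelated keys from the same session, and the output is only as secret as the master secret, which is why the exporter is a derivation and not a way to hand out the master secret itself.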



Re: [Openvpn-devel] [PATCH] Fast recovery when host is in unreachable network

2015-10-09 Thread Arne Schwabe
Am 02.03.15 um 18:58 schrieb Lev Stipakov:
> When client connects to the server which is in unreachable network (for
> example hostname got resolved into ipv6 address and client has no ipv6),
> throw SIGUSR1 and connect to the next server without waiting 60 seconds
> for "TLS key negotiation failed".


ACK. It works for me and code looks good.

Arne



Re: [Openvpn-devel] Fwd: Add support for Keying Material Exporter [RFC 5705]

2015-10-09 Thread David Sommerseth
On 09/10/15 17:54, daniel kubec wrote:
> Hi David,
> 
> Thank You for your comments. It makes sense to me.
> Can you apply your fixes into patches or it's up to me ?
> 

As this has been lingering just way too long, I can do these changes this
weekend and get it applied.


-- 
kind regards,

David Sommerseth

> 
> On 9 October 2015 at 17:27, David Sommerseth
>  wrote:
>> On 23/02/15 17:02, daniel kubec wrote:
>>> -- Forwarded message --
>>> From: Daniel Kubec 
>>> Date: 23 February 2015 at 16:51
>>> Subject: Add support for Keying Material Exporter [RFC 5705]
>>> To: openvpn-devel@lists.sourceforge.net
>>>
>>>
>>> Hi David,
>>>
>>> Keying Material Exporter [RFC 5705] Patch rebased to actual master
>>> branch.
>>>
>>> Daniel
>>
>> Hi,
>>
>> I've finally had time to do some review.  Your patches work, but I have a few
>> comments.
>>
>>
>> * openvpn-rfc5705-sample.patch
>> - The client config is missing a 'pull'.  I tried running this with a server
>>   running in a VM, and the client running outside of the server VM had no IP
>>   address or routing configured.  Adding 'pull' to the client config solved
>>   it.
>> - You've called the plug-in 'sso'.  I'd try to avoid such a vague name, as
>>   it may be misunderstood to do something else.  I'd suggest using a more
>>   related name, for example 'keying-material-exporter-demo'.
>>
>>
>> * openvpn-rfc5705-doc-v3.patch
>> - The 'OpenVPN Configuration' example is missing a leading dash.  It now says
>>   -keying-material-exporter, but should say --keying-material-exporter.
>>
>>
>> * openvpn-rfc5705-v3.patch
>>   The code looks good to me, I share the same comment to the man page as
>>   Steffan had too, to also document the upper bound of 4095 bytes.
>>
>>
>> If we can agree on these changes, I'll ensure it gets applied fairly quickly.
>>
>>
>> --
>> kind regards,
>>
>> David Sommerseth
> 




Re: [Openvpn-devel] Fwd: Add support for Keying Material Exporter [RFC 5705]

2015-10-09 Thread daniel kubec
Ok, Thank You for these changes :)

Daniel

On 9 October 2015 at 18:09, David Sommerseth
 wrote:
> On 09/10/15 17:54, daniel kubec wrote:
>> Hi David,
>>
>> Thank You for your comments. It makes sense to me.
>> Can you apply your fixes into patches or it's up to me ?
>>
>
> As this has been lingering just way too long, I can do these changes this
> weekend and get it applied.
>
>
> --
> kind regards,
>
> David Sommerseth
>
>>
>> On 9 October 2015 at 17:27, David Sommerseth
>>  wrote:
>>> On 23/02/15 17:02, daniel kubec wrote:
 -- Forwarded message --
 From: Daniel Kubec 
 Date: 23 February 2015 at 16:51
 Subject: Add support for Keying Material Exporter [RFC 5705]
 To: openvpn-devel@lists.sourceforge.net


 Hi David,

 Keying Material Exporter [RFC 5705] Patch rebased to actual master
 branch.

 Daniel
>>>
>>> Hi,
>>>
>>> I've finally had time to do some review.  Your patches work, but I have a few
>>> comments.
>>>
>>>
>>> * openvpn-rfc5705-sample.patch
>>> - The client config is missing a 'pull'.  I tried running this with a server
>>>   running in a VM, and the client running outside of the server VM had no IP
>>>   address or routing configured.  Adding 'pull' to the client config solved
>>>   it.
>>> - You've called the plug-in 'sso'.  I'd try to avoid such a vague name, as
>>>   it may be misunderstood to do something else.  I'd suggest using a more
>>>   related name, for example 'keying-material-exporter-demo'.
>>>
>>>
>>> * openvpn-rfc5705-doc-v3.patch
>>> - The 'OpenVPN Configuration' example is missing a leading dash.  It now says
>>>   -keying-material-exporter, but should say --keying-material-exporter.
>>>
>>>
>>> * openvpn-rfc5705-v3.patch
>>>   The code looks good to me, I share the same comment to the man page as
>>>   Steffan had too, to also document the upper bound of 4095 bytes.
>>>
>>>
>>> If we can agree on these changes, I'll ensure it gets applied fairly quickly.
>>>
>>>
>>> --
>>> kind regards,
>>>
>>> David Sommerseth
>>
>



Re: [Openvpn-devel] Fwd: Add support for Keying Material Exporter [RFC 5705]

2015-10-09 Thread David Sommerseth
On 23/02/15 17:02, daniel kubec wrote:
> -- Forwarded message --
> From: Daniel Kubec 
> Date: 23 February 2015 at 16:51
> Subject: Add support for Keying Material Exporter [RFC 5705]
> To: openvpn-devel@lists.sourceforge.net
> 
> 
> Hi David,
> 
> Keying Material Exporter [RFC 5705] Patch rebased to actual master
> branch.
> 
> Daniel

Hi,

I've finally had time to do some review.  Your patches work, but I have a few
comments.


* openvpn-rfc5705-sample.patch
- The client config is missing a 'pull'.  I tried running this with a server
  running in a VM, and the client running outside of the server VM had no IP
  address or routing configured.  Adding 'pull' to the client config solved
  it.
- You've called the plug-in 'sso'.  I'd try to avoid such a vague name, as
  it may be misunderstood to do something else.  I'd suggest using a more
  related name, for example 'keying-material-exporter-demo'.


* openvpn-rfc5705-doc-v3.patch
- The 'OpenVPN Configuration' example is missing a leading dash.  It now says
  -keying-material-exporter, but should say --keying-material-exporter.


* openvpn-rfc5705-v3.patch
  The code looks good to me, I share the same comment to the man page as
  Steffan had too, to also document the upper bound of 4095 bytes.


If we can agree on these changes, I'll ensure it gets applied fairly quickly.


-- 
kind regards,

David Sommerseth



Re: [Openvpn-devel] Fwd: Add support for Keying Material Exporter [RFC 5705]

2015-10-09 Thread daniel kubec
Hi David,

Thank You for your comments. It makes sense to me.
Can you apply your fixes into patches or it's up to me ?

Kind Regards

Daniel




On 9 October 2015 at 17:27, David Sommerseth
 wrote:
> On 23/02/15 17:02, daniel kubec wrote:
>> -- Forwarded message --
>> From: Daniel Kubec 
>> Date: 23 February 2015 at 16:51
>> Subject: Add support for Keying Material Exporter [RFC 5705]
>> To: openvpn-devel@lists.sourceforge.net
>>
>>
>> Hi David,
>>
>> Keying Material Exporter [RFC 5705] Patch rebased to actual master
>> branch.
>>
>> Daniel
>
> Hi,
>
> I've finally had time to do some review.  Your patches work, but I have a few
> comments.
>
>
> * openvpn-rfc5705-sample.patch
> - The client config is missing a 'pull'.  I tried running this with a server
>   running in a VM, and the client running outside of the server VM had no IP
>   address or routing configured.  Adding 'pull' to the client config solved
>   it.
> - You've called the plug-in 'sso'.  I'd try to avoid such a vague name, as
>   it may be misunderstood to do something else.  I'd suggest using a more
>   related name, for example 'keying-material-exporter-demo'.
>
>
> * openvpn-rfc5705-doc-v3.patch
> - The 'OpenVPN Configuration' example is missing a leading dash.  It now says
>   -keying-material-exporter, but should say --keying-material-exporter.
>
>
> * openvpn-rfc5705-v3.patch
>   The code looks good to me, I share the same comment to the man page as
>   Steffan had too, to also document the upper bound of 4095 bytes.
>
>
> If we can agree on these changes, I'll ensure it gets applied fairly quickly.
>
>
> --
> kind regards,
>
> David Sommerseth



[Openvpn-devel] [PATCH] Add TFTP and WPAD DHCP options V4

2015-10-09 Thread Jan Just Keijser
These DHCP options will
be added on the client to the (Windows) tun adapter and will be
available to other applications.

This allows the server to push out a TFTP address to use for
applications like Cisco's IP Phone.

WPAD stands for Windows Proxy Auto Detection and it allows
Internet Explorer to automatically pick up a proxy address
via the URL http:///wpad.dat
---
 doc/openvpn.8 |8 
 src/openvpn/options.c |   14 ++
 src/openvpn/tun.c |   20 
 src/openvpn/tun.h |9 -
 4 files changed, 50 insertions(+), 1 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index e213f5a..87ac26c 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -5481,6 +5481,14 @@ is pushed via
 to a non-windows client, the option will be saved in the client's
 environment before the up script is called, under
 the name "foreign_option_{n}".
+
+.B TFTP addr --
+Set TFTP server address (Trivial File Transer Protocol).
+This option sets both the RFC2132 DHCP option (66) and the Cisco option (150).
+
+.B WPAD url --
+Set the WPAD url (Windows Proxy Auto Detection) for proxy autodetection. 
+The URL should be of the format "http://example.org/wpad.dat;.
 .\"*
 .TP
 .B \-\-tap\-sleep n
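Review bot: the new man page text has a typo and a broken quote: "Trivial File Transer Protocol" should read "Transfer", and the WPAD example ends in `wpad.dat;` where the closing `"` belongs. The expansion given here ("Windows Proxy Auto Detection") also disagrees with the usage string in options.c ("WebProxy AutoDiscovery"); WPAD is Web Proxy Auto-Discovery, so one spelling should be used in both places. It would help operators to state here that option 66 carries only the first TFTP address while option 150 carries the whole list, since that is how the tun.c change behaves.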
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index de4fa38..fb0cd71 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -674,11 +674,13 @@ static const char usage_message[] =
   "DNS addr: Set domain name server address(es)\n"
   "NTP : Set NTP server address(es)\n"
   "NBDD: Set NBDD server address(es)\n"
+  "TFTP: Set TFTP server address(es)\n"
   "WINS addr   : Set WINS server address(es)\n"
   "NBT type: Set NetBIOS over TCP/IP Node type\n"
   "  1: B, 2: P, 4: M, 8: H\n"
   "NBS id  : Set NetBIOS scope ID\n"
   "DISABLE-NBT : Disable Netbios-over-TCP/IP.\n"
+  "WPAD url: Set WebProxy AutoDiscovery url\n"
   "--dhcp-renew   : Ask Windows to renew the TAP adapter lease on 
startup.\n"
   "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease 
on\n"
 "   startup.\n"
@@ -1098,11 +1100,13 @@ show_tuntap_options (const struct tuntap_options *o)
   SHOW_STR (netbios_scope);
   SHOW_INT (netbios_node_type);
   SHOW_BOOL (disable_nbt);
+  SHOW_STR (wpad_url);

   show_dhcp_option_addrs ("DNS", o->dns, o->dns_len);
   show_dhcp_option_addrs ("WINS", o->wins, o->wins_len);
   show_dhcp_option_addrs ("NTP", o->ntp, o->ntp_len);
   show_dhcp_option_addrs ("NBDD", o->nbdd, o->nbdd_len);
+  show_dhcp_option_addrs ("TFTP", o->tftp, o->tftp_len);
 }

 #endif
@@ -5282,6 +5286,8 @@ add_option (struct options *options,
{
  if (ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) || 
is_special_addr (p[1])) /* FQDN -- may be DNS name */
{
+ struct tuntap_options *o = >tuntap_options;
+
  options->route_default_gateway = p[1];
}
  else
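Review bot: the added declaration `struct tuntap_options *o = >tuntap_options;` (presumably `&options->tuntap_options`, the `&options` did not survive transit) lands inside the `ip_or_dns_addr_safe (...)` block, whose only statement sets `options->route_default_gateway`, so `o` is never used in that scope and will draw an unused-variable warning. The `--dhcp-option` branch in the +6085 hunk already dereferences `o`, so this looks like a hunk generated from an edit in the wrong place; please drop it or move the declaration to where the other `--dhcp-option` sub-options get their `o`.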
@@ -6079,6 +6085,14 @@ add_option (struct options *options,
{
  o->disable_nbt = 1;
}
+ else if (streq (p[1], "TFTP") && p[2])
+   {
+ dhcp_option_address_parse ("TFTP", p[2], o->tftp, >tftp_len, 
msglevel);
+   }
+ else if (streq (p[1], "WPAD") && p[2])
+   {
+ o->wpad_url = p[2];
+   }
   else
{
  msg (msglevel, "--dhcp-option: unknown option type '%s' or missing or 
unknown parameter", p[1]);
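Review bot: `o->wpad_url = p[2];` stores the string without any check on its length or shape, although the man page hunk says it must look like http://example.org/wpad.dat and the value ends up in a DHCP option whose data field is at most 255 bytes. Reject over-long or non-http values here with `msg (msglevel, ...)`, as the surrounding branches do for bad input, instead of letting tun.c cope with it later; the TFTP branch is fine since dhcp_option_address_parse already bounds the address count.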
diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
index 24a61ec..21e0138 100644
--- a/src/openvpn/tun.c
+++ b/src/openvpn/tun.c
@@ -4967,6 +4967,11 @@ static bool
 build_dhcp_options_string (struct buffer *buf, const struct tuntap_options *o)
 {
   bool error = false;
+  const char *tftp_str = NULL;
+  int i;
+
+  struct gc_arena gc = gc_new ();
+
   if (o->domain)
 write_dhcp_str (buf, 15, o->domain, );

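Review bot: `int i;` is declared here but nothing in this patch uses it (no loop is added to build_dhcp_options_string), so it should go. The new `struct gc_arena gc` is fine provided every return path passes `gc_free`; the function has the single `return !error;` at the end of the next hunk, so that holds, but a later early return would leak, which is worth a one-line comment.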
@@ -4997,6 +5002,21 @@ build_dhcp_options_string (struct buffer *buf, const 
struct tuntap_options *o)
 buf_write_u8 (buf,  4);  /* length of the vendor specified field */
 buf_write_u32 (buf, 0x002);
   }
+
+  /* Set both the RFC2132 and Cisco DHCP options for a TFTP server */
+  if (o->tftp_len > 0)
+  {
+   tftp_str = print_in_addr_t (o->tftp[0], 0, );
+   write_dhcp_str (buf, 66, tftp_str, );
+  }
+  write_dhcp_u32_array (buf, 150, (uint32_t*)o->tftp, o->tftp_len, );
+  
+  /* IE6 seems to requires an extra character at the end of the URL */
+  if (o->wpad_url)
+write_dhcp_str (buf, 252, o->wpad_url, );
+
+  gc_free ();
+
   return !error;
 }

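Review bot: `write_dhcp_u32_array (buf, 150, ...)` is called unconditionally, so with no TFTP address configured it runs with `o->tftp_len == 0`; unless that helper writes nothing for an empty array, a zero-length option 150 is handed to the adapter. Move the call inside the `if (o->tftp_len > 0)` block next to the option 66 write. The comment "IE6 seems to requires an extra character at the end of the URL" describes code this version no longer contains (the URL is written as-is), so update or remove it. The cast `(uint32_t*)o->tftp` silently assumes `in_addr_t` and `uint32_t` share size and byte order; a comment stating that, or a static assertion, would make the assumption visible.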
diff --git a/src/openvpn/tun.h b/src/openvpn/tun.h
index 65bacac..93be13e 100644
--- a/src/openvpn/tun.h
+++ b/src/openvpn/tun.h
@@ -78,7 +78,6 @@ struct tuntap_options {

 

[Openvpn-devel] [PATCH] Add support for TFTP and WPAD DHCP options. These DHCP options are picked up by the client-side (Windows) adapter and made available to other applications.

2015-10-09 Thread Jan Just Keijser
---
 doc/openvpn.8 |8 
 src/openvpn/options.c |   14 ++
 src/openvpn/tun.c |   29 +
 src/openvpn/tun.h |9 -
 4 files changed, 59 insertions(+), 1 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index e213f5a..87ac26c 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -5481,6 +5481,14 @@ is pushed via
 to a non-windows client, the option will be saved in the client's
 environment before the up script is called, under
 the name "foreign_option_{n}".
+
+.B TFTP addr --
+Set TFTP server address (Trivial File Transer Protocol).
+This option sets both the RFC2132 DHCP option (66) and the Cisco option (150).
+
+.B WPAD url --
+Set the WPAD url (Windows Proxy Auto Detection) for proxy autodetection. 
+The URL should be of the format "http://example.org/wpad.dat;.
 .\"*
 .TP
 .B \-\-tap\-sleep n
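Review bot: "Transer" is a typo for "Transfer", the URL example ends in `;` where the closing `"` should be, and "Windows Proxy Auto Detection" is not what WPAD stands for (Web Proxy Auto-Discovery); the usage string in options.c uses a different expansion again, so pick one and use it in both places.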
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index de4fa38..fb0cd71 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -674,11 +674,13 @@ static const char usage_message[] =
   "DNS addr: Set domain name server address(es)\n"
   "NTP : Set NTP server address(es)\n"
   "NBDD: Set NBDD server address(es)\n"
+  "TFTP: Set TFTP server address(es)\n"
   "WINS addr   : Set WINS server address(es)\n"
   "NBT type: Set NetBIOS over TCP/IP Node type\n"
   "  1: B, 2: P, 4: M, 8: H\n"
   "NBS id  : Set NetBIOS scope ID\n"
   "DISABLE-NBT : Disable Netbios-over-TCP/IP.\n"
+  "WPAD url: Set WebProxy AutoDiscovery url\n"
   "--dhcp-renew   : Ask Windows to renew the TAP adapter lease on 
startup.\n"
   "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease 
on\n"
 "   startup.\n"
@@ -1098,11 +1100,13 @@ show_tuntap_options (const struct tuntap_options *o)
   SHOW_STR (netbios_scope);
   SHOW_INT (netbios_node_type);
   SHOW_BOOL (disable_nbt);
+  SHOW_STR (wpad_url);

   show_dhcp_option_addrs ("DNS", o->dns, o->dns_len);
   show_dhcp_option_addrs ("WINS", o->wins, o->wins_len);
   show_dhcp_option_addrs ("NTP", o->ntp, o->ntp_len);
   show_dhcp_option_addrs ("NBDD", o->nbdd, o->nbdd_len);
+  show_dhcp_option_addrs ("TFTP", o->tftp, o->tftp_len);
 }

 #endif
@@ -5282,6 +5286,8 @@ add_option (struct options *options,
{
  if (ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) || 
is_special_addr (p[1])) /* FQDN -- may be DNS name */
{
+ struct tuntap_options *o = >tuntap_options;
+
  options->route_default_gateway = p[1];
}
  else
@@ -6079,6 +6085,14 @@ add_option (struct options *options,
{
  o->disable_nbt = 1;
}
+ else if (streq (p[1], "TFTP") && p[2])
+   {
+ dhcp_option_address_parse ("TFTP", p[2], o->tftp, >tftp_len, 
msglevel);
+   }
+ else if (streq (p[1], "WPAD") && p[2])
+   {
+ o->wpad_url = p[2];
+   }
   else
{
  msg (msglevel, "--dhcp-option: unknown option type '%s' or missing or 
unknown parameter", p[1]);
diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
index 24a61ec..0ba3e8a 100644
--- a/src/openvpn/tun.c
+++ b/src/openvpn/tun.c
@@ -4967,6 +4967,11 @@ static bool
 build_dhcp_options_string (struct buffer *buf, const struct tuntap_options *o)
 {
   bool error = false;
+  const char *tftp_str = NULL;
+  int i;
+
+  struct gc_arena gc = gc_new ();
+
   if (o->domain)
 write_dhcp_str (buf, 15, o->domain, );

@@ -4997,6 +5002,30 @@ build_dhcp_options_string (struct buffer *buf, const 
struct tuntap_options *o)
 buf_write_u8 (buf,  4);  /* length of the vendor specified field */
 buf_write_u32 (buf, 0x002);
   }
+
+  /* Set both the RFC2132 and Cisco DHCP options for a TFTP server */
+  if (o->tftp_len > 0)
+  {
+   tftp_str = print_in_addr_t (o->tftp[0], 0, );
+   write_dhcp_str (buf, 66, tftp_str, );
+  }
+  write_dhcp_u32_array (buf, 150, (uint32_t*)o->tftp, o->tftp_len, );
+  
+  /* IE6 seems to requires an extra character at the end of the URL */
+  if (o->wpad_url)
+  {
+#ifdef WIN32
+char str[256];
+strncpy( str, o->wpad_url, 255 );
+strcat( str, "\r" );
+write_dhcp_str (buf, 252, str, );
+#else
+write_dhcp_str (buf, 252, o->wpad_url, );
+#endif
+  }
+
+  gc_free ();
+
   return !error;
 }

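Review bot: the WIN32 branch can overrun `str`: `strncpy( str, o->wpad_url, 255 )` leaves `str` without a terminating NUL whenever the URL is 255 bytes or longer, and the following `strcat( str, "\r" )` then scans past the end of the 256-byte stack buffer for a zero byte and writes `"\r"` plus a NUL wherever it finds one. Since a DHCP option's data field is at most 255 bytes and the `"\r"` takes one of them, bound the URL to 254 bytes where `--dhcp-option WPAD` is parsed and build the string with `snprintf (str, sizeof (str), "%s\r", o->wpad_url)` (or a gc-allocated copy) so that truncation is explicit. As in the V4 posting, `write_dhcp_u32_array (buf, 150, ...)` should sit inside the `if (o->tftp_len > 0)` block, and the comment should read "seems to require".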
diff --git a/src/openvpn/tun.h b/src/openvpn/tun.h
index 65bacac..93be13e 100644
--- a/src/openvpn/tun.h
+++ b/src/openvpn/tun.h
@@ -78,7 +78,6 @@ struct tuntap_options {

 #define N_DHCP_ADDR 4/* Max # of addresses allowed for
DNS, WINS, etc. */
-
   /* DNS (6) */
   in_addr_t dns[N_DHCP_ADDR];
   int dns_len;
@@ -98,6 +97,14 
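Added example, not part of either posting above: the DHCP option encoding that the tun.c hunks perform (a string option for 66 and 252, a 4-bytes-per-address array for 150), written in Python with a matching decoder so the produced bytes can be checked. The option numbers are the ones the patch uses; the 255-byte limit is the one-byte DHCP option length field, which is also the bound the WIN32 string copy in the second posting would need. The addresses and URL are constructed sample values.

```python
import ipaddress

DHO_TFTP_SERVER_NAME = 66      # RFC 2132: TFTP server name, sent as a string
DHO_CISCO_TFTP_SERVERS = 150   # Cisco: list of TFTP server addresses, 4 bytes each
DHO_WPAD_URL = 252             # WPAD URL (de facto option number used by the patch)
DHO_PAD, DHO_END = 0, 255
MAX_OPTION_DATA = 255          # the option length field is a single byte


def dhcp_str(code: int, value: str) -> bytes:
    """code | len | ASCII bytes; rejects empty, over-long or non-ASCII values instead of truncating."""
    data = value.encode("ascii")
    if not 0 < len(data) <= MAX_OPTION_DATA:
        raise ValueError(f"option {code}: data must be 1..{MAX_OPTION_DATA} bytes")
    return bytes([code, len(data)]) + data


def dhcp_addr_array(code: int, addrs) -> bytes:
    """code | len | packed IPv4 addresses; writes nothing for an empty list rather than a zero-length option."""
    packed = b"".join(ipaddress.IPv4Address(a).packed for a in addrs)
    if not packed:
        return b""
    if len(packed) > MAX_OPTION_DATA:
        raise ValueError(f"option {code}: too many addresses")
    return bytes([code, len(packed)]) + packed


def build_dhcp_options(tftp=(), wpad_url: str = None) -> bytes:
    """Encode the TFTP and WPAD options the way the patch does: 66 gets the first server only, 150 the list."""
    out = b""
    tftp = list(tftp)
    if tftp:
        out += dhcp_str(DHO_TFTP_SERVER_NAME, str(ipaddress.IPv4Address(tftp[0])))
        out += dhcp_addr_array(DHO_CISCO_TFTP_SERVERS, tftp)
    if wpad_url:
        out += dhcp_str(DHO_WPAD_URL, wpad_url)
    return out


def parse_dhcp_options(blob: bytes) -> dict:
    """Decode code/len/data triples into {code: [data, ...]}, refusing a truncated option."""
    opts = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == DHO_END:
            break
        if code == DHO_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError(f"option {code}: truncated header")
        length = blob[i + 1]
        data = blob[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code}: truncated data")
        opts.setdefault(code, []).append(data)
        i += 2 + length
    return opts


if __name__ == "__main__":
    blob = build_dhcp_options(tftp=["10.0.0.5", "10.0.0.6"], wpad_url="http://example.org/wpad.dat")
    print(blob.hex())
    print(parse_dhcp_options(blob))
```

The decoder is there because the receiving side (the TAP driver, or anything that reads the adapter's options) has to trust the length byte; feeding it a string that was cut off at 255 bytes without adjusting the length is exactly the failure the encoder's bound check prevents.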

Re: [Openvpn-devel] [PATCH] Export --redirect-gateway parameters

2015-10-09 Thread Gert Doering
Hi,

On Fri, May 09, 2014 at 09:23:01AM -0700, Paul Stewart wrote:
> Report the flags passed to the --redirect-gateway and
> --redirect-private flags, so that systems that manage routing
> tables have hints about how the routing table should be modified.

I mentioned that we don't have enough time, and so it was - apologies for
not looking into this more quickly.

We discussed this today, and while the code is good enough, it needs to
satisfy the "why is this needed?" requirement - could you explain a bit
better what this would be used for?

(The drawback of this patch is that it needs maintenance if we add
new options, like "--redirect-gateway ipv6" - David suggested that we
add a global mapping table for that, and I wonder if the actual use
case warrants the extra maintenance effort...)

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de




[Openvpn-devel] [PATCH v2] Support for disabled peer-id

2015-10-09 Thread Lev Stipakov
v2:
 * Add round brackets for clarity.
 * Rephrase comment.

v1:
 * When peer-id value is 0xFF, server should ignore it and treat packet
in the same way as P_DATA_V1.
 * Make sure that issued peer-id does not exceed 0xFF.
---
 src/openvpn/mudp.c  | 14 +++---
 src/openvpn/multi.c |  3 ++-
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c
index 57118f8..fcbb47d 100644
--- a/src/openvpn/mudp.c
+++ b/src/openvpn/mudp.c
@@ -60,12 +60,16 @@ multi_get_create_instance_udp (struct multi_context *m, 
bool *floated)
   struct hash_bucket *bucket = hash_bucket (hash, hv);
   uint8_t* ptr = BPTR(>top.c2.buf);
   uint8_t op = ptr[0] >> P_OPCODE_SHIFT;
+  bool v2 = (op == P_DATA_V2) && (m->top.c2.buf.len >= (1 + 3));
+  bool peer_id_disabled = false;

   /* make sure buffer has enough length to read opcode (1 byte) and 
peer-id (3 bytes) */
-  if (op == P_DATA_V2 && m->top.c2.buf.len >= (1 + 3))
+  if (v2)
{
  uint32_t peer_id = ntohl(*(uint32_t*)ptr) & 0xFF;
- if ((peer_id < m->max_clients) && (m->instances[peer_id]))
+ peer_id_disabled = (peer_id == 0xFF);
+
+ if (!peer_id_disabled && (peer_id < m->max_clients) && 
(m->instances[peer_id]))
{
  mi = m->instances[peer_id];

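Review bot: the mask and the sentinel do not match the comment in the third hunk. `ntohl(...) & 0xFF` keeps 8 bits and `peer_id == 0xFF` tests an 8-bit value, while that comment says the issued id "should fit into 3 bytes"; if the field is 24 bits wide, the mask must cover all three bytes and the disabled value must be all 24 bits set, otherwise any id whose low byte is 0xFF is treated as disabled and ids above 255 collide after masking. Whatever the intended width, give the reserved value one named constant and use it in all four places (this hunk, the ASSERT, and multi.c) instead of repeating the literal. `*(uint32_t*)ptr` is also an unaligned 4-byte read from the packet buffer; assembling the value byte-wise would avoid depending on the buffer's alignment.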
@@ -80,7 +84,7 @@ multi_get_create_instance_udp (struct multi_context *m, bool 
*floated)
  }
}
}
-  else
+  if (!v2 || peer_id_disabled)
{
  he = hash_lookup_fast (hash, bucket, , hv);
  if (he)
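Review bot: with `else` replaced by `if (!v2 || peer_id_disabled)`, a P_DATA_V2 packet whose peer-id is in range but has no instance behind it, or is out of range, matches neither block, so `mi` stays NULL and no address-hash lookup or instance creation happens. That preserves the old behaviour (the old `else` did not run for V2 packets either), but the rewritten condition reads as if a fall-through to the address path were intended, so a short comment stating that unknown-id V2 packets are deliberately dropped here would prevent the next reader from "fixing" it.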
@@ -103,10 +107,14 @@ multi_get_create_instance_udp (struct multi_context *m, 
bool *floated)
  hash_add_fast (hash, bucket, >real, hv, mi);
  mi->did_real_hash = true;

+ /* In future we might want to use P_DATA_V2 but not need 
peer-id/float functionality */
  for (i = 0; i < m->max_clients; ++i)
{
  if (!m->instances[i])
{
+ /* issued peer-id should fit into 3 bytes to 
avoid wrap and cannot have reserved value 0xFF */
+ ASSERT(i < 0xFF);
+
  mi->context.c2.tls_multi->peer_id = i;
  m->instances[i] = mi;
  break;
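Review bot: `ASSERT(i < 0xFF)` turns a full instance table into a server abort: the loop runs up to `m->max_clients`, so with `--max-clients` larger than the peer-id space the first client beyond the last representable id takes the whole process down instead of being refused. Enforce the bound once at option-parsing time (cap max_clients at the number of usable peer-ids, or reject the configuration), and keep this runtime path to a `msg()` plus refusal of the new client; connection churn should never be able to reach an ASSERT. The comment above the loop also belongs with the id assignment, not with the hash insertion.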
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 902c4dc..76f5a44 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -562,7 +562,8 @@ multi_close_instance (struct multi_context *m,
}
 #endif

-  m->instances[mi->context.c2.tls_multi->peer_id] = NULL;
+  if (mi->context.c2.tls_multi->peer_id != 0xFF)
+m->instances[mi->context.c2.tls_multi->peer_id] = NULL;

   schedule_remove_entry (m->schedule, (struct schedule_entry *) mi);

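Review bot: the guard `peer_id != 0xFF` assumes an instance that never got a slot has `peer_id` set to the sentinel; that only holds if `tls_multi->peer_id` is initialised to 0xFF when the multi is created, otherwise an instance closed before the assignment loop ran clears `instances[0]`, which belongs to another client. Either show where that initialisation happens, or make the clear self-checking: `if (m->instances[peer_id] == mi) m->instances[peer_id] = NULL;`.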
-- 
1.9.1




Re: [Openvpn-devel] [PATCH] Support for disabled peer-id

2015-10-09 Thread Gert Doering
Hi,

On Fri, Oct 09, 2015 at 03:29:17PM +0300, Lev Stipakov wrote:
> +   peer_id_disabled = peer_id == 0xFF;

The general patch is fine, but while this line is technically correct, I don't
think we should do so...  please at least add some brackets...

  peer_id_disabled = (peer_id == 0xFF);


> +   /* TODO: support for disabled peer-id */

What is this TODO about?

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de




[Openvpn-devel] [PATCH] Support for disabled peer-id

2015-10-09 Thread Lev Stipakov
When peer-id value is 0xFF, server should ignore it and treat packet
in the same way as P_DATA_V1.

Make sure that issued peer-id does not exceed 0xFF.
---
 src/openvpn/mudp.c  | 15 ---
 src/openvpn/multi.c |  3 ++-
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c
index 57118f8..43b4f06 100644
--- a/src/openvpn/mudp.c
+++ b/src/openvpn/mudp.c
@@ -60,12 +60,16 @@ multi_get_create_instance_udp (struct multi_context *m, 
bool *floated)
   struct hash_bucket *bucket = hash_bucket (hash, hv);
   uint8_t* ptr = BPTR(>top.c2.buf);
   uint8_t op = ptr[0] >> P_OPCODE_SHIFT;
+  bool v2 = (op == P_DATA_V2) && (m->top.c2.buf.len >= (1 + 3));
+  bool peer_id_disabled = false;

   /* make sure buffer has enough length to read opcode (1 byte) and 
peer-id (3 bytes) */
-  if (op == P_DATA_V2 && m->top.c2.buf.len >= (1 + 3))
+  if (v2)
{
  uint32_t peer_id = ntohl(*(uint32_t*)ptr) & 0xFF;
- if ((peer_id < m->max_clients) && (m->instances[peer_id]))
+ peer_id_disabled = peer_id == 0xFF;
+
+ if (!peer_id_disabled && (peer_id < m->max_clients) && 
(m->instances[peer_id]))
{
  mi = m->instances[peer_id];

@@ -80,7 +84,7 @@ multi_get_create_instance_udp (struct multi_context *m, bool 
*floated)
  }
}
}
-  else
+  if (!v2 || peer_id_disabled)
{
  he = hash_lookup_fast (hash, bucket, , hv);
  if (he)
@@ -103,11 +107,16 @@ multi_get_create_instance_udp (struct multi_context *m, 
bool *floated)
  hash_add_fast (hash, bucket, >real, hv, mi);
  mi->did_real_hash = true;

+ /* TODO: support for disabled peer-id */
  for (i = 0; i < m->max_clients; ++i)
{
  if (!m->instances[i])
{
+ /* issued peer-id should fit into 3 bytes to 
avoid wrap and cannot have reserved value 0xFF */
+ ASSERT(i < 0xFF);
+
  mi->context.c2.tls_multi->peer_id = i;
+
  m->instances[i] = mi;
  break;
}
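Review bot: the `/* TODO: support for disabled peer-id */` comment sits above the loop that hands out ids, yet the disabled case is already handled in the first hunk; either state what is still missing or drop the comment. The blank line added after `mi->context.c2.tls_multi->peer_id = i;` is a whitespace-only change and does not belong in this patch.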
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 902c4dc..76f5a44 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -562,7 +562,8 @@ multi_close_instance (struct multi_context *m,
}
 #endif

-  m->instances[mi->context.c2.tls_multi->peer_id] = NULL;
+  if (mi->context.c2.tls_multi->peer_id != 0xFF)
+m->instances[mi->context.c2.tls_multi->peer_id] = NULL;

   schedule_remove_entry (m->schedule, (struct schedule_entry *) mi);

-- 
1.9.1
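Added example, not code from either of the two peer-id patches above: the server-side dispatch that those patches change, modelled in Python. It assumes the P_DATA_V2 layout the hunks describe (one opcode byte with the opcode in its top five bits, followed by a 3-byte peer-id), the OpenVPN opcode values P_DATA_V1 = 6 and P_DATA_V2 = 9, and takes the all-ones 24-bit value as the "disabled" sentinel, which is what the hunk comment "fit into 3 bytes" implies even though the hunks spell the literal as 0xFF. Where the hunk aborts with ASSERT when the id table is full, this example refuses the new client; on removal it clears a slot only if that slot still points at the instance being closed. Packets and addresses are constructed test values.

```python
P_OPCODE_SHIFT = 3
P_KEY_ID_MASK = 0x07
P_DATA_V1 = 6                # assumed OpenVPN opcode values
P_DATA_V2 = 9
PEER_ID_MASK = 0xFFFFFF      # 3-byte peer-id field
PEER_ID_DISABLED = 0xFFFFFF  # assumption: all-ones means "no peer-id, handle like P_DATA_V1"


def parse_header(pkt: bytes):
    """Return (opcode, key_id, peer_id); peer_id is None unless a complete P_DATA_V2 header is present."""
    if not pkt:
        raise ValueError("empty packet")
    opcode = pkt[0] >> P_OPCODE_SHIFT
    key_id = pkt[0] & P_KEY_ID_MASK
    if opcode == P_DATA_V2 and len(pkt) >= 1 + 3:   # opcode byte + 3-byte peer-id
        # same arithmetic as ntohl(first 4 bytes) & mask: the opcode byte is masked away
        return opcode, key_id, int.from_bytes(pkt[:4], "big") & PEER_ID_MASK
    return opcode, key_id, None


class InstanceTable:
    """Models multi_context's instances[] array plus the real-address hash."""

    def __init__(self, max_clients: int):
        # Only ids below the sentinel are assignable, whatever --max-clients says.
        self.slots = [None] * min(max_clients, PEER_ID_DISABLED)
        self.by_addr = {}

    def lookup(self, pkt: bytes, src_addr):
        """By peer-id for V2 packets that carry a usable one, by source address otherwise."""
        _, _, peer_id = parse_header(pkt)
        if peer_id is not None and peer_id != PEER_ID_DISABLED:
            if peer_id < len(self.slots):
                return self.slots[peer_id]   # None for an unknown id: no address fallback, as in the patch
            return None
        return self.by_addr.get(src_addr)

    def add(self, src_addr):
        """Assign the lowest free id; refuse (return None) when none is free instead of aborting."""
        for i, slot in enumerate(self.slots):
            if slot is None:
                inst = {"peer_id": i, "addr": src_addr}
                self.slots[i] = inst
                self.by_addr[src_addr] = inst
                return inst
        return None

    def remove(self, inst):
        """Clear the id slot only if it still belongs to this instance."""
        pid = inst["peer_id"]
        if pid != PEER_ID_DISABLED and pid < len(self.slots) and self.slots[pid] is inst:
            self.slots[pid] = None
        self.by_addr.pop(inst["addr"], None)


def v2_packet(peer_id: int, key_id: int = 0, payload: bytes = b"") -> bytes:
    """Construct a P_DATA_V2 header (for tests and demonstration only)."""
    first = ((P_DATA_V2 << P_OPCODE_SHIFT) | key_id).to_bytes(1, "big")
    return first + peer_id.to_bytes(3, "big") + payload


if __name__ == "__main__":
    table = InstanceTable(max_clients=2)
    a = table.add("192.0.2.10:1194")
    print(parse_header(v2_packet(a["peer_id"])), table.lookup(v2_packet(a["peer_id"]), None) is a)
    print(table.lookup(v2_packet(PEER_ID_DISABLED), "192.0.2.10:1194") is a)
```

The two places where this differs from the hunks are deliberate: `add` returns None rather than asserting, so a full table is an ordinary refusal, and `remove` compares the slot to the instance, so a never-assigned or stale id cannot clear another client's entry.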




[Openvpn-devel] [PATCH] Author: Jan Just Keijser <janj...@nikhef.nl>

2015-10-09 Thread janjust
From: Jan Just Keijser 

Add extended client certificate verification support.

Replace --client-cert-not-required with a more flexible option,
that allows for no, optional or mandatory client certificate
verification.

Signed-off-by: Jan Just Keijser 
---
 doc/openvpn.8 |   49 +++-
 src/openvpn/options.c |   28 +++-
 src/openvpn/ssl_common.h  |5 ++-
 src/openvpn/ssl_openssl.c |   15 +
 4 files changed, 86 insertions(+), 11 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 3eb2493..6ff2b4e 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -3549,18 +3549,63 @@ to empty strings ("").  The authentication 
module/script MUST have logic
 to detect this condition and respond accordingly.
 .\"*
 .TP
-.B \-\-client\-cert\-not\-required
+.B \-\-client\-cert\-not\-required (DEPRECATED)
 Don't require client certificate, client will authenticate
 using username/password only.  Be aware that using this directive
 is less secure than requiring certificates from all clients.

+
+.B Please note:
+This option is now deprecated and will be removed in OpenVPN v2.5.
+It is replaced by
+.B \-\-verify\-client\-cert
+which allows for more flexibility. The option 
+.B \-\-verify\-client\-cert none
+is functionally equivalent to 
+.B \-\-client\-cert\-not\-required
+.
+
+.\"*
+.TP
+.B \-\-verify\-client\-cert none|optional|require
+Specify whether the client is required to supply a valid certificate.
+
+Possible options are
+
+.B none
+: a client certificate is not required. the client need to authenticate
+using username/password only.  Be aware that using this directive
+is less secure than requiring certificates from all clients.
+
 If you use this directive, the
 entire responsibility of authentication will rest on your
 .B \-\-auth\-user\-pass\-verify
 script, so keep in mind that bugs in your script
 could potentially compromise the security of your VPN.

-If you don't use this directive, but you also specify an
+.B \-\-verify\-client\-cert none
+is functionally equivalent to 
+.B \-\-client\-cert\-not\-required.
+
+.B optional
+: a client may present a certificate but it is not required to do so.
+When using this directive, you should also use a
+.B \-\-auth\-user\-pass\-verify
+script to ensure that clients are authenticated using a 
+certificate, a username and password, or possibly even both.
+
+Again, the entire responsibility of authentication will rest on your
+.B \-\-auth\-user\-pass\-verify
+script, so keep in mind that bugs in your script
+could potentially compromise the security of your VPN.
+
+.B require
+: this is the default option. A client is required to present a 
+certificate, otherwise VPN access is refused.
+
+If you don't use this directive (or use 
+.B \-\-verify\-client\-cert require
+) but you also specify an
 .B \-\-auth\-user\-pass\-verify
 script, then OpenVPN will perform double authentication.  The
 client certificate verification AND the
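Review bot: the man page text needs a pass: "the client need to authenticate" should be "needs"; the lone `+.` line after `.B \-\-client\-cert\-not\-required` will render as a stray period on its own line (put it on the `.B` line as the later `.B \-\-client\-cert\-not\-required.` does); "Possible options are" wants a colon; and the three modes are each introduced by a `.B keyword` followed by a line starting with `:`, which renders oddly, so a `.TP`-style list or "keyword:" on one line would read better. More importantly, the `optional` paragraph should say what happens when a client does present a certificate that fails verification (rejected as under `require`, or ignored?), since that is the property an operator relies on when pairing it with --auth-user-pass-verify.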
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 74276d4..65e4658 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -437,6 +437,9 @@ static const char usage_message[] =
   "  Only valid in a client-specific config file.\n"
   "--client-cert-not-required : Don't require client certificate, client\n"
   "  will authenticate using username/password.\n"
+  "--verify-client-cert [none|optional|require] : perform no, optional or\n"
+  "  mandatory client certificate verification.\n"
+  "  Default is to require the client to supply a 
certificate.\n"
   "--username-as-common-name  : For auth-user-pass authentication, use\n"
   "  the authenticated username as the common name,\n"
   "  rather than the common name from the client cert.\n"
@@ -2091,8 +2094,8 @@ options_postprocess_verify_ce (const struct options 
*options, const struct conne
msg (M_USAGE, "--duplicate-cn requires --mode server");
   if (options->cf_max || options->cf_per)
msg (M_USAGE, "--connect-freq requires --mode server");
-  if (options->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED)
-   msg (M_USAGE, "--client-cert-not-required requires --mode server");
+  if (options->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED || 
options->ssl_flags & SSLF_CLIENT_CERT_OPTIONAL)
+   msg (M_USAGE, "--client-cert-not-required and --verify-client-cert 
require --mode server");
   if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)
msg (M_USAGE, "--username-as-common-name requires --mode server");
   if (options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL)
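Review bot: `a & B || a & C` parses as intended because `&` binds tighter than `||`, but `(options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED | SSLF_CLIENT_CERT_OPTIONAL))` makes the intent visible and keeps the line short. The combined message names both options; as `--verify-client-cert require` sets neither flag, only the non-default modes trip this check, so "--verify-client-cert none|optional requires --mode server" would be more precise than naming the option as a whole.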
@@ -5658,6 +5661,27 @@ add_option (struct options *options,
 {
   VERIFY_PERMISSION (OPT_P_GENERAL);
   options->ssl_flags |=