Re: [Openvpn-devel] Fw: Easy-RSA3.0.0 Windows Version batch file missing

2015-10-21 Thread debbie10t

Hi // You must be

- Original Message - 
From: "Eric Crist" 

To: 
Cc: 
Sent: Tuesday, September 22, 2015 1:05 PM
Subject: Re: [Openvpn-devel] Fw: Easy-RSA3.0.0 Windows Version batch file 
missing


http://sourceforge.net/p/openvpn/mailman/message/34480727/

https://forums.openvpn.net/topic19629.html

It has only been one month.

http://sourceforge.net/p/openvpn/mailman/message/34556607/

Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

2015-10-21 Thread Morris, Russell
Hi,

Lots of discussion on this - awesome to see! Perhaps a dumb question, but I can 
see a few different ways to go on this, as I see comments about services, 
applications, etc. ... so a couple of thoughts:
- is the intention to run a service (like NSSM?) that keeps openvpn.exe "alive" 
(restarting it as necessary), so it's always up and running? I admit, I 
somewhat like this approach: one running application for each config file, then 
control it through the management interface. Or,
- do folks prefer to have a "control application" bring openvpn.exe up and down? 
I have tried this, and it's a bit messy, but it is functional also.

Thoughts?

I do believe there may also be TAP related stability issues, but that may be an 
artifact of openvpn.exe crashing - I guess the first step is to get openvpn.exe 
stable?

Thanks,
... Russell



-Original Message-
From: Christian Rank [mailto:christian.r...@uni-passau.de] 
Sent: Wednesday, October 21, 2015 1:47 AM
To: openvpn-devel@lists.sourceforge.net
Subject: Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

On 21.10.2015 00:39, openvpn-devel-requ...@lists.sourceforge.net wrote:
> From: ValdikSS 
> 
> By the way, there is an open-source SecurePoint VPN client 
> (https://sourceforge.net/projects/securepoint/) which handles current 
> versions of Windows very well.

Hi,

it seems that the current version of Securepoint's VPN client is no
longer open source. The repo at
> https://github.com/Securepoint/openvpn-client
has the source for version 1.0.3 (last commit 2 years ago), whereas the
current version (binaries) on sf.net is 2.0.10.

Securepoint's website
http://www.securepoint.cc/products-vpn-clients.html
says "The Securepoint OpenVPN client is free of charge" - the term "open
source" is not mentioned.

Regards,
Christian

-- 
Dr. Christian Rank
Rechenzentrum Universität Passau
Bereich Netzwerk und Telekommunikation
IT-Sicherheitsbeauftragter der Universität
Innstr. 33
D-94032 Passau
GERMANY




Re: [Openvpn-devel] [PATCH 1/2] polarssl: fix --client-cert-not-required

2015-10-21 Thread Arne Schwabe


Am 16.10.15 um 00:43 schrieb Steffan Karger:
> PolarSSL 1.3 determines whether to use a client key/cert based on the
> private key and/or certificate structs being allocated or not.  We
> previously would always allocate the structs in
> tls_ctx_{client,server}_new(), which made polarssl clients without a
> client key/cert (can also be mgmt-external-key or pkcs11) fail to connect.
>
> Note that this bug is not present in OpenVPN 2.3, because PolarSSL 1.2
> does not contain the 'pk' abstraction layer and therefore behaves slightly
> differently.
>
ACK. The code does exactly what the commit message says.

Arne



Re: [Openvpn-devel] [PATCH] hardening: add insurance to exit on a failed ASSERT()

2015-10-21 Thread Arne Schwabe
ACK. Fine, whatever makes the analyzers happy.

Arne

Am 21.10.15 um 10:08 schrieb Steffan Karger:
> The code behind our ASSERT() macro is pretty complex.  Although it seems
> to be correct, make it trivially clear we will never return from a failed
> assert by adding an _exit(1) call.  As was suggested by Sebastian Krahmer
> of the SuSE security team.
>
> To make sure that tools like clang static analyzer and coverity
> understand that assert_failed() will not return, add an
> __attribute__((__noreturn__)) annotation.
>
> v2: use __attribute__ instead of inline to convince static analysers.
>
> Signed-off-by: Steffan Karger 
> ---
>  src/openvpn/error.c | 1 +
>  src/openvpn/error.h | 2 +-
>  2 files changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/src/openvpn/error.c b/src/openvpn/error.c
> index 77b6cec..66f37f3 100644
> --- a/src/openvpn/error.c
> +++ b/src/openvpn/error.c
> @@ -397,6 +397,7 @@ void
>  assert_failed (const char *filename, int line)
>  {
>msg (M_FATAL, "Assertion failed at %s:%d", filename, line);
> +  _exit(1);
>  }
>  
>  /*
> diff --git a/src/openvpn/error.h b/src/openvpn/error.h
> index d5204f3..4d33843 100644
> --- a/src/openvpn/error.h
> +++ b/src/openvpn/error.h
> @@ -210,7 +210,7 @@ FILE *msg_fp(const unsigned int flags);
>  /* Fatal logic errors */
>  #define ASSERT(x) do { if (!(x)) assert_failed(__FILE__, __LINE__); } while 
> (false)
>  
> -void assert_failed (const char *filename, int line);
> +void assert_failed (const char *filename, int line) 
> __attribute__((__noreturn__));
>  
>  #ifdef ENABLE_DEBUG
>  void crash (void); /* force a segfault (debugging only) */




[Openvpn-devel] [PATCH] hardening: add insurance to exit on a failed ASSERT()

2015-10-21 Thread Steffan Karger
The code behind our ASSERT() macro is pretty complex.  Although it seems
to be correct, make it trivially clear we will never return from a failed
assert by adding an _exit(1) call.  As was suggested by Sebastian Krahmer
of the SuSE security team.

To make sure that tools like clang static analyzer and coverity
understand that assert_failed() will not return, add an
__attribute__((__noreturn__)) annotation.

v2: use __attribute__ instead of inline to convince static analysers.

Signed-off-by: Steffan Karger 
---
 src/openvpn/error.c | 1 +
 src/openvpn/error.h | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/error.c b/src/openvpn/error.c
index 77b6cec..66f37f3 100644
--- a/src/openvpn/error.c
+++ b/src/openvpn/error.c
@@ -397,6 +397,7 @@ void
 assert_failed (const char *filename, int line)
 {
   msg (M_FATAL, "Assertion failed at %s:%d", filename, line);
+  _exit(1);
 }

 /*
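Review bot: `_exit()` has no visible declaration in this hunk; it lives in `<unistd.h>` on POSIX and in `<process.h>`/`<stdlib.h>` under MSVC, so please confirm syshead.h already pulls it in on every supported platform, or add the include in error.c. A one-line comment above `_exit(1);` saying it is deliberately unreachable when msg(M_FATAL) behaves, and that `_exit()` skips atexit handlers and stdio flushing on purpose (fail closed rather than run on), would save the next reader from "fixing" it back to exit().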
diff --git a/src/openvpn/error.h b/src/openvpn/error.h
index d5204f3..4d33843 100644
--- a/src/openvpn/error.h
+++ b/src/openvpn/error.h
@@ -210,7 +210,7 @@ FILE *msg_fp(const unsigned int flags);
 /* Fatal logic errors */
 #define ASSERT(x) do { if (!(x)) assert_failed(__FILE__, __LINE__); } while 
(false)

-void assert_failed (const char *filename, int line);
+void assert_failed (const char *filename, int line) 
__attribute__((__noreturn__));

 #ifdef ENABLE_DEBUG
 void crash (void); /* force a segfault (debugging only) */
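Review bot: `__attribute__((__noreturn__))` on the `assert_failed` prototype is a GCC/Clang extension and will not compile with MSVC, which this list still targets (the MSVS 2013 VLA fix in this same digest is an example); suggest a small portability macro in syshead.h, e.g. `__attribute__((__noreturn__))` under `__GNUC__`, `__declspec(noreturn)` under `_MSC_VER` (which must go before the declarator), and empty otherwise, and use that here. The `ASSERT()` macro itself is unchanged, so every existing call site picks up the annotation through this header without further edits.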
-- 
2.1.4




Re: [Openvpn-devel] [PATCH] Add option --push-suppress-ipv6 to stop sending IPv6 info to clients.

2015-10-21 Thread Arne Schwabe


Am 21.10.15 um 00:50 schrieb David Sommerseth:
>> >  --push-filter ifconfig-ipv6 tun-ipv6 route-ipv6
>> > 
>> > which would do exactly what the current patch did, but is much more 
>> > flexible
>> > depending on what exactly needs to be worked around with *this* client...
>> > 
>> > (There's a trac ticket about "--push-reset", which we might resolve with
>> > this as well :-) )
> I agree with the intention.  Just not sure 'filter' is a clever word.  As it
> can be understood both as "remove these options" or "only include these
> options".  Both interpretations are results of a filter.
push-suppress?

Arne


Re: [Openvpn-devel] [PATCH] hardening: add insurance to exit on a failed ASSERT()

2015-10-21 Thread Arne Schwabe


Am 21.10.15 um 00:37 schrieb Steffan Karger:
> The code behind our ASSERT() macro is pretty complex.  Although it seems
> to be correct, make it trivially clear we will never return from a failed
> assert by adding an _exit(1) call.  As was suggested by Sebastian Krahmer
> of the SuSE security team.
>
> A secondary benefit is that tools like clang static analyzer and coverity
> can now understand our ASSERT() macros too.  To make sure they do, change
> assert_failed() to a static inline function.
>
This change makes absolute sense. ACK from me.

Arne



Re: [Openvpn-devel] [PATCH] Fix memory leak in auth-pam plugin

2015-10-21 Thread Lev Stipakov

ACK from me. My Clang static analyzer concurs.

On 21.10.2015 01:38, Steffan Karger wrote:

As it says on the tin.  aresp would not be free'd nor returned by
my_conv() on errors.  Note that we never reach this code if allocation
of aresp failed.

Found with the Clang static analyzer.

Signed-off-by: Steffan Karger 
---
  src/plugins/auth-pam/auth-pam.c | 3 +++
  1 file changed, 3 insertions(+)

diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c
index bd71792..95692ab 100644
--- a/src/plugins/auth-pam/auth-pam.c
+++ b/src/plugins/auth-pam/auth-pam.c
@@ -642,6 +642,9 @@ my_conv (int n, const struct pam_message **msg_array,

if (ret == PAM_SUCCESS)
  *response_array = aresp;
+  else
+free(aresp);
+
return ret;
  }
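Review bot: the new `else free(aresp);` releases only the response array; if my_conv() has already placed allocated `resp` strings into earlier entries of `aresp` before the failing message, those strings still leak on this path, which the hunk does not show, so worth confirming and freeing them in the same else branch before `free(aresp)`. free() on a NULL `aresp` would be harmless, but as the commit message says this code is not reached in that case anyway.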

Re: [Openvpn-devel] [PATCH] openssl: remove usage of OPENSSL_malloc() from show_available_curves

2015-10-21 Thread Lev Stipakov

ACK from me. Less code is better.

On 21.10.2015 01:39, Steffan Karger wrote:

There is no need to use OPENSSL_malloc(), so use our own functions that
automatically check for NULL and remove the now redundant NULL check.

Signed-off-by: Steffan Karger 
---
  src/openvpn/ssl_openssl.c | 33 +
  1 file changed, 13 insertions(+), 20 deletions(-)

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index c08d4fe..c5543fe 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -1447,31 +1447,24 @@ show_available_curves()
size_t n = 0;

crv_len = EC_get_builtin_curves(NULL, 0);
-
-  curves = OPENSSL_malloc((int)(sizeof(EC_builtin_curve) * crv_len));
-
-  if (curves == NULL)
-crypto_msg (M_FATAL, "Cannot create EC_builtin_curve object");
-  else
+  ALLOC_ARRAY(curves, EC_builtin_curve, crv_len);
+  if (EC_get_builtin_curves(curves, crv_len))
{
-if (EC_get_builtin_curves(curves, crv_len))
+printf ("Available Elliptic curves:\n");
+for (n = 0; n < crv_len; n++)
  {
-  printf ("Available Elliptic curves:\n");
-  for (n = 0; n < crv_len; n++)
-  {
-const char *sname;
-sname   = OBJ_nid2sn(curves[n].nid);
-if (sname == NULL) sname = "";
+  const char *sname;
+  sname   = OBJ_nid2sn(curves[n].nid);
+  if (sname == NULL) sname = "";

-printf("%s\n", sname);
-  }
+  printf("%s\n", sname);
  }
-else
-{
-  crypto_msg (M_FATAL, "Cannot get list of builtin curves");
-}
-OPENSSL_free(curves);
}
+  else
+  {
+crypto_msg (M_FATAL, "Cannot get list of builtin curves");
+  }
+  free(curves);
  #else
msg (M_WARN, "Your OpenSSL library was built without elliptic curve support. 
"
   "No curves available.");
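Review bot: `ALLOC_ARRAY(curves, EC_builtin_curve, crv_len)` is called with whatever `EC_get_builtin_curves(NULL, 0)` returned; if that is 0, a zero-length allocation is requested and malloc(0) may legitimately return NULL, which the automatic NULL check the commit message relies on would report as out of memory. Guard with `if (crv_len == 0)` and print the "no curves" message before allocating. The single `free(curves)` after the else branch is correct only because `crypto_msg(M_FATAL)` never returns, which deserves a short comment so the apparent missing free on the error path is not "fixed" later.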

[Openvpn-devel] [PATCH v2] Replace variable length array with malloc

2015-10-21 Thread Lev Stipakov
Commit 
https://github.com/OpenVPN/openvpn/commit/685e486e8b8f70c25f09590c24762ff734f94a51
introduced a variable length array. Although C99 supports that, MSVS 2013 still 
requires the size of an array to be a compile-time constant. As a fix, use malloc/free.

v2:
 Replace OPENSSL_malloc with gc_malloc

Signed-off-by: Lev Stipakov 
---
 src/openvpn/ssl_openssl.c | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index c08d4fe..3c8d41f 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -141,12 +141,12 @@ key_state_export_keying_material(struct key_state_ssl 
*ssl,
 {
 #if (OPENSSL_VERSION_NUMBER >= 0x10001000)
   unsigned int size = session->opt->ekm_size;
-  unsigned char ekm[size];
+  struct gc_arena gc = gc_new();
+  unsigned char* ekm = (unsigned char*) gc_malloc(size, true, );

   if (SSL_export_keying_material(ssl->ssl, ekm, sizeof(ekm),
   session->opt->ekm_label, session->opt->ekm_label_size, NULL, 0, 0))
{
- struct gc_arena gc = gc_new();
  unsigned int len = (size * 2) + 2;

  const char *key = format_hex_ex (ekm, size, len, 0, NULL, );
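Review bot: with `ekm` changed from a VLA to `unsigned char*`, the unchanged context line `SSL_export_keying_material(ssl->ssl, ekm, sizeof(ekm), ...)` now passes the size of a pointer (4 or 8 bytes) instead of `size`, so only the first few bytes of keying material would be exported and `format_hex_ex(ekm, size, ...)` would then read past what OpenSSL filled in; that call must become `SSL_export_keying_material(ssl->ssl, ekm, size, ...)`. Also, as posted, `gc_malloc(size, true, );` is missing its `&gc` argument (most likely an `&` lost in transit), so the patch will not compile in this form; please resend or confirm. Finally, the key material and its hex rendering now sit in a gc arena that is released without being wiped; the stack array had the same property, so not a regression, but a follow-up that clears `ekm` before release would be appropriate for key material.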
@@ -154,14 +154,13 @@ key_state_export_keying_material(struct key_state_ssl 
*ssl,

  dmsg(D_TLS_DEBUG_MED, "%s: exported keying material: %s",
   __func__, key);
-
- gc_free();
}
   else
{
  msg (M_WARN, "WARNING: Export keying material failed!");
  setenv_del (session->opt->es, "exported_keying_material");
}
+  gc_free();
 #endif
 }
 }
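Review bot: moving `gc_free()` after the if/else is the right fix now that `gc_new()` is unconditional, so allocation and release are balanced on both the success and the warning path; the only thing to check is that no early return exists between the `gc_new()` and this point inside the `#if` block, and the hunk shows none. As with the first hunk, `gc_free();` appears here without its `&gc` argument, so please verify the patch applies cleanly from the original mail rather than from this copy.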
-- 
1.9.1




Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

2015-10-21 Thread Christian Rank
On 21.10.2015 00:39, openvpn-devel-requ...@lists.sourceforge.net wrote:
> From: ValdikSS 
> 
> By the way, there is an open-source SecurePoint VPN client 
> (https://sourceforge.net/projects/securepoint/) which handles current 
> versions of Windows very well.

Hi,

it seems that the current version of Securepoint's VPN client is no
longer open source. The repo at
> https://github.com/Securepoint/openvpn-client
has the source for version 1.0.3 (last commit 2 years ago), whereas the
current version (binaries) on sf.net is 2.0.10.

Securepoint's website
http://www.securepoint.cc/products-vpn-clients.html
says "The Securepoint OpenVPN client is free of charge" - the term "open
source" is not mentioned.

Regards,
Christian

-- 
Dr. Christian Rank
Rechenzentrum Universität Passau
Bereich Netzwerk und Telekommunikation
IT-Sicherheitsbeauftragter der Universität
Innstr. 33
D-94032 Passau
GERMANY





Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

2015-10-21 Thread Selva Nair
Hi Debbie,

On Tue, Oct 20, 2015 at 5:06 PM,  wrote:

> ho hum
>
> > -Original Message-
> > From: David Sommerseth [mailto:openvpn.l...@topphemmelig.net]
> > Sent: Monday, October 19, 2015 3:01 PM
> > To: Morris, Russell ; Heiko Hund
> > ; sam...@openvpn.net
> > Cc: openvpn-devel@lists.sourceforge.net
> > Subject: Re: [Openvpn-devel] Creating a Windows team for OpenVPN?
> >
>
> > My point is that nobody really expects anyone to be a fully experienced
> > OpenVPN developer to get involved.  Not at all.  We are a community,
> which
> > help each other.
>
> > Don't be afraid, take that chance and share your thoughts and ideas.
> Hang
> > out on the #openvpn-devel IRC channel if you can, share your opinions on
> > the mailing list ...
>
> I Disagree
>
> If past experience is anything to go by ..
> Don't expect help !
>
> I have always considered myself a cynic ..nt give
> The OpenVPN "community" cemented my opinion quite firmly.
>

Don't give up hope..

I'm only a lurker here, so just speaking from observation, not on behalf of
anyone: most developers here appear to be extremely busy people devoting
their little precious free time to openvpn. It took some time for me to
realize that. Just be patient and you will get replies. If not, rephrase
and post again..

In fact, in my experience, this is one of the few lists where you seldom
get a rude response or a slap on the wrist for mistakenly posting to the
wrong list, or for asking a trivial question. You may know how caustic the
atmosphere of many developer and user lists is. People here are very
polite but can be very slow to respond; that's just how it is..

Also I think we need more experienced users in the users list to take care
of questions that don't need the developers' attention.

Did I say don't give up?

Cheers,

Selva


Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

2015-10-21 Thread Selva Nair
On Tue, Oct 20, 2015 at 7:01 AM, Samuli Seppänen  wrote:

>
> > On Tuesday 20 October 2015 10:15:22 Samuli Seppänen wrote:
>  Are you saying that the interactive service also doubles as a Windows
>  system service? If so, can it be  configured to autostart selected
>  openvpn connections on boot and restart them if they crash/stop?
> >>>
> >>> No, and I do not think that the service should take care of that.
> That's
> >>> rather things that can be handled by the GUI.
> >>
> >> What about persistent connections, especially on Windows servers?
> >
> > The interactive service patch doesn't remove the currently available
> service.
> > So, you still can fire up any connections the way it was before. I
> personally
> > do not care about the original service though, it may very well be that
> it
> > lacks decent functionality.
>
> The original openvpnserv.exe is truly crappy. It will not quit if all
> connections have died. It will not restart a connection should it crash.
> A single non-functional OpenVPN connection prevents it from launching
> the others (afaik). It will not work on Windows 10 in any reasonable
> fashion and works badly on anything post-Windows 7. It also does not
> handle resuming from suspend/hibernate properly.
>
> My NSSM-based replacement thingie aims to address all these
> shortcomings. I believe the interactive service and NSSM are complementary.
>

I totally agree. Both are necessary.

The interactive service (based on a quick scan through the code) looks to
be very useful on a desktop with a single user, allowing the GUI and openvpn
to run with user privileges. I hope the "windows team" would soon start
working on making the GUI work with this new service :)

But a server admin would not want it in the system as it can allow any user
with some VPN server account to change the routes etc. using the
service..(please correct me if I'm mistaken).

That means for "non-interactive" servers and non-desktop clients, one would
still need an improved version of the old service or NSSM.

Selva