Re: [Openvpn-devel] Fw: Easy-RSA3.0.0 Windows Version batch file missing
Hi // You must be

- Original Message -
From: "Eric Crist"
Sent: Tuesday, September 22, 2015 1:05 PM
Subject: Re: [Openvpn-devel] Fw: Easy-RSA3.0.0 Windows Version batch file missing

http://sourceforge.net/p/openvpn/mailman/message/34480727/
https://forums.openvpn.net/topic19629.html

It has only been one month.

http://sourceforge.net/p/openvpn/mailman/message/34556607/
Re: [Openvpn-devel] Creating a Windows team for OpenVPN?
Hi,

Lots of discussion on this - awesome to see!

Perhaps a dumb question, but I can see a few different ways to go on this, as I see comments about services, applications, etc. ... so a couple thoughts,

- is the intention to run a service (like NSSM?) that keeps openvpn.exe "alive" (restarting it as necessary), so it's always up and running? I admit, I somewhat like this approach, one running application for each config file. Then control it through the management interface. Or,
- do folks prefer to have a "control application" bring openvpn.exe up and down? I have tried this, and it's a bit messy, but it is functional also.

Thoughts?

I do believe there may also be TAP related stability issues, but that may be an artifact of openvpn.exe crashing - I guess the first step is to get openvpn.exe stable?

Thanks, ... Russell

-Original Message-
From: Christian Rank [mailto:christian.r...@uni-passau.de]
Sent: Wednesday, October 21, 2015 1:47 AM
To: openvpn-devel@lists.sourceforge.net
Subject: Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

On 21.10.2015 00:39, openvpn-devel-requ...@lists.sourceforge.net wrote:
> From: ValdikSS
>
> By the way, there is an open-source SecurePoint VPN client
> (https://sourceforge.net/projects/securepoint/) which handles current
> versions of Windows very well.

Hi,

it seems that the current version of Securepoint's VPN client is no longer open source. The repo at https://github.com/Securepoint/openvpn-client has the source for version 1.0.3 (last commit 2 years ago), whereas the current version (binaries) on sf.net is 2.0.10. Securepoint's website http://www.securepoint.cc/products-vpn-clients.html says "The Securepoint OpenVPN client is free of charge" - the term "open source" is not mentioned.

Regards,
Christian

--
Dr. Christian Rank
Computing Centre, Universität Passau
Network and Telecommunications Division
IT Security Officer of the University
Innstr. 33, D-94032 Passau, GERMANY
Re: [Openvpn-devel] [PATCH 1/2] polarssl: fix --client-cert-not-required
On 16.10.15 at 00:43, Steffan Karger wrote:
> PolarSSL 1.3 determines whether to use a client key/cert based on the
> private key and/or certificate structs being allocated or not. We
> previously would always allocate the structs in
> tls_ctx_{client,server}_new(), which made polarssl clients without a
> client key/cert (can also be mgmt-external-key or pkcs11) fail to connect.
>
> Note that this bug is not present in OpenVPN 2.3, because PolarSSL 1.2
> does not contain the 'pk' abstraction layer and therefore behaves slightly
> differently.

ACK. The code does exactly what the commit message says.

Arne
Re: [Openvpn-devel] [PATCH] hardening: add insurance to exit on a failed ASSERT()
ACK. Fine, whatever makes the analyzers happy.

Arne

On 21.10.15 at 10:08, Steffan Karger wrote:
> The code behind our ASSERT() macro is pretty complex. Although it seems
> to be correct, make it trivially clear we will never return from a failed
> assert by adding an _exit(1) call. As was suggested by Sebastian Krahmer
> of the SuSE security team.
>
> To make sure that tools like clang static analyzer and coverity
> understand that assert_failed() will not return, add an
> __attribute__((__noreturn__)) annotation.
>
> v2: use __attribute__ instead of inline to convince static analysers.
>
> Signed-off-by: Steffan Karger
> ---
> src/openvpn/error.c | 1 + > src/openvpn/error.h | 2 +- > 2 files changed, 2 insertions(+), 1 deletion(-) > > diff --git a/src/openvpn/error.c b/src/openvpn/error.c > index 77b6cec..66f37f3 100644 > --- a/src/openvpn/error.c > +++ b/src/openvpn/error.c > @@ -397,6 +397,7 @@ void > assert_failed (const char *filename, int line) > { >msg (M_FATAL, "Assertion failed at %s:%d", filename, line); > + _exit(1); > } > > /* > diff --git a/src/openvpn/error.h b/src/openvpn/error.h > index d5204f3..4d33843 100644 > --- a/src/openvpn/error.h > +++ b/src/openvpn/error.h > @@ -210,7 +210,7 @@ FILE *msg_fp(const unsigned int flags); > /* Fatal logic errors */ > #define ASSERT(x) do { if (!(x)) assert_failed(__FILE__, __LINE__); } while > (false) > > -void assert_failed (const char *filename, int line); > +void assert_failed (const char *filename, int line) > __attribute__((__noreturn__)); > > #ifdef ENABLE_DEBUG > void crash (void); /* force a segfault (debugging only) */
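Review bot: the error.h hunk appends a bare `__attribute__((__noreturn__))` to a prototype in a shared header, and that spelling is GCC/Clang only; this tree is also built with MSVS 2013 (see the variable length array patch on this list), where the equivalent is `__declspec(noreturn)` placed before the declaration, so the hunk as written will not compile there. Suggest routing the annotation through a per-compiler macro (for example a `NORETURN` defined once in a common header) so the "convince static analysers" goal of v2 holds on every toolchain without breaking the Windows build.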
[Openvpn-devel] [PATCH] hardening: add insurance to exit on a failed ASSERT()
The code behind our ASSERT() macro is pretty complex. Although it seems to be correct, make it trivially clear we will never return from a failed assert by adding an _exit(1) call. As was suggested by Sebastian Krahmer of the SuSE security team.

To make sure that tools like clang static analyzer and coverity understand that assert_failed() will not return, add an __attribute__((__noreturn__)) annotation.

v2: use __attribute__ instead of inline to convince static analysers.

Signed-off-by: Steffan Karger
---
src/openvpn/error.c | 1 + src/openvpn/error.h | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/src/openvpn/error.c b/src/openvpn/error.c index 77b6cec..66f37f3 100644 --- a/src/openvpn/error.c +++ b/src/openvpn/error.c @@ -397,6 +397,7 @@ void assert_failed (const char *filename, int line) { msg (M_FATAL, "Assertion failed at %s:%d", filename, line); + _exit(1); } /* diff --git a/src/openvpn/error.h b/src/openvpn/error.h index d5204f3..4d33843 100644 --- a/src/openvpn/error.h +++ b/src/openvpn/error.h @@ -210,7 +210,7 @@ FILE *msg_fp(const unsigned int flags); /* Fatal logic errors */ #define ASSERT(x) do { if (!(x)) assert_failed(__FILE__, __LINE__); } while (false) -void assert_failed (const char *filename, int line); +void assert_failed (const char *filename, int line) __attribute__((__noreturn__)); #ifdef ENABLE_DEBUG void crash (void); /* force a segfault (debugging only) */
--
2.1.4
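Review bot: the error.c hunk calls `_exit(1)` but does not show the header that declares it being added (`<unistd.h>` on POSIX, `<process.h>`/`<stdlib.h>` with MSVC); confirm error.c already includes it, otherwise builds that treat implicit declarations as errors will fail. A one-line comment next to the call would also help the next reader: `_exit()` deliberately skips `atexit()` handlers and stdio flushing, so if `msg(M_FATAL, ...)` ever returned, buffered log output could be lost. That is the right trade for never continuing past a violated invariant, but the intent ("insurance, normally unreachable") should be recorded in the code, not only in the commit message.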
Re: [Openvpn-devel] [PATCH] Add option --push-suppress-ipv6 to stop sending IPv6 info to clients.
On 21.10.15 at 00:50, David Sommerseth wrote:
>>> --push-filter ifconfig-ipv6 tun-ipv6 route-ipv6
>>>
>>> which would do exactly what the current patch did, but is much more
>>> flexible depending on what exactly needs to be worked around with *this* client...
>>>
>>> (There's a trac ticket about "--push-reset", which we might resolve with
>>> this as well :-) )
>
> I agree with the intention. Just not sure 'filter' is a clever word. As it
> can be understood both as "remove these options" or "only include these
> options". Both interpretations are results of a filter.

push-suppress?

Arne
Re: [Openvpn-devel] [PATCH] hardening: add insurance to exit on a failed ASSERT()
On 21.10.15 at 00:37, Steffan Karger wrote:
> The code behind our ASSERT() macro is pretty complex. Although it seems
> to be correct, make it trivially clear we will never return from a failed
> assert by adding an _exit(1) call. As was suggested by Sebastian Krahmer
> of the SuSE security team.
>
> A secondary benefit is that tools like clang static analyzer and coverity
> can now understand our ASSERT() macros too. To make sure they do, change
> assert_failed() to a static inline function.

This change makes absolute sense. ACK from me.

Arne
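The hardening pattern discussed in this thread (a failed ASSERT() must never return, and the compiler and static analysers should be told so), as an added example that is not OpenVPN's code. ASSERT and assert_failed follow the shape shown in the patch; NORETURN_ATTR, fatal_log and checksum8 are names chosen here for illustration, and the per-compiler macro is an assumption about how one would make the annotation portable rather than anything the patch does.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * Added example, not OpenVPN's code. NORETURN_ATTR is a hypothetical macro
 * name: GCC/Clang spell the annotation as an __attribute__, MSVC as a
 * __declspec, and a bare __attribute__ in a shared header would not build
 * with MSVC, so the spelling is selected per compiler in one place.
 */
#if defined(__GNUC__) || defined(__clang__)
#define NORETURN_ATTR __attribute__((__noreturn__))
#elif defined(_MSC_VER)
#define NORETURN_ATTR __declspec(noreturn)
#else
#define NORETURN_ATTR
#endif

/* Hypothetical stand-in for the project's fatal logger: it reports the
 * failure and normally terminates the process itself. */
static void fatal_log(const char *file, int line)
{
    fprintf(stderr, "Assertion failed at %s:%d\n", file, line);
    fflush(stderr);
    exit(1);
}

/* The noreturn-annotated failure handler. The annotation is what the
 * compiler and static analysers act on; the trailing _exit(1) is the
 * "insurance": should the logger ever be changed to return, the process
 * still dies here instead of continuing with a violated invariant. _exit()
 * skips atexit() handlers and stdio flushing, which is why fatal_log()
 * flushes before its own exit(). */
static NORETURN_ATTR void assert_failed(const char *file, int line)
{
    fatal_log(file, line);
    _exit(1);
}

#define ASSERT(x) do { if (!(x)) assert_failed(__FILE__, __LINE__); } while (0)

/* A caller that relies on the annotation: because assert_failed() cannot
 * return, every path that reaches p[i] has p != NULL and len > 0, so an
 * analyser no longer reports a possible NULL dereference after ASSERT(). */
unsigned int checksum8(const unsigned char *p, size_t len)
{
    ASSERT(p != NULL);
    ASSERT(len > 0);
    unsigned int sum = 0;
    for (size_t i = 0; i < len; i++) {
        sum = (sum + p[i]) & 0xffu;
    }
    return sum;
}

int main(void)
{
    const unsigned char sample[] = { 'a', 'b', 'c' }; /* constructed input */
    printf("checksum8 = %u\n", checksum8(sample, sizeof sample));
    return 0;
}
```

Only the success path is exercised here; the failure path terminates the process by design, which is exactly the property the annotation lets an analyser assume.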
Re: [Openvpn-devel] [PATCH] Fix memory leak in auth-pam plugin
ACK from me. My Clang static analyzer concurs.

On 21.10.2015 01:38, Steffan Karger wrote:

As it says on the tin. aresp would not be free'd nor returned by my_conv() on errors. Note that we never reach this code if allocation of aresp failed.

Found with the Clang static analyzer.

Signed-off-by: Steffan Karger
---
src/plugins/auth-pam/auth-pam.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c index bd71792..95692ab 100644 --- a/src/plugins/auth-pam/auth-pam.c +++ b/src/plugins/auth-pam/auth-pam.c @@ -642,6 +642,9 @@ my_conv (int n, const struct pam_message **msg_array, if (ret == PAM_SUCCESS) *response_array = aresp; + else +free(aresp); + return ret; }
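Review bot: the new `else free(aresp);` releases the response array itself but not what each entry's `resp` member may point to; `my_conv()` is a PAM conversation callback building `n` responses, so if any earlier iteration already allocated a per-message response string before `ret` became non-`PAM_SUCCESS`, those strings still leak on this path. Either walk the entries first (`for (i = 0; i < n; i++) free(aresp[i].resp);`) before `free(aresp)`, or state in the commit message that the only failure paths run before any `resp` is allocated, so a later reader knows the shallow free is intentional.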
Re: [Openvpn-devel] [PATCH] openssl: remove usage of OPENSSL_malloc() from show_available_curves
ACK from me. Less code is better.

On 21.10.2015 01:39, Steffan Karger wrote:

There is no need to use OPENSSL_malloc(), so use our own functions that automatically check for NULL and remove the now redundant NULL check.

Signed-off-by: Steffan Karger
---
src/openvpn/ssl_openssl.c | 33 + 1 file changed, 13 insertions(+), 20 deletions(-) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index c08d4fe..c5543fe 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -1447,31 +1447,24 @@ show_available_curves() size_t n = 0; crv_len = EC_get_builtin_curves(NULL, 0); - - curves = OPENSSL_malloc((int)(sizeof(EC_builtin_curve) * crv_len)); - - if (curves == NULL) -crypto_msg (M_FATAL, "Cannot create EC_builtin_curve object"); - else + ALLOC_ARRAY(curves, EC_builtin_curve, crv_len); + if (EC_get_builtin_curves(curves, crv_len)) { -if (EC_get_builtin_curves(curves, crv_len)) +printf ("Available Elliptic curves:\n"); +for (n = 0; n < crv_len; n++) { - printf ("Available Elliptic curves:\n"); - for (n = 0; n < crv_len; n++) - { -const char *sname; -sname = OBJ_nid2sn(curves[n].nid); -if (sname == NULL) sname = ""; + const char *sname; + sname = OBJ_nid2sn(curves[n].nid); + if (sname == NULL) sname = ""; -printf("%s\n", sname); - } + printf("%s\n", sname); } -else -{ - crypto_msg (M_FATAL, "Cannot get list of builtin curves"); -} -OPENSSL_free(curves); } + else + { +crypto_msg (M_FATAL, "Cannot get list of builtin curves"); + } + free(curves); #else msg (M_WARN, "Your OpenSSL library was built without elliptic curve support. " "No curves available.");
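Review bot: the hunk swaps the OPENSSL_malloc/OPENSSL_free pair for ALLOC_ARRAY/free, so the buffer is now owned by OpenVPN's allocator and OpenSSL only fills it; that is correct provided ALLOC_ARRAY ultimately allocates with plain malloc(), which `free(curves)` assumes, and it also drops the old `(int)` cast on the size computation, which is an improvement since the product can no longer be silently truncated. Two things worth a comment in the code: `free(curves)` is only reached on the success branch because `crypto_msg(M_FATAL, ...)` does not return (same as before, but now less obvious with the cleanup moved out of the branch), and if `EC_get_builtin_curves(NULL, 0)` returns 0 the new code asks ALLOC_ARRAY for a zero-length array, so confirm that case prints an empty list rather than aborting inside the allocator.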
[Openvpn-devel] [PATCH v2] Replace variable length array with malloc
Commit https://github.com/OpenVPN/openvpn/commit/685e486e8b8f70c25f09590c24762ff734f94a51 introduced a variable length array. Although C99 supports that, MSVS 2013 still requires the size of an array to be a compile-time constant. As a fix, use malloc/free.

v2: Replace OPENSSL_malloc with gc_malloc

Signed-off-by: Lev Stipakov
---
src/openvpn/ssl_openssl.c | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index c08d4fe..3c8d41f 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -141,12 +141,12 @@ key_state_export_keying_material(struct key_state_ssl *ssl, { #if (OPENSSL_VERSION_NUMBER >= 0x10001000) unsigned int size = session->opt->ekm_size; - unsigned char ekm[size]; + struct gc_arena gc = gc_new(); + unsigned char* ekm = (unsigned char*) gc_malloc(size, true, ); if (SSL_export_keying_material(ssl->ssl, ekm, sizeof(ekm), session->opt->ekm_label, session->opt->ekm_label_size, NULL, 0, 0)) { - struct gc_arena gc = gc_new(); unsigned int len = (size * 2) + 2; const char *key = format_hex_ex (ekm, size, len, 0, NULL, ); @@ -154,14 +154,13 @@ key_state_export_keying_material(struct key_state_ssl *ssl, dmsg(D_TLS_DEBUG_MED, "%s: exported keying material: %s", __func__, key); - - gc_free(); } else { msg (M_WARN, "WARNING: Export keying material failed!"); setenv_del (session->opt->es, "exported_keying_material"); } + gc_free(); #endif } }
--
1.9.1
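Review bot: the unchanged context line `if (SSL_export_keying_material(ssl->ssl, ekm, sizeof(ekm), ...` is now a bug: with `ekm` changed from a variable length array to an `unsigned char *`, `sizeof(ekm)` is the size of a pointer (4 or 8), not `size`, so OpenSSL is asked for only 4 or 8 bytes of keying material while the following `format_hex_ex (ekm, size, ...)` still prints `size` bytes, the rest of them the zero fill from `gc_malloc(size, true, ...)`. Replace `sizeof(ekm)` with `size` in this hunk. The arena restructuring itself is right: `gc_new()` before the call and a single `gc_free()` after both branches instead of one only on the success path. (The archive rendering has also dropped the `&gc` arguments, leaving `gc_malloc(size, true, )` and `gc_free()`; the actual patch presumably has them.)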
Re: [Openvpn-devel] Creating a Windows team for OpenVPN?
On 21.10.2015 00:39, openvpn-devel-requ...@lists.sourceforge.net wrote:
> From: ValdikSS
>
> By the way, there is an open-source SecurePoint VPN client
> (https://sourceforge.net/projects/securepoint/) which handles current
> versions of Windows very well.

Hi,

it seems that the current version of Securepoint's VPN client is no longer open source. The repo at https://github.com/Securepoint/openvpn-client has the source for version 1.0.3 (last commit 2 years ago), whereas the current version (binaries) on sf.net is 2.0.10. Securepoint's website http://www.securepoint.cc/products-vpn-clients.html says "The Securepoint OpenVPN client is free of charge" - the term "open source" is not mentioned.

Regards,
Christian

--
Dr. Christian Rank
Computing Centre, Universität Passau
Network and Telecommunications Division
IT Security Officer of the University
Innstr. 33, D-94032 Passau, GERMANY
Re: [Openvpn-devel] Creating a Windows team for OpenVPN?
Hi Debbie,

On Tue, Oct 20, 2015 at 5:06 PM, wrote:
> ho hum
>
> > -Original Message-
> > From: David Sommerseth [mailto:openvpn.l...@topphemmelig.net]
> > Sent: Monday, October 19, 2015 3:01 PM
> > To: Morris, Russell ; Heiko Hund ; sam...@openvpn.net
> > Cc: openvpn-devel@lists.sourceforge.net
> > Subject: Re: [Openvpn-devel] Creating a Windows team for OpenVPN?
> >
> > My point is that nobody really expects anyone to be a fully experienced
> > OpenVPN developer to get involved. Not at all. We are a community, which
> > help each other.
> >
> > Don't be afraid, take that chance and share your thoughts and ideas. Hang
> > out on the #openvpn-devel IRC channel if you can, share your opinions on
> > the mailing list ...
>
> I Disagree
>
> If past experience is anything to go by ..
> Don't expect help !
>
> I have always considered myself a cynic ..nt give
> The OpenVPN "community" cemented my opinion quite firmly.

Don't give up hope..

I'm only a lurker here, so just speaking from observation, not on behalf of anyone: most developers here appear to be extremely busy people devoting their little precious free time to openvpn. It took some time for me to realize that. Just be patient and you will get replies. If not, rephrase and post again..

In fact, in my experience, this is one of the few lists where you seldom get a rude response or a slap on the wrist for mistakenly posting to the wrong list, or for asking a trivial question. You may know how caustic the atmosphere of many developer and user lists is. People here are very polite but can be very slow to respond, that's just how it is..

Also I think we need more experienced users in the users list to take care of questions that don't need the developers' attention.

Did I say don't give up?

Cheers,
Selva
Re: [Openvpn-devel] Creating a Windows team for OpenVPN?
On Tue, Oct 20, 2015 at 7:01 AM, Samuli Seppänen wrote:
>>> On Tuesday 20 October 2015 10:15:22 Samuli Seppänen wrote:
>>>>> Are you saying that the interactive service also doubles as a Windows
>>>>> system service? If so, can it be configured to autostart selected
>>>>> openvpn connections on boot and restart them if they crash/stop?
>>>>
>>>> No, and I do not think that the service should take care of that. That's
>>>> rather things that can be handled by the GUI.
>>>
>>> What about persistent connections, especially on Windows servers?
>>
>> The interactive service patch doesn't remove the currently available service.
>> So, you still can fire up any connections the way it was before. I personally
>> do not care about the original service though, it may very well be that it
>> lacks decent functionality.
>
> The original openvpnserv.exe is truly crappy. It will not quit if all
> connections have died. It will not restart a connection should it crash.
> A single non-functional OpenVPN connection prevents it from launching
> the others (afaik). It will not work on Windows 10 in any reasonable
> fashion and works badly on anything post-Windows 7. It also does not
> handle resuming from suspend/hibernate properly.
>
> My NSSM-based replacement thingie aims to address all these
> shortcomings. I believe the interactive service and NSSM are complementary.

I totally agree. Both are necessary. The interactive service (based on a quick scan through the code) looks to be very useful on a desktop with a single user, allowing the GUI and openvpn to run with user privileges. I hope the "windows team" would soon start working on making the GUI work with this new service :)

But a server admin would not want it in the system as it can allow any user with some VPN server account to change the routes etc using the service.. (please correct me if I'm mistaken).

That means for "non-interactive" servers and non-desktop clients, one would still need an improved version of the old service or NSSM.

Selva