Re: [Openvpn-devel] XP broken (wrt IPv6 in 2.3.9)

[ValdikSS]

I don't like the idea with additional win32-route option, it really should just 
use interface name on XP and index on Vista+.

On 12/20/2015 09:19 PM, Gert Doering wrote:
> Hi,
>
> On Sun, Dec 20, 2015 at 07:32:56PM +0200, Lev Stipakov wrote:
> The usual problem of  "attached you'll find... (nothing)".  Resend :-)
>
> That would help with "part 2", right...  (XP has a function 
> "IsWindowsVistaOrGreater"?  wtf!?)
>
> Maybe IV_PLAT_VER=, to be extended for other platforms if we want to.
>
> gert
>
>
>
> --
>
>
> ___
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel



signature.asc
Description: OpenPGP digital signature

[Openvpn-devel] [PATCH v3] cleanup: get rid of httpdigest.c type warnings

[Steffan Karger]

When I compile with --enable-strict, I only want to see warnings that are
relevant.  So, change httpdigest.c to make the casts explicit.

This commit should not change behaviour.

v2: as discussed on #openvpn-devel, make colon a const uint8_t *, instead
of uint8_t.
v3: as further discussed on #openvpn-devel, don't use a 'colon' var, but
just add casts.

Signed-off-by: Steffan Karger 
---
 src/openvpn/httpdigest.c | 44 ++--
 1 file changed, 22 insertions(+), 22 deletions(-)

diff --git a/src/openvpn/httpdigest.c b/src/openvpn/httpdigest.c
index 78b8344..99bbda4 100644
--- a/src/openvpn/httpdigest.c
+++ b/src/openvpn/httpdigest.c
@@ -76,20 +76,20 @@ DigestCalcHA1(
   const md_kt_t *md5_kt = md_kt_get("MD5");

   md_ctx_init(_ctx, md5_kt);
-  md_ctx_update(_ctx, pszUserName, strlen(pszUserName));
-  md_ctx_update(_ctx, ":", 1);
-  md_ctx_update(_ctx, pszRealm, strlen(pszRealm));
-  md_ctx_update(_ctx, ":", 1);
-  md_ctx_update(_ctx, pszPassword, strlen(pszPassword));
+  md_ctx_update(_ctx, (const uint8_t *) pszUserName, strlen(pszUserName));
+  md_ctx_update(_ctx, (const uint8_t *) ":", 1);
+  md_ctx_update(_ctx, (const uint8_t *) pszRealm, strlen(pszRealm));
+  md_ctx_update(_ctx, (const uint8_t *) ":", 1);
+  md_ctx_update(_ctx, (const uint8_t *) pszPassword, strlen(pszPassword));
   md_ctx_final(_ctx, HA1);
   if (pszAlg && strcasecmp(pszAlg, "md5-sess") == 0)
 {
   md_ctx_init(_ctx, md5_kt);
   md_ctx_update(_ctx, HA1, HASHLEN);
-  md_ctx_update(_ctx, ":", 1);
-  md_ctx_update(_ctx, pszNonce, strlen(pszNonce));
-  md_ctx_update(_ctx, ":", 1);
-  md_ctx_update(_ctx, pszCNonce, strlen(pszCNonce));
+  md_ctx_update(_ctx, (const uint8_t *) ":", 1);
+  md_ctx_update(_ctx, (const uint8_t *) pszNonce, strlen(pszNonce));
+  md_ctx_update(_ctx, (const uint8_t *) ":", 1);
+  md_ctx_update(_ctx, (const uint8_t *) pszCNonce, strlen(pszCNonce));
   md_ctx_final(_ctx, HA1);
 };
   md_ctx_cleanup(_ctx);
@@ -119,12 +119,12 @@ DigestCalcResponse(

   /* calculate H(A2) */
   md_ctx_init(_ctx, md5_kt);
-  md_ctx_update(_ctx, pszMethod, strlen(pszMethod));
-  md_ctx_update(_ctx, ":", 1);
-  md_ctx_update(_ctx, pszDigestUri, strlen(pszDigestUri));
+  md_ctx_update(_ctx, (const uint8_t *) pszMethod, strlen(pszMethod));
+  md_ctx_update(_ctx, (const uint8_t *) ":", 1);
+  md_ctx_update(_ctx, (const uint8_t *) pszDigestUri, 
strlen(pszDigestUri));
   if (strcasecmp(pszQop, "auth-int") == 0)
 {
-  md_ctx_update(_ctx, ":", 1);
+  md_ctx_update(_ctx, (const uint8_t *) ":", 1);
   md_ctx_update(_ctx, HEntity, HASHHEXLEN);
 };
   md_ctx_final(_ctx, HA2);
@@ -133,17 +133,17 @@ DigestCalcResponse(
   /* calculate response */
   md_ctx_init(_ctx, md5_kt);
   md_ctx_update(_ctx, HA1, HASHHEXLEN);
-  md_ctx_update(_ctx, ":", 1);
-  md_ctx_update(_ctx, pszNonce, strlen(pszNonce));
-  md_ctx_update(_ctx, ":", 1);
+  md_ctx_update(_ctx, (const uint8_t *) ":", 1);
+  md_ctx_update(_ctx, (const uint8_t *) pszNonce, strlen(pszNonce));
+  md_ctx_update(_ctx, (const uint8_t *) ":", 1);
   if (*pszQop)
 {
-  md_ctx_update(_ctx, pszNonceCount, strlen(pszNonceCount));
-  md_ctx_update(_ctx, ":", 1);
-  md_ctx_update(_ctx, pszCNonce, strlen(pszCNonce));
-  md_ctx_update(_ctx, ":", 1);
-  md_ctx_update(_ctx, pszQop, strlen(pszQop));
-  md_ctx_update(_ctx, ":", 1);
+  md_ctx_update(_ctx, (const uint8_t *) pszNonceCount, 
strlen(pszNonceCount));
+  md_ctx_update(_ctx, (const uint8_t *) ":", 1);
+  md_ctx_update(_ctx, (const uint8_t *) pszCNonce, strlen(pszCNonce));
+  md_ctx_update(_ctx, (const uint8_t *) ":", 1);
+  md_ctx_update(_ctx, (const uint8_t *) pszQop, strlen(pszQop));
+  md_ctx_update(_ctx, (const uint8_t *) ":", 1);
 };
   md_ctx_update(_ctx, HA2Hex, HASHHEXLEN);
   md_ctx_final(_ctx, RespHash);
-- 
2.5.0

[Openvpn-devel] Testing challenge-response

[Selva Nair]

Hi,

To test the challenge-response handling, I had setup a test server. Will
keep running it for a while, so if anyone wants to use it for testing, a
config is available at https://s3.amazonaws.com/selva-temp/cr-test.conf

It uses the sample keys and certs, and the server will only provide limited
network access, useful only for testing the static and dynamic challenge
options. See the comments in the config file for details.

Selva

Re: [Openvpn-devel] [PATCH v2] Make assert_failed() print the failed condition

[Arne Schwabe]

On 20.12.2015 11:44, Steffan Karger wrote:
> Easy change to make logging output more useful.
>
> v2: don't print the failed condition if ENABLE_SMALL is defined.
>
ACK. Thanks.

Arne

[Openvpn-devel] [PATCH] Support reading the challenge-response from console

[Selva Nair]

Trying to keep the footrpint small, this patch adds to the
convoluted code-flow in get_user_pass_cr(). Cleanup left for later.
-8<-

Currently prompting for a response to static-challenge
gets skipped when the username and passowrd are read
from a file. Further, dynamic challenge gets wrongly handled
as if its a username/password request.

The Fix:
- Add yet another flag in get_user_pass_cr() to
  set when prompting of response from console is needed.
- In receive_auth_failed(), the challenge text received
  from server _always_ copied to  the auth_challenge
  buffer: this is needed to trigger prompting from console
  when required.
- Also show the challenge text instead of an opaque
  "Response:" at the prompt.

While at it, also remove the special treatment of authfile ==
"management" in get_user_pass_cr(). The feature implied by that
test does not exist.

Tested:
  - username and optionally password from file, rest from console
  - the above with a static challenge
  - the above with a dynamic challenge
  - all of the above with systemd in place of console
  - all from management with and without static/dynamic
challenge.

Thanks to Wayne Davison  for pointing out the
issue with challenge-response, and an initial patch.

Signed-off-by: Selva Nair 
---
 src/openvpn/misc.c |   22 +++---
 src/openvpn/push.c |5 -
 2 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index 05ed073..363b8f7 100644
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -1044,6 +1044,7 @@ get_user_pass_cr (struct user_pass *up,
   bool from_authfile = (auth_file && !streq (auth_file, "stdin"));
   bool username_from_stdin = false;
   bool password_from_stdin = false;
+  bool response_from_stdin = true;

   if (flags & GET_USER_PASS_PREVIOUS_CREDS_FAILED)
msg (M_WARN, "Note: previous '%s' credentials failed", prefix);
@@ -1053,10 +1054,11 @@ get_user_pass_cr (struct user_pass *up,
* Get username/password from management interface?
*/
   if (management
- && ((auth_file && streq (auth_file, "management")) || (!from_authfile 
&& (flags & GET_USER_PASS_MANAGEMENT)))
+  && (!from_authfile && (flags & GET_USER_PASS_MANAGEMENT))
  && management_query_user_pass_enabled (management))
{
  const char *sc = NULL;
+  response_from_stdin = false;

  if (flags & GET_USER_PASS_PREVIOUS_CREDS_FAILED)
management_auth_failure (management, prefix, "previous auth 
credentials failed");
@@ -1090,7 +1092,10 @@ get_user_pass_cr (struct user_pass *up,
  if (!strlen (up->password))
strcpy (up->password, "ok");
}
-  else if (from_authfile)
+  /*
+   * Read from auth file unless this is a dynamic challenge request.
+   */
+  else if (from_authfile && !(flags & GET_USER_PASS_DYNAMIC_CHALLENGE))
 {
   /*
* Try to get username/password from a file.
@@ -1141,10 +1146,10 @@ get_user_pass_cr (struct user_pass *up,
   /*
* Get username/password from standard input?
*/
-  if (username_from_stdin || password_from_stdin)
+  if (username_from_stdin || password_from_stdin || response_from_stdin)
{
 #ifdef ENABLE_CLIENT_CR
- if (auth_challenge && (flags & GET_USER_PASS_DYNAMIC_CHALLENGE))
+  if (auth_challenge && (flags & GET_USER_PASS_DYNAMIC_CHALLENGE) && 
response_from_stdin)
{
  struct auth_challenge_info *ac = get_auth_challenge 
(auth_challenge, );
  if (ac)
@@ -1154,7 +1159,8 @@ get_user_pass_cr (struct user_pass *up,

  buf_set_write (_resp, (uint8_t*)up->password, 
USER_PASS_LEN);
  msg (M_INFO|M_NOPREFIX, "CHALLENGE: %s", ac->challenge_text);
- if (!get_console_input ("Response:", 
BOOL_CAST(ac->flags_ECHO), response, USER_PASS_LEN))
+  if (!get_console_input (ac->challenge_text, 
BOOL_CAST(ac->flags_ECHO),
+  response, USER_PASS_LEN))
msg (M_FATAL, "ERROR: could not read challenge response 
from stdin");
  strncpynt (up->username, ac->user, USER_PASS_LEN);
  buf_printf (_resp, "CRV1::%s::%s", ac->state_id, 
response);
@@ -1185,14 +1191,16 @@ get_user_pass_cr (struct user_pass *up,
msg (M_FATAL, "ERROR: could not not read %s password from 
stdin", prefix);

 #ifdef ENABLE_CLIENT_CR
- if (auth_challenge && (flags & GET_USER_PASS_STATIC_CHALLENGE))
+  if (auth_challenge && (flags & GET_USER_PASS_STATIC_CHALLENGE) 
&& response_from_stdin)
{
  char *response = (char *) gc_malloc (USER_PASS_LEN, false, 
);
  struct buffer packed_resp;
  char *pw64=NULL, *resp64=NULL;

  msg 

Re: [Openvpn-devel] XP broken (wrt IPv6 in 2.3.9)

[Gert Doering]

Hi,

On Sun, Dec 20, 2015 at 07:32:56PM +0200, Lev Stipakov wrote:
> Screenshot seems to be lost in transmission.

The usual problem of  "attached you'll find... (nothing)".  Resend :-)

> Moving to openvpn-devel.
> 
> We could probably detect XP only (or technically "less then Vista") by
> checking that IsWindowsVistaOrGreater() == false which seems to be
> simpler. It should fix the problem.

That would help with "part 2", right...  (XP has a function 
"IsWindowsVistaOrGreater"?  wtf!?)

> However I like the idea that server will be able to know client's win
> version, which might help with troubleshooting. I wouldn't not change
> "IV_PLAT" value, so shall we add something like "IV_PLAT_WINVER=6.1"?

Maybe IV_PLAT_VER=, to be extended for other platforms if we want to.

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de


signature.asc
Description: PGP signature

Re: [Openvpn-devel] XP broken

[Lev Stipakov]

Hi,

Screenshot seems to be lost in transmission.

Moving to openvpn-devel.

We could probably detect XP only (or technically "less then Vista") by
checking that IsWindowsVistaOrGreater() == false which seems to be
simpler. It should fix the problem.

However I like the idea that server will be able to know client's win
version, which might help with troubleshooting. I wouldn't not change
"IV_PLAT" value, so shall we add something like "IV_PLAT_WINVER=6.1"?

-Lev

2015-12-20 15:46 GMT+02:00 Gert Doering :

> Unfortunately, this is a bit complicated.
>
> First, XP really doesn't *do* interface indexes in netsh (*rant*) - I
> have attached a screen shot.  German, unfortunately, but "Zeichenkette"
> is "string", and the example clearly has an interface name there...
>
> We *could* introduce yet another option ("--ip-win32 netsh-names"),
> but the usefulness of that would depend on "whoever writes the .conf file
> knows what client OS it is for" (plus, we add an option that 2.4 won't
> have because it has no XP support anyway).  This does not sound like
> the way forward.
>
> So, I think we need to do this in two steps:
>
>  - add (in win32.c) a "win32_version_info()" function that will do the
>necessary things to figure out what Windows version we're running on.
>Stackoverflow suggests that this is complicated, as Windows will lie
>to programs most of the time, so "Win10" is reported as "Win8" unless
>there is something in the manifest (whatever that is) that tells windows
>"this program is prepared to deal with THE TRUTH"
>
>  - while at it, add "win32_version_string()" which would produce a printed
>version of this - so we can log it at startup, to help people diagnose
>why something isn't working for a user - and we could send it to the
>server as well if --push-peer-info is enabled (ssl.c, push_peer_info())
>
>  - and then, make the interface index bit conditional...
>
> if ( win32_version_info() == WIN_XP )
> device = tt->actual;
> else
>   {
> buf_printf (, "interface=%d", tt->adapter_index );
> device = buf_bptr();
>   }
>
>(for add/delete_route_ipv6(), but ifconfig would look the same)
>
>
> the win32_version_* stuff would go into 2.3 and master, because having
> that information is generally useful - the conditional setting only into
> 2.3.10
>
> what do you think?

-- 
-Lev

[Openvpn-devel] [PATCH applied] Re: Make assert_failed() print the failed condition

[Gert Doering]

ACK (Arne's ACK for v2 taken from IRC, did not make it to the list yet).

Your patch has been applied to the master and release/2.3 branch.

commit 9b36bd40d393620cce83392f4a56392ba391fb7c (master)
commit 87e555aea146ec69007ff25ce66e63ad94ae9f7d (release/2.3)

Author: Steffan Karger
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Sun Dec 20 11:44:09 2015 +0100

 Make assert_failed() print the failed condition

 Signed-off-by: Steffan Karger 
 Acked-by: Arne Schwabe 
 Acked-by: Gert Doering 
 Message-Id: <1450608249-9947-1-git-send-email-stef...@karger.me>
 URL: http://article.gmane.org/gmane.network.openvpn.devel/10862
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering

[Openvpn-devel] [PATCH v2] cleanup: get rid of httpdigest.c type warnings

[Steffan Karger]

When I compile with --enable-strict, I only want to see warnings that are
relevant.  So, change httpdigest.c to use the correct type when possible
and make any remaining casts explicit.

This commit should not change behaviour.

v2: as discussed on #openvpn-devel, make colon a const uint8_t *, instead
of uint8_t.

Signed-off-by: Steffan Karger 
---
 src/openvpn/httpdigest.c | 46 --
 1 file changed, 24 insertions(+), 22 deletions(-)

diff --git a/src/openvpn/httpdigest.c b/src/openvpn/httpdigest.c
index 78b8344..908d259 100644
--- a/src/openvpn/httpdigest.c
+++ b/src/openvpn/httpdigest.c
@@ -74,22 +74,23 @@ DigestCalcHA1(
   HASH HA1;
   md_ctx_t md5_ctx;
   const md_kt_t *md5_kt = md_kt_get("MD5");
+  const uint8_t *colon = (const uint8_t *) ":";

   md_ctx_init(_ctx, md5_kt);
-  md_ctx_update(_ctx, pszUserName, strlen(pszUserName));
-  md_ctx_update(_ctx, ":", 1);
-  md_ctx_update(_ctx, pszRealm, strlen(pszRealm));
-  md_ctx_update(_ctx, ":", 1);
-  md_ctx_update(_ctx, pszPassword, strlen(pszPassword));
+  md_ctx_update(_ctx, (const uint8_t *) pszUserName, strlen(pszUserName));
+  md_ctx_update(_ctx, colon, 1);
+  md_ctx_update(_ctx, (const uint8_t *) pszRealm, strlen(pszRealm));
+  md_ctx_update(_ctx, colon, 1);
+  md_ctx_update(_ctx, (const uint8_t *) pszPassword, strlen(pszPassword));
   md_ctx_final(_ctx, HA1);
   if (pszAlg && strcasecmp(pszAlg, "md5-sess") == 0)
 {
   md_ctx_init(_ctx, md5_kt);
   md_ctx_update(_ctx, HA1, HASHLEN);
-  md_ctx_update(_ctx, ":", 1);
-  md_ctx_update(_ctx, pszNonce, strlen(pszNonce));
-  md_ctx_update(_ctx, ":", 1);
-  md_ctx_update(_ctx, pszCNonce, strlen(pszCNonce));
+  md_ctx_update(_ctx, colon, 1);
+  md_ctx_update(_ctx, (const uint8_t *) pszNonce, strlen(pszNonce));
+  md_ctx_update(_ctx, colon, 1);
+  md_ctx_update(_ctx, (const uint8_t *) pszCNonce, strlen(pszCNonce));
   md_ctx_final(_ctx, HA1);
 };
   md_ctx_cleanup(_ctx);
@@ -116,15 +117,16 @@ DigestCalcResponse(

   md_ctx_t md5_ctx;
   const md_kt_t *md5_kt = md_kt_get("MD5");
+  const uint8_t *colon = (const uint8_t *) ":";

   /* calculate H(A2) */
   md_ctx_init(_ctx, md5_kt);
-  md_ctx_update(_ctx, pszMethod, strlen(pszMethod));
-  md_ctx_update(_ctx, ":", 1);
-  md_ctx_update(_ctx, pszDigestUri, strlen(pszDigestUri));
+  md_ctx_update(_ctx, (const uint8_t *) pszMethod, strlen(pszMethod));
+  md_ctx_update(_ctx, colon, 1);
+  md_ctx_update(_ctx, (const uint8_t *) pszDigestUri, 
strlen(pszDigestUri));
   if (strcasecmp(pszQop, "auth-int") == 0)
 {
-  md_ctx_update(_ctx, ":", 1);
+  md_ctx_update(_ctx, colon, 1);
   md_ctx_update(_ctx, HEntity, HASHHEXLEN);
 };
   md_ctx_final(_ctx, HA2);
@@ -133,17 +135,17 @@ DigestCalcResponse(
   /* calculate response */
   md_ctx_init(_ctx, md5_kt);
   md_ctx_update(_ctx, HA1, HASHHEXLEN);
-  md_ctx_update(_ctx, ":", 1);
-  md_ctx_update(_ctx, pszNonce, strlen(pszNonce));
-  md_ctx_update(_ctx, ":", 1);
+  md_ctx_update(_ctx, colon, 1);
+  md_ctx_update(_ctx, (const uint8_t *) pszNonce, strlen(pszNonce));
+  md_ctx_update(_ctx, colon, 1);
   if (*pszQop)
 {
-  md_ctx_update(_ctx, pszNonceCount, strlen(pszNonceCount));
-  md_ctx_update(_ctx, ":", 1);
-  md_ctx_update(_ctx, pszCNonce, strlen(pszCNonce));
-  md_ctx_update(_ctx, ":", 1);
-  md_ctx_update(_ctx, pszQop, strlen(pszQop));
-  md_ctx_update(_ctx, ":", 1);
+  md_ctx_update(_ctx, (const uint8_t *) pszNonceCount, 
strlen(pszNonceCount));
+  md_ctx_update(_ctx, colon, 1);
+  md_ctx_update(_ctx, (const uint8_t *) pszCNonce, strlen(pszCNonce));
+  md_ctx_update(_ctx, colon, 1);
+  md_ctx_update(_ctx, (const uint8_t *) pszQop, strlen(pszQop));
+  md_ctx_update(_ctx, colon, 1);
 };
   md_ctx_update(_ctx, HA2Hex, HASHHEXLEN);
   md_ctx_final(_ctx, RespHash);
-- 
2.5.0

[Openvpn-devel] [PATCH v2] Make assert_failed() print the failed condition

[Steffan Karger]

Easy change to make logging output more useful.

v2: don't print the failed condition if ENABLE_SMALL is defined.

Signed-off-by: Steffan Karger 
---
 src/openvpn/error.c | 7 +--
 src/openvpn/error.h | 9 +++--
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/src/openvpn/error.c b/src/openvpn/error.c
index 66f37f3..cfd5a41 100644
--- a/src/openvpn/error.c
+++ b/src/openvpn/error.c
@@ -394,9 +394,12 @@ dont_mute (unsigned int flags)
 }

 void
-assert_failed (const char *filename, int line)
+assert_failed (const char *filename, int line, const char *condition)
 {
-  msg (M_FATAL, "Assertion failed at %s:%d", filename, line);
+  if (condition)
+msg (M_FATAL, "Assertion failed at %s:%d (%s)", filename, line, condition);
+  else
+msg (M_FATAL, "Assertion failed at %s:%d", filename, line);
   _exit(1);
 }

diff --git a/src/openvpn/error.h b/src/openvpn/error.h
index 1dc0864..dd5ccf7 100644
--- a/src/openvpn/error.h
+++ b/src/openvpn/error.h
@@ -211,9 +211,14 @@ const char *msg_flags_string (const unsigned int flags, 
struct gc_arena *gc);
 FILE *msg_fp(const unsigned int flags);

 /* Fatal logic errors */
-#define ASSERT(x) do { if (!(x)) assert_failed(__FILE__, __LINE__); } while 
(false)
+#ifndef ENABLE_SMALL
+#define ASSERT(x) do { if (!(x)) assert_failed(__FILE__, __LINE__, #x); } 
while (false)
+#else
+#define ASSERT(x) do { if (!(x)) assert_failed(__FILE__, __LINE__, NULL); } 
while (false)
+#endif

-void assert_failed (const char *filename, int line) 
__attribute__((__noreturn__));
+void assert_failed (const char *filename, int line, const char *condition)
+  __attribute__((__noreturn__));

 #ifdef ENABLE_DEBUG
 void crash (void); /* force a segfault (debugging only) */
-- 
2.5.0

Re: [Openvpn-devel] [PATCH] Make assert_failed() print the failed condition

[Arne Schwabe]

On 20.12.2015 10:10, Steffan Karger wrote:
> Easy change to make logging output more useful.
>
ACK. BUt I think if we keep the minimal build option, this should be
disabled int that option since the extra strings will increase code size.

Arne

[Openvpn-devel] [PATCH] Make assert_failed() print the failed condition

[Steffan Karger]

Easy change to make logging output more useful.

Signed-off-by: Steffan Karger 
---
 src/openvpn/error.c | 4 ++--
 src/openvpn/error.h | 5 +++--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/openvpn/error.c b/src/openvpn/error.c
index 66f37f3..6daf465 100644
--- a/src/openvpn/error.c
+++ b/src/openvpn/error.c
@@ -394,9 +394,9 @@ dont_mute (unsigned int flags)
 }

 void
-assert_failed (const char *filename, int line)
+assert_failed (const char *filename, int line, const char *condition)
 {
-  msg (M_FATAL, "Assertion failed at %s:%d", filename, line);
+  msg (M_FATAL, "Assertion failed at %s:%d (%s)", filename, line, condition);
   _exit(1);
 }

diff --git a/src/openvpn/error.h b/src/openvpn/error.h
index 1dc0864..5ad75e2 100644
--- a/src/openvpn/error.h
+++ b/src/openvpn/error.h
@@ -211,9 +211,10 @@ const char *msg_flags_string (const unsigned int flags, 
struct gc_arena *gc);
 FILE *msg_fp(const unsigned int flags);

 /* Fatal logic errors */
-#define ASSERT(x) do { if (!(x)) assert_failed(__FILE__, __LINE__); } while 
(false)
+#define ASSERT(x) do { if (!(x)) assert_failed(__FILE__, __LINE__, #x); } 
while (false)

-void assert_failed (const char *filename, int line) 
__attribute__((__noreturn__));
+void assert_failed (const char *filename, int line, const char *condition)
+  __attribute__((__noreturn__));

 #ifdef ENABLE_DEBUG
 void crash (void); /* force a segfault (debugging only) */
-- 
2.5.0