Re: [Openvpn-devel] XP broken (wrt IPv6 in 2.3.9)
I don't like the idea with additional win32-route option, it really should just use interface name on XP and index on Vista+. On 12/20/2015 09:19 PM, Gert Doering wrote: > Hi, > > On Sun, Dec 20, 2015 at 07:32:56PM +0200, Lev Stipakov wrote: > The usual problem of "attached you'll find... (nothing)". Resend :-) > > That would help with "part 2", right... (XP has a function > "IsWindowsVistaOrGreater"? wtf!?) > > Maybe IV_PLAT_VER=, to be extended for other platforms if we want to. > > gert > > > > -- > > > ___ > Openvpn-devel mailing list > Openvpn-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/openvpn-devel signature.asc Description: OpenPGP digital signature
[Openvpn-devel] [PATCH v3] cleanup: get rid of httpdigest.c type warnings
When I compile with --enable-strict, I only want to see warnings that are relevant. So, change httpdigest.c to make the casts explicit. This commit should not change behaviour. v2: as discussed on #openvpn-devel, make colon a const uint8_t *, instead of uint8_t. v3: as further discussed on #openvpn-devel, don't use a 'colon' var, but just add casts. Signed-off-by: Steffan Karger--- src/openvpn/httpdigest.c | 44 ++-- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/src/openvpn/httpdigest.c b/src/openvpn/httpdigest.c index 78b8344..99bbda4 100644 --- a/src/openvpn/httpdigest.c +++ b/src/openvpn/httpdigest.c @@ -76,20 +76,20 @@ DigestCalcHA1( const md_kt_t *md5_kt = md_kt_get("MD5"); md_ctx_init(_ctx, md5_kt); - md_ctx_update(_ctx, pszUserName, strlen(pszUserName)); - md_ctx_update(_ctx, ":", 1); - md_ctx_update(_ctx, pszRealm, strlen(pszRealm)); - md_ctx_update(_ctx, ":", 1); - md_ctx_update(_ctx, pszPassword, strlen(pszPassword)); + md_ctx_update(_ctx, (const uint8_t *) pszUserName, strlen(pszUserName)); + md_ctx_update(_ctx, (const uint8_t *) ":", 1); + md_ctx_update(_ctx, (const uint8_t *) pszRealm, strlen(pszRealm)); + md_ctx_update(_ctx, (const uint8_t *) ":", 1); + md_ctx_update(_ctx, (const uint8_t *) pszPassword, strlen(pszPassword)); md_ctx_final(_ctx, HA1); if (pszAlg && strcasecmp(pszAlg, "md5-sess") == 0) { md_ctx_init(_ctx, md5_kt); md_ctx_update(_ctx, HA1, HASHLEN); - md_ctx_update(_ctx, ":", 1); - md_ctx_update(_ctx, pszNonce, strlen(pszNonce)); - md_ctx_update(_ctx, ":", 1); - md_ctx_update(_ctx, pszCNonce, strlen(pszCNonce)); + md_ctx_update(_ctx, (const uint8_t *) ":", 1); + md_ctx_update(_ctx, (const uint8_t *) pszNonce, strlen(pszNonce)); + md_ctx_update(_ctx, (const uint8_t *) ":", 1); + md_ctx_update(_ctx, (const uint8_t *) pszCNonce, strlen(pszCNonce)); md_ctx_final(_ctx, HA1); }; md_ctx_cleanup(_ctx); @@ -119,12 +119,12 @@ DigestCalcResponse( /* calculate H(A2) */ md_ctx_init(_ctx, md5_kt); - md_ctx_update(_ctx, pszMethod, strlen(pszMethod)); - md_ctx_update(_ctx, ":", 1); - md_ctx_update(_ctx, pszDigestUri, strlen(pszDigestUri)); + md_ctx_update(_ctx, (const uint8_t *) pszMethod, strlen(pszMethod)); + md_ctx_update(_ctx, (const uint8_t *) ":", 1); + md_ctx_update(_ctx, (const uint8_t *) pszDigestUri, strlen(pszDigestUri)); if (strcasecmp(pszQop, "auth-int") == 0) { - md_ctx_update(_ctx, ":", 1); + md_ctx_update(_ctx, (const uint8_t *) ":", 1); md_ctx_update(_ctx, HEntity, HASHHEXLEN); }; md_ctx_final(_ctx, HA2); @@ -133,17 +133,17 @@ DigestCalcResponse( /* calculate response */ md_ctx_init(_ctx, md5_kt); md_ctx_update(_ctx, HA1, HASHHEXLEN); - md_ctx_update(_ctx, ":", 1); - md_ctx_update(_ctx, pszNonce, strlen(pszNonce)); - md_ctx_update(_ctx, ":", 1); + md_ctx_update(_ctx, (const uint8_t *) ":", 1); + md_ctx_update(_ctx, (const uint8_t *) pszNonce, strlen(pszNonce)); + md_ctx_update(_ctx, (const uint8_t *) ":", 1); if (*pszQop) { - md_ctx_update(_ctx, pszNonceCount, strlen(pszNonceCount)); - md_ctx_update(_ctx, ":", 1); - md_ctx_update(_ctx, pszCNonce, strlen(pszCNonce)); - md_ctx_update(_ctx, ":", 1); - md_ctx_update(_ctx, pszQop, strlen(pszQop)); - md_ctx_update(_ctx, ":", 1); + md_ctx_update(_ctx, (const uint8_t *) pszNonceCount, strlen(pszNonceCount)); + md_ctx_update(_ctx, (const uint8_t *) ":", 1); + md_ctx_update(_ctx, (const uint8_t *) pszCNonce, strlen(pszCNonce)); + md_ctx_update(_ctx, (const uint8_t *) ":", 1); + md_ctx_update(_ctx, (const uint8_t *) pszQop, strlen(pszQop)); + md_ctx_update(_ctx, (const uint8_t *) ":", 1); }; md_ctx_update(_ctx, HA2Hex, HASHHEXLEN); md_ctx_final(_ctx, RespHash); -- 2.5.0
[Openvpn-devel] Testing challenge-response
Hi, To test the challenge-response handling, I had setup a test server. Will keep running it for a while, so if anyone wants to use it for testing, a config is available at https://s3.amazonaws.com/selva-temp/cr-test.conf It uses the sample keys and certs, and the server will only provide limited network access, useful only for testing the static and dynamic challenge options. See the comments in the config file for details. Selva
Re: [Openvpn-devel] [PATCH v2] Make assert_failed() print the failed condition
On 20.12.2015 11:44, Steffan Karger wrote: > Easy change to make logging output more useful. > > v2: don't print the failed condition if ENABLE_SMALL is defined. > ACK. Thanks. Arne
[Openvpn-devel] [PATCH] Support reading the challenge-response from console
Trying to keep the footrpint small, this patch adds to the convoluted code-flow in get_user_pass_cr(). Cleanup left for later. -8<- Currently prompting for a response to static-challenge gets skipped when the username and passowrd are read from a file. Further, dynamic challenge gets wrongly handled as if its a username/password request. The Fix: - Add yet another flag in get_user_pass_cr() to set when prompting of response from console is needed. - In receive_auth_failed(), the challenge text received from server _always_ copied to the auth_challenge buffer: this is needed to trigger prompting from console when required. - Also show the challenge text instead of an opaque "Response:" at the prompt. While at it, also remove the special treatment of authfile == "management" in get_user_pass_cr(). The feature implied by that test does not exist. Tested: - username and optionally password from file, rest from console - the above with a static challenge - the above with a dynamic challenge - all of the above with systemd in place of console - all from management with and without static/dynamic challenge. Thanks to Wayne Davisonfor pointing out the issue with challenge-response, and an initial patch. Signed-off-by: Selva Nair --- src/openvpn/misc.c | 22 +++--- src/openvpn/push.c |5 - 2 files changed, 19 insertions(+), 8 deletions(-) diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index 05ed073..363b8f7 100644 --- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c @@ -1044,6 +1044,7 @@ get_user_pass_cr (struct user_pass *up, bool from_authfile = (auth_file && !streq (auth_file, "stdin")); bool username_from_stdin = false; bool password_from_stdin = false; + bool response_from_stdin = true; if (flags & GET_USER_PASS_PREVIOUS_CREDS_FAILED) msg (M_WARN, "Note: previous '%s' credentials failed", prefix); @@ -1053,10 +1054,11 @@ get_user_pass_cr (struct user_pass *up, * Get username/password from management interface? */ if (management - && ((auth_file && streq (auth_file, "management")) || (!from_authfile && (flags & GET_USER_PASS_MANAGEMENT))) + && (!from_authfile && (flags & GET_USER_PASS_MANAGEMENT)) && management_query_user_pass_enabled (management)) { const char *sc = NULL; + response_from_stdin = false; if (flags & GET_USER_PASS_PREVIOUS_CREDS_FAILED) management_auth_failure (management, prefix, "previous auth credentials failed"); @@ -1090,7 +1092,10 @@ get_user_pass_cr (struct user_pass *up, if (!strlen (up->password)) strcpy (up->password, "ok"); } - else if (from_authfile) + /* + * Read from auth file unless this is a dynamic challenge request. + */ + else if (from_authfile && !(flags & GET_USER_PASS_DYNAMIC_CHALLENGE)) { /* * Try to get username/password from a file. @@ -1141,10 +1146,10 @@ get_user_pass_cr (struct user_pass *up, /* * Get username/password from standard input? */ - if (username_from_stdin || password_from_stdin) + if (username_from_stdin || password_from_stdin || response_from_stdin) { #ifdef ENABLE_CLIENT_CR - if (auth_challenge && (flags & GET_USER_PASS_DYNAMIC_CHALLENGE)) + if (auth_challenge && (flags & GET_USER_PASS_DYNAMIC_CHALLENGE) && response_from_stdin) { struct auth_challenge_info *ac = get_auth_challenge (auth_challenge, ); if (ac) @@ -1154,7 +1159,8 @@ get_user_pass_cr (struct user_pass *up, buf_set_write (_resp, (uint8_t*)up->password, USER_PASS_LEN); msg (M_INFO|M_NOPREFIX, "CHALLENGE: %s", ac->challenge_text); - if (!get_console_input ("Response:", BOOL_CAST(ac->flags_ECHO), response, USER_PASS_LEN)) + if (!get_console_input (ac->challenge_text, BOOL_CAST(ac->flags_ECHO), + response, USER_PASS_LEN)) msg (M_FATAL, "ERROR: could not read challenge response from stdin"); strncpynt (up->username, ac->user, USER_PASS_LEN); buf_printf (_resp, "CRV1::%s::%s", ac->state_id, response); @@ -1185,14 +1191,16 @@ get_user_pass_cr (struct user_pass *up, msg (M_FATAL, "ERROR: could not not read %s password from stdin", prefix); #ifdef ENABLE_CLIENT_CR - if (auth_challenge && (flags & GET_USER_PASS_STATIC_CHALLENGE)) + if (auth_challenge && (flags & GET_USER_PASS_STATIC_CHALLENGE) && response_from_stdin) { char *response = (char *) gc_malloc (USER_PASS_LEN, false, ); struct buffer packed_resp; char *pw64=NULL, *resp64=NULL; msg
Re: [Openvpn-devel] XP broken (wrt IPv6 in 2.3.9)
Hi, On Sun, Dec 20, 2015 at 07:32:56PM +0200, Lev Stipakov wrote: > Screenshot seems to be lost in transmission. The usual problem of "attached you'll find... (nothing)". Resend :-) > Moving to openvpn-devel. > > We could probably detect XP only (or technically "less then Vista") by > checking that IsWindowsVistaOrGreater() == false which seems to be > simpler. It should fix the problem. That would help with "part 2", right... (XP has a function "IsWindowsVistaOrGreater"? wtf!?) > However I like the idea that server will be able to know client's win > version, which might help with troubleshooting. I wouldn't not change > "IV_PLAT" value, so shall we add something like "IV_PLAT_WINVER=6.1"? Maybe IV_PLAT_VER=, to be extended for other platforms if we want to. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany g...@greenie.muc.de fax: +49-89-35655025g...@net.informatik.tu-muenchen.de signature.asc Description: PGP signature
Re: [Openvpn-devel] XP broken
Hi, Screenshot seems to be lost in transmission. Moving to openvpn-devel. We could probably detect XP only (or technically "less then Vista") by checking that IsWindowsVistaOrGreater() == false which seems to be simpler. It should fix the problem. However I like the idea that server will be able to know client's win version, which might help with troubleshooting. I wouldn't not change "IV_PLAT" value, so shall we add something like "IV_PLAT_WINVER=6.1"? -Lev 2015-12-20 15:46 GMT+02:00 Gert Doering: > Unfortunately, this is a bit complicated. > > First, XP really doesn't *do* interface indexes in netsh (*rant*) - I > have attached a screen shot. German, unfortunately, but "Zeichenkette" > is "string", and the example clearly has an interface name there... > > We *could* introduce yet another option ("--ip-win32 netsh-names"), > but the usefulness of that would depend on "whoever writes the .conf file > knows what client OS it is for" (plus, we add an option that 2.4 won't > have because it has no XP support anyway). This does not sound like > the way forward. > > So, I think we need to do this in two steps: > > - add (in win32.c) a "win32_version_info()" function that will do the >necessary things to figure out what Windows version we're running on. >Stackoverflow suggests that this is complicated, as Windows will lie >to programs most of the time, so "Win10" is reported as "Win8" unless >there is something in the manifest (whatever that is) that tells windows >"this program is prepared to deal with THE TRUTH" > > - while at it, add "win32_version_string()" which would produce a printed >version of this - so we can log it at startup, to help people diagnose >why something isn't working for a user - and we could send it to the >server as well if --push-peer-info is enabled (ssl.c, push_peer_info()) > > - and then, make the interface index bit conditional... > > if ( win32_version_info() == WIN_XP ) > device = tt->actual; > else > { > buf_printf (, "interface=%d", tt->adapter_index ); > device = buf_bptr(); > } > >(for add/delete_route_ipv6(), but ifconfig would look the same) > > > the win32_version_* stuff would go into 2.3 and master, because having > that information is generally useful - the conditional setting only into > 2.3.10 > > what do you think? -- -Lev
[Openvpn-devel] [PATCH applied] Re: Make assert_failed() print the failed condition
ACK (Arne's ACK for v2 taken from IRC, did not make it to the list yet). Your patch has been applied to the master and release/2.3 branch. commit 9b36bd40d393620cce83392f4a56392ba391fb7c (master) commit 87e555aea146ec69007ff25ce66e63ad94ae9f7d (release/2.3) Author: Steffan Karger List-Post: openvpn-devel@lists.sourceforge.net Date: Sun Dec 20 11:44:09 2015 +0100 Make assert_failed() print the failed condition Signed-off-by: Steffan KargerAcked-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <1450608249-9947-1-git-send-email-stef...@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/10862 Signed-off-by: Gert Doering -- kind regards, Gert Doering
[Openvpn-devel] [PATCH v2] cleanup: get rid of httpdigest.c type warnings
When I compile with --enable-strict, I only want to see warnings that are relevant. So, change httpdigest.c to use the correct type when possible and make any remaining casts explicit. This commit should not change behaviour. v2: as discussed on #openvpn-devel, make colon a const uint8_t *, instead of uint8_t. Signed-off-by: Steffan Karger--- src/openvpn/httpdigest.c | 46 -- 1 file changed, 24 insertions(+), 22 deletions(-) diff --git a/src/openvpn/httpdigest.c b/src/openvpn/httpdigest.c index 78b8344..908d259 100644 --- a/src/openvpn/httpdigest.c +++ b/src/openvpn/httpdigest.c @@ -74,22 +74,23 @@ DigestCalcHA1( HASH HA1; md_ctx_t md5_ctx; const md_kt_t *md5_kt = md_kt_get("MD5"); + const uint8_t *colon = (const uint8_t *) ":"; md_ctx_init(_ctx, md5_kt); - md_ctx_update(_ctx, pszUserName, strlen(pszUserName)); - md_ctx_update(_ctx, ":", 1); - md_ctx_update(_ctx, pszRealm, strlen(pszRealm)); - md_ctx_update(_ctx, ":", 1); - md_ctx_update(_ctx, pszPassword, strlen(pszPassword)); + md_ctx_update(_ctx, (const uint8_t *) pszUserName, strlen(pszUserName)); + md_ctx_update(_ctx, colon, 1); + md_ctx_update(_ctx, (const uint8_t *) pszRealm, strlen(pszRealm)); + md_ctx_update(_ctx, colon, 1); + md_ctx_update(_ctx, (const uint8_t *) pszPassword, strlen(pszPassword)); md_ctx_final(_ctx, HA1); if (pszAlg && strcasecmp(pszAlg, "md5-sess") == 0) { md_ctx_init(_ctx, md5_kt); md_ctx_update(_ctx, HA1, HASHLEN); - md_ctx_update(_ctx, ":", 1); - md_ctx_update(_ctx, pszNonce, strlen(pszNonce)); - md_ctx_update(_ctx, ":", 1); - md_ctx_update(_ctx, pszCNonce, strlen(pszCNonce)); + md_ctx_update(_ctx, colon, 1); + md_ctx_update(_ctx, (const uint8_t *) pszNonce, strlen(pszNonce)); + md_ctx_update(_ctx, colon, 1); + md_ctx_update(_ctx, (const uint8_t *) pszCNonce, strlen(pszCNonce)); md_ctx_final(_ctx, HA1); }; md_ctx_cleanup(_ctx); @@ -116,15 +117,16 @@ DigestCalcResponse( md_ctx_t md5_ctx; const md_kt_t *md5_kt = md_kt_get("MD5"); + const uint8_t *colon = (const uint8_t *) ":"; /* calculate H(A2) */ md_ctx_init(_ctx, md5_kt); - md_ctx_update(_ctx, pszMethod, strlen(pszMethod)); - md_ctx_update(_ctx, ":", 1); - md_ctx_update(_ctx, pszDigestUri, strlen(pszDigestUri)); + md_ctx_update(_ctx, (const uint8_t *) pszMethod, strlen(pszMethod)); + md_ctx_update(_ctx, colon, 1); + md_ctx_update(_ctx, (const uint8_t *) pszDigestUri, strlen(pszDigestUri)); if (strcasecmp(pszQop, "auth-int") == 0) { - md_ctx_update(_ctx, ":", 1); + md_ctx_update(_ctx, colon, 1); md_ctx_update(_ctx, HEntity, HASHHEXLEN); }; md_ctx_final(_ctx, HA2); @@ -133,17 +135,17 @@ DigestCalcResponse( /* calculate response */ md_ctx_init(_ctx, md5_kt); md_ctx_update(_ctx, HA1, HASHHEXLEN); - md_ctx_update(_ctx, ":", 1); - md_ctx_update(_ctx, pszNonce, strlen(pszNonce)); - md_ctx_update(_ctx, ":", 1); + md_ctx_update(_ctx, colon, 1); + md_ctx_update(_ctx, (const uint8_t *) pszNonce, strlen(pszNonce)); + md_ctx_update(_ctx, colon, 1); if (*pszQop) { - md_ctx_update(_ctx, pszNonceCount, strlen(pszNonceCount)); - md_ctx_update(_ctx, ":", 1); - md_ctx_update(_ctx, pszCNonce, strlen(pszCNonce)); - md_ctx_update(_ctx, ":", 1); - md_ctx_update(_ctx, pszQop, strlen(pszQop)); - md_ctx_update(_ctx, ":", 1); + md_ctx_update(_ctx, (const uint8_t *) pszNonceCount, strlen(pszNonceCount)); + md_ctx_update(_ctx, colon, 1); + md_ctx_update(_ctx, (const uint8_t *) pszCNonce, strlen(pszCNonce)); + md_ctx_update(_ctx, colon, 1); + md_ctx_update(_ctx, (const uint8_t *) pszQop, strlen(pszQop)); + md_ctx_update(_ctx, colon, 1); }; md_ctx_update(_ctx, HA2Hex, HASHHEXLEN); md_ctx_final(_ctx, RespHash); -- 2.5.0
[Openvpn-devel] [PATCH v2] Make assert_failed() print the failed condition
Easy change to make logging output more useful. v2: don't print the failed condition if ENABLE_SMALL is defined. Signed-off-by: Steffan Karger--- src/openvpn/error.c | 7 +-- src/openvpn/error.h | 9 +++-- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/src/openvpn/error.c b/src/openvpn/error.c index 66f37f3..cfd5a41 100644 --- a/src/openvpn/error.c +++ b/src/openvpn/error.c @@ -394,9 +394,12 @@ dont_mute (unsigned int flags) } void -assert_failed (const char *filename, int line) +assert_failed (const char *filename, int line, const char *condition) { - msg (M_FATAL, "Assertion failed at %s:%d", filename, line); + if (condition) +msg (M_FATAL, "Assertion failed at %s:%d (%s)", filename, line, condition); + else +msg (M_FATAL, "Assertion failed at %s:%d", filename, line); _exit(1); } diff --git a/src/openvpn/error.h b/src/openvpn/error.h index 1dc0864..dd5ccf7 100644 --- a/src/openvpn/error.h +++ b/src/openvpn/error.h @@ -211,9 +211,14 @@ const char *msg_flags_string (const unsigned int flags, struct gc_arena *gc); FILE *msg_fp(const unsigned int flags); /* Fatal logic errors */ -#define ASSERT(x) do { if (!(x)) assert_failed(__FILE__, __LINE__); } while (false) +#ifndef ENABLE_SMALL +#define ASSERT(x) do { if (!(x)) assert_failed(__FILE__, __LINE__, #x); } while (false) +#else +#define ASSERT(x) do { if (!(x)) assert_failed(__FILE__, __LINE__, NULL); } while (false) +#endif -void assert_failed (const char *filename, int line) __attribute__((__noreturn__)); +void assert_failed (const char *filename, int line, const char *condition) + __attribute__((__noreturn__)); #ifdef ENABLE_DEBUG void crash (void); /* force a segfault (debugging only) */ -- 2.5.0
Re: [Openvpn-devel] [PATCH] Make assert_failed() print the failed condition
On 20.12.2015 10:10, Steffan Karger wrote: > Easy change to make logging output more useful. > ACK. BUt I think if we keep the minimal build option, this should be disabled int that option since the extra strings will increase code size. Arne
[Openvpn-devel] [PATCH] Make assert_failed() print the failed condition
Easy change to make logging output more useful. Signed-off-by: Steffan Karger--- src/openvpn/error.c | 4 ++-- src/openvpn/error.h | 5 +++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/src/openvpn/error.c b/src/openvpn/error.c index 66f37f3..6daf465 100644 --- a/src/openvpn/error.c +++ b/src/openvpn/error.c @@ -394,9 +394,9 @@ dont_mute (unsigned int flags) } void -assert_failed (const char *filename, int line) +assert_failed (const char *filename, int line, const char *condition) { - msg (M_FATAL, "Assertion failed at %s:%d", filename, line); + msg (M_FATAL, "Assertion failed at %s:%d (%s)", filename, line, condition); _exit(1); } diff --git a/src/openvpn/error.h b/src/openvpn/error.h index 1dc0864..5ad75e2 100644 --- a/src/openvpn/error.h +++ b/src/openvpn/error.h @@ -211,9 +211,10 @@ const char *msg_flags_string (const unsigned int flags, struct gc_arena *gc); FILE *msg_fp(const unsigned int flags); /* Fatal logic errors */ -#define ASSERT(x) do { if (!(x)) assert_failed(__FILE__, __LINE__); } while (false) +#define ASSERT(x) do { if (!(x)) assert_failed(__FILE__, __LINE__, #x); } while (false) -void assert_failed (const char *filename, int line) __attribute__((__noreturn__)); +void assert_failed (const char *filename, int line, const char *condition) + __attribute__((__noreturn__)); #ifdef ENABLE_DEBUG void crash (void); /* force a segfault (debugging only) */ -- 2.5.0