Re: [Openvpn-devel] [PATCH 1/2] Migrate to mbed TLS 2.x
On Wed, Apr 27, 2016 at 1:00 PM, Arne Schwabe wrote:
> On 17.04.16 at 21:35, Steffan Karger wrote:
>> #ifdef HAVE_AEAD_CIPHER_MODES
>
> Are there actually mBedTLS >=2.0 without this?

It's possible to compile mbed TLS without GCM, yes. Though I could imagine getting rid of HAVE_AEAD_CIPHER_MODES, and just fail if GCM support is missing. If there are more in favour of that approach, I'll either send a v2, or a follow-up patch.

> P.S.: This was probably one of the most boring reviews I did (for most
> part of the changes).

Hehe, yes, I can imagine. Writing this patch wasn't exactly exciting either ;) Let's hope mbed TLS sticks to this naming scheme for a while...

-Steffan
Re: [Openvpn-devel] [PATCH] Support for disabled peer-id
Yep, I was a bit busy with other stuff in the last weeks.

On 27.04.2016 11:16, Arne Schwabe wrote:
> I am just going through the patches. Lev, do you plan a follow-up for this?
>
> Arne
Re: [Openvpn-devel] [PATCH] Added client-ip option to NAT
> > + if (network && !strcmp(network, "client-ip")) > +{ > + msg (M_INFO, "*** client-nat client-ip detected..."); > + e.network = 0x; > +} else { I am not sure that this message is useful. It does not provide any additional information to the user. Also please add a comment that you are using network 0x as special marker for client-ip. >e.network = getaddr(0, network, 0, , NULL); >if (!ok) > { >msg(msglevel, "client-nat: bad network: %s", network); >return; > } > +} > + Whitespace change. >e.netmask = getaddr(0, netmask, 0, , NULL); >if (!ok) > { > @@ -263,3 +270,34 @@ client_nat_transform (const struct > client_nat_option_list *list, > } > } > } > + > +/* > +* Replaces the client_ip token with the IP received from OpenVPN > +*/ > +bool > +update_client_ip_nat(struct client_nat_option_list *dest, in_addr_t > local_ip) > +{ > + int i; > + bool ret = false; > + > + if (!dest) > +return ret; > + > + for (i=0; i <= dest->n; i++) > +{ > + struct client_nat_entry *nat_entry = >entries[i]; > + if (nat_entry && nat_entry->network == 0x) > +{ > + struct in_addr addr; > + > + nat_entry->network = ntohl(local_ip); > + addr.s_addr = nat_entry->network; > + char *dot_ip = inet_ntoa(addr); > + > + msg (M_INFO, "CNAT - Updating NAT table from client-ip to: > %s", dot_ip); > + ret = true; > +} > +} > + > + return ret; > +} > diff --git a/src/openvpn/clinat.h b/src/openvpn/clinat.h > old mode 100644 > new mode 100755 > index a5779e1..156e84c > --- a/src/openvpn/clinat.h > +++ b/src/openvpn/clinat.h > @@ -62,4 +62,6 @@ void client_nat_transform (const struct > client_nat_option_list *list, >struct buffer *ipbuf, >const int direction); > > +bool update_client_ip_nat(struct client_nat_option_list *dest, > in_addr_t local_ip); > + > #endif > diff --git a/src/openvpn/init.c b/src/openvpn/init.c > old mode 100644 > new mode 100755 > index c5c0ab6..f54bc14 > --- a/src/openvpn/init.c > +++ b/src/openvpn/init.c 
> @@ -1481,6 +1481,8 @@ do_open_tun (struct context *c) >c->c1.tuntap->post_open_mtu, >SET_MTU_TUN | SET_MTU_UPPER_BOUND); > > +update_client_ip_nat(c->options.client_nat, c->c1.tuntap->local); > + >ret = true; >static_context = c; > #ifndef TARGET_ANDROID > diff --git a/src/openvpn/options.c b/src/openvpn/options.c > old mode 100644 > new mode 100755 > index 2f8915d..c08e775 > --- a/src/openvpn/options.c > +++ b/src/openvpn/options.c > @@ -223,6 +223,7 @@ static const char usage_message[] = >"--redirect-private [flags]: Like --redirect-gateway, but omit > actually changing\n" >" the default gateway. Useful when pushing private > subnets.\n" >"--client-nat snat|dnat network netmask alias : on client add 1-to-1 > NAT rule.\n" > + " Set the network parameter to 'client-ip' to use > the received ip from OpenVPN Server.\n" > #ifdef ENABLE_PUSH_PEER_INFO >"--push-peer-info : (client only) push client info to server.\n" > #endif > -- > 1.7.9.5 > > > > -- > > > > ___ > Openvpn-devel mailing list > Openvpn-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/openvpn-devel >
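Review bot: in the add_client_nat hunk, the bare hex literal assigned to `e.network` in the `client-ip` branch is the same marker that `update_client_ip_nat` later compares against, so it is repeated in two files by hand; define it once as a named macro in clinat.h (a hypothetical `CLIENT_NAT_CLIENT_IP`, name not from the patch) and use it at both sites, with the comment Arne asked for stating that the value can never be a valid user-supplied network, so no ordinary `--client-nat` entry can be rewritten by accident. The `*** client-nat client-ip detected...` message adds nothing for the user, as already noted, and can be dropped or demoted to a debug level.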
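Review bot: in the update_client_ip_nat hunk, the loop `for (i=0; i <= dest->n; i++)` visits one entry past the end if `n` is the entry count; it should be `i < dest->n`. The byte order is also inconsistent: `nat_entry->network = ntohl(local_ip);` stores a converted value and `addr.s_addr = nat_entry->network;` then hands that same value to `inet_ntoa`, which expects network order, so the logged address prints with its octets reversed on little-endian hosts; keep `network` in whatever representation the existing entries from `getaddr` use and convert with `htonl` only for the `in_addr` built for the log line. `char *dot_ip = inet_ntoa(addr);` is a declaration after statements, which the MSVC builds mentioned elsewhere in this digest do not accept; move it to the top of the block.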
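Review bot: in the clinat.h hunk (and likewise for init.c and options.c), the diff headers change the file mode from 100644 to 100755, which makes C sources executable; drop the mode changes, they are unrelated to the feature. The prototype itself is fine, but the `in_addr_t local_ip` parameter should document which byte order it expects, since the caller passes `c->c1.tuntap->local` and the implementation immediately applies `ntohl` to it.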
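Review bot: in the init.c hunk, `update_client_ip_nat` replaces the marker with the current address, so after this call in `do_open_tun` the entry no longer carries the marker; if the tun is opened again later with a different `c->c1.tuntap->local`, the stale mapping is kept and the new address is never applied. Either record per entry that it was derived from `client-ip` and rewrite it on every open, or state in the manpage that the substitution happens once. The `bool` return value is also discarded here; either use it or make the function `void`.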
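Review bot: in the options.c hunk, `client-ip` is documented only in the `--help` usage text; the manpage entry for `--client-nat` needs the same addition (the other patch ACKed in this digest updated the manpage alongside the code). Minor wording: `received ip` should read `received IP`, and it is clearer to say the address is the tun interface's local address (`c->c1.tuntap->local` in the init.c hunk) than "the received ip from OpenVPN Server".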
Re: [Openvpn-devel] [PATCH] Support for disabled peer-id
On 09.10.15 at 16:39, Gert Doering wrote:
> Hi,
>
> On Fri, Oct 09, 2015 at 03:29:17PM +0300, Lev Stipakov wrote:
>> + peer_id_disabled = peer_id == 0xFF;
>
> The general patch is fine, but while this line is technically correct, I don't
> think we should do so... please at least add some brackets...
>
> peer_id_disabled = (peer_id == 0xFF);
>
>
>> + /* TODO: support for disabled peer-id */
>
> What is this TODO about?
>

I am just going through the patches. Lev, do you plan a follow-up for this?

Arne
Re: [Openvpn-devel] [PATCH] Push an IPv6 CIDR mask used by the server, not the pool's size
On 18.08.14 at 13:51, Josh Cepek wrote:
> Correctly handle CIDR masks when pushing clients addressing from an IPv6
> pool. This change ignores the incorrectly used `bits` argument to the
> --ifconfig-ipv6-pool option.
>
> The code to save any provided CIDR mask after the pool IP is left in;
> this may someday become useful when we move to allow IPv6 pools without
> relying on an IPv4 pool assignment.
>

ACK from me. The code change makes sense and the manpage change is good too.

Arne
[Openvpn-devel] Exported keying material is always sizeof(unsigned char*)
There is patch 'git show 41e4b67a229e774ebc57a882c386e10d80e10e7e' which actually works around poor support of c99 in MSVC compiler released in 2013 :) It introduces the bug because exported key size is always sizeof(unsigned char *). There is patch for this.

From 65c273f4d2eb63a26d270b870e303d5eff99cd0a Mon Sep 17 00:00:00 2001 From: Daniel KubecList-Post: openvpn-devel@lists.sourceforge.net Date: Wed, 27 Apr 2016 07:40:31 +0200 Subject: [PATCH 1/1] Exported keying material is always sizeof(unsigned char *) There is patch 'git show 41e4b67a229e774ebc57a882c386e10d80e10e7e' which actually works around poor support of c99 in MSVC compiler released in 2013 :) It introduces the bug because exported key size is always sizeof(unsigned char *). There is patch for this. --- src/openvpn/ssl_openssl.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index ca9b67b..8909ca3 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -144,7 +144,7 @@ key_state_export_keying_material(struct key_state_ssl *ssl, struct gc_arena gc = gc_new(); unsigned char* ekm = (unsigned char*) gc_malloc(size, true, ); - if (SSL_export_keying_material(ssl->ssl, ekm, sizeof(ekm), + if (SSL_export_keying_material(ssl->ssl, ekm, size, session->opt->ekm_label, session->opt->ekm_label_size, NULL, 0, 0)) { unsigned int len = (size * 2) + 2; -- 1.7.1
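Review bot: the change from `sizeof(ekm)` to `size` in the ssl_openssl.c hunk is the right fix: `ekm` is an `unsigned char *`, so `sizeof(ekm)` is the pointer width (4 or 8 bytes), not the requested length, and the preceding `gc_malloc(size, true, ...)` shows `size` is the buffer's real length, so the call now matches the allocation. The commit message should state the user-visible impact plainly rather than only "works around poor support of c99": every caller of `key_state_export_keying_material` was receiving only 4 or 8 bytes of keying material regardless of the requested `size`, and a `Fixes: 41e4b67a229e` trailer naming the commit that introduced it would make the regression easy to trace.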