Re: [Openvpn-devel] [PATCH 1/2] Migrate to mbed TLS 2.x

2016-04-27 Thread Steffan Karger
On Wed, Apr 27, 2016 at 1:00 PM, Arne Schwabe  wrote:
> Am 17.04.16 um 21:35 schrieb Steffan Karger:
>>  #ifdef HAVE_AEAD_CIPHER_MODES
>
> Are there  actually mBedTLS >=2.0 without this?

It's possible to compile mbed TLS without GCM, yes.  Though I could
imagine getting rid of HAVE_AEAD_CIPHER_MODES, and just fail if GCM
support is missing.  If there are more in favour of that approach,
I'll either send a v2, or a follow-up patch.

> P.S.: This was probably one of the most boring reviews I did (for most
> part of the changes).

Hehe, yes, I can imagine.  Writing this patch wasn't exactly exciting
either ;)  Let's hope mbed TLS sticks to this naming scheme for a
while...

-Steffan



Re: [Openvpn-devel] [PATCH] Support for disabled peer-id

2016-04-27 Thread Lev Stipakov

Yep, was a bit busy with other stuff last weeks.

On 27.04.2016 11:16, Arne Schwabe wrote:


I am just going through the patches. Lev, do you plan a follow up for this?

Arne






Re: [Openvpn-devel] [PATCH] Added client-ip option to NAT

2016-04-27 Thread Arne Schwabe

>  
> +  if (network && !strcmp(network, "client-ip"))
> +{
> +  msg (M_INFO, "*** client-nat client-ip detected...");
> +  e.network = 0x;
> +} else {

I am not sure that this message is useful. It does not provide any
additional information to the user. Also please add a comment that you
are using network 0x as special marker for client-ip.

>e.network = getaddr(0, network, 0, , NULL);
>if (!ok)
>  {
>msg(msglevel, "client-nat: bad network: %s", network);
>return;
>  }
> +}
> +

Whitespace change.
>e.netmask = getaddr(0, netmask, 0, , NULL);
>if (!ok)
>  {
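Review bot: the `client-ip` branch stores the marker in `e.network` itself (the `e.network = 0x...` assignment at the top of the hunk), so any later consumer cannot tell "replace me with the assigned address" apart from a genuinely configured network that happens to carry that value; a dedicated flag in `struct client_nat_entry` would be unambiguous and would also make the explanatory comment requested above unnecessary. Style-wise, `} else {` on one line breaks the GNU brace layout of the surrounding code (compare the `if (!ok)` block directly below, which puts `{` on its own line), and matching it keeps the diff minimal.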
> @@ -263,3 +270,34 @@ client_nat_transform (const struct
> client_nat_option_list *list,
>  }
>  }
>  }
> +
> +/*
> +* Replaces the client_ip token with the IP received from OpenVPN
> +*/
> +bool 
> +update_client_ip_nat(struct client_nat_option_list *dest, in_addr_t
> local_ip)
> +{
> +  int i;
> +  bool ret = false;
> +
> +  if (!dest)
> +return ret;
> +
> +  for (i=0; i <= dest->n; i++) 
> +{
> +  struct client_nat_entry *nat_entry = >entries[i];
> +  if (nat_entry && nat_entry->network == 0x) 
> +{
> +  struct in_addr addr;
> +  
> +  nat_entry->network = ntohl(local_ip);
> +  addr.s_addr = nat_entry->network;
> +  char *dot_ip = inet_ntoa(addr);
> +
> +  msg (M_INFO, "CNAT - Updating NAT table from client-ip to:
> %s", dot_ip); 
> +  ret = true;
> +}
> +}
> +
> +  return ret;
> +}
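Review bot: the loop bound `i <= dest->n` walks one entry past the end of `dest->entries` if `n` counts the entries, as its name suggests; it should be `i < dest->n`. In the same loop the entry's `network` is stored in host order via `ntohl(local_ip)` and then copied straight into `addr.s_addr`, which `inet_ntoa()` expects in network order, so the logged address comes out byte-reversed; for the message use `addr.s_addr = local_ip;` directly. The `nat_entry &&` test is dead code because the address of an array element is never NULL, and `inet_ntoa()` returns a pointer to a static buffer, which is worth avoiding in code that may run from more than one context. Several lines (`bool `, the `for (...) ` line, the `if (nat_entry ...) ` line) also carry trailing whitespace.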
> diff --git a/src/openvpn/clinat.h b/src/openvpn/clinat.h
> old mode 100644
> new mode 100755
> index a5779e1..156e84c
> --- a/src/openvpn/clinat.h
> +++ b/src/openvpn/clinat.h
> @@ -62,4 +62,6 @@ void client_nat_transform (const struct
> client_nat_option_list *list,
>struct buffer *ipbuf,
>const int direction);
>  
> +bool update_client_ip_nat(struct client_nat_option_list *dest,
> in_addr_t local_ip);
> +
>  #endif
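Review bot: the file header just above flips the mode of clinat.h from 100644 to 100755, and the same happens for init.c and options.c further down; C sources and headers should not become executable, so this looks like an editor or Windows checkout artifact that should be dropped before the patch is applied. The prototype itself matches the definition in clinat.c.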
> diff --git a/src/openvpn/init.c b/src/openvpn/init.c
> old mode 100644
> new mode 100755
> index c5c0ab6..f54bc14
> --- a/src/openvpn/init.c
> +++ b/src/openvpn/init.c
> @@ -1481,6 +1481,8 @@ do_open_tun (struct context *c)
>c->c1.tuntap->post_open_mtu,
>SET_MTU_TUN | SET_MTU_UPPER_BOUND);
>  
> +update_client_ip_nat(c->options.client_nat, c->c1.tuntap->local);
> +
>ret = true;
>static_context = c;
>  #ifndef TARGET_ANDROID
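Review bot: the substitution is one-shot: `update_client_ip_nat()` overwrites the marker with the address assigned at this `do_open_tun()` and nothing ever restores it, so after a reconnect where the server hands out a different address the NAT entry keeps the stale first IP. Keeping the marker (or a flag) in the entry and deriving the live address from `c->c1.tuntap->local` each time it is needed, or restoring the marker on tun close, would avoid that. The return value is also discarded; if that is intentional, a `(void)` cast or a debug-level message would make it explicit.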
> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> old mode 100644
> new mode 100755
> index 2f8915d..c08e775
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -223,6 +223,7 @@ static const char usage_message[] =
>"--redirect-private [flags]: Like --redirect-gateway, but omit
> actually changing\n"
>"  the default gateway.  Useful when pushing private
> subnets.\n"
>"--client-nat snat|dnat network netmask alias : on client add 1-to-1
> NAT rule.\n"
> +  "  Set the network parameter to 'client-ip' to use
> the received ip from OpenVPN Server.\n"
>  #ifdef ENABLE_PUSH_PEER_INFO
>"--push-peer-info : (client only) push client info to server.\n"
>  #endif
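Review bot: this usage-text line is the only documentation change in the patch; if `--client-nat` is described in the man page as well, the new `client-ip` keyword for the network parameter belongs there too. In the text itself, "ip" should read "IP" and "OpenVPN Server" should be "OpenVPN server" to match the wording of the neighbouring lines.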
> -- 
> 1.7.9.5




Re: [Openvpn-devel] [PATCH] Support for disabled peer-id

2016-04-27 Thread Arne Schwabe
Am 09.10.15 um 16:39 schrieb Gert Doering:
> Hi,
> 
> On Fri, Oct 09, 2015 at 03:29:17PM +0300, Lev Stipakov wrote:
>> +  peer_id_disabled = peer_id == 0xFF;
> 
> The general patch is fine, but while this line is technical correct, I don't
> think we should do so...  please add least add some brackets...
> 
> peer_id_disabled = (peer_id == 0xFF);
> 
> 
>> +  /* TODO: support for disabled peer-id */
> 
> What is this TODO about?
> 

I am just going through the patches. Lev, do you plan a follow up for this?

Arne






Re: [Openvpn-devel] [PATCH] Push an IPv6 CIDR mask used by the server, not the pool's size

2016-04-27 Thread Arne Schwabe
Am 18.08.14 um 13:51 schrieb Josh Cepek:
> Correctly handle CIDR masks when pushing clients addressing from an IPv6
> pool. This change ignores the incorrectly used `bits` argument to the
> --ifconfig-ipv6-pool option.
> 
> The code to save any provided CIDR mask after the pool IP is left in;
> this may someday become useful when we move to allow IPv6 pools without
> relying on an IPv4 pool assignment.
> 

ACK from me. The code change makes sense and the manpage change is good too.

Arne




[Openvpn-devel] Exported keying material is always sizeof(unsigned char*)

2016-04-27 Thread Daniel Kubec
There is a patch, 'git show 41e4b67a229e774ebc57a882c386e10d80e10e7e',
which actually works around the poor support of C99 in the MSVC compiler released
in 2013 :)

It introduces a bug because the exported key size is always sizeof(unsigned
char *).

There is a patch for this.

From 65c273f4d2eb63a26d270b870e303d5eff99cd0a Mon Sep 17 00:00:00 2001
From: Daniel Kubec 
List-Post: openvpn-devel@lists.sourceforge.net
Date: Wed, 27 Apr 2016 07:40:31 +0200
Subject: [PATCH 1/1] Exported keying material is always sizeof(unsigned char *)

There is a patch, 'git show 41e4b67a229e774ebc57a882c386e10d80e10e7e',
which actually works around the poor support of C99 in the MSVC compiler released in 2013 :)

It introduces a bug because the exported key size is always sizeof(unsigned char *).
There is a patch for this.
---
 src/openvpn/ssl_openssl.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index ca9b67b..8909ca3 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -144,7 +144,7 @@ key_state_export_keying_material(struct key_state_ssl *ssl,
   struct gc_arena gc = gc_new();
   unsigned char* ekm = (unsigned char*) gc_malloc(size, true, );
 
-  if (SSL_export_keying_material(ssl->ssl, ekm, sizeof(ekm),
+  if (SSL_export_keying_material(ssl->ssl, ekm, size,
   session->opt->ekm_label, session->opt->ekm_label_size, NULL, 0, 0))
{
  unsigned int len = (size * 2) + 2;
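Review bot: the change is correct and security-relevant, and the commit message should say so rather than only describing the history. `ekm` is an `unsigned char *`, so `sizeof(ekm)` is the pointer width (4 or 8 bytes): OpenSSL only ever filled that many bytes of the `size`-byte buffer, while the hex encoder sized by `len = (size * 2) + 2` below still emitted all `size` bytes. With `gc_malloc(..., true, ...)` zero-filling the buffer, the rest of the exported material was constant zeros, so anything derived from it had far less entropy than the requested `size` bytes. Passing `size` is the right fix; a sentence on the impact, and on which releases carry the earlier commit, would help downstream consumers of the exported keying material decide whether to re-key.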
-- 
1.7.1
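The pitfall described in this post, as an added example that is not part of the original message or of OpenVPN/OpenSSL code: `fake_export_keying_material` is a stand-in for `SSL_export_keying_material()` that writes exactly the requested number of bytes from a toy keystream (assumed, not a real PRF), `calloc` mirrors the zero-filling `true` argument of `gc_malloc`, and `export_ekm_hex` reproduces the patched function's shape so that the pre-patch `sizeof(ekm)` and the fixed `size` request can be compared side by side.

```c
/*
 * Added example (not OpenVPN or OpenSSL code). Shows why requesting
 * sizeof(ekm) bytes, when ekm is a pointer, leaves the exported keying
 * material mostly zero, and how the defect is visible in the hex output.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for SSL_export_keying_material(): derives olen bytes from the
 * label with a toy LCG. The real function uses the TLS PRF; what matters
 * here is only that exactly olen bytes are written. Output bytes are made
 * odd so that 0x00 can never come from the keystream. */
static int fake_export_keying_material(unsigned char *out, size_t olen,
                                       const char *label, size_t label_len)
{
    uint32_t s = 0x9e3779b9u;
    for (size_t i = 0; i < label_len; i++)
        s = s * 31u + (unsigned char)label[i];
    for (size_t i = 0; i < olen; i++) {
        s = s * 1103515245u + 12345u;
        out[i] = (unsigned char)(s >> 16) | 0x01;
    }
    return 1;
}

/* Mirrors the patched function: allocate a zero-filled buffer of `size`
 * bytes (as gc_malloc(size, true, &gc) does), export keying material into
 * it and hex-encode all `size` bytes. `buggy` selects the pre-patch
 * request length sizeof(ekm), i.e. the width of a pointer. Caller frees. */
char *export_ekm_hex(size_t size, bool buggy, const char *label)
{
    unsigned char *ekm = calloc(size, 1);
    char *hex = malloc(size * 2 + 1);
    if (!ekm || !hex) {
        free(ekm);
        free(hex);
        return NULL;
    }
    size_t requested = buggy ? sizeof(ekm) : size;
    if (requested > size)       /* guard for buffers smaller than a pointer */
        requested = size;
    fake_export_keying_material(ekm, requested, label, strlen(label));
    for (size_t i = 0; i < size; i++)
        snprintf(hex + 2 * i, 3, "%02x", ekm[i]);
    free(ekm);
    return hex;
}

/* Number of bytes that actually came from the export routine: because the
 * toy keystream never emits 0x00, a trailing run of "00" pairs is exactly
 * the unfilled remainder of the buffer. */
size_t filled_key_bytes(const char *hex)
{
    size_t n = strlen(hex) / 2;
    while (n > 0 && hex[2 * n - 2] == '0' && hex[2 * n - 1] == '0')
        n--;
    return n;
}

int main(void)
{
    char *bad = export_ekm_hex(32, true, "EXPORTER-example");
    char *good = export_ekm_hex(32, false, "EXPORTER-example");
    printf("buggy: %s (%zu of 32 bytes filled)\n", bad, filled_key_bytes(bad));
    printf("fixed: %s (%zu of 32 bytes filled)\n", good, filled_key_bytes(good));
    free(bad);
    free(good);
    return 0;
}
```

Run stand-alone, the buggy variant reports only `sizeof(unsigned char *)` filled bytes (8 on a 64-bit build) followed by a run of zeros, while the fixed variant fills all 32; the same trailing-zero check is a cheap sanity test for any consumer of exported keying material.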