Re: [Openvpn-devel] Separate apt repositories for 2.4-alpha/beta/rc releases?

2016-10-14 Thread Steffan Karger
On 14 Oct 2016 9:14 p.m., "Matthias Andree"  wrote:
>
> Am 14.10.2016 um 17:28 schrieb Samuli Seppänen:
> > Hi,
> >
> > Should we have a separate apt repository for "unstable" apt packages?
> > Right now our apt repositories hold 2.3.x packages, meaning that
> > upgrades have historically been fairly minor.
> >
> > That said, users who use _our_ apt repositories have expressed interest
> > in using something newer than what is available in their distribution's
> > repositories.
> >
> > Would 2.3.12 -> 2.4-alpha1 be too big an upgrade?
> >
> Yes, definitely. Please create a separate distribution for .deb packages
> derived from pre-releases.

Indeed. We shouldn't upgrade people who are expecting stable releases to
alpha versions.

-Steffan
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [PATCH 4/5] auth-gen-token: Push generated auth-tokens to the client

2016-10-14 Thread David Sommerseth
On 14/10/16 15:30, Steffan Karger wrote:
> 
> 
> On 13-10-16 21:59, David Sommerseth wrote:
>> If --auth-gen-token has been enabled and a token has been generated,
>> ensure this token is pushed to the client using the 'auth-token' option.
>>
>> Signed-off-by: David Sommerseth 
>> ---
>>  src/openvpn/misc.c   | 5 +
>>  src/openvpn/push.c   | 9 -
>>  src/openvpn/ssl_common.h | 2 ++
>>  3 files changed, 15 insertions(+), 1 deletion(-)
>>
>> diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
>> index 225f0bf..b74ac9d 100644
>> --- a/src/openvpn/misc.c
>> +++ b/src/openvpn/misc.c
>> @@ -2073,6 +2073,11 @@ sanitize_control_message(const char *src, struct 
>> gc_arena *gc)
> 
> Wait, what?  We have over 2000 lines of 'misc.c'...?
> 
>> +  else if (!check_debug_level(D_SHOW_KEYS) && (c == 'a' && 
>> !strncmp(src, "auth-token ", 11)))
> 
> Overly long line.  (And not so clear code, but this is in line with the
> surrounding code, and you already sent an explanation.)
> 
>> diff --git a/src/openvpn/push.c b/src/openvpn/push.c
>> index ee2eda4..0fb87ba 100644
>> --- a/src/openvpn/push.c
>> +++ b/src/openvpn/push.c
>> @@ -309,7 +309,7 @@ prepare_push_reply (struct context *c, struct gc_arena 
>> *gc,
>>  struct push_list *push_list)
>>  {
>>const char *optstr = NULL;
>> -  const struct tls_multi *tls_multi = c->c2.tls_multi;
>> +  struct tls_multi *tls_multi = c->c2.tls_multi;
>>const char * const peer_info = tls_multi->peer_info;
>>struct options *o = >options;
>>  
>> @@ -371,6 +371,13 @@ prepare_push_reply (struct context *c, struct gc_arena 
>> *gc,
>>push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername);
>>  }
>>  }
>> +
>> +  /* If server uses --auth-gen-token and we have an auth token to send to 
>> client */
>> +  if (false == tls_multi->auth_token_sent && NULL != tls_multi->auth_token)
>> +{
>> +  push_option_fmt(gc, push_list, M_USAGE, "auth-token %s", 
>> tls_multi->auth_token);
>> +  tls_multi->auth_token_sent = true;
>> +}
>>return true;
>>  }
>>  
>> diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
>> index 1b90c5e..3d802c9 100644
>> --- a/src/openvpn/ssl_common.h
>> +++ b/src/openvpn/ssl_common.h
>> @@ -526,6 +526,8 @@ struct tls_multi
>>uint32_t peer_id;
>>bool use_peer_id;
>>  
>> +  bool auth_token_sent;  /**< If server uses --auth-gen-token and
>> +  *   token has been sent to client */
>>char *auth_token;  /** If server sends a generated auth-token,
>>* this is the token to use for future
>>* user/pass authentications in this session.
>>
> 
> ACK, if you wrap the long lines and update the commit message.
> 

Thanks a lot! As there were some more slight changes, I decided to send
a v2 patch, just to avoid any further confusion.


-- 
kind regards,

David Sommerseth





[Openvpn-devel] [PATCH v2 4/5] auth-gen-token: Push generated auth-tokens to the client

2016-10-14 Thread David Sommerseth
If --auth-gen-token has been enabled and a token has been generated,
ensure this token is pushed to the client using the 'auth-token' option.

This patch will also remove the logging of auth-token values being
pushed, unless --verb level is 7 or higher.

  v2 - Don't exceed 80 chars line length
 - Clarify the magic in sanitize_control_message()
 - Relocate auth_token_sent struct member slightly

Signed-off-by: David Sommerseth 
---
 src/openvpn/misc.c   |  9 +
 src/openvpn/push.c   | 12 +++-
 src/openvpn/ssl_common.h |  2 ++
 3 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index 225f0bf..b06d446 100644
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -2073,6 +2073,15 @@ sanitize_control_message(const char *src, struct 
gc_arena *gc)
  skip = 4;
  redact = true;
}
+  else if (!check_debug_level(D_SHOW_KEYS)
+   && (c == 'a' && !strncmp(src, "auth-token ", 11)))
+   {
+  /* Unless --verb is 7 or higher (D_SHOW_KEYS), hide
+   * the auth-token value coming in the src string
+   */
+ skip = 10;
+ redact = true;
+   }
 
   if (c == ',') /* end of redacted item? */
{
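Review bot: skip = 10 and the 11 in strncmp(src, "auth-token ", 11) are the same fact written twice (keyword length plus its separator) with nothing tying them together; change one without the other and the redaction either chops the keyword or lets part of the value through. Derive both from one place, for example `const size_t n = strlen("auth-token ");` with `skip = n - 1;`, or at least say in the new comment that skip is the prefix length minus the separator. The comment could also mention that redaction runs up to the next ',' (the existing check a few lines down), which is safe for this option only because a base64 token never contains a comma.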
diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index ee2eda4..ff374c8 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -309,7 +309,7 @@ prepare_push_reply (struct context *c, struct gc_arena *gc,
struct push_list *push_list)
 {
   const char *optstr = NULL;
-  const struct tls_multi *tls_multi = c->c2.tls_multi;
+  struct tls_multi *tls_multi = c->c2.tls_multi;
   const char * const peer_info = tls_multi->peer_info;
   struct options *o = >options;
 
@@ -371,6 +371,16 @@ prepare_push_reply (struct context *c, struct gc_arena *gc,
  push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername);
}
 }
+
+  /* If server uses --auth-gen-token and we have an auth token
+   * to send to the client
+   */
+  if (false == tls_multi->auth_token_sent && NULL != tls_multi->auth_token)
+{
+  push_option_fmt(gc, push_list, M_USAGE,
+  "auth-token %s", tls_multi->auth_token);
+  tls_multi->auth_token_sent = true;
+}
   return true;
 }
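Review bot: auth_token_sent is set to true here and nothing in this series clears it again, so if a token is ever replaced within a session (for instance once the lifetime given to --auth-gen-token has run out and a fresh one is generated) this path would not push the replacement. Reset the flag wherever auth_token is assigned, or compare against the token actually pushed rather than a bool. The pushed value reaches the log only through sanitize_control_message(), so the misc.c change is the only thing keeping it out of logs at the default --verb.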
 
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index 9b63a12..b04a24c 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -533,6 +533,8 @@ struct tls_multi
   *   user/pass authentications in this session.
   */
   time_t auth_token_tstamp; /**< timestamp of the generated token */
+  bool auth_token_sent;  /**< If server uses --auth-gen-token and
+  *   token has been sent to client */
   /*
* Our session objects.
*/
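Review bot: prepare_push_reply() relies on auth_token_sent starting out false, which holds only if struct tls_multi is zero-initialised where it is allocated; confirm that, or set the flag explicitly where auth_token is first assigned in ssl_verify.c. A stale true would silently mean the token is never pushed and the client keeps presenting its password on every renegotiation.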
-- 
1.8.3.1




Re: [Openvpn-devel] Separate apt repositories for 2.4-alpha/beta/rc releases?

2016-10-14 Thread Matthias Andree
Am 14.10.2016 um 17:28 schrieb Samuli Seppänen:
> Hi,
>
> Should we have a separate apt repository for "unstable" apt packages? 
> Right now our apt repositories hold 2.3.x packages, meaning that 
> upgrades have historically been fairly minor.
>
> That said, users who use _our_ apt repositories have expressed interest 
> in using something newer than what is available in their distribution's 
> repositories.
>
> Would 2.3.12 -> 2.4-alpha1 be too big an upgrade?
>
Yes, definitely. Please create a separate distribution for .deb packages
derived from pre-releases.




[Openvpn-devel] [PATCH v2.1 3/5] auth-gen-token: Generate an auth-token per client

2016-10-14 Thread David Sommerseth
When --auth-gen-token is used a random token key is generated for
each client after a successful user/password authentication.  This
token is expected to be returned in the password field on the
following authentications.

The token is 256 bits long and BASE64 encoded before it is stored.

  v2 - Fix Doxygen comment typo
 - Don't exceed 80 chars line length

Signed-off-by: David Sommerseth 
---
 src/openvpn/ssl.c|  6 ++
 src/openvpn/ssl_common.h |  8 
 src/openvpn/ssl_verify.c | 39 +++
 3 files changed, 53 insertions(+)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index c7cf78d..54b6686 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1173,6 +1173,12 @@ tls_multi_free (struct tls_multi *multi, bool clear)
 
   cert_hash_free (multi->locked_cert_hash_set);
 
+  if (multi->auth_token)
+{
+  memset (multi->auth_token, 0, AUTH_TOKEN_SIZE);
+  free (multi->auth_token);
+}
+
   for (i = 0; i < TM_SIZE; ++i)
 tls_session_free (>session[i], false);
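Review bot: memset(multi->auth_token, 0, AUTH_TOKEN_SIZE) wipes 32 bytes, but auth_token holds the base64 form of the 32 random bytes (44 characters plus NUL, per the commit message), so the last 12 characters of the token survive in freed memory. Wipe strlen(multi->auth_token) bytes instead, or add an encoded-length constant next to AUTH_TOKEN_SIZE and use it here and in the ssl_verify.c error path. Steffan's point that a memset right before free() is liable to be optimised away (trac #751) comes on top of this.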
 
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index 50c4a9c..9b63a12 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -351,6 +351,9 @@ struct tls_options
 /** @} name Index of key_state objects within a tls_session structure */
 /** @} addtogroup control_processor */
 
+#define AUTH_TOKEN_SIZE 32  /**< Size of server side generated auth tokens.
+ *   32 bytes == 256 bits
+ */
 
 /**
  * Security parameter state of a single session within a VPN tunnel.
@@ -525,6 +528,11 @@ struct tls_multi
   uint32_t peer_id;
   bool use_peer_id;
 
+  char *auth_token;  /**< If server sends a generated auth-token,
+  *   this is the token to use for future
+  *   user/pass authentications in this session.
+  */
+  time_t auth_token_tstamp; /**< timestamp of the generated token */
   /*
* Our session objects.
*/
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index d0c22b8..0ac5689 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -39,6 +39,8 @@
 
 #include "misc.h"
 #include "manage.h"
+#include "otime.h"
+#include "base64.h"
 #include "ssl_verify.h"
 #include "ssl_verify_backend.h"
 
@@ -1174,6 +1176,43 @@ verify_user_pass(struct user_pass *up, struct tls_multi 
*multi,
   if (man_def_auth != KMDA_UNDEF)
ks->auth_deferred = true;
 #endif
+
+  if ((session->opt->auth_token_generate) && (NULL == multi->auth_token))
+   {
+ /* Server is configured with --auth-gen-token but no token has yet
+  * been generated for this client.  Generate one and save it.
+  */
+ uint8_t tok[AUTH_TOKEN_SIZE];
+
+ if (!rand_bytes(tok, AUTH_TOKEN_SIZE))
+   {
+ msg( M_FATAL, "Failed to get enough randomness for "
+   "authentication token");
+   }
+
+ /* The token should be longer than the input when
+   * being base64 encoded
+   */
+ if( openvpn_base64_encode(tok, AUTH_TOKEN_SIZE,
+>auth_token) < AUTH_TOKEN_SIZE)
+   {
+ msg(D_TLS_ERRORS, "BASE64 encoding of token failed. "
+  "No auth-token will be activated now");
+ if (multi->auth_token)
+   {
+ memset (multi->auth_token, 0, AUTH_TOKEN_SIZE);
+ free (multi->auth_token);
+ multi->auth_token = NULL;
+   }
+   }
+ else
+   {
+ multi->auth_token_tstamp = now;
+ dmsg (D_SHOW_KEYS, "Generated token for client: %s",
+multi->auth_token);
+   }
+   }
+
   if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME))
set_common_name (session, up->username);
 #ifdef ENABLE_DEF_AUTH
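Review bot: the raw random bytes in tok stay on the stack after openvpn_base64_encode() has made its copy; clear tok before leaving the block, since the encoded copy is the only one wiped in tls_multi_free(). Two smaller points: comparing the return value against AUTH_TOKEN_SIZE (with the comment that base64 output is longer than its input) tests for failure indirectly, and a plain `< 0` check would state the intent if openvpn_base64_encode() follows the usual -1-on-error convention; and the dmsg(D_SHOW_KEYS) that logs the new token uses the same threshold as the redaction in patch 4/5, so both must keep D_SHOW_KEYS for the logging policy to stay consistent.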
-- 
1.8.3.1
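The token lifecycle this commit message describes, as an added illustration that is not OpenVPN's code: 32 random bytes, base64 for storage, generation only when no token exists yet, and a lifetime check following the --auth-gen-token [lifetime] man page text later in this thread (0 means no expiry). It differs from the hunks above in that the wipe covers the whole 44-character encoded string and the raw bytes are cleared after encoding. AUTH_TOKEN_SIZE is the patch's name; struct auth_token_state, b64_encode, wipe, the /dev/urandom-based rand_bytes stand-in and the exact expiry boundary are this example's own assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define AUTH_TOKEN_SIZE 32                                   /* raw bytes, as in the patch */
#define AUTH_TOKEN_B64_LEN (((AUTH_TOKEN_SIZE + 2) / 3) * 4) /* 44 characters stored */

/* Stand-in for the two tls_multi members the patch adds. */
struct auth_token_state {
    char *auth_token;           /* base64 text, or NULL until generated */
    time_t auth_token_tstamp;   /* generation time (the patch stores 'now') */
};

/* Minimal RFC 4648 encoder; out needs 4*ceil(n/3)+1 bytes. Returns encoded length. */
static size_t b64_encode(const uint8_t *in, size_t n, char *out)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t o = 0;
    for (size_t i = 0; i < n; i += 3) {
        uint32_t v = (uint32_t)in[i] << 16;
        if (i + 1 < n) v |= (uint32_t)in[i + 1] << 8;
        if (i + 2 < n) v |= in[i + 2];
        out[o++] = tbl[(v >> 18) & 63];
        out[o++] = tbl[(v >> 12) & 63];
        out[o++] = (i + 1 < n) ? tbl[(v >> 6) & 63] : '=';
        out[o++] = (i + 2 < n) ? tbl[v & 63] : '=';
    }
    out[o] = '\0';
    return o;
}

/* Stand-in for rand_bytes(): the OS CSPRNG (assumes a Unix /dev/urandom). */
static bool rand_bytes(uint8_t *buf, size_t n)
{
    FILE *f = fopen("/dev/urandom", "rb");
    bool ok = f && fread(buf, 1, n, f) == n;
    if (f) fclose(f);
    return ok;
}

/* Volatile stores are not dropped as dead stores the way a memset() right
 * before free() can be (the trac #751 point raised in review). */
static void wipe(void *buf, size_t n)
{
    volatile unsigned char *p = buf;
    while (n--) *p++ = 0;
}

/* Wipe the whole stored string, not AUTH_TOKEN_SIZE bytes: the base64 token is
 * 44 characters long, so a 32-byte memset would leave its tail in memory. */
void auth_token_free(struct auth_token_state *st)
{
    if (!st->auth_token) return;
    wipe(st->auth_token, strlen(st->auth_token));
    free(st->auth_token);
    st->auth_token = NULL;
}

/* Generate once per session, as the patch does when auth_token is NULL.
 * On failure the state is left without a token and the caller keeps using
 * the external user/password path. */
bool auth_token_generate(struct auth_token_state *st, time_t now)
{
    uint8_t tok[AUTH_TOKEN_SIZE];
    if (st->auth_token) return true;
    if (!rand_bytes(tok, sizeof tok)) return false;
    char *enc = malloc(AUTH_TOKEN_B64_LEN + 1);
    if (!enc) { wipe(tok, sizeof tok); return false; }
    size_t len = b64_encode(tok, sizeof tok, enc);
    wipe(tok, sizeof tok);                    /* raw bytes no longer needed */
    if (len != AUTH_TOKEN_B64_LEN) { free(enc); return false; }
    st->auth_token = enc;
    st->auth_token_tstamp = now;
    return true;
}

/* --auth-gen-token [lifetime]: 0 (or unset) never expires within the session;
 * otherwise the token is good for 'lifetime' seconds from generation (the
 * exact boundary is this example's assumption, not the patch's). */
bool auth_token_valid(const struct auth_token_state *st, int lifetime, time_t now)
{
    if (!st->auth_token) return false;
    if (lifetime <= 0) return true;
    return (now - st->auth_token_tstamp) < lifetime;
}

/* Runs the whole lifecycle; returns 0 on success or the number of the failing step. */
int auth_token_lifecycle_check(void)
{
    struct auth_token_state st = { NULL, 0 };
    char probe[8];
    if (b64_encode((const uint8_t *)"Man", 3, probe) != 4 || strcmp(probe, "TWFu"))
        return 1;                                            /* RFC 4648 test vector */
    if (!auth_token_generate(&st, 1000)) return 2;
    if (strlen(st.auth_token) != AUTH_TOKEN_B64_LEN) return 3;
    if (st.auth_token[AUTH_TOKEN_B64_LEN - 1] != '=') return 4; /* 32 % 3 == 2 */
    if (!auth_token_generate(&st, 2000) || st.auth_token_tstamp != 1000) return 5;
    auth_token_free(&st);
    if (st.auth_token != NULL) return 6;
    return 0;
}
```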




Re: [Openvpn-devel] [PATCH v2 3/5] auth-gen-token: Generate an auth-token per client

2016-10-14 Thread David Sommerseth

Meh ... disregard this patch.  Just noticed that the auth_token_sent
member in the struct tls_options sneaked into this patch during my git
rebasing.

I'll send the correct v2 patch (as v2.1 in the subject only)

--
kind regards,

David Sommerseth


On 14/10/16 12:18, David Sommerseth wrote:
> When --auth-gen-token is used a random token key is generated for
> each client after a successful user/password authentication.  This
> token is expected to be returned in the password field on the
> following authentications.
> 
> The token is 256 bits long and BASE64 encoded before it is stored.
> 
>   v2 - Fix Doxygen comment typo
>  - Don't exceed 80 chars line length
> 
> Signed-off-by: David Sommerseth 
> ---
>  src/openvpn/ssl.c|  6 ++
>  src/openvpn/ssl_common.h |  8 
>  src/openvpn/ssl_verify.c | 39 +++
>  3 files changed, 53 insertions(+)
> 
> diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
> index c7cf78d..54b6686 100644
> --- a/src/openvpn/ssl.c
> +++ b/src/openvpn/ssl.c
> @@ -1173,6 +1173,12 @@ tls_multi_free (struct tls_multi *multi, bool clear)
>  
>cert_hash_free (multi->locked_cert_hash_set);
>  
> +  if (multi->auth_token)
> +{
> +  memset (multi->auth_token, 0, AUTH_TOKEN_SIZE);
> +  free (multi->auth_token);
> +}
> +
>for (i = 0; i < TM_SIZE; ++i)
>  tls_session_free (>session[i], false);
>  
> diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
> index 50c4a9c..a340a69 100644
> --- a/src/openvpn/ssl_common.h
> +++ b/src/openvpn/ssl_common.h
> @@ -351,6 +351,7 @@ struct tls_options
>  /** @} name Index of key_state objects within a tls_session structure */
>  /** @} addtogroup control_processor */
>  
> +#define AUTH_TOKEN_SIZE 32  /**< Size of server side generated auth 
> tokens.  32 bytes == 256 bits */
>  
>  /**
>   * Security parameter state of a single session within a VPN tunnel.
> @@ -525,6 +526,13 @@ struct tls_multi
>uint32_t peer_id;
>bool use_peer_id;
>  
> +  bool auth_token_sent;  /**< If server uses --auth-gen-token and
> +  *   token has been sent to client */
> +  char *auth_token;  /**< If server sends a generated auth-token,
> +  *   this is the token to use for future
> +  *   user/pass authentications in this session.
> +  */
> +  time_t auth_token_tstamp; /**< timestamp of the generated token */
>/*
> * Our session objects.
> */
> diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
> index d0c22b8..497d1b7 100644
> --- a/src/openvpn/ssl_verify.c
> +++ b/src/openvpn/ssl_verify.c
> @@ -39,6 +39,8 @@
>  
>  #include "misc.h"
>  #include "manage.h"
> +#include "otime.h"
> +#include "base64.h"
>  #include "ssl_verify.h"
>  #include "ssl_verify_backend.h"
>  
> @@ -1174,6 +1176,43 @@ verify_user_pass(struct user_pass *up, struct 
> tls_multi *multi,
>if (man_def_auth != KMDA_UNDEF)
>   ks->auth_deferred = true;
>  #endif
> +
> +  if ((session->opt->auth_generate_token) && (NULL == multi->auth_token))
> + {
> +   /* Server is configured with --auth-gen-token but no token has yet
> +* been generated for this client.  Generate one and save it.
> +*/
> +   uint8_t tok[AUTH_TOKEN_SIZE];
> +
> +   if (!rand_bytes(tok, AUTH_TOKEN_SIZE))
> + {
> +   msg( M_FATAL, "Failed to get enough randomness for "
> +   "authentication token");
> + }
> +
> +   /* The token should be longer than the input when
> +   * being base64 encoded
> +   */
> +   if( openvpn_base64_encode(tok, AUTH_TOKEN_SIZE,
> +>auth_token) < AUTH_TOKEN_SIZE)
> + {
> +   msg(D_TLS_ERRORS, "BASE64 encoding of token failed. "
> +  "No auth-token will be activated now");
> +   if (multi->auth_token)
> + {
> +   memset (multi->auth_token, 0, AUTH_TOKEN_SIZE);
> +   free (multi->auth_token);
> +   multi->auth_token = NULL;
> + }
> + }
> +   else
> + {
> +   multi->auth_token_tstamp = now;
> +   dmsg (D_SHOW_KEYS, "Generated token for client: %s",
> +multi->auth_token);
> + }
> + }
> +
>if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME))
>   set_common_name (session, up->username);
>  #ifdef ENABLE_DEF_AUTH
> 


-- 
kind regards,

David Sommerseth




Re: [Openvpn-devel] [PATCH v2 3/5] auth-gen-token: Generate an auth-token per client

2016-10-14 Thread David Sommerseth




[Openvpn-devel] Separate apt repositories for 2.4-alpha/beta/rc releases?

2016-10-14 Thread Samuli Seppänen
Hi,

Should we have a separate apt repository for "unstable" apt packages? 
Right now our apt repositories hold 2.3.x packages, meaning that 
upgrades have historically been fairly minor.

That said, users who use _our_ apt repositories have expressed interest 
in using something newer than what is available in their distribution's 
repositories.

Would 2.3.12 -> 2.4-alpha1 be too big an upgrade?

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] [PATCH applied] Remove tun-ipv6 Option. Instead assume that IPv6 is always supported.

2016-10-14 Thread David Sommerseth

ACK.  This looks good now, testing looks fine on Linux (SL7.2 x86_64) too.

I've done some editorial changes to the commit message though, nothing changed
except adding and removing whitespaces and fixing a few typos (Ipv6 -> IPv6, 
etc).

Your patch has been applied to the master branch

commit 86e2fa5597fd1ad8e0102f134c63d6bc8cb7c291
Author: Arne Schwabe
Date:   Thu Oct 13 18:54:16 2016 +0200

 Remove tun-ipv6 Option. Instead assume that IPv6 is always supported.

 Signed-off-by: Arne Schwabe 
 Acked-by: David Sommerseth 
 Acked-by: Gert Doering 
 Message-Id: <1476377656-3150-1-git-send-email-a...@rfc2549.org>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12695.html
 Signed-off-by: David Sommerseth 


--
kind regards,

David Sommerseth




Re: [Openvpn-devel] [Patch v5] Remove tun-ipv6 Option. Instead assume that IPv6 is always supported.

2016-10-14 Thread Gert Doering
Hi,

On Thu, Oct 13, 2016 at 06:54:16PM +0200, Arne Schwabe wrote:
> Patch V5: Assume generic OS in tun.c is also IPv6 capable. Add changes to man 
> page. Fix typos/change message as suggest by David.

Patch still looks reasonable.  Since David tested Linux, I gave NetBSD 5.1
a run for the money (other platforms have no platform-specific code that
might be broken).

What can I say?  This stuff works :-)

 Test sets succeded: 1 1a 2 2b 2c 3 4 5.
 Test sets failed: 2a.

(That I actually ran 2a is an oversight - it's the IPv4 --multihome test
which I know is broken on NetBSD, unrelated to this patch)

So, throw in an ACK from me, too.

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] [PATCH 4/5] auth-gen-token: Push generated auth-tokens to the client

2016-10-14 Thread David Sommerseth
On 13/10/16 21:59, David Sommerseth wrote:
> If --auth-gen-token has been enabled and a token has been generated,
> ensure this token is pushed to the client using the 'auth-token' option.
> 
> Signed-off-by: David Sommerseth 
> ---
>  src/openvpn/misc.c   | 5 +
>  src/openvpn/push.c   | 9 -
>  src/openvpn/ssl_common.h | 2 ++
>  3 files changed, 15 insertions(+), 1 deletion(-)
> 
> diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
> index 225f0bf..b74ac9d 100644
> --- a/src/openvpn/misc.c
> +++ b/src/openvpn/misc.c
> @@ -2073,6 +2073,11 @@ sanitize_control_message(const char *src, struct 
> gc_arena *gc)
> skip = 4;
> redact = true;
>   }
> +  else if (!check_debug_level(D_SHOW_KEYS) && (c == 'a' && !strncmp(src, 
> "auth-token ", 11)))
> + {
> +   skip = 10;
> +   redact = true;
> + }

This magic here should probably be explained in the commit message.  It
basically removes the auth-token value from the log file, unless --verb
is set to 7 or higher and debug logging has not been disabled
(configure --disable-debug).

-- 
kind regards,

David Sommerseth
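The redaction explained above, re-implemented as an added stand-alone illustration (not OpenVPN's code) so the skip/redact mechanics and the --verb 7 exception can be exercised on a constructed PUSH_REPLY string. The table-driven prefix handling is this example's own generalisation of the hard-coded branches in misc.c; the show_keys parameter stands in for check_debug_level(D_SHOW_KEYS), and struct redact_rule and redaction_matches are this example's names.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One option whose value must not reach the log.  The keyword is kept and
 * everything after it up to the next ',' is dropped, which is what the
 * patch's "skip = 10; redact = true;" does for the 11-char "auth-token ". */
struct redact_rule {
    const char *prefix;      /* keyword including its trailing separator */
    bool shown_at_verb7;     /* patch: auth-token is logged again at --verb 7+ */
};

static const struct redact_rule rules[] = {
    { "auth-token ", true },  /* added by the patch, gated on D_SHOW_KEYS */
    { "echo ", false },       /* pre-existing redaction in misc.c */
};

/* Returns a newly allocated redacted copy of src (caller frees it).
 * show_keys stands in for check_debug_level(D_SHOW_KEYS). */
char *sanitize_control_message(const char *src, bool show_keys)
{
    char *ret = malloc(strlen(src) + 1);
    char *dest = ret;
    bool redact = false;
    size_t skip = 0;

    if (!ret)
        return NULL;

    for (const char *p = src; *p; ++p) {
        for (size_t i = 0; i < sizeof rules / sizeof rules[0]; ++i) {
            const struct redact_rule *r = &rules[i];
            size_t len = strlen(r->prefix);
            if (r->shown_at_verb7 && show_keys)
                continue;                 /* operator asked to see the value */
            if (strncmp(p, r->prefix, len) == 0) {
                skip = len - 1;           /* copy the keyword, drop the separator */
                redact = true;
            }
        }
        if (*p == ',') {                  /* end of redacted item */
            skip = 0;
            redact = false;
        }
        if (!redact) {
            *dest++ = *p;
        } else if (skip > 0) {
            --skip;
            *dest++ = *p;
        }
    }
    *dest = '\0';
    return ret;
}

/* Self-check helper: 1 if sanitising src under the given --verb policy
 * yields expected, else 0.  Frees its temporary. */
int redaction_matches(const char *src, bool show_keys, const char *expected)
{
    char *got = sanitize_control_message(src, show_keys);
    int ok = got && strcmp(got, expected) == 0;
    free(got);
    return ok;
}

int main(void)
{
    /* constructed PUSH_REPLY; the token value is a made-up placeholder */
    const char *msg = "PUSH_REPLY,auth-token cbFF6z1XQmp3Zo4E,"
                      "cipher AES-256-GCM,echo hi,ping 10";
    char *quiet = sanitize_control_message(msg, false);
    char *loud = sanitize_control_message(msg, true);
    printf("verb<7:  %s\nverb>=7: %s\n", quiet, loud);
    free(quiet);
    free(loud);
    return 0;
}
```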





[Openvpn-devel] [PATCH v2 3/5] auth-gen-token: Generate an auth-token per client

2016-10-14 Thread David Sommerseth
When --auth-gen-token is used a random token key is generated for
each client after a successful user/password authentication.  This
token is expected to be returned in the password field on the
following authentications.

The token is 256 bits long and BASE64 encoded before it is stored.

  v2 - Fix Doxygen comment typo
 - Don't exceed 80 chars line length

Signed-off-by: David Sommerseth 
---
 src/openvpn/ssl.c|  6 ++
 src/openvpn/ssl_common.h |  8 
 src/openvpn/ssl_verify.c | 39 +++
 3 files changed, 53 insertions(+)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index c7cf78d..54b6686 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1173,6 +1173,12 @@ tls_multi_free (struct tls_multi *multi, bool clear)
 
   cert_hash_free (multi->locked_cert_hash_set);
 
+  if (multi->auth_token)
+{
+  memset (multi->auth_token, 0, AUTH_TOKEN_SIZE);
+  free (multi->auth_token);
+}
+
   for (i = 0; i < TM_SIZE; ++i)
 tls_session_free (>session[i], false);
 
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index 50c4a9c..a340a69 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -351,6 +351,7 @@ struct tls_options
 /** @} name Index of key_state objects within a tls_session structure */
 /** @} addtogroup control_processor */
 
+#define AUTH_TOKEN_SIZE 32  /**< Size of server side generated auth 
tokens.  32 bytes == 256 bits */
 
 /**
  * Security parameter state of a single session within a VPN tunnel.
@@ -525,6 +526,13 @@ struct tls_multi
   uint32_t peer_id;
   bool use_peer_id;
 
+  bool auth_token_sent;  /**< If server uses --auth-gen-token and
+  *   token has been sent to client */
+  char *auth_token;  /**< If server sends a generated auth-token,
+  *   this is the token to use for future
+  *   user/pass authentications in this session.
+  */
+  time_t auth_token_tstamp; /**< timestamp of the generated token */
   /*
* Our session objects.
*/
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index d0c22b8..497d1b7 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -39,6 +39,8 @@
 
 #include "misc.h"
 #include "manage.h"
+#include "otime.h"
+#include "base64.h"
 #include "ssl_verify.h"
 #include "ssl_verify_backend.h"
 
@@ -1174,6 +1176,43 @@ verify_user_pass(struct user_pass *up, struct tls_multi 
*multi,
   if (man_def_auth != KMDA_UNDEF)
ks->auth_deferred = true;
 #endif
+
+  if ((session->opt->auth_generate_token) && (NULL == multi->auth_token))
+   {
+ /* Server is configured with --auth-gen-token but no token has yet
+  * been generated for this client.  Generate one and save it.
+  */
+ uint8_t tok[AUTH_TOKEN_SIZE];
+
+ if (!rand_bytes(tok, AUTH_TOKEN_SIZE))
+   {
+ msg( M_FATAL, "Failed to get enough randomness for "
+   "authentication token");
+   }
+
+ /* The token should be longer than the input when
+   * being base64 encoded
+   */
+ if( openvpn_base64_encode(tok, AUTH_TOKEN_SIZE,
+>auth_token) < AUTH_TOKEN_SIZE)
+   {
+ msg(D_TLS_ERRORS, "BASE64 encoding of token failed. "
+  "No auth-token will be activated now");
+ if (multi->auth_token)
+   {
+ memset (multi->auth_token, 0, AUTH_TOKEN_SIZE);
+ free (multi->auth_token);
+ multi->auth_token = NULL;
+   }
+   }
+ else
+   {
+ multi->auth_token_tstamp = now;
+ dmsg (D_SHOW_KEYS, "Generated token for client: %s",
+multi->auth_token);
+   }
+   }
+
   if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME))
set_common_name (session, up->username);
 #ifdef ENABLE_DEF_AUTH
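Review bot: this version still tests session->opt->auth_generate_token, but v2 of the --auth-gen-token option patch in this thread renamed that member to auth_token_generate (its init.c hunk assigns to.auth_token_generate), so the two patches do not build together; v2.1 of this patch uses the new name.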
-- 
1.8.3.1




[Openvpn-devel] [PATCH] auth-gen-token: Add --auth-gen-token option

2016-10-14 Thread David Sommerseth
This sets the flag if the OpenVPN server should create authentication
tokens on-the-fly on successful --auth-user-pass-verify or --plugin with
OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY processing.

If an OpenVPN server is running without this option, it should behave
as before.  Next patches will implement the auth-token generation and
passing it on to the clients.

The --auth-gen-token can be given an optional integer argument which
defines the lifetime of generated tokens.  The lifetime argument
must be given in number of seconds.

  v2 - Update Changes.rst
 - Improve man page in regards to lifetime argument
 - Rename struct member auth_generate_token to auth_token_generate
   to have a consistent naming scheme

Signed-off-by: David Sommerseth 
---
 Changes.rst  | 15 +++
 doc/openvpn.8| 22 ++
 src/openvpn/init.c   |  2 ++
 src/openvpn/options.c| 16 
 src/openvpn/options.h|  2 ++
 src/openvpn/ssl_common.h |  3 +++
 6 files changed, 60 insertions(+)

diff --git a/Changes.rst b/Changes.rst
index 9fcba75..fa9bf7e 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -62,6 +62,21 @@ Cipher negotiation
 to use that cipher.  Data channel cipher negotiation can be controlled
 using --ncp-ciphers and --ncp-disable.
 
+Authentication tokens
+In situations where it is not suitable to save users passwords on the 
client
+OpenVPN have since v2.3 had support for --auth-token.  This option is
+pushed from the server to the client with a token value to be used instead
+of the users password.  For this to work, the authentication plug-in would
+need to implement this support as well.  In OpenVPN 2.4 --auth-gen-token
+is introduced, which will allow the OpenVPN server to generate a random
+token and push it to the client without any changes to the authentication
+modules.  When the clients need to re-authenticate the OpenVPN server will
+instead of sending the re-authentication request to the authentication
+module do the authentication internally.  This feature is especially
+useful in configurations which adds One Time Password (OTP) authentication
+schemes, as this allows the tunnel to be renegotiated regularly without
+any need to supply new OTP codes.
+
 
 User-visible Changes
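Review bot: a few grammar fixes for the release-notes text: "users passwords" -> "users' passwords", "OpenVPN have since v2.3 had support" -> "OpenVPN has had support since v2.3", "configurations which adds" -> "configurations which add", and the sentence "When the clients need to re-authenticate the OpenVPN server will instead of sending the re-authentication request to the authentication module do the authentication internally" reads more easily as "When a client needs to re-authenticate, the OpenVPN server authenticates the token internally instead of sending the request to the authentication module".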
 
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 1c341ae..24d0ab3 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -3595,6 +3595,28 @@ For a sample script that performs PAM authentication, see
 in the OpenVPN source distribution.
 .\"*
 .TP
+.B \-\-auth\-gen\-token [lifetime]
+After successful user/password authentication, the OpenVPN
+server will with this option generate a temporary
+authentication token and push that to client.  On the following
+renegotiations, the OpenVPN client will pass this token instead
+of the users password.  On the server side the server will do
+the token authentication internally and it will NOT do any
+additional authentications against configured external
+user/password authentication mechanisms.
+
+The
+.B lifetime
+argument defines how long the generated token is valid.  The
+lifetime is defined in seconds.  If lifetime is not set
+or it is set to 0, the token will never expire.
+
+This feature is useful for environments which is configured
+to use One Time Passwords (OTP) as part of the user/password
+authentications and that authentication mechanism does not
+implement any auth-token support.
+.\"*
+.TP
 .B \-\-opt\-verify
 Clients that connect with options that are incompatible
 with those of the server will be disconnected.
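Review bot: "If lifetime is not set or it is set to 0, the token will never expire" needs a qualifier: patch 3/5 stores the token in struct tls_multi and wipes it in tls_multi_free(), so "never" means for the life of that client session, not across reconnects. Saying so lets an administrator judge the exposure if a client's token leaks. Grammar: "push that to client" -> "push that to the client", "the users password" -> "the user's password", "environments which is configured" -> "environments which are configured".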
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index cc8e945..65bcb2a 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2427,6 +2427,8 @@ do_init_crypto_tls (struct context *c, const unsigned int 
flags)
   if (options->ccd_exclusive)
 to.client_config_dir_exclusive = options->client_config_dir;
   to.auth_user_pass_file = options->auth_user_pass_file;
+  to.auth_token_generate = options->auth_token_generate;
+  to.auth_token_lifetime = options->auth_token_lifetime;
 #endif
 
   to.x509_track = options->x509_track;
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 1ed14b0..b6adf55 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -445,6 +445,11 @@ static const char usage_message[] =
   "  run command cmd to verify.  If method='via-env', pass\n"
   "  user/pass via environment, if method='via-file', pass\n"
   "  user/pass via temporary file.\n"
+  "--auth-gen-token  [lifetime] Generate a random authentication token which 
is pushed\n"
+  "  to each client, replacing the password.  Usefull when\n"
+  "  OTP based two-factor auth mechanisms are in use and\n"
+  "

Re: [Openvpn-devel] [PATCH 3/5] auth-gen-token: Generate an auth-token per client

2016-10-14 Thread Steffan Karger
Hi,

Patch looks good, but haven't tested yet.  Will test the set as a whole.

Some minor remarks:

On 13-10-16 21:59, David Sommerseth wrote:
> When --auth-gen-token is used a random token key is generated for
> each client after a successful user/password authentication.  This
> token is expected to be returned in the password field on the
> following authentications.
> 
> The token is 256 bits long and BASE64 encoded before it is stored.
> 
> Signed-off-by: David Sommerseth 
> ---
>  src/openvpn/ssl.c|  6 ++
>  src/openvpn/ssl_common.h |  6 ++
>  src/openvpn/ssl_verify.c | 33 +
>  3 files changed, 45 insertions(+)
> 
> diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
> index c7cf78d..54b6686 100644
> --- a/src/openvpn/ssl.c
> +++ b/src/openvpn/ssl.c
> @@ -1173,6 +1173,12 @@ tls_multi_free (struct tls_multi *multi, bool clear)
>  
>cert_hash_free (multi->locked_cert_hash_set);
>  
> +  if (multi->auth_token)
> +{
> +  memset (multi->auth_token, 0, AUTH_TOKEN_SIZE);
> +  free (multi->auth_token);
> +}

This memset() is likely to be optimized away by the compiler, but we
have many more like this, so let's leave it like this for now, and fix
all these in one go (I created trac #751 to keep track).

>for (i = 0; i < TM_SIZE; ++i)
>  tls_session_free (>session[i], false);
>  
> diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
> index 60121db..1b90c5e 100644
> --- a/src/openvpn/ssl_common.h
> +++ b/src/openvpn/ssl_common.h
> @@ -351,6 +351,7 @@ struct tls_options
>  /** @} name Index of key_state objects within a tls_session structure */
>  /** @} addtogroup control_processor */
>  
> +#define AUTH_TOKEN_SIZE 32  /**< Size of server side generated auth 
> tokens.  32 bytes == 256 bits */
>  
>  /**
>   * Security parameter state of a single session within a VPN tunnel.
> @@ -525,6 +526,11 @@ struct tls_multi
>uint32_t peer_id;
>bool use_peer_id;
>  
> +  char *auth_token;  /** If server sends a generated auth-token,
> +  * this is the token to use for future
> +  * user/pass authentications in this session.
> +  */

Use /**< to make this a doxygen comment (like you did below).

> +  time_t auth_token_tstamp; /**< timestamp of the generated token */
>/*
> * Our session objects.
> */
> diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
> index d0c22b8..24ec56e 100644
> --- a/src/openvpn/ssl_verify.c
> +++ b/src/openvpn/ssl_verify.c
> @@ -39,6 +39,8 @@
>  
>  #include "misc.h"
>  #include "manage.h"
> +#include "otime.h"
> +#include "base64.h"
>  #include "ssl_verify.h"
>  #include "ssl_verify_backend.h"
>  
> @@ -1174,6 +1176,37 @@ verify_user_pass(struct user_pass *up, struct 
> tls_multi *multi,
>if (man_def_auth != KMDA_UNDEF)
>   ks->auth_deferred = true;
>  #endif
> +
> +  if ((session->opt->auth_generate_token) && (NULL == multi->auth_token))
> + {
> +   /* Server is configured with --auth-gen-token but no token has yet 
> been
> +* generated for this client.  Generate one and save it.
> +*/
> +   uint8_t tok[AUTH_TOKEN_SIZE];
> +
> +   if (!rand_bytes(tok, AUTH_TOKEN_SIZE))
> + {
> +   msg( M_FATAL, "Failed to get enough randomness for authentication 
> token");
> + }
> +
> +   /* The token should be longer than the input when being base64 
> encoded*/
> +   if( openvpn_base64_encode(tok, AUTH_TOKEN_SIZE, >auth_token) < 
> AUTH_TOKEN_SIZE)
> + {
> +   msg(D_TLS_ERRORS, "BASE64 encoding of token failed.  No 
> auth-token will be activated now");

These are quite a bit longer than 80 chars.

-Steffan

--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [PATCH applied] Move memcmp_constant_time() to crypto.h

2016-10-14 Thread David Sommerseth
On 14/10/16 10:48, David Sommerseth wrote:
> Your patch has been applied to the master branch
> 
> commit b891e57e1fe794483c08296e32c15751f2676a2d
> Author: David Sommerseth
> Date:   Thu Oct 13 21:59:27 2016 +0200
> 
>  Move memcmp_constant_time() to crypto.h
> 
>  Signed-off-by: David Sommerseth 
>  Acked-by: Steffan Karger 
>  Message-Id: <1476388771-16492-2-git-send-email-dav...@openvpn.net>
>  URL: 
> https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12698.html
> 

[Let's try again, and see if Enigmail can be convinced not to encrypt it
this time]

Just for reference, as I forgot to state that in the previous mail.

This patch was slightly modified at commit time.  The function
declaration changed from 'static int' to 'static inline int', as
requested by Steffan Karger.

The difference is:

@@ -31,7 +31,7 @@
 + * As memcmp(), but constant-time.
 + * Returns 0 when data is equal, non-zero otherwise.
 + */
-+static int
++static inline int
 +memcmp_constant_time (const void *a, const void *b, size_t size) {
 +  const uint8_t * a1 = a;
 +  const uint8_t * b1 = b;
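
Review bot: with `static inline` in a header, each translation unit that includes crypto.h gets its own copy and compilers no longer warn about an unused static function in files that include the header without calling it, so this is the right fix for a header-defined helper and matches what was asked for in review.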



-- 
kind regards,

David Sommerseth





Re: [Openvpn-devel] [PATCH applied] Move memcmp_constant_time() to crypto.h

2016-10-14 Thread David Sommerseth


encrypted.asc
Description: OpenPGP encrypted message


Re: [Openvpn-devel] [PATCH 2/5] auth-gen-token: Add --auth-gen-token option

2016-10-14 Thread Steffan Karger


On 13-10-16 21:59, David Sommerseth wrote:
> This sets the flag if the OpenVPN server should create authentication
> tokens on-the-fly on successful --auth-user-pass-verify or --plugin with
> OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY processing.
> 
> If an OpenVPN server is running without this option, it should behave
> as before.  Next patches will implement the auth-token generation and
> passing it on to the clients.
> 
> The --auth-gen-token can be given an optional integer argument which
> defines the lifetime of generated tokens.  The lifetime argument
> must be given in number of seconds.
> 
> Signed-off-by: David Sommerseth 
> ---
>  doc/openvpn.8| 16 
>  src/openvpn/init.c   |  2 ++
>  src/openvpn/options.c| 16 
>  src/openvpn/options.h|  2 ++
>  src/openvpn/ssl_common.h |  3 +++
>  5 files changed, 39 insertions(+)
> 
> diff --git a/doc/openvpn.8 b/doc/openvpn.8
> index 1c341ae..521bd9b 100644
> --- a/doc/openvpn.8
> +++ b/doc/openvpn.8
> @@ -3595,6 +3595,22 @@ For a sample script that performs PAM authentication, 
> see
>  in the OpenVPN source distribution.
>  .\"*
>  .TP
> +.B \-\-auth\-gen\-token [lifetime]
> +After successful user/password authentication, the OpenVPN
> +server will with this option generate a temporary
> +authentication token and push that to client.  On the following
> +renegotiations, the OpenVPN client will pass this token instead
> +of the users password.  On the server side the server will do
> +the token authentication internally and it will NOT do any
> +additional authentications against configured external
> +user/password authentication mechanisms.

This should mention that a lifetime of 0 indicates 'never expires'.

> +This feature is useful for environments which is configured
> +to use One Time Passwords (OTP) as part of the user/password
> +authentications and that authentication mechanism does not
> +implement any auth-token support.
> +.\"*
> +.TP
>  .B \-\-opt\-verify
>  Clients that connect with options that are incompatible
>  with those of the server will be disconnected.
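
Review bot: the man page paragraph never states what unit `lifetime` is in or what applies when it is omitted, while the commit message says it is a number of seconds; the option description should carry that. Also grammar in the new text: "push that to client" should be "push that to the client", "the users password" should be "the user's password", and "environments which is configured" should be "environments which are configured".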
> diff --git a/src/openvpn/init.c b/src/openvpn/init.c
> index cc8e945..5a8cb1f 100644
> --- a/src/openvpn/init.c
> +++ b/src/openvpn/init.c
> @@ -2427,6 +2427,8 @@ do_init_crypto_tls (struct context *c, const unsigned 
> int flags)
>if (options->ccd_exclusive)
>  to.client_config_dir_exclusive = options->client_config_dir;
>to.auth_user_pass_file = options->auth_user_pass_file;
> +  to.auth_generate_token = options->auth_generate_token;
> +  to.auth_token_lifetime = options->auth_token_lifetime;
>  #endif
>  
>to.x509_track = options->x509_track;
> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> index 1ed14b0..1037619 100644
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -445,6 +445,11 @@ static const char usage_message[] =
>"  run command cmd to verify.  If method='via-env', pass\n"
>"  user/pass via environment, if method='via-file', pass\n"
>"  user/pass via temporary file.\n"
> +  "--auth-gen-token  [lifetime] Generate a random authentication token which 
> is pushed\n"
> +  "  to each client, replacing the password.  Usefull when\n"
> +  "  OTP based two-factor auth mechanisms are in use and\n"
> +  "  --reneg-* options are enabled. Optionally a lifetime in 
> seconds\n"
> +  "  for generated tokens can be set.\n"
>"--opt-verify: Clients that connect with options that are 
> incompatible\n"
>"  with those of the server will be disconnected.\n"
>"--auth-user-pass-optional : Allow connections by clients that don't\n"
> @@ -864,6 +869,7 @@ init_options (struct options *o, const bool init_gc)
>  #ifdef ENABLE_PKCS11
>o->pkcs11_pin_cache_period = -1;
>  #endif   /* ENABLE_PKCS11 */
> +  o->auth_generate_token = false;
>  
>  /* tmp is only used in P2MP server context */
>  #if P2MP_SERVER
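
Review bot: `auth_generate_token` is given an explicit default here but the companion `auth_token_lifetime` (copied in init.c and shown via SHOW_INT below) is not; either both need a default in init_options(), or, if the options struct is zero-initialised before this point, the `false` assignment is redundant. Setting both in one place makes the intended default lifetime visible.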
> @@ -1264,6 +1270,8 @@ show_p2mp_parms (const struct options *o)
>SHOW_INT (max_routes_per_client);
>SHOW_STR (auth_user_pass_verify_script);
>SHOW_BOOL (auth_user_pass_verify_script_via_file);
> +  SHOW_BOOL (auth_generate_token);
> +  SHOW_INT (auth_token_lifetime);
>  #if PORT_SHARE
>SHOW_STR (port_share_host);
>SHOW_STR (port_share_port);
> @@ -2194,6 +2202,8 @@ options_postprocess_verify_ce (const struct options 
> *options, const struct conne
>   "tcp-nodelay in the server configuration instead.");
>if (options->auth_user_pass_verify_script)
>   msg (M_USAGE, "--auth-user-pass-verify requires --mode server");
> +  if (options->auth_generate_token)
> + msg (M_USAGE, "--auth-gen-token requires --mode server");
>  #if PORT_SHARE
>if 

Re: [Openvpn-devel] [PATCH 1/5] Move memcmp_constant_time() to crypto.h

2016-10-14 Thread Steffan Karger
Hi David,

On 13-10-16 21:59, David Sommerseth wrote:
> This function is quite useful other places, so make it generally
> accessible.
> 
> Signed-off-by: David Sommerseth 
> ---
>  src/openvpn/crypto.c | 18 --
>  src/openvpn/crypto.h | 18 ++
>  2 files changed, 18 insertions(+), 18 deletions(-)
> 
> diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
> index 3dd4a9e..026d9ae 100644
> --- a/src/openvpn/crypto.c
> +++ b/src/openvpn/crypto.c
> @@ -66,24 +66,6 @@
>  #define CRYPT_ERROR(format) \
>do { msg (D_CRYPT_ERRORS, "%s: " format, error_prefix); goto error_exit; } 
> while (false)
>  
> -/**
> - * As memcmp(), but constant-time.
> - * Returns 0 when data is equal, non-zero otherwise.
> - */
> -static int
> -memcmp_constant_time (const void *a, const void *b, size_t size) {
> -  const uint8_t * a1 = a;
> -  const uint8_t * b1 = b;
> -  int ret = 0;
> -  size_t i;
> -
> -  for (i = 0; i < size; i++) {
> -  ret |= *a1++ ^ *b1++;
> -  }
> -
> -  return ret;
> -}
> -
>  static void
>  openvpn_encrypt_aead (struct buffer *buf, struct buffer work,
>struct crypto_options *opt) {
> diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
> index 3b6bb98..9ae0610 100644
> --- a/src/openvpn/crypto.h
> +++ b/src/openvpn/crypto.h
> @@ -476,6 +476,24 @@ void get_tls_handshake_key (const struct key_type 
> *key_type,
>   * Inline functions
>   */
>  
> +/**
> + * As memcmp(), but constant-time.
> + * Returns 0 when data is equal, non-zero otherwise.
> + */
> +static int

I think this should carry an 'inline', now that it's in the header.

> +memcmp_constant_time (const void *a, const void *b, size_t size) {
> +  const uint8_t * a1 = a;
> +  const uint8_t * b1 = b;
> +  int ret = 0;
> +  size_t i;
> +
> +  for (i = 0; i < size; i++) {
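
Review bot: besides the missing `inline` noted above, the comment should spell out the contract: the loop always walks exactly `size` bytes, so the caller must guarantee both buffers are at least that long, and the result is an OR of byte XORs, so it only answers equal/not-equal and carries none of the ordering information memcmp() returns; callers must test `== 0` / `!= 0` and never the sign.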

Since we're allowed to write C99 now, can we take this opportunity to
save ourselves a line and write for (size_t i = 0, ...) ?  (Feel free to
ignore if you disagree.)

If you fix the first comment: ACK.

-Steffan
