[Openvpn-devel] [PATCH applied] Re: attempt to add IPv6 route even when no IPv6 address was configured

2017-02-20 Thread Gert Doering
ACK.  What we had was too strict in some cases, breaking people's
configs - with this change, we give users enough rope to hang themselves
if they insist on doing so, but point out in the log file that this might
be a stupid idea...

(That this came up in the first place is a consequence of commit
86e2fa5597fd1ad8e, 2.3 "supported" this mode of operation "fine")

Tested on linux - and it does the right motions.  Whether or not 
"route6 without ifconfig6" does the right thing on platform 
is not something we guarantee or promise :-)


Your patch has been applied to the master and release/2.4 branch.

commit 2b7650e7ec9241745e4f66c932d6cffaece927d7 (master)
commit c74d574417b8b491fe6ad44e89843af8479cc9be (release/2.4)
Author: Antonio Quartulli
Date:   Tue Jan 31 19:21:31 2017 +0800

 attempt to add IPv6 route even when no IPv6 address was configured

 Signed-off-by: Antonio Quartulli 
 Acked-by: Gert Doering 
 Message-Id: <20170131112131.13570-...@unstable.cc>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13994.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [PATCH v2] Fix user's group membership check in interactive service to work with domains

2017-02-20 Thread Gert Doering
Hi,

On Mon, Feb 20, 2017 at 11:13:49AM -0500, Selva Nair wrote:
> > MS documentation for GetTokenInformation() suggests that group membership
> > tests should be done with "CheckTokenMembership()", which sounds more
> > convenient than "extract them all and walk the list" - so maybe this
> > is done to avoid domain controller contact?
> 
> Thanks for the review :)
> 
> CheckTokenMembership() returns true only if the SID is present and enabled.
> That means when UAC is active it will not detect that the user is a member
> of administrators group as the SID will not be enabled. In other words, our
> usage of group membership is somewhat special -- we only care user is a
> member of admin or ovpn_admin groups, not that the corresponding rights be
> enabled in the token.

Oh, wow.

Thanks for the explanation - indeed, that makes sense :-)

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] [PATCH v2] Fix user's group membership check in interactive service to work with domains

2017-02-20 Thread Selva Nair
On Mon, Feb 20, 2017 at 7:18 AM, Gert Doering  wrote:

> On Sat, Jan 14, 2017 at 04:16:29PM -0500, selva.n...@gmail.com wrote:
> > From: Selva Nair 
> >
> > Currently the username unqualified by the domain is used to validate
> > a user which fails for domain users. Instead authorize the user
> >
> > (i) if the built-in admin group or ovpn_admin group is in the process
> token
> > (ii) else if the user's SID is in the built-in admin or ovpn_admin groups
> >
> > The second check is needed to recognize dynamic updates to group
> membership
> > on the local machine that will not be reflected in the token.
> >
> > These checks do not require connection to a domain controller and will
> > work even when user is logged in with cached credentials.
> >
> > Resolves Trac: #810
> >
> > v2: include the token check as described above
>
> Took me way too long...  the code change looks reasonable ("does what it
> says on the tin, and safely so").
>
> One question occurred to me, though...
>
> MS documentation for GetTokenInformation() suggests that group membership
> tests should be done with "CheckTokenMembership()", which sounds more
> convenient than "extract them all and walk the list" - so maybe this
> is done to avoid domain controller contact?


Thanks for the review :)

CheckTokenMembership() returns true only if the SID is present and enabled.
That means when UAC is active it will not detect that the user is a member
of administrators group as the SID will not be enabled. In other words, our
usage of group membership is somewhat special -- we only care user is a
member of admin or ovpn_admin groups, not that the corresponding rights be
enabled in the token.

Selva

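An added illustration (PowerShell, not OpenVPN code and not part of the original thread) of the distinction Selva draws above: `WindowsPrincipal.IsInRole()` wraps `CheckTokenMembership()` and therefore only reports SIDs that are present *and* enabled, whereas walking the token's group list (the `GetTokenInformation(TokenGroups)` view) and asking the local SAM for group membership (the patch's two checks) both still see an administrator whose UAC-filtered token carries the Administrators SID as "use for deny only". Assumptions: run on Windows 10 / Server 2016 or later as a local administrator in a non-elevated PowerShell; `Get-LocalGroupMember` is present; only the well-known BUILTIN\Administrators SID is checked, the `ovpn_admin` group from the patch is not assumed to exist.

```powershell
# Added example, not OpenVPN code: "SID present in token" vs "SID present AND
# enabled" (CheckTokenMembership() semantics) for an admin running under UAC.
# Assumes a non-elevated PowerShell on Windows 10 / Server 2016 or later.

$adminSid = 'S-1-5-32-544'     # BUILTIN\Administrators, well-known SID

function Test-SidEnabledInToken {
    # CheckTokenMembership() semantics: IsInRole() wraps that API and is true
    # only if the SID is present *and* enabled in the current token.
    param([string]$Sid)
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object System.Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([System.Security.Principal.SecurityIdentifier]$Sid)
}

function Test-SidPresentInToken {
    # "Extract them all and walk the list" semantics: read the raw TokenGroups
    # view including attributes.  whoami /groups prints exactly that list; on a
    # UAC-filtered token the Administrators entry carries the attribute
    # "Group used for deny only", i.e. present but not enabled.
    param([string]$Sid)
    $rows = whoami /groups /fo csv | ConvertFrom-Csv
    $row  = $rows | Where-Object { $_.SID -eq $Sid }
    if (-not $row) {
        return [pscustomobject]@{ Present = $false; Attributes = $null }
    }
    return [pscustomobject]@{ Present = $true; Attributes = $row.Attributes }
}

function Test-SidIsLocalGroupMember {
    # The patch's second check: ask the local SAM whether the user SID is a
    # direct member of the group.  This also catches membership changes made
    # after the logon token was built, which no token walk can see.
    param([string]$GroupSid, [string]$UserSid)
    $members = Get-LocalGroupMember -SID $GroupSid -ErrorAction SilentlyContinue
    return [bool]($members | Where-Object { $_.SID.Value -eq $UserSid })
}

$me      = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$enabled = Test-SidEnabledInToken $adminSid
$present = Test-SidPresentInToken $adminSid
$member  = Test-SidIsLocalGroupMember -GroupSid $adminSid -UserSid $me.User.Value

"Administrators enabled in token (CheckTokenMembership): $enabled"
"Administrators present in token                      : $($present.Present) [$($present.Attributes)]"
"User is a direct member of local Administrators      : $member"
```

Run non-elevated as a local administrator, the first line is false while the second and third are true, with the attribute column reading "Group used for deny only"; that is the gap Selva describes, and it is why an "is the user allowed to talk to the privileged service" decision has to look at presence in the token or at actual group membership rather than at enabled SIDs. Run the same script from an elevated prompt and all three agree.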

Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

2017-02-20 Thread Christian Hesse
Christian Hesse  on Mon, 2017/02/20 16:02:
> Emmanuel Deloget  on Mon, 2017/02/20 15:52:
> > On Mon, Feb 20, 2017 at 2:53 PM, Emmanuel Deloget 
> > wrote:  
> > > Hi again,
> > >
> > > On Mon, Feb 20, 2017 at 2:33 PM, Emmanuel Deloget 
> > > wrote:
> > >> Hi Christian,
> > >>
> > >> On Mon, Feb 20, 2017 at 1:29 PM, Christian Hesse 
> > >> wrote:
> > >>> That matches my findings. Built against openssl 1.1.0e (Arch Linux
> > >>> package openssl 1.1.0.e-1 [0]) the build itself succeeds, but 'make
> > >>> check' reports lots of cipher failures.
> > >>>
> > >>> Are your patches available from a public git repository?
> > >>
> > >> I will make my patches available on github ASAP.
> > >
> > > I did as fast as I could, here they are:
> > >
> > > https://github.com/emmanuel-deloget/openvpn/commits/openvpn-1.1
> > 
> > BTW, sorry for the branch name. I believe my fingers got stuck to a
> > limited number of characters. This should have been openssl-1.1 but
> > it's not too late to change it :)  
> 
> Ah, I checked out the wrong branch. :-p
> 
> Redoing my test...

That one looks good! Build and tested against ArchLinux package
openssl 1.1.0e.
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}




Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

2017-02-20 Thread Christian Hesse
Emmanuel Deloget  on Mon, 2017/02/20 15:52:
> On Mon, Feb 20, 2017 at 2:53 PM, Emmanuel Deloget  wrote:
> > Hi again,
> >
> > On Mon, Feb 20, 2017 at 2:33 PM, Emmanuel Deloget 
> > wrote:  
> >> Hi Christian,
> >>
> >> On Mon, Feb 20, 2017 at 1:29 PM, Christian Hesse  wrote:  
> >>> That matches my findings. Built against openssl 1.1.0e (Arch Linux
> >>> package openssl 1.1.0.e-1 [0]) the build itself succeeds, but 'make
> >>> check' reports lots of cipher failures.
> >>>
> >>> Are your patches available from a public git repository?  
> >>
> >> I will make my patches available on github ASAP.  
> >
> > I did as fast as I could, here they are:
> >
> > https://github.com/emmanuel-deloget/openvpn/commits/openvpn-1.1  
> 
> BTW, sorry for the branch name. I believe my fingers got stuck to a
> limited number of characters. This should have been openssl-1.1 but
> it's not too late to change it :)

Ah, I checked out the wrong branch. :-p

Redoing my test...
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}




Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

2017-02-20 Thread Emmanuel Deloget
On Mon, Feb 20, 2017 at 2:53 PM, Emmanuel Deloget  wrote:
> Hi again,
>
> On Mon, Feb 20, 2017 at 2:33 PM, Emmanuel Deloget  wrote:
>> Hi Christian,
>>
>> On Mon, Feb 20, 2017 at 1:29 PM, Christian Hesse  wrote:
>>> That matches my findings. Built against openssl 1.1.0e (Arch Linux package
>>> openssl 1.1.0.e-1 [0]) the build itself succeeds, but 'make check' reports
>>> lots of cipher failures.
>>>
>>> Are your patches available from a public git repository?
>>
>> I will make my patches available on github ASAP.
>
> I did as fast as I could, here they are:
>
> https://github.com/emmanuel-deloget/openvpn/commits/openvpn-1.1

BTW, sorry for the branch name. I believe my fingers got stuck to a
limited number of characters. This should have been openssl-1.1 but
it's not too late to change it :)



[Openvpn-devel] [RFC PATCH v2 06/15] OpenSSL: don't use direct access to the internal of EVP_PKEY

2017-02-20 Thread Emmanuel Deloget
OpenSSL 1.1 does not allow us to directly access the internal of
any data type, including EVP_PKEY. We have to use the defined
functions to do so.

Compatibility with OpenSSL 1.0 is kept by defining the corresponding
functions when they are not found in the library.

Signed-off-by: Emmanuel Deloget 
---
 configure.ac |  3 +++
 src/openvpn/openssl_compat.h | 42 ++
 src/openvpn/ssl_openssl.c|  6 +++---
 3 files changed, 48 insertions(+), 3 deletions(-)

diff --git a/configure.ac b/configure.ac
index c41db3e..8d99eb3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -906,6 +906,9 @@ if test "${enable_crypto}" = "yes" -a 
"${with_crypto_library}" = "openssl"; then
X509_STORE_get0_objects \
X509_OBJECT_free \
X509_OBJECT_get_type \
+   EVP_PKEY_id \
+   EVP_PKEY_get0_RSA \
+   EVP_PKEY_get0_DSA \
RSA_meth_new \
RSA_meth_free \
RSA_meth_set_pub_enc \
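Review bot: the three new AC_CHECK_FUNCS entries only tell configure whether the symbol links, and EVP_PKEY_get0_RSA()/EVP_PKEY_get0_DSA() are 1.1.0-only while EVP_PKEY_id() exists from 1.0.0 (see the cover letter), so on every 1.0.x build the get0 shims in openssl_compat.h, not the library functions, are what gets exercised; worth a sentence in the commit message so the 1.0.x buildbot results are read as shim coverage.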
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index 6a89b91..72ed7ac 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -134,6 +134,48 @@ X509_OBJECT_get_type(const X509_OBJECT *obj)
 }
 #endif
 
+#if !defined(HAVE_EVP_PKEY_GET0_RSA)
+/**
+ * Get the RSA object of a public key
+ *
+ * @param pkeyPublic key object
+ * @returnThe underlying RSA object
+ */
+static inline RSA *
+EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
+{
+return pkey ? pkey->pkey.rsa : NULL;
+}
+#endif
+
+#if !defined(HAVE_EVP_PKEY_ID)
+/**
+ * Get the PKEY type
+ *
+ * @param pkeyPublic key object
+ * @returnThe key type
+ */
+static inline int
+EVP_PKEY_id(const EVP_PKEY *pkey)
+{
+return pkey ? pkey->type : EVP_PKEY_NONE;
+}
+#endif
+
+#if !defined(HAVE_EVP_PKEY_GET0_DSA)
+/**
+ * Get the DSA object of a public key
+ *
+ * @param pkeyPublic key object
+ * @returnThe underlying DSA object
+ */
+static inline DSA *
+EVP_PKEY_get0_DSA(EVP_PKEY *pkey)
+{
+return pkey ? pkey->pkey.dsa : NULL;
+}
+#endif
+
 #if !defined(HAVE_RSA_METH_NEW)
 /**
  * Allocate a new RSA method object
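Review bot: the EVP_PKEY_get0_RSA() and EVP_PKEY_get0_DSA() shims return the union member without checking the key type, whereas the 1.1.0 functions they stand in for return NULL for a key of another type; on 1.0.x a DSA or EC key therefore yields a non-NULL, bogus RSA * to any caller that did not test EVP_PKEY_id() first. Suggest `return (pkey && pkey->type == EVP_PKEY_RSA) ? pkey->pkey.rsa : NULL;` (and the DSA equivalent) so behaviour is the same on both library generations.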
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index b683961..dbeb868 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -1075,7 +1075,7 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx,
 /* get the public key */
 EVP_PKEY *pkey = X509_get0_pubkey(cert);
 ASSERT(pkey); /* NULL before SSL_CTX_use_certificate() is called */
-pub_rsa = cert->cert_info->key->pkey->pkey.rsa;
+pub_rsa = EVP_PKEY_get0_RSA(pkey);
 
 /* initialize RSA object */
 rsa->n = BN_dup(pub_rsa->n);
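Review bot: with the real EVP_PKEY_get0_RSA() on 1.1.0, pub_rsa is NULL when the certificate key is not RSA, and the unguarded `rsa->n = BN_dup(pub_rsa->n);` right after the replaced line dereferences it; the ASSERT(pkey) above does not cover that case. Add a check on pub_rsa (an ASSERT, or an error return with a msg) before the BN_dup.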
@@ -1680,13 +1680,13 @@ print_details(struct key_state_ssl *ks_ssl, const char 
*prefix)
 EVP_PKEY *pkey = X509_get_pubkey(cert);
 if (pkey != NULL)
 {
-if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
+if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA && EVP_PKEY_get0_RSA(pkey) 
!= NULL
 && pkey->pkey.rsa->n != NULL)
 {
 openvpn_snprintf(s2, sizeof(s2), ", %d bit RSA",
  BN_num_bits(pkey->pkey.rsa->n));
 }
-else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
+else if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA && 
EVP_PKEY_get0_DSA(pkey) != NULL
  && pkey->pkey.dsa->p != NULL)
 {
 openvpn_snprintf(s2, sizeof(s2), ", %d bit DSA",
-- 
2.7.4




[Openvpn-devel] [RFC PATCH v2 15/15] OpenSSL: use EVP_CipherInit_ex() instead of EVP_CipherInit()

2017-02-20 Thread Emmanuel Deloget
The behavior of EVP_CipherInit() changed in OpenSSL 1.1 -- instead
of clearing the context when the cipher parameter was !NULL, it now
clears the context unconditionally. As a result, subsequent calls
to the function with additional information now fail.

The bulk work is done by EVP_CipherInit_ex() which has been part of the
OpenSSL interface since the dawn of time (0.9.8 already has it). Thus,
the change allows us to get the old behavior back instead of relying
on dirty tricks.

Signed-off-by: Emmanuel Deloget 
---
 src/openvpn/crypto_openssl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 23de175..2bca88b 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -683,7 +683,7 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, uint8_t *key, int 
key_len,
 crypto_msg(M_FATAL, "EVP set key size");
 }
 #endif
-if (!EVP_CipherInit(ctx, NULL, key, NULL, enc))
+if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, enc))
 {
 crypto_msg(M_FATAL, "EVP cipher init #2");
 }
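Review bot: this call is correct only because EVP_CipherInit_ex() leaves an already-initialised context (cipher bound in the first init, key length possibly adjusted under the #ifdef above) intact; a one-line comment at the call site saying that EVP_CipherInit() must not be used here because 1.1.0 resets the context unconditionally would stop the next cleanup from "simplifying" it back. Passing NULL for the ENGINE argument is right, since the cipher was already bound in the first init.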
@@ -736,7 +736,7 @@ cipher_ctx_get_cipher_kt(const cipher_ctx_t *ctx)
 int
 cipher_ctx_reset(EVP_CIPHER_CTX *ctx, uint8_t *iv_buf)
 {
-return EVP_CipherInit(ctx, NULL, NULL, iv_buf, -1);
+return EVP_CipherInit_ex(ctx, NULL, NULL, NULL, iv_buf, -1);
 }
 
 int
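Review bot: cipher_ctx_reset() now returns whatever EVP_CipherInit_ex() returns, which is 0 with "no cipher set" when the context was never initialised (the error path visible in the log lines quoted in this thread); since key=NULL and enc=-1 only make sense on an initialised context, state that precondition in a comment or guard it with ASSERT(EVP_CIPHER_CTX_cipher(ctx)), which exists on both 1.0.x and 1.1.0.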
-- 
2.7.4




[Openvpn-devel] [RFC PATCH v2 00/15] Add support for OpenSSL 1.1.x

2017-02-20 Thread Emmanuel Deloget
This (limited) series replaces a few patches on the v1 series, namely: 

* "OpenSSL: don't use direct access to the internal of EVP_PKEY"
  This version replaces the previous version and adds function
  EVP_PKEY_id() which is present in 1.0.0 and later but not in
  0.9.8. 

* "OpenSSL: use EVP_CipherInit_ex() instead of EVP_CipherInit()"

This version has been compile-tested with the following versions:

* 0.9.8zh
* 1.0.0t
* 1.0.1u
* 1.0.2k
* 1.1.0-git

Each compilation test was followed by a connection test to an OpenVPN
server (v2.3). So far, everything seems to work. 

Emmanuel Deloget (15):
  OpenSSL: don't use direct access to the internal of SSL_CTX
  OpenSSL: don't use direct access to the internal of X509_STORE
  OpenSSL: don't use direct access to the internal of X509_OBJECT
  OpenSSL: don't use direct access to the internal of RSA_METHOD
  OpenSSL: don't use direct access to the internal of X509
  OpenSSL: don't use direct access to the internal of EVP_PKEY
  OpenSSL: don't use direct access to the internal of RSA
  OpenSSL: don't use direct access to the internal of DSA
  OpenSSL: don't use direct access to the internal of X509_STORE_CTX
  OpenSSL: don't use direct access to the internal of EVP_MD_CTX
  OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX
  OpenSSL: don't use direct access to the internal of HMAC_CTX
  OpenSSL: SSLeay symbols are no longer available in OpenSSL 1.1
  OpenSSL: constify getbio() parameters
  OpenSSL: use EVP_CipherInit_ex() instead of EVP_CipherInit()

 configure.ac |  38 +++
 src/openvpn/crypto.c |   8 +-
 src/openvpn/crypto_backend.h |  42 +++
 src/openvpn/crypto_mbedtls.c |  40 +++
 src/openvpn/crypto_openssl.c |  54 +++-
 src/openvpn/httpdigest.c |  78 ++---
 src/openvpn/misc.c   |  14 +-
 src/openvpn/ntlm.c   |  12 +-
 src/openvpn/openssl_compat.h | 623 +++
 src/openvpn/openvpn.h|   2 +-
 src/openvpn/push.c   |  11 +-
 src/openvpn/ssl.c|  38 +--
 src/openvpn/ssl_openssl.c|  94 +++---
 src/openvpn/ssl_verify_openssl.c |  55 ++--
 14 files changed, 963 insertions(+), 146 deletions(-)
 create mode 100644 src/openvpn/openssl_compat.h

-- 
2.7.4




Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

2017-02-20 Thread Emmanuel Deloget
Hi again,

On Mon, Feb 20, 2017 at 2:33 PM, Emmanuel Deloget  wrote:
> Hi Christian,
>
> On Mon, Feb 20, 2017 at 1:29 PM, Christian Hesse  wrote:
>> That matches my findings. Built against openssl 1.1.0e (Arch Linux package
>> openssl 1.1.0.e-1 [0]) the build itself succeeds, but 'make check' reports
>> lots of cipher failures.
>>
>> Are your patches available from a public git repository?
>
> I will make my patches available on github ASAP.

I did as fast as I could, here they are:

https://github.com/emmanuel-deloget/openvpn/commits/openvpn-1.1

I'll post the PATCH v2 in a few minutes

-- Emmanuel Deloget



Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

2017-02-20 Thread Emmanuel Deloget
Hi,

On Mon, Feb 20, 2017 at 1:37 PM, Gert Doering  wrote:
>
> Interesting.  Anything useful in openvpn's logs?
>

Mon Feb 20 11:57:56 2017 us=371715 OpenSSL: error:0607B083:digital
envelope routines:EVP_CipherInit_ex:no cipher set
Mon Feb 20 11:57:56 2017 us=371746 EVP cipher init #2

I found the culprit: OpenSSL's EVP_CipherInit() changed way too much
for a 3-line function. Prior to v1.1, the code did a check on the cipher
parameter and cleared the EVP context only if cipher was not null. In
1.1, it clears the context unconditionally. Having to cope with
changes in the interface is not that fun, having to cope with behavior
changes is even worse :)

I'm producing an additional commit to work around that change (the
proposed change does not depend on the OpenSSL version).

>> I don't have much time to test with other OpenSSL versions but I guess
>> you have the infrastructure that will help.
>
> Well, *I* do not have specific "test across various OpenSSL versions"
> infrastructure, but compiling across our buildbot zoo gives us quite a
> bit of coverage...  and I assume Steffan has more coverage on SSL library
> versions.
>
> thanks for your work!
>
> gert

Well, thanks to everyone involved -- all of you have been really kind
with me (for now :))

Best regards,

-- Emmanuel Deloget



Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

2017-02-20 Thread Emmanuel Deloget
Hi Christian,

On Mon, Feb 20, 2017 at 1:29 PM, Christian Hesse  wrote:
> That matches my findings. Built against openssl 1.1.0e (Arch Linux package
> openssl 1.1.0.e-1 [0]) the build itself succeeds, but 'make check' reports
> lots of cipher failures.
>
> Are your patches available from a public git repository?

I will make my patches available on github ASAP.

Best regards

-- Emmanuel Deloget

On Mon, Feb 20, 2017 at 1:29 PM, Christian Hesse  wrote:
> Emmanuel Deloget  on Mon, 2017/02/20 12:45:
>> Hello,
>>
>> On Sun, Feb 19, 2017 at 6:49 PM, Gert Doering  wrote:
>> > Hi,
>> >
>> > On Sun, Feb 19, 2017 at 01:03:45PM +0100, Steffan Karger wrote:
>> >> Thank you very much.  You approach looks good to me, and quite closely
>> >> matches what I had in mind for when I would find the time to tackle
>> >> this.  (Which might have taken me a while, so really happy to see these
>> >> patches!)
>> > [..]
>> >> Also very good that this is split up into small and independently
>> >> reviewable patches.  I'll start review soon.
>> >
>> > While Steffan is our resident expert on nasty crypto libraries, I just
>> > want to echo the sentiment - having these "chunks" tackle one API function
>> > at a time, they are easily testable, and in case something explodes, it's
>> > much easier to bisect to find the problematic one.
>> >
>> > Now back to being a commit slave for Steffan's ACKs :-)  (I do not know
>> > the APIs well enough to properly comment on the changes, I can only run
>> > tests...)
>>
>> I resumed the work this morning. So far the results are :
>>
>> * 0.9.8zh --> EVP_PKEY_id() is not defined. I'm adding this to
>> openssl_compat.h and will provide a v2 patch with the change. Once
>> added, OpenVPN compiled successfully and was able to connect to my
>> /2.3 server.
>>
>> * 1.0.0t --> compile OK, connect OK
>>
>> * 1.0.1u --> compile OK, connect OK
>>
>> * 1.0.2.k --> compile OK, connect OK
>>
>> * 1.1.0-git --> compile OK, failure to connect. I'm currently
>> investigating this issue. I'll  provide a patch as soon as I fix this
>> (this is a bit ironic ; I may have forgotten something somewhere...).
>
> That matches my findings. Built against openssl 1.1.0e (Arch Linux package
> openssl 1.1.0.e-1 [0]) the build itself succeeds, but 'make check' reports
> lots of cipher failures.
>
> Are your patches available from a public git repository?
>
> [0] https://www.archlinux.org/packages/staging/x86_64/openssl/
> --
> main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
> "CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
> putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}



Re: [Openvpn-devel] [PATCH] dev-tools: Simple tool which automates rebasing LZ4 compat library

2017-02-20 Thread Gert Doering
Hi,

On Mon, Feb 20, 2017 at 02:13:20PM +0100, David Sommerseth wrote:
> > and ran it against a local copy of lz4 v131, and that produced the
> > expected result - no significant changes to compat-lz4.c/compat-lz4.h
> > (the "#ifdef HAVE_CONFIG_H" block moves to the top of the file, but 
> > that is purely cosmetic - the block itself is fine)
> 
> I /did/ consider to do some clever sed hacks here too ... but I wasn't
> in the mood for that complexity, and I actually feared how *BSD would
> explode in my face :)  

We'll always get you ;-)

> But as it turned out, the BSD explosion trigger
> was even lower than that ... ;-)

GNU sed enables "more complex" matching by default, but I can never
remember which sed version does what, and when I need to turn on -E 
("extended regex") to make sed do what I want :-)

> > So, any objections against the much simpler sed command there?  "lz4.h"
> > with double quotes never shows up elsewhere in the file today - and 
> > when importing, we need to run a compile test anyway, so if it should
> > ever garble the .c file, we fix the script...
> 
> This is purely my "match as precisely as possible" approach I default to.
> I have no issues making this simpler if that is what is required.

Understood, but in this particular case, I think "simple is good enough"

> New patch or fix at commit time?

Whatever you prefer.  It's your code :)

(And since this is not "main openvpn code", the rules are not as strict
anyway - the actual lz4 commit change would need to be reviewed anyway)

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] [PATCH] dev-tools: Simple tool which automates rebasing LZ4 compat library

2017-02-20 Thread David Sommerseth
On 20/02/17 14:03, Gert Doering wrote:
> Hi,
> 
> On Wed, Jan 25, 2017 at 09:53:02PM +0100, David Sommerseth wrote:
>> This tool depends on a cloned upstream LZ4 git repository and a
>> checked out release tag.  Then run the script like this:
>>
>>$ ./dev-tools/lz4-rebaser.sh /path/to/lz4.git
>>
>> To see the result before committing, use: git diff --cached
> 
> All willing to give this an ACK, alas, it's penguin-tainted :-) - read,
> won't work with a FreeBSD sed.
> 
>> +#ifdef NEED_COMPAT_LZ4
>> +EOF
>> +sed '/"lz4\.h"/s/\(#include "\)lz4\.h\("\+\)/\1compat-lz4.h\2/' "$LZ4_C"
>> +cat < 
> Not sure why this is not working here, but it looks like having too
> much bells and whistles :-9 - I replaced this with
> 
>sed 's/\"lz4\.h\"/\"compat-lz4.h"/' "$LZ4_C"
> 
> and ran it against a local copy of lz4 v131, and that produced the
> expected result - no significant changes to compat-lz4.c/compat-lz4.h
> (the "#ifdef HAVE_CONFIG_H" block moves to the top of the file, but 
> that is purely cosmetic - the block itself is fine)

I /did/ consider to do some clever sed hacks here too ... but I wasn't
in the mood for that complexity, and I actually feared how *BSD would
explode in my face :)  But as it turned out, the BSD explosion trigger
was even lower than that ... ;-)

> So, any objections against the much simpler sed command there?  "lz4.h"
> with double quotes never shows up elsewhere in the file today - and 
> when importing, we need to run a compile test anyway, so if it should
> ever garble the .c file, we fix the script...

This is purely my "match as precisely as possible" approach I default to.
I have no issues making this simpler if that is what is required.

New patch or fix at commit time?


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc






Re: [Openvpn-devel] [PATCH] dev-tools: Simple tool which automates rebasing LZ4 compat library

2017-02-20 Thread Gert Doering
Hi,

On Wed, Jan 25, 2017 at 09:53:02PM +0100, David Sommerseth wrote:
> This tool depends on a cloned upstream LZ4 git repository and a
> checked out release tag.  Then run the script like this:
> 
>$ ./dev-tools/lz4-rebaser.sh /path/to/lz4.git
> 
> To see the result before committing, use: git diff --cached

All willing to give this an ACK, alas, it's penguin-tainted :-) - read,
won't work with a FreeBSD sed.

> +#ifdef NEED_COMPAT_LZ4
> +EOF
> +sed '/"lz4\.h"/s/\(#include "\)lz4\.h\("\+\)/\1compat-lz4.h\2/' "$LZ4_C"
> +cat <



Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

2017-02-20 Thread Gert Doering
Hi,

On Mon, Feb 20, 2017 at 12:45:24PM +0100, Emmanuel Deloget wrote:
> * 0.9.8zh --> EVP_PKEY_id() is not defined. I'm adding this to
> openssl_compat.h and will provide a v2 patch with the change. Once
> added, OpenVPN compiled successfully and was able to connect to my
> /2.3 server.

If possible, please do only resend the commit that got changed, not all
of it (easier to keep track when Steffan starts sending reviews).

> * 1.0.0t --> compile OK, connect OK
> 
> * 1.0.1u --> compile OK, connect OK
> 
> * 1.0.2.k --> compile OK, connect OK

Great :-)

> * 1.1.0-git --> compile OK, failure to connect. I'm currently
> investigating this issue. I'll  provide a patch as soon as I fix this
> (this is a bit ironic ; I may have forgotten something somewhere...).

Interesting.  Anything useful in openvpn's logs?

> I don't have much time to test with other OpenSSL versions but I guess
> you have the infrastructure that will help.

Well, *I* do not have specific "test across various OpenSSL versions"
infrastructure, but compiling across our buildbot zoo gives us quite a
bit of coverage...  and I assume Steffan has more coverage on SSL library
versions.

thanks for your work!

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de




[Openvpn-devel] [PATCH applied] Re: Fix user's group membership check in interactive service to work with domains

2017-02-20 Thread Gert Doering
ACK, based on "according to MSDN documentation these are the correct
functions and are called properly", and on the test results in #810.

I have only compile tested this (which succeeds).

Your patch has been applied to the master and release/2.4 branch.

commit e82733a1ab78062feca28578fe505b275a2356a6 (master)
commit a9743bf25e661d66ca7537adfe457e75afc947c4 (release/2.4)
Author: Selva Nair
Date:   Sat Jan 14 16:16:29 2017 -0500

 Fix user's group membership check in interactive service to work with 
domains

 Signed-off-by: Selva Nair 
 Acked-by: Gert Doering 
 Message-Id: <1484428589-7882-1-git-send-email-selva.n...@gmail.com>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13877.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

2017-02-20 Thread Christian Hesse
Emmanuel Deloget  on Mon, 2017/02/20 12:45:
> Hello,
> 
> On Sun, Feb 19, 2017 at 6:49 PM, Gert Doering  wrote:
> > Hi,
> >
> > On Sun, Feb 19, 2017 at 01:03:45PM +0100, Steffan Karger wrote:  
> >> Thank you very much.  You approach looks good to me, and quite closely
> >> matches what I had in mind for when I would find the time to tackle
> >> this.  (Which might have taken me a while, so really happy to see these
> >> patches!)  
> > [..]  
> >> Also very good that this is split up into small and independently
> >> reviewable patches.  I'll start review soon.  
> >
> > While Steffan is our resident expert on nasty crypto libraries, I just
> > want to echo the sentiment - having these "chunks" tackle one API function
> > at a time, they are easily testable, and in case something explodes, it's
> > much easier to bisect to find the problematic one.
> >
> > Now back to being a commit slave for Steffan's ACKs :-)  (I do not know
> > the APIs well enough to properly comment on the changes, I can only run
> > tests...)  
> 
> I resumed the work this morning. So far the results are :
> 
> * 0.9.8zh --> EVP_PKEY_id() is not defined. I'm adding this to
> openssl_compat.h and will provide a v2 patch with the change. Once
> added, OpenVPN compiled successfully and was able to connect to my
> /2.3 server.
> 
> * 1.0.0t --> compile OK, connect OK
> 
> * 1.0.1u --> compile OK, connect OK
> 
> * 1.0.2.k --> compile OK, connect OK
> 
> * 1.1.0-git --> compile OK, failure to connect. I'm currently
> investigating this issue. I'll provide a patch as soon as I fix this
> (this is a bit ironic; I may have forgotten something somewhere...).

That matches my findings. Built against openssl 1.1.0e (Arch Linux package
openssl 1.1.0.e-1 [0]) the build itself succeeds, but 'make check' reports
lots of cipher failures.

Are your patches available from a public git repository?

[0] https://www.archlinux.org/packages/staging/x86_64/openssl/
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}




Re: [Openvpn-devel] [PATCH v2] Fix user's group membership check in interactive service to work with domains

2017-02-20 Thread Gert Doering
Hi,

On Sat, Jan 14, 2017 at 04:16:29PM -0500, selva.n...@gmail.com wrote:
> From: Selva Nair 
> 
> Currently the username unqualified by the domain is used to validate
> a user which fails for domain users. Instead authorize the user
> 
> (i) if the built-in admin group or ovpn_admin group is in the process token
> (ii) else if the user's SID is in the built-in admin or ovpn_admin groups
> 
> The second check is needed to recognize dynamic updates to group membership
> on the local machine that will not be reflected in the token.
> 
> These checks do not require connection to a domain controller and will
> work even when user is logged in with cached credentials.
> 
> Resolves Trac: #810
> 
> v2: include the token check as described above

Took me way too long...  the code change looks reasonable ("does what it
says on the tin, and safely so").  

One question occurred to me, though...

MS documentation for GetTokenInformation() suggests that group membership 
tests should be done with "CheckTokenMembership()", which sounds more 
convenient than "extract them all and walk the list" - so maybe this 
is done to avoid domain controller contact?

OTOH, the example given somewhere else does the same thing with
EqualSid(), so MS doesn't know what to recommend either, it seems...
https://msdn.microsoft.com/de-de/library/windows/desktop/aa379554(v=vs.85).aspx


A few more tests, then merge...

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de


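The two-step authorization the commit message above describes (group in the process token first, then the user's SID in the local group's current membership) and the CheckTokenMembership()-versus-EqualSid() question Gert raises can both be exercised from an ordinary user session. The PowerShell script below is an added example written for this archive page, not code from OpenVPN's interactive service; it runs the same checks against the caller's own token through .NET's Win32 wrappers. It assumes PowerShell 5 or later, a local group named "ovpn_admin" as in the thread (the name is configurable), and the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later) for the second check.

```powershell
# Added example, not OpenVPN's interactive-service code.
#   (i)  Is BUILTIN\Administrators or the ovpn_admin group present in the
#        caller's token?  (walk of TokenGroups, compared like EqualSid())
#   (ii) Otherwise, is the caller's SID currently a member of that local
#        group?  (catches membership changes made after logon, which the
#        token does not reflect)
# Neither check contacts a domain controller; both work with cached logons.
using namespace System.Security.Principal

function Get-LocalGroupSid {
    param([Parameter(Mandatory)][string]$Name)
    try {
        # NTAccount.Translate resolves a local (or domain) name to its SID;
        # a group that does not exist on this machine throws.
        return ([NTAccount]::new($Name)).Translate([SecurityIdentifier])
    } catch {
        return $null
    }
}

function Test-GroupInToken {
    param([WindowsIdentity]$Identity, [SecurityIdentifier]$GroupSid)
    # WindowsIdentity.Groups exposes the enabled group SIDs of the token,
    # so deny-only entries of a UAC-filtered token do not count, which is
    # the same answer CheckTokenMembership() would give.
    foreach ($g in $Identity.Groups) {
        if ($g -eq $GroupSid) { return $true }
    }
    return $false
}

function Test-UserInLocalGroup {
    param([SecurityIdentifier]$UserSid, [SecurityIdentifier]$GroupSid)
    # Reads the group's membership from the local SAM right now instead of
    # trusting the (possibly stale) token.  Needs the LocalAccounts module.
    try {
        $members = Get-LocalGroupMember -SID $GroupSid -ErrorAction Stop
    } catch {
        return $false
    }
    foreach ($m in $members) {
        if ($m.SID -eq $UserSid) { return $true }
    }
    return $false
}

function Test-OvpnAdmin {
    param([string]$AdminGroupName = 'ovpn_admin')   # group name from the thread
    $identity = [WindowsIdentity]::GetCurrent()
    $builtinAdmins = [SecurityIdentifier]::new(
        [WellKnownSidType]::BuiltinAdministratorsSid, $null)   # S-1-5-32-544
    $candidates = @($builtinAdmins)
    $ovpnSid = Get-LocalGroupSid -Name $AdminGroupName
    if ($ovpnSid) { $candidates += $ovpnSid }

    # (i) token check: cheap, no SAM or directory access
    foreach ($sid in $candidates) {
        if (Test-GroupInToken -Identity $identity -GroupSid $sid) {
            return [pscustomobject]@{ Authorized = $true; Via = "token:$sid" }
        }
    }
    # (ii) direct membership check on the user's own SID
    foreach ($sid in $candidates) {
        if (Test-UserInLocalGroup -UserSid $identity.User -GroupSid $sid) {
            return [pscustomobject]@{ Authorized = $true; Via = "group:$sid" }
        }
    }
    return [pscustomobject]@{ Authorized = $false; Via = $null }
}

Test-OvpnAdmin
```

Run it once from a normal prompt and once after adding the account to ovpn_admin without logging off: the first call should report `Via = group:…` (the token still lacks the group, so only the second check succeeds), and a fresh logon moves it to `Via = token:…`. The single-call alternative Gert mentions is available as `[WindowsPrincipal]::new($identity).IsInRole($sid)`, which .NET implements on top of CheckTokenMembership(); it answers the same question as Test-GroupInToken but, like any token-based test, cannot see the post-logon membership change that check (ii) exists for.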


Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

2017-02-20 Thread Emmanuel Deloget
Hello,

On Sun, Feb 19, 2017 at 6:49 PM, Gert Doering  wrote:
> Hi,
>
> On Sun, Feb 19, 2017 at 01:03:45PM +0100, Steffan Karger wrote:
>> Thank you very much.  Your approach looks good to me, and quite closely
>> matches what I had in mind for when I would find the time to tackle
>> this.  (Which might have taken me a while, so really happy to see these
>> patches!)
> [..]
>> Also very good that this is split up into small and independently
>> reviewable patches.  I'll start review soon.
>
> While Steffan is our resident expert on nasty crypto libraries, I just
> want to echo the sentiment - having these "chunks" tackle one API function
> at a time, they are easily testable, and in case something explodes, it's
> much easier to bisect to find the problematic one.
>
> Now back to being a commit slave for Steffan's ACKs :-)  (I do not know
> the APIs well enough to properly comment on the changes, I can only run
> tests...)

I resumed the work this morning. So far the results are :

* 0.9.8zh --> EVP_PKEY_id() is not defined. I'm adding this to
openssl_compat.h and will provide a v2 patch with the change. Once
added, OpenVPN compiled successfully and was able to connect to my
/2.3 server.

* 1.0.0t --> compile OK, connect OK

* 1.0.1u --> compile OK, connect OK

* 1.0.2.k --> compile OK, connect OK

* 1.1.0-git --> compile OK, failure to connect. I'm currently
investigating this issue. I'll provide a patch as soon as I fix this
(this is a bit ironic; I may have forgotten something somewhere...).

I don't have much time to test with other OpenSSL versions but I guess
you have the infrastructure that will help.

> gert

Best regards,

-- Emmanuel Deloget
