[Openvpn-devel] [Patch] New man page corrections - script-options.rst

[Richard Bonhomme]

Signed-off-by: Richard Bonhomme 
---
 doc/man-sections/script-options.rst | 18 +-
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/doc/man-sections/script-options.rst 
b/doc/man-sections/script-options.rst
index 280127b1..8ea5b4a7 100644
--- a/doc/man-sections/script-options.rst
+++ b/doc/man-sections/script-options.rst
@@ -67,7 +67,7 @@ SCRIPT HOOKS
   OpenVPN will run command ``cmd`` to validate the username/password
   provided by the client.
 
-  ``cmd`` consists of a path to script (or executable program), optionally
+  ``cmd`` consists of a path to a script (or executable program), optionally
   followed by arguments. The path and arguments may be single- or
   double-quoted and/or escaped using a backslash, and should be separated
   by one or more spaces.
@@ -114,7 +114,7 @@ SCRIPT HOOKS
 --client-connect cmd
   Run command ``cmd`` on client connection.
 
-  ``cmd`` consists of a path to script (or executable program), optionally
+  ``cmd`` consists of a path to a script (or executable program), optionally
   followed by arguments. The path and arguments may be single- or
   double-quoted and/or escaped using a backslash, and should be separated
   by one or more spaces.
@@ -174,7 +174,7 @@ SCRIPT HOOKS
   Run command ``cmd`` when our remote ip-address is initially
   authenticated or changes.
 
-  ``cmd`` consists of a path to script (or executable program), optionally
+  ``cmd`` consists of a path to a script (or executable program), optionally
   followed by arguments. The path and arguments may be single- or
   double-quoted and/or escaped using a backslash, and should be separated
   by one or more spaces.
@@ -200,13 +200,13 @@ SCRIPT HOOKS
   Similarly if *our* IP address changes due to DHCP, we should configure
   our IP address change script (see man page for ``dhcpcd``\(8)) to
   deliver a ``SIGHUP`` or ``SIGUSR1`` signal to OpenVPN. OpenVPN will
-  then reestablish a connection with its most recently authenticated
+  then re-establish a connection with its most recently authenticated
   peer on its new IP address.
 
 --learn-address cmd
   Run command ``cmd`` to validate client virtual addresses or routes.
 
-  ``cmd`` consists of a path to script (or executable program), optionally
+  ``cmd`` consists of a path to a script (or executable program), optionally
   followed by arguments. The path and arguments may be single- or
   double-quoted and/or escaped using a backslash, and should be separated
   by one or more spaces.
@@ -244,7 +244,7 @@ SCRIPT HOOKS
 --route-up cmd
   Run command ``cmd`` after routes are added, subject to ``--route-delay``.
 
-  ``cmd`` consists of a path to script (or executable program), optionally
+  ``cmd`` consists of a path to a script (or executable program), optionally
   followed by arguments. The path and arguments may be single- or
   double-quoted and/or escaped using a backslash, and should be separated
   by one or more spaces.
@@ -255,7 +255,7 @@ SCRIPT HOOKS
 --route-pre-down cmd
   Run command ``cmd`` before routes are removed upon disconnection.
 
-  ``cmd`` consists of a path to script (or executable program), optionally
+  ``cmd`` consists of a path to a script (or executable program), optionally
   followed by arguments. The path and arguments may be single- or
   double-quoted and/or escaped using a backslash, and should be separated
   by one or more spaces.
@@ -316,7 +316,7 @@ SCRIPT HOOKS
   ``cmd`` should return :code:`0` to allow the TLS handshake to proceed,
   or :code:`1` to fail.
 
-  ``cmd`` consists of a path to script (or executable program), optionally
+  ``cmd`` consists of a path to a script (or executable program), optionally
   followed by arguments. The path and arguments may be single- or
   double-quoted and/or escaped using a backslash, and should be separated
   by one or more spaces.
@@ -346,7 +346,7 @@ SCRIPT HOOKS
   Run command ``cmd`` after successful TUN/TAP device open (pre ``--user``
   UID change).
 
-  ``cmd`` consists of a path to script (or executable program), optionally
+  ``cmd`` consists of a path to a script (or executable program), optionally
   followed by arguments. The path and arguments may be single- or
   double-quoted and/or escaped using a backslash, and should be separated
   by one or more spaces.
-- 
2.17.1



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [Patch] New man page corrections - server-options.rst

[Richard Bonhomme]

Signed-off-by: Richard Bonhomme 
---
 doc/man-sections/server-options.rst | 38 ++---
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/doc/man-sections/server-options.rst 
b/doc/man-sections/server-options.rst
index ada387a2..218d4f35 100644
--- a/doc/man-sections/server-options.rst
+++ b/doc/man-sections/server-options.rst
@@ -18,13 +18,13 @@ fast hardware. SSL/TLS authentication must be used in this 
mode.
 
   After successful user/password authentication, the OpenVPN server will
   with this option generate a temporary authentication token and push that
-  to client. On the following renegotiations, the OpenVPN client will pass
+  to the client. On the following renegotiations, the OpenVPN client will pass
   this token instead of the users password. On the server side the server
   will do the token authentication internally and it will NOT do any
   additional authentications against configured external user/password
   authentication mechanisms.
 
-  The tokens implemented by this mechanism include a initial timestamp and
+  The tokens implemented by this mechanism include an initial timestamp and
   a renew timestamp and are secured by HMAC.
 
   The ``lifetime`` argument defines how long the generated token is valid.
@@ -39,7 +39,7 @@ fast hardware. SSL/TLS authentication must be used in this 
mode.
   time, while at the same time permitting much longer token lifetimes for
   active clients.
 
-  This feature is useful for environments which is configured to use One
+  This feature is useful for environments which are configured to use One
   Time Passwords (OTP) as part of the user/password authentications and
   that authentication mechanism does not implement any auth-token support.
 
@@ -49,11 +49,11 @@ fast hardware. SSL/TLS authentication must be used in this 
mode.
   verification suceeds or fails.
 
   This option postpones this decision to the external authentication
-  methods and check the validity of the account and do other checks.
+  methods and checks the validity of the account and do other checks.
 
-  In this mode the environment will have a session\_id variable that hold
-  the session id from auth-gen-token. Also a environment variable
-  session\_state is present. This variable tells whether the auth-token
+  In this mode the environment will have a session\_id variable that holds
+  the session id from auth-gen-token. Also an environment variable
+  session\_state is present. This variable indicates whether the auth-token
   has succeeded or not. It can have the following values:
 
   :code:`Initial`
@@ -69,9 +69,9 @@ fast hardware. SSL/TLS authentication must be used in this 
mode.
   Token is invalid (failed HMAC or wrong length)
 
   :code:`AuthenticatedEmptyUser` / :code:`ExpiredEmptyUser`
-  The token is not valid with the username send from the client but
-  would be valid (or expired) if we assume an  empty  username was
-  used instead.  These two  cases are a workaround for behaviour in
+  The token is not valid with the username sent from the client but
+  would be valid (or expired) if we assume an empty username was
+  used instead.  These two cases are a workaround for behaviour in
   OpenVPN 3.  If this workaround is not needed these two cases should
   be handled in the same way as :code:`Invalid`.
 
@@ -86,16 +86,16 @@ fast hardware. SSL/TLS authentication must be used in this 
mode.
   password from a script).
 
 --auth-gen-token-secret file
-  Specifies a file that hold a secret for the HMAC used in
+  Specifies a file that holds a secret for the HMAC used in
   ``--auth-gen-token`` If ``file`` is not present OpenVPN will generate a
   random secret on startup. This file should be used if auth-token should
-  valid after restarting a server or if client should be able to roam
-  between multiple OpenVPN server with their auth-token.
+  validate after restarting a server or if client should be able to roam
+  between multiple OpenVPN servers with their auth-token.
 
 --auth-user-pass-optional
   Allow connections by clients that do not specify a username/password.
   Normally, when ``--auth-user-pass-verify`` or
-  ``--management-client-auth`` is specified (or an authentication plugin
+  ``--management-client-auth`` are specified (or an authentication plugin
   module), the OpenVPN server daemon will require connecting clients to
   specify a username and password. This option makes the submission of a
   username/password by clients optional, passing the responsibility to the
@@ -626,8 +626,8 @@ fast hardware. SSL/TLS authentication must be used in this 
mode.
 tls-server
 
 --stale-routes-check args
-  Remove routes haven't had activity for ``n`` seconds (i.e. the ageing
-  time).  This check is ran every ``t`` seconds (i.e. check interval).
+  Remove routes which haven't had activity for ``n`` seconds (i.e. the ageing
+  time).  This check is run every ``t`` seconds (i.e. check 

Re: [Openvpn-devel] [PATCH 1/2] Remember if we have seen a push request without async push

[Arne Schwabe]

Am 06.07.20 um 20:43 schrieb Gert Doering:
> Hi,
> 
> On Mon, Jul 06, 2020 at 06:35:15PM +0200, Arne Schwabe wrote:
>> The logic if we already have seen a push request is still
>> correct/useful without async push. I am not entirely sure if also
>> deferred management authentication can trigger this code path but
>> it should be able to. The other benefit is removing a number of
>> ifdefs.
> 
> NAK.
> 
> In combination with async-auth (plugin) this triggers some sort of
> key inconsistency - the client does get the proper PUSH_REPLY, but 
> key state is kaput

I will double check the patch but this might be that this code path is
broken with async push too, when you do write status to file and do not
close but wait for openvpn to pick up the state itself.

Arne



signature.asc
Description: OpenPGP digital signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH 2/2] merge key_state->authenticated and key_state->auth_deferred

[Antonio Quartulli]

Hi,

Thanks for taking one more step towards simplifying this state jungle..

On 06/07/2020 18:35, Arne Schwabe wrote:
> Both are tightly coupled often both are checked at the same time.
> Merging them into one state makes the code simpler and also brings
> us closer in the direction of a state machine
> 
> Signed-off-by: Arne Schwabe 
> ---
>  src/openvpn/ssl.c| 29 -
>  src/openvpn/ssl_common.h |  9 +++--
>  src/openvpn/ssl_verify.c | 27 ++-
>  3 files changed, 33 insertions(+), 32 deletions(-)
> 
> diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
> index 1cf8e44f..9df7552d 100644
> --- a/src/openvpn/ssl.c
> +++ b/src/openvpn/ssl.c
> @@ -1930,7 +1930,7 @@ tls_session_generate_data_channel_keys(struct 
> tls_session *session)
>  const struct session_id *server_sid = !session->opt->server ?
>&ks->session_id_remote : 
> &session->session_id;
>  
> -if (!ks->authenticated)
> +if (ks->authenticated == KS_AUTH_FALSE)
>  {
>  msg(D_TLS_ERRORS, "TLS Error: key_state not authenticated");
>  goto cleanup;
> @@ -2466,7 +2466,7 @@ key_method_2_write(struct buffer *buf, struct 
> tls_session *session)
>  if (session->opt->server && !(session->opt->ncp_enabled
>&& session->opt->mode == MODE_SERVER && 
> ks->key_id <= 0))
>  {
> -if (ks->authenticated)
> +if (ks->authenticated != KS_AUTH_FALSE)
>  {
>  if (!tls_session_generate_data_channel_keys(session))
>  {
> @@ -2536,7 +2536,7 @@ key_method_1_read(struct buffer *buf, struct 
> tls_session *session)
>   &session->opt->key_type, OPENVPN_OP_DECRYPT,
>   "Data Channel Decrypt");
>  secure_memzero(&key, sizeof(key));
> -ks->authenticated = true;
> +ks->authenticated = KS_AUTH_TRUE;
>  return true;
>  
>  error:
> @@ -2594,7 +2594,7 @@ key_method_2_read(struct buffer *buf, struct tls_multi 
> *multi, struct tls_sessio
>  goto error;
>  }
>  
> -ks->authenticated = false;
> +ks->authenticated = KS_AUTH_FALSE;
>  
>  /* always extract username + password fields from buf, even if not
>   * authenticating for it, because otherwise we can't get at the
> @@ -2652,14 +2652,14 @@ key_method_2_read(struct buffer *buf, struct 
> tls_multi *multi, struct tls_sessio
>  "TLS Error: Certificate verification failed (key-method 2)");
>  goto error;
>  }
> -ks->authenticated = true;
> +ks->authenticated = KS_AUTH_TRUE;
>  }
>  
>  /* clear username and password from memory */
>  secure_memzero(up, sizeof(*up));
>  
>  /* Perform final authentication checks */
> -if (ks->authenticated)
> +if (ks->authenticated != KS_AUTH_FALSE)
>  {
>  verify_final_auth_checks(multi, session);
>  }
> @@ -2673,7 +2673,7 @@ key_method_2_read(struct buffer *buf, struct tls_multi 
> *multi, struct tls_sessio
>  if (session->opt->ssl_flags & SSLF_OPT_VERIFY)
>  {
>  msg(D_TLS_ERRORS, "Option inconsistency warnings triggering 
> disconnect due to --opt-verify");
> -ks->authenticated = false;
> +ks->authenticated = KS_AUTH_FALSE;
>  }
>  }
>  #endif
> @@ -2684,13 +2684,14 @@ key_method_2_read(struct buffer *buf, struct 
> tls_multi *multi, struct tls_sessio
>   * Call OPENVPN_PLUGIN_TLS_FINAL plugin if defined, for final
>   * veto opportunity over authentication decision.
>   */
> -if (ks->authenticated && plugin_defined(session->opt->plugins, 
> OPENVPN_PLUGIN_TLS_FINAL))
> +if ((ks->authenticated != KS_AUTH_FALSE)
> +&& plugin_defined(session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL))
>  {
>  key_state_export_keying_material(&ks->ks_ssl, session);
>  
>  if (plugin_call(session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL, 
> NULL, NULL, session->opt->es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
>  {
> -ks->authenticated = false;
> +ks->authenticated = KS_AUTH_FALSE;
>  }
>  
>  setenv_del(session->opt->es, "exported_keying_material");
> @@ -3394,10 +3395,7 @@ tls_pre_decrypt(struct tls_multi *multi,
>   */
>  if (DECRYPT_KEY_ENABLED(multi, ks)
>  && key_id == ks->key_id
> -&& ks->authenticated
> -#ifdef ENABLE_DEF_AUTH
> -&& !ks->auth_deferred
> -#endif
> +&& (ks->authenticated == KS_AUTH_TRUE)
>  && (floated || link_socket_actual_match(from, 
> &ks->remote_addr)))
>  {
>  if (!ks->crypto_options.key_ctx_bi.initialized)
> @@ -3946,11 +3944,8 @@ tls_pre_encrypt(struct tls_multi *multi,
>  {
>  struct key_state *ks = multi->key_scan[i];
>  if (ks->state >= S_ACTIVE
> -  

[Openvpn-devel] [PATCH] Remove --writepid file on program exit.

[Gert Doering]

For whatever reason, we never removed the pid file on program exit.

Not only this is unclean, but it also makes testing for "I want this
test case to FAIL" in t_client.sh more annoying to code for "is the
OpenVPN process still around?"...

Do not unlink the file if chroot() is active (might be outside the
chroot arena - testing for realpath etc. is left for someone else).

Signed-off-by: Gert Doering 
---
 src/openvpn/openvpn.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c
index dc7001dc..65029e86 100644
--- a/src/openvpn/openvpn.c
+++ b/src/openvpn/openvpn.c
@@ -335,6 +335,12 @@ openvpn_main(int argc, char *argv[])
 while (c.sig->signal_received == SIGHUP);
 }
 
+/* if we opened a PID file and did not chroot(), unlink() it again */
+if (c.options.writepid && !c.options.chroot_dir)
+{
+platform_unlink(c.options.writepid);
+}
+
 context_gc_free(&c);
 
 #ifdef ENABLE_MANAGEMENT
-- 
2.27.0



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH 1/2] Remember if we have seen a push request without async push

[Gert Doering]

Hi,

On Mon, Jul 06, 2020 at 06:35:15PM +0200, Arne Schwabe wrote:
> The logic if we already have seen a push request is still
> correct/useful without async push. I am not entirely sure if also
> deferred management authentication can trigger this code path but
> it should be able to. The other benefit is removing a number of
> ifdefs.

NAK.

In combination with async-auth (plugin) this triggers some sort of
key inconsistency - the client does get the proper PUSH_REPLY, but 
key state is kaput

...
Jul  6 20:41:30 gentoo openvpn[32657]: PLUGIN AUTH-PAM: BACKGROUND: name match 
found, query/match-string ['Password: ', 'Password:'] = 'PASSWORD'
Jul  6 20:41:30 gentoo openvpn[32657]: PLUGIN AUTH-PAM: BACKGROUND: 
fbsd-tc-master: deferred auth: PAM succeeded
Jul  6 20:41:32 gentoo tun-udp-p2mp-global-authpam[31884]: MULTI_sva: pool 
returned IPv4=194.97.145.74, IPv6=2001:608:3:814::1000
Jul  6 20:41:32 gentoo tun-udp-p2mp-global-authpam[31884]: OPTIONS IMPORT: 
reading client specific options from: 
/tmp/openvpn_cc_6f7cfcfda4cb5ecf1366685a7270c804.tmp
Jul  6 20:41:32 gentoo tun-udp-p2mp-global-authpam[31884]: SENT CONTROL 
[cron2-freebsd-tc-amd64]: 'PUSH_REPLY,route 10.204.0.0 255.255.0.0,route-ipv6 
fd00:abcd:204::/48,tun-ipv6,route-gateway 194.97.145.73,topology subnet,ping 
10,ping-restart 30,compress lz4,ifconfig-ipv6 2001:608:3:814::1000/64 
2001:608:3:814::1,ifconfig 194.97.145.74 255.255.255.248,peer-id 0,cipher 
AES-256-GCM' (status=1)
Jul  6 20:41:32 gentoo tun-udp-p2mp-global-authpam[31884]: 
cron2-freebsd-tc-amd64/2001:608:0:814::f000:21 PUSH: Received control message: 
'PUSH_REQUEST'
Jul  6 20:41:32 gentoo tun-udp-p2mp-global-authpam[31884]: 
cron2-freebsd-tc-amd64/2001:608:0:814::f000:21 Key 
[AF_INET6]2001:608:0:814::f000:21:51780 [0] not initialized (yet), dropping 
packet.


"I was about to ACK-and-merge this"... but it's reproduceable, async auth
(without --async-push) is broken with this patch.

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de


signature.asc
Description: PGP signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH applied] Re: Unified success messages for setting mtu

[Jonathan K. Bullard]

Hi,

On Mon, Jul 6, 2020 at 11:43 AM Gert Doering  wrote:
>
> Acked-by: Gert Doering 
>
> Thanks :-) - given that this is somewhat trivial, I have not actually
> run a binary to look at the messages.  I have counted arguments and done
> a test build to see if new warnings show up (no).
>
> I *do* see an old warning...
>
> tun.c: In function 'windows_set_mtu':
> tun.c:5523:21: warning: format '%u' expects argument of type 'unsigned int', 
> but argument 5 has type 'DWORD {aka long unsigned int}' [-Wformat=]
>  msg(M_WARN, "TUN: Setting %s mtu failed: %s [status=%u if_index=%d]",

It's ok if this is only for Windows code (I assume it is because of
the name of the function) because x86 and ARM have the same
endian-ness and are the only Windows platforms (that I know of).
However, it would still be better to use "%lu" to avoid the warning
and to future-proof it for any _new_ Windows platform that's
different. (Although I admit Microsoft is unlikely to do that.)

Best regards,

Jon


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH 1/2] Remember if we have seen a push request without async push

[Arne Schwabe]

The logic if we already have seen a push request is still
correct/useful without async push. I am not entirely sure if also
deferred management authentication can trigger this code path but
it should be able to. The other benefit is removing a number of
ifdefs.

Signed-off-by: Arne Schwabe 
---
 src/openvpn/multi.c   | 4 +---
 src/openvpn/openvpn.h | 2 --
 src/openvpn/push.c| 2 --
 3 files changed, 1 insertion(+), 7 deletions(-)

diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index f1ced9b7..f6be6618 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -824,8 +824,8 @@ multi_create_instance(struct multi_context *m, const struct 
mroute_addr *real)
 mi->did_cid_hash = true;
 #endif
 
-#ifdef ENABLE_ASYNC_PUSH
 mi->context.c2.push_request_received = false;
+#ifdef ENABLE_ASYNC_PUSH
 mi->inotify_watch = -1;
 #endif
 
@@ -2074,13 +2074,11 @@ script_failed:
 /* set context-level authentication flag */
 mi->context.c2.context_auth = CAS_SUCCEEDED;
 
-#ifdef ENABLE_ASYNC_PUSH
 /* authentication complete, send push reply */
 if (mi->context.c2.push_request_received)
 {
 process_incoming_push_request(&mi->context);
 }
-#endif
 }
 else
 {
diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h
index 4609af3e..a1308852 100644
--- a/src/openvpn/openvpn.h
+++ b/src/openvpn/openvpn.h
@@ -432,9 +432,7 @@ struct context_2
 #if P2MP
 
 /* --ifconfig endpoints to be pushed to client */
-#ifdef ENABLE_ASYNC_PUSH
 bool push_request_received;
-#endif
 bool push_ifconfig_defined;
 time_t sent_push_reply_expiry;
 in_addr_t push_ifconfig_local;
diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index 56d652a3..e7c3c08c 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -794,9 +794,7 @@ process_incoming_push_request(struct context *c)
 {
 int ret = PUSH_MSG_ERROR;
 
-#ifdef ENABLE_ASYNC_PUSH
 c->c2.push_request_received = true;
-#endif
 if (tls_authentication_status(c->c2.tls_multi, 0) == 
TLS_AUTHENTICATION_FAILED || c->c2.context_auth == CAS_FAILED)
 {
 const char *client_reason = tls_client_reason(c->c2.tls_multi);
-- 
2.26.2



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH 2/2] merge key_state->authenticated and key_state->auth_deferred

[Arne Schwabe]

Both are tightly coupled often both are checked at the same time.
Merging them into one state makes the code simpler and also brings
us closer in the direction of a state machine

Signed-off-by: Arne Schwabe 
---
 src/openvpn/ssl.c| 29 -
 src/openvpn/ssl_common.h |  9 +++--
 src/openvpn/ssl_verify.c | 27 ++-
 3 files changed, 33 insertions(+), 32 deletions(-)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 1cf8e44f..9df7552d 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1930,7 +1930,7 @@ tls_session_generate_data_channel_keys(struct tls_session 
*session)
 const struct session_id *server_sid = !session->opt->server ?
   &ks->session_id_remote : 
&session->session_id;
 
-if (!ks->authenticated)
+if (ks->authenticated == KS_AUTH_FALSE)
 {
 msg(D_TLS_ERRORS, "TLS Error: key_state not authenticated");
 goto cleanup;
@@ -2466,7 +2466,7 @@ key_method_2_write(struct buffer *buf, struct tls_session 
*session)
 if (session->opt->server && !(session->opt->ncp_enabled
   && session->opt->mode == MODE_SERVER && 
ks->key_id <= 0))
 {
-if (ks->authenticated)
+if (ks->authenticated != KS_AUTH_FALSE)
 {
 if (!tls_session_generate_data_channel_keys(session))
 {
@@ -2536,7 +2536,7 @@ key_method_1_read(struct buffer *buf, struct tls_session 
*session)
  &session->opt->key_type, OPENVPN_OP_DECRYPT,
  "Data Channel Decrypt");
 secure_memzero(&key, sizeof(key));
-ks->authenticated = true;
+ks->authenticated = KS_AUTH_TRUE;
 return true;
 
 error:
@@ -2594,7 +2594,7 @@ key_method_2_read(struct buffer *buf, struct tls_multi 
*multi, struct tls_sessio
 goto error;
 }
 
-ks->authenticated = false;
+ks->authenticated = KS_AUTH_FALSE;
 
 /* always extract username + password fields from buf, even if not
  * authenticating for it, because otherwise we can't get at the
@@ -2652,14 +2652,14 @@ key_method_2_read(struct buffer *buf, struct tls_multi 
*multi, struct tls_sessio
 "TLS Error: Certificate verification failed (key-method 2)");
 goto error;
 }
-ks->authenticated = true;
+ks->authenticated = KS_AUTH_TRUE;
 }
 
 /* clear username and password from memory */
 secure_memzero(up, sizeof(*up));
 
 /* Perform final authentication checks */
-if (ks->authenticated)
+if (ks->authenticated != KS_AUTH_FALSE)
 {
 verify_final_auth_checks(multi, session);
 }
@@ -2673,7 +2673,7 @@ key_method_2_read(struct buffer *buf, struct tls_multi 
*multi, struct tls_sessio
 if (session->opt->ssl_flags & SSLF_OPT_VERIFY)
 {
 msg(D_TLS_ERRORS, "Option inconsistency warnings triggering 
disconnect due to --opt-verify");
-ks->authenticated = false;
+ks->authenticated = KS_AUTH_FALSE;
 }
 }
 #endif
@@ -2684,13 +2684,14 @@ key_method_2_read(struct buffer *buf, struct tls_multi 
*multi, struct tls_sessio
  * Call OPENVPN_PLUGIN_TLS_FINAL plugin if defined, for final
  * veto opportunity over authentication decision.
  */
-if (ks->authenticated && plugin_defined(session->opt->plugins, 
OPENVPN_PLUGIN_TLS_FINAL))
+if ((ks->authenticated != KS_AUTH_FALSE)
+&& plugin_defined(session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL))
 {
 key_state_export_keying_material(&ks->ks_ssl, session);
 
 if (plugin_call(session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL, NULL, 
NULL, session->opt->es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
 {
-ks->authenticated = false;
+ks->authenticated = KS_AUTH_FALSE;
 }
 
 setenv_del(session->opt->es, "exported_keying_material");
@@ -3394,10 +3395,7 @@ tls_pre_decrypt(struct tls_multi *multi,
  */
 if (DECRYPT_KEY_ENABLED(multi, ks)
 && key_id == ks->key_id
-&& ks->authenticated
-#ifdef ENABLE_DEF_AUTH
-&& !ks->auth_deferred
-#endif
+&& (ks->authenticated == KS_AUTH_TRUE)
 && (floated || link_socket_actual_match(from, 
&ks->remote_addr)))
 {
 if (!ks->crypto_options.key_ctx_bi.initialized)
@@ -3946,11 +3944,8 @@ tls_pre_encrypt(struct tls_multi *multi,
 {
 struct key_state *ks = multi->key_scan[i];
 if (ks->state >= S_ACTIVE
-&& ks->authenticated
+&& (ks->authenticated == KS_AUTH_TRUE)
 && ks->crypto_options.key_ctx_bi.initialized
-#ifdef ENABLE_DEF_AUTH
-&& !ks->auth_deferred
-#endif
 )
 {
 if (!ks_select)
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index fe523362..fdf

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

[Gert Doering]

Hi,

On Thu, Jul 02, 2020 at 11:04:41PM +0200, David Sommerseth wrote:
> Can we please see this discussion also in context of this mail thread, which
> tries to look a broader at this challenge?

There's two things here - a small and useful featurette which can go
into 2.5, and the broader negotiation / option rehaul work for 2.6.

> The main purpose of that RFC is to ensure we handle DNS and --dhcp-options
> consistently across all OpenVPN implementations we care about, and that we
> document this properly.

As far as I understand, jjk's patch is in line with what Tunnelblick
already does on MAC, and does not conflict with the larger plan.

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de


signature.asc
Description: PGP signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

[Gert Doering]

Hi,

On Tue, Jun 30, 2020 at 04:15:58PM +0200, Jan Just Keijser wrote:
> On 30/06/20 16:11, Gert Doering wrote:
> > On Tue, Jun 30, 2020 at 04:07:52PM +0200, Jan Just Keijser wrote:
> >> @@ -5697,6 +5740,11 @@ build_dhcp_options_string(struct buffer *buf, const 
> >> struct tuntap_options *o)
> >>   write_dhcp_u32_array(buf, 42, (uint32_t *)o->ntp, o->ntp_len, 
> >> &error);
> >>   write_dhcp_u32_array(buf, 45, (uint32_t *)o->nbdd, o->nbdd_len, 
> >> &error);
> >>   
> >> +for (int i=0; i < o->domain_search_list_len; i++)
> >> +{
> >> +write_dhcp_search_str(buf, 119, o->domain_search_list[i], &error);
> >> +}
> > I assume that this won't work.  In the DHCP answer, it must be a single
> > option with the concatenated list, not multiple answers with a single
> > domain name each.
>
> see https://tools.ietf.org/html/rfc3397
> 
> "
> 
> In the above diagram, Searchstring is a string specifying the
> searchlist.  If the length of the searchlist exceeds the maximum
> permissible within a single option (255 octets), then multiple
> options MAY be used, as described in "Encoding Long Options in the
> Dynamic Host Configuration Protocol (DHCPv4)" [RFC3396 
> ].
> 
> "
> so you MAY use this option multiple times - and wireshark groks it fine. I 
> don't have a Windows 10
> client to test it against, however, so I am hoping that someone (Selva?) can 
> do that for me.

I did test, and my initial suspicion was correct - Windows accepts the
option, but only one of them.

I am pushing

  dhcp-option DOMAIN-SEARCH v6.de,dhcp-option DOMAIN-SEARCH leo.org,dhcp-option 
DOMAIN-SEARCH ov.greenie.net,dhcp-option DOMAIN-SEARCH nekosoft.de

(because these are domains that have more interesting hostnames in than
just "www" and "mail", so I can see if "v4only.v6.de" is found, or 
"dict.leo.org")

and "ipconfig /all" only shows the "nekosoft.de" one.

This one works(!), so generally, Win10 accepts this DHCP option - but
it seems to want "all domains in one".


Can you send a v3?

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de


signature.asc
Description: PGP signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH applied] Re: Unified success messages for setting mtu

[Gert Doering]

Acked-by: Gert Doering 

Thanks :-) - given that this is somewhat trivial, I have not actually
run a binary to look at the messages.  I have counted arguments and done
a test build to see if new warnings show up (no).

I *do* see an old warning...

tun.c: In function 'windows_set_mtu':
tun.c:5523:21: warning: format '%u' expects argument of type 'unsigned int', 
but argument 5 has type 'DWORD {aka long unsigned int}' [-Wformat=]
 msg(M_WARN, "TUN: Setting %s mtu failed: %s [status=%u if_index=%d]",

mmmh...

Your patch has been applied to the master branch.

commit efe01d52e36c597484b6fa24c4820b6345d08ae6
Author: Christopher Schenk
Date:   Tue Jun 30 11:54:44 2020 +0200

 Unified success messages for setting mtu

 Acked-by: Gert Doering 
 Message-Id: <20200630095443.7188-1-csch...@mail.uni-paderborn.de>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20171.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [Patch] New man page corrections - tls-options.rst

[Richard Bonhomme]

Signed-off-by: Richard Bonhomme 
---
 doc/man-sections/tls-options.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst
index bb8fc986..21549bdb 100644
--- a/doc/man-sections/tls-options.rst
+++ b/doc/man-sections/tls-options.rst
@@ -81,7 +81,7 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa
   ``openssl crl`` and ``X509_LOOKUP_hash_dir()``\(3)
   for more information.
 
-  Similarly to the ``--crl-verify`` option CRLs are not mandatory -
+  Similar to the ``--crl-verify`` option, CRLs are not mandatory -
   OpenVPN will log the usual warning in the logs if the relevant CRL is
   missing, but the connection will be allowed.
 
@@ -491,7 +491,7 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa
   Exit on TLS negotiation failure.
 
 --tls-export-cert directory
-  Store the certificates the clients uses upon connection to this
+  Store the certificates the clients use upon connection to this
   directory. This will be done before ``--tls-verify`` is called. The
   certificates will use a temporary name and will be deleted when the
   tls-verify script returns. The file name used for the certificate is
-- 
2.17.1



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH applied] Re: tap.c: fix adapter renaming

[Gert Doering]

Your patch has been applied to the master branch.

I have changed the // comments to /* C */ style and word-wrapped the
commit message a bit.

I have not actually tested a .msi install, but I have test-compiled it
(at least) (unbuntu 18 / mingw) and that worked fine.

commit 5b313a3565558cd1da4723c3950df227f941cf62
Author: Lev Stipakov
Date:   Fri Jul 3 22:20:29 2020 +0300

 tap.c: fix adapter renaming

 Signed-off-by: Lev Stipakov 
 Acked-by: Simon Rozman 
 Message-Id: <20200703192029.306-1-lstipa...@gmail.com>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20207.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH] tap.c: fix adapter renaming

[Simon Rozman via Openvpn-devel]

Hi,

> +// stripped version of ExecCommand in interactive.c static DWORD

C++ style comment.

> +// rename adapter via netsh call

C++ style comment.

> +const TCHAR* szFmt = _T("netsh interface set interface name=\"%s\"
> newname=\"%s\"");
> +size_t ncmdline = _tcslen(szFmt) + _tcslen(szOldName) +
> _tcslen(szName) + 1;
> +WCHAR* szCmdLine = malloc(ncmdline * sizeof(TCHAR));
> +_stprintf_s(szCmdLine, ncmdline, szFmt, szOldName, szName);

For the record:
1. `netsh interface set interface` does not accept adapter index. Therefore, 
the interface to rename must be selected by name. I'd prefer more explicit 
selection like adapter GUID or interface index, but selecting by name seems the 
only way here. Interface indexes are a thing of the TCP/IP, so it kind of makes 
sense lower layers are not operating with them. Ack.

2. I've tested `netsh interface set interface` to ignore case when selecting 
adapter. Ack.

3. I've tested `netsh interface set interface` to work when renaming adapter 
back to the original name. Ack.

Reviewed the code, compiled, debugged, tested.

Acked-by: Simon Rozman 

Regards,
Simon


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel