[Openvpn-devel] [Openvpn-devel/users] Debugging Windows based server scripts

2021-02-17 Thread tincanteksup

Hi,

due to not being allowed to have scripts "echo data" to the log file 
under Windows, debugging scripts is next to impossible.


I presume there are no compile-time options to enable "echo" under Windows?

Could anybody provide me with a patch to enable "echo" just for the 
purpose of debugging?


I would like the patch to work for OpenVPN 2.5.

I understand the risks and I am not distributing OpenVPN binaries.

As justification I make these points:

* Any large distributor of OpenVPN binaries could make the change to 
enable "echo" under Windows.


* That distributor could then abuse it as they please.

* I am simply asking for help for the purpose of debugging Open Source 
Software made for the community.


Thanks.
R


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [PATCH v4] Allow running a default configuration with TLS libraries without BF-CBC

2021-02-17 Thread Arne Schwabe
Modern TLS libraries might drop Blowfish by default or distributions
might disable Blowfish in OpenSSL/mbed TLS. We still signal OCC
options with BF-CBC compatible strings. To avoid requiring BF-CBC
for this, special-case this one usage of BF-CBC enough to avoid a hard
requirement on Blowfish in the default configuration.

Signed-off-by: Arne Schwabe 

Patch v2: add more clarifying comment, do not warn about OCC-only insecure
  ciphers, code improvements

Patch V3: Put ciphername resolution via cipher_kt_name in the right branch

Patch V4: Fix corner case of BF-CBC in data-ciphers not initialising cipher.
---
 src/openvpn/crypto_backend.h |  2 ++
 src/openvpn/init.c   | 32 ++--
 src/openvpn/options.c| 47 +++-
 3 files changed, 67 insertions(+), 14 deletions(-)

diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
index 384ffc80..93f7e475 100644
--- a/src/openvpn/crypto_backend.h
+++ b/src/openvpn/crypto_backend.h
@@ -241,6 +241,8 @@ const cipher_kt_t *cipher_kt_get(const char *ciphername);
  * The returned name is normalised to the OpenVPN config name in case the
  * name differs from the name used by the crypto library.
  *
+ * Returns [null-cipher] in case the cipher_kt is NULL.
+ *
  * @param cipher_kt Static cipher parameters
  *
  * @return a statically allocated string describing the cipher.
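Review bot: the new doc comment promises a "[null-cipher]" return when cipher_kt is NULL, but the diffstat lists only crypto_backend.h, init.c and options.c, so the OpenSSL and mbed TLS implementations of cipher_kt_name() are not touched by this patch; if they already behave this way, the commit message should say so, otherwise the NULL check still has to be added where the name is resolved. It would also help to state whether the string is literally `[null-cipher]` (brackets included), since callers may log or compare it.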
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 46c933b1..5cf257eb 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2769,14 +2769,30 @@ do_init_crypto_tls_c1(struct context *c)
 #endif /* if P2MP */
 }
 
-/* Do not warn if we only have BF-CBC in options->ciphername
- * because it is still the default cipher */
-bool warn = !streq(options->ciphername, "BF-CBC")
- || options->enable_ncp_fallback;
-/* Get cipher & hash algorithms */
-init_key_type(>c1.ks.key_type, options->ciphername, 
options->authname,
-  options->keysize, true, warn);
-
+   /*
+* BF-CBC is allowed to be used only when explicitly configured
+* as NCP-fallback or when NCP has been disabled.
+* In all other cases don't attempt to initialize BF-CBC as it
+* may not even be supported by the underlying SSL library.
+*
+* Therefore, the key structure has to be initialized when:
+* - any non-BF-CBC cipher was selected; or
+* - BF-CBC is selected and NCP is disabled (explicit request to
+*   use the BF-CBC cipher); or
+* - BF-CBC is selected, NCP is enabled and fallback is enabled
+*   (BF-CBC will be the fallback).
+*
+* Note that BF-CBC will still be part of the OCC string to retain
+* backwards compatibility with older clients.
+*/
+if (!streq(options->ciphername, "BF-CBC") || !options->ncp_enabled
+|| options->enable_ncp_fallback)
+{
+/* Do not warn if the if the cipher is used only in OCC */
+bool warn = !options->ncp_enabled || options->enable_ncp_fallback;
+init_key_type(>c1.ks.key_type, options->ciphername, 
options->authname,
+  options->keysize, true, warn);
+}
 /* Initialize PRNG with config-specified digest */
 prng_init(options->prng_hash, options->prng_nonce_secret_len);
 
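Review bot: the comment `/* Do not warn if the if the cipher is used only in OCC */` has a doubled "if the"; please fix the typo. The `warn` expression also changes behaviour for non-BF-CBC ciphers: previously any cipher other than BF-CBC warned, now a weak `--cipher` with NCP enabled and no fallback is silent. That matches the "do not warn about OCC only insecure ciphers" note from v2, but it deserves a sentence in the commit message. Finally, when the new condition is false (BF-CBC, NCP enabled, no fallback) `c1.ks.key_type` is left untouched; please confirm the context is zero-initialised so later code sees a NULL cipher rather than stale data, since the v4 note mentions exactly such an uninitialised-cipher corner case.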
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 059386b3..c02ad051 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -3609,9 +3609,29 @@ calc_options_string_link_mtu(const struct options *o, 
const struct frame *frame)
 {
 struct frame fake_frame = *frame;
 struct key_type fake_kt;
-init_key_type(_kt, o->ciphername, o->authname, o->keysize, true,
-  false);
+
 frame_remove_from_extra_frame(_frame, crypto_max_overhead());
+
+
+/* o->ciphername might be BF-CBC even though the underlying SSL library
+ * does not support it. For this reason we workaround this corner case
+ * by pretending to have no encryption enabled and by manually adding
+ * the required packet overhead to the MTU computation.
+ */
+const char* ciphername = o->ciphername;
+
+if (strcmp(o->ciphername, "BF-CBC") == 0)
+{
+/* none has no overhead, so use this to later add only --auth
+ * overhead */
+
+/* overhead of BF-CBC: 64 bit block size, 64 bit IV size */
+frame_add_to_extra_frame(_frame, 64/8 + 64/8);
+}
+
+init_key_type(_kt, ciphername, o->authname, o->keysize, true,
+  false);
+
 crypto_adjust_frame_parameters(_frame, _kt, o->replay,
cipher_kt_mode_ofb_cfb(fake_kt.cipher));
 frame_finalize(_frame, o->ce.link_mtu_defined, o->ce.link_mtu,
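Review bot: the BF-CBC branch does not do what its comments describe. `ciphername` is initialised from `o->ciphername` and never reassigned inside `if (strcmp(o->ciphername, "BF-CBC") == 0)`, so `init_key_type()` is still called with "BF-CBC", which either fails on a library without Blowfish (the very case the comment is working around) or, where Blowfish exists, counts the block and IV overhead twice, once from `frame_add_to_extra_frame(..., 64/8 + 64/8)` and once from `crypto_adjust_frame_parameters()` on the real cipher. Add `ciphername = "none";` inside the branch, as the "none has no overhead" comment intends. Style points: `const char* ciphername` should be `const char *ciphername` to match the surrounding code (e.g. `const struct frame *frame`), and the two consecutive empty `+` lines after `frame_remove_from_extra_frame()` can be dropped.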
@@ -3781,18 +3801,33 @@ options_string(const struct 

[Openvpn-devel] Summary of the community meeting (17th February 2021)

2021-02-17 Thread Samuli Seppänen


Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 17th February 2021
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, lev, mattock, novaflash, ordex, plaisthos and Pippin
participated in this meeting.

---

Noted that mattock will containerize the to-be upgraded buildmaster and
his own buildslaves. This helps cut through the (generally) crappy OS
packaging that needs to be dealt with on real VMs. [OpenVPN connectivity
tests (t_client) could complicate this on Docker, though].

---

Talked about potentially becoming a Linux Foundation project. This would
give us a number of benefits:



However, this seems to be an "all or nothing" package. In our (OpenVPN Inc)
case trademarks are the big question. Other requirements look quite
reasonable.

This needs to be discussed in more detail later.

---

Agreed to release 2.5.1 next Tuesday (23rd Feb).

---

Noted that there is a new shared trac/forums account "openvpn_inc".
Novaflash will reassign tickets from "denys" (an old support guy) to
this new account which will be manned by four people.

---

Talked about the current layout on the community forums:



Agreed that it is confusing and that it should be improved. Completely
archiving the old forums is an option, but (important) articles would
need to be migrated and traffic redirected to the new URLs. So just
improving what we have would be easiest and safest. This needs to be
discussed in more detail later.

There are also plans to set up a GDPR plugin for the forums.

Also noted that PhpBB is behind three versions and should be upgraded.

---

Lev will take over the "Bridged Windows 10 Causes Sporadic Crashes" issue:



It would still be good to know if this is a tap driver bug, or general
windows fubar.

---

Lev has been working on a Windows version of OpenVPN-DCO recently. It is
WDF and NetAdapterCx based so no more NDIS. Results are promising.

Lev and d12fk will start working together on getting the OpenVPN 3
reference client up-to-shape for this new DCO driver on Windows.

---

Plaisthos' Linux OpenVPN + DCO seems to be quite stable now. He is also
doing the openvpn2 side of things for ovpn-dco on Linux, including
server support.

---

Full chatlog attached

(13:03:09) mattock: hi
(13:04:11) mattock: cron2: you here already?
(13:04:13) cron2_: soon
(13:06:29) mattock: ok
(13:06:34) dazo: hey!
(13:07:28) cron2_: nearly there
(13:08:23) cron2_: so!
(13:09:13) cron2_: sorry for messing up your scheduling... the 11:30-12:30 time 
slot is very conflict prone if I get to do some actual work (as opposed to 
"sitting on IRC and ranting all day")
(13:09:33) cron2_: where's ordex and plaisthos and lev? :)
(13:09:54) mattock: hi!
(13:10:07) ordex: hi!
(13:10:50) lev__: good day
(13:10:51) novaflash [b9e34...@185-227-75-241.dsl.cambrium.nl] has entered the 
room.
(13:11:02) cron2_: oh, nice, lots of updates in the agenda page already :)
(13:11:20) cron2_: hi lev, novaflash
(13:11:25) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2021-02-17
(13:11:34) novaflash: i bring news
(13:11:49) mattock: tell the quickly
(13:11:52) mattock: we have 19 minutes
(13:11:55) novaflash: oh. it's in the meeting notes already. damnit.
(13:11:56) mattock: total :D
(13:12:03) novaflash: okay go go hurry hurry
(13:12:10) mattock: may I start with some quick updates
(13:13:05) cron2_: go
(13:13:07) mattock: "Containerized buildmaster and mattock's buildslaves": 
buildbot and the slaves are easiest to manage as containers, so that's my plan 
when going about upgrading them - this will not have any effect on any other 
buildslave providers
(13:13:18) mattock: cuts through the poor OS packaging
(13:13:47) mattock: then something I did not actually put on the topic list: I 
looked at Linux Foundation project support thingies (hinted by dazo)
(13:13:51) cron2_: won't help me much on non-linux, but as I only have one 
buildslave per VM, "the VM is the container".  So you just tell me what I want
(13:14:30) mattock: it seems like we could not in practice become a linux 
foundation project because of trademarks (we want to keep them), but otherwise 
there were no really major blockers
(13:15:02) mattock: that said, the Linux Foundation Project approach seems to 
be suited better for large projects with multiple (large) vendors co-operating 
on the same piece of software
(13:15:04) cron2_: what was the intention?  funding, or prestige?
(13:15:05) mattock: openstack or such
(13:15:17) mattock: just to research if we could benefit from their programs
(13:15:19) cron2_: or manpower / project management?