si simsons | 20 Sep 00:29 2014

(no subject)

Slashdot TV.  Video for Nerds.  Stuff that Matters.
Openvpn-devel mailing list
Openvpn-devel <at>
David Sommerseth | 18 Sep 11:02 2014

[PATCH] Add systemd unit file for OpenVPN

From: David Sommerseth <davids <at>>

This is to encourage all Linux distributions to use a unified systemd
unit file.

This unit file also tries to reduce the capabilities of the running
openvpn process.

Signed-off-by: David Sommerseth <davids <at>>
 distro/systemd/openvpn@.service | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 distro/systemd/openvpn@.service

diff --git a/distro/systemd/openvpn <at> .service b/distro/systemd/openvpn <at> .service
new file mode 100644
index 0000000..e17a8a5
--- /dev/null
+++ b/distro/systemd/openvpn <at> .service
 <at>  <at>  -0,0 +1,19  <at>  <at> 
+Description=OpenVPN tunnel for %I
+ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/ --cd /etc/openvpn/
--config %i.conf
+DeviceAllow=/dev/null rw
+DeviceAllow=/dev/net/tun rw
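
Review bot: the --writepid argument in the ExecStart line ends in the directory /var/run/openvpn/ with no file name, so as posted openvpn would try to write its pid to a directory and fail, or the file name was lost when the line wrapped onto the "--config %i.conf" line; check that it names a per-instance file such as %i.pid, that the directory exists before start (RuntimeDirectory= or a tmpfiles.d entry), and that the unit's PIDFile= points at the same path, since with --daemon that file is what systemd relies on to track the forked process. The commit message also says the unit reduces the capabilities of the running process, but the visible lines only restrict device access with DeviceAllow; if a CapabilityBoundingSet= is part of the unit, naming the capabilities kept would make the commit message verifiable.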


Want excitement?
Manually upgrade your production database.
When you want reliability, choose Perforce
Perforce version control. Predictably reliable.
David Sommerseth | 9 Sep 19:26 2014

[PATCH v2 0/2] Further systemd cleanups

From: David Sommerseth <davids <at>>

This replaces patch 2/4 [1] and patch 3/4 [2] of the last round,
just fixing up things from the review.

Patch 1/4 [3] got an ACK and has been applied, while patch 4/4 [4]
will be considered in a bigger scope.

[1] <>
[2] <>
[3] <>
[4] <>

David Sommerseth (2):
  Don't try to use systemd-ask-password if it is not available
  Clean up the pipe closing in openvpn_popen()

 src/openvpn/console.c |  8 +++++---
 src/openvpn/misc.c    | 18 ++++++++++--------
 2 files changed, 15 insertions(+), 11 deletions(-)



davids | 5 Sep 17:25 2014

[PATCH 0/4] Clean-up of the systemd integration

From: David Sommerseth <davids <at>>

There were a few issues with the systemd implementation,
where the openvpn binary would have zombie processes attached
to itself when systemd-ask-password was used.  In addition,
the communication pipes used were not always properly closed.

This patch set also avoids OpenVPN failing if systemd-ask-password
is not found, but rather falls back to the normal console method.

David Sommerseth (4):
  Don't let openvpn_popen() keep zombies around
  Don't try to use systemd-ask-password if it is not available
  Clean up the pipe closing in openvpn_popen()
  White-space clean-up of openvpn_popen()

 src/openvpn/console.c | 11 ++++----
 src/openvpn/misc.c    | 75 ++++++++++++++++++++++++++++-----------------------
 2 files changed, 47 insertions(+), 39 deletions(-)

kind regards,

David Sommerseth



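
The read/reap ordering the cover letter is about, as an added example that is not OpenVPN's openvpn_popen(): a popen-style helper in C that runs a command with its stdout on a pipe, reads the pipe to EOF, closes it and only then reaps the child with waitpid(), and reports a command that cannot be executed (as a missing systemd-ask-password would be) as -1 so the caller can fall back to another method. The helper, the demo commands run through /bin/sh and the 64-byte capture buffer are constructions for this example; /bin/sh is assumed to exist.

```c
/* Added example, not OpenVPN's openvpn_popen(): run a command, read its
 * stdout to EOF, close the pipe, then reap the child so no zombie remains.
 * A command that cannot be executed is reported as -1 for fallback. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Runs argv[0] with argv, capturing up to buflen-1 bytes of its stdout into
 * buf (NUL-terminated). Returns the child's exit code, or -1 if it could not
 * be started, exec failed, or it was killed by a signal. */
static int run_capture(char *const argv[], char *buf, size_t buflen)
{
    int pipefd[2];
    if (pipe(pipefd) == -1)
        return -1;

    pid_t pid = fork();
    if (pid == -1) {
        close(pipefd[0]);
        close(pipefd[1]);
        return -1;
    }
    if (pid == 0) {                        /* child: stdout -> pipe, then exec */
        close(pipefd[0]);
        dup2(pipefd[1], STDOUT_FILENO);
        close(pipefd[1]);
        execv(argv[0], argv);
        _exit(127);                        /* exec failed: command not available */
    }

    close(pipefd[1]);                      /* parent keeps only the read end */

    /* Read to EOF before waiting. Waiting first would deadlock as soon as the
     * child writes more than the pipe buffer holds. Output beyond buf is
     * drained and discarded rather than left unread. */
    size_t n = 0;
    for (;;) {
        char junk[256];
        char *dst = buf + n;
        size_t room = buflen - 1 - n;
        if (room == 0) { dst = junk; room = sizeof junk; }
        ssize_t r = read(pipefd[0], dst, room);
        if (r > 0) {
            if (dst != junk) n += (size_t)r;
        } else if (r == 0 || errno != EINTR) {
            break;                         /* EOF or a real error */
        }
    }
    buf[n] = '\0';
    close(pipefd[0]);

    /* Reap the child: this is the wait() call the cover letter says was missing. */
    int status;
    while (waitpid(pid, &status, 0) == -1) {
        if (errno != EINTR) return -1;
    }
    if (!WIFEXITED(status))
        return -1;                         /* killed by a signal */
    int code = WEXITSTATUS(status);
    return code == 127 ? -1 : code;        /* 127 is our exec-failure marker */
}

/* Constructed demo scenarios sharing one small capture buffer. */
static char capture[64];

static int demo_small(void)                /* short output, exit code 3 */
{
    char *argv[] = { "/bin/sh", "-c", "printf secret; exit 3", NULL };
    return run_capture(argv, capture, sizeof capture);
}

static int demo_missing(void)              /* binary not present: fallback case */
{
    char *argv[] = { "/nonexistent/systemd-ask-password", "--help", NULL };
    return run_capture(argv, capture, sizeof capture);
}

static int demo_large(void)                /* 200,000 bytes, far beyond a pipe buffer */
{
    char *argv[] = { "/bin/sh", "-c",
        "i=0; while [ $i -lt 20000 ]; do printf 0123456789; i=$((i+1)); done",
        NULL };
    return run_capture(argv, capture, sizeof capture);
}

/* True once every child has been reaped: waitpid(-1) reports no children. */
static int no_children_left(void)
{
    return waitpid(-1, NULL, WNOHANG) == -1 && errno == ECHILD;
}

int main(void)
{
    int rc = demo_small();
    printf("small: rc=%d out=\"%s\"\n", rc, capture);
    printf("missing: rc=%d\n", demo_missing());
    rc = demo_large();
    printf("large: rc=%d kept %zu bytes, no deadlock\n", rc, strlen(capture));
    printf("zombies left: %s\n", no_children_left() ? "no" : "yes");
    return 0;
}
```

The parent reads until EOF and only then calls waitpid(), so the child is reaped without the deadlock that waiting before reading would cause on large output; exec failure is signalled through exit code 127, which a caller can treat as "helper not available" and fall back on.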
Steffan Karger | 4 Sep 13:13 2014

[PATCH] Remove quadratic complexity from openvpn_base64_decode()


Attached a patch for a change suggested by Jann Horn, to remove the
quadratic complexity from openvpn_base64_decode().

The suggestion was originally sent to the security list, because
quadratic complexity can potentially lead to a denial-of-service attack
vector. In the current OpenVPN codebase, this is however *not* the case.

OpenVPN doesn't use its base64 encoding a lot. The only place where a
denial of service could be interesting is when the server uses a
management interface, and an authenticated client sends a malicious
challenge response to the server. Those responses are sent over the TLS
channel, and openvpn limits those messages to 2048 bytes
(TLS_CHANNEL_BUF_SIZE). The old base64 decode code has a complexity of
(n/8)^2 (one strlen over on average half the string length per 4-byte
base64 token), which results in 65536 byte comparisons per message.
That's not enough to be practical for an attack.

That said, I do like the suggestion to make the code constant time. I'd
say it should be applied to both master and 2.3 branches as a bugfix.

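
The quadratic cost described above, as an added example that is not OpenVPN's code: two small base64 decoders over a constructed input, one re-measuring the remaining string with strlen() before every 4-character group in the style the message attributes to the old code, one measuring it once, with every input byte each decoder touches counted. The decoders, the counting strlen() and the all-'A' input are constructions for this example; only the 2048-byte limit (TLS_CHANNEL_BUF_SIZE) comes from the message.

```c
/* Added example, not OpenVPN's code: compare a base64 decoder that re-runs
 * strlen() for every 4-character group (quadratic) with one that measures
 * the input once (linear), by counting the input bytes each one reads. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static int b64_val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* strlen() that counts the bytes it reads, including the terminating NUL. */
static size_t counted_strlen(const char *s, size_t *reads)
{
    size_t n = 0;
    while (s[n] != '\0') { n++; (*reads)++; }
    (*reads)++;
    return n;
}

/* Decodes one 4-character group into out[0..2]; returns the bytes produced
 * (3, or fewer with '=' padding) or -1 on a malformed group. */
static int decode_group(const char *g, uint8_t *out, size_t *reads)
{
    uint32_t acc = 0;
    int nbytes = 3;
    for (int i = 0; i < 4; i++) {
        int c = (unsigned char)g[i];
        (*reads)++;
        if (c == '=') {
            if (i < 2) return -1;              /* padding only in the last two slots */
            nbytes--;
            acc <<= 6;
        } else {
            int v = b64_val(c);
            if (v < 0 || nbytes < 3) return -1; /* bad char, or data after '=' */
            acc = (acc << 6) | (uint32_t)v;
        }
    }
    out[0] = (uint8_t)(acc >> 16);
    if (nbytes > 1) out[1] = (uint8_t)(acc >> 8);
    if (nbytes > 2) out[2] = (uint8_t)acc;
    return nbytes;
}

/* Quadratic: the remaining length is re-measured before every group, so the
 * bytes read grow with (n/4)^2. */
static long decode_quadratic(const char *in, uint8_t *out, size_t outlen, size_t *reads)
{
    size_t o = 0;
    while (counted_strlen(in, reads) >= 4) {
        if (o + 3 > outlen) return -1;
        int n = decode_group(in, out + o, reads);
        if (n < 0) return -1;
        o += (size_t)n;
        in += 4;
        if (n < 3) break;                      /* padding ends the data */
    }
    return (long)o;
}

/* Linear: measure once, then walk the groups. */
static long decode_linear(const char *in, uint8_t *out, size_t outlen, size_t *reads)
{
    size_t o = 0;
    size_t len = counted_strlen(in, reads);
    for (size_t i = 0; i + 4 <= len; i += 4) {
        if (o + 3 > outlen) return -1;
        int n = decode_group(in + i, out + o, reads);
        if (n < 0) return -1;
        o += (size_t)n;
        if (n < 3) break;
    }
    return (long)o;
}

typedef long (*decoder_fn)(const char *, uint8_t *, size_t, size_t *);

/* Runs dec over a constructed input of n 'A' characters (n <= 4096) and
 * returns how many input bytes it read; n = 2048 is the TLS_CHANNEL_BUF_SIZE
 * limit the message cites. */
static size_t reads_for(decoder_fn dec, size_t n)
{
    char in[4097];
    uint8_t out[3072];
    size_t reads = 0;
    if (n > 4096) n = 4096;
    memset(in, 'A', n);
    in[n] = '\0';
    dec(in, out, sizeof out, &reads);
    return reads;
}

/* True if both decoders turn s into exactly the bytes of expected. */
static int decodes_to(const char *s, const char *expected)
{
    uint8_t a[64], b[64];
    size_t r = 0;
    size_t e = strlen(expected);
    long na = decode_quadratic(s, a, sizeof a, &r);
    long nb = decode_linear(s, b, sizeof b, &r);
    return na == (long)e && nb == (long)e &&
           memcmp(a, expected, e) == 0 && memcmp(b, expected, e) == 0;
}

int main(void)
{
    printf("both decode \"aGVsbG8=\" to hello: %d\n", decodes_to("aGVsbG8=", "hello"));
    printf("bytes read for a 2048-byte message: quadratic %zu, linear %zu\n",
           reads_for(decode_quadratic, 2048), reads_for(decode_linear, 2048));
    return 0;
}
```

At the 2048-byte limit the re-measuring decoder touches roughly 130 times as many bytes as the linear one, which is the cost the message judges too small to be a practical attack but still worth removing.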
davids | 3 Sep 18:23 2014

[PATCH] Don't let openvpn_popen() keep zombies around

From: David Sommerseth <davids <at>>

Commit 9449e6a9eba30c9ed054f57d630a88c9f087080f introduced the
openvpn_popen() function to support retrieving passwords via systemd.

It was discovered that the child processes openvpn fork()ed would
be lingering around until openvpn stopped.  This was due to the lack
of a wait() call.

This patch also cleans up a few minor white-space issues in the same
code segment.

Cc: Frederic Crozat <fcrozat <at>>
Signed-off-by: David Sommerseth <davids <at>>
 src/openvpn/misc.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index 63b4c1c..16c8dcf 100644
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
 <at>  <at>  -376,8 +376,11  <at>  <at>  openvpn_popen (const struct argv *a,  const struct env_set *es)
 		      else /* parent side */
-                            ret=pipe_stdout[0];
-			    close (pipe_stdout[1]);
+                          int status;
+                          waitpid(pid, &status, 0);
+                          ret = pipe_stdout[0];
+                          close (pipe_stdout[1]);
 	      else {
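
Review bot: calling waitpid() before the parent has read anything from pipe_stdout[0] can deadlock: the child blocks on write once its output exceeds the pipe buffer while the parent blocks in waitpid() waiting for it to exit. The output of systemd-ask-password is small, so this works in practice, but the robust order is to read the pipe to EOF, close it, and then reap the child, or to reap where the caller closes the descriptor returned in ret. The exit status in `status` is also never inspected, so a helper that fails (non-zero exit, or exec failure) is indistinguishable from one that returned an empty password. Finally, the hunk header says 11 lines after the change but only six are shown, so braces may have been dropped in the excerpt; if `else /* parent side */` really is followed by four statements without a block, only `int status;` belongs to the else.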


張 世杰 | 3 Sep 13:18 2014

[PATCH] kill command with IPv6 client address and port


For ticket #280, this patch allows the server to kill a client with a specified IPv6 address (and port),
and shows the port in the status command output.

For example, when the server is started with proto udp6, the output of the status 2 command looks like:
CLIENT_LIST,admin,::ffff:,,7849, ...
CLIENT_LIST,admin,fe80::211:32ff:fe19:699b(1194),,13010, ...

And the client can be killed with the kill command:
kill ::ffff:
kill fe80::211:32ff:fe19:699b(1194)

Steffan Karger | 23 Aug 18:21 2014

[PATCH] Add option to disable Diffie Hellman key exchange by setting "--dh none"

As requested on the mailing list and in trac ticket #410, add an option to
disable 'traditional' Diffie Hellman key exchange. People want to be able
to create ecdh-only configurations.

Also update the manpage to reflect the new behaviour, and while touching it
change the text to motivate users towards a more secure configuration.

Signed-off-by: Steffan Karger <steffan <at>>
 doc/openvpn.8         | 15 ++++++++++-----
 src/openvpn/options.c | 14 ++++++++++----
 src/openvpn/ssl.c     |  5 ++++-
 3 files changed, 24 insertions(+), 10 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index f2911c0..0448d29 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
 <at>  <at>  -4238,13 +4238,18  <at>  <at>  Not available with PolarSSL.
 File containing Diffie Hellman parameters
 in .pem format (required for
 .B \-\-tls-server
-only). Use

-.B openssl dhparam -out dh1024.pem 1024
+.B file=none
+to disable Diffie Hellman key exchange (and use ECDH only). Note that this
+requires peers to be using an SSL library that supports ECDH TLS cipher suites
+(e.g. OpenSSL 1.0.1+, or PolarSSL 1.3+).

-to generate your own, or use the existing dh1024.pem file
-included with the OpenVPN distribution.  Diffie Hellman parameters
-may be considered public.
+.B openssl dhparam -out dh2048.pem 2048
+to generate 2048-bit DH parameters. Diffie Hellman parameters may be considered
 .B \-\-ecdh-curve name
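
Review bot: the new text says ECDH-only operation requires peers with an ECDH-capable TLS library but not what happens otherwise; a sentence stating that clients without ECDH support will fail the TLS handshake (no shared cipher suite) would save users debugging time. The example should also spell out that `--dh none` is the form used on the command line and in config files, since `.B file=none` reads as a separate keyword rather than as "the file argument set to none". The last line of the hunk, "Diffie Hellman parameters may be considered", is cut off in the posted excerpt; make sure the sentence ends with "public." in the applied text.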
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 84eb6ed..92189a5 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
 <at>  <at>  -2149,10 +2149,6  <at>  <at>  options_postprocess_verify_ce (const struct options *options, const struct conne
       (options->shared_secret_file != NULL) > 1)
     msg (M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");

-  if (options->tls_server)
-    {
-      notnull (options->dh_file, "DH file (--dh)");
-    }
   if (options->tls_server || options->tls_client)
 #ifdef ENABLE_PKCS11
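
Review bot: with notnull() removed from options_postprocess_verify_ce(), a --tls-server configuration without --dh is no longer rejected by the per-connection-entry verification pass and relies entirely on the check added to options_postprocess_mutate(); the commit message should state that mutate runs before init_ssl() on every path that reaches tls_ctx_load_dh_params(), since a missed path would now silently start without DH parameters instead of producing the usage error.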
 <at>  <at>  -2504,6 +2500,16  <at>  <at>  options_postprocess_mutate (struct options *o)
   for (i = 0; i < o->connection_list->len; ++i)
 	options_postprocess_mutate_ce (o, o->connection_list->array[i]);

+#ifdef ENABLE_SSL
+  if (o->tls_server)
+    {
+      /* Check that DH file is specified, or explicitly disabled */
+      notnull (o->dh_file, "DH file (--dh)");
+      if (streq (o->dh_file, "none"))
+	o->dh_file = NULL;
+    }
   if (o->http_proxy_override)
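
Review bot: the new `#ifdef ENABLE_SSL` block has no `#endif` in the visible lines before `if (o->http_proxy_override)`, so either it was lost in the excerpt or the build breaks without ENABLE_SSL; please check. Two smaller points: the notnull() message "DH file (--dh)" should tell the user that none is accepted, e.g. "DH file (--dh), or --dh none to use ECDH only", and streq() is case-sensitive, so `--dh None` will be treated as a file name, which is acceptable but worth a sentence in the man page.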
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 3ce1f60..34f02a7 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
 <at>  <at>  -483,7 +483,10  <at>  <at>  init_ssl (const struct options *options, struct tls_root_ctx *new_ctx)
   if (options->tls_server)
-      tls_ctx_load_dh_params(new_ctx, options->dh_file, options->dh_file_inline);
+      if (options->dh_file)
+	tls_ctx_load_dh_params(new_ctx, options->dh_file,
+			       options->dh_file_inline);
   else				/* if client */
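
Review bot: as shown, `if (options->tls_server)` is followed by the new inner `if (options->dh_file)` and then `else /* if client */`; without braces around the server branch the else binds to the inner if, so a server started with --dh none would run the client-side code. If the braces are in context lines dropped from the excerpt this is fine; otherwise wrap the server branch in a block.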


Steffan Karger | 20 Aug 23:00 2014

[PATCH 1/2] Fix some uninitialized variable warnings

Does not actually change behaviour, but fixes compiler warnings,
and properly initializing is a good habit anyway.

Signed-off-by: Steffan Karger <steffan <at>>
 src/openvpn/plugin.c | 2 +-
 src/openvpn/sig.c    | 2 +-
 src/openvpn/socket.c | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c
index 0948f23..54c5b52 100644
--- a/src/openvpn/plugin.c
+++ b/src/openvpn/plugin.c
 <at>  <at>  -291,7 +291,7  <at>  <at>  plugin_init_item (struct plugin *p, const struct plugin_option *o)
 static void
 plugin_vlog (openvpn_plugin_log_flags_t flags, const char *name, const char *format, va_list arglist)
-  unsigned int msg_flags;
+  unsigned int msg_flags = 0;

   if (!format)
diff --git a/src/openvpn/sig.c b/src/openvpn/sig.c
index 90e39a4..a3d29de 100644
--- a/src/openvpn/sig.c
+++ b/src/openvpn/sig.c
 <at>  <at>  -126,7 +126,7  <at>  <at>  print_signal (const struct signal_info *si, const char *title, int msglevel)
       const char *type = (si->signal_text ? si->signal_text : "");
       const char *t = (title ? title : "process");
-      const char *hs;
+      const char *hs = NULL;
       switch (si->source)
         case SIG_SOURCE_SOFT:
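
Review bot: initializing hs to NULL silences the warning but does not address why the compiler sees a path that leaves it unset: the switch on si->source has no default case in the visible lines, and if hs is later formatted with %s a NULL prints "(null)" or crashes depending on the libc. A `default: hs = "unknown";` (or an ASSERT) would be the behaviour-preserving fix the commit message aims for.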
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index 9e6bd10..c649d62 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
 <at>  <at>  -2354,12 +2354,12  <at>  <at>  print_sockaddr_ex (const struct sockaddr *sa,
 				   struct gc_arena *gc)
   struct buffer out = alloc_buf_gc (128, gc);
-  bool addr_is_defined;
+  bool addr_is_defined = false;
   char hostaddr[NI_MAXHOST] = "";
   char servname[NI_MAXSERV] = "";
   int status;

-  socklen_t salen;
+  socklen_t salen = 0;
     case AF_INET:
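
Review bot: `salen = 0` only matters if print_sockaddr_ex() reaches the lookup that the NI_MAXHOST/NI_MAXSERV buffers imply with an address family not covered by the switch; the visible hunk shows only `case AF_INET:`, so the question is what the default path does. If there is none, a `default:` that leaves addr_is_defined false and skips the lookup makes the intent explicit rather than relying on a zero length to make the lookup fail.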


Gert Doering | 20 Aug 13:22 2014

Re: Ongoing Windows 8 issues


On Wed, Aug 20, 2014 at 11:49:18AM +0200, Richard Weinberger wrote:
> Okay, let's come down a bit and have a cup of coffee first.

Good plan :-)

> I did not know about the new NDIS6 drivers. Now there is a comment mentioning it. Thanks for
> that. This is all I wanted.

So, yes, "we are working on it" (it was decided last year in Munich that
this was needed, and OpenVPN Tech actually found someone who understands
windows programming well enough to tackle this and paid him to do it).  

It seems to have some bugs left, though, so carefully test this before 
rolling out.


USENET is *not* the non-clickable part of WWW!
Gert Doering - Munich, Germany                             gert <at>
fax: +49-89-35655025                        gert <at>
Richard Weinberger | 20 Aug 09:32 2014

Ongoing Windows 8 issues


This bug has existed for almost 14 months (!!) without a solution.
Some hacks work, some do not.

I really wonder why this issue is ignored by the OpenVPN developers.


