Steffan Karger | 29 Jul 23:04 2014

[PATCH] Fix typo in cipher_kt_mode_{cbc, ofb_cfb}() doxygen.

Signed-off-by: Steffan Karger <steffan <at> karger.me>
---
 src/openvpn/crypto_backend.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
index a48ad6c..bc067a7 100644
--- a/src/openvpn/crypto_backend.h
+++ b/src/openvpn/crypto_backend.h
 <at>  <at>  -231,7 +231,7  <at>  <at>  int cipher_kt_block_size (const cipher_kt_t *cipher_kt);
 int cipher_kt_mode (const cipher_kt_t *cipher_kt);

 /**
- * Check of the supplied cipher is a supported CBC mode cipher.
+ * Check if the supplied cipher is a supported CBC mode cipher.
  *
  *  <at> param cipher	Static cipher parameters. May not be NULL.
  *
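Review bot: no functional concern with this hunk; "Check of" → "Check if" is the right fix, and the retained `@param cipher ... May not be NULL` line stays consistent with the `__attribute__((nonnull))` on cipher_kt_mode_cbc that is visible as context of the next hunk. Worth grepping crypto_backend.h for the same "Check of" wording so the two comments fixed here do not leave a third one behind.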
 <at>  <at>  -241,7 +241,7  <at>  <at>  bool cipher_kt_mode_cbc(const cipher_kt_t *cipher)
   __attribute__((nonnull));

 /**
- * Check of the supplied cipher is a supported OFB or CFB mode cipher.
+ * Check if the supplied cipher is a supported OFB or CFB mode cipher.
  *
  *  <at> param cipher	Static cipher parameters. May not be NULL.
  *
--

-- 
1.9.1


Steffan Karger | 29 Jul 22:52 2014

[PATCH] Fix frame size calculation for non-CBC modes.

CBC mode is the only mode that OpenVPN supports that needs padding. So,
only include the worst case padding size in the frame size calculation when
using CBC mode.

While doing so, rewrite crypto_adjust_frame_parameters() to be better
readable, and provide debug output (for high debug levels).

Signed-off-by: Steffan Karger <steffan <at> karger.me>
---
 src/openvpn/crypto.c | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index ef2bde1..2ba8487 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
 <at>  <at>  -403,11 +403,27  <at>  <at>  crypto_adjust_frame_parameters(struct frame *frame,
 			       bool packet_id,
 			       bool packet_id_long_form)
 {
-  frame_add_to_extra_frame (frame,
-			    (packet_id ? packet_id_size (packet_id_long_form) : 0) +
-			    ((cipher_defined && use_iv) ? cipher_kt_iv_size (kt->cipher) : 0) +
-			    (cipher_defined ? cipher_kt_block_size (kt->cipher) : 0) + /* worst case padding expansion */
-			    kt->hmac_length);
+  size_t crypto_overhead = 0;
+
+  if (packet_id)
+    crypto_overhead += packet_id_size (packet_id_long_form);
+
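Review bot: the hunk is cut off after the packet_id term, so the CBC-only gate that the commit message promises for the block-size term is not visible in this excerpt; when reviewing the full patch, confirm that `cipher_kt_block_size (kt->cipher)` is added only when the cipher is in CBC mode and that the `(cipher_defined && use_iv) ? cipher_kt_iv_size (kt->cipher) : 0` term is kept for OFB/CFB, which still carry an IV. Also, `crypto_overhead` is a `size_t` while the removed code passed an `int` expression (including `kt->hmac_length`) straight to frame_add_to_extra_frame; check that function's parameter type so the final call does not introduce an implicit narrowing conversion. Since this change shrinks the reserved overhead for non-CBC modes rather than growing it, the debug output mentioned in the commit message should print the final `crypto_overhead` value so it can be compared against observed packet growth in a test run.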

Julien Muchembled | 29 Jul 19:28 2014

[PATCH] Fix --mtu-disc option with IPv6 transport

Socket configuration of MTU discovery was done unconditionally at IP level,
which has no effect for other protocols. This fixes the issue of OpenVPN
sending fragmented tcp6/udp6 packets even when 'mtu-disc yes' option is passed.

Signed-off-by: Julien Muchembled <jm <at> nexedi.com>
---
 src/openvpn/mtu.c    | 23 +++++++++++++++++------
 src/openvpn/mtu.h    |  2 +-
 src/openvpn/socket.c |  2 +-
 3 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c
index 13f3f6c..426c487 100644
--- a/src/openvpn/mtu.c
+++ b/src/openvpn/mtu.c
 <at>  <at>  -153,15 +153,26  <at>  <at>  frame_print (const struct frame *frame,
 #define MTUDISC_NOT_SUPPORTED_MSG "--mtu-disc is not supported on this OS"

 void
-set_mtu_discover_type (int sd, int mtu_type)
+set_mtu_discover_type (int sd, int mtu_type, sa_family_t proto_af)
 {
   if (mtu_type >= 0)
     {
-#if defined(HAVE_SETSOCKOPT) && defined(SOL_IP) && defined(IP_MTU_DISCOVER)
-      if (setsockopt
-	  (sd, SOL_IP, IP_MTU_DISCOVER, &mtu_type, sizeof (mtu_type)))
-	msg (M_ERR, "Error setting IP_MTU_DISCOVER type=%d on TCP/UDP socket",
-	     mtu_type);
+#if defined(HAVE_SETSOCKOPT) && defined(IP_MTU_DISCOVER) && defined(IPV6_MTU_DISCOVER)
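Review bot: the new preprocessor guard on the last visible line requires both IP_MTU_DISCOVER and IPV6_MTU_DISCOVER to be defined, whereas the removed guard needed only SOL_IP and IP_MTU_DISCOVER; a platform that defines the IPv4 option but not the IPv6 one would now fall through to MTUDISC_NOT_SUPPORTED_MSG for IPv4 sockets as well, so consider guarding the two setsockopt paths separately. The signature change to `set_mtu_discover_type (int sd, int mtu_type, sa_family_t proto_af)` matches the one-line changes to mtu.h and socket.c in the diffstat; make sure the header has `<sys/socket.h>` available for sa_family_t, and that the error message (previously hard-coded to "IP_MTU_DISCOVER") names whichever option was actually set.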

Lev Stipakov | 29 Jul 12:56 2014

Async OPENVPN_PLUGIN_CLIENT_CONNECT plugin support

Hello,

I am pondering about an asynchronous OPENVPN_PLUGIN_CLIENT_CONNECT
callback. Basically, I want _not_ to establish the connection until a
response is received, and of course I don't want to block the rest of the traffic.

My idea is to have some kind of connect_control_file (similar to
auth_control_file) and pass its path via env to
OPENVPN_PLUGIN_CLIENT_CONNECT. In case the plugin (or maybe script
too?) has returned OPENVPN_PLUGIN_FUNC_DEFERRED, I continue executing
"multi_connection_established" as usual, except I don't set
"push_reply_deferred" to False (to prevent the push response from being
sent) and I set some "connect-deferred" flag.

Next, when "process_incoming_push_msg" gets called and the flag
"connect-deferred" is set, I check the state of connect_control_file.
If there is, say, "1", I send the push reply and the connection gets
established.

What do you think about that? Does that approach sound reasonable?

-- 
-Lev
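The control-file check this proposal describes, as an added example that is not OpenVPN code and not part of Lev's work: it assumes the hypothetical connect_control_file uses the same "1"/"0" convention as auth_control_file, treats a missing, empty or unrecognised file as "no decision yet", and models the "connect-deferred" flag on a small struct so the push reply is sent exactly once, after an explicit accept. The struct and function names, and the path under /tmp, are constructed for the example.

```c
/* Added example, not OpenVPN code: a minimal model of the deferred
 * client-connect decision described in the proposal. Assumptions: the
 * hypothetical connect_control_file follows the auth_control_file
 * convention ("1" = accept, "0" = reject), and a missing or empty file
 * means the plugin has not decided yet. */
#include <stdio.h>

enum connect_state { CONNECT_PENDING = 0, CONNECT_ACCEPT = 1, CONNECT_REJECT = 2 };

/* Read the plugin's decision from the control file. Only the first byte is
 * consulted; anything other than '1' or '0' keeps the client waiting, so a
 * partially written or garbled file can never admit a client. */
enum connect_state connect_control_file_state(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f)
        return CONNECT_PENDING;         /* not written yet (or unreadable) */
    int c = fgetc(f);
    fclose(f);
    switch (c) {
    case '1': return CONNECT_ACCEPT;
    case '0': return CONNECT_REJECT;
    default:  return CONNECT_PENDING;   /* EOF or unexpected content */
    }
}

/* Per-client state: the "connect-deferred" flag from the proposal plus the
 * two outcomes it gates. */
struct deferred_client {
    const char *control_file;
    int connect_deferred;   /* set when the plugin returned DEFERRED */
    int push_reply_sent;    /* stands in for sending the push reply */
    int rejected;           /* stands in for tearing the client down */
};

/* Called at the point where process_incoming_push_msg would run: while the
 * connect is deferred, consult the control file; the push reply goes out
 * exactly once, only after an explicit accept. */
enum connect_state deferred_client_poll(struct deferred_client *c)
{
    if (!c->connect_deferred)
        return c->rejected ? CONNECT_REJECT : CONNECT_ACCEPT;
    enum connect_state st = connect_control_file_state(c->control_file);
    if (st == CONNECT_ACCEPT) {
        c->connect_deferred = 0;
        c->push_reply_sent = 1;
    } else if (st == CONNECT_REJECT) {
        c->connect_deferred = 0;
        c->rejected = 1;
    }
    return st;
}

/* Plugin side (test helper): record a decision. Returns 0 on success. */
int write_connect_decision(const char *path, const char *decision)
{
    FILE *f = fopen(path, "wb");
    if (!f)
        return -1;
    int ok = fputs(decision, f) >= 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

/* Drive one deferred client through a decision written by the "plugin":
 * returns 1 if the push reply went out, 0 if the client was rejected,
 * 2 if it is still waiting, -1 on I/O error. */
int deferred_roundtrip(const char *path, const char *decision)
{
    struct deferred_client c = { path, 1, 0, 0 };
    remove(path);                                   /* start undecided */
    if (deferred_client_poll(&c) != CONNECT_PENDING)
        return -1;
    if (write_connect_decision(path, decision) != 0)
        return -1;
    enum connect_state st = deferred_client_poll(&c);
    remove(path);
    if (st == CONNECT_PENDING)
        return 2;
    return c.push_reply_sent ? 1 : 0;
}

int main(void)
{
    const char *path = "/tmp/connect_control_example.tmp";   /* constructed path */
    printf("accept -> %d, reject -> %d, no decision -> %d\n",
           deferred_roundtrip(path, "1\n"),
           deferred_roundtrip(path, "0\n"),
           deferred_roundtrip(path, ""));
    return 0;
}
```

The only byte that admits a client is a leading '1'; everything else, including an absent file, leaves the client in the deferred state, so the failure mode of a crashed or slow plugin is "never connected" rather than "connected without a decision". The directory holding the control file should be writable only by the daemon and the plugin, as with auth_control_file.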


pbarton | 25 Jul 16:09 2014

OpenVPN FIPS 140-2 Compliant

I was directed to this mailing list from the OpenVPN forums by one of the moderators.  I hope someone here can help me.  Here is a link to my post:


Any assistance or comments you can provide would be welcome and greatly appreciated.

Thank you,

--
Peter Barton
NetProtec
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Arne Schwabe | 24 Jul 23:37 2014

[PATCH] Remove deprecated --max-routes option from manual

---
 doc/openvpn.8 | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index aee0bc8..f2911c0 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
 <at>  <at>  -1011,13 +1011,6  <at>  <at>  table (not supported on all OSes).
 address if OpenVPN is being run in client mode, and is undefined in server mode.
 .\"*********************************************************
 .TP
-.B \-\-max-routes n
-Allow a maximum number of n
-.B \-\-route
-options to be specified, either in the local configuration file,
-or pulled from an OpenVPN server.  By default, n=100.
-.\"*********************************************************
-.TP
 .B \-\-route-gateway gw|'dhcp'
 Specify a default gateway
 .B gw
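Review bot: the commit carries no Signed-off-by line (the message goes straight from the subject to the diffstat), unlike the other patches in this batch; please add one. On the hunk itself, deleting the whole .TP block is right if the option has been removed from the parser, but the subject says "deprecated": if --max-routes is still accepted and ignored, a one-line note to that effect would spare users with `max-routes` in existing configs a confusing lookup, and it would preserve the information that the old default was n=100.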
--

-- 
1.8.5.2 (Apple Git-48)

Gert Doering | 24 Jul 20:10 2014

Re: Openvpn 2.3.2: "Could not create temporary file" ....Too many open files

Hi,

On Thu, Jul 24, 2014 at 05:22:37PM +0200, arno.odermatt <at> ch.schindler.com wrote:
> I did the first part:
> 
> NO, we are not using any Plugins, only client -connects scripts

Mmmh, ok.

> lsof -n | wc -l           4405 

That doesn't tell much, except "the total number of open files in
the system is 4405".

> lsof -p 25211 > openvpn1.txt
> lsof -p 25232 > openvpn2.txt
> lsof -p 25252 > openvpn3.txt
> 
> It looks like we got much more than just some lines:
>          
> openvpn3.txt    openvpn2.txt    openvpn1.txt

If you look at the files (in attachment), you'll see that the large bulk
of it is "TCP" - so your openvpn processes are using up the amount of file
descriptors the system is willing to give them for TCP connects, as every
TCP client needs to have its own socket.

If you run "ulimit -a" from the same environment where you start the
OpenVPN processes, you'll see a line that looks like this:

$ ulimit -a
...
nofile                         (-n)  1024

that's the maximum number of file descriptors - subtract some 20-odd,
and you have ~1000 left for about 1000 clients.

$ ulimit -n 2000

can usually be used to raise that limit to 2000 (if run as root, in the 
same shell that starts openvpn later)...  I'm not a Fedora expert, so 
maybe they have some other limitations, or ways to control the limits.

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert <at> greenie.muc.de
fax: +49-89-35655025                        gert <at> net.informatik.tu-muenchen.de
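To turn the ulimit reasoning in this reply into a check that can run inside a process, here is an added C example (not OpenVPN code, not Gert's): it reads the RLIMIT_NOFILE soft limit that `ulimit -n` reports, counts the descriptors already open, and computes how many more one-socket-per-client connections fit after a reserve, while raise_fd_soft_limit() does for the calling process what `ulimit -n 2000` does for a shell, within the hard limit. The 20-descriptor reserve, the 1048576 probe cap and all function names are assumptions of the example.

```c
/* Added example, not OpenVPN code: file-descriptor headroom check for a
 * daemon that needs one socket per TCP client. Assumptions: 20 reserved
 * descriptors for the daemon's own files, and a 1048576 probe cap when the
 * soft limit is unlimited or larger than that. */
#include <stdio.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/resource.h>

#define FD_PROBE_CAP 1048576L

/* Soft limit on open files, i.e. the "nofile (-n)" line of `ulimit -a`,
 * capped at FD_PROBE_CAP so the probe loop below stays bounded. */
long fd_soft_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    if (rl.rlim_cur == RLIM_INFINITY || rl.rlim_cur > (rlim_t) FD_PROBE_CAP)
        return FD_PROBE_CAP;
    return (long) rl.rlim_cur;
}

/* Count descriptors currently open by probing each number below the soft
 * limit with fcntl(F_GETFD); it fails with EBADF for numbers not in use. */
long count_open_fds(void)
{
    long limit = fd_soft_limit();
    if (limit < 0)
        return -1;
    long open = 0;
    for (long fd = 0; fd < limit; fd++) {
        if (fcntl((int) fd, F_GETFD) != -1 || errno != EBADF)
            open++;
    }
    return open;
}

/* Clients that can still be served if each needs one descriptor, after
 * holding back `reserve` for logs, the tun/tap device, control files etc. */
long fd_headroom(long reserve)
{
    long limit = fd_soft_limit();
    long open = count_open_fds();
    if (limit < 0 || open < 0)
        return -1;
    long room = limit - open - reserve;
    return room < 0 ? 0 : room;
}

/* Equivalent of `ulimit -n want` for this process: raise the soft limit up
 * to the hard limit. Returns 0 on success, -1 if the hard limit (which only
 * root or limits.conf can raise) is in the way or the request is invalid. */
int raise_fd_soft_limit(long want)
{
    struct rlimit rl;
    if (want < 0 || getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    if ((rlim_t) want <= rl.rlim_cur)
        return 0;                       /* already high enough */
    if (rl.rlim_max != RLIM_INFINITY && (rlim_t) want > rl.rlim_max)
        return -1;
    rl.rlim_cur = (rlim_t) want;
    return setrlimit(RLIMIT_NOFILE, &rl) == 0 ? 0 : -1;
}

int main(void)
{
    printf("soft limit: %ld, open: %ld, headroom for clients: %ld\n",
           fd_soft_limit(), count_open_fds(), fd_headroom(20));
    if (raise_fd_soft_limit(2000) == 0)
        printf("soft limit now: %ld\n", fd_soft_limit());
    else
        printf("cannot raise the soft limit to 2000 within the hard limit\n");
    return 0;
}
```

Run unprivileged, raise_fd_soft_limit() succeeds only up to the hard limit, which is exactly the case Gert describes with "if run as root"; a non-root daemon that needs more than the hard limit has to have it raised by the service manager or limits.conf before it starts. Logging fd_headroom() periodically gives an early warning well before "Too many open files" appears.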
arno.odermatt | 22 Jul 18:24 2014

Openvpn 2.3.2: "Could not create temporary file" ....Too many open files

Dear all,

we are driving O-VPN 2.3.2 on Fedora 20.
Since we have quite many permanently connected O-VPN clients, we have started three O-VPN processes, listening on three different ports and setting up three different tap interfaces.

Today, all three O-VPN processes crashed suddenly, whereas we found following error:

ip-172-16-128-101 openvpn[654]: <CN>/172.16.253.10:44214 Could not create temporary file '/var/tmp/openvpn_cc_1bd37815cbacd70936015e40e25198aa.tmp': Too many open files

We did not find any helpful information, neither in the mail archives nor in other forums/panels, besides something related to user/password authentication (openvpn-auth-pam), which we are not using (we use TLS server); also lsof did not provide any helpful information to correlate this error to a (file) resource problem.
https://forums.openvpn.net/topic13474.html
https://community.openvpn.net/openvpn/ticket/201



After this happened, we found:

- in /tmp:        -rw-r--r--.  1 root    0 Jul 18 10:51 vpn3_sema_15198                #sema files laying around

- in /var/tmp        -rw-------.  1 root        0 Jul 18 10:51 openvpn_cc_0e211df697b9f5620da89bd05f44ef48.tmp


Deleting the sema files and restarting O-VPN brought everything back to life.

Has anybody ever experienced something similar? Can this be a bug, and what could be the corrective action to prevent this from happening again?

Thank you for any help in this

Ar


Lisa Minogue | 21 Jul 11:35 2014

OpenSSL in OpenVPN software to be replaced?

Hi guys,

It's been universally acknowledged that you all have been doing a wonderful job by providing free,
open-source OpenVPN software and free support for it over the past few years.

However a few days ago OpenSSL, in a project roadmap last modified on July 16, stated [sic]"there are a very
significant number of them. A large proportion of these issues have been open for years. Some of these have
in fact been dealt with and should be closed, but this has not been recorded in the system. Most however have
not been looked at."

I'm no expert in cryptography, but I guess some of these issues could inflict more devastating effects than
the recent Heartbleed/Heartbeat bug.

In the light of the above, do you have plans to replace OpenSSL with PolarSSL or LibreSSL? And how soon will
new bundles of OpenVPN software be released that incorporate OpenSSL alternatives?

Regards.

Lisa

P.S.: I apologize if the above questions have been dealt with in the past.
Josh Cepek | 20 Jul 20:04 2014

[PATCH] Support IPv6 env-vars for server-provided IPs

Patch attached, with detached GPG sig. The patch description follows:

This adds missing IPv6 pool support in the env-vars provided to scripts.
Also adds a setenv_in6_addr() function to socket.c that provides a
v6-version of setenv_in_addr_t().

The ifconfig_ipv6_pool_netbits will in most cases be exactly the same as
ifconfig_ipv6_netbits. However, the code does allow the client to be
pushed a different CIDR range. To support this, and match handling of
IPv4, this is exposed to client scripts. Should this design change in
the future, it is likely both the ifconfig_ipv6_pool_netbits and
ifconfig_pool_netmask can be removed. This patch makes no attempt to
resolve these larger issues.

Aside from the netbits, the ifconfig_ipv6_pool_local_ip is useful to
expose as well. In a p2p topology, the pair of IPs pushed is completely
arbitrary and need not match the IP the server is using. It often will
out of convention, but since an --ifconfig-ipv6-push can supply
arbitrary values, this should again be available to scripts wishing to
take advantage of it.

This fixes #230.

Signed-off-by: Josh Cepek <josh.cepek <at> usa.net>
Attachment (v6-pool-env-vars.patch): text/x-patch, 4518 bytes
Mike Akiba | 20 Jul 19:20 2014

Simplified Chinese translation for OpenVPN GUI

Hello,
I have noticed there is no Simplified Chinese translation for OpenVPN 
GUI, so I made one.
I did not test it enough, though.

https://github.com/mike2718/openvpn-gui/blob/master/openvpn-gui-res-zh-CN.rc
