Lev Stipakov | 27 Feb 18:01 2015

[PATCH] Notify clients about server's restart/shutdown

When the server gets a shutdown signal (SIGUSR1, SIGTERM, SIGHUP, SIGINT), it
broadcasts the new OCC_SHUTTING_DOWN command to all clients and reschedules
the received signal in 2 secs.

When the client receives OCC_SHUTTING_DOWN, it fires SIGUSR1 and switches to
the next remote.
---
 src/openvpn/multi.c | 63 +++++++++++++++++++++++++++++++++++++++++++++++++----
 src/openvpn/multi.h | 14 +++++++++++-
 src/openvpn/occ.c   |  8 +++++++
 src/openvpn/occ.h   |  6 +++++
 4 files changed, 86 insertions(+), 5 deletions(-)

diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 4412491..b5f2dd2 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
 <at>  <at>  -396,6 +396,8  <at>  <at>  multi_init (struct multi_context *m, struct context *t, bool tcp_mode, int threa
         t->options.stale_routes_check_interval, t->options.stale_routes_ageing_time);
       event_timeout_init (&m->stale_routes_check_et, t->options.stale_routes_check_interval, 0);
     }
+
+  m->deferred_signal.signal_received = 0;
 }

 const char *
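Review bot: only `signal_received` is reset in this hunk; if `deferred_signal` in multi.h carries any other member (the commit message talks about rescheduling the signal after 2 seconds, which implies a stored signal value or time), that member starts uninitialized unless `struct multi_context` is zeroed elsewhere. Clearing the whole struct here, e.g. `CLEAR (m->deferred_signal);`, keeps every member in a known state regardless of what is added to it later.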
 <at>  <at>  -603,6 +605,25  <at>  <at>  multi_close_instance (struct multi_context *m,
   perf_pop ();
 }


Vasily Kulikov | 25 Feb 17:07 2015

[PATCH v4] Mac OS X Keychain management client

This patch adds support for using certificates stored in the Mac OSX
Keychain to authenticate with the OpenVPN server.  This works with
certificates stored on the computer as well as certificates on hardware
tokens that support Apple's tokend interface.  The patch is based on
the Windows Crypto API certificate functionality that currently exists
in OpenVPN.

This patch version implements a management client which handles the RSA-SIGN
command for RSA offloading.  It also handles the new 'NEED-CERTIFICATE'
request to pass a certificate from the keychain to OpenVPN.

OpenVPN itself gets a new 'NEED-CERTIFICATE' command, which is called when
--management-external-cert is used.  It is implemented as a multiline
command very similar to the existing 'RSA-SIGN' command.

The patch is against commit 3341a98c2852d1d0c1eafdc70a3bdb218ec29049.

v4:
 - added '--management-external-cert' argument
 - keychain-mcd now parses NEED-CERTIFICATE argument if 'auto' is passed
   as cmdline's identity template
 - fixed typo in help output option name
 - added '--management-external-cert' info in openvpn(8) manpage
 - added 'certificate' command documentation into doc/management-notes.txt

v3:
 - used new 'NEED-CERTIFICATE' command for certificate data request instead of 'NEED-OK'
 - improved option checking
 - improved invalid certificate selection string handling
 - added man page for keychain-mcd

steffan.karger | 22 Feb 15:11 2015

[PATCH] Use tls-auth in sample config files

From: Steffan Karger <steffan.karger <at> fox-it.com>

For two reasons:
1) May motivate people to use tls-auth in their setups
2) Verify tls-auth functionality when running 'make check'

Signed-off-by: Steffan Karger <steffan.karger <at> fox-it.com>
---
 sample/sample-config-files/client.conf     |  2 +-
 sample/sample-config-files/loopback-client |  1 +
 sample/sample-config-files/loopback-server |  1 +
 sample/sample-config-files/server.conf     |  2 +-
 sample/sample-keys/gen-sample-keys.sh      |  3 +++
 sample/sample-keys/ta.key                  | 21 +++++++++++++++++++++
 6 files changed, 28 insertions(+), 2 deletions(-)
 create mode 100644 sample/sample-keys/ta.key

diff --git a/sample/sample-config-files/client.conf b/sample/sample-config-files/client.conf
index 050ef60..fedcbd6 100644
--- a/sample/sample-config-files/client.conf
+++ b/sample/sample-config-files/client.conf
 <at>  <at>  -105,7 +105,7  <at>  <at>  remote-cert-tls server

 # If a tls-auth key is used on the server
 # then every client must also have the key.
-;tls-auth ta.key 1
+tls-auth ta.key 1

 # Select a cryptographic cipher.
 # If the cipher option is used on the server
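Review bot: enabling `tls-auth ta.key 1` by default in client.conf is a good change, but the key it points at is now committed to the repository (sample/sample-keys/ta.key in the diffstat), so anyone who deploys the sample config unchanged shares a publicly known HMAC key and gets no protection from it. The comment on the two lines above the option should say the shipped key is for testing only and that real deployments must generate their own, e.g. with `openvpn --genkey --secret ta.key`.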

Reinoud Koornstra | 19 Feb 21:52 2015

statistics file format not respected in point-to-point?

Hi Everyone,

I have a site-to-site (point-to-point) configuration, meaning no
client or server is involved.
It comes up fine.
I did set this as well in the config file:

status /tmp/openvpn_hello_status.log 5
status-version 3

When I look at the file:

OpenVPN STATISTICS
Updated,Thu Feb 19 13:41:29 2015
TUN/TAP read bytes,0
TUN/TAP write bytes,0
TCP/UDP read bytes,1480
TCP/UDP write bytes,1647
Auth read bytes,1480
END

This looks like format 1 when compared to the client-server statistics file case.
Is this correct, or is this actually format 3?
The statistics file for the server is more like I expected:

TITLE   OpenVPN 2.3.4 i486-gnu-linux-gnu [SSL (OpenSSL)] [EPOLL] [MH]
[IPv6] built on Feb 19 2015
TIME    Thu Feb 19 13:25:08 2015        1424377508
HEADER  CLIENT_LIST     Common Name     Real Address    Virtual
Address Bytes Received  Bytes Sent      Connected Since Connected

Steffan Karger | 15 Feb 15:24 2015

[PATCH] Disable SSL compression

As reported in trac #502, SSL compression can cause problems in some corner
cases.  OpenVPN does not need SSL compression, since the control channel is
low bandwidth.  This does not influence the data channel compression (i.e.
--comp or --comp-lzo).

Even though this has not yet been relevant for OpenVPN (since an attacker
cannot easily control the contents of control channel messages), SSL
compression has been used in the CRIME and BREACH attacks on TLS.  TLS 1.3
will probably even remove support for compression altogether, for
exactly this reason.

Since we don't need it, and SSL compression causes issues, let's just
disable it in OpenSSL builds.  PolarSSL has no run-time flag to disable
compression, but is by default compiled without compression.

Signed-off-by: Steffan Karger <steffan <at> karger.me>
---
 src/openvpn/ssl_openssl.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 48c0571..d9abc6e 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
 <at>  <at>  -203,6 +203,10  <at>  <at>  tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags)
     if (tls_ver_min > TLS_VER_1_2 || tls_ver_max < TLS_VER_1_2)
       sslopt |= SSL_OP_NO_TLSv1_2;
 #endif
+#ifdef SSL_OP_NO_COMPRESSION
+    /* Disable compression - flag not available in OpenSSL 0.9.8 */
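Review bot: when `SSL_OP_NO_COMPRESSION` is not defined (OpenSSL 0.9.8, as the comment notes), the build silently keeps SSL compression enabled, which is exactly the state the commit message argues against. Consider an `#else` branch with a `#warning`, or a runtime `msg (M_WARN, ...)` when the context is set up, so that operators on old OpenSSL can see that compression could not be disabled.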

Gert Doering | 7 Feb 19:51 2015

[PATCH] New approach to handle peer-id related changes to link-mtu.

Instead of statically increasing link-mtu by +3, keep the old value for
OCC compatibility with old servers/clients, and only increase link-mtu
if peer-id option is enabled (right now: is pushed by server).

If link-mtu has been set in the config, keep the configured value and log a
warning (because the extra overhead has to decrease tun-mtu).

Reserve extra +3 bytes in frame->extra_buffer.

This reverts commit f95010ad247a8998e0c39e394236251fca316849.

Signed-off-by: Gert Doering <gert <at> greenie.muc.de>
---
 src/openvpn/init.c | 19 +++++++++++++++++++
 src/openvpn/ssl.c  | 10 ++++++----
 2 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 706d07c..a4ef84b 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
 <at>  <at>  -1794,6 +1794,19  <at>  <at>  do_deferred_options (struct context *c, const unsigned int found)
       msg (D_PUSH, "OPTIONS IMPORT: peer-id set");
       c->c2.tls_multi->use_peer_id = true;
       c->c2.tls_multi->peer_id = c->options.peer_id;
+      frame_add_to_extra_frame(&c->c2.frame, +3);	/* peer-id overhead */
+      if ( !c->options.ce.link_mtu_defined )
+	{
+	  c->c2.frame.link_mtu += 3;
+	  msg (D_PUSH, "OPTIONS IMPORT: adjusting link_mtu to %d",
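Review bot: the peer-id overhead is hard-coded as `3` in both `frame_add_to_extra_frame(&c->c2.frame, +3)` and `c->c2.frame.link_mtu += 3` (and again in the commit message); a named constant for the peer-id header size would keep the two adjustments in sync with the P_DATA_V2 header layout. Also, since this runs from do_deferred_options, please confirm it cannot execute twice for the same context (for instance on a renegotiation that pushes peer-id again), because `+= 3` and the extra-frame reservation are not idempotent.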

Jonathan K. Bullard | 6 Feb 20:49 2015

[PATCH] Fix mismatch of fprintf format specifier and argument type

This fixes a warning about a mismatch between a fprintf format string
and an argument type on Darwin-64-bit builds:

%lu specifies type 'unsigned long' but the argument has type
'__darwin_suseconds_t' (aka 'int')
--- openvpn/src/openvpn/error.c 2015-01-23 13:17:50.000000000 -0500
+++ patched/src/openvpn/error.c 2015-02-03 22:12:32.000000000 -0500
 <at>  <at>  -319,7 +319,7  <at>  <at> 

 	      fprintf (fp, "%lu.%06lu %x %s%s%s%s",
 		       tv.tv_sec,
-		       tv.tv_usec,
+		       (unsigned long)tv.tv_usec,
 		       flags,
 		       prefix,
 		       prefix_sep,
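Review bot: the cast fixes the `%06lu` argument, but the first conversion `%lu` on the same fprintf line receives `tv.tv_sec`, whose type (`time_t`) is likewise not guaranteed to be `unsigned long`; casting it the same way, `(unsigned long)tv.tv_sec`, makes the line portable instead of only silencing the Darwin warning.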
------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel <at> lists.sourceforge.net

Lev Stipakov | 6 Feb 13:38 2015

[PATCH] Fix NULL dereferencing

In certain cases buf.len can be -1, which causes BPTR to return NULL and
leads to a NULL pointer dereference on the next line.

As a fix, process only packets with non-zero length.
---
 src/openvpn/mudp.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c
index 3e3f750..57118f8 100644
--- a/src/openvpn/mudp.c
+++ b/src/openvpn/mudp.c
 <at>  <at>  -52,20 +52,19  <at>  <at>  multi_get_create_instance_udp (struct multi_context *m, bool *floated)
   struct multi_instance *mi = NULL;
   struct hash *hash = m->hash;

-  if (mroute_extract_openvpn_sockaddr (&real, &m->top.c2.from.dest, true))
+  if (mroute_extract_openvpn_sockaddr (&real, &m->top.c2.from.dest, true) &&
+      m->top.c2.buf.len > 0)
     {
       struct hash_element *he;
       const uint32_t hv = hash_value (hash, &real);
       struct hash_bucket *bucket = hash_bucket (hash, hv);
       uint8_t* ptr = BPTR(&m->top.c2.buf);
       uint8_t op = ptr[0] >> P_OPCODE_SHIFT;
-      uint32_t peer_id;
-      int i;

       /* make sure buffer has enough length to read opcode (1 byte) and peer-id (3 bytes) */
       if (op == P_DATA_V2 && m->top.c2.buf.len >= (1 + 3))
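Review bot: the added `m->top.c2.buf.len > 0` guard correctly rejects the -1 case described in the commit message, but the message says "non-zero length" while the code requires a positive length; please align the wording. The removal of the `peer_id` and `i` declarations is unrelated to the NULL-dereference fix and is not explained: if they are moved into the P_DATA_V2 block below, say so in the commit message, otherwise split that change out.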

Marine B | 5 Feb 11:53 2015

Error

Good Morning,

I would like to know the possible errors of OpenVPN that need to be recorded. I want to make a logstash configuration file for OpenVPN. So far I have recorded login, disconnection and outdated certificate.

Do you have a list of all the errors or events available on OpenVPN?

Thank you
Jorge Luiz Silva Peixoto | 4 Feb 18:01 2015

[PATCH] Fix CN maximum length

The following patch fixes the CN maximum length as discussed with Steffan
Karger on the openvpn-users mailing list.

Signed-off-by: Jorge Peixoto <jorgepeixoto <at> gmail.com>
---
 src/openvpn/ssl_verify.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index ad50458..73488fc 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
 <at>  <at>  -47,7 +47,7  <at>  <at> 
 #endif

 /** Maximum length of common name */
-#define TLS_USERNAME_LEN 64
+#define TLS_USERNAME_LEN 65

 /** Legal characters in an X509 name with --compat-names */
 #define X509_NAME_CHAR_CLASS
(CC_ALNUM|CC_UNDERBAR|CC_DASH|CC_DOT|CC_AT|CC_SLASH|CC_COLON|CC_EQUAL)
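Review bot: after bumping `TLS_USERNAME_LEN` to 65 the comment `/** Maximum length of common name */` no longer matches the value: 65 is the buffer size including the terminating NUL, while the maximum CN length is still 64 (the message sites below print `TLS_USERNAME_LEN-1`). Either reword the comment to say the value includes the NUL terminator, or keep the macro at the real maximum (64) and size the buffers as `TLS_USERNAME_LEN + 1` so that call sites need no `-1` arithmetic.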
 <at>  <at>  -625,7 +625,7  <at>  <at>  verify_cert(struct tls_session *session,
openvpn_x509_cert_t *cert, int cert_dep
              "limited to %d characters",
               opt->x509_username_field,
                 subject,
-                TLS_USERNAME_LEN);
+                TLS_USERNAME_LEN-1);
          goto cleanup;
        }
     }
 <at>  <at>  -1165,7 +1165,7  <at>  <at>  verify_user_pass(struct user_pass *up, struct
tls_multi *multi,
   /* check sizing of username if it will become our common name */
   if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) &&
strlen (up->username) >= TLS_USERNAME_LEN)
     {
-      msg (D_TLS_ERRORS, "TLS Auth Error: --username-as-common name
specified and username is longer than the maximum permitted Common
Name length of %d characters", TLS_USERNAME_LEN);
+      msg (D_TLS_ERRORS, "TLS Auth Error: --username-as-common name
specified and username is longer than the maximum permitted Common
Name length of %d characters", TLS_USERNAME_LEN-1);
       s1 = OPENVPN_PLUGIN_FUNC_ERROR;
     }

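Review bot: with `TLS_USERNAME_LEN` now 65, `strlen (up->username) >= TLS_USERNAME_LEN` accepts a 64-character username where it previously rejected it; that is presumably the intended fix, but the commit message only says it "fixes CN maximum length", so please state the before/after limits (63 -> 64 characters) explicitly so the behaviour change is visible in the history.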
-- 
1.9.1

duncan atherton | 4 Feb 11:39 2015

(no subject)


Gmane