David Sommerseth | 24 Nov 19:09 2014

[PATCH] autotools: Fix wrong ./configure help screen default values

From: David Sommerseth <davids@redhat.com>

enable_crypto_ofb_cfb is "yes" by default, so the --help screen
should show --disable-ofb-cfb and not --enable-ofb-cfb.

enable_small and enable_password_save are both "no" by default, so
the --help screen should state "default: no".  Now it says "yes" as
default, but is really disabled in the reality.

Signed-off-by: David Sommerseth <davids@redhat.com>
---
 configure.ac | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/configure.ac b/configure.ac
index 608ab6d..ddaa2b2 100644
--- a/configure.ac
+++ b/configure.ac
 <at>  <at>  -73,7 +73,7  <at>  <at>  AC_ARG_ENABLE(

 AC_ARG_ENABLE(
 	[ofb-cfb],
-	[AS_HELP_STRING([--enable-ofb-cfb], [enable support for OFB and CFB cipher modes  <at> <: <at> default=yes <at> :> <at> ])],
+	[AS_HELP_STRING([--disable-ofb-cfb], [disable support for OFB and CFB cipher modes  <at> <: <at> default=yes <at> :> <at> ])],
 	,
 	[enable_crypto_ofb_cfb="yes"]
 )
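Review bot: The help text now matches the default, but the variable names in the hunk still disagree: with the option named `ofb-cfb`, autoconf records an explicit `--disable-ofb-cfb` in `enable_ofb_cfb`, while the action-if-not-given branch sets `enable_crypto_ofb_cfb="yes"`. Please confirm which variable the later feature test reads; if it reads `enable_crypto_ofb_cfb`, the newly advertised `--disable-ofb-cfb` switch is accepted but has no effect, and the empty third argument should become `[enable_crypto_ofb_cfb="$enableval"]`.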
 <at>  <at>  -157,14 +157,14  <at>  <at>  AC_ARG_ENABLE(

 AC_ARG_ENABLE(

Lev Stipakov | 23 Nov 16:17 2014

[PATCH] Peer-id patch v7

Added new packet format P_DATA_V2, which includes peer-id. If server
supports, client sends all data packets in the new format. When data
packet arrives, server identifies peer by peer-id. If peer's ip/port has
changed, server assumes that client has floated, verifies HMAC and
updates ip/port in internal structs.

Changes in v7:
A few nitpicks.

Changes in v6:
Fixed: Make sure float won't happen if hmac check failed (regression).
Fixed: Access outside of bounds of array, which has caused memory corruption and crash.
Various review fixes.

Changes in v5:
Protection against replay attack by committing float changes only after
existing packet processing flow has completed.

If peer floats to an address which is already taken by another active
session, drop float packet, otherwise disconnect existing session.

Changes in v4:
Handles correctly float to an address which is used by another peer.
This also has fixed crash on assert in multi_client_disconnect.

Changes in v3:
Bugfix: If float happens after TLS renegotiation and there are no
data packets between reneg and float, server will not recognize floated client.
---
 src/openvpn/forward.c    | 50 ++++++++++++++++---------

Yegor Yefremov | 23 Nov 13:21 2014

[PATCH] polarssl: fix unreachable code

Found via cppcheck and compile-tested.

Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
---
 src/openvpn/ssl_polarssl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/openvpn/ssl_polarssl.c b/src/openvpn/ssl_polarssl.c
index b026a17..2036885 100644
--- a/src/openvpn/ssl_polarssl.c
+++ b/src/openvpn/ssl_polarssl.c
 <at>  <at>  -846,8 +846,8  <at>  <at>  key_state_write_plaintext (struct key_state_ssl *ks, struct buffer *buf)

   if (0 == buf->len)
     {
-      return 0;
       perf_pop ();
+      return 0;
     }

   retval = ssl_write(ks->ctx, BPTR(buf), buf->len);
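Review bot: The reorder is right: `perf_pop ()` after an unconditional `return 0` was dead code, so the empty-buffer early exit left the perf stack pushed on that path. Since the hunk shows only this one exit, please check that the remaining return paths of key_state_write_plaintext (after the `ssl_write` call) each pop as well, so push and pop stay balanced on every path.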
--

-- 
1.8.3.2

------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk

Yegor Yefremov | 22 Nov 21:13 2014

[PATCH] socket: remove duplicate expression

Found via cppcheck and compile-tested.

Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
---
 src/openvpn/socket.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index 29f9958..331a9d9 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
 <at>  <at>  -2666,7 +2666,7  <at>  <at>  proto_is_tcp(int proto)
 {
   if (proto < 0 || proto >= PROTO_N)
     ASSERT(0);
-  return proto == PROTO_TCP_CLIENT || proto == PROTO_TCP_SERVER || proto == PROTO_TCP_CLIENT;
+  return proto == PROTO_TCP_CLIENT || proto == PROTO_TCP_SERVER;
 }

 int
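Review bot: Behaviour is unchanged (the third operand duplicated the first), so the commit message could say so explicitly. Given the `ASSERT(0)` on an out-of-range `proto` just above, a `switch (proto)` with explicit cases and a `default: ASSERT(0);` would make this kind of duplicated comparison impossible and keep the range check in one place.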
--

-- 
1.8.3.2


Yegor Yefremov | 21 Nov 20:40 2014

[PATCH] configure.ac: fix default behavior

Set enable_password_save to "yes", if the option is not given,
as stated in the description.

Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index 608ab6d..9dcd2ab 100644
--- a/configure.ac
+++ b/configure.ac
 <at>  <at>  -166,7 +166,7  <at>  <at>  AC_ARG_ENABLE(
 	[password-save],
 	[AS_HELP_STRING([--enable-password-save], [allow --askpass and --auth-user-pass passwords to be
read from a file  <at> <: <at> default=yes <at> :> <at> ])],
 	,
-	[enable_password_save="no"]
+	[enable_password_save="yes"]
 )

 AC_ARG_ENABLE(
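Review bot: This resolves the help-text mismatch in the wrong direction. Changing the action-if-not-given from `"no"` to `"yes"` is a behavioural change, not a documentation fix: a default build would then permit --askpass and --auth-user-pass credentials to be read from files, which is a security-relevant default. The other configure.ac patch on this list (24 Nov) treats the default of "no" as intended and corrects the default=yes text in the help string instead; please confirm which default is intended before touching the fallback assignment, and if it is "no", fix the AS_HELP_STRING rather than this line.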
--

-- 
1.8.3.2


samuli | 21 Nov 11:09 2014

[PATCH] Fix to --shaper documentation on the man-page

From: Samuli Seppänen <samuli@openvpn.net>

Trac: #413
Trac-URL: https://community.openvpn.net/openvpn/ticket/413
Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
---
 doc/openvpn.8 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 8fca9aa..96ba555 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
 <at>  <at>  -1437,6 +1437,7  <at>  <at>  Currently defaults to 100.
 Limit bandwidth of outgoing tunnel data to
 .B n
 bytes per second on the TCP/UDP port.
+Note that this will only work if mode is set to p2p.
 If you want to limit the bandwidth
 in both directions, use this option on both peers.

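Review bot: The added sentence is ambiguous about which "mode" is meant, and the man page names options in `.B` markup elsewhere in this hunk. Suggest stating it in terms of the option, e.g. "This option only has an effect when" followed by `.B \-\-mode p2p` on its own line and "is in use.", which also keeps the page's one-sentence-per-line convention.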
--

-- 
1.9.1


Lev Stipakov | 21 Nov 10:44 2014

[PATCH] Peer-id patch v6

Added new packet format P_DATA_V2, which includes peer-id. If server
supports, client sends all data packets in the new format. When data
packet arrives, server identifies peer by peer-id. If peer's ip/port has
changed, server assumes that client has floated, verifies HMAC and
updates ip/port in internal structs.

Changes in v6:
Fixed: Make sure float won't happen if hmac check failed (regression).
Fixed: Access outside of bounds of array, which has caused memory corruption and crash.
Various review fixes.

Changes in v5:
Protection against replay attack by committing float changes only after
existing packet processing flow has completed.

If peer floats to an address which is already taken by another active
session, drop float packet, otherwise disconnect existing session.

Changes in v4:
Handles correctly float to an address which is used by another peer.
This also has fixed crash on assert in multi_client_disconnect.

Changes in v3:
Bugfix: If float happens after TLS renegotiation and there are no
data packets between reneg and float, server will not recognize floated client.
---
 src/openvpn/forward.c    | 50 ++++++++++++++++---------
 src/openvpn/forward.h    |  2 +
 src/openvpn/init.c       | 12 +++++-
 src/openvpn/mudp.c       | 57 +++++++++++++++++++++-------

Samuli Seppänen | 21 Nov 10:00 2014

Topics for next Monday's (24th Nov 2014) community meeting


Hi,

We're having an IRC meeting on Monday, starting at 20:00 CET (19:00
UTC) on #openvpn-devel@irc.freenode.net. Current topic list along with
basic information is here:

<https://community.openvpn.net/openvpn/wiki/Topics-2014-11-24>

If you have any other things you'd like to bring up, respond to this
mail, send me mail privately or add them to the list yourself.

In case you can't attend the meeting, please feel free to make comments
on the topics by responding to this email or to the summary email sent
after the meeting. Whenever possible, we'll also respond to existing,
related email threads.

NOTE: It's required to use a registered Freenode IRC nickname to join
#openvpn-devel - look here for details:

<https://community.openvpn.net/openvpn/wiki/GettingHelp#DeveloperIRCchannel>

--

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
Abdullah Alshalan (Student | 18 Nov 23:47 2014

Sending packets from VPN client to VPN server

Hi,
I was wondering if anyone can help me understand why my code isn't working. I'm working on a project for
fun modifying openvpn-2.2.2. What I need help with is this:
I have a packet cached in a buffer structure. And I want the VPN client to send it to the VPN server so it can
reach its intended destination.

What I was trying to do is something like this:

struct buffer *buf = cached_buffer;
buffer_turnover(buf->data, &c->c2.buf, buf, buf);
process_incoming_tun(c);
process_outgoing_tun(c);

Unfortunately, when I ran Wireshark on the virtual tun of the client I don't see that cached packet.

Alternatively, I tried:
struct buffer *buf = cached_buffer;
write_tun(c->c1.tuntap, BPTR(buf), BLEN(buf));

in this case I can see the packet in Wireshark but it's never received at the VPN server side. 

Any insights or suggestion would be highly appreciated.

Thanks in advance,
Ab

Matthias Andree | 18 Nov 23:46 2014

AES-NI trouble, and patch - please review/comment

Greetings,

I received a bug report against the FreeBSD OpenVPN port, but before
applying a patch (by Ermal Luçi) I do not currently oversee, I would
like your input.

https://redmine.pfsense.org/issues/3966			 original
https://community.openvpn.net/openvpn/ticket/480	 copy
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=195004 downstream

Is this a safe fix, or will it break other features or requirements, in
the lights of restarts after timeouts, and all that?

Thanks.

Cheers,
Matthias

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net

David Sommerseth | 17 Nov 23:14 2014

[PATCH] down-root: Improve error messages

From: David Sommerseth <davids@redhat.com>

If down-root fails it will now use warn() to provide some more information
about what went wrong, by retrieving the error message via errno.

Signed-off-by: David Sommerseth <davids@redhat.com>
---
 src/plugins/down-root/down-root.c | 52 +++++++++++++++++++++++++++------------
 1 file changed, 36 insertions(+), 16 deletions(-)

diff --git a/src/plugins/down-root/down-root.c b/src/plugins/down-root/down-root.c
index 4d10f48..ed2636a 100644
--- a/src/plugins/down-root/down-root.c
+++ b/src/plugins/down-root/down-root.c
 <at>  <at>  -41,6 +41,7  <at>  <at> 
 #include <fcntl.h>
 #include <signal.h>
 #include <syslog.h>
+#include <errno.h>

 #include <openvpn-plugin.h>

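Review bot: `warn()` is declared in `<err.h>`, not `<errno.h>`, so unless `<err.h>` is already included above this hunk the new calls compile with an implicit declaration (or fail outright under -Werror). `<err.h>` is a BSD extension rather than POSIX; if portability matters for this plugin, the same effect is available with `fprintf (stderr, "...: %s\n", strerror (errno))` from `<string.h>`, which needs only the `<errno.h>` include this hunk adds.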
 <at>  <at>  -160,7 +161,7  <at>  <at>  daemonize (const char *envp[])
 	fd = dup (2);
       if (daemon (0, 0) < 0)
 	{
-	  fprintf (stderr, "DOWN-ROOT: daemonization failed\n");
+	  warn ("DOWN-ROOT: daemonization failed");
 	}
       else if (fd >= 3)
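Review bot: `warn()` reports whatever errno holds at the time of the call, so it must stay immediately after the failing `daemon()` call as it does here; any logging or cleanup inserted between the two would risk overwriting errno and producing a misleading message. The remaining fprintf-to-warn replacements in this diff (not shown here) should be checked against the same rule.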
