Re: [Openvpn-devel] openvpn-2.1.0-r1: easy-rsa tools creates broken client CERTs unusable for TLS

2010-06-08 Thread Martin Mokrejs
Hi,
  I had a look into the original bug report I sent and the summary is this:
at some version openvpn implemented a stricter check for certificate
values, and if the check fails it yields an "unsupported certificate purpose"
message.

  I figured out that a few more allowed values have to be included in the
certificate so that openVPN does not complain anymore. Basically, the patch
synchronizes the current openVPN behavior with the easy-rsa/ tools.

  Is it clearer now? I attached to the bugreport at Gentoo an older version
of the patch to hopefully help you better with understanding what I tried.
What I believe should happen is that somebody documents better what the requirements
are for the server/client certificates in openVPN. The patch(es) show what
fields you should describe in the docs, and some version of the patch should be committed
to easy-rsa/openssl.cnf as well (or the checks loosened back in the openVPN sources).
Martin

> Hi,
> 
> We discussed your bug report in last week's public IRC meeting:
> 
> 
> 
> In a nutshell, we had difficulties understanding what is required to
> reproduce this bug. Unfortunately the discussion logs were lost so I
> can't be any more specific. Would you like to help us understand this issue
> by chatting with our devs on #openvpn-de...@irc.freenode.net? Or
> alternatively by sending mail to openvpn-devel mailinglist:
> 
> 
> 
> All the best,
> 
> -- Samuli Seppänen Community Manager OpenVPN Technologies, Inc irc freenode 
> net: mattock 

> Martin Mokrejs wrote:
>> Hi,
> >>   I think the easy-rsa/openssl.cnf file should be modified so that client
>> CERTs would match current openVPN expectations. Please see my bug report
>> at http://bugs.gentoo.org/show_bug.cgi?id=320171 . For convenience, I am
>> attaching the patch here. Did I get it right what has to be done? Would
>> someone fix the HOWTO and FAQ documentation to describe the keyUsage
> >> fields and what is actually required for what? There are too many hits
> >> in Google for "unsupported certificate purpose". ;)



[Openvpn-devel] Dynamic Routing Patch

2010-06-08 Thread reg9009

 Hi all,

here's the 2nd and hopefully cleaner version of the dynamic routing patch.

Regards,
Sebastian
>From a122b9cfc5962e6fc3591e57a59599381a6d278c Mon Sep 17 00:00:00 2001
From: shundertmark 
List-Post: openvpn-devel@lists.sourceforge.net
Date: Mon, 7 Jun 2010 13:58:38 +0200
Subject: [PATCH] First test with 'dynamic routing'

Signed-off-by: shundertmark 
---
 Makefile.am  |4 +
 configure.ac |   12 +++
 dynroute.c   |  285 ++
 dynroute.h   |   24 +
 multi.c  |   10 ++
 5 files changed, 335 insertions(+), 0 deletions(-)
 create mode 100644 dynroute.c
 create mode 100644 dynroute.h

diff --git a/Makefile.am b/Makefile.am
index 2980dac..84e10d9 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -152,3 +152,7 @@ openvpn.8.html: $(srcdir)/openvpn.8
 else
 dist_man_MANS = openvpn.8
 endif
+
+if ENABLE_DYNROUTE
+   openvpn_SOURCES += dynroute.c
+endif
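Review bot: The new header dynroute.h (created per the diffstat) is not named in any `_SOURCES` or `EXTRA_DIST` variable in this hunk, so it would likely be missing from `make dist` tarballs even though dynroute.c includes it. If this Makefile.am follows the usual pattern of listing each header next to its .c file in openvpn_SOURCES, the conditional line should read `openvpn_SOURCES += dynroute.c dynroute.h`. Automake normally distributes sources named under a conditional regardless of its value, so dynroute.c itself is probably fine, but a `make distcheck` run would confirm both.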
diff --git a/configure.ac b/configure.ac
index 5575705..c7da5ff 100644
--- a/configure.ac
+++ b/configure.ac
@@ -212,6 +212,12 @@ AC_ARG_ENABLE(selinux,
[SELINUX="yes"]
 )

+AC_ARG_ENABLE(dynroute,
+   [  --enable-dynroute   Enable dynamic routing],
+   [DYNROUTE="$enableval"],
+   [DYNROUTE="no"]
+)
+
 AC_ARG_WITH(ssl-headers,
[  --with-ssl-headers=DIR  Crypto/SSL Include files location],
[CS_HDR_DIR="$withval"]
@@ -869,6 +875,12 @@ if test "$PASSWORD_SAVE" = "yes"; then
AC_DEFINE(ENABLE_PASSWORD_SAVE, 1, [Allow --askpass and --auth-user-pass 
passwords to be read from a file])
 fi

+dnl enable dynroute
+if test "$DYNROUTE" = "yes"; then
+   AC_DEFINE(ENABLE_DYNROUTE, 1, [Enable dynamic routing])
+fi
+AM_CONDITIONAL(ENABLE_DYNROUTE, test "${DYNROUTE}" = "yes")
+
 dnl
 dnl check for SELinux library and headers
 dnl
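Review bot: ENABLE_DYNROUTE is defined purely from the user's `--enable-dynroute` answer, with no check that the host provides the rtnetlink socket API the new dynroute.c depends on (AF_NETLINK, NETLINK_ROUTE and RTMGRP_IPV4_ROUTE in that file's hunk), so on a non-Linux host the build fails late in the compiler instead of cleanly in configure. Before the AC_DEFINE in this hunk, add `AC_CHECK_HEADERS([linux/netlink.h linux/rtnetlink.h],, [AC_MSG_ERROR([--enable-dynroute requires Linux rtnetlink headers])])`; older kernel headers may need `sys/socket.h` supplied as a prerequisite include in the fourth argument, so confirm on the supported targets. The help text in the first configure.ac hunk could state the restriction as well, e.g. `[  --enable-dynroute   Enable dynamic routing (Linux rtnetlink only)]`. Minor: the `if` line tests `"$DYNROUTE"` while the AM_CONDITIONAL line tests `"${DYNROUTE}"`; pick one spelling.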
diff --git a/dynroute.c b/dynroute.c
new file mode 100644
index 000..f9a3ca8
--- /dev/null
+++ b/dynroute.c
@@ -0,0 +1,285 @@
+#include "dynroute.h"
+
+struct dynroute dr;
+
+static struct multi_instance *
+multi_learn_in_addr_t (struct multi_context *m,
+   struct multi_instance *mi,
+   in_addr_t a,
+   int netbits, /* -1 if host route, otherwise # of network bits in 
address */
+   bool primary);
+
+static void netlink_parse_rtattr (struct rtattr **tb, int max, struct rtattr 
*rta, int len)
+{
+  while (RTA_OK (rta, len))
+  {
+if (rta->rta_type <= max)
+  tb[rta->rta_type] = rta;
+rta = RTA_NEXT (rta, len);
+  }
+}
+
+static uint32_t endian_swap (uint32_t x)
+{
+  x = (x>>24) | 
+((x<<8) & 0x00FF) |
+((x>>8) & 0xFF00) |
+(x<<24);
+  return x;
+}
+
+static bool dynroute_init (struct dynroute *dr)
+{
+  if (!dr->initialized)
+  {
+dr->last_error = 0;
+dr->action = DRA_NONE;
+dr->initialized = false;
+dr->nope = true;
+dr->sock = socket (AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
+if (dr->sock < 0)
+{
+#ifdef DYNROUTE_DEBUG
+  dr->last_error = dr->sock;
+  fprintf (stderr, "dynroute_init: ERROR socket() : %d\n", dr->last_error);
+#endif
+  return false;
+}
+struct sockaddr_nl addr;
+memset ((void *) &addr, 0, sizeof (addr));
+addr.nl_family = AF_NETLINK;
+addr.nl_pid = getpid ();
+addr.nl_groups = RTMGRP_IPV4_ROUTE;
+dr->last_error = bind (dr->sock, (struct sockaddr *) &addr, sizeof (addr));
+if (dr->last_error < 0)
+{
+#ifdef DYNROUTE_DEBUG
+  fprintf (stderr, "dynroute_init: ERROR bind() : %d\n", dr->last_error);
+#endif
+  return false;
+}
+dr->last_error = fcntl (dr->sock, F_SETFL, O_NONBLOCK);
+if (dr->last_error < 0)
+{
+#ifdef DYNROUTE_DEBUG
+  fprintf (stderr, "dynroute_init: ERROR fcntl() : %d\n", dr->last_error);
+#endif
+  return false;
+}
+#ifdef DYNROUTE_DEBUG
+fprintf (stderr, "dynroute_init: OK\n");
+#endif
+dr->initialized = true;
+  }
+#ifdef DYNROUTE_DEBUG
+  else
+  {
+fprintf (stderr, "dynroute_init: allready initialised, skipped.\n");
+  }
+#endif
+  dr->nope = !dr->initialized;
+  return dr->initialized;
+}
+
+static bool dynroute_read (struct dynroute *dr)
+{
+  dr->action = DRA_NONE;
+  if (!dr->initialized)
+  {
+#ifdef DYNROUTE_DEBUG
+fprintf (stderr, "dynroute_read: not ready, trying dynroute_init().\n");
+#endif
+if (!dynroute_init (dr))
+  return false;
+  }
+
+  struct nlmsghdr *nlh;
+  struct rtmsg *rtm;
+  struct sockaddr_nl addr;
+  struct rtattr *tb[RTA_MAX + 1];
+  
+  char buf [4096];
+  struct iovec iov = { buf, sizeof (buf) };
+  struct msghdr msg;
+  int len;
+
+  msg.msg_name = (void *) &addr;
+  msg.msg_namelen = sizeof (addr);
+  msg.msg_iov = &iov;
+  msg.msg_iovlen = 1;
+
+  dr->last_error = recvmsg (dr->sock, &msg, 0);
+  if (dr->last_error < 0)
+  {
+#ifdef DYNROUTE_DEBUG
+if (DYNROUTE_DEBUG == DYNROUTE_DEBUG_CHATTY)
+  fprintf (stderr, "dynroute_read: recvmsg() : %d\n", dr->last_error);
+#endif
+return false;
+  }
+  nlh = (struct nlmsghdr *) buf;
+  rtm = NLMSG_DATA(nlh);
+
+  if (rtm->rtm_protocol !=