[Openvpn-devel] [PATCH] ssl_polarssl.c: fix includes and make casts explicit

2014-10-25 Thread Steffan Karger
The master branch already has a commit doing almost the same (9048d50), but since the API for polarssl 1.2 is different, this could not be cherry-picked back to the 2.3 branch. This commit: * adds a number of missing #includes. * makes a number of implicit casts explicit, to silence gcc -Wall

[Openvpn-devel] [PATCH] Remove unused variables from ssl_verify_openssl.c extract_x509_extension()

2014-10-25 Thread Steffan Karger
Signed-off-by: Steffan Karger --- src/openvpn/ssl_verify_openssl.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 56e1c11..33cd757 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @

[Openvpn-devel] [PATCH applied] Re: ssl_polarssl.c: fix includes and make casts explicit

2014-10-25 Thread Gert Doering
Your patch has been applied to the release/2.3 branch. commit 35b2ffdcf3f48f4a500cb8ad22330ca3454e6149 Author: Steffan Karger List-Post: openvpn-devel@lists.sourceforge.net Date: Sat Oct 25 11:47:49 2014 +0200 ssl_polarssl.c: fix includes and make casts explicit Signed-off-by: Steffa

[Openvpn-devel] [PATCH applied] Re: Remove unused variables from ssl_verify_openssl.c extract_x509_extension()

2014-10-25 Thread Gert Doering
ACK. Your patch has been applied to the release/2.3 branch. commit 6e469f46e94b2bd0fc1509f2bfbda4d6b5374b14 Author: Steffan Karger List-Post: openvpn-devel@lists.sourceforge.net Date: Sat Oct 25 11:54:11 2014 +0200 Remove unused variables from ssl_verify_openssl.c extract_x509_extension()

Re: [Openvpn-devel] [PATCH applied] Re: Remove unused variables from ssl_verify_openssl.c extract_x509_extension()

2014-10-25 Thread Gert Doering
Hi, On Sat, Oct 25, 2014 at 12:41:50PM +0200, Gert Doering wrote: > ACK. > > Your patch has been applied to the release/2.3 branch. ... and to master. Given the comment on IRC I wasn't sure if that was only 2.3-specific (like the first patch) or "both branches" (this one :) ). > commit 6e469f4

[Openvpn-devel] [PATCH] Improve crypto/ssl logging

2014-10-25 Thread Steffan Karger
Hi, This patch set improves the logging from the crypto/ssl components. It adds some debug/logging wrappers to make it easy for developers to add proper logging, and makes the logging more verbose by reporting the underlying crypto library errors too. When errors occur during the TLS handshake

[Openvpn-devel] [PATCH 2/6] polarssl: Improve PolarSSL logging

2014-10-25 Thread Steffan Karger
Use the new polar_log_err() and polar_ok() functions introduced in the previous commit to provide more log/debug output on SSL errors. Signed-off-by: Steffan Karger --- src/openvpn/crypto_polarssl.c | 35 --- src/openvpn/ssl_polarssl.c| 91 ++--

[Openvpn-devel] [PATCH 3/6] polarssl: don't ignore failed ssl_init(), but ASSERT() on failure

2014-10-25 Thread Steffan Karger
Since key_state_ssl_init() returns void, it *must* succeed. By changing the 'if(a) { success } else ignore' into 'ASSERT(a); success', we make sure we don't fail (which we in practice don't do, because otherwise we would have had complaining users with hard to trace errors). This patch just change

[Openvpn-devel] [PATCH 1/6] polarssl: add polar_log_err() and polar_ok(), to easily log PolarSSL errors

2014-10-25 Thread Steffan Karger
Signed-off-by: Steffan Karger --- src/openvpn/crypto_polarssl.c | 26 ++ src/openvpn/crypto_polarssl.h | 40 2 files changed, 66 insertions(+) diff --git a/src/openvpn/crypto_polarssl.c b/src/openvpn/crypto_polarssl.c index 1a986db

[Openvpn-devel] [PATCH 4/6] openssl: add crypto_msg(), to easily log openssl errors

2014-10-25 Thread Steffan Karger
This works towards removing OpenSSL-specific error printing code from error.c. The crypto_msg() functions provide convenience wrappers, specific to OpenSSL. Instead of passing the magical 'M_SSLERR' flag to msg(), a developer now just calls crypto_msg() to get OpenSSL errors dumped to log. Signed-

[Openvpn-devel] [PATCH 5/6] openssl: use crypto_msg(), get rid of openssl-specific code in error.c

2014-10-25 Thread Steffan Karger
Signed-off-by: Steffan Karger --- src/openvpn/crypto_openssl.c | 30 +++- src/openvpn/error.c | 29 src/openvpn/error.h | 5 -- src/openvpn/ssl_openssl.c| 107 +++ 4 files changed, 75 insertions(+), 96 deletion

[Openvpn-devel] [PATCH 6/6] openssl: add more descriptive message for "no shared cipher" error

2014-10-25 Thread Steffan Karger
Overzealous users using the --tls-cipher option, or users with actual incompatible crypto libraries often waste quite some time debugging the "no shared cipher" error from openssl. See e.g. trac ticket #359: https://community.openvpn.net/openvpn/ticket/359 This change adds a more clear, verb 1 erro