Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Jeremie Courreges-Anglas

Hi,

Emmanuel Deloget  writes:

> Hi David,
>
> On Wed, Jun 21, 2017 at 11:06 PM, David Sommerseth <
> open...@sf.lists.topphemmelig.net> wrote:
>
>> But for reasons unknown to me, those tarballs got re-created somewhere
>> later in the release chain.  The contents of all tarballs are
>> essentially the same, but due to the "nice" artefact that the tar format
>> is non-deterministic on the output, even though the input is the same,
>> that begins to prepare the stage for this chaos.  Especially when what
>> is being uploaded is partly from the initial run and then some files
>> from a different run.
>>
>
> It might be possible to play with several tar options, including:
>
> --sort=name : sort added files by name, and not by the order specified by
> the OS
> --mtime=DATE-OR-FILE : set mtime of added file to a known value (either the
> mtime of a file or an arbitrary date/time string).
>
> These two options should help

--sort and --mtime seem like GNU tar options.

It would be cool if whatever is used to produce the tarballs was
portable to systems where the default tar program is not GNU tar.
If those tar options end up being used, then it would make sense to add
a knob to specify the GNU tar program used to build the tarballs.

> Both options are being used by the LEDE project which claims support of
> reproducible builds for a limited list of targets (tar is used when
> building packages [1]).
>
> [1]
> https://git.lede-project.org/?p=source.git;a=blob;f=scripts/ipkg-build#l142

Since OpenVPN uses automake, I'll just mention that the automake folks
also discussed reproducible tarballs:

  https://lists.gnu.org/archive/html/automake/2015-12/msg00012.html

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
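
Added example, not part of any message in this thread and not the project's release script: the two GNU tar options discussed above, together with the knob for choosing the GNU tar binary, in one function. The variable names TAR and SOURCE_DATE_EPOCH, the function names and the default timestamp are assumptions.

```sh
#!/bin/sh
# Added example: deterministic release tarball with GNU tar.
# Assumptions (not from the thread): the TAR and SOURCE_DATE_EPOCH variable
# names, the function names and the default timestamp.

# Print the name of a tar program that is GNU tar and knows --sort.
# TAR is the knob for systems whose default tar is not GNU tar (TAR=gtar).
find_gnu_tar() {
    for candidate in "${TAR:-}" gtar gnutar tar; do
        [ -n "$candidate" ] || continue
        command -v "$candidate" >/dev/null 2>&1 || continue
        if "$candidate" --version 2>/dev/null | grep -q 'GNU tar' &&
           "$candidate" --help 2>/dev/null | grep -q -e '--sort'; then
            echo "$candidate"
            return 0
        fi
    done
    echo "no GNU tar with --sort found; set TAR=/path/to/gnu-tar" >&2
    return 1
}

# Create DEST (.tar.gz) from directory SRC so that the bytes depend only on
# file names, file contents and permission bits.
make_repro_tarball() {
    src=$1
    dest=$2
    gtar=$(find_gnu_tar) || return 1
    tmp="$dest.tmp.$$"
    # --sort=name    : entry order no longer follows directory order
    # --mtime        : every entry carries the same timestamp
    # --owner/--group: drop the builder's uid, gid and account names
    "$gtar" --sort=name \
            --mtime="@${SOURCE_DATE_EPOCH:-1498003200}" \
            --owner=0 --group=0 --numeric-owner \
            -C "$(dirname "$src")" -cf "$tmp" "$(basename "$src")" ||
        { rm -f "$tmp"; return 1; }
    # gzip -n keeps the input name and timestamp out of the gzip header
    gzip -n -9 -c "$tmp" > "$dest"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Stand-alone use: sh script.sh SRC_DIR DEST.tar.gz
if [ "$#" -eq 2 ]; then
    make_repro_tarball "$1" "$2"
fi
```

File permission bits still come from the source tree, so the tree has to be checked out with the same umask on every run.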


Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread James Bekkema
> On 22 Jun 2017, at 7:06 am, David Sommerseth 
>  wrote:
> 
> - What can be done with Cloudflare to fully ensure their caches are
>  truly purged when we ask for it?  As Jonathan noticed, their caches
>  are tightly connected to the web browser and have a non-deterministic
>  behaviour across browsers, even on the same computer.

Cloudflare’s API supports clearing the cache (as does their web control panel), 
and this can be done on a file-by-file basis. Based on our experience it only 
takes around 15-20 seconds for the cache to be cleared on all of Cloudflare's 
CDN nodes for a file and it can be easily thrown into a release script.
https://api.cloudflare.com/#zone-purge-individual-files-by-url-and-cache-tags

As for some web browsers, proxy servers, etc. in-between the user and a 
Cloudflare node, they’re respecting the HTTP cache-control headers which are 
currently set to cache for 24 hours:

curl -I https://swupdate.openvpn.org/community/releases/openvpn-2.4.3.tar.gz
Expires: Fri, 23 Jun 2017 00:14:19 GMT
Cache-Control: public, max-age=86400

Of course, many proxy servers and web browsers have different approaches to 
handling caching headers (especially for zipped files), so you will get some 
differing behaviour. The best approach is to still have an appropriate caching 
time between nodes and the web server (24 hours is fine) so they don’t need to 
re-fetch the files too often, but then have a Cloudflare Page Rule to rewrite 
these with a lower time to clients (we use 4 hours) to limit the impact in the 
(hopefully rare) event of a file update being needed.
https://support.cloudflare.com/hc/en-us/articles/200168306-Is-there-a-tutorial-for-Page-Rules-#cache

The final cause of differing behaviour is that each Cloudflare node’s caching 
time of a file starts when that individual node first gets a request for it. 
But this can easily be ignored by just using the API to clear the cache of all 
nodes when needed.

> So I suggest we take a few weeks holiday, let this sink in, and then we
> can schedule a meeting some time in August where we discuss these
> issues.


Sorry to throw more noise at the mailing list, but I figured I’d put up some 
comments as IRC meeting times don’t usually align for those of us in Australia 
:-)

Regards,
James

--
James Bekkema
SparkLabs Developer
https://www.sparklabs.com
https://twitter.com/sparklabs
supp...@sparklabs.com


Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Emmanuel Deloget
Hi David,

On Wed, Jun 21, 2017 at 11:06 PM, David Sommerseth <
open...@sf.lists.topphemmelig.net> wrote:

> But for reasons unknown to me, those tarballs got re-created somewhere
> later in the release chain.  The contents of all tarballs are
> essentially the same, but due to the "nice" artefact that the tar format
> is non-deterministic on the output, even though the input is the same,
> that begins to prepare the stage for this chaos.  Especially when what
> is being uploaded is partly from the initial run and then some files
> from a different run.
>

It might be possible to play with several tar options, including:

--sort=name : sort added files by name, and not by the order specified by
the OS
--mtime=DATE-OR-FILE : set mtime of added file to a known value (either the
mtime of a file or an arbitrary date/time string).

These two options should help

Both options are being used by the LEDE project which claims support of
reproducible builds for a limited list of targets (tar is used when
building packages [1]).

[1]
https://git.lede-project.org/?p=source.git;a=blob;f=scripts/ipkg-build#l142



> --
> kind regards,
>
> David Sommerseth
> OpenVPN Technologies, Inc
>
>
BR,

-- Emmanuel Deloget


[Openvpn-devel] [PATCH v2] Move adjust_power_of_2() to integer.h

2017-06-21 Thread Steffan Karger
From: Steffan Karger 

misc.c is a mess of incoherent functions, and is therefore included by
virtually all our source files.  That makes testing harder than it should
be.  As a first step of cleaning up misc.c, move adjust_power_of_2() to
integer.h, which is a more suitable place for a function like this.

This allows us to remove the duplicate implementation from test_argv.c.

Signed-off-by: Steffan Karger 
---
v2: fix includes, fix typo in commit msg

 src/openvpn/argv.c   |  1 +
 src/openvpn/integer.h| 18 ++
 src/openvpn/list.c   |  1 +
 src/openvpn/mbuf.c   |  1 +
 src/openvpn/misc.c   | 18 --
 src/openvpn/misc.h   |  2 --
 tests/unit_tests/openvpn/test_argv.c | 18 --
 7 files changed, 21 insertions(+), 38 deletions(-)

diff --git a/src/openvpn/argv.c b/src/openvpn/argv.c
index a71d261c..95bdfeac 100644
--- a/src/openvpn/argv.c
+++ b/src/openvpn/argv.c
@@ -36,6 +36,7 @@
 #include "syshead.h"
 
 #include "argv.h"
+#include "integer.h"
 #include "options.h"
 
 static void
diff --git a/src/openvpn/integer.h b/src/openvpn/integer.h
index 884b849f..600e1384 100644
--- a/src/openvpn/integer.h
+++ b/src/openvpn/integer.h
@@ -114,6 +114,24 @@ modulo_add(int x, int y, int mod)
 return sum;
 }
 
+/*
+ * Return the next largest power of 2
+ * or u if u is a power of 2.
+ */
+static inline size_t
+adjust_power_of_2(size_t u)
+{
+size_t ret = 1;
+
+while (ret < u)
+{
+ret <<= 1;
+ASSERT(ret > 0);
+}
+
+return ret;
+}
+
 static inline int
 index_verify(int index, int size, const char *file, int line)
 {
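
Review bot: the inline adjust_power_of_2() added to integer.h uses ASSERT(), but this hunk adds no #include to integer.h for the header that defines ASSERT, so every file that includes integer.h has to have pulled that definition in first. Consider including it from integer.h so the header is self-contained. The comment could also state the edge cases visible in the loop: u == 0 returns 1, and a u larger than the highest power of two that fits in size_t shifts ret to 0 and trips the ASSERT instead of returning.
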
diff --git a/src/openvpn/list.c b/src/openvpn/list.c
index edca6f79..91765d20 100644
--- a/src/openvpn/list.c
+++ b/src/openvpn/list.c
@@ -31,6 +31,7 @@
 
 #if P2MP_SERVER
 
+#include "integer.h"
 #include "list.h"
 #include "misc.h"
 
diff --git a/src/openvpn/mbuf.c b/src/openvpn/mbuf.c
index fafbce01..f969a2b5 100644
--- a/src/openvpn/mbuf.c
+++ b/src/openvpn/mbuf.c
@@ -33,6 +33,7 @@
 
 #include "buffer.h"
 #include "error.h"
+#include "integer.h"
 #include "misc.h"
 #include "mbuf.h"
 
diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index 608204ee..0b65e6e2 100644
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -1646,24 +1646,6 @@ openvpn_sleep(const int n)
 }
 
 /*
- * Return the next largest power of 2
- * or u if u is a power of 2.
- */
-size_t
-adjust_power_of_2(size_t u)
-{
-size_t ret = 1;
-
-while (ret < u)
-{
-ret <<= 1;
-ASSERT(ret > 0);
-}
-
-return ret;
-}
-
-/*
  * Remove security-sensitive strings from control message
  * so that they will not be output to log file.
  */
diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h
index d504e68a..c9fa97ab 100644
--- a/src/openvpn/misc.h
+++ b/src/openvpn/misc.h
@@ -328,8 +328,6 @@ extern const char *iproute_path;
 #define SSEC_PW_ENV3 /* allow calling of built-in programs and 
user-defined scripts that may receive a password as an environmental variable */
 extern int script_security; /* GLOBAL */
 
-/* return the next largest power of 2 */
-size_t adjust_power_of_2(size_t u);
 
 #define COMPAT_FLAG_QUERY 0   /** compat_flags operator: Query for 
a flag */
 #define COMPAT_FLAG_SET   (1<<0)  /** compat_flags operator: Set a 
compat flag */
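
Review bot: removing the prototype leaves two consecutive blank lines between "extern int script_security;" and the COMPAT_FLAG_QUERY define; drop one of them together with the declaration. Since misc.h no longer declares adjust_power_of_2(), it is also worth grepping for remaining callers beyond argv.c, list.c and mbuf.c, which are the only files this patch gives a direct #include "integer.h".
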
diff --git a/tests/unit_tests/openvpn/test_argv.c 
b/tests/unit_tests/openvpn/test_argv.c
index 8c90eb9c..4a3ba559 100644
--- a/tests/unit_tests/openvpn/test_argv.c
+++ b/tests/unit_tests/openvpn/test_argv.c
@@ -13,24 +13,6 @@
 #include "argv.h"
 #include "buffer.h"
 
-/*
- * This is defined here to prevent #include'ing misc.h
- * which makes things difficult beyond any recognition
- */
-size_t
-adjust_power_of_2(size_t u)
-{
-size_t ret = 1;
-
-while (ret < u)
-{
-ret <<= 1;
-assert(ret > 0);
-}
-
-return ret;
-}
-
 /* Defines for use in the tests and the mock parse_line() */
 #define PATH1   "/s p a c e"
 #define PATH2   "/foo bar/baz"
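
Review bot: the copy removed here called assert() from the C library, while the integer.h version that replaces it calls ASSERT(), so the unit test build now depends on whatever ASSERT expands to being available when argv.c is compiled for the test. Please confirm the test still builds and links on its own, and say in the commit message how ASSERT is provided there. Unlike v1, this version adds no #include "integer.h" to test_argv.c, which is fine only if the test file itself never calls adjust_power_of_2().
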
-- 
2.11.0




[Openvpn-devel] [PATCH] Fix typo in extract_x509_extension() debug message

2017-06-21 Thread Steffan Karger
This message should use the external name, not the internal one.

Signed-off-by: Steffan Karger 
---
 src/openvpn/ssl_verify_openssl.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index f9e889ff..ea474955 100644
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -129,8 +129,7 @@ extract_x509_extension(X509 *cert, char *fieldname, char 
*out, int size)
 if (!x509_username_field_ext_supported(fieldname))
 {
 msg(D_TLS_ERRORS,
-"ERROR: --x509-alt-username field 'ext:%s' not supported",
-fieldname);
+"ERROR: --x509-username-field 'ext:%s' not supported", fieldname);
 return false;
 }
 
-- 
2.11.0




Re: [Openvpn-devel] [PATCH] Move adjust_power_of_2() to integer.h

2017-06-21 Thread Steffan Karger
Hi,

On 21-06-17 22:17, Antonio Quartulli wrote:
> However, now that adjust_power_of_2() has been moved to integer.h, shouldn't
> this file be included by every .c where the function is used? Or do we have some
> other rule about header files inclusion?
> 
> Personally I prefer when every .c file directly includes the .h it relies on,
> without assuming any indirect inclusion. What's the common habit here?

We have no consistent rule or habit that I know of, but I fully agree
with you.  So thanks for paying attention, will send a v2 in a minute.

-Steffan



Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread David Sommerseth
On 21/06/17 12:47, Samuli Seppänen wrote:
> The OpenVPN community project team is proud to release OpenVPN 2.4.3. It
> can be downloaded from here:
> 
> 
> 
> OpenVPN v2.4.2 was analyzed closely using a fuzzer by Guido Vranken. In
> the process several vulnerabilities were found, some of which are
> remotely exploitable in certain circumstances. We recommend you to
> upgrade to OpenVPN 2.4.3 or 2.3.17 as soon as possible. More details are
> available in our official security announcement:
> 
> 
> 
> In addition a number of bugs with no security impact have been fixed.
> The one big feature in the 2.4.3 release is support for building with
> OpenSSL 1.1.
> 
> A summary of all included changes is available here:
> 
> 
So just trying to hijack this discussion which is to be found a few more
places elsewhere in this mail thread.  No need to let this discussion
run longer.

There are several areas where we definitely can improve the release
process.  Last round where we managed to mess up the 2.3.15 release, so
I wrote a brand new "prepare release tarballs" script, which also
handles the signing.  This script _was_ used to produce the files to be
pushed out for the 2.4.3/2.3.17 releases.

But for reasons unknown to me, those tarballs got re-created somewhere
later in the release chain.  The contents of all tarballs are
essentially the same, but due to the "nice" artefact that the tar format
is non-deterministic on the output, even though the input is the same,
that begins to prepare the stage for this chaos.  Especially when what
is being uploaded is partly from the initial run and then some files
from a different run.

All that is history now.  Now we need to look forward.  Many good points
have been raised.

- Do we need .tar.gz and .zip files?  Where and why?
  The fewer source tarballs we need to handle, the less chance for
  errors

- Improve Makefile.am to not generate dist-gz files when running
  distcheck.  The distcheck run often provides very good indicator if we
  have packaged all the needed files in the source tarball.  If this
  doesn't pass, something is really wrong.

- Do we really need to re-create the source tarballs with the new
  ./dev-tools/gen-release-tarballs.sh?  Why?

- What can be done with Cloudflare to fully ensure their caches are
  truly purged when we ask for it?  As Jonathan noticed, their caches
  are tightly connected to the web browser and have a non-deterministic
  behaviour across browsers, even on the same computer.

- What else in the release process can be automated and put into a
  script?  This to ensure consistency between all releases we do.

- We need to write down a proper check-list of all the steps needed
  for a release, including putting a clear responsibility for each
  release.  This list must also mention which scripts to be run.  Again,
  automation is key to reduce the risk for errors.

- Consider how many really need to be involved in producing a
  release.  More chefs in a kitchen can result in great food, but it can
  also end up quite messy.

- At the same time, ensure we don't end up in a "single point of
  failure".  More of us core developers need to be able to step in for
  others, and still be able to produce a release without errors.  This
  can be the end result if we have proper scripts, both for automated
  and manual tasks.


My intention with these points is primarily "food for thought".  I
don't fully believe it will be easy to have a well structured debate
about the complete release process in a mailing list thread.

So I suggest we take a few weeks holiday, let this sink in, and then we
can schedule a meeting some time in August where we discuss these
issues.  And let's hope we don't need to rush yet another release before
August :)


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc






Re: [Openvpn-devel] [PATCH applied] Re: travis-ci: added gcc and clang openssl-1.1.0 builds

2017-06-21 Thread Steffan Karger
The following have to be cherry-picked (just tested, works without fuzz):

56e6bd8967d72c4374389dfd5cf32f5e3b86242c
81ba70b39b78d7677aabab957421264800028f53
aeac1139a34321a7f770ca20bfef886a21a89fe9

-Steffan

On 21-06-17 21:57, Gert Doering wrote:
> Your patch has been applied to the master branch.
> 
> I tried to apply it to release/2.4 as well, but it seems some prior
> patch to the .travis/ stuff never made it, so this patch does not apply.
> 
> As I'm a bit lazy today - could you backport all the travis stuff that
> is missing from 2.4 to release/2.4 and send a patch for that?  thanks :)
> 
> commit aeac1139a34321a7f770ca20bfef886a21a89fe9 (master)
> Author: Ilya Shipitsin
> Date:   Mon Jun 19 23:38:08 2017 +0500
> 
>  travis-ci: added gcc and clang openssl-1.1.0 builds
> 
>  Acked-by: Steffan Karger 
>  Message-Id: <1497897488-15999-1-git-send-email-chipits...@gmail.com>
>  URL: 
> https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14890.html
>  Signed-off-by: Gert Doering 
> 
> 
> --
> kind regards,
> 
> Gert Doering
> 
> 


Re: [Openvpn-devel] [PATCH] OpenSSL: remove pre-1.1 function from the OpenSSL compat interface

2017-06-21 Thread Steffan Karger
Hi,

On 19-06-17 17:35, log...@free.fr wrote:
> From: Emmanuel Deloget 
> 
> HMAC_CTX_init() has been removed from OpenSSL 1.1. Both this function
> and function HMAC_CTX_cleanup() have been replaced by HMAC_CTX_reset().
> 
> Commit aba98e9050eb54d72d921e70bcd422cb892b9c6c introduced support for
> HMAC_CTX_init() for OpenSSL 1.1+ while other functions were mimicking
> the OpenSSL 1.1 interface for earlier versions. This is clearly not a
> good idea -- a better approach would be to provide the new interface for
> pre-1.1 versions in order to have the dependent code use only one
> interface version. To implement that, we remove HMAC_CTX_init() from our
> compatibility layer and implement HMAC_CTX_reset() in terms of a cleanup
> followed by an init (as the regular HMAC_CTX_reset() function does in
> OpenSSL 1.1). This change has a consequence on HMAC_CTX_free() which now
> needs to cleanup() the HMAC context before freeing it.
> ---
>  configure.ac |  1 -
>  src/openvpn/crypto_openssl.c |  2 +-
>  src/openvpn/openssl_compat.h | 39 ++-
>  3 files changed, 15 insertions(+), 27 deletions(-)
> 
> diff --git a/configure.ac b/configure.ac
> index 56ce5f82..22f91cb6 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -924,7 +924,6 @@ if test "${enable_crypto}" = "yes" -a 
> "${with_crypto_library}" = "openssl"; then
>   HMAC_CTX_new \
>   HMAC_CTX_free \
>   HMAC_CTX_reset \
> - HMAC_CTX_init \
>   EVP_MD_CTX_new \
>   EVP_MD_CTX_free \
>   EVP_MD_CTX_reset \
> diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
> index a55e65c1..9cf3355b 100644
> --- a/src/openvpn/crypto_openssl.c
> +++ b/src/openvpn/crypto_openssl.c
> @@ -930,7 +930,7 @@ hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int 
> key_len,
>  {
>  ASSERT(NULL != kt && NULL != ctx);
>  
> -HMAC_CTX_init(ctx);
> +HMAC_CTX_reset(ctx);
>  HMAC_Init_ex(ctx, key, key_len, kt, NULL);
>  
>  /* make sure we used a big enough key */
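
Review bot: hmac_ctx_init() now calls HMAC_CTX_reset(ctx) where it called HMAC_CTX_init(ctx), and on pre-1.1 OpenSSL the compat HMAC_CTX_reset() from this same patch runs HMAC_CTX_cleanup(ctx) before the init. That is only safe if every ctx reaching hmac_ctx_init() has already been initialised once (for example because it came from HMAC_CTX_new()); a context with indeterminate contents would be cleaned up before its first init. Please confirm the callers. The int result of HMAC_CTX_reset(), documented in openssl_compat.h as 0 on error, is also dropped here.
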
> diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
> index c765f0bb..617410e0 100644
> --- a/src/openvpn/openssl_compat.h
> +++ b/src/openvpn/openssl_compat.h
> @@ -120,6 +120,15 @@ EVP_CIPHER_CTX_new(void)
>  /**
>   * Reset a HMAC context
>   *
> + * OpenSSL 1.1+ removes APIs HMAC_CTX_init() and HMAC_CTX_cleanup()
> + * and replace them with a single call that does a cleanup followed
> + * by an init. A proper _reset() for OpenSSL < 1.1 should perform
> + * a similar set of operations.
> + *
> + * It means that before we kill a HMAC context, we'll have to cleanup
> + * again, as we probably have allocated a few resources when we forced
> + * an init.
> + *
>   * @param ctx The HMAC context
>   * @return1 on success, 0 on error
>   */
> @@ -127,42 +136,22 @@ static inline int
>  HMAC_CTX_reset(HMAC_CTX *ctx)
>  {
>  HMAC_CTX_cleanup(ctx);
> +HMAC_CTX_init(ctx);
>  return 1;
>  }
>  #endif
>  
> -#if !defined(HAVE_HMAC_CTX_INIT)
> -/**
> - * Init a HMAC context
> - *
> - * @param ctx The HMAC context
> - *
> - * Contrary to many functions in this file, HMAC_CTX_init() is not
> - * an OpenSSL 1.1 function: it comes from previous versions and was
> - * removed in v1.1. As a consequence, there is no distincting in
> - * v1.1 between a cleanup, and init and a reset. Yet, previous OpenSSL
> - * version need this distinction.
> - *
> - * In order to respect previous OpenSSL versions, we implement init
> - * as reset for OpenSSL 1.1+.
> - */
> -static inline void
> -HMAC_CTX_init(HMAC_CTX *ctx)
> -{
> -HMAC_CTX_reset(ctx);
> -}
> -#endif
> -
>  #if !defined(HAVE_HMAC_CTX_FREE)
>  /**
> - * Free an existing HMAC context
> + * Cleanup and free an existing HMAC context
>   *
>   * @param ctx The HMAC context
>   */
>  static inline void
> -HMAC_CTX_free(HMAC_CTX *c)
> +HMAC_CTX_free(HMAC_CTX *ctx)
>  {
> - free(c);
> +HMAC_CTX_cleanup(ctx);
> +free(ctx);
>  }
>  #endif
>  
> 
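
Review bot: the new HMAC_CTX_free() calls HMAC_CTX_cleanup(ctx) unconditionally, so a NULL argument is no longer harmless the way it was with the bare free(c) it replaces. Unless every caller guarantees a non-NULL context, guard the two calls with a NULL check so the compat function keeps accepting NULL.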

Thanks, ACK.

-Steffan



Re: [Openvpn-devel] [PATCH] Move adjust_power_of_2() to integer.h

2017-06-21 Thread Antonio Quartulli
On Mon, Jun 19, 2017 at 01:47:33PM +0200, Steffan Karger wrote:
> misc.c it a mess of incoherent functions, and is therefore included by

little typ0 here: s/it/is/

> virtually all our source files.  That makes testing harder than it should
> be.  As a first step of cleaning up misc.c, move adjust_power_of_2() to
> integer.h, which is a more suitable place for a function like this.
> 
> This allows us to remove the duplicate implementation from test_argv.c.
> 
> Signed-off-by: Steffan Karger 
> ---
>  src/openvpn/integer.h| 17 +
>  src/openvpn/misc.c   | 18 --
>  src/openvpn/misc.h   |  2 --
>  tests/unit_tests/openvpn/test_argv.c | 19 +--
>  4 files changed, 18 insertions(+), 38 deletions(-)
> 
> diff --git a/src/openvpn/integer.h b/src/openvpn/integer.h
> index 240781b..882322a 100644
> --- a/src/openvpn/integer.h
> +++ b/src/openvpn/integer.h
> @@ -118,6 +118,23 @@ modulo_add(int x, int y, int mod)
>  return sum;
>  }
>  
> +/*
> + * Return the next largest power of 2
> + * or u if u is a power of 2.
> + */
> +static inline size_t adjust_power_of_2(size_t u)
> +{
> +size_t ret = 1;
> +
> +while (ret < u)
> +{
> +ret <<= 1;
> +ASSERT(ret > 0);
> +}
> +
> +return ret;
> +}
> +
>  static inline int
>  index_verify(int index, int size, const char *file, int line)
>  {
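
Review bot: "static inline size_t adjust_power_of_2(size_t u)" keeps the return type and the function name on one line, while the neighbouring definition in this same hunk ("static inline int" followed by "index_verify(...)") breaks after the return type. Split the line so the new function matches the style of the rest of integer.h.
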
> diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
> index df108b0..561f80f 100644
> --- a/src/openvpn/misc.c
> +++ b/src/openvpn/misc.c
> @@ -1641,24 +1641,6 @@ openvpn_sleep(const int n)
>  }
>  
>  /*
> - * Return the next largest power of 2
> - * or u if u is a power of 2.
> - */
> -size_t
> -adjust_power_of_2(size_t u)
> -{
> -size_t ret = 1;
> -
> -while (ret < u)
> -{
> -ret <<= 1;
> -ASSERT(ret > 0);
> -}
> -
> -return ret;
> -}
> -
> -/*
>   * Remove security-sensitive strings from control message
>   * so that they will not be output to log file.
>   */
> diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h
> index 94573b2..f55186f 100644
> --- a/src/openvpn/misc.h
> +++ b/src/openvpn/misc.h
> @@ -325,8 +325,6 @@ extern const char *iproute_path;
>  #define SSEC_PW_ENV3 /* allow calling of built-in programs and 
> user-defined scripts that may receive a password as an environmental variable 
> */
>  extern int script_security; /* GLOBAL */
>  
> -/* return the next largest power of 2 */
> -size_t adjust_power_of_2(size_t u);
>  
>  #define COMPAT_FLAG_QUERY 0   /** compat_flags operator: Query 
> for a flag */
>  #define COMPAT_FLAG_SET   (1<<0)  /** compat_flags operator: Set a 
> compat flag */
> diff --git a/tests/unit_tests/openvpn/test_argv.c 
> b/tests/unit_tests/openvpn/test_argv.c
> index 8c90eb9..c5ebc09 100644
> --- a/tests/unit_tests/openvpn/test_argv.c
> +++ b/tests/unit_tests/openvpn/test_argv.c
> @@ -12,24 +12,7 @@
>  
>  #include "argv.h"
>  #include "buffer.h"
> -
> -/*
> - * This is defined here to prevent #include'ing misc.h
> - * which makes things difficult beyond any recognition
> - */
> -size_t
> -adjust_power_of_2(size_t u)
> -{
> -size_t ret = 1;
> -
> -while (ret < u)
> -{
> -ret <<= 1;
> -assert(ret > 0);
> -}
> -
> -return ret;
> -}
> +#include "integer.h"

This duplication was really ugly :-P Thanks for getting rid of it.

However, now that adjust_power_of_2() has been moved to integer.h, shouldn't
this file be included by every .c where the function is used? Or do we have some
other rule about header files inclusion?

Personally I prefer when every .c file directly includes the .h it relies on,
without assuming any indirect inclusion. What's the common habit here?


Cheers,


>  
>  /* Defines for use in the tests and the mock parse_line() */
>  #define PATH1   "/s p a c e"
> -- 
> 2.7.4
> 

-- 
Antonio Quartulli




[Openvpn-devel] [PATCH applied] Re: travis-ci: added gcc and clang openssl-1.1.0 builds

2017-06-21 Thread Gert Doering
Your patch has been applied to the master branch.

I tried to apply it to release/2.4 as well, but it seems some prior
patch to the .travis/ stuff never made it, so this patch does not apply.

As I'm a bit lazy today - could you backport all the travis stuff that
is missing from 2.4 to release/2.4 and send a patch for that?  thanks :)

commit aeac1139a34321a7f770ca20bfef886a21a89fe9 (master)
Author: Ilya Shipitsin
Date:   Mon Jun 19 23:38:08 2017 +0500

 travis-ci: added gcc and clang openssl-1.1.0 builds

 Acked-by: Steffan Karger 
 Message-Id: <1497897488-15999-1-git-send-email-chipits...@gmail.com>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14890.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Jonathan K. Bullard
On Wed, Jun 21, 2017 at 12:48 PM, Matthias Andree
 wrote:
>
> On 21.06.2017 at 16:33, Samuli Seppänen wrote:
> > On 21/06/2017 17:06, Simon Matter wrote:
> >>> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen
> >>> wrote:
> >>>> The OpenVPN community project team is proud to release OpenVPN 2.4.3. It
> >>>> can be downloaded from here:
> >>>>
> >>>>
> >>> Hi. Thanks for this release.
> >>>
> >>> Verifying the PGP signature on 2.3.17.tar.gz works fine (so did 2.4.2
> >>> a few weeks ago), but trying to verify the signature on 2.4.3.tar.gz
> >>> fails with:
> >> I wanted to ask this during the 2.4.2 hiccup but now I really ask because
> >> there is confusion again with 2.4.3:
> >>
> >> Could you please add check sums of all release files so that one can
> >> easily check to have the correct download. Even MD5 works better than no check
> >> sum :-)
> >>
> >> Regards,
> >> Simon
> >>
> > Makes sense. I'll see if I could tackle that tomorrow.
> >
> > Meanwhile I added a test script which downloads every release file and
> > verifies their signatures. I will run this script as part of the release
> > process.
>
> It makes no sense at all. Don't start that!
>

I disagree. Having the checksums would have saved me a lot of time
today because I would have immediately known which file was corrupt --
the binary or the signature file -- without bothering the list. It
might help rule out Cloudflare as a suspected cause of the problem.


> You already provide detached GnuPG signatures, which are better suited
> for most purposes and incidentally also cover the "checksum" purpose.

Yes, "most purposes", but not "all purposes".
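
Added example, not part of the message above and not the project's test script: a checksum manifest that covers both the tarball and its .asc file, and a check that reports which of the two a download got wrong. Function names and file contents are constructed for the illustration.

```sh
#!/bin/sh
# Added example: checksum manifest for release files.
# Assumptions: function names, the "STATUS NAME" report format, sha256sum
# being available. Not the project's release tooling.

# Print the SHA-256 of one file as bare hex.
file_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# Emit "HASH  NAME" for every regular file in DIR, tarballs and .asc alike.
write_manifest() {
    ( cd "$1" || exit 1
      for f in *; do
          if [ -f "$f" ]; then sha256sum "$f"; fi
      done )
}

# Check the files in DIR against MANIFEST. Prints one "STATUS NAME" line per
# entry (OK, MISMATCH, MISSING, REJECTED) and returns 1 unless all are OK.
triage_download() {
    manifest=$1
    dir=$2
    rc=0
    while read -r want name; do
        case $name in
            ''|*/*|.*)
                status=REJECTED ;;      # never follow a path out of DIR
            *)
                if [ ! -f "$dir/$name" ]; then
                    status=MISSING
                elif [ "$(file_sha256 "$dir/$name")" = "$want" ]; then
                    status=OK
                else
                    status=MISMATCH
                fi ;;
        esac
        [ "$status" = OK ] || rc=1
        echo "$status $name"
    done < "$manifest"
    return "$rc"
}

# Stand-alone use: sh script.sh MANIFEST DOWNLOAD_DIR
if [ "$#" -eq 2 ]; then
    triage_download "$1" "$2"
fi
```

The manifest only localises the damaged file; whether the manifest itself is genuine still has to come from a signature.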



Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Jonathan K. Bullard
On Wed, Jun 21, 2017 at 7:48 AM, Jonathan K. Bullard 
wrote:

> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen 
> wrote:
> > The OpenVPN community project team is proud to release OpenVPN 2.4.3. It
> > can be downloaded from here:
> >
> > 
>
> Hi. Thanks for this release.
>
> Verifying the PGP signature on 2.3.17.tar.gz works fine (so did 2.4.2
> a few weeks ago), but trying to verify the signature on 2.4.3.tar.gz
> fails with:


I downloaded 2.4.3.tar.gz and 2.4.3.tar.gz.asc several times in the past
few hours and always got a bad copy of 2.4.3.tar.gz. Then I restarted my
computer and downloaded again: same thing. Then I downloaded with Safari
(instead of Chrome, which I had been using) -- and the downloaded
2.4.3.tar.gz was different and its signature verifies properly (the
2.4.3.tar.gz.asc was identical in all cases). So I went back to Chrome and
downloaded again -- bad copy. Firefox: good copy. Then Chrome again: good
copy.

So all seems OK now, but something is or was flakey with my computer,
Chrome, Cloudflare, my ISP… (or some combination).


Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Matthias Andree
On 21.06.2017 at 18:02, Gert Doering wrote:
> Hi,
>
> On Wed, Jun 21, 2017 at 05:58:18PM +0200, David Sommerseth wrote:
>> Hmmm ... not a bad idea.  But do we really need tar.gz at all these
>> days?  Why not just make autotools generate tar.xz by default and be
>> done with it?
> "distcheck" tends to just do .tar.gz - can you make it still do the check,
> but produce .tar.gz?

yes, in Makefile.am:
AUTOMAKE_OPTIONS= ...(whatever)... no-dist-gzip





Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Matthias Andree
On 21.06.2017 at 16:33, Samuli Seppänen wrote:
> On 21/06/2017 17:06, Simon Matter wrote:
>>> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen 
>>> wrote:
>>>> The OpenVPN community project team is proud to release OpenVPN 2.4.3. It
>>>> can be downloaded from here:
>>>>
>>>>
>>> Hi. Thanks for this release.
>>>
>>> Verifying the PGP signature on 2.3.17.tar.gz works fine (so did 2.4.2
>>> a few weeks ago), but trying to verify the signature on 2.4.3.tar.gz
>>> fails with:
>> I wanted to ask this during the 2.4.2 hiccup but now I really ask because
>> there is confusion again with 2.4.3:
>>
>> Could you please add check sums of all release files so that one can
>> easily check to have the correct download. Even MD5 works better than no
>> check sum :-)
>>
>> Regards,
>> Simon
>>
> Makes sense. I'll see if I could tackle that tomorrow.
>
> Meanwhile I added a test script which downloads every release file and
> verifies their signatures. I will run this script as part of the release
> process.

It makes no sense at all. Don't start that!

You already provide detached GnuPG signatures, which are better suited
for most purposes and incidentally also cover the "checksum" purpose.




Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Gert Doering
Hi,

On Wed, Jun 21, 2017 at 05:58:18PM +0200, David Sommerseth wrote:
> Hmmm ... not a bad idea.  But do we really need tar.gz at all these
> days?  Why not just make autotools generate tar.xz by default and be
> done with it?

"distcheck" tends to just do .tar.gz - can you make it still do the check,
but produce .tar.gz?

> Or to put it differently: Which platforms lack lzma/xz support these days?

plus "what platform needs .zip", as in "seriously, so often that the 3
persons unpacking OpenVPN source builds on Windows will not have 7zip
installed anyway"?

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread David Sommerseth
On 21/06/17 17:49, Gert Doering wrote:
> Hi,
> 
> On Wed, Jun 21, 2017 at 05:25:32PM +0200, Simon Matter wrote:
>>> .gz is built with "make distcheck", .xz right after from the same
>>> tree with "make dist-xz".
>>>
>>> What differs?
>>
>> The check sum of both extracted tarballs, not really their content.
> 
> Ah.  Yeah, that's one of the drawbacks of building two independent
> tarballs - timestamps in the tar header (IIRC), so the end result always
> differs in a few bytes.
> 
>> I suggest creating .xz from .gz instead of building another tarball. That
>> way the extracted tarballs from .gz and .xz share the same checksum ->
>> less confusion in case something goes wrong - as it did with 2.4.2 and
>> now.
> 
> David, you're listening?  Should be an easy-enough change from what 
> we have now... ("gunzip <...tar.gz | xz >...tar.xz" or however you
> do xz balls) :-)

Hmmm ... not a bad idea.  But do we really need tar.gz at all these
days?  Why not just make autotools generate tar.xz by default and be
done with it?

Or to put it differently: Which platforms lack lzma/xz support these days?


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc






Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Gert Doering
Hi,

On Wed, Jun 21, 2017 at 05:25:32PM +0200, Simon Matter wrote:
> > .gz is built with "make distcheck", .xz right after from the same
> > tree with "make dist-xz".
> >
> > What differs?
> 
> The check sum of both extracted tarballs, not really their content.

Ah.  Yeah, that's one of the drawbacks of building two independent
tarballs - timestamps in the tar header (IIRC), so the end result always
differs in a few bytes.

> I suggest creating .xz from .gz instead of building another tarball. That
> way the extracted tarballs from .gz and .xz share the same checksum ->
> less confusion in case something goes wrong - as it did with 2.4.2 and
> now.

David, you're listening?  Should be an easy-enough change from what 
we have now... ("gunzip <...tar.gz | xz >...tar.xz" or however you
do xz balls) :-)

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de
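
The effect discussed in this message, as an added Python example (not part of the original mail and not OpenVPN's release tooling): two tar streams built from the same files at different times differ in their header timestamps and therefore in SHA-256, while an .xz derived from the .gz by recompression carries the identical tar stream. The file names, contents and timestamps are constructed sample values, and the function names are assumptions of this example.

```python
import gzip
import hashlib
import io
import lzma
import tarfile

# Constructed sample tree standing in for a release source tree (assumption).
SAMPLE_TREE = {
    "sample-1.0/README": b"constructed sample file\n",
    "sample-1.0/configure.ac": b"AC_INIT([sample],[1.0])\n",
    "sample-1.0/src/main.c": b"int main(void) { return 0; }\n",
}


def build_tar(tree, mtime):
    """Build an uncompressed ustar stream; every member header carries `mtime`."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(tree):            # fixed member order
            info = tarfile.TarInfo(name)
            info.size = len(tree[name])
            info.mtime = mtime               # the header field that changes per run
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(tree[name]))
    return buf.getvalue()


def decompress(blob):
    """Return the tar stream inside a .tar.gz or .tar.xz, detected by magic bytes."""
    if blob[:2] == b"\x1f\x8b":
        return gzip.decompress(blob)
    if blob[:6] == b"\xfd7zXZ\x00":
        return lzma.decompress(blob)
    raise ValueError("neither gzip nor xz")


def tar_digest(blob):
    """SHA-256 of the decompressed tar stream (the 'extracted tarball' checksum)."""
    return hashlib.sha256(decompress(blob)).hexdigest()


def member_contents(blob):
    """Map member name -> file bytes, ignoring all header metadata."""
    with tarfile.open(fileobj=io.BytesIO(decompress(blob))) as tar:
        return {m.name: tar.extractfile(m).read() for m in tar if m.isfile()}


def gz_to_xz(gz_blob):
    """Same result as `gunzip < x.tar.gz | xz > x.tar.xz`: recompress, do not rebuild."""
    return lzma.compress(gzip.decompress(gz_blob), format=lzma.FORMAT_XZ)


def compare_release_paths(tree=SAMPLE_TREE):
    # Run 1 produces the .tar.gz; run 2, one minute later, builds the .tar.xz
    # independently from the same tree (constructed timestamps).
    gz_blob = gzip.compress(build_tar(tree, mtime=1498040000), mtime=0)
    xz_independent = lzma.compress(build_tar(tree, mtime=1498040060),
                                   format=lzma.FORMAT_XZ)
    xz_derived = gz_to_xz(gz_blob)
    return {
        "same_files": member_contents(gz_blob) == member_contents(xz_independent),
        "independent_tar_matches": tar_digest(gz_blob) == tar_digest(xz_independent),
        "derived_tar_matches": tar_digest(gz_blob) == tar_digest(xz_derived),
    }


if __name__ == "__main__":
    for key, value in compare_release_paths().items():
        print(f"{key}: {value}")
```

A detached signature covers the compressed file, so the .tar.gz and the derived .tar.xz each still need their own .asc.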




Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Simon Matter
> Hi,
>
> On Wed, Jun 21, 2017 at 04:18:41PM +0200, Simon Matter wrote:
>> An additional source of confusion seems to be that the tarball of the .gz and
>> .xz files don't match. Maybe this could easily be fixed in the build
>> process.
>
> .gz is built with "make distcheck", .xz right after from the same
> tree with "make dist-xz".
>
> What differs?

The check sum of both extracted tarballs, not really their content.

I suggest creating .xz from .gz instead of building another tarball. That
way the extracted tarballs from .gz and .xz share the same checksum ->
less confusion in case something goes wrong - as it did with 2.4.2 and
now.

Thanks,
Simon




Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Gert Doering
Hi,

On Wed, Jun 21, 2017 at 04:18:41PM +0200, Simon Matter wrote:
> An additional source of confusion seems to be that the tarball of the .gz and
> .xz files don't match. Maybe this could easily be fixed in the build
> process.

.gz is built with "make distcheck", .xz right after from the same
tree with "make dist-xz".

What differs?

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Simon Matter
>>> I believe it is Cloudflare playing tricks on us again.
>>>
>>> Attached are the proper signature files and below a list of the SHA256
>>> checksums:
>>>
>>> 7aa86167a5b8923e54e8795b814ed77288c793671f59fd830d9ab76d4b480571
>>> openvpn-2.4.3.tar.xz
>>>
>>> This is based on the files I've already pushed to the Fedora builder
>>> (koji), which
>>
>> I have the following sums:
>>
>> 15e15fc97f189b52aee7c90ec8355aa77469c773125110b4c2f089abecde36fb
>> openvpn-2.4.3.tar.xz
>>
>
> Those sha256sums are the correct ones.

That's the problem, which one is the correct one for openvpn-2.4.3.tar.xz?

7aa86167a5b8923e54e8795b814ed77288c793671f59fd830d9ab76d4b480571

or

15e15fc97f189b52aee7c90ec8355aa77469c773125110b4c2f089abecde36fb

Thanks,
Simon




Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Samuli Seppänen
On 21/06/2017 17:42, Simon Matter wrote:
>> On 21/06/17 13:48, Jonathan K. Bullard wrote:
>>> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen 
>>> wrote:
>>>> The OpenVPN community project team is proud to release OpenVPN 2.4.3.
>>>> It
>>>> can be downloaded from here:
>>>>
>>>>
>>>
>>> Hi. Thanks for this release.
>>>
>>> Verifying the PGP signature on 2.3.17.tar.gz works fine (so did 2.4.2
>>> a few weeks ago), but trying to verify the signature on 2.4.3.tar.gz
>>> fails with:
>>>
>>> $ gpg2 -v --verify /XXX/openvpn-2.4.3.tar.gz.asc
>>>
>>> gpg: armor header: Version: GnuPG v1
>>> gpg: assuming signed data in '/XXX/openvpn-2.4.3.tar.gz'
>>> gpg: Signature made Wed Jun 21 06:19:19 2017 EDT
>>> gpg:using RSA key D72AF3448CC2B034
>>> gpg: using subkey D72AF3448CC2B034 instead of primary key
>>> 12F5F7B42F2B01E7
>>> gpg: using pgp trust model
>>> gpg: BAD signature from "OpenVPN - Security Mailing List
>>> " [unknown]
>>> gpg: binary signature, digest algorithm SHA1, key algorithm rsa4096
>>>
>>> The SHA256 of openvpn-2.4.3.tar.gz is
>>>  84a01aa3df0c12a3552ca3baaa39d700137b5bce4b6de683fe87fb79bfa5df0b
>>>
>>> The SHA256 of openvpn-2.4.3.tar.gz.asc is
>>>  695afa06fcf94f9e8bd2ee63267332d14e52fe24dd58c470e42dafbea371e437
>>>
>>> The files were downloaded from
>>> https://openvpn.net/index.php/open-source/downloads.html at about
>>> 10:24 UCT today from the New York City area.
>>>
>>> For reference, here is the output from verifying 2.3.17:
>>>
>>> $ gpg2 -v --verify
>>> /Users/jonathanbullard/Desktop/openvpn-2.3.17.tar.gz.asc
>>>
>>> gpg: armor header: Version: GnuPG v1
>>> gpg: assuming signed data in
>>> '/Users/jonathanbullard/Desktop/openvpn-2.3.17.tar.gz'
>>> gpg: Signature made Wed Jun 21 06:18:55 2017 EDT
>>> gpg:using RSA key D72AF3448CC2B034
>>> gpg: using subkey D72AF3448CC2B034 instead of primary key
>>> 12F5F7B42F2B01E7
>>> gpg: using pgp trust model
>>> gpg: Good signature from "OpenVPN - Security Mailing List
>>> " [unknown]
>>> gpg: WARNING: This key is not certified with a trusted signature!
>>> gpg:  There is no indication that the signature belongs to the
>>> owner.
>>> Primary key fingerprint: F554 A368 7412 CFFE BDEF  E0A3 12F5 F7B4 2F2B
>>> 01E7
>>>  Subkey fingerprint: B596 06E2 D8C6 E10B 80BE  2B31 D72A F344 8CC2
>>> B034
>>> gpg: binary signature, digest algorithm SHA1, key algorithm rsa4096
>>>
>>> Any ideas or suggestions?
>>
>> I believe it is Cloudflare playing tricks on us again.
>>
>> Attached are the proper signature files and below a list of the SHA256
>> checksums:
>>
>> d300029416b045666f2dc957bdde407ba97894428b5ad8433df789e793ccc1d3
>> openvpn-2.3.17.tar.xz
>> b206065f4a1720c022fde710c0449b5b25e9dda8ca2911a82bacf21b9fcb4e29
>> openvpn-2.3.17.tar.xz.asc
>> 7aa86167a5b8923e54e8795b814ed77288c793671f59fd830d9ab76d4b480571
>> openvpn-2.4.3.tar.xz
>> 9f5f089f4a4b3e270ddb53cb0b689f4c0bad89d7e2ee08a1d4666e7ab869f210
>> openvpn-2.4.3.tar.xz.asc
>>
>> This is based on the files I've already pushed to the Fedora builder
>> (koji), which
> 
> I have the following sums:
> 
> af806c47623aa1d8246cf0790984766f61c8d0a63ea0b04127ff5c6c65e46088 
> openvpn-2.3.17.tar.gz
> d300029416b045666f2dc957bdde407ba97894428b5ad8433df789e793ccc1d3 
> openvpn-2.3.17.tar.xz
> cee3d3ca462960a50a67c0ebd186e01b6d13db70275205663695152c9aca8579 
> openvpn-2.4.3.tar.gz
> 15e15fc97f189b52aee7c90ec8355aa77469c773125110b4c2f089abecde36fb 
> openvpn-2.4.3.tar.xz
> 
> So 2.3.17 seems fine but what about 2.4.3? What is the real final check
> sum for openvpn-2.4.3.tar.gz and openvpn-2.4.3.tar.xz?
> 
> Thanks,
> Simon
> 

Those sha256sums are the correct ones.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Simon Matter
> On 21/06/17 13:48, Jonathan K. Bullard wrote:
>> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen 
>> wrote:
>>> The OpenVPN community project team is proud to release OpenVPN 2.4.3.
>>> It
>>> can be downloaded from here:
>>>
>>> 
>>
>> Hi. Thanks for this release.
>>
>> Verifying the PGP signature on 2.3.17.tar.gz works fine (so did 2.4.2
>> a few weeks ago), but trying to verify the signature on 2.4.3.tar.gz
>> fails with:
>>
>> $ gpg2 -v --verify /XXX/openvpn-2.4.3.tar.gz.asc
>>
>> gpg: armor header: Version: GnuPG v1
>> gpg: assuming signed data in '/XXX/openvpn-2.4.3.tar.gz'
>> gpg: Signature made Wed Jun 21 06:19:19 2017 EDT
>> gpg:using RSA key D72AF3448CC2B034
>> gpg: using subkey D72AF3448CC2B034 instead of primary key
>> 12F5F7B42F2B01E7
>> gpg: using pgp trust model
>> gpg: BAD signature from "OpenVPN - Security Mailing List
>> " [unknown]
>> gpg: binary signature, digest algorithm SHA1, key algorithm rsa4096
>>
>> The SHA256 of openvpn-2.4.3.tar.gz is
>>  84a01aa3df0c12a3552ca3baaa39d700137b5bce4b6de683fe87fb79bfa5df0b
>>
>> The SHA256 of openvpn-2.4.3.tar.gz.asc is
>>  695afa06fcf94f9e8bd2ee63267332d14e52fe24dd58c470e42dafbea371e437
>>
>> The files were downloaded from
>> https://openvpn.net/index.php/open-source/downloads.html at about
>> 10:24 UCT today from the New York City area.
>>
>> For reference, here is the output from verifying 2.3.17:
>>
>> $ gpg2 -v --verify
>> /Users/jonathanbullard/Desktop/openvpn-2.3.17.tar.gz.asc
>>
>> gpg: armor header: Version: GnuPG v1
>> gpg: assuming signed data in
>> '/Users/jonathanbullard/Desktop/openvpn-2.3.17.tar.gz'
>> gpg: Signature made Wed Jun 21 06:18:55 2017 EDT
>> gpg:using RSA key D72AF3448CC2B034
>> gpg: using subkey D72AF3448CC2B034 instead of primary key
>> 12F5F7B42F2B01E7
>> gpg: using pgp trust model
>> gpg: Good signature from "OpenVPN - Security Mailing List
>> " [unknown]
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg:  There is no indication that the signature belongs to the
>> owner.
>> Primary key fingerprint: F554 A368 7412 CFFE BDEF  E0A3 12F5 F7B4 2F2B
>> 01E7
>>  Subkey fingerprint: B596 06E2 D8C6 E10B 80BE  2B31 D72A F344 8CC2
>> B034
>> gpg: binary signature, digest algorithm SHA1, key algorithm rsa4096
>>
>> Any ideas or suggestions?
>
> I believe it is Cloudflare playing tricks on us again.
>
> Attached are the proper signature files and below a list of the SHA256
> checksums:
>
> d300029416b045666f2dc957bdde407ba97894428b5ad8433df789e793ccc1d3
> openvpn-2.3.17.tar.xz
> b206065f4a1720c022fde710c0449b5b25e9dda8ca2911a82bacf21b9fcb4e29
> openvpn-2.3.17.tar.xz.asc
> 7aa86167a5b8923e54e8795b814ed77288c793671f59fd830d9ab76d4b480571
> openvpn-2.4.3.tar.xz
> 9f5f089f4a4b3e270ddb53cb0b689f4c0bad89d7e2ee08a1d4666e7ab869f210
> openvpn-2.4.3.tar.xz.asc
>
> This is based on the files I've already pushed to the Fedora builder
> (koji), which

I have the following sums:

af806c47623aa1d8246cf0790984766f61c8d0a63ea0b04127ff5c6c65e46088 
openvpn-2.3.17.tar.gz
d300029416b045666f2dc957bdde407ba97894428b5ad8433df789e793ccc1d3 
openvpn-2.3.17.tar.xz
cee3d3ca462960a50a67c0ebd186e01b6d13db70275205663695152c9aca8579 
openvpn-2.4.3.tar.gz
15e15fc97f189b52aee7c90ec8355aa77469c773125110b4c2f089abecde36fb 
openvpn-2.4.3.tar.xz

So 2.3.17 seems fine but what about 2.4.3? What is the real final check
sum for openvpn-2.4.3.tar.gz and openvpn-2.4.3.tar.xz?

Thanks,
Simon
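
Comparing the two SHA256 listings posted in this thread, as an added Python example (not part of the original mail or of OpenVPN's release script): the parser accepts `sha256sum` output even when the mail client has wrapped the file name onto the next line, and the diff shows which files the two senders disagree on. The function names are assumptions of this example; the digests are copied from the messages above.

```python
import hashlib
import re

HEX64 = re.compile(r"[0-9a-f]{64}")

# Listing quoted from David Sommerseth's mail, in its mail-wrapped form.
LIST_A = """\
> d300029416b045666f2dc957bdde407ba97894428b5ad8433df789e793ccc1d3
> openvpn-2.3.17.tar.xz
> b206065f4a1720c022fde710c0449b5b25e9dda8ca2911a82bacf21b9fcb4e29
> openvpn-2.3.17.tar.xz.asc
> 7aa86167a5b8923e54e8795b814ed77288c793671f59fd830d9ab76d4b480571
> openvpn-2.4.3.tar.xz
> 9f5f089f4a4b3e270ddb53cb0b689f4c0bad89d7e2ee08a1d4666e7ab869f210
> openvpn-2.4.3.tar.xz.asc
"""

# Listing from Simon Matter's mail.
LIST_B = """\
I have the following sums:

af806c47623aa1d8246cf0790984766f61c8d0a63ea0b04127ff5c6c65e46088
openvpn-2.3.17.tar.gz
d300029416b045666f2dc957bdde407ba97894428b5ad8433df789e793ccc1d3
openvpn-2.3.17.tar.xz
cee3d3ca462960a50a67c0ebd186e01b6d13db70275205663695152c9aca8579
openvpn-2.4.3.tar.gz
15e15fc97f189b52aee7c90ec8355aa77469c773125110b4c2f089abecde36fb
openvpn-2.4.3.tar.xz
"""


def parse_sums(text):
    """Parse sha256sum-style text into {file name: digest}.

    Accepts 'DIGEST  NAME' on one line, or DIGEST alone followed by NAME on
    the next line; leading '>' quote markers and other prose are skipped.
    """
    sums, pending = {}, None
    for raw in text.splitlines():
        parts = raw.lstrip("> \t").split()
        if not parts:
            continue
        first = parts[0].lower()
        if HEX64.fullmatch(first):
            if len(parts) == 1:              # digest alone: name is on the next line
                pending = first
                continue
            digest, name = first, parts[1].lstrip("*")
        elif pending and len(parts) == 1:    # the wrapped file name
            digest, name = pending, parts[0]
        else:                                # ordinary prose line
            pending = None
            continue
        pending = None
        if sums.setdefault(name, digest) != digest:
            raise ValueError(f"conflicting digests for {name} in one listing")
    return sums


def compare(a, b):
    """Classify file names by whether two listings agree on their digest."""
    shared = sorted(set(a) & set(b))
    return {
        "match": [n for n in shared if a[n] == b[n]],
        "mismatch": [n for n in shared if a[n] != b[n]],
        "only_a": sorted(set(a) - set(b)),
        "only_b": sorted(set(b) - set(a)),
    }


def check_download(name, data, sums):
    """Check downloaded bytes against a listing: 'ok', 'mismatch' or 'unlisted'."""
    expected = sums.get(name)
    if expected is None:
        return "unlisted"
    return "ok" if hashlib.sha256(data).hexdigest() == expected else "mismatch"


if __name__ == "__main__":
    for kind, names in compare(parse_sums(LIST_A), parse_sums(LIST_B)).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

A mismatch only shows that two copies differ; deciding which copy is the release still takes the detached signature.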




Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Samuli Seppänen
On 21/06/2017 17:06, Simon Matter wrote:
>> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen 
>> wrote:
>>> The OpenVPN community project team is proud to release OpenVPN 2.4.3. It
>>> can be downloaded from here:
>>>
>>> 
>>
>> Hi. Thanks for this release.
>>
>> Verifying the PGP signature on 2.3.17.tar.gz works fine (so did 2.4.2
>> a few weeks ago), but trying to verify the signature on 2.4.3.tar.gz
>> fails with:
> 
> I wanted to ask this during the 2.4.2 hiccup but now I really ask because
> there is confusion again with 2.4.3:
> 
> Could you please add check sums of all release files so that one can
> easily check to have the correct download. Even MD5 works better than no
> check sum :-)
> 
> Regards,
> Simon
> 

Makes sense. I'll see if I could tackle that tomorrow.

Meanwhile I added a test script which downloads every release file and
verifies their signatures. I will run this script as part of the release
process.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Simon Matter
>> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen 
>> wrote:
>>> The OpenVPN community project team is proud to release OpenVPN 2.4.3.
>>> It
>>> can be downloaded from here:
>>>
>>> 
>>
>> Hi. Thanks for this release.
>>
>> Verifying the PGP signature on 2.3.17.tar.gz works fine (so did 2.4.2
>> a few weeks ago), but trying to verify the signature on 2.4.3.tar.gz
>> fails with:
>
> I wanted to ask this during the 2.4.2 hiccup but now I really ask because
> there is confusion again with 2.4.3:
>
> Could you please add check sums of all release files so that one can
> easily check to have the correct download. Even MD5 works better than no
> check sum :-)

An additional source of confusion seems to be that the tarball of the .gz and
.xz files don't match. Maybe this could easily be fixed in the build
process.

Simon




Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Simon Matter
> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen 
> wrote:
>> The OpenVPN community project team is proud to release OpenVPN 2.4.3. It
>> can be downloaded from here:
>>
>> 
>
> Hi. Thanks for this release.
>
> Verifying the PGP signature on 2.3.17.tar.gz works fine (so did 2.4.2
> a few weeks ago), but trying to verify the signature on 2.4.3.tar.gz
> fails with:

I wanted to ask this during the 2.4.2 hiccup but now I really ask because
there is confusion again with 2.4.3:

Could you please add check sums of all release files so that one can
easily check to have the correct download. Even MD5 works better than no
check sum :-)

Regards,
Simon




Re: [Openvpn-devel] ***UNCHECKED*** Re: OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread David Sommerseth
On 21/06/17 15:11, Jonathan K. Bullard wrote:
> And I tried using a VPN : ) to download from London, hoping to get a
> different CloudFlare server, but get the same (bad) .tar.gz and/or
> .tar.gz.asc as my original downloads.
> 
> Should swupdates.openvpn.net be publicly accessible? It doesn't
> resolve for me using Google DNS.

Sorry, I obviously did a typo 

$ host swupdate.openvpn.net
swupdate.openvpn.net has address 104.20.195.50
swupdate.openvpn.net has address 104.20.194.50

That should be public, and is "hidden" behind cloudflare, which seems to
challenge us from time to time with its caching.


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc






Re: [Openvpn-devel] ***UNCHECKED*** Re: OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Samuli Seppänen
On 21/06/2017 16:11, Jonathan K. Bullard wrote:
> On Wed, Jun 21, 2017 at 8:40 AM, David Sommerseth
>  wrote:
>> On 21/06/17 14:30, David Sommerseth wrote:
>>> On 21/06/17 13:48, Jonathan K. Bullard wrote:
>>>> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen
>>>> wrote:
>>>>> The OpenVPN community project team is proud to release OpenVPN 2.4.3. It
>>>>> can be downloaded from here:
>>>>>
>>>>>
>>>>
>>>> Hi. Thanks for this release.
>>>>
>>>> Verifying the PGP signature on 2.3.17.tar.gz works fine (so did 2.4.2
>>>> a few weeks ago), but trying to verify the signature on 2.4.3.tar.gz
>>>> fails with:
>>>>
>>>> $ gpg2 -v --verify /XXX/openvpn-2.4.3.tar.gz.asc
>>>>
>>>> gpg: armor header: Version: GnuPG v1
>>>> gpg: assuming signed data in '/XXX/openvpn-2.4.3.tar.gz'
>>>> gpg: Signature made Wed Jun 21 06:19:19 2017 EDT
>>>> gpg:using RSA key D72AF3448CC2B034
>>>> gpg: using subkey D72AF3448CC2B034 instead of primary key 12F5F7B42F2B01E7
>>>> gpg: using pgp trust model
>>>> gpg: BAD signature from "OpenVPN - Security Mailing List
>>>> " [unknown]
>>>> gpg: binary signature, digest algorithm SHA1, key algorithm rsa4096
>>>>
>>>> The SHA256 of openvpn-2.4.3.tar.gz is
>>>>  84a01aa3df0c12a3552ca3baaa39d700137b5bce4b6de683fe87fb79bfa5df0b
>>>>
>>>> The SHA256 of openvpn-2.4.3.tar.gz.asc is
>>>>  695afa06fcf94f9e8bd2ee63267332d14e52fe24dd58c470e42dafbea371e437
>>>>
>>>> The files were downloaded from
>>>> https://openvpn.net/index.php/open-source/downloads.html at about
>>>> 10:24 UCT today from the New York City area.
>>>>
>>>> For reference, here is the output from verifying 2.3.17:
>>>>
>>>> $ gpg2 -v --verify /Users/jonathanbullard/Desktop/openvpn-2.3.17.tar.gz.asc
>>>>
>>>> gpg: armor header: Version: GnuPG v1
>>>> gpg: assuming signed data in
>>>> '/Users/jonathanbullard/Desktop/openvpn-2.3.17.tar.gz'
>>>> gpg: Signature made Wed Jun 21 06:18:55 2017 EDT
>>>> gpg:using RSA key D72AF3448CC2B034
>>>> gpg: using subkey D72AF3448CC2B034 instead of primary key 12F5F7B42F2B01E7
>>>> gpg: using pgp trust model
>>>> gpg: Good signature from "OpenVPN - Security Mailing List
>>>> " [unknown]
>>>> gpg: WARNING: This key is not certified with a trusted signature!
>>>> gpg:  There is no indication that the signature belongs to the
>>>> owner.
>>>> Primary key fingerprint: F554 A368 7412 CFFE BDEF  E0A3 12F5 F7B4 2F2B 01E7
>>>>  Subkey fingerprint: B596 06E2 D8C6 E10B 80BE  2B31 D72A F344 8CC2 B034
>>>> gpg: binary signature, digest algorithm SHA1, key algorithm rsa4096
>>>>
>>>> Any ideas or suggestions?
>>>
>>> I believe it is Cloudflare playing tricks on us again.
>>>
>>> Attached are the proper signature files and below a list of the SHA256 
>>> checksums:
>>>
>>> d300029416b045666f2dc957bdde407ba97894428b5ad8433df789e793ccc1d3  
>>> openvpn-2.3.17.tar.xz
>>> b206065f4a1720c022fde710c0449b5b25e9dda8ca2911a82bacf21b9fcb4e29  
>>> openvpn-2.3.17.tar.xz.asc
>>> 7aa86167a5b8923e54e8795b814ed77288c793671f59fd830d9ab76d4b480571  
>>> openvpn-2.4.3.tar.xz
>>> 9f5f089f4a4b3e270ddb53cb0b689f4c0bad89d7e2ee08a1d4666e7ab869f210  
>>> openvpn-2.4.3.tar.xz.asc
>>>
>>> This is based on the files I've already pushed to the Fedora builder 
>>> (koji), which
>>> I downloaded soon after the swupdates.openvpn.net server was updated.
>> Let's try to attach the _proper_ signature file for v2.4.3.  I managed to
>> send the signature for the previous (v2.4.2) release in the previous mail.
> 
> Thanks.
> 
> My original post was about the .tar.**gz**, but I downloaded (at about
> 12:45 UCT) both openvpn-2.4.3.tar.xz and openvpn-2.4.3.tar.xz.asc, and
> verifying fails. However, verifying the .tar.xz against the .asc in
> your email succeeds. So the problems seem to be with the .asc (for the
> tar.xz, at least), not with the .tar.gz itself.
> 
> And I tried using a VPN : ) to download from London, hoping to get a
> different CloudFlare server, but get the same (bad) .tar.gz and/or
> .tar.gz.asc as my original downloads.
> 
> Should swupdates.openvpn.net be publicly accessible? It doesn't
> resolve for me using Google DNS.
> 
> Best regards,
> 
> Jon
> 

Hi,

For whatever reason the following packages were incorrect:

  openvpn-2.4.3.tar.gz
  openvpn-2.4.3.tar.xz
  openvpn-2.4.3.zip

I suspect that the incorrect packages were the ones generated
automatically by my release script. The contents of those packages would
have been identical to the "official" packages, but the GPG signature
belonging to the correct package would not verify correctly.

Now all the files on the primary download server (swupdate) should be
correct. I will verify the files on the secondary server next and add
automated "download files from web and verify them with GnuPG" to my
release script.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc 

Re: [Openvpn-devel] ***UNCHECKED*** Re: OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Jonathan K. Bullard
On Wed, Jun 21, 2017 at 8:40 AM, David Sommerseth
 wrote:
> On 21/06/17 14:30, David Sommerseth wrote:
>> On 21/06/17 13:48, Jonathan K. Bullard wrote:
>>> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen  wrote:
>>>> The OpenVPN community project team is proud to release OpenVPN 2.4.3. It
>>>> can be downloaded from here:
>>>>
>>>>
>>>
>>> Hi. Thanks for this release.
>>>
>>> Verifying the PGP signature on 2.3.17.tar.gz works fine (so did 2.4.2
>>> a few weeks ago), but trying to verify the signature on 2.4.3.tar.gz
>>> fails with:
>>>
>>> $ gpg2 -v --verify /XXX/openvpn-2.4.3.tar.gz.asc
>>>
>>> gpg: armor header: Version: GnuPG v1
>>> gpg: assuming signed data in '/XXX/openvpn-2.4.3.tar.gz'
>>> gpg: Signature made Wed Jun 21 06:19:19 2017 EDT
>>> gpg:using RSA key D72AF3448CC2B034
>>> gpg: using subkey D72AF3448CC2B034 instead of primary key 12F5F7B42F2B01E7
>>> gpg: using pgp trust model
>>> gpg: BAD signature from "OpenVPN - Security Mailing List
>>> " [unknown]
>>> gpg: binary signature, digest algorithm SHA1, key algorithm rsa4096
>>>
>>> The SHA256 of openvpn-2.4.3.tar.gz is
>>>  84a01aa3df0c12a3552ca3baaa39d700137b5bce4b6de683fe87fb79bfa5df0b
>>>
>>> The SHA256 of openvpn-2.4.3.tar.gz.asc is
>>>  695afa06fcf94f9e8bd2ee63267332d14e52fe24dd58c470e42dafbea371e437
>>>
>>> The files were downloaded from
>>> https://openvpn.net/index.php/open-source/downloads.html at about
>>> 10:24 UCT today from the New York City area.
>>>
>>> For reference, here is the output from verifying 2.3.17:
>>>
>>> $ gpg2 -v --verify /Users/jonathanbullard/Desktop/openvpn-2.3.17.tar.gz.asc
>>>
>>> gpg: armor header: Version: GnuPG v1
>>> gpg: assuming signed data in
>>> '/Users/jonathanbullard/Desktop/openvpn-2.3.17.tar.gz'
>>> gpg: Signature made Wed Jun 21 06:18:55 2017 EDT
>>> gpg:using RSA key D72AF3448CC2B034
>>> gpg: using subkey D72AF3448CC2B034 instead of primary key 12F5F7B42F2B01E7
>>> gpg: using pgp trust model
>>> gpg: Good signature from "OpenVPN - Security Mailing List
>>> " [unknown]
>>> gpg: WARNING: This key is not certified with a trusted signature!
>>> gpg:  There is no indication that the signature belongs to the 
>>> owner.
>>> Primary key fingerprint: F554 A368 7412 CFFE BDEF  E0A3 12F5 F7B4 2F2B 01E7
>>>  Subkey fingerprint: B596 06E2 D8C6 E10B 80BE  2B31 D72A F344 8CC2 B034
>>> gpg: binary signature, digest algorithm SHA1, key algorithm rsa4096
>>>
>>> Any ideas or suggestions?
>>
>> I believe it is Cloudflare playing tricks on us again.
>>
>> Attached are the proper signature files and below a list of the SHA256 
>> checksums:
>>
>> d300029416b045666f2dc957bdde407ba97894428b5ad8433df789e793ccc1d3  
>> openvpn-2.3.17.tar.xz
>> b206065f4a1720c022fde710c0449b5b25e9dda8ca2911a82bacf21b9fcb4e29  
>> openvpn-2.3.17.tar.xz.asc
>> 7aa86167a5b8923e54e8795b814ed77288c793671f59fd830d9ab76d4b480571  
>> openvpn-2.4.3.tar.xz
>> 9f5f089f4a4b3e270ddb53cb0b689f4c0bad89d7e2ee08a1d4666e7ab869f210  
>> openvpn-2.4.3.tar.xz.asc
>>
>> This is based on the files I've already pushed to the Fedora builder (koji), 
>> which
>> I downloaded soon after the swupdates.openvpn.net server was updated.
> Let's try to attach the _proper_ signature file for v2.4.3.  I managed to
> send the signature for the previous (v2.4.2) release in the previous mail.

Thanks.

My original post was about the .tar.**gz**, but I downloaded (at about
12:45 UCT) both openvpn-2.4.3.tar.xz and openvpn-2.4.3.tar.xz.asc, and
verifying fails. However, verifying the .tar.xz against the .asc in
your email succeeds. So the problems seem to be with the .asc (for the
tar.xz, at least), not with the .tar.gz itself.

And I tried using a VPN : ) to download from London, hoping to get a
different CloudFlare server, but get the same (bad) .tar.gz and/or
.tar.gz.asc as my original downloads.

Should swupdates.openvpn.net be publicly accessible? It doesn't
resolve for me using Google DNS.

Best regards,

Jon



Re: [Openvpn-devel] ***UNCHECKED*** Re: OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread David Sommerseth
On 21/06/17 14:30, David Sommerseth wrote:
> On 21/06/17 13:48, Jonathan K. Bullard wrote:
>> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen  wrote:
>>> The OpenVPN community project team is proud to release OpenVPN 2.4.3. It
>>> can be downloaded from here:
>>>
>>> 
>>
>> Hi. Thanks for this release.
>>
>> Verifying the PGP signature on 2.3.17.tar.gz works fine (so did 2.4.2
>> a few weeks ago), but trying to verify the signature on 2.4.3.tar.gz
>> fails with:
>>
>> $ gpg2 -v --verify /XXX/openvpn-2.4.3.tar.gz.asc
>>
>> gpg: armor header: Version: GnuPG v1
>> gpg: assuming signed data in '/XXX/openvpn-2.4.3.tar.gz'
>> gpg: Signature made Wed Jun 21 06:19:19 2017 EDT
>> gpg:using RSA key D72AF3448CC2B034
>> gpg: using subkey D72AF3448CC2B034 instead of primary key 12F5F7B42F2B01E7
>> gpg: using pgp trust model
>> gpg: BAD signature from "OpenVPN - Security Mailing List
>> " [unknown]
>> gpg: binary signature, digest algorithm SHA1, key algorithm rsa4096
>>
>> The SHA256 of openvpn-2.4.3.tar.gz is
>>  84a01aa3df0c12a3552ca3baaa39d700137b5bce4b6de683fe87fb79bfa5df0b
>>
>> The SHA256 of openvpn-2.4.3.tar.gz.asc is
>>  695afa06fcf94f9e8bd2ee63267332d14e52fe24dd58c470e42dafbea371e437
>>
>> The files were downloaded from
>> https://openvpn.net/index.php/open-source/downloads.html at about
>> 10:24 UCT today from the New York City area.
>>
>> For reference, here is the output from verifying 2.3.17:
>>
>> $ gpg2 -v --verify /Users/jonathanbullard/Desktop/openvpn-2.3.17.tar.gz.asc
>>
>> gpg: armor header: Version: GnuPG v1
>> gpg: assuming signed data in
>> '/Users/jonathanbullard/Desktop/openvpn-2.3.17.tar.gz'
>> gpg: Signature made Wed Jun 21 06:18:55 2017 EDT
>> gpg:using RSA key D72AF3448CC2B034
>> gpg: using subkey D72AF3448CC2B034 instead of primary key 12F5F7B42F2B01E7
>> gpg: using pgp trust model
>> gpg: Good signature from "OpenVPN - Security Mailing List
>> " [unknown]
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg:  There is no indication that the signature belongs to the owner.
>> Primary key fingerprint: F554 A368 7412 CFFE BDEF  E0A3 12F5 F7B4 2F2B 01E7
>>  Subkey fingerprint: B596 06E2 D8C6 E10B 80BE  2B31 D72A F344 8CC2 B034
>> gpg: binary signature, digest algorithm SHA1, key algorithm rsa4096
>>
>> Any ideas or suggestions?
> 
> I believe it is Cloudflare playing tricks on us again.
> 
> Attached are the proper signature files and below a list of the SHA256 
> checksums:
> 
> d300029416b045666f2dc957bdde407ba97894428b5ad8433df789e793ccc1d3  openvpn-2.3.17.tar.xz
> b206065f4a1720c022fde710c0449b5b25e9dda8ca2911a82bacf21b9fcb4e29  openvpn-2.3.17.tar.xz.asc
> 7aa86167a5b8923e54e8795b814ed77288c793671f59fd830d9ab76d4b480571  openvpn-2.4.3.tar.xz
> 9f5f089f4a4b3e270ddb53cb0b689f4c0bad89d7e2ee08a1d4666e7ab869f210  openvpn-2.4.3.tar.xz.asc
> 
> This is based on the files I've already pushed to the Fedora builder (koji),
> which I downloaded soon after the swupdates.openvpn.net server was updated.
Let's try to attach the _proper_ signature file for v2.4.3.  I managed to
send the signature for the previous (v2.4.2) release in the previous mail.

-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc



openvpn-2.4.3.tar.xz.asc
Description: application/pgp-encrypted




Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread David Sommerseth
On 21/06/17 13:48, Jonathan K. Bullard wrote:
> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen  wrote:
>> The OpenVPN community project team is proud to release OpenVPN 2.4.3. It
>> can be downloaded from here:
>>
>> 
> 
> Hi. Thanks for this release.
> 
> Verifying the PGP signature on 2.3.17.tar.gz works fine (so did 2.4.2
> a few weeks ago), but trying to verify the signature on 2.4.3.tar.gz
> fails with:
> 
> $ gpg2 -v --verify /XXX/openvpn-2.4.3.tar.gz.asc
> 
> gpg: armor header: Version: GnuPG v1
> gpg: assuming signed data in '/XXX/openvpn-2.4.3.tar.gz'
> gpg: Signature made Wed Jun 21 06:19:19 2017 EDT
> gpg:using RSA key D72AF3448CC2B034
> gpg: using subkey D72AF3448CC2B034 instead of primary key 12F5F7B42F2B01E7
> gpg: using pgp trust model
> gpg: BAD signature from "OpenVPN - Security Mailing List
> " [unknown]
> gpg: binary signature, digest algorithm SHA1, key algorithm rsa4096
> 
> The SHA256 of openvpn-2.4.3.tar.gz is
>  84a01aa3df0c12a3552ca3baaa39d700137b5bce4b6de683fe87fb79bfa5df0b
> 
> The SHA256 of openvpn-2.4.3.tar.gz.asc is
>  695afa06fcf94f9e8bd2ee63267332d14e52fe24dd58c470e42dafbea371e437
> 
> The files were downloaded from
> https://openvpn.net/index.php/open-source/downloads.html at about
> 10:24 UCT today from the New York City area.
> 
> For reference, here is the output from verifying 2.3.17:
> 
> $ gpg2 -v --verify /Users/jonathanbullard/Desktop/openvpn-2.3.17.tar.gz.asc
> 
> gpg: armor header: Version: GnuPG v1
> gpg: assuming signed data in
> '/Users/jonathanbullard/Desktop/openvpn-2.3.17.tar.gz'
> gpg: Signature made Wed Jun 21 06:18:55 2017 EDT
> gpg:using RSA key D72AF3448CC2B034
> gpg: using subkey D72AF3448CC2B034 instead of primary key 12F5F7B42F2B01E7
> gpg: using pgp trust model
> gpg: Good signature from "OpenVPN - Security Mailing List
> " [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:  There is no indication that the signature belongs to the owner.
> Primary key fingerprint: F554 A368 7412 CFFE BDEF  E0A3 12F5 F7B4 2F2B 01E7
>  Subkey fingerprint: B596 06E2 D8C6 E10B 80BE  2B31 D72A F344 8CC2 B034
> gpg: binary signature, digest algorithm SHA1, key algorithm rsa4096
> 
> Any ideas or suggestions?

I believe it is Cloudflare playing tricks on us again.

Attached are the proper signature files and below a list of the SHA256 
checksums:

d300029416b045666f2dc957bdde407ba97894428b5ad8433df789e793ccc1d3  openvpn-2.3.17.tar.xz
b206065f4a1720c022fde710c0449b5b25e9dda8ca2911a82bacf21b9fcb4e29  openvpn-2.3.17.tar.xz.asc
7aa86167a5b8923e54e8795b814ed77288c793671f59fd830d9ab76d4b480571  openvpn-2.4.3.tar.xz
9f5f089f4a4b3e270ddb53cb0b689f4c0bad89d7e2ee08a1d4666e7ab869f210  openvpn-2.4.3.tar.xz.asc

This is based on the files I've already pushed to the Fedora builder (koji),
which I downloaded soon after the swupdates.openvpn.net server was updated.


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc



openvpn-2.3.17.tar.xz.asc
Description: application/pgp-encrypted


openvpn-2.4.2.tar.xz.asc
Description: application/pgp-encrypted




Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Jonathan K. Bullard
On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen  wrote:
> The OpenVPN community project team is proud to release OpenVPN 2.4.3. It
> can be downloaded from here:
>
> 

Hi. Thanks for this release.

Verifying the PGP signature on 2.3.17.tar.gz works fine (so did 2.4.2
a few weeks ago), but trying to verify the signature on 2.4.3.tar.gz
fails with:

$ gpg2 -v --verify /XXX/openvpn-2.4.3.tar.gz.asc

gpg: armor header: Version: GnuPG v1
gpg: assuming signed data in '/XXX/openvpn-2.4.3.tar.gz'
gpg: Signature made Wed Jun 21 06:19:19 2017 EDT
gpg:using RSA key D72AF3448CC2B034
gpg: using subkey D72AF3448CC2B034 instead of primary key 12F5F7B42F2B01E7
gpg: using pgp trust model
gpg: BAD signature from "OpenVPN - Security Mailing List
" [unknown]
gpg: binary signature, digest algorithm SHA1, key algorithm rsa4096

The SHA256 of openvpn-2.4.3.tar.gz is
 84a01aa3df0c12a3552ca3baaa39d700137b5bce4b6de683fe87fb79bfa5df0b

The SHA256 of openvpn-2.4.3.tar.gz.asc is
 695afa06fcf94f9e8bd2ee63267332d14e52fe24dd58c470e42dafbea371e437

The files were downloaded from
https://openvpn.net/index.php/open-source/downloads.html at about
10:24 UCT today from the New York City area.

For reference, here is the output from verifying 2.3.17:

$ gpg2 -v --verify /Users/jonathanbullard/Desktop/openvpn-2.3.17.tar.gz.asc

gpg: armor header: Version: GnuPG v1
gpg: assuming signed data in
'/Users/jonathanbullard/Desktop/openvpn-2.3.17.tar.gz'
gpg: Signature made Wed Jun 21 06:18:55 2017 EDT
gpg:using RSA key D72AF3448CC2B034
gpg: using subkey D72AF3448CC2B034 instead of primary key 12F5F7B42F2B01E7
gpg: using pgp trust model
gpg: Good signature from "OpenVPN - Security Mailing List
" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to the owner.
Primary key fingerprint: F554 A368 7412 CFFE BDEF  E0A3 12F5 F7B4 2F2B 01E7
 Subkey fingerprint: B596 06E2 D8C6 E10B 80BE  2B31 D72A F344 8CC2 B034
gpg: binary signature, digest algorithm SHA1, key algorithm rsa4096

Any ideas or suggestions?

Thanks,

Jon Bullard



[Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.4.3. It
can be downloaded from here:



OpenVPN v2.4.2 was analyzed closely using a fuzzer by Guido Vranken. In
the process several vulnerabilities were found, some of which are
remotely exploitable in certain circumstances. We recommend that you
upgrade to OpenVPN 2.4.3 or 2.3.17 as soon as possible. More details are
available in our official security announcement:



In addition a number of bugs with no security impact have been fixed.
The one big feature in the 2.4.3 release is support for building with
OpenSSL 1.1.

A summary of all included changes is available here:



A full list of changes is available here:



Compared to OpenVPN 2.3 this is a major update with a large number of
new features, improvements and fixes. Some of the major features are
AEAD (GCM) cipher and Elliptic Curve DH key exchange support, improved
IPv4/IPv6 dual stack support and more seamless connection migration when
the client's IP address changes (Peer-ID). Also, the new --tls-crypt feature
can be used to increase users' connection privacy.

OpenVPN GUI bundled with the Windows installer has a large number of new
features compared to the one bundled with OpenVPN 2.3. One of the major
features is the ability to run OpenVPN GUI without administrator privileges.

For full details, look here:



The new OpenVPN GUI features are documented here:



Please note that OpenVPN 2.4 installers will not work on Windows XP.

For generic help use these support channels:

Official documentation:

Wiki: 
Forums: 
User mailing list: 
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and wiki: 
Developer mailing list: 
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires
Freenode registration)

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




0x40864578.asc
Description: application/pgp-keys




[Openvpn-devel] OpenVPN 2.3.17 released (with security fixes)

2017-06-21 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.3.17.
It can be downloaded from here:



OpenVPN v2.4.2 was analyzed closely using a fuzzer by Guido Vranken. In
the process several vulnerabilities were found, some of which are
remotely exploitable in certain circumstances. Most of these issues also
affect OpenVPN 2.3.16 and earlier. We recommend that you upgrade to
OpenVPN 2.4.3 or 2.3.17 as soon as possible. More details are available
in our official security announcement:



A summary of the changes is available here:



A full list of changes is available here:



For generic help use these support channels:

Official documentation:

Wiki: 
Forums: 
User mailing list: 
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and wiki: 
Developer mailing list: 
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires
Freenode registration)

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


0x40864578.asc
Description: application/pgp-keys




[Openvpn-devel] NTLM.c security fix / CVE-2017-7520

2017-06-21 Thread Gert Doering
Hi,

most patches that went into the tree today came to me by git-send-email,
so I could re-send them to the list after embargo, and message-id:s 
referenced in the code match between mailing list, git tree, and
in-reply-to in the ACK mail.

One patch came as a patch attached to a longer mail that I do not want
to bounce "as is" to the list - so here's the patch that originally came
to me as 

  Message-Id: 


and is referenced as such, plus my ACK-and-merge mail, both as attachments.

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de
From 83694284a1b7918fdf55c2e4ebebce2126bd92fa Mon Sep 17 00:00:00 2001
From: Guido Vranken 
Date: Fri, 19 May 2017 14:04:25 +0200
Subject: [PATCH] Prevent two kinds of stack buffer OOB reads and a crash for
 invalid input data

Signed-off-by: Guido Vranken 
---
 src/openvpn/ntlm.c | 10 --
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c
index 0c43681..bb8679f 100644
--- a/src/openvpn/ntlm.c
+++ b/src/openvpn/ntlm.c
@@ -197,7 +197,7 @@ ntlm_phase_3(const struct http_proxy_info *p, const char 
*phase_2, struct gc_are
  */
 
 char pwbuf[sizeof(p->up.password) * 2]; /* for unicode password */
-char buf2[128]; /* decoded reply from proxy */
+unsigned char buf2[128]; /* decoded reply from proxy */
 unsigned char phase3[464];
 
 char md4_hash[MD4_DIGEST_LENGTH+5];
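Review bot: the switch of buf2 to `unsigned char` carries the signedness half of this fix, but nothing says so: the commit message is a subject line with no body, and the comment on the declaration is unchanged. With plain `char`, a reply byte of 0x80 or above at buf2[0x2c] turns into a negative offset wherever char is signed. A short comment at the declaration, or a sentence in the message naming the two OOB reads, would keep the type from being changed back later.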
@@ -303,7 +303,13 @@ ntlm_phase_3(const struct http_proxy_info *p, const char 
*phase_2, struct gc_are
 tib_len = 96;
 }
 {
-char *tib_ptr = buf2 + buf2[0x2c];   /* Get Target 
Information block pointer */
+char *tib_ptr;
+int tib_pos = buf2[0x2c];
+if (tib_pos + tib_len > sizeof(buf2))
+{
+return NULL;
+}
+tib_ptr = buf2 + tib_pos;   /* Get 
Target Information block pointer */
 memcpy(_blob[0x1c], tib_ptr, tib_len);   /* 
Copy Target Information block into the blob */
 }
 }
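Review bot: tib_ptr is still declared `char *` but is now assigned `buf2 + tib_pos`, and buf2 became `unsigned char[]` in the first hunk, so the assignment mixes pointer signedness and will warn under -Wpointer-sign; declare it `const unsigned char *`, since memcpy() takes it either way. On the new check itself: `tib_pos + tib_len > sizeof(buf2)` compares a signed sum against a size_t, which holds only while tib_len is non-negative, and the bound is the capacity of buf2 rather than the number of bytes actually decoded from the proxy reply, so unless buf2 is zeroed beforehand a short reply can still have stale stack bytes copied into the blob. The `return NULL` path is also silent; a msg() there would help when diagnosing a misbehaving proxy.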
-- 
2.1.4

From: Gert Doering 
To: Guido Vranken 
Cc: openvpn-devel@lists.sourceforge.net
Subject: [PATCH applied] Re: Prevent two kinds of stack buffer OOB reads and a 
crash for invalid input data
In-Reply-To: 

References: 

ACK.

Your patch has been applied to the master, release/2.4, 2.3 and 2.2 branch.

commit 7718c8984f04b507c1885f363970e2124e3c6c77 (master)
commit 043fe327878eba75efa13794c9845f85c3c629f2 (release/2.4)
commit f38a4a105979b87ebebe9be1c3d323116d3fb924 (release/2.3)
commit 4bec9d25d519a56bc40458e947d3dfa964b82b13 (release/2.2)
Author: Guido Vranken
Date:   Fri May 19 14:04:25 2017 +0200

 Prevent two kinds of stack buffer OOB reads and a crash for invalid input 
data

 CVE: 2017-7520
 Signed-off-by: Guido Vranken 
 Acked-by: Gert Doering 
 Message-Id: 

 URL: 
https://www.mail-archive.com/search?l=mid=CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=c62dzaxn32w...@mail.gmail.com
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering





[Openvpn-devel] [PATCH] openssl and mbedtls x509 fixes (CVE-2017-7521 & -7522)

2017-06-21 Thread Steffan Karger
Hi,

This patch set contains the five commits that fix the X509 issues found
by Guido in both our mbedtls and openssl code.  It is based on the
current master branch.

Compared to the previously sent patches, patch 4/5 ('Restrict
--x509-alt-username extension types') was changed to include more
user-friendly error reporting, and fix a typo in the man page.  The
other patches have only slightly tweaked commit messages and Changes.rst
entries, mostly just mentioning the CVE ID.

-Steffan





[Openvpn-devel] [PATCH 1/5] mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522)

2017-06-21 Thread Steffan Karger
asn1_buf_to_c_string() returned a literal string if the input ASN.1 string
contained a NUL character, while the caller expects a mutable string.
The caller will attempt to change this string, which allows a client to
crash a server by sending a certificate with an embedded NUL character.

(The other way around is not interesting, as servers are allowed to stop
a client by design.)

Impact analysis:
 * applies to mbedtls builds only
 * introduced in 2.4 (so 2.3 is not affected)
 * can only be exploited if the --x509-track option is used
 * requires the CA to sign a certificate with an embedded NUL in the
   certificate subject

This bug was discovered and reported to the OpenVPN security team by
Guido Vranken.

Signed-off-by: Steffan Karger 
---
 Changes.rst  | 8 
 src/openvpn/ssl_verify_mbedtls.c | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/Changes.rst b/Changes.rst
index 94cba07..f1aed2d 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -306,6 +306,14 @@ Maintainer-visible changes
 Version 2.4.3
 =
 
+Security
+
+- CVE-2017-7522: Fix --x509-track post-authentication remote DoS
+  A client could crash a 2.4+ mbedtls server, if that server uses the
+  --x509-track option and the client has a correct, signed and unrevoked
+  certificate that contains an embedded NUL in the certificate subject.
+  Discovered and reported to the OpenVPN security team by Guido Vranken.
+
 User-visible Changes
 
 - ``--verify-hash`` can now take an optional flag which changes the hashing
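Review bot: the new entry writes --x509-track as bare text, while the neighbouring entry in the context uses double backticks (``--verify-hash``); use ``--x509-track`` so the option renders consistently. The first line of the bullet also runs straight into the description with no full stop, so the two read as one sentence once rendered.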
diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c
index 2b7056c..d3b36dc 100644
--- a/src/openvpn/ssl_verify_mbedtls.c
+++ b/src/openvpn/ssl_verify_mbedtls.c
@@ -271,7 +271,7 @@ asn1_buf_to_c_string(const mbedtls_asn1_buf *orig, struct 
gc_arena *gc)
 {
 if (orig->p[i] == '\0')
 {
-return "ERROR: embedded null value";
+return string_alloc("ERROR: embedded null value", gc);
 }
 }
 val = gc_malloc(orig->len+1, false, gc);
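Review bot: returning string_alloc("ERROR: embedded null value", gc) removes the write to a string literal, but the failure is still reported in-band: the caller receives an ordinary string and cannot tell it apart from a certificate field whose value really is that text. Consider returning NULL (or a status) and letting the caller skip the field. A one-line comment that the result must be gc-allocated because callers modify it would also stop the literal from creeping back in.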
-- 
2.7.4





[Openvpn-devel] [PATCH 4/5] Restrict --x509-alt-username extension types

2017-06-21 Thread Steffan Karger
The code never supported all extension types.  Make this explicit by only
allowing subjectAltName and issuerAltName (for which the current code does
work).

Using unsupported extension fields would most likely cause OpenVPN to crash
as soon as a client connects.  This does not have a real-world security
impact, as such a configuration would not be possible to use in practice.

This bug was discovered, analysed and reported to the OpenVPN team by
Guido Vranken.

Signed-off-by: Steffan Karger 
---
 Changes.rst  |  3 +++
 doc/openvpn.8|  2 ++
 src/openvpn/options.c|  4 
 src/openvpn/ssl_verify_backend.h |  8 
 src/openvpn/ssl_verify_openssl.c | 19 ---
 5 files changed, 33 insertions(+), 3 deletions(-)

diff --git a/Changes.rst b/Changes.rst
index 89cfae8..6fa1c0c 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -324,6 +324,9 @@ User-visible Changes
 - ``--verify-hash`` can now take an optional flag which changes the hashing
   algorithm. It can be either SHA1 or SHA256.  The default if not provided is
   SHA1 to preserve backwards compatibility with existing configurations.
+- Restrict the supported --x509-alt-username extension fields to subjectAltName
+  and issuerAltName.  Other extensions probably didn't work anyway, and would
+  cause OpenVPN to crash when a client connects.
 
 Bugfixes
 
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 3f183e6..20bdd91 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -5307,6 +5307,8 @@ option will match against the chosen
 .B fieldname
 instead of the Common Name.
 
+Only the subjectAltName and issuerAltName X.509 extensions are supported.
+
 .B Please note:
 This option has a feature which will convert an all-lowercase
 .B fieldname
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 76a8550..505c5b2 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -8083,6 +8083,10 @@ add_option(struct options *options,
 "configuration", p[1]);
 }
 }
+else if (!x509_username_field_ext_supported(s+4))
+{
+msg(msglevel, "Unsupported x509-username-field extension: %s", s);
+}
 options->x509_username_field = p[1];
 }
 #endif /* ENABLE_X509ALTUSERNAME */
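Review bot: after the new msg(msglevel, "Unsupported x509-username-field extension: %s", s) control falls through to `options->x509_username_field = p[1];`, so unless msglevel is fatal at this point the unsupported field is still stored and the rejection is left to the runtime check in extract_x509_extension(). An explicit bail-out after the message would make the parser's intent clear. The `s+4` also relies on s being known to start with "ext:" here, which the visible context does not show; a comment or a named prefix length would help.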
diff --git a/src/openvpn/ssl_verify_backend.h b/src/openvpn/ssl_verify_backend.h
index 978e54f..e8eaabe 100644
--- a/src/openvpn/ssl_verify_backend.h
+++ b/src/openvpn/ssl_verify_backend.h
@@ -124,6 +124,14 @@ struct buffer 
x509_get_sha256_fingerprint(openvpn_x509_cert_t *cert,
 result_t backend_x509_get_username(char *common_name, int cn_len,
char *x509_username_field, 
openvpn_x509_cert_t *peer_cert);
 
+#ifdef ENABLE_X509ALTUSERNAME
+/**
+ * Return true iff the supplied extension field is supported by the
+ * --x509-username-field option.
+ */
+bool x509_username_field_ext_supported(const char *extname);
+#endif
+
 /*
  * Return the certificate's serial number in decimal string representation.
  *
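Review bot: the prototype goes into the backend-neutral header and is called from options.c, but the diffstat touches only ssl_verify_openssl.c, so a build with the other crypto backend and ENABLE_X509ALTUSERNAME defined would fail to link. Either add an implementation there or state in the comment that the option is OpenSSL-only. Minor: the parameter is named extname here and fieldname in the definition, and the comment says --x509-username-field while Changes.rst and the patch subject say --x509-alt-username.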
diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index 7c1a481..08451f2 100644
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -113,16 +113,29 @@ cleanup:
 }
 
 #ifdef ENABLE_X509ALTUSERNAME
+bool x509_username_field_ext_supported(const char *fieldname)
+{
+int nid = OBJ_txt2nid(fieldname);
+return nid == NID_subject_alt_name || nid == NID_issuer_alt_name;
+}
+
 static
 bool
 extract_x509_extension(X509 *cert, char *fieldname, char *out, int size)
 {
 bool retval = false;
 char *buf = 0;
-GENERAL_NAMES *extensions;
-int nid = OBJ_txt2nid(fieldname);
 
-extensions = (GENERAL_NAMES *)X509_get_ext_d2i(cert, nid, NULL, NULL);
+if (!x509_username_field_ext_supported(fieldname))
+{
+msg(D_TLS_ERRORS,
+"ERROR: --x509-alt-username field 'ext:%s' not supported",
+fieldname);
+return false;
+}
+
+int nid = OBJ_txt2nid(fieldname);
+GENERAL_NAMES *extensions = X509_get_ext_d2i(cert, nid, NULL, NULL);
 if (extensions)
 {
 int numalts;
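Review bot: OBJ_txt2nid(fieldname) is now evaluated twice, once inside x509_username_field_ext_supported() and again for `int nid` right after the check; computing nid once and comparing it against the two NIDs avoids the duplicate lookup and keeps the check and the use from drifting apart. Style: the new `int nid` and `GENERAL_NAMES *extensions` declarations follow a statement, unlike retval and buf at the top of the function, and the new function puts its return type on the same line as its name where extract_x509_extension() just below uses a separate line.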
-- 
2.7.4





[Openvpn-devel] [PATCH 2/5] mbedtls: require C-string compatible types for --x509-username-field

2017-06-21 Thread Steffan Karger
In the --x509-username-field extension, we handle the subject string as
if it is a C string.  Make this assumption explicit and reject incompatible
ASN.1 string types.

Signed-off-by: Steffan Karger 
---
 src/openvpn/ssl_verify_mbedtls.c | 8 
 1 file changed, 8 insertions(+)

diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c
index d3b36dc..838c217 100644
--- a/src/openvpn/ssl_verify_mbedtls.c
+++ b/src/openvpn/ssl_verify_mbedtls.c
@@ -267,6 +267,14 @@ asn1_buf_to_c_string(const mbedtls_asn1_buf *orig, struct 
gc_arena *gc)
 size_t i;
 char *val;
 
+if (!(orig->tag == MBEDTLS_ASN1_UTF8_STRING
+  || orig->tag == MBEDTLS_ASN1_PRINTABLE_STRING
+  || orig->tag == MBEDTLS_ASN1_IA5_STRING))
+{
+/* Only support C-string compatible types */
+return string_alloc("ERROR: unsupported ASN.1 string type", gc);
+}
+
 for (i = 0; i < orig->len; ++i)
 {
 if (orig->p[i] == '\0')
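Review bot: this changes what users see for certificates whose field uses any other ASN.1 string type (the caller now gets "ERROR: unsupported ASN.1 string type" as the value), yet the patch touches one file and adds no Changes.rst entry, unlike the other patches in the series. Add an entry, and a msg() at the rejection that prints orig->tag so an operator can see which type was refused. The negated three-way OR would also read more easily as a small helper with a name.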
-- 
2.7.4
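
Patches 1/5 and 2/5 above both harden the conversion of an ASN.1 string to a C string. The following is an added example, not OpenVPN code: a stand-alone model of that conversion which reports failure out of band and always hands the caller writable heap memory. The struct, function names and sample values are hypothetical and constructed for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Universal ASN.1 tag numbers (X.680). */
#define TAG_UTF8_STRING      0x0C
#define TAG_PRINTABLE_STRING 0x13
#define TAG_IA5_STRING       0x16
#define TAG_BMP_STRING       0x1E   /* two bytes per character, not a C string */

/* Hypothetical stand-in for the TLS library's ASN.1 buffer type. */
struct asn1_value {
    int tag;
    size_t len;
    const unsigned char *p;
};

enum conv_status { CONV_OK, CONV_BAD_TYPE, CONV_EMBEDDED_NUL, CONV_NO_MEMORY };

/* On CONV_OK, *out is a heap copy the caller may modify and must free().
 * On any error *out is NULL, so no literal or shared storage escapes. */
enum conv_status asn1_to_cstring(const struct asn1_value *v, char **out)
{
    *out = NULL;
    if (v->tag != TAG_UTF8_STRING && v->tag != TAG_PRINTABLE_STRING
        && v->tag != TAG_IA5_STRING)
    {
        return CONV_BAD_TYPE;
    }
    if (v->len > 0 && memchr(v->p, '\0', v->len) != NULL)
    {
        return CONV_EMBEDDED_NUL;   /* "alice\0.evil" must not become "alice" */
    }
    if (v->len == SIZE_MAX)
    {
        return CONV_NO_MEMORY;      /* len + 1 would wrap to 0 */
    }
    char *s = malloc(v->len + 1);
    if (s == NULL)
    {
        return CONV_NO_MEMORY;
    }
    if (v->len > 0)
    {
        memcpy(s, v->p, v->len);
    }
    s[v->len] = '\0';
    *out = s;
    return CONV_OK;
}

/* A caller that edits the string in place, the situation in which a returned
 * literal crashes: replace characters outside [A-Za-z0-9._@-] with '_'. */
size_t sanitize_in_place(char *s)
{
    size_t changed = 0;
    for (; *s != '\0'; s++)
    {
        if (!(isalnum((unsigned char)*s) || strchr("._@-", *s) != NULL))
        {
            *s = '_';
            changed++;
        }
    }
    return changed;
}

/* Convert, sanitize and copy into dst; dst is left empty on any error. */
enum conv_status export_field(const struct asn1_value *v, char *dst, size_t dstlen)
{
    char *s;
    enum conv_status st = asn1_to_cstring(v, &s);
    if (dstlen > 0)
    {
        dst[0] = '\0';
    }
    if (st != CONV_OK)
    {
        return st;
    }
    sanitize_in_place(s);
    if (dstlen > 0)
    {
        strncpy(dst, s, dstlen - 1);
        dst[dstlen - 1] = '\0';
    }
    free(s);
    return CONV_OK;
}

int main(void)
{
    char out[32];
    /* Constructed sample: a subject field with an embedded NUL. */
    struct asn1_value nul = { TAG_PRINTABLE_STRING, 11,
                              (const unsigned char *)"alice\0.evil" };
    printf("status=%d out='%s'\n", export_field(&nul, out, sizeof(out)), out);
    return 0;
}
```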





[Openvpn-devel] [PATCH 5/5] Fix potential double-free in --x509-alt-username (CVE-2017-7521)

2017-06-21 Thread Steffan Karger
We didn't check the return value of ASN1_STRING_to_UTF8() in
extract_x509_extension().  Ignoring such a failure could result in buf
being free'd twice.  An error in ASN1_STRING_to_UTF8() can be caused
remotely if the peer can make the local process run out of memory.

The problem can only be triggered for configurations that use the
--x509-alt-username option with an x509 extension (i.e. the option
parameter starts with "ext:").

This issue was discovered, analysed and reported to the OpenVPN team by
Guido Vranken.

Extensive testing by Guido Vranken gives confidence that this function
is very unlikely to fail in real-world usage (using subjectAltName or
issuerAltName extensions) for other reasons than memory exhaustion.

Signed-off-by: Steffan Karger 
---
 Changes.rst  | 7 +++
 src/openvpn/ssl_verify_openssl.c | 5 -
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/Changes.rst b/Changes.rst
index 6fa1c0c..726e591 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -318,6 +318,13 @@ Security
   server.  That can eventuall cause the server to run out of memory, and 
thereby
   causing the server process to terminate. Discovered and reported to the
   OpenVPN security team by Guido Vranken.  (OpenSSL builds only.)
+- CVE-2017-7521: Fix a potential post-authentication remote code execution
+  attack on servers that use the ``--x509-alt-username`` option with an X.509
+  extension field (option argument prefixed with ``ext:``).  A client that can
+  cause a server to run out-of-memory (see above) might be able to cause the
+  server to double free, which in turn might lead to remote code execution.
+  Discovered and reported to the OpenVPN security team by Guido Vranken.
+  (OpenSSL builds only.)
 
 User-visible Changes
 
diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index 08451f2..f9e889f 100644
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -156,7 +156,10 @@ extract_x509_extension(X509 *cert, char *fieldname, char 
*out, int size)
 switch (name->type)
 {
 case GEN_EMAIL:
-ASN1_STRING_to_UTF8((unsigned char **), name->d.ia5);
+if (ASN1_STRING_to_UTF8((unsigned char **), 
name->d.ia5) < 0)
+{
+continue;
+}
 if (strlen(buf) != name->d.ia5->length)
 {
 msg(D_TLS_ERRORS, "ASN1 ERROR: string contained 
terminating zero");
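Review bot: the `continue` on failure sits inside the switch and so jumps to the next iteration of the enclosing loop rather than leaving the switch; that is the intent, but it deserves a comment because a reader will expect `break` there. Since the commit message attributes the double free to buf keeping its previous value when ASN1_STRING_to_UTF8() fails, also setting buf to NULL wherever it is freed would keep the function safe even if a later call site forgets the return-value check. The following `strlen(buf) != name->d.ia5->length` still compares a size_t with an int.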
-- 
2.7.4





[Openvpn-devel] [PATCH 3/5] Fix remote-triggerable memory leaks (CVE-2017-7521)

2017-06-21 Thread Steffan Karger
Several of our OpenSSL-specific certificate-parsing code paths did not
always clear all allocated memory.  Since a client can cause a few bytes
of memory to be leaked for each connection attempt, a client can cause a
server to run out of memory and thereby kill the server.  That makes this
a (quite inefficient) DoS attack.

When using the --x509-alt-username option on openssl builds with an
extension (argument prefixed with "ext:", e.g. "ext:subjectAltName"), the
code would not free all allocated memory.  Fix this by using the proper
free function.

If ASN1_STRING_to_UTF8() returns 0, it didn't fail and *did* allocate
memory.  So also free the returned buffer if it returns 0.

These issues were found, analysed and reported to the OpenVPN team by Guido
Vranken.

Signed-off-by: Steffan Karger 
---
 Changes.rst  | 5 +
 src/openvpn/ssl_verify_openssl.c | 9 -
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/Changes.rst b/Changes.rst
index f1aed2d..89cfae8 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -313,6 +313,11 @@ Security
   --x509-track option and the client has a correct, signed and unrevoked
   certificate that contains an embedded NUL in the certificate subject.
   Discovered and reported to the OpenVPN security team by Guido Vranken.
+- CVE-2017-7521: Fix post-authentication remote-triggerable memory leaks
+  A client could cause a server to leak a few bytes each time it connects to 
the
+  server.  That can eventuall cause the server to run out of memory, and 
thereby
+  causing the server process to terminate. Discovered and reported to the
+  OpenVPN security team by Guido Vranken.  (OpenSSL builds only.)
 
 User-visible Changes
 
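Review bot: two wording slips in the added entry: "eventuall" should be "eventually", and "and thereby causing the server process to terminate" should read "and thereby cause the server process to terminate". The commit message ties one of the leaks to --x509-alt-username with an "ext:" argument; repeating that condition in the entry would tell operators whether they are exposed.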
diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index 31c1638..7c1a481 100644
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -163,7 +163,7 @@ extract_x509_extension(X509 *cert, char *fieldname, char 
*out, int size)
 break;
 }
 }
-sk_GENERAL_NAME_free(extensions);
+GENERAL_NAMES_free(extensions);
 }
 return retval;
 }
@@ -225,8 +225,7 @@ extract_x509_field_ssl(X509_NAME *x509, const char 
*field_name, char *out,
 {
 return FAILURE;
 }
-tmp = ASN1_STRING_to_UTF8(, asn1);
-if (tmp <= 0)
+if (ASN1_STRING_to_UTF8(, asn1) < 0)
 {
 return FAILURE;
 }
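Review bot: with the `tmp = ASN1_STRING_to_UTF8(...)` assignment gone, check what happens to tmp further down: if it is still read it is now uninitialised, and if it is not, its declaration should go in this patch to avoid an unused-variable warning. The move from `<= 0` to `< 0` also lets a zero-length result reach the code below, so confirm that path frees the buffer, as the commit message requires.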
@@ -466,7 +465,7 @@ x509_setenv_track(const struct x509_track *xt, struct 
env_set *es, const int dep
 {
 ASN1_STRING *val = X509_NAME_ENTRY_get_data(ent);
 unsigned char *buf = NULL;
-if (ASN1_STRING_to_UTF8(, val) > 0)
+if (ASN1_STRING_to_UTF8(, val) >= 0)
 {
 do_setenv_x509(es, xt->name, (char *)buf, 
depth);
 OPENSSL_free(buf);
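Review bot: with `>= 0`, do_setenv_x509() is now called for a zero-length value, which closes the leak but also starts exporting empty variables. If that side effect is not wanted, keep the `> 0` test around the setenv call and move OPENSSL_free(buf) out of the conditional; buf is initialised to NULL just above, so freeing it unconditionally is safe.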
@@ -553,7 +552,7 @@ x509_setenv(struct env_set *es, int cert_depth, 
openvpn_x509_cert_t *peer_cert)
 {
 continue;
 }
-if (ASN1_STRING_to_UTF8(, val) <= 0)
+if (ASN1_STRING_to_UTF8(, val) < 0)
 {
 continue;
 }
-- 
2.7.4





[Openvpn-devel] [PATCH applied] Re: Fix remotely-triggerable ASSERT() on malformed IPv6 packet.

2017-06-21 Thread Gert Doering
Patch has been applied to the master, release/2.4 and release/2.3 branch.

commit c3f47077a7756de5929094569421a95aa66f2022 (master)
commit ed28cde3d8bf3f1459b2f42f0e27d64801009f92 (release/2.4)
commit fc61d1bda112ffc669dbde961fab19f60b3c7439 (release/2.3)
Author: Gert Doering
Date:   Tue Jun 13 22:08:32 2017 +0200

 Fix remotely-triggerable ASSERT() on malformed IPv6 packet.

 Signed-off-by: Gert Doering 
 Acked-by: Steffan Karger 
 Message-Id: <20170613200832.15027-1-g...@greenie.muc.de>
 URL: 
https://www.mail-archive.com/search?l=mid=20170613200832.15027-1-g...@greenie.muc.de
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




[Openvpn-devel] [PATCH v2] Fix remotely-triggerable ASSERT() on malformed IPv6 packet.

2017-06-21 Thread Gert Doering
Correct sanity checks on IPv6 packet length in mss_fixup_ipv6(),
and change the ASSERT() check in mss_fixup_dowork() into a simple
"return" (= the TCP header will simply not be inspected further).

CVE-2017-7508 has been assigned due to the serious nature of the
bug: it can be used to remotely shut down an openvpn server or
client, if IPv6 and --mssfix are enabled and the IPv6 networks used
inside the VPN are known.

Found by Guido Vranken .

v2: style changes

Signed-off-by: Gert Doering 
---
 src/openvpn/mss.c | 11 +--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/mss.c b/src/openvpn/mss.c
index 51e1ae0..e451350 100644
--- a/src/openvpn/mss.c
+++ b/src/openvpn/mss.c
@@ -120,8 +120,12 @@ mss_fixup_ipv6(struct buffer *buf, int maxmss)
 return;
 }
 
+/* skip IPv6 header (40 bytes),
+ * verify remainder is large enough to contain a full TCP header
+ */
 newbuf = *buf;
-if (buf_advance( , 40 ) )
+if (buf_advance( , 40 )
+&& BLEN() >= (int) sizeof(struct openvpn_tcphdr))
 {
 struct openvpn_tcphdr *tc = (struct openvpn_tcphdr *) BPTR();
 if (tc->flags & OPENVPN_TCPH_SYN_MASK)
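Review bot: In mss_fixup_ipv6(), the added comment promises "a full TCP header", but the new BLEN() >= (int) sizeof(struct openvpn_tcphdr) condition only covers the fixed-size struct, not any TCP options that may follow it. I would word the comment as "the fixed TCP header" so nobody reads it as covering the option area. The literal 40 now appears in both the comment and the buf_advance() call; a named constant or a sizeof on the IPv6 header struct would keep the two from drifting apart.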
@@ -145,7 +149,10 @@ mss_fixup_dowork(struct buffer *buf, uint16_t maxmss)
 int accumulate;
 struct openvpn_tcphdr *tc;
 
-ASSERT(BLEN(buf) >= (int) sizeof(struct openvpn_tcphdr));
+if (BLEN(buf) < (int) sizeof(struct openvpn_tcphdr))
+{
+   return;
+}
 
 verify_align_4(buf);
 tc = (struct openvpn_tcphdr *) BPTR(buf);
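Review bot: The new early return at the top of mss_fixup_dowork() carries no comment, so the reason a short buffer is skipped silently instead of asserted on lives only in the commit message. A one-line comment above the if, saying that the length is controlled by the peer's packet and that a truncated TCP header is simply left uninspected, would record that in the code. Since mss_fixup_ipv6() now performs the same sizeof(struct openvpn_tcphdr) comparison, it is also worth stating whether this check is the authoritative one or a backstop.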
-- 
2.10.2





[Openvpn-devel] [PATCH applied] Re: Fix potential double-free in --x509-alt-username (CVE-2017-7521)

2017-06-21 Thread Gert Doering
Your patch has been applied to the master, release/2.4 and release/2.3 branch.

commit cb4e35ece4a5b70b10ef9013be3bff263d82f32b (master)
commit 040084067119dd5a9e15eb3bcfc0079debaa3777 (release/2.4)
commit 1dde0cd6e5e6a0f2f45ec9969b7ff1b6537514ad (release/2.3)
Author: Steffan Karger
Date:   Mon Jun 19 11:28:40 2017 +0200

 Fix potential double-free in --x509-alt-username (CVE-2017-7521)

 Signed-off-by: Steffan Karger 
 Acked-by: Gert Doering 
 Acked-by: David Sommerseth 
 Acked-by: Guido Vranken 
 Message-Id: <1497864520-12219-6-git-send-email-steffan.kar...@fox-it.com>
 URL: https://www.mail-archive.com/search?l=mid=1497864520-12219-6-git-send-email-steffan.kar...@fox-it.com
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




[Openvpn-devel] [PATCH applied] Re: Restrict --x509-alt-username extension types

2017-06-21 Thread Gert Doering
Your patch has been applied to the master, release/2.4 and release/2.3 branch.

commit d2a19185fd78030ce4a1bba6c9f83e0dac9e15a6 (master)
commit b72472baa5f228acf211542a7511f6960479f4c8 (release/2.4)
commit a6dbec1cb481d6f0237372a7dec059f1c572b7b7 (release/2.3)
Author: Steffan Karger
Date:   Mon Jun 19 11:28:39 2017 +0200

 Restrict --x509-alt-username extension types

 Signed-off-by: Steffan Karger 
 Acked-by: Gert Doering 
 Acked-by: David Sommerseth 
 Acked-by: Guido Vranken 
 Message-Id: <1497864520-12219-5-git-send-email-steffan.kar...@fox-it.com>
 URL: https://www.mail-archive.com/search?l=mid=1497864520-12219-5-git-send-email-steffan.kar...@fox-it.com
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




[Openvpn-devel] [PATCH applied] Re: Fix remote-triggerable memory leaks (CVE-2017-7521)

2017-06-21 Thread Gert Doering
Your patch has been applied to the master, release/2.4 and release/2.3 branch.

commit 2d032c7fcdfd692c851ea2fa858b4c2d9ea7d52d (master)
commit 2341f716198fa90193e040b3fdb16959a47c6c27 (release/2.4)
commit 84e1775961de1c9d2ab32159fc03f758591f5238 (release/2.3)
Author: Steffan Karger
Date:   Mon Jun 19 11:28:38 2017 +0200

 Fix remote-triggerable memory leaks (CVE-2017-7521)

 Signed-off-by: Steffan Karger 
 Acked-by: Gert Doering 
 Acked-by: David Sommerseth 
 Acked-by: Guido Vranken 
 Message-Id: <1497864520-12219-4-git-send-email-steffan.kar...@fox-it.com>
 URL: https://www.mail-archive.com/search?l=mid=1497864520-12219-4-git-send-email-steffan.kar...@fox-it.com
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




[Openvpn-devel] [PATCH applied] Re: mbedtls: require C-string compatible types for --x509-username-field

2017-06-21 Thread Gert Doering
Your patch has been applied to the master and release/2.4 branch.

commit 0007b2dbd12a83be3e4aeabc20550a5e16faf214 (master)
commit 20f1a472031f0e8ad207ed96acc46ddf51616b5e (release/2.4)
Author: Steffan Karger
Date:   Mon Jun 19 11:28:37 2017 +0200

 mbedtls: require C-string compatible types for --x509-username-field

 Signed-off-by: Steffan Karger 
 Acked-by: Gert Doering 
 Message-Id: <1497864520-12219-3-git-send-email-steffan.kar...@fox-it.com>
 URL: https://www.mail-archive.com/search?l=mid=1497864520-12219-3-git-send-email-steffan.kar...@fox-it.com
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




[Openvpn-devel] [PATCH applied] Re: mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522)

2017-06-21 Thread Gert Doering
Your patch has been applied to the master and release/2.4 branch.

commit 426392940c7060300a10077c389f5156c790c2f6 (master)
commit 67edada0beaf5ce6e47f13526b9f678dad4fc126 (release/2.4)
Author: Steffan Karger
Date:   Mon Jun 19 11:28:36 2017 +0200

 mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522)

 Signed-off-by: Steffan Karger 
 Acked-by: Gert Doering 
 Message-Id: <1497864520-12219-2-git-send-email-steffan.kar...@fox-it.com>
 URL: https://www.mail-archive.com/search?l=mid=1497864520-12219-2-git-send-email-steffan.kar...@fox-it.com
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering

