[Openvpn-devel] [PATCH applied] Re: Remove unused havege.h header
Acked-by: Gert Doering That seems to be an easy one - all definitions in that file have "havege" in their name, and "git grep havege" does not show any uses of them. Out it goes! Your patch has been applied to the master branch. commit d6d4feb4ddd0f23c3816878ff88b49b37379e31b Author: Max Fillinger Date: Sun Nov 7 17:05:08 2021 +0100 Remove unused havege.h header Signed-off-by: Max Fillinger Acked-by: Gert Doering Message-Id: <20211107160508.3935-1-maximilian.fillin...@foxcrypto.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23126.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Refactor early initialisation and uninitialisation into methods
Took us long enough for such a "simple" refactoring task... pesky language, this "C" stuff :-) Thanks, Antonio, for verifying the sitnl stuff. (GCC on Linux actually found and errored on the v4 bit with the missing "&", I just did not look at the compile result because I saw the mismatch in the diff earlier... now, no more warnings, and success on Linux/sitnl with the v5 patch) Your patch has been applied to the master branch. commit 97056dbf936b01b367a66ea78cca3dadc41bdf64 Author: Arne Schwabe Date: Sat Nov 6 19:00:55 2021 +0100 Refactor early initialisation and uninitialisation into methods Signed-off-by: Arne Schwabe Acked-by: Antonio Quartulli Message-Id: <20211106180055.3073072-1-a...@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23110.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Completely remove DES checks
Patch looks good, explanation makes sense, logical continuation of the process started with the "removal for 3.0.0". All DES keys are weak :-) Lightly tested with OpenSSL 1.1.1 and mbedTLS builds (no actual *use* of DES, though, besides "make check"). Your patch has been applied to the master branch. commit 1325cf1198f78ccd8ab74394bb2e9b13f410ef20 Author: Arne Schwabe Date: Sun Nov 7 10:01:38 2021 +0100 Completely remove DES checks Signed-off-by: Arne Schwabe Acked-by: Max Fillinger Message-Id: <20211107090138.3150187-1-a...@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23115.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Remove custom PRNG function
Applied as instructed (textual change to Changes.rst, whitespace fix). This is a surprisingly large patch :-) Lightly tested on Linux / OpenSSL. Your patch has been applied to the master branch. commit a2f6604d55ea34c33668cab632928a2da2ae11f1 Author: Arne Schwabe Date: Sun Nov 7 10:01:47 2021 +0100 Remove custom PRNG function Signed-off-by: Arne Schwabe Acked-by: Steffan Karger Message-Id: <20211107090147.3150261-1-a...@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23116.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] README.down-root: Fix plugin module name
From: Ville Skyttä The module name is openvpn-plugin-down-root.so, not openvpn-down-root.so. Signed-off-by: Frank Lichtenheld --- src/plugins/down-root/README.down-root | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) As part of an initative to clean up the Github PR submissions, submitting this patch to the mailing list for inclusion. Looks obviously correct to me. PR: https://github.com/OpenVPN/openvpn/pull/98 diff --git a/src/plugins/down-root/README.down-root b/src/plugins/down-root/README.down-root index d337ffe9..98a3ee63 100644 --- a/src/plugins/down-root/README.down-root +++ b/src/plugins/down-root/README.down-root @@ -16,13 +16,13 @@ run in the same execution environment as the up script. BUILD Build this module with the "make" command. The plugin -module will be named openvpn-down-root.so +module will be named openvpn-plugin-down-root.so USAGE To use this module, add to your OpenVPN config file: - plugin openvpn-down-root.so "command ..." + plugin openvpn-plugin-down-root.so "command ..." CAVEATS -- 2.30.2 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] Updated URLs in README
From: Peppernrino Updated to current links, and added SSL to all. Changed tap-windows to reflect NDIS 6 repository shift. Signed-off-by: Frank Lichtenheld --- README | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) As part of an initative to clean up the Github PR submissions, submitting this patch to the mailing list for inclusion. I know David didn't like the manual URL but it is still better than the current one that goes to a completely wrong document. PR: https://github.com/OpenVPN/openvpn/pull/114 diff --git a/README b/README index b75a568e..2a953be7 100644 --- a/README +++ b/README @@ -9,7 +9,7 @@ as published by the Free Software Foundation. To get the latest release of OpenVPN, go to: - https://openvpn.net/index.php/download/community-downloads.html + https://openvpn.net/community-downloads/ To Build and Install, @@ -24,10 +24,10 @@ or see the file INSTALL for more info. * For detailed information on OpenVPN, including examples, see the man page - http://openvpn.net/man.html + https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/ For a sample VPN configuration, see - http://openvpn.net/howto.html + https://openvpn.net/community-resources/how-to/ To report an issue, see https://community.openvpn.net/openvpn/report @@ -56,15 +56,15 @@ Other Files & Directories: * sample/sample-config-files/ A collection of OpenVPN config files and scripts from - the HOWTO at http://openvpn.net/howto.html + the HOWTO at https://openvpn.net/community-resources/how-to/ * -Note that easy-rsa and tap-windows are now maintained in their own subprojects. +Note that easy-rsa and tap-windows6 are now maintained in their own subprojects. Their source code is available here: https://github.com/OpenVPN/easy-rsa - https://github.com/OpenVPN/tap-windows + https://github.com/OpenVPN/tap-windows6 The old cross-compilation environment (domake-win) and the Python-based buildsystem have been replaced with openvpn-build: -- 2.30.2 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] Fix error in example firewall.sh script
From: Adrian The man page says: [!] -s, --source address[/mask][,...] Signed-off-by: Frank Lichtenheld --- sample/sample-config-files/firewall.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) As part of an initative to clean up the Github PR submissions, submitting this patch to the mailing list for inclusion. Looks obviously correct to me. diff --git a/sample/sample-config-files/firewall.sh b/sample/sample-config-files/firewall.sh index 19d75ee9..456700ca 100755 --- a/sample/sample-config-files/firewall.sh +++ b/sample/sample-config-files/firewall.sh @@ -50,7 +50,7 @@ iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP # Check source address validity on packets going out to internet -iptables -A FORWARD -s ! $PRIVATE -i eth1 -j DROP +iptables -A FORWARD ! -s $PRIVATE -i eth1 -j DROP # Allow local loopback iptables -A INPUT -s $LOOP -j ACCEPT -- 2.30.2 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v5] Refactor early initialisation and uninitialisation into methods
Hi, On 06/11/2021 19:00, Arne Schwabe wrote: This put the early initialisation and uninitialisation that needs to happen between option parsing and post processing into small methods. Signed-off-by: Arne Schwabe Change looks good, no error/warning upon compilation and a basic connectivity test just worked with both sitnl and iproute2. Acked-by: Antonio Quartulli -- Antonio Quartulli ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] Remove unused havege.h header
This header was removed in mbedtls 3. Luckily, we weren't actually using it, it seems. Signed-off-by: Max Fillinger --- src/openvpn/crypto_mbedtls.c | 1 - src/openvpn/ssl_mbedtls.c| 2 -- 2 files changed, 3 deletions(-) diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c index 2f7f00d1..72e19d23 100644 --- a/src/openvpn/crypto_mbedtls.c +++ b/src/openvpn/crypto_mbedtls.c @@ -50,7 +50,6 @@ #include #include #include -#include #include #include diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index e7c45c09..1cb27aaa 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -46,8 +46,6 @@ #include "pkcs11_backend.h" #include "ssl_common.h" -#include - #include "ssl_verify_mbedtls.h" #include #include -- 2.11.0 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] OpenSSL build on Windows: OPENSSLDIR and MODULESDIR
Hi, We agreed during the hackathon that we are going to ship a 2.6 Windows client with OpenSSL 3.0. Apart from merging relevant patches, there are few (small) blocks: - vcpkg hasn't yet added OpenSSL 3.0 to official repo, but there is a PR https://github.com/microsoft/vcpkg/pull/20428 This shouldn't be a problem for us, since we could just have this port in openvpn repo, like we do with pkcs11-helper. - The latest release of pkcs11-helper doesn't build with openssl3, but things are progressing - https://github.com/OpenSC/pkcs11-helper/issues/42. We would also have to make sure that our vcpkg port for pkcs11-helper builds with openssl3. Once OpenSSL 3.0 support is somewhat settled, we could look into configuration file loading. I haven't checked vcpkg scripts, but in the best case scenario we won't have to do anything and just rely on readonly values you've mentioned. -- -Lev ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] NTLMv1, NTLMv2 HTTP proxy support?
Hi Community, OpenVPN supports HTTP proxies that require NTLM authentication, supporting NTLMv1 and NTLMv2 protocols. This is old code, which was written in the dark ages, is not currently unit/client tested, and uses DES which got deprecated in OpenSSL 3.0.0... That said, if people still *use* it, we are likely to keep it - otherwise it might just become lost :-) So - if you use HTTP proxy in OpenVPN, and that proxy authenticates against a Windows AD domain, and you use NTLMv1 or NTLMv2 authentication, please speak up and tell us about your use case! gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Completely remove DES checks
On 07/11/2021 13:29, Arne Schwabe wrote: The patch removes checking for weak keys and making DES just like any other CBC cipher and not doing extra checks for this. It basically removes the special treatment of DES. After this, do we have any DES functionality left in OpenVPN? If so, we should remove it. After this patch, no special handling for DES anymore. YOu can still use DES but it is handled like any other cipher, e.g. BF-CBC, AES-CBC Arne I think the point is that if we stop checking weak keys, we should rip out DES support completely. (I'd be in favor, but I'm not deep enough into it to know what the fallout would be.) My view is, if someone's doing DES, they're not caring about security, so the small risk of weak keys is acceptable. Basically, "all DES keys are weak keys." ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Completely remove DES checks
The patch removes checking for weak keys and making DES just like any other CBC cipher and not doing extra checks for this. It basically removes the special treatment of DES. After this, do we have any DES functionality left in OpenVPN? If so, we should remove it. After this patch, no special handling for DES anymore. YOu can still use DES but it is handled like any other cipher, e.g. BF-CBC, AES-CBC Arne ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Completely remove DES checks
Am 07.11.21 um 13:13 schrieb Arne Schwabe: Am 07.11.21 um 12:57 schrieb Matthias Andree: Am 07.11.21 um 10:01 schrieb Arne Schwabe: We already removed the check in d67658fee for OpenSSL 3.0. This removes the checks entirely for all crypto libraries. Signed-off-by: Arne Schwabe --- src/openvpn/crypto.c | 15 src/openvpn/crypto_backend.h | 28 --- src/openvpn/crypto_mbedtls.c | 56 -- src/openvpn/crypto_openssl.c | 66 4 files changed, 165 deletions(-) - /* DES is deprecated and the method to even check the keys is deprecated - * in OpenSSL 3.0. Instead of checking for the 16 weak/semi-weak keys - * we just accept them in OpenSSL 3.0 since the risk of randomly getting - * these is pretty low (and "all DES keys are weak" anyway) */ - return true; Should not we nuke DES altogether in that case? Or am I misunderstanding the patch? The patch removes checking for weak keys and making DES just like any other CBC cipher and not doing extra checks for this. It basically removes the special treatment of DES. After this, do we have any DES functionality left in OpenVPN? If so, we should remove it. ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Completely remove DES checks
Am 07.11.21 um 12:57 schrieb Matthias Andree: Am 07.11.21 um 10:01 schrieb Arne Schwabe: We already removed the check in d67658fee for OpenSSL 3.0. This removes the checks entirely for all crypto libraries. Signed-off-by: Arne Schwabe --- src/openvpn/crypto.c | 15 src/openvpn/crypto_backend.h | 28 --- src/openvpn/crypto_mbedtls.c | 56 -- src/openvpn/crypto_openssl.c | 66 4 files changed, 165 deletions(-) - /* DES is deprecated and the method to even check the keys is deprecated - * in OpenSSL 3.0. Instead of checking for the 16 weak/semi-weak keys - * we just accept them in OpenSSL 3.0 since the risk of randomly getting - * these is pretty low (and "all DES keys are weak" anyway) */ - return true; Should not we nuke DES altogether in that case? Or am I misunderstanding the patch? The patch removes checking for weak keys and making DES just like any other CBC cipher and not doing extra checks for this. It basically removes the special treatment of DES. Arne ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Completely remove DES checks
Am 07.11.21 um 10:01 schrieb Arne Schwabe: We already removed the check in d67658fee for OpenSSL 3.0. This removes the checks entirely for all crypto libraries. Signed-off-by: Arne Schwabe --- src/openvpn/crypto.c | 15 src/openvpn/crypto_backend.h | 28 --- src/openvpn/crypto_mbedtls.c | 56 -- src/openvpn/crypto_openssl.c | 66 4 files changed, 165 deletions(-) -/* DES is deprecated and the method to even check the keys is deprecated - * in OpenSSL 3.0. Instead of checking for the 16 weak/semi-weak keys - * we just accept them in OpenSSL 3.0 since the risk of randomly getting - * these is pretty low (and "all DES keys are weak" anyway) */ -return true; Should not we nuke DES altogether in that case? Or am I misunderstanding the patch? ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Remove custom PRNG function
Hi, On 07-11-2021 10:01, Arne Schwabe wrote: > Remove the custom PRNG from OpenVPN and instead rely always on the random > number generator from the SSL library. The only place that this is in a > performance critical place is the CBC IV generation. Even with that in mind > a micro benchmark shows no significant enough change with OpenSSL 3.0: > > > Benchmark Time CPU Iterations > > BM_OpenSSL_RAND 842 ns 842 ns 753401 > BM_OpenVPN_RAND 743 ns 743 ns 826690 > BM_Encrypt_AES_CBC_dummy1044 ns 1044 ns 631530 > BM_Encrypt_AES_CBC_RAND_bytes 1892 ns 1891 ns 346566 > BM_Encrypt_AES_CBC_prng_bytes 1818 ns 1817 ns 373970 > > (source https://gist.github.com/schwabe/029dc5e5a690df8e2e3f774a13ec7bce) Feature-ACK. The performance of the PRNGs once was much larger, *and* OpenVPN has moved along from CBC mode to (AES-)GCM. So there's not much reason left to keep our own prng implementation. > Signed-off-by: Arne Schwabe > --- > Changes.rst | 6 ++ > doc/man-sections/advanced-options.rst | 17 -- > src/openvpn/crypto.c | 88 +-- > src/openvpn/crypto.h | 20 -- > src/openvpn/init.c| 30 - > src/openvpn/options.c | 30 + > src/openvpn/options.h | 2 - > src/openvpn/ps.c | 5 +- > src/openvpn/ssl.c | 1 - > 9 files changed, 9 insertions(+), 190 deletions(-) > > diff --git a/Changes.rst b/Changes.rst > index b08bff3d7..174e233c8 100644 > --- a/Changes.rst > +++ b/Changes.rst > @@ -94,6 +94,11 @@ TLS 1.0 and 1.1 are deprecated > Should backwards compatibility with older OpenVPN peers be > required, please see the ``--compat-mode`` instead. > > +``--prng`` has beeen removed > +OpenVPN used to implement its own PRNG based on a hash. However > implementing > +a PRNG is better left to a crypto library. So we use mbed TLS or OpenSSL > +PRNG instead now. That last sentence doesn't read well. Suggestion: "So we use the PRNG from mbed TLS or OpenSSL now." > void > prng_bytes(uint8_t *output, int len) > { > -static size_t processed = 0; > - > -if (nonce_md) > -{ > -const int md_size = md_kt_size(nonce_md); > -while (len > 0) > -{ > -const int blen = min_int(len, md_size); > -md_full(nonce_md, nonce_data, md_size + nonce_secret_len, > nonce_data); > -memcpy(output, nonce_data, blen); > -output += blen; > -len -= blen; > - > -/* Ensure that random data is reset regularly */ > -processed += blen; > -if (processed > PRNG_NONCE_RESET_BYTES) > -{ > -prng_reset_nonce(); > -processed = 0; > -} > -} > -} > -else > -{ > -ASSERT(rand_bytes(output, len)); > -} > +ASSERT(rand_bytes(output, len)); > } Hmm, this leaves just this tiny wrapper. Why not just remove that too, and just use ASSERT(rand_bytes()) in the callers? (I can live with the wrapper too, if you prefer to keep it.) > diff --git a/src/openvpn/ps.c b/src/openvpn/ps.c > index a61176172..a0f8a00e9 100644 > --- a/src/openvpn/ps.c > +++ b/src/openvpn/ps.c > @@ -912,10 +912,7 @@ port_share_open(const char *host, > > /* no blocking on control channel back to parent */ > set_nonblock(fd[1]); > - > -/* initialize prng */ > -prng_init(NULL, 0); > - > + > /* execute the event loop */ Trailing whitespace inserted. Other from these details, this looks good to me. As long as the typos and whitespace is fixed before committing: Acked-by: Steffan Karger -Steffan ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Completely remove DES checks
On 07/11/2021 10:01, Arne Schwabe wrote: We already removed the check in d67658fee for OpenSSL 3.0. This removes the checks entirely for all crypto libraries. Signed-off-by: Arne Schwabe Acked-by: Max Fillinger Looks good to me! Compiled and ran --test-crypto for DES/DES3, with mbedtls and OpenSSL 3. ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] Remove custom PRNG function
Remove the custom PRNG from OpenVPN and instead rely always on the random number generator from the SSL library. The only place that this is in a performance critical place is the CBC IV generation. Even with that in mind a micro benchmark shows no significant enough change with OpenSSL 3.0: Benchmark Time CPU Iterations BM_OpenSSL_RAND 842 ns 842 ns 753401 BM_OpenVPN_RAND 743 ns 743 ns 826690 BM_Encrypt_AES_CBC_dummy1044 ns 1044 ns 631530 BM_Encrypt_AES_CBC_RAND_bytes 1892 ns 1891 ns 346566 BM_Encrypt_AES_CBC_prng_bytes 1818 ns 1817 ns 373970 (source https://gist.github.com/schwabe/029dc5e5a690df8e2e3f774a13ec7bce) Signed-off-by: Arne Schwabe --- Changes.rst | 6 ++ doc/man-sections/advanced-options.rst | 17 -- src/openvpn/crypto.c | 88 +-- src/openvpn/crypto.h | 20 -- src/openvpn/init.c| 30 - src/openvpn/options.c | 30 + src/openvpn/options.h | 2 - src/openvpn/ps.c | 5 +- src/openvpn/ssl.c | 1 - 9 files changed, 9 insertions(+), 190 deletions(-) diff --git a/Changes.rst b/Changes.rst index b08bff3d7..174e233c8 100644 --- a/Changes.rst +++ b/Changes.rst @@ -94,6 +94,11 @@ TLS 1.0 and 1.1 are deprecated Should backwards compatibility with older OpenVPN peers be required, please see the ``--compat-mode`` instead. +``--prng`` has beeen removed +OpenVPN used to implement its own PRNG based on a hash. However implementing +a PRNG is better left to a crypto library. So we use mbed TLS or OpenSSL +PRNG instead now. + Compression no longer enabled by default Unless an explicit compression option is specified in the configuration, @@ -111,6 +116,7 @@ PF (Packet Filtering) support has been removed User-visible Changes - CHACHA20-POLY1305 is included in the default of ``--data-ciphers`` when available. +- Option ``--prng`` is ignored as we rely on the SSL library radnom generator. Overview of changes in 2.5 == diff --git a/doc/man-sections/advanced-options.rst b/doc/man-sections/advanced-options.rst index 24ea8ddb3..cdec95021 100644 --- a/doc/man-sections/advanced-options.rst +++ b/doc/man-sections/advanced-options.rst @@ -45,23 +45,6 @@ used when debugging or testing out special usage scenarios. Preserve most recently authenticated remote IP address and port number across :code:`SIGUSR1` or ``--ping-restart`` restarts. ---prng args - *(Advanced)* Change the PRNG (Pseudo-random number generator) parameters - - Valid syntaxes: - :: - - prng alg - prng alg nsl - - Changes the PRNG to use digest algorithm **alg** (default :code:`sha1`), - and set ``nsl`` (default :code:`16`) to the size in bytes of the nonce - secret length (between 16 and 64). - - Set ``alg`` to :code:`none` to disable the PRNG and use the OpenSSL - RAND\_bytes function instead for all of OpenVPN's pseudo-random number - needs. - --rcvbuf size Set the TCP/UDP socket receive buffer size. Defaults to operating system default. diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 0676c8491..1d242ac5a 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -1681,96 +1681,10 @@ key_len_err: return 0; } -/* - * Random number functions, used in cases where we want - * reasonably strong cryptographic random number generation - * without depleting our entropy pool. Used for random - * IV values and a number of other miscellaneous tasks. - */ - -static uint8_t *nonce_data = NULL; /* GLOBAL */ -static const md_kt_t *nonce_md = NULL; /* GLOBAL */ -static int nonce_secret_len = 0; /* GLOBAL */ - -/* Reset the nonce value, also done periodically to refresh entropy */ -static void -prng_reset_nonce(void) -{ -const int size = md_kt_size(nonce_md) + nonce_secret_len; -#if 1 /* Must be 1 for real usage */ -if (!rand_bytes(nonce_data, size)) -{ -msg(M_FATAL, "ERROR: Random number generator cannot obtain entropy for PRNG"); -} -#else -/* Only for testing -- will cause a predictable PRNG sequence */ -{ -int i; -for (i = 0; i < size; ++i) -{ -nonce_data[i] = (uint8_t) i; -} -} -#endif -} - -void -prng_init(const char *md_name, const int nonce_secret_len_parm) -{ -prng_uninit(); -nonce_md = md_name ? md_kt_get(md_name) : NULL; -if (nonce_md) -{ -ASSERT(nonce_secret_len_parm >= NONCE_SECRET_LEN_MIN && nonce_secret_len_parm <= NONCE_SECRET_LEN_MAX); -nonce_secret_len =
[Openvpn-devel] [PATCH] Completely remove DES checks
We already removed the check in d67658fee for OpenSSL 3.0. This removes the checks entirely for all crypto libraries. Signed-off-by: Arne Schwabe --- src/openvpn/crypto.c | 15 src/openvpn/crypto_backend.h | 28 --- src/openvpn/crypto_mbedtls.c | 56 -- src/openvpn/crypto_openssl.c | 66 4 files changed, 165 deletions(-) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 1d242ac5a..e267e7a06 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -986,21 +986,6 @@ check_key(struct key *key, const struct key_type *kt) { return false; } - -/* - * Check for weak or semi-weak DES keys. - */ -{ -const int ndc = key_des_num_cblocks(kt->cipher); -if (ndc) -{ -return key_des_check(key->cipher, kt->cipher_length, ndc); -} -else -{ -return true; -} -} } return true; } diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h index 8bf6012a9..40984c559 100644 --- a/src/openvpn/crypto_backend.h +++ b/src/openvpn/crypto_backend.h @@ -156,34 +156,6 @@ bool crypto_pem_decode(const char *name, struct buffer *dst, */ int rand_bytes(uint8_t *output, int len); -/* - * - * Key functions, allow manipulation of keys. - * - */ - - -/** - * Return number of DES cblocks (1 cblock = length of a single-DES key) for the - * current key type or 0 if not a DES cipher. - * - * @param ktType of key - * - * @return Number of DES cblocks that the key consists of, or 0. - */ -int key_des_num_cblocks(const cipher_kt_t *kt); - -/* - * Check the given DES key. Checks the given key's length, weakness and parity. - * - * @param key Key to check - * @param key_len Length of the key, in bytes - * @param ndc Number of DES cblocks that the key is made up of. - * - * @return \c true if the key is valid, \c false otherwise. - */ -bool key_des_check(uint8_t *key, int key_len, int ndc); - /** * Encrypt the given block, using DES ECB mode * diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c index a31ff5561..781da1ca9 100644 --- a/src/openvpn/crypto_mbedtls.c +++ b/src/openvpn/crypto_mbedtls.c @@ -386,62 +386,6 @@ rand_bytes(uint8_t *output, int len) return 1; } -/* - * - * Key functions, allow manipulation of keys. - * - */ - - -int -key_des_num_cblocks(const mbedtls_cipher_info_t *kt) -{ -int ret = 0; -if (kt->type == MBEDTLS_CIPHER_DES_CBC) -{ -ret = 1; -} -if (kt->type == MBEDTLS_CIPHER_DES_EDE_CBC) -{ -ret = 2; -} -if (kt->type == MBEDTLS_CIPHER_DES_EDE3_CBC) -{ -ret = 3; -} - -dmsg(D_CRYPTO_DEBUG, "CRYPTO INFO: n_DES_cblocks=%d", ret); -return ret; -} - -bool -key_des_check(uint8_t *key, int key_len, int ndc) -{ -int i; -struct buffer b; - -buf_set_read(, key, key_len); - -for (i = 0; i < ndc; ++i) -{ -unsigned char *key = buf_read_alloc(, MBEDTLS_DES_KEY_SIZE); -if (!key) -{ -msg(D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: insufficient key material"); -goto err; -} -if (0 != mbedtls_des_key_check_weak(key)) -{ -msg(D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: weak key detected"); -goto err; -} -} -return true; - -err: -return false; -} - /* * * Generic cipher key type functions diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index bbfe15143..116c99c8e 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -552,72 +552,6 @@ rand_bytes(uint8_t *output, int len) return 1; } -/* - * - * Key functions, allow manipulation of keys. - * - */ - - -int -key_des_num_cblocks(const EVP_CIPHER *kt) -{ -int ret = 0; -const char *name = OBJ_nid2sn(EVP_CIPHER_nid(kt)); -if (name) -{ -if (!strncmp(name, "DES-", 4)) -{ -ret = EVP_CIPHER_key_length(kt) / sizeof(DES_cblock); -} -else if (!strncmp(name, "DESX-", 5)) -{ -ret = 1; -} -} -dmsg(D_CRYPTO_DEBUG, "CRYPTO INFO: n_DES_cblocks=%d", ret); -return ret; -} - -bool -key_des_check(uint8_t *key, int key_len, int ndc) -{ -#if OPENSSL_VERSION_NUMBER < 0x3000L -int i; -struct buffer b; - -buf_set_read(, key, key_len); - -for (i = 0; i < ndc; ++i) -{ -DES_cblock *dc = (DES_cblock *) buf_read_alloc(, sizeof(DES_cblock)); -if (!dc) -{ -crypto_msg(D_CRYPT_ERRORS, - "CRYPTO INFO: check_key_DES: insufficient key material"); -goto err; -} -if (DES_is_weak_key(dc)) -{ -crypto_msg(D_CRYPT_ERRORS, -