patch checks the decoded length to show an accurate error message.
v2: Remove now-unused macro and fix an off-by-one error.
Signed-off-by: Max Fillinger
---
src/openvpn/base64.h | 4
src/openvpn/tls_crypt.c | 18 +++---
src/openvpn/tls_crypt.h | 2 --
3 files changed, 15
patch checks the decoded length to show an accurate error message.
Signed-off-by: Max Fillinger
---
src/openvpn/base64.h | 4
src/openvpn/tls_crypt.c | 18 +++---
2 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/src/openvpn/base64.h b/src/openvpn/base64.h
index
The manual page claims that the client metadata can be up to 735 bytes
(encoded as up to 980 characters base64), but the actual maximum length
is 733 bytes which is also encoded as 980 characters in base64.
Signed-off-by: Max Fillinger
---
doc/man-sections/encryption-options.rst | 3 ++-
1
When running openvpn --show-tls with mbedtls, it showed a null pointer
error at the end because of this.
Signed-off-by: Max Fillinger
---
src/openvpn/ssl_mbedtls.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index
LibreSSL has added some of the functions that are defined here. However,
we still need RSA_F_RSA_OSSL_PRIVATE_ENCRYPT.
v2: Change ifdef condition for RSA_F_RSA_OSSL_PRIVATE_ENCRYPT.
v3: Don't break WolfSSL.
Signed-off-by: Max Fillinger
---
src/openvpn/openssl_compat.h | 8 +---
1
LibreSSL has added some of the functions that are defined here. However,
we still need RSA_F_RSA_OSSL_PRIVATE_ENCRYPT.
v2: Change ifdef condition for RSA_F_RSA_OSSL_PRIVATE_ENCRYPT.
Signed-off-by: Max Fillinger
---
src/openvpn/openssl_compat.h | 8 +---
1 file changed, 5 insertions(+), 3
ed to call
EVP_MD_CTX_free() instead of cleanup.
Signed-off-by: Max Fillinger
---
src/openvpn/crypto_openssl.c | 38 ++--
1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 5cd09e33..5c86268d 10
LibreSSL has added some of the functions that are defined here. However,
we still need RSA_F_RSA_OSSL_PRIVATE_ENCRYPT.
Signed-off-by: Max Fillinger
---
src/openvpn/openssl_compat.h | 8 +---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/openvpn/openssl_compat.h b/src
dows version of undo_ifconfig_ipv6
Signed-off-by: Max Fillinger
---
src/openvpn/init.c | 4 ++
src/openvpn/tun.c | 159 +++--
src/openvpn/tun.h | 8 +++
3 files changed, 95 insertions(+), 76 deletions(-)
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index b67
--ifconfig-noexec isn't set. This is symmetric to how open_tun() and
do_ifconfig() are used.
v2: Fix tabs-vs-spaces.
v3: Fix another style mistake.
v4: Move undo_ifconfig{4,6}() out of #ifdef TARGET_LINUX.
v5: Keep ctx argument in close_tun().
Signed-off-by: Max Fillinger
---
src/openv
--ifconfig-noexec isn't set. This is symmetric to how open_tun() and
do_ifconfig() are used.
This change also allows us to drop the second argument from close_tun().
v2: Fix tabs-vs-spaces.
v3: Fix another style mistake.
v4: Move undo_ifconfig{4,6}() out of #ifdef TARGET_LINUX.
Signed-off-by
--ifconfig-noexec isn't set. This is symmetric to how open_tun() and
do_ifconfig() are used.
This change also allows us to drop the second argument from close_tun().
v2: Fix tabs-vs-spaces.
v3: Fix another style mistake.
Signed-off-by: Max Fillinger
---
src/openvpn/init.c | 6 +-
sr
--ifconfig-noexec isn't set. This is symmetric to how open_tun() and
do_ifconfig() are used.
This change also allows us to drop the second argument from close_tun().
v2: Fix tabs-vs-spaces.
Signed-off-by: Max Fillinger
---
src/openvpn/init.c | 5 -
src/open
--ifconfig-noexec isn't set. This is symmetric to how open_tun() and
do_ifconfig() are used.
This change also allows us to drop the second argument from close_tun().
Signed-off-by: Max Fillinger
---
src/openvpn/init.c | 5 -
src/openvpn/tun.c | 37 +--
Signed-off-by: Max Fillinger
---
README.mbedtls | 18 ++
1 file changed, 18 insertions(+)
diff --git a/README.mbedtls b/README.mbedtls
index 4875822d..d3466fa9 100644
--- a/README.mbedtls
+++ b/README.mbedtls
@@ -11,6 +11,24 @@ This version depends on mbed TLS 2.0 (and requires
Signed-off-by: Max Fillinger
---
README.mbedtls | 17 +
1 file changed, 17 insertions(+)
diff --git a/README.mbedtls b/README.mbedtls
index 4875822d..062ae470 100644
--- a/README.mbedtls
+++ b/README.mbedtls
@@ -11,6 +11,23 @@ This version depends on mbed TLS 2.0 (and requires
Signed-off-by: Max Fillinger
---
README.mbedtls | 17 +
1 file changed, 17 insertions(+)
diff --git a/README.mbedtls b/README.mbedtls
index 4875822d..b5604bb8 100644
--- a/README.mbedtls
+++ b/README.mbedtls
@@ -11,6 +11,23 @@ This version depends on mbed TLS 2.0 (and requires
The previous commit was backported from master and needs this variable
to exist.
Signed-off-by: Max Fillinger
---
tests/unit_tests/openvpn/test_ncp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tests/unit_tests/openvpn/test_ncp.c
b/tests/unit_tests/openvpn/test_ncp.c
Signed-off-by: Max Fillinger
---
tests/unit_tests/openvpn/test_ncp.c | 7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/tests/unit_tests/openvpn/test_ncp.c
b/tests/unit_tests/openvpn/test_ncp.c
index 6702133a..f4c28ffd 100644
--- a/tests/unit_tests/openvpn/test_ncp.c
done before trying to undo
it. It's behind an #ifdef because it's only used on Linux, and that was
the reason why it was removed before.
Signed-off-by: Max Fillinger
---
src/openvpn/tun.c | 6 +-
src/openvpn/tun.h | 3 +++
2 files changed, 8 insertions(+), 1 deletion(-)
diff -
This header was removed in mbedtls 3. Luckily, we weren't actually
using it, it seems.
Signed-off-by: Max Fillinger
---
src/openvpn/crypto_mbedtls.c | 1 -
src/openvpn/ssl_mbedtls.c | 2 --
2 files changed, 3 deletions(-)
diff --git a/src/openvpn/crypto_mbedtls.c b/src/op
On 07/11/2021 13:29, Arne Schwabe wrote:
The patch removes checking for weak keys and making DES just like any
other CBC cipher and not doing extra checks for this. It basically
removes the special treatment of DES.
After this, do we have any DES functionality left in OpenVPN? If so, we
sho
On 07/11/2021 10:01, Arne Schwabe wrote:
We already removed the check in d67658fee for OpenSSL 3.0. This removes the
checks entirely for all crypto libraries.
Signed-off-by: Arne Schwabe
Acked-by: Max Fillinger
Looks good to me!
Compiled and ran --test-crypto for DES/DES3, with mbedtls
for DES encryption for now.
Patch v4: add unit test, use 3DES to avoid legacy provider for now
Signed-off-by: Arne Schwabe
Acked-by: Max Fillinger
Looks good to me, and the unit tests succeed with OpenSSL 1.1.1 and 3.
Small nitpick that can be fixed at compile time:
+if
e to allow setting a seclevel of 0.
Patch v4: fix default accidentally changed to insecure
Signed-off-by: Arne Schwabe
Acked-by: Max Fillinger
With OpenSSL 3, OpenVPN accepts certs signed with SHA1 if and only if
"--tls-cert-profile in
On 19/10/2021 20:31, Arne Schwabe wrote:
The recent deprecation of SHA1 certificates in OpenSSL 3.0 makes it necessary
to reallow them in certain deployments. Currently this works by using the
hack of using tls-cipher "DEFAULT:@SECLEVEL=0". Add insecure as option to
tls-cert-profile to allow sett
On 19/10/2021 20:31, Arne Schwabe wrote:
Through the multiple iteration of allowing OpenVPN to run without
BF-CBC we accidentally made a regression and still required BF-CBC.
This patch fixes the code path and restores its intended function.
Signed-off-by: Arne Schwabe
Acked-by: Max
On 19/10/2021 20:31, Arne Schwabe wrote:
With OpenSSL 3.0 the use of nid values is deprecated and new algorithms
do not even have NID values anymore.
This also works nicely with providers now:
openvpn --provider legacy:default --show-ciphers
shows more ciphers (e.g. BF-CBC) than just
On 26/10/2021 17:27, Max Fillinger wrote:
On 19/10/2021 20:31, Arne Schwabe wrote:
We do not support CTS (cipher text stealing) algorithms.
Signed-off-by: Arne Schwabe
---
src/openvpn/crypto_openssl.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/openvpn
On 19/10/2021 20:31, Arne Schwabe wrote:
We do not support CTS (cipher text stealing) algorithms.
Signed-off-by: Arne Schwabe
---
src/openvpn/crypto_openssl.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index a
chacha, &gc),
aes_chacha);
+}
Add space before (
Acked-by: Max Fillinger
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
On 19/10/2021 20:31, Arne Schwabe wrote:
Use the new name for the function as it indicates with
get0 the ownership of the returned value
Signed-off-by: Arne Schwabe
Acked-by: Max Fillinger
Looks good to me.
Typo: "USe"
is actually
currently supported.
Signed-off-by: Arne Schwabe
Acked-by: Max Fillinger
Looks good to me!
Some small errors in the commit message:
"return a non Null algorithm": Should be "may return", I think.
second "EVP_get_cipherbyname"
When the EVP_PKEY object with the Diffie-Hellman parameters is passed
to SSL_CTX_set0_tmp_dh_pkey, it does not create a copy but stores the
pointer in the SSL_CTX. Therefore, we should not free it.
The EVP_PKEY will be freed automatically when we free the SSL_CTX.
Signed-off-by: Max Fillinger
On 19/10/2021 20:31, Arne Schwabe wrote:
This puts the early initialisation and uninitialisation that needs to
happen between option parsing and post processing into small methods.
Signed-off-by: Arne Schwabe
Acked-by: Max Fillinger
It's easy to see that this does not change the beh
On 19/10/2021 20:31, Arne Schwabe wrote:
EC_Key methods are deprecated in OpenSSL 3.0. Use
EVP_PKEY_get_group_name instead to query the EC group name from an
EVP_PKEY and add a compatibility function for older OpenSSL versions.
Signed-off-by: Arne Schwabe
---
src/openvpn/openssl_compat.h | 42
Acked-by: Max Fillinger
Makes sense, why should we care about the parity bits when no-one else does?
Compiled and ran --test-crypto for DES/DES3 with OpenSSL 3.1.0, 1.1.1
and mbedtls 2.26.
.
Signed-off-by: Arne Schwabe
Acked-by: Max Fillinger
Not much to say here. It compiles and I can see the warning when I use
the option.
On 19/10/2021 20:31, Arne Schwabe wrote:
OpenSSL 3.0 replaces the DH API with a generic EVP_KEY based API to
load DH parameters.
Signed-off-by: Arne Schwabe
Acked-by: Max Fillinger
Looked at the patch, compiled with OpenSSL 3.1.0, tested that I can get
a server and client to talk to each
On 19/10/2021 20:31, Arne Schwabe wrote:
DES is very deprecated and accidentally getting one of the 16 insecure
keys that OpenSSL checks is extremely unlikely so we no longer use the
deprecated functions without replacement in OpenSSL 3.0.
Signed-off-by: Arne Schwabe
---
src/openvpn/crypto_o
On 19/10/2021 20:31, Arne Schwabe wrote:
This allows selecting engine support at configure time. For OpenSSL 1.1 the
default is not changed and we detect if engine support is available.
Engine support is deprecated in OpenSSL 3.0 and for OpenSSL 3.0 the default
is to disable engine support as en
new API does not have an easy way to reset an HMAC, so we need
to keep the key around to emulate a reset functionality.
Signed-off-by: Arne Schwabe
Acked-by: Max Fillinger
Looked at the code, compiled with OpenSSL 3.1.0 and 1.1.1, and ran
--test-crypto for both.
Small typo in commit message
On 19/10/2021 20:31, Arne Schwabe wrote:
+if (!EVP_EncryptInit_ex(ctx, EVP_bf_ecb(), NULL, key, 0))
EVP_bf_ecb() is the Blowfish cipher, not DES.
will use our compat code.
Cc: Max Fillinger
Signed-off-by: Antonio Quartulli
Thanks again for cleaning up my mess!
Compile-tested with mbedtls versions
2.27.0
2.26.0
2.25.0
2.16.11
2.15.1
2.14.1
2.14.0
2.12.0
2.7.19
2.7.0
All good!
(Typo: "aqvoid" in the commit message, but th
add a compatibility function that runs
mbedtls_ctr_drbg_update and returns 0.
Signed-off-by: Max Fillinger
---
src/openvpn/ssl_mbedtls.c | 20 +++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index 265ea36f
Replace open...@fox-it.com with open...@foxcrypto.com.
Signed-off-by: Max Fillinger
---
doc/doxygen/Makefile.am | 2 +-
doc/doxygen/doc_compression.h | 2 +-
doc/doxygen/doc_control_processor.h | 2 +-
doc/doxygen/doc_control_tls.h | 2 +-
doc
't
use a reloaded CRL if it initially failed to access the file.
Signed-off-by: Max Fillinger
---
src/openvpn/ssl.c | 10 +-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 1e0e6170..6ce1d079 100644
--- a/src/openvpn/ssl.c
+++ b/s
. For these, the
--persist-key option should be used.
Signed-off-by: Max Fillinger
---
src/openvpn/init.c | 2 +-
src/openvpn/misc.c | 11 +++
src/openvpn/misc.h | 6 ++
src/openvpn/options.c | 8 +---
src/openvpn/ssl.c | 21 +++--
src/openvpn/ssl.h
r SSL renegotiation.
This commit fixes the build by ifdef'ing out the function call when
mbedtls was built without support for SSL renegotiation.
Signed-off-by: Max Fillinger
---
src/openvpn/ssl_mbedtls.c | 9 ++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/openvpn/ssl_m
't
use a reloaded CRL if it initially failed to access the file.
In tls_process(), we stick with the previous behavior of logging a
warning and keeping the old CRL to ensure that the CRL file can be
updated on-the-fly.
Signed-off-by: Max Fillinger
---
src/openvpn/ssl.c | 21 ---
files. For these, the
--persist-key option should be used.
Signed-off-by: Max Fillinger
---
src/openvpn/init.c | 3 ++-
src/openvpn/misc.c | 11 +++
src/openvpn/misc.h | 7 +++
src/openvpn/options.c | 8 +---
src/openvpn/ssl.c | 20 ++--
src/openvpn
RL file
cannot be accessed. Now that the path is handled correctly pre- and
post-chroot, there is no good reason why accessing it should fail.
This fixes bug 1).
Max Fillinger (2):
In init_ssl, open the correct CRL path pre-chroot
Abort if CRL file can't be stat-ed in init_ssl
src/open
d, I could fix the
CRL reloading bug in a less hacky manner and also make sure that we
don't modify the configs of active mbedtls_ssl_contexts.
[0] https://sourceforge.net/p/openvpn/mailman/message/37254045/
[1] https://sourceforge.net/p/openvpn/mailman/message/37254048/
Max Fillinger (1):
This commit fixes the following two issues:
The config belonging to a mbedtls_ssl_ctx struct is not supposed to be
changed after mbedtls_ssl_setup() has been called. Previously, we
modified the CRL structure in place when a new CRL was loaded, but a
pointer to this struct appears in configs that a
From: Uipko Berghuis
In mbedtls 2.16.0 mbedtls_ctr_drbg_update() changed to
mbedtls_ctr_drbg_update_ret(). Change the function name and handle
the new return value error code.
---
src/openvpn/ssl_mbedtls.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/ssl_mb
From: Maximilian Fillinger
If the CRL file cannot be read during initialization, a NULL pointer is
passed to the mbedtls_ssl_config in key_state_ssl_init(). Then, if the
CRL file is successfully read later, the config won't have a pointer to
it. Therefore, the CRL won't actually take effect.
Thi
There is an issue with the mbedTLS version of OpenVPN where a CRL file
wouldn't be used when running in a chroot. This is due to a combination
of two bugs found by Adam Lukosek at Compumatica.
1) With mbedTLS, if the CRL file can't be opened during initialization,
OpenVPN will read the file whe
From: Steffan Karger
To improve the control channel performance under packet loss conditions,
add a more aggressive retransmit policy similar to what many TCP
implementations do: retransmit a packet if the ACK timeout expires (like
we already do), *or* if three ACKs for follow-up packets are rece
This is my second attempt at sending this patch, this time without
mixing up commit message and cover letter, and from an account that
(I hope) doesn't hate mailing lists.
This patch changes reliable_send() to resend a packet if at least three
later packets have been ACKed. This improves performan
Plaintext authentication is not exactly high security, but we might as
well memzero the credentials before leaving the function.
---
src/openvpn/socks.c | 23 ++-
1 file changed, 14 insertions(+), 9 deletions(-)
diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c
index 36df