Hi André,

Thank you for coding and sharing! I marked your original mail for later processing, just had not gotten to it yet.

This is a cool feature, and it has been proposed before on this list (see http://thread.gmane.org/gmane.network.openvpn.devel/7384/focus=7395).
That patch did not make it in, primarily because we (or at least I) got distracted by an issue in the crypto code that thread pointed us to, where a non-constant time memcmp was used to compare HMACs. Unfortunately, after fixing that issue the thread never got the follow-up it deserved.

Returning to your patch, I did not fully review the code, but it at least has the same problem: you are using a non-constant time memcmp to compare HMACs, which would introduce a possible side-channel vulnerability. The solution is simple: use memcmp_constant_time() from crypto.c.

While taking a peek at your patch I tried to apply it on my local codebase, but got conflicts on both the master and release/2.3 branches. On what commit did you base the patch? It would be nice if it would apply clean to at least the master branch.

Regards,
-Steffan

On 10/22/2013 10:26 AM, André Valentin wrote:
> Hi,
>
> no comments for this patch? It is really cool if you roam from wifi to edge
> on mobiles,
> you are immediately reconnected to your vpn after a connection change. No 1
> minute wait
> for openvpn to complete the openvpn authentication. (cause is the ~1s GSM
> EDGE roundtrip
> time) If you travel in a train through, this will enhance your experience
> drastically.
>
> I would really appreciate any comments on this, or if you have any hints.
>
> With kind regards,
>
> André
>
> On 14.10.2013 23:20, André Valentin wrote:
>> Add support for floating in tls mode using the HMAC of a packet. It costs
>> a roundtrip through the clients. Because it is based on the HMAC, it is
>> secure in ways of cryptography. Before the iteration starts, some sanity
>> checks are done.
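The timing concern raised in the reply above, as an added example that is not part of the original mail and is not OpenVPN's memcmp_constant_time(): an early-exit comparison does work proportional to the matching prefix of an HMAC tag, while a constant-time comparison always does the same work. The names naive_compare, ct_compare and work_done and the 20-byte sample tag are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_LEN 20 /* HMAC-SHA1-sized tag */
static const uint8_t expected[TAG_LEN] = { /* constructed sample, not real data */
    0x3a, 0x91, 0x5c, 0x07, 0xe2, 0x44, 0xb8, 0x6d, 0x19, 0xf0,
    0x2b, 0x73, 0xc5, 0x0e, 0x88, 0xd1, 0x4f, 0xa6, 0x32, 0x7e };

/* Early-exit compare, as a typical memcmp behaves. *examined records how
 * many bytes were inspected, standing in for the running time. */
static int naive_compare(const uint8_t *a, const uint8_t *b, size_t n, size_t *examined)
{
    size_t i = 0;
    while (i < n && a[i] == b[i])
        i++;
    *examined = i < n ? i + 1 : n;
    return i < n;
}

/* Constant-time compare: always reads all n bytes and ORs the differences,
 * so the work does not depend on where the inputs first differ. */
static int ct_compare(const uint8_t *a, const uint8_t *b, size_t n, size_t *examined)
{
    volatile uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    *examined = n;
    return diff != 0;
}

/* Bytes examined when checking a candidate whose first `good` bytes match. */
static size_t work_done(int constant_time, size_t good)
{
    uint8_t candidate[TAG_LEN];
    size_t examined = 0;
    for (size_t i = 0; i < TAG_LEN; i++)
        candidate[i] = (uint8_t)(i < good ? expected[i] : expected[i] ^ 0xff);
    (constant_time ? ct_compare : naive_compare)(expected, candidate, TAG_LEN, &examined);
    return examined;
}

int main(void)
{
    const size_t good[] = { 0, 5, 19, 20 };
    for (size_t k = 0; k < 4; k++)
        printf("%2zu correct bytes: early-exit examines %2zu, constant-time examines %2zu\n",
               good[k], work_done(0, good[k]), work_done(1, good[k]));
    return 0;
}
```

The byte count is a deterministic stand-in for elapsed time; on real hardware the same dependence shows up as a measurable timing difference per correct leading byte.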