[Openvpn-devel] [PATCH applied] Re: List ChaCha20-Poly1305 as stream cipher

2018-10-10 Thread Gert Doering
Your patch has been applied to the master branch. "Does what it says on the lid"... before: CHACHA20-POLY1305 (256 bit key, 8 bit block, TLS client/server mode only) .. after: CHACHA20-POLY1305 (256 bit key, stream cipher, TLS client/server mode only) commit 447997dd83400bffc05db65a91f659dc

[Openvpn-devel] [PATCH applied] Re: Add support for tls-ciphersuites for TLS 1.3

2018-10-10 Thread Gert Doering
Your patch has been applied to the master branch and release/2.4 branch (long-term compatibility, as agreed last weekend - and it's nicely isolated, so if you are not using the new option, nothing changes). WRT Steffan's formatting nits on v3 - these are unchanged here in v4, but the *next* TLS 1

Re: [Openvpn-devel] MinGW to build DLL not EXE

2018-10-10 Thread Simon Rozman
Thank you, Selva. After banging my head against the keyboard for the last 10 hours, only to find out I disposed the very solution you and David suggested because of a minor glitch not related to libtool and automake, I finally got it sorted out. Best regards, Simon From: Selva Nair Sent:

Re: [Openvpn-devel] [PATCH v4 3/3] Add better support for showing TLS 1.3 ciphersuites in --show-tls

2018-10-10 Thread Steffan Karger
Hi, On 10-10-18 17:36, Arne Schwabe wrote: > show-tls shows mixed TLS 1.3 and TLS 1.2 ciphers. The ciphersuites > are only valid in tls-cipher or tls-ciphersuites. So this is confusing and > not really helpful. > > This patch modifies show-tls to show separate lists for TLS 1.2 and > TLS 1.3. > > S

Re: [Openvpn-devel] [PATCH] Do not assume that SSL_CTX_get/set_min/max_proto_version are macros

2018-10-10 Thread Selva Nair
Hi, On Sun, Oct 7, 2018 at 3:38 AM Gert Doering wrote: > Hi, > > On Sun, Mar 04, 2018 at 12:44:02PM -0500, selva.n...@gmail.com wrote: > > From: Selva Nair > > > > Openssl docs do not explicitly state these to be macros although they > > are currently defined as such. Use AC_CHECK_DECLS to test

Re: [Openvpn-devel] [PATCH v2] options.c: fix broken unary minus usage

2018-10-10 Thread Gert Doering
Hi, On Wed, Oct 10, 2018 at 03:26:17PM +0300, Lev Stipakov wrote: > crypto_overhead += kt->hmac_length; > > -frame_add_to_extra_frame(frame, crypto_overhead); > +frame_add_to_extra_frame(frame, (unsigned int) crypto_overhead); Even if Arne already ACKed it, I have reservations abou

[Openvpn-devel] [PATCH applied] Re: Remove MANAGMENT_EXTERNAL_KEY, MANAGMENT_IN_EXTRA, ENABLE_CLIENT_CR

2018-10-10 Thread Gert Doering
Your patch has been applied to the master branch. Cursory review, looks all reasonable, and passes my local t_client tests plus a windows build ("just to be safe"). Spurious extra whitespace fixed on the go. There is one thing that Selva commented on on the first round of this patch in December

[Openvpn-devel] [PATCH applied] Re: interactive.c: fix usage of potentially uninitialized variable

2018-10-10 Thread Gert Doering
Your patch has been applied to the master and release/2.4 branch (bugfix). Thanks, Selva, for the extra pair of eyes. I was fine with the v2, but had hoped to see an extra review from you in case I overlooked something ("you know this code best"). Test built on ubuntu 16.04. commit d1f0e2cf83c3

Re: [Openvpn-devel] [PATCH v2] interactive.c: fix usage of potentially uninitialized variable

2018-10-10 Thread Selva Nair
Hi, Sorry I missed this patch cleaning up my mistake.. Gert has already reviewed and asked for this v2 so this may be redundant, but fwiw: On Mon, Oct 8, 2018 at 2:15 PM Lev Stipakov wrote: > From: Lev Stipakov > > In function netsh_dns_cmd() it is possible to jump on a label and > call free(

Re: [Openvpn-devel] MinGW to build DLL not EXE

2018-10-10 Thread Selva Nair
Hi, > > I have almost finished integrating tapctl.exe and openvpnmsica.dll > utilities > for MSI packaging into the OpenVPN/openvpn repo. However, I am totally new > with MinGW and would need some help. > > How do you tell the OpenVPN's build process to create a DLL file, not an > EXE? > As with

[Openvpn-devel] [PATCH v4 3/3] Add better support for showing TLS 1.3 ciphersuites in --show-tls

2018-10-10 Thread Arne Schwabe
show-tls shows mixed TLS 1.3 and TLS 1.2 ciphers. The ciphersuites are only valid in tls-cipher or tls-ciphersuites. So this is confusing and not really helpful. This patch modifies show-tls to show separate lists for TLS 1.2 and TLS 1.3. Signed-off-by: Arne Schwabe --- PATCH V2: refactor common co

[Openvpn-devel] [PATCH v3 2/3] Add support for OpenSSL TLS 1.3 when using management-external-key

2018-10-10 Thread Arne Schwabe
For TLS 1.0 to 1.2 OpenSSL calls us and requires a PKCS1-padded response, for TLS 1.3 it requires an unpadded response. Since we can PKCS1-pad an unpadded response, we prefer to always query for an unpadded response from the management interface and add the PKCS1 padding ourselves when needed.
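The padding step the message above refers to is the PKCS#1 v1.5 "type 1" signature block (0x00 0x01, at least eight 0xFF bytes, 0x00, then the data to be signed). The following is an added illustration written for this page, not OpenVPN's own code: it builds that block for a modulus of k bytes and strips it again, rejecting malformed input. The sample input (a SHA-256 DigestInfo prefix followed by a constant fake hash) is constructed here; no real key or signature is involved, and the raw RSA private-key operation that would follow is out of scope.

```c
/* Added example (not OpenVPN code): PKCS#1 v1.5 type-1 padding of a
 * to-be-signed block, as an external-key signer would apply before the
 * raw RSA private-key operation. k is the RSA modulus size in bytes. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* EM = 0x00 || 0x01 || PS (ps_len bytes of 0xFF, ps_len >= 8) || 0x00 || data
 * Returns 1 on success, 0 if data does not fit (data_len + 11 > k). */
int pkcs1_type1_pad(const uint8_t *data, size_t data_len,
                    uint8_t *out, size_t k)
{
    if (data_len + 11 > k) {
        return 0;   /* would leave fewer than 8 bytes of padding string */
    }
    size_t ps_len = k - data_len - 3;
    out[0] = 0x00;
    out[1] = 0x01;
    memset(out + 2, 0xFF, ps_len);
    out[2 + ps_len] = 0x00;
    memcpy(out + 3 + ps_len, data, data_len);
    return 1;
}

/* Inverse of pkcs1_type1_pad. Writes the payload to data and returns its
 * length, or -1 if the block is not a well-formed type-1 block. */
int pkcs1_type1_unpad(const uint8_t *em, size_t k,
                      uint8_t *data, size_t data_cap)
{
    if (k < 11 || em[0] != 0x00 || em[1] != 0x01) {
        return -1;
    }
    size_t i = 2;
    while (i < k && em[i] == 0xFF) {
        i++;
    }
    /* need at least 8 bytes of 0xFF, then the 0x00 separator */
    if (i < 10 || i >= k || em[i] != 0x00) {
        return -1;
    }
    size_t len = k - i - 1;
    if (len > data_cap) {
        return -1;
    }
    memcpy(data, em + i + 1, len);
    return (int)len;
}

/* Constructed input: DER DigestInfo prefix for SHA-256 (19 bytes) followed
 * by a fake 32-byte digest of 0xAB. Returns the input length (51). */
size_t make_sample_digestinfo(uint8_t *buf)
{
    static const uint8_t sha256_prefix[19] = {
        0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
        0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
    };
    memcpy(buf, sha256_prefix, sizeof(sha256_prefix));
    memset(buf + sizeof(sha256_prefix), 0xAB, 32);
    return sizeof(sha256_prefix) + 32;
}

/* Pad the sample for a 2048-bit key, unpad it, and check the round trip.
 * Returns 1 if the payload survives unchanged, 0 otherwise. */
int demo_roundtrip(void)
{
    uint8_t in[64], em[256], back[64];
    size_t n = make_sample_digestinfo(in);
    if (!pkcs1_type1_pad(in, n, em, sizeof(em))) {
        return 0;
    }
    int len = pkcs1_type1_unpad(em, sizeof(em), back, sizeof(back));
    return len == (int)n && memcmp(in, back, n) == 0;
}

int main(void)
{
    printf("round trip %s\n", demo_roundtrip() ? "ok" : "FAILED");
    return demo_roundtrip() ? 0 : 1;
}
```

The unpad routine is included because the same layout has to be checked on the receiving side; a signer that accepts a block without the 0x00 0x01 header or with fewer than eight 0xFF bytes would be signing something other than a PKCS#1 v1.5 encoding.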

[Openvpn-devel] [PATCH v3 3/3] Implement the nopadding option to management-external-key for mbed TLS

2018-10-10 Thread Arne Schwabe
Although mbed TLS does not have a TLS 1.3 API yet and we do not really know how mbed TLS will handle querying for TLS 1.3 signatures, being able to use the same API with OpenSSL and mbed TLS is a nice feature. Since mbed TLS does not expose a way to do pkcs1 padding, copy the trimmed down version

Re: [Openvpn-devel] [PATCH v3 3/3] Remove MANAGMENT_EXTERNAL_KEY, MANAGMENT_IN_EXTRA, ENABLE_CLIENT_CR

2018-10-10 Thread Steffan Karger
Hi, On 10-10-18 16:25, Arne Schwabe wrote: > These defines are always defined when management is enabled. > > We still have --disable-management as configure option, so we need > to replace these with ENABLE_MANAGEMENT in some cases. > Very nice, cleans up a lot of cruft. > PATCH v3: Rebase di

Re: [Openvpn-devel] [PATCH v5] Revert to original password authentication after failed auth-token

2018-10-10 Thread Arne Schwabe
Am 10.10.18 um 16:30 schrieb Arne Schwabe: > Auth-tokens can expire. For by reconnecting when the server uses > auth-gen-token. > > Behaviour of OpenVPN client is to never fallback to the previous > authentication method and continue using the auth-token. Depending on > auth-retry it either quit or

[Openvpn-devel] [PATCH v5] Revert to original password authentication after failed auth-token

2018-10-10 Thread Arne Schwabe
Auth-tokens can expire. For by reconnecting when the server uses auth-gen-token. Behaviour of OpenVPN client is to never fallback to the previous authentication method and continue using the auth-token. Depending on auth-retry it either quit or tried endlessly with an expired token. Since auth-gen-

[Openvpn-devel] [PATCH v3 3/3] Remove MANAGMENT_EXTERNAL_KEY, MANAGMENT_IN_EXTRA, ENABLE_CLIENT_CR

2018-10-10 Thread Arne Schwabe
These defines are always defined when management is enabled. We still have --disable-management as configure option, so we need to replace these with ENABLE_MANAGEMENT in some cases. PATCH v3: Rebase directly on master Signed-off-by: Arne Schwabe --- src/openvpn/init.c| 4 ++-- src/op

Re: [Openvpn-devel] [PATCH v3 3/3] Add better support for showing TLS 1.3 ciphersuites in --show-tls

2018-10-10 Thread Steffan Karger
Hi, Thanks, merging these into a single function makes it cleaner. Still a few minor comments though: On 10-10-18 14:34, Arne Schwabe wrote: > show-tls shows mixed TLS 1.3 and TLS 1.2 ciphers. The ciphersuites > are only valid in tls-cipher or tls-ciphersuites. So this is confusing and > not really

Re: [Openvpn-devel] [PATCH] Adds support for setting the default IPv6 gateway for routes using the route-ipv6-gateway option

2018-10-10 Thread Arne Schwabe
Am 23.07.18 um 05:45 schrieb James Bekkema: > This patch adds support for setting the default IPv6 gateway for routes using > the "route-ipv6-gateway" option. > > Currently if users try to use the "redirect-gateway ipv6" option, or a IPv6 > route without a gateway, without using "ifconfig-ipv6"

Re: [Openvpn-devel] [PATCH v2] options.c: fix broken unary minus usage

2018-10-10 Thread Arne Schwabe
Am 10.10.18 um 14:26 schrieb Lev Stipakov: > From: Lev Stipakov > > In Visual Studio when unary minus is applied to unsigned, > result is still unsigned. This means that when we use result > as function formal parameter, we pass incorrect value. > > Fix by introducing frame_remove_from_extra_fra

[Openvpn-devel] [PATCH v3 3/3] Add better support for showing TLS 1.3 ciphersuites in --show-tls

2018-10-10 Thread Arne Schwabe
show-tls shows mixed TLS 1.3 and TLS 1.2 ciphers. The ciphersuites are only valid in tls-cipher or tls-ciphersuites. So this is confusing and not really helpful. This patch modifies show-tls to show separate lists for TLS 1.2 and TLS 1.3. PATCH V2: refactor common code between mbed and OpenSSL into

[Openvpn-devel] [PATCH v2] options.c: fix broken unary minus usage

2018-10-10 Thread Lev Stipakov
From: Lev Stipakov In Visual Studio when unary minus is applied to unsigned, result is still unsigned. This means that when we use result as function formal parameter, we pass incorrect value. Fix by introducing frame_remove_from_extra_frame function, which makes code semantically more clear and

Re: [Openvpn-devel] Summary of the community meeting (Wed, 10th Oct 2018)

2018-10-10 Thread David Sommerseth
On 10/10/18 13:20, Samuli Seppänen wrote: [...snip...] > -- > > Discussed dropping OpenSSL 1.0.1 support in OpenVPN. It was agreed that > it makes sense. We also made our support policies regarding RedHat more > clear: > > https://community.openvpn.net/openvpn/wiki/SupportedVersions Just clarifyi

[Openvpn-devel] [PATCH v2 3/3] Add better support for showing TLS 1.3 ciphersuites in --show-tls

2018-10-10 Thread Arne Schwabe
show-tls shows mixed TLS 1.3 and TLS 1.2 ciphers. The ciphersuites are only valid in tls-cipher or tls-ciphersuites. So this is confusing and not really helpful. This patch modifies show-tls to show separate lists for TLS 1.2 and TLS 1.3. PATCH V2: refactor common code between mbed and OpenSSL into

[Openvpn-devel] Summary of the community meeting (Wed, 10th Oct 2018)

2018-10-10 Thread Samuli Seppänen
Hi, Here's the summary of the IRC meeting. --- COMMUNITY MEETING Place: #openvpn-meeting on irc.freenode.net Date: Wednesday 10th October 2018 Time: 11:30 CEST (9:30 UTC) Planned meeting topics for this meeting were here: The nex

Re: [Openvpn-devel] MinGW to build DLL not EXE

2018-10-10 Thread Simon Rozman
Hi, > Usually 'gcc -o file.dll -shared ...'. > What .dll are you talking about, a plugin? Not an OpenVPN plugin actually. A separate standalone DLL file used in a later MSI packaging. Windows-only. I had a discussion with Samuli it would be best in a long term to have it in the OpenVPN/openvpn repo fo

Re: [Openvpn-devel] MinGW to build DLL not EXE

2018-10-10 Thread Gisle Vanem
Simon Rozman wrote: I have almost finished integrating tapctl.exe and openvpnmsica.dll utilities for MSI packaging into the OpenVPN/openvpn repo. However, I am totally new with MinGW and would need some help. How do you tell the OpenVPN's build process to create a DLL file, not an EXE? Usuall

[Openvpn-devel] MinGW to build DLL not EXE

2018-10-10 Thread Simon Rozman
Hi! I have almost finished integrating tapctl.exe and openvpnmsica.dll utilities for MSI packaging into the OpenVPN/openvpn repo. However, I am totally new with MinGW and would need some help. How do you tell the OpenVPN's build process to create a DLL file, not an EXE? My working copy is here:

Re: [Openvpn-devel] [PATCH v3 2/2] List ChaCha20-Poly1305 as stream cipher

2018-10-10 Thread Antonio Quartulli
Hi, On 10/10/18 04:43, Steffan Karger wrote: > As Antonio pointed out, "8-bit block cipher" is a bit funny. So teach > print_cipher() to print such cipher as "stream cipher". > > Because I didn't want to write the same code twice, I decided to merge the > two print_cipher() implementations into o

Re: [Openvpn-devel] [PATCH 3/3] Add better support for showing TLS 1.3 ciphersuites in --show-tls

2018-10-10 Thread Steffan Karger
Hi, On 06-10-18 10:06, Arne Schwabe wrote: > show-tls shows mixed TLS 1.3 and TLS 1.2 ciphers. The ciphersuites > are only valid in tls-cipher or tls-ciphersuites. So this is confusing and > not really helpful. > > This patch modifies show-tls to show separate lists for TLS 1.2 and > TLS 1.3. Featu

Re: [Openvpn-devel] [PATCH v4] Add support for tls-ciphersuites for TLS 1.3

2018-10-10 Thread Steffan Karger
Hi, This seems to be the exact same patch as v3. For future reference: this is v4 of 2/2 of the patch set. On 07-10-18 23:55, Arne Schwabe wrote: > OpenSSL 1.1.1 introduces a separate list for TLS 1.3 ciphers. As these > interfaces are meant to be user facing or not exposed at all and we > expos

Re: [Openvpn-devel] [PATCH] buffer_list: add functions documentation

2018-10-10 Thread Steffan Karger
Hi, On 10-10-18 10:37, Antonio Quartulli wrote: > bufferlist_* functions have no documentation whatsoever and the name is > not always enough to fully understand what the function is doing. > For this reason and for the sake of having better documented code, add > function doc in buffer.h. Very g

[Openvpn-devel] [PATCH] buffer_list: add functions documentation

2018-10-10 Thread Antonio Quartulli
bufferlist_* functions have no documentation whatsoever and the name is not always enough to fully understand what the function is doing. For this reason and for the sake of having better documented code, add function doc in buffer.h. Signed-off-by: Antonio Quartulli --- Some doc might be extend

Re: [Openvpn-devel] [PATCH 5/5 v2] buffer_list_aggregate_separator(): simplify code

2018-10-10 Thread Antonio Quartulli
Hi, On 29/12/17 17:54, Steffan Karger wrote: > Clean up the function by slightly simplifying the logic. > > Mostly witespace changes, so best reviewed using 'git diff -w'. ^ missing 'h' here > > Signed-off-by: Steffan Karger > --- > v2: rebase on new version of preceding patches >

Re: [Openvpn-devel] [PATCH v2] Add message explaining early TLS client hello failure

2018-10-10 Thread Steffan Karger
Hi, On 26-09-18 14:01, Arne Schwabe wrote: > In my tests an OpenSSL 1.1.1 server does not accept TLS 1.0 only clients > anymore. Unfortunately, Debian 8 still has OpenVPN 2.3.4, which is > TLS 1.0 only without setting tls-version-min. > > We currently log only > OpenSSL: error:14209102:SSL > rou

[Openvpn-devel] [PATCH v6 2/7] tls-crypt-v2: add specification to doc/

2018-10-10 Thread Steffan Karger
This is a preliminary description of tls-crypt-v2. It should give a good impression about the reasoning and design behind tls-crypt-v2, but might need some polishing and updating. Signed-off-by: Steffan Karger --- v3: Include length in WKc v4: Clarify metadata handling v5: Typo fixes (thanks tin

[Openvpn-devel] [PATCH v6 6/7] tls-crypt-v2: implement tls-crypt-v2 handshake

2018-10-10 Thread Steffan Karger
This makes clients send-and-use, and servers receive-unwrap-and-use tls-crypt-v2 client keys, which completes the on-the-wire work. Signed-off-by: Steffan Karger --- v3: include length in WKc, rebase on current master / v3 patch set v4: resolve merge conflict (fixes memory leak) v5: rebase on v5 p

[Openvpn-devel] [PATCH v6 4/7] tls-crypt-v2: add unwrap_client_key

2018-10-10 Thread Steffan Karger
Add helper functions to unwrap tls-crypt-v2 client keys. Signed-off-by: Steffan Karger --- v3: Include length in WKc v4: Rebase on v4 patch set v5: Rebase on v5 patch set v6: Change WKc length to ciphertext length (was plaintext) src/openvpn/buffer.h | 7 + src/openvpn/tl

[Openvpn-devel] [PATCH v6 7/7] tls-crypt-v2: add script hook to verify metadata

2018-10-10 Thread Steffan Karger
To allow rejecting incoming connections very early in the handshake, add a --tls-crypt-v2-verify option that allows administrators to run an external command to verify the metadata from the client key. See doc/tls-crypt-v2.txt for more details. Because of the extra dependencies, this requires addin

[Openvpn-devel] [PATCH v6 5/7] tls-crypt-v2: add P_CONTROL_HARD_RESET_CLIENT_V3 opcode

2018-10-10 Thread Steffan Karger
Not used yet, but prepare for sending and receiving tls-crypt-v2 handshake messages. Signed-off-by: Steffan Karger --- v3: rebase on current master / v3 patch set v4: rebase on v4 patch set v5: rebase on v5 patch set v6: rebase on v6 patch set src/openvpn/ps.c | 3 ++- src/openvpn/ssl.

[Openvpn-devel] [PATCH v6 3/7] tls-crypt-v2: generate tls-crypt-v2 keys

2018-10-10 Thread Steffan Karger
As a first step towards a full tls-crypt-v2 implementation, add functionality to generate tls-crypt-v2 client and server keys. Signed-off-by: Steffan Karger --- v3: Include length in WKc v4: Fix option verification (use ce->tls_*, not options->ce.tls_*) v5: Rebase on patch set v5 v6: - Reword c

[Openvpn-devel] Topics for the community meeting (Wed, 10th Oct 2018)

2018-10-10 Thread Samuli Seppänen
Hi, We're going to have an IRC meeting starting at 11:30 CEST (9:30 UTC) on #openvpn-meeting irc.freenode.net. You do not have to be logged in to Freenode to join the channel. Current topic list along with basic information is here:

Re: [Openvpn-devel] [Openvpn-users] OpenVPN cipher issue?

2018-10-10 Thread Gert Doering
Hi, to copy the reply from Steffan over to openvpn-users... On Tue, Oct 09, 2018 at 08:43:49PM +0200, Gert Doering wrote: > (copying in openvpn-devel, as this is something Steffan will want to > see...) [..] > Possibly this is when the first packet is sent by the client or when > the first packet

Re: [Openvpn-devel] [PATCH] options.c: fix broken unary minus usage

2018-10-10 Thread Lev Stipakov
Hi, This was caught by Visual Studio. Moreover, with SDL enabled ( https://docs.microsoft.com/fi-fi/cpp/build/reference/sdl-enable-additional-security-checks?view=vs-2017 ) this warning is treated as an error. It is probably a good idea to trigger Visual Studio build on every commit to master (a

Re: [Openvpn-devel] [PATCH] Remove example unit tests

2018-10-10 Thread Steffan Karger
Hi, [ Talking to myself here... ] On 10-10-18 08:51, Steffan Karger wrote: > We have plenty real unit test that can be used as examples, so the > example tests are no longer needed. Let's get rid of them. NAK. The patch is wrong because it leaves around a trace of the example tests in configure.