Re: [Openvpn-devel] [PATCH] Adds client-auth-pending-extra management functionality.

2020-08-25 Thread Eric Thorpe
Hi Arne, I'm happy to resubmit the patch with further documentation to what I have already included with this patch, however I need to know what is likely to be accepted. Per my previous question and example, is it acceptable to keep using CR_TEXT and document the C and CR flags, or, as I th

Re: [Openvpn-devel] [PATCH 1/2] Send auth-fail messages to clients on renegotiation failures via auth-token or user-pass expiry

2020-08-25 Thread Eric Thorpe
Management goes another code path and management_client_auth directly calls send_auth_failed. I'm afraid in the case of renegotiation this is not relevant. But I also haven't dug deep enough to actually understand if your is actually fixing the problem correctly. May I request that we resolve

Re: [Openvpn-devel] [PATCH] Add DNS SRV host discovery support

2020-08-25 Thread Vladislav Grishenko
Hi, Arne Many thanks for the review, please refer to comments inline -- Best Regards, Vladislav Grishenko > -Original Message- > From: Arne Schwabe > Sent: Tuesday, August 25, 2020 2:10 PM > Am 25.08.20 um 00:15 schrieb Vladislav Grishenko: > > DNS SRV (rfc2782) support allows to use several Op

Re: [Openvpn-devel] [PATCH v4 2/2] Implement generating data channel keys via EKM/RFC 5705

2020-08-25 Thread tincanteksup
This sentence is badly constructed, so, use some grammar to help it read correctly: On 25/08/2020 08:36, Arne Schwabe wrote: + * When the client sends the IV_PROTO_TLS_KEY_EXPORT flag and the server replies + * with `key-derivation tls-ekm` the RFC5705 key material exporter with the + * labe

Re: [Openvpn-devel] [PATCH] Add DNS SRV host discovery support

2020-08-25 Thread Arne Schwabe
Am 25.08.20 um 00:15 schrieb Vladislav Grishenko: > DNS SRV (rfc2782) support allows to use several OpenVPN servers for a single > domain w/o explicit profile enumerating, to move services from host to host > with little fuss, and to designate some hosts as primary servers for a service > and other

[Openvpn-devel] [PATCH v4 2/2] Implement generating data channel keys via EKM/RFC 5705

2020-08-25 Thread Arne Schwabe
OpenVPN currently uses its own (based on TLS 1.0) key derivation mechanism to generate the 256 bytes key data in key2 struct that are then used to generate encryption/hmac/iv vectors. While this mechanism is still secure, it is not state of the art. Instead of modernising our own approach, th

[Openvpn-devel] [PATCH v4 1/2] Move openvpn specific key expansion into its own function

2020-08-25 Thread Arne Schwabe
This moves the OpenVPN-specific PRF into its own function and also simplifies the code a bit by passing tls_session directly instead of 5 of its fields. Patch v2: Rebase Patch v4: rewrite/fix comments, fix potential not initialised before goto issue Signed-off-by: Arne Schwabe --- src/op

Re: [Openvpn-devel] [PATCH] Adds client-auth-pending-extra management functionality.

2020-08-25 Thread Arne Schwabe
Am 25.08.20 um 01:58 schrieb Eric Thorpe: > Hi Arne, > >> - to avoid the 256 byte management limit and multiple commands use maybe >> the same approach as client-auth that allows a longer frame, you can >> still limit that to 1024. > To be clear here, it isn't so much the limitation of the managem