[Openvpn-devel] [PATCH v3 12/21] [OSSL 3.0] Allow loading of non default providers

2021-10-19 Thread Arne Schwabe
This allows OpenVPN to load non-default providers. This is mainly useful for loading the legacy provider with --provider legacy:default Signed-off-by: Arne Schwabe --- doc/man-sections/generic-options.rst | 10 ++ src/openvpn/crypto_backend.h | 7 +++ src/openvpn/crypto_mbed

[Openvpn-devel] [PATCH v3 20/21] Add macos OpenSSL 3.0 and ASAN builds

2021-10-19 Thread Arne Schwabe
Signed-off-by: Arne Schwabe --- .github/workflows/build.yaml | 28 +--- 1 file changed, 25 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 514ae66b2..d39ea8bfa 100644 --- a/.github/workflows/build.yaml +++ b/.gi

[Openvpn-devel] [PATCH v3 11/21] [OSSL 3.0] Use EVP_MD_get0_name instead of EVP_MD_name

2021-10-19 Thread Arne Schwabe
Use the new name for the function as it indicates with get0 the ownership of the returned value Signed-off-by: Arne Schwabe --- src/openvpn/crypto_openssl.c | 2 +- src/openvpn/openssl_compat.h | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/src/openvpn/crypto_openssl.c b/s

[Openvpn-devel] [PATCH v3 16/21] Add message when decoding PKCS12 file fails.

2021-10-19 Thread Arne Schwabe
Currently we never display the OpenSSL error stack when decoding a PKCS12 file fails. With LibreSSL defaulting to RC2-40-CBC, the failure might not be a wrong password but can actually be an unsupported encoding; seeing the error stack is really helpful (example from OpenSSL 3.0): error:0308010C:d

[Openvpn-devel] [PATCH v3 01/21] [OSSL 3.0] Use new EVP_MAC API for HMAC implementation

2021-10-19 Thread Arne Schwabe
The old API is deprecated in OpenSSL 3.0 and the new API does not yet exist in OpenSSL 1.1. Emulating the new API would be more complex than just having two implementations. So this switches to a new HMAC implementation for OpenSSL 3.0. Unfortunately the new API does not have an easy to reset an H

[Openvpn-devel] [PATCH v3 07/21] [OSSL 3.0] Remove DES key fixup code

2021-10-19 Thread Arne Schwabe
This code mainly sets the parity bits in the DES keys. As mbed TLS and OpenSSL already ignore these bits in the DES key and since DES is deprecated, remove this special DES code that is not even needed by the libraries. Signed-off-by: Arne Schwabe --- src/openvpn/crypto.c | 46 --

[Openvpn-devel] [PATCH v3 05/21] [OSSL 3.0] Use EVP_PKEY based API for loading DH keys

2021-10-19 Thread Arne Schwabe
OpenSSL 3.0 replaces the DH API with a generic EVP_KEY based API to load DH parameters. Signed-off-by: Arne Schwabe --- src/openvpn/ssl_openssl.c | 23 +-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c ind

[Openvpn-devel] [PATCH v3 17/21] Add small unit test for testing HMAC

2021-10-19 Thread Arne Schwabe
This just adds a very simple unit test to check that the HMAC implementation produces a well known hash. Signed-off-by: Arne Schwabe --- tests/unit_tests/openvpn/test_crypto.c | 61 +++--- 1 file changed, 54 insertions(+), 7 deletions(-) diff --git a/tests/unit_tests/openvpn

[Openvpn-devel] [PATCH v3 18/21] Fix error when BF-CBC is not available

2021-10-19 Thread Arne Schwabe
Through the multiple iterations of allowing OpenVPN to run without BF-CBC we accidentally made a regression and still required BF-CBC. This patch fixes the code path and restores its intended function. Signed-off-by: Arne Schwabe --- src/openvpn/options.c | 3 +++ 1 file changed, 3 insertions(+

[Openvpn-devel] [PATCH v3 03/21] [OSSL 3.0] Implement DES ECB encrypt via EVP_CIPHER api

2021-10-19 Thread Arne Schwabe
Even though DES is super outdated and also NTLM is super outdated, eliminating the warnings for OpenSSL 3.0 is still a step in the right direction and using the correct APIs. Signed-off-by: Arne Schwabe --- src/openvpn/crypto_openssl.c | 22 +++--- 1 file changed, 19 insertions(+

[Openvpn-devel] [PATCH v3 21/21] Always use 8192 bytes for ERR_BUF_SIZE

2021-10-19 Thread Arne Schwabe
The signature messages required by external key management also break the 1280 limit. To also avoid this surprise of different behaviour with PKCS11 enabled/disabled, always use the larger size. Signed-off-by: Arne Schwabe --- src/openvpn/error.h | 6 +- 1 file changed, 1 insertion(+), 5 deletio

[Openvpn-devel] [PATCH v3 14/21] [OSSL 3.0] Use TYPE_do_all_provided function for listing cipher/digest

2021-10-19 Thread Arne Schwabe
With OpenSSL 3.0 the use of nid values is deprecated and new algorithms do not even have NID values anymore. This also works nicely with providers now: openvpn --provider legacy:default --show-ciphers shows more ciphers (e.g. BF-CBC) than just openvpn --show-ciphers when compiled with Op

[Openvpn-devel] [PATCH v3 10/21] [OSSL 3.0] Replace EVP_get_cipherbyname with EVP_CIPHER_fetch

2021-10-19 Thread Arne Schwabe
In OpenSSL 3.0 EVP_get_cipherbyname returns a non-NULL algorithm even if the algorithm is not available with the currently available provider. Luckily EVP_get_cipherbyname can be used here as a drop-in replacement and returns only non-NULL if the algorithm is actually currently supported. Signed-off-

[Openvpn-devel] [PATCH v3 00/21] OpenSSL 3.0 improvements for OpenVPN

2021-10-19 Thread Arne Schwabe
This patchset removes almost all deprecation warnings from OpenVPN that are related to OpenSSL 3.0. The patchset has already been tested with users and OpenSSL 3.0 as part of my OpenVPN for Android client. Some patches also improve interaction with new features of OpenSSL 3.0, mainly with providers.

[Openvpn-devel] [PATCH v3 13/21] [OSSL 3.0] Remove dependency on BF-CBC existence from test_ncp

2021-10-19 Thread Arne Schwabe
The test_check_ncp_ciphers_list test assumed that BF-CBC is always available, which is no longer the case with OpenSSL 3.0. Rewrite the test to not rely on BF-CBC to be available. Signed-off-by: Arne Schwabe --- tests/unit_tests/openvpn/test_ncp.c | 13 ++--- 1 file changed, 10 insertion

[Openvpn-devel] [PATCH v3 04/21] [OSSL 3.0] Remove DES check with OpenSSL 3.0

2021-10-19 Thread Arne Schwabe
DES is very deprecated and accidentally getting one of the 16 insecure keys that OpenSSL checks is extremely unlikely, so we no longer use the deprecated functions without replacement in OpenSSL 3.0. Signed-off-by: Arne Schwabe --- src/openvpn/crypto_openssl.c | 8 1 file changed, 8 ins

[Openvpn-devel] [PATCH v3 02/21] [OSSL 3.0] Add --with-openssl-engine autoconf option (auto|yes|no)

2021-10-19 Thread Arne Schwabe
This allows selecting engine support at configure time. For OpenSSL 1.1 the default is not changed and we detect if engine support is available. Engine support is deprecated in OpenSSL 3.0 and for OpenSSL 3.0 the default is to disable engine support as engine support is deprecated and generates co

[Openvpn-devel] [PATCH v3 09/21] Refactor early initialisation and uninitialisation into methods

2021-10-19 Thread Arne Schwabe
This puts the early initialisation and uninitialisation that needs to happen between option parsing and post processing into small methods. Signed-off-by: Arne Schwabe --- src/openvpn/openvpn.c | 23 ++- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/src/openvp

[Openvpn-devel] [PATCH v3 15/21] [OSSL 3.0] Do not allow CTS ciphers

2021-10-19 Thread Arne Schwabe
We do not support CTS (ciphertext stealing) algorithms. Signed-off-by: Arne Schwabe --- src/openvpn/crypto_openssl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index ab552efab..ac8287440 100644 --- a/src/openvpn/

[Openvpn-devel] [PATCH v3 19/21] Add insecure tls-cert-profile options

2021-10-19 Thread Arne Schwabe
The recent deprecation of SHA1 certificates in OpenSSL 3.0 makes it necessary to re-allow them in certain deployments. Currently this works by using the hack of using tls-cipher "DEFAULT:@SECLEVEL=0". Add insecure as an option to tls-cert-profile to allow setting a seclevel of 0. Signed-off-by: Arne S

[Openvpn-devel] [PATCH v3 06/21] [OSSL 3.0] Deprecate --ecdh-curve with OpenSSL 3.0 and adjust mbed TLS message

2021-10-19 Thread Arne Schwabe
OpenSSL 3.0 deprecates SSL_CTX_set_tmp_ecdh() in favour of SSL_CTX_set1_groups(3). We already support SSL_CTX_set1_groups using --tls-groups. Adjust both mbed TLS and OpenSSL 3.0 to say that --ecdh-curve is ignored and --tls-groups should be used. Signed-off-by: Arne Schwabe --- src/open

[Openvpn-devel] [PATCH v3 08/21] [OSSL 3.0] Use EVP_PKEY_get_group_name to query group name

2021-10-19 Thread Arne Schwabe
EC_Key methods are deprecated in OpenSSL 3.0. Use EVP_PKEY_get_group_name instead to query the EC group name from an EVP_PKEY and add a compatibility function for older OpenSSL versions. Signed-off-by: Arne Schwabe --- src/openvpn/openssl_compat.h | 42 src/o

Re: [Openvpn-devel] [PATCH v2 00/20] OpenSSL 3.0 improvements for OpenVPN

2021-10-19 Thread Arne Schwabe
On 19.10.21 at 20:23 Arne Schwabe wrote: > This patchset removes almost all deprecation warnings from OpenVPN that > related to OpenSSL 3.0. The patchset has already been tested with users > and OpenSSL 3.0 as part of my OpenVPN for Android client. I somehow managed to most patches twice and no

[Openvpn-devel] [PATCH v2 20/20] Add macos OpenSSL 3.0 and ASAN builds

2021-10-19 Thread Arne Schwabe
Signed-off-by: Arne Schwabe --- .github/workflows/build.yaml | 28 +--- 1 file changed, 25 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 514ae66b2..d39ea8bfa 100644 --- a/.github/workflows/build.yaml +++ b/.gi

[Openvpn-devel] [PATCH v2 14/20] [OSSL 3.0] Use TYPE_do_all_provided function for listing cipher/digest

2021-10-19 Thread Arne Schwabe
With OpenSSL 3.0 the use of nid values is deprecated and new algorithms do not even have NID values anymore. This also works nicely with providers now: openvpn --provider legacy:default --show-ciphers shows more ciphers (e.g. BF-CBC) than just openvpn --show-ciphers when compiled with Op

[Openvpn-devel] [PATCH v2 12/20] [OSSL 3.0] Allow loading of non default providers

2021-10-19 Thread Arne Schwabe
This allows OpenVPN to load non-default providers. This is mainly useful for loading the legacy provider with --provider legacy:default Signed-off-by: Arne Schwabe --- doc/man-sections/generic-options.rst | 10 ++ src/openvpn/crypto_backend.h | 7 +++ src/openvpn/crypto_mbed

[Openvpn-devel] [PATCH v2 15/20] [OSSL 3.0] Do not allow CTS ciphers

2021-10-19 Thread Arne Schwabe
We do not support CTS (ciphertext stealing) algorithms. Signed-off-by: Arne Schwabe --- src/openvpn/crypto_openssl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index ab552efab..ac8287440 100644 --- a/src/openvpn/

[Openvpn-devel] [PATCH v2 17/20] Add small unit test for testing HMAC

2021-10-19 Thread Arne Schwabe
This just adds a very simple unit test to check that the HMAC implementation produces a well known hash. Signed-off-by: Arne Schwabe --- tests/unit_tests/openvpn/test_crypto.c | 61 +++--- 1 file changed, 54 insertions(+), 7 deletions(-) diff --git a/tests/unit_tests/openvpn

[Openvpn-devel] [PATCH v2 04/20] [OSSL 3.0] Remove DES check with OpenSSL 3.0

2021-10-19 Thread Arne Schwabe
DES is very deprecated and accidentally getting one of the 16 insecure keys that OpenSSL checks is extremely unlikely, so we no longer use the deprecated functions without replacement in OpenSSL 3.0. Signed-off-by: Arne Schwabe --- src/openvpn/crypto_openssl.c | 8 1 file changed, 8 ins

[Openvpn-devel] [PATCH v2 08/20] [OSSL 3.0] Use EVP_PKEY_get_group_name to query group name

2021-10-19 Thread Arne Schwabe
EC_Key methods are deprecated in OpenSSL 3.0. Use EVP_PKEY_get_group_name instead to query the EC group name from an EVP_PKEY and add a compatibility function for older OpenSSL versions. Signed-off-by: Arne Schwabe --- src/openvpn/openssl_compat.h | 42 src/o

[Openvpn-devel] [PATCH v2 06/20] [OSSL 3.0] Deprecate --ecdh-curve with OpenSSL 3.0 and adjust mbed TLS message

2021-10-19 Thread Arne Schwabe
OpenSSL 3.0 deprecates SSL_CTX_set_tmp_ecdh() in favour of SSL_CTX_set1_groups(3). We already support SSL_CTX_set1_groups using --tls-groups. Adjust both mbed TLS and OpenSSL 3.0 to say that --ecdh-curve is ignored and --tls-groups should be used. Signed-off-by: Arne Schwabe --- src/open

[Openvpn-devel] [PATCH v2 02/16] [OSSL 3.0] Disable engine support for OpenSSL 3.0

2021-10-19 Thread Arne Schwabe
Engine support is deprecated in OpenSSL 3.0. No longer use the deprecated API when running with OpenSSL 3.0. Signed-off-by: Arne Schwabe --- configure.ac | 2 ++ src/openvpn/crypto_openssl.c | 13 +++-- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/config

[Openvpn-devel] [PATCH v2 01/20] [OSSL 3.0] Use new EVP_MAC API for HMAC implementation

2021-10-19 Thread Arne Schwabe
The old API is deprecated in OpenSSL 3.0 and the new API does not yet exist in OpenSSL 1.1. Emulating the new API would be more complex than just having two implementations. So this switches to a new HMAC implementation for OpenSSL 3.0. Unfortunately the new API does not have an easy to reset an H

[Openvpn-devel] [PATCH v2 12/16] [OSSL 3.0] Remove dependency on BF-CBC existence from test_ncp

2021-10-19 Thread Arne Schwabe
The test_check_ncp_ciphers_list test assumed that BF-CBC is always available, which is no longer the case with OpenSSL 3.0. Rewrite the test to not rely on BF-CBC to be available. Signed-off-by: Arne Schwabe --- tests/unit_tests/openvpn/test_ncp.c | 13 ++--- 1 file changed, 10 insertion

[Openvpn-devel] [PATCH v2 16/16] Add insecure tls-cert-profile options

2021-10-19 Thread Arne Schwabe
The recent deprecation of SHA1 certificates in OpenSSL 3.0 makes it necessary to re-allow them in certain deployments. Currently this works by using the hack of using tls-cipher "DEFAULT:@SECLEVEL=0". Add insecure as an option to tls-cert-profile to allow setting a seclevel of 0. Signed-off-by: Arne S

[Openvpn-devel] [PATCH v2 19/20] Add insecure tls-cert-profile options

2021-10-19 Thread Arne Schwabe
The recent deprecation of SHA1 certificates in OpenSSL 3.0 makes it necessary to re-allow them in certain deployments. Currently this works by using the hack of using tls-cipher "DEFAULT:@SECLEVEL=0". Add insecure as an option to tls-cert-profile to allow setting a seclevel of 0. Signed-off-by: Arne S

[Openvpn-devel] [PATCH v2 16/20] Add message when decoding PKCS12 file fails.

2021-10-19 Thread Arne Schwabe
Currently we never display the OpenSSL error stack when decoding a PKCS12 file fails. With LibreSSL defaulting to RC2-40-CBC, the failure might not be a wrong password but can actually be an unsupported encoding; seeing the error stack is really helpful (example from OpenSSL 3.0): error:0308010C:d

[Openvpn-devel] [PATCH v2 11/16] [OSSL 3.0] Allow loading of non default providers

2021-10-19 Thread Arne Schwabe
This allows OpenVPN to load non-default providers. This is mainly useful for loading the legacy provider with --provider legacy:default Signed-off-by: Arne Schwabe --- doc/man-sections/generic-options.rst | 10 ++ src/openvpn/crypto_backend.h | 7 +++ src/openvpn/crypto_mbed

[Openvpn-devel] [PATCH v2 02/20] [OSSL 3.0] Add --with-openssl-engine autoconf option (auto|yes|no)

2021-10-19 Thread Arne Schwabe
This allows selecting engine support at configure time. For OpenSSL 1.1 the default is not changed and we detect if engine support is available. Engine support is deprecated in OpenSSL 3.0 and for OpenSSL 3.0 the default is to disable engine support as engine support is deprecated and generates co

[Openvpn-devel] [PATCH v2 18/20] Fix error when BF-CBC is not available

2021-10-19 Thread Arne Schwabe
Through the multiple iterations of allowing OpenVPN to run without BF-CBC we accidentally made a regression and still required BF-CBC. This patch fixes the code path and restores its intended function. Signed-off-by: Arne Schwabe --- src/openvpn/options.c | 3 +++ 1 file changed, 3 insertions(+

[Openvpn-devel] [PATCH v2 10/20] [OSSL 3.0] Replace EVP_get_cipherbyname with EVP_CIPHER_fetch

2021-10-19 Thread Arne Schwabe
In OpenSSL 3.0 EVP_get_cipherbyname returns a non-NULL algorithm even if the algorithm is not available with the currently available provider. Luckily EVP_get_cipherbyname can be used here as a drop-in replacement and returns only non-NULL if the algorithm is actually currently supported. Signed-off-

[Openvpn-devel] [PATCH v2 15/16] Fix error when BF-CBC is not available

2021-10-19 Thread Arne Schwabe
Through the multiple iterations of allowing OpenVPN to run without BF-CBC we accidentally made a regression and still required BF-CBC. This patch fixes the code path and restores its intended function. Signed-off-by: Arne Schwabe --- src/openvpn/options.c | 3 +++ 1 file changed, 3 insertions(+

[Openvpn-devel] [PATCH v2 00/20] OpenSSL 3.0 improvements for OpenVPN

2021-10-19 Thread Arne Schwabe
This patchset removes almost all deprecation warnings from OpenVPN that are related to OpenSSL 3.0. The patchset has already been tested with users and OpenSSL 3.0 as part of my OpenVPN for Android client. Some patches also improve interaction with new features of OpenSSL 3.0, mainly with providers.

[Openvpn-devel] [PATCH v2 07/20] [OSSL 3.0] Remove DES key fixup code

2021-10-19 Thread Arne Schwabe
This code mainly sets the parity bits in the DES keys. As mbed TLS and OpenSSL already ignore these bits in the DES key and since DES is deprecated, remove this special DES code that is not even needed by the libraries. Signed-off-by: Arne Schwabe --- src/openvpn/crypto.c | 46 --

[Openvpn-devel] [PATCH v2 14/16] Add small unit test for testing HMAC

2021-10-19 Thread Arne Schwabe
This just adds a very simple unit test to check that the HMAC implementation produces a well known hash. Signed-off-by: Arne Schwabe --- tests/unit_tests/openvpn/test_crypto.c | 61 +++--- 1 file changed, 54 insertions(+), 7 deletions(-) diff --git a/tests/unit_tests/openvpn

[Openvpn-devel] [PATCH v2 09/20] Refactor early initialisation and uninitialisation into methods

2021-10-19 Thread Arne Schwabe
This puts the early initialisation and uninitialisation that needs to happen between option parsing and post processing into small methods. Signed-off-by: Arne Schwabe --- src/openvpn/openvpn.c | 23 ++- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/src/openvp

[Openvpn-devel] [PATCH v2 13/20] [OSSL 3.0] Remove dependency on BF-CBC existence from test_ncp

2021-10-19 Thread Arne Schwabe
The test_check_ncp_ciphers_list test assumed that BF-CBC is always available, which is no longer the case with OpenSSL 3.0. Rewrite the test to not rely on BF-CBC to be available. Signed-off-by: Arne Schwabe --- tests/unit_tests/openvpn/test_ncp.c | 13 ++--- 1 file changed, 10 insertion

[Openvpn-devel] [PATCH v2 11/20] [OSSL 3.0] Use EVP_MD_get0_name instead of EVP_MD_name

2021-10-19 Thread Arne Schwabe
Use the new name for the function as it indicates with get0 the ownership of the returned value Signed-off-by: Arne Schwabe --- src/openvpn/crypto_openssl.c | 2 +- src/openvpn/openssl_compat.h | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/src/openvpn/crypto_openssl.c b/s

[Openvpn-devel] [PATCH v2 13/16] Add message when decoding PKCS12 file fails.

2021-10-19 Thread Arne Schwabe
Currently we never display the OpenSSL error stack when decoding a PKCS12 file fails. With LibreSSL defaulting to RC2-40-CBC, the failure might not be a wrong password but can actually be an unsupported encoding; seeing the error stack is really helpful (example from OpenSSL 3.0): error:0308010C:d

[Openvpn-devel] [PATCH v2 05/20] [OSSL 3.0] Use EVP_PKEY based API for loading DH keys

2021-10-19 Thread Arne Schwabe
OpenSSL 3.0 replaces the DH API with a generic EVP_KEY based API to load DH parameters. Signed-off-by: Arne Schwabe --- src/openvpn/ssl_openssl.c | 23 +-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c ind

[Openvpn-devel] [PATCH v2 03/20] [OSSL 3.0] Implement DES ECB encrypt via EVP_CIPHER api

2021-10-19 Thread Arne Schwabe
Even though DES is super outdated and also NTLM is super outdated, eliminating the warnings for OpenSSL 3.0 is still a step in the right direction and using the correct APIs. Signed-off-by: Arne Schwabe --- src/openvpn/crypto_openssl.c | 22 +++--- 1 file changed, 19 insertions(+

[Openvpn-devel] [PATCH for 2.5] Require EC key support in Windows builds

2021-10-19 Thread selva . nair
From: Selva Nair Do not support the use of OPENSSL_NO_EC on Windows. We build Windows releases with EC key support enabled in OpenSSL and there is no reason to disable it in OpenVPN. ECDSA signature for cryptoapicert is handled only with OpenSSL 1.1.0 or later. That restriction is retained. Sa

Re: [Openvpn-devel] [PATCH applied] Re: Require EC key support in Windows builds

2021-10-19 Thread Arne Schwabe
On 19.10.21 at 17:47 Gert Doering wrote: > Acked-by: Gert Doering > > Now this one is straightforward, even I can ACK it :-) - this change is > good as it will avoid compile mishaps, and since we control what SSL > build we want to use on Windows, we can enforce "always EC!". Not sure > about

[Openvpn-devel] [PATCH applied] Re: Remove error injection into OpenSSL from cryptoapi.c

2021-10-19 Thread Gert Doering
I like patches that remove lots of #defines and make the rest easier to understand :-) - as for "does it work?", I leave that to Arne. GH at least tells me that it compiles fine. Your patch has been applied to the master branch. commit 6ad1fbce2bed1c5f8d2e29ab84f01b3939f8cca4 Author: Selva Nai

[Openvpn-devel] [PATCH applied] Re: Require EC key support in Windows builds

2021-10-19 Thread Gert Doering
Acked-by: Gert Doering Now this one is straightforward, even I can ACK it :-) - this change is good as it will avoid compile mishaps, and since we control what SSL build we want to use on Windows, we can enforce "always EC!". Not sure about other platforms (maybe the Software Museum has OpenSSL

[Openvpn-devel] [PATCH applied] Re: Require Windows CNG keys for cryptoapicert

2021-10-19 Thread Gert Doering
I have not tested this, as I have no cryptoapi-environment around (and especially no "old tokens"). I have test built with GH Actions and it succeeded both on MSVC and MinGW :-) Your patch has been applied to the master branch. commit 60c83cce885d2f89d0cc150b730b409538a59625 Author: Selva Nair D

[Openvpn-devel] [PATCH applied] Re: GitHub Actions: use latest working lukka/run-vcpkg

2021-10-19 Thread Gert Doering
Acked-by: Gert Doering Thanks. Tested, makes GH actions for MSVC work again. Your patch has been applied to the master branch. commit 93fadaa0268dbe81a8c7ad3e73b3d54a0cca8c9c Author: Lev Stipakov Date: Sat Oct 16 00:31:15 2021 +0300 GitHub Actions: use latest working lukka/run-vcpkg

[Openvpn-devel] [PATCH] GitHub Actions: use latest working lukka/run-vcpkg

2021-10-19 Thread Lev Stipakov
Latest lukka/run-vcpkg@v10 seems to break non-manifest mode with custom triplets, so revert to latest working version. While on it, bump vcpkg commit. Signed-off-by: Lev Stipakov --- .github/workflows/build.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/work

[Openvpn-devel] [PATCH] GitHub Actions: use latest working lukka/run-vcpkg

2021-10-19 Thread Lev Stipakov
From: Lev Stipakov Latest lukka/run-vcpkg@v10 seems to break non-manifest mode with custom triplets, so revert to latest working version. While on it, bump vcpkg commit. Signed-off-by: Lev Stipakov --- .github/workflows/build.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff

[Openvpn-devel] [PATCH applied] Re: GitHub Actions: use latest working lukka/run-vcpkg

2021-10-19 Thread Gert Doering
Acked-by: Gert Doering This is 2.5 only - tested via GH in my repo, before pushing to the official repo. I have no idea what it does, but it does not affect code... and it fixes the GH build errors we had before (so I can proceed with merging and test building Selva's win/EC patches). Your patc

[Openvpn-devel] [PATCH] GitHub Actions: use latest working lukka/run-vcpkg

2021-10-19 Thread Lev Stipakov
From: Lev Stipakov Latest lukka/run-vcpkg@v10 seems to break non-manifest mode with custom triplets, so revert to latest working version. While on it, bump vcpkg commit. Signed-off-by: Lev Stipakov --- .github/workflows/build.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff

Re: [Openvpn-devel] [PATCH applied] Re: contrib/vcpkg-ports: remove openssl port

2021-10-19 Thread Gert Doering
Hi, On Sun, Aug 01, 2021 at 07:41:25PM +0200, Gert Doering wrote: > Acked-by: Gert Doering > > Since we never wanted to maintain our own patch, this is welcome. > > I have left out the hunk to .github/workflows/build.yaml, as that has > been superseded by commit de8871f86db. > > (I have not te

Re: [Openvpn-devel] [PATCH 2/3] Remove error injection into OpenSSL from cryptoapi.c

2021-10-19 Thread Arne Schwabe
On 19.10.21 at 05:41 selva.n...@gmail.com wrote: > From: Selva Nair > > There is no advantage in injecting/redirecting errors into OpenSSL > as we can, and we do, report these directly using our own logging > functions. This code probably originated from CAPI engine where > such usage made sens

Re: [Openvpn-devel] [PATCH 1/3] Require Windows CNG keys for cryptoapicert

2021-10-19 Thread Arne Schwabe
On 19.10.21 at 05:41 selva.n...@gmail.com wrote: > From: Selva Nair > > Some legacy tokens do not have drivers compatible with > Windows Cryptography Next generation API (CNG) and require > the old CAPI interface. These also do not support anything > but RSA_PKCS1 signatures with MD5+SHA1 diges

[Openvpn-devel] [PATCH applied] Re: Fix some more wrong defines in config-msvc.h

2021-10-19 Thread Gert Doering
Thanks. As with the 2.5 patch, removed the DEBUG #define, and changed commit message to just refer to trac with "Trac: #1430" Your patch has been applied to the master branch. commit 077445d0d82128dc90e50043546d4a2d8647eb9c Author: Selva Nair Date: Fri Oct 15 13:53:30 2021 -0400 Fix some

[Openvpn-devel] [PATCH applied] Re: Fix some more wrong defines in config-msvc.h

2021-10-19 Thread Gert Doering
Thanks. I have adjusted the commit message ("should fix Trac #1430") and removed the #define ENABLE_DEBUG 0, as instructed. Your patch has been applied to the release/2.5 branch. commit c699c0d85cf2028796cdb0592271f1167709e6ac Author: Selva Nair Date: Fri Oct 15 14:47:33 2021 -0400 Fix s