[Openvpn-devel] [PATCH v2] Fix console prompts with redirected log

2021-06-24 Thread Lev Stipakov
From: Lev Stipakov When openvpn needs to prompt user for a password (for example, to set management interface password), the prompt is written to standard error device. When log is redirected to a file, that prompt is written to that file and not to the "original" stderr. Moreover, on recent Insi

[Openvpn-devel] [PATCH applied] Re: Move auth_token_state from multi to key_state

2021-06-24 Thread Gert Doering
Your patch has been applied to the master branch. I did some stare-at-code and testing of my own, and most of this patch is fairly straightforward - it's only that long because the auth-token-test module is really extensive, and due to the pointer change, lots of lines change. Also tested with th

[Openvpn-devel] [PATCH] Ensure tls session is authenticated before sending push reply

2021-06-24 Thread Arne Schwabe
We ensure here that the tls session is authenticated before sending a push_reply. This is a part of the fix for CVE-2020-15078 in the master branch. --- src/openvpn/push.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/openvpn/push.c b/src/openvpn/push.c index b6f1252d2..b27f401

[Openvpn-devel] [PATCH applied] Re: Add connection_established as state in tls_multi->context_auth

2021-06-24 Thread Gert Doering
Stared at the patch, seems to make sense. Tested on the t_server test rig, and behaves nicely - both alone, and together with 4/9 (the final patch needed to fix the CVE). Test rig has p2mp and p2p servers. Client tests also succeeded (unsurprisingly). As discussed on IRC, added references to C

[Openvpn-devel] [PATCH applied] Re: Make waiting on auth an explicit state in the context state machine

2021-06-24 Thread Gert Doering
Stared at the code a bit, discussed on IRC about "what state does what?" - so this new state is "TLS is ok, waiting for (deferred) authentication" and CAS_PENDING* is "waiting for (deferred) *client-connect* things" - which MUST NOT run before authentication is finished (= CVE...). With that exp

[Openvpn-devel] [PATCH applied] Re: Ensure tls session is authenticated before sending push reply

2021-06-24 Thread Gert Doering
Acked-by: Gert Doering For whatever reason, this particular code path escaped previous patches, so now it's fixed as well. And verified - even with the previous 3 patches (and I was sure I had seen it fixed!) sometimes I hit the "PUSH_REPLY sent too fast" thing. Now, gone. Not tested on the c

[Openvpn-devel] [PATCH applied] Re: Add error reporting to get_console_input_win32().

2021-06-24 Thread Gert Doering
Your patch has been applied to the master and release/2.5 branch (bugfix). commit 8f283648d90799683d9e8f58ca4776ae1e893fd8 (master) commit b6012d80a198b5d7e8c2f399b92a1299c660a326 (release/2.5) Author: Gert Doering Date: Fri Jun 18 20:12:46 2021 +0200 Add error reporting to get_console_inp

Re: [Openvpn-devel] [PATCH v2] Fix console prompts with redirected log

2021-06-24 Thread Gert Doering
Hi, On Thu, Jun 24, 2021 at 11:39:18AM +0300, Lev Stipakov wrote: > From: Lev Stipakov > > When openvpn needs to prompt user for a password > (for example, to set management interface password), > the prompt is written to standard error device. > > When log is redirected to a file, that prompt i