[Openvpn-devel] OpenVPN 3 Linux client - v16 beta released

2021-10-20 Thread David Sommerseth
Hi, The OpenVPN 3 Linux v16 (beta) is now available. This release is mostly a bug-fix release with several known issues resolved and a few minor feature additions. Instructions on how to install OpenVPN 3 Linux can be found here: Noticeab

[Openvpn-devel] Summary of the community meeting (20th October 2021)

2021-10-20 Thread Samuli Seppänen
Hi, Here's the summary of the IRC meeting. --- COMMUNITY MEETING Place: #openvpn-meeting on libera.chat Date: Wed 20th October 2021 Time: 14:00 CET (12:00 UTC) Planned meeting topics for this meeting were here: Your local meetin

Re: [Openvpn-devel] [PATCH v3 03/21] [OSSL 3.0] Implement DES ECB encrypt via EVP_CIPHER api

2021-10-20 Thread Max Fillinger
On 19/10/2021 20:31, Arne Schwabe wrote: +if (!EVP_EncryptInit_ex(ctx, EVP_bf_ecb(), NULL, key, 0)) EVP_bf_ecb() is the Blowfish cipher, not DES.

Re: [Openvpn-devel] [PATCH v3 12/21] [OSSL 3.0] Allow loading of non default providers

2021-10-20 Thread Selva Nair
Hi, Not a code review but a general comment as this is a new option that warrants some discussion. On Tue, Oct 19, 2021 at 2:32 PM Arne Schwabe wrote: > This allows OpenVPN to load non-default providers. This is mainly > useful for loading the legacy provider with --provider legacy:default > W

Re: [Openvpn-devel] [PATCH v3 01/21] [OSSL 3.0] Use new EVP_MAC API for HMAC implementation

2021-10-20 Thread Max Fillinger
On 19/10/2021 20:31, Arne Schwabe wrote: The old API is deprecated in OpenSSL 3.0 and the new API does not yet exist in OpenSSL 1.1. Emulating the new API would be more complex than just having two implementations. So this switches to a new hmac implementation for OpenSSL 3.0. Unfortunately the

Re: [Openvpn-devel] [PATCH v3 02/21] [OSSL 3.0] Add --with-openssl-engine autoconf option (auto|yes|no)

2021-10-20 Thread Max Fillinger
On 19/10/2021 20:31, Arne Schwabe wrote: This allows selecting engine support at configure time. For OpenSSL 1.1 the default is not changed and we detect if engine support is available. Engine support is deprecated in OpenSSL 3.0 and for OpenSSL 3.0 the default is to disable engine support as en

Re: [Openvpn-devel] [PATCH v3 21/21] Always use 8192 bytes for ERR_BUF_SIZE

2021-10-20 Thread Selva Nair
Hi, On Tue, Oct 19, 2021 at 2:32 PM Arne Schwabe wrote: > The signature messages required by external key management also break > the 1280 limit. To also avoid this surprise of different behaviour > with PKCS11 enabled/disabled, always use the larger size. > This may be enough in most cases, but to

Re: [Openvpn-devel] [PATCH v3 03/21] [OSSL 3.0] Implement DES ECB encrypt via EVP_CIPHER api

2021-10-20 Thread Selva Nair
Hi, On Tue, Oct 19, 2021 at 2:32 PM Arne Schwabe wrote: > Even though DES is super outdated and also NTLM is super outdated, > eliminating the warnings for OpenSSL 3.0 is still a step in the right > direction and using the correct APIs. > > Signed-off-by: Arne Schwabe > --- > src/openvpn/crypt

Re: [Openvpn-devel] [PATCH v3 03/21] [OSSL 3.0] Implement DES ECB encrypt via EVP_CIPHER api

2021-10-20 Thread Gert Doering
Hi, On Thu, Oct 21, 2021 at 01:09:14AM -0400, Selva Nair wrote: > PS: can't we just get rid of the use of DES altogether? Is there a newer NTLM auth variant that does not use DES? Otherwise it's "keep NTLM auth => keep DES"... gert -- "If was one thing all people took for granted, was convict

[Openvpn-devel] [PATCH applied] Re: Add message when decoding PKCS12 file fails.

2021-10-20 Thread Gert Doering
Acked-by: Gert Doering "That was an easy one" :-) - error reporting is always useful, and the code change is trivial enough. Tested with "wrong password" only, which now prints: 2021-10-21 08:24:01 OpenSSL: error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure 2021-10-21 08:24:01 Open

[Openvpn-devel] [PATCH applied] Re: Add small unit test for testing HMAC

2021-10-20 Thread Gert Doering
Acked-by: Gert Doering Unit tests are good :-) - tested with OpenSSL 1.1.1 and mbedTLS builds [==] Running 4 test(s). [ RUN ] crypto_pem_encode_decode_loopback [ OK ] crypto_pem_encode_decode_loopback [ RUN ] crypto_translate_cipher_names [ OK ] crypto_translate_cip