Re: [Openvpn-devel] [PATCH] Use SHA256 for the internal digest, instead of MD5

2017-01-22 Thread Steffan Karger
Hi, On 20-01-17 23:01, David Sommerseth wrote: > This actually tries to revert commit ec4dff3bbdcc9fedf7844 ... which is > quite surprising. > > [...snip...] > > And this too is also a revert of the same commit as above. > > Had it been just a simple rebase, I'd be willing to tackle that > on-t

[Openvpn-devel] [PATCH v2] Use SHA256 for the internal digest, instead of MD5

2017-01-22 Thread Steffan Karger
'SHA256' not found". Signed-off-by: Steffan Karger --- v2: fix rebase error that erroneously reverted commit ec4dff3b src/openvpn/crypto.h | 6 +++--- src/openvpn/crypto_mbedtls.h | 1 + src/openvpn/crypto_openssl.h | 1 + src/openvpn/init.c | 10 +

Re: [Openvpn-devel] [PATCH v5] convert *_inline attributes to bool

2017-01-22 Thread Steffan Karger
Hi, One more real comment and two nitpicks: On 15-01-17 15:43, Antonio Quartulli wrote: > @@ -3233,39 +3258,63 @@ options_postprocess_filechecks(struct options > *options) > > [...] > > +errs |= check_file_access_inline(options->cert_file_inline, CHKACC_FILE, > +

Re: [Openvpn-devel] [PATCH] git: Merge .gitignore files into a single file

2017-01-22 Thread Steffan Karger
Hi, On 20 January 2017 at 22:04, David Sommerseth wrote: > We already track a lot of files over the whole directory structure > in the main .gitignore file. But a few additional ones had been > added into some of the subdirectories. > > This unifies all these files into a master file for the who

[Openvpn-devel] [PATCH] Allow changing cipher from a ccd file

2017-01-24 Thread Steffan Karger
ipher to use for poor man's NCP. This patch allows working around that issue by allowing the 'cipher' directive to be used in --client-config-dir files. That way, a server admin can add ccd files to specify per-client which cipher to use. Signed-off-by: Steffan Karger --- src/openvp

Re: [Openvpn-devel] [PATCH] Fix building with LibreSSL 2.5.1 by cleaning a hack.

2017-02-08 Thread Steffan Karger
Hi, On 06-02-17 20:18, Olivier W wrote: > Should be compatible with all versions of OpenSSL and LibreSSL. > Similar to what is done in curl: > https://github.com/curl/curl/blob/028391df5d84d9fae3433afdee9261d565900355/lib/vtls/openssl.c#L603-L619 > > Error while compiling was: > "ssl_openssl.c:51

Re: [Openvpn-devel] [PATCH] Fix building with LibreSSL 2.5.1 by cleaning a hack.

2017-02-08 Thread Steffan Karger
Hi, On 07-02-17 09:45, Илья Шипицин wrote: > I have a question (sorry if I couldn't check myself): did you check that > SSL_get_privatekey() and SSL_free() won't crash when ssl is NULL ? > > what if we involve clang static analyzer for such things ? can we count > on it ? > > it is capab

Re: [Openvpn-devel] [PATCH] Fix building with LibreSSL 2.5.1 by cleaning a hack.

2017-02-10 Thread Steffan Karger
Hi, On 09-02-17 21:04, Olivier W wrote: > Hello, > Please find the new version of the patch. > > So, I added back the comment I had removed and new versions of OpenSSL > will use SSL_CTX_get0_privatekey() instead of SSL_new() + > SSL_get_privatekey() + SSL_free(). > > It successfully compile wit

Re: [Openvpn-devel] [PATCH] Fix building with LibreSSL 2.5.1 by cleaning a hack. Similar to what is done in curl: https://github.com/curl/curl/blob/028391df5d84d9fae3433afdee9261d565900355/lib/vtls/op

2017-02-14 Thread Steffan Karger
Hi, On 13-02-17 19:38, O2 Graphics wrote: > Use SSL_CTX_get0_privatekey() for OpenSSL >= 1.0.2 > > Signed-off-by: Olivier Wahrenberger > --- > src/openvpn/ssl_openssl.c | 14 +++--- > 1 file changed, 11 insertions(+), 3 deletions(-) > > diff --git a/src/openvpn/ssl_openssl.c b/src/open

Re: [Openvpn-devel] [PATCH] Feedback wanted: proof-of-concept recvmmsg() support

2017-02-17 Thread Steffan Karger
Hi David, Thanks for the comments. On 25-01-17 18:25, David Sommerseth wrote: > First of all, not all kernels carry these system calls, I believe they > were added in some of the 3.x kernels - but, IIRC, it has been > backported to at least the RHEL6 2.6.32 kernels. My memory is scarce > about t

[Openvpn-devel] [PATCH v2] Allow changing cipher from a ccd file

2017-02-17 Thread Steffan Karger
we would normally generate keys, this patch delays key generation for non-NCP p2mp servers until after reading the ccd file. Trac: #845 Signed-off-by: Steffan Karger --- v2: postpone p2mp non-NCP key generation, such that setting cipher in a ccd file for a non-NCP client actually work

Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

2017-02-19 Thread Steffan Karger
Hi Emmanuel, On 17-02-17 23:00, log...@free.fr wrote: > From: Emmanuel Deloget > > The purpose of this RFC series is to make the latest master of OpenVPN > (2.5-git) linkable with OpenSSL v1.1.x. It may not be complete (I may > have missed something due to my work environment, but any missing pi

Re: [Openvpn-devel] [RFC PATCH v1 14/15] OpenSSL: check for the SSL reason, not the full error

2017-02-19 Thread Steffan Karger
Hi, On 17-02-17 23:00, log...@free.fr wrote: > From: Emmanuel Deloget > > OpenSSL 1.1 changed the SSLv3 API and removed many SSL_L_SSL3_* > constants. Moreover, new code might use different function > code for the same error. > > Thus, we extract the error reason from the error code before > we

Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

2017-02-19 Thread Steffan Karger
On 19-02-17 15:58, David Sommerseth wrote: > On 19/02/17 13:03, Steffan Karger wrote: > >> As discussed in other threads, we do want to support building on RHEL6, >> which is why we would prefer to be compatible with (patched) OpenSSL >> 0.9.8. I haven't tested any

[Openvpn-devel] [PATCH] Fix segfault when using crypto lib without AES-256-CTR or SHA256

2017-02-21 Thread Steffan Karger
Hi, The attached patch from trac #825 fixes a silly bug in my --tls-crypt code. I already confirmed this in trac, but now also on the list: ACK to the attached patch. -Steffan From d97f526a2ddbf2abe60a64260601ebd742fc00cc Mon Sep 17 00:00:00 2001 From: "Simon (simix)" Date: Tue, 21 Feb 2017 2

Re: [Openvpn-devel] [RFC PATCH v1 09/15] OpenSSL: don't use direct access to the internal of X509_STORE_CTX

2017-02-21 Thread Steffan Karger
Hi, On 17-02-17 23:00, log...@free.fr wrote: > From: Emmanuel Deloget > > OpenSSL 1.1 does not allow us to directly access the internal of > any data type, including X509_STORE_CTX. We have to use the defined > functions to do so. > > Fortunately, these functions have existed since the dawn of

Re: [Openvpn-devel] [PATCH] Fix segfault when using crypto lib without AES-256-CTR or SHA256

2017-02-21 Thread Steffan Karger
Hi, On 21-02-17 22:12, Gert Doering wrote: > On Tue, Feb 21, 2017 at 08:42:57PM +0100, Steffan Karger wrote: >> ACK to the attached patch. > >> >From d97f526a2ddbf2abe60a64260601ebd742fc00cc Mon Sep 17 00:00:00 2001 >> From: "Simon (simix)" > > All pr

Re: [Openvpn-devel] [PATCH] Fix segfault when using crypto lib without AES-256-CTR or SHA256

2017-02-22 Thread Steffan Karger
On 22-02-17 08:39, Gert Doering wrote: > On Wed, Feb 22, 2017 at 02:21:35AM +0100, David Sommerseth wrote: >From d97f526a2ddbf2abe60a64260601ebd742fc00cc Mon Sep 17 00:00:00 2001 From: "Simon (simix)" >>> >>> Do we have a policy how to handle patches with missing author info? >> >> I see

Re: [Openvpn-devel] [RFC PATCH v1 09/15] OpenSSL: don't use direct access to the internal of X509_STORE_CTX

2017-02-22 Thread Steffan Karger
On 22 February 2017 at 15:47, Christian Hesse wrote: > Steffan Karger on Tue, 2017/02/21 22:30: >> ACK. Changes look good and tested against OpenSSL 0.9.8, 1.0.0, 1.0.1 >> and 1.0.2. > > You answered to a patch in the middle of a series. Does this ACK apply to the > comp

Re: [Openvpn-devel] [RFC PATCH v1 01/15] OpenSSL: don't use direct access to the internal of SSL_CTX

2017-02-22 Thread Steffan Karger
On 17-02-17 23:00, log...@free.fr wrote: > From: Emmanuel Deloget > > OpenSSL 1.1 does not allow us to directly access the internal of > any data type, including SSL_CTX. We have to use the defined functions > to do so. > > Compatibility with OpenSSL 1.0 is kept by defining the corresponding >

Re: [Openvpn-devel] [RFC PATCH v1 02/15] OpenSSL: don't use direct access to the internal of X509_STORE

2017-02-22 Thread Steffan Karger
On 17-02-17 23:00, log...@free.fr wrote: > From: Emmanuel Deloget > > OpenSSL 1.1 does not allow us to directly access the internal of > any data type, including X509_STORE. We have to use the defined functions > to do so. > > Compatibility with OpenSSL 1.0 is kept by defining the correspondin

Re: [Openvpn-devel] [RFC PATCH v1 03/15] OpenSSL: don't use direct access to the internal of X509_OBJECT

2017-02-22 Thread Steffan Karger
On 17-02-17 23:00, log...@free.fr wrote: > From: Emmanuel Deloget > > OpenSSL 1.1 does not allow us to directly access the internal of > any data type, including X509_OBJECT. We have to use the defined > functions to do so. > > Compatibility with OpenSSL 1.0 is kept by defining the correspondi

Re: [Openvpn-devel] [RFC PATCH v1 04/15] OpenSSL: don't use direct access to the internal of RSA_METHOD

2017-02-22 Thread Steffan Karger
Hi, On 17-02-17 23:00, log...@free.fr wrote: > From: Emmanuel Deloget > > OpenSSL 1.1 does not allow us to directly access the internal of > any data type, including RSA_METHOD. We have to use the defined > functions to do so. > > Compatibility with OpenSSL 1.0 is kept by defining the correspon

Re: [Openvpn-devel] Should we use mbedTLS certificate profiles?

2017-02-23 Thread Steffan Karger
Hi James, On 22-02-17 19:48, James Yonan wrote: > mbedTLS 2 has a new feature that allows rejection of certificates if the > key size is too small or the signing hash is weak. > > The feature is controlled via struct mbedtls_x509_crt_profile. > > For example, you could specify that certificates

Re: [Openvpn-devel] [PATCH] Add openssl_compat.h to openvpn_SOURCES

2017-02-23 Thread Steffan Karger
On 23-02-17 09:49, Gert Doering wrote: > Commit b936ddfb63 introduced a new header file but forgot to include > it in the list of openvpn_SOURCES, so it did not get bundled in the > generated tarballs. > > Signed-off-by: Gert Doering > --- > src/openvpn/Makefile.am | 1 + > 1 file changed, 1 ins

Re: [Openvpn-devel] [RFC PATCH v1 01/15] OpenSSL: don't use direct access to the internal of SSL_CTX

2017-02-23 Thread Steffan Karger
On 23-02-17 10:31, Emmanuel Deloget wrote: >>> - configure.ac does something to CentOS 6 / RHEL 6 which makes configure >>>explode: >>> >>> ... >>> checking for linux/if_tun.h... yes >>> checking tap-windows.h usability... no >>> checking tap-windows.h presence... no >>> checking for tap-windo

[Openvpn-devel] [PATCH] OpenSSL: 1.1 fallout - fix configure on old autoconf

2017-02-23 Thread Steffan Karger
Older versions of autoconf generate an empty "else fi" block for empty fields in an AC_CHECK_FUNCS() macro. This breaks on e.g. RHEL6. Signed-off-by: Steffan Karger --- configure.ac | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac ind

Re: [Openvpn-devel] Should we use mbedTLS certificate profiles?

2017-02-24 Thread Steffan Karger
On 23-02-17 22:41, James Yonan wrote: > On 23/02/2017 01:22, Steffan Karger wrote: >> On 22-02-17 19:48, James Yonan wrote: >>> mbedTLS 2 has a new feature that allows rejection of certificates if the >>> key size is too small or the signing hash is weak. >>>

Re: [Openvpn-devel] [PATCH] Fix "--dev null"

2017-02-24 Thread Steffan Karger
Hi, On 24-02-17 14:52, Gert Doering wrote: > To test whether a server is reachable and all the key handling is > right, openvpn can connect with "--dev null --ifconfig-noexec" to > avoid needing to the client with elevated privileges. > > This was erroring out for no good reason (because the "set

Re: [Openvpn-devel] Should we use mbedTLS certificate profiles?

2017-02-24 Thread Steffan Karger
Hi, On 24-02-17 22:28, James Yonan wrote: > On 24/02/2017 02:40, Steffan Karger wrote: >> On 23-02-17 22:41, James Yonan wrote: >>> On 23/02/2017 01:22, Steffan Karger wrote: >>>> On 22-02-17 19:48, James Yonan wrote: >>>>> mbedTLS 2 has a new feature

Re: [Openvpn-devel] Should we use mbedTLS certificate profiles?

2017-02-25 Thread Steffan Karger
On 25-02-17 07:04, James Yonan wrote: > On 24/02/2017 16:10, Steffan Karger wrote: >> On 24-02-17 22:28, James Yonan wrote: >>> On 24/02/2017 02:40, Steffan Karger wrote: >>>> On 23-02-17 22:41, James Yonan wrote: >>>>> On 23/02/2017 01:22, Steffan

Re: [Openvpn-devel] [PATCH] travis-ci: add "make distcheck" to test scenario

2017-02-25 Thread Steffan Karger
Hi, On 23-02-17 19:22, Ilya Shipitsin wrote: > in rare cases openvpn is built from tarball, it happens during "installer > build" > process. "make distcheck" helps to prevent problems during such builds. > > Signed-off-by: Ilya Shipitsin > --- > .travis.yml | 1 + > 1 file changed, 1 insertion

Re: [Openvpn-devel] [PATCH] travis-ci: add "make distcheck" to test scenario, V2

2017-02-26 Thread Steffan Karger
On 25-02-17 19:00, Ilya Shipitsin wrote: > in rare cases openvpn is built from tarball, it happens during "installer > build" > process. "make distcheck" helps to prevent problems during such builds. > > V2: limit "make distcheck" to one build configuration > Signed-off-by: Ilya Shipitsin > --

Re: [Openvpn-devel] Should we use mbedTLS certificate profiles?

2017-02-28 Thread Steffan Karger
On 28-02-17 06:09, James Yonan wrote: > On 27/02/2017 18:18, David Sommerseth wrote: > >> On 27/02/17 23:06, James Yonan wrote: >>> On 25/02/2017 08:40, Steffan Karger wrote: >> [...snip...] >>>> I'd say so. Something like: >>>> >>

Re: [Openvpn-devel] [PATCH v3 04/15] OpenSSL: don't use direct access to the internal of RSA_METHOD

2017-03-02 Thread Steffan Karger
Hi, On 23-02-17 15:35, Emmanuel Deloget wrote: > OpenSSL 1.1 does not allow us to directly access the internal of > any data type, including RSA_METHOD. We have to use the defined > functions to do so. > > Compatibility with OpenSSL 1.0 is kept by defining the corresponding > functions when they

Re: [Openvpn-devel] [RFC PATCH v1 05/15] OpenSSL: don't use direct access to the internal of X509

2017-03-02 Thread Steffan Karger
Hi, On 17-02-17 23:00, log...@free.fr wrote: > From: Emmanuel Deloget > > OpenSSL 1.1 does not allow us to directly access the internal of > any data type, including X509. We have to use the defined > functions to do so. > > In x509_verify_ns_cert_type() in particular, this means that we > cann

Re: [Openvpn-devel] [RFC PATCH v1 13/15] OpenSSL: SSLeay symbols are no longer available in OpenSSL 1.1

2017-03-02 Thread Steffan Karger
Hi, On 17-02-17 23:00, log...@free.fr wrote: > From: Emmanuel Deloget > > The old symbols do not exist anymore but the library gained new > equivalent symbols (OSSL). Use them instead of the old ones > > Signed-off-by: Emmanuel Deloget > --- > src/openvpn/openssl_compat.h | 5 + > src/ope

Re: [Openvpn-devel] [RFC PATCH v2 15/15] OpenSSL: use EVP_CipherInit_ex() instead of EVP_CipherInit()

2017-03-02 Thread Steffan Karger
Hi, On 20-02-17 15:32, Emmanuel Deloget wrote: > The behavior of EVP_CipherInit() changed in OpenSSL 1.1 -- instead > of clearing the context when the cipher parameter was !NULL, it now > clears the context unconditionally. As a result, subsequent calls > to the function with additional informatio

Re: [Openvpn-devel] [RFC PATCH v1 05/15] OpenSSL: don't use direct access to the internal of X509

2017-03-04 Thread Steffan Karger
Hi, On 02-03-17 22:26, Gert Doering wrote: > On Thu, Mar 02, 2017 at 09:36:32PM +0100, Steffan Karger wrote: >> So, what I propose instead is: >> * remove all the nsCertType code (except the option in add_option()) >> * update the help strings and man page to indicate that

[Openvpn-devel] [PATCH] Deprecate --ns-cert-type

2017-03-04 Thread Steffan Karger
. Since we want to be able to migrate to OpenSSL 1.1, we should deprecate this option immediately. Signed-off-by: Steffan Karger --- Changes.rst | 13 +++-- doc/openvpn.8| 8 ++-- src/openvpn/init.c | 4 src/openvpn/options.c| 4 ++-- tests

Re: [Openvpn-devel] [PATCH applied] Re: OpenSSL: don't use direct access to the internal of RSA_METHOD

2017-03-05 Thread Steffan Karger
On 05-03-17 10:53, Gert Doering wrote: > Small side note: I assume that RSA_meth_new() can fail and return NULL > in OpenSSL 1.1? Because for 1.0, the "check_malloc_return(rsa_meth)" call > isn't necessary, as ALLOC_OBJ_CLEAR() would call ALLOC_OBJ() and that > already checks... (mentioning thi

Re: [Openvpn-devel] could be gitlab-ci an alternative to buildbot cloud?

2017-03-05 Thread Steffan Karger
Hi, On 05-03-17 15:25, Илья Шипицин wrote: > there was some buzz related to improvement of testing system, like > patchwork. > we tried gitlab-ci on our internal project, it looks very promising. > > since openvpn is already hosted on gitlab.com, > there's a possibility of >

[Openvpn-devel] [PATCH] Remove duplicate X509 env variables

2017-03-09 Thread Steffan Karger
variables from piling up, this commit removes any old X509 env variables if we start negotiating a new TLS session. Trac: #854 Signed-off-by: Steffan Karger --- src/openvpn/ssl.c| 3 +++ src/openvpn/ssl_verify.c | 17 + src/openvpn/ssl_verify.h | 3 +++ 3 files changed, 23

[Openvpn-devel] [PATCH] Fix types in WIN32 socket_listen_accept()

2017-03-09 Thread Steffan Karger
. Signed-off-by: Steffan Karger --- src/openvpn/socket.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index 6aa2e6d..672634a 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -1146,7 +1146,7 @@ tcp_connection_established

[Openvpn-devel] [PATCH] Fix windows-specific format specifiers

2017-03-09 Thread Steffan Karger
A number of printf-like functions in windows-specific code used incorrect format specifiers, which could potentially lead to incorrect values being printed. Signed-off-by: Steffan Karger --- src/openvpn/route.c | 12 ++-- src/openvpn/socket.c | 6 +++--- src/openvpn/tun.c| 4

Re: [Openvpn-devel] [PATCH] Fix windows-specific format specifiers

2017-03-09 Thread Steffan Karger
On 09-03-17 13:23, Steffan Karger wrote: > A number of printf-like functions in windows-specific code used incorrect > format specifiers, which could potentially lead to incorrect values being > printed. Hm, some of these are not windows-specific, and cause problems for non-windo

[Openvpn-devel] [PATCH v2] Fix windows-build format specifiers

2017-03-09 Thread Steffan Karger
A number of printf-like functions used incorrect format specifiers for Windows builds, which could potentially lead to incorrect values being printed / used when calling executables. Signed-off-by: Steffan Karger --- v2: add OVPN_PRI_SKT define to print socket type across platforms src/openvpn

Re: [Openvpn-devel] [PATCH v2] Fix windows-build format specifiers

2017-03-09 Thread Steffan Karger
On 09-03-17 15:20, Antonio Quartulli wrote: > On Thu, Mar 09, 2017 at 03:00:43PM +0100, Steffan Karger wrote: >> A number of printf-like functions used incorrect format specifiers for >> Windows builds, which could potentially lead to incorrect values being >> printe

Re: [Openvpn-devel] [PATCH] travis-ci: remove unused files

2017-03-11 Thread Steffan Karger
On 05-03-17 18:21, Ilya Shipitsin wrote: > Those files were committed by mistake. I implemented building > dependencies in 4 separate scripts, later Steffan Karger combined > all 4 scripts into "build-deps.sh". > > Signed-off-by: Ilya Shipitsin > --- > .tra

[Openvpn-devel] [PATCH] Be less picky about keyUsage extensions

2017-03-15 Thread Steffan Karger
y if it is present. So this still enforces a correct keyUsage, but is a bit less picky about certificates that do not exactly match expectations. This patch should be applied together with the 'deprecate --ns-cert-type' patch I sent earlier. Signed-off-by: Steffan Karg

Re: [Openvpn-devel] [PATCH] Fix Building Using MSVC

2017-03-15 Thread Steffan Karger
Hi, On 15-03-17 22:00, Gert Doering wrote: > On Tue, Mar 14, 2017 at 09:26:52AM +1100, Eric Thorpe wrote: >> #ifdef HAVE_CONFIG_MSVC_LOCAL_H >> #include >> diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c >> index 5549d70..bed39f3 100644 >> --- a/src/openvpn/crypto_ope

[Openvpn-devel] [PATCH] Fix non-C99-compliant builds: don't use const size_t as array length

2017-03-16 Thread Steffan Karger
Signed-off-by: Steffan Karger --- src/openvpn/crypto_openssl.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 5f28391..9139480 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c

Re: [Openvpn-devel] [PATCH] Make ENABLE_OCC no longer depend on !ENABLE_SMALL

2017-03-20 Thread Steffan Karger
Hi, On 19-03-17 19:41, Gert Doering wrote: > OCC is useful functionality which (according to LEDE devs) adds only > about 3k to the binary size - and if the embedded router folks can > afford this trade-off, everyone else can :-) > > Inspired by > https://git.lede-project.org/?p=source.git;a=com

Re: [Openvpn-devel] [PATCH] Make ENABLE_OCC no longer depend on !ENABLE_SMALL

2017-03-20 Thread Steffan Karger
On 20-03-17 19:28, Gert Doering wrote: > On Mon, Mar 20, 2017 at 07:20:50PM +0100, Steffan Karger wrote: >>> @@ -589,9 +589,7 @@ socket_defined(const socket_descriptor_t sd) >>> /* >>> * Should we include OCC (options consistency check) code? >>> */

Re: [Openvpn-devel] [PATCH] travis-ci: add 2 mingw "build only configurations"

2017-03-28 Thread Steffan Karger
Hi, On 28 March 2017 at 08:50, Илья Шипицин wrote: > I opened https://github.com/OpenVPN/openvpn/pull/85 > for discussion > > thoughts ? I put the patch on my review list, but need to tackle other things first. Will get back to you. -Steffan ---

Re: [Openvpn-devel] [PATCH v2] Allow changing cipher from a ccd file

2017-03-28 Thread Steffan Karger
Hi, On 17-02-17 16:20, Steffan Karger wrote: > As described in msg <374a7eb7-f539-5231-623b-41f208ed8...@belkam.com> on > openvpn-devel@lists.sourceforge.net, clients that are compiled with > --disable-occ (included in --enable-small) won't send an options string. > Wit

Re: [Openvpn-devel] building HEAD + openssl 1.1 api fails @ "crypto.c:823:32: error: invalid application of 'sizeof' to incomplete type 'cipher_ctx_t"

2017-03-28 Thread Steffan Karger
Hi, On 28-03-17 10:33, Emmanuel Deloget wrote: > I should be able to push a new version of the remaining patches in the > foreseeable future (let's say today or tomorrow, because I will be > unavailable at the end of this week). > > I found a solution to overcome the big X509_check_purpose() iss

Re: [Openvpn-devel] building HEAD + openssl 1.1 api fails @ "crypto.c:823:32: error: invalid application of 'sizeof' to incomplete type 'cipher_ctx_t"

2017-03-28 Thread Steffan Karger
On 28-03-17 15:02, debbie10t wrote: > On 28/03/17 13:47, Gert Doering wrote: >> We need to communicate better what might affect users in new versions, so >> they can test and complain/adjust in time (like, the stricter CRL handling >> in 2.4, and - obviously - the --tls-remote bit) > > Suggestion:

Re: [Openvpn-devel] building HEAD + openssl 1.1 api fails @ "crypto.c:823:32: error: invalid application of 'sizeof' to incomplete type 'cipher_ctx_t"

2017-03-28 Thread Steffan Karger
On 28-03-17 15:31, Samuli Seppänen wrote: > On 28/03/2017 16:08, Steffan Karger wrote: >> On 28-03-17 15:02, debbie10t wrote: >>> On 28/03/17 13:47, Gert Doering wrote: >>>> We need to communicate better what might affect users in new versions, so >>>>

Re: [Openvpn-devel] [PATCH] auth-token: Ensure tokens are always wiped on de-auth

2017-03-28 Thread Steffan Karger
Hi, On 28-03-17 21:19, David Sommerseth wrote: > If tls_deauthenticate() was called, it could in some scenarios leave the > authentication token for a session in memory. This change just ensures > auth-tokens are always wiped as soon as a TLS session is considered > broken. > > Signed-off-by: Da

Re: [Openvpn-devel] [PATCH v2] auth-token: Ensure tokens are always wiped on de-auth

2017-03-29 Thread Steffan Karger
Hi, On 28-03-17 22:53, David Sommerseth wrote: > If tls_deauthenticate() was called, it could in some scenarios leave the > authentication token for a session in memory. This change just ensures > auth-tokens are always wiped as soon as a TLS session is considered > broken. > > Signed-off-by: Da

Re: [Openvpn-devel] [PATCH] docs: Fixed man-page warnings discovered by rpmlint

2017-03-29 Thread Steffan Karger
On 29-03-17 11:49, David Sommerseth wrote: > Running rpmlint against Fedora RPM packages revealed these warnings: > > W: manual-page-warning /usr/share/man/man8/openvpn.8.gz 2738: > a special character is not allowed in a name > W: manual-page-warning /usr/share/man/man8/openvpn.8.gz 2740

Re: [Openvpn-devel] Upgrading EasyRSA 2's defaults

2017-04-02 Thread Steffan Karger
Hi, On 31-03-17 22:34, David Sommerseth wrote: > On 31/03/17 10:56, Илья Шипицин wrote: >> 2017-03-31 13:26 GMT+05:00 Samuli Seppänen: >> >> Hi, >> >> We still bundle EasyRSA 2 with our Windows installers and it is >> prominently advertised on our widely

Re: [Openvpn-devel] Upgrading EasyRSA 2's defaults

2017-04-04 Thread Steffan Karger
Hi, On 3 April 2017 at 23:14, Selva Nair wrote: > > > On Mon, Apr 3, 2017 at 4:43 PM, David Sommerseth wrote: >> >> On 03/04/17 16:12, Jan Just Keijser wrote: >> > Hi Samuli, >> > >> > On 03/04/17 15:53, Samuli Seppänen wrote: >>

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-05 Thread Steffan Karger
Hi, On 05-04-17 08:57, Gert Doering wrote: > On Wed, Apr 05, 2017 at 06:34:34AM +0200, Simon Matter wrote: >> I've attached v2 now which works without any config change: > [..] >> I prefer this version as it allows everybody to profit from it without >> touching any config files. > > I can see th

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-06 Thread Steffan Karger
Hi, On 6 April 2017 at 12:26, David Sommerseth wrote: > On 06/04/17 11:45, Simon Matter wrote: >> >>> I like Arne's and David's suggestion - the existing option "as is" will >>> enable X% jitter, while a second parameter can specify a more specific >>> range. Following Arne's argument about user

Re: [Openvpn-devel] [PATCH] travis-ci: add 2 mingw "build only configurations"

2017-04-09 Thread Steffan Karger
Hi, On 26-03-17 13:21, Ilya Shipitsin wrote: > Inspired by > https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13032.html > build options are taken from regular windows installer builds Feature-ACK. Adding cross-compile builds for Windows on travis is a good plan. Initial fee

Re: [Openvpn-devel] [PATCH] travis-ci: add 2 mingw "build only configurations"

2017-04-09 Thread Steffan Karger
Hi, On 09-04-17 12:54, Илья Шипицин wrote: > > 2017-04-09 13:44 GMT+05:00 Steffan Karger: > > On 26-03-17 13:21, Ilya Shipitsin wrote: > > + TAP_CFLAGS="-I${PWD}/tap-windows-${TAP_WINDOWS_VERSION}/include" > L

Re: [Openvpn-devel] [PATCH] travis-ci: add 2 mingw "build only configurations"

2017-04-09 Thread Steffan Karger
Hi, On 09-04-17 15:31, Илья Шипицин wrote: > > > @@ -70,7 +84,6 @@ if [ "${TRAVIS_OS_NAME}" != "osx" ]; then > > > fi > > > > > > # Download and build crypto lib > > > -mkdir -p download-cache > > > if [ "${SSLLIB}" = "openssl" ]; then > >

Re: [Openvpn-devel] [PATCH] travis-ci: add 2 mingw "build only configurations"

2017-04-09 Thread Steffan Karger
Hi, [This will be my last on-list reply about this.] On 09-04-17 19:10, Илья Шипицин wrote: > > > 2017-04-09 21:58 GMT+05:00 Steffan Karger: > > Hi, > > On 09-04-17 15:31, Илья Шипицин wrote: > > > >

[Openvpn-devel] [PATCH] Add --tls-cert-profile option for mbedtls builds

2017-04-10 Thread Steffan Karger
@lists.sourceforge.net/msg14214.html). This only implements the feature for mbed TLS builds, because for mbed it is both more easy to implement and the most relevant because mbed TLS 2+ is by default somewhat restrictive by requiring 2048-bit+ for RSA keys. Signed-off-by: Steffan Karger

Re: [Openvpn-devel] [PATCH] Make --cipher/--auth none more explicit on the risks

2017-04-11 Thread Steffan Karger
On 11-04-17 10:55, David Sommerseth wrote: > On 11/04/17 06:26, Simon Matter wrote: >>> The warning provided to --cipher and --auth using the 'none' setting may >>> not have been too clearly understandable to non-developers or people not >>> fully understanding encryption and cryptography. This tr

Re: [Openvpn-devel] [PATCH] Require minimum OpenSSL 1.0.1

2017-04-11 Thread Steffan Karger
Hi, On 11-04-17 19:31, David Sommerseth wrote: > As RHEL 5 has reached EOL, we no longer need to support OpenSSL v0.9.8. > This also makes it possible to remove a few workarounds which were > needed earlier, as well as some left overs from v0.9.6. > > This also makes ./configure really stop running

Re: [Openvpn-devel] [PATCH] Require minimum OpenSSL 1.0.1

2017-04-12 Thread Steffan Karger
Hi, On 11-04-17 23:56, David Sommerseth wrote: > On 11/04/17 23:20, Steffan Karger wrote: >> On 11-04-17 19:31, David Sommerseth wrote: >>> As RHEL 5 has reached EOL, we no longer need to support OpenSSL v0.9.8. >>> This also makes it possible to remove a few work

[Openvpn-devel] [PATCH v2] Add --tls-cert-profile option for mbedtls builds

2017-04-12 Thread Steffan Karger
@lists.sourceforge.net/msg14214.html). This only implements the feature for mbed TLS builds, because for mbed it is both more easy to implement and the most relevant because mbed TLS 2+ is by default somewhat restrictive by requiring 2048-bit+ for RSA keys. Signed-off-by: Steffan Karger -

Re: [Openvpn-devel] [PATCH] cleanup: merge packet_id_alloc_outgoing() into packet_id_write()

2017-04-13 Thread Steffan Karger
On 19-12-16 00:01, Steffan Karger wrote: > The functions packet_id_alloc_outgoing() and packet_id_write() were > always called in tandem. Instead of forcing the caller to allocate a > packet_id_net to do so, merge the two functions. This simplifies the API > and reduces the chance on

Re: [Openvpn-devel] [PATCH v2] Add --tls-cert-profile option for mbedtls builds

2017-04-13 Thread Steffan Karger
On 12-04-17 13:35, Steffan Karger wrote: > Version 2.4.1 > = > - - ``--remote-cert-ku`` now only requires the certificate to have at least > the > - bits set of one of the values in the supplied list, instead of requiring > an > - exact match to one of t

Re: [Openvpn-devel] [PATCH v2] Add --tls-cert-profile option for mbedtls builds

2017-04-13 Thread Steffan Karger
On 13-04-17 15:09, David Sommerseth wrote: > I'm however a bit puzzled of the "non-changes" (well, the indenting is > changing, unless I'm blind to other changes) to --remote-cert-cu, > --remote-cert-tls and --ns-cert-type. If we want to change the > indenting, I think that should be kept in a sep

Re: [Openvpn-devel] [PATCH v2] Add --tls-cert-profile option for mbedtls builds

2017-04-14 Thread Steffan Karger
Hi, On 13-04-17 18:40, David Sommerseth wrote: > On 13/04/17 15:37, Steffan Karger wrote: >> On 13-04-17 15:09, David Sommerseth wrote: >>> On a more generic note to this patch. I wonder if we should keep >>> "legacy" the default in the v2.4 branch. In the

[Openvpn-devel] [PATCH (release/2.4)] Add --tls-cert-profile option for mbedtls builds

2017-04-14 Thread Steffan Karger
ster branch, this patch uses 'legacy' as the default profile following discussion on the openvpn-devel mailing list. Signed-off-by: Steffan Karger --- This patch is a cherry-picked and adjusted version of the v3 patch for master. The only difference being that this patch uses 

[Openvpn-devel] [PATCH v3] Add --tls-cert-profile option for mbedtls builds

2017-04-14 Thread Steffan Karger
@lists.sourceforge.net/msg14214.html). This only implements the feature for mbed TLS builds, because for mbed it is both more easy to implement and the most relevant because mbed TLS 2+ is by default somewhat restrictive by requiring 2048-bit+ for RSA keys. Signed-off-by: Steffan Karger -

Re: [Openvpn-devel] [PATCH v2] Fix broken ./configure on systems without openssl.pc

2017-04-17 Thread Steffan Karger
Hi, On 17-04-17 11:01, David Sommerseth wrote: > [..] > > We should anyway in this case have a better check of OpenSSL version > available. So in the case pkg-config fails, it will run an additional > test looking for the OpenSSL version number in the opensslv.h header > file and check against th

Re: [Openvpn-devel] [PATCH v3] Fix broken ./configure on systems without openssl.pc

2017-04-20 Thread Steffan Karger
Hi, On 18-04-17 01:28, David Sommerseth wrote: > Commit 039a89c331e9b799 changed the OpenSSL check slightly, but that > broke ./configure on systems which do not install the openssl.pc > pkg-config support file. This is typically an issue on most of the BSD > platforms, where the OpenSSL package

Re: [Openvpn-devel] [PATCH v4] Fix broken ./configure on systems without openssl.pc

2017-04-21 Thread Steffan Karger
Hi, On 22-04-17 00:07, David Sommerseth wrote: > Commit 039a89c331e9b799 changed the OpenSSL check slightly, but that > broke ./configure on systems which do not install the openssl.pc > pkg-config support file. This is typically an issue on most of the BSD > platforms, where the OpenSSL package

Re: [Openvpn-devel] 2.4 sees all client certificates as expired when using crl-verify

2017-04-23 Thread Steffan Karger
On 22-04-17 20:24, debbie10t wrote: > > On 02/01/17 15:39, Steffan Karger wrote: >> On 02-01-17 16:24, SviMik wrote: >>> >>>> On 02-01-17 15:26, Gert Doering wrote: >>>>> On Mon, Jan 02, 2017 at 03:17:23PM +0100, Alberto Gonzalez >>>&

Re: [Openvpn-devel] [PATCH v4] Fix broken ./configure on systems without openssl.pc

2017-04-23 Thread Steffan Karger
On 22-04-17 17:27, David Sommerseth wrote: > On 22/04/17 13:29, Gert Doering wrote: >> On Sat, Apr 22, 2017 at 08:28:33AM +0200, Steffan Karger wrote: >>>> v4 - Move the CFLAGS/LDFLAGS declarations before the manual >>>> version test; otherwise we

Re: [Openvpn-devel] [PATCH] Fix extract_x509_field_ssl for external objects

2017-04-23 Thread Steffan Karger
Hi, The change makes sense, so 'Feature-ACK', but one remark: On 20-04-17 16:41, Hristo Venev wrote: > @@ -191,16 +191,23 @@ extract_x509_field_ssl(X509_NAME *x509, const char > *field_name, char *out, > X509_NAME_ENTRY *x509ne = 0; > ASN1_STRING *asn1 = 0; > unsigned char *buf =

Re: [Openvpn-devel] [PATCH v5] Fix broken ./configure on systems without openssl.pc

2017-04-25 Thread Steffan Karger
Hi, On 24-04-17 22:57, Gert Doering wrote: > On Mon, Apr 24, 2017 at 04:39:10PM +0200, David Sommerseth wrote: >> This patch have been tested on Scientic Linux 7.3 (RHEL clone) and >> FreeBSD 10.3-RELEASE-p11. >> >> v5 - Remove the right OPENSSL_LIBS and preserve the old one >>- In PKG_CHECK_M

Re: [Openvpn-devel] [PATCH] travis-ci: add 2 mingw "build only" configurations

2017-04-25 Thread Steffan Karger
Hi, On 25-04-17 09:50, Ilya Shipitsin wrote: > Inspired by > https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13032.html > build options are taken from regular windows installer builds > > Signed-off-by: Ilya Shipitsin > --- > v2: moved download/build dependencies into functi

Re: [Openvpn-devel] [PATCH] travis-ci: add 2 mingw "build only" configurations

2017-04-25 Thread Steffan Karger
Hi, On 25-04-17 20:51, Илья Шипицин wrote: > 2017-04-25 22:49 GMT+05:00 Steffan Karger <mailto:stef...@karger.me>>: > > On 25-04-17 09:50, Ilya Shipitsin wrote: > > Inspired by > https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13032.html

Re: [Openvpn-devel] [PATCH] v3, travis-ci: add 2 mingw "build only" configurations

2017-05-03 Thread Steffan Karger
; v3: fixed "trailing whitespaces" found by Samuli Seppänen. Added back "set > -u", > thanks to Steffan Karger. Changed repo manipulation to "apt-add-repository", > thanks > to Nathan Stratton Treadway. Thanks for not giving up - this looks a lot better

Re: [Openvpn-devel] [PATCH] crypto: Enable SHA256 fingerprint checking in --verify-hash

2017-05-03 Thread Steffan Karger
Hi, On 26-04-17 18:00, David Sommerseth wrote: > This enhances --verify-hash with an optional algorithm flag. If not > provided, it defaults to SHA1 to preserve backwards compatbilitity with > existing configurations. The only valid flags are SHA1 and SHA256. Feature-ACK. > In addition it move

Re: [Openvpn-devel] [PATCH] crypto: Enable SHA256 fingerprint checking in --verify-hash

2017-05-03 Thread Steffan Karger
On 03-05-17 22:15, Steffan Karger wrote: > On 26-04-17 18:00, David Sommerseth wrote: >> In addition it moves the hash verification away from memcmp() to >> memcmp_constant_time(). And slightly it enhances the layout of the >> --verify-hash section in the man page. >
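The two replies above quote a commit message that does two things to --verify-hash: it adds an algorithm flag (SHA1 by default, SHA256 as the alternative) and it switches the fingerprint comparison from memcmp() to a constant-time compare. The block below is an added illustration of that pattern and is not OpenVPN's own code; the function names (ct_memcmp, parse_fingerprint, verify_fingerprint) and the sample digest bytes are assumptions constructed for this example. It derives the expected digest length from the algorithm flag, parses the colon-separated hex fingerprint as it appears in a config file, rejects unknown algorithms and length mismatches, and compares the bytes in a loop whose running time does not depend on where the first differing byte sits.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Example code, not OpenVPN's implementation. All names below are assumed. */

enum { FP_SHA1_LEN = 20, FP_SHA256_LEN = 32 };

/* Constant-time byte compare: always touches all n bytes, OR-ing the
 * differences together, so timing does not reveal the first mismatch.
 * Returns 0 when equal, nonzero otherwise. */
static int ct_memcmp(const void *a, const void *b, size_t n)
{
    const volatile uint8_t *pa = a;
    const volatile uint8_t *pb = b;
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) {
        diff |= (uint8_t)(pa[i] ^ pb[i]);
    }
    return diff;
}

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse "AA:BB:CC..." (colons optional) into out. Returns the number of
 * bytes written, or -1 on a non-hex character, odd digit or overflow. */
static int parse_fingerprint(const char *s, uint8_t *out, size_t out_max)
{
    size_t n = 0;
    while (*s) {
        if (*s == ':') { s++; continue; }
        int hi = hexval(s[0]);
        int lo = hexval(s[1]);          /* s[1] may be '\0' -> -1 */
        if (hi < 0 || lo < 0 || n >= out_max) return -1;
        out[n++] = (uint8_t)((hi << 4) | lo);
        s += 2;
    }
    return (int)n;
}

/* Returns 1 if digest matches the configured fingerprint for algo
 * ("SHA1" or "SHA256"), 0 for any mismatch, bad flag or bad length. */
int verify_fingerprint(const char *algo, const char *expected_hex,
                       const uint8_t *digest, size_t digest_len)
{
    size_t want;
    if (strcmp(algo, "SHA1") == 0)        want = FP_SHA1_LEN;
    else if (strcmp(algo, "SHA256") == 0) want = FP_SHA256_LEN;
    else return 0;                        /* only SHA1 and SHA256 are valid */

    uint8_t expected[FP_SHA256_LEN];
    int got = parse_fingerprint(expected_hex, expected, sizeof expected);
    if (got < 0 || (size_t)got != want || digest_len != want) return 0;
    return ct_memcmp(expected, digest, want) == 0;
}

/* Constructed sample data: a made-up 32-byte "digest" and its fingerprint
 * string, plus a copy with the last byte flipped. Not real certificate data. */
const uint8_t SAMPLE_DIGEST[FP_SHA256_LEN] = {
    0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff,
    0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff };
const uint8_t SAMPLE_DIGEST_TAMPERED[FP_SHA256_LEN] = {
    0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff,
    0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xfe };
const char *SAMPLE_FP_SHA256 =
    "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:"
    "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF";

int main(void)
{
    printf("match:    %d\n", verify_fingerprint("SHA256", SAMPLE_FP_SHA256,
                                                SAMPLE_DIGEST, FP_SHA256_LEN));
    printf("tampered: %d\n", verify_fingerprint("SHA256", SAMPLE_FP_SHA256,
                                                SAMPLE_DIGEST_TAMPERED, FP_SHA256_LEN));
    printf("sha1 flag with sha256 fp: %d\n",
           verify_fingerprint("SHA1", SAMPLE_FP_SHA256, SAMPLE_DIGEST, FP_SHA256_LEN));
    return 0;
}
```

The length check before the compare matters: if the parsed fingerprint and the digest were allowed to differ in length, a caller using plain memcmp() with the shorter length would accept a truncated fingerprint, and a constant-time loop over the wrong length would be comparing garbage. Deriving the length from the algorithm flag closes both holes at once.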

[Openvpn-devel] [PATCH v2] cleanup: merge packet_id_alloc_outgoing() into packet_id_write()

2017-05-05 Thread Steffan Karger
verify the behaviour of packet_id_write(). Verifying that we assert out correctly required the change to mock_msg.c. Signed-off-by: Steffan Karger --- v2 - rebased onto current master branch src/openvpn/crypto.c | 20 ++-- src/openvpn/packet_id.c | 24

[Openvpn-devel] [PATCH] Don't run packet_id unit tests for --disable-crypto builds

2017-05-05 Thread Steffan Karger
Because there is no packet_id in those builds... This fixes 'make check' for --disable-crypto builds, caught by travis. Signed-off-by: Steffan Karger --- tests/unit_tests/openvpn/Makefile.am | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/unit_tes

[Openvpn-devel] [PATCH] Fix Changes.rst layout

2017-05-05 Thread Steffan Karger
The extra space before each line made the 2.4.1 section stand out from the other sections. Signed-off-by: Steffan Karger --- Changes.rst | 24 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/Changes.rst b/Changes.rst index 2a94990..c1583b3 100644 --- a

[Openvpn-devel] [PATCH] Document tls-crypt security considerations in man page

2017-05-05 Thread Steffan Karger
keys. That will make tls-crypt useful for VPN providers too.) Signed-off-by: Steffan Karger --- Note to non-crypto-geek reviewers: please verify that this text is clear enough to explain you when you need to replace tls-crypt keys. Note to crypto-geek reviewers: please check the numbers - s

Re: [Openvpn-devel] [PATCH] Document tls-crypt security considerations in man page

2017-05-07 Thread Steffan Karger
Hi, On 07-05-17 11:39, Magnus Kroken wrote: > Non-crypto geek here, comments inline. > > On 05.05.2017 22:30, Steffan Karger wrote: >> +control channel messages. A typical initial negotiation is about 10 packets >> +in each direction. Assuming both initial negotation a

[Openvpn-devel] [PATCH] Fix memory leak in x509_verify_cert_ku()

2017-05-07 Thread Steffan Karger
If keyUsage was only required to be present, but no specific value was required, we would omit to free the extracted string. This happens as of 2.4.1, if --remote-cert-tls is used. In that case we leak a bit of memory on each TLS (re)negotiation. Signed-off-by: Steffan Karger --- Changes.rst

Re: [Openvpn-devel] [PATCH] v4, travis-ci: add 2 mingw "build only" configurations

2017-05-07 Thread Steffan Karger
; v3: fixed "trailing whitespaces" found by Samuli Seppänen. Added back "set > -u", > thanks to Steffan Karger. Changed repo manipulation to "apt-add-repository", > thanks > to Nathan Stratton Treadway. > > v4: moved build/test l
