[Openvpn-devel] [PATCH] Fix overflow check in openvpn_decrypt()

2015-07-01 Thread steffan.karger
From: Steffan Karger Sebastian Krahmer from the SuSE security team reported that the buffer overflow check in openvpn_decrypt() was too strict according to the cipher update function contract: "The amount of data written depends on the block alignment of the encrypted data: as a result the amoun

[Openvpn-devel] [PATCH v2] Fix overflow check in openvpn_decrypt()

2015-07-29 Thread steffan.karger
From: Steffan Karger Sebastian Krahmer from the SuSE security team reported that the buffer overflow check in openvpn_decrypt() was too strict according to the cipher update function contract: "The amount of data written depends on the block alignment of the encrypted data: as a result the amoun

[Openvpn-devel] [PATCH] polarssl: require >= 1.3.8

2015-11-23 Thread steffan.karger
From: Steffan Karger Since commit 67a67e39, we use API calls that were introduced in polarssl 1.3.8. Update the configure check to reflect that. Signed-off-by: Steffan Karger --- configure.ac | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac i

[Openvpn-devel] [PATCH] remove nonsense const specifier in nonfatal() return value

2015-11-24 Thread steffan.karger
From: Steffan Karger Return values are rvalues, and can not be changed anyway. Adding const does not make sense here at all. (What was I thinking...?) Signed-off-by: Steffan Karger --- src/openvpn/error.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/error.h

[Openvpn-devel] [PATCH v2] polarssl: optimize polar_ok() for non-errors

2016-01-07 Thread steffan.karger
From: Steffan Karger Adding polar_ok() was a good plan for improving error reporting, but also added two function calls (one to polar_log_func_line() and one to polar_log_err()) for each function call wrapped with polar_ok(). Especially in the critical path, this is a waste of time. To avoid thi

[Openvpn-devel] [PATCH v2] polarssl: improve logging

2016-01-07 Thread steffan.karger
From: Steffan Karger Add the functions polar_log_err(), polar_log_func_line() and a macro polar_ok(), to easily log human-readable PolarSSL errors from polarssl-specific code. This does not provide the full logging interface as msg(), because I would have to add a lot more of macro-magic to achi

[Openvpn-devel] [PATCH] hardening: add safe FD_SET() wrapper openvpn_fd_set()

2016-03-03 Thread steffan.karger
From: Steffan Karger On many platforms (not Windows, for once), FD_SET() can write outside the given fd_set if an fd >= FD_SETSIZE is given. To make sure we don't do that, add an ASSERT() to error out with a clear error message when this does happen. This patch was inspired by remarks about FD_

[Openvpn-devel] PolarSSL 1.2 support for OpenVPN 2.3

2013-01-17 Thread steffan.karger
Hi, >From PolarSSL 1.1 to 1.2 the cipher names have changed and the API changed a >bit. This causes the 2.3 release of OpenVPN to be in- compatible with PolarSSL >1.2. We've prepared three patches to add support for PolarSSL 1.2 to OpenVPN 2.3. The first two patches just improve error reportin

[Openvpn-devel] [PATCH 1/3] Improve PolarSSL key_state_read_{cipher, plain}text messages

2013-01-17 Thread steffan.karger
From: Steffan Karger Instead of logging the fact that an error occured, log the error string or (if the PolarSSL build does not include this feature) the error code. Signed-off-by: Joachim Schipper --- src/openvpn/ssl_polarssl.c | 20 ++-- 1 file changed, 18 insertions(+), 2

[Openvpn-devel] [PATCH 2/3] Improve verify_callback messages

2013-01-17 Thread steffan.karger
From: Steffan Karger Print the *flags argument, which - for PolarSSL-1.2 - contains the reasons that the certificate failed (pre-)verification. Signed-off-by: Joachim Schipper --- src/openvpn/ssl_verify_polarssl.c |6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src

[Openvpn-devel] [PATCH 3/3] PolarSSL-1.2 support

2013-01-17 Thread steffan.karger
From: Steffan Karger Add support for PolarSSL-1.2, which has changed the API in several places. This is a minimal port: PolarSSL-1.2 works as well as PolarSSL-1.1, but the new features have not been enabled. Blacklist PolarSSL-1.[0-2] for bugs when verifying certificate chains Signed-off-by: Jo

[Openvpn-devel] PolarSSL 1.2.3+ patches for 2.4 (no PolarSSL<1.2.3 support any more)

2013-01-21 Thread steffan.karger
Hi, As discussed on this mailinglist and the openvpn-devel IRC-channel, I created a new set of patches for the '2.4' or master branch. This drops support for versions of PolarSSL before 1.2.3, but considerably reduces the number of #ifdefs, that were required for backward compatibility with pol

[Openvpn-devel] [PATCH 1/3] Improve PolarSSL key_state_read_{cipher, plain}text messages

2013-01-21 Thread steffan.karger
From: Steffan Karger Instead of logging the fact that an error occured, log the error string or (if the PolarSSL build does not include this feature) the error code. Signed-off-by: Joachim Schipper --- src/openvpn/ssl_polarssl.c | 20 ++-- 1 file changed, 18 insertions(+), 2

[Openvpn-devel] [PATCH 2/3] PolarSSL-1.2 support

2013-01-21 Thread steffan.karger
From: Steffan Karger Add support for PolarSSL-1.2, which has changed the API in several places. This is a minimal port: PolarSSL-1.2 works, but the new features have not been enabled. Everything before 1.2 is no longer supported. PolarSSL-1.2.[0-2] are blacklisted for bugs when verifying certifi

[Openvpn-devel] [PATCH 3/3] Improve verify_callback messages

2013-01-21 Thread steffan.karger
From: Steffan Karger Print the *flags argument, which - for PolarSSL-1.2 - contains the reasons that the certificate failed (pre-)verification. Signed-off-by: Joachim Schipper --- src/openvpn/ssl_verify_polarssl.c |6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src

[Openvpn-devel] PolarSSL 1.2 support, while keeping config file compatibility

2013-03-18 Thread steffan.karger
Hi Everyone, The attached patches add PolarSSL 1.2 support to OpenVPN 2.3, while maintaining OpenVPN configuration file compatibility between the OpenSSL and PolarSSL builds. Patches 1-3 upgrade the supported PolarSSL versions to 1.2.5 or newer. Patch 4 adds data channel cipher name compatibil

[Openvpn-devel] [PATCH 4/5] Config compatibility patch. Added translate_cipher_name.

2013-03-18 Thread steffan.karger
From: Steffan Karger Added translate_cipher name to crypto_openssl.c and crypto_polarssl.c to translate between OpenVPN(/OpenSSL) and PolarSSL data channel cipher algorithm names. OpenSSL does not require any translating, PolarSSL does for a small number of algorithms. This improves on config fil

[Openvpn-devel] [PATCH 2/5] Improve PolarSSL key_state_read_{cipher, plain}text messages

2013-03-18 Thread steffan.karger
From: Steffan Karger Instead of logging the fact that an error occured, log the error code and description (when available in the PolarSSL build). Signed-off-by: Joachim Schipper --- src/openvpn/ssl_polarssl.c |8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/o

[Openvpn-devel] [PATCH 3/5] Improve verify_callback messages

2013-03-18 Thread steffan.karger
From: Steffan Karger Print the *flags argument, which - for PolarSSL-1.2 - contains the reasons that the certificate failed (pre-)verification. Signed-off-by: Joachim Schipper --- src/openvpn/ssl_verify_polarssl.c |6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src

[Openvpn-devel] [PATCH 1/5] PolarSSL-1.2 support

2013-03-18 Thread steffan.karger
From: Steffan Karger Add support for PolarSSL-1.2, which has changed the API in several places. This is a minimal port, new features have not been enabled. Only PolarSSL 1.2.5 and newer are accepted, as earlier versions contain unresolved (security) issues. Signed-off-by: Joachim Schipper Signe

[Openvpn-devel] [PATCH 5/5] Switch to IANA names for TLS ciphers.

2013-03-18 Thread steffan.karger
From: Steffan Karger Added translation table and functions to translate between TLS OpenSSL and IANA (IETF) cipher suite names. The previously used OpenSSL names are still accepted, but a deprecation warning is issued. Signed-off-by: Steffan Karger --- src/openvpn/ssl.c | 147 +++

[Openvpn-devel] [PATCH 1/6] PolarSSL-1.2 support

2013-03-22 Thread steffan.karger
From: Steffan Karger Add support for PolarSSL-1.2, which has changed the API in several places. This is a minimal port, new features have not been enabled. Only PolarSSL 1.2.5 and newer are accepted, as earlier versions contain unresolved (security) issues. Signed-off-by: Joachim Schipper Signe

[Openvpn-devel] Updated PolarSSL 1.2 support patch set

2013-03-22 Thread steffan.karger
Hi, This patch set replaces the earlier PolarSSL 1.2 support patches. It contains all the changes in response to feedback on the previous versions, and should be ready to be merged. -Steffan

[Openvpn-devel] [PATCH 4/6] Config compatibility patch. Added translate_cipher_name.

2013-03-22 Thread steffan.karger
From: Steffan Karger Added translate_cipher name to crypto_openssl.c and crypto_polarssl.c to translate between OpenVPN(/OpenSSL) and PolarSSL data channel cipher algorithm names. OpenSSL does not require any translating, PolarSSL does for a small number of algorithms. This improves on config fil

[Openvpn-devel] [PATCH 3/6] Improve verify_callback messages

2013-03-22 Thread steffan.karger
From: Steffan Karger Print the *flags argument, which - for PolarSSL-1.2 - contains the reasons that the certificate failed (pre-)verification. Signed-off-by: Joachim Schipper --- src/openvpn/ssl_verify_polarssl.c |6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src

[Openvpn-devel] [PATCH 5/6] Switch to IANA names for TLS ciphers.

2013-03-22 Thread steffan.karger
From: Steffan Karger Added translation table and functions to translate between TLS OpenSSL and IANA (IETF) cipher suite names. The previously used OpenSSL names are still accepted, but a deprecation warning is issued. Signed-off-by: Steffan Karger --- src/openvpn/ssl.c | 147 +++

[Openvpn-devel] [PATCH 2/6] Improve PolarSSL key_state_read_{cipher, plain}text messages

2013-03-22 Thread steffan.karger
From: Steffan Karger Instead of logging the fact that an error occured, log the error code and description (when available in the PolarSSL build). Signed-off-by: Joachim Schipper --- src/openvpn/ssl_polarssl.c |8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/o

[Openvpn-devel] [PATCH 6/6] Fixed autoconf script to properly detect missing pkcs11 with polarssl.

2013-03-22 Thread steffan.karger
From: Steffan Karger When polarssl is compiled without pkcs11 support, or a required pkcs11-helper library is missing, configure will now issue an error. Signed-off-by: Steffan Karger --- configure.ac | 54 +++--- 1 file changed, 43 insertions(

[Openvpn-devel] [PATCH 2/3] --management-external-key for PolarSSL

2013-09-19 Thread steffan.karger
From: Joachim Schipper Add --management-external-key support, compatible with the OpenSSL implementation. Needs the flexibility of ssl_set_own_cert_alt(), which is new in PolarSSL-1.2. Signed-off-by: Joachim Schipper Signed-off-by: Steffan Karger --- src/openvpn/ssl_polarssl.c | 100

[Openvpn-devel] --management-external-key for polarssl

2013-09-19 Thread steffan.karger
Hi, These three patches add --management-external-key support for polarssl builds. The code was originally written by Joachim Schipper for OpenVPN-NL, which is why he is mentioned as the author of the patches. I reworked it a bit to match the regular OpenVPN codebase better. Patch 1/3 is just a

[Openvpn-devel] [PATCH 3/3] external_pkcs1_sign: Support non-RSA_SIG_RAW hash_ids

2013-09-19 Thread steffan.karger
From: Joachim Schipper For TLSv1.2, we need to support various hashes. (GPL) code taken from PolarSSL pkcs11_sign(). Signed-off-by: Joachim Schipper --- src/openvpn/ssl_polarssl.c | 76 1 file changed, 69 insertions(+), 7 deletions(-) diff --git

[Openvpn-devel] [PATCH 1/3] Refactor tls_ctx_use_external_private_key()

2013-09-19 Thread steffan.karger
From: Joachim Schipper OpenSSL's tls_ctx_load_cert_file() had a parameter in which a copy of the context's certificate chain was stored on return, used by tls_ctx_use_external_private_key() only and free()d immediately thereafter. PolarSSL also supported this output parameter, but returned a poi

[Openvpn-devel] [PATCH] Require polarssl >= 1.2.10 for polarssl-builds, which fixes CVE-2013-5915.

2013-10-22 Thread steffan.karger
From: Steffan Karger PolarSSL 1.2.9 fixes a possible timing attack in PolarSSL's RSA-CRT implementation. See CVE-2013-5915 for details. This commit bumps the minimum polarssl version required by configure.ac to 1.2.10, because 1.2.9 also introduced a memory leak, which is fixed in 1.2.10. Signed

[Openvpn-devel] [PATCH] PolarSSL 1.3

2014-02-27 Thread steffan.karger
Hi, The attached patches add support for PolarSSL 1.3. These patches are for master only, as they drop support for PolarSSL 1.2. Supporting both versions would require a lot of #ifdef's, so I opted for dropping 1.2. Along with PolarSSL 1.3 comes support for AES-NI and elliptic curve crypto. Polar

[Openvpn-devel] [PATCH 2/2] Improve error reporting during key/cert loading with PolarSSL.

2014-02-27 Thread steffan.karger
From: Steffan Karger Signed-off-by: Steffan Karger --- src/openvpn/ssl_polarssl.c | 18 ++ 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/src/openvpn/ssl_polarssl.c b/src/openvpn/ssl_polarssl.c index 3a0d8a0..2df1b30 100644 --- a/src/openvpn/ssl_polarssl.c +++ b/

[Openvpn-devel] [PATCH 1/2] Upgrade to PolarSSL 1.3

2014-02-27 Thread steffan.karger
From: Steffan Karger This removes support for PolarSSL 1.2. The mimimum version of PolarSSL required is now 1.3.3. The upgrade brings OpenVPN-with-PolarSSL: * Support for EC-crypto in TLS (but not yet for external pkcs11/management keys) * Support for AES-NI (if PolarSSL is compiled with AES-NI s

[Openvpn-devel] [PATCH] Use tls-auth in sample config files

2015-02-22 Thread steffan.karger
From: Steffan Karger For two reasons: 1) May motivate people to use tls-auth in their setups 2) Verify tls-auth functionality when running 'make check' Signed-off-by: Steffan Karger --- sample/sample-config-files/client.conf | 2 +- sample/sample-config-files/loopback-client | 1 + sampl