Re: [Openvpn-devel] Question regarding easy-rsa

[Eric Crist]

Since this was sent to three separate lists:

I am active and review the reported bugs. I recently completed my second book 
on OpenVPN and should shortly have an opportunity to work more actively on the 
project. 

Eric Crist

> On May 19, 2017, at 5:52 PM, Mahawar, Sunil  wrote:
> 
> Hello Eric,
>  I loved easy-rsa tool and its user friendly interface. I 
> am using this utility for one of my project for OpenHPC 
> (http://openhpc.community ). However one of my colleague pointed out that 
> easy-rsa project is not an active project, its last release was 2 year back, 
> last commit was June 2016, and there are multiple open issues on git hub 
> (40), which are not yet addressed. So there was concern that any security 
> related vulnerability (if found) will not be fixed in timely manner. Because 
> of that I was asked to reevaluate easy-rsa utility for my use.
>  
> I am assuming you are an active maintainer/developer for easy-rsa, can you 
> please confirm? I am also assuming if there is any security related issue 
> comes in, you will drive those issue to closure, however so far I have not 
> seen any vulnerability in this project. Though I am not the expert, but I can 
> also provide my help if needed. Could you please confirm your involvement in 
> easy-rsa utility?
>  
> If you are not the right person then I am sorry for this email.
>  
>  
> Thanks & Regards
> -Sunil Mahawar
>  
> --
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> ___
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [Openvpn-users] question about easy-rsa

[Eric Crist]

Thrice:

I am active and review the reported bugs. I recently completed my second book 
on OpenVPN and should shortly have an opportunity to work more actively on the 
project. 

Eric Crist

> On May 19, 2017, at 5:41 PM, Mahawar, Sunil  wrote:
> 
> Hi,
>  I loved easy-rsa tool and its user friendly interface. I am using this 
> tool for one of my project for OpenHPC (http://openhpc.community ). However 
> one my colleague pointed out that easy-rsa project is not an active project, 
> its last release was 2 year back, last commit was June 2016, and there are 
> multiple open issues on git hub (40), which are not yet addressed. So there 
> was concern that any security related vulnerability (if found) will not be 
> fixed in timely manner. Because of that I was asked to reevaluate easy-rsa 
> utility for my use.
> As per the documentation, easy-rsa development co-exists with OpenVPN, I am 
> assuming that openvpn community will take care of any vulnerability in 
> easy-rsa (if found). I will appreciate if someone on community confirm my 
> assumption that openvpn community will also be maintain easy-rsa any 
> vulnerability in this utility?
>  
>  
> Thanks & Regards
> -Sunil Mahawar
>  
> --
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> ___
> Openvpn-users mailing list
> openvpn-us...@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] Question about easy-rsa

[debbie10t]

On 19/05/17 23:56, David Sommerseth wrote:
> On 20/05/17 00:45, Mahawar, Sunil wrote:
>> Hi,
>>
>>  I loved easy-rsa tool and its user friendly interface. I am using
>> this tool for one of my project for OpenHPC (http://openhpc.community ).
>> However one my colleague pointed out that easy-rsa project is not an
>> active project, its last release was 2 year back, last commit was June
>> 2016, and there are multiple open issues on git hub (40), which are not
>> yet addressed. So there was concern that any security related
>> vulnerability (if found) will not be fixed in timely manner. Because of
>> that I was asked to reevaluate easy-rsa utility for my use.
>>
>> As per the documentation, easy-rsa development co-exists with OpenVPN, I
>> am assuming that openvpn community will take care of any vulnerability
>> in easy-rsa (if found). I will appreciate if someone on community
>> confirm my assumption that openvpn community will also be maintain
>> easy-rsa any vulnerability in this utility?
>>
>
> It might not look so active, but there are people who are engaged

There are "person" .. but engagement has not been forthcoming ..

> and
> who I am quite sure will step up if it is truly needed to act upon any
> security issues.
>
> The upstream project is hosted here:
> 
>
> That said, there are not too much security issues easy-rsa itself may
> introduce.  It is basically just a shell script providing a more easy
> user interface to the openssl command line.  So as long as your OpenSSL
> installation is safe and good, there is not too much this tool can do to
> reduce that.
>
> The primary thing in easy-rsa influencing the security is the OpenSSL
> configuration file (openssl-1.0.cnf), and the secondary is how the
> various openssl command line calls is handled.  Except of that, it is a
> fairly simple program logic and lots of somewhat more helpful text.
>
>

It is time Easy-RSA received some *much* needed attention.

nudge-nudge-wink-wink .. say-no-more (for now)


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] Question about easy-rsa

[David Sommerseth]

On 20/05/17 00:45, Mahawar, Sunil wrote:
> Hi,
> 
>  I loved easy-rsa tool and its user friendly interface. I am using
> this tool for one of my project for OpenHPC (http://openhpc.community ).
> However one my colleague pointed out that easy-rsa project is not an
> active project, its last release was 2 year back, last commit was June
> 2016, and there are multiple open issues on git hub (40), which are not
> yet addressed. So there was concern that any security related
> vulnerability (if found) will not be fixed in timely manner. Because of
> that I was asked to reevaluate easy-rsa utility for my use.
> 
> As per the documentation, easy-rsa development co-exists with OpenVPN, I
> am assuming that openvpn community will take care of any vulnerability
> in easy-rsa (if found). I will appreciate if someone on community
> confirm my assumption that openvpn community will also be maintain
> easy-rsa any vulnerability in this utility?
> 

It might not look so active, but there are people who are engaged and
who I am quite sure will step up if it is truly needed to act upon any
security issues.

The upstream project is hosted here:


That said, there are not too much security issues easy-rsa itself may
introduce.  It is basically just a shell script providing a more easy
user interface to the openssl command line.  So as long as your OpenSSL
installation is safe and good, there is not too much this tool can do to
reduce that.

The primary thing in easy-rsa influencing the security is the OpenSSL
configuration file (openssl-1.0.cnf), and the secondary is how the
various openssl command line calls is handled.  Except of that, it is a
fairly simple program logic and lots of somewhat more helpful text.


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc




signature.asc
Description: OpenPGP digital signature
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] Question regarding easy-rsa

[Mahawar, Sunil]

Hello Eric,
 I loved easy-rsa tool and its user friendly interface. I 
am using this utility for one of my project for OpenHPC 
(http://openhpc.community ). However one of my colleague pointed out that 
easy-rsa project is not an active project, its last release was 2 year back, 
last commit was June 2016, and there are multiple open issues on git hub (40), 
which are not yet addressed. So there was concern that any security related 
vulnerability (if found) will not be fixed in timely manner. Because of that I 
was asked to reevaluate easy-rsa utility for my use.

I am assuming you are an active maintainer/developer for easy-rsa, can you 
please confirm? I am also assuming if there is any security related issue comes 
in, you will drive those issue to closure, however so far I have not seen any 
vulnerability in this project. Though I am not the expert, but I can also 
provide my help if needed. Could you please confirm your involvement in 
easy-rsa utility?

If you are not the right person then I am sorry for this email.


Thanks & Regards
-Sunil Mahawar

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] Question about easy-rsa

[Mahawar, Sunil]

Hi,
 I loved easy-rsa tool and its user friendly interface. I am using this 
tool for one of my project for OpenHPC (http://openhpc.community ). However one 
my colleague pointed out that easy-rsa project is not an active project, its 
last release was 2 year back, last commit was June 2016, and there are multiple 
open issues on git hub (40), which are not yet addressed. So there was concern 
that any security related vulnerability (if found) will not be fixed in timely 
manner. Because of that I was asked to reevaluate easy-rsa utility for my use.

As per the documentation, easy-rsa development co-exists with OpenVPN, I am 
assuming that openvpn community will take care of any vulnerability in easy-rsa 
(if found). I will appreciate if someone on community confirm my assumption 
that openvpn community will also be maintain easy-rsa any vulnerability in this 
utility?


Thanks & Regards
-Sunil Mahawar

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] Problem with sig for 2.3.16?

[David Sommerseth]

On 19/05/17 21:23, Jonathan K. Bullard wrote:
[...snip...]
>> Right now the signature situation is a bit confusing, as 2.4.2 is still
>> signed with my new key, and 2.3.16 is using the secur...@openvpn.net
>> key. That is all documented here, though:
>>
>> 
> 
> OK, I get that, but the key file from the link David provided (and
> which was also in his reply to the email announcing 2.3.16):
> 
>  
> 
> is not identical to the "Security mailing list GPG key" I just
> downloaded from the "sig" page.
> 
> Is that a problem?

What is the difference you see?  To mem both looks identical when
importing them into GPG.  But I haven't dug too deep into the details.

One detail though, the "real" key ID is always the finger print.  Then
there is two types of key IDs, one short and one long.  But those are
just from the last bytes from the fingerprint.

Key fingerprint: F554 A368 7412 CFFE BDEF  E0A3 12F5 F7B4 2F2B 01E7
Key ID - long:  12F5 F7B4 2F2B 01E7
Key ID - short:   2F2B 01E7


When I import both keys into the different brand new GPG key rings, I do
get the same result when listing these keys.  But I haven't dug too deep
into the context.  Plus the pgp.mit.edu site might have done some
non-critical, minor changes in how the key looks like - compared to
Samuli's version.

That said, this security key is based upon the recommended sub-key
approach [0].  That means that those of us among the developers can only
use that key for signing and decryption data and with a fairly short
lifetime (1 year).  They are not capable to sign other keys, updating
the lifetime of the keys or any operation requiring the master key.  So
I highly doubt Samuli have done anything special with that key.  Only I
have the master key, which is well stored on a protected medium which is
offline the very most of the time.


[0] 


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc




signature.asc
Description: OpenPGP digital signature
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] Please check the 2.3.15 downloads

[Matthias Andree]

Am 19.05.2017 um 10:47 schrieb Gert Doering:
>
> Apologies for the 2.3.15 mishap (and thanks to Mathias Andree for raising
> this issue yesterday already).

I just spread the word, originator of the information was Renato Botelho
aka. garga@  in the FreeBSD project.


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] Problem with sig for 2.3.16?

[Jonathan K. Bullard]

On Fri, May 19, 2017 at 1:44 PM, Samuli Seppänen  wrote:
> On 19/05/2017 17:50, David Sommerseth wrote:
>> On 19/05/17 16:28, Jonathan K. Bullard wrote:
>>> When I try to verify the signature on openvpn-2.3.16.tar.gz (using
>>> openvpn-2.3.16.tar.gz.asc) from the "Downloads" page [1], I get the
>>> following:
>>>
>>>  gpg: assuming signed data in `XXX/openvpn-2.3.16.tar.gz'
>>>  gpg: Signature made Thu May 18 16:56:48 2017 EDT using RSA key ID 
>>> 8CC2B034
>>>  gpg: Can't check signature: public key not found
>>>
>>> The signatures on openvpn-2.3.15.tar.gz (downloaded last week) and on
>>> openvpn-2.4.2.tar.gz both verify fine.
>>>
>>> I think this is because Samuli's new key's ID is not 8CC2B034, it is
>>> 40864578 (if I understand correctly what is meant by "ID".)
>>
>> Samuli have an old key (0x198D22A3, RSA-1024) and a new key (0x40864578,
>> RSA-2048).  He have switched to the new key and prefers to use that one.
>>
>> We decided just a few days ago that we will switch to use the
>> secur...@openvpn.net key for signing the officially released tarballs.
>>
>>
>>> Is 8CC2B034 the "Security mailing list GPGP key" on the "GnuPG Public
>>> Key" page [2]?
>> The proper key is:
>> pub   4096R/0x12F5F7B42F2B01E7 2017-02-09 [expires: 2027-02-07]
>> Key fingerprint = F554 A368 7412 CFFE BDEF  E0A3 12F5 F7B4 2F2B 01E7
>> uid   OpenVPN - Security Mailing List 
>>
>> Which can also be found here:
>> 
>>
>>
>>> The link on that page to that key is broken (and includes
>>> Javascript!).
>>
>> Yes!  I discovered the same issue and reported it internally a couple of
>> hours ago.  I expect it to be fixed in not too long.
>>
>
> Hi,
>
> Joomla did not seem to like the fact that file name was
> secur...@openvpn.net.key.asc. So I renamed it as security.key.asc. That
> seems to work fine.

Thanks!

> Right now the signature situation is a bit confusing, as 2.4.2 is still
> signed with my new key, and 2.3.16 is using the secur...@openvpn.net
> key. That is all documented here, though:
>
> 

OK, I get that, but the key file from the link David provided (and
which was also in his reply to the email announcing 2.3.16):

 

is not identical to the "Security mailing list GPG key" I just
downloaded from the "sig" page.

Is that a problem?

(Sorry if this is something that's common knowledge.)

Best regards,

Jon

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] security/openvpn23 tarball size mismatch

[Gert Doering]

Hi,

(let's see if I can actually mail to the folks and lists on CC: or
not :) )

On Thu, May 18, 2017 at 09:27:04AM +0200, Matthias Andree wrote:
> Upstream maintainers will need to talk about this and may need to
> release 2.3.16 to resolve any uncertainties.

Which is what we did.  Rounded up a handful of minor bugfixes, and
released a single, well-defined and well-distributed 2.3.16 tarball.

Apologies again for the mess.

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de


signature.asc
Description: PGP signature
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] Problem with sig for 2.3.16?

[Samuli Seppänen]

On 19/05/2017 17:50, David Sommerseth wrote:
> On 19/05/17 16:28, Jonathan K. Bullard wrote:
>> When I try to verify the signature on openvpn-2.3.16.tar.gz (using
>> openvpn-2.3.16.tar.gz.asc) from the "Downloads" page [1], I get the
>> following:
>>
>>  gpg: assuming signed data in `XXX/openvpn-2.3.16.tar.gz'
>>  gpg: Signature made Thu May 18 16:56:48 2017 EDT using RSA key ID 
>> 8CC2B034
>>  gpg: Can't check signature: public key not found
>>
>> The signatures on openvpn-2.3.15.tar.gz (downloaded last week) and on
>> openvpn-2.4.2.tar.gz both verify fine.
>>
>> I think this is because Samuli's new key's ID is not 8CC2B034, it is
>> 40864578 (if I understand correctly what is meant by "ID".)
> 
> Samuli have an old key (0x198D22A3, RSA-1024) and a new key (0x40864578,
> RSA-2048).  He have switched to the new key and prefers to use that one.
> 
> We decided just a few days ago that we will switch to use the
> secur...@openvpn.net key for signing the officially released tarballs.
> 
> 
>> Is 8CC2B034 the "Security mailing list GPGP key" on the "GnuPG Public
>> Key" page [2]? 
> The proper key is:
> pub   4096R/0x12F5F7B42F2B01E7 2017-02-09 [expires: 2027-02-07]
> Key fingerprint = F554 A368 7412 CFFE BDEF  E0A3 12F5 F7B4 2F2B 01E7
> uid   OpenVPN - Security Mailing List 
> 
> Which can also be found here:
> 
> 
> 
>> The link on that page to that key is broken (and includes
>> Javascript!).
> 
> Yes!  I discovered the same issue and reported it internally a couple of
> hours ago.  I expect it to be fixed in not too long.
> 

Hi,

Joomla did not seem to like the fact that file name was
secur...@openvpn.net.key.asc. So I renamed it as security.key.asc. That
seems to work fine.

Right now the signature situation is a bit confusing, as 2.4.2 is still
signed with my new key, and 2.3.16 is using the secur...@openvpn.net
key. That is all documented here, though:



-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] Problem with sig for 2.3.16?

[Jonathan K. Bullard]

When I try to verify the signature on openvpn-2.3.16.tar.gz (using
openvpn-2.3.16.tar.gz.asc) from the "Downloads" page [1], I get the
following:

 gpg: assuming signed data in `XXX/openvpn-2.3.16.tar.gz'
 gpg: Signature made Thu May 18 16:56:48 2017 EDT using RSA key ID 8CC2B034
 gpg: Can't check signature: public key not found

The signatures on openvpn-2.3.15.tar.gz (downloaded last week) and on
openvpn-2.4.2.tar.gz both verify fine.

I think this is because Samuli's new key's ID is not 8CC2B034, it is
40864578 (if I understand correctly what is meant by "ID".)

Is 8CC2B034 the "Security mailing list GPGP key" on the "GnuPG Public
Key" page [2]? The link on that page to that key is broken (and
includes Javascript!).

Best regards,

Jon

[1] https://openvpn.net/index.php/open-source/downloads.html
[2] https://openvpn.net/index.php/open-source/documentation/sig.html

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] OpenVPN 2.3.16 released

[Samuli Seppänen]

On 19/05/2017 13:46, Jonathan K. Bullard wrote:
> On Fri, May 19, 2017 at 5:29 AM, Samuli Seppänen  wrote:
>>
>> The OpenVPN community project team is proud to release OpenVPN 2.3.16.
>> It can be downloaded from here:
>>
>> 
>>
>> This is a minor release that fixes a few bugs. This release was made
>> primarily because CloudFlare managed to serve obsolete pre-release
>> OpenVPN 2.3.15 tarballs which lack a fix for CVE-2017-7478:
> 
> Were all copies of openvpn-2.3.15.tar.gz that were downloaded from the
> website pre-release versions and not the final versions, or only some?
> 
> If only some were the pre-release version, is there a way to tell if a
> tarball was the pre-release version or was the actual version? (The
> SHA256s of both would be helpful here.)
> 
> (I will release three new versions of Tunnelblick with 2.3.16 anyway;
> I'd just like to know.)
> 
> Best regards to all,
> 
> Jon Bullard
> 

Hi Jonathan,

I asked what hashes the "correct" tarballs have on #openvpn-devel a few
hours ago. I don't yet have an answer, but I'm hoping the person who
does will answer both of us :).

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] OpenSSL 1.1 patch set - status?

[Gert Doering]

Hi,

On Fri, May 19, 2017 at 12:37:17PM +0200, Emmanuel Deloget wrote:
> > I'm wondering where this got stuck - are you waiting for us to move
> > forward (like, missing review of parts of the patch set), or are we
> > waiting for you, and you've been busy?
> 
> Problem is that I'm working in a more-than-full-time manner on
> way-too-many-other subjects :)

Thanks for quickly sending us the current patch set.  Now it's on us again.

(And yes, we fully understand the "too many projects, too many complaining
customers, angry wife as well, and too little time" thing :) )


Over to Steffan now - I'm so happy that I do not have to understand
OpenSSL code... ;-)

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de


signature.asc
Description: PGP signature
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] OpenVPN 2.3.16 released

[Jonathan K. Bullard]

On Fri, May 19, 2017 at 5:29 AM, Samuli Seppänen  wrote:
>
> The OpenVPN community project team is proud to release OpenVPN 2.3.16.
> It can be downloaded from here:
>
> 
>
> This is a minor release that fixes a few bugs. This release was made
> primarily because CloudFlare managed to serve obsolete pre-release
> OpenVPN 2.3.15 tarballs which lack a fix for CVE-2017-7478:

Were all copies of openvpn-2.3.15.tar.gz that were downloaded from the
website pre-release versions and not the final versions, or only some?

If only some were the pre-release version, is there a way to tell if a
tarball was the pre-release version or was the actual version? (The
SHA256s of both would be helpful here.)

(I will release three new versions of Tunnelblick with 2.3.16 anyway;
I'd just like to know.)

Best regards to all,

Jon Bullard

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH 6/7] OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX

[Emmanuel Deloget]

OpenSSL 1.1 does not allow us to directly access the internal of
any data type, including EVP_CIPHER_CTX. We have to use the defined
functions to do so.

Compatibility with OpenSSL 1.0 is kept by defining the corresponding
functions when they are not found in the library.

Signed-off-by: Emmanuel Deloget 
---
 configure.ac |  2 ++
 src/openvpn/crypto.c |  4 ++--
 src/openvpn/crypto_backend.h | 14 ++
 src/openvpn/crypto_mbedtls.c | 13 +
 src/openvpn/crypto_openssl.c | 15 +--
 src/openvpn/openssl_compat.h | 28 
 6 files changed, 72 insertions(+), 4 deletions(-)

diff --git a/configure.ac b/configure.ac
index 9c7074d1..8a9a3ff3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -920,6 +920,8 @@ if test "${enable_crypto}" = "yes" -a 
"${with_crypto_library}" = "openssl"; then
 
AC_CHECK_FUNCS(
[ \
+   EVP_CIPHER_CTX_new \
+   EVP_CIPHER_CTX_free \
EVP_MD_CTX_new \
EVP_MD_CTX_free \
EVP_MD_CTX_reset \
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 50e6a734..893879cf 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -830,7 +830,7 @@ init_key_ctx(struct key_ctx *ctx, struct key *key,
 if (kt->cipher && kt->cipher_length > 0)
 {
 
-ALLOC_OBJ(ctx->cipher, cipher_ctx_t);
+ctx->cipher = cipher_ctx_new();
 cipher_ctx_init(ctx->cipher, key->cipher, kt->cipher_length,
 kt->cipher, enc);
 
@@ -879,7 +879,7 @@ free_key_ctx(struct key_ctx *ctx)
 if (ctx->cipher)
 {
 cipher_ctx_cleanup(ctx->cipher);
-free(ctx->cipher);
+cipher_ctx_free(ctx->cipher);
 ctx->cipher = NULL;
 }
 if (ctx->hmac)
diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
index 8f03e2ba..3a911a47 100644
--- a/src/openvpn/crypto_backend.h
+++ b/src/openvpn/crypto_backend.h
@@ -301,6 +301,20 @@ bool cipher_kt_mode_aead(const cipher_kt_t *cipher);
  */
 
 /**
+ * Allocate a new cipher context
+ *
+ * @return  a new cipher context
+ */
+cipher_ctx_t *cipher_ctx_new(void);
+
+/**
+ * Free a cipher context
+ *
+ * @param ctx   Cipher context.
+ */
+void cipher_ctx_free(cipher_ctx_t *ctx);
+
+/**
  * Initialise a cipher context, based on the given key and key type.
  *
  * @param ctx   Cipher context. May not be NULL
diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c
index d6741523..4d38aadc 100644
--- a/src/openvpn/crypto_mbedtls.c
+++ b/src/openvpn/crypto_mbedtls.c
@@ -509,6 +509,19 @@ cipher_kt_mode_aead(const cipher_kt_t *cipher)
  *
  */
 
+mbedtls_cipher_context_t *
+cipher_ctx_new(void)
+{
+mbedtls_cipher_context_t *ctx;
+ALLOC_OBJ(ctx, mbedtls_cipher_context_t);
+return ctx;
+}
+
+void
+cipher_ctx_free(mbedtls_cipher_context_t *ctx)
+{
+free(ctx);
+}
 
 void
 cipher_ctx_init(mbedtls_cipher_context_t *ctx, uint8_t *key, int key_len,
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index fd599f40..0644f1c3 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -651,6 +651,19 @@ cipher_kt_mode_aead(const cipher_kt_t *cipher)
  *
  */
 
+cipher_ctx_t *
+cipher_ctx_new(void)
+{
+EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
+check_malloc_return(ctx);
+return ctx;
+}
+
+void
+cipher_ctx_free(EVP_CIPHER_CTX *ctx)
+{
+EVP_CIPHER_CTX_free(ctx);
+}
 
 void
 cipher_ctx_init(EVP_CIPHER_CTX *ctx, uint8_t *key, int key_len,
@@ -658,8 +671,6 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, uint8_t *key, int 
key_len,
 {
 ASSERT(NULL != kt && NULL != ctx);
 
-CLEAR(*ctx);
-
 EVP_CIPHER_CTX_init(ctx);
 if (!EVP_CipherInit(ctx, kt, NULL, NULL, enc))
 {
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index 8305ec5b..d1be9d78 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -96,6 +96,34 @@ EVP_MD_CTX_new(void)
 }
 #endif
 
+#if !defined(HAVE_EVP_CIPHER_CTX_FREE)
+/**
+ * Free an existing cipher context
+ *
+ * @param ctx The cipher context
+ */
+static inline void
+EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *c)
+{
+   free(c);
+}
+#endif
+
+#if !defined(HAVE_EVP_CIPHER_CTX_NEW)
+/**
+ * Allocate a new cipher context object
+ *
+ * @returnA zero'ed cipher context object
+ */
+static inline EVP_CIPHER_CTX *
+EVP_CIPHER_CTX_new(void)
+{
+EVP_CIPHER_CTX *ctx = NULL;
+ALLOC_OBJ_CLEAR(ctx, EVP_CIPHER_CTX);
+return ctx;
+}
+#endif
+
 #if !defined(HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA)
 /**
  * Fetch the default password callback user data from the SSL context
-- 
2.11.0


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! 

[Openvpn-devel] [PATCH 3/7] OpenSSL: don't use direct access to the internal of RSA

[Emmanuel Deloget]

OpenSSL 1.1 does not allow us to directly access the internal of
any data type, including RSA. We have to use the defined
functions to do so.

Compatibility with OpenSSL 1.0 is kept by defining the corresponding
functions when they are not found in the library.

Signed-off-by: Emmanuel Deloget 
---
 configure.ac |  3 ++
 src/openvpn/openssl_compat.h | 84 
 src/openvpn/ssl_openssl.c| 24 -
 3 files changed, 103 insertions(+), 8 deletions(-)

diff --git a/configure.ac b/configure.ac
index a92e8142..e4c053c8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -929,6 +929,9 @@ if test "${enable_crypto}" = "yes" -a 
"${with_crypto_library}" = "openssl"; then
EVP_PKEY_id \
EVP_PKEY_get0_RSA \
EVP_PKEY_get0_DSA \
+   RSA_set_flags \
+   RSA_get0_key \
+   RSA_set0_key \
RSA_meth_new \
RSA_meth_free \
RSA_meth_set_pub_enc \
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index 0d82cf25..29cd13a4 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -176,6 +176,90 @@ EVP_PKEY_get0_DSA(EVP_PKEY *pkey)
 }
 #endif
 
+#if !defined(HAVE_RSA_SET_FLAGS)
+/**
+ * Set the RSA flags
+ *
+ * @param rsa The RSA object
+ * @param flags   New flags value
+ */
+static inline void
+RSA_set_flags(RSA *rsa, int flags)
+{
+if (rsa)
+{
+rsa->flags = flags;
+}
+}
+#endif
+
+#if !defined(HAVE_RSA_GET0_KEY)
+/**
+ * Get the RSA parameters
+ *
+ * @param rsa The RSA object
+ * @param n   The @c n parameter
+ * @param e   The @c e parameter
+ * @param d   The @c d parameter
+ */
+static inline void
+RSA_get0_key(const RSA *rsa, const BIGNUM **n,
+ const BIGNUM **e, const BIGNUM **d)
+{
+if (n != NULL)
+{
+*n = rsa ? rsa->n : NULL;
+}
+if (e != NULL)
+{
+*e = rsa ? rsa->e : NULL;
+}
+if (d != NULL)
+{
+*d = rsa ? rsa->d : NULL;
+}
+}
+#endif
+
+#if !defined(HAVE_RSA_SET0_KEY)
+/**
+ * Set the RSA parameters
+ *
+ * @param rsa The RSA object
+ * @param n   The @c n parameter
+ * @param e   The @c e parameter
+ * @param d   The @c d parameter
+ * @return1 on success, 0 on error
+ */
+static inline int
+RSA_set0_key(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d)
+{
+if ((rsa->n == NULL && n == NULL)
+|| (rsa->e == NULL && e == NULL))
+{
+return 0;
+}
+
+if (n != NULL)
+{
+BN_free(rsa->n);
+rsa->n = n;
+}
+if (e != NULL)
+{
+BN_free(rsa->e);
+rsa->e = e;
+}
+if (d != NULL)
+{
+BN_free(rsa->d);
+rsa->d = d;
+}
+
+return 1;
+}
+#endif
+
 #if !defined(HAVE_RSA_METH_NEW)
 /**
  * Allocate a new RSA method object
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 1c73641c..48479c0d 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -975,8 +975,8 @@ rsa_priv_dec(int flen, const unsigned char *from, unsigned 
char *to, RSA *rsa, i
 static int
 rsa_finish(RSA *rsa)
 {
-RSA_meth_free(rsa->meth);
-rsa->meth = NULL;
+const RSA_METHOD *meth = RSA_get_method(rsa);
+RSA_meth_free((RSA_METHOD *)meth);
 return 1;
 }
 
@@ -1075,8 +1075,11 @@ tls_ctx_use_external_private_key(struct tls_root_ctx 
*ctx,
 pub_rsa = EVP_PKEY_get0_RSA(pkey);
 
 /* initialize RSA object */
-rsa->n = BN_dup(pub_rsa->n);
-rsa->flags |= RSA_FLAG_EXT_PKEY;
+const BIGNUM *n = NULL;
+const BIGNUM *e = NULL;
+RSA_get0_key(pub_rsa, , , NULL);
+RSA_set0_key(rsa, BN_dup(n), BN_dup(e), NULL);
+RSA_set_flags(rsa, RSA_flags(rsa) | RSA_FLAG_EXT_PKEY);
 if (!RSA_set_method(rsa, rsa_meth))
 {
 goto err;
@@ -1677,11 +1680,16 @@ print_details(struct key_state_ssl *ks_ssl, const char 
*prefix)
 EVP_PKEY *pkey = X509_get_pubkey(cert);
 if (pkey != NULL)
 {
-if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA && EVP_PKEY_get0_RSA(pkey) 
!= NULL
-&& pkey->pkey.rsa->n != NULL)
+if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA && EVP_PKEY_get0_RSA(pkey) 
!= NULL)
 {
-openvpn_snprintf(s2, sizeof(s2), ", %d bit RSA",
- BN_num_bits(pkey->pkey.rsa->n));
+RSA *rsa = EVP_PKEY_get0_RSA(pkey);
+const BIGNUM *n = NULL;
+RSA_get0_key(rsa, , NULL, NULL);
+if (n != NULL)
+{
+openvpn_snprintf(s2, sizeof(s2), ", %d bit RSA",
+ BN_num_bits(n));
+}
  

[Openvpn-devel] [PATCH 1/7] OpenSSL: don't use direct access to the internal of X509

[Emmanuel Deloget]

OpenSSL 1.1 does not allow us to directly access the internal of
any data type, including X509. We have to use the defined
functions to do so.

In x509_verify_ns_cert_type() in particular, this means that we
cannot directly check for the extended flags to find whether the
certificate should be used as a client or as a server certificate.
We need to leverage the X509_check_purpose() API yet this API is
far stricter than the currently implemented check. So far, I have
not been able to find a situation where this stricter test fails
(although I must admit that I haven't tested that very well).

We double-check the certificate purpose using "direct access" to the
internal of the certificate object (of course, this is not a real
direct access, but we still fetch ASN1 strings within the X509 object
and we check the internal value of these strings). This allow us to
warn the user if there is a discrepancy between the X509_check_purpose()
return value and our internal, less strict check.

Compatibility with OpenSSL 1.0 is kept by defining the corresponding
functions when they are not found in the library.

Signed-off-by: Emmanuel Deloget 
---
 configure.ac |  1 +
 src/openvpn/openssl_compat.h | 15 ++
 src/openvpn/ssl_openssl.c|  3 +-
 src/openvpn/ssl_verify_openssl.c | 64 ++--
 4 files changed, 73 insertions(+), 10 deletions(-)

diff --git a/configure.ac b/configure.ac
index 7d3fce5b..9d5e340b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -922,6 +922,7 @@ if test "${enable_crypto}" = "yes" -a 
"${with_crypto_library}" = "openssl"; then
[ \
SSL_CTX_get_default_passwd_cb \
SSL_CTX_get_default_passwd_cb_userdata \
+   X509_get0_pubkey \
X509_STORE_get0_objects \
X509_OBJECT_free \
X509_OBJECT_get_type \
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index 92f014d5..29a7588c 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -74,6 +74,21 @@ SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
 }
 #endif
 
+#if !defined(HAVE_X509_GET0_PUBKEY)
+/**
+ * Get the public key from a X509 certificate
+ *
+ * @param x  X509 certificate
+ * @return   The certificate public key
+ */
+static inline EVP_PKEY *
+X509_get0_pubkey(const X509 *x)
+{
+return (x && x->cert_info && x->cert_info->key) ?
+   x->cert_info->key->pkey : NULL;
+}
+#endif
+
 #if !defined(HAVE_X509_STORE_GET0_OBJECTS)
 /**
  * Fetch the X509 object stack from the X509 store
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 645ccf51..a082c3cd 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -1070,7 +1070,8 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx,
 }
 
 /* get the public key */
-ASSERT(cert->cert_info->key->pkey); /* NULL before 
SSL_CTX_use_certificate() is called */
+EVP_PKEY *pkey = X509_get0_pubkey(cert);
+ASSERT(pkey); /* NULL before SSL_CTX_use_certificate() is called */
 pub_rsa = cert->cert_info->key->pkey->pkey.rsa;
 
 /* initialize RSA object */
diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index 9b1533bc..4785f314 100644
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -294,18 +294,20 @@ backend_x509_get_serial_hex(openvpn_x509_cert_t *cert, 
struct gc_arena *gc)
 struct buffer
 x509_get_sha1_fingerprint(X509 *cert, struct gc_arena *gc)
 {
-struct buffer hash = alloc_buf_gc(sizeof(cert->sha1_hash), gc);
-memcpy(BPTR(), cert->sha1_hash, sizeof(cert->sha1_hash));
-ASSERT(buf_inc_len(, sizeof(cert->sha1_hash)));
+const EVP_MD *sha1 = EVP_sha1();
+struct buffer hash = alloc_buf_gc(EVP_MD_size(sha1), gc);
+X509_digest(cert, EVP_sha1(), BPTR(), NULL);
+ASSERT(buf_inc_len(, EVP_MD_size(sha1)));
 return hash;
 }
 
 struct buffer
 x509_get_sha256_fingerprint(X509 *cert, struct gc_arena *gc)
 {
-struct buffer hash = alloc_buf_gc((EVP_sha256())->md_size, gc);
+const EVP_MD *sha256 = EVP_sha256();
+struct buffer hash = alloc_buf_gc(EVP_MD_size(sha256), gc);
 X509_digest(cert, EVP_sha256(), BPTR(), NULL);
-ASSERT(buf_inc_len(, (EVP_sha256())->md_size));
+ASSERT(buf_inc_len(, EVP_MD_size(sha256)));
 return hash;
 }
 
@@ -578,13 +580,57 @@ x509_verify_ns_cert_type(const openvpn_x509_cert_t 
*peer_cert, const int usage)
 }
 if (usage == NS_CERT_CHECK_CLIENT)
 {
-return ((peer_cert->ex_flags & EXFLAG_NSCERT)
-&& (peer_cert->ex_nscert & NS_SSL_CLIENT)) ? SUCCESS : FAILURE;
+/*
+ * Unfortunately, X509_check_purpose() does some wierd thing that
+ * prevent it to take a const argument
+ */
+result_t result = X509_check_purpose((X509 *)peer_cert, 

[Openvpn-devel] [PATCH 7/7] OpenSSL: don't use direct access to the internal of HMAC_CTX

[Emmanuel Deloget]

OpenSSL 1.1 does not allow us to directly access the internal of
any data type, including HMAC_CTX. We have to use the defined
functions to do so.

Compatibility with OpenSSL 1.0 is kept by defining the corresponding
functions when they are not found in the library.

Signed-off-by: Emmanuel Deloget 
---
 configure.ac |  4 +++
 src/openvpn/crypto.c |  4 +--
 src/openvpn/crypto_backend.h | 14 ++
 src/openvpn/crypto_mbedtls.c | 15 ++
 src/openvpn/crypto_openssl.c | 17 ++--
 src/openvpn/ntlm.c   | 12 
 src/openvpn/openssl_compat.h | 65 
 src/openvpn/ssl.c| 38 ++
 8 files changed, 140 insertions(+), 29 deletions(-)

diff --git a/configure.ac b/configure.ac
index 8a9a3ff3..7875c4fb 100644
--- a/configure.ac
+++ b/configure.ac
@@ -922,6 +922,10 @@ if test "${enable_crypto}" = "yes" -a 
"${with_crypto_library}" = "openssl"; then
[ \
EVP_CIPHER_CTX_new \
EVP_CIPHER_CTX_free \
+   HMAC_CTX_new \
+   HMAC_CTX_free \
+   HMAC_CTX_reset \
+   HMAC_CTX_init \
EVP_MD_CTX_new \
EVP_MD_CTX_free \
EVP_MD_CTX_reset \
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 893879cf..a80c3f7f 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -854,7 +854,7 @@ init_key_ctx(struct key_ctx *ctx, struct key *key,
 }
 if (kt->digest && kt->hmac_length > 0)
 {
-ALLOC_OBJ(ctx->hmac, hmac_ctx_t);
+ctx->hmac = hmac_ctx_new();
 hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest);
 
 msg(D_HANDSHAKE,
@@ -885,7 +885,7 @@ free_key_ctx(struct key_ctx *ctx)
 if (ctx->hmac)
 {
 hmac_ctx_cleanup(ctx->hmac);
-free(ctx->hmac);
+hmac_ctx_free(ctx->hmac);
 ctx->hmac = NULL;
 }
 ctx->implicit_iv_len = 0;
diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
index 3a911a47..3dc75ab9 100644
--- a/src/openvpn/crypto_backend.h
+++ b/src/openvpn/crypto_backend.h
@@ -584,6 +584,20 @@ void md_ctx_final(md_ctx_t *ctx, uint8_t *dst);
  */
 
 /*
+ * Create a new HMAC context
+ *
+ * @return  A new HMAC context
+ */
+hmac_ctx_t *hmac_ctx_new(void);
+
+/*
+ * Free an existing HMAC context
+ *
+ * @param  ctx   HMAC context to free
+ */
+void hmac_ctx_free(hmac_ctx_t *ctx);
+
+/*
  * Initialises the given HMAC context, using the given digest
  * and key.
  *
diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c
index 4d38aadc..f0698f61 100644
--- a/src/openvpn/crypto_mbedtls.c
+++ b/src/openvpn/crypto_mbedtls.c
@@ -841,6 +841,21 @@ md_ctx_final(mbedtls_md_context_t *ctx, uint8_t *dst)
 /*
  * TODO: re-enable dmsg for crypto debug
  */
+
+mbedtls_md_context_t *
+hmac_ctx_new(void)
+{
+mbedtls_md_context_t *ctx;
+ALLOC_OBJ(ctx, mbedtls_md_context_t);
+return ctx;
+}
+
+void
+hmac_ctx_free(mbedtls_md_context_t *ctx)
+{
+free(ctx);
+}
+
 void
 hmac_ctx_init(mbedtls_md_context_t *ctx, const uint8_t *key, int key_len,
   const mbedtls_md_info_t *kt)
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 0644f1c3..b64f7f04 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -911,6 +911,19 @@ md_ctx_final(EVP_MD_CTX *ctx, uint8_t *dst)
  *
  */
 
+HMAC_CTX *
+hmac_ctx_new(void)
+{
+HMAC_CTX *ctx = HMAC_CTX_new();
+check_malloc_return(ctx);
+return ctx;
+}
+
+void
+hmac_ctx_free(HMAC_CTX *ctx)
+{
+HMAC_CTX_free(ctx);
+}
 
 void
 hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len,
@@ -918,8 +931,6 @@ hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int 
key_len,
 {
 ASSERT(NULL != kt && NULL != ctx);
 
-CLEAR(*ctx);
-
 HMAC_CTX_init(ctx);
 HMAC_Init_ex(ctx, key, key_len, kt, NULL);
 
@@ -930,7 +941,7 @@ hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int 
key_len,
 void
 hmac_ctx_cleanup(HMAC_CTX *ctx)
 {
-HMAC_CTX_cleanup(ctx);
+HMAC_CTX_reset(ctx);
 }
 
 int
diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c
index 0c436812..4a4e8b9b 100644
--- a/src/openvpn/ntlm.c
+++ b/src/openvpn/ntlm.c
@@ -86,13 +86,13 @@ static void
 gen_hmac_md5(const char *data, int data_len, const char *key, int key_len,char 
*result)
 {
 const md_kt_t *md5_kt = md_kt_get("MD5");
-hmac_ctx_t hmac_ctx;
-CLEAR(hmac_ctx);
+hmac_ctx_t *hmac_ctx = hmac_ctx_new();
 
-hmac_ctx_init(_ctx, key, key_len, md5_kt);
-hmac_ctx_update(_ctx, (const unsigned char *)data, data_len);
-hmac_ctx_final(_ctx, (unsigned char *)result);
-hmac_ctx_cleanup(_ctx);
+hmac_ctx_init(hmac_ctx, key, key_len, md5_kt);
+hmac_ctx_update(hmac_ctx, (const unsigned char *)data, data_len);
+

[Openvpn-devel] [PATCH 5/7] OpenSSL: don't use direct access to the internal of EVP_MD_CTX

[Emmanuel Deloget]

OpenSSL 1.1 does not allow us to directly access the internal of
any data type, including EVP_MD_CTX. We have to use the defined
functions to do so.

Compatibility with OpenSSL 1.0 is kept by defining the corresponding
functions when they are not found in the library.

Signed-off-by: Emmanuel Deloget 
---
 configure.ac |  3 ++
 src/openvpn/crypto_backend.h | 14 
 src/openvpn/crypto_mbedtls.c | 12 +++
 src/openvpn/crypto_openssl.c | 18 --
 src/openvpn/httpdigest.c | 78 +++-
 src/openvpn/misc.c   | 14 
 src/openvpn/openssl_compat.h | 50 
 src/openvpn/openvpn.h|  2 +-
 src/openvpn/push.c   | 11 ---
 9 files changed, 150 insertions(+), 52 deletions(-)

diff --git a/configure.ac b/configure.ac
index d2dc1ffd..9c7074d1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -920,6 +920,9 @@ if test "${enable_crypto}" = "yes" -a 
"${with_crypto_library}" = "openssl"; then
 
AC_CHECK_FUNCS(
[ \
+   EVP_MD_CTX_new \
+   EVP_MD_CTX_free \
+   EVP_MD_CTX_reset \
SSL_CTX_get_default_passwd_cb \
SSL_CTX_get_default_passwd_cb_userdata \
X509_get0_pubkey \
diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
index 9b113d7b..8f03e2ba 100644
--- a/src/openvpn/crypto_backend.h
+++ b/src/openvpn/crypto_backend.h
@@ -508,6 +508,20 @@ int md_kt_size(const md_kt_t *kt);
 int md_full(const md_kt_t *kt, const uint8_t *src, int src_len, uint8_t *dst);
 
 /*
+ * Allocate a new message digest context
+ *
+ * @return  a new zeroed MD context
+ */
+md_ctx_t *md_ctx_new(void);
+
+/*
+ * Free an existing, non-null message digest context
+ *
+ * @param ctx   Message digest context
+ */
+void md_ctx_free(md_ctx_t *ctx);
+
+/*
  * Initialises the given message digest context.
  *
  * @param ctx   Message digest context
diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c
index 942684ce..d6741523 100644
--- a/src/openvpn/crypto_mbedtls.c
+++ b/src/openvpn/crypto_mbedtls.c
@@ -766,6 +766,18 @@ md_full(const md_kt_t *kt, const uint8_t *src, int 
src_len, uint8_t *dst)
 return 0 == mbedtls_md(kt, src, src_len, dst);
 }
 
+mbedtls_md_context_t *
+md_ctx_new(void)
+{
+mbedtls_md_context_t *ctx;
+ALLOC_OBJ_CLEAR(ctx, mbedtls_md_context_t);
+return ctx;
+}
+
+void md_ctx_free(mbedtls_md_context_t *ctx)
+{
+free(ctx);
+}
 
 void
 md_ctx_init(mbedtls_md_context_t *ctx, const mbedtls_md_info_t *kt)
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 881a2d13..fd599f40 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -42,6 +42,7 @@
 #include "integer.h"
 #include "crypto.h"
 #include "crypto_backend.h"
+#include "openssl_compat.h"
 
 #include 
 #include 
@@ -844,13 +845,24 @@ md_full(const EVP_MD *kt, const uint8_t *src, int 
src_len, uint8_t *dst)
 return EVP_Digest(src, src_len, dst, _md_len, kt, NULL);
 }
 
+EVP_MD_CTX *
+md_ctx_new(void)
+{
+EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+check_malloc_return(ctx);
+return ctx;
+}
+
+void md_ctx_free(EVP_MD_CTX *ctx)
+{
+EVP_MD_CTX_free(ctx);
+}
+
 void
 md_ctx_init(EVP_MD_CTX *ctx, const EVP_MD *kt)
 {
 ASSERT(NULL != ctx && NULL != kt);
 
-CLEAR(*ctx);
-
 EVP_MD_CTX_init(ctx);
 EVP_DigestInit(ctx, kt);
 }
@@ -858,7 +870,7 @@ md_ctx_init(EVP_MD_CTX *ctx, const EVP_MD *kt)
 void
 md_ctx_cleanup(EVP_MD_CTX *ctx)
 {
-EVP_MD_CTX_cleanup(ctx);
+EVP_MD_CTX_reset(ctx);
 }
 
 int
diff --git a/src/openvpn/httpdigest.c b/src/openvpn/httpdigest.c
index ae4a638f..2a66d9b8 100644
--- a/src/openvpn/httpdigest.c
+++ b/src/openvpn/httpdigest.c
@@ -81,27 +81,28 @@ DigestCalcHA1(
 )
 {
 HASH HA1;
-md_ctx_t md5_ctx;
+md_ctx_t *md5_ctx = md_ctx_new();
 const md_kt_t *md5_kt = md_kt_get("MD5");
 
-md_ctx_init(_ctx, md5_kt);
-md_ctx_update(_ctx, (const uint8_t *) pszUserName, 
strlen(pszUserName));
-md_ctx_update(_ctx, (const uint8_t *) ":", 1);
-md_ctx_update(_ctx, (const uint8_t *) pszRealm, strlen(pszRealm));
-md_ctx_update(_ctx, (const uint8_t *) ":", 1);
-md_ctx_update(_ctx, (const uint8_t *) pszPassword, 
strlen(pszPassword));
-md_ctx_final(_ctx, HA1);
+md_ctx_init(md5_ctx, md5_kt);
+md_ctx_update(md5_ctx, (const uint8_t *) pszUserName, strlen(pszUserName));
+md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
+md_ctx_update(md5_ctx, (const uint8_t *) pszRealm, strlen(pszRealm));
+md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
+md_ctx_update(md5_ctx, (const uint8_t *) pszPassword, strlen(pszPassword));
+md_ctx_final(md5_ctx, HA1);
 if (pszAlg && strcasecmp(pszAlg, "md5-sess") == 0)
 {
-md_ctx_init(_ctx, md5_kt);
-md_ctx_update(_ctx, 

[Openvpn-devel] [PATCH 2/7] OpenSSL: don't use direct access to the internal of EVP_PKEY

[Emmanuel Deloget]

OpenSSL 1.1 does not allow us to directly access the internal of
any data type, including EVP_PKEY. We have to use the defined
functions to do so.

Compatibility with OpenSSL 1.0 is kept by defining the corresponding
functions when they are not found in the library.

Signed-off-by: Emmanuel Deloget 
---
 configure.ac |  3 +++
 src/openvpn/openssl_compat.h | 42 ++
 src/openvpn/ssl_openssl.c|  6 +++---
 3 files changed, 48 insertions(+), 3 deletions(-)

diff --git a/configure.ac b/configure.ac
index 9d5e340b..a92e8142 100644
--- a/configure.ac
+++ b/configure.ac
@@ -926,6 +926,9 @@ if test "${enable_crypto}" = "yes" -a 
"${with_crypto_library}" = "openssl"; then
X509_STORE_get0_objects \
X509_OBJECT_free \
X509_OBJECT_get_type \
+   EVP_PKEY_id \
+   EVP_PKEY_get0_RSA \
+   EVP_PKEY_get0_DSA \
RSA_meth_new \
RSA_meth_free \
RSA_meth_set_pub_enc \
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index 29a7588c..0d82cf25 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -134,6 +134,48 @@ X509_OBJECT_get_type(const X509_OBJECT *obj)
 }
 #endif
 
+#if !defined(HAVE_EVP_PKEY_GET0_RSA)
+/**
+ * Get the RSA object of a public key
+ *
+ * @param pkeyPublic key object
+ * @returnThe underlying RSA object
+ */
+static inline RSA *
+EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
+{
+return pkey ? pkey->pkey.rsa : NULL;
+}
+#endif
+
+#if !defined(HAVE_EVP_PKEY_ID)
+/**
+ * Get the PKEY type
+ *
+ * @param pkeyPublic key object
+ * @returnThe key type
+ */
+static inline int
+EVP_PKEY_id(const EVP_PKEY *pkey)
+{
+return pkey ? pkey->type : EVP_PKEY_NONE;
+}
+#endif
+
+#if !defined(HAVE_EVP_PKEY_GET0_DSA)
+/**
+ * Get the DSA object of a public key
+ *
+ * @param pkeyPublic key object
+ * @returnThe underlying DSA object
+ */
+static inline DSA *
+EVP_PKEY_get0_DSA(EVP_PKEY *pkey)
+{
+return pkey ? pkey->pkey.dsa : NULL;
+}
+#endif
+
 #if !defined(HAVE_RSA_METH_NEW)
 /**
  * Allocate a new RSA method object
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index a082c3cd..1c73641c 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -1072,7 +1072,7 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx,
 /* get the public key */
 EVP_PKEY *pkey = X509_get0_pubkey(cert);
 ASSERT(pkey); /* NULL before SSL_CTX_use_certificate() is called */
-pub_rsa = cert->cert_info->key->pkey->pkey.rsa;
+pub_rsa = EVP_PKEY_get0_RSA(pkey);
 
 /* initialize RSA object */
 rsa->n = BN_dup(pub_rsa->n);
@@ -1677,13 +1677,13 @@ print_details(struct key_state_ssl *ks_ssl, const char 
*prefix)
 EVP_PKEY *pkey = X509_get_pubkey(cert);
 if (pkey != NULL)
 {
-if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
+if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA && EVP_PKEY_get0_RSA(pkey) 
!= NULL
 && pkey->pkey.rsa->n != NULL)
 {
 openvpn_snprintf(s2, sizeof(s2), ", %d bit RSA",
  BN_num_bits(pkey->pkey.rsa->n));
 }
-else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
+else if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA && 
EVP_PKEY_get0_DSA(pkey) != NULL
  && pkey->pkey.dsa->p != NULL)
 {
 openvpn_snprintf(s2, sizeof(s2), ", %d bit DSA",
-- 
2.11.0


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH 4/7] OpenSSL: don't use direct access to the internal of DSA

[Emmanuel Deloget]

OpenSSL 1.1 does not allow us to directly access the internal of
any data type, including DSA. We have to use the defined
functions to do so.

Compatibility with OpenSSL 1.0 is kept by defining the corresponding
functions when they are not found in the library.

Signed-off-by: Emmanuel Deloget 
---
 configure.ac |  1 +
 src/openvpn/openssl_compat.h | 28 
 src/openvpn/ssl_openssl.c| 13 +
 3 files changed, 38 insertions(+), 4 deletions(-)

diff --git a/configure.ac b/configure.ac
index e4c053c8..d2dc1ffd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -932,6 +932,7 @@ if test "${enable_crypto}" = "yes" -a 
"${with_crypto_library}" = "openssl"; then
RSA_set_flags \
RSA_get0_key \
RSA_set0_key \
+   DSA_get0_pqg \
RSA_meth_new \
RSA_meth_free \
RSA_meth_set_pub_enc \
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index 29cd13a4..fdfc4a27 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -260,6 +260,34 @@ RSA_set0_key(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d)
 }
 #endif
 
+#if !defined(HAVE_DSA_GET0_PQG)
+/**
+ * Get the DSA parameters
+ *
+ * @param dsa The DSA object
+ * @param p   The @c p parameter
+ * @param q   The @c q parameter
+ * @param g   The @c g parameter
+ */
+static inline void
+DSA_get0_pqg(const DSA *dsa, const BIGNUM **p,
+ const BIGNUM **q, const BIGNUM **g)
+{
+if (p != NULL)
+{
+*p = dsa ? dsa->p : NULL;
+}
+if (q != NULL)
+{
+*q = dsa ? dsa->q : NULL;
+}
+if (g != NULL)
+{
+*g = dsa ? dsa->g : NULL;
+}
+}
+#endif
+
 #if !defined(HAVE_RSA_METH_NEW)
 /**
  * Allocate a new RSA method object
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 48479c0d..242ab397 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -1691,11 +1691,16 @@ print_details(struct key_state_ssl *ks_ssl, const char 
*prefix)
  BN_num_bits(n));
 }
 }
-else if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA && 
EVP_PKEY_get0_DSA(pkey) != NULL
- && pkey->pkey.dsa->p != NULL)
+else if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA && 
EVP_PKEY_get0_DSA(pkey) != NULL)
 {
-openvpn_snprintf(s2, sizeof(s2), ", %d bit DSA",
- BN_num_bits(pkey->pkey.dsa->p));
+DSA *dsa = EVP_PKEY_get0_DSA(pkey);
+const BIGNUM *p = NULL;
+DSA_get0_pqg(dsa, , NULL, NULL);
+if (p != NULL)
+{
+openvpn_snprintf(s2, sizeof(s2), ", %d bit DSA",
+ BN_num_bits(p));
+}
 }
 EVP_PKEY_free(pkey);
 }
-- 
2.11.0


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] OpenSSL 1.1 patch set - status?

[Emmanuel Deloget]

Hi Gert,


On Thu, May 18, 2017 at 10:49 PM, Gert Doering  wrote:
>
> Hi Emmanuel,
>
> On Mon, Mar 27, 2017 at 05:49:48PM +0200, Emmanuel Deloget wrote:
> > I'll post my new patches as soon as I get over every issues
> > that have been talked on the ML (is that even a valid
> > sentence?)
>
> I'm wondering where this got stuck - are you waiting for us to move
> forward (like, missing review of parts of the patch set), or are we
> waiting for you, and you've been busy?

Problem is that I'm working in a more-than-full-time manner on
way-too-many-other subjects :)

> We didn't really follow up on this from our end since the CVEs and
> 2.4.2 got in the way - but I think now would be a good time to move
> ahead with this...

I have a git tree out there that I have not fully tested yet. It
compiles OK with OpenSSL 0.9.8, 1.0.0, 1.0.1, 1.0.2 and 1.1.0 but I
haven't checked the behavior.

The main difference with the previous version of the patch is the way
the certificate purpose is checked.

A) we do a fairly full check of the purpose using
X509_check_purpose(). This check is harder that the previous version

B) if that fails, we check for the certificate purpose using a lighter
method which is strictly equivalent to what was done before (it uses
X509_get_ext_d2i() to fetch the certificate type from within the
certificate).

The branch is available for viewing on github at
https://github.com/emmanuel-deloget/openvpn/tree/openssl-1.1-v6.

The followup emails contains the 7 patches which are needed to finish the work.

BR,

-- Emmanuel Deloget

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] OpenVPN 2.3.16 released

[Samuli Seppänen]

The OpenVPN community project team is proud to release OpenVPN 2.3.16.
It can be downloaded from here:



This is a minor release that fixes a few bugs. This release was made
primarily because CloudFlare managed to serve obsolete pre-release
OpenVPN 2.3.15 tarballs which lack a fix for CVE-2017-7478:



The official OpenVPN 2.3.15 Windows installers have the fix.
Nevertheless, you are advised to upgrade your OpenVPN installations to
2.3.16 or 2.4.2.

A summary of the changes is available here:



A full list of changes is available here:



NOTE: The GPG key used to sign release files has changed:



For generic help use these support channels:

Official documentation:

Wiki: 
Forums: 
User mailing list: 
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and wiki: 
Developer mailing list: 
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires
Freenode registration)

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



0x40864578.asc
Description: application/pgp-keys
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] Please check the 2.3.15 downloads

[Gert Doering]

Hi,

On Fri, May 19, 2017 at 10:22:24AM +0200, Simon Matter wrote:
> I'm not sure what the correct 2.3.15 tarball is.
> 
> The one available from
> https://openvpn.net/index.php/open-source/downloads.html doesn't have the
> CVE-2017-7478 included.
> 
> Isn't there still something wrong there?

2.3.16 will be released today, to ensure there is exactly *one* tarball
out there with that version number plus GPG signature.

Apologies for the 2.3.15 mishap (and thanks to Mathias Andree for raising
this issue yesterday already).

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de


signature.asc
Description: PGP signature
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] Please check the 2.3.15 downloads

[Simon Matter]

Hi,

I'm not sure what the correct 2.3.15 tarball is.

The one available from
https://openvpn.net/index.php/open-source/downloads.html doesn't have the
CVE-2017-7478 included.

Isn't there still something wrong there?

Thanks,
Simon


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel