Re: [Openvpn-devel] IRC community meeting summary (Feb 14th)
Hi,

On Wednesday, 14 February 2024 at 15:22, Frank Lichtenheld wrote:
> Meeting summary for 14 February 2024:
> * New: Easy-rsa in Windows installers
> easy-rsa has included pre-built Windows binaries for a long time. But with
> Windows 11 they do not seem to work correctly anymore in some cases.

Just to clarify: Easy-RSA works perfectly as-is on W10 & W11 but requires Windows Admin access. Without Windows Admin access, Easy-RSA on W11 does not work with the now 10-year-old MKSH:sh.exe. This is annoying but it isn't a complete deal-breaker.

Regards
tct

___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] IRC community meeting summary (Feb 14th)
Meeting summary for 14 February 2024:

* *Updated: Pending Buildbot PRs*
  https://github.com/OpenVPN/openvpn-buildbot/pull/33 (Add license file)
  https://github.com/OpenVPN/openvpn-buildbot/pull/31 (changeFilter)
  https://github.com/OpenVPN/openvpn-buildbot/pull/32 (smoketest)
  /#33 has been merged. #32 has been merged; it was required to reset the buildbot database to get it working. #31 still pending./

* *New: Debian snapshot packages*
  Buildbot builds Debian packages, but they are not stored or even published anywhere.
  /mattock will work on this and produce a PoC. Looking into aptly. The current freight setup used for official releases on build.openvpn.net is old and limited./

* *Updated: Wiki migration*
  /Consensus seems to be that we should continue with Wiki.js. mattock will continue work on the PoCs and let djpig/uddr know when he is ready to move into the actual community infrastructure./

* *Updated: Server Side Testing*
  /No updates. Still not agreed on a meeting./

* *New: Easy-rsa in Windows installers*
  easy-rsa has included pre-built Windows binaries for a long time. But with Windows 11 they do not seem to work correctly anymore in some cases. There is a plan to switch to a current version of busybox.exe instead. But the required changes to the Windows installer raise the question of whether it is actually worth the effort. Does anyone use the included easy-rsa on Windows?
  /Decided to ask on the openvpn-users ml and forums if people really care about easy-rsa in the Windows installers. Depending on the feedback we might drop it from the installer./

* *Closed: 2.6.9*
  /Release was done on Monday./

Regards,
--
Frank Lichtenheld
[Openvpn-devel] [PATCH v3] Implement support for AEAD tag at the end
From: Arne Schwabe

Using the AEAD tag at the end is the standard way of doing AEAD. Several APIs even only support the tag at the end (e.g. mbed TLS).

Having the tag at the front or end makes no difference for security but allows streaming HW implementations like NICs to be much more efficient as they do not need to buffer a whole packet content and encrypt it to finally write the tag but instead just add the calculated tag at the end of processing.

Change-Id: I00821d75342daf3f813b829812d648fe298bea81
Signed-off-by: Arne Schwabe
Acked-by: Frank Lichtenheld
---

This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/506
This mail reflects revision 3 of this Change.

Acked-by according to Gerrit (reflected above):
Frank Lichtenheld

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 2fca131..9988ebe 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -104,14 +104,10 @@ ASSERT(cipher_ctx_reset(ctx->cipher, iv)); } -/* Reserve space for authentication tag */ -mac_out = buf_write_alloc(, mac_len); -ASSERT(mac_out); - dmsg(D_PACKET_CONTENT, "ENCRYPT FROM: %s", format_hex(BPTR(buf), BLEN(buf), 80, )); /* Buffer overflow check */ -if (!buf_safe(, buf->len + cipher_ctx_block_size(ctx->cipher))) +if (!buf_safe(, buf->len + mac_len + cipher_ctx_block_size(ctx->cipher))) { msg(D_CRYPT_ERRORS, "ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d", 
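Review bot: with the tag no longer reserved up front, the buf_safe() check in this hunk has to cover mac_len as well, which the new condition (`buf->len + mac_len + cipher_ctx_block_size(ctx->cipher)`) does; the diagnostic printed on failure (`"ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d"`) still reports only buffer capacity, offset and length, so consider adding mac_len to it, otherwise a size failure in tag-at-the-end mode cannot be told apart from a block-size problem in the log.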
@@ -121,9 +117,16 @@ } /* For AEAD ciphers, authenticate Additional Data, including opcode */ -ASSERT(cipher_ctx_update_ad(ctx->cipher, BPTR(), BLEN() - mac_len)); +ASSERT(cipher_ctx_update_ad(ctx->cipher, BPTR(), BLEN())); dmsg(D_PACKET_CONTENT, "ENCRYPT AD: %s", - format_hex(BPTR(), BLEN() - mac_len, 0, )); + format_hex(BPTR(), BLEN(), 0, )); + +if (!(opt->flags & CO_AEAD_TAG_AT_THE_END)) +{ +/* Reserve space for authentication tag */ +mac_out = buf_write_alloc(, mac_len); +ASSERT(mac_out); +} /* Encrypt packet ID, payload */ ASSERT(cipher_ctx_update(ctx->cipher, BEND(), , BPTR(buf), BLEN(buf))); @@ -133,6 +136,14 @@ ASSERT(cipher_ctx_final(ctx->cipher, BEND(), )); ASSERT(buf_inc_len(, outlen)); +/* if the tag is at end the end, allocate it now */ +if (opt->flags & CO_AEAD_TAG_AT_THE_END) +{ +/* Reserve space for authentication tag */ +mac_out = buf_write_alloc(, mac_len); +ASSERT(mac_out); +} + /* Write authentication tag */ ASSERT(cipher_ctx_get_tag(ctx->cipher, mac_out, mac_len)); @@ -353,7 +364,6 @@ static const char error_prefix[] = "AEAD Decrypt error"; struct packet_id_net pin = { 0 }; const struct key_ctx *ctx = >key_ctx_bi.decrypt; -uint8_t *tag_ptr = NULL; int outlen; struct gc_arena gc; 
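Review bot: in the hunk at @@ -121,9 +117,16 @@, mac_out is now assigned in one of two mutually exclusive branches (here when CO_AEAD_TAG_AT_THE_END is clear, and in the following hunk after cipher_ctx_final() when it is set) and is later dereferenced by cipher_ctx_get_tag(); the declaration is outside the hunk, so please confirm it is initialised to NULL at declaration, otherwise compilers may report it as maybe-uninitialised. The AD now covers the whole header (`BLEN()` instead of `BLEN() - mac_len`), which is right because the tag is no longer part of that buffer at this point; a one-line comment saying so would help anyone comparing against the old code.

Review bot: in the hunk at @@ -133,6 +136,14 @@, the new comment `/* if the tag is at end the end, allocate it now */` has a duplicated word and should read `/* if the tag is at the end, allocate it now */`. The `/* Reserve space for authentication tag */` block is now duplicated verbatim in both branches; since only its position differs, a short comment on why the allocation must happen after cipher_ctx_final() and buf_inc_len() in this branch would keep the two copies from drifting apart.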
@@ -406,19 +416,29 @@ /* keep the tag value to feed in later */ const int tag_size = OPENVPN_AEAD_TAG_LENGTH; -if (buf->len < tag_size) +if (buf->len < tag_size + 1) { -CRYPT_ERROR("missing tag"); +CRYPT_ERROR("missing tag or no payload"); } -tag_ptr = BPTR(buf); -ASSERT(buf_advance(buf, tag_size)); + +const int ad_size = BPTR(buf) - ad_start; + +uint8_t *tag_ptr = NULL; +int data_len = 0; + +if (opt->flags & CO_AEAD_TAG_AT_THE_END) +{ +data_len = BLEN(buf) - tag_size; +tag_ptr = BPTR(buf) + data_len; +} +else +{ +tag_ptr = BPTR(buf); +ASSERT(buf_advance(buf, tag_size)); +data_len = BLEN(buf); +} + dmsg(D_PACKET_CONTENT, "DECRYPT MAC: %s", format_hex(tag_ptr, tag_size, 0, )); - -if (buf->len < 1) -{ -CRYPT_ERROR("missing payload"); -} - dmsg(D_PACKET_CONTENT, "DECRYPT FROM: %s", format_hex(BPTR(buf), BLEN(buf), 0, )); /* Buffer overflow check (should never fail) */ @@ -427,20 +447,19 @@ CRYPT_ERROR("potential buffer overflow"); } -{ -/* feed in tag and the authenticated data */ -const int ad_size = BPTR(buf) - ad_start - tag_size; -ASSERT(cipher_ctx_update_ad(ctx->cipher, ad_start, ad_size)); -dmsg(D_PACKET_CONTENT, "DECRYPT AD: %s", - format_hex(BPTR(buf) - ad_size - tag_size, ad_size, 0, )); -} + +/* feed in tag and the authenticated data */ +ASSERT(cipher_ctx_update_ad(ctx->cipher, ad_start, ad_size)); +dmsg(D_PACKET_CONTENT, "DECRYPT AD: %s", + format_hex(ad_start, ad_size, 0, )); /* Decrypt and authenticate packet */ if (!cipher_ctx_update(ctx->cipher, BPTR(), , BPTR(buf), - BLEN(buf))) + data_len)) { CRYPT_ERROR("cipher update failed"); } + ASSERT(buf_inc_len(, outlen)); if (!cipher_ctx_final_check_tag(ctx->cipher,
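Review bot: in the hunk at @@ -406,19 +416,29 @@, the CO_AEAD_TAG_AT_THE_END branch does not advance buf, so BLEN(buf) still includes the tag bytes; the `"DECRYPT FROM: %s"` dmsg directly below prints `format_hex(BPTR(buf), BLEN(buf), 0, ...)` and will therefore dump the tag as if it were ciphertext in that mode, while the other branch prints only the payload. Suggest printing data_len instead of BLEN(buf) there so both modes log the same thing. Computing ad_size before the branch is correct, and the `buf->len < tag_size + 1` check above guarantees data_len is at least 1 in the tag-at-the-end case, so that ordering should stay as it is.

Review bot: in the hunk at @@ -427,20 +447,19 @@, the comment `/* feed in tag and the authenticated data */` is now misleading: only the AD is passed to cipher_ctx_update_ad() here, and the tag is verified later by cipher_ctx_final_check_tag(); suggest `/* feed in the authenticated data */`. Using data_len instead of BLEN(buf) in cipher_ctx_update() is the essential change for tag-at-the-end decryption; the hunk is cut off before the final-check call in this copy, so reviewers should confirm that tag_ptr (BPTR(buf) + data_len in that mode) is what gets passed to cipher_ctx_final_check_tag() and that the buffer length is trimmed to exclude the tag afterwards.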
[Openvpn-devel] [M] Change in openvpn[master]: t_client.sh: Allow to skip tests
Attention is currently required from: plaisthos.

Hello plaisthos,

I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/521?usp=email to look at the new patch set (#2).

Change subject: t_client.sh: Allow to skip tests
..

t_client.sh: Allow to skip tests

Individual tests can define a script to run to test whether they should be skipped.

Included in this commit is an example check which checks whether we can do NTLM checks. This fails e.g. on recent versions of Fedora with mbedTLS (tested with Fedora 39) or when NTLM support is not compiled in.

v2:
- ntlm_support:
  - support OpenSSL 3
  - allow to build without cmocka

Change-Id: I13ea6752c8d102eabcc579e391828c05d5322899
Signed-off-by: Frank Lichtenheld
---
M src/openvpn/error.h
M tests/Makefile.am
A tests/ntlm_support.c
M tests/t_client.sh.in
M tests/unit_tests/openvpn/mock_msg.c
5 files changed, 94 insertions(+), 1 deletion(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/21/521/2

diff --git a/src/openvpn/error.h b/src/openvpn/error.h index 1225b13..0ef3263 100644 --- a/src/openvpn/error.h +++ b/src/openvpn/error.h @@ -33,6 +33,9 @@ #if _WIN32 #include +#else +/* for _exit() */ +#include #endif /* #define ABORT_ON_ERROR */ diff --git a/tests/Makefile.am b/tests/Makefile.am index b3b2d74..13a1013 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -19,6 +19,8 @@ if !WIN32 test_scripts = t_client.sh t_lpback.sh t_cltsrv.sh + +check_PROGRAMS = ntlm_support if HAVE_SITNL test_scripts += t_net.sh endif 
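Review bot: in the src/openvpn/error.h hunk, the new `#else` branch adds a system header to error.h on every non-Windows build solely so that `_exit()` is declared (per the comment `/* for _exit() */`), but error.h is pulled in by nearly every source file; if the only consumer is the mocked msg() path in tests/unit_tests/openvpn/mock_msg.c (one of the five files in this change), the include belongs in that file rather than in a core header.

Review bot: in the tests/Makefile.am hunk at @@ -19,6 +19,8 @@, `check_PROGRAMS = ntlm_support` is a plain assignment inside the `if !WIN32` block; if check_PROGRAMS is set anywhere else in this Makefile.am it would be overridden, so `+=` may be the safer form, and a short comment stating that ntlm_support is a helper invoked from t_client.sh rather than a test in its own right would explain why it is not added to test_scripts.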
@@ -36,3 +38,15 @@ dist_noinst_DATA = \ t_client.rc-sample + +ntlm_support_CFLAGS = -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat -I$(top_srcdir)/tests/unit_tests/openvpn -DNO_CMOCKA @TEST_CFLAGS@ +ntlm_support_LDFLAGS = @TEST_LDFLAGS@ -L$(top_srcdir)/src/openvpn $(OPTIONAL_CRYPTO_LIBS) +ntlm_support_SOURCES = ntlm_support.c \ + unit_tests/openvpn/mock_msg.c unit_tests/openvpn/mock_msg.h \ + $(top_srcdir)/src/openvpn/buffer.c \ + $(top_srcdir)/src/openvpn/crypto.c \ + $(top_srcdir)/src/openvpn/crypto_openssl.c \ + $(top_srcdir)/src/openvpn/crypto_mbedtls.c \ + $(top_srcdir)/src/openvpn/otime.c \ + $(top_srcdir)/src/openvpn/packet_id.c \ + $(top_srcdir)/src/openvpn/platform.c diff --git a/tests/ntlm_support.c b/tests/ntlm_support.c new file mode 100644 index 000..8d81257 --- /dev/null +++ b/tests/ntlm_support.c 
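Review bot: in the tests/Makefile.am hunk at @@ -36,3 +38,15 @@, `ntlm_support_LDFLAGS` uses `-L$(top_srcdir)/src/openvpn`, but in an out-of-tree build compiled objects live under the build directory, not the source directory; since every needed .c file is compiled into the program via ntlm_support_SOURCES anyway, the `-L` is probably unnecessary, and if something does need to be found there it should use `$(top_builddir)`. Listing both crypto_openssl.c and crypto_mbedtls.c in SOURCES only works because each file is guarded internally by its ENABLE_CRYPTO_* macro; a comment saying so would save the next reader a detour. `-DNO_CMOCKA` is a new macro, and the mock_msg.c hunk that honours it is not shown here, so reviewers should confirm that file checks it.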
@@ -0,0 +1,51 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2023 OpenVPN Inc + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "syshead.h" + +#include "crypto.h" + +int +main(void) +{ +#if defined(ENABLE_CRYPTO_OPENSSL) +crypto_load_provider("legacy"); +crypto_load_provider("default"); +#endif +#ifdef NTLM +if (!md_valid("MD4")) +{ +msg(M_FATAL, "MD4 not supported"); +} +if (!md_valid("MD5")) +{ +msg(M_FATAL, "MD5 not supported"); +} +#else /* ifdef NTLM */ +msg(M_FATAL, "NTLM support not compiled in"); +#endif +} diff --git a/tests/t_client.sh.in b/tests/t_client.sh.in index 99e6f9c..7be1c8e 100755 --- a/tests/t_client.sh.in +++ b/tests/t_client.sh.in @@ -291,12 +291,14 @@ # main test loop # -- SUMMARY_OK= +SUMMARY_SKIP= SUMMARY_FAIL= for SUF in $TEST_RUN_LIST do # get config variables eval test_prep=\"\$PREPARE_$SUF\" +eval test_check_skip=\"\$SKIP_$SUF\" eval test_postinit=\"\$POSTINIT_CMD_$SUF\" eval test_cleanup=\"\$CLEANUP_$SUF\" eval test_run_title=\"\$RUN_TITLE_$SUF\" 
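Review bot: in the new tests/ntlm_support.c, main() relies on msg(M_FATAL, ...) to terminate with a non-zero status on every failure path and otherwise falls off the end of the function; an explicit `return 0;` after the final `#endif` makes the success path visible and avoids depending on the implicit return for main(). The copyright line reads 2023 while the change is dated 2024, and a one-line comment above main() noting that the program is run by t_client.sh as a skip check (exit status is the result) would document its purpose.

Review bot: in the tests/t_client.sh.in hunk at @@ -291,12 +291,14 @@, the per-test `SKIP_$SUF` variable is introduced alongside PREPARE_/POSTINIT_CMD_/CLEANUP_/RUN_TITLE_, but tests/t_client.rc-sample (listed in dist_noinst_DATA in the Makefile.am hunk and not among the five files in this change) is where those variables are documented for users; please add a SKIP_ example there, including the convention that a failing check command means the test is skipped. `SUMMARY_SKIP=` is initialised next to SUMMARY_OK and SUMMARY_FAIL; make sure the final summary output later in the script prints it too.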
@@ -318,6 +320,15 @@ output_start "### test run $SUF: '$test_run_title' ###" fail_count=0 +if [ -n "$test_check_skip" ]; then +output "check whether we need to skip: '$test_check_skip'" +eval $test_check_skip || { +output "skip check failed, SKIP test $SUF." + SUMMARY_SKIP="$SUMMARY_SKIP $SUF" + echo
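Review bot: in the tests/t_client.sh.in hunk at @@ -318,6 +320,15 @@, `eval $test_check_skip` is unquoted, consistent with the existing evals above it, but since the check command's exit status alone decides the outcome, its stdout and stderr will be interleaved into the test log; consider redirecting them or documenting that they are expected. The message `"skip check failed, SKIP test $SUF."` reads as if something went wrong, whereas a failing check is the intended way to request a skip; `"skip check indicates test $SUF should be skipped"` would be clearer. The hunk ends mid-block in this copy, so whether the `|| { ... }` group finishes with a `continue` that prevents the test body from running cannot be reviewed here.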
[Openvpn-devel] [M] Change in openvpn[master]: Print SSL peer signature information in handshake debug details
plaisthos has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/365?usp=email )

Change subject: Print SSL peer signature information in handshake debug details
..

Patch Set 10:

(1 comment)

File src/openvpn/ssl_openssl.c:

http://gerrit.openvpn.net/c/openvpn/+/365/comment/14a073b2_79023368 :
PS8, Line 2225: * linking with an unresolved symbol */
> Yeah, as noted in the GitHub issue I found the reason. […]
I made the check to be >= LibreSSL as they promised to have this in 3.9.0

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/365?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ib5fc0c4b8f164596681ac5ad73002068ec6de1e5
Gerrit-Change-Number: 365
Gerrit-PatchSet: 10
Gerrit-Owner: plaisthos
Gerrit-Reviewer: flichtenheld
Gerrit-CC: openvpn-devel
Gerrit-Comment-Date: Wed, 14 Feb 2024 12:03:20 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: plaisthos
Comment-In-Reply-To: flichtenheld
Gerrit-MessageType: comment