[Openvpn-devel] Summary of the community meeting (13th February 2020)

2020-02-13 Thread Samuli Seppänen
Hi, Here's the summary of the IRC meeting. --- COMMUNITY MEETING Place: #openvpn-meeting on irc.freenode.net Date: Thu 13th February 2020 Time: 20:00 CET (19:00 UTC) Planned meeting topics for this meeting were here: Your local

[Openvpn-devel] [PATCH applied] Re: Allow unicode search string in --cryptoapicert option

2020-02-13 Thread Gert Doering
Your patch has been applied to the master branch. Same as for the other patch, no review, just MinGW test build (passes). commit aa6affe6df811db11577847366a569def0a3e314 Author: Selva Nair Date: Wed Feb 12 10:06:07 2020 -0500 Allow unicode search string in --cryptoapicert option

[Openvpn-devel] [PATCH applied] Re: Skip expired certificates in Windows certificate store

2020-02-13 Thread Gert Doering
Your patch has been applied to the master branch. Haven't done any real testing, just test build on MinGW (to have "the other build environment"). Passes :-) commit 7b63984d51a2582ba2d406e46a7debb11df7f478 Author: Selva Nair Date: Wed Feb 12 10:06:06 2020 -0500 Skip expired certificates

[Openvpn-devel] [PATCH applied] Re: cryptoapi.c: fix run-time check failure in msvc debugger

2020-02-13 Thread Gert Doering
Your patch has been applied to the master branch. (No testing done, but this is syntactically correct and does what it says on the tin) commit e84f430f8487cf42304fe29fd8746a91309b08d0 Author: Lev Stipakov Date: Thu Feb 13 11:55:39 2020 +0200 cryptoapi.c: fix run-time check failure in

[Openvpn-devel] [PATCH applied] Re: configure.ac: simplify AC_CHECK_FUNCS statements

2020-02-13 Thread Gert Doering
Your patch has been applied to the master branch. Very lightly tested with FreeBSD and Linux builds with mbedtls/openssl "it builds and tests" (no idea if it produces the right result for the relevant library versions). commit 91d84530d7eb24718b99478ebac6ba40b0615b28 Author: Lev Stipakov Date:

Re: [Openvpn-devel] [PATCH v4 2/2] Allow unicode search string in --cryptoapicert option

2020-02-13 Thread Lev Stipakov
Build and tested on Windows 10 - a cert with non-ASCII chars (äää) got picked. Acked-by: Lev Stipakov ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH v4 2/2] Add unit tests for engine keys

2020-02-13 Thread Arne Schwabe
On 10.02.18 at 23:50, James Bottomley wrote: > Testing engines is problematic, so one of the prerequisites built for > the tests is a simple openssl engine that reads a non-standard PEM > guarded key. The test is simply can we run a client/server > configuration with the usual sample key

Re: [Openvpn-devel] [PATCH] cryptoapi.c: fix run-time check failure in msvc debugger

2020-02-13 Thread Selva Nair
Hi, On Thu, Feb 13, 2020 at 4:57 AM Lev Stipakov wrote: > > From: Lev Stipakov > > When using certificate without RSA_PKCS1_PSS_PADDING padding, > "saltlen" is passed uninitialized to priv_enc_CNG(), which causes > > > Run-Time Check Failure #3 - The variable 'saltlen' is being used without >

Re: [Openvpn-devel] [PATCH] Add a warning for disabled DHCP media sense on Window

2020-02-13 Thread Arne Schwabe
On 14.03.18 at 17:17, Selva Nair wrote: > Hi, > > On Wed, Mar 14, 2018 at 3:32 AM, Jiří Engelthaler wrote: >> Hi. >> You're right. Disabled dhcp media sense can be set as global for all >> interfaces or in adapter specific setting if it supports it (TAP supports >> it). >> But for most users is

Re: [Openvpn-devel] [PATCH 4/4] Normalise ncp-ciphers option and restrict it to 127 bytes

2020-02-13 Thread Arne Schwabe
On 13.02.20 at 13:34, Lev Stipakov wrote: > Hi, > > On Sun, 17 Nov 2019 at 20:13, Arne Schwabe (a...@rfc2549.org > ) wrote: >> >> -        if (!cipher_kt_get(translate_cipher_name_from_openvpn(token))) >> +        /* translate_cipher_name_from_openvpn also

Re: [Openvpn-devel] [PATCH 2/4] Implement dynamic NCP negotiation

2020-02-13 Thread Arne Schwabe
On 13.02.20 at 12:45, Lev Stipakov wrote: > Hi, > > On Sun, 17 Nov 2019 at 20:13, Arne Schwabe (a...@rfc2549.org > ) wrote: > >> +#include "ssl_ncp.h" > > this file is missing from this patch. > >> +    const char *token = strsep(_ciphers, ":"); > > This breaks

Re: [Openvpn-devel] [PATCH 5/4] Add ncp files to Visual studio print

2020-02-13 Thread Arne Schwabe
On 18.11.19 at 09:45, Arne Schwabe wrote: > On 17.11.19 at 22:23, Arne Schwabe wrote: >> Signed-off-by: Arne Schwabe >> --- >> src/openvpn/openvpn.vcxproj | 2 ++ >> 1 file changed, 2 insertions(+) >> >> diff --git a/src/openvpn/openvpn.vcxproj b/src/openvpn/openvpn.vcxproj >> index

[Openvpn-devel] [PATCH v2 4/5] Normalise ncp-ciphers option and restrict it to 127 bytes

2020-02-13 Thread Arne Schwabe
In scenarios of mbed TLS vs OpenSSL we already normalise the ciphers that are sent via the wire protocol via OCC to not have a mismatch warning between server and client. This is done by translate_cipher_name_from_openvpn. The same applies also to the ncp-ciphers list. Specifying non normalised

[Openvpn-devel] [PATCH v2 3/5] Move NCP related function into a seperate file and add unit tests

2020-02-13 Thread Arne Schwabe
This allows unit testing the NCP functions. The ssl.c file has too many dependencies to make unit testing of it viable. Patch V2: Removing the include "ssl_ncp.h" from options.c for V2 of implement dynamic NCP forces a new version of this patch to add the #include in this patch.

[Openvpn-devel] [PATCH v2 2/5] Implement dynamic NCP negotiation

2020-02-13 Thread Arne Schwabe
Our current NCP version is flawed in the way that it can only indicate support for AES-256-GCM and AES-128-GCM. While configuring client and server with different ncp-cipher configuration directive works, the server will blindly push the first cipher of that list to the client if the client sends

Re: [Openvpn-devel] [PATCH 4/4] Normalise ncp-ciphers option and restrict it to 127 bytes

2020-02-13 Thread Lev Stipakov
Hi, On Sun, 17 Nov 2019 at 20:13, Arne Schwabe (a...@rfc2549.org) wrote: > > -if (!cipher_kt_get(translate_cipher_name_from_openvpn(token))) > +/* translate_cipher_name_from_openvpn also normalises the cipher name, > + * e.g. replacing AeS-128-gCm with AES-128-GCM > +

Re: [Openvpn-devel] [PATCH 2/4] Implement dynamic NCP negotiation

2020-02-13 Thread Lev Stipakov
Hi, On Sun, 17 Nov 2019 at 20:13, Arne Schwabe (a...@rfc2549.org) wrote: > +#include "ssl_ncp.h" this file is missing from this patch. > +const char *token = strsep(_ciphers, ":"); This breaks on Windows. Could you send v2 with strsep-compat and removed header (which is introduced

[Openvpn-devel] [PATCH v2 1/4] Only announce IV_NCP=2 when we are willing to support these ciphers

2020-02-13 Thread Arne Schwabe
We currently always announce IV_NCP=2 when we support these ciphers even when we do not accept them. This leads to a server pushing an AES-GCM-128 cipher to clients and the client then rejecting it. Patch V2: Remove unnecessary restoring of ncp_ciphers Signed-off-by: Arne Schwabe ---

[Openvpn-devel] [PATCH] cryptoapi.c: fix run-time check failure in msvc debugger

2020-02-13 Thread Lev Stipakov
From: Lev Stipakov When using certificate without RSA_PKCS1_PSS_PADDING padding, "saltlen" is passed uninitialized to priv_enc_CNG(), which causes > Run-Time Check Failure #3 - The variable 'saltlen' is being used without > being initialized. in VS debugger. Initialize saltlen (and other

Re: [Openvpn-devel] [PATCH] configure.ac: simplify AC_CHECK_FUNCS statements

2020-02-13 Thread Arne Schwabe
On 21.01.20 at 09:08, Lev Stipakov wrote: > From: Lev Stipakov > > AC_CHECK_FUNCS checks availability of each function > in argument list and defines HAVE_function macro. > AC_CHECK_FUNC takes single function as an argument and > doesn't automatically define any macros. > > When we check for

Re: [Openvpn-devel] [PATCH v2] travis-ci: add arm64, s390x builds.

2020-02-13 Thread Arne Schwabe
On 03.02.20 at 10:59, Илья Шипицин wrote: > > > Mon, 3 Feb 2020 at 14:51, Steffan Karger > mailto:steffan.kar...@foxcrypto.com>>: > > On 03-02-2020 09:04, Илья Шипицин wrote: > > also, ARM64 builds are flaky. maybe we should add them as > allow_failures. > > What is flaky

Re: [Openvpn-devel] [PATCH v4 1/2] Skip expired certificates in Windows certificate store

2020-02-13 Thread Lev Stipakov
Built and tested with MSVC on Windows 10 - code skips expired certificate and picks valid one. Tested that code doesn't explode if --cryptoapicert has unsupported value. Acked-by: Lev Stipakov