Hi,
On Fri, Apr 22, 2022 at 03:40:33PM +0200, Arne Schwabe wrote:
> +/**
> + * Move a packet authentication HMAC + related fields to or from the front
> + * of the buffer so it can be processed by encrypt/decrypt.
> + *
> + * Turning the on wire format that starts with the opcode to a format
> +
Acked-by: Gert Doering
trivial enough :-) - lightly tested.
Your patch has been applied to the master branch.
commit b372463931ed706005214c61ffeb75ff313bee22
Author: Arne Schwabe
Date: Fri Apr 22 16:29:35 2022 +0200
Remove EXPONENTIAL_BACKOFF define
Acked-by: Gert Doering
Signed-off-by: Arne Schwabe
---
src/openvpn/ssl.c | 22 ++
1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 4ebf5acc2..f58f3b727 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1366,10 +1366,7 @@
This changes this macro to a better named inline function. This
introduces a slight whitespace problem but the next refactoring will
move the incorrectly indented block to its own function anyway.
---
src/openvpn/ssl.c | 100 ++
1 file changed, 57
Acked-by: Gert Doering
Trivial enough. Single caller, constant argument ("true"), away it goes.
Only lightly tested.
Your patch has been applied to the master branch.
commit 911224dbac0f11bb22e007db0ae424e864489ef8
Author: Arne Schwabe
Date: Fri Apr 22 15:40:38 2022 +0200
Remove
> Arne Schwabe hat am 22.04.2022 15:40 geschrieben:
> diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c
> index 4fbe3c1a3..910268333 100644
> --- a/src/openvpn/mudp.c
> +++ b/src/openvpn/mudp.c
> @@ -39,6 +39,20 @@
> #include
> #endif
>
> +static bool
> +do_pre_decrypt_check(struct
Acked-by: Gert Doering
Trivial enough, and indeed, this sort of test code is better suited
in the cmocka unit tests nowadays than compiling a special openvpn
binary... have not tested it, just verified that only stuff between
#ifdef PID_TEST ... #endif gets ripped out.
Your patch has been
While calling this wrapper function is strictly more correct, these
indirection layers with tiny wrappers make the code more complex and
go through more layers than it really needs to.
Signed-off-by: Arne Schwabe
---
src/openvpn/init.c | 2 +-
src/openvpn/ssl.c | 14 +-
This implements creating a reset packet without needing to set up a full control
session.
---
src/openvpn/packet_id.h | 15 ++
src/openvpn/ssl.h | 6 ---
src/openvpn/ssl_pkt.c | 34 +++-
src/openvpn/ssl_pkt.h | 19 +++
Hi,
Sorry for the long delay in getting back to this..
On Tue, Feb 22, 2022 at 9:13 AM Lev Stipakov wrote:
> From: Lev Stipakov
>
> We use M_ERRNO flag in logging to display error code
> and error message. This has been broken on Windows,
> where we use error code from GetLastError() and
>
---
tests/unit_tests/openvpn/Makefile.am | 5 +-
tests/unit_tests/openvpn/mock_get_random.c | 10
tests/unit_tests/openvpn/test_packet_id.c | 55 ++
3 files changed, 69 insertions(+), 1 deletion(-)
diff --git a/tests/unit_tests/openvpn/Makefile.am
This currently tests the existing functionality of test_tls_decrypt_lite
to check if a reset packet is valid or not.
Signed-off-by: Arne Schwabe
---
tests/unit_tests/openvpn/Makefile.am | 24 +-
tests/unit_tests/openvpn/test_pkt.c | 347 +++
2 files changed, 370
We have EXPONENTIAL_BACKOFF as default forever (8c47de7, 2.1.1c,
2010). Remove the other code path that is dead code.
---
src/openvpn/reliable.c | 5 -
src/openvpn/reliable.h | 2 --
2 files changed, 7 deletions(-)
diff --git a/src/openvpn/reliable.c b/src/openvpn/reliable.c
index
This is probably a result from earlier code that still needed to be
C89 compatible and probably added this to allow variable declaration
---
src/openvpn/ssl.c | 56 +++
1 file changed, 27 insertions(+), 29 deletions(-)
diff --git a/src/openvpn/ssl.c
These functions should accept the type of integer they say to write. Calling
the u32 function with an integer that is actually 32 bit unsigned gives
compiler warnings.
---
src/openvpn/buffer.h | 13 ++---
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/src/openvpn/buffer.h
This makes the tls_process_state function a bit easier to read and allows
extending the read_incoming_tls_plaintext function later without
making tls_process_state even longer.
---
src/openvpn/ssl.c | 38 +++---
1 file changed, 23 insertions(+), 15 deletions(-)
diff
OpenVPN currently has a bit of a weakness in its early three way handshake.
A single client reset packet (first packet of the handshake) will
- trigger creating a session on the server side leading to potential
resource exhaustion
- make the server respond with 3 answers trying to get an ACK
Enabling this test produces compile errors and by the looks of it the
test has been broken for many years.
---
src/openvpn/init.c | 5
src/openvpn/packet_id.c | 56 -
src/openvpn/packet_id.h | 10
3 files changed, 71 deletions(-)
diff
We move to the S_START when we have finished the three-way handshake. After
the three way handshake is done, the client will send the TLS Client Hello
packet.
Currently we consider the three way handshake only complete if all
outgoing packets have been acked (which in this case is the one
This adds an LRU cache for the last seen packets from the peer to send acks
to all recent packets. This also allows packets to be acknowledged even if a single
P_ACK_V1 gets lost, avoiding retransmissions. The downside is that we add up
to 28 bytes to a P_ACK_V1 (7 * packet_id) and up to 24 bytes to
Tls-crypt v2 is more complicated to implement a proper stateless
handshake. To allow state handshake this commit does
- introduce a new packet CONTROL_WKC_V1 that repeats the wrapped
client key.
- introduce a way to negotiate the support for this packet in the
three way handshake
Details
OpenVPN currently has a bit of a weakness in its early three way handshake.
A single client reset packet (first packet of the handshake) will
- trigger creating a session on the server side leading to potential
resource exhaustion
- make the server respond with 3 answers trying to get an ACK
This function does most of the state transitions in the TLS state
machine. Moving it into its own function removes an indentation level and
makes the tls_process function easier to understand as the loop is more
obvious.
This is largely just a code move with small exceptions. bool active is
no longer
The current place that we reload is a bit more efficient since it only
triggers reload after a completed 3way handshake. On the other hand the
key_state_init is a much more logical place and with the upcoming
HMAC based UDP code and TCP code, the initialisation will only be done
after a 3way
Currently control packet size is controlled by tun-mtu in a very
non-obvious way since the control overhead is not taken into account
and control channel packets will end up with a different size than
data channel packets.
Instead we decouple this and introduce tls-mtu which defaults to
1250.
---
This ensures that control packets are actually smaller than
tls-mtu. Since OpenVPN will consider a control message packet complete
when the TLS record is complete, we have to ensure that the SSL library
will still write one record, so the receiving side will only be able
to get/read
This returns not just the buffer of a reliable_entry but the whole
entry. This allows the caller to also inspect the original opcode
and packet id.
---
src/openvpn/reliable.c | 6 +++---
src/openvpn/reliable.h | 7 +++
src/openvpn/ssl.c | 7 ---
3 files changed, 10 insertions(+), 10
This makes the code a bit more structured and easier to read.
---
src/openvpn/ssl.c | 53 +--
1 file changed, 33 insertions(+), 20 deletions(-)
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 80440c411..8ea7c06fa 100644
--- a/src/openvpn/ssl.c
This changes the C90 struct buffer declaration to a C99 style one. Also
move the state transition from S_INITIAL to S_PE_START into its own
function.
---
src/openvpn/ssl.c | 84 ---
1 file changed, 50 insertions(+), 34 deletions(-)
diff --git
This allows the wrapping to be more easily reused by a function that
does not have access to a full TLS session.
---
src/openvpn/ssl_pkt.c | 82 ++-
1 file changed, 50 insertions(+), 32 deletions(-)
diff --git a/src/openvpn/ssl_pkt.c b/src/openvpn/ssl_pkt.c
This allows these functions to be relatively easily included into the
unit test without pulling ssl.c and all the dependencies of ssl.c into
a unit test.
Signed-off-by: Arne Schwabe
---
src/openvpn/Makefile.am | 1 +
src/openvpn/mudp.c | 1 +
This prepares for extending this function with the HMAC based session ID
check.
Signed-off-by: Arne Schwabe
---
src/openvpn/mudp.c | 17 +++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c
index 4fbe3c1a3..910268333 100644
---
This allows us to keep the temporary data for a little bit longer
so we can use this to make further checks and ultimately use the
state to craft the HMAC based RESET reply.
For now we do not use the extra information and keep behaviour
identical.
Signed-off-by: Arne Schwabe
---
This is a small cleanup to remove a superfluous argument
---
src/openvpn/reliable.c | 7 ++-
src/openvpn/reliable.h | 2 +-
src/openvpn/ssl.c | 2 +-
3 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/src/openvpn/reliable.c b/src/openvpn/reliable.c
index 274f937ab..2aae152bb
This allows only the parsing without verification to be reused in other
code parts.
---
src/openvpn/reliable.c | 60 --
src/openvpn/reliable.h | 22
src/openvpn/ssl.c | 1 -
3 files changed, 56 insertions(+), 27 deletions(-)
diff
Acked-by: Gert Doering
Sounds reasonable, and is standard. Test compiled on FreeBSD.
Your patch has been applied to the master and release/2.5 branch.
commit 0fed64a91d894b46105bf7e8b16edea4d90ab70c (master)
commit 70b6c69c8255ebd6e789e59b0fe8e106a35e9ad8 (release/2.5)
Author: Antonio
Thanks for fixing the minor issues. Re-tested, still "great stuff!!" ;-)
Your patch has been applied to the master branch.
commit 237ba888684e9b035e3b05d661dd44011be0dcb2
Author: Heiko Hund
Date: Thu Apr 21 18:43:30 2022 +0200
Add git pre-commit hook script to uncrustify