While calling this wrapper function is strictly more correct, these
indirection layers with tiny wrappers make the code more complex and
go through more layers than it really needs to.
Signed-off-by: Arne Schwabe
---
src/openvpn/init.c | 2 +-
src/openvpn/ssl.c | 14 +-
src
This implements creating a reset packet without needing to set up a full control
session.
---
src/openvpn/packet_id.h | 15 ++
src/openvpn/ssl.h | 6 ---
src/openvpn/ssl_pkt.c | 34 +++-
src/openvpn/ssl_pkt.h | 19 +++
tests/
---
tests/unit_tests/openvpn/Makefile.am | 5 +-
tests/unit_tests/openvpn/mock_get_random.c | 10
tests/unit_tests/openvpn/test_packet_id.c | 55 ++
3 files changed, 69 insertions(+), 1 deletion(-)
diff --git a/tests/unit_tests/openvpn/Makefile.am
b/tests/unit_te
This currently tests the existing functionality of test_tls_decrypt_lite
to check whether a reset packet is valid or not.
Signed-off-by: Arne Schwabe
---
tests/unit_tests/openvpn/Makefile.am | 24 +-
tests/unit_tests/openvpn/test_pkt.c | 347 +++
2 files changed, 370
We have EXPONENTIAL_BACKOFF as default forever (8c47de7, 2.1.1c,
2010). Remove the other code path that is dead code.
---
src/openvpn/reliable.c | 5 -
src/openvpn/reliable.h | 2 --
2 files changed, 7 deletions(-)
diff --git a/src/openvpn/reliable.c b/src/openvpn/reliable.c
index 2aae152bb..
This is probably a result of earlier code that still needed to be
C89 compatible and probably added this to allow variable declaration
---
src/openvpn/ssl.c | 56 +++
1 file changed, 27 insertions(+), 29 deletions(-)
diff --git a/src/openvpn/ssl.c b/s
These functions should accept the type of integer they say they write. Calling
the u32 function with an integer that is actually a 32-bit unsigned gives
compiler warnings.
---
src/openvpn/buffer.h | 13 ++---
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/src/openvpn/buffer.h b/s
This makes the tls_process_state function a bit easier to read and allows
extending the read_incoming_tls_plaintext function later without
making tls_process_state even longer.
---
src/openvpn/ssl.c | 38 +++---
1 file changed, 23 insertions(+), 15 deletions(-)
diff --
if an ACK has gone missing. (Similar to what cumulative
ACKs in other protocols achieve.)
Arne Schwabe (28):
Remove tls_init_control_channel_frame_parameters wrapper function
Remove dead PID_TEST code
Move pre decrypt lite check to its own function
Add documentation for swap_hmac
Enabling this test produces compile errors and by the looks of it the
test has been broken for many years.
---
src/openvpn/init.c | 5
src/openvpn/packet_id.c | 56 -
src/openvpn/packet_id.h | 10
3 files changed, 71 deletions(-)
diff --
We move to the S_START when we have finished the three-way handshake. After
the three way handshake is done, the client will send the TLS Client Hello
packet.
Currently we consider the three-way handshake only complete if all
outgoing packets have been acked (which in this case is the one
HARD_RESE
This adds an LRU cache for the last seen packets from the peer to send acks
for all recently seen packets. This also allows packets to be acknowledged even if a single
P_ACK_V1 gets lost, avoiding retransmissions. The downside is that we add up
to 28 bytes to a P_ACK_V1 (7 * packet_id) and up to 24 bytes to othe
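The retransmission-avoidance effect described in that commit message, as an added model (not OpenVPN code): the receiver keeps an LRU of the last N packet ids it saw and puts all of them into every ACK, so the sender only retransmits when every ACK that mentions a packet is lost. N = 7 and the P_ACK_V1 size remark come from the commit message; the Sender/Receiver classes, the packet range 1..10 and the drop patterns are constructed for this demo.

```python
"""Model of acknowledging the last N received packet ids in every ACK
(added example; not OpenVPN's reliable.c). Constructed for this page."""
from collections import deque

ACK_LIST_SIZE = 7  # 7 * 4-byte packet_id = up to 28 bytes per ACK (commit message)


class Receiver:
    """Keeps an LRU of recently received packet ids and acks all of them."""

    def __init__(self, ack_list_size=ACK_LIST_SIZE):
        self.seen = deque(maxlen=ack_list_size)

    def receive(self, packet_id):
        """Record packet_id and return the list of ids to put into the ACK."""
        if packet_id in self.seen:
            self.seen.remove(packet_id)  # move to most-recent position
        self.seen.append(packet_id)      # oldest entry falls out at maxlen
        return list(self.seen)


class Sender:
    """Tracks packets awaiting an ACK; retransmits the rest on timeout."""

    def __init__(self):
        self.unacked = set()
        self.retransmissions = 0

    def send(self, packet_id):
        self.unacked.add(packet_id)

    def handle_ack(self, ack_ids):
        for pid in ack_ids:
            self.unacked.discard(pid)

    def timeout(self):
        """Retransmit everything still unacked; returns the ids resent."""
        resend = sorted(self.unacked)
        self.retransmissions += len(resend)
        return resend


def simulate(ack_list_size, lost_acks):
    """Send packets 1..10; the ACK for packet i is dropped if i in lost_acks.
    Returns how many packets the sender has to retransmit afterwards."""
    rx, tx = Receiver(ack_list_size), Sender()
    for pid in range(1, 11):
        tx.send(pid)
        ack = rx.receive(pid)
        if pid not in lost_acks:
            tx.handle_ack(ack)
    tx.timeout()
    return tx.retransmissions


if __name__ == "__main__":
    # one lost ACK: single-id acks force a retransmit, a 7-entry ack list does not
    print(simulate(1, {4}), simulate(7, {4}))
    # nine consecutive lost ACKs: only ids older than the window are resent
    print(simulate(7, set(range(1, 10))))
```

With a single-entry list the loss of ACK 4 costs one retransmission; with seven entries ACK 5 already repeats id 4. Only a run of lost ACKs longer than the window leaves packets uncovered, which is the trade-off against the extra 28 bytes per P_ACK_V1.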
With tls-crypt v2 it is more complicated to implement a proper stateless
handshake. To allow a stateless handshake this commit does:
- introduce a new packet CONTROL_WKC_V1 that repeats the wrapped
client key.
- introduce a way to negotiate the support for this packet in the
three way handshake
Details
attacks. For tls-crypt-v2 client HMAC based
handshake is not used yet
Signed-off-by: Arne Schwabe
---
doc/doxygen/doc_protocol_overview.h | 2 +
src/openvpn/init.c | 11 +-
src/openvpn/mudp.c | 106 ++--
src/openvpn/multi.h | 3 +
src
This function does most of the state transitions in the TLS state
machine. Moving it into its own function removes one indentation level and
makes the tls_process function easier to understand as the loop is more
obvious.
This is largely just a code move with a small exception. bool active is
no longer dire
The current place that we reload is a bit more efficient since it only
triggers a reload after a completed 3way handshake. On the other hand,
key_state_init is a much more logical place and with the upcoming
HMAC based UDP code and TCP code, the initialisation will only be done
after a 3way handsh
Currently control packet size is controlled by tun-mtu in a very
non-obvious way since the control overhead is not taken into account
and control channel packets will end up with a different size than
data channel packets.
Instead we decouple this and introduce tls-mtu which defaults to
1250.
---
C
This ensures that control packets are actually smaller than
tls-mtu. Since OpenVPN will consider a control message packet complete
when the TLS record is complete, we have to ensure that the SSL library
will still write one record, so the receiving side will only be able
to get/read th
This returns not just the buffer of a reliable_entry but the whole
entry. This allows the caller to also inspect the original opcode
and packet id.
---
src/openvpn/reliable.c | 6 +++---
src/openvpn/reliable.h | 7 +++
src/openvpn/ssl.c | 7 ---
3 files changed, 10 insertions(+), 10 d
This makes the code a bit more structured and easier to read.
---
src/openvpn/ssl.c | 53 +--
1 file changed, 33 insertions(+), 20 deletions(-)
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 80440c411..8ea7c06fa 100644
--- a/src/openvpn/ssl.c
This changes the C90 struct buffer declaration to a C99 style one. Also
move the state transition from S_INITIAL to S_PE_START into its own
function.
---
src/openvpn/ssl.c | 84 ---
1 file changed, 50 insertions(+), 34 deletions(-)
diff --git a/src/open
This allows the wrapping to be reused more easily by a function that
does not have access to a full TLS session.
---
src/openvpn/ssl_pkt.c | 82 ++-
1 file changed, 50 insertions(+), 32 deletions(-)
diff --git a/src/openvpn/ssl_pkt.c b/src/openvpn/ssl_pkt.c
This allows these functions to be relatively easily included into the
unit test without pulling ssl.c and all the dependencies of ssl.c into
a unit test.
Signed-off-by: Arne Schwabe
---
src/openvpn/Makefile.am | 1 +
src/openvpn/mudp.c | 1 +
src/openvpn
This prepares for extending this function with the HMAC based session ID
check.
Signed-off-by: Arne Schwabe
---
src/openvpn/mudp.c | 17 +++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c
index 4fbe3c1a3..910268333 100644
This allows us to keep the temporary data for a little bit longer
so we can use this to make further checks and ultimately use the
state to craft the HMAC based RESET reply.
For now we do not use the extra information and keep behaviour
identical.
Signed-off-by: Arne Schwabe
---
src/openvpn
This is a small cleanup to remove a superfluous argument
---
src/openvpn/reliable.c | 7 ++-
src/openvpn/reliable.h | 2 +-
src/openvpn/ssl.c | 2 +-
3 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/src/openvpn/reliable.c b/src/openvpn/reliable.c
index 274f937ab..2aae152bb 1
This allows only the parsing without verification to be reused in other
code parts.
---
src/openvpn/reliable.c | 60 --
src/openvpn/reliable.h | 22
src/openvpn/ssl.c | 1 -
3 files changed, 56 insertions(+), 27 deletions(-)
diff --gi
On 20.04.22 at 10:18, yuanxun wrote:
Hi
I recently encountered a bug when using the openvpn dco branch. When the
client connection reaches max-clients, I reconnect one of the clients,
and the client will fail to reconnect when it reaches the set number of
reconnections. At this time, the cli
On 14.04.22 at 12:03, yuanxun wrote:
Recently found a problem with openvpn
environment:
Linux version 5.4.0-100-generic (buildd@lcy02-amd64-002) (gcc version
9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04))
OpenVPN 2.6_git [git:dco/a503c91735538f21] x86_64-pc-linux-gnu [SSL
(OpenSSL)] [LZO] [EPOLL] [
On 08.04.22 at 11:50, yuanxun wrote:
Hi!
When will openvpn 2.6 with dco be released?
In the future. We do not commit to fixed dates.
What is the plan for the dco
version?
Release it in the future as part of OpenVPN 2.6.
If you need it now, feel free to use the master and/or dco branch.
On 05.04.22 at 05:10, Leroy Tennison wrote:
Thanks for your reply, I'm actually looking for something pretty
high-level like "the server (or client) sends their (whatever key) and
the client (or server) (creates a session key from it or whatever
happens) and that is used for encryption." I am
On 04.04.22 at 22:32, Leroy Tennison via Openvpn-devel wrote:
Trying to find information on how OpenVPN uses the keys generated for
the client and server to encrypt traffic and not having any success
(maybe I'm not searching for the right terms). Can someone explain or
point me to a URL expla
I am willing to work on making the netcfg service even less "OpenVPN 3
centric", and it has a potential to grow towards a generic VPN API on
Linux. The current D-Bus interface it uses is highly inspired by the
Android VPN API. But this won't happen in a short time and not in time
for the Op
6r1 to prime256v1 for
the OpenSSL3 code path as OpenSSL 3.0 recognises secp256r1.
Acked-By: Arne Schwabe
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Allow non-standard EC groups with OpenSSL3
This statement just is not correct: This has not a lot to do with EC.
What about "Enable setting any TLS1.3 group [provided by the underlying
crypto libraries]. "?
A bit long for a commit subject. Maybe just:
Enable usage of TLS groups not identif
On 27.03.22 at 17:52, Michael Baentsch wrote:
Thanks again for your explanations: I finally figured out to correct my
git send-email configuration `smtpencryption` to be set to "ssl"
(instead of "tls": The latter caused a hang that I debugged for way too
long :-(. Maybe worth while adding to s
On 25.03.22 at 08:21, Michael Baentsch wrote:
Thanks very much for the quick and thorough feedback. Indeed your last
question is pivotal making the patch _much_ simpler (attached): The
problem manifests itself only in the presence of providers introduced in
OpenSSL3.0. At the same time, the cu
On 24.03.22 at 14:40, Michael Baentsch wrote:
Hello,
as per https://community.openvpn.net/openvpn/ticket/1460 the current
openvpn master fails when activating a TLS1.3 group implemented in an
external provider.
The patch attached fixes this and enables successful OpenSSL key
establishm
Commit 8c72d7981 changed the push_peer_info_detail to have an
additional level for P2P NCP, shifting most of the other levels
by 1. The check for UV_ and IV_PLAT_VER was not changed accordingly.
---
src/openvpn/ssl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/open
On 10.03.22 at 15:14, Jakob Curdes wrote:
Hello all,
I think I have found a bug in the OpenVPN Windows client , can you help
me to determine if this is true and how to proceed?
We are trying to implement 2FA for several existing Firebox SSL VPNs
(which essentially uses OpenVPN on server and
On 09.03.22 at 00:06, Heiko Hund wrote:
+
+bool dns_server_priority_parse(long *priority, const char *str, bool pulled);
+struct dns_server* dns_server_get(struct dns_server **entry, long priority,
struct gc_arena *gc);
+void dns_domain_list_append(struct dns_domain **entry, char **domains, str
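Review bot: the prototype `+struct dns_server* dns_server_get(struct dns_server **entry, long priority,` attaches the `*` to the type, while `+bool dns_server_priority_parse(long *priority, const char *str, bool pulled);` one line above attaches it to the name; keep the latter form throughout and write `struct dns_server *dns_server_get(...)` so the header passes the project's uncrustify check unchanged.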
On 08.03.22 at 15:45, Kristof Provost via Openvpn-devel wrote:
On 8 Mar 2022, at 15:23, Antonio Quartulli wrote:
On 24/02/2022 17:55, Kristof Provost via Openvpn-devel wrote:
I've had to add a lot of '|| defined(TARGET_FREEBSD)', and I think the
code could be a bit cleaner if we'd make these c
In server mode it is not set and as a result mssfix value
is 3 bytes off.
Fix by setting this flag in multi.c when calculating
tunnel-specific options.
Acked-By: Arne Schwabe
This fixes the issue at hand. It would be better to refactor the whole
peerid in use signalling eventually but this is g
This allows setting the MSS value inside the tunnel to a user-specified
value instead of calculating it from the (somewhat) dynamic encapsulation
overhead.
Also default to the MTU when tun-mtu does not have the default value
to ensure that packets are not larger than the tun-mtu. This only affects
pac
The ``algorithm`` parameter may be :code:`lzo`, :code:`lz4`,
@@ -193,6 +193,10 @@ configured in a compatible way between both the local and
remote side.
supported by the client will be pushed to clients that support cipher
negotiation.
+ For more details see the chapter on `Dat
message...
v2: assume that "if it's linux, and has these two headers, everything
else will be there as well" and get rid of most of the #ifdef checks
Acked-By: Arne Schwabe
On 21.02.22 at 12:19, Frank Lichtenheld wrote:
- Fix various formatting inconsistencies
- Explain what NCP means before using it.
- Also replace some of the usages of NCP
with the clearer "cipher negotiation".
Signed-off-by: Frank Lichtenheld
---
doc/man-sections/protocol-options.rst | 34
Patch v3: Rebase to master
Signed-off-by: Arne Schwabe
---
src/openvpn/init.c | 1 +
src/openvpn/ssl.c | 7 ++-
src/openvpn/ssl.h | 3 +++
3 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 21adc3cf..e5fba621 100644
--- a/src/openvpn
This function has accidentally not been deleted during the removal
of the last bits of variable key size.
---
src/openvpn/crypto_openssl.c | 9 -
1 file changed, 9 deletions(-)
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 8bc41792..1c99db0f 100644
--- a
duplication and copy/paste errors, unify code and
make it parametric, so that it can be re-used in various places.
Signed-off-by: Antonio Quartulli
Acked-By: Arne Schwabe
On 17.02.22 at 10:25, Antonio Quartulli wrote:
Hi,
On 17/02/2022 09:33, Kristof Provost wrote:
Hi,
I’m working on adding OpenVPN DCO support on FreeBSD (primarily for
use in pfSense).
This is very nice!
Cool!
A secondary question is how you’d prefer to receive patches, once I
get thing
We unconditionally include openssl/opensslv.h which fails if OpenSSL headers
are not available.
Signed-off-by: Arne Schwabe
---
src/openvpn/xkey_common.h | 7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/xkey_common.h b/src/openvpn/xkey_common.h
index e58748b4
'!' (negation) when validating the digest algorithm
in the tls-crypt code, in order to restore the proper logic.
Cc: Arne Schwabe
Fixes: b39725cf ("Remove md_kt_t and change crypto API to use const char*")
Reported-by: Richard T Bonhomme
Signed-off-by: Antonio Quart
These checks were not correctly updated. The check in auth-token
did nothing at all and the check in tls-crypt was the wrong check
but that was hidden by the condition being inverted as well.
Reported-By: tincnt...@protonmail.com
---
src/openvpn/auth_token.c | 2 +-
src/openvpn/crypto_backend
The buffer overhaul simplified the frame struct to a point that these
macros are either not used anymore or are not adding any benefit in
understanding the code anymore. Replace the macros with direct member
accesses.
Patch v2: Remove all FRAME_HEADROOM macros
---
src/openvpn/comp-lz4.c | 8
Some functions are only used when management is used or enable-small is
not used. Fix the ifdefs to correctly also include these helper
functions, to avoid compile errors when using -Werror
---
src/openvpn/multi.c | 11 +--
src/openvpn/options.c | 7 +++
2 files changed, 8
Signed-off-by: Arne Schwabe
---
.github/workflows/build.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index f1a75736..34d1dcce 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
---
tests/unit_tests/openvpn/test_crypto.c | 28 ++
1 file changed, 28 insertions(+)
diff --git a/tests/unit_tests/openvpn/test_crypto.c
b/tests/unit_tests/openvpn/test_crypto.c
index 7fb9d624..ca170547 100644
--- a/tests/unit_tests/openvpn/test_crypto.c
+++ b/tests/unit_
Signed-off-by: Arne Schwabe
---
src/openvpn/ssl_common.h | 17 +
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index 42b63cd0..10a3f730 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
The buffer overhaul simplified the frame struct to a point that these
macros are either not used anymore or are not adding any benefit in
understanding the code anymore. Replace the macros with direct member
accesses.
---
src/openvpn/comp-lz4.c | 8
src/openvpn/crypto.c | 8
from
the real overhead.
Patch v2: Fix syntax in rst man page
Patch v5: fix segfault when get_ip_encap_overhead gets called early in
init_instance and note that these calls will always be
overwritten by NCP in tls_session_update_crypto_params
Signed-off-by: Arne Schwabe
... moves the crash onward to
0x555891b6 in datagram_overhead (proto=, af=10) at socket.h:617
617 overhead += (proto == PROTO_UDP) ? 8 : 20;
(gdb) where
#0 0x555891b6 in datagram_overhead (proto=, af=10) at socket.h:617
#1 get_ip_encap_overhead (lsi=0x0, options=0x555
On 11.02.22 at 10:44, Gert Doering wrote:
Hi,
On Thu, Feb 10, 2022 at 05:26:26PM +0100, Arne Schwabe wrote:
The current default is 1450, which translates to 1478 byte packets for udp4
and 1498 byte packets for udp6. This commit changes the mssfix default
to take the outer IP overhead into
encapsulation upper bound.
The change also disables an mssfix default if tun-mtu is set to a value
different than 1500.
Signed-off-by: Arne Schwabe
---
src/openvpn/mtu.h | 2 +-
src/openvpn/options.c | 60 +--
src/openvpn/options.h | 2 +-
3 files
The warning that fragment/mssfix also needs tun-mtu set to 1500 makes
little sense. Remove it completely. Instead warn if there are inconsistencies
between --fragment and mssfix.
Patch v2: clarify the mssfix and fragment mtu warning message
Patch v4: Rebase
Signed-off-by: Arne Schwabe
---
src
The previous commits removed any reads from this variable. So we can
now safely remove it.
Signed-off-by: Arne Schwabe
---
src/openvpn/init.c | 19 ---
src/openvpn/mtu.c | 1 -
src/openvpn/mtu.h | 13 -
src/openvpn/socks.c | 11 +--
src/openvpn/socks.h
This always uses the configured MTU size instead of relying on the calculated
MTU size.
Patch v4: Fix a few overlooked TUN_MTU_SIZE.
Signed-off-by: Arne Schwabe
---
src/openvpn/forward.c | 2 +-
src/openvpn/init.c| 20 ++--
src/openvpn/mtu.c | 4 ++--
src/openvpn/mtu.h
Signed-off-by: Arne Schwabe
---
src/openvpn/comp.c | 7 --
src/openvpn/comp.h | 2 --
src/openvpn/crypto.c| 37 ---
src/openvpn/fragment.c | 3 ---
src/openvpn/init.c | 56 -
src/openvpn/mtu.c | 14
Signed-off-by: Arne Schwabe
---
src/openvpn/occ.c | 31 +++
1 file changed, 23 insertions(+), 8 deletions(-)
diff --git a/src/openvpn/occ.c b/src/openvpn/occ.c
index 6fc5e003..b7670356 100644
--- a/src/openvpn/occ.c
+++ b/src/openvpn/occ.c
@@ -199,8 +199,11
Signed-off-by: Arne Schwabe
---
src/openvpn/comp.c| 8
src/openvpn/comp.h| 2 --
src/openvpn/forward.c | 4 ++--
src/openvpn/init.c| 39 +++
src/openvpn/mtu.c | 26 --
src/openvpn/mtu.h | 22
from
the real overhead.
Patch v2: Fix syntax in rst man page
Signed-off-by: Arne Schwabe
---
Changes.rst| 9 ++-
doc/man-sections/link-options.rst | 20 -
src/openvpn/forward.c | 3 +-
src/openvpn/fragment.c | 4
On 04.02.22 at 17:51, Antonio Quartulli wrote:
Hi,
On 05/11/2021 16:07, Arne Schwabe wrote:
When we try to make a configuration compatible to a version earlier
than 2.4.0 we probably need to have a --cipher configured since NCP
is not available. In configuration where --cipher is not
On 28.01.22 at 12:15, Gert Doering wrote:
Hi,
On Sat, Jan 01, 2022 at 05:25:20PM +0100, Arne Schwabe wrote:
This commit fixes the MSS calculation in CBC mode. This fix has two parts:
- Added rounding to a multiple of block size during calculation of overhead
- In CBC mode the packet ID is
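Both size calculations argued about in this thread, as an added worked example (not OpenVPN's mtu.c or socket.h): first the outer datagram size that an mssfix value implies, which reproduces the 1450 -> 1478 (udp4) / 1498 (udp6) figures quoted above and the `(proto == PROTO_UDP) ? 8 : 20` from the gdb trace; second the "round to a multiple of the block size" step for a CBC data channel, where PKCS#7 padding means only whole blocks fit. The IP, UDP and TCP header sizes are the standard ones; the data-channel framing constants marked `assumed` (4-byte opcode/peer-id, 4-byte packet id inside the CBC plaintext, 32-byte HMAC) are demo values, not OpenVPN's real layout, and the functions are general in address family and block size rather than tied to the 1450/AES case.

```python
"""Added worked example (not OpenVPN code) of outer-packet size and CBC
MSS clamping. Framing constants marked 'assumed' are demo values."""

IPV4_HDR, IPV6_HDR, UDP_HDR, TCP_HDR = 20, 40, 8, 20


def datagram_overhead(proto, af):
    """Outer IP + transport header bytes: 8 for UDP, 20 for TCP,
    plus 20 for IPv4 or 40 for IPv6 (same shape as socket.h's switch)."""
    overhead = IPV4_HDR if af == 4 else IPV6_HDR
    overhead += UDP_HDR if proto == "udp" else TCP_HDR
    return overhead


def wire_size(mssfix, proto, af):
    """Largest packet on the wire when mssfix limits the encrypted payload."""
    return mssfix + datagram_overhead(proto, af)


# Assumed data-channel framing for the CBC example (demo values).
OPCODE_PEERID = 4  # assumed: opcode/key-id byte plus 3-byte peer id
PACKET_ID = 4      # assumed: 32-bit packet id carried inside the CBC plaintext
HMAC_LEN = 32      # assumed: HMAC-SHA256 tag


def cbc_datagram_size(inner_len, block_size):
    """Encrypted datagram size for an inner packet of inner_len bytes.
    PKCS#7 always adds at least one padding byte, so the ciphertext is
    rounded up to the next block even when the input already aligns."""
    plaintext = PACKET_ID + inner_len
    ciphertext = (plaintext // block_size + 1) * block_size
    return OPCODE_PEERID + block_size + ciphertext + HMAC_LEN  # IV = 1 block


def max_inner_cbc(mssfix, block_size):
    """Largest inner packet that still fits in mssfix bytes with CBC.
    Only whole blocks fit below the limit, and one byte of the last block
    is always lost to padding; this is the rounding the fix adds."""
    room = mssfix - (OPCODE_PEERID + block_size + HMAC_LEN)
    whole_blocks = room // block_size
    return whole_blocks * block_size - 1 - PACKET_ID


def tcp_mss_cbc(mssfix, block_size, inner_af=4):
    """TCP MSS to write into inner SYNs so the resulting segment fits."""
    inner_ip = IPV4_HDR if inner_af == 4 else IPV6_HDR
    return max_inner_cbc(mssfix, block_size) - inner_ip - TCP_HDR


if __name__ == "__main__":
    print(wire_size(1450, "udp", 4), wire_size(1450, "udp", 6))  # 1478 1498
    limit = max_inner_cbc(1450, 16)
    # limit fits, limit + 1 spills into another 16-byte block and overshoots
    print(limit, cbc_datagram_size(limit, 16), cbc_datagram_size(limit + 1, 16))
    print(tcp_mss_cbc(1450, 16))
```

The boundary check in `__main__` is the point of the rounding: without it a naive `mssfix - fixed_overhead` would admit an inner packet whose padded ciphertext lands one block over the limit.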
c->options.ce.fragment, c->options.ce.mssfix);
+}
+if (c->options.ce.fragment > 0 && c->options.ce.mssfix > 0
+&& c->options.ce.fragment_encap != c->options.ce.mssfix_encap)
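Review bot: the new condition `+if (c->options.ce.fragment > 0 && c->options.ce.mssfix > 0` together with `+&& c->options.ce.fragment_encap != c->options.ce.mssfix_encap` decides on the encap flags, but the message built from `c->options.ce.fragment, c->options.ce.mssfix);` just above only prints the two numbers, so the user cannot see which of the two values is being interpreted as an encapsulated size; include the mtu/encap qualifier of each option in the warning text, and state in the commit message that this check depends on fragment_encap from the --fragment mtu patch.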
Note that fragment_encap is added in
[Openvpn-devel] [PATCH v3 09/14] Add mtu paramter to --fragment and
is enabled), because
along the chain of calls we already call cipher_get() which returns NULL
for FIPS-disabled ciphers.
For this reason, we can just remove any FIPS specific code from
print_cipher() and be done with it.
Acked-By: Arne Schwabe
On 25.01.22 at 03:51, selva.n...@gmail.com wrote:
From: Selva Nair
- Call pkcs11h_certificate_signAny_ex() when available
so that the signature mechanism parameters can be passed.
(Required for RSA-PSS signature).
Signed-off-by: Selva Nair
---
src/openvpn/pkcs11_openssl.c | 123 ++
="digest" for signing.
That calculation is just too familiar.
Acked-By: Arne Schwabe
On 25.01.22 at 03:51, selva.n...@gmail.com wrote:
From: Selva Nair
D_XKEY = loglev(6, 69, M_DEBUG) is defined and used for
all low level debug messages from xkey_provider.c and
xkey_helper.c
As suggested by Arne Schwabe
Thanks for that.
Acked-By: Arne Schwabe
overhead calculated over 0 instead
of payload size
Signed-off-by: Arne Schwabe
---
src/openvpn/comp-lz4.c | 4 +-
src/openvpn/crypto.c | 4 +-
src/openvpn/forward.c| 8 +--
src/openvpn/init.c | 110 +++
src/openvpn/lzo.c
allers to check for NULL.
Thanks for finding this.
Acked-By: Arne Schwabe
On 21.01.22 at 21:49, Antonio Quartulli wrote:
Signed-off-by: Antonio Quartulli
---
This patch combines some master commits in order to bring the GH script
up to the same state as the one in master (minus OpenSSL3 related
changes).
Acked-By: Arne Schwabe
to
understand.
Cc: Arne Schwabe
Signed-off-by: Antonio Quartulli
---
tests/unit_tests/openvpn/test_crypto.c | 52 +++---
1 file changed, 31 insertions(+), 21 deletions(-)
diff --git a/tests/unit_tests/openvpn/test_crypto.c
b/tests/unit_tests/openvpn/test_crypto.c
index
On 14.12.21 at 17:59, selva.n...@gmail.com wrote:
From: Selva Nair
Acked-By: Arne Schwabe
This could be merged/squashed into the commits that introduce those files.
Arne
, 105 insertions(+), 13 deletions(-)
Acked-By: Arne Schwabe
digest support mocked in the client
capability flag.
Acked-By: Arne Schwabe
function cng_padding_type() is moved down to reduce number
of ifdef's.
Acked-By: Arne Schwabe
Note, I have not tested the CNG signing myself.
be added when pkcs11-helper with our PR for specifying
CK_MECHANISM variable in sign operations is released.
(i.e., next release of pkcs11-helper).
Acked-By: Arne Schwabe
uncated at the last step.
This really requires a smarter fix. As a quick relief, we just increase
the buffer size to 10240 when management support is compiled in. Should
be enough for PK_SIGN with undigested message.
Signed-off-by: Selva Nair
Acked-By: Ar
make xkey_digest non-static
Used in following commits to load CNG and pkcs11 keys
Acked-By: Arne Schwabe
DigestSign() as opposed to Sign(). In
practice, signature operation always appears to result in
a DigestSign() call through the provider interface.
Acked-By: Arne Schwabe
ignature as well. If the padding
treat it as an error instead of submitting the request to the
management-interface regardless.
This change is made only when xkey provider is in use, though such a check
would be appropriate always.
Acked-By: Arne Schwabe
KCS1_PADDING' are unchanged.
v2 changes: Fix typos and other sloppiness in documentation and
commit message.
Signed-off-by: Selva Nair
Acked-By: Arne Schwabe
assembling it from the ASN.1 objects.
Acked-By: Arne Schwabe
in
the provider signature callback.
TODO:
- Allow passing the undigested message to management interface
- Add pkcs1 DigestInfo header when required
Signed-off-by: Selva Nair
Acked-By: Arne Schwabe
le
signing with --management-external-key. The next commit
fixes that.
Acked-By: Arne Schwabe
provider,
no functionality gets delegated to it as yet.
v2 changes: Provider loading is reworked to activate only when external
keys are in use
This was 2/9 in v1
Acked-By: Arne Schwabe
For a usage of keymgmt_import(), see the helper function
implemented using it to load the management key in the next commit.
v2 changes: "origin" --> "xkey-origin"
This was 5/9 in v1
Acked-By: Arne Schwabe
OpenSSL 3.0.1 that we target.
- Undigested message is passed to the backend sign operation when
possible. This would allow more flexibility as some backends
prefer to do the hash operation internally.
This was 4/9 in v1
Acked-By: Arne Schwabe
: Arne Schwabe
501 - 600 of 2567 matches