[Openvpn-devel] [PATCH] hardening: add safe FD_SET() wrapper openvpn_fd_set()

2016-03-03 Thread steffan.karger
From: Steffan Karger On many platforms (not Windows, for once), FD_SET() can write outside the given fd_set if an fd >= FD_SETSIZE is given. To make sure we don't do that, add an ASSERT() to error out with a clear error message when this does happen. This patch was

[Openvpn-devel] [PATCH v2] polarssl: improve logging

2016-01-07 Thread steffan.karger
From: Steffan Karger Add the functions polar_log_err(), polar_log_func_line() and a macro polar_ok(), to easily log human-readable PolarSSL errors from polarssl-specific code. This does not provide the full logging interface as msg(), because I would have to add a lot

[Openvpn-devel] [PATCH v2] polarssl: optimize polar_ok() for non-errors

2016-01-07 Thread steffan.karger
From: Steffan Karger Adding polar_ok() was a good plan for improving error reporting, but also added two function calls (one to polar_log_func_line() and one to polar_log_err()) for each function call wrapped with polar_ok(). Especially in the critical path, this is a

[Openvpn-devel] [PATCH] remove nonsense const specifier in nonfatal() return value

2015-11-24 Thread steffan.karger
From: Steffan Karger Return values are rvalues, and can not be changed anyway. Adding const does not make sense here at all. (What was I thinking...?) Signed-off-by: Steffan Karger --- src/openvpn/error.h | 2 +- 1 file changed, 1

[Openvpn-devel] [PATCH v2] Fix overflow check in openvpn_decrypt()

2015-07-29 Thread steffan.karger
From: Steffan Karger Sebastian Krahmer from the SuSE security team reported that the buffer overflow check in openvpn_decrypt() was too strict according to the cipher update function contract: "The amount of data written depends on the block alignment of the encrypted

[Openvpn-devel] [PATCH] Use tls-auth in sample config files

2015-02-22 Thread steffan.karger
From: Steffan Karger For two reasons: 1) May motivate people to use tls-auth in their setups 2) Verify tls-auth functionality when running 'make check' Signed-off-by: Steffan Karger --- sample/sample-config-files/client.conf | 2 +-

[Openvpn-devel] [PATCH 1/2] Upgrade to PolarSSL 1.3

2014-02-27 Thread steffan.karger
From: Steffan Karger This removes support for PolarSSL 1.2. The minimum version of PolarSSL required is now 1.3.3. The upgrade brings OpenVPN-with-PolarSSL: * Support for EC-crypto in TLS (but not yet for external pkcs11/management keys) * Support for AES-NI (if

[Openvpn-devel] [PATCH] PolarSSL 1.3

2014-02-27 Thread steffan.karger
Hi, The attached patches add support for PolarSSL 1.3. These patches are for master only, as they drop support for PolarSSL 1.2. Supporting both versions would require a lot of #ifdef's, so I opted for dropping 1.2. Along with PolarSSL 1.3 comes support for AES-NI and elliptic curve crypto.

[Openvpn-devel] [PATCH 2/2] Improve error reporting during key/cert loading with PolarSSL.

2014-02-27 Thread steffan.karger
From: Steffan Karger Signed-off-by: Steffan Karger --- src/openvpn/ssl_polarssl.c | 18 ++ 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/src/openvpn/ssl_polarssl.c b/src/openvpn/ssl_polarssl.c index

[Openvpn-devel] [PATCH 5/6] Switch to IANA names for TLS ciphers.

2013-03-22 Thread steffan.karger
From: Steffan Karger Added translation table and functions to translate between TLS OpenSSL and IANA (IETF) cipher suite names. The previously used OpenSSL names are still accepted, but a deprecation warning is issued. Signed-off-by: Steffan Karger

[Openvpn-devel] [PATCH 6/6] Fixed autoconf script to properly detect missing pkcs11 with polarssl.

2013-03-22 Thread steffan.karger
From: Steffan Karger When polarssl is compiled without pkcs11 support, or a required pkcs11-helper library is missing, configure will now issue an error. Signed-off-by: Steffan Karger --- configure.ac | 54

[Openvpn-devel] [PATCH 1/6] PolarSSL-1.2 support

2013-03-22 Thread steffan.karger
From: Steffan Karger Add support for PolarSSL-1.2, which has changed the API in several places. This is a minimal port, new features have not been enabled. Only PolarSSL 1.2.5 and newer are accepted, as earlier versions contain unresolved (security) issues.

[Openvpn-devel] [PATCH 4/6] Config compatibility patch. Added translate_cipher_name.

2013-03-22 Thread steffan.karger
From: Steffan Karger Added translate_cipher_name to crypto_openssl.c and crypto_polarssl.c to translate between OpenVPN(/OpenSSL) and PolarSSL data channel cipher algorithm names. OpenSSL does not require any translating, PolarSSL does for a small number of algorithms.

[Openvpn-devel] [PATCH 3/6] Improve verify_callback messages

2013-03-22 Thread steffan.karger
From: Steffan Karger Print the *flags argument, which - for PolarSSL-1.2 - contains the reasons that the certificate failed (pre-)verification. Signed-off-by: Joachim Schipper --- src/openvpn/ssl_verify_polarssl.c |6 +++--- 1 file

[Openvpn-devel] Updated PolarSSL 1.2 support patch set

2013-03-22 Thread steffan.karger
Hi, This patch set replaces the earlier PolarSSL 1.2 support patches. It contains all the changes in response to feedback on the previous versions, and should be ready to be merged. -Steffan

[Openvpn-devel] [PATCH 2/6] Improve PolarSSL key_state_read_{cipher, plain}text messages

2013-03-22 Thread steffan.karger
From: Steffan Karger Instead of logging the fact that an error occurred, log the error code and description (when available in the PolarSSL build). Signed-off-by: Joachim Schipper --- src/openvpn/ssl_polarssl.c |8 ++-- 1 file

[Openvpn-devel] [PATCH 5/5] Switch to IANA names for TLS ciphers.

2013-03-18 Thread steffan.karger
From: Steffan Karger Added translation table and functions to translate between TLS OpenSSL and IANA (IETF) cipher suite names. The previously used OpenSSL names are still accepted, but a deprecation warning is issued. Signed-off-by: Steffan Karger

[Openvpn-devel] [PATCH 4/5] Config compatibility patch. Added translate_cipher_name.

2013-03-18 Thread steffan.karger
From: Steffan Karger Added translate_cipher_name to crypto_openssl.c and crypto_polarssl.c to translate between OpenVPN(/OpenSSL) and PolarSSL data channel cipher algorithm names. OpenSSL does not require any translating, PolarSSL does for a small number of algorithms.

[Openvpn-devel] [PATCH 1/5] PolarSSL-1.2 support

2013-03-18 Thread steffan.karger
From: Steffan Karger Add support for PolarSSL-1.2, which has changed the API in several places. This is a minimal port, new features have not been enabled. Only PolarSSL 1.2.5 and newer are accepted, as earlier versions contain unresolved (security) issues.

[Openvpn-devel] PolarSSL 1.2 support, while keeping config file compatibility

2013-03-18 Thread steffan.karger
Hi Everyone, The attached patches add PolarSSL 1.2 support to OpenVPN 2.3, while maintaining OpenVPN configuration file compatibility between the OpenSSL and PolarSSL builds. Patches 1-3 upgrade the supported PolarSSL versions to 1.2.5 or newer. Patch 4 adds data channel cipher name

[Openvpn-devel] [PATCH 2/5] Improve PolarSSL key_state_read_{cipher, plain}text messages

2013-03-18 Thread steffan.karger
From: Steffan Karger Instead of logging the fact that an error occurred, log the error code and description (when available in the PolarSSL build). Signed-off-by: Joachim Schipper --- src/openvpn/ssl_polarssl.c |8 ++-- 1 file

[Openvpn-devel] [PATCH 3/5] Improve verify_callback messages

2013-03-18 Thread steffan.karger
From: Steffan Karger Print the *flags argument, which - for PolarSSL-1.2 - contains the reasons that the certificate failed (pre-)verification. Signed-off-by: Joachim Schipper --- src/openvpn/ssl_verify_polarssl.c |6 +++--- 1 file

[Openvpn-devel] [PATCH 2/3] PolarSSL-1.2 support

2013-01-21 Thread steffan.karger
From: Steffan Karger Add support for PolarSSL-1.2, which has changed the API in several places. This is a minimal port: PolarSSL-1.2 works, but the new features have not been enabled. Everything before 1.2 is no longer supported. PolarSSL-1.2.[0-2] are blacklisted for

[Openvpn-devel] [PATCH 1/3] Improve PolarSSL key_state_read_{cipher, plain}text messages

2013-01-21 Thread steffan.karger
From: Steffan Karger Instead of logging the fact that an error occurred, log the error string or (if the PolarSSL build does not include this feature) the error code. Signed-off-by: Joachim Schipper --- src/openvpn/ssl_polarssl.c | 20

[Openvpn-devel] [PATCH 3/3] Improve verify_callback messages

2013-01-21 Thread steffan.karger
From: Steffan Karger Print the *flags argument, which - for PolarSSL-1.2 - contains the reasons that the certificate failed (pre-)verification. Signed-off-by: Joachim Schipper --- src/openvpn/ssl_verify_polarssl.c |6 +++--- 1 file

[Openvpn-devel] PolarSSL 1.2 support for OpenVPN 2.3

2013-01-17 Thread steffan.karger
Hi, From PolarSSL 1.1 to 1.2 the cipher names have changed and the API changed a bit. This causes the 2.3 release of OpenVPN to be incompatible with PolarSSL 1.2. We've prepared three patches to add support for PolarSSL 1.2 to OpenVPN 2.3. The first two patches just improve error

[Openvpn-devel] [PATCH 1/3] Improve PolarSSL key_state_read_{cipher, plain}text messages

2013-01-17 Thread steffan.karger
From: Steffan Karger Instead of logging the fact that an error occurred, log the error string or (if the PolarSSL build does not include this feature) the error code. Signed-off-by: Joachim Schipper --- src/openvpn/ssl_polarssl.c | 20

[Openvpn-devel] [PATCH 2/3] Improve verify_callback messages

2013-01-17 Thread steffan.karger
From: Steffan Karger Print the *flags argument, which - for PolarSSL-1.2 - contains the reasons that the certificate failed (pre-)verification. Signed-off-by: Joachim Schipper --- src/openvpn/ssl_verify_polarssl.c |6 +++--- 1 file

[Openvpn-devel] [PATCH 3/3] PolarSSL-1.2 support

2013-01-17 Thread steffan.karger
From: Steffan Karger Add support for PolarSSL-1.2, which has changed the API in several places. This is a minimal port: PolarSSL-1.2 works as well as PolarSSL-1.1, but the new features have not been enabled. Blacklist PolarSSL-1.[0-2] for bugs when verifying