From: Steffan Karger
On many platforms (not Windows, for once), FD_SET() can write outside the
given fd_set if an fd >= FD_SETSIZE is given. To make sure we don't do
that, add an ASSERT() to error out with a clear error message when this
does happen.
This patch was
From: Steffan Karger
Add the functions polar_log_err(), polar_log_func_line() and a macro
polar_ok(), to easily log human-readable PolarSSL errors from
polarssl-specific code.
This does not provide the full logging interface as msg(), because I
would have to add a lot
From: Steffan Karger
Adding polar_ok() was a good plan for improving error reporting, but also
added two function calls (one to polar_log_func_line() and one to
polar_log_err()) for each function call wrapped with polar_ok().
Especially in the critical path, this is a
From: Steffan Karger
Return values are rvalues, and can not be changed anyway. Adding const
does not make sense here at all. (What was I thinking...?)
Signed-off-by: Steffan Karger
---
src/openvpn/error.h | 2 +-
1 file changed, 1
From: Steffan Karger
Sebastian Krahmer from the SuSE security team reported that the buffer
overflow check in openvpn_decrypt() was too strict according to the
cipher update function contract:
"The amount of data written depends on the block alignment of the
encrypted
From: Steffan Karger
For two reasons:
1) May motivate people to use tls-auth in their setups
2) Verify tls-auth functionality when running 'make check'
Signed-off-by: Steffan Karger
---
sample/sample-config-files/client.conf | 2 +-
From: Steffan Karger
This removes support for PolarSSL 1.2. The minimum version of PolarSSL required
is now 1.3.3. The upgrade brings OpenVPN-with-PolarSSL:
* Support for EC-crypto in TLS (but not yet for external pkcs11/management keys)
* Support for AES-NI (if
Hi,
The attached patches add support for PolarSSL 1.3. These patches are for
master only, as they drop support for PolarSSL 1.2. Supporting both versions
would require a lot of #ifdef's, so I opted for dropping 1.2.
Along with PolarSSL 1.3 comes support for AES-NI and elliptic curve crypto.
From: Steffan Karger
Signed-off-by: Steffan Karger
---
src/openvpn/ssl_polarssl.c | 18 ++
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/src/openvpn/ssl_polarssl.c b/src/openvpn/ssl_polarssl.c
index
From: Steffan Karger
Added translation table and functions to translate between TLS OpenSSL
and IANA (IETF) cipher suite names. The previously used OpenSSL names
are still accepted, but a deprecation warning is issued.
Signed-off-by: Steffan Karger
From: Steffan Karger
When polarssl is compiled without pkcs11 support, or a required
pkcs11-helper library is missing, configure will now issue an error.
Signed-off-by: Steffan Karger
---
configure.ac | 54
From: Steffan Karger
Add support for PolarSSL-1.2, which has changed the API in several places.
This is a minimal port, new features have not been enabled. Only PolarSSL
1.2.5 and newer are accepted, as earlier versions contain unresolved
(security) issues.
From: Steffan Karger
Added translate_cipher name to crypto_openssl.c and crypto_polarssl.c
to translate between OpenVPN(/OpenSSL) and PolarSSL data channel
cipher algorithm names. OpenSSL does not require any translating,
PolarSSL does for a small number of algorithms.
From: Steffan Karger
Print the *flags argument, which - for PolarSSL-1.2 - contains the reasons that
the certificate failed (pre-)verification.
Signed-off-by: Joachim Schipper
---
src/openvpn/ssl_verify_polarssl.c |6 +++---
1 file
Hi,
This patch set replaces the earlier PolarSSL 1.2 support patches. It contains
all the changes in response to feedback on the previous versions, and should be
ready to be merged.
-Steffan
From: Steffan Karger
Instead of logging the fact that an error occurred, log the error code and
description (when available in the PolarSSL build).
Signed-off-by: Joachim Schipper
---
src/openvpn/ssl_polarssl.c |8 ++--
1 file
From: Steffan Karger
Added translation table and functions to translate between TLS OpenSSL
and IANA (IETF) cipher suite names. The previously used OpenSSL names
are still accepted, but a deprecation warning is issued.
Signed-off-by: Steffan Karger
From: Steffan Karger
Added translate_cipher name to crypto_openssl.c and crypto_polarssl.c
to translate between OpenVPN(/OpenSSL) and PolarSSL data channel
cipher algorithm names. OpenSSL does not require any translating,
PolarSSL does for a small number of algorithms.
From: Steffan Karger
Add support for PolarSSL-1.2, which has changed the API in several places.
This is a minimal port, new features have not been enabled. Only PolarSSL
1.2.5 and newer are accepted, as earlier versions contain unresolved
(security) issues.
Hi Everyone,
The attached patches add PolarSSL 1.2 support to OpenVPN 2.3, while maintaining
OpenVPN configuration file compatibility between the OpenSSL and PolarSSL
builds.
Patches 1-3 upgrade the supported PolarSSL versions to 1.2.5 or newer.
Patch 4 adds data channel cipher name
From: Steffan Karger
Instead of logging the fact that an error occurred, log the error code and
description (when available in the PolarSSL build).
Signed-off-by: Joachim Schipper
---
src/openvpn/ssl_polarssl.c |8 ++--
1 file
From: Steffan Karger
Print the *flags argument, which - for PolarSSL-1.2 - contains the reasons that
the certificate failed (pre-)verification.
Signed-off-by: Joachim Schipper
---
src/openvpn/ssl_verify_polarssl.c |6 +++---
1 file
From: Steffan Karger
Add support for PolarSSL-1.2, which has changed the API in several places.
This is a minimal port: PolarSSL-1.2 works, but the new features have not
been enabled. Everything before 1.2 is no longer supported.
PolarSSL-1.2.[0-2] are blacklisted for
From: Steffan Karger
Instead of logging the fact that an error occurred, log the error string or (if
the PolarSSL build does not include this feature) the error code.
Signed-off-by: Joachim Schipper
---
src/openvpn/ssl_polarssl.c | 20
From: Steffan Karger
Print the *flags argument, which - for PolarSSL-1.2 - contains the reasons that
the certificate failed (pre-)verification.
Signed-off-by: Joachim Schipper
---
src/openvpn/ssl_verify_polarssl.c |6 +++---
1 file
Hi,
>From PolarSSL 1.1 to 1.2 the cipher names have changed and the API changed a
>bit. This causes the 2.3 release of OpenVPN to be incompatible with PolarSSL
>1.2.
We've prepared three patches to add support for PolarSSL 1.2 to OpenVPN 2.3.
The first two patches just improve error
From: Steffan Karger
Instead of logging the fact that an error occurred, log the error string or (if
the PolarSSL build does not include this feature) the error code.
Signed-off-by: Joachim Schipper
---
src/openvpn/ssl_polarssl.c | 20
From: Steffan Karger
Print the *flags argument, which - for PolarSSL-1.2 - contains the reasons that
the certificate failed (pre-)verification.
Signed-off-by: Joachim Schipper
---
src/openvpn/ssl_verify_polarssl.c |6 +++---
1 file
From: Steffan Karger
Add support for PolarSSL-1.2, which has changed the API in several places. This
is a minimal port: PolarSSL-1.2 works as well as PolarSSL-1.1, but the new
features have not been enabled.
Blacklist PolarSSL-1.[0-2] for bugs when verifying