Hi,
On 17-01-18 14:10, Emmanuel Deloget wrote:
> Calling EVP_KEY_id() before EVP_PKEY_get0_*() is unnecessary as
> the same check is also performed in the latter.
>
> We also make the code a bit better by not calling the various
> EVP_PKEY_get0_*() functions twice (this needs a bit of reordering t
tting new more serious mistakes.)
Those who prefer a more silent build can use --disable-strict to revert
to the old default behaviour.
Signed-off-by: Steffan Karger
---
configure.ac | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
index 2c1
Hi,
On 20-01-18 17:52, Gert Doering wrote:
> On Sat, Jan 20, 2018 at 09:05:50AM -0500, Selva Nair wrote:
>> If/when the TLS1.2+ support for cryptoapicert is ready for merge, is
> it a candidate for 2.4? Technically it's a new feature but considering
>> the "popular belief" that TLS1.1 needs to be
Hi,
On 20-01-18 18:22, Selva Nair wrote:
> Does openvpn-vagrant include any VM provisioning with openssl-0.9.8?
> Until recently I had access to a few old debian boxes but now all
> updated and 0.9.8 testing is getting harder.
To test against various openssl versions, I statically compile against
Hi,
On 21-01-18 06:37, Selva Nair wrote:
>
> On Sat, Jan 20, 2018 at 11:41 AM, Steffan Karger wrote:
>>
>> This by default enables the compiler warnings anyone could previously
>> enable using the --enable-strict configure option. I think it is
>> okay to do so no
cert_context)
> {
> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> index b240e2e..220c2e5 100644
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -3018,24 +3018,6 @@ options_postprocess_mutate(struct options *o)
> }
> #endif
>
Hi,
Sorry for taking so long to review. At least some early review comments:
On 04-12-17 22:16, j...@carroll.com wrote:
> From: Jim Carroll
>
> Signed-off-by: Jim Carroll
> ---
> INSTALL | 78
>
> Makefile.am
Hi,
Didn't we have this discussion before? Gert basically NAK'd removing
support for a library version in a dot-release, which I think is valid
reasoning (even though I really would like to drop 0.9.8).
Anyway, to fill in the facts:
On 22-01-18 15:55, David Sommerseth wrote:
> On 22/01/18 15:12
On 25-01-18 16:14, Selva Nair wrote:
> A more useful thing to do is to catch the case of user setting min =
> 1.2 (as in trac 977) and we changing max to 1.1 when key is in a
> legacy key store. That would cause a handshake failure with a cryptic
> error. Better to catch early with a helpful warnin
>key_spec == CERT_NCRYPT_KEY_SPEC)
> -{
> -NCryptFreeObject(cd->crypt_prov);
> -}
> -else
> -{
> -CryptReleaseContext(cd->crypt_prov, 0);
> - }
>
Hi,
On 24-01-18 06:06, selva.n...@gmail.com wrote:
> From: Selva Nair
>
> - Also add reference counting to CAPI_DATA (application data):
>
> When the application data is assigned to the private key
> we free it in the key's finish method. Proper error handling
> requires to keep track of
usage of uninitialized variables
or struct elements.
Signed-off-by: Steffan Karger
---
v2: Just move forward with warnings, don't add --disable-strict.
configure.ac | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 2c1937e5..4d415565 10
Hi,
On 27-01-18 17:47, Selva Nair wrote:
> As this is added by default (not in response to --enable/--disable
> directives), maybe better to prepend to user's CFLAGS? I'm not sure
> what the standard practice is, though. Considering the complexity of
> configury, preserving user's input is hard,
On 01-02-18 16:45, Steffan Karger wrote:
> +AX_CHECK_COMPILE_FLAG(
> +[-Wno-unused-function],
> +[CFLAGS="-Wno-unused-function ${CFLAGS}"]
> +)
> +AX_CHECK_COMPILE_FLAG(
> +[-Wno-unused-parameter],
> +[CFLAGS="-Wno-unused-parameter ${CFLAGS}&quo
usage of uninitialized variables
or struct elements.
Signed-off-by: Steffan Karger
---
v2: Just move forward with warnings, don't add --disable-strict.
v3: Nothing is as simple as it seems: put user-supplied CFLAGS behind
default flags, check that potential esoteric compiler supports
Hi,
On 02-02-18 05:43, Selva Nair wrote:
> On Thu, Feb 1, 2018 at 10:45 AM, Steffan Karger wrote:
>> [...]
>>
>> +AX_CHECK_COMPILE_FLAG([-Wall], [CFLAGS="-Wall ${CFLAGS}"])
>
> The three options could have been checked together, but this is fine too.
>
we simply log a warning and
skip the personalisation if such highly unlikely errors occur.)
Signed-off-by: Steffan Karger
---
src/openvpn/ssl_mbedtls.c | 8 ++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index 2a1215d
onst char *kd = keydirection2ascii(o->key_direction, remote, false);
> if (kd)
> {
> buf_printf(&out, ",keydir %s", kd);
>
'The right' here means 'what was in the config' instead of 'what we use
internally'. But I
We have a debug level packets dropped by the TLS layer - use that for this
packet drop too. This changes this message from 'verb 3' to 'verb 4'
(which should result in less user reports about this almost always
harmless warning).
Signed-off-by: Steffan Karger
---
src/ope
Not all supported Windows formatting libs are C99 compliant and some do not
grasp %ll (similar to %zu). Use int64_t and PRIi64 to work around that.
Signed-off-by: Steffan Karger
---
src/openvpn/error.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/openvpn/error.c
Hi,
On 18-02-18 20:04, Selva Nair wrote:
> On Fri, Feb 16, 2018 at 8:45 AM, Steffan Karger
> wrote:
>> Not all supported Windows formatting libs are C99 compliant and some do not
>> grasp %ll (similar to %zu). Use int64_t and PRIi64 to work around that.
>>
>>
. Since this doesn't use new-and-shine autoconf features, it
should also work on the legacy platforms.
Signed-off-by: Steffan Karger
---
configure.ac| 18 ++-
m4/ax_check_compile_flag.m4 | 74 -
2 files changed, 10 insertions(+
s [status=%u
> if_index=%lu]",
> +msg(M_WARN, "TUN: %s address failed using service: %s [status=%u
> if_index=%d]",
> (add ? "adding" : "deleting"), strerror_win32(ack.error_number,
> &gc),
> ack.error_number, addr.iface.index);
>
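Review bot: the if_index conversion changes from %lu to %d while the argument passed stays addr.iface.index; confirm the new specifier matches the declared type of that field (an unsigned field wants %u, a signed int wants %d), otherwise this trades one format/argument mismatch for another.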
nt in 'rsa', so
> -* we decrease it here with RSA_free(), or it will never be cleaned up. */
> -RSA_free(rsa);
> +cd->ref_count--; /* so that cd will get freed with the private key */
Would a call to CAPI_DATA_free() - effectively the
x, cd, pkey))
> +{
> +goto err;
> +}
> }
> -
> -if (!SSL_CTX_use_RSAPrivateKey(ssl_ctx, rsa))
> +else
> {
> +msg(M_WARN, "cryptoapicert requires an RSA certificate");
> goto err;
> }
Hi,
Thanks for reviewing!
On 23-02-18 10:17, Antonio Quartulli wrote:
> On 07/02/18 20:22, Steffan Karger wrote:
>> -mbedtls_sha256(cert->tbs.p, cert->tbs.len, sha256_hash, false);
>> +if (0 != md_full(sha256_kt, cert->tbs.p, cert->tbs.len,
>>
Hi
On 23-02-18 00:02, Selva Nair wrote:
> On Thu, Feb 22, 2018 at 5:37 PM, Selva Nair wrote:
>>> +/** Return true if the addition of a and b would overflow. */
>>> +static inline bool
>>> +time_t_add_overflow(time_t a, time_t b) {
>>> +static_assert(((time_t) -1) < 0, "OpenVPN assumes time_t
This adds warnings for when a user or our code tries to set a maximum
TLS version that's smaller than the current configured minimum TLS
version.
(And fixes some related whitespace now that I touch it anyway.)
Signed-off-by: Steffan Karger
---
src/openvpn/cryptoapi.c | 12 +---
Hi,
Patch looks good in general, and works as expected on my Win 10 test
box. Some minor comments below:
On 23-02-18 19:10, selva.n...@gmail.com wrote:
> From: Selva Nair
>
> Requires openssl 1.1.0 or higher
>
> Signed-off-by: Selva Nair
> ---
> v3 of 2/3 changed the context of one chunk, so
Hi,
On 20-02-18 17:22, Ilya Shipitsin wrote:
> Currently the patch implementing the RFC7512 URI scheme is added during
> building the Windows installer. The same patch was added to travis-ci
> cross builds
I don't think this is a good idea. Most pkcs11-helper builds out in the
world are *without* this pa
1.1.0 */
> +
> static const CERT_CONTEXT *
> find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store)
> {
> @@ -642,9 +841,18 @@ SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx,
> const char *cert_prop)
> goto err;
> }
>
Hi,
On 20-02-18 11:00, Gert Doering wrote:
> On Tue, Feb 20, 2018 at 10:41:08AM +0100, Gert Doering wrote:
>> Your patch has been applied to the master and release/2.4 branch.
>>
>> Tested on FreeBSD 10, Linux and, indeed, AIX 7 :-) - Linux/gcc is nicely
>> clean, FreeBSD/clang finds a few that ar
LibreSSL compatible with the
OpenSSL 1.1 API. If they truly do that, it might also keep working.
For now, make sure people understand we do not really support LibreSSL.
Signed-off-by: Steffan Karger
---
src/openvpn/options.c | 5 +
1 file changed, 5 insertions(+)
diff --git a/src/openvpn
[resending because the list rejected my mail from yesterday...]
On 1 March 2018 at 00:11, Steffan Karger wrote:
> +msg(M_WARN, "WARNING: This OpenVPN was built against LibreSSL. "
> +"This might work, but is *not* supported and can break at any time.")
G
Hi,
On 04-03-18 10:08, Gert Doering wrote:
> On Thu, Mar 01, 2018 at 12:11:23AM +0100, Steffan Karger wrote:
>> As discussed in the community meeting of 13-12-2017, we should warn our
>> users that LibreSSL is not officially supported. We expect that it
>> currently works,
return 1;
> +return 0;
>
> err:
> crypto_msg(M_FATAL, "Cannot enable SSL external private key capability");
> -return 0;
> +return 1;
> }
>
> #endif /* ifdef MANAGMENT_EXTERNAL_KEY */
>
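Review bot: this hunk flips the function's return values (the success path `return 1;` becomes `return 0;`, and the `err:` path `return 0;` becomes `return 1;`); every caller that tests this function's result must be updated in the same change, and the commit message should spell out which convention the function now follows so the two paths are not mixed up again.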
Thanks for the patch, and pointing out this incons
Hi,
On 01-03-18 05:15, Selva Nair wrote:
> We can avoid all overflow and eliminate the check and the ASSERT
> by writing it as
>
> time_t wakeup = (et->last - local_now) + et->n; // parens added for clarity
>
> For the first subtraction to overflow, last and now have to differ by
> > INT_MAX (for
touching this code.)
Signed-off-by: Steffan Karger
---
src/openvpn/ssl.c | 29 +
src/openvpn/ssl_openssl.c | 2 +-
2 files changed, 22 insertions(+), 9 deletions(-)
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 79b985e..25a7085 100644
--- a/src
ch like I recently submitted, to leave no doubt
about the state of our LibreSSL support. (Though I'd also like to
defend ourselves a bit, LibreSSL lured us into this mess by pretending
to be OpenSSL-compatible.)
> Steffan Karger: When the introduced block
> in 0e8a30c0b05c1e2b59a1dea0a6ea
On 04-03-18 23:23, Jeremie Courreges-Anglas wrote:
> On Sun, Mar 04 2018, Selva Nair wrote:
>> Libressl developers break API compatibility with openssl in such
>> perverse ways that there are no easy ways to support it. Take, for
>> example, the patch I just sent out which checks for certain func
On 05-03-18 00:13, Jeremie Courreges-Anglas wrote:
> On Sun, Mar 04 2018, Selva Nair wrote:
> --8<--
> [...]. OpenSSL itself only provided said setters (since 2015)[2]. The
> getters were added to OpenSSL later (Sep 2017)[3].
>
> [2]
> https://github.com/openssl/openssl/commit/7946ab33cecce60
Hi,
On 04-03-18 19:59, Jeremie Courreges-Anglas wrote:
> On Thu, Dec 14 2017, Steffan Karger wrote:
>
> [...]
>
>> NAK.
>>
>> Looking at this patch again I realize I have misunderstood the
>> intentions when first looking at it. I thought LibreSSL *did*
On 05-03-18 00:26, Steffan Karger wrote:
> Yes, I'd rather not use the workaround if not needed.
Bad wording. Read that as "I'm no longer opposed to a patch".
-Steffan
= 0. Then the above
> expression cannot overflow (provided time_t is at least as large
> as int).
>
> A similar expression in interval.h is also changed.
>
> (This patch grew out of patch 168 by Steffan Karger.)
>
> Signed-off-by: Selva Nair
> ---
> src/openvpn/
Hi,
On 06-03-18 23:16, Jonathan K. Bullard wrote:
> Can someone clarify which versions of OpenSSL OpenVPN supports (that
> is, "works with when linked statically")?
>
> From what I gather:
>
> * OpenVPN 2.3.18 supports OpenSSL 1.0.2n
> * OpenVPN 2.4.5 supports OpenSSL 1.0.2n and 1.1.0g
> * Op
de NCP cipher selection and key
generation. Doing it here removes the need for handling with multiple
received push requests. Technically, the check for .authenticated before
generating keys should not even be necessary, but I think it's good to
leave it in as a double-check to prevent future mist
touching this code.)
Signed-off-by: Steffan Karger
---
v2: error out with M_FATAL as suggested by Selva.
src/openvpn/ssl.c | 28
src/openvpn/ssl_openssl.c | 2 +-
2 files changed, 21 insertions(+), 9 deletions(-)
diff --git a/src/openvpn/ssl.c b/src/openvpn
From: Steffan Karger
This is a preliminary description of tls-crypt-v2. It should give a good
impression about the reasoning and design behind tls-crypt-v2, but might
need some polishing and updating.
Signed-off-by: Steffan Karger
---
v2: update text for --tls-crypt-v2-genkey, fix typo
doc
touching this code.)
Signed-off-by: Steffan Karger
---
v2: error out with M_FATAL as suggested by Selva.
v3: rebase on master (without extra patches)
src/openvpn/ssl.c | 28
src/openvpn/ssl_openssl.c | 2 +-
2 files changed, 21 insertions(+), 9 deletions
Hi,
On 9 March 2018 at 04:38, Selva Nair wrote:
> I wanted to give this a quick test, but it doesn't apply.
>
> It seems you have patch 116 (Antonio's "inline-tag changed to bool"
> patch) in your local repo.
Oops, you're right - this was based on top of my local working branch,
which indeed inc
Hi,
One comment based on stare-at-code only:
On 12-03-18 02:17, selva.n...@gmail.com wrote:
> @@ -636,6 +640,8 @@ find_certificate_in_store(const char *cert_prop,
> HCERTSTORE cert_store)
> }
> if (!*++p) /* unexpected end of string */
> {
> +
Hi,
On 06-02-18 06:53, Selva Nair wrote:
> On Mon, Feb 5, 2018 at 7:52 PM, Jonathan K. Bullard
> wrote:
>> Hi, I'd like to reopen this patch -- it seems to have gotten lost.
>>
>> The patch is so old the line numbers are wrong but the code doesn't
>> seem to have changed.
>>
>> I'm top-posting b
Hi,
On 02-04-18 16:58, Selva Nair wrote:
> On Mon, Apr 2, 2018 at 8:37 AM, Steffan Karger wrote:
>> Also, this looks like a somewhat unrelated fix. I would have personally
>> preferred it in a separate patch (so we can e.g. backport it easily even
>> if we decide not not ba
Hi Antonio,
Sorry for taking so long to respond - life was getting in the way.
On 16-04-18 15:03, Antonio Quartulli wrote:
> there was a comment in my previous review that remained unanswered.
> Please, see it below
>
> On 09/03/18 04:23, Steffan Karger wrote:
> [CUT]
>>
Hi,
On 26-03-18 18:36, Ning Wei via Openvpn-devel wrote:
> Both of key_method_2_write and key_method_2_read take
> TLS_Channel_Bug_Size as buffer size. The current size, 2048 is not
> enough to read/write a long password response. I have noticed the
> management interface has a much smaller than
Hi,
Hi,
On 02-05-18 20:40, Selva Nair wrote:
> On Wed, May 2, 2018 at 2:30 PM, Steffan Karger wrote:
>> On 26-03-18 18:36, Ning Wei via Openvpn-devel wrote:
>>> Both of key_method_2_write and key_method_2_read take
>>> TLS_Channel_Bug_Size as buffer size. Th
Hi,
On 04-05-18 17:45, Jan Just Keijser wrote:
> On 04/05/18 16:41, Derek Zimmer wrote:
>> What conclusions can we draw from this?
>>
> My main conclusion has always been that OpenVPN is limited by the number
> of user-to-kernel space transitions, not by anything else.
Same here. I guess this in
Hi,
On 09-04-18 11:10, Ilya Shipitsin wrote:
> both "compiler" and "exclude" are redundant, so remove them
Makes sense. Though now that you're touching this anyway, maybe also
add an OpenSSL 1.0.1 build? Since that's the oldest OpenSSL version we
support in the master branch, that's an interest
Hi Jason,
[ Dumping my thoughts so this doesn't remain completely unanswered for
even longer. ]
On 17-04-18 18:50, Jason A. Donenfeld wrote:
> OpenVPN traditionally works around CAs. However many TLS-based protocols also
> allow an alternative simpler mode in which rather than verify certificates
-auth key rollover. Feature-ACK.
> If no tls-auth option is specified in a given connection block,
> the global one, if any, is used.
>
> Trac: #720
> Cc: Steffan Karger
> Signed-off-by: Antonio Quartulli
> ---
> doc/openvpn.8 | 1 +
> src/openvpn/init.c| 10
Can be suppressed by adding a "nowarn" flag to the compress options, for
those that are really sure that compression is fine for their use case.
Signed-off-by: Steffan Karger
---
This patch is also meant to discuss how far we want to go in warning
users about using compression. I
;,
which should probably be improved. But I didn't want to refactor that in
this patch.
Signed-off-by: Steffan Karger
---
doc/openvpn.8 | 16 +++---
src/openvpn/options.c | 85 ---
2 files changed, 65 insertions(+), 36 deletions(-)
diff -
Signed-off-by: Steffan Karger
---
doc/openvpn.8 | 10 ++
1 file changed, 10 insertions(+)
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 4114f40..0e5d467 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -2516,6 +2516,16 @@ If the
parameter is empty, compression will be turned of
Hi Antonio,
Thanks for the review!
On 15-06-18 09:03, Antonio Quartulli wrote:
> On 08/12/17 20:07, Steffan Karger wrote:
>> Needed for tls-crypt-v2, but isolated enough to be reviewed as a separate
>> patch.
>>
>> The encode API allocates memory, because it fits our
Hi,
On 15-06-18 09:46, Antonio Quartulli wrote:
>
>
> On 08/12/17 20:07, Steffan Karger wrote:
>> To avoid having to include misc.c - which is a dependency mess - in the
>> tls-crypt unit tests, move file-handling related functions to platform.c
>> (which is where o
Hi,
On 22-06-18 08:40, Steffan Karger wrote:
> On 15-06-18 09:46, Antonio Quartulli wrote:
>> Actually, if I understand correctly, this new mock'd component will
>> only be used when the other patches will be merged too.
>> Therefore, I guess this patch could be divide
> --
> v2: Add openssl-1.0.1u to build matrix (thanks to Steffan Karger),
> Add explicit apt-get update (it was disabled by default in travis-ci)
> ---
> ---
> .travis.yml | 17 -
> 1 file changed, 8 insertions(+), 9 deletions(-)
>
> diff --git a/.t
On 24-06-18 06:03, Илья Шипицин wrote:
> Someone who has admin rights, can purge the cache
Done. As this is very easy to do, I'm fine with doing this manually
every now and then after we change our dependency versions.
-Steffan
--
Hi,
On 22-06-18 04:15, Rosen Penev wrote:
> These get included when deprecated APIs are enabled. This is true on at
> least version 1.0.2 and 1.1.0.
>
> Without deprecated APIs, OpenVPN fails to compile.
>
> Signed-off-by: Rosen Penev
> ---
> src/openvpn/ssl_openssl.c| 9 +
> s
Hi Kevin,
On 04-07-18 02:39, Kevin Kane via Openvpn-devel wrote:
> Thanks to Jon for making the introduction. My team works on
> post-quantum (PQ) cryptography, which is algorithms used by regular
> computers but which are resistant to attack by a sufficiently
> powerful quantum computer. This Ope
From: Steffan Karger
This is a preliminary description of tls-crypt-v2. It should give a good
impression about the reasoning and design behind tls-crypt-v2, but might
need some polishing and updating.
Signed-off-by: Steffan Karger
---
doc/tls-crypt-v2.txt | 164
From: Steffan Karger
Not used yet, but prepare for sending and receiving tls-crypt-v2 handshake
messages.
Signed-off-by: Steffan Karger
---
src/openvpn/ps.c | 3 ++-
src/openvpn/ssl.c| 23 ++-
src/openvpn/ssl.h| 5 -
src/openvpn/ssl_common.h
From: Steffan Karger
This makes clients send-and-use, and servers receive-unwrap-and-use
tls-crypt-v2 client keys, which completes the on-the-wire work.
Signed-off-by: Steffan Karger
---
src/openvpn/init.c | 39 +-
src/openvpn/openvpn.h| 2 +
src
From: Steffan Karger
To avoid having to include misc.c - which is a dependency mess - in the
tls-crypt unit tests, move file-handling related functions to platform.c
(which is where other file-related functions already reside).
Note that platform_create_temp_file() needs random. To avoid
From: Steffan Karger
Add helper functions to unwrap tls-crypt-v2 client keys.
Signed-off-by: Steffan Karger
---
src/openvpn/buffer.h | 7 +
src/openvpn/tls_crypt.c | 102 +
tests/unit_tests/openvpn/test_tls_crypt.c | 253
From: Steffan Karger
As a first step towards a full tls-crypt-v2 implementation, add
functionality to generate tls-crypt-v2 client keys.
Signed-off-by: Steffan Karger
---
doc/openvpn.8 | 51
src/openvpn/buffer.c| 63 +
src/openvpn/buffer.h| 6 +
src
From: Steffan Karger
To allow rejecting incoming connections very early in the handshake,
add a --tls-crypt-v2-verify option that allows administrators to
run an external command to verify the metadata from the client key.
See doc/tls-crypt-v2.txt for more details.
Because of the extra
To avoid having to include misc.c - which is a dependency mess - in the
tls-crypt unit tests, move the command execution helper functions to a new
run_command.c module.
While at it, abstract away the script_security global variable.
Signed-off-by: Steffan Karger
---
src/openvpn/Makefile.am
From: Steffan Karger
Needed for tls-crypt-v2, but isolated enough to be reviewed as a separate
patch.
The encode API allocates memory, because it fits our typical gc-oriented
code pattern and the caller does not have to do multiple calls or
calculations to determine the required destination
uired because when moving from one remote to the
> other the key may change and thus the key context needs to
> be refreshed.
>
> To ensure that the `persist-key` logic will still work
> as expected, the tls-auth/crypt key is pre-loaded so that
> the keyfile is not required at ru
e when moving from one remote to the
> other the key may change and thus the key context needs to
> be refreshed.
>
> To ensure that the `persist-key` logic will still work
> as expected, the tls-auth/crypt key is pre-loaded so that
> the keyfile is not required at runtime.
th/crypt option is specified in a given connection
> block, the global settings, if any, are used.
>
> Trac: #720
> Cc: Steffan Karger
> Signed-off-by: Antonio Quartulli
> ---
> v2:
> - convert tls-auth keyfile to inline key if persist-key was specified
> v3:
> - squa
t key is pre-loaded so that
> the keyfile is not required at runtime.
>
> Trac: #720
> Cc: Steffan Karger
> Signed-off-by: Antonio Quartulli
> ---
> v2:
> - introduce this patch
> v3:
> - add key pre-loading logic to this patch to avoid temporary features
> breakag
e when moving from one remote to the
> other the key may change and thus the key context needs to
> be refreshed.
>
> To ensure that the `persist-key` logic will still work
> as expected, the tls-auth/crypt key is pre-loaded so that
> the keyfile is not required at runtime.
Hi,
The following three patches contain a number of minor fixes. They were
originally written by Gert van Dijk, but I have the honor to provide
them to you. So I added the signed-off-by line. All improvements are
Gert's, all bugs are my fault ;-)
-Steffan
From: Gert van Dijk
Signed-off-by: Steffan Karger
---
doc/doxygen/doc_protocol_overview.h | 2 +-
src/openvpn/ssl.c | 4 ++--
src/openvpn/ssl.h | 2 +-
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/doc/doxygen/doc_protocol_overview.h
b/doc
From: Gert van Dijk
Signed-off-by: Steffan Karger
---
src/openvpn/reliable.c | 2 +-
src/openvpn/reliable.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/openvpn/reliable.c b/src/openvpn/reliable.c
index b62ab54..d295076 100644
--- a/src/openvpn/reliable.c
+++ b
From: Gert van Dijk
Signed-off-by: Steffan Karger
---
src/openvpn/reliable.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/openvpn/reliable.c b/src/openvpn/reliable.c
index d295076..a7f4ed9 100644
--- a/src/openvpn/reliable.c
+++ b/src/openvpn/reliable.c
@@ -462,7
Hi,
On 20-07-18 13:20, Antonio Quartulli wrote:
> Hi,
>
> On 05/07/18 01:53, Steffan Karger wrote:
> [CUT]
>
>> +bool
>> +crypto_pem_decode(const char *name, struct buffer *dst,
>> + const struct buffer *src)
>> +{
>> +bool r
From: Steffan Karger
Needed for tls-crypt-v2, but isolated enough to be reviewed as a separate
patch.
The encode API allocates memory, because it fits our typical gc-oriented
code pattern and the caller does not have to do multiple calls or
calculations to determine the required destination
Not used yet, but prepare for sending and receiving tls-crypt-v2 handshake
messages.
Signed-off-by: Steffan Karger
---
v3: rebase on current master / v3 patch set
src/openvpn/ps.c | 3 ++-
src/openvpn/ssl.c| 23 ++-
src/openvpn/ssl.h| 5 -
src
Rewrite buf_write_string_file to buffer_write_file, which is simpler to
use and can deal with not-null-terminated strings. Mostly implemented so
this can be easily reused for tls-crypt-v2 (client) key files.
Signed-off-by: Steffan Karger
---
v3: split change out of "generate client key"
As a first step towards a full tls-crypt-v2 implementation, add
functionality to generate tls-crypt-v2 client keys.
Signed-off-by: Steffan Karger
---
v3: Include length in WKc
doc/openvpn.8 | 51 +
src/openvpn/init.c | 35 +-
src/openvpn/integer.h | 10 ++
src
adding a mock
parse_line() to the tls-crypt unit tests.
Signed-off-by: Antonio Quartulli
Signed-off-by: Steffan Karger
---
v3: rebase on current master / v3 patch set
Changes.rst | 12 ++
doc/openvpn.8 | 35 ++--
src/openvpn
This is a preliminary description of tls-crypt-v2. It should give a good
impression about the reasoning and design behind tls-crypt-v2, but might
need some polishing and updating.
Signed-off-by: Steffan Karger
---
v3: Include length in WKc
doc/tls-crypt-v2.txt | 170
Add helper functions to unwrap tls-crypt-v2 client keys.
Signed-off-by: Steffan Karger
---
v3: Include length in WKc
src/openvpn/buffer.h | 7 +
src/openvpn/tls_crypt.c | 120 ++
tests/unit_tests/openvpn/test_tls_crypt.c | 253
This makes clients send-and-use, and servers receive-unwrap-and-use
tls-crypt-v2 client keys, which completes the on-the-wire work.
Signed-off-by: Steffan Karger
---
v3: include length in WKc, rebase on current master / v3 patch set
src/openvpn/init.c| 41
Hi,
Thanks for the review. Responses inline.
On 02-08-18 11:10, Antonio Quartulli wrote:
> On 26/07/18 00:08, Steffan Karger wrote:
>> diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c
>> index 0972139..20e2b9c 100644
>> --- a/src/openvpn/buffer.c
>>
Hi,
On 02-08-18 12:59, Antonio Quartulli wrote:
> On 26/07/18 00:08, Steffan Karger wrote:
>> This is a preliminary description of tls-crypt-v2. It should give a good
>> impression about the reasoning and design behind tls-crypt-v2, but might
>> need some polishing and updat
Rewrite buf_write_string_file to buffer_write_file, which is simpler to
use and can deal with not-null-terminated strings. Mostly implemented so
this can be easily reused for tls-crypt-v2 (client) key files.
Signed-off-by: Steffan Karger
---
v3: split change out of "generate client key"