[Openvpn-devel] [PATCH 2/2] Fix rand_bytes return value checking

2015-11-28 Thread Steffan Karger
hand. Signed-off-by: Steffan Karger --- src/openvpn/crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 1ceb411..c18d88b 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -1320,7 +1320,7 @@ prng_bytes (ui

[Openvpn-devel] [PATCH] Fix openssl builds with custom-built library: specify most-dependent first

2015-11-28 Thread Steffan Karger
", which is not pretty but does work.) Signed-off-by: Steffan Karger --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 40df8a1..d3b3fa9 100644 --- a/configure.ac +++ b/configure.ac @@ -1110,7 +1110,7 @@ if test "${enab

Re: [Openvpn-devel] [PATCH] Support duplicate x509 field values in environment

2015-11-29 Thread Steffan Karger
code again, I also realized a strcpy() makes more sense in setenv_str_incr() than the memcpy() from the previous patch. (Both work just fine, but this should be easier to read.) -Steffan From 44a5af585953d5384d3bbd64e55c1de6343919d8 Mon Sep 17 00:00:00 2001 From: Steffan Karger Date: Sun, 29 Nov

[Openvpn-devel] [PATCH] Warn user if their certificate has expired

2015-12-14 Thread Steffan Karger
diagnosis / error reporting. Note that this is just a warning, since on some systems (notably embedded devices) there might be no correct time available. Signed-off-by: Steffan Karger --- src/openvpn/ssl.c | 3 +++ src/openvpn/ssl_backend.h | 9 + src/openvpn/ssl_openssl.c

[Openvpn-devel] [PATCH] Disable certificate notBefore/notAfter sanity check on OpenSSL < 1.0.2

2015-12-14 Thread Steffan Karger
select group of people that do use an up-to-date openvpn, but do not update their openssl. I don't think that's worth it. So just disable the code for older openssl versions. Signed-off-by: Steffan Karger --- src/openvpn/ssl_openssl.c | 2 ++ 1 file changed, 2 insertions(+) diff -

Re: [Openvpn-devel] [PATCH] Disable certificate notBefore/notAfter sanity check on OpenSSL < 1.0.2

2015-12-15 Thread Steffan Karger
Hi, On Tue, Dec 15, 2015 at 9:42 AM, Jan Just Keijser wrote: > On 14/12/15 23:14, Steffan Karger wrote: >> The SSL_CTX_get0_certificate() function I used in 091edd8e is available in >> OpenSSL 1.0.2+ only. Older versions seem to not have a useful >> alternative. >>

Re: [Openvpn-devel] [PATCH] Disable certificate notBefore/notAfter sanity check on OpenSSL < 1.0.2

2015-12-15 Thread Steffan Karger
The SSL_CTX_get0_certificate() function I used in 091edd8e is available in OpenSSL 1.0.2+ only. Older versions seem to not have a useful alternative. The remaining option would then be to create a cache for our parsed certificate, but that would mean adding more struc

Re: [Openvpn-devel] [PATCH] Disable certificate notBefore/notAfter sanity check on OpenSSL < 1.0.2

2015-12-15 Thread Steffan Karger
Hi, On Tue, Dec 15, 2015 at 6:24 PM, Jan Just Keijser wrote: > ah well, in that case I would simply write out get0_certificate again: the > code for that function actually is: > > 3011 X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx) > 3012 { > 3013 if (ctx->cert != NULL) > 3014 ret

Re: [Openvpn-devel] [PATCH] Use example.com to improve clarity of documentation

2015-12-15 Thread Steffan Karger
Hi Philip, On Mon, Nov 30, 2015 at 4:03 AM, Phillip Smith wrote: > This patch uses the generic "host1.example.com" and "host2.example.com" to > replace the current "may" and "june" hostname examples. Generic names chosen > rather than other names like "server"/"client" or > "head-office"/"remote

Re: [Openvpn-devel] [PATCH] Use example.com to improve clarity of documentation

2015-12-15 Thread Steffan Karger
On Tue, Dec 15, 2015 at 8:46 PM, David Sommerseth wrote: > On 30/11/15 04:03, Phillip Smith wrote: >> This patch uses the generic "host1.example.com" and "host2.example.com" to >> replace the current "may" and "june" hostname examples. Generic names chosen >> rather than other names like "server"/

Re: [Openvpn-devel] [PATCHv2] Implement the compression V2 data format for stub and lz4.

2015-12-15 Thread Steffan Karger
Hi Arne, Some comments after a first review: On Thu, Dec 10, 2015 at 1:39 PM, Arne Schwabe wrote: > V2: Fix an unintended change in the old lz4 decompress code. > > [..snip...] > > +static void > +lz4_compress (struct buffer *buf, struct buffer work, > + struct compress_context *comp

Re: [Openvpn-devel] [PATCH] Warn user if their certificate has expired

2015-12-15 Thread Steffan Karger
On Tue, Dec 15, 2015 at 10:41 PM, Jan Just Keijser wrote: > On 15/12/15 08:53, Gert Doering wrote: >> On Tue, Dec 15, 2015 at 01:12:49AM +0100, David Sommerseth wrote: >>> Just tried to build openvpn on one of my laptops (Scientific Linux 7.1, >>> openssl-1.0.1e-42.el7). And it explodes when reac

[Openvpn-devel] [PATCH 1/2] Upgrade OpenVPN 2.3 to PolarSSL 1.3

2015-12-19 Thread Steffan Karger
d-off-by: Steffan Karger --- README.polarssl | 2 +- configure.ac | 4 +- include/openvpn-plugin.h | 4 +- src/openvpn/crypto_polarssl.c | 13 +- src/openvpn/pkcs11_polarssl.c | 26 ++-- src/openvpn/ssl_polarssl.c

[Openvpn-devel] [PATCH 2/2] Warn user if their certificate has expired

2015-12-19 Thread Steffan Karger
er openssl versions. (This is a combination of commits 091edd8e and 644f2cdd from the master branch, adjusted to apply to the release/2.3 branch cleanly) Signed-off-by: Steffan Karger --- src/openvpn/ssl.c | 3 +++ src/openvpn/ssl_backend.h | 9 + src/openvpn/ssl_opens

[Openvpn-devel] [PATCH] cleanup: get rid of httpdigest.c type warnings

2015-12-19 Thread Steffan Karger
When I compile with --enable-strict, I only want to see warnings that are relevant. So, change httpdigest.c to use the correct types when possible and make any remaining casts explicit. This commit should not change behaviour. Signed-off-by: Steffan Karger --- src/openvpn/httpdigest.c | 46

[Openvpn-devel] [PATCH] Make assert_failed() print the failed condition

2015-12-20 Thread Steffan Karger
Easy change to make logging output more useful. Signed-off-by: Steffan Karger --- src/openvpn/error.c | 4 ++-- src/openvpn/error.h | 5 +++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/src/openvpn/error.c b/src/openvpn/error.c index 66f37f3..6daf465 100644 --- a/src/openvpn

[Openvpn-devel] [PATCH v2] Make assert_failed() print the failed condition

2015-12-20 Thread Steffan Karger
Easy change to make logging output more useful. v2: don't print the failed condition if ENABLE_SMALL is defined. Signed-off-by: Steffan Karger --- src/openvpn/error.c | 7 +-- src/openvpn/error.h | 9 +++-- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/src/op

[Openvpn-devel] [PATCH v2] cleanup: get rid of httpdigest.c type warnings

2015-12-20 Thread Steffan Karger
*, instead of uint8_t. Signed-off-by: Steffan Karger --- src/openvpn/httpdigest.c | 46 -- 1 file changed, 24 insertions(+), 22 deletions(-) diff --git a/src/openvpn/httpdigest.c b/src/openvpn/httpdigest.c index 78b8344..908d259 100644 --- a/src/openvpn

[Openvpn-devel] [PATCH] Add Travis CI config for automatic builds and static analysis

2015-12-20 Thread Steffan Karger
builds and (basic) tests for all branches this commit is applied to, and enables coverity analysis for the coverity_scan branch (since we can only do a limited number of coverity scans per week with our FOSS account). Signed-off-by: Steffan Karger --- .travis.yml | 34

[Openvpn-devel] [PATCH v3] cleanup: get rid of httpdigest.c type warnings

2015-12-20 Thread Steffan Karger
#openvpn-devel, don't use a 'colon' var, but just add casts. Signed-off-by: Steffan Karger --- src/openvpn/httpdigest.c | 44 ++-- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/src/openvpn/httpdigest.c b/src/openvpn/htt

Re: [Openvpn-devel] [PATCH] Warn user if their certificate has expired

2015-12-23 Thread Steffan Karger
Hi, On Wed, Dec 23, 2015 at 4:11 PM, Jan Just Keijser wrote: > Steffan Karger wrote: >> >> [...] >> Just use mbedtls ;-) >> >> OpenSSL 1.0.2 has been released almost a year ago, so upcoming distro >> releases will probably contain 1.0.2+ (e.g. Ubuntu 15.10

Re: [Openvpn-devel] [PATCH] Use bob.example.com and alice.example.com to improve clarity of documentation

2015-12-25 Thread Steffan Karger
On Tue, Dec 22, 2015 at 1:12 AM, Phillip Smith wrote: > This patch uses generic "bob.example.com" and "alice.example.com" hostnames to > replace the current "may" and "june" examples. Generic names chosen rather > than > other names like "server"/"client" or "head-office"/"remote-office" etc whic

Re: [Openvpn-devel] [PATCH] Warn user if their certificate has expired

2015-12-26 Thread Steffan Karger
On 26-12-15 10:19, Gert Doering wrote: On Wed, Dec 23, 2015 at 04:11:17PM +0100, Jan Just Keijser wrote: I just wanted to get back to this one one more time: attached is a patch to ssl_openssl.c that works in combination with Steffan's patch to check for expired certificates. This new patch-pa

[Openvpn-devel] [PATCH] Fix regression in setups without a client certificate

2016-01-03 Thread Steffan Karger
/2.3 branch (which is part of 2.3.9). While touching this function, I also made this function conform to the openvpn coding style. Signed-off-by: Steffan Karger --- src/openvpn/ssl_openssl.c | 15 +++ src/openvpn/ssl_polarssl.c | 6 ++ 2 files changed, 17 insertions(+), 4

[Openvpn-devel] [PATCH v2] Fix regression in setups without a client certificate

2016-01-03 Thread Steffan Karger
/2.3 branch. This bug was found by chipitsine and reported in trac ticket #644. While touching this function, I also made this function conform to the openvpn coding style. v2 - fix memory leak in builds using pre-1.0.2 openssl Signed-off-by: Steffan Karger --- src/openvpn/ssl_openssl.c | 18

Re: [Openvpn-devel] [PATCH v5] Implement the compression V2 data format for stub and lz4.

2016-01-03 Thread Steffan Karger
Hi Arne, Some final comments (mostly just nitpicking). Other than this, I think the patch is ready to be merged. I tested it against James' openvpn 3 test server. On 02-01-16 11:20, Arne Schwabe wrote: +static void +lz4_compress (struct buffer *buf, struct buffer work, + struct

Re: [Openvpn-devel] [PATCH v6] Implement the compression V2 data format for stub and lz4.

2016-01-03 Thread Steffan Karger
On Sun, Jan 3, 2016 at 6:27 PM, Arne Schwabe wrote: > + /* did compression save us anything? Include 2 byte compression header > + in calculation */ > + { > +if (compressed && work.len + 2 < buf->len) > + { > + ASSERT(buf_prepend(&work, 2)); > + uint8_t *head = BPTR (&w
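Review bot: the 2-byte compression header length appears as a bare literal twice in this hunk, in `work.len + 2 < buf->len` and in `buf_prepend(&work, 2)`; a named constant for the header size would keep the size check and the prepend from drifting apart if the header format changes.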

[Openvpn-devel] [PATCH] polarssl: optimize polar_ok() for non-errors

2016-01-06 Thread Steffan Karger
simple check to the polar_ok() macro that reduces it to a single branch. Signed-off-by: Steffan Karger --- src/openvpn/crypto_polarssl.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/openvpn/crypto_polarssl.h b/src/openvpn/crypto_polarssl.h index 92c2c30..e6db445 100644

[Openvpn-devel] [PATCH 1/2] polarssl: improve logging

2016-01-06 Thread Steffan Karger
the release/2.3 branch. Signed-off-by: Steffan Karger --- src/openvpn/crypto_polarssl.c | 60 - src/openvpn/crypto_polarssl.h | 40 ++ src/openvpn/ssl_polarssl.c| 70 ++- src/openvpn

[Openvpn-devel] [PATCH 2/2] openssl: improve logging

2016-01-06 Thread Steffan Karger
ors dumped to log. This commit is a combined cherry-pick of commits e795d6ba and 98ea2ec5 from the master branch, adjusted to the release/2.3 branch. Signed-off-by: Steffan Karger --- src/openvpn/crypto_openssl.c | 51 +--- src/openvpn/crypto_openssl.h | 25 ++ s

[Openvpn-devel] [PATCH] polarssl: actually use polarssl debug logging

2016-01-06 Thread Steffan Karger
levels, but those are extremely verbose. Signed-off-by: Steffan Karger --- src/openvpn/ssl_polarssl.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/openvpn/ssl_polarssl.c b/src/openvpn/ssl_polarssl.c index 339d1fb..58b2116 100644 --- a/src/openvpn/ssl_polarssl.c

[Openvpn-devel] [PATCH] Update manpage: OpenSSL might also need /dev/urandom inside chroot

2016-01-07 Thread Steffan Karger
As reported in trac ticket #646, OpenSSL might also need /dev/urandom to be available in the chroot. This depends on OS, OS version and ssl library configuration. Update the manpage to better explain this. Signed-off-by: Steffan Karger --- doc/openvpn.8 | 13 + 1 file changed, 5

[Openvpn-devel] [PATCH] polarssl: use wrappers to access md_info_t member functions

2016-01-07 Thread Steffan Karger
The md_info_t will become an opaque struct in mbed TLS 2.x, start using the wrapper function in preparation to a future upgrade to 2.x. Signed-off-by: Steffan Karger --- src/openvpn/crypto_polarssl.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/openvpn

[Openvpn-devel] [PATCH] polarssl: remove now redundant 128-bit blowfish key override

2016-01-07 Thread Steffan Karger
As of 1.3.0, polarssl/mbedtls now by default uses a 128 bit key for the blowfish cipher (as opposed to the 32-bit (!) default they had previously). Since we require polar 1.3+, we no longer need this fixup code. Signed-off-by: Steffan Karger --- src/openvpn/crypto_polarssl.c | 2 -- 1 file

[Openvpn-devel] [PATCH] configure.ac: simplify crypto library configuration

2016-01-10 Thread Steffan Karger
a bug that would cause a user-specified OPENSSL_{CRYPTO,SSL}_LIBS to be overwritten by AC_CHECK_LIB if there are openssl headers available in the PATH. Signed-off-by: Steffan Karger --- Changes.rst | 8 INSTALL | 12 ++--- configur

Re: [Openvpn-devel] [PATCH] Fix build with libressl

2016-01-10 Thread Steffan Karger
Hi, On Sun, Jan 10, 2016 at 3:23 PM, Niels Ole Salscheider wrote: > On Sunday, 10 January 2016, 15:15:49 CET, Arne Schwabe wrote: >> On 10.01.2016 14:44, Niels Ole Salscheider wrote: >> > Signed-off-by: Niels Ole Salscheider >> > --- >> > >> > src/openvpn/ssl_openssl.c | 4 ++-- >> > 1 file cha

[Openvpn-devel] Please comment: AEAD support

2016-01-10 Thread Steffan Karger
Hi, For a while now I've been spending some time on adding AEAD support to OpenVPN. I published a branch containing my most recent patch set on github: https://github.com/syzzer/openvpn/tree/aead-cipher-modes11 The meat of it is in this commit, of which the commit message provides useful in

Re: [Openvpn-devel] Please comment: AEAD support

2016-01-11 Thread Steffan Karger
On Sun, Jan 10, 2016 at 5:24 PM, Steffan Karger wrote: > preliminary comments and test results are very much welcome. Based on feedback from Gert ('you don't need to send IV_NCP=2 as a server for server-side NCP support') and Arne ('peer-info can be NULL'), I just pu

[Openvpn-devel] [PATCH] socks.c: fix check on get_user_pass() return value(s)

2016-01-13 Thread Steffan Karger
of get_user_pass(). Signed-off-by: Steffan Karger --- src/openvpn/socks.c | 9 ++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c index 72bdf55..cef7a35 100644 --- a/src/openvpn/socks.c +++ b/src/openvpn/socks.c @@ -103,10 +103,13

[Openvpn-devel] [PATCH] configure.ac: fix polarssl autodetection

2016-01-18 Thread Steffan Karger
A missing , in the previous configure.ac patch caused the autodetection to fail. While fixing that, I noticed I can simplify the check by using the documented ${ac_cv_search_function} cache variable instead of the nested AC_SEARCH_LIBS. Signed-off-by: Steffan Karger --- configure.ac | 22

Re: [Openvpn-devel] travis-ci for openvpn-gui

2016-01-22 Thread Steffan Karger
On Fri, Jan 22, 2016 at 9:40 AM, Илья Шипицин wrote: > who can add it to https://travis-ci.org/openvpn/ ? Samuli can do this - I do not have sufficient rights on the openvpn-gui repository. -Steffan

Re: [Openvpn-devel] [PATCH v3] interactive service v3

2016-02-04 Thread Steffan Karger
On Thu, Feb 4, 2016 at 4:40 PM, Selva Nair wrote: > On Thu, Feb 4, 2016 at 4:38 AM, Gert Doering wrote: >> Thanks. I take this as an ACK from you for the service change, and >> Arne's mail as an ACK for the openvpn side, and merge it tonight. >> >> Then we can go about improving things further

[Openvpn-devel] [PATCH] Add support for AEAD (GCM) cipher mode

2016-02-07 Thread Steffan Karger
Hi, These patches add support for GCM mode ciphers to OpenVPN. These are originally inspired by the patch from kruton (trac #301, and http://thread.gmane.org/gmane.network.openvpn.devel/7653), but most of the original code has been rewritten. As discussed in various IRC meetings and at the hacka

[Openvpn-devel] [PATCH 02/10] Remove reuse of key_type during init of data channel auth and tls-auth

2016-02-07 Thread Steffan Karger
sense at all. Signed-off-by: Steffan Karger --- src/openvpn/crypto.c | 9 ++--- src/openvpn/init.c| 25 +++-- src/openvpn/openvpn.h | 1 + 3 files changed, 22 insertions(+), 13 deletions(-) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index c18d88b..806a995

[Openvpn-devel] [PATCH 01/10] Allow NULL argument in cipher_ctx_get_cipher_kt()

2016-02-07 Thread Steffan Karger
Since otherwise we'll have to perform the check before each call. Signed-off-by: Steffan Karger --- src/openvpn/crypto_backend.h | 8 src/openvpn/crypto_openssl.c | 2 +- src/openvpn/crypto_polarssl.c | 4 +--- 3 files changed, 6 insertions(+), 8 deletions(-) diff --git

[Openvpn-devel] [PATCH 03/10] Move crypto_options into key_state and stop using context in SSL-mode.

2016-02-07 Thread Steffan Karger
along a pointer to the related crypto_options. This paves the way for an efficient GCM cipher mode implementation, but is probably fruitful too for threading and/or cipher negotiation. Signed-off-by: Steffan Karger --- src/openvpn/forward.c| 18 ++ src/openvpn/init.c | 21

[Openvpn-devel] [PATCH 04/10] Move key_ctx_bi into crypto_options

2016-02-07 Thread Steffan Karger
key_ctx_bi inside crypto_options. Makes the code a little simpler too. Signed-off-by: Steffan Karger --- src/openvpn/crypto.c | 8 src/openvpn/crypto.h | 2 +- src/openvpn/init.c | 4 ++-- src/openvpn/ssl.c| 32 ++-- src/openvpn/ssl.h

[Openvpn-devel] [PATCH 06/10] Change openvpn_encrypt() to append to work buffer only

2016-02-07 Thread Steffan Karger
something to the work buffer. Signed-off-by: Steffan Karger --- src/openvpn/crypto.c | 55 ++-- 1 file changed, 32 insertions(+), 23 deletions(-) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index db52182..e92125e 100644 --- a/src/openvpn

[Openvpn-devel] [PATCH 07/10] Create separate function for replay check

2016-02-07 Thread Steffan Karger
In preparation for AEAD cipher modes, which will need the same functionality. Should not change any behaviour. Signed-off-by: Steffan Karger --- src/openvpn/crypto.c | 52 +--- 1 file changed, 37 insertions(+), 15 deletions(-) diff --git a/src

[Openvpn-devel] [PATCH 05/10] Move packet_id into crypto_options

2016-02-07 Thread Steffan Karger
Decouples struct key_state and struct crypto_options. No longer updating self-referential pointers! Signed-off-by: Steffan Karger --- src/openvpn/crypto.c | 45 - src/openvpn/crypto.h | 10 -- src/openvpn/init.c | 11

[Openvpn-devel] [PATCH 09/10] Add cipher name translation for OpenSSL.

2016-02-07 Thread Steffan Karger
This keeps naming consistent. For example, instead of id-aes128-GCM use AES-128-GCM, which is more like AES-128-CBC. Signed-off-by: Steffan Karger --- src/openvpn/crypto.c | 40 +++- src/openvpn/crypto_backend.h | 30

[Openvpn-devel] [PATCH 10/10] Add preliminary server-side support for negotiable crypto parameters

2016-02-07 Thread Steffan Karger
inuation' infrastructure. Note that we should not reduce safe_cap in send_push_reply, because it was never increased to account for peer-id. This is a preliminary patch, which will be followed by more patches to add client support, and configurability. Sign

[Openvpn-devel] [PATCH 08/10] Add AEAD cipher support (GCM)

2016-02-07 Thread Steffan Karger
simply use TLS mode. Signed-off-by: Steffan Karger --- configure.ac | 30 +++- src/openvpn/crypto.c | 353 +++--- src/openvpn/crypto.h | 65 ++-- src/openvpn/crypto_backend.h | 69 + src/openvpn/crypto_opens

Re: [Openvpn-devel] [PATCH 07/10] Create separate function for replay check

2016-02-08 Thread Steffan Karger
Hi, On Mon, Feb 8, 2016 at 4:55 PM, Arne Schwabe wrote: > Am 07.02.16 um 20:47 schrieb Steffan Karger: >> In preparation for AEAD cipher modes, which will need the same >> functionality. >> >> Should not change any behaviour. > > ACK. Passing gc instead of using

Re: [Openvpn-devel] [PATCH 09/10] Add cipher name translation for OpenSSL.

2016-02-09 Thread Steffan Karger
On Tue, Feb 9, 2016 at 4:16 PM, David Sommerseth wrote: > On 08/02/16 17:03, Arne Schwabe wrote: >> Am 07.02.16 um 20:47 schrieb Steffan Karger: >>> This keeps naming consistent. For example, instead of id-aes128-GCM use >>> AES-128-GCM, which is more like AES-128-CBC

Re: [Openvpn-devel] [PATCH 08/10] Add AEAD cipher support (GCM)

2016-02-14 Thread Steffan Karger
10 @@ Set > .B alg=none > to disable authentication. > > +If a AEAD > +.B \-\-cipher > +is selected like AES-128-GCM is used the authentication of that cipher > is used for the data channel packets. > + > For more information on HMAC see > .I http://www.cs.ucsd.edu/users/mihi
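Review bot: the man page sentence added in this hunk, "If a AEAD --cipher is selected like AES-128-GCM is used the authentication of that cipher is used for the data channel packets", is ungrammatical and hard to parse ("a AEAD", and "is selected ... is used" doubles the verb). Suggest rewording along the lines of "If an AEAD cipher mode (e.g. AES-128-GCM) is selected with --cipher, the authentication of that cipher is used for the data channel packets."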

Re: [Openvpn-devel] [PATCH 08/10] Add AEAD cipher support (GCM)

2016-02-15 Thread Steffan Karger
:00:00 2001 From: Steffan Karger Date: Mon, 15 Feb 2016 08:08:41 +0100 Subject: [PATCH] Add Changes.rst entry for AEAD cipher modes Signed-off-by: Steffan Karger --- Changes.rst | 7 +++ 1 file changed, 7 insertions(+) diff --git a/Changes.rst b/Changes.rst index dd9b9b2..af70d14 100644 --

Re: [Openvpn-devel] [PATCH 10/10] Add preliminary server-side support for negotiable crypto parameters

2016-02-15 Thread Steffan Karger
Hi, Thanks for the review. Attached a v2 of the patch, and responses inline below. On Mon, Feb 15, 2016 at 8:58 PM, Gert Doering wrote: > On Sun, Feb 07, 2016 at 08:47:18PM +0100, Steffan Karger wrote: >> This patch: >> * Makes the server advertise "IV_NCP=2", if --pu

Re: [Openvpn-devel] Has openvpn been fuzzed?

2016-02-18 Thread Steffan Karger
Hi d33tah, On Thu, Feb 18, 2016 at 2:28 PM, Jacek Wielemborek wrote: > I had been fascinated by afl-fuzz for quite a couple months so far and > based on how efficient it is in finding bugs in open source projects, > I'd like to ask the OpenVPN community whether somebody here tried out > this tool

Re: [Openvpn-devel] Enabling TLS Session Resumption in OpenVPN

2016-02-20 Thread Steffan Karger
On 20 Feb 2016 10:03 am, "Steffan Karger" wrote: > On 20 Feb 2016 9:19 am, "Gert Doering" wrote: > > On Sat, Feb 20, 2016 at 11:40:28AM +0530, Shubham Chauhan wrote: > > > the --float option seems to be interesting! > > > > > > Help me un

Re: [Openvpn-devel] Enabling TLS Session Resumption in OpenVPN

2016-02-20 Thread Steffan Karger
On 20 Feb 2016 9:19 am, "Gert Doering" wrote: > On Sat, Feb 20, 2016 at 11:40:28AM +0530, Shubham Chauhan wrote: > > the --float option seems to be interesting! > > > > Help me understand one scenario. > > If I want to transfer a VPN session from one VPN server to another, keeping > > the same ope

[Openvpn-devel] [PATCH 1/2] Minor AEAD patch cleanup

2016-02-21 Thread Steffan Karger
* Remove stale function declaration. This slipped into the AEAD cipher modes patch, but the function is now implemented as a static function in ssl.c. * Add ASSERT() to ensure frame is not NULL. * Fix "ENCRYPT TO" log message in openvpn_encrypt_aead(). Signed-off-by: Stef

[Openvpn-devel] [PATCH 2/2] Clean up get_tls_handhake_key()

2016-02-21 Thread Steffan Karger
se This commit should not change any behaviour except for log messages. Signed-off-by: Steffan Karger --- src/openvpn/crypto.c | 44 1 file changed, 8 insertions(+), 36 deletions(-) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 6

[Openvpn-devel] [PATCH 2/2 v2] Clean up get_tls_handhake_key()

2016-02-22 Thread Steffan Karger
stale references to 'passphrase' - we no longer support those This commit should not change any behaviour except for log messages. v2: Leave message about dropped passphrase support in place - this option was dropped in 2.4, so it is indeed better to be clear about it. Signed-off-by:

[Openvpn-devel] [PATCH] Fix OCSP_check.sh

2016-02-25 Thread Steffan Karger
As reported in trac #582, the OCSP_check.sh script should use grep -E, instead of grep -F when it uses ^ in the expression. Signed-off-by: Steffan Karger --- contrib/OCSP_check/OCSP_check.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/contrib/OCSP_check/OCSP_check.sh

[Openvpn-devel] [PATCH] Don't limit max incoming message size based on c2->frame

2016-02-29 Thread Steffan Karger
tric tun/link MTU's, such as in trac ticket #647. Signed-off-by: Steffan Karger --- src/openvpn/forward.c | 1 - src/openvpn/socket.c | 9 +++-- src/openvpn/socket.h | 4 +--- 3 files changed, 4 insertions(+), 10 deletions(-) diff --git a/src/openvpn/forward.c b/src/openvpn/forwa

[Openvpn-devel] [PATCH] Make AEAD modes work with OpenSSL 1.0.1-1.0.1c

2016-03-06 Thread Steffan Karger
remove once we drop support for OpenSSL 1.0.1. Signed-off-by: Steffan Karger --- src/openvpn/crypto.c | 7 +++ 1 file changed, 7 insertions(+) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index bd86679..269ec4b 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@

Re: [Openvpn-devel] [PATCH] Implement inlining of crl files

2016-03-06 Thread Steffan Karger
Hi, On Sat, Mar 5, 2016 at 3:34 PM, Arne Schwabe wrote: > While crl files can change regularly and it is usually not a good idea to > statically include them into config files, handling multiple files and > updating files on mobile files is tiresome/problematic. Inlining a static > version of t

[Openvpn-devel] [PATCH] Only include aead encrypt/decrypt functions if AEAD modes are supported

2016-03-06 Thread Steffan Karger
This fixes the build for OpenSSL < 1.0.1 (broken by commit 3654d953), which has no AEAD support. Signed-off-by: Steffan Karger --- src/openvpn/crypto.c | 9 + 1 file changed, 9 insertions(+) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 269ec4b..f15ac35 100644 --

Re: [Openvpn-devel] [PATCH 04/10] Added flags parameter to format_hex_ex.

2016-03-06 Thread Steffan Karger
On Thu, Mar 3, 2016 at 9:19 AM, James Yonan wrote: > We add the flags parameter without changing the signature of > the function by repurposing the space_break parameter into > space_break_flags where the lower 8 bits are used for the > previous space_break parameter and the higher bits are used >

Re: [Openvpn-devel] [PATCH 05/10] Extended x509-track for OpenSSL to report SHA1 fingerprint.

2016-03-06 Thread Steffan Karger
Hi, On Thu, Mar 3, 2016 at 9:19 AM, James Yonan wrote: > + char *sha1_fingerprint = format_hex_ex(x509->sha1_hash, > SHA_DIGEST_LENGTH, 0, 1 | FHE_CAPS, ":", &gc); This line could use some wrapping. Perhaps Gert can fix this when applying? Otherwise, ACK. -Steffan

Re: [Openvpn-devel] [PATCH v3] Implement inlining of crl files

2016-03-06 Thread Steffan Karger
On Sun, Mar 6, 2016 at 8:39 PM, Arne Schwabe wrote: > While crl files can change regularly and it is usually not a good idea to > statically include them into config files, handling multiple files and > updating files on mobile files is tiresome/problematic. Inlining a static > version of the cr

Re: [Openvpn-devel] [PATCH 07/10] Implemented x509-track for PolarSSL.

2016-03-08 Thread Steffan Karger
Let's move it outside of this #ifdef. The attached patch takes all these remarks into account. The upsides of my alternative are less code, and no lists to maintain. The downside is less error reporting. I'm curious to hear what you think of the alternative implementation. -Steffan From

[Openvpn-devel] [PATCH] Replace MSG_TEST() macro for static inline msg_test()

2016-03-27 Thread Steffan Karger
formance impact when compiler optimizations are fully disabled ('-O0'), but should otherwise be as fast as using a macro. Signed-off-by: Steffan Karger --- src/openvpn/error.c | 2 +- src/openvpn/error.h | 17 +++-- src/openvpn/plugin.c | 2 +- 3 files changed, 13 inser

[Openvpn-devel] [PATCH] Fix memory leak in argv_extract_cmd_name()

2016-03-27 Thread Steffan Karger
} 1666 return NULL; 1667 } This function is only used by argv_printf_arglist(), and in a very specific case, so it might be that this leak can not even occur. But coverity is clearly right that this is a bug, so let's just fix it. Signed-off-by: Steffan Karger --- src/openvpn/misc.c |

[Openvpn-devel] [PATCH] Fix potential null-pointer dereference

2016-04-01 Thread Steffan Karger
. Fortunately, memcpy() implementations usually do not actually dereference the src (or dst) pointer for zero-length copies. And since I'm touching this code now anyway, remove a slightly confusing jump back to a cleanup label in openvpn_encrypt_aead(). Signed-off-by: Steffan Karger --- src/op

Re: [Openvpn-devel] [PATCH 06/10] PolarSSL x509_get_sha1_hash now returns correct SHA1 fingerprint.

2016-04-04 Thread Steffan Karger
Hi list, I just noticed I sent my previous reply only to James, instead of to the list. See below. On Sat, Mar 5, 2016 at 10:23 AM, Steffan Karger wrote: > Hi James, > > On Thu, Mar 3, 2016 at 9:19 AM, James Yonan wrote: >> Signed-off-by: James Yonan >>

[Openvpn-devel] [PATCH] fixup: change init_key_type() param name in declaration too

2016-04-17 Thread Steffan Karger
Commit 66407e11 changed the name of the cfb_ofb_allowed parameter of the init_key_type() implementation to 'tls_mode', but forgot to do the same in the function declaration. Signed-off-by: Steffan Karger --- src/openvpn/crypto.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

[Openvpn-devel] [PATCH (master)] Further restrict default TLS cipher list

2016-04-17 Thread Steffan Karger
d-off-by: Steffan Karger --- doc/openvpn.8 | 4 +++- src/openvpn/ssl_openssl.c | 14 -- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 76b04f6..7d5dc5b 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -4696,7 +4696,9 @@

[Openvpn-devel] [PATCH (2.3)] Restrict default TLS cipher list

2016-04-17 Thread Steffan Karger
this default, using --tls-cipher, if they for some reason need ciphers that are now disabled by default. Signed-off-by: Steffan Karger --- doc/openvpn.8 | 5 +++-- src/openvpn/ssl.c | 5 + src/openvpn/ssl_openssl.c | 17 +++-- 3 files changed, 19 insertions(

[Openvpn-devel] [PATCH v2 (2.3)] Restrict default TLS cipher list

2016-04-17 Thread Steffan Karger
this default, using --tls-cipher, if they for some reason need ciphers that are now disabled by default. v2: add Changes.rst entry. Signed-off-by: Steffan Karger --- doc/openvpn.8 | 5 +++-- src/openvpn/ssl.c | 5 + src/openvpn/ssl_openssl.c | 17 +++-- 3

[Openvpn-devel] [PATCH v2 (master)] Further restrict default cipher list

2016-04-17 Thread Steffan Karger
: add Changes.rst entry. Signed-off-by: Steffan Karger --- doc/openvpn.8 | 4 +++- src/openvpn/ssl_openssl.c | 14 -- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 76b04f6..7d5dc5b 100644 --- a/doc/openvpn.8 +++ b/doc/open

[Openvpn-devel] [PATCH v2 (master)] Further restrict default cipher list

2016-04-17 Thread Steffan Karger
added Changes.rst entry. Signed-off-by: Steffan Karger --- Changes.rst | 6 ++ doc/openvpn.8 | 4 +++- src/openvpn/ssl_openssl.c | 14 -- 3 files changed, 21 insertions(+), 3 deletions(-) diff --git a/Changes.rst b/Changes.rst index cb900dc..64b134e 1

[Openvpn-devel] [PATCH 1/2] Migrate to mbed TLS 2.x

2016-04-17 Thread Steffan Karger
work with: * 'make check' (with 2.0.0 and 2.2.1, other tests just with 2.2.1) * static key mode * TLS mode with PEM key file * TLS mode with password protected PEM key file * TLS mode with management-external-key * TLS mode with PKCS#11 * TLS mode with inline ca/key/cert/dh Signed-off-by

[Openvpn-devel] [PATCH 2/2] Rename files with 'polarssl' in the name to 'mbedtls'

2016-04-17 Thread Steffan Karger
The patch looks huge, but it's just file renames, and required changes in includes / Makefiles. Use 'git diff -C' or a tool like gitk to easily review this patch. Signed-off-by: Steffan Karger --- src/openvpn/Makefile.am |8 +- src/openvpn/crypto_backend.h

Re: [Openvpn-devel] [PATCH] Support reading the challenge-response from console

2016-04-17 Thread Steffan Karger
Hi, On Sun, Dec 20, 2015 at 8:12 PM, Selva Nair wrote: > Trying to keep the footprint small, this patch adds to the > convoluted code-flow in get_user_pass_cr(). Cleanup left for later. > -8<- > > Currently prompting for a response to static-challenge > gets skipped when the username and

Re: [Openvpn-devel] New EV-signed tap-windows6 driver ready for testing

2016-04-18 Thread Steffan Karger
Hi Selva, On 18-04-16 00:03, Selva Nair wrote: > - Windows 7 (64 bit): success, but see below > > Installs without error and works fine. > However, the driver details says that it's _not_ digitally signed, but > the driver properties window shows "Digitally signed by OpenVPN > Technologies Inc."

[Openvpn-devel] [PATCH (2.3)] Various Changes.rst fixes

2016-04-18 Thread Steffan Karger
This fixes some formatting issues, and updates the text for the cipher list restriction to match the restrictions of 2.3 (rather than those of master wrt 2.3). Signed-off-by: Steffan Karger --- Changes.rst | 19 --- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a

Re: [Openvpn-devel] [PATCH] auth-pam:Fix buffer overflow by user supplied data

2016-04-19 Thread Steffan Karger
Hi, On Tue, Apr 19, 2016 at 9:01 PM, Jens wrote: > The AUTH-PAM plugin contains the function `searchandreplace`. The buffer > allocated there can be overflowed if the parameter `replace_with` is too long > (depending on the format string). > > E.g.: > > searchandreplace(to search :=“X”, searchf

Re: [Openvpn-devel] [PATCH] auth-pam:Fix buffer overflow by user supplied data

2016-04-21 Thread Steffan Karger
On Thu, Apr 21, 2016 at 8:51 AM, Jens wrote: > Passing very long usernames/passwords for pam authentication could possibly > lead to a stack based buffer overrun in the auth-pam plugin. > > Adds a dependency to C99 (includes stdbool.h) > > Signed-off-by: Jens Neuhalfen > --- > src/plugins/auth-

Re: [Openvpn-devel] [PATCH] auth-pam:Fix buffer overflow by user supplied data

2016-04-21 Thread Steffan Karger
On 21 Apr 2016 7:25 p.m., "Gert Doering" wrote: > ... you need to #include to get that symbol... > > Steffan: for the sake of "avoid yet another full loop and a v3", could > you just ACK this change as well? Yes, ACK. -Steffan

Re: [Openvpn-devel] Add support for pushable encryption.

2016-04-21 Thread Steffan Karger
On Thu, Apr 21, 2016 at 10:36 PM, Gert Doering wrote: > On Thu, Apr 21, 2016 at 10:27:50PM +0200, Jan Just Keijser wrote: >> there are a few notes about this patch: >> >> - I've tested it on Linux only >> - it works when pushing both --cipher and/or --auth >> - works by re-doing part of the encry

Re: [Openvpn-devel] Unit testing in openvpn?

2016-04-23 Thread Steffan Karger
On Thu, Apr 21, 2016 at 9:12 AM, Jens wrote: > What are your thoughts? Should we add unit tests at all? What would be your > preferred way for dependency management. Please defer discussion on /which/ > unit testing framework to use until we have an agreement on the /if/ and > /how/ (just to pr

Re: [Openvpn-devel] [PATCH 1/2] Migrate to mbed TLS 2.x

2016-04-27 Thread Steffan Karger
On Wed, Apr 27, 2016 at 7:51 PM, Gert Doering wrote: > While I totally love to just merge stuff other folks have reviewed, this > patch just doesn't apply to my tree :-( - and the rejects are too many > to try to mangle by hand. > > Patching file configure.ac using Plan A... > Hunk #1 failed at 29

Re: [Openvpn-devel] [PATCH 1/2] Migrate to mbed TLS 2.x

2016-04-27 Thread Steffan Karger
On Wed, Apr 27, 2016 at 1:00 PM, Arne Schwabe wrote: > On 17.04.16 at 21:35, Steffan Karger wrote: >> #ifdef HAVE_AEAD_CIPHER_MODES > > Are there actually mBedTLS >=2.0 without this? It's possible to compile mbed TLS without GCM, yes. Though I could

Re: [Openvpn-devel] [PATCH] ignore the local config file t_client.rc in git

2016-05-01 Thread Steffan Karger
On Fri, Apr 29, 2016 at 1:20 PM, Jens Neuhalfen wrote: > >From e343a78173ad2b3d31384ece1e7fe245215a5c72 Mon Sep 17 00:00:00 2001 > From: Jens Neuhalfen > Date: Fri, 29 Apr 2016 13:16:36 +0200 > Subject: [PATCH] ignore the local config file t_client.rc in git > > t_client.rc is a config file used

[Openvpn-devel] [PATCH] configure.ac: link to all mbed TLS libs during library detection

2016-05-01 Thread Steffan Karger
tls. This patch makes sure the configure tests link to all three. The build process itself already did. Signed-off-by: Steffan Karger --- configure.ac | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 3b8bf96..f1dc8af 100644 --- a/configur

Re: [Openvpn-devel] CI for openvpn

2016-05-02 Thread Steffan Karger
On Mon, May 2, 2016 at 9:44 AM, Samuli Seppänen wrote: > >> 1) add travis-ci support (there are few tests in "t" and we can run >> cppcheck) > > I assume cppcheck produces the same results regardless of the > OS/distribution it is running on. If this is the case, then we should > add cppcheck test

Re: [Openvpn-devel] CI for openvpn

2016-05-02 Thread Steffan Karger
Hi, On Mon, May 2, 2016 at 11:38 AM, Илья Шипицин wrote: > it is already running at "coverity_scan" branch: > https://travis-ci.org/OpenVPN/openvpn/builds/120718429 > > so, it is definitely good Well, "it seems to work" is one thing, but a review should also cover whether some change or addition is

[Openvpn-devel] [PATCH] mbedtls: improve error reporting in tls verify callback

2016-05-03 Thread Steffan Karger
". Signed-off-by: Steffan Karger --- Changes.rst | 5 - src/openvpn/ssl_verify_mbedtls.c | 20 +--- 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/Changes.rst b/Changes.rst index 5034b15..dc9131b 100644 --- a/Changes.rst +++ b/Changes.rst @@ -
