Hi all,
please forgive me if I'm wrong, but there seems to be quite "little activity"
on the bug tracking page from the developers.
E.g. one month ago I opened a bug report for a (suspected) bug present
in file checking (bug #299) which is still "new" and not even commented on.
I don't want to be rude, but I
Hi Gert,
Gert Doering wrote:
> Hi,
>
> On Sun, Jun 30, 2013 at 08:00:39PM +0200, Max Muster wrote:
>> please forgive me if I'm wrong, but there seems to be quite "little activity"
>> on the bug tracking page from the developers.
>> E.g. one month ago I opened
Dear list,
may I ask for your attention or feedback on the faulty file checking if
"chroot" option is enabled?
The "check_file_access" in src/openvpn/options.c will check for the
existence of the "client-config-dir".
This fails if used in conjunction with the "chroot" option, because the
path in
Did not look into the patch in detail, but it should fix bug #299, too.
Hopefully this will get some more response than my approach there ;-)
Regards
Joerg
Sent: Sunday, 15 September 2013 at 11:42
From: "Josh Cepek"
To: openvpn-devel@lists.sourceforge.net
Subject:
Sorry, my fault, didn't realize bug reports were already "merged".
Joerg
Sent: Monday, 16 September 2013 at 11:29
From: max.mus...@kaffeeschluerfer.com
To: "Josh Cepek"
Cc: openvpn-devel@lists.sourceforge.net
Subject: Re: [Openvpn-devel] [PATCH] Fix file access checks when using --
Hi Davide,
nice idea. But I think I found two small bugs:
First, it won't compile in a config w/o ENABLE_CLIENT_CR defined (there is no "sc_info").
Second, if I'm not mistaken, name and password are not copied correctly:
If # of characters is (pos - prev), the last character is at [pos - pre
oops, just took my "debug" version of src/openvpn/ssl.c ...
Of course output of string length and especially password in log file is
not intended ;-)
Joerg
Original message
Subject: Re: [Openvpn-devel] [PATCH] Allow inlining of --auth-user-pass
From: max.mus...@kaffeeschluerfe
cannot be in a file if using
--static-challenge");
+#endif
[...]
A quick test did work with and without user authentication (only tested inline
setting, not with a file).
Joerg
Original message
Sent: Saturday, 05 October 2013 at 15:57
From: "Max Muster"
Hi Davide,
I had some time today, so I did some changes ("improvements", I hope
;-)) to your code:
First thing you do in add_option() if inline is used: auth_pass_file is
set (to "stdin").
So there is no need to check for both (options->auth_user_pass_file ||
options->auth_user_pass_file_inline),
Yes, you're right, there is this one "debugging" line left
(it was just to be sure, the setting of auth_user_pass_file to "stdin"
is the first thing done).
Original message
Subject: Re: [Openvpn-devel] [PATCH] Allow inlining of --auth-user-pass
From: D
--ifconfig-noexec isn't set. This is symmetric to how open_tun() and
do_ifconfig() are used.
This change also allows us to drop the second argument from close_tun().
Signed-off-by: Max Fillinger
---
src/openvpn/init.c | 5 -
src/openvpn/tun.c | 37 +--
--ifconfig-noexec isn't set. This is symmetric to how open_tun() and
do_ifconfig() are used.
This change also allows us to drop the second argument from close_tun().
v2: Fix tabs-vs-spaces.
Signed-off-by: Max Fillinger
---
src/openvpn/init.c | 5 -
src/open
--ifconfig-noexec isn't set. This is symmetric to how open_tun() and
do_ifconfig() are used.
This change also allows us to drop the second argument from close_tun().
v2: Fix tabs-vs-spaces.
v3: Fix another style mistake.
Signed-off-by: Max Fillinger
---
src/openvpn/init.c | 6 +-
sr
--ifconfig-noexec isn't set. This is symmetric to how open_tun() and
do_ifconfig() are used.
This change also allows us to drop the second argument from close_tun().
v2: Fix tabs-vs-spaces.
v3: Fix another style mistake.
v4: Move undo_ifconfig{4,6}() out of #ifdef TARGET_LINUX.
Signed-off-by
--ifconfig-noexec isn't set. This is symmetric to how open_tun() and
do_ifconfig() are used.
v2: Fix tabs-vs-spaces.
v3: Fix another style mistake.
v4: Move undo_ifconfig{4,6}() out of #ifdef TARGET_LINUX.
v5: Keep ctx argument in close_tun().
Signed-off-by: Max Fillinger
---
src/openv
dows version of undo_ifconfig_ipv6
Signed-off-by: Max Fillinger
---
src/openvpn/init.c | 4 ++
src/openvpn/tun.c | 159 +++--
src/openvpn/tun.h | 8 +++
3 files changed, 95 insertions(+), 76 deletions(-)
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index b67
LibreSSL has added some of the functions that are defined here. However,
we still need RSA_F_RSA_OSSL_PRIVATE_ENCRYPT.
Signed-off-by: Max Fillinger
---
src/openvpn/openssl_compat.h | 8 +---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/openvpn/openssl_compat.h b/src
ed to call
EVP_MD_CTX_free() instead of cleanup.
Signed-off-by: Max Fillinger
---
src/openvpn/crypto_openssl.c | 38 ++--
1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 5cd09e33..5c86268d 10
LibreSSL has added some of the functions that are defined here. However,
we still need RSA_F_RSA_OSSL_PRIVATE_ENCRYPT.
v2: Change ifdef condition for RSA_F_RSA_OSSL_PRIVATE_ENCRYPT.
Signed-off-by: Max Fillinger
---
src/openvpn/openssl_compat.h | 8 +---
1 file changed, 5 insertions(+), 3
LibreSSL has added some of the functions that are defined here. However,
we still need RSA_F_RSA_OSSL_PRIVATE_ENCRYPT.
v2: Change ifdef condition for RSA_F_RSA_OSSL_PRIVATE_ENCRYPT.
v3: Don't break WolfSSL.
Signed-off-by: Max Fillinger
---
src/openvpn/openssl_compat.h | 8 +---
1
When running openvpn --show-tls with mbedtls, it showed a null pointer
error at the end because of this.
Signed-off-by: Max Fillinger
---
src/openvpn/ssl_mbedtls.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index
The manual page claims that the client metadata can be up to 735 bytes
(encoded as up to 980 characters base64), but the actual maximum length
is 733 bytes which is also encoded as 980 characters in base64.
Signed-off-by: Max Fillinger
---
doc/man-sections/encryption-options.rst | 3 ++-
1
patch checks the decoded length to show an accurate error message.
Signed-off-by: Max Fillinger
---
src/openvpn/base64.h| 4
src/openvpn/tls_crypt.c | 18 +++---
2 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/src/openvpn/base64.h b/src/openvpn/base64.h
index
patch checks the decoded length to show an accurate error message.
v2: Remove now-unused macro and fix an off-by-one error.
Signed-off-by: Max Fillinger
---
src/openvpn/base64.h| 4
src/openvpn/tls_crypt.c | 18 +++---
src/openvpn/tls_crypt.h | 2 --
3 files changed, 15
Plaintext authentication is not exactly high security, but we might as
well memzero the credentials before leaving the function.
---
src/openvpn/socks.c | 23 ++-
1 file changed, 14 insertions(+), 9 deletions(-)
diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c
index 36df
This is my second attempt at sending this patch, this time without
mixing up commit message and cover letter, and from an account that
(I hope) doesn't hate mailing lists.
This patch changes reliable_send() to resend a packet if at least three
later packets have been ACKed. This improves performan
From: Steffan Karger
To improve the control channel performance under packet loss conditions,
add a more aggressive retransmit policy similar to what many TCP
implementations do: retransmit a packet if the ACK timeout expires (like
we already do), *or* if three ACKs for follow-up packets are rece
There is an issue with the mbedTLS version of OpenVPN where a CRL file
wouldn't be used when running in a chroot. This is due to a combination
of two bugs found by Adam Lukosek at Compumatica.
1) With mbedTLS, if the CRL file can't be opened during initialization,
OpenVPN will read the file whe
From: Maximilian Fillinger
If the CRL file cannot be read during initialization, a NULL pointer is
passed to the mbedtls_ssl_config in key_state_ssl_init(). Then, if the
CRL file is successfully read later, the config won't have a pointer to
it. Therefore, the CRL won't actually take effect.
Thi
From: Uipko Berghuis
In mbedtls 2.16.0 mbedtls_ctr_drbg_update() changed to
mbedtls_ctr_drbg_update_ret(). Change the function name and handle
the new return value error code.
---
src/openvpn/ssl_mbedtls.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/ssl_mb
This commit fixes the following two issues:
The config belonging to a mbedtls_ssl_ctx struct is not supposed to be
changed after mbedtls_ssl_setup() has been called. Previously, we
modified the CRL structure in place when a new CRL was loaded, but a
pointer to this struct appears in configs that a
d, I could fix the
CRL reloading bug in a less hacky manner and also make sure that we
don't modify the configs of active mbedtls_ssl_contexts.
[0] https://sourceforge.net/p/openvpn/mailman/message/37254045/
[1] https://sourceforge.net/p/openvpn/mailman/message/37254048/
Max Fillinger (1):
RL file
cannot be accessed. Now that the path is handled correctly pre- and
post-chroot, there is no good reason why accessing it should fail.
This fixes bug 1).
Max Fillinger (2):
In init_ssl, open the correct CRL path pre-chroot
Abort if CRL file can't be stat-ed in init_ssl
src/open
files. For these, the
--persist-key option should be used.
Signed-off-by: Max Fillinger
---
src/openvpn/init.c| 3 ++-
src/openvpn/misc.c| 11 +++
src/openvpn/misc.h| 7 +++
src/openvpn/options.c | 8 +---
src/openvpn/ssl.c | 20 ++--
src/openvpn
27;t
use a reloaded CRL if it initially failed to access the file.
In tls_process(), we stick with the previous behavior of logging a
warning and keeping the old CRL to ensure that the CRL file can be
updated on-the-fly.
Signed-off-by: Max Fillinger
---
src/openvpn/ssl.c | 21 ---
r SSL renegotiation.
This commit fixes the build by ifdef'ing out the function call when
mbedtls was built without support for SSL renegotiation.
Signed-off-by: Max Fillinger
---
src/openvpn/ssl_mbedtls.c | 9 ++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/openvpn/ssl_m
. For these, the
--persist-key option should be used.
Signed-off-by: Max Fillinger
---
src/openvpn/init.c| 2 +-
src/openvpn/misc.c| 11 +++
src/openvpn/misc.h| 6 ++
src/openvpn/options.c | 8 +---
src/openvpn/ssl.c | 21 +++--
src/openvpn/ssl.h
27;t
use a reloaded CRL if it initially failed to access the file.
Signed-off-by: Max Fillinger
---
src/openvpn/ssl.c | 10 +-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 1e0e6170..6ce1d079 100644
--- a/src/openvpn/ssl.c
+++ b/s
Replace open...@fox-it.com with open...@foxcrypto.com.
Signed-off-by: Max Fillinger
---
doc/doxygen/Makefile.am| 2 +-
doc/doxygen/doc_compression.h | 2 +-
doc/doxygen/doc_control_processor.h| 2 +-
doc/doxygen/doc_control_tls.h | 2 +-
doc
add a compatibility function that runs
mbedtls_ctr_drbg_update and returns 0.
Signed-off-by: Max Fillinger
---
src/openvpn/ssl_mbedtls.c | 20 +++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index 265ea36f
will use our compat code.
Cc: Max Fillinger
Signed-off-by: Antonio Quartulli
Thanks again for cleaning up my mess!
Compile-tested with mbedtls versions
2.27.0
2.26.0
2.25.0
2.16.11
2.15.1
2.14.1
2.14.0
2.12.0
2.7.19
2.7.0
All good!
(Typo: "aqvoid" in the commit message, but th
On 19/10/2021 20:31, Arne Schwabe wrote:
+if (!EVP_EncryptInit_ex(ctx, EVP_bf_ecb(), NULL, key, 0))
EVP_bf_ecb() is the Blowfish cipher, not DES.
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/li
new API does not have an easy to reset an HMAC, so we need
to keep the key around to emulate a reset functionality.
Signed-off-by: Arne Schwabe
Acked-by: Max Fillinger
Looked at the code, compiled with OpenSSL 3.1.0 and 1.1.1, and ran
--test-crypto for both.
Small typo in commit message
On 19/10/2021 20:31, Arne Schwabe wrote:
This allows selecting engine support at configure time. For OpenSSL 1.1 the
default is not changed and we detect if engine support is available.
Engine support is deprecated in OpenSSL 3.0 and for OpenSSL 3.0 the default
is to disable engine support as en
On 19/10/2021 20:31, Arne Schwabe wrote:
DES is very deprecated and accidentally getting one of the 16 insecure
keys that OpenSSL checks is extremely unlikely so we no longer use the
deprecated functions without replacement in OpenSSL 3.0.
Signed-off-by: Arne Schwabe
---
src/openvpn/crypto_o
On 19/10/2021 20:31, Arne Schwabe wrote:
OpenSSL 3.0 replaces the DH API with a generic EVP_KEY based API to
load DH parameters.
Signed-off-by: Arne Schwabe
Acked-by: Max Fillinger
Looked at the patch, compiled with OpenSSL 3.1.0, tested that I can get
a server and client to talk to each
.
Signed-off-by: Arne Schwabe
Acked-by: Max Fillinger
Not much to say here. It compiles and I can see the warning when I use
the option.
Acked-by: Max Fillinger
Makes sense, why should we care about the parity bits when no-one else does?
Compiled and ran --test-crypto for DES/DES3 with OpenSSL 3.1.0, 1.1.1
and mbedtls 2.26.
On 19/10/2021 20:31, Arne Schwabe wrote:
EC_Key methods are deprecated in OpenSSL 3.0. Use
EVP_PKEY_get_group_name instead to query the EC group name from an
EVP_PKEY and add a compatibility function for older OpenSSL versions.
Signed-off-by: Arne Schwabe
---
src/openvpn/openssl_compat.h | 42
On 19/10/2021 20:31, Arne Schwabe wrote:
This puts the early initialisation and uninitialisation that needs to
happen between option parsing and post processing into small methods.
Signed-off-by: Arne Schwabe
Acked-by: Max Fillinger
It's easy to see that this does not change the beh
When the EVP_PKEY object with the Diffie-Hellman parameters is passed
to SSL_CTX_set0_tmp_dh_pkey, it does not create a copy but stores the
pointer in the SSL_CTX. Therefore, we should not free it.
The EVP_PKEY will be freed automatically when we free the SSL_CTX.
Signed-off-by: Max Fillinger
is actually
currently supported.
Signed-off-by: Arne Schwabe
Acked-by: Max Fillinger
Looks good to me!
Some small errors in the commit message:
"return a non Null algorithm": Should be "may return", I think.
second "EVP_get_cipherbyname"
On 19/10/2021 20:31, Arne Schwabe wrote:
Use the new name for the function as it indicates with
get0 the ownership of the returned value
Signed-off-by: Arne Schwabe
Acked-by: Max Fillinger
Looks good to me.
Typo: "USe"
chacha, &gc),
aes_chacha);
+}
Add space before (
Acked-by: Max Fillinger
On 19/10/2021 20:31, Arne Schwabe wrote:
We do not support CTS (cipher text stealing) algorithms.
Signed-off-by: Arne Schwabe
---
src/openvpn/crypto_openssl.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index a
On 26/10/2021 17:27, Max Fillinger wrote:
On 19/10/2021 20:31, Arne Schwabe wrote:
We do not support CTS (cipher text stealing) algorithms.
Signed-off-by: Arne Schwabe
---
src/openvpn/crypto_openssl.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/openvpn
On 19/10/2021 20:31, Arne Schwabe wrote:
With OpenSSL 3.0 the use of nid values is deprecated and new algorithms
do not even have NID values anymore.
This also works nicely with providers now:
openvpn --provider legacy:default --show-ciphers
shows more ciphers (e.g. BF-CBC) than just
On 19/10/2021 20:31, Arne Schwabe wrote:
Through the multiple iteration of allowing OpenVPN to run without
BF-CBC we accidentally made a regression and still required BF-CBC.
This patch fixes the code path and restores its intended function.
Signed-off-by: Arne Schwabe
Acked-by: Max
On 19/10/2021 20:31, Arne Schwabe wrote:
The recent deprecation of SHA1 certificates in OpenSSL 3.0 makes it necessary
to reallow them in certain deployments. Currently this works by using the
hack of using tls-cipher "DEFAULT:@SECLEVEL=0". Add insecure as option to
tls-cert-profile to allow sett
e to allow setting a seclevel of 0.
Patch v4: fix default accidentally changed to insecure
Signed-off-by: Arne Schwabe
Acked-by: Max Fillinger
With OpenSSL 3, OpenVPN accepts certs signed with SHA1 if and only if
"--tls-cert-profile in
for DES encryption for now.
Patch v4: add unit test, use 3DES to avoid legacy provider for now
Signed-off-by: Arne Schwabe
Acked-by: Max Fillinger
Looks good to me, and the unit tests succeed with OpenSSL 1.1.1 and 3.
Small nitpick that can be fixed at compile time:
+if
On 07/11/2021 10:01, Arne Schwabe wrote:
We already removed the check in d67658fee for OpenSSL 3.0. This removes the
checks entirely for all crypto libraries.
Signed-off-by: Arne Schwabe
Acked-by: Max Fillinger
Looks good to me!
Compiled and ran --test-crypto for DES/DES3, with mbedtls
On 07/11/2021 13:29, Arne Schwabe wrote:
The patch removes checking for weak keys and making DES just like any
other CBC cipher and not doing extra checks for this. It basically
removes the special treatment of DES.
After this, do we have any DES functionality left in OpenVPN? If so, we
sho
This header was removed in mbedtls 3. Luckily, we weren't actually
using it, it seems.
Signed-off-by: Max Fillinger
---
src/openvpn/crypto_mbedtls.c | 1 -
src/openvpn/ssl_mbedtls.c| 2 --
2 files changed, 3 deletions(-)
diff --git a/src/openvpn/crypto_mbedtls.c b/src/op
done before trying to undo
it. It's behind an #ifdef because it's only used on Linux, and that was
the reason why it was removed before.
Signed-off-by: Max Fillinger
---
src/openvpn/tun.c | 6 +-
src/openvpn/tun.h | 3 +++
2 files changed, 8 insertions(+), 1 deletion(-)
diff -
Signed-off-by: Max Fillinger
---
tests/unit_tests/openvpn/test_ncp.c | 7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/tests/unit_tests/openvpn/test_ncp.c
b/tests/unit_tests/openvpn/test_ncp.c
index 6702133a..f4c28ffd 100644
--- a/tests/unit_tests/openvpn/test_ncp.c
The previous commit was backported from master and needs this variable
to exist.
Signed-off-by: Max Fillinger
---
tests/unit_tests/openvpn/test_ncp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tests/unit_tests/openvpn/test_ncp.c
b/tests/unit_tests/openvpn/test_ncp.c
Signed-off-by: Max Fillinger
---
README.mbedtls | 17 +
1 file changed, 17 insertions(+)
diff --git a/README.mbedtls b/README.mbedtls
index 4875822d..b5604bb8 100644
--- a/README.mbedtls
+++ b/README.mbedtls
@@ -11,6 +11,23 @@ This version depends on mbed TLS 2.0 (and requires
Signed-off-by: Max Fillinger
---
README.mbedtls | 17 +
1 file changed, 17 insertions(+)
diff --git a/README.mbedtls b/README.mbedtls
index 4875822d..062ae470 100644
--- a/README.mbedtls
+++ b/README.mbedtls
@@ -11,6 +11,23 @@ This version depends on mbed TLS 2.0 (and requires
Signed-off-by: Max Fillinger
---
README.mbedtls | 18 ++
1 file changed, 18 insertions(+)
diff --git a/README.mbedtls b/README.mbedtls
index 4875822d..d3466fa9 100644
--- a/README.mbedtls
+++ b/README.mbedtls
@@ -11,6 +11,24 @@ This version depends on mbed TLS 2.0 (and requires