[Openvpn-devel] [PATCH v2] Remove auth_user_pass.wait_for_push variable

2020-12-02 Thread Arne Schwabe
e path and also the new name aligns with ssl_clean_auth_token. Also fix a leftover wait_for_push in that function Signed-off-by: Arne Schwabe --- src/openvpn/init.c | 2 +- src/openvpn/manage.c | 1 - src/openvpn/misc.h | 1 - src/openvpn/ssl.c| 10 -- src/openvpn

[Openvpn-devel] [PATCH] Remove auth_user_pass.wait_for_push variable

2020-12-02 Thread Arne Schwabe
if username/password are queried after an expired auth-token. Instead of using that variable, use session->opt->pull directly. Signed-off-by: Arne Schwabe --- src/openvpn/manage.c | 1 - src/openvpn/misc.h | 1 - src/openvpn/ssl.c| 7 +++ 3 files changed, 3 insertions(+), 6 deletions(-)

[Openvpn-devel] [PATCH] Fix auth-token not being updated if auth-nocache is set

2020-11-30 Thread Arne Schwabe
and it makes it a bit nicer to read. Signed-off-by: Arne Schwabe --- src/openvpn/misc.c | 9 +++-- src/openvpn/misc.h | 11 +++ 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index 1038b383..c0c72dd7 100644 --- a/src/openvpn/misc.c

[Openvpn-devel] [PATCH v2] Fix port-share option with TLS-Crypt v2

2020-11-30 Thread Arne Schwabe
The port-share option assumed that all openvpn initial reset packets are between 14 and 255 bytes long. This is not true for tls-crypt-v2. Patch V2: use correct length for TLS-Crypt v2, use length variable non-tlscryptv2 test Signed-off-by: Arne Schwabe --- src/openvpn/ps.c | 34

Re: [Openvpn-devel] [ovpn-dco] Is cbc-hmac supported?

2020-11-26 Thread Arne Schwabe
On 26.11.20 at 10:41 Tony He wrote: > Hi Arne, > >>Since the original thread was not on the mailing list I am missing your >>goal but if your crypto accelerator already works with OpenSSL, then it >>will also work with the "normal" OpenVPN > > Yes, it works with "normal" OpenVPN (OpenVPN2), but

Re: [Openvpn-devel] [ovpn-dco] Is cbc-hmac supported?

2020-11-26 Thread Arne Schwabe
On 26.11.20 at 01:46 Tony He wrote: >>OpenSSL directly talks to the crypto engine via a proprietary interface >>that the FW/driver exposes to userspace. The *data* flow does not cross >>the linux kernel crypto API > > No, OpenSSL doesn't directly talk to the crypto engine via a > proprietary

Re: [Openvpn-devel] [PATCH] Change travis build scripts to use https when fetching prerequisites.

2020-11-24 Thread Arne Schwabe
On 24.11.20 at 17:13 Gert Doering wrote: > Reported by "jub0bs" on hackerone.com (#1039504) > > Signed-off-by: Gert Doering > --- Acked-By: Arne Schwabe ___ Openvpn-devel mailing list Openvpn-devel@lists

Re: [Openvpn-devel] [PATCH v9] Add DNS SRV remote host discovery support

2020-11-23 Thread Arne Schwabe
> > If DNS SRV name can't be resolved or no valid records were returned, > client will move on to the next connection entry. > > v9: > add get_cached_srv_entry() for servinfo vs addrinfo cache split > add check for mixed --remote and --remote-srv > add doxygen dns srv functions comments > use query_servinfo() for both unix and windows > fix undefined NS_MAXMSG issue on macOS > fix man > > Acked-By: Arne Schwabe This addresses the concerns that I had with the last version. Arne

[Openvpn-devel] [PATCH] Fix port-share option with TLS-Crypt v2

2020-11-20 Thread Arne Schwabe
The port-share option assumed that all openvpn initial reset packets are between 14 and 255 bytes long. This is not true for tls-crypt-v2. --- src/openvpn/ps.c | 34 ++ 1 file changed, 30 insertions(+), 4 deletions(-) diff --git a/src/openvpn/ps.c

Re: [Openvpn-devel] [PATCH 3/5] Allow running a default configuration with TLS libraries without BF-CBC

2020-10-30 Thread Arne Schwabe
On 07.09.20 at 18:22 Arne Schwabe wrote: > Modern TLS libraries might drop Blowfish by default or distributions OpenSSL 3.0 will be one of these that only provides Blowfish if you load the legacy provider (not included by default)

Re: [Openvpn-devel] [PATCH 2/5] xmit_hold is only required for port_share

2020-10-26 Thread Arne Schwabe
On 24.10.20 at 21:43 Gert Doering wrote: > Hi, > > On Fri, Oct 23, 2020 at 01:34:28PM +0200, Arne Schwabe wrote: >> Make options.c only set xmit_hold when port_share is active to at least >> document this dependency. I have not actually tested if this dependenc

[Openvpn-devel] [PATCH 8/8] Make any auth failure tls_authentication_status return auth failed

2020-10-23 Thread Arne Schwabe
for the client is most times unexpected behaviour from the user (admin). Signed-off-by: Arne Schwabe --- src/openvpn/multi.c | 12 ++-- src/openvpn/ssl_verify.c | 25 + 2 files changed, 23 insertions(+), 14 deletions(-) diff --git a/src/openvpn/multi.c b/src

[Openvpn-devel] [PATCH 5/8] Clean up tls_authentication_status and document it

2020-10-23 Thread Arne Schwabe
-off-by: Arne Schwabe --- src/openvpn/push.c | 3 +- src/openvpn/ssl.c| 2 +- src/openvpn/ssl_verify.c | 108 +++ src/openvpn/ssl_verify.h | 35 + 4 files changed, 70 insertions(+), 78 deletions(-) diff --git a/src/openvpn/push.c

[Openvpn-devel] [PATCH 2/8] Replace key_scan array of static points with inline function

2020-10-23 Thread Arne Schwabe
the implicit indirection with the pointer array with an explicit indirection with the inline function also makes the code a bit easier to follow. Signed-off-by: Arne Schwabe --- src/openvpn/ssl.c| 20 +++- src/openvpn/ssl_common.h | 26 +- src/openvpn

[Openvpn-devel] [PATCH 4/8] Improve keys out of sync message

2020-10-23 Thread Arne Schwabe
The current message basically lacks the information to actually figure out why the keys are out of sync. This adds the missing information to that diagnostic message. Signed-off-by: Arne Schwabe --- src/openvpn/ssl.c | 27 +++ 1 file changed, 23 insertions(+), 4

[Openvpn-devel] [PATCH 6/8] Rename DECRYPT_KEY_ENABLED to TLS_AUTHENTICATED

2020-10-23 Thread Arne Schwabe
The macro's name suggests that the key is enabled and being used. But the macro actually does something different but similar enough that the name was probably right at some point. Signed-off-by: Arne Schwabe --- src/openvpn/ssl.c| 6 +++--- src/openvpn/ssl_verify.c | 2 +- src/openvpn

[Openvpn-devel] [PATCH 7/8] Send AUTH_FAILED message to clients on renegotiation failures

2020-10-23 Thread Arne Schwabe
This changes the exit in server mode on renegotiation to an exit that also sends an AUTH_FAILED to the client. Any previously set failed auth reason is passed to the client. Signed-off-by: Arne Schwabe --- src/openvpn/forward.c | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) diff

[Openvpn-devel] [PATCH 3/8] Add more documentation about our internal TLS functions

2020-10-23 Thread Arne Schwabe
Signed-off-by: Arne Schwabe --- src/openvpn/ssl.c | 8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 618cc9cc..98ce38f9 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1109,7 +1109,10 @@ tls_session_init(struct

[Openvpn-devel] [PATCH 2/5] xmit_hold is only required for port_share

2020-10-23 Thread Arne Schwabe
Make options.c only set xmit_hold when port_share is active to at least document this dependency. I have not actually tested if this dependency is actually true (or if port_share could work without xmit_hold). Signed-off-by: Arne Schwabe --- src/openvpn/init.c | 5 - 1 file changed, 4

[Openvpn-devel] [PATCH 5/5] Remove NULL checks before calling free

2020-10-23 Thread Arne Schwabe
*_free methods are also safe to call with NULL and pkcs11h_certificate_freeCertificateIdList is also safe to be called with NULL. Signed-off-by: Arne Schwabe --- .../client-connect/sample-client-connect.c| 5 +- src/openvpn/buffer.c | 5 +- src/openvpn/error.c

[Openvpn-devel] [PATCH 1/5] Inline function tls_get_peer_info

2020-10-23 Thread Arne Schwabe
All other places in our code also directly access peer_info and this function does not contribute to code clarity. Signed-off-by: Arne Schwabe --- src/openvpn/multi.c | 2 +- src/openvpn/ssl.h | 8 2 files changed, 1 insertion(+), 9 deletions(-) diff --git a/src/openvpn/multi.c b

[Openvpn-devel] [PATCH 4/5] Remove explicit setting of peer_id to false

2020-10-23 Thread Arne Schwabe
Almost everywhere in OpenVPN we rely on zero initialisation to initialise all bool attributes to false. ret is cleared by ALLOC_OBJ_CLEAR(ret, struct tls_multi); Having this one variable treated differently is a bit confusing. Signed-off-by: Arne Schwabe --- src/openvpn/ssl.c | 3 --- 1 file

[Openvpn-devel] [PATCH 3/5] Align reliable_free with other free methods to accept NULL

2020-10-23 Thread Arne Schwabe
The semantics of most free methods are to free a pointer and all its contents and also free the pointer itself. Align reliable_free to this semantic. Also clean up the other free uses in key_state_free. Signed-off-by: Arne Schwabe --- src/openvpn/reliable.c | 5 + src/openvpn/reliable.h

[Openvpn-devel] [PATCH] Remove --disable-def-auth configure argument

2020-10-23 Thread Arne Schwabe
for management interface there are so many features not directly related to deferred that depend on MANAGEMENT_DEF_AUTH (like client-kill) that supporting management without deferred auth is not worth it anymore. And removing this removes a high number of ifdefs in manage.c/h Signed-off-by: Arne

Re: [Openvpn-devel] [PATCH 1/2] Send auth-fail messages to clients on renegotiation failures via auth-token or user-pass expiry

2020-10-21 Thread Arne Schwabe
> /* > * Send restart message from server to client. > */ > diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h > index 96897e48..b5cc9dc9 100644 > --- a/src/openvpn/ssl_common.h > +++ b/src/openvpn/ssl_common.h > @@ -576,6 +576,7 @@ struct tls_multi > > char

Re: [Openvpn-devel] [PATCH v8] Add DNS SRV remote host discovery support

2020-10-20 Thread Arne Schwabe
On 05.10.20 at 00:36 Vladislav Grishenko wrote: > DNS SRV remote host discovery allows having multiple OpenVPN servers for > a single domain w/o explicit profile enumeration, to move services from > host to host with little fuss, and to designate hosts as primary servers > for a service and

Re: [Openvpn-devel] [PATCH] Fix compilation on pre-EKM mbedTLS libraries.

2020-10-09 Thread Arne Schwabe
On 09.10.20 at 22:33 Gert Doering wrote: > commit f0734e49956217 simplified key_state_export_keying_material(), > changing the function prototype. For older mbedTLS versions, there > is an "always fail" dummy function which was overlooked in that change. > > Fix prototype. > > Signed-off-by:

Re: [Openvpn-devel] [PATCH] Simplify key material exporter backend API

2020-10-09 Thread Arne Schwabe
ws for this, so submitted as a > patch afterwards.) > Acked-By: Arne Schwabe

[Openvpn-devel] [PATCH v5] Implement generating data channel keys via EKM/RFC 5705

2020-10-09 Thread Arne Schwabe
if you try to use it. Signed-off-by: Arne Schwabe Patch v2: rebase/change to V2 of EKM refactoring Patch v3: add Changes.rst Patch v4: Rebase on master. Patch v5: Refuse internal label to be used with --keying-material-exporter, polishing/fixes suggested by Steffan integrated Signed-off

Re: [Openvpn-devel] [PATCH v4 2/2] Implement generating data channel keys via EKM/RFC 5705

2020-10-09 Thread Arne Schwabe
On 09.10.20 at 11:23 Steffan Karger wrote: > Hi, > > On 25-08-2020 09:36, Arne Schwabe wrote: >> OpenVPN currently uses its own (based on TLS 1.0) key derivation >> mechanism to generate the 256 bytes key data in key2 struct that >> are then used to generate

[Openvpn-devel] [PATCH v3] Allow 'none' cipher being specified in --data-ciphers

2020-10-08 Thread Arne Schwabe
. If --cipher none is also specified in the configuration, the workaround of commit e539c95dc will also apply to cipher none. Patch V2: Also work correctly if remote_cipher is NULL. Patch V3: fix unit tests, add note about corner case Signed-off-by: Arne Schwabe --- src/openvpn/ssl.c | 8

[Openvpn-devel] [PATCH] Add function for common env setting of verify user/pass calls

2020-10-05 Thread Arne Schwabe
external auth method, the environment would not be set up for connect-client calls. This patch also removes an indentation level in most of the touched functions, so diffing without whitespaces is recommended for review. Signed-off-by: Arne Schwabe --- src/openvpn/ssl_verify.c | 176

[Openvpn-devel] [PATCH] Ignore deprecation warning for daemon on macOS

2020-10-05 Thread Arne Schwabe
macOS warns that we should use posix_spawn instead. However posix_spawn would require a major redesign of the code to daemonise, or dropping the --daemon feature on macOS. Ignore the clang warning in order to allow -Werror compile on macOS. Signed-off-by: Arne Schwabe --- src/openvpn/init.c

Re: [Openvpn-devel] [PATCH v5] Support X509 field list to be username

2020-10-05 Thread Arne Schwabe
> } > +else if (strcmp(LN_serialNumber,x509_username_field) == 0) > +{ Whitespace error after , Otherwise the patch looks good now. (We had informal reviews on IRC that prompted the newer versions) Acked-By: Arne Schwabe

Re: [Openvpn-devel] with IPv6 VPN connection, IPv4 traffic does not get routed over VPN

2020-10-02 Thread Arne Schwabe
On 02.10.20 at 15:26 François Kooman wrote: > Hi all, > > After testing connecting over native IPv6 to the VPN server, it turns > out the IPv4 traffic is not routed over the VPN. This worked in older > versions of OpenVPN (2.4.x) but no longer in OpenVPN 2.5rc2. I am > testing with Windows 8.1,

Re: [Openvpn-devel] [PATCH] compat/lz4: Update to v1.9.2

2020-10-02 Thread Arne Schwabe
On 02.10.20 at 12:03 Илья Шипицин wrote: > > > Fri, 2 Oct 2020 at 13:51, Arne Schwabe <mailto:a...@rfc2549.org>>: > > On 01.10.20 at 17:46 David Sommerseth wrote: > > It's a long while since the bundled lz4 library has received an >

Re: [Openvpn-devel] [PATCH] compat/lz4: Update to v1.9.2

2020-10-02 Thread Arne Schwabe
problematic as before. For master I would like to see this compat-lz4.* removed instead of being updated. For the 2.5.0 release it is too late to remove, so okay for that. Acked-By: Arne Schwabe

Re: [Openvpn-devel] [PATCH v3] Speedup TCP remote hosts connections

2020-10-02 Thread Arne Schwabe
ait more than it > v3: teach management_sleep() to handle zero timeout and reject negative > use 1s timeout for connection and 0s timeout for management events I like this version much more. It doesn't add extra complexity. Acked-By: Arne Schwabe

Re: [Openvpn-devel] [PATCH v7] Selectively reformat too long lines

2020-10-01 Thread Arne Schwabe
changes adds new PROTO_AUTO, so existing proto_names array is > reformatted as well. > > v7: prefer line breaks before long string parameters > reformat proto_names array > Acked-By: Arne Schwabe Also Antonio has no further concerns.

Re: [Openvpn-devel] [PATCH] Improve error msg when all TAP adapters are in use "or disabled"

2020-10-01 Thread Arne Schwabe
ut a more specific error message? I'm not > sure what errors are triggered by CreateFile, so just wondering.. Since we didn't do better I would suggest we merge the original patch as it is not adding any extra complexity and improves things. Acked-By: Arne Schwabe

Re: [Openvpn-devel] [PATCH 1/1] Exit management interface loop early on receiving 'remote MOD' message.

2020-10-01 Thread Arne Schwabe
On 03.07.19 at 16:50 Daniel Kaldor wrote: > OpenVPN using management interface and running with > 'management-query-remote' in the config will wait for a 'remote MOD' > or 'remote ACCEPT' message before continuing with connection. > > Logs indicate that this stage of the connection process

Re: [Openvpn-devel] Add --up-pre with the same functionality as --down-pre

2020-10-01 Thread Arne Schwabe
On 22.11.17 at 17:58 Simon Matter wrote: > Hi, > > In our situation we have the requirement to run scripts before tun/tap is > opened, not after. While this could be hacked into the init script, the > proper way seems to add it to openvpn as --up-pre option. That's > independent from any init

Re: [Openvpn-devel] NAT client-ip

2020-10-01 Thread Arne Schwabe
On 14.09.20 at 03:23 Rafael Gava wrote: > Hello guys, > > A couple years ago I submitted this patch which allows the user to set > the 'client-ip' as a convenient way to use the leased IP address > received from OpenVPN server in NAT configuration. For example: > > client-nat snat client-ip

Re: [Openvpn-devel] [PATCH] Speedup TCP remote hosts connections

2020-10-01 Thread Arne Schwabe
On 28.09.20 at 01:32 Vladislav Grishenko wrote: > For non-blocking TCP/Unix connection, OpenVPN checks whether it was established in a > loop and if not - sleeps or handles management for the next one second. Since > the first check is made right after the connection attempt, it will likely > be always

[Openvpn-devel] [PATCH 04/11] Introduce management client state for AUTH_PENDING notifications

2020-09-30 Thread Arne Schwabe
This allows a UI client to display the correct state. Technically the client is still waiting for PUSH_REPLY but for every practical concern this is a different state as we are waiting for the pending authentication to finish. Signed-off-by: Arne Schwabe --- src/openvpn/manage.c | 3 +++ src

[Openvpn-devel] [PATCH 05/11] Change parameter of send_auth_pending_messages from context to tls_multi

2020-09-30 Thread Arne Schwabe
This prepares send_auth_pending_messages to be used in a context that does not have context c available but also does not need to schedule an immediate sending of the message (auth plugin/script). Signed-off-by: Arne Schwabe --- src/openvpn/forward.c | 17 + src/openvpn/forward.h

[Openvpn-devel] [PATCH 03/11] Implement server side of AUTH_PENDING with extending timeout

2020-09-30 Thread Arne Schwabe
Signed-off-by: Arne Schwabe --- src/openvpn/manage.c | 26 +-- src/openvpn/manage.h | 3 ++- src/openvpn/multi.c | 27 +++- src/openvpn/push.c | 55 +--- src/openvpn/push.h | 10 src/openvpn

[Openvpn-devel] [PATCH 09/11] Implement deferred auth for scripts

2020-09-30 Thread Arne Schwabe
Signed-off-by: Arne Schwabe --- Changes.rst | 9 + doc/man-sections/script-options.rst | 14 +++- src/openvpn/ssl_verify.c| 56 - 3 files changed, 70 insertions(+), 9 deletions(-) diff --git a/Changes.rst b/Changes.rst

[Openvpn-devel] [PATCH 02/11] Implement client side handling of AUTH_PENDING message

2020-09-30 Thread Arne Schwabe
authentication 60s are quite short. To avoid not detecting network problems in this phase, we use the constant sending of PUSH_REQUEST/AUTH_PENDING as keepalive signal and still timeout the session after the handshake window time. Signed-off-by: Arne Schwabe --- doc/man-sections/server-options.rst

[Openvpn-devel] [PATCH 07/11] Refactor extract_var_peer_info into standalone function and add ssl_util.c

2020-09-30 Thread Arne Schwabe
Signed-off-by: Arne Schwabe --- src/openvpn/Makefile.am | 1 + src/openvpn/openvpn.vcxproj | 2 + src/openvpn/openvpn.vcxproj.filters | 6 +++ src/openvpn/ssl.c| 2 +- src/openvpn/ssl_ncp.c| 20 ++ src/openvpn/ssl_util.c

[Openvpn-devel] [PATCH 00/11] Pending authentication improvements

2020-09-30 Thread Arne Schwabe
/schwabe/auth_pending Arne Schwabe (11): Change pull request timeout use a timeout rather than a number Implement client side handling of AUTH_PENDING message Implement server side of AUTH_PENDING with extending timeout Introduce management client state for AUTH_PENDING notifications Change

[Openvpn-devel] [PATCH 11/11] Add example script demonstrating TOTP via auth-pending

2020-09-30 Thread Arne Schwabe
Signed-off-by: Arne Schwabe --- Changes.rst | 2 + doc/man-sections/script-options.rst | 3 + sample/sample-scripts/totpauth.py | 107 3 files changed, 112 insertions(+) create mode 100755 sample/sample-scripts/totpauth.py diff --git

[Openvpn-devel] [PATCH 08/11] Allow pending auth to be send from a auth plugin

2020-09-30 Thread Arne Schwabe
Signed-off-by: Arne Schwabe --- doc/man-sections/generic-options.rst | 3 +- include/openvpn-plugin.h.in | 8 ++ src/openvpn/ssl.c| 2 +- src/openvpn/ssl_common.h | 1 + src/openvpn/ssl_verify.c | 165 --- src

[Openvpn-devel] [PATCH] Allow 'none' cipher being specified in --data-ciphers

2020-09-30 Thread Arne Schwabe
fixes that we use '[null-cipher]' instead of 'none' when setting remote_cipher Patch V2: Also work correctly if remote_cipher is NULL. Signed-off-by: Arne Schwabe --- src/openvpn/ssl.c | 8 src/openvpn/ssl_ncp.c | 16 +++- tests/unit_tests/openvpn

[Openvpn-devel] [PATCH 06/11] Add S_EXITCODE flag for openvpn_run_script to report exit code

2020-09-30 Thread Arne Schwabe
This allows using scripts that have more than just fail/success but also deferred as status. Signed-off-by: Arne Schwabe --- src/openvpn/platform.c| 35 +++ src/openvpn/platform.h| 5 - src/openvpn/run_command.c | 25 - src

[Openvpn-devel] [PATCH 10/11] Implement --client-crresponse script options and plugin interface

2020-09-30 Thread Arne Schwabe
This allows scripts and plugins to parse/react to a CR_RESPONSE message. Signed-off-by: Arne Schwabe --- Changes.rst | 7 doc/man-sections/script-options.rst | 28 - include/openvpn-plugin.h.in | 7 +++- src/openvpn/init.c

[Openvpn-devel] [PATCH 01/11] Change pull request timeout use a timeout rather than a number

2020-09-30 Thread Arne Schwabe
a pending authentication. As a user visible change we print the time we waited for a timeout instead. Also update the man page to actually document that hand-window controls this timeout. Signed-off-by: Arne Schwabe --- doc/man-sections/tls-options.rst | 4 src/openvpn/forward.c

Re: [Openvpn-devel] [PATCH] Fix update_time() and openvpn_gettimeofday()

2020-09-22 Thread Arne Schwabe
> --- a/src/openvpn/otime.h > +++ b/src/openvpn/otime.h > @@ -78,13 +78,9 @@ openvpn_gettimeofday(struct timeval *tv, void *tz) > static inline void > update_time(void) > { > -#ifdef _WIN32 > -/* on _WIN32, gettimeofday is faster than time(NULL) */ > +/* can't use time(NULL), now_usec

[Openvpn-devel] [PATCH v2] Allow 'none' cipher being specified in --data-ciphers

2020-09-21 Thread Arne Schwabe
fixes that we use '[null-cipher]' instead of 'none' when setting remote_cipher Patch V2: Also work correctly if remote_cipher is NULL. Signed-off-by: Arne Schwabe --- src/openvpn/ssl.c | 8 src/openvpn/ssl_ncp.c | 16 +++- tests/unit_tests/openvpn

[Openvpn-devel] [PATCH] Allow 'none' cipher being specified in --data-ciphers

2020-09-21 Thread Arne Schwabe
fixes that we use '[null-cipher]' instead of 'none' when setting remote_cipher Signed-off-by: Arne Schwabe --- src/openvpn/ssl.c | 7 +++ src/openvpn/ssl_ncp.c | 16 +++- tests/unit_tests/openvpn/test_ncp.c | 10 -- 3 files changed, 30 insertions

Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN

2020-09-17 Thread Arne Schwabe
On 17.09.20 at 17:50 Juliusz Sosinowicz wrote: > Could you describe how you generated this warning? Looking into our > sources, we do call SHA1 just SHA in wolfSSL. Other variants have names > in the format of SHA. Just connecting to a server. Arne

Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN

2020-09-16 Thread Arne Schwabe
On 16.09.20 at 11:45 Juliusz Sosinowicz wrote: > Hi Arne, > > a quick update. A PR is now open in wolfSSL with fixes for OpenVPN master. This is the version that I could actually take a deeper look at, so here are my results. It generally works but there seem to be some loose ends: I am still

Re: [Openvpn-devel] [PATCH] Fix --show-gateway for IPv6 on NetBSD/i386.

2020-09-13 Thread Arne Schwabe
acro from - use > that, and avoid trying to second-guess OS requirements. > > While at it, add M_ERRNO to ominous "GDG6: problem writing to routing socket" > error message to differentiate between "EINVAL" and other errors. Have not tested it but looks sane and using OS

Re: [Openvpn-devel] [PATCH] Fix handling of 'route remote_host' for IPv6 transport case.

2020-09-11 Thread Arne Schwabe
e "status = false" returns from > get_special_addr(). > > I have just added the "if (!status)" check, not done refactoring for > init_route() to see whether I could make it "more pretty". > > Looks good. Acked-By: Arne Schwabe

Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN

2020-09-10 Thread Arne Schwabe
On 10.09.20 at 14:11 Juliusz Sosinowicz wrote: > Hi Arne, > > I understand your concern and apologize for the delay. We have been busy > with the release of wolfSSL 4.5.0. I will make sure that the fixes > necessary for OpenVPN support will be prioritized. > > Sincerely > Juliusz I think the

Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN

2020-09-10 Thread Arne Schwabe
On 22.07.20 at 16:02 Juliusz Sosinowicz wrote: > Hi Arne, > > thank you for your feedback. I tested the patch on the latest master > version at the time of writing and it looks like these requirements were > added in the last week which is why I wasn't able to address them > before. I will look

Re: [Openvpn-devel] [PATCH 0/4] Allow setting up OpenVPN in TLS mode without CA

2020-09-10 Thread Arne Schwabe
On 09.09.20 at 20:23 tincanteksup wrote: > > > On 09/09/2020 11:21, Arne Schwabe wrote: >> On 09.09.20 at 10:04 François Kooman wrote: >>> On 9/8/20 6:38 PM, Arne Schwabe wrote: >>>> I really wonder which large deployments want to do that instead of a C

Re: [Openvpn-devel] [PATCH] Fix TUNSETGROUP compatibility with very old Linux systems.

2020-09-10 Thread Arne Schwabe
se if (ioctl(tt->fd, TUNSETGROUP, platform_state_group.gr->gr_gid) > < 0) > { > -msg(M_ERR, "Cannot ioctl TUNSETOWNER(%s) %s", groupname, dev); > +msg(M_ERR, "Cannot ioctl TUNSETGROUP(%s) %s", groupname, dev); >

Re: [Openvpn-devel] [PATCH v2] Add DNS SRV host discovery support

2020-09-09 Thread Arne Schwabe
> I see your point, thank you. > Fallback is done just to conform to the RFC 2782 suggestion, personally I feel it's > hardly used with controllable client profiles when it's known that > domain.tld does dns srv. Yes. And I see the point in that RFC. I would rather document that for our fallback the

Re: [Openvpn-devel] [PATCH v2] Add DNS SRV host discovery support

2020-09-09 Thread Arne Schwabe
On 26.08.20 at 18:51 Vladislav Grishenko wrote: > DNS SRV host discovery allows having multiple OpenVPN servers for a single > domain w/o explicit profile enumeration, to move services from host to host > with little fuss, and to designate hosts as primary servers for a service > and others as

Re: [Openvpn-devel] [PATCH 0/4] Allow setting up OpenVPN in TLS mode without CA

2020-09-09 Thread Arne Schwabe
On 09.09.20 at 10:04 François Kooman wrote: > On 9/8/20 6:38 PM, Arne Schwabe wrote: >> I really wonder which large deployments want to do that instead of a CA. >> I really understand the need for small and simple deployments. But for >> larger deployments a CA +

Re: [Openvpn-devel] [PATCH] Document that --push-remove is generally more suitable than --push-reset

2020-09-08 Thread Arne Schwabe
On 08.09.20 at 19:04 André wrote: > Hi, > > My vote would be to deprecate --push-reset > (same for --route-nopull) > Route-nopull is still a very useful option that has no good replacement. I regularly use it when the server should not mess up my routing table. Arne

Re: [Openvpn-devel] [PATCH] Document that --push-remove is generally more suitable than --push-reset

2020-09-08 Thread Arne Schwabe
On 08.09.20 at 18:35 Gert Doering wrote: > Hi, > > On Tue, Sep 08, 2020 at 03:11:40PM +0200, David Sommerseth wrote: >> It would be good if --push-reset would actually not remove certain critical >> options, but this is anyhow a good heads-up for our users. > > Well, that ticket sat there 10

Re: [Openvpn-devel] [PATCH 0/4] Allow setting up OpenVPN in TLS mode without CA

2020-09-08 Thread Arne Schwabe
> One of the nice features of Jason's patch was that also for big(ger) > deployments you could get rid of the CA if you have another channel to > establish trust between client and server. I really wonder which large deployments want to do that instead of a CA. I really understand the need for

[Openvpn-devel] [PATCH 2/4] Implement peer-fingerprint to check fingerprint of peer certificate

2020-09-08 Thread Arne Schwabe
This option allows pinning a certificate or a number of certificates. It also prepares for doing TLS authentication without a CA and with just self-signed certificates. Signed-off-by: Arne Schwabe --- Changes.rst | 7 ++ doc/man-sections/inline-files.rst | 4 ++-- doc/man

[Openvpn-devel] [PATCH 3/4] Support fingerprint authentication without CA certificate

2020-09-08 Thread Arne Schwabe
t clientcert.pem --key clientkey.pem --peer-fingerprint "$server_fingerprint" --nobind Signed-off-by: Jason A. Donenfeld Patch V2: Changes in V2 (by Arne Schwabe): - Only check peer certificates, not all cert levels, if you need multiple levels of certificate you should

[Openvpn-devel] [PATCH 1/4] Extend verify-hash to allow multiple hashes

2020-09-08 Thread Arne Schwabe
For a new syntax introduced now it does not make much sense to support deprecated and old hashes, so support only SHA-256. Also give a warning about SHA1 hash being deprecated to verify certificates as it is now "industry standard". Signed-off-by: Arne Schwabe --- doc/man-secti

[Openvpn-devel] [PATCH 4/4] Document the simple self-signed certificate setup in examples

2020-09-08 Thread Arne Schwabe
Also remove the static key setup example as it is less secure and we want to avoid it for new setups as we want to slowly deprecate these. Signed-off-by: Arne Schwabe --- Changes.rst | 5 doc/man-sections/examples.rst| 46 doc/man

[Openvpn-devel] [PATCH 0/4] Allow setting up OpenVPN in TLS mode without CA

2020-09-08 Thread Arne Schwabe
on an inlined section. The downside is that this requires a server restart on adding a client but the upside is that no script-security or external scripts are necessary and the server/client setup becomes symmetric. Arne Schwabe (3): Extend verify-hash to allow multiple hashes Implement peer

Re: [Openvpn-devel] [PATCH] Document that --push-remove is generally more suitable than --push-reset

2020-09-08 Thread Arne Schwabe
asonably fixed, because the list of "critical" options depends on > overall server config. > > So just document the fact, and point people towards --push-remove as > a more selective tool. > Acked-By: Arne Schwabe

Re: [Openvpn-devel] [PATCH] Fix error detection / abort in --inetd corner case.

2020-09-08 Thread Arne Schwabe
dy, and trigger a M_FATAL abort > on "errno == ENOTSOCK" ("The argument s is a file, not a socket"). > > While at it, uncrustify the --bind-dev code (whitespace only). Yes. Ack. I am happy when we can finally get rid of --inetd. Acked-By: Arne Schwabe

[Openvpn-devel] [PATCH 3/5] Allow running a default configuration with TLS libraries without BF-CBC

2020-09-07 Thread Arne Schwabe
in the default configuration. Signed-off-by: Arne Schwabe --- src/openvpn/init.c| 18 +-- src/openvpn/options.c | 51 --- 2 files changed, 54 insertions(+), 15 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index dff090b1

[Openvpn-devel] [PATCH 5/5] Prefer TLS libraries TLS PRF function, fix OpenVPN in FIPS mode

2020-09-07 Thread Arne Schwabe
for older TLS libraries, the separation makes it easier to remove that code individually. No FIPS conformity testing etc. has been done, this is only about allowing OpenVPN on a system where FIPS mode has been enabled system wide (e.g. on RHEL derivatives). Signed-off-by: Arne Schwabe --- src

[Openvpn-devel] [PATCH 4/5] Check return values in md_ctx_init and hmac_ctx_init

2020-09-07 Thread Arne Schwabe
Without this OpenVPN will later segfault on a FIPS enabled system due to the algorithm being available but not allowed. Signed-off-by: Arne Schwabe --- src/openvpn/crypto_openssl.c | 10 -- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/openvpn/crypto_openssl.c b/src

[Openvpn-devel] [PATCH] Ignore --cipher for cipher negotiation in server client mode

2020-09-07 Thread Arne Schwabe
OpenVPN will ignore --cipher in lieu of the replacement data-ciphers for cipher negotiation. Signed-off-by: Arne Schwabe --- doc/man-sections/protocol-options.rst | 6 -- src/openvpn/options.c | 26 -- 2 files changed, 8 insertions(+), 24 deletions

[Openvpn-devel] [PATCH] Cleanup print_details and add signature/ED certificate print

2020-09-07 Thread Arne Schwabe
details about ED certificates: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 253 bit ED25519, signature: ED25519 Signed-off-by: Arne Schwabe --- src/openvpn/ssl_openssl.c | 118 +- 1 file changed, 78 insertions(+), 40

Re: [Openvpn-devel] [PATCH 2/2] Also announce IV_CIPHERS as client in OpenVPN 2.4

2020-08-30 Thread Arne Schwabe
> +++ b/src/openvpn/ssl.c > @@ -2311,7 +2311,18 @@ push_peer_info(struct buffer *buf, struct tls_session > *session) > if (session->opt->ncp_enabled > && (session->opt->mode == MODE_SERVER || session->opt->pull)) > { > +/* We keep announcing IV_NCP=2 in

[Openvpn-devel] [PATCH 0/2] Backport/implement IV_CIPHERS support for OpenVPN 2.4

2020-08-30 Thread Arne Schwabe
This is basically to improve 2.4 client to OpenVPN 2.5 server compatibility. The commit message of patch 2/2 explains the motivations and details more. Arne Schwabe (2): Normalise ncp-ciphers option and restrict it to 127 bytes Also announce IV_CIPHERS as client in OpenVPN 2.4 doc/openvpn.8

[Openvpn-devel] [PATCH 1/2] Normalise ncp-ciphers option and restrict it to 127 bytes

2020-08-30 Thread Arne Schwabe
added to ssl.h/ssl.c instead ssl_ncp.c/.h Signed-off-by: Arne Schwabe --- doc/openvpn.8 | 2 + src/openvpn/options.c | 9 src/openvpn/ssl.c | 63 +++ src/openvpn/ssl.h | 23 + src/openvpn/ssl_ncp.h | 116

[Openvpn-devel] [PATCH 2/2] Also announce IV_CIPHERS as client in OpenVPN 2.4

2020-08-30 Thread Arne Schwabe
break existing 2.4 setups. Server support for IV_CIPHERS is not added since it would be quite intrusive and users should rather upgrade to 2.5 on the server if they want the full benefits. This commit cherry picks a few parts of 868b200c3aef6ee5acfdf679770832018ebc7b70 Signed-off-by: Arne Schwabe

[Openvpn-devel] [PATCH v2] Fix client NCP OCC fallback when server and client cipher are identical

2020-08-30 Thread Arne Schwabe
ame) is always a valid cipher we always need to perform this check. V2: Only call tls_item_in_cipher_list if remote_cipher is non-null to avoid calling strcmp with NULL. Reported-By: Rafael Gava Signed-off-by: Arne Schwabe --- src/openvpn/ssl_ncp.c | 11 --- 1 file changed, 4 insertions(+)

[Openvpn-devel] [PATCH] Fix client NCP OCC fallback when server and client cipher are identical

2020-08-30 Thread Arne Schwabe
ame) is always a valid cipher we always need to do the check. Reported-By: Rafael Gava Signed-off-by: Arne Schwabe --- src/openvpn/ssl_ncp.c | 12 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c index c9ab85ce..d82419fb 100

Re: [Openvpn-devel] [PATCH] Fix client's poor man NCP fallback

2020-08-30 Thread Arne Schwabe
Am 29.08.20 um 21:19 schrieb Rafael Gava: > Hi Arne, > > This thread has a couple days but I'm testing the version 2.5-beta2 and > I'm getting the following error: > > 2020-08-29 16:02:53 us=643016 OPTIONS ERROR: failed to negotiate cipher > with server. Add the server's cipher ('BF-CBC') to

Re: [Openvpn-devel] [PATCH 1/2] Send auth-fail messages to clients on renegotiation failures via auth-token or user-pass expiry

2020-08-27 Thread Arne Schwabe
Am 27.08.20 um 01:57 schrieb Eric Thorpe: > Hi Arne, > >> That code/commit message is explicitly talking about renegotiation. So >> if that is also broken, there seems to be something else wrong. > You are quite correct, I've muddled this up with a different issue I've > been working through with

Re: [Openvpn-devel] [PATCH] Adds client-auth-pending-extra management functionality.

2020-08-27 Thread Arne Schwabe
Am 27.08.20 um 01:34 schrieb Eric Thorpe: > Hi Arne, > > The first we are trying to migrate across is U2F - > https://www.sparklabs.com/support/kb/article/yubikey-u2f-two-factor-authentication-with-openvpn-and-viscosity/ >

Re: [Openvpn-devel] [PATCH] Adds client-auth-pending-extra management functionality.

2020-08-26 Thread Arne Schwabe
Am 26.08.20 um 03:15 schrieb Eric Thorpe: > Hi Arne, > > I'm happy to resubmit the patch with further documentation to what I > have already included with this patch, however I need to know what is > likely to be accepted. > > Per my previous question and example, is it acceptable to keep using

Re: [Openvpn-devel] [PATCH 1/2] Send auth-fail messages to clients on renegotiation failures via auth-token or user-pass expiry

2020-08-26 Thread Arne Schwabe
Am 26.08.20 um 03:12 schrieb Eric Thorpe: >> Management goes another code path and management_client_auth directly >> calls send_auth_failed. > I'm afraid in the case of renegotiation this is not relevant That code/commit message is explicitly talking about renegotiation. So if that is also

Re: [Openvpn-devel] [PATCH] Add DNS SRV host discovery support

2020-08-25 Thread Arne Schwabe
Am 25.08.20 um 00:15 schrieb Vladislav Grishenko: > DNS SRV (rfc2782) support allows using several OpenVPN servers for a single > domain w/o explicit profile enumerating, to move services from host to host > with little fuss, and to designate some hosts as primary servers for a service > and

[Openvpn-devel] [PATCH v4 2/2] Implement generating data channel keys via EKM/RFC 5705

2020-08-25 Thread Arne Schwabe
if you try to use it. Signed-off-by: Arne Schwabe Patch v2: rebase/change to V2 of EKM refactoring Patch v3: add Changes.rst Signed-off-by: Arne Schwabe --- Changes.rst | 11 +++ doc/doxygen/doc_key_generation.h | 14 +++-- src/openvpn/crypto.h | 4

[Openvpn-devel] [PATCH v4 1/2] Move openvpn specific key expansion into its own function

2020-08-25 Thread Arne Schwabe
This moves the OpenVPN specific PRF into its own function and also simplifies the code a bit by passing tls_session directly instead of 5 of its fields. Patch v2: Rebase Patch v4: rewrite/fix comments, fix potential not-initialised-before-goto issue Signed-off-by: Arne Schwabe --- src
