[Openvpn-devel] [PATCH] Pass correct buffer size to GetModuleFileNameW()

2017-05-11 Thread selva . nair
From: Selva Nair Fixes finding 5.6 of OSTIF/Quarkslab audit Signed-off-by: Selva Nair --- src/openvpn/win32.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c index 0cbf5fd..9a03681

[Openvpn-devel] [PATCH 2/3 (release/2.2)] cleanup: merge packet_id_alloc_outgoing() into packet_id_write()

2017-05-11 Thread Steffan Karger
From: Steffan Karger The functions packet_id_alloc_outgoing() and packet_id_write() were always called in tandem. Instead of forcing the caller to allocate a packet_id_net to do so, merge the two functions. This simplifies the API and reduces the chance on mistakes

[Openvpn-devel] OpenVPN 2.4.2 released (with security fixes)

2017-05-11 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.4.2. It can be downloaded from here: OpenVPN v2.4.0 was audited for security vulnerabilities independently by Quarkslabs (funded by OSTIF) and Cryptography Engineering

[Openvpn-devel] OpenVPN 2.3.15 released (with security fixes)

2017-05-11 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.3.15. It can be downloaded from here: OpenVPN v2.4.0 was audited for security vulnerabilities independently by Quarkslabs (funded by OSTIF) and Cryptography Engineering

Re: [Openvpn-devel] [PATCH applied] Don't assert out on receiving too-large control packets (CVE-2017-7478)

2017-05-11 Thread David Sommerseth
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 This resolves the issue in my tests, code looks sane ... so ACK! Your patch has been applied to the following branches commit 5774cf4c25e1d8bf4e544702db8f157f111c9d93 (master) commit 66b99a0753352c5cc43e11e39835b6423112df98 (release/2.4)

Re: [Openvpn-devel] [PATCH applied] Drop packets instead of assert out if packet id rolls over (CVE-2017-7479)

2017-05-11 Thread David Sommerseth
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 ACK. Your patch has been applied to the release/2.3 branch commit b727643cdf4e078f132a90e1c474a879a5760578 Author: Steffan Karger Date: Tue May 9 21:30:07 2017 +0200 Drop packets instead of assert out if packet id rolls over

Re: [Openvpn-devel] [PATCH applied] Introduce and use secure_memzero() to erase secrets

2017-05-11 Thread David Sommerseth
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 ACK. Verified that the code itself is the same as in master and release/2.4. There are a few difference where secure_memzero() are used, which is natural due to the differences between the 2.3 and newer releases. Overall, it looks good. Your

[Openvpn-devel] [PATCH 1/2 (master)] Don't assert out on receiving too-large control packets (CVE-2017-7478)

2017-05-11 Thread Steffan Karger
Commit 3c1b19e0 changed the maximum size of accepted control channel packets. This was needed for crypto negotiation (which is needed for a nice transition to a new default cipher), but exposed a DoS vulnerability. The vulnerability was found during the OpenVPN 2.4 code audit by Quarkslab

[Openvpn-devel] [PATCH (release/2.3)] Drop packets instead of assert out if packet id rolls over (CVE-2017-7479)

2017-05-11 Thread Steffan Karger
Previously, if a mode was selected where packet ids are not allowed to roll over, but renegotiation does not succeed for some reason (e.g. no password entered in time, certificate expired or a malicious peer that refuses the renegotiaion on purpose) we would continue to use the old keys. Until

[Openvpn-devel] [PATCH (release/2.3)] Don't assert out on receiving too-large control packets (CVE-2017-7478)

2017-05-11 Thread Steffan Karger
Commit 358f513c changed the maximum size of accepted control channel packets. This was needed for crypto negotiation (which is needed for a nice transition to a new default cipher), but exposed a DoS vulnerability. The vulnerability was found during the OpenVPN 2.4 code audit by Quarkslab

[Openvpn-devel] [PATCH 2/2 (master)] Drop packets instead of assert out if packet id rolls over (CVE-2017-7479)

2017-05-11 Thread Steffan Karger
Previously, if a mode was selected where packet ids are not allowed to roll over, but renegotiation does not succeed for some reason (e.g. no password entered in time, certificate expired or a malicious peer that refuses the renegotiaion on purpose) we would continue to use the old keys. Until

Re: [Openvpn-devel] [PATCH applied] Document that OpenVPN 2.3 does not check the CRL signature

2017-05-11 Thread David Sommerseth
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 ACK. Your patch has been applied to the release/2.3 branch commit 51d936d0c762a280923c9267c2b4fa154f905b9a Author: Steffan Karger Date: Wed May 10 21:50:44 2017 +0200 Document that OpenVPN 2.3 does not check the CRL signature

Re: [Openvpn-devel] [PATCH (release/2.3)] Don't assert out on receiving too-large control packets (CVE-2017-7478)

2017-05-11 Thread Gert Doering
Hi, On Thu, May 11, 2017 at 11:00:57AM +0200, Steffan Karger wrote: > Commit 358f513c changed the maximum size of accepted control channel > packets. This was needed for crypto negotiation (which is needed for a > nice transition to a new default cipher), but exposed a DoS > vulnerability. The

Re: [Openvpn-devel] [PATCH applied] Don't assert out on receiving too-large control packets (CVE-2017-7478)

2017-05-11 Thread David Sommerseth
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 ACK from me as well on this one. As Gert already said, patch is identical to what we applied in master and release/2.4. The Changes.rst file was updated on-the-fly, removing references to tls-crypt, which isn't available in the v2.3 releases.

Re: [Openvpn-devel] [PATCH applied] Set a low interface metric for tap adapter when block-outside-dns is in use

2017-05-11 Thread David Sommerseth
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Your patch has been applied to the following branches commit 27aa87283f6e766507287649aa5a63f1f5172645 (master) commit 3c28855760c389d15384238d0e089132da98949b (release/2.4) Author: ValdikSS Date: Wed May 10 21:47:53 2017 +0300 Set a low

Re: [Openvpn-devel] [PATCH applied] Drop packets instead of assert out if packet id rolls over (CVE-2017-7479)

2017-05-11 Thread David Sommerseth
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 ACK. Your patch has been applied to the following branches commit e498cb0ea8d3a451b39eaf6f9b6a7488f18250b8 (master) commit 591a4e574c43cb9e820950f15dcaabda261def78 (release/2.4) Author: Steffan Karger Date: Tue May 9 21:30:09 2017 +0200

[Openvpn-devel] [PATCH 1/3 (release/2.2)] Update sample-keys

2017-05-11 Thread Steffan Karger
So 'make check' works again - the old keys were expired. These are now the same keys as we use in release/2.3, release/2.4 and master. Signed-off-by: Steffan Karger --- sample-keys/ca.crt | 48 -- sample-keys/ca.key | 67 +++--

[Openvpn-devel] [PATCH 2/3 (release/2.2)] cleanup: merge packet_id_alloc_outgoing() into packet_id_write()

2017-05-11 Thread Steffan Karger
From: Steffan Karger The functions packet_id_alloc_outgoing() and packet_id_write() were always called in tandem. Instead of forcing the caller to allocate a packet_id_net to do so, merge the two functions. This simplifies the API and reduces the chance on mistakes