Hi,
On Thu, Dec 15, 2022 at 08:01:36PM +0100, Arne Schwabe wrote:
> This changes the password check on the management interface to be constant
> time. Normally the management port should not be exposed in a way that allows
> an attacker to even interact with it but making the check constant time
Am 15.12.2022 um 20:01 schrieb Arne Schwabe:
From: David Sommerseth
If the key_state_gen_auth_control_files() call fails, the code would
just return without freeing the argv container. Instead the code should
jump to an appropriate exit point where memory is being released.
Also adjust the
From: Selva Nair
Signed-off-by: Selva Nair
---
Tested on Windows which is the only platform that currently
supports stats from DCO in client mode.
src/openvpn/init.c| 11 +++
src/openvpn/init.h| 2 ++
src/openvpn/manage.c | 9 +
src/openvpn/manage.h | 3 +++
The OpenVPN community project team is proud to release OpenVPN 2.6_beta2.
This is the second Beta release for the feature release 2.6.0.
Changes since Beta 1:
* Transport statistics (bytes in/out) for DCO environments.
Currently only for Windows clients and FreeBSD servers.
Other platforms
Hi!
In the old 2.4 version days, we used a private patch which accomplished the
following:
Every clients gets a fwmark and a mask assigned via the config or a ccd file
Outbound packets
-If the systems sends a packet, it always has a fwmark assigned
-If such a packet goes thru the tun/dco
Am 14.12.22 um 23:42 schrieb Lev Stipakov:
From: Lev Stipakov
BYTECOUNT on management interface is used to display client stats,
for example by openvpn-gui. At the moment BYTECOUNT is sent if
there is a traffic. With DCO, userspace process doesn't see data
channel traffic, BYTECOUNT is not
Hi,
*sigh* - "Marc Becker via Openvpn-devel", this so messes up my workflow...
(can DMARC please go somewhere and die, alone, with no friends?).
I had to reapply these patches 1/3 and 2/3 to get the author right,
so you'll see new commit IDs.
For 1/3, these are:
On Thu, Dec 15, 2022 at
Hi,
On Thu, Dec 15, 2022 at 09:04:18AM +0100, Gert Doering wrote:
> Your patch has been applied to the master and release/2.6 branch.
>
> commit 5954f03bb321a969ea6edbdd353e1dd4f61ac8f0 (master)
> commit d0141344b0c21747ba18be64470236066da62f33 (release/2.6)
Same thing here: fixing DMARC
I have not tested this at all, as I do not have the necessary infrastructure.
It does not affect non-WIN32 builds, so what I'll do is to feed this +
the vcpkg patch to my github instance, so it can be tested for windows,
and only then push to the "real" repos.
Your patch has been applied to the
Lev warned me that there are whitespace errors in the "inside" patch,
so had to apply this with "git am --whitespace=nowarn"...
Pushed to my github instance, had GHA build something, and it claims
"success"...
https://github.com/cron2/openvpn/actions/runs/3702355587
Hi,
> In non-dco use, the stats as persisted by the management interface are not
> reset throughout the lifetime of the process. With dco, what the driver
> provides is "Peer Stats" which is reset in OvpnPeerNew() (linux appears to
> do the same). A quick option > would be to move the
Hi,
On 15/12/2022 10:31, Lev Stipakov wrote:
Hi,
In non-dco use, the stats as persisted by the management interface are not reset throughout
the lifetime of the process. With dco, what the driver provides is "Peer Stats"
which is reset in OvpnPeerNew() (linux appears to do the same). A
I have test compiled this on Gentoo with pkcs-helper-1.27.0-r1, and
"it compiled". I'm aware that this is not actually excercising any
of the new code paths, but "stare at code" sees nothing explosive,
and I trust Selva's review.
Your patch has been applied to the master and release/2.6 branch.
Arne, thanks for the review and ACK.
I have done quite a bit of stare-at-code on this patch myself, and think
I understand what it does - change from "whenever userland updates the
counters, check if mgmt needs to be informed" to "inform mgmt via the
coarse timers", because there are no more
Hi,
> So it seems as the timer activation got delayed somehow
> -> this is something we need to come back to, when Linux/FreeBSD DCO
> stats get implemented. Starting with "management-hold", then "bytecount",
> then "hold release" gave me counters right away. Mysteries...
This is because we do
Hi,
On Thu, Dec 15, 2022 at 07:49:53AM -0500, Selva Nair wrote:
> Possibly we can merge the current patch
> for openvpn.exe and then improve it later in bug-fix releases of 2.6?
This was my thinking as well - so the patch is in, and provides at
least some statistics, and room for improvements
Hi,
On Thu, Dec 15, 2022 at 5:15 AM Antonio Quartulli wrote:
> Hi,
>
> On 15/12/2022 10:31, Lev Stipakov wrote:
> > Hi,
> >
> >> In non-dco use, the stats as persisted by the management interface are
> not reset throughout the lifetime of the process. With dco, what the driver
> provides is
Hi,
On 15/12/2022 13:55, Gert Doering wrote:
Hi,
On Thu, Dec 15, 2022 at 07:49:53AM -0500, Selva Nair wrote:
Possibly we can merge the current patch
for openvpn.exe and then improve it later in bug-fix releases of 2.6?
This was my thinking as well - so the patch is in, and provides at
least
Acked-by: Gert Doering
Stare-at-code suggests that this might work. I haven't tested this, but
Selva did, and the "on reconnect the timers get lost" issue is being
addressed by Lev in the win-dco driver itself - so, good to go.
I have pushed to github, to see if it passes compile & actions
Hi,
On Thu, Dec 15, 2022 at 02:48:49PM +0200, Lev Stipakov wrote:
> > So it seems as the timer activation got delayed somehow
> > -> this is something we need to come back to, when Linux/FreeBSD DCO
> > stats get implemented. Starting with "management-hold", then "bytecount",
> > then "hold
Reported-By: Trail of Bits
Signed-off-by: Arne Schwabe
---
src/openvpn/misc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index d78106cdc..551606e0e 100644
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -258,6 +258,7 @@
NTLMv1 is ancient and not considered secure anymore and we are not
aware of any users or software still requiring this feature.
Additionally it currently depends on our "doing single DES using
3DES" workaround for OpenSSL (cipher_des_encrypt_ecb). So removing
NTLMv1 will also allow us to remove
This patch set addresses some issues found by Trail of Bits in an
audit of OpenVPN 2.x. This audit is currently not public but the
intention is to publish it.
The audit contained no vulnerability or problem that was deemed a
vulnerability that needed a CVE or coordinated release. Therefore,
this
Signed-off-by: Arne Schwabe
---
src/openvpn/misc.h | 1 +
src/openvpn/ntlm.c | 13 +
2 files changed, 14 insertions(+)
diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h
index 2a6c0b8b3..6a883f70a 100644
--- a/src/openvpn/misc.h
+++ b/src/openvpn/misc.h
@@ -67,6 +67,7 @@ struct
This fixes two places were we do not have enough space in the array
of parameters given to parse_line for the final NULL parameter that
signal the end of the parsed argument errors.
Both these cases can lead to a buffer overflow. But both of these
cases require root/admin access to OpenVPN:
-
These empty blocks are intentional but trigger code checkers and
were pointed out by Trail of Bits in the security audits. Add comments
to them or eliminate them whatever makes more sense.
For fallthrough C23 [1] has a standard way to signal that but we not
adding a C23 feature to our codebase,
Reported-By: Trail of Bits
Signed-off-by: Arne Schwabe
---
src/openvpn/forward.c | 3 ---
src/openvpn/multi.c | 2 --
2 files changed, 5 deletions(-)
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 7924fd5c6..c04511ee1 100644
--- a/src/openvpn/forward.c
+++
From: David Sommerseth
If the key_state_gen_auth_control_files() call fails, the code would
just return without freeing the argv container. Instead the code should
jump to an appropriate exit point where memory is being released.
Also adjust the related comment, to indicate that these deferred
This changes the password check on the management interface to be constant
time. Normally the management port should not be exposed in a way that allows
an attacker to even interact with it but making the check constant time as
an additional layer of security is always good.
Reported-by: Connor
29 matches
Mail list logo