Re: [Openvpn-devel] [PATCH] Change CTR DRBG update function call to new mbedtls 2.16.0 API

2021-04-06 Thread Maximilian Fillinger
> On 02.04.21 at 15:26, Max Fillinger wrote:
> > From: Uipko Berghuis
> >
> > In mbedtls 2.16.0 mbedtls_ctr_drbg_update() changed to
> > mbedtls_ctr_drbg_update_ret(). Change the function name and handle the
> > new return value error code.
> > ---
> > src/openvpn/ssl_mbedtls.c | 5 -
> > 1

Re: [Openvpn-devel] [PATCH 1/1] Let mbedtls_ssl_configs find reloaded CRLs

2021-04-06 Thread Maximilian Fillinger
> > }
> >
> > void
> > +make_empty_crl(struct tls_root_ctx *ctx)
> > +{
> > +if (ctx->crl == NULL)
> > +{
> > +ALLOC_OBJ_CLEAR(ctx->crl, mbedtls_x509_crl);
> > +}
> > +else
> > +{
> > +mbedtls_x509_crl_free(ctx->crl);
> > +}
> > +}
> > +
> > This function
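Review bot: the else branch of make_empty_crl() frees ctx->crl but never explicitly re-initialises it, so the function is only correct because mbedtls_x509_crl_free() zeroizes the struct on its way out; a one-line comment stating that the freed object is reusable as an empty CRL (or an explicit mbedtls_x509_crl_init(ctx->crl) after the free) would make the invariant obvious to the next reader.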

Re: [Openvpn-devel] [PATCH 1/1] Rework mbedtls CRL handling

2021-04-08 Thread Maximilian Fillinger
Hi Antonio,

Thanks for taking a look!

> Mh... I have tried to reproduce this issue, but I was not able to.
> Would you be able to provide me with the exact steps to hit this
> situation?

This bug happens only if the CRL file can't be opened in init_ssl(). (Un-openable CRL files and un-parseable

Re: [Openvpn-devel] [PATCH] Replace deprecated mbedtls DRBG update function

2021-08-10 Thread Maximilian Fillinger
> From: Arne Schwabe [mailto:a...@rfc2549.org]
> Sent: Tuesday 10 August 2021 12:12
> To: Maximilian Fillinger ; openvpn-
> de...@lists.sourceforge.net
> Subject: Re: [Openvpn-devel] [PATCH] Replace deprecated mbedtls DRBG
> update function
>
> On 10.08.21 at 08:

Re: [Openvpn-devel] [PATCH] Replace deprecated mbedtls DRBG update function

2021-08-10 Thread Maximilian Fillinger
> Normally we have patch v2 here and also a patch v2 in the subject (use
> -v 2 when doing git format-patch) but for this small patch it is not a
> problem.

I'll keep it in mind for next time!

> Apart from the fact that we might want to abort (M_FATAL) if this fails
> instead of basically ignoring

Re: [Openvpn-devel] [PATCH] Don't "undo" ifconfig when given --ifconfig-noexec

2021-11-17 Thread Maximilian Fillinger
> ... so why is "did_ifconfig_setup" true, if ifconfig wasn't done?
>
> Or, phrased differently, what is did_ifconfig_setup used for, across the
> code, and can we just "not set it to true" if ifconfig-noexec is in
> effect? Or does it have nasty side effects?

tt->did_ifconfig_setup is set in

Re: [Openvpn-devel] [PATCH applied] Re: Update openssl_compat.h for newer LibreSSL

2022-08-24 Thread Maximilian Fillinger
> but they think the revamped OpenSSL 3.0 way of calculating the TLS1 PRF
> might actually not be in 2.5 yet, so they do not need a patch for that.

In 2.5, openssl_compat.h also doesn't try to define X509_OBJECT_free(), so there's nothing to backport there.

Re: [Openvpn-devel] [PATCH v2 1/2] Update openssl_compat.h for newer LibreSSL

2022-08-19 Thread Maximilian Fillinger
> -----Original Message-----
> From: Arne Schwabe [mailto:a...@rfc2549.org]
> Sent: Thursday 18 August 2022 22:16
> To: Maximilian Fillinger ; openvpn-
> de...@lists.sourceforge.net
> Subject: Re: [Openvpn-devel] [PATCH v2 1/2] Update openssl_compat.h for
> newer LibreSSL

Re: [Openvpn-devel] [PATCH applied] Re: Update openssl_compat.h for newer LibreSSL

2022-08-23 Thread Maximilian Fillinger
> I'm a bit unsure if we need this for 2.5 - it's "long term compat"
> and not very intrusive, but on the other hand, not too many people
> seem to care about LibreSSL.

OpenBSD has packaged 2.5.7 for snapshots, so they must already have a workaround.

Re: [Openvpn-devel] [PATCH 2/2] Handle EVP_MD_CTX as an opaque struct

2022-08-11 Thread Maximilian Fillinger
> -----Original Message-----
> From: Arne Schwabe [mailto:a...@rfc2549.org]
> Sent: Thursday 11 August 2022 14:21
> To: Maximilian Fillinger ; openvpn-
> de...@lists.sourceforge.net
> Subject: Re: [Openvpn-devel] [PATCH 2/2] Handle EVP_MD_CTX as an opaque
> struct
>

Re: [Openvpn-devel] [PATCH 2/2] Fix message for too long tls-crypt-v2 metadata

2022-12-12 Thread Maximilian Fillinger
Hi!

> -----Original Message-----
> From: Gert Doering [mailto:g...@greenie.muc.de]
> Sent: Monday 12 December 2022 13:03
> To: Maximilian Fillinger
> Cc: openvpn-devel@lists.sourceforge.net
> Subject: Re: [Openvpn-devel] [PATCH 2/2] Fix message for too long tls-cryp

Re: [Openvpn-devel] [PATCH 2/2] Fix message for too long tls-crypt-v2 metadata

2022-12-12 Thread Maximilian Fillinger
> So if you have a limit like 733, you need to actually decode the base64
> to check if it is short enough. The alternative would be to only allow
> 732 bytes, so we could check the base64 length again or use 735 bytes
> and use a maximum tls-crypt wrapped key size of 1026 bytes (which sounds
> a

Re: [Openvpn-devel] [PATCH 2/2] Implement using --peer-fingerprint without CA certificates

2023-06-30 Thread Maximilian Fillinger
The grammar in the 3rd sentence in the comment below is messed up. (I think I understand it, but I'm not sure.)

> +if (session->opt->verify_hash_no_ca)
> +{
> +/*
> + * If we decide to verify the peer certificate based on the
> fingerprint
> + * we ignore wrong

[Openvpn-devel] [PATCH] reliable: retransmit if 3 follow-up ACKs are received

2021-03-18 Thread Maximilian Fillinger via Openvpn-devel
Hi!

I'm currently preparing the OpenVPN-NL 2.5 release at Fox-IT. (We're a bit behind the times...) I thought that one of our patches, by Steffan Karger, could be useful in regular OpenVPN. He said that he hadn't submitted it yet, and thought it would be a good idea to ask.

The patch increases

Re: [Openvpn-devel] [Patch] Wipe Socks5 credentials after use

2021-03-19 Thread Maximilian Fillinger via Openvpn-devel
Sorry about that! I'll send it again from my personal account later.

-----Original Message-----
From: Gert Doering [mailto:g...@greenie.muc.de]
Sent: Friday 19 March 2021 18:30
To: Maximilian Fillinger
Cc: openvpn-devel@lists.sourceforge.net
Subject: Re: [Openvpn-devel] [Patch] Wipe Socks5

[Openvpn-devel] [Patch] Wipe Socks5 credentials after use

2021-03-19 Thread Maximilian Fillinger via Openvpn-devel
Socks5 plaintext authentication is not exactly high security, but we might as well memzero the credentials before leaving the function.
---
 src/openvpn/socks.c | 23 ++-
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c