| From: Bernhard S. <be...@bi...> - 2017-06-30 08:30:33 |
Samuli Seppänen <sa...@op...> wrote: Hi everyone, > Alberto Gonzales Iniesta ("agi") is, after 15 years of excellent work, > letting others take over maintenance of Debian's OpenVPN packages[1]: > ><https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865555> > > If you're interested in maintaining (or co-maintaining) OpenVPN packages > on Debian, please comment in the above bug report. Jörg Frings-Fürst and I have taken over maintainership of OpenVPN in Debian. Thanks to Alberto for the maintainership in the last decade. We will slowly wade through the open bugs. There are a couple of things in the pipeline already (updated debian specific systemd units, build against OpenSSL 1.1.0, ...), and we will try to keep up with new upstream releases when they happen. I'd like to remind here that Debian has a strict policy for updating packages in stable. We will not ever update the upstream release within stable, so Debian 9 (stretch) will stay on OpenVPN 2.4.0. Security bugs will be fixed through applying individual patches from the 2.4-branch on top of 2.4.0. We can fix major annoyances or usability issues in Debian stable point releases (approx. every 2-4 months), if they can be fixed by backporting commits from the git repo on top of 2.4.0. If you have something like this feel free to drop us a note (or even better, file a bug in the Debian BTS). We'll have a look at Samuli's source package within the next weeks and try to reduce the diff between Debian and his packages as much as possible. Best Regards, Bernhard |
| From: Gert D. <ge...@gr...> - 2017-06-29 18:47:25 |
Your patch has been applied to the master and release/2.4 branch. commit f9ebfe1b5a011e55fb87a5026b1897c8ffb8f75e (master) commit 67e3f0280937757ce716211829c82c3795d21ad1 (release/2.4) Author: David Sommerseth Date: Wed Jun 28 21:15:38 2017 +0200 doc: The CRL processing is not a deprecated feature Signed-off-by: David Sommerseth <da...@op...> Acked-by: Steffan Karger <ste...@fo...> Message-Id: <201...@op...> URL: https://www.mail-archive.com/ope...@li.../msg14985.html Signed-off-by: Gert Doering <ge...@gr...> -- kind regards, Gert Doering |
| From: Gert D. <ge...@gr...> - 2017-06-29 18:47:21 |
ACK. Counting in Arne's ACK as well, as v2 is basically the same actual code change, and the "const" change does not have any further effect ("options" is not const in the callers). Your patch has been applied to the master and release/2.4 branch. commit 3be9a1c1cd75627c30dca05bed28c84ad4dc1d37 (master) commit e050c762e2bd3695275ee675f197f062c63e2b6f (release/2.4) Author: Steffan Karger Date: Wed Jun 28 00:20:29 2017 +0200 Undo cipher push in client options state if cipher is rejected Signed-off-by: Steffan Karger <st...@ka...> Acked-by: Arne Schwabe <ar...@rf...> Acked-by: Gert Doering <ge...@gr...> Message-Id: <201...@ka...> URL: https://www.mail-archive.com/ope...@li.../msg14984.html Signed-off-by: Gert Doering <ge...@gr...> -- kind regards, Gert Doering |
| From: Gert D. <ge...@gr...> - 2017-06-29 18:47:15 |
Your patch has been applied to the master and release/2.4 branch. commit 7ee9a94fcbbde941bfed167229a64df0f7cdae0b (master) commit ebb5c70bf6acede8d941687ae0e40d827003fb2e (release/2.4) Author: Emmanuel Deloget Date: Thu Jun 29 16:21:19 2017 +0200 OpenSSL: remove EVP_CIPHER_CTX_free() from the compat layer Signed-off-by: Emmanuel Deloget <lo...@fr...> Acked-by: Steffan Karger <ste...@fo...> Message-Id: <201...@fr...> URL: https://www.mail-archive.com/search?l=mid&q=2...@fr... Signed-off-by: Gert Doering <ge...@gr...> -- kind regards, Gert Doering |
| From: Gert D. <ge...@gr...> - 2017-06-29 18:47:14 |
Your patch has been applied to the master and release/2.4 branch. commit a72d21a56a0223b8a50d05d88af64abcda0fc5dc (master) commit 0f9575852bc981e75884d1a75b2e7c1f9af091f4 (release/2.4) Author: Emmanuel Deloget Date: Thu Jun 29 16:21:18 2017 +0200 OpenSSL: remove EVP_CIPHER_CTX_new() from the compat layer Signed-off-by: Emmanuel Deloget <lo...@fr...> Acked-by: Steffan Karger <ste...@fo...> Message-Id: <201...@fr...> URL: https://www.mail-archive.com/ope...@li.../msg14989.html Signed-off-by: Gert Doering <ge...@gr...> -- kind regards, Gert Doering |
| From: Steffan K. <st...@ka...> - 2017-06-29 17:52:46 |
On 28-06-17 23:05, Arne Schwabe wrote: > --- > src/openvpn/options.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/src/openvpn/options.c b/src/openvpn/options.c > index 61af6e3a..d8049e76 100644 > --- a/src/openvpn/options.c > +++ b/src/openvpn/options.c > @@ -1697,7 +1697,7 @@ show_settings(const struct options *o) > > #ifdef ENABLE_CRYPTO > SHOW_STR(shared_secret_file); > - SHOW_INT(key_direction); > + SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false), "%s"); > SHOW_STR(ciphername); > SHOW_BOOL(ncp_enabled); > SHOW_STR(ncp_ciphers); > Makes sense, but keydirection2ascii() can return NULL, which technically is undefined behaviour as input for a %s format string specifier... I know it's slightly lame, but still think either keydirection2ascii should always return a valid string, or this needs to be wrapped in a np() call. -Steffan |
| From: Steffan K. <st...@ka...> - 2017-06-29 17:35:17 |
Hi, On 29-06-17 16:21, Emmanuel Deloget wrote: > For unknown reason, the writer of the compat layer seemed to think that > this function was only present in OpenSSL 1.1. This is not the case at > all, since it has been introduced in OpenSSL before version 0.9.8. > > Thus, there is no need to add this function to the compat layer, and it > can be safely removed. > > Signed-off-by: Emmanuel Deloget <lo...@fr...> > --- > configure.ac | 1 - > src/openvpn/openssl_compat.h | 15 --------------- > 2 files changed, 16 deletions(-) > > diff --git a/configure.ac b/configure.ac > index 22f91cb6..cb121795 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -919,7 +919,6 @@ if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; then > > AC_CHECK_FUNCS( > [ \ > - EVP_CIPHER_CTX_new \ > EVP_CIPHER_CTX_free \ > HMAC_CTX_new \ > HMAC_CTX_free \ > diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h > index 617410e0..cd25bd37 100644 > --- a/src/openvpn/openssl_compat.h > +++ b/src/openvpn/openssl_compat.h > @@ -101,21 +101,6 @@ EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *c) > } > #endif > > -#if !defined(HAVE_EVP_CIPHER_CTX_NEW) > -/** > - * Allocate a new cipher context object > - * > - * @return A zero'ed cipher context object > - */ > -static inline EVP_CIPHER_CTX * > -EVP_CIPHER_CTX_new(void) > -{ > - EVP_CIPHER_CTX *ctx = NULL; > - ALLOC_OBJ_CLEAR(ctx, EVP_CIPHER_CTX); > - return ctx; > -} > -#endif > - > #if !defined(HAVE_HMAC_CTX_RESET) > /** > * Reset a HMAC context > For some reason, the reviewer seemed to think this author was right about that. He should clearly have looked a bit better... ACK -Steffan |
| From: Steffan K. <st...@ka...> - 2017-06-29 17:35:00 |
Hi, On 29-06-17 16:21, Emmanuel Deloget wrote: > For unknown reason, the writer of the compat layer seemed to think that > this function was only present in OpenSSL 1.1. This is not the case at > all, since it has been introduced in OpenSSL before version 0.9.8. > > Thus, there is no need to add this function to the compat layer, and it > can be safely removed. > > Signed-off-by: Emmanuel Deloget <lo...@fr...> > --- > configure.ac | 1 - > src/openvpn/openssl_compat.h | 13 ------------- > 2 files changed, 14 deletions(-) > > diff --git a/configure.ac b/configure.ac > index cb121795..60bb4658 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -919,7 +919,6 @@ if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; then > > AC_CHECK_FUNCS( > [ \ > - EVP_CIPHER_CTX_free \ > HMAC_CTX_new \ > HMAC_CTX_free \ > HMAC_CTX_reset \ > diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h > index cd25bd37..36f68b01 100644 > --- a/src/openvpn/openssl_compat.h > +++ b/src/openvpn/openssl_compat.h > @@ -88,19 +88,6 @@ EVP_MD_CTX_new(void) > } > #endif > > -#if !defined(HAVE_EVP_CIPHER_CTX_FREE) > -/** > - * Free an existing cipher context > - * > - * @param ctx The cipher context > - */ > -static inline void > -EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *c) > -{ > - free(c); > -} > -#endif > - > #if !defined(HAVE_HMAC_CTX_RESET) > /** > * Reset a HMAC context > For some reason, the reviewer seemed to think this author was right about that. He should clearly have looked a bit better... ACK -Steffan |
| From: Emmanuel D. <lo...@fr...> - 2017-06-29 14:29:59 |
Hi, For the two patches in this series, I failed to correctly write "writer", which I spelled "write", sorry for that. And sorry to said writer for the gratuitous attack (but then, I'm me, and I'm pretty sure I'll be able to handle that). And I forgot to mention that the EVP_CIPHER_CTX_free() function is broken (good thing it has never been used) since it leaks memory. For the record, I found this (kinda stupid?) mistake while I was writing yet another shim to openssl 1.1. I started a discussion on the openssh mailing list and it seems that supporting a shim in openssh is the least preferred idea for a few people, right after "not supporting openssl 1.1 at all". The idea would then be to have an independent shim that would cover the needs for various openssl-based projects. I'm doing my tests on openvpn since it's the easy way (for me). So: sorry for the annoying noise :) Best regards, -- Emmanuel Deloget |
| From: Emmanuel D. <lo...@fr...> - 2017-06-29 14:21:39 |
For unknown reason, the writer of the compat layer seemed to think that this function was only present in OpenSSL 1.1. This is not the case at all, since it has been introduced in OpenSSL before version 0.9.8. Thus, there is no need to add this function to the compat layer, and it can be safely removed. Signed-off-by: Emmanuel Deloget <lo...@fr...> --- configure.ac | 1 - src/openvpn/openssl_compat.h | 15 --------------- 2 files changed, 16 deletions(-) diff --git a/configure.ac b/configure.ac index 22f91cb6..cb121795 100644 --- a/configure.ac +++ b/configure.ac @@ -919,7 +919,6 @@ if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; then AC_CHECK_FUNCS( [ \ - EVP_CIPHER_CTX_new \ EVP_CIPHER_CTX_free \ HMAC_CTX_new \ HMAC_CTX_free \ diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index 617410e0..cd25bd37 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h @@ -101,21 +101,6 @@ EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *c) } #endif -#if !defined(HAVE_EVP_CIPHER_CTX_NEW) -/** - * Allocate a new cipher context object - * - * @return A zero'ed cipher context object - */ -static inline EVP_CIPHER_CTX * -EVP_CIPHER_CTX_new(void) -{ - EVP_CIPHER_CTX *ctx = NULL; - ALLOC_OBJ_CLEAR(ctx, EVP_CIPHER_CTX); - return ctx; -} -#endif - #if !defined(HAVE_HMAC_CTX_RESET) /** * Reset a HMAC context -- 2.11.0 |
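Review bot: for the openssl_compat.h hunk, removing the `#if !defined(HAVE_EVP_CIPHER_CTX_NEW)` block together with the matching AC_CHECK_FUNCS entry in configure.ac is only complete if no other file tests HAVE_EVP_CIPHER_CTX_NEW; a grep of the tree for that macro before merging would confirm nothing is left referring to it. The commit message's "before version 0.9.8" would be more useful as the actual OpenSSL version that introduced EVP_CIPHER_CTX_new(), since that is the claim the removal rests on.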
| From: Emmanuel D. <lo...@fr...> - 2017-06-29 14:21:38 |
For unknown reason, the writer of the compat layer seemed to think that this function was only present in OpenSSL 1.1. This is not the case at all, since it has been introduced in OpenSSL before version 0.9.8. Thus, there is no need to add this function to the compat layer, and it can be safely removed. Signed-off-by: Emmanuel Deloget <lo...@fr...> --- configure.ac | 1 - src/openvpn/openssl_compat.h | 13 ------------- 2 files changed, 14 deletions(-) diff --git a/configure.ac b/configure.ac index cb121795..60bb4658 100644 --- a/configure.ac +++ b/configure.ac @@ -919,7 +919,6 @@ if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; then AC_CHECK_FUNCS( [ \ - EVP_CIPHER_CTX_free \ HMAC_CTX_new \ HMAC_CTX_free \ HMAC_CTX_reset \ diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index cd25bd37..36f68b01 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h @@ -88,19 +88,6 @@ EVP_MD_CTX_new(void) } #endif -#if !defined(HAVE_EVP_CIPHER_CTX_FREE) -/** - * Free an existing cipher context - * - * @param ctx The cipher context - */ -static inline void -EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *c) -{ - free(c); -} -#endif - #if !defined(HAVE_HMAC_CTX_RESET) /** * Reset a HMAC context -- 2.11.0 |
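Review bot: the shim removed in the openssl_compat.h hunk released the context with a bare `free(c)` and nothing else, which is consistent with the author's later remark in this thread that this EVP_CIPHER_CTX_free() leaked memory; with the real function available in every supported OpenSSL, deleting it rather than fixing it is the right outcome. Minor style point visible in the removed block: the doc comment says `@param ctx` while the parameter is named `c`; the remaining shims in the same header are worth checking for the same mismatch.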
| From: Steffan K. <ste...@fo...> - 2017-06-29 08:26:06 |
On 28-06-17 21:15, David Sommerseth wrote: > The note related to the CRL processing was somehow put into > the deprecated section. This is quite confusing. > > Since this is a fairly important change, and there have been > a noticeable amount of support questions related to OpenVPN > not starting due to CRL errors, I put this into the > "New features" section labelled as an improvement. Otherwise > I fear this would drown in the list of "User-visible Changes" > later on. > > Signed-off-by: David Sommerseth <da...@op...> > --- > Changes.rst | 13 +++++++------ > 1 file changed, 7 insertions(+), 6 deletions(-) > > diff --git a/Changes.rst b/Changes.rst > index 9db0a451..0b2b04dd 100644 > --- a/Changes.rst > +++ b/Changes.rst > @@ -44,6 +44,13 @@ ECDH key exchange > The TLS control channel now supports for elliptic curve diffie-hellmann > key exchange (ECDH). > > +Improved Certificate Revocation List (CRL) processing > + CRLs are now handled by the crypto library (OpenSSL or mbed TLS), instead > + of inside OpenVPN itself. The crypto library implementations are more > + strict than the OpenVPN implementation was. This might reject peer > + certificates that would previously be accepted. If this occurs, OpenVPN > + will log the crypto library's error description. > + > Dualstack round-robin DNS client connect > Instead of only using the first address of each ``--remote`` OpenVPN > will now try all addresses (IPv6 and IPv4) of a ``--remote`` entry.
> @@ -160,12 +167,6 @@ Deprecated features > will then use ``--key-method 2`` by default. Note that this requires changing > the option in both the client and server side configs. > > -- CRLs are now handled by the crypto library (OpenSSL or mbed TLS), instead of > - inside OpenVPN itself. The crypto library implementations are more strict > - than the OpenVPN implementation was. This might reject peer certificates > - that would previously be accepted. If this occurs, OpenVPN will log the > - crypto library's error description. > - > - ``--tls-remote`` is removed in 2.4, as indicated in the 2.3 man-pages. Similar > functionality is provided via ``--verify-x509-name``, which does the same job in > a better way. > ACK -Steffan |
| From: Arne S. <ar...@rf...> - 2017-06-28 21:05:29 |
--- src/openvpn/options.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 61af6e3a..d8049e76 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1697,7 +1697,7 @@ show_settings(const struct options *o) #ifdef ENABLE_CRYPTO SHOW_STR(shared_secret_file); - SHOW_INT(key_direction); + SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false), "%s"); SHOW_STR(ciphername); SHOW_BOOL(ncp_enabled); SHOW_STR(ncp_ciphers); -- 2.11.0 (Apple Git-81) |
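Review bot: `SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false), "%s");` hands the function's return value straight to a `%s` conversion, and Steffan's review of this hunk points out that keydirection2ascii() can return NULL, which is undefined behaviour for `%s`. Either make keydirection2ascii() return a fixed fallback string for the unknown case or wrap the call so a NULL is printed as a placeholder (Steffan suggests np()). The submission also carries no commit message explaining why the integer is replaced by its textual form.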
| From: David S. <da...@op...> - 2017-06-28 19:15:54 |
The note related to the CRL processing was somehow put into the deprecated section. This is quite confusing. Since this is a fairly important change, and there have been a noticeable amount of support questions related to OpenVPN not starting due to CRL errors, I put this into the "New features" section labelled as an improvement. Otherwise I fear this would drown in the list of "User-visible Changes" later on. Signed-off-by: David Sommerseth <da...@op...> --- Changes.rst | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/Changes.rst b/Changes.rst index 9db0a451..0b2b04dd 100644 --- a/Changes.rst +++ b/Changes.rst @@ -44,6 +44,13 @@ ECDH key exchange The TLS control channel now supports for elliptic curve diffie-hellmann key exchange (ECDH). +Improved Certificate Revocation List (CRL) processing + CRLs are now handled by the crypto library (OpenSSL or mbed TLS), instead + of inside OpenVPN itself. The crypto library implementations are more + strict than the OpenVPN implementation was. This might reject peer + certificates that would previously be accepted. If this occurs, OpenVPN + will log the crypto library's error description. + Dualstack round-robin DNS client connect Instead of only using the first address of each ``--remote`` OpenVPN will now try all addresses (IPv6 and IPv4) of a ``--remote`` entry.
@@ -160,12 +167,6 @@ Deprecated features will then use ``--key-method 2`` by default. Note that this requires changing the option in both the client and server side configs. -- CRLs are now handled by the crypto library (OpenSSL or mbed TLS), instead of - inside OpenVPN itself. The crypto library implementations are more strict - than the OpenVPN implementation was. This might reject peer certificates - that would previously be accepted. If this occurs, OpenVPN will log the - crypto library's error description. - - ``--tls-remote`` is removed in 2.4, as indicated in the 2.3 man-pages. Similar functionality is provided via ``--verify-x509-name``, which does the same job in a better way. -- 2.11.0 |
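Review bot: the text added under "New features" is word-for-word the text removed from "Deprecated features", so this is a pure relocation and the two hunks should be read as a pair; nothing in the moved paragraph needed updating. While touching this region, the unchanged context line "The TLS control channel now supports for elliptic curve diffie-hellmann" has a stray "for" and misspells "Diffie-Hellman"; a follow-up patch could fix both.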
| From: Steffan K. <st...@ka...> - 2017-06-27 22:20:50 |
Because of the way we re-use the options parser for both config files and pushed options, we always update the local options state when we accept an option. This resulted in a pushed cipher being rejected the first time it was pushed, but being accepted the second time. This patch is a minimal way to resolve this issue in the master and release/2.4 branches. I'll send a more invasive patch for master, to reset the entire options state on reconnects, later. Trac: #906 Signed-off-by: Steffan Karger <st...@ka...> --- v2 - send the _entire_ patch, not just 1 hunk... src/openvpn/ssl.c | 4 +++- src/openvpn/ssl.h | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index bbc1c965..f868457e 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1958,7 +1958,7 @@ cleanup: bool tls_session_update_crypto_params(struct tls_session *session, - const struct options *options, struct frame *frame) + struct options *options, struct frame *frame) { if (!session->opt->server && 0 != strcmp(options->ciphername, session->opt->config_ciphername) @@ -1967,6 +1967,8 @@ tls_session_update_crypto_params(struct tls_session *session, msg(D_TLS_ERRORS, "Error: pushed cipher not allowed - %s not in %s or %s", options->ciphername, session->opt->config_ciphername, options->ncp_ciphers); + /* undo cipher push, abort connection setup */ + options->ciphername = session->opt->config_ciphername; return false; } diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 56ea6013..0e0f68fa 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -481,7 +481,7 @@ void tls_update_remote_addr(struct tls_multi *multi, * @return true if updating succeeded, false otherwise. */ bool tls_session_update_crypto_params(struct tls_session *session, - const struct options *options, struct frame *frame); + struct options *options, struct frame *frame); /** * "Poor man's NCP": Use peer cipher if it is an allowed (NCP) cipher. -- 2.11.0 |
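Review bot: dropping `const` from the `options` parameter in both ssl.c and ssl.h is what lets `options->ciphername = session->opt->config_ciphername;` compile, but the ssl.h doc comment still describes the function only via "@return true if updating succeeded, false otherwise"; it should now state that when a pushed cipher is rejected the function writes options->ciphername back to the configured cipher. The assignment also makes options->ciphername point at a string owned by session->opt, so the expectation that session->opt outlives options deserves a comment next to the new line.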
| From: Gert D. <ge...@gr...> - 2017-06-27 19:08:18 |
Hi, On Wed, Jun 21, 2017 at 10:50:00PM +0200, Steffan Karger wrote: > The following have to be cherry-picked (just tested, works without fuzz): > > 56e6bd8967d72c4374389dfd5cf32f5e3b86242c > 81ba70b39b78d7677aabab957421264800028f53 > aeac1139a34321a7f770ca20bfef886a21a89fe9 I have done this, and squashed them into a single commit for simplicity (but keeping the original URL and Message-IDs). commit 5852a035b444a41140a7fc7007b7df718a2e6c43 (HEAD -> release/2.4) Author: Ilya Shipitsin <chi...@gm...> Date: Sat Feb 25 23:00:04 2017 +0500 travis-ci: add 3 missing patches from master to release/2.4 "Testing infrastructure only, no code changes" gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany ge...@gr... fax: +49-89-35655025 ge...@ne... |
| From: Gert D. <ge...@gr...> - 2017-06-27 19:02:34 |
Your patch has been applied to the master and release/2.4 branch. (After some deliberation wrt release/2.4 - normally, a refactoring patch would not go to 2.4, but this improves our testing infrastructure and is not *rewriting* any code, just *moving* it - so I decided it makes much sense to have it in 2.4, and the stability risk is minimal) commit 9fc0e963c757ffec3cc9fbf797fb7609f409c370 (master) commit 8b55a445385ce55244cb659b8cdd0dc3156550af (release/2.4) Author: Steffan Karger Date: Wed Jun 21 23:10:43 2017 +0200 Move adjust_power_of_2() to integer.h Signed-off-by: Steffan Karger <ste...@fo...> Acked-by: Antonio Quartulli <an...@op...> Message-Id: <201...@ka...> URL: https://www.mail-archive.com/ope...@li.../msg14940.html Signed-off-by: Gert Doering <ge...@gr...> -- kind regards, Gert Doering |
| From: Gert D. <ge...@gr...> - 2017-06-27 18:11:30 |
Your patch has been applied to the master branch. commit 5e6e4b7d21150ea2f0738948d5a9bd0c7d910e1a Author: Steffan Karger Date: Mon Jun 19 13:51:05 2017 +0200 init_key_ctx: key and iv arguments can (now) be const Signed-off-by: Steffan Karger <ste...@fo...> Acked-by: Antonio Quartulli <an...@op...> Message-Id: <149...@fo...> URL: https://www.mail-archive.com/ope...@li.../msg14881.html Signed-off-by: Gert Doering <ge...@gr...> -- kind regards, Gert Doering |
| From: Gert D. <ge...@gr...> - 2017-06-27 17:58:57 |
Your patch has been applied to the master and release/2.4 branch. commit 26345ba61b8d5bccb1331894ab6d1468e3b09adf (master) commit 95c07b13ce112ceb8b15175fcae0d95c70e93eee (release/2.4) Author: Arne Schwabe Date: Mon Jun 26 13:13:26 2017 +0200 Set tls-cipher restriction before loading certificates Acked-by: Christian Hesse <li...@ew...> Acked-by: Steffan Karger <ste...@fo...> Message-Id: <149...@rf...> URL: https://www.mail-archive.com/ope...@li.../msg14961.html Signed-off-by: Gert Doering <ge...@gr...> -- kind regards, Gert Doering |
| From: Gert D. <ge...@gr...> - 2017-06-27 17:29:59 |
Hi, On Mon, Jun 26, 2017 at 11:15:40PM +0200, Steffan Karger wrote: > Because of the way we re-use the options parser for both config files and > pushed options, we always update the local options state when we accept an > option. This resulted in a pushed cipher being rejected the first time it > was pushed, but being accepted the second time. > > This patch is a minimal way to resolve this issue in the master and > release/2.4 branches. I'll send a more invasive patch for master, to > reset the entire options state on reconnects, later. Uh. While I find the patch totally logical, and have already finished the ACK-and-merged mail, my compiler disagrees with me... gcc -DHAVE_CONFIG_H -I. -I../../../openvpn/src/openvpn -I../.. -I../../include -I../../../openvpn/include -I../../../openvpn/src/compat -DPLUGIN_LIBDIR=\"/usr/local/lib/openvpn/plugins\" -g -O2 -std=c99 -MT ssl.o -MD -MP -MF .deps/ssl.Tpo -c -o ssl.o ../../../openvpn/src/openvpn/ssl.c ../../../openvpn/src/openvpn/ssl.c: In function 'tls_session_update_crypto_params': ../../../openvpn/src/openvpn/ssl.c:1971:29: error: assignment of member 'ciphername' in read-only object options->ciphername = session->opt->config_ciphername; ^ ... wut? (this is 2.4, but I assume master will look similar enough) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany ge...@gr... fax: +49-89-35655025 ge...@ne... |
| From: Selva N. <sel...@gm...> - 2017-06-27 15:04:35 |
On Mon, Jun 12, 2017 at 2:28 PM, Selva Nair <sel...@gm...> wrote: > On Mon, Jun 12, 2017 at 2:14 PM, Gert Doering <ge...@gr...> wrote: > >> Hi, >> >> wading through my heap of mails that did not get proper attention... >> >> On Fri, May 05, 2017 at 02:24:02PM -0400, sel...@gm... wrote: >> > From: Selva Nair <sel...@gm...> >> > >> > If static challenge is in use, the password passed to the plugin by >> openvpn >> > is of the form "SCRV1:base64-pass:base64-response". Parse this string >> to >> > separate it into password and response and use them to respond to >> queries >> > in the pam conversation function. >> > >> > On the plugin parameters line the substitution keyword for the static >> > challenge response is "OTP". For example, for pam config named "test" >> that >> > prompts for "user", "password" and "pin", use >> > >> > plugin openvpn-auth-pam.so "test user USERNAME password PASSWORD pin >> OTP" >> >> What is the status of this one? Does it need updating after 1/2 got >> changed to v2 and v3 are these independent enough that 2/2 is standalone? >> >> From a cursory glance, it calls secure_memzero() which is now, I think, >> plugin_secure_memzero() - right? >> >> >> I also seem to remember discussions between you and David regarding >> base64 function exporting - what's the state on this? >> > > > I have a version 2 that uses exported base64 but waiting on the following > patch to get an NAK or ACK to finalize it. > > https://www.mail-archive.com/ope...@li... > rge.net/msg14655.html > > That would also help David's base64 export patch revised, reviewed and > merged. For background, see the thread > > https://www.mail-archive.com/ope...@li... > .net/msg14577.html > bump :) |
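The "SCRV1:base64-pass:base64-response" string described in the quoted patch summary above, parsed here as an added example in C (not OpenVPN's or the auth-pam plugin's own code): both fields are decoded with a strict base64 decoder, malformed input is rejected outright instead of partially accepted, and the decoded secrets are wiped before release. The scrv1_* names and the wipe_free helper are this example's own assumptions, standing in for whatever the plugin uses.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define SCRV1_PREFIX "SCRV1:"

/* Decoded static-challenge credentials; both strings are heap-allocated.
 * Added example; not OpenVPN code. */
struct scrv1 {
    char *password, *response;
};

/* Strict base64 decoder: rejects bad length, bad characters and misplaced
 * padding. Returns the decoded length or -1. out needs len/4*3 + 1 bytes. */
static int b64_decode(const char *in, size_t len, unsigned char *out)
{
    static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t o = 0;
    if (len % 4 != 0) return -1;
    for (size_t i = 0; i < len; i += 4) {
        unsigned int acc = 0;
        int pad = 0;
        for (int j = 0; j < 4; j++) {
            char c = in[i + j];
            acc <<= 6;
            if (c == '=') {
                /* '=' is only valid in the last two slots of the final group */
                if (i + 4 != len || j < 2) return -1;
                pad++;
            } else {
                const char *p = (c != '\0') ? strchr(tbl, c) : NULL;
                if (pad || !p) return -1; /* bad character, or data after '=' */
                acc |= (unsigned int)(p - tbl);
            }
        }
        out[o++] = (acc >> 16) & 0xff;
        if (pad < 2) out[o++] = (acc >> 8) & 0xff;
        if (pad < 1) out[o++] = acc & 0xff;
    }
    out[o] = '\0';
    return (int)o;
}

/* Decode one field into a fresh NUL-terminated string; embedded NUL bytes are
 * rejected because the PAM conversation hands the value over as a C string. */
static char *decode_field(const char *s, size_t len)
{
    unsigned char *buf = malloc(len / 4 * 3 + 1);
    if (!buf) return NULL;
    int n = b64_decode(s, len, buf);
    if (n < 0 || memchr(buf, '\0', (size_t)n) != NULL) { free(buf); return NULL; }
    return (char *)buf;
}

/* Overwrite a secret before freeing it (stand-in for the secure_memzero /
 * plugin_secure_memzero helper the thread mentions; not the plugin's code). */
static void wipe_free(char *s)
{
    if (!s) return;
    for (volatile char *v = s; *v; v++) *v = 0;
    free(s);
}

void scrv1_free(struct scrv1 *c)
{
    wipe_free(c->password);
    wipe_free(c->response);
    c->password = c->response = NULL;
}

/* Parse "SCRV1:<base64 password>:<base64 response>". Returns true and fills
 * *out on success. No prefix, a wrong field count or bad base64 yields false
 * (a caller would then treat the string as a plain password instead). */
bool scrv1_parse(const char *s, struct scrv1 *out)
{
    out->password = out->response = NULL;
    if (strncmp(s, SCRV1_PREFIX, strlen(SCRV1_PREFIX)) != 0) return false;
    const char *pw = s + strlen(SCRV1_PREFIX);
    const char *sep = strchr(pw, ':');
    if (!sep || strchr(sep + 1, ':')) return false; /* exactly two fields expected */
    out->password = decode_field(pw, (size_t)(sep - pw));
    out->response = decode_field(sep + 1, strlen(sep + 1));
    if (!out->password || !out->response) { scrv1_free(out); return false; }
    return true;
}
```

The decoded password answers the PASSWORD prompt and the response answers the OTP prompt of the plugin parameter line quoted above; USERNAME travels separately and is not inside the SCRV1 string.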
| From: Gert D. <ge...@gr...> - 2017-06-27 14:48:00 |
Your patch has been applied to the master, release/2.4 and release/2.3 branch. commit 778aca3d251b6a563ffbabef95816fab863825e1 (master) commit d3c0b2b6b743ef8db37f8c63dc77ffe6b421a2df (release/2.4) commit ca870b1396a173bbb9752bbe2e69f25fa2c094af (release/2.3) Author: Antonio Quartulli Date: Tue Jun 27 20:00:47 2017 +0800 crypto: correct typ0 in error message Signed-off-by: Antonio Quartulli <a...@un...> Acked-by: Steffan Karger <ste...@fo...> Message-Id: <201...@un...> URL: https://www.mail-archive.com/ope...@li.../msg14975.html Signed-off-by: Gert Doering <ge...@gr...> -- kind regards, Gert Doering |
| From: Steffan K. <st...@ka...> - 2017-06-27 12:22:00 |
On 27-06-17 14:00, Antonio Quartulli wrote: > Signed-off-by: Antonio Quartulli <a...@un...> > --- > src/openvpn/crypto.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c > index 191fee8e..9f2828a4 100644 > --- a/src/openvpn/crypto.c > +++ b/src/openvpn/crypto.c > @@ -1261,7 +1261,7 @@ read_key_file(struct key2 *key2, const char *file, const unsigned int flags) > fd = platform_open(file, O_RDONLY, 0); > if (fd == -1) > { > - msg(M_ERR, "Cannot open file key file '%s'", file); > + msg(M_ERR, "Cannot open key file '%s'", file); > } > size = read(fd, in.data, in.capacity); > if (size < 0) > ACK (Wow, a 12 year old typo!) -Steffan |
| From: Antonio Q. <a...@un...> - 2017-06-27 12:01:08 |
Signed-off-by: Antonio Quartulli <a...@un...> --- src/openvpn/crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 191fee8e..9f2828a4 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -1261,7 +1261,7 @@ read_key_file(struct key2 *key2, const char *file, const unsigned int flags) fd = platform_open(file, O_RDONLY, 0); if (fd == -1) { - msg(M_ERR, "Cannot open file key file '%s'", file); + msg(M_ERR, "Cannot open key file '%s'", file); } size = read(fd, in.data, in.capacity); if (size < 0) -- 2.13.2 |
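Review bot: the string change is correct. Outside the change but visible in the hunk's context: `size = read(fd, in.data, in.capacity);` follows the `fd == -1` branch without a return, so the code depends on `msg(M_ERR, ...)` never returning; a short comment there would spare the next reader the lookup.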
| From: Guido V. <gui...@gm...> - 2017-06-27 11:11:07 |
Here is the set of fuzzers used to find the recent vulnerabilities in OpenVPN: https://github.com/guidovranken/openvpn/tree/fuzzing Not all code is covered by this set; more fuzzers need to be written in order to verify the overall security of OpenVPN. Hence, it is conceivable that more vulnerabilities exist. Guido |