From: klemens (C. Review) <ge...@op...> - 2025-12-07 13:31:52
Attention is currently required from: cron2, plaisthos. klemens has posted comments on this change by klemens. ( http://gerrit.openvpn.net/c/openvpn/+/1418?usp=email ) Change subject: Prevent crash on invalid server-ipv6 argument ...................................................................... Patch Set 2: (1 comment) Patchset: PS1: > (I might add some wording about this to the commit message) Done, thanks. -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1418?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: comment Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I99a6604fdfc682f9609bfe7672aa78285084dcb9 Gerrit-Change-Number: 1418 Gerrit-PatchSet: 2 Gerrit-Owner: klemens <kn...@op...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: cron2 <ge...@gr...> Gerrit-Comment-Date: Sun, 07 Dec 2025 13:31:35 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No Comment-In-Reply-To: cron2 <ge...@gr...> |
From: cron2 (C. Review) <ge...@op...> - 2025-12-06 22:39:02
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1419?usp=email ) Change subject: mbedtls: gracefully exit if certificate file is NULL ...................................................................... mbedtls: gracefully exit if certificate file is NULL Instead of crashing because we feed a NULL pointer to strlen(), gracefully exit with an error message. While at it, improve the error message a bit. Change-Id: I0d592d9d0c7ead296869f933c206c5d55e6cbed1 Reported-By: Joshua Rogers <co...@jo...> Found-by: ZeroPath (https://zeropath.com/) Signed-off-by: Steffan Karger <st...@ka...> Acked-by: Gert Doering <ge...@gr...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1419 Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg34864.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/ssl_mbedtls.c 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index 83fca78..3440319 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -466,10 +466,14 @@ if (cert_inline) { + if (!cert_file) + { + msg(M_FATAL, "Cannot load inline certificate: NULL"); + } if (!mbed_ok(mbedtls_x509_crt_parse(ctx->crt_chain, (const unsigned char *)cert_file, strlen(cert_file) + 1))) { - msg(M_FATAL, "Cannot load inline certificate file"); + msg(M_FATAL, "Cannot load inline certificate"); } } else -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1419?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: merged Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I0d592d9d0c7ead296869f933c206c5d55e6cbed1 Gerrit-Change-Number: 1419 Gerrit-PatchSet: 2 Gerrit-Owner: syzzer <st...@ka...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> |
From: cron2 (C. Review) <ge...@op...> - 2025-12-06 22:38:55
cron2 has uploaded a new patch set (#2) to the change originally created by syzzer. ( http://gerrit.openvpn.net/c/openvpn/+/1419?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by cron2 Change subject: mbedtls: gracefully exit if certificate file is NULL ...................................................................... mbedtls: gracefully exit if certificate file is NULL Instead of crashing because we feed a NULL pointer to strlen(), gracefully exit with an error message. While at it, improve the error message a bit. Change-Id: I0d592d9d0c7ead296869f933c206c5d55e6cbed1 Reported-By: Joshua Rogers <co...@jo...> Found-by: ZeroPath (https://zeropath.com/) Signed-off-by: Steffan Karger <st...@ka...> Acked-by: Gert Doering <ge...@gr...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1419 Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg34864.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/ssl_mbedtls.c 1 file changed, 5 insertions(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/19/1419/2 diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index 83fca78..3440319 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c 
@@ -466,10 +466,14 @@ if (cert_inline) { + if (!cert_file) + { + msg(M_FATAL, "Cannot load inline certificate: NULL"); + } if (!mbed_ok(mbedtls_x509_crt_parse(ctx->crt_chain, (const unsigned char *)cert_file, strlen(cert_file) + 1))) { - msg(M_FATAL, "Cannot load inline certificate file"); + msg(M_FATAL, "Cannot load inline certificate"); } } else -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1419?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: newpatchset Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I0d592d9d0c7ead296869f933c206c5d55e6cbed1 Gerrit-Change-Number: 1419 Gerrit-PatchSet: 2 Gerrit-Owner: syzzer <st...@ka...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> |
From: Gert D. <ge...@gr...> - 2025-12-06 22:38:20
I have not tested if I can reproduce the situation (like with an empty
inline <cert></cert> cert, or somehow via management interface) or if
this is caught further upstream - but this check looks quite reasonable,
and the BBs are fine with it.
Your patch has been applied to the master branch.
commit d7c7caa370ad1fff1cd222e2499a77ea792c8a0e
Author: Steffan Karger
Date: Sat Dec 6 21:58:16 2025 +0100
mbedtls: gracefully exit if certificate file is NULL
Signed-off-by: Steffan Karger <st...@ka...>
Acked-by: Gert Doering <ge...@gr...>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1419
Message-Id: <202...@gr...>
URL: https://www.mail-archive.com/ope...@li.../msg34864.html
Signed-off-by: Gert Doering <ge...@gr...>
--
kind regards,
Gert Doering
From: Gert D. <ge...@gr...> - 2025-12-06 20:58:40
From: Steffan Karger <st...@ka...> Instead of crashing because we feed a NULL pointer to strlen(), gracefully exit with an error message. While at it, improve the error message a bit. Change-Id: I0d592d9d0c7ead296869f933c206c5d55e6cbed1 Reported-By: Joshua Rogers <co...@jo...> Found-by: ZeroPath (https://zeropath.com/) Signed-off-by: Steffan Karger <st...@ka...> Acked-by: Gert Doering <ge...@gr...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1419 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1419 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering <ge...@gr...> diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index 83fca78..3440319 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -466,10 +466,14 @@ if (cert_inline) { + if (!cert_file) + { + msg(M_FATAL, "Cannot load inline certificate: NULL"); + } if (!mbed_ok(mbedtls_x509_crt_parse(ctx->crt_chain, (const unsigned char *)cert_file, strlen(cert_file) + 1))) { - msg(M_FATAL, "Cannot load inline certificate file"); + msg(M_FATAL, "Cannot load inline certificate"); } } else |
From: cron2 (C. Review) <ge...@op...> - 2025-12-06 20:58:19
Attention is currently required from: plaisthos, syzzer. cron2 has posted comments on this change by syzzer. ( http://gerrit.openvpn.net/c/openvpn/+/1419?usp=email ) Change subject: mbedtls: gracefully exit if certificate file is NULL ...................................................................... Patch Set 1: Code-Review+2 (1 comment) Patchset: PS1: need to test a bit how to trigger this :-) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1419?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: comment Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I0d592d9d0c7ead296869f933c206c5d55e6cbed1 Gerrit-Change-Number: 1419 Gerrit-PatchSet: 1 Gerrit-Owner: syzzer <st...@ka...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: syzzer <st...@ka...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Comment-Date: Sat, 06 Dec 2025 20:58:10 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes |
From: cron2 (C. Review) <ge...@op...> - 2025-12-06 20:57:31
Attention is currently required from: klemens, plaisthos. cron2 has posted comments on this change by klemens. ( http://gerrit.openvpn.net/c/openvpn/+/1418?usp=email ) Change subject: Prevent crash on invalid server-ipv6 argument ...................................................................... Patch Set 1: (1 comment) Patchset: PS1: On FreeBSD and Linux, freeaddrinfo(NULL) seems to be safe, but the comment inside FreeBSD's lib sources hints at "this is not clearly defined in the standard" and it seems OpenBSD prefers to make that point very clear. We do actually check getaddrinfo() return everywhere else and only do `freeaddrinfo(ai)` in the success branch, or after testing for `not NULL`, so this is a very reasonable change. (I might add some wording about this to the commit message) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1418?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: comment Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I99a6604fdfc682f9609bfe7672aa78285084dcb9 Gerrit-Change-Number: 1418 Gerrit-PatchSet: 1 Gerrit-Owner: klemens <kn...@op...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: klemens <kn...@op...> Gerrit-Comment-Date: Sat, 06 Dec 2025 20:57:16 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No |
From: Gert D. <ge...@gr...> - 2025-12-06 20:55:13
From: Klemens Nanni <kn...@op...> `get_addr_generic()` expects `openvpn_getaddrinfo()` to return a newly allocated struct, but getaddrinfo(3) failure leaves `*ai = NULL` as-is. Unlike free(3), freeaddrinfo(3) requires a valid struct, thus the following is enough to trigger a NULL pointer dereference in libc: ``` $ openvpn --server-ipv6 '' 2025-12-06 11:59:18 RESOLVE: Cannot resolve host address: :[AF_INET6] (no address associated with name) Segmentation fault (core dumped) ``` Guard against empty `ai`, i.e. failure, like similar code already does: ``` $ ./openvpn --server-ipv6 '' 2025-12-06 12:05:11 RESOLVE: Cannot resolve host address: :[AF_INET6] (no address associated with name) Options error: error parsing --server-ipv6 parameter Use --help for more information. ``` Spotted through a configuration typo "server-ipv6 fd00:/64" with 2.6.17, reproduced with and tested against 2.7rc3 on OpenBSD/amd64 7.8-current. Change-Id: I99a6604fdfc682f9609bfe7672aa78285084dcb9 Signed-off-by: Klemens Nanni <kn...@op...> Acked-by: Gert Doering <ge...@gr...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1418 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1418 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering <ge...@gr...> diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index 46bedf4..80c2895 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -189,7 +189,10 @@ *sep = '/'; } out: - freeaddrinfo(ai); + if (ai) + { + freeaddrinfo(ai); + } free(var_host); return ret; |
From: cron2 (C. Review) <ge...@op...> - 2025-12-06 20:54:40
Attention is currently required from: klemens, plaisthos. cron2 has posted comments on this change by klemens. ( http://gerrit.openvpn.net/c/openvpn/+/1418?usp=email ) Change subject: Prevent crash on invalid server-ipv6 argument ...................................................................... Patch Set 1: Code-Review+2 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1418?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: comment Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I99a6604fdfc682f9609bfe7672aa78285084dcb9 Gerrit-Change-Number: 1418 Gerrit-PatchSet: 1 Gerrit-Owner: klemens <kn...@op...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: klemens <kn...@op...> Gerrit-Comment-Date: Sat, 06 Dec 2025 20:54:25 +0000 Gerrit-HasComments: No Gerrit-Has-Labels: Yes |
From: syzzer (C. Review) <ge...@op...> - 2025-12-06 20:51:08
Attention is currently required from: plaisthos.
Hello plaisthos,
I'd like you to do a code review.
Please visit
http://gerrit.openvpn.net/c/openvpn/+/1419?usp=email
to review the following change.
Change subject: mbedtls: gracefully exit if certificate file is NULL
......................................................................
mbedtls: gracefully exit if certificate file is NULL
Instead of crashing because we feed a NULL pointer to strlen(),
gracefully exit with an error message.
While at it, improve the error message a bit.
Change-Id: I0d592d9d0c7ead296869f933c206c5d55e6cbed1
Reported-By: Joshua Rogers <co...@jo...>
Found-by: ZeroPath (https://zeropath.com/)
Signed-off-by: Steffan Karger <st...@ka...>
---
M src/openvpn/ssl_mbedtls.c
1 file changed, 5 insertions(+), 1 deletion(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/19/1419/1
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index 83fca78..3440319 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -466,10 +466,14 @@
if (cert_inline)
{
+ if (!cert_file)
+ {
+ msg(M_FATAL, "Cannot load inline certificate: NULL");
+ }
if (!mbed_ok(mbedtls_x509_crt_parse(ctx->crt_chain, (const unsigned char *)cert_file,
strlen(cert_file) + 1)))
{
- msg(M_FATAL, "Cannot load inline certificate file");
+ msg(M_FATAL, "Cannot load inline certificate");
}
}
else
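Review bot: the new `if (!cert_file)` guard is only safe because msg(M_FATAL) never returns; nothing in the hunk says so, and a reader (or a future change to the log level) would otherwise expect `strlen(cert_file)` to still be reached with NULL. A comment on the block stating that M_FATAL terminates the process, or an explicit `return` after the msg() call, would make the control flow self-evident. The message text "Cannot load inline certificate: NULL" also tells an operator nothing about which inline block or option was empty; naming the directive would make the failure actionable. Since Gert noted he could not reproduce the condition (empty inline block, management interface path), the commit message should either record how cert_file ends up NULL with cert_inline set, or state that this is a purely defensive check.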
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1419?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: newchange
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I0d592d9d0c7ead296869f933c206c5d55e6cbed1
Gerrit-Change-Number: 1419
Gerrit-PatchSet: 1
Gerrit-Owner: syzzer <st...@ka...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
From: klemens (C. Review) <ge...@op...> - 2025-12-06 14:09:24
Attention is currently required from: plaisthos.
Hello plaisthos,
I'd like you to do a code review.
Please visit
http://gerrit.openvpn.net/c/openvpn/+/1418?usp=email
to review the following change.
Change subject: Prevent crash on invalid server-ipv6 argument
......................................................................
Prevent crash on invalid server-ipv6 argument
`get_addr_generic()` expects `openvpn_getaddrinfo()` to return a newly
allocated struct, but getaddrinfo(3) failure leaves `*ai = NULL` as-is.
Unlike free(3), freeaddrinfo(3) requires a valid struct, thus the
following is enough to trigger a NULL pointer dereference in libc:
```
$ openvpn --server-ipv6 ''
2025-12-06 11:59:18 RESOLVE: Cannot resolve host address: :[AF_INET6] (no address associated with name)
Segmentation fault (core dumped)
```
Guard against empty `ai`, i.e. failure, like similar code already does:
```
$ ./openvpn --server-ipv6 ''
2025-12-06 12:05:11 RESOLVE: Cannot resolve host address: :[AF_INET6] (no address associated with name)
Options error: error parsing --server-ipv6 parameter
Use --help for more information.
```
Spotted through a configuration typo "server-ipv6 fd00:/64" with 2.6.17,
reproduced with and tested against 2.7rc3 on OpenBSD/amd64 7.8-current.
Change-Id: I99a6604fdfc682f9609bfe7672aa78285084dcb9
Signed-off-by: Klemens Nanni <kn...@op...>
---
M src/openvpn/socket.c
1 file changed, 4 insertions(+), 1 deletion(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/18/1418/1
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index 46bedf4..80c2895 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
@@ -189,7 +189,10 @@
*sep = '/';
}
out:
- freeaddrinfo(ai);
+ if (ai)
+ {
+ freeaddrinfo(ai);
+ }
free(var_host);
return ret;
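Review bot: the `if (ai)` guard at the `out:` label is only correct if `ai` is initialised to NULL before the first `goto out`, and the declaration sits outside this hunk's context, so that should be confirmed; a comment at the declaration ("left NULL by openvpn_getaddrinfo() on failure") would make the invariant the commit message relies on visible in the code. Given cron2's observation that every other call site already checks for NULL before `freeaddrinfo()`, it would be worth adding the rationale (freeaddrinfo(NULL) is not defined by the standard and crashes on OpenBSD) as a one-line comment here, so the next person does not "simplify" the guard away.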
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1418?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: newchange
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I99a6604fdfc682f9609bfe7672aa78285084dcb9
Gerrit-Change-Number: 1418
Gerrit-PatchSet: 1
Gerrit-Owner: klemens <kn...@op...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
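The failure mode described in the commit message above (getaddrinfo(3) failing and leaving `*ai` NULL, then an unconditional `freeaddrinfo()` dereferencing it) as an added C example; this is not OpenVPN's code, and the function names `resolve_numeric()` and `parse_server_address()` are constructed for the illustration. It uses AI_NUMERICHOST so it runs offline, and mirrors the single-cleanup-label structure of `get_addr_generic()` with the guard the patch adds.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <netdb.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Constructed helper, not OpenVPN's openvpn_getaddrinfo(): resolves HOST as a
 * numeric literal only (AI_NUMERICHOST, so no DNS traffic). On success *out
 * points to a freshly allocated addrinfo list and 0 is returned; on failure
 * the getaddrinfo(3) error code is returned and *out is left NULL, which is
 * exactly the contract the commit message describes. */
static int resolve_numeric(const char *host, int family, struct addrinfo **out)
{
    struct addrinfo hints;
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = family;
    hints.ai_flags = AI_NUMERICHOST;
    *out = NULL;                        /* callers rely on this on failure */
    return getaddrinfo(host, NULL, &hints, out);
}

/* Constructed stand-in for get_addr_generic(): parses HOST as an address of
 * FAMILY and returns the resolved ai_family on success, or -1 on any failure.
 * One cleanup label serves both paths, so ai must be NULL before any goto. */
int parse_server_address(const char *host, int family)
{
    struct addrinfo *ai = NULL;         /* must be NULL before any goto out */
    int ret = -1;

    if (resolve_numeric(host, family, &ai) != 0)
    {
        goto out;                       /* resolve_numeric() left ai NULL */
    }
    ret = ai->ai_family;

out:
    /* freeaddrinfo(NULL) is not defined by POSIX: some libcs tolerate it,
     * OpenBSD's dereferences the pointer (see the commit message). Guard it,
     * as the patch does, instead of relying on the platform being lenient. */
    if (ai)
    {
        freeaddrinfo(ai);
    }
    return ret;
}
```

The empty string and the truncated literal `fd00:` from the commit message both take the failure path; `fd00::1` takes the success path and exercises the free.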
From: flichtenheld (C. Review) <ge...@op...> - 2025-12-05 17:58:04
Attention is currently required from: plaisthos.
Hello plaisthos,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/1417?usp=email
to look at the new patch set (#3).
Change subject: CMake: For VS build, switch from /W2 to /W3
......................................................................
CMake: For VS build, switch from /W2 to /W3
But exclude the added checks that currently have failures
so that we can keep /WX enabled.
Basically this excludes -Wconversion and -Wsign-compare,
as expected from our GCC/Clang flags.
Github: #382
Change-Id: Iffc114939cb37129057e9c4864fae9e09c3c7fe4
Signed-off-by: Frank Lichtenheld <fr...@li...>
---
M CMakeLists.txt
1 file changed, 4 insertions(+), 1 deletion(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/17/1417/3
diff --git a/CMakeLists.txt b/CMakeLists.txt
index b3142e4..906fa04 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -85,9 +85,12 @@
if (USE_WERROR)
add_compile_options(/WX)
endif ()
+ # C4018: signed/unsigned mismatch
+ # C4244: conversion from 'type1' to 'type2', possible loss of data
+ # C4267: conversion from 'size_t' to 'type', possible loss of data
add_compile_options(
/MP
- /W2
+ /W3 /wd4018 /wd4267 /wd4244
/sdl
/Qspectre
/guard:cf
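Review bot: the comment block lists the suppressed warnings as C4018, C4244, C4267 while the flag line orders them `/wd4018 /wd4267 /wd4244`; keeping both in the same order makes the mapping easier to audit. More substantively, C4244 and C4267 (narrowing conversions, including size_t to a smaller type) are exactly the warnings that hide length-truncation bugs, and `/wd` disables them for the whole build; the commit message's "Github: #382" reference belongs next to these flags as a comment so the suppressions are treated as a tracked debt to be removed rather than a permanent setting.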
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1417?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: newpatchset
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Iffc114939cb37129057e9c4864fae9e09c3c7fe4
Gerrit-Change-Number: 1417
Gerrit-PatchSet: 3
Gerrit-Owner: flichtenheld <fr...@li...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
From: flichtenheld (C. Review) <ge...@op...> - 2025-12-05 16:11:16
Attention is currently required from: plaisthos.
Hello plaisthos,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/1417?usp=email
to look at the new patch set (#2).
Change subject: CMake: For VS build, document what we're missing from /W3
......................................................................
CMake: For VS build, document what we're missing from /W3
Basically -Wconversion and -Wsign-compare, so as expected.
Github: #382
Change-Id: Iffc114939cb37129057e9c4864fae9e09c3c7fe4
Signed-off-by: Frank Lichtenheld <fr...@li...>
---
M CMakeLists.txt
1 file changed, 4 insertions(+), 1 deletion(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/17/1417/2
diff --git a/CMakeLists.txt b/CMakeLists.txt
index b3142e4..906fa04 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -85,9 +85,12 @@
if (USE_WERROR)
add_compile_options(/WX)
endif ()
+ # C4018: signed/unsigned mismatch
+ # C4244: conversion from 'type1' to 'type2', possible loss of data
+ # C4267: conversion from 'size_t' to 'type', possible loss of data
add_compile_options(
/MP
- /W2
+ /W3 /wd4018 /wd4267 /wd4244
/sdl
/Qspectre
/guard:cf
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1417?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: newpatchset
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Iffc114939cb37129057e9c4864fae9e09c3c7fe4
Gerrit-Change-Number: 1417
Gerrit-PatchSet: 2
Gerrit-Owner: flichtenheld <fr...@li...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
From: flichtenheld (C. Review) <ge...@op...> - 2025-12-05 14:48:43
Attention is currently required from: plaisthos.
Hello plaisthos,
I'd like you to do a code review.
Please visit
http://gerrit.openvpn.net/c/openvpn/+/1417?usp=email
to review the following change.
Change subject: CMake: For VS build, document what we're missing from /W3
......................................................................
CMake: For VS build, document what we're missing from /W3
Basically -Wconversion and -Wsign-compare, so as expected.
Change-Id: Iffc114939cb37129057e9c4864fae9e09c3c7fe4
Signed-off-by: Frank Lichtenheld <fr...@li...>
---
M CMakeLists.txt
1 file changed, 4 insertions(+), 1 deletion(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/17/1417/1
diff --git a/CMakeLists.txt b/CMakeLists.txt
index b3142e4..906fa04 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -85,9 +85,12 @@
if (USE_WERROR)
add_compile_options(/WX)
endif ()
+ # C4018: signed/unsigned mismatch
+ # C4244: conversion from 'type1' to 'type2', possible loss of data
+ # C4267: conversion from 'size_t' to 'type', possible loss of data
add_compile_options(
/MP
- /W2
+ /W3 /wd4018 /wd4267 /wd4244
/sdl
/Qspectre
/guard:cf
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1417?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: newchange
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Iffc114939cb37129057e9c4864fae9e09c3c7fe4
Gerrit-Change-Number: 1417
Gerrit-PatchSet: 1
Gerrit-Owner: flichtenheld <fr...@li...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
From: cron2 (C. Review) <ge...@op...> - 2025-12-04 15:01:59
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1369?usp=email ) Change subject: Fix dco with null cipher being enabled without auth none ...................................................................... Fix dco with null cipher being enabled without auth none This is a corner case and only the FreeBSD DCO module supports the none encryption but as long as it supports it, we should only enable it when the configuration actually allows to enable it. Change-Id: I1104044701145fa37cea857e2e0e0fcac7a2bee3 Signed-off-by: Arne Schwabe <ar...@rf...> Acked-by: Antonio Quartulli <an...@ma...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1369 Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg34847.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/dco.c 1 file changed, 12 insertions(+), 0 deletions(-) diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index 7abdad3..6a1a5c9 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -474,6 +474,18 @@ gc_free(&gc); return false; } + /* FreeBSD supports none as cipher type but requires auth none to be + * be also enabled */ + if (strcmp(token, "none") == 0 && strcmp(o->authname, "none") != 0) + { + msg(msglevel, + "Note: cipher '%s' in --data-ciphers is only supported " + "with --auth=none by ovpn-dco, disabling data channel " + "offload.", + token); + gc_free(&gc); + return false; + } } gc_free(&gc); -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1369?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: merged Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I1104044701145fa37cea857e2e0e0fcac7a2bee3 Gerrit-Change-Number: 1369 Gerrit-PatchSet: 3 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: ordex <an...@ma...> Gerrit-CC: openvpn-devel <ope...@li...> |
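Review bot: the added comment reads "requires auth none to be * be also enabled", a duplicated "be" across the line break. The early return is consistent with the one just above it (`gc_free(&gc)` before `return false`), but the user-facing message says the cipher is "only supported with --auth=none by ovpn-dco" while the commit message states that only the FreeBSD DCO module offers the none cipher at all; aligning the wording would avoid telling Linux operators that a cipher is supported which their module never implements. Please also confirm that `o->authname` cannot be NULL at this point, since `strcmp()` on a NULL pointer would reintroduce the class of crash the surrounding changes are removing.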
From: cron2 (C. Review) <ge...@op...> - 2025-12-04 15:01:57
cron2 has uploaded a new patch set (#3) to the change originally created by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1369?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by ordex Change subject: Fix dco with null cipher being enabled without auth none ...................................................................... Fix dco with null cipher being enabled without auth none This is a corner case and only the FreeBSD DCO module supports the none encryption but as long as it supports it, we should only enable it when the configuration actually allows to enable it. Change-Id: I1104044701145fa37cea857e2e0e0fcac7a2bee3 Signed-off-by: Arne Schwabe <ar...@rf...> Acked-by: Antonio Quartulli <an...@ma...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1369 Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg34847.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/dco.c 1 file changed, 12 insertions(+), 0 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/69/1369/3 diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index 7abdad3..6a1a5c9 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c 
@@ -474,6 +474,18 @@ gc_free(&gc); return false; } + /* FreeBSD supports none as cipher type but requires auth none to be + * be also enabled */ + if (strcmp(token, "none") == 0 && strcmp(o->authname, "none") != 0) + { + msg(msglevel, + "Note: cipher '%s' in --data-ciphers is only supported " + "with --auth=none by ovpn-dco, disabling data channel " + "offload.", + token); + gc_free(&gc); + return false; + } } gc_free(&gc); -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1369?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: newpatchset Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I1104044701145fa37cea857e2e0e0fcac7a2bee3 Gerrit-Change-Number: 1369 Gerrit-PatchSet: 3 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: ordex <an...@ma...> Gerrit-CC: openvpn-devel <ope...@li...> |
From: Gert D. <ge...@gr...> - 2025-12-04 15:01:49
We know everything about corners inside corner cases!
But we also do them right!
I have not tested this for real - it's fairly trivial anyway, and it has
no memory leaks anymore :-) - the use case is "testing" or "I just need
a tunnel with a more dynamic endpoint than statically-configured GRE,
no crypto needed, and minimum overhead required". Whether or not this is
a good idea is not addressed by the patch, and OpenVPN itself *will* print
a big fat warning when trying to do "cipher none".
Your patch has been applied to the master branch.
commit 4ff746ad87ca5aa7b2058c9332622fc86551c0c8
Author: Arne Schwabe
Date: Thu Dec 4 14:45:16 2025 +0100
Fix dco with null cipher being enabled without auth none
Signed-off-by: Arne Schwabe <ar...@rf...>
Acked-by: Antonio Quartulli <an...@ma...>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1369
Message-Id: <202...@gr...>
URL: https://www.mail-archive.com/ope...@li.../msg34847.html
Signed-off-by: Gert Doering <ge...@gr...>
--
kind regards,
Gert Doering
From: Gert D. <ge...@gr...> - 2025-12-04 14:17:32
Hi,
On Sat, Nov 29, 2025 at 07:08:09PM +0100, Simon Matter via Openvpn-devel wrote:
> The patch is attached to this email. Would be nice if it was considered.
I have turned this into a proper commit with all the extra references
we want to have in our codebase.
commit 864aab8a6cb9c473629bab2b6d5d0338d2d64186 (HEAD -> master)
Author: Simon Matter <sim...@in...>
Date: Thu Dec 4 15:05:27 2025 +0100
Add CAP_SYS_NICE to the positive list in systemd service files
This is necessary to make the ``--nice n`` option work for OpenVPN
instances started by systemd.
Github: closes OpenVPN/openvpn#834
Signed-off-by: Simon Matter <sim...@in...>
Acked-By: Arne Schwabe <ar...@rf...>
Message-Id: <f58...@xx...>
URL: https://www.mail-archive.com/ope...@li.../msg34803.html
Signed-off-by: Gert Doering <ge...@gr...>
... for the next patch, please learn how to use git for simple changes
like this - who can do a "diff -u oldfile newfile" can also do a
"git commit ; git format-patch -1" to produce a patch with sufficient
git stuff around that I have to spend less time on it.
From there to "git send-email --to=...@li... -1"
it's a very small step, and then everything is nearly automatic :-)
I do understand that "git is a huge thing to learn" - and it is, but
hardly anyone really needs to understand all the details. For most cases,
a few commands are enough:
$ git clone https://github.com/OpenVPN/openvpn.git
$ cd openvpn
openvpn$ vi <somefiles>
openvpn$ git commit -s <somefiles> # make a commit from that change
openvpn$ git show # look at that commit
openvpn$ git format-patch -1 # make a nice patch file out of it
gert
PS: yes, this is all about putting burdens on other people's shoulders -
you want us to do something, we want you to make this less time consuming
for us.
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany ge...@gr...
From: cron2 (C. Review) <ge...@op...> - 2025-12-04 14:00:49
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1416?usp=email ) Change subject: Add a section about wolfSSL GPLv3 and point out missing TLS PRF support ...................................................................... Add a section about wolfSSL GPLv3 and point out missing TLS PRF support Change-Id: I4f9a6baf2bdb45e5b79bf13c9f6fce3b7a2e982c Signed-off-by: Arne Schwabe <ar...@rf...> Acked-by: Gert Doering <ge...@gr...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1416 Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg34840.html Signed-off-by: Gert Doering <ge...@gr...> --- M README.wolfssl 1 file changed, 10 insertions(+), 0 deletions(-) diff --git a/README.wolfssl b/README.wolfssl index 3918d0f..3e531ae 100644 --- a/README.wolfssl +++ b/README.wolfssl 
@@ -28,7 +28,17 @@ * blowfish support (BF-CBC), you must use something like cipher AES-128-CBC to avoid trying to use BF-CBC * Windows CryptoAPI support + * No TLS1.0 PRF support (No compaitbility with OpenVPN 2.5 or older or + other build that do not support TLS EKM) + +************************************************************************* +Newer wolfSSL versions (5.8.2 and newer) are GPLv3 licensed and this license is not +compatible with OpenVPN's GPLv2 license. + +However wolfSSL Inc has granted an exception to combine the wolfSSL library +with OpenVPN and OpenVPN-NL (https://github.com/wolfSSL/wolfssl/blob/master/LICENSING) +with version 5.8.4 and later. ************************************************************************* To build WolfSSL with post-quantum KEMs built in, the following command is used: -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1416?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: merged Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I4f9a6baf2bdb45e5b79bf13c9f6fce3b7a2e982c Gerrit-Change-Number: 1416 Gerrit-PatchSet: 2 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-CC: openvpn-devel <ope...@li...> |
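Review bot: the added bullet has a typo and a number agreement problem: "No compaitbility" should read "No compatibility", and "other build that do not support TLS EKM" should read "other builds that do not support TLS EKM". Since this is a README for people deciding whether wolfSSL fits their deployment, expand the acronym on first use (TLS Exported Keying Material) so the reader knows which mechanism the missing TLS 1.0 PRF is replaced by.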
From: cron2 (C. Review) <ge...@op...> - 2025-12-04 14:00:48
cron2 has uploaded a new patch set (#2) to the change originally created by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1416?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by cron2 Change subject: Add a section about wolfSSL GPLv3 and point out missing TLS PRF support ...................................................................... Add a section about wolfSSL GPLv3 and point out missing TLS PRF support Change-Id: I4f9a6baf2bdb45e5b79bf13c9f6fce3b7a2e982c Signed-off-by: Arne Schwabe <ar...@rf...> Acked-by: Gert Doering <ge...@gr...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1416 Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg34840.html Signed-off-by: Gert Doering <ge...@gr...> --- M README.wolfssl 1 file changed, 10 insertions(+), 0 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/16/1416/2 diff --git a/README.wolfssl b/README.wolfssl index 3918d0f..3e531ae 100644 --- a/README.wolfssl +++ b/README.wolfssl 
@@ -28,7 +28,17 @@ * blowfish support (BF-CBC), you must use something like cipher AES-128-CBC to avoid trying to use BF-CBC * Windows CryptoAPI support + * No TLS1.0 PRF support (No compaitbility with OpenVPN 2.5 or older or + other build that do not support TLS EKM) + +************************************************************************* +Newer wolfSSL versions (5.8.2 and newer) are GPLv3 licensed and this license is not +compatible with OpenVPN's GPLv2 license. + +However wolfSSL Inc has granted an exception to combine the wolfSSL library +with OpenVPN and OpenVPN-NL (https://github.com/wolfSSL/wolfssl/blob/master/LICENSING) +with version 5.8.4 and later. ************************************************************************* To build WolfSSL with post-quantum KEMs built in, the following command is used: -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1416?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: newpatchset Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I4f9a6baf2bdb45e5b79bf13c9f6fce3b7a2e982c Gerrit-Change-Number: 1416 Gerrit-PatchSet: 2 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-CC: openvpn-devel <ope...@li...> |
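Review bot: the license paragraph leaves a gap between its two version numbers: wolfSSL "5.8.2 and newer" is stated to be GPLv3, but the exception is only granted "with version 5.8.4 and later", so the README should say plainly whether building OpenVPN against 5.8.2 or 5.8.3 is covered (as written, it is not). A comma after "However" and "wolfSSL Inc." with a period would also tidy the sentence.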
From: Gert D. <ge...@gr...> - 2025-12-04 14:00:29
Documentation improvements are always welcome :-)
Your patch has been applied to the master branch.
commit 603fe533a429e99f6b9e39304e0a1a0391af0547
Author: Arne Schwabe
Date: Thu Dec 4 13:42:16 2025 +0100
Add a section about wolfSSL GPLv3 and point out missing TLS PRF support
Signed-off-by: Arne Schwabe <ar...@rf...>
Acked-by: Gert Doering <ge...@gr...>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1416
Message-Id: <202...@gr...>
URL: https://www.mail-archive.com/ope...@li.../msg34840.html
Signed-off-by: Gert Doering <ge...@gr...>
--
kind regards,
Gert Doering
From: Gert D. <ge...@gr...> - 2025-12-04 13:45:34
From: Arne Schwabe <ar...@rf...> This is a corner case and only the FreeBSD DCO module support the none encryption but as long as it supports it, we should only enable it when the configuration actually allows to enable it. Change-Id: I1104044701145fa37cea857e2e0e0fcac7a2bee3 Signed-off-by: Arne Schwabe <ar...@rf...> Acked-by: Antonio Quartulli <an...@ma...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1369 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1369 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Antonio Quartulli <an...@ma...> diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index 7abdad3..6a1a5c9 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -474,6 +474,18 @@ gc_free(&gc); return false; } + /* FreeBSD supports none as cipher type but requires auth none to be + * be also enabled */ + if (strcmp(token, "none") == 0 && strcmp(o->authname, "none") != 0) + { + msg(msglevel, + "Note: cipher '%s' in --data-ciphers is only supported " + "with --auth=none by ovpn-dco, disabling data channel " + "offload.", + token); + gc_free(&gc); + return false; + } } gc_free(&gc); |
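Review bot: because the `strcmp(token, "none") == 0 && strcmp(o->authname, "none") != 0` check sits inside the per-token loop and returns false, a single "none" entry in a longer --data-ciphers list turns off data channel offload for every cipher in that list, not only for "none". If that is the intended behaviour, the log message could say so ("... disabling data channel offload for all configured ciphers"); if not, skipping the "none" token and continuing the loop would be the alternative to consider.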
From: cron2 (C. Review) <ge...@op...> - 2025-12-04 13:45:24
Attention is currently required from: plaisthos. cron2 has posted comments on this change by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1369?usp=email ) Change subject: Fix dco with null cipher being enabled without auth none ...................................................................... Patch Set 2: -Code-Review -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1369?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: comment Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I1104044701145fa37cea857e2e0e0fcac7a2bee3 Gerrit-Change-Number: 1369 Gerrit-PatchSet: 2 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: ordex <an...@ma...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Comment-Date: Thu, 04 Dec 2025 13:45:09 +0000 Gerrit-HasComments: No Gerrit-Has-Labels: Yes |
From: cron2 (C. Review) <ge...@op...> - 2025-12-04 13:24:12
cron2 has uploaded a new patch set (#3) to the change originally created by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1190?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by flichtenheld, Code-Review-1 by ordex Change subject: Clarify some code in epoch with better comments ...................................................................... Clarify some code in epoch with better comments Change-Id: I34e6b680618a52003d8408852d415c8aeac01feb Signed-off-by: Arne Schwabe <ar...@rf...> Acked-by: Frank Lichtenheld <fr...@li...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1190 Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg34829.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/crypto.c M src/openvpn/crypto.h 2 files changed, 11 insertions(+), 2 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/90/1190/3 diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 8049b3a..e43bc6c 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -97,6 +97,13 @@ /* IV starts with packet id to make the IV unique for packet */ if (use_epoch_data_format) { + /* Note this does not check aead_usage_limit but can overstep it by + * a few extra blocks in one extra write. This is not affecting the + * security margin as these extra blocks are on a completely + * different order of magnitude than the security margin. + * The next iteration/call to epoch_check_send_iterate will + * iterate the epoch + */ if (!packet_id_write_epoch(&opt->packet_id.send, ctx->epoch, &iv_buffer)) { msg(D_CRYPT_ERRORS, "ENCRYPT ERROR: packet ID roll over"); diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index 72c6821..9424fd7 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h 
@@ -298,7 +298,8 @@ /** last epoch_key used for generation of the current send data keys. * As invariant, the epoch of epoch_key_send is always kept >= the epoch of - * epoch_key_recv */ + * key_ctx_bi.decrypt.epoch + */ struct epoch_key epoch_key_send; /** epoch_key used for the highest receive epoch keys */ @@ -309,7 +310,8 @@ /** The limit for AEAD cipher, this is the sum of packets + blocks * that are allowed to be used. Will switch to a new epoch if this - * limit is reached*/ + * limit is reached. + */ uint64_t aead_usage_limit; /** Keeps the future epoch data keys for decryption. The current one -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1190?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: newpatchset Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I34e6b680618a52003d8408852d415c8aeac01feb Gerrit-Change-Number: 1190 Gerrit-PatchSet: 3 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: ordex <an...@ma...> Gerrit-CC: openvpn-devel <ope...@li...> |
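Review bot: in the crypto.c comment, "This is not affecting the security margin" should read "This does not affect the security margin", and "will iterate the epoch" next to "next iteration/call" is ambiguous; "will advance the epoch" is clearer. Keep the reference to epoch_check_send_iterate, since that name is what tells a reader where aead_usage_limit is actually enforced; the code below the comment only writes the packet id.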
From: cron2 (C. Review) <ge...@op...> - 2025-12-04 13:24:10
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1190?usp=email ) Change subject: Clarify some code in epoch with better comments ...................................................................... Clarify some code in epoch with better comments Change-Id: I34e6b680618a52003d8408852d415c8aeac01feb Signed-off-by: Arne Schwabe <ar...@rf...> Acked-by: Frank Lichtenheld <fr...@li...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1190 Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg34829.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/crypto.c M src/openvpn/crypto.h 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 8049b3a..e43bc6c 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -97,6 +97,13 @@ /* IV starts with packet id to make the IV unique for packet */ if (use_epoch_data_format) { + /* Note this does not check aead_usage_limit but can overstep it by + * a few extra blocks in one extra write. This is not affecting the + * security margin as these extra blocks are on a completely + * different order of magnitude than the security margin. + * The next iteration/call to epoch_check_send_iterate will + * iterate the epoch + */ if (!packet_id_write_epoch(&opt->packet_id.send, ctx->epoch, &iv_buffer)) { msg(D_CRYPT_ERRORS, "ENCRYPT ERROR: packet ID roll over"); diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index 72c6821..9424fd7 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -298,7 +298,8 @@ /** last epoch_key used for generation of the current send data keys. * As invariant, the epoch of epoch_key_send is always kept >= the epoch of - * epoch_key_recv */ + * key_ctx_bi.decrypt.epoch + */ struct epoch_key epoch_key_send; /** epoch_key used for the highest receive epoch keys */ 
@@ -309,7 +310,8 @@ /** The limit for AEAD cipher, this is the sum of packets + blocks * that are allowed to be used. Will switch to a new epoch if this - * limit is reached*/ + * limit is reached. + */ uint64_t aead_usage_limit; /** Keeps the future epoch data keys for decryption. The current one -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1190?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: merged Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I34e6b680618a52003d8408852d415c8aeac01feb Gerrit-Change-Number: 1190 Gerrit-PatchSet: 3 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: ordex <an...@ma...> Gerrit-CC: openvpn-devel <ope...@li...> |
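Review bot: the crypto.h and crypto.c comments now describe aead_usage_limit slightly differently: crypto.h says "Will switch to a new epoch if this limit is reached", while the crypto.c note states the limit can be overstepped by a few blocks before the next epoch_check_send_iterate call. Align the crypto.h wording, for example "Will switch to a new epoch once this limit is reached (the last write may exceed it by a few blocks)", so the header does not promise a hard bound the code does not give.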