From: Gert D. <ge...@gr...> - 2025-10-23 15:56:26
From: Arne Schwabe <ar...@rf...> This is not a supported configuration and will often work good enough to get a connection working but will operate more in a weird pre P2P negotiation compatibility way rather than actually negotiating protocol features. Also remove an anused macro. Change-Id: I82c7c61be07593ecd5bf2f854767dda74ab5170c Signed-off-by: Arne Schwabe <ar...@rf...> Acked-by: Frank Lichtenheld <fr...@li...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1288 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1288 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld <fr...@li...> diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index ccc1374..347a251 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -497,6 +497,9 @@ ``--echo``, ``--comp-lzo``, ``--socket-flags``, ``--sndbuf``, ``--rcvbuf``, ``--session-timeout`` + Note: using ``--push`` requires OpenVPN to run in ``--mode server`` (or + using of one of `--server`, `--server-bridge` helper directives). + --push-remove opt Selectively remove all ``--push`` options matching "opt" from the option list for a client. ``opt`` is matched as a substring against the whole diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 65c6b3b..9c02a8c 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -2690,6 +2690,13 @@ MUST_BE_UNDEF(vlan_accept, "vlan-accept"); MUST_BE_UNDEF(vlan_pvid, "vlan-pvid"); MUST_BE_UNDEF(force_key_material_export, "force-key-material-export"); + + if (options->push_list.head) + { + msg(M_WARN, "Note: Using --push without --mode server is an " + "unsupported configuration. Negotiation of OpenVPN " + "features is expected to fail."); + } } /* 
diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 009904a..24253af 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -768,16 +768,11 @@ #define OPT_P_DEFAULT (~(OPT_P_INSTANCE | OPT_P_PULL_MODE)) #define PULL_DEFINED(opt) ((opt)->pull) -#define PUSH_DEFINED(opt) ((opt)->push_list) #ifndef PULL_DEFINED #define PULL_DEFINED(opt) (false) #endif -#ifndef PUSH_DEFINED -#define PUSH_DEFINED(opt) (false) -#endif - #ifdef _WIN32 #define ROUTE_OPTION_FLAGS(o) ((o)->route_method & ROUTE_METHOD_MASK) #else |
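Review bot: the note added in the server-options.rst hunk mixes double and single backticks (``--push`` and ``--mode server`` next to `--server` and `--server-bridge`) and the phrase "or using of one of ... helper directives" does not parse; since the surrounding file wraps option names in double backticks, suggest: "Note: ``--push`` is only supported when OpenVPN runs in ``--mode server`` (or with one of the ``--server`` / ``--server-bridge`` helper directives)." Saying "is only supported" rather than "requires" also matches what the options.c hunk actually does, which is warn rather than reject the configuration.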
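Review bot: the new `if (options->push_list.head)` block in the options.c hunk uses M_WARN, so the process continues with a configuration the message itself calls unsupported; that is consistent with the commit message ("will often work good enough to get a connection working"), but a one-line comment above the `msg()` saying that a hard error was deliberately not chosen would stop a later cleanup from turning it into msg(M_USAGE, ...) and breaking those existing setups. The message text could also spell the options the way the manual does (``--push``, ``--mode server``) for easier grepping.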
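Review bot: with PUSH_DEFINED removed, the surviving `#ifndef PULL_DEFINED` / `#define PULL_DEFINED(opt) (false)` / `#endif` in the same options.h hunk can never take effect, because `#define PULL_DEFINED(opt) ((opt)->pull)` is defined unconditionally two lines above it (unless an enclosing conditional outside the hunk guards it); suggest dropping that dead fallback in the same "remove an unused macro" cleanup.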
From: cron2 (C. Review) <ge...@op...> - 2025-10-23 15:51:07
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1295?usp=email ) Change subject: Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0 ...................................................................... Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0 These ciphers claim to be CBC but since they are also include an HMAC are more a mix of AEAD and CBC. Nevertheless, we do not support these and also have no (good) reason to support them. Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d Signed-off-by: Arne Schwabe <ar...@rf...> Acked-by: Gert Doering <ge...@gr...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1295 Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg33849.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/crypto_openssl.c M src/openvpn/openssl_compat.h 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 331af99..280389c 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -798,7 +798,8 @@ #ifdef EVP_CIPH_FLAG_CTS && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS) #endif - && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)); + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_ENC_THEN_MAC)); EVP_CIPHER_free(cipher); return ret; } diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index c9fa719..03ece13 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h 
@@ -817,4 +817,9 @@ #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +/* Introduced in OpenSSL 3.6.0 */ +#ifndef EVP_CIPH_FLAG_ENC_THEN_MAC +#define EVP_CIPH_FLAG_ENC_THEN_MAC 0x10000000 +#endif + #endif /* OPENSSL_COMPAT_H_ */ -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1295?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: merged Gerrit-Project: openvpn Gerrit-Branch: release/2.6 Gerrit-Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d Gerrit-Change-Number: 1295 Gerrit-PatchSet: 2 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> |
From: cron2 (C. Review) <ge...@op...> - 2025-10-23 15:51:05
cron2 has uploaded a new patch set (#2) to the change originally created by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1295?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by cron2 Change subject: Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0 ...................................................................... Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0 These ciphers claim to be CBC but since they are also include an HMAC are more a mix of AEAD and CBC. Nevertheless, we do not support these and also have no (good) reason to support them. Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d Signed-off-by: Arne Schwabe <ar...@rf...> Acked-by: Gert Doering <ge...@gr...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1295 Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg33849.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/crypto_openssl.c M src/openvpn/openssl_compat.h 2 files changed, 7 insertions(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/95/1295/2 diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 331af99..280389c 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -798,7 +798,8 @@ #ifdef EVP_CIPH_FLAG_CTS && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS) #endif - && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)); + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_ENC_THEN_MAC)); EVP_CIPHER_free(cipher); return ret; } diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index c9fa719..03ece13 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h 
@@ -817,4 +817,9 @@ #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +/* Introduced in OpenSSL 3.6.0 */ +#ifndef EVP_CIPH_FLAG_ENC_THEN_MAC +#define EVP_CIPH_FLAG_ENC_THEN_MAC 0x10000000 +#endif + #endif /* OPENSSL_COMPAT_H_ */ -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1295?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: newpatchset Gerrit-Project: openvpn Gerrit-Branch: release/2.6 Gerrit-Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d Gerrit-Change-Number: 1295 Gerrit-PatchSet: 2 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> |
From: Gert D. <ge...@gr...> - 2025-10-23 15:50:56
This is basically the same as commit a69d9b665 on master, but due to
context/formatting changes it did not directly apply and Arne was so
nice and did a 2.6 version.
BB says this is all good, did not wait for GHA results.
Your patch has been applied to the release/2.6 branch (long-term compat).
commit 0848531640f670f7f6bb79833223ac8a05c1b36e
Author: Arne Schwabe
Date: Thu Oct 23 17:35:08 2025 +0200
Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
Signed-off-by: Arne Schwabe <ar...@rf...>
Acked-by: Gert Doering <ge...@gr...>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1295
Message-Id: <202...@gr...>
URL: https://www.mail-archive.com/ope...@li.../msg33849.html
Signed-off-by: Gert Doering <ge...@gr...>
--
kind regards,
Gert Doering
From: Gert D. <ge...@gr...> - 2025-10-23 15:47:22
Change and explanation make sense, and BB/GH confirms that macOS is now
happy again (this isn't a "macOS" problem but the GHA workers on macOS
discovered it first).
Your patch has been applied to the master branch.
commit a69d9b66502f13354750d8146cd038cc7a26a0bd
Author: Arne Schwabe
Date: Thu Oct 23 13:11:33 2025 +0200
Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
Signed-off-by: Arne Schwabe <ar...@rf...>
Acked-by: Frank Lichtenheld <fr...@li...>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1294
Message-Id: <202...@gr...>
URL: https://www.mail-archive.com/ope...@li.../msg33846.html
Signed-off-by: Gert Doering <ge...@gr...>
--
kind regards,
Gert Doering
From: cron2 (C. Review) <ge...@op...> - 2025-10-23 15:46:46
cron2 has uploaded a new patch set (#4) to the change originally created by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1294?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by flichtenheld Change subject: Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0 ...................................................................... Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0 These ciphers claim to be CBC but since they are also include an HMAC are more a mix of AEAD and CBC. Nevertheless, we do not support these and also have no (good) reason to support them. This patch defines the flag if the SSL library does not define the flag to also work when the SSL library is upgraded after OpenVPN has been compiled. Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d Signed-off-by: Arne Schwabe <ar...@rf...> Acked-by: Frank Lichtenheld <fr...@li...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1294 Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg33846.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/crypto_openssl.c M src/openvpn/openssl_compat.h 2 files changed, 7 insertions(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/94/1294/4 diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 7688add..f596b8c 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -789,7 +789,8 @@ #ifdef EVP_CIPH_FLAG_CTS && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS) #endif - && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)); + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_ENC_THEN_MAC)); EVP_CIPHER_free(cipher); return ret; } diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index e3e7cf8..fb3c9b1 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h 
@@ -211,4 +211,9 @@ #endif #endif +/* Introduced in OpenSSL 3.6.0 */ +#ifndef EVP_CIPH_FLAG_ENC_THEN_MAC +#define EVP_CIPH_FLAG_ENC_THEN_MAC 0x10000000 +#endif + #endif /* OPENSSL_COMPAT_H_ */ -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1294?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: newpatchset Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d Gerrit-Change-Number: 1294 Gerrit-PatchSet: 4 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> |
From: cron2 (C. Review) <ge...@op...> - 2025-10-23 15:46:43
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1294?usp=email ) Change subject: Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0 ...................................................................... Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0 These ciphers claim to be CBC but since they are also include an HMAC are more a mix of AEAD and CBC. Nevertheless, we do not support these and also have no (good) reason to support them. This patch defines the flag if the SSL library does not define the flag to also work when the SSL library is upgraded after OpenVPN has been compiled. Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d Signed-off-by: Arne Schwabe <ar...@rf...> Acked-by: Frank Lichtenheld <fr...@li...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1294 Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg33846.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/crypto_openssl.c M src/openvpn/openssl_compat.h 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 7688add..f596b8c 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -789,7 +789,8 @@ #ifdef EVP_CIPH_FLAG_CTS && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS) #endif - && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)); + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_ENC_THEN_MAC)); EVP_CIPHER_free(cipher); return ret; } diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index e3e7cf8..fb3c9b1 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h 
@@ -211,4 +211,9 @@ #endif #endif +/* Introduced in OpenSSL 3.6.0 */ +#ifndef EVP_CIPH_FLAG_ENC_THEN_MAC +#define EVP_CIPH_FLAG_ENC_THEN_MAC 0x10000000 +#endif + #endif /* OPENSSL_COMPAT_H_ */ -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1294?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: merged Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d Gerrit-Change-Number: 1294 Gerrit-PatchSet: 4 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> |
From: Gert D. <ge...@gr...> - 2025-10-23 15:35:28
From: Arne Schwabe <ar...@rf...> These ciphers claim to be CBC but since they are also include an HMAC are more a mix of AEAD and CBC. Nevertheless, we do not support these and also have no (good) reason to support them. Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d Signed-off-by: Arne Schwabe <ar...@rf...> Acked-by: Gert Doering <ge...@gr...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1295 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to release/2.6. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1295 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering <ge...@gr...> diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 331af99..280389c 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -798,7 +798,8 @@ #ifdef EVP_CIPH_FLAG_CTS && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS) #endif - && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)); + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_ENC_THEN_MAC)); EVP_CIPHER_free(cipher); return ret; } diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index c9fa719..03ece13 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h @@ -817,4 +817,9 @@ #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +/* Introduced in OpenSSL 3.6.0 */ +#ifndef EVP_CIPH_FLAG_ENC_THEN_MAC +#define EVP_CIPH_FLAG_ENC_THEN_MAC 0x10000000 +#endif + #endif /* OPENSSL_COMPAT_H_ */ |
From: cron2 (C. Review) <ge...@op...> - 2025-10-23 15:35:07
Attention is currently required from: flichtenheld, plaisthos.
cron2 has posted comments on this change by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1295?usp=email )
Change subject: Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
......................................................................
Patch Set 1: Code-Review+2
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1295?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: comment
Gerrit-Project: openvpn
Gerrit-Branch: release/2.6
Gerrit-Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d
Gerrit-Change-Number: 1295
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: cron2 <ge...@gr...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Attention: flichtenheld <fr...@li...>
Gerrit-Comment-Date: Thu, 23 Oct 2025 15:34:57 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
From: plaisthos (C. Review) <ge...@op...> - 2025-10-23 11:20:19
Attention is currently required from: flichtenheld.
Hello flichtenheld,
I'd like you to do a code review.
Please visit
http://gerrit.openvpn.net/c/openvpn/+/1295?usp=email
to review the following change.
Change subject: Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
......................................................................
Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
These ciphers claim to be CBC but since they are also include an HMAC
are more a mix of AEAD and CBC. Nevertheless, we do not support these
and also have no (good) reason to support them.
Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d
Signed-off-by: Arne Schwabe <ar...@rf...>
---
M src/openvpn/crypto_openssl.c
M src/openvpn/openssl_compat.h
2 files changed, 7 insertions(+), 1 deletion(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/95/1295/1
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 331af99..280389c 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -798,7 +798,8 @@
#ifdef EVP_CIPH_FLAG_CTS
&& !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS)
#endif
- && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER));
+ && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)
+ && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_ENC_THEN_MAC));
EVP_CIPHER_free(cipher);
return ret;
}
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index c9fa719..03ece13 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -817,4 +817,9 @@
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+/* Introduced in OpenSSL 3.6.0 */
+#ifndef EVP_CIPH_FLAG_ENC_THEN_MAC
+#define EVP_CIPH_FLAG_ENC_THEN_MAC 0x10000000
+#endif
+
#endif /* OPENSSL_COMPAT_H_ */
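Review bot: compared with the master version of this change (1294), the commit message on this release/2.6 patch set drops the paragraph explaining why the fallback `#define EVP_CIPH_FLAG_ENC_THEN_MAC 0x10000000` exists at all (so the check keeps working when the SSL library is upgraded after OpenVPN has been compiled); the compat hunk is otherwise identical, so suggest carrying that paragraph over, since it is the only justification for the unguarded use of the flag in crypto_openssl.c that a reader of the 2.6 history will find.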
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1295?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: newchange
Gerrit-Project: openvpn
Gerrit-Branch: release/2.6
Gerrit-Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d
Gerrit-Change-Number: 1295
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: flichtenheld <fr...@li...>
From: Gert D. <ge...@gr...> - 2025-10-23 11:11:52
From: Arne Schwabe <ar...@rf...> These ciphers claim to be CBC but since they are also include an HMAC are more a mix of AEAD and CBC. Nevertheless, we do not support these and also have no (good) reason to support them. This patch defines the flag if the SSL library does not define the flag to also work when the SSL library is upgraded after OpenVPN has been compiled. Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d Signed-off-by: Arne Schwabe <ar...@rf...> Acked-by: Frank Lichtenheld <fr...@li...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1294 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1294 This mail reflects revision 3 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld <fr...@li...> diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 7688add..f596b8c 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -789,7 +789,8 @@ #ifdef EVP_CIPH_FLAG_CTS && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS) #endif - && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)); + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_ENC_THEN_MAC)); EVP_CIPHER_free(cipher); return ret; } diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index e3e7cf8..fb3c9b1 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h @@ -211,4 +211,9 @@ #endif #endif +/* Introduced in OpenSSL 3.6.0 */ +#ifndef EVP_CIPH_FLAG_ENC_THEN_MAC +#define EVP_CIPH_FLAG_ENC_THEN_MAC 0x10000000 +#endif + #endif /* OPENSSL_COMPAT_H_ */ |
From: flichtenheld (C. Review) <ge...@op...> - 2025-10-23 11:04:01
Attention is currently required from: plaisthos.
flichtenheld has posted comments on this change by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1294?usp=email )
Change subject: Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
......................................................................
Patch Set 3: Code-Review+2
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1294?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: comment
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d
Gerrit-Change-Number: 1294
Gerrit-PatchSet: 3
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Comment-Date: Thu, 23 Oct 2025 11:03:51 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
From: plaisthos (C. Review) <ge...@op...> - 2025-10-23 09:56:19
Attention is currently required from: flichtenheld.
Hello flichtenheld,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/1294?usp=email
to look at the new patch set (#3).
Change subject: Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
......................................................................
Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
These ciphers claim to be CBC but since they are also include an HMAC
are more a mix of AEAD and CBC. Nevertheless, we do not support these
and also have no (good) reason to support them.
This patch defines the flag if the SSL library does not define the flag
to also work when the SSL library is upgraded after OpenVPN has been compiled.
Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d
Signed-off-by: Arne Schwabe <ar...@rf...>
---
M src/openvpn/crypto_openssl.c
M src/openvpn/openssl_compat.h
2 files changed, 7 insertions(+), 1 deletion(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/94/1294/3
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 7688add..f596b8c 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -789,7 +789,8 @@
#ifdef EVP_CIPH_FLAG_CTS
&& !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS)
#endif
- && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER));
+ && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)
+ && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_ENC_THEN_MAC));
EVP_CIPHER_free(cipher);
return ret;
}
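Review bot: the new `&& !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_ENC_THEN_MAC)` term is unguarded while the `EVP_CIPH_FLAG_CTS` term directly above it sits inside `#ifdef EVP_CIPH_FLAG_CTS`; the asymmetry is deliberate here (openssl_compat.h supplies the flag when the headers predate 3.6.0, so a binary built against older headers still excludes these ciphers once the runtime library is upgraded, as the commit message says), but a one-line comment at this point stating that would stop a reader from "fixing" it with another #ifdef. A unit test that runs a cipher carrying this flag through this function and asserts it is not reported as CBC would pin the behaviour the commit message describes.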
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index e3e7cf8..fb3c9b1 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -211,4 +211,9 @@
#endif
#endif
+/* Introduced in OpenSSL 3.6.0 */
+#ifndef EVP_CIPH_FLAG_ENC_THEN_MAC
+#define EVP_CIPH_FLAG_ENC_THEN_MAC 0x10000000
+#endif
+
#endif /* OPENSSL_COMPAT_H_ */
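Review bot: the fallback `#define EVP_CIPH_FLAG_ENC_THEN_MAC 0x10000000` hardcodes a flag value, and the comment only says "Introduced in OpenSSL 3.6.0"; it should also record that the value is copied from the 3.6.0 evp.h so it can be re-verified, and the reviewer should confirm that no older OpenSSL release this branch builds against assigns that bit to a different EVP_CIPH_FLAG_* value, because if one did, a build against those older headers would silently drop unrelated ciphers from the CBC check in crypto_openssl.c.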
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1294?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: newpatchset
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d
Gerrit-Change-Number: 1294
Gerrit-PatchSet: 3
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: flichtenheld <fr...@li...>
From: plaisthos (C. Review) <ge...@op...> - 2025-10-23 09:53:42
Attention is currently required from: flichtenheld.
Hello flichtenheld,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/1294?usp=email
to look at the new patch set (#2).
Change subject: Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
......................................................................
Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
These ciphers claim to be CBC but since they are also include an HMAC
are more a mix of AEAD and CBC. Nevertheless, we do not support these
and also have no (good) reason to support them.
Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d
Signed-off-by: Arne Schwabe <ar...@rf...>
---
M src/openvpn/crypto_openssl.c
M src/openvpn/openssl_compat.h
2 files changed, 7 insertions(+), 1 deletion(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/94/1294/2
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 7688add..f596b8c 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -789,7 +789,8 @@
#ifdef EVP_CIPH_FLAG_CTS
&& !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS)
#endif
- && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER));
+ && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)
+ && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_ENC_THEN_MAC));
EVP_CIPHER_free(cipher);
return ret;
}
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index e3e7cf8..fb3c9b1 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -211,4 +211,9 @@
#endif
#endif
+/* Introduced in OpenSSL 3.6.0 */
+#ifndef EVP_CIPH_FLAG_ENC_THEN_MAC
+#define EVP_CIPH_FLAG_ENC_THEN_MAC 0x10000000
+#endif
+
#endif /* OPENSSL_COMPAT_H_ */
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1294?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: newpatchset
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d
Gerrit-Change-Number: 1294
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: flichtenheld <fr...@li...>
From: Jon C. <ro...@fo...> - 2025-10-22 22:11:01
Thanks Gert! :) I did find a nice built-in method in the OVPN source code to extract both the source and destination ipv4 addresses (mroute_extract_addr_ip) which I was able to use and build on top of to help solve this multi-threaded "issue" of mine. It has helped greatly in terms of performance now as I am able to simply associate an IPv4 connection state to an available thread which will result in ordered packet processing of data from the TUN device (read/write). This has helped greatly to prevent or reduce the amount of processing and reordering that TCP and QUIC-UDP have to perform and things are loading "snappier" now it seems. The other available threads can also work on their own connection states at the same time allowing them to work in parallel but also separately if you will.

Thanks again for your work on this project and inputs on this proof-of-concept experiment I'm running. I wouldn't have been able to do any of this with WireGuard!

Blog post: https://fossjon.com/2025/10/22/solving-a-final-remaining-performance-impact-with-mutli-threaded-operation-by-using-connection-state-mapping-in-the-highly-modified-openvpn-source-code-implementation/

On Tue, Oct 21, 2025 at 2:40 AM Gert Doering <ge...@gr...> wrote:
> Hi,
>
> On Mon, Oct 20, 2025 at 04:15:22PM -0400, Jon Chiappetta via Openvpn-devel wrote:
> > I was wondering if any part of the OpenVPN source code parses the IPv4
> > packet header for source/destination address already in place?
>
> With tun/tap and ipv4/ipv6, this is a bit of nastiness...
>
> You might want to have a look at drop_if_recursive_routing() in master,
> as that one has to find destination address & port and will log source
> address & port.
>
> Not sure we have something more convenient. Grepping for openvpn_iphdr
> might turn up something, though :-) (like somewhere in the NAT code).
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany
> ge...@gr...
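The approach Jon describes (read the IPv4 source/destination out of the raw TUN packet, then pin that connection to one worker thread so its packets stay ordered) as an added example. This is not OpenVPN's mroute_extract_addr_ip() and not code from Jon's fork; the struct, function names and the sample packet are constructed for illustration. It shows the part a reviewer cares most about: every header field is bounds-checked against the buffer length before it is read, so a short or non-IPv4 frame from the TUN device is rejected instead of read past its end.

```c
/* Added example (not OpenVPN code): bounds-checked extraction of the IPv4
 * source/destination addresses from a raw TUN packet, and a flow-to-worker
 * mapping that keeps both directions of one connection on one thread.
 * Names and the sample packet are constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct ipv4_flow {
    uint32_t src;    /* host byte order */
    uint32_t dst;
    uint8_t  proto;  /* IP protocol number, e.g. 6 = TCP, 17 = UDP */
};

/* Read a big-endian 32-bit value without alignment or endianness assumptions. */
static uint32_t rd32be(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Parse the IPv4 header at buf[0..len). Returns 1 and fills *out on success,
 * 0 if the buffer is not a well-formed IPv4 header (wrong version nibble, IHL
 * below the 20-byte minimum, or header/total length running past the buffer).
 * Every offset is checked against len before it is read. */
int ipv4_extract_flow(const uint8_t *buf, size_t len, struct ipv4_flow *out)
{
    if (len < 20 || (buf[0] >> 4) != 4)
        return 0;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len)
        return 0;
    size_t total_len = (size_t)buf[2] << 8 | buf[3];
    if (total_len < ihl || total_len > len)
        return 0;
    out->proto = buf[9];
    out->src = rd32be(buf + 12);
    out->dst = rd32be(buf + 16);
    return 1;
}

/* Map a flow to one of nworkers threads. The hash is symmetric in (src, dst)
 * so that packets in both directions of a connection land on the same worker
 * and are processed in order. FNV-1a over the sorted address pair + proto. */
unsigned ipv4_flow_worker(const struct ipv4_flow *f, unsigned nworkers)
{
    uint32_t lo = f->src < f->dst ? f->src : f->dst;
    uint32_t hi = f->src < f->dst ? f->dst : f->src;
    uint8_t key[9] = {
        (uint8_t)(lo >> 24), (uint8_t)(lo >> 16), (uint8_t)(lo >> 8), (uint8_t)lo,
        (uint8_t)(hi >> 24), (uint8_t)(hi >> 16), (uint8_t)(hi >> 8), (uint8_t)hi,
        f->proto,
    };
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < sizeof key; i++) {
        h ^= key[i];
        h *= 16777619u;
    }
    return h % nworkers;
}

/* Constructed sample: IPv4, IHL 5, total length 40, TCP, 10.0.0.1 -> 10.0.0.2,
 * followed by 20 zero bytes standing in for the TCP header. */
const uint8_t sample_pkt[40] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
};

int main(void)
{
    struct ipv4_flow f;
    if (!ipv4_extract_flow(sample_pkt, sizeof sample_pkt, &f)) {
        puts("not a well-formed IPv4 packet");
        return 1;
    }
    printf("proto %u %08x -> %08x worker %u\n", f.proto, f.src, f.dst,
           ipv4_flow_worker(&f, 4));
    return 0;
}
```

The symmetric hash is the detail that makes the per-thread ordering hold for TCP: the reply direction of a connection hashes to the same worker as the request direction, so neither side sees reordering introduced by the VPN itself. IPv6 and TAP frames need their own parser and are rejected here by the version check.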
From: Gert D. <ge...@gr...> - 2025-10-22 19:38:28
Hi,

On Wed, Oct 22, 2025 at 06:06:21PM +0000, Joshua Rogers wrote:
> By the way, as mentioned, this was found with the ZeroPath tool. I was wondering if it would be of interest to send the raw results of this scanner to somebody that could allow them to review the findings without me manually triaging? I have done this with curl (https://daniel.haxx.se/blog/2025/10/10/a-new-breed-of-analyzers/) and it was quite successful (~20% false positive rate).
>
> If this is of interest, please let me know where to send them. The output is just markdown, and it includes potential security vulnerabilities. If not, I will (slowly) continue triaging myself.

This is of interest. I'm not really sure where to send this - security bugs go to sec...@op..., but if it's not security, we should not spam this list. Non-security things could go to GH issues, but *if* there is security relevant things in between, we might want to keep the lid on it, for the moment...

So you could send everything my way for a start and I discuss with my co-developers how to do this in the future. I'll then try to triage this in a timely fashion and forward to GH, security@, or just drop :-)

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany ge...@gr...
From: Joshua R. <co...@jo...> - 2025-10-22 18:06:36
Hi all,

By the way, as mentioned, this was found with the ZeroPath tool. I was wondering if it would be of interest to send the raw results of this scanner to somebody that could allow them to review the findings without me manually triaging? I have done this with curl (https://daniel.haxx.se/blog/2025/10/10/a-new-breed-of-analyzers/) and it was quite successful (~20% false positive rate).

If this is of interest, please let me know where to send them. The output is just markdown, and it includes potential security vulnerabilities. If not, I will (slowly) continue triaging myself.

Thank you.

On Wednesday, 22 October 2025 at 13:55, Gert Doering <ge...@gr...> wrote:
> Hi,
>
> On Tue, Oct 21, 2025 at 10:34:21PM +0200, Arne Schwabe wrote:
> > Before committing we have to check that port-share does not rely on this
> > behaviour to pass the fd the forked instances. I didn't check right now.
>
> Good point. I have a port-share test instance, will test.
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany ge...@gr...
From: plaisthos (C. Review) <ge...@op...> - 2025-10-22 17:02:46
Attention is currently required from: flichtenheld.

plaisthos has posted comments on this change by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1294?usp=email )

Change subject: Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
......................................................................

Patch Set 1:

(1 comment)

Patchset:

PS1:
GHA run with OpenSSL 3.6.0 on macOS: https://github.com/schwabe/openvpn/actions/runs/18723419183

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1294?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: comment
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d
Gerrit-Change-Number: 1294
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: flichtenheld <fr...@li...>
Gerrit-Comment-Date: Wed, 22 Oct 2025 17:02:35 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
From: plaisthos (C. Review) <ge...@op...> - 2025-10-22 16:44:29
Attention is currently required from: flichtenheld.
Hello flichtenheld,
I'd like you to do a code review.
Please visit
http://gerrit.openvpn.net/c/openvpn/+/1294?usp=email
to review the following change.
Change subject: Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
......................................................................
Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
These ciphers claim to be CBC but, since they also include an HMAC,
are more a mix of AEAD and CBC. Nevertheless, we do not support these
and also have no (good) reason to support them.
Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d
Signed-off-by: Arne Schwabe <ar...@rf...>
---
M src/openvpn/crypto_openssl.c
1 file changed, 5 insertions(+), 1 deletion(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/94/1294/1
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 7688add..04aefa2 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -789,7 +789,11 @@
#ifdef EVP_CIPH_FLAG_CTS
&& !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS)
#endif
- && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER));
+ && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)
+#ifdef EVP_CIPH_FLAG_ENC_THEN_MAC
+ && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_ENC_THEN_MAC)
+#endif
+ );
EVP_CIPHER_free(cipher);
return ret;
}
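Review bot: the new `EVP_CIPH_FLAG_ENC_THEN_MAC` exclusion carries no comment at the code site saying why such ciphers are rejected; the rationale (they report as CBC but also include an HMAC, and OpenVPN does not support that mode) lives only in the commit message, so a one-line comment above `#ifdef EVP_CIPH_FLAG_ENC_THEN_MAC` would spare the next reader a trip through git log. The `#ifdef` guard itself is correct, since OpenSSL headers that predate the flag leave the expression exactly as before; since the subject names 3.6.0 as the version that introduces these ciphers, noting that the guard can go once that is the minimum supported OpenSSL would help future cleanup.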
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1294?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: newchange
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d
Gerrit-Change-Number: 1294
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: flichtenheld <fr...@li...>
From: Johan D. <jo...@op...> - 2025-10-22 16:15:52
Meeting summary for 22 October 2025:

* *Updated: Release 2.7*
  OpenVPN 2.7 beta3 was released 13 October.
  It looks like next up will be beta4, after which a rc1 or stable
  release is expected, after the hackathon end of October.
  There are some bug reports for beta3 so we want to address those
  before doing a beta4.
  Current tentative release date for beta4 is 29 October.

* *Updated: OpenVPN community meetup 2025*
  https://community.openvpn.net/openvpn/wiki/CommunityMeetup2025
  T-shirts arrived at the hotel.

* *Updated: forums situation*
  minx from OpenVPN Inc. originally set up flarum and started
  migration process, but he left the company before completion.
  Now we have eduardo at OpenVPN Inc. who is taking a look and he
  managed to get migration working.
  He suggests some further migration testing, and to then plan a hard
  cutover date.

* *Updated: wolfSSL license changed from gplv2 to gplv3*
  The release notes of wolfSSL indicate the license changed to GPLv3.
  This basically makes wolfSSL incompatible in regards to licensing
  with OpenVPN.
  Currently trying to arrange a meeting between relevant parties.

As always you're welcome to join at #openvpn-meeting on Libera IRC
network every Wednesday at 14:00 Central European Time.

Kind regards,
Johan Draaisma
From: Gert D. <ge...@gr...> - 2025-10-22 05:56:09
Hi,
On Tue, Oct 21, 2025 at 10:34:21PM +0200, Arne Schwabe wrote:
> Before committing we have to check that port-share does not rely on this
> behaviour to pass the fd the forked instances. I didn't check right now.
Good point. I have a port-share test instance, will test.
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany ge...@gr...
From: Arne S. <ar...@rf...> - 2025-10-21 20:34:40
On 21.10.2025 at 21:40, Gert Doering wrote:
> Hi,
>
> On Tue, Oct 21, 2025 at 06:11:06PM +0000, Joshua Rogers via Openvpn-devel wrote:
>> The accept path calls set_cloexec(sd) after accept(). That re-flags the
>> listening socket, which is already CLOEXEC from create_socket_tcp(), and
>> leaves new_sd inheritable. As a result, client-connect and auth scripts
>> spawned after accept can inherit the connected socket and read or write
>> the raw TCP stream. This defeats the stated intent to prevent scripts from
>> accessing the client socket.
> Impressive find. I had to actually look at the code to see what
> you are talking about :-)
>
> So we do
>
> new_sd = accept(sd, &act->dest.addr.sa, &remote_len);
>
> and then
>
> /* set socket file descriptor to not pass across execs, so that
> * scripts don't have access to it */
> set_cloexec(sd);
>

Before committing we have to check that port-share does not rely on this
behaviour to pass the fd the forked instances. I didn't check right now.

Arne
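The accept()-path issue quoted in this thread, as an added example that is not OpenVPN's code: the reported pattern (flagging the listener `sd` a second time and leaving the accepted `new_sd` inheritable) is shown beside the intended pattern (flagging `new_sd`), and a check reads `FD_CLOEXEC` back from the accepted side. `set_cloexec()` here is a local stand-in for OpenVPN's helper of the same name, and a `socketpair()` stands in for the listener/accepted pair so the scenario runs without a network; both are assumptions of this example.

```c
/* Added example (not OpenVPN code): the accept() path described in the
 * thread, in its reported form (listener flagged, accepted socket left
 * inheritable) beside the intended form (accepted socket flagged), with a
 * check that reads the flag back. A socketpair() stands in for the
 * listener/accepted pair so the scenario runs offline. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Local stand-in for OpenVPN's set_cloexec(): mark fd close-on-exec so a
 * script started with exec() does not inherit it. 0 on success, -1 on error. */
static int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0 ? -1 : 0;
}

/* Returns 1 if fd is close-on-exec, 0 if a child would inherit it, -1 on error. */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* The reported pattern: the listening socket sd is (re-)flagged and the
 * accepted socket new_sd is left as accept() returned it. */
int flag_listener_only(int sd, int new_sd)
{
    (void)new_sd;
    return set_cloexec(sd);
}

/* The intended pattern: flag the socket that accept() just returned. */
int flag_accepted(int sd, int new_sd)
{
    (void)sd;
    return set_cloexec(new_sd);
}

/* Build a listener/accepted pair (listener already CLOEXEC, as it is after
 * create_socket_tcp()), apply one of the two patterns, and report whether
 * the accepted side is protected: 1 = protected, 0 = inheritable, -1 = error. */
int accepted_fd_protected(int (*pattern)(int sd, int new_sd))
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    int sd = sv[0], new_sd = sv[1];
    int rc = -1;
    if (set_cloexec(sd) == 0 && pattern(sd, new_sd) == 0)
        rc = fd_is_cloexec(new_sd);
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void)
{
    printf("flag listener only: accepted fd protected = %d\n",
           accepted_fd_protected(flag_listener_only));
    printf("flag accepted fd:   accepted fd protected = %d\n",
           accepted_fd_protected(flag_accepted));
    return 0;
}
```

Reading the flag back with `F_GETFD` is the check to keep in a regression test, since the two patterns are indistinguishable by inspection of the listener alone. On Linux and the BSDs, `accept4()` with `SOCK_CLOEXEC` sets the flag atomically and removes the window between `accept()` and `fcntl()` in which a concurrently forked child could still inherit the descriptor. Where a descriptor is meant to reach a helper process, as Arne's port-share question raises, that hand-off has to be explicit rather than relying on an unflagged socket surviving exec().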
From: Gert D. <ge...@gr...> - 2025-10-21 19:46:10
Bad API hack, correct fix... verified by going to mroute.c and
reading up on what mroute_extract_openvpn_sockaddr() does with
"addr.proto" which should be an *output* structure, but this
field is used as input as well... can someone fix this for good,
please, after 2.7 release?
(Quite an impressive find by GCC)
Your patch has been applied to the master branch.
commit 0abf6e716b5a50b2b7f4287b1d50f4889eed36aa
Author: Frank Lichtenheld
Date: Tue Oct 21 21:31:40 2025 +0200
multi: Fix wrong usage of mroute_extract_openvpn_sockaddr
Signed-off-by: Frank Lichtenheld <fr...@li...>
Acked-by: Gert Doering <ge...@gr...>
Acked-by: Gianmarco De Gregori <gia...@ma...>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1292
Message-Id: <202...@gr...>
URL: https://www.mail-archive.com/ope...@li.../msg33830.html
Signed-off-by: Gert Doering <ge...@gr...>
--
kind regards,
Gert Doering
From: cron2 (C. Review) <ge...@op...> - 2025-10-21 19:46:07
cron2 has uploaded a new patch set (#3) to the change originally created by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/1292?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by cron2, Code-Review+2 by its_Giaan Change subject: multi: Fix wrong usage of mroute_extract_openvpn_sockaddr ...................................................................... multi: Fix wrong usage of mroute_extract_openvpn_sockaddr maddr.proto needs to be set before the call since that will change the behavior. Found by GCC "'maddr.proto' is used uninitialized" Change-Id: I76babf08b041162ddedf7a9b7c2799847f15cbdc Signed-off-by: Frank Lichtenheld <fr...@li...> Acked-by: Gert Doering <ge...@gr...> Acked-by: Gianmarco De Gregori <gia...@ma...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1292 Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg33830.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/multi.c 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/92/1292/3 diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index e907524..fa9c654 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c 
@@ -3965,9 +3965,9 @@ saddr.addr.in4.sin_family = AF_INET; saddr.addr.in4.sin_addr.s_addr = htonl(addr); saddr.addr.in4.sin_port = htons(port); + maddr.proto = proto; if (mroute_extract_openvpn_sockaddr(&maddr, &saddr, true)) { - maddr.proto = proto; hash_iterator_init(m->iter, &hi); while ((he = hash_iterator_next(&hi))) { -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1292?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: newpatchset Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I76babf08b041162ddedf7a9b7c2799847f15cbdc Gerrit-Change-Number: 1292 Gerrit-PatchSet: 3 Gerrit-Owner: flichtenheld <fr...@li...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: its_Giaan <gia...@ma...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> |
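Review bot: moving `maddr.proto = proto;` ahead of the `mroute_extract_openvpn_sockaddr(&maddr, &saddr, true)` call fixes the uninitialized read GCC reported, but it leaves the function taking `maddr` as an output parameter while reading one of its fields as input, which is exactly what the warning flagged and what the next caller will trip over again. Suggest a comment at this call site stating that `proto` must be set before the call, and a follow-up (after 2.7, as noted in the thread) that either passes the protocol as its own argument or documents the in/out contract in the prototype.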
From: cron2 (C. Review) <ge...@op...> - 2025-10-21 19:46:07
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1292?usp=email ) Change subject: multi: Fix wrong usage of mroute_extract_openvpn_sockaddr ...................................................................... multi: Fix wrong usage of mroute_extract_openvpn_sockaddr maddr.proto needs to be set before the call since that will change the behavior. Found by GCC "'maddr.proto' is used uninitialized" Change-Id: I76babf08b041162ddedf7a9b7c2799847f15cbdc Signed-off-by: Frank Lichtenheld <fr...@li...> Acked-by: Gert Doering <ge...@gr...> Acked-by: Gianmarco De Gregori <gia...@ma...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1292 Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg33830.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/multi.c 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index e907524..fa9c654 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -3965,9 +3965,9 @@ saddr.addr.in4.sin_family = AF_INET; saddr.addr.in4.sin_addr.s_addr = htonl(addr); saddr.addr.in4.sin_port = htons(port); + maddr.proto = proto; if (mroute_extract_openvpn_sockaddr(&maddr, &saddr, true)) { - maddr.proto = proto; hash_iterator_init(m->iter, &hi); while ((he = hash_iterator_next(&hi))) { -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1292?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: merged Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I76babf08b041162ddedf7a9b7c2799847f15cbdc Gerrit-Change-Number: 1292 Gerrit-PatchSet: 3 Gerrit-Owner: flichtenheld <fr...@li...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: its_Giaan <gia...@ma...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> |