| Message ID | 20221215190143.2107896-1-arne@rfc2549.org |
|---|---|
| Headers | show
Return-Path: <openvpn-devel-bounces@lists.sourceforge.net>
Delivered-To: patchwork@openvpn.net
Received: by 2002:a05:7300:c95:b0:82:e4b3:40a0 with SMTP id p21csp632040dyk;
Thu, 15 Dec 2022 11:02:43 -0800 (PST)
X-Google-Smtp-Source:
AA0mqf6/ai79bRJkS9JJrS0018CfY38rn6CcRUnzNdfOZONR2WE0zkebq3nFLftBQLAul6bVZbTT
X-Received: by 2002:a92:caca:0:b0:303:4a25:4e95 with SMTP id
m10-20020a92caca000000b003034a254e95mr17625667ilq.4.1671130963558;
Thu, 15 Dec 2022 11:02:43 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1671130963; cv=none;
d=google.com; s=arc-20160816;
b=uYQvM1Nmm6jUSIIehyyvFY6hmPwKkEcbrDx7GUEQDyv4NNeTIxbNSdjfvDI17RtpJL
tiJe4qYfMjijawQ99vshe9hDiCInXlMVeTNWcdVf+hOsxAgRJ0MvIGaU34n3Oaj9JxSe
ZVUBqR03bi3+cWh0H0V+JBHzpioske7DGVk05S0SRBfiA40rU+ZnUEs09m3YcF2UPDoy
Rv+kjBtNsNq2vdBFGH4mhpSxdqp9VAYfWCMXtWCkDTGs2ZMKMaBGOiSdTuWf/Zp968Ug
ezEC2LPY2MmbQwgxKFigftEQ2w+66VApOSV/rUKvDnROScXjTMBsWQoLaNvIU+Q1Hz8s
U9TQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=errors-to:content-transfer-encoding:list-subscribe:list-help
:list-post:list-archive:list-unsubscribe:list-id:precedence:subject
:mime-version:message-id:date:to:from:dkim-signature:dkim-signature;
bh=JhjglrKGariVwTFj2qL30pT1mNMN3k2aEUYZ8rzlQjA=;
b=yeTDH/PyVQOrEyegixoHVZzQlwyTgh0prQ7xaWk0WHD+CNh2KUV7A2pw9RJVTP5s2L
eHiipC5hrvWS9cIXcR7D7Ff57rCth7rfBIryRQypZG335HPPFLpohiXoB2l5tcJcHgPd
FAcCQriOtJT6aOjbYbuItEX37XFO8iiE1JFq9AHIIPu9hREm919l4dUgjf65A6F/gnOs
vLb1s42BMuce9/QX/v6yfqMx6arUh+jiZsgxRmLkFyYBkhV6PFYUWfUaZHLPzEnLlNz6
9y0ogwNesoH3m8MrtuznrUB84datOsUJyUmxmSG+2kaRlY8Fs7I1LqRwEk9HN7uhlwAV
Dmyw==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=neutral (body hash did not verify) header.i=@sourceforge.net
header.s=x header.b=axg8nKz2;
dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
header.b=VuagzgOJ;
spf=pass (google.com: domain of
openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net
Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7])
by mx.google.com with ESMTPS id
q20-20020ab070b4000000b00419d34215cdsi1891082ual.29.2022.12.15.11.02.43
(version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
Thu, 15 Dec 2022 11:02:43 -0800 (PST)
Received-SPF: pass (google.com: domain of
openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
permitted sender) client-ip=216.105.38.7;
Authentication-Results: mx.google.com;
dkim=neutral (body hash did not verify) header.i=@sourceforge.net
header.s=x header.b=axg8nKz2;
dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
header.b=VuagzgOJ;
spf=pass (google.com: domain of
openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net
Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com)
by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.95)
(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
id 1p5tUW-0007BW-UC;
Thu, 15 Dec 2022 19:02:00 +0000
Received: from [172.30.20.202] (helo=mx.sourceforge.net)
by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95)
(envelope-from <arne@kamera.blinkt.de>) id 1p5tUT-0007B3-0e
for openvpn-devel@lists.sourceforge.net;
Thu, 15 Dec 2022 19:01:57 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:Message-Id:
Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID:
Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
List-Subscribe:List-Post:List-Owner:List-Archive;
bh=Ic1QHWrdWSdtVbWPa0b8NvkbYEtpq32k3JKh2Uoa7k8=; b=axg8nKz2yVktzd4UzmhYVSv9AL
RxEYkevyZqRiuVxIdFGttfEUKm7J+g1CCwz5N6BiUrcARZgcJQrxEWq3PGVkXw5G5gNGOzKd9uVJE
jyzbvGTk4XR+VQ95sBJuNfvpjmvS2j3oKQFOYpDa3qvcaX5SpRdrbtK1ABlvPSev5D5s=;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x
;
h=Content-Transfer-Encoding:MIME-Version:Message-Id:Date:Subject:To:From:
Sender:Reply-To:Cc:Content-Type:Content-ID:Content-Description:Resent-Date:
Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:
References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:
List-Owner:List-Archive; bh=Ic1QHWrdWSdtVbWPa0b8NvkbYEtpq32k3JKh2Uoa7k8=; b=V
uagzgOJV0qVuqiYWB7ZDl+CVkPRnjb4/GZPGb3CbVB/g6QAhbuXRd0gEhwY9pU0VdjxSMuci0BEDo
+UaJRRYyF5DdJLaiY/a4J+6gbHbBz5v1yqDQgIKMVDIZjHHYSS6IKspU7UNTtSI3Z/b4Yo7t36ott
xuKrxOb88rUI5rIk=;
Received: from mail.blinkt.de ([192.26.174.232])
by sfi-mx-1.v28.lw.sourceforge.com with esmtps
(TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95)
id 1p5tUR-000hyl-Tv for openvpn-devel@lists.sourceforge.net;
Thu, 15 Dec 2022 19:01:56 +0000
Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c])
by mail.blinkt.de with smtp (Exim 4.95 (FreeBSD))
(envelope-from <arne@kamera.blinkt.de>) id 1p5tUF-000Kvu-8F
for openvpn-devel@lists.sourceforge.net;
Thu, 15 Dec 2022 20:01:43 +0100
Received: (nullmailer pid 2107942 invoked by uid 10006);
Thu, 15 Dec 2022 19:01:43 -0000
From: Arne Schwabe <arne@rfc2549.org>
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 15 Dec 2022 20:01:35 +0100
Message-Id: <20221215190143.2107896-1-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
X-Spam-Score: 0.3 (/)
X-Spam-Report: Spam detection software,
running on the system "util-spamd-1.v13.lw.sourceforge.com",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
the administrator of that system for details.
Content preview: This patch set addresses some issues found by Trail of Bits
in an audit of OpenVPN 2.x. This audit is currently not public but the
intention
is to publish it. The audit contained no vulnerability or problem that was
deemed a vulnerability that needed a CVE or coordinated release. Therefore,
this patch set is send to the public mailing list instead of going [...]
Content analysis details: (0.3 points, 6.0 required)
pts rule name description
---- ----------------------
--------------------------------------------------
0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
mail domains are different
0.0 SPF_NONE SPF: sender does not publish an SPF Record
X-Headers-End: 1p5tUR-000hyl-Tv
Subject: [Openvpn-devel] [PATCH 0/8] Improvement/fixes based on Trail of
Bits audit
X-BeenThere: openvpn-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <openvpn-devel.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/options/openvpn-devel>,
<mailto:openvpn-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive:
<http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel>
List-Post: <mailto:openvpn-devel@lists.sourceforge.net>
List-Help: <mailto:openvpn-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/openvpn-devel>,
<mailto:openvpn-devel-request@lists.sourceforge.net?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: openvpn-devel-bounces@lists.sourceforge.net
X-getmail-retrieved-from-mailbox: Inbox
X-GMAIL-THRID: =?utf-8?q?1752307821479180196?=
X-GMAIL-MSGID: =?utf-8?q?1752307821479180196?=
|
| Series |
Improvement/fixes based on Trail of Bits audit
|
expand
|
This patch set addresses some issues found by Trail of Bits in an audit of OpenVPN 2.x. This audit is currently not public but the intention is to publish it. The audit contained no vulnerability or problem that was deemed a vulnerability that needed a CVE or coordinated release. Therefore, this patch set is send to the public mailing list instead of going through a closed review only on the security@openvpn.net list that we would have done otherwise. This patch set also includes another security patch that is unrelated to the audit (Make management password check constant time) that was reported by Connor Edwards <cedw@pm.me>. Arne Schwabe (7): Make management password check constant time Ensure that argument to parse_line has always space for final sentinel Improve documentation on user/password requirement and unicodize function Eliminate or comment empty blocks and switch fallthrough Remove unused gc_arena Fix corner case that might lead to leaked file descriptor Deprecate NTLMv1 proxy auth method. David Sommerseth (1): ssl_verify: Fix memleak if creating deferred auth control files fails src/openvpn/comp-lz4.c | 1 + src/openvpn/crypto.c | 1 + src/openvpn/forward.c | 3 -- src/openvpn/init.c | 1 + src/openvpn/lzo.c | 1 + src/openvpn/manage.c | 6 +++- src/openvpn/misc.c | 1 + src/openvpn/misc.h | 1 + src/openvpn/multi.c | 2 -- src/openvpn/ntlm.c | 13 ++++++++ src/openvpn/options.c | 14 +++----- src/openvpn/proxy.c | 2 ++ src/openvpn/push.c | 4 +-- src/openvpn/ssl_openssl.c | 68 ++++++++++++++++++--------------------- src/openvpn/ssl_verify.c | 6 ++-- 15 files changed, 68 insertions(+), 56 deletions(-)