Re: [Openvpn-devel] [PATCH v2] reformatting: fix style in crypto*.{c, h}

2016-12-21 Thread Selva Nair
On Wed, Dec 21, 2016 at 4:09 PM, David Sommerseth <
open...@sf.lists.topphemmelig.net> wrote:

>
> Hmmm ... I like that we're trying to clean up the formatting further.
> But I'm not too happy that uncrustify seems to disagree slightly ...
> See the attached patch what happened after applying your patch and then
> running:
>
>$ uncrustify --no-backup -l C $files


Then do not run uncrustify.. let it disagree :)

Selva
--
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today. http://sdm.link/intel
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [PATCH v2] reformatting: fix style in crypto*.{c, h}

2016-12-21 Thread Steffan Karger
Hi,

On 21 December 2016 at 22:09, David Sommerseth
 wrote:
> On 18/12/16 19:26, Steffan Karger wrote:
>> Now that we have touched each and every file anyway, I decided to go over
>> the code I regularly work with and reformat it some more by hand.  This is
>> how far I got today, and is a large enough patch I think.
>>
>> This commit is mostly just reordering and changing whitespace, with one
>> exception: it removes the #if 0 around some debugging code in
>> read_key_file(), and now always prints the debugging if D_SHOW_KEYS is
>> enabled.
>>
>> This patch is best reviewed with something like
>> 'git diff --ignore-space-change'.
>>
>> Signed-off-by: Steffan Karger 
>> ---
>> v2: fix wrong indent, add more 'for () {' -> 'for ()\n{' fixes.
>>
>>  src/openvpn/crypto.c | 425 
>> ++-
>>  src/openvpn/crypto.h |  27 ++-
>>  src/openvpn/crypto_mbedtls.c |  63 ---
>>  src/openvpn/crypto_openssl.c |  38 ++--
>>  src/openvpn/cryptoapi.c  | 101 ++
>>  5 files changed, 356 insertions(+), 298 deletions(-)
>>
> [...snip...]
>
> Hmmm ... I like that we're trying to clean up the formatting further.
> But I'm not too happy that uncrustify seems to disagree slightly ...
> See the attached patch what happened after applying your patch and then
> running:
>
>$ uncrustify --no-backup -l C $files
>
> We should either see if our uncrustify config is correct or need slight
> adjustments (without needing to re-run it on the complete tree once again)

This seems to be due to 2 things:

1) I adhered to the CodeStyle page 'When lines exceed this length,
wrap them using a double indent (ie 8 spaces)', while the uncrustify
config uses a single indent.  Since this double indent was somewhat
arbitrary, I think we should just change the CodeStyle page to single
indent.

2) Uncrustify insists on either 'align function parameters' or 'indent
function parameters'.  There is no 'ignore' for this option.  The
current config uses 'align', which is fine in a lot of places, but in
some cases (such as the ones I've changed) it impairs readability.

Point 2 makes me believe that we should not enforce the code style
with a tool, but rather just with eyes during patch review.  There's
just too many places where some freedom can improve readability.

Alternatively, if everyone thinks that 'indent' is better than
'align', we can change the config and postpone this discussion until
the next time where we run into something ;)

-Steffan



Re: [Openvpn-devel] [PATCH release/2.4] Update copyrights

2016-12-21 Thread Christian Hesse
David Sommerseth  on Wed, 2016/12/21 21:00:
> Signed-off-by: David Sommerseth 

As we will (hopefully) see a release in 2016... Does it make sense to update
to 2017?
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}




Re: [Openvpn-devel] [PATCH release/2.3] docs: Further improve --reneg-bytes and SWEET32 information

2016-12-21 Thread Steffan Karger
Hi,

On 21 December 2016 at 21:54, David Sommerseth  wrote:
> +If using ciphers with cipher block sizes less than 128-bits, 
> \-\-reneg\-bytes is
> +set to 64MB by default, unless it is explicitly disabled by setting the 
> value to
> +0,but this is

(As in the patch for master:) missing space behind the ,.

ACK once that's fixed.

-Steffan



Re: [Openvpn-devel] [PATCH master+v2.4] docs: Further enhance the documentation related to SWEET32

2016-12-21 Thread Steffan Karger
Hi,

On 21 December 2016 at 21:54, David Sommerseth  wrote:
>  User-visible Changes
>  
> +- When using ciphers with cipher blocks less than 128-bits
> +  OpenVPN will complain loudly if the configuration uses ciphers considered
> +  weak, such as the SWEET32 attack vector.  In such scenarios, OpenVPN will 
> by
> +  default do a renegotiation for each 64MB of transported data 
> (``--reneg-bytes``).
> +  This can renegotiation can be disabled, but is HIGHLY DISCOURAGED.

There's a can too much here.

> +If using ciphers with cipher block sizes less than 128-bits, 
> \-\-reneg\-bytes is
> +set to 64MB by default, unless it is explicitly disabled by setting the 
> value to
> +0,but this is

Missing a space behind the ,

> +.B HIGHLY DISCOURAGED
> +as this is designed to add some protection against the SWEET32 attack vector.
> +For more information see the \-\-cipher option.

-Steffan



Re: [Openvpn-devel] [PATCH 1/1] do not race on RuntimeDirectory

2016-12-21 Thread Christian Hesse
debbie10t  on Tue, 2016/12/20 00:32:
> On 16/12/16 15:57, Christian Hesse wrote:
> > From: Christian Hesse 
> >
> > Different unit instances create and destroy the same RuntimeDirectory.
> > This leads to running instances where the status file (and possibly
> > more runtime data) is no longer accessible.
> >
> > So create a RuntimeDirectory per instance.
> >
> > Signed-off-by: Christian Hesse 
> > ---
> >  distro/systemd/openvpn-client@.service | 2 +-
> >  distro/systemd/openvpn-server@.service | 4 ++--
> >  2 files changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/distro/systemd/openvpn-client@.service
> > b/distro/systemd/openvpn-client@.service index 5618af3..fcb5302 100644
> > --- a/distro/systemd/openvpn-client@.service
> > +++ b/distro/systemd/openvpn-client@.service
> > @@ -9,7 +9,7 @@
> > Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO [Service]
> >  Type=notify
> >  PrivateTmp=true
> > -RuntimeDirectory=openvpn-client
> > +RuntimeDirectory=openvpn-client@%i
> >  RuntimeDirectoryMode=0710
> >  WorkingDirectory=/etc/openvpn/client
> >  ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config
> > %i.conf diff --git a/distro/systemd/openvpn-server@.service
> > b/distro/systemd/openvpn-server@.service index b9b4dba..8b240cf 100644
> > --- a/distro/systemd/openvpn-server@.service
> > +++ b/distro/systemd/openvpn-server@.service
> > @@ -9,10 +9,10 @@
> > Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO [Service]
> >  Type=notify
> >  PrivateTmp=true
> > -RuntimeDirectory=openvpn-server
> > +RuntimeDirectory=openvpn-server@%i
> >  RuntimeDirectoryMode=0710
> >  WorkingDirectory=/etc/openvpn/server
> > -ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log
> > --status-version 2 --suppress-timestamps --config %i.conf
> > +ExecStart=/usr/sbin/openvpn --status %t/openvpn-server@%i/status.log
> > --status-version 2 --suppress-timestamps --config %i.conf
> > CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE
> > CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
> > LimitNPROC=10 DeviceAllow=/dev/null rw 
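Review bot: the new ExecStart line in openvpn-server@.service moves the status file from %t/openvpn-server/status-%i.log to %t/openvpn-server@%i/status.log, a user-visible path change that the commit message does not mention; anything that reads the old path will stop finding it, so please call it out in the commit message or in Changes.rst. Both units now also rely on %i being expanded inside RuntimeDirectory=, so the minimum systemd version this requires should be stated next to the change.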
> 
> 
> CentOS 7 (after full update) still only uses systemd version 219
> 
> This functionality is not introduced until systemd 227
> 
> https://github.com/systemd/systemd/blob/master/NEWS

Ah, good to know when this was implemented. :-D

But we already know that this does not work for versions we want to support.
Thus I had sent a patch with a new approach on Dec 16th where RuntimeDirectory
is removed from unit files and directories are handled via tmpfiles.d. Can
you take a look at that one?
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}




Re: [Openvpn-devel] [PATCH v2] reformatting: fix style in crypto*.{c, h}

2016-12-21 Thread David Sommerseth
On 18/12/16 19:26, Steffan Karger wrote:
> Now that we have touched each and every file anyway, I decided to go over
> the code I regularly work with and reformat it some more by hand.  This is
> how far I got today, and is a large enough patch I think.
> 
> This commit is mostly just reordering and changing whitespace, with one
> exception: it removes the #if 0 around some debugging code in
> read_key_file(), and now always prints the debugging if D_SHOW_KEYS is
> enabled.
> 
> This patch is best reviewed with something like
> 'git diff --ignore-space-change'.
> 
> Signed-off-by: Steffan Karger 
> ---
> v2: fix wrong indent, add more 'for () {' -> 'for ()\n{' fixes.
> 
>  src/openvpn/crypto.c | 425 
> ++-
>  src/openvpn/crypto.h |  27 ++-
>  src/openvpn/crypto_mbedtls.c |  63 ---
>  src/openvpn/crypto_openssl.c |  38 ++--
>  src/openvpn/cryptoapi.c  | 101 ++
>  5 files changed, 356 insertions(+), 298 deletions(-)
> 
[...snip...]

Hmmm ... I like that we're trying to clean up the formatting further.
But I'm not too happy that uncrustify seems to disagree slightly ...
See the attached patch what happened after applying your patch and then
running:

   $ uncrustify --no-backup -l C $files

We should either see if our uncrustify config is correct or need slight
adjustments (without needing to re-run it on the complete tree once again)


--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 06e7b7e..a665648 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -268,9 +268,9 @@ openvpn_encrypt_v1(struct buffer *buf, struct buffer work,
 {
 struct packet_id_net pin;
 packet_id_alloc_outgoing(&opt->packet_id.send, &pin,
-BOOL_CAST(opt->flags & CO_PACKET_ID_LONG_FORM));
+ BOOL_CAST(opt->flags & CO_PACKET_ID_LONG_FORM));
 ASSERT(packet_id_write(&pin, buf,
-BOOL_CAST(opt->flags & CO_PACKET_ID_LONG_FORM), true));
+   BOOL_CAST(opt->flags & CO_PACKET_ID_LONG_FORM), true));
 }
 if (ctx->hmac)
 {
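Review bot: in the second re-indented call of this hunk, packet_id_write() is evaluated inside ASSERT(), so writing the packet ID depends on ASSERT() never being compiled out. While these lines are being touched, consider storing the result in a local and asserting on that, or add a comment saying ASSERT() is always active in this code base.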
@@ -570,7 +570,7 @@ openvpn_decrypt_v1(struct buffer *buf, struct buffer work,
 
 /* initialize work buffer with FRAME_HEADROOM bytes of prepend capacity */
 const int work_headroom =
-FRAME_HEADROOM_ADJ(frame, FRAME_HEADROOM_MARKER_DECRYPT);
+FRAME_HEADROOM_ADJ(frame, FRAME_HEADROOM_MARKER_DECRYPT);
 ASSERT(buf_init(&work, work_headroom));
 
 /* use IV if user requested it */
@@ -718,7 +718,7 @@ openvpn_decrypt(struct buffer *buf, struct buffer work,
 
 void
 crypto_adjust_frame_parameters(struct frame *frame, const struct key_type *kt,
-bool use_iv, bool packet_id, bool packet_id_long_form)
+   bool use_iv, bool packet_id, bool packet_id_long_form)
 {
 size_t crypto_overhead = 0;
 
@@ -840,7 +840,7 @@ init_key_type(struct key_type *kt, const char *ciphername,
 /* given a key and key_type, build a key_ctx */
 void
 init_key_ctx(struct key_ctx *ctx, struct key *key, const struct key_type *kt,
-int enc, const char *prefix)
+ int enc, const char *prefix)
 {
 struct gc_arena gc = gc_new();
 CLEAR(*ctx);
@@ -1101,7 +1101,7 @@ test_crypto(struct crypto_options *co, struct frame *frame)
 #ifdef HAVE_AEAD_CIPHER_MODES
 /* init implicit IV */
 const cipher_kt_t *cipher =
-cipher_ctx_get_cipher_kt(co->key_ctx_bi.encrypt.cipher);
+cipher_ctx_get_cipher_kt(co->key_ctx_bi.encrypt.cipher);
 if (cipher_kt_mode_aead(cipher))
 {
 size_t impl_iv_len = cipher_kt_iv_size(cipher) - sizeof(packet_id_type);
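Review bot: the last context line of this hunk computes impl_iv_len as cipher_kt_iv_size(cipher) - sizeof(packet_id_type) into a size_t, which wraps to a very large value if the cipher's IV is shorter than a packet ID. Nothing in the visible lines bounds the IV size before the subtraction; if no check follows, an ASSERT(cipher_kt_iv_size(cipher) >= sizeof(packet_id_type)) ahead of it would make the assumption explicit.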
@@ -1114,7 +1114,7 @@ test_crypto(struct crypto_options *co, struct frame *frame)
 co->key_ctx_bi.encrypt.implicit_iv_len = impl_iv_len;
 
 memcpy(co->key_ctx_bi.decrypt.implicit_iv,
-co->key_ctx_bi.encrypt.implicit_iv, OPENVPN_MAX_IV_LENGTH);
+   co->key_ctx_bi.encrypt.implicit_iv, OPENVPN_MAX_IV_LENGTH);
 co->key_ctx_bi.decrypt.implicit_iv_len = impl_iv_len;
 }
 #endif /* ifdef HAVE_AEAD_CIPHER_MODES */
@@ -1172,8 +1172,8 @@ test_crypto(struct crypto_options *co, struct frame *frame)
 
 void
 crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx,
-const char *key_file, const char *key_inline, const int key_direction,
-const char *key_name, const char *opt_name)
+const char *key_file, const char *key_inline, const int key_direction,
+const char *key_name, const char *opt_name)
 {
 struct key2 key2;
 struct key_direction_state kds;
@@ -1419,7 +1419,7 @@ read_key_file(struct key2 *key2, const char *file, const unsigned int flags)
 for 

Re: [Openvpn-devel] [PATCH applied] Bump master to version 2.5_git

2016-12-21 Thread David Sommerseth


Your patch has been applied to the master branch.

commit e1dd49a38875909bda218c0c3f772e791681ac36
Author: Steffan Karger
Date:   Sun Dec 18 17:38:15 2016 +0100

 Bump master to version 2.5_git

 Signed-off-by: Steffan Karger 
 Acked-by: David Sommerseth 
 Message-Id: <1482079095-14880-1-git-send-email-stef...@karger.me>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13619.html
 Signed-off-by: David Sommerseth 


- --
kind regards,

David Sommerseth



Re: [Openvpn-devel] [PATCH applied] Update copyrights

2016-12-21 Thread David Sommerseth


Your patch has been applied to the release/2.3 branch.

commit 782c95330b630c3823418a7867fcc1763d3f103f
Author: David Sommerseth
Date:   Wed Dec 21 21:00:53 2016 +0100

 Update copyrights

 Signed-off-by: David Sommerseth 
 Acked-by: Steffan Karger 
 Message-Id: <1482350454-27280-3-git-send-email-dav...@openvpn.net>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13656.html


- --
kind regards,

David Sommerseth



Re: [Openvpn-devel] [PATCH applied] Update copyrights

2016-12-21 Thread David Sommerseth


Your patch has been applied to the master branch.

commit 58716979640b5d8850b39820f91da616964398cc
Author: David Sommerseth
Date:   Wed Dec 21 21:00:52 2016 +0100

 Update copyrights

 Signed-off-by: David Sommerseth 
 Acked-by: Steffan Karger 
 Message-Id: <1482350454-27280-2-git-send-email-dav...@openvpn.net>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13653.html


- --
kind regards,

David Sommerseth



Re: [Openvpn-devel] [PATCH applied] Update copyrights

2016-12-21 Thread David Sommerseth


Your patch has been applied to the release/2.4 branch.

commit a0006fa431d2109a55ecc741a34510aea00dd608
Author: David Sommerseth
Date:   Wed Dec 21 21:00:54 2016 +0100

 Update copyrights

 Signed-off-by: David Sommerseth 
 Acked-by: Steffan Karger 
 Message-Id: <1482350454-27280-4-git-send-email-dav...@openvpn.net>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13655.html


- --
kind regards,

David Sommerseth



[Openvpn-devel] [PATCH] Improve documentation related to SWEET32 and --reneg-bytes

2016-12-21 Thread David Sommerseth
There have been several support questions related to the enforced renegotiation
happening in OpenVPN v2.3.13.  This will also be visible to users when they
upgrade to v2.4.0.

These patches update both master (including release/2.4) and release/2.3
branches with additional details to hopefully make it a bit less surprising.


--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
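
The reasoning behind the 64MB default that these patches document, as an added example (not code from OpenVPN or from this thread): SWEET32 is a birthday attack on 64-bit block ciphers, so the chance of a ciphertext block collision grows with the amount of data encrypted under one key. The cipher list, the BF-CBC default and reading "64MB" as 64 MiB are assumptions of this sketch, and the sample configs are constructed.

```python
import math

# Constructed, non-exhaustive list of --cipher names with a 64-bit block size.
BLOCK64_CIPHERS = {
    "BF-CBC", "DES-CBC", "DES-EDE-CBC", "DES-EDE3-CBC",
    "DESX-CBC", "CAST5-CBC", "RC2-CBC", "IDEA-CBC",
}
DEFAULT_CIPHER = "BF-CBC"            # assumption: cipher used when no cipher line is set
AUTO_RENEG_BYTES = 64 * 1024 * 1024  # assumption: the "64MB" in the patch means 64 MiB


def block_bits(cipher):
    """Block size in bits; names outside the 64-bit list are assumed to be 128-bit."""
    return 64 if cipher.upper() in BLOCK64_CIPHERS else 128


def collision_probability(bits, nbytes):
    """Birthday approximation 1 - exp(-q(q-1) / 2^(bits+1)) for q blocks under one key."""
    q = nbytes * 8 // bits
    return -math.expm1(-q * (q - 1) / 2.0 ** (bits + 1))


def parse_options(text):
    """Return {option: [args]} from config text, ignoring '#' and ';' comments."""
    opts = {}
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split(";", 1)[0].split()
        if words:
            opts[words[0].lstrip("-")] = words[1:]
    return opts


def audit(text):
    """Apply the rule from the patch text: block size < 128 bits => reneg-bytes
    defaults to 64MB unless the config sets it, and 0 disables it."""
    opts = parse_options(text)
    cipher = (opts.get("cipher") or [DEFAULT_CIPHER])[0].upper()
    bits = block_bits(cipher)
    explicit = opts.get("reneg-bytes")
    if explicit:
        reneg = int(explicit[0])
    else:
        reneg = AUTO_RENEG_BYTES if bits < 128 else 0
    findings = []
    if bits < 128:
        findings.append("small-block-cipher")
        if reneg == 0:
            findings.append("reneg-bytes-disabled")
    return {
        "cipher": cipher,
        "block_bits": bits,
        "reneg_bytes": reneg,
        "findings": findings,
        # None means the byte count never forces a rekey, so no bound applies here.
        "collision_probability": collision_probability(bits, reneg) if reneg else None,
    }


# Constructed sample configurations.
SAMPLES = {
    "legacy default": "dev tun\nremote vpn.example.net 1194\n",
    "3DES, rekey off": "cipher DES-EDE3-CBC\nreneg-bytes 0  # silence the rekeying\n",
    "AES-GCM": "cipher AES-256-GCM\n",
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        print(name, audit(cfg))
    # Same 64-bit cipher, one key, 32 GiB of traffic: collision odds near 40%.
    print("32 GiB:", collision_probability(64, 32 * 2**30))
```

With a 64-bit block, 64 MiB per key keeps the collision probability near 2^-19, while 32 GiB under one key pushes it to roughly 0.39, which is the gap the enforced renegotiation closes.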






[Openvpn-devel] [PATCH master+v2.4] docs: Further enhance the documentation related to SWEET32

2016-12-21 Thread David Sommerseth
The git master/2.4 code lacked some useful information about
the changes to --reneg-bytes, SWEET32 and weak ciphers (less
than 128-bits cipher blocks)

Signed-off-by: David Sommerseth 
---
 Changes.rst   |  6 ++
 doc/openvpn.8 | 13 ++---
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/Changes.rst b/Changes.rst
index 8508fa3..2702419 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -182,6 +182,12 @@ Deprecated features
 
 User-visible Changes
 
+- When using ciphers with cipher blocks less than 128-bits
+  OpenVPN will complain loudly if the configuration uses ciphers considered
+  weak, such as the SWEET32 attack vector.  In such scenarios, OpenVPN will by
+  default do a renegotiation for each 64MB of transported data 
(``--reneg-bytes``).
+  This can renegotiation can be disabled, but is HIGHLY DISCOURAGED.
+
 - For certificate DNs with duplicate fields, e.g. "OU=one,OU=two", both fields
   are now exported to the environment, where each second and later occurrence
   of a field get _$N appended to it's field name, starting at N=1.  For the
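Review bot: the added bullet reads "ciphers considered weak, such as the SWEET32 attack vector", which names an attack as if it were a cipher, and its last line has a doubled "can" ("This can renegotiation can be disabled"). Suggest wording along the lines of "ciphers considered weak, for example those exposed to the SWEET32 attack" and "This renegotiation can be disabled, but doing so is HIGHLY DISCOURAGED"; a comma after "128-bits" on the first line would also help readability.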
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index f079799..f2d7c6d 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -4876,11 +4876,18 @@ such as TCP expect this role to be left to them.
 .B \-\-reneg\-bytes n
 Renegotiate data channel key after
 .B n
-bytes sent or received (disabled by default).
+bytes sent or received (disabled by default with an exception, see below).
 OpenVPN allows the lifetime of a key
-to be expressed as a number of bytes encrypted/decrypted, a number of packets, 
or
-a number of seconds.  A key renegotiation will be forced
+to be expressed as a number of bytes encrypted/decrypted, a number of packets,
+or a number of seconds.  A key renegotiation will be forced
 if any of these three criteria are met by either peer.
+
+If using ciphers with cipher block sizes less than 128-bits, \-\-reneg\-bytes 
is
+set to 64MB by default, unless it is explicitly disabled by setting the value 
to
+0,but this is
+.B HIGHLY DISCOURAGED
+as this is designed to add some protection against the SWEET32 attack vector.
+For more information see the \-\-cipher option.
 .\"*
 .TP
 .B \-\-reneg\-pkts n
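Review bot: the added paragraph contains "0,but this is" with no space after the comma. The first changed line now says "disabled by default with an exception, see below", and the exception gives the default as "64MB" although the option is documented as taking n bytes; consider also stating the value in the unit the option expects, so readers know what to write in a config to change it.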
-- 
1.8.3.1




[Openvpn-devel] [PATCH release/2.3] docs: Further improve --reneg-bytes and SWEET32 information

2016-12-21 Thread David Sommerseth
There are still some support tickets related to SWEET32 and
our default enforced --reneg-bytes 64 when using weaker ciphers
(less than 128-bits cipher blocks).  Try to clarify this even
more.

Also fix a few mistakes, saying less than 128-bits and not 128-bits
and less.

Signed-off-by: David Sommerseth 
---
 Changes.rst   |  6 +++---
 doc/openvpn.8 | 13 ++---
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/Changes.rst b/Changes.rst
index 3e3aaad..1c0154c 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -57,10 +57,10 @@ Improved UTF-8 support
 Behavioral changes
 --
 
-- OpenVPN will complain loudly about ciphers with 128-bits block sizes or less
+- OpenVPN will complain loudly about ciphers with block sizes less than 
128-bits
 
 - OpenVPN will by default re-negotiate the tunnel after 64MB when used with
-  ciphers using cipher blocks of 128-bits or less
+  ciphers using cipher blocks sizes less than 128-bits
 
 - Remove --enable-password-save option to configure, this is now always enabled
 
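Review bot: the second replaced bullet now reads "ciphers using cipher blocks sizes less than 128-bits"; "blocks sizes" should be "block sizes", matching the first bullet's "block sizes less than 128-bits".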
@@ -121,7 +121,7 @@ Version 2.3.13
 
   Ciphers with cipher blocks less than 128 bits will now do a renegotiation
   of the tunnel by default for every 64MB of data.  This behaviour can be
-  overridden by explictly setting --reneg-bytes 0 in the configuration file,
+  overridden by explicitly setting --reneg-bytes 0 in the configuration file,
   however this is HIGHLY discouraged.
 
   This is to reduce the risk for SWEET32 attacks.  The general recommendation
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 2140733..6063ccd 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -4612,11 +4612,18 @@ such as TCP expect this role to be left to them.
 .B \-\-reneg\-bytes n
 Renegotiate data channel key after
 .B n
-bytes sent or received (disabled by default).
+bytes sent or received (disabled by default with an exception, see below).
 OpenVPN allows the lifetime of a key
-to be expressed as a number of bytes encrypted/decrypted, a number of packets, 
or
-a number of seconds.  A key renegotiation will be forced
+to be expressed as a number of bytes encrypted/decrypted, a number of packets,
+or a number of seconds.  A key renegotiation will be forced
 if any of these three criteria are met by either peer.
+
+If using ciphers with cipher block sizes less than 128-bits, \-\-reneg\-bytes 
is
+set to 64MB by default, unless it is explicitly disabled by setting the value 
to
+0,but this is
+.B HIGHLY DISCOURAGED
+as this is designed to add some protection against the SWEET32 attack vector.
+For more information see the \-\-cipher option.
 .\"*
 .TP
 .B \-\-reneg\-pkts n
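Review bot: "0,but this is" in the added paragraph is missing a space after the comma. The paragraph also sends readers to the \-\-cipher option for more information, and this hunk does not touch that section, so please confirm the release/2.3 man page's \-\-cipher text actually covers SWEET32 before pointing at it.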
-- 
1.8.3.1




Re: [Openvpn-devel] [PATCH master] Update copyrights

2016-12-21 Thread Steffan Karger
Hi,

On 21-12-16 21:00, David Sommerseth wrote:
> Signed-off-by: David Sommerseth 
> ---
>  COPYING   | 2 +-
>  ChangeLog | 2 +-
>  Makefile.am   | 2 +-
>  PORTS | 2 +-
>  build/Makefile.am | 2 +-
>  build/msvc/Makefile.am| 2 +-
>  build/msvc/msvc-generate/Makefile.am  | 2 +-
>  configure.ac  | 2 +-
>  dev-tools/reformat-all.sh | 2 +-
>  dev-tools/update-copyright.sh | 2 +-
>  distro/Makefile.am| 2 +-
>  distro/rpm/Makefile.am| 2 +-
>  doc/Makefile.am   | 2 +-
>  doc/doxygen/doc_compression.h | 2 +-
>  doc/doxygen/doc_control_processor.h   | 2 +-
>  doc/doxygen/doc_control_tls.h | 2 +-
>  doc/doxygen/doc_data_control.h| 2 +-
>  doc/doxygen/doc_data_crypto.h | 2 +-
>  doc/doxygen/doc_eventloop.h   | 2 +-
>  doc/doxygen/doc_external_multiplexer.h| 2 +-
>  doc/doxygen/doc_fragmentation.h   | 2 +-
>  doc/doxygen/doc_internal_multiplexer.h| 2 +-
>  doc/doxygen/doc_key_generation.h  | 2 +-
>  doc/doxygen/doc_mainpage.h| 2 +-
>  doc/doxygen/doc_memory_management.h   | 2 +-
>  doc/doxygen/doc_protocol_overview.h   | 2 +-
>  doc/doxygen/doc_reliable.h| 2 +-
>  doc/doxygen/doc_tunnel_state.h| 2 +-
>  doc/openvpn.8 | 2 +-
>  include/Makefile.am   | 2 +-
>  include/openvpn-msg.h | 2 +-
>  include/openvpn-plugin.h.in   | 2 +-
>  sample/Makefile.am| 2 +-
>  sample/sample-plugins/defer/simple.c  | 2 +-
>  .../keying-material-exporter-demo/keyingmaterialexporter.c| 2 +-
>  sample/sample-plugins/log/log.c   | 2 +-
>  sample/sample-plugins/log/log_v3.c| 2 +-
>  sample/sample-plugins/simple/simple.c | 2 +-
>  src/Makefile.am   | 2 +-
>  src/compat/Makefile.am| 2 +-
>  src/compat/compat-gettimeofday.c  | 2 +-
>  src/openvpn/Makefile.am   | 2 +-
>  src/openvpn/argv.c| 2 +-
>  src/openvpn/argv.h| 2 +-
>  src/openvpn/basic.h   | 2 +-
>  src/openvpn/block_dns.c   | 2 +-
>  src/openvpn/buffer.c  | 2 +-
>  src/openvpn/buffer.h  | 2 +-
>  src/openvpn/circ_list.h   | 2 +-
>  src/openvpn/clinat.c  | 2 +-
>  src/openvpn/clinat.h  | 2 +-
>  src/openvpn/common.h  | 2 +-
>  src/openvpn/comp-lz4.c| 4 
> ++--
>  src/openvpn/comp-lz4.h| 4 
> ++--
>  src/openvpn/comp.c| 2 +-
>  src/openvpn/comp.h| 2 +-
>  src/openvpn/compstub.c| 2 +-
>  src/openvpn/console.c | 4 
> ++--
>  src/openvpn/console.h | 4 
> ++--
>  src/openvpn/console_builtin.c | 4 
> ++--
>  src/openvpn/crypto.c  | 4 
> ++--

Re: [Openvpn-devel] [PATCH release/2.3] Update copyrights

2016-12-21 Thread Steffan Karger
Hi,

On 21-12-16 21:00, David Sommerseth wrote:
> Signed-off-by: David Sommerseth 
> ---
>  COPYING| 2 +-
>  ChangeLog  | 2 +-
>  Makefile.am| 2 +-
>  PORTS  | 2 +-
>  build/Makefile.am  | 2 +-
>  build/msvc/Makefile.am | 2 +-
>  build/msvc/msvc-generate/Makefile.am   | 2 +-
>  configure.ac   | 2 +-
>  dev-tools/update-copyright.sh  | 2 +-
>  distro/Makefile.am | 2 +-
>  distro/rpm/Makefile.am | 2 +-
>  doc/Makefile.am| 2 +-
>  doc/doxygen/doc_compression.h  | 2 +-
>  doc/doxygen/doc_control_processor.h| 2 +-
>  doc/doxygen/doc_control_tls.h  | 2 +-
>  doc/doxygen/doc_data_control.h | 2 +-
>  doc/doxygen/doc_data_crypto.h  | 2 +-
>  doc/doxygen/doc_eventloop.h| 2 +-
>  doc/doxygen/doc_external_multiplexer.h | 2 +-
>  doc/doxygen/doc_fragmentation.h| 2 +-
>  doc/doxygen/doc_internal_multiplexer.h | 2 +-
>  doc/doxygen/doc_key_generation.h   | 2 +-
>  doc/doxygen/doc_mainpage.h | 2 +-
>  doc/doxygen/doc_memory_management.h| 2 +-
>  doc/doxygen/doc_protocol_overview.h| 2 +-
>  doc/doxygen/doc_reliable.h | 2 +-
>  doc/doxygen/doc_tunnel_state.h | 2 +-
>  doc/openvpn.8  | 2 +-
>  include/Makefile.am| 2 +-
>  include/openvpn-plugin.h   | 2 +-
>  sample/Makefile.am | 2 +-
>  sample/sample-plugins/defer/simple.c   | 2 +-
>  sample/sample-plugins/log/log.c| 2 +-
>  sample/sample-plugins/log/log_v3.c | 2 +-
>  sample/sample-plugins/simple/simple.c  | 2 +-
>  src/Makefile.am| 2 +-
>  src/compat/Makefile.am | 2 +-
>  src/compat/compat-gettimeofday.c   | 2 +-
>  src/openvpn/Makefile.am| 2 +-
>  src/openvpn/basic.h| 2 +-
>  src/openvpn/buffer.c   | 2 +-
>  src/openvpn/buffer.h   | 2 +-
>  src/openvpn/circ_list.h| 2 +-
>  src/openvpn/clinat.c   | 2 +-
>  src/openvpn/clinat.h   | 2 +-
>  src/openvpn/common.h   | 2 +-
>  src/openvpn/console.c  | 2 +-
>  src/openvpn/console.h  | 2 +-
>  src/openvpn/crypto.c   | 4 ++--
>  src/openvpn/crypto.h   | 4 ++--
>  src/openvpn/crypto_backend.h   | 4 ++--
>  src/openvpn/crypto_openssl.c   | 4 ++--
>  src/openvpn/crypto_openssl.h   | 4 ++--
>  src/openvpn/crypto_polarssl.c  | 4 ++--
>  src/openvpn/crypto_polarssl.h  | 4 ++--
>  src/openvpn/dhcp.c | 2 +-
>  src/openvpn/dhcp.h | 2 +-
>  src/openvpn/errlevel.h | 2 +-
>  src/openvpn/error.c| 2 +-
>  src/openvpn/error.h| 2 +-
>  src/openvpn/event.c| 2 +-
>  src/openvpn/event.h| 2 +-
>  src/openvpn/fdmisc.c   | 2 +-
>  src/openvpn/fdmisc.h   | 2 +-
>  src/openvpn/forward-inline.h   | 2 +-
>  src/openvpn/forward.c  | 2 +-
>  src/openvpn/forward.h  | 2 +-
>  src/openvpn/fragment.c | 2 +-
>  src/openvpn/fragment.h | 2 +-
>  src/openvpn/gremlin.c  | 2 +-
>  src/openvpn/gremlin.h  | 2 +-
>  src/openvpn/helper.c   | 2 +-
>  src/openvpn/helper.h   | 2 +-
>  src/openvpn/httpdigest.c   | 2 +-
>  src/openvpn/httpdigest.h   | 2 +-
>  src/openvpn/init.c | 2 +-
>  src/openvpn/init.h | 2 +-
>  src/openvpn/integer.h  | 2 +-
>  src/openvpn/interval.c | 2 +-
>  src/openvpn/interval.h | 2 +-
>  src/openvpn/list.c | 2 +-
>  src/openvpn/list.h | 2 +-
>  src/openvpn/lzo.c  | 2 +-
>  src/openvpn/lzo.h  | 2 +-
>  src/openvpn/manage.c   | 2 +-
>  src/openvpn/manage.h   | 2 +-
>  src/openvpn/mbuf.c | 2 +-
>  src/openvpn/mbuf.h | 2 +-
>  src/openvpn/memdbg.h   | 2 +-
>  src/openvpn/misc.c | 2 +-
>  src/openvpn/misc.h | 2 +-
>  src/openvpn/mroute.c   | 2 +-
>  src/openvpn/mroute.h   | 2 +-
>  src/openvpn/mss.c  | 2 +-
>  src/openvpn/mss.h  | 2 +-
>  src/openvpn/mstats.c   | 2 +-
>  src/openvpn/mstats.h   | 2 +-
>  src/openvpn/mtcp.c | 2 +-
>  src/openvpn/mtcp.h | 2 +-
>  src/openvpn/mtu.c  | 2

Re: [Openvpn-devel] [PATCH release/2.4] Update copyrights

2016-12-21 Thread Steffan Karger
Hi,

On 21-12-16 21:00, David Sommerseth wrote:
> Signed-off-by: David Sommerseth 
> ---
>  COPYING   | 2 +-
>  ChangeLog | 2 +-
>  Makefile.am   | 2 +-
>  PORTS | 2 +-
>  build/Makefile.am | 2 +-
>  build/msvc/Makefile.am| 2 +-
>  build/msvc/msvc-generate/Makefile.am  | 2 +-
>  configure.ac  | 2 +-
>  dev-tools/reformat-all.sh | 2 +-
>  dev-tools/update-copyright.sh | 2 +-
>  distro/Makefile.am| 2 +-
>  distro/rpm/Makefile.am| 2 +-
>  doc/Makefile.am   | 2 +-
>  doc/doxygen/doc_compression.h | 2 +-
>  doc/doxygen/doc_control_processor.h   | 2 +-
>  doc/doxygen/doc_control_tls.h | 2 +-
>  doc/doxygen/doc_data_control.h| 2 +-
>  doc/doxygen/doc_data_crypto.h | 2 +-
>  doc/doxygen/doc_eventloop.h   | 2 +-
>  doc/doxygen/doc_external_multiplexer.h| 2 +-
>  doc/doxygen/doc_fragmentation.h   | 2 +-
>  doc/doxygen/doc_internal_multiplexer.h| 2 +-
>  doc/doxygen/doc_key_generation.h  | 2 +-
>  doc/doxygen/doc_mainpage.h| 2 +-
>  doc/doxygen/doc_memory_management.h   | 2 +-
>  doc/doxygen/doc_protocol_overview.h   | 2 +-
>  doc/doxygen/doc_reliable.h| 2 +-
>  doc/doxygen/doc_tunnel_state.h| 2 +-
>  doc/openvpn.8 | 2 +-
>  include/Makefile.am   | 2 +-
>  include/openvpn-msg.h | 2 +-
>  include/openvpn-plugin.h.in   | 2 +-
>  sample/Makefile.am| 2 +-
>  sample/sample-plugins/defer/simple.c  | 2 +-
>  .../keying-material-exporter-demo/keyingmaterialexporter.c| 2 +-
>  sample/sample-plugins/log/log.c   | 2 +-
>  sample/sample-plugins/log/log_v3.c| 2 +-
>  sample/sample-plugins/simple/simple.c | 2 +-
>  src/Makefile.am   | 2 +-
>  src/compat/Makefile.am| 2 +-
>  src/compat/compat-gettimeofday.c  | 2 +-
>  src/openvpn/Makefile.am   | 2 +-
>  src/openvpn/argv.c| 2 +-
>  src/openvpn/argv.h| 2 +-
>  src/openvpn/basic.h   | 2 +-
>  src/openvpn/block_dns.c   | 2 +-
>  src/openvpn/buffer.c  | 2 +-
>  src/openvpn/buffer.h  | 2 +-
>  src/openvpn/circ_list.h   | 2 +-
>  src/openvpn/clinat.c  | 2 +-
>  src/openvpn/clinat.h  | 2 +-
>  src/openvpn/common.h  | 2 +-
>  src/openvpn/comp-lz4.c| 4 
> ++--
>  src/openvpn/comp-lz4.h| 4 
> ++--
>  src/openvpn/comp.c| 2 +-
>  src/openvpn/comp.h| 2 +-
>  src/openvpn/compstub.c| 2 +-
>  src/openvpn/console.c | 4 
> ++--
>  src/openvpn/console.h | 4 
> ++--
>  src/openvpn/console_builtin.c | 4 
> ++--
>  src/openvpn/crypto.c  | 4 
> ++--

[Openvpn-devel] [PATCH release/2.3] Update copyrights

2016-12-21 Thread David Sommerseth
Signed-off-by: David Sommerseth 
---
 COPYING| 2 +-
 ChangeLog  | 2 +-
 Makefile.am| 2 +-
 PORTS  | 2 +-
 build/Makefile.am  | 2 +-
 build/msvc/Makefile.am | 2 +-
 build/msvc/msvc-generate/Makefile.am   | 2 +-
 configure.ac   | 2 +-
 dev-tools/update-copyright.sh  | 2 +-
 distro/Makefile.am | 2 +-
 distro/rpm/Makefile.am | 2 +-
 doc/Makefile.am| 2 +-
 doc/doxygen/doc_compression.h  | 2 +-
 doc/doxygen/doc_control_processor.h| 2 +-
 doc/doxygen/doc_control_tls.h  | 2 +-
 doc/doxygen/doc_data_control.h | 2 +-
 doc/doxygen/doc_data_crypto.h  | 2 +-
 doc/doxygen/doc_eventloop.h| 2 +-
 doc/doxygen/doc_external_multiplexer.h | 2 +-
 doc/doxygen/doc_fragmentation.h| 2 +-
 doc/doxygen/doc_internal_multiplexer.h | 2 +-
 doc/doxygen/doc_key_generation.h   | 2 +-
 doc/doxygen/doc_mainpage.h | 2 +-
 doc/doxygen/doc_memory_management.h| 2 +-
 doc/doxygen/doc_protocol_overview.h| 2 +-
 doc/doxygen/doc_reliable.h | 2 +-
 doc/doxygen/doc_tunnel_state.h | 2 +-
 doc/openvpn.8  | 2 +-
 include/Makefile.am| 2 +-
 include/openvpn-plugin.h   | 2 +-
 sample/Makefile.am | 2 +-
 sample/sample-plugins/defer/simple.c   | 2 +-
 sample/sample-plugins/log/log.c| 2 +-
 sample/sample-plugins/log/log_v3.c | 2 +-
 sample/sample-plugins/simple/simple.c  | 2 +-
 src/Makefile.am| 2 +-
 src/compat/Makefile.am | 2 +-
 src/compat/compat-gettimeofday.c   | 2 +-
 src/openvpn/Makefile.am| 2 +-
 src/openvpn/basic.h| 2 +-
 src/openvpn/buffer.c   | 2 +-
 src/openvpn/buffer.h   | 2 +-
 src/openvpn/circ_list.h| 2 +-
 src/openvpn/clinat.c   | 2 +-
 src/openvpn/clinat.h   | 2 +-
 src/openvpn/common.h   | 2 +-
 src/openvpn/console.c  | 2 +-
 src/openvpn/console.h  | 2 +-
 src/openvpn/crypto.c   | 4 ++--
 src/openvpn/crypto.h   | 4 ++--
 src/openvpn/crypto_backend.h   | 4 ++--
 src/openvpn/crypto_openssl.c   | 4 ++--
 src/openvpn/crypto_openssl.h   | 4 ++--
 src/openvpn/crypto_polarssl.c  | 4 ++--
 src/openvpn/crypto_polarssl.h  | 4 ++--
 src/openvpn/dhcp.c | 2 +-
 src/openvpn/dhcp.h | 2 +-
 src/openvpn/errlevel.h | 2 +-
 src/openvpn/error.c| 2 +-
 src/openvpn/error.h| 2 +-
 src/openvpn/event.c| 2 +-
 src/openvpn/event.h| 2 +-
 src/openvpn/fdmisc.c   | 2 +-
 src/openvpn/fdmisc.h   | 2 +-
 src/openvpn/forward-inline.h   | 2 +-
 src/openvpn/forward.c  | 2 +-
 src/openvpn/forward.h  | 2 +-
 src/openvpn/fragment.c | 2 +-
 src/openvpn/fragment.h | 2 +-
 src/openvpn/gremlin.c  | 2 +-
 src/openvpn/gremlin.h  | 2 +-
 src/openvpn/helper.c   | 2 +-
 src/openvpn/helper.h   | 2 +-
 src/openvpn/httpdigest.c   | 2 +-
 src/openvpn/httpdigest.h   | 2 +-
 src/openvpn/init.c | 2 +-
 src/openvpn/init.h | 2 +-
 src/openvpn/integer.h  | 2 +-
 src/openvpn/interval.c | 2 +-
 src/openvpn/interval.h | 2 +-
 src/openvpn/list.c | 2 +-
 src/openvpn/list.h | 2 +-
 src/openvpn/lzo.c  | 2 +-
 src/openvpn/lzo.h  | 2 +-
 src/openvpn/manage.c   | 2 +-
 src/openvpn/manage.h   | 2 +-
 src/openvpn/mbuf.c | 2 +-
 src/openvpn/mbuf.h | 2 +-
 src/openvpn/memdbg.h   | 2 +-
 src/openvpn/misc.c | 2 +-
 src/openvpn/misc.h | 2 +-
 src/openvpn/mroute.c   | 2 +-
 src/openvpn/mroute.h   | 2 +-
 src/openvpn/mss.c  | 2 +-
 src/openvpn/mss.h  | 2 +-
 src/openvpn/mstats.c   | 2 +-
 src/openvpn/mstats.h   | 2 +-
 src/openvpn/mtcp.c | 2 +-
 src/openvpn/mtcp.h | 2 +-
 src/openvpn/mtu.c  | 2 +-
 src/openvpn/mtu.h  | 2 +-
 src/openvpn/mudp.c | 2 +-
 src/openvpn/mudp.h | 2 +-
 src/openvpn/multi.c| 2 +-
 src/openvpn/multi.h| 2 +-
 src/openvpn/

[Openvpn-devel] [PATCH release/2.4] Update copyrights

2016-12-21 Thread David Sommerseth
Signed-off-by: David Sommerseth 
---
 COPYING   | 2 +-
 ChangeLog | 2 +-
 Makefile.am   | 2 +-
 PORTS | 2 +-
 build/Makefile.am | 2 +-
 build/msvc/Makefile.am| 2 +-
 build/msvc/msvc-generate/Makefile.am  | 2 +-
 configure.ac  | 2 +-
 dev-tools/reformat-all.sh | 2 +-
 dev-tools/update-copyright.sh | 2 +-
 distro/Makefile.am| 2 +-
 distro/rpm/Makefile.am| 2 +-
 doc/Makefile.am   | 2 +-
 doc/doxygen/doc_compression.h | 2 +-
 doc/doxygen/doc_control_processor.h   | 2 +-
 doc/doxygen/doc_control_tls.h | 2 +-
 doc/doxygen/doc_data_control.h| 2 +-
 doc/doxygen/doc_data_crypto.h | 2 +-
 doc/doxygen/doc_eventloop.h   | 2 +-
 doc/doxygen/doc_external_multiplexer.h| 2 +-
 doc/doxygen/doc_fragmentation.h   | 2 +-
 doc/doxygen/doc_internal_multiplexer.h| 2 +-
 doc/doxygen/doc_key_generation.h  | 2 +-
 doc/doxygen/doc_mainpage.h| 2 +-
 doc/doxygen/doc_memory_management.h   | 2 +-
 doc/doxygen/doc_protocol_overview.h   | 2 +-
 doc/doxygen/doc_reliable.h| 2 +-
 doc/doxygen/doc_tunnel_state.h| 2 +-
 doc/openvpn.8 | 2 +-
 include/Makefile.am   | 2 +-
 include/openvpn-msg.h | 2 +-
 include/openvpn-plugin.h.in   | 2 +-
 sample/Makefile.am| 2 +-
 sample/sample-plugins/defer/simple.c  | 2 +-
 .../keying-material-exporter-demo/keyingmaterialexporter.c| 2 +-
 sample/sample-plugins/log/log.c   | 2 +-
 sample/sample-plugins/log/log_v3.c| 2 +-
 sample/sample-plugins/simple/simple.c | 2 +-
 src/Makefile.am   | 2 +-
 src/compat/Makefile.am| 2 +-
 src/compat/compat-gettimeofday.c  | 2 +-
 src/openvpn/Makefile.am   | 2 +-
 src/openvpn/argv.c| 2 +-
 src/openvpn/argv.h| 2 +-
 src/openvpn/basic.h   | 2 +-
 src/openvpn/block_dns.c   | 2 +-
 src/openvpn/buffer.c  | 2 +-
 src/openvpn/buffer.h  | 2 +-
 src/openvpn/circ_list.h   | 2 +-
 src/openvpn/clinat.c  | 2 +-
 src/openvpn/clinat.h  | 2 +-
 src/openvpn/common.h  | 2 +-
 src/openvpn/comp-lz4.c| 4 ++--
 src/openvpn/comp-lz4.h| 4 ++--
 src/openvpn/comp.c| 2 +-
 src/openvpn/comp.h| 2 +-
 src/openvpn/compstub.c| 2 +-
 src/openvpn/console.c | 4 ++--
 src/openvpn/console.h | 4 ++--
 src/openvpn/console_builtin.c | 4 ++--
 src/openvpn/crypto.c  | 4 ++--
 src/openvpn/crypto.h  | 4 ++--
 src/openvpn/crypto_backend.h  | 4 ++--
 src/openvpn/crypto_mbedtls.c   

[Openvpn-devel] [PATCH] Update copyrights

2016-12-21 Thread David Sommerseth
These patches update the copyright lines with an updated year.  The
result is generated by the ./dev-tools/update-copyright.sh script.


--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc




[Openvpn-devel] [PATCH master] Update copyrights

2016-12-21 Thread David Sommerseth
Signed-off-by: David Sommerseth 
---
 COPYING   | 2 +-
 ChangeLog | 2 +-
 Makefile.am   | 2 +-
 PORTS | 2 +-
 build/Makefile.am | 2 +-
 build/msvc/Makefile.am| 2 +-
 build/msvc/msvc-generate/Makefile.am  | 2 +-
 configure.ac  | 2 +-
 dev-tools/reformat-all.sh | 2 +-
 dev-tools/update-copyright.sh | 2 +-
 distro/Makefile.am| 2 +-
 distro/rpm/Makefile.am| 2 +-
 doc/Makefile.am   | 2 +-
 doc/doxygen/doc_compression.h | 2 +-
 doc/doxygen/doc_control_processor.h   | 2 +-
 doc/doxygen/doc_control_tls.h | 2 +-
 doc/doxygen/doc_data_control.h| 2 +-
 doc/doxygen/doc_data_crypto.h | 2 +-
 doc/doxygen/doc_eventloop.h   | 2 +-
 doc/doxygen/doc_external_multiplexer.h| 2 +-
 doc/doxygen/doc_fragmentation.h   | 2 +-
 doc/doxygen/doc_internal_multiplexer.h| 2 +-
 doc/doxygen/doc_key_generation.h  | 2 +-
 doc/doxygen/doc_mainpage.h| 2 +-
 doc/doxygen/doc_memory_management.h   | 2 +-
 doc/doxygen/doc_protocol_overview.h   | 2 +-
 doc/doxygen/doc_reliable.h| 2 +-
 doc/doxygen/doc_tunnel_state.h| 2 +-
 doc/openvpn.8 | 2 +-
 include/Makefile.am   | 2 +-
 include/openvpn-msg.h | 2 +-
 include/openvpn-plugin.h.in   | 2 +-
 sample/Makefile.am| 2 +-
 sample/sample-plugins/defer/simple.c  | 2 +-
 .../keying-material-exporter-demo/keyingmaterialexporter.c| 2 +-
 sample/sample-plugins/log/log.c   | 2 +-
 sample/sample-plugins/log/log_v3.c| 2 +-
 sample/sample-plugins/simple/simple.c | 2 +-
 src/Makefile.am   | 2 +-
 src/compat/Makefile.am| 2 +-
 src/compat/compat-gettimeofday.c  | 2 +-
 src/openvpn/Makefile.am   | 2 +-
 src/openvpn/argv.c| 2 +-
 src/openvpn/argv.h| 2 +-
 src/openvpn/basic.h   | 2 +-
 src/openvpn/block_dns.c   | 2 +-
 src/openvpn/buffer.c  | 2 +-
 src/openvpn/buffer.h  | 2 +-
 src/openvpn/circ_list.h   | 2 +-
 src/openvpn/clinat.c  | 2 +-
 src/openvpn/clinat.h  | 2 +-
 src/openvpn/common.h  | 2 +-
 src/openvpn/comp-lz4.c| 4 ++--
 src/openvpn/comp-lz4.h| 4 ++--
 src/openvpn/comp.c| 2 +-
 src/openvpn/comp.h| 2 +-
 src/openvpn/compstub.c| 2 +-
 src/openvpn/console.c | 4 ++--
 src/openvpn/console.h | 4 ++--
 src/openvpn/console_builtin.c | 4 ++--
 src/openvpn/crypto.c  | 4 ++--
 src/openvpn/crypto.h  | 4 ++--
 src/openvpn/crypto_backend.h  | 4 ++--
 src/openvpn/crypto_mbedtls.c   
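
Review bot: the commit message above this diffstat is only a Signed-off-by line, while the cover letter in this thread says the result is generated by ./dev-tools/update-copyright.sh. Put that statement in the commit body itself, so that anyone checking this tree-wide change later can re-run the script and compare its output instead of reading every one-line edit by hand.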

[Openvpn-devel] Summary of today's (Wednesday, 21st Dec 2016) community meeting

2016-12-21 Thread Samuli Seppänen

Hi,

Here's the summary of today's IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wednesday 21st Dec 2016
Time: 20:00 CET (19:00 UTC)

Planned meeting topics for this meeting were here:



The next meeting has not been scheduled yet.

Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, mattock and syzzer participated in this meeting.

--

Discussed decommissioning openvpn-testing.git repository. Agreed that it 
makes sense.


--

Discussed updating copyrights in files to 2017. Agreed that it makes 
sense. Dazo will push out a review branch.


--

Discussed the OpenVPN 2.4.0 release. Agreed to make the release slightly 
ahead of schedule on 27th Dec.


--

Discussed the "reformatting: fix style in crypto*.{c, h}" patch:



Agreed to merge this into Git "master" now, but not into "release/2.4" 
until 2.4.0 is out.


--

Discussed scheduling the next meeting. It was agreed that we probably 
don't need an official meeting next week (28th). If there are issues 
with the 2.4.0 release we can discuss and fix things informally on 
#openvpn-devel channel.


---

Full chatlog has been attached to this email.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


(20:57:29) syzzer: evening :)
(20:57:52) cron2: not yet
(20:58:45) syzzer: oh, sorry
(20:58:52) mattock: yes, way too yearly :P
(20:58:57) mattock: we have to wait ~60 seconds
(21:00:21) syzzer: and now, and now, and now/
(21:00:38) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2016-12-21
(21:00:39) vpnHelper: Title: Topics-2016-12-21 – OpenVPN Community (at 
community.openvpn.net)
(21:00:41) syzzer: \o/
(21:01:14) cron2: evening!
(21:01:26) mattock: ready?
(21:01:38) mattock: is dazo here?
(21:01:51) syzzer: looking at the topics, seems we need dazo
(21:02:03) cron2: a
(21:02:07) cron2: why is the agenda so long
(21:02:20) mattock: yes, too much to read
(21:02:41) syzzer: at least the 2.4 status page says 'All done!'
(21:02:53) cron2: ok, I've read the agenda, and I say "make it so!".
(21:03:00) cron2: are we done?
(21:03:27) cron2: :)
(21:03:45) mattock: I agree with everything
(21:03:58) mattock: so 2.4.0 release in original schedule?
(21:04:04) cron2: (why do we have release/2.3 in testing, but no other 
release/2.x branch...?)
(21:04:25) syzzer: yeah, looks good to me too
(21:04:39) cron2: mattock: yes.  m-a brought up something strange in 
#openvpn-devel regarding some freebsd-base firewall, but that can always be 
platform-fixed later on
(21:04:56) mattock: so 2.4.0 is due on 28th
(21:05:00) mattock: which is fine for me
(21:05:04) cron2: I'm running _rc1 on our corp servers for two weeks now, with 
poor man's NCP, on FreeBSD, and that all behaves
(21:05:50) ***dazo is here 
(21:05:52) dazo: just forgot time
(21:05:56) cron2: so, anecdotal evidence says "this is a good release" :)
(21:06:27) mattock: there are a few openvpn-gui, openvpnserv2 and openvpn-build 
improvements in the queue which can probably make it to 2.4.0 installers
(21:06:56) mattock: but if they don't, they can probably go to 2.4.1
(21:07:03) mattock: nothing really major for the most part
(21:07:06) cron2: there's endless opportunities to fix and improve things :-) - 
but I'm not aware of anything seriously pressing
(21:07:13) mattock: yeah, same here
(21:07:33) dazo: If nobody is against it, based on the lack of really much 
noise ... I propose we do the final release 1-2 days earlier
(21:07:53) syzzer: as long as the interactive service is installed in a nice 
way, because that's the new feature we want people to use on windows
(21:07:54) dazo: I think we should just add a few docs updates + the copyright 
updates and then call it 2.4.0
(21:07:58) mattock: 26th is a national holiday here, so 27th would work
(21:08:43) cron2: 26th is "christmas with grandparents", so I won't get 
anything useful done.  But then, with the current state of things (which is 
really good) you do not need me anyway :)
(21:08:46) ***cron2 retires
(21:08:59) syzzer: what about my crypto*.{c,h} patch?  I'd like that in 
release/2.4 too, but *after* 2.4.0 is fine too 
(21:09:12) dazo: okay, I believe I can have everything prepared for the 26th, 
including branch push ... so you can test on 27th and I'll do the tags push 
once you confirm it's good
(21:09:27) cron2: syzzer: that's the refactoring Selva ACKed?
(21:09:32) syzzer: indeed
(21:09:35) dazo: syzzer: I might have forgotten about that
(21:09:39) syzzer: more reformatting than refactoring
(21:09:45) cron2: uh, right
(21:10:20) cron2: dazo: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13624.html
(21:10:22) vpnHelper: Title: [Openvpn-devel] [PATCH v2] reformatting: fix style 
in crypto*.{c, h} (at www.mail-archive.com)
(

Re: [Openvpn-devel] [PATCH applied] dev-tools: Added script for updating copyright years in files

2016-12-21 Thread David Sommerseth


I've done a quick update to the patch at commit time.  As suggested
by Steffan, I've changed from excluding cmocka to exclude vendor/.  In
addition @sophos.com copyright lines will also be included in this
update.

If anyone else wants to be included in these updates, please let us
know and we will update the script accordingly.


Your patch has been applied to the following branches

commit da8f11f895bb78174d4412d82a6992c398da495a  (master)
commit 0b159a62ed1c9d60e0c7001b025d2d016a90057f  (release/2.4)
commit 9e2bbbc7bc9bb126ed1061cf0c2ee2fb5ffc919d  (release/2.3)
Author: David Sommerseth
Date:   Mon Dec 19 19:52:12 2016 +0100

 dev-tools: Added script for updating copyright years in files

 Signed-off-by: David Sommerseth 
 Acked-by: Steffan Karger 
 Message-Id: <1482173532-25132-1-git-send-email-dav...@openvpn.net>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13645.html


--
kind regards,

David Sommerseth




Re: [Openvpn-devel] Google Summer of Code

2016-12-21 Thread Matthias Andree
On 19.12.2016 at 11:01, Илья Шипицин wrote:
>
> it seems, it depends on network-manager version.
> on fedora 23 I cannot import files, but on ubuntu I can.

Fedora 23 goes out of support these days (it's now more than 4 weeks
after Fedora 25 release), so it's time to upgrade...
