Re: [Openvpn-devel] [PATCH] Deprecate --keysize
On 01/07/17 13:29, Steffan Karger wrote:
> The --keysize option can only be used with already deprecated ciphers,
> such as CAST5, RC2 or BF. Deviating from the default keysize is
> generally not a good idea (see man page text), and otherwise only
> complicates our code.
>
> (If this patch is accepted, I'll send a follow-up patch to remove the
> option from the master branch.)

I agree to the wanted intention of this change. But, it hits badly if
we remove --keysize on configurations still enforcing BF-CBC with
--keysize 256. I don't have any numbers of how many users use it; but
I know many have preferred BF-CBC for a long time - at least before
SWEET32 came and hit us all. Bear in mind that BF-CBC was the default
since 2002-ish (probably even longer, if considering the OpenVPN v1.x
branch). And many have added --cipher BF-CBC in their configs despite it
was the default.

As long as BF-CBC is available, we cannot remove --keysize. And to
remove BF-CBC support, I think that needs a bit longer timespan than
v2.5. Users *must* be far better prepared for that and we need to make
loud and clear announcements with such a change.

Yes, in all this, I know that NCP is a nice rescue. As long as everyone
either runs v2.4 everywhere or deploys --ncp-ciphers and starts the
migration. But I've lost confidence that the vast majority of our users
pays close attention to such feature changes - thus they won't notice
until it stops working. We need to PUSH this information into their
faces, with large posters carrying promises of rainbow coloured unicorns
if they comply today(!). In addition to adding clear warnings in the
log files for a looong time.

So I propose:

- We add the warning about removing --keysize for both v2.4 and v2.5.

- Add a warning in v2.4 and v2.5 that ciphers with block sizes < 128
  bits will be *removed* in v2.6

- When removing those ciphers in v2.6, we can remove --keysize together
  with the ciphers, as it will no longer be valid. But --keysize needs
  to be a NOP for some time (with a warning it has no effect), to avoid
  OpenVPN stopping to run on upgrades.

- Ensure these changes are synchronised within OpenVPN 3 as well

- Start a new wiki page: "How-To: Migrate to secure and modern OpenVPN
  configurations" where we list all deprecated features/options and
  their replacement (including examples). We also need to have a
  description on the reasoning for deprecating and removing these
  options.

- And the most tricky one: Get some publicity that OpenVPN is going to
  deprecate and remove support for weak ciphers out to the public. Not
  just on crypto focused sites, but more broadly reaching "media
  channels". (I believe we can facilitate some of the PR work done by
  the company, but we do need more than that). Channels/sites I'm
  pondering on:

  ~ An official Press Release by the company? (Samuli and I can check)
  ~ twitter (via the @OpenVPN account)
  ~ reddit? (and similar sites)
  ~ LWN.net
  ~ arstechnica
  ~ ThreatPost
  ~ OS Distribution channels (blog posts, mailing lists, etc)
  ~ Our own wiki and web pages
  ~ others?

  The first round is to clearly state that BF-CBC, CAST and RC2 are
  deprecated and their support will be removed in a coming release (not
  mentioning version, on purpose!). Users are strongly advised to
  upgrade to OpenVPN v2.4 or server and client side instantly, to
  benefit from NCP (but more less-tech worded) and to point at the
  "How-To" described above.

  And then we try to re-iterate this once again with the release of
  v2.5 and v2.6.

I know and understand this hurts security focused people, and probably
in even more those who understand crypto very well. But my personal
experience is that the average users are usually less understanding than
security minded people. (Yes, I've burnt my, and others', fingers within
the Fedora community with the v2.4 upgrade)

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
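
An added example, not part of the thread or of OpenVPN's code: a small Python checker that scans a configuration for the options the proposal above would warn about (--keysize, and 64-bit block ciphers in --cipher or --ncp-ciphers). The function names, finding codes and sample config are constructed for illustration; treating a config without a cipher line as BF-CBC is an assumption based on the default described in the message above.

```python
import re

# Cipher-name prefixes with a 64-bit block. BF, CAST5 and RC2 are named in the
# thread; DES/3DES are added here because they also use 64-bit blocks.
SMALL_BLOCK_PREFIXES = ("BF-", "CAST5-", "RC2-", "DES-", "DESX-")

# Constructed sample config (not from the thread).
SAMPLE_CONFIG = """\
# legacy client profile
client
dev tun
remote vpn.example.net 1194
cipher BF-CBC
keysize 256   # explicit key size for Blowfish
ncp-ciphers AES-256-GCM:BF-CBC
<ca>
-----BEGIN CERTIFICATE-----
(placeholder)
-----END CERTIFICATE-----
</ca>
"""


def is_small_block(cipher):
    return cipher.upper().startswith(SMALL_BLOCK_PREFIXES)


def parse_directives(text):
    """Yield (lineno, name, args), skipping comments and inline <tag> blocks."""
    inline = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if inline:
            if line == "</%s>" % inline:
                inline = None
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            inline = m.group(1)
            continue
        # '#' or ';' at line start or after whitespace begins a comment
        # (quoted arguments containing '#' are not handled in this sketch).
        line = re.split(r"\s[#;]", " " + line, maxsplit=1)[0]
        tokens = line.split()
        if tokens:
            yield lineno, tokens[0].lstrip("-"), tokens[1:]


def audit(text):
    """Return (lineno, code, detail) findings; lineno 0 means 'whole file'."""
    findings = []
    saw_cipher = False
    for lineno, name, args in parse_directives(text):
        if name == "keysize":
            findings.append((lineno, "KEYSIZE", args[0] if args else ""))
        elif name == "cipher" and args:
            saw_cipher = True
            if is_small_block(args[0]):
                findings.append((lineno, "SMALL_BLOCK_CIPHER", args[0]))
        elif name == "ncp-ciphers" and args:
            for cipher in args[0].split(":"):
                if is_small_block(cipher):
                    findings.append((lineno, "SMALL_BLOCK_NCP", cipher))
    if not saw_cipher:
        # Assumption: the peer falls back to the historical default, BF-CBC.
        findings.append((0, "DEFAULT_CIPHER", "BF-CBC"))
    return findings


if __name__ == "__main__":
    for lineno, code, detail in audit(SAMPLE_CONFIG):
        print("line %d: %s (%s)" % (lineno, code, detail))
```

Run over a directory of client profiles before an upgrade, the findings give the list of configurations that would start logging the proposed warnings or stop working once the ciphers are removed.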
Re: [Openvpn-devel] [PATCH] Deprecate --keysize
Hi,

On 14-08-17 12:36, David Sommerseth wrote:
> On 01/07/17 13:29, Steffan Karger wrote:
>> The --keysize option can only be used with already deprecated ciphers,
>> such as CAST5, RC2 or BF. Deviating from the default keysize is
>> generally not a good idea (see man page text), and otherwise only
>> complicates our code.
>>
>> (If this patch is accepted, I'll send a follow-up patch to remove the
>> option from the master branch.)
>
> I agree to the wanted intention of this change. But, it hits badly if
> we remove --keysize on configurations still enforcing BF-CBC with
> --keysize 256. I don't have any numbers of how many users use it; but
> I know many have preferred BF-CBC for a long time - at least before
> SWEET32 came and hit us all. Bear in mind that BF-CBC was the default
> since 2002-ish (probably even longer, if considering the OpenVPN v1.x
> branch). And many have added --cipher BF-CBC in their configs despite it
> was the default.
>
> As long as BF-CBC is available, we cannot remove --keysize. And to
> remove BF-CBC support, I think that needs a bit longer timespan than
> v2.5. Users *must* be far better prepared for that and we need to make
> loud and clear announcements with such a change.
>
> Yes, in all this, I know that NCP is a nice rescue. As long as everyone
> either runs v2.4 everywhere or deploys --ncp-ciphers and starts the
> migration. But I've lost confidence that the vast majority of our users
> pays close attention to such feature changes - thus they won't notice
> until it stops working. We need to PUSH this information into their
> faces, with large posters carrying promises of rainbow coloured unicorns
> if they comply today(!). In addition to adding clear warnings in the
> log files for a looong time.
>
> So I propose:
>
> - We add the warning about removing --keysize for both v2.4 and v2.5.
>
> - Add a warning in v2.4 and v2.5 that ciphers with block sizes < 128
>   bits will be *removed* in v2.6
>
> - When removing those ciphers in v2.6, we can remove --keysize together
>   with the ciphers, as it will no longer be valid. But --keysize needs
>   to be a NOP for some time (with a warning it has no effect), to avoid
>   OpenVPN stopping to run on upgrades.

Okay. Instead of sending the keysize removal patch, I'll send a patch
that warns that small block ciphers will be removed in 2.6.

Can you then do s/2.5/2.6/ on the patch, or shall I send a v2?

-Steffan
Re: [Openvpn-devel] [PATCH] Deprecate --keysize
On 14/08/17 13:17, Steffan Karger wrote:
> Hi,
>
> On 14-08-17 12:36, David Sommerseth wrote:
>> On 01/07/17 13:29, Steffan Karger wrote:
>>> The --keysize option can only be used with already deprecated ciphers,
>>> such as CAST5, RC2 or BF. Deviating from the default keysize is
>>> generally not a good idea (see man page text), and otherwise only
>>> complicates our code.
>>>
>>> (If this patch is accepted, I'll send a follow-up patch to remove the
>>> option from the master branch.)
>>
>> I agree to the wanted intention of this change. But, it hits badly if
>> we remove --keysize on configurations still enforcing BF-CBC with
>> --keysize 256. I don't have any numbers of how many users use it; but
>> I know many have preferred BF-CBC for a long time - at least before
>> SWEET32 came and hit us all. Bear in mind that BF-CBC was the default
>> since 2002-ish (probably even longer, if considering the OpenVPN v1.x
>> branch). And many have added --cipher BF-CBC in their configs despite it
>> was the default.
>>
>> As long as BF-CBC is available, we cannot remove --keysize. And to
>> remove BF-CBC support, I think that needs a bit longer timespan than
>> v2.5. Users *must* be far better prepared for that and we need to make
>> loud and clear announcements with such a change.
>>
>> Yes, in all this, I know that NCP is a nice rescue. As long as everyone
>> either runs v2.4 everywhere or deploys --ncp-ciphers and starts the
>> migration. But I've lost confidence that the vast majority of our users
>> pays close attention to such feature changes - thus they won't notice
>> until it stops working. We need to PUSH this information into their
>> faces, with large posters carrying promises of rainbow coloured unicorns
>> if they comply today(!). In addition to adding clear warnings in the
>> log files for a looong time.
>>
>> So I propose:
>>
>> - We add the warning about removing --keysize for both v2.4 and v2.5.
>>
>> - Add a warning in v2.4 and v2.5 that ciphers with block sizes < 128
>>   bits will be *removed* in v2.6
>>
>> - When removing those ciphers in v2.6, we can remove --keysize together
>>   with the ciphers, as it will no longer be valid. But --keysize needs
>>   to be a NOP for some time (with a warning it has no effect), to avoid
>>   OpenVPN stopping to run on upgrades.
>
> Okay. Instead of sending the keysize removal patch, I'll send a patch
> that warns that small block ciphers will be removed in 2.6.
>
> Can you then do s/2.5/2.6/ on the patch, or shall I send a v2?

Yes, I can do that. I'll also remove the remark ("If this is
accepted...") from the commit message too, commit to master and
cherry-pick to release/2.4. I'll also use the term "OpenVPN v2.6"
everywhere, to be more precise in the statements.

But we will need to get started on the planning of the public stunts
too. Getting a wiki page in place would be a nice starting point though.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
Re: [Openvpn-devel] [PATCH applied] add missing static attribute to functions
Your patch has been applied to the following branches

commit 72bcdfdc19243c1ed6cb8568f62f0c35e8b70f5f (master)
commit d1e18d89d9ff4ce946f27d5b019c407bf750fe4b (release/2.4)
Author: Antonio Quartulli
Date:   Fri Aug 11 17:07:42 2017 +0800

     add missing static attribute to functions

     Signed-off-by: Antonio Quartulli
     Acked-by: Steffan Karger
     Message-Id: <20170811090744.31750-...@unstable.cc>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15202.html
     Signed-off-by: David Sommerseth

--
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH applied] Always use default keysize for NCP'd ciphers
ACK. Checked code and ran a few quick local tests where it was observed
that --keysize was reset to 0 when NCP was active.

Your patch has been applied to the following branches

commit 956bb1c32fa40ee184919b3ce569c90643a01b5b (master)
commit 6f616aa6b7570db965b8eee1d8b8d182af4bb05f (release/2.4)
Author: Steffan Karger
Date:   Thu Jul 20 19:55:57 2017 +0200

     Always use default keysize for NCP'd ciphers

     Signed-off-by: Steffan Karger
     Acked-by: David Sommerseth
     Message-Id: <1500573357-20496-1-git-send-email-stef...@karger.me>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15110.html
     Signed-off-by: David Sommerseth

--
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH applied] Move create_temp_file() out of #ifdef ENABLE_CRYPTO
ACK. This makes sense, code looks good and passes initial tests.

Your patch has been applied to the following branches

commit cd5a74d0d7c6347b31e261e98ca8984819e594df (master)
commit a91c38fbabf6f949990ef8a3801d56225a47a33f (release/2.4)
Author: Steffan Karger
Date:   Tue Jul 25 23:02:34 2017 +0200

     Move create_temp_file() out of #ifdef ENABLE_CRYPTO

     Signed-off-by: Steffan Karger
     Acked-by: David Sommerseth
     Message-Id: <20170725210234.5673-1-stef...@karger.me>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15146.html
     Signed-off-by: David Sommerseth

--
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH applied] Use provided env vars in up/down script.
ACK. Verified that ${dev} does indeed exist in --up and when the
plug-in runs with OPENVPN_PLUGIN_DOWN mode, which is facilitated via the
down-root plug-in.

Your patch has been applied to the following branches

commit 94c1ce22ebcc1f672bb80598afccc130aa01fafc (master)
commit 9f390f0209aa119f7625a75ae309787bc6785831 (release/2.4)
Author: Conrad Hoffmann
Date:   Wed Aug 2 20:14:34 2017 +0200

     Use provided env vars in up/down script.

     Signed-off-by: Conrad Hoffmann
     Acked-by: David Sommerseth
     Message-Id: <20170802181435.14549-2...@bitfehler.net>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15165.html
     Signed-off-by: David Sommerseth

--
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH applied] Document down-root plugin usage in client.down
ACK.

Your patch has been applied to the following branches

commit cbeff7b1b3f2815ee27f4479dca502c220fc4d15 (master)
commit 597b6224e254775915956b8db45c090709b17b1a (release/2.4)
Author: Conrad Hoffmann
Date:   Wed Aug 2 20:14:35 2017 +0200

     Document down-root plugin usage in client.down

     Signed-off-by: Conrad Hoffmann
     Acked-by: David Sommerseth
     Message-Id: <20170802181435.14549-3...@bitfehler.net>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15164.html
     Signed-off-by: David Sommerseth

--
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH applied] sample-plugins: fix ASN1_STRING_to_UTF8 return value checks
ACK. I have a slightly modified version of this patch pending for
release/2.4 (which lacks the OpenSSL 0.9.6b workaround removal). This
will be considered to be added a bit later.

Your patch has been applied to the master branch

commit c43045ca0590364552fbd060cc65ee1c50a4866a
Author: Steffan Karger
Date:   Fri Jul 28 12:38:22 2017 +0200

     sample-plugins: fix ASN1_STRING_to_UTF8 return value checks

     Signed-off-by: Steffan Karger
     Acked-by: David Sommerseth
     Message-Id: <1501238302-16714-1-git-send-email-steffan.kar...@fox-it.com>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15161.html
     Signed-off-by: David Sommerseth

--
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH applied] sample-plugins: fix ASN1_STRING_to_UTF8 return value checks
This is the slightly modified commit, which resolves the merge conflict
when cherry-picking the corresponding commit from git master
(c43045ca059). Below is the complete commit message.

commit 5ed5030c349326c5448fd87424c1a2283ccee18f (release/2.4)
Author: David Sommerseth
Date:   Mon Aug 14 15:19:37 2017 +0200

     sample-plugins: fix ASN1_STRING_to_UTF8 return value checks

     As we did in 2d032c7f for the ASN1_STRING_to_UTF8() calls in the core
     code, we should also free(buf) if the function returns 0.

     [DS: On-the-fly merge conflict fix: There was a conflict against the
          OpenSSL 0.9.6b workaround in v2.4. Since we no longer support
          anything older than OpenSSL 0.9.8 in release/2.4, whack that
          workaround and be more consistent with git master those two
          places]

     Signed-off-by: Steffan Karger
     Acked-by: David Sommerseth
     Message-Id: <1501238302-16714-1-git-send-email-steffan.kar...@fox-it.com>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15161.html
     Signed-off-by: David Sommerseth
     (cherry picked from commit c43045ca0590364552fbd060cc65ee1c50a4866a)

--
kind regards,

David Sommerseth